2011 hildebrandt institute cio forum data privacy and security presentation - facilitated by dave cunningham - april 28 2011




  1. April 28, 2011, Sentry Centers, New York, NY. Leveraging IT in Times of Fiscal Restraint to Support Evolving Law Firm Business Models. Data Privacy and Security: Risk Management and Competitive Advantage. Michael McGuire, CISO, Littler Mendelson; Andrew Rose, Global IT Risk Manager, Clifford Chance; Dave Cunningham, Managing Director, Hildebrandt Baker Robbins
  2. Obligations That May Apply to Personally Identifiable and Sensitive Data
     • HIPAA
     • HITECH Act
     • State/Local Breach Notification Laws
     • State/Local Encryption Laws
     • PCI
     • FTC Red Flags Rule
     • Model Rules
     • Ethical Obligations
  3. Examples of data that is regulated by one or more privacy/security statutes
     • Name
     • Social security number
     • Last four of social security number
     • Drivers license number
     • Date of birth
     • Passport information
     • Health information
     • Maiden name
     • Electronic or digitized signature
     • Physical or mental health conditions
     • Information regarding provision of or payment for health care
     • Financial information (electronic payroll deposit)
     • Credit card or debit card information
     • Government identification numbers
     • Tax information
     • Address or phone numbers
     • Biometric information (fingerprint, voice print, etc.)
  5. Anonymous and HB Gary
  8. Ex-Sonsini Attorney Charged in $32M Insider Trading Case
     • A former senior associate at Wilson Sonsini Goodrich & Rosati PC was arrested and charged in connection with allegations that he stole inside information from three firms that netted $32 million in a decades-long insider trading scheme.
     • Kluger regularly "stole and disclosed material, nonpublic information regarding anticipated corporate mergers and acquisitions on which his law firms were working," according to a copy of the criminal complaint.
  9. HIPAA Sanctions
     • $4.3 Million against health provider – multiple "willful" failures to respond to patient requests for records
     • $1 Million payment to avoid a penalty by Massachusetts Hospital – 192 patient paper records left on subway
  10. Information Security Roles
     • Andrew Rose, Global IT Risk Manager, Clifford Chance
     • Michael McGuire, Chief Information Security Officer, Littler Mendelson
  11. ISO 27001 in a Nutshell...
     • Define the Scope
     • Do the Admin
       – Create and communicate your IS Policy
       – Identify and value your assets
       – Complete the 'Statement of Applicability' (6-9 Months)
       – Define your risk assessment process
       – Conduct a baseline risk assessment
       – Define and initiate an internal IT audit process
     • Set up a Security Forum
     • Set up a Risk Treatment Plan (Live with it for a while) (2-3 Months)
     • Stage 1 Audit (Live with it for a while longer)
     • Stage 2 Audit (1-2 Months)
  12. Audits
     • SAS 70—Statement on Auditing Standards (SAS) No. 70, Service Organizations. It is an audit standard developed by the American Institute of Certified Public Accountants (AICPA).
     • SSAE 16 SOC Reports—Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). http://www.ssae16.org/
  13. Components of Typical Information Security Program
     • Administrative controls
       – Comprehensive, written information security program
       – Education of employees
       – Information classification
       – Transfer and termination policies
       – Service provider management
       – Incident response program
       – Personnel controls
     • Physical controls
       – Access controls
         • Badges
         • Locked areas
       – Clean desk policies
       – Cameras for sensitive areas
     • Technical controls
       – Passwords
       – Encryption
         • Data in transit
         • Data at rest
         • Data on backup media
       – Vulnerability scans of systems that store PII
       – Controls for removable media
       – Firewalls and intrusion detection/prevention
       – Virus prevention programs
       – Deployment of security patches
       – Secure deletion of data on media prior to disposal
  14. Service Provider Management
     • Risk assessment process
       – Identify vendors who will have access to PII
       – Explore what level of controls vendor has
       – Possible on-site risk assessment
       – Bind by contract to maintain controls
  15. Examples of Contractual Controls
     • Need to know access restrictions
     • Encryption of PII in transit
     • Encryption of PII when stored on portable devices
     • No reuse of data
     • No onward transfer of data
     • Return or destruction of data
     • Pre-approval of vendors who will gain access to data
     • Information security training for staff with access to data
     • Complex passwords
     • Notification of security breaches
     • Deployment of security patches
  16. Questions
     • Michael McGuire, Chief Information Security Officer, Littler Mendelson, mmcguire@littler.com
     • Andrew Rose, Global IT Risk Manager, Clifford Chance, andrew.rose@cliffordchance.com
     • Dave Cunningham, Managing Director, Hildebrandt Baker Robbins, dcunningham@hbrconsulting.com
  17. How to Engage Your Company's IT Security Team
     • Work with internal security team to ensure they understand use of HR data in litigation
     • Security by design
     • Engage law firms and inquire about controls
     • Don't send more data than is necessary
     • Consider "easy" encryption options