EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY
November 18, 2015 Presentation

Logistics
CPE Credit Requirements
Takeaways

About the firm
• Full service professional services firm:
  – Attest services
  – Tax preparation and compliance
  – IT audit
  – Data security and design
  – IT compliance
  – Internal control
  – Internal audit outsourcing
  – SSAE 16 services (SOC 1-3)
• Over 80 professionals
• Highly qualified in a variety of specializations: CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST
• Affiliations: AICPA, PCAOB, ACFEI, ISACA, TANGO, CICPAC, Practicewise, VACO Risk Solutions

Vaco Risk Solutions
• Specializing in helping our clients reduce their risks
• 30 locations strong
• Highly qualified consultants: CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt
• We belong to:
  – Information Systems Audit and Control Association (ISACA)
  – American College of Forensic Examiners Institute (ACFEI)
  – Association of Credit Union Internal Auditors (ACUIA)
  – PCI Qualified Security Assessors certified by the PCI Security Standards Council
  – Payment Application Qualified Security Assessors certified by the PCI Security Standards Council
  – Petroleum Convenience Alliance for Technology Standards (PCATS)
  – National Association of Convenience Stores (NACS)
The Cost of a Breach
Source: Ponemon Institute’s 2015 Cost of Data Breach Study
• Averages:
  – Cost per incident: $6,500,000
  – Records compromised: 28,070
  – Cost per record: $217
• Average cost per record by industry:
  – Healthcare: $398 (highest)
  – Financial: $259
  – Industrial: $190
  – Retail: $189
  – Public: $73 (lowest)
• Cause of breaches:
  – 49%: malicious or criminal attack
  – 19%: human error
  – 32%: system glitch
Former FBI Director Mueller: “There are two types of companies, those that have been hacked and those that don’t know it.”

Panel
• Gourav Mukherjee, Partner, Vaco Risk Solutions
• Laurie Kamaiko, Partner, Sedgwick LLP
• Shiraz Saeed, Product Specialist – Cyber Liability, AIG

Format
• Speaker risk discussions
• Panel discussion – best practices and strategies
• Question and answer

Presenter: Gourav Mukherjee, Partner (CISA, CISSP, CRISC, QSA, JD)
Enterprise Data Security Roadmap

Cyber attacks dominating the news, with traditional culprits:
• Petty criminals
• Organized crime
• Governments
Their targets and attack methods evolve.

Current environment creates cybersecurity demands: skyrocketing data breaches and diminishing privacy, accompanied by huge fines and disintegrating public trust.

Security morphs to “Cybersecurity”
Gartner Group: “Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.”

Enterprise Data Security is a subset of Enterprise Cybersecurity.

Foundation of Cybersecurity: The Golden Triangle (People, Process, Technology)
It starts with the right people …

[Diagram: the People / Process / Technology triangle. People: in-house staff, partners, outsourced providers, customers. Process: threat analysis, compliance management, SLA management, risk assessment, change management, vulnerability management, identity & access, incident management. Technology: log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop management, ticketing system, change tracking.]

Security is only as good as its people.
Points of Consideration:
• People are the weakest link.
• Staff will need a specialized skill set, and experienced staff are often difficult to find.
• Current training is expensive, time consuming and ineffective.
• Analysts are needed for 24x7 coverage, and other supporting functions must be considered: system admins, intelligence resources, escalation resources, compliance officers, management / supervision.
Integrated processes …

Data Security processes and procedures must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements.
Points of Consideration:
• The Cybersecurity mission must be clearly defined – incident discovery, CERT, etc.
• An alarm does not always equate to action.
• Processes must take into consideration the evaluation and incorporation of a constantly changing stream of potential threats.
• Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.
Built on a solid technology platform

Technology is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc.
Points of Consideration:
• Security technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity.
• The number of disparate systems and the volume of device / event data will typically require a dedicated IT staff for system administration.
• Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.
• The management and reporting systems must be flexible enough to accommodate process and security policy as well as changes in the technology landscape.

The changing requirements for enterprise data security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of security.
Security versus Cybersecurity: the shift in design and administration

Mission & Strategy
• Charter – Security: technology or service only. Cybersecurity: build a dedicated security operations capability.
• Governance – Security: self governed (IT Security). Cybersecurity: cross-functional (IT, Business, Audit, etc.).
• Strategy – Security: budget based, 12 month planning cycle. Cybersecurity: 3+ year cycle, priorities set by enterprise.
Technology
• Tools – Security: SIEM tool only. Cybersecurity: SIEM, ticketing, portal/dashboard, Big Data.
• Use Cases – Security: standard rules, minimal customization. Cybersecurity: tailored rules based on risk & compliance drivers.
• Referential Data – Security: minimal importance, secondary priority. Cybersecurity: required data, used to prioritize work.
Operations Management
• Measures – Security: silos, ticket/technology driven. Cybersecurity: cross-functional, efficiency, quality, KPI/SLO/SLA.
• Reporting – Security: ticket/technology driven. Cybersecurity: metrics, analytics, scorecards, & dashboards.
In short – Security: detect & react to threats. Cybersecurity: proactive, visible, anticipate threats, mitigate risks.

There is no app for enterprise data security…
… Don’t be a FOOL and think you just need to buy a TOOL.
Information (Data) Life Cycle
Source: ISACA.ORG
To identify residual risks and select appropriate technical measures and activities to protect confidential data, an organization must first understand how information flows throughout its systems over time and how the information is accessed and processed at different stages.

Principles of Data
• Principle 1: Honor policies throughout the confidential data life span. This includes a commitment to process all data in accordance with applicable statutes and regulations, preserve privacy and respect customer choice and consent, and allow individuals to review and correct their information if necessary.
• Principle 2: Minimize risk of unauthorized access or misuse of confidential data. The information management system should provide reasonable administrative, technical and physical safeguards to ensure confidentiality, integrity and availability of data.
• Principle 3: Minimize the impact of confidential data loss. Information protection systems should provide reasonable safeguards, such as encryption, to ensure the confidentiality of data that are lost or stolen. Appropriate data breach response plans and escalation paths should be in place, and all employees who are likely to be involved in breach response should receive training.
• Principle 4: Document applicable controls and demonstrate their effectiveness.
Roadmap to Data Security
Classification → Discovery → Security → Enforcement → Monitoring

Classification
• Determine what data are sensitive to the organization, either for regulatory compliance and/or internally.
  – Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees within the organization regarding data stewardship.
  – To be effective, a classification scheme should be simple enough that all employees can execute it properly.
• EDUCATE and TRAIN

Discovery
• Find out where the sensitive data are located, how they flow, who can access them, and the performance and other requirements for security.
  – Data mapping: structured and unstructured data
    o Location
    o Relevance
    o Sensitivity
    o Use
    o Correctness
  – Cleanup/Remediate
  – EDUCATE and TRAIN

Security
• Apply the data security method(s) that best achieve the requirements from discovery, and protect the data according to the sensitivity determined in classification.
  – Data at rest, in transit and at disposal
  – Frameworks
    o Cybersecurity Framework – NIST
    o ISACA
    o ISO 27001
    o Best practices
  – EDUCATE and TRAIN

Enforcement
• Design and implement processes and technology to disclose sensitive data only to authorized users, limited to the least amount of information required to perform job functions (least-privilege principle).
  – EDUCATE and TRAIN

Monitoring
• Ensure ongoing, highly granular monitoring of any attempts to access sensitive data. Monitoring is the only defense against authorized user data abuse.
  – Internal and external
  – EDUCATE and TRAIN
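As an added example (not part of the presentation), the following Python sketch shows how the Classification, Enforcement and Monitoring steps of the roadmap fit together: each data element carries a sensitivity label, each role gets an explicit allow-list (least privilege), and every access attempt is recorded so that bulk reads by an authorized user, which enforcement alone cannot stop, still surface. The labels, roles, users, events and the alert threshold are all constructed assumptions.

```python
"""Added example (not from the presentation): Classification -> Enforcement ->
Monitoring for sensitive data. All records, roles and events are constructed."""
from dataclasses import dataclass, field

# Classification: sensitivity tiers and a constructed classification scheme.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = 0, 1, 2, 3
CLASSIFICATION = {
    "product_catalog": PUBLIC,
    "org_chart": INTERNAL,
    "customer_email": CONFIDENTIAL,
    "payment_card": RESTRICTED,
    "patient_record": RESTRICTED,
}

# Enforcement: each role is allowed only the fields its job needs (least privilege).
# An explicit allow-list, not a "maximum tier", so a clinician cannot read card data
# even though both are RESTRICTED.
ROLE_ALLOW = {
    "marketing": {"product_catalog", "org_chart", "customer_email"},
    "billing": {"product_catalog", "org_chart", "payment_card"},
    "clinician": {"product_catalog", "patient_record"},
}


@dataclass
class AccessEvent:
    user: str
    role: str
    field_name: str
    record_id: str
    allowed: bool = False


@dataclass
class AccessMonitor:
    """Monitoring: record every attempt, allowed or denied, at record granularity."""
    events: list = field(default_factory=list)

    def request(self, user, role, field_name, record_id):
        # Unknown roles and unlisted fields are denied (fail closed).
        allowed = field_name in ROLE_ALLOW.get(role, set())
        self.events.append(AccessEvent(user, role, field_name, record_id, allowed))
        return allowed

    def denied_attempts(self):
        return [e for e in self.events if not e.allowed]

    def bulk_access_alerts(self, min_tier=CONFIDENTIAL, threshold=3):
        """Authorized users touching many distinct sensitive records: the abuse case
        that only monitoring can catch. Unclassified fields count as RESTRICTED.
        The threshold is an assumed tuning value."""
        per_user = {}
        for e in self.events:
            if e.allowed and CLASSIFICATION.get(e.field_name, RESTRICTED) >= min_tier:
                per_user.setdefault(e.user, set()).add(e.record_id)
        return {u: len(ids) for u, ids in per_user.items() if len(ids) >= threshold}


def run_sample():
    """Constructed activity: normal use, one over-reach, and one bulk read."""
    mon = AccessMonitor()
    mon.request("alice", "marketing", "customer_email", "c1001")
    mon.request("alice", "marketing", "payment_card", "c1001")  # denied by least privilege
    for rid in ("p1", "p2", "p3", "p4"):
        mon.request("bob", "clinician", "patient_record", rid)   # allowed, but bulk
    mon.request("carol", "billing", "payment_card", "c1001")
    return mon


if __name__ == "__main__":
    m = run_sample()
    print("denied:", [(e.user, e.field_name) for e in m.denied_attempts()])
    print("bulk alerts:", m.bulk_access_alerts())
```

Note that the denied attempt is itself worth keeping: a user repeatedly asking for data outside their role is a signal for the monitoring step, not just a blocked request.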
Enterprise Data Security is a subset of Enterprise Cybersecurity.
NIST 800-53
Contact: Gourav@vaco.com
EMERGING TRENDS IN DIGITAL PRIVACY AND SECURITY: THE LEGAL LANDSCAPE
Laurie Kamaiko
Cybersecurity and Privacy Group, Sedgwick LLP, New York Office
Laurie.Kamaiko@sedgwicklaw.com
Telephone 212.898.4015
Cyber Risks – Why Do You Care?
• Every company is vulnerable if subject to a successful cyber attack
• Every company is subject to a loss or cost
• Every company is subject to statutory or regulatory compliance of some kind, especially if a breach of personal information → resultant risk of regulatory inquiry and litigation
• Every company can reduce these risks and resultant costs by:
  – Awareness
  – Preparedness
  – Reducing the human error element
Current & Impending Cyber Risks & Exposures

Data Breaches of Personally Identifiable Information (PI) and Protected Health Information (PHI) of Individuals
• Type of information defined by statutes and regulations
• Heavily regulated to protect against identity theft and fraudulent transactions
  – Security requirements
  – Breach response requirements
• Traditionally name plus:
  – Financial account, payment card numbers
  – Government-issued identification, social security number, etc.
  – Variations include: health information, insurance account
• Trend toward expansion of what constitutes protected PI:
  – Online account credentials
  – Medical biometric information

Theft of Other Confidential Information
• Trade secrets / IP / business secrets
• Client/customer secrets

Cyber Attacks on Property and Business Functions
• Denial of service attacks / disruption of business and operating systems
  – Targeting your company
  – Targeting others or critical infrastructure → affecting your company
• Financially motivated versus malicious versus political
• Extortion

Business Practices in Collection/Usage/Disclosure of Information About Individuals
• Online behavior tracking
• Collection and usage of information on individuals
• Sharing of that information
• Disclosure of collection and sharing
• Storage beyond need
• Zip code collection (when not necessary for credit card transaction)
• Privacy policy and terms of use statements / sufficiency
• Increased use of vendors

“Big Data”
• Collection and analysis of data about consumers and populations has become important to most companies
• Its use and transferability are part of many corporate transactions: planning, marketing, acquisitions, divestitures
• Data security, privacy and practices present a myriad of (non-)compliance risks: laws, regulations, controls, due diligence obligations

Increasing Risks From:
• Internet of Things → increased interconnectivity → increased vulnerability
  – 13.4 billion in 2015
  – > 25 to 75 billion interconnected devices by 2020
• Increased use of vendors → vendor vulnerability
  – Access to company data
  – Avenue for malware intrusion
  – Lack of control → increased need for due diligence
  – Contractual responsibilities and liabilities
• Incorporating use of personal devices and social media into the workplace

Increasing National / Regulatory Agency / Industry Standards →
• Expansion of statutory liabilities
• Increased regulatory enforcement
• Increase in contractual responsibilities
  o All increase potential liabilities for non-compliance
  o Compliant today may not be compliant tomorrow
• Growth of contractual obligations
  o Security
  o Breach response
  o Indemnity

All Entities Are at Risk
• Employee information
• Customers’/clients’ information
• Business information
• Functions you perform for others
• Functions others perform for you
• Small company ≠ small risk
• Industries most targeted:
  – Financial institutions
  – Healthcare
  – Educational institutions
  – Retail
  – Service providers to targeted companies
The Sources of Exposures
[Diagram: cyber risks arising from criminal / malicious activity (fraud, theft, deceit, hacktivism, terrorism, rogue employees, external hackers, phishing, trojans, botnets) and from negligence / inadvertent activity, i.e. human error (system failure, poor data protection, security flaw, accidental disclosure, lost devices). Actors: insiders, outsiders, vendors/agents.]
Costs and Exposures From a Data Breach

Direct Response Costs
• Crisis management
  – Legal forensics
  – Mandatory notifications (PI/PHI)
  – Remediation to consumers
  – Remediation of breached system
  – Contractual indemnities and penalties
• Claims
  – Contractual
  – Third parties affected (clients, consumers)
  – Legal fees for defense
  – Settlements/judgments

Business Costs
• Business disruption
• Management resources
• Impairment of systems and equipment
• Reputation harm
• Customer turnover
• Loss of profits/earnings
• Reconstitution of lost data
• Marketing
• Voluntary notifications
• Loss of IP/secrets/business opportunities
Legal and Regulatory Framework
• Three themes
  – Privacy: collecting, using, and disclosing/sharing certain levels of data about individuals
  – Security: protecting data against loss, unauthorized acquisition, misuse, or damage; implementing “reasonable” & “appropriate” measures to protect data
  – Breach notification: notifying those affected and governmental agencies when security is breached
    o Content and notice requirements vary
    o Generally “breach” is defined to mean unauthorized acquisition or misuse of found information
    o In some states/regulations, unauthorized access is sufficient
    o Not all require likelihood of harm
• Requirements can vary depending on jurisdiction, agency with oversight, type of entity breached and type of data
 State Laws Mandating Security and Breach Response
 47 States Have Breach Response Requirements
 Lesser Number (But Growing) Have Security Requirements
 Expanding Requirements (e.g., Level of Encryption) and Scope (Types of Information)
 State Laws Mandating Disclosure of Collection, Usage
and Security Practices
 Business Practices Are Under Scrutiny
 Growing Trend to Regulate and Enforce (Starting in California)
25
Legal and Regulatory Framework
 Federal and Sector-Specific Laws and Regulations
 Not Yet National Statute Re Security and Breach Notice, Though Bills Pending
 Both Federal Agency and State Agency Can Enforce
 Healthcare: HIPAA and HiTech
 Financial: Gramm-Leach-Bliley, et al.
 Public Companies: SEC (Disclosure Guidelines)
 Also: Red Flags Rule, FCRA, Can-Spam, Video Privacy Protection Act, etc.
 Federal Agency Guidelines: SEC, FTC, FDA, FCC, NIST For Critical Infrastructure, etc.
 International: Data Security and Response Requirements
 Cross-Boarder Transfer of Information About Individuals and Other Countries
 Recent Upheaval Re: U.S. Safe Harbor Program for Transfer
of PI to U.S. Declared Invalid By E.U. Commission October 6, 2015
Legal and Regulatory Framework
 Increasing Enforcement
 Regulatory Enforcement Actions More Frequent & Resulting in Larger
Settlements
o 20 years of monitoring/audits
 AGs, OCR (healthcare) and Other Regulatory Agencies Focus on Companies
That:
o Knew or should have known of a problem
o Did not do pre-incident assessment of their data and their security
o Did not have incident response plans in place
 FTC Enforcement Focused on Unfair and Deceptive Trade Practices
o “Unfair” -- Inadequate security
o “Deceptive” – Not act in conformity with policies and statements
 Private Litigation/Class Actions
27
Industry Internal Regulation: Credit / Debit Cards
• PCI DSS (Payment Card Industry Data Security Standard)
  – Contract-based obligations applicable to all involved in the chain of card processing
  – Requires specified security measures to protect credit card transactions
  – Incorporated into some state statutes (e.g., Nevada, New Mexico, Washington)
  – New rules require due diligence and responsibility for vendors
• Major factor in any credit card breach
  – Most entities not fully compliant with PCI DSS
• Liability impact
  – Breached merchants contractually liable for substantial assessments/fines for PCI DSS violations that led to breaches
  – Basis of negligence and other allegations in third-party claims
  – New liability shifting for costs of fraudulent transactions if merchant does not institute new chip card processing
Litigation Trends: Statutory, Regulatory, Contractual
• Holding companies accountable
  – For your own practices
  – For your business partners
    o Due diligence of vendors
  – If you are a vendor, responsibility for sensitive information of clients that you access, e.g.:
    o Business associates & HIPAA-covered entities
    o Notice obligations if breach, at least to business client
  – Scrutinizing pre-breach efforts at compliance, not just breach and post-breach response
• Litigation arising from breaches of PI
  – Failure to adequately secure information
  – Failure to timely notify of breach
  – Failure to adequately respond to breach
  – Misrepresentation of security vulnerability, effect (pre-breach, post-breach)
  – Unjust enrichment (part of fees paid is for security not provided)
  – Lost value of stolen information
  – Loss of use of service or hardware
  – Violation of consumer protection statutes → statutory $ awards
    o Avoids issue of whether plaintiffs sustained actual damage
  – > 80 different causes of action have been identified
• Potential plaintiffs
  – Consumers whose information is accessed (consumer class actions)
  – Financial institutions affected (fraud charges, card replacement costs, etc.)
  – Shareholder/derivative suits
    o Share price drops
    o Wasting of corporate assets
    o Board approval of inadequate security / failure to assess/address vulnerabilities
    o Misrepresentation / failure to disclose: cause, information at risk, remediation
  – Breached entity seeking contribution from others contributing to lapse in security: vendors, advisors, etc.
  – Regulators
• Potential defendants
  – Breached entities
  – Vendors holding an access route to information
  – Security vendors involved in security or design, security assessments, or remediation
  – Professional advisors
  – D&Os approving company security policies, responses and financial disclosures
Other Privacy Litigation
• Theories of liability for non-breach privacy lawsuits
  – Consumer tracking / online behavioral advertising
    o Improper collection practices
    o Improper disclosures
  – Statutory violations that are not data breaches per se
  – Privacy violations from business practices
    o Wrongful collection/sale of PI
    o Failure to disclose collection/sharing of PI (e.g., California)
    o Adequacy of privacy policies (websites, mobile apps)
    o Non-compliance with representations in privacy policies
    o Zip codes as wrongfully collected PI by retailers without need (California, Massachusetts, and possibly other states in future)
    o Unauthorized distribution (blasting, e.g., TCPA)
    o Restrictions on recording of business calls with consumers
• Trend toward asserting violations of unfair trade practices and consumer protections → seeking statutory damages
Factors Reducing Costs of Breaches
• Board-level involvement in breach
• Insurance protection
• Industry
  – Regulated industries, such as healthcare and education, more costly
  – Ponemon study
• Company has plans in place
  – Incident response plan
  – Lawyer on retainer
  – Pre-negotiated contracts/rates for forensics, customer notification, call centers, credit card monitoring
• Increased costs if breach due to hackers/criminal insiders (47% of breaches)
  – Verizon study
Risk Management Tips
• Be prepared
  – Be aware of the issues and vulnerabilities
    o Yours
    o Your business partners’
  – Identify your data assets and where sensitive data is located
    o On your systems and within your company
  – Perform risk/threat assessments, and identify controls and their effectiveness
  – Allocate resources: $, management
    o SEU
  – Create policies and procedures before an incident
    o Privacy
    o Training
    o Incident response
    o Vendor selection, due diligence and management
  – Accept it is not just an IT issue
    o Preparedness & response requires involvement of all departments, including: C-Suite, Legal, IT, Risk Management, Human Resources, Marketing, Operations
  – Institute a culture of compliance
    o “Privacy by Design”
  – Practice
    o Table tops, “fire drills”
    o Legal compliance
• Identify
  √ High risk, high value data and risks of loss/breach
  √ Controls
• Protect
  √ Create systematic protections, bring in technology & experts to address vulnerabilities & increase protections
  √ Due diligence on vendors
• Prepare
  √ Develop policies and response plans
  √ Risk transfer: insurance, contractual indemnity with vendors
• Train
  √ Train all employees
  √ Table tops, drills
  √ Test
• Repeat
Questions?
Cyber Liability – Network Security and Privacy
Agenda
• Identify exposures
• Third party liability
• First party losses
• Other coverage sections
• Claims
• Sample situation
• AIG enhancements
• Conclusion
How Do We Identify Exposures?
• Do you handle confidential information?
  – Own company (including employees)
  – Clients (confidential, personal, or commercial)
• Where do you store the information?
  – Computer network – do you operate the network yourself or outsource to a vendor?
  – Paper records
• Do you have a website?
  – What content is on the site?
  – Can employees or third parties upload content (blog, post pictures or comments)?

HOW CAN AN EVENT OCCUR?
• Internally
  – Employees/vendors
  – Malicious – stealing information (card skimming)
  – Negligence – lost resources (laptop, smart phone, tablet)
  – Vendor contracts – indemnification
• Externally
  – Individual hackers / organized crime
  – Stealing information
  – Sending viruses / malicious code
  – Disruption of business (vandalism)

THIRD PARTY COVERAGE
• Network security failure
  – Failure of a company to protect their computer systems
  – Virus, malicious code, malware attacks
• Privacy event
  – Failure to protect confidential information
  – Personal or corporate; online or offline
  – Violation of any federal, state, or local privacy statute
  – Failure to comply with PCI-DSS standards
• Allegations can be brought by
  – Government agencies, individuals, businesses or administrative

FIRST PARTY COVERAGE
• Event management – incident response plan
  – Breach consultation – legal consultation
  – Forensic investigation
  – Public relations services
  – Notification to consumers based on state mandate
  – Providing ID monitoring / credit monitoring
  – Lost electronic data
• Network interruption
  – Addresses loss of income and operating expenses resulting from the interruption or suspension of business due to a failure of network security
• Cyber extortion
  – Provides coverage for extortion threats against a company’s computer network and confidential information by an outsider seeking money or other valuables

THIRD PARTY COVERAGE: Media Content Liability
• Companies have published content
  – Website, print, broadcast
• Typical types of claims
  – Trademark and copyright infringement
  – Defamation, false light and imprisonment
  – Product disparagement, infliction of emotional distress
CYBEREDGE BREACH RESOLUTION TEAM
• 24/7 hotline staffed by IBM experts to respond to Insureds’ concern that they may be the victim of a breach
• The IBM experts will go over key indicators of a breach with the Insured’s IT department to determine if one has indeed occurred.
• If a breach is suspected or has occurred, Insureds will be automatically connected with our CyberEdge Breach Resolution Team.
CyberEdge Hotline: 1-800-CYBR-345 (292–7345)
© American International Group, All rights reserved.

BREACH RESPONSE TIMELINE (figure)
SAMPLE SITUATION
• HIPAA: privacy regulations that govern the healthcare industry
• HITECH Act (Health Information Technology for Economic and Clinical Health Act)
  – Enacted on February 17, 2009
  – Breach notification requirements for HIPAA covered entities + business associates
  – Breach notification applies to HIPAA to promote the adoption and meaningful use of health information technology
  – Subtitle D of the HITECH Act addresses the privacy and security
  – Outlines the guidelines for who, what, where, when a privacy breach occurs
[Figure: PHI life cycle – access, record, maintain, destroy, retain, hold, modify, use. Source: www.healthit.gov]
Covered Entity: Hospital
GUIDELINES (Source: www.healthit.gov)
If…                                          | Then…
Breach occurs                                | Written notice, first class mail at last known address, as soon as practicable and no later than 60 days after discovery of breach
Individual is deceased                       | Notify next of kin
Insufficient information for 10+ individuals | Home page of website of covered entity, or major print or broadcast media
Urgent                                       | Telephone
500+ residents in a given state              | 1. Prominent media outlet within the state; 2. Notify the Secretary within 60 days; 3. Secretary to post on an HHS web site a list that identifies each covered entity involved
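As an added example (not from the presentation or healthit.gov), the If/Then table above can be turned into a checklist generator that an incident responder runs against the facts of a breach. The input shape, the `urgent` flag and the sample breach are assumptions; the rules and the 60-day deadline follow the table.

```python
"""Added example (not from the presentation): HITECH breach-notification
checklist derived from the If/Then guideline table. The Breach record
shape and the sample values below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Breach:
    discovered: date                 # date the breach was discovered
    affected: int                    # individuals whose unsecured PHI was involved
    deceased: int = 0                # affected individuals known to be deceased
    insufficient_contact: int = 0    # individuals with no usable mailing address
    residents_by_state: dict = field(default_factory=dict)  # state -> count
    urgent: bool = False             # assumed flag: possible imminent misuse of the PHI


def notice_deadline(discovered):
    """'No later than 60 days after discovery of breach'."""
    return discovered + timedelta(days=60)


def notification_plan(b):
    """Return the list of notification actions the table requires for breach b."""
    deadline = notice_deadline(b.discovered).isoformat()
    steps = []
    if b.affected > 0:
        steps.append("Written notice by first class mail to last known address, "
                     f"as soon as practicable and no later than {deadline}")
    if b.deceased > 0:
        steps.append(f"Notify next of kin for {b.deceased} deceased individual(s)")
    if b.insufficient_contact >= 10:
        steps.append("Post on home page of the covered entity's website, or notice in "
                     "major print or broadcast media (insufficient information for 10+ individuals)")
    if b.urgent:
        steps.append("Telephone notice in addition to written notice")
    for state, n in sorted(b.residents_by_state.items()):
        if n >= 500:
            steps.append(f"{state}: notify a prominent media outlet within the state")
            steps.append(f"{state}: notify the Secretary (HHS) no later than {deadline}; "
                         "the Secretary posts the covered entity on the HHS web site list")
    return steps


# Constructed sample: a hospital breach discovered on the presentation date.
SAMPLE = Breach(discovered=date(2015, 11, 18), affected=1200, deceased=2,
                insufficient_contact=15, residents_by_state={"NY": 900, "NJ": 300})

if __name__ == "__main__":
    for i, step in enumerate(notification_plan(SAMPLE), 1):
        print(f"{i}. {step}")
```

For the sample, the 300 New Jersey residents fall below the 500-resident threshold, so only New York triggers the media and Secretary notices; the written mail notice and next-of-kin notice apply regardless of size.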
NOTIFICATION REQUIREMENTS (Source: www.healthit.gov)
• Letters/e-mail typically include the following:
  – Description of what happened, date of the breach and the date of the discovery of the breach
  – Description of the types of unsecured PHI that were involved in the breach (i.e. full name, Social Security number, date of birth etc.)
  – The steps individuals should take to protect themselves from potential harm resulting from the breach
  – Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
  – Contact procedures for individuals
AIG VALUE PROPOSITION

AIG Enhancements

INFRASTRUCTURE VULNERABILITY SCANNING, POWERED BY IBM
• Detects vulnerabilities across network devices, servers, web applications, and databases to help reduce risk exposure and better manage compliance requirements
• Strong security expertise provides vulnerability identification with a resulting prioritized plan for remediation and improved security
Key Components
• Reports help demonstrate compliance with federal, state and industry regulations
• Assess an environment from either the external or internal perspective
• IBM Security expertise improves accuracy of findings and reduces mitigation time
• Consultation on recommendations for improved security
AIG ENHANCEMENTS

WHAT IS IP SHUNNING?
• Leading edge global threat intelligence and technology that isolates and shuns IP addresses currently being used by criminals.
• Before initiating an attack on a network, criminals first conduct reconnaissance to confirm that certain IP addresses are viable targets.
• Shunning prevents these criminal communications from reaching a network and confirming the IP addresses as viable targets.

DYNAMIC THREAT MATRIX (figure)
IP SHUNNING TYPICAL DEPLOYMENT (figure)
BLOCKED ATTACKS BY TYPE (figure)
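As an added example (not AIG's or IBM's product code), the following Python sketch shows the mechanism the slide describes at its simplest: a shun list of attacker-attributed networks from a threat feed is applied at the edge, and connections from those ranges are dropped before any reply can confirm a live target. The shun list, the log format and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Added example (not from the presentation): IP shunning as an edge filter
driven by a threat-intelligence list. Feed contents and log lines are constructed."""
import ipaddress
from collections import Counter

# Constructed threat feed: networks currently attributed to attacker infrastructure.
SHUN_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/27")]

# Constructed edge log: "timestamp source_ip dest_port event".
LOG_LINES = """\
2015-11-18T09:00:01 203.0.113.7 22 syn
2015-11-18T09:00:02 203.0.113.7 443 syn
2015-11-18T09:00:03 192.0.2.10 443 syn
2015-11-18T09:00:04 198.51.100.70 3389 syn
2015-11-18T09:00:05 198.51.100.10 443 syn
2015-11-18T09:00:06 203.0.113.200 80 syn
""".splitlines()


def is_shunned(ip_text):
    """True if the source address falls inside any shunned network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in SHUN_LIST)


def filter_connections(lines):
    """Split connection attempts into (passed, dropped) lists of (src, port).
    Dropped attempts get no response at all, so a scanner learns nothing about
    which addresses behind the edge are live."""
    passed, dropped = [], []
    for line in lines:
        _ts, src, port, _event = line.split()
        (dropped if is_shunned(src) else passed).append((src, int(port)))
    return passed, dropped


def dropped_by_port(lines):
    """Count of shunned attempts per destination port (a 'blocked attacks by type' view)."""
    _, dropped = filter_connections(lines)
    return Counter(port for _, port in dropped)


if __name__ == "__main__":
    passed, dropped = filter_connections(LOG_LINES)
    print("passed:", passed)
    print("dropped:", dropped)
    print("dropped by port:", dict(dropped_by_port(LOG_LINES)))
```

Note the /27 boundary: 198.51.100.70 is inside 198.51.100.64/27 and is dropped, while 198.51.100.10 on the same /24 is not, which is why a shun list should carry exact feed prefixes rather than rounded-up ranges.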
CYBEREDGE RISKTOOL
 Web-based customizable risk management platform
 Manage the human element of cyber risk and manage compliance
 Pre-populated with:
 Corporate security policies
 Training with exams
 Self assessments and risk guides
 Simplifies and documents end user training
 Unlimited use
65
CYBEREDGE RISKTOOL
 Two complimentary hours from a specialized law firm to provide
guidance on building and executing an incident response plan, as well
as ensuring an organization is compliant with regulatory standards.
 One complimentary hour from a forensic firm on what an organization’s
technical response plan should include.
 One complimentary hour from a vetted public relations firm to discuss an
effective crisis communication plan to handle and mitigate the potential
reputational and brand risk an organization would face in the event of a
breach.
CONSULTATION SERVICES
COMPLIANCE/LEGAL CONSULTATION
American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130
countries. AIG companies serve commercial, institutional, and individual customers through one of the most extensive
worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and
retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange.
Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter:
@AIG_LatestNews | LinkedIn: http://www.linkedin.com/company/aig
AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of
American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and
services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not
be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be
provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus
lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.
Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is
a service mark of Apple Inc.
Android and Google Play are trademarks of Google Inc.
Shiraz Saeed - Product Specialist - Cyber Liability
Tel +1 908 679 3472 | Cell +1 908 698 2269 | shiraz.saeed@aig.com
Panel Discussion
 How do I mitigate my risk with
the growing use of mobile and
portable technologies?
 Policies and Education
 Social networking awareness
 Encryption
 Remote Wipes/Autolocks
 Obtaining employee consent
 Backing up company
information on an employee
device
 Do’s and Don’ts of mobile use
 Laptop Safety
 What should I be doing to prepare
my Company for the increased
regulations related to IT Security?
 Understand business activities
subject to regulation for privacy
considerations
▪ Disclosure of PI collections and
sharing procedures
▪ Website and mobile app privacy
▪ Credit card information
 Know how changes in business
operations impact compliance
requirements
 Accept responsibility for
compliance
▪ EXECUTIVE MANAGEMENT
▪ BOARD OF DIRECTORS
Questions?
Do You Know the SCORE?
• Security
• Compliance and
• Operations
• Risk
• Evaluation
Do You Know the SCORE?
• A high level assessment of the key
components of your IT environment:
–IT operations
–Physical security
–Logical security
–Mobile devices
–Recovery
–Network security
–Online security
–Data privacy and
security compliance
–System and
hardware controls
The SCORE Report
Michael Camacho, Partner
mcamacho@lgcd.com
Kevin Ricci, Director of IT
kricci@lgcd.com
 What are some of the things I need to consider when using 3rd
party service providers?
 For all vendors:
▪ Due diligence on their data
security
▪ Coordination of
representations in privacy
policies
▪ Allocation of responsibilities in
event of breach
▪ Terms in vendor agreements:
▪ Indemnification provisions
▪ Access provisions
▪ Insurance requirements (cyber
and other)
 Cloud computing
▪ Identify the assets for cloud
deployment
▪ Evaluate the assets
▪ Map the assets to the cloud
deployment model
▪ Evaluate potential cloud
service models
▪ Map out data flow
 What should I be doing to prepare
the Company for a breach?
 Screen new hires and vendors
 Annual risk assessments
 Educate employees
 Discuss privacy by design with
operations people
 Pre-arrange breach service providers
 Develop a cross functional privacy
committee for breach planning and
response
 Discuss information collection and
disclosure practices with all
departments
 Consider insuring against risks
 What can I do to better
protect my data from cyber
crime?
 Data Mapping - Understand
WHAT your sensitive data is
and WHERE it resides
 Perform a security risk
assessment
 Set security standards
 Develop comprehensive
policies
 Provide security training
 Adopt a business plan
 Spear Phishing Do’s and
Don’ts
Emerging Trends in Information Privacy and Security

  • 8. Former FBI Director Mueller: “There are two types of companies, those that have been hacked and those that don’t know it”
  • 9.  Gourav Mukherjee  Partner  Vaco Risk Solutions  Laurie Kamaiko  Partner  Sedgwick LLP  Shiraz Saeed  Product Specialist – Cyber Liability  AIG
  • 10.  Speaker Risk Discussions  Panel Discussion – Best Practices and Strategies  Question and Answer
  • 11. Presenter: Gourav Mukherjee, Partner CISA, CISSP, CRISC, QSA, JD Enterprise Data Security Roadmap
  • 12. With traditional culprits • Petty criminals • Organized crime • Governments
  • 14. Their targets and attack methods evolve 4
  • 15. Current Environment* Creates Cybersecurity Demands 5*Skyrocketing data breaches and diminishing privacy, accompanied by huge fines and disintegrating public trust
  • 16. Security morphs to “Cybersecurity” – Gartner Group: Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.
  • 17. Enterprise Data Security is a subset of Enterprise Cybersecurity 6
  • 19. It starts with the right people … (Diagram: People / Process / Technology; this slide highlights People – In-house staff, Partners, Outsourced Providers, Customers.) Security is only as good as its people. Points of Consideration:  People are the weakest link.  Staff will need a specialized skill set, and experienced staff are often difficult to find.  Current training is expensive, time consuming and non-effective.  Analysts are needed for 24x7 coverage; other supporting functions must be considered: system admins, intelligence resources, escalation resources, compliance officers, management / supervision.
  • 20. Integrated processes … (Diagram: People / Process / Technology; this slide highlights Process – Threat Analysis, Compliance Mgmt., SLA Mgmt., Risk Assessment, Change Mgmt., Vulnerability Mgmt., Identity & Access, Incident Mgmt.) Data Security processes and procedures must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements. Points of Consideration:  The Cybersecurity mission must be clearly defined – incident discovery, CERT, etc.  An alarm does not always equate to action.  Processes must take into consideration the evaluation and incorporation of a constantly changing stream of potential threats.  Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.
  • 21. Built on a solid technology platform (Diagram: People / Process / Technology; this slide highlights Technology – Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt., Ticketing System, Change Tracking.) Technology is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc. Points of Consideration:  Security technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity.  The number of disparate systems and the volume of device / event data will typically require a dedicated IT staff for system administration.  Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.  The management and reporting systems must be flexible enough to accommodate process and security policy changes as well as changes in the technology landscape.
  • 22. The changing requirements for enterprise data security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of security. (Comparison table from the slide:)

    Area / Element                  | Security: Detect & react to threats.    | Cybersecurity: Proactive. Visible. Anticipate threats. Mitigate risks.
    --------------------------------|-----------------------------------------|-----------------------------------------------------------------------
    Mission & Strategy – Charter    | Technology or service only              | Build a dedicated security operations capability
    Mission & Strategy – Governance | Self governed (IT Security)             | Cross-functional (IT, Business, Audit, etc.)
    Mission & Strategy – Strategy   | Budget based, 12 month planning cycle   | 3+ year cycle, priorities set by enterprise
    Technology – Tools              | SIEM tool only                          | SIEM, ticketing, portal/dashboard, Big Data
    Technology – Use Cases          | Standard rules, minimal customization   | Tailored rules based on risk & compliance drivers
    Technology – Referential Data   | Minimal importance, secondary priority  | Required data, used to prioritize work
    Operations Management – Measures| Silos, ticket/technology driven         | Cross-functional, efficiency, quality, KPI/SLO/SLA
    Operations Management – Reporting| Ticket/technology driven               | Metrics, analytics, scorecards, & dashboards
  • 23. There is no app for enterprise data security… ….Don’t be a FOOL and think you just need to buy a TOOL
  • 25. Information (Data) Life Cycle (Source: ISACA.ORG) – To identify residual risks and select appropriate technical measures and activities to protect confidential data, an organization must first understand how information flows throughout its systems over time and how the information is accessed and processed at different stages.
  • 26. Principles of Data • Principle 1: Honor policies throughout the confidential data life span. This includes a commitment to process all data in accordance with applicable statutes and regulations, preserve privacy and respect customer choice and consent, and allow individuals to review and correct their information if necessary. • Principle 2: Minimize risk of unauthorized access or misuse of confidential data. The information management system should provide reasonable administrative, technical and physical safeguards to ensure confidentiality, integrity and availability of data. • Principle 3: Minimize the impact of confidential data loss. Information protection systems should provide reasonable safeguards, such as encryption, to ensure the confidentiality of data that are lost or stolen. Appropriate data breach response plans and escalation paths should be in place, and all employees who are likely to be involved in breach response should receive training. • Principle 4: Document applicable controls and demonstrate their effectiveness.
  • 27. Roadmap to Data Security 17 Classification Discovery Security Enforcement Monitoring
  • 28. Classification • Determine what data are sensitive to the organization, either for regulatory compliance and/or internally. ▫ Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees within the organization regarding data stewardship ▫ To be effective, a classification scheme should be simple enough that all employees can execute it properly. • EDUCATE and TRAIN 18
  • 29. Discovery • Find out where the sensitive data are located, how they flow, who can access them, performance and other requirements for security. ▫ Data Mapping: Structured and Unstructured Data  Location  Relevance  Sensitivity  Use  Correctness ▫ Cleanup/Remediate ▫ EDUCATE and TRAIN 19
  • 30. Security • Apply the data security method(s) that best achieve the requirements from discovery, and protect the data according to the sensitivity determined in classification. ▫ Data at rest, in transit and at disposal ▫ Frameworks  Cybersecurity framework – NIST  ISACA  ISO 27001  Best Practices ▫ EDUCATE and TRAIN 20
  • 31. Enforcement • Design and implement processes and technology to disclose sensitive data only to authorized users, according to the least possible amount of information required to perform job functions (least-privilege principle). ▫ EDUCATE and TRAIN 21
  • 32. Monitoring • Ensure ongoing, highly granular monitoring of any attempts to access sensitive data. Monitoring is the only defense against authorized user data abuse. ▫ Internal and External ▫ EDUCATE and TRAIN 22
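  The Classification, Enforcement and Monitoring steps of the roadmap above, carried through as one added example (this is not code from the presentation or from any of the presenting firms): field-level sensitivity labels, a least-privilege check that grants a request only the fields the caller's job function needs, and an access monitor that logs every read of restricted data and flags authorised users whose volume exceeds a daily baseline, which is the "authorized user data abuse" the Monitoring slide says only monitoring can catch. The field names, roles, user names, the 25-reads-per-day baseline and the customer records are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# --- Classification -------------------------------------------------------
# Sensitivity level of each field in a customer record. The levels and field
# names are assumptions made for this example, not a standard scheme.
CLASSIFICATION = {
    "customer_id": "public",
    "name": "internal",
    "email": "internal",
    "ssn": "restricted",
    "card_number": "restricted",
    "diagnosis": "restricted",
}

# --- Enforcement: least privilege ----------------------------------------
# The smallest set of fields each job function needs. Roles are assumed.
ROLE_FIELDS = {
    "support": {"customer_id", "name", "email"},
    "billing": {"customer_id", "name", "card_number"},
    "clinician": {"customer_id", "name", "diagnosis"},
}


def authorize(role, requested):
    """Split a requested field list into (granted, denied) for the given role.

    Unknown roles get nothing; a request is never widened beyond ROLE_FIELDS.
    """
    allowed = ROLE_FIELDS.get(role, set())
    granted = [f for f in requested if f in allowed]
    denied = [f for f in requested if f not in allowed]
    return granted, denied


# --- Monitoring -----------------------------------------------------------
@dataclass
class AccessMonitor:
    """Logs every read of sensitive fields and flags authorised users whose
    restricted-data volume exceeds a daily baseline. The baseline of 25 reads
    per user per day is an assumed value chosen for the example."""
    daily_limit: int = 25
    events: list = field(default_factory=list)
    restricted_reads: Counter = field(default_factory=Counter)

    def access(self, user, role, record, requested, day):
        """Enforce least privilege on one read, log it, and return the visible fields."""
        granted, denied = authorize(role, requested)
        restricted = [f for f in granted if CLASSIFICATION.get(f) == "restricted"]
        self.events.append({
            "day": day, "user": user, "role": role,
            "customer_id": record["customer_id"],
            "restricted_read": restricted, "denied": denied,
        })
        self.restricted_reads[(user, day)] += len(restricted)
        return {f: record[f] for f in granted}

    def volume_alerts(self):
        """(user, day, count) for authorised users who read more restricted data than the baseline."""
        return sorted((u, d, n) for (u, d), n in self.restricted_reads.items()
                      if n > self.daily_limit)

    def denied_attempts(self):
        """Reads that asked for fields outside the caller's role (a policy or training signal)."""
        return [e for e in self.events if e["denied"]]


def simulate():
    """Constructed scenario: normal billing use, one over-broad support request,
    and one billing user reading card numbers in bulk. All users and data are made up."""
    def customer(i):
        return {"customer_id": i, "name": f"Customer {i}", "email": f"c{i}@example.com",
                "ssn": "000-00-0000", "card_number": "4111111111111111", "diagnosis": "n/a"}

    mon = AccessMonitor()
    for i in range(5):                      # alice, billing: a normal day's volume
        mon.access("alice", "billing", customer(i), ["name", "card_number"], "2015-11-18")
    # bob, support: asks for a card number his role does not need; it is withheld and logged
    mon.access("bob", "support", customer(7), ["name", "card_number"], "2015-11-18")
    for i in range(40):                     # mallory, billing: authorised, but far above baseline
        mon.access("mallory", "billing", customer(100 + i), ["name", "card_number"], "2015-11-18")
    return mon


if __name__ == "__main__":
    monitor = simulate()
    print("volume alerts:", monitor.volume_alerts())
    print("denied attempts:", [(e["user"], e["denied"]) for e in monitor.denied_attempts()])
```

  In a real deployment the `events` list would be shipped to the SIEM or log management platform named on the technology slide, and the daily baseline would come from each role's observed history rather than a constant; the point of the example is that enforcement and monitoring share the same classification table, so a field cannot be granted without also being counted.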
  • 33. 23 Enterprise Data Security is a subset of Enterprise Cybersecurity NIST 800-53
  • 35. EMERGING TRENDS IN DIGITAL PRIVACY AND SECURITY: THE LEGAL LANDSCAPE Laurie Kamaiko Cybersecurity and Privacy Group Sedgwick LLP New York Office Laurie.Kamaiko@sedgwicklaw.com Telephone 212.898.4015 12
  • 36. Cyber Risks – Why Do You Care?  Every company is vulnerable if subject to a successful cyber attack  Every company is subject to a loss or cost  Every company is subject to statutory or regulatory compliance of some kind, especially if a breach of personal information  resultant risk of regulatory inquiry and litigation
  • 37. Cyber Risks – Why Do You Care?  Every company can reduce these risks and resultant costs by:  Awareness  Preparedness  Reducing human error element
  • 38. Current & Impending Cyber Risks & Exposures Data Breaches of Personally Identifiable Information (PI) and Protected Health Information (PHI) of Individuals  Type of information defined by statutes and regulations  Heavily regulated to protect against identity theft and fraudulent transactions  Security requirements  Breach response requirements  Traditionally name plus:  Financial account, payment card numbers  Government-issued identification, social security number, etc.  Variations Include: Health information, insurance account  Trend toward expansion of what constitutes protected PI:  Online account credentials  Medical biometric information 15
  • 39. Current & Impending Cyber Risks & Exposures  Theft of Other Confidential Information  Trade secrets / IP / business secrets  Client/customer secrets  Cyber attacks on property and business functions  Denial of service attacks/disruption of business and operating systems  Targeting your company  Targeting others or critical infrastructure  affecting your company  Financially motivated versus malicious versus political  Extortion 16
  • 40. Current & Impending Cyber Risks & Exposures  Business Practices in Collection/Usage/Disclosure of Information About Individuals  Online behavior tracking  Collection and usage of information on individuals  Sharing of that information  Disclosure of collection and sharing  Storage beyond need  Zip code collection (when not necessary for credit card transaction)  Privacy policy and terms of use statements/sufficiency  Increased use of vendors 17
  • 41. Current & Impending Cyber Risks & Exposures  “Big Data”  Collection and analysis of data about consumer and populations has become important to most companies  Its use and transferability are part of many corporate transactions  Planning  Marketing  Acquisitions  Divestitures  Data Security, privacy and practices present myriad of (non) compliance risks  Laws  Regulations  Controls  Due diligence obligations
  • 42. Current & Impending Cyber Risks & Exposures  Increasing Risks From:  Internet of Things  Increased Interconnectivity  Increased Vulnerability  13.4 Billion in 2015  > 25 to 75 Billion Interconnected Devices by 2020  Increased Use of Vendors  Vendor Vulnerability  Access to company data  Avenue for malware intrusion  Lack of control  increased need for due diligence  Contractual responsibilities and liabilities  Incorporating Use of Personal Devices and Social Media Into Work Place 19
  • 43. Current & Impending Cyber Risks & Exposures  Increasing National/Regulatory Agency/Industry Standards  Expansion of statutory liabilities  Increased regulatory enforcement  Increase in contractual responsibilities o All increase potential liabilities for non-compliance o Compliant today may not be compliant tomorrow  Growth of Contractual Obligations o Security o Breach response o Indemnity 20
  • 44. Current & Impending Cyber Risks & Exposures  All entities are at risk  Employee information  Customers’/clients’ information  Business information  Functions you perform for others  Functions others perform for you  Small company does not mean small risk  Industries most targeted:  Financial Institutions  Healthcare  Educational institutions  Retail  Service providers to targeted companies 21
  • 45. The Sources of Exposures CYBER RISKS: Fraud, Theft, Deceit, Hacktivism, Terrorism, Rogue Employees, External Hackers, Phishing, Trojans, Botnets, System Failure, Poor Data Protection, Security Flaw, Accidental Disclosure, Lost Devices. Negligence / Inadvertent Activity (Human Error) versus Criminal / Malicious Activity. Insiders ▪ Outsiders ▪ Vendors/Agents 22
  • 46. Costs and Exposures From a Data Breach Direct Response Costs  Crisis Management • Legal forensics • Mandatory notifications (PI/PHI) • Remediation to consumers • Remediation of breached system • Contractual indemnities and penalties  Claims • Contractual • Third parties affected (clients, consumers) • Legal fees for defense • Settlements/judgments Business Costs  Business disruption  Management resources  Impairment of systems and equipment  Reputation Harm  Customer turnover  Loss of profits/earnings  Reconstitution of lost data  Marketing  Voluntary notifications  Loss of IP/secrets/business opportunities 23
  • 47. Legal and Regulatory Framework  Three Themes  Privacy  Collecting, using, and disclosing/sharing certain levels of data about individuals  Security  Protecting data against loss, unauthorized acquisition, misuse, or damage; implementing “reasonable” & “appropriate” measures to protect data  Breach Notification  Notifying those affected and governmental agencies when security is breached  Content and notice requirements vary  Generally “breach” defined to mean:  Unauthorized acquisition or misuse of found information  In some states/regulations, unauthorized access sufficient  Not all require likelihood of harm. Requirements can vary depending on jurisdiction, agency with oversight, type of entity breached and type of data. 24
  • 48. Legal and Regulatory Framework  State Laws Mandating Security and Breach Response  47 States Have Breach Response Requirements  Lesser Number (But Growing) Have Security Requirements  Expanding Requirements (e.g., Level of Encryption) and Scope (Types of Information)  State Laws Mandating Disclosure of Collection, Usage and Security Practices  Business Practices Are Under Scrutiny  Growing Trend to Regulate and Enforce (Starting in California) 25
  • 49. Legal and Regulatory Framework  Federal and Sector-Specific Laws and Regulations  Not Yet National Statute Re Security and Breach Notice, Though Bills Pending  Both Federal Agency and State Agency Can Enforce  Healthcare: HIPAA and HiTech  Financial: Gramm-Leach-Bliley, et al.  Public Companies: SEC (Disclosure Guidelines)  Also: Red Flags Rule, FCRA, Can-Spam, Video Privacy Protection Act, etc.  Federal Agency Guidelines: SEC, FTC, FDA, FCC, NIST For Critical Infrastructure, etc.  International: Data Security and Response Requirements  Cross-Border Transfer of Information About Individuals and Other Countries  Recent Upheaval Re: U.S. Safe Harbor Program for Transfer of PI to U.S. Declared Invalid By E.U. Commission October 6, 2015
  • 50. Legal and Regulatory Framework  Increasing Enforcement  Regulatory Enforcement Actions More Frequent & Resulting in Larger Settlements o 20 years of monitoring/audits  AGs, OCR (healthcare) and Other Regulatory Agencies Focus on Companies That: o Knew or should have known of a problem o Did not do pre-incident assessment of their data and their security o Did not have incident response plans in place  FTC Enforcement Focused on Unfair and Deceptive Trade Practices o “Unfair” -- Inadequate security o “Deceptive” – Not act in conformity with policies and statements  Private Litigation/Class Actions 27
  • 51. Industry Internal Regulation: Credit / Debit Cards  PCI – DSS (Payment Card Industry Data Security Standards)  Contract-based obligations applicable to all involved in chain of card processing  Requires specified security measures to protect credit card transactions  Incorporated into some state statutes (e.g., Nevada, New Mexico, Washington)  New rules require due diligence and responsibility for vendors • Major Factor in Any Credit Card Breaches  Most entities not fully compliant with PCI DSS • Liability Impact  Breached merchants contractually liable for substantial assessments/fines for PCI-DSS violations that led to breaches  Basis of negligence and other allegations in third-party claims  New liability shifting for costs of fraudulent transactions if merchant does not institute new chip card processing 28
  • 52. Litigation Trends: Statutory, Regulatory, Contractual  Holding Companies Accountable  For Your Own Practices  For Your Business Partners  Due Diligence of Vendors  If You Are a Vendor, Responsibility for Sensitive Information of Clients That You access, e.g.,:  Business Associates & HIPAA-Covered Entities  Notice Obligations If Breach, at Least to Business Client  Scrutinizing Pre-Breach Efforts at Compliance, If Not Just Breach and Post-Breach Response
  • 53. Litigation Trends: Statutory, Regulatory, Contractual  Litigation Arising From Breaches of PI  Failure to adequately secure information  Failure to timely notify of breach  Failure to adequately respond to breach  Misrepresentation of security vulnerability, effect  Pre-Breach  Post-Breach  Unjust enrichment (part of fees paid is for security not provided)  Lost value of stolen information  Loss of use of service or hardware  Violation of consumer protection statutes  statutory $ awards  Avoids Issue of Whether Plaintiffs Sustained Actual Damage  > 80 different causes of action have been identified 30
  • 54. Litigation Trends: Statutory, Regulatory, Contractual  Potential Plaintiffs  Consumers whose information is accessed (consumer class actions)  Financial institutions affected (fraud charges, card replacement costs, etc.)  Shareholder/derivative suits  Share price drops  Wasting of corporate assets  Board approval of inadequate security / failure to assess and address vulnerabilities  Misrepresentation/failure to disclose:  Cause, Information at Risk, Remediation  Breached entity seeking contribution from others contributing to lapse in security: vendors, advisors, etc.  Regulators 31
  • 55. Litigation Trends: Statutory, Regulatory, Contractual  Potential Defendants  Breached entities  Vendors holding an access route to information  Security vendors involved in security or design, security assessments, or remediation  Professional advisors  D&Os approving company security policies, responses and financial disclosures 32
  • 56. Other Privacy Litigation  Theories of Liability for Non-Breach Privacy Lawsuits  Consumer Tracking/Online Behavioral Advertising  Improper collection practices  Improper disclosures  Statutory Violations That are Not Data Breaches Per Se  Privacy Violations – From Business Practices  Wrongful collection/sale of PI  Failure to disclose collection/sharing of PI (e.g., California)  Adequacy of privacy policies (websites, mobile apps)  Non-compliance with representations in privacy policies  Zip codes as wrongfully collected PI by retailers without need (California, Massachusetts, and possibly other states in future)  Unauthorized distribution (blasting, e.g., TCPA)  Restrictions on recording of business calls with consumers  Trend toward asserting violations of unfair trade practices and consumer protections  seeking statutory damages 33
  • 57. Factors Reducing Costs of Breaches  Board-Level Involvement in Breach  Insurance Protection  Industry  Regulated Industries, Such as Healthcare and Education, More Costly  Ponemon study
  • 58. Factors Reducing Costs of Breaches  Company Has Plans In Place  Incident Response Plan  Lawyer on Retainer  Pre-Negotiated Contracts/Rates for Forensics, Customer Notification, Call Centers, Credit Card Monitoring  Increased Costs if Breach due to Hackers/Criminal Insiders (47% Breaches)  Verizon study
  • 59. Risk Management Tips  Be Prepared  Be Aware of the Issues and Vulnerabilities o Yours o Your Business Partners  Identify Your Data Assets and Where Sensitive Data Is Located o On Your Systems and Within Your Company  Perform Risk Threat Assessments, and Identify Controls and Their Effectiveness  Allocate Resources: $, Management o SEU  Create Policies and Procedures Before an Incident  Privacy  Training  Incident Response ■ Vendor Selection, Due Diligence and Management 36
  • 60. Risk Management Tips • Be Prepared continued  Accept It Is Not Just an IT Issue  Preparedness & response requires involvement of all departments, including: C-Suite, Legal, IT, Risk Management, Human Resources, Marketing, Operations  Institute a Culture of Compliance  “Privacy by Design”  Practice  Table Tops, “Fire Drills”  Legal Compliance
  • 61. Risk Management Tips  Identify √ High Risk, High Value Data and Risks of Loss Breach √ Controls  Protect √ Create Systematic Protections, Bring in Technology & Experts to Address Vulnerabilities & Increase Protections √ Due Diligence on Vendors  Prepare √ Develop Policies and Response Plans √ Risk Transfer: Insurance, Contractual Indemnity with Vendors  Train √ Train all employees √ Table tops, Drill √ Test  Repeat 38
  • 62. Laurie Kamaiko Cybersecurity and Privacy Group Sedgwick LLP New York Office Laurie.Kamaiko@sedgwicklaw.com Telephone 212.898.4015 39 Questions?
  • 63. Cyber Liability – Network Security and Privacy
  • 64.  Identify exposures  Third party liability  First party losses  Other coverage sections  Claims  Sample situation  AIG enhancements  Conclusion 41 Agenda
  • 65. How Do We Identify Exposures?  Do You Handle Confidential Information? – Own company (including employees); Clients (confidential, personal, or commercial)  Where Do You Store The Information? – Computer network (do you operate the network yourself or outsource to a vendor?); Paper records  Do You Have A Website? – What content is on the site? Can employees or third parties upload content (blog, post pictures or comments)? 42
  • 66.  Internally – Employees/Vendors – Malicious - Stealing Information (Card Skimming) – Negligence – Lost Resources (Laptop, Smart Phone, Tablet) – Vendor Contracts – Indemnification  Externally – Individual Hackers/Organized Crime – Stealing Information – Sending Viruses/Malicious Code – Disruption Of Business (Vandalism) 43 HOW CAN AN EVENT OCCUR?
  • 67.  Network Security Failure – Failure of a company to protect their computer systems – Virus, malicious code, malware attacks  Privacy Event – Failure to protect confidential information – Personal or corporate; online or offline – Violation of any Federal, State, or local privacy statute – Failure to comply with PCI-DSS standards  Allegations Can be Brought by – Government agencies, individuals, businesses or administrative 44 THIRD PARTY COVERAGE
  • 68.  Event Management – Incident Response Plan – Breach Consultation – Legal Consultation – Forensic Investigation – Public Relations Services – Notification To Consumers Based On State Mandate – Providing ID-monitoring/Credit Monitoring – Lost Electronic Data 45 FIRST PARTY COVERAGE
  • 69.  Network Interruption – Addresses loss of income and operating expenses resulting from the interruption or suspension of business due to a failure of network security  Cyber Extortion – Provides coverage for extortion threats against a company’s computer network and confidential information by an outsider seeking money or other valuables 46 FIRST PARTY COVERAGE
  • 70. Media Content Liability  Companies Have Published Content – Website, print, broadcast  Typical Types of Claims – Trademark and copyright infringement – Defamation, false light and imprisonment – Product disparagement, infliction of emotional distress 47 THIRD PARTY COVERAGE
  • 71. CYBEREDGE BREACH RESOLUTION TEAM  24/7 hotline staffed by IBM experts to respond to an Insured’s concern that they may be the victim of a breach  The IBM experts will go over key indicators of a breach with the Insured’s IT department to determine if one has indeed occurred.  If a breach is suspected or has occurred, Insureds will be automatically connected with our CyberEdge Breach Resolution Team. © American International Group, All rights reserved. CyberEdge Hotline: 1-800-CYBR-345 (292–7345) 48
  • 73. SAMPLE SITUATION  HIPAA: Privacy regulations that govern the healthcare industry  HITECH Act (Health Information Technology for Economic and Clinical Health Act)  Enacted on February 17, 2009  Breach notification requirements for HIPAA covered entities + business associates  Breach notification applies to HIPAA to promote the adoption and meaningful use of health information technology  Subtitle D of the HITECH Act addresses the privacy and security  Outlines the guidelines for who, what, where, when a privacy breach occurs (Diagram: PHI life cycle at a covered entity, e.g. a hospital – Access, Record, Maintain, Destroy, Retain, Hold, Modify, Use. Source: www.healthit.gov) 50
  • 74. GUIDELINES – If … / Then … (Source: www.healthit.gov)
      If a breach occurs: Written notice, first class mail at last known address, as soon as practicable and no later than 60 days after discovery of the breach
      If the individual is deceased: Notify next of kin
      If there is insufficient contact information for 10+ individuals: Home page of the website of the covered entity, or major print or broadcast media
      If urgent: Telephone
      If 500+ residents in a given state are affected: 1. Prominent media outlet within the state; 2. Notify the Secretary within 60 days; 3. Secretary to post on an HHS Web site a list that identifies each covered entity involved
  • 75. 52  Letters/E-mail typically include the following:  Description of what happened, date of the breach and the date of the discovery of the breach  Description of the types of unsecured PHI that were involved in the breach (i.e. full name, Social Security number, date of birth etc.)  The steps individuals should take to protect themselves from potential harm resulting from the breach  Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches  Contact procedures for individuals NOTIFICATION REQUIREMENTS Source: www.healthit.gov
  • 81.  Detects vulnerabilities across network devices, servers, web applications, and databases to help reduce risk exposure and better manage compliance requirements  Strong security expertise provides vulnerability identification with resulting prioritized plan for remediation and improved security INFRASTRUCTURE VULNERABILITY SCANNING POWERED BY IBM Key Components • Reports help demonstrate compliance with federal, state and industry regulations • Assess an environment from either the external or internal perspective • IBM Security expertise improves accuracy of findings and reduces mitigation time • Consultation on recommendations for improved security © American International Group, All rights reserved.
  • 83.  Leading edge global threat intelligence and technology that isolates and shuns IP addresses currently being used by criminals.  Before initiating an attack on a network, criminals first conduct reconnaissance to confirm that certain IP addresses are viable targets.  Shunning prevents these criminal communications from reaching a network and confirming the IP addresses as viable targets WHAT IS IP SHUNNING?
  • 87. 64 CYBEREDGE RISKTOOL  Web-based customizable risk management platform  Manage the human element of cyber risk and manage compliance  Pre-populated with:  Corporate security policies  Training with exams  Self assessments and risk guides  Simplifies and documents end user training  Unlimited use
  • 89.  Two complimentary hours from a specialized law firm to provide guidance on building and executing an incident response plan, as well as ensuring an organization is compliant with regulatory standards.  One complimentary hour from a forensic firm on what an organization’s technical response plan should include.  One complimentary hour from a vetted public relations firm to discuss an effective crisis communication plan to handle and mitigate the potential reputational and brand risk an organization would face in the event of a breach. CONSULTATION SERVICES © American International Group, All rights reserved.
  • 91. American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIG_LatestNews | LinkedIn: http://www.linkedin.com/company/aig AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds. Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Android and Google Play are trademarks of Google Inc. Shiraz Saeed - Product Specialist - Cyber Liability Tel +1 908 679 3472 | Cell +1 908 698 2269 | shiraz.saeed@aig.com 68
  • 93.  How do I mitigate my risk with the growing use of mobile and portable technologies?  Policies and Education  Social networking awareness  Encryption  Remote Wipes/Autolocks  Obtaining employee consent  Backing up company information on an employee device  Do’s and Don’ts of mobile use  Laptop Safety
  • 94.  What should I be doing to prepare my Company for the increased regulations related to IT Security?  Understand business activities subject to regulation for privacy considerations ▪ Disclosure of PI collections and sharing procedures ▪ Website and mobile app privacy ▪ Credit card information  Know how changes in business operations impact compliance requirements  Accept responsibility for compliance ▪ EXECUTIVE MANAGEMENT ▪ BOARD OF DIRECTORS
  • 97. Do You Know the SCORE? • Security • Compliance and • Operations • Risk • Evaluation
  • 98. Do You Know the SCORE? • A high level assessment of the key components of your IT environment: –IT operations –Physical security –Logical security –Mobile devices –Recovery –Network security –Online security –Data privacy and security compliance –System and hardware controls
  • 101. Michael Camacho, Partner mcamacho@lgcd.com Kevin Ricci, Director of IT kricci@lgcd.com
  • 102.  What are some of the things I need to consider when using 3rd party service providers?  For all vendors: ▪ Due diligence on their data security ▪ Coordination of representations in privacy policies ▪ Allocation of responsibilities in event of breach ▪ Terms in vendor agreements: ▪ Indemnification provisions ▪ Access provisions ▪ Insurance requirements (cyber and other)  Cloud computing ▪ Identify the assets for cloud deployment ▪ Evaluate the assets ▪ Map the assets to the cloud deployment model ▪ Evaluate potential cloud service models ▪ Map out data flow
  • 103.  What should I be doing to prepare the Company for a breach?  Screen new hires and vendors  Annual risk assessments  Educate employees  Discuss privacy by design with operations people  Pre-arrange breach service providers  Develop a cross functional privacy committee for breach planning and response  Discuss information collection and disclosure practices with all departments  Consider insuring against risks
  • 104.  What can I do to better protect my data from cyber crime?  Data Mapping - Understand WHAT your sensitive data is and WHERE it resides  Perform a security risk assessment  Set security standards  Develop comprehensive policies  Provide security training  Adopt a business plan  Spear Phishing Do’s and Don’ts