DATA SECURITY AND
REGULATORY COMPLIANCE
By: Daniel D. Bobilya
Bonahoom & Bobilya, LLC
Data Security and Compliance:
Why It’s Important
• Data breach events result in significant losses each year.
• Insurance company Lloyd’s estimates data breach events cost companies about $400 billion per year.
• In 2012, the average cost to each company that had a data breach was $5.4 million.
• The average cost per compromised record is $188.00.
• Common sources of loss include lawsuits filed by individuals whose information is compromised, notification and advertising costs, lost business/goodwill, direct theft of funds, and ransomware (programs that infect a computer or network and hold files hostage until a ransom is paid).
Data Security and Compliance cont.
• Government fines and investigations.
• Data security and compliance with applicable laws/regulations must be an integral part of every company’s risk management plan.
• Ignorance of the rules is not an excuse.
Data Breaches are a Real Problem
• Recent examples show data breaches are a growing problem affecting companies all over the world.
  ◦ Ashley Madison (Canada)
  ◦ Target (Minnesota)
  ◦ Home Depot (Georgia)
  ◦ Sony Pictures (Japan)
  ◦ Wyndham Hotels (New Jersey)
  ◦ Neiman Marcus (Texas)
  ◦ Medical Informatics Engineering (Indiana)
  ◦ Anthem (Indiana)
• All of the foregoing breaches resulted in governmental investigations and litigation.
Legal Framework Regarding Data Security
• The legal and regulatory framework is complex.
• A number of federal and state laws address a company’s responsibilities with respect to data security.
• Some laws, such as Sarbanes Oxley and the Federal Trade Commission Act, have broad applicability, while others are industry specific.
• We will discuss a few of the significant laws that address data security, discuss the requirements and potential liability under those laws, and then provide some tips on how to protect yourself.
Significant Laws, Standards, and Programs
Addressing Data Security Issues
• There is no uniform set of standards that applies to every company. It is up to each company to determine which laws apply and how to comply with them. Below are the most broadly applicable statutes.
  ◦ Sarbanes Oxley
  ◦ Federal Trade Commission Act
  ◦ Gramm-Leach-Bliley Act
  ◦ Health Insurance Portability and Accountability Act
  ◦ Health Information Technology for Economic and Clinical Health Act
  ◦ Fair Credit Reporting Act
  ◦ Children’s Online Privacy Protection Act
  ◦ Stored Communications Act
  ◦ State Laws
  ◦ Indiana’s Data Breach Notification Law, Ind. Code § 24-4.9-2-2
  ◦ Payment Card Industry Data Security Standards
  ◦ Federal Information Security Management Act
  ◦ Federal Risk and Authorization Management Program
Sarbanes Oxley Act of 2002
15 U.S.C. § 7262
• Enacted in 2002 in response to the Enron and Worldcom scandals.
• Designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures.
• Applies to all publicly traded companies and public accounting firms.
• Section 404 calls for the creation of rules requiring management to establish and maintain adequate “internal controls” and assess the effectiveness of those internal controls.
Sarbanes Oxley:
Application to IT Departments
• While Sarbanes Oxley deals primarily with the accuracy of financial reports, companies that are governed by Sarbanes Oxley typically rely on IT systems to process and store the data that is the basis for the financial reports; thus, Section 404 is intended to require organizations to consider the IT controls that are in place to ensure the accuracy of the financial information.
• Key to that is preventing unauthorized access to systems and data and ensuring proper backups are in place in the event of a disaster.
Sarbanes Oxley: Penalties
• Sarbanes Oxley is enforced by the Securities and Exchange Commission.
• Failure to comply with Sarbanes Oxley is treated as a violation of the Securities Exchange Act of 1934. 15 U.S.C. § 7202.
• Could carry significant penalties: up to $5,000,000 for individuals and $25,000,000 for non-individuals if the violation is willful.
• Could also lead to imprisonment. 15 U.S.C. § 78ff.
Sarbanes Oxley:
How to Protect Yourself
• COBIT (Control Objectives for Information and Related Technologies), published by ISACA, is a framework that assists with Sarbanes Oxley compliance.
• Sample objectives include the following:
  ◦ 5.16, Trusted Path: ensuring that sensitive transaction data is only exchanged over a trusted path.
  ◦ 5.20, Firewall Architectures and Connections with Public Networks: if connections to the internet or public networks exist, an adequate firewall must be installed and operative to protect against denial of service and unauthorized access to internet resources.
  ◦ 5.4, User Account Management: management should establish procedures regarding user accounts, rules that define privileges and access, etc.
• There are a number of additional objectives, and it would be worth your time to familiarize yourself with them. http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
Federal Trade Commission Act (FTCA)
14 U.S.C. § 41
• Section 45(a) states, “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”
• An unfair practice is one that causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by the consumers themselves and is not outweighed by countervailing benefits to consumers or competition.
• Not very specific, but this law has real-world consequences for IT professionals.
• In the Wyndham case, the FTC argued that allowing (or not preventing) a data breach was an unfair practice, and the Third Circuit Court of Appeals agreed. FTC v. Wyndham Worldwide Corp., Case No. 14-3514 (3d Cir. 2015).
FTCA: Penalties
• The FTCA is enforced by the FTC.
• If the FTC believes a company is engaging in a deceptive trade practice, it can obtain a cease and desist order requiring the company to quit engaging in the deceptive practice.
• Theoretically opens every company that has a data breach to extensive FTC investigation, regardless of whether a specific consumer sues.
• A company can face penalties of up to $10,000 per violation.
Gramm-Leach-Bliley Act
15 U.S.C. § 6801
• Applies to all banks and financial institutions.
• Enforced by multiple agencies, including the FTC.
• Each financial institution has an obligation to respect the privacy of customers and to protect the security and confidentiality of those customers’ non-public personal information.
• Financial institutions must ensure the security and confidentiality of customer records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to such records.
Gramm-Leach-Bliley Act: Penalties
• Gramm-Leach-Bliley is enforced by various bodies having regulatory authority over financial institutions.
• Violations of the Gramm-Leach-Bliley Act can result in stiff penalties (up to $100,000 per violation for the financial institution).
• Officers and directors may face personal liability, including fines up to $10,000 and imprisonment.
Health Insurance Portability
and Accountability Act (HIPAA)
42 U.S.C. § 1320d
• Applies to health plans, health care providers, pharmacists, and any entity or person that transmits health information in electronic form.
• Requires the Secretary of the Department of Human Services to establish standards that, among other things, call for certain security measures to protect individually identifiable health information.
• Companies are required to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of such information and protect against reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information. 42 U.S.C. § 1320d-2(d).
HIPAA: Penalties
• HIPAA is enforced by the Department of Health and Human Services and state attorneys general.
• Penalties for failing to ensure the security and integrity of individually identifiable health information can range from $50,000 per occurrence to $1,500,000 per year if there are multiple violations.
• There is also a penalty of up to $50,000 and imprisonment of up to 1 year for the knowing disclosure of individually identifiable health information, which goes up to $250,000 and 10 years imprisonment if the disclosure is made under false pretenses or with intent to sell the information.
Health Information Technology for
Economic and Clinical Health Act (HITECH)
• The goal is the promotion of health IT.
• HITECH extends the privacy and security measures of HIPAA to “Business Associates” of those entities covered by HIPAA. A “Business Associate” is an entity that, for and on behalf of a health care provider, health plan, etc., creates, receives, maintains, or transmits protected health information for a function or activity such as claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, etc.
HITECH Cont.
• Contains a new notification requirement: entities covered by HIPAA and Business Associates are now required to notify each individual whose information may have been compromised and, if the breach involves 500 or more individuals, to notify the media and the Secretary of Health and Human Services.
• HITECH extends the penalty provisions of HIPAA to Business Associates.
Fair Credit Reporting Act
15 U.S.C. § 1681
• Requires consumer reporting agencies to adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.
• A company that fails to comply with this law may be liable for actual damages plus costs and attorneys’ fees.
• This law also imposes a fine of up to $5,000 and/or imprisonment of up to 1 year on officers and employees who knowingly and willfully disclose information from the consumer reporting agency’s files to a person not authorized to receive such information.
Children’s Online Privacy Protection Act (COPPA)
15 U.S.C. § 6501
• Applies to websites or online services (Operators) directed to children under 13 years of age.
• Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of data collected from children.
• Operators must also take reasonable measures to ensure that parents receive notice of the operator’s practices with regard to collection, use, or disclosure of personal information from children.
COPPA: Penalties
• COPPA is enforced by the FTC.
• A violation of COPPA is treated as an unfair or deceptive act under the FTCA.
• Penalties are governed by the FTCA.
Stored Communications Act
18 U.S.C. § 2701
• Prohibits an individual from intentionally accessing stored electronic communications without authorization.
• Also prohibits an entity providing an electronic communication service to the public from knowingly divulging to any person or entity the contents of an electronic communication while in electronic storage by that service, or from knowingly divulging any communication which is carried or maintained on that service on behalf of, and received by electronic transmission from, a subscriber or customer of such service.
Stored Communications Act:
Penalties
• Unlike some of the other statutes we have talked about, this law gives individuals who are affected by a violation the right to file a civil action.
• An individual may recover actual damages; however, the individual is entitled to at least $1,000 per person, so if actual damages are less, the aggrieved individual will still get at least $1,000.
• Violation of the Stored Communications Act is one of the claims asserted in one of the Ashley Madison cases filed in Bentonville, Arkansas.
Other Potentially Applicable
Federal Laws
• Electronic Communications Privacy Act: prohibits the interception, use, and disclosure of wire, oral, and electronic communications.
  ◦ It is not out of the realm of possibility that this law could be invoked to impose liability on a company for failing to secure its data system.
• Bank Secrecy Act
• USA PATRIOT Act
  ◦ The Bank Secrecy Act and the PATRIOT Act work in conjunction to prevent money laundering. These laws do not directly address privacy concerns, but they do impose requirements on banks and other institutions to help prevent money laundering.
  ◦ The IT provisions apply primarily to financial institutions.
State Laws
• Ind. Code § 24-4.9-2-2
  ◦ Requires any database owner to disclose a security breach to the affected individuals.
  ◦ If the breach involves more than 1,000 individuals, the database owner must also notify applicable consumer reporting agencies.
  ◦ Also requires database owners to implement and maintain reasonable procedures to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the database owner.
State Laws Cont.
• Failure to disclose a breach under Ind. Code § 24-4.9-2-2 is a deceptive act that is punishable by the attorney general.
• Fines of up to $150,000 per deceptive act may be imposed. (Note: in Indiana, a failure to make a required disclosure in connection with a related series of breaches of the security of data is considered one deceptive act.)
• In addition to Indiana law, you need to be aware of other state consumer protection laws (e.g., unfair trade practices and deceptive acts).
Payment Card Industry Data
Security Standards (PCI DSS)
• Initiated by Visa and Mastercard in 2001 to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
• Applies to all entities involved in payment card processing, including all entities that store, process, or transmit cardholder data and sensitive authentication data.
PCI DSS: The Standards
• PCI DSS contains 12 requirements:
1. Install and maintain a firewall configuration to protect cardholder data;
2. Do not use vendor-supplied defaults for system passwords and other security parameters;
3. Protect stored cardholder data;
4. Encrypt transmission of cardholder data across open, public networks;
5. Protect all systems against malware and regularly update anti-virus software or programs;
6. Develop and maintain secure systems and applications;
7. Restrict access to cardholder data by business need to know;
8. Identify and authenticate access to system components;
9. Restrict physical access to cardholder data;
10. Track and monitor all access to network resources and cardholder data;
11. Regularly test security systems and processes;
12. Maintain a policy that addresses information security for all personnel.
PCI DSS: Enforcement
• Most of the major credit card companies incorporate these standards into their merchant account agreements with various businesses.
• Those agreements spell out the potential exposure for failing to comply with the PCI DSS; at a minimum, failure to comply may result in termination of the agreement and termination of the merchant’s card privileges. Some agreements also incorporate fines, which may range from $5,000 to $100,000 per month.
• While the PCI DSS are not required under federal law, some states have incorporated the standards into their state law.
• Also note that these standards might be reviewed by a court to evaluate whether a company has satisfied its standard of care; this could come up in lawsuits by individuals whose data was compromised.
Federal Information Security Management Act (FISMA)
44 U.S.C. § 3551
• Carried out by the Secretary of the Department of Homeland Security. Enacted with six goals in mind:
  ◦ Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets;
  ◦ Recognize the highly networked nature of the current Federal computing environment and provide government-wide management and oversight of the related information security risks;
  ◦ Provide for redevelopment and maintenance of minimum controls required to protect Federal information and information systems;
  ◦ Provide a mechanism for improved oversight of Federal agency information security programs, including through automated security tools to continuously diagnose and improve security;
  ◦ Acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions;
  ◦ Recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.
FISMA: Requirements
• Requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
  ◦ Information collected or maintained by or on behalf of the agency;
  ◦ Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
• Requires the head of each federal agency to comply with the requirements of FISMA and related policies, procedures, standards, and guidelines.
• Requires the head of each federal agency to ensure that information security management processes are integrated with agency strategic, operational, and budgetary planning processes.
• Contains annual reporting and oversight requirements.
FISMA: Penalties
• No penalties per se, but the government does publish each agency’s FISMA results each year, which has led to public awareness of deficiencies and ridicule.
• There have also been threats by lawmakers to cut agency budgets if agencies don’t improve their FISMA scores.
Federal Risk and Authorization
Management Program (FedRAMP)
• Not a law, but a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• FedRAMP security measures are FISMA compliant.
Negligence?
• While we have noted some of the important data security laws in existence, it is important to note that in addition to regulatory penalties, companies may face lawsuits directly from consumers as well.
• Most of the cases noted above were based on simple claims of negligence, meaning the company owed a duty to the customer to protect the confidential information, breached that duty, and as a result the customer suffered damages.
• Thus, the specific penalties mentioned in the laws we discussed are only a portion of the liability a company may face for a data security breach.
Insurance
• A general liability policy probably does not cover data breaches.
• However, many major insurance companies such as Hartford, Liberty Mutual, Travelers, Chubb Group, and Tech Insurance offer data breach insurance protection.
• It may be added on as optional coverage to the business owner’s policy or general liability policy, or it may be offered as a separate policy.
Insurance Cont.
• Benefits:
  ◦ Provide access to professionals who can assist with regulatory compliance;
  ◦ Provide guidance on how to help prevent a data breach;
  ◦ Assist with handling a breach crisis if one occurs;
  ◦ Assist with notification of the breach;
  ◦ In most states, coverage is available for defense and liability if a lawsuit is filed;
  ◦ Offset costs such as investigation costs to determine how the breach occurred, credit monitoring costs, lost business, damage to company reputation, etc.
• Cost:
  ◦ Like any insurance, cost depends on a number of factors; in this arena, factors include the size of the company, the amount of data that is being protected, and the security features that are in place to protect the data;
  ◦ According to the insurance brokerage NFP Property & Casualty, average premiums are about $2,500 per year;
  ◦ Cost could go as high as $10,000 per month, depending on the company.
Takeaways
• Data security is becoming a significant issue in our technological age, and there are a number of pitfalls that can result in significant financial loss to unwary companies.
• Companies need to be taking measures to ensure that data is secure.
What Can You Do?
• Work with lawyers to identify applicable laws and best practices to ensure compliance with those laws.
• Work with IT professionals to ensure data security measures incorporate best practices and are sufficient to comply with applicable laws.
Transferable and Non-Transferable Property.pptx
 
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...
 
一比一原版西澳大学毕业证学位证书
 一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
 
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .ppt
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptx
 

Data Security and Regulatory Compliance

1. DATA SECURITY AND REGULATORY COMPLIANCE
   By: Daniel D. Bobilya, Bonahoom & Bobilya, LLC

2. Data Security and Compliance: Why It’s Important
   • Data breach events result in significant losses each year.
   • Insurance company Lloyd’s estimates data breach events cost companies about $400 billion per year.
   • In 2012, the average cost to each company that had a data breach was $5.4 million.
   • The average cost per compromised record is $188.00.
   • Common sources of loss include lawsuits filed by individuals whose information is compromised, notification and advertising costs, lost business/goodwill, direct theft of funds, and ransomware (programs that infect a computer or network and hold files hostage until a ransom is paid).

3. Data Security and Compliance cont.
   • Government fines and investigations.
   • Data security and compliance with applicable laws/regulations must be an integral part of every company’s risk management plan.
   • Ignorance of the rules is not an excuse.

4. Data Breaches are a Real Problem
   • Recent examples show data breaches are a growing problem affecting companies all over the world:
      • Ashley Madison (Canada)
      • Target (Minnesota)
      • Home Depot (Georgia)
      • Sony Pictures (Japan)
      • Wyndham Hotels (New Jersey)
      • Neiman Marcus (Texas)
      • Medical Informatics Engineering (Indiana)
      • Anthem (Indiana)
   • All of the foregoing breaches resulted in governmental investigations and litigation.

5. Legal Framework Regarding Data Security
   • Complex legal and regulatory framework.
   • There are a number of federal and state laws that address a company’s responsibilities with respect to data security.
   • Some laws, such as Sarbanes Oxley and the Federal Trade Commission Act, have broad applicability, while others are industry specific.
   • We will discuss a few of the significant laws that address data security, discuss the requirements and potential liability under those laws, and then provide some tips on how to protect yourself.

6. Significant Laws, Standards, and Programs Addressing Data Security Issues
   • There is no uniform set of standards that applies to every company. It is up to each company to determine which laws apply and how to comply with them. Below are the most broadly applicable statutes.
   • Sarbanes Oxley
   • Federal Trade Commission Act
   • Gramm-Leach-Bliley Act
   • Health Insurance Portability and Accountability Act
   • Health Information Technology for Economic and Clinical Health Act
   • Fair Credit Reporting Act
   • Children’s Online Privacy Protection Act
   • Stored Communications Act
   • State Laws
      • Indiana’s Data Breach Notification Law, Ind. Code § 24-4.9-2-2
   • Payment Card Industry Data Security Standards
   • Federal Information Security Management Act
   • Federal Risk and Authorization Management Program
7. Sarbanes Oxley Act of 2002, 15 U.S.C. § 7262
   • Enacted in 2002 in response to the Enron and Worldcom scandals.
   • Designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures.
   • Applies to all publicly traded companies and public accounting firms.
   • Section 404 calls for the creation of rules requiring management to establish and maintain adequate “internal controls” and to assess the effectiveness of those internal controls.

8. Sarbanes Oxley: Application to IT Departments
   • While Sarbanes Oxley deals primarily with the accuracy of financial reports, companies governed by Sarbanes Oxley typically rely on IT systems to process and store the data on which the financial reports are based; thus, Section 404 is intended to require organizations to consider the IT controls in place to ensure the accuracy of the financial information.
   • Key to that is preventing unauthorized access to systems and data and ensuring proper backups are in place in the event of a disaster.

9. Sarbanes Oxley: Penalties
   • Sarbanes Oxley is enforced by the Securities Exchange Commission.
   • Failure to comply with Sarbanes Oxley is treated as a violation of the Securities and Exchange Act of 1934, 15 U.S.C. § 7202.
   • Could carry significant penalties—up to $5,000,000 for individuals and $25,000,000 for non-individuals if the violation is willful.
   • Also could lead to imprisonment. 15 U.S.C. § 78ff.

10. Sarbanes Oxley: How to Protect Yourself
   • The COBIT (Control Objectives for Information and Related Technologies) framework can assist with Sarbanes Oxley compliance.
   • Sample objectives include the following:
      • 5.16—Trust Path: ensuring that sensitive transaction data is only exchanged over a trusted path.
      • 5.20—Firewall Architectures and Connections with Public Networks: if connections to the internet or public networks exist, an adequate firewall must be installed and operative to protect against denial of service and unauthorized access to internet resources.
      • 5.4—User Account Management: management should establish procedures regarding user accounts, rules that define privileges and access, etc.
   • There are a number of additional objectives, and it would be worth your time to familiarize yourself with them: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
11. Federal Trade Commission Act (FTCA), 14 U.S.C. § 41
   • Section 45(a) states, “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”
   • An unfair practice is one that causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable by the consumers themselves, and which is not outweighed by countervailing benefits to consumers or competition.
   • Not very specific, but this law has real-world consequences for IT professionals.
   • In the Wyndham case, the FTC argued that allowing/not preventing a data breach was an unfair practice, and the Third Circuit Court of Appeals agreed. FTC v. Wyndham Worldwide Corp., Case No. 14-3514 (3d Cir. 2015).

12. FTCA: Penalties
   • The FTCA is enforced by the FTC.
   • If the FTC believes a company is engaging in a deceptive trade practice, it can obtain a cease and desist order requiring the company to stop engaging in the deceptive practice.
   • Theoretically opens every company that has a data breach to extensive FTC investigation, regardless of whether a specific consumer sues.
   • A company can face penalties of up to $10,000 per violation.
13. Gramm-Leach-Bliley Act, 15 U.S.C. § 6801
   • Applies to all banks and financial institutions.
   • Enforced by multiple agencies, including the FTC.
   • Each financial institution has an obligation to respect the privacy of customers and to protect the security and confidentiality of those customers’ non-public personal information.
   • Financial institutions must ensure the security and confidentiality of customer records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to such records.

14. Gramm-Leach-Bliley Act: Penalties
   • Gramm-Leach-Bliley is enforced by the various bodies having regulatory authority over financial institutions.
   • Violations of the Gramm-Leach-Bliley Act can result in stiff penalties (up to $100,000 per violation for the financial institution).
   • Officers and directors may face personal liability, including fines of up to $10,000 and imprisonment.
15. Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d
   • Applies to health plans, health care providers, pharmacists, and any entity or person that transmits health information in electronic form.
   • Requires the Secretary of the Department of Human Services to establish standards that, among other things, call for certain security measures to protect individually identifiable health information.
   • Companies are required to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of such information and to protect against reasonably anticipated threats or hazards to the security or integrity of the information and against unauthorized uses or disclosures of the information. 42 U.S.C. § 1320d-2(d).

16. HIPAA: Penalties
   • HIPAA is enforced by the Department of Health and Human Services and state attorneys general.
   • Penalties for failing to ensure the security and integrity of individually identifiable health information can range from $50,000 per occurrence up to $1,500,000 per year if there are multiple violations.
   • There is also a penalty of up to $50,000 and imprisonment of up to 1 year for the knowing disclosure of individually identifiable health information, which rises to $250,000 and 10 years imprisonment if the disclosure is made under false pretenses or with intent to sell the information.

17. Health Information Technology for Economic and Clinical Health Act (HITECH)
   • The goal is the promotion of health IT.
   • HITECH extends the privacy and security measures of HIPAA to “Business Associates” of those entities covered by HIPAA. A “Business Associate” is an entity that, for and on behalf of a health care provider, health plan, etc., creates, receives, maintains, or transmits protected health information for a function or activity such as claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, etc.

18. HITECH Cont.
   • Contains a new notification requirement: entities covered by HIPAA and Business Associates are now required to notify each individual whose information may have been compromised and, if the breach involves 500 or more individuals, to notify the media and the Secretary of Health and Human Services.
   • HITECH extends the penalty provisions of HIPAA to Business Associates.
19. Fair Credit Reporting Act, 15 U.S.C. § 1681
   • Requires consumer reporting agencies to adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.
   • A company that fails to comply with this law may be liable for actual damages plus costs and attorneys’ fees.
   • This law also imposes a fine of up to $5,000 and/or imprisonment of up to 1 year on officers and employees who knowingly and willfully disclose information from the consumer reporting agency’s files to a person not authorized to receive such information.

20. Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501
   • Applies to websites or online services (Operators) directed to children under 13 years of age.
   • Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of data collected from children.
   • Operators must also take reasonable measures to ensure that parents receive notice of the operator’s practices with regard to the collection, use, or disclosure of personal information from children.

21. COPPA: Penalties
   • COPPA is enforced by the FTC.
   • A violation of COPPA is treated as an unfair or deceptive act under the FTCA.
   • Penalties are governed by the FTCA.
22. Stored Communications Act, 18 U.S.C. § 2701
   • Prohibits an individual from intentionally and without authorization accessing stored electronic communications.
   • Also prohibits an entity providing an electronic communication service to the public from knowingly divulging to any person or entity the contents of an electronic communication while in electronic storage by that service, or from knowingly divulging any communication which is carried or maintained on that service on behalf of, and received by electronic transmission from, a subscriber or customer of such service.

23. Stored Communications Act: Penalties
   • Unlike some of the other statutes we have talked about, this law gives individuals who are affected by a violation the right to file a civil action.
   • An individual may recover actual damages; however, the individual is entitled to at least $1,000 per person, so if actual damages are less, the aggrieved individual will still receive at least $1,000.
   • Violation of the Stored Communications Act is one of the claims asserted in one of the Ashley Madison cases filed in Bentonville, Arkansas.

24. Other Potentially Applicable Federal Laws
   • Electronic Communications Privacy Act—prohibits the interception, use, and disclosure of wire, oral, and electronic communications.
      • Not out of the realm of possibility that this law could be invoked to impose liability on a company for failing to secure its data system.
   • Bank Secrecy Act
   • USA Patriot Act
      • The Bank Secrecy Act and Patriot Act work in conjunction to prevent money laundering—these laws do not directly address privacy concerns, but do impose requirements on banks and other institutions to help prevent money laundering.
      • IT provisions apply primarily to financial institutions.
25. State Laws
   • Ind. Code § 24-4.9-2.2
      • Requires any database owner to disclose a security breach to the affected individuals.
      • If the breach involves more than 1,000 individuals, the database owner must also notify the applicable consumer reporting agencies.
      • Also requires database owners to implement and maintain reasonable procedures to protect and safeguard any personal information of Indiana residents collected or maintained by the database owner from unlawful use or disclosure.

26. State Laws Cont.
   • Failure to disclose a breach under Ind. Code § 24-4.9-2-2 is a deceptive act that is punishable by the attorney general.
   • Fines of up to $150,000 per deceptive act may be imposed (note: in Indiana, a failure to make a required disclosure in connection with a related series of breaches of the security of data is considered one deceptive act).
   • In addition to Indiana law, companies need to be aware of other state consumer protection laws (e.g., unfair trade practices and deceptive acts).
27. Payment Card Industry Data Security Standards (PCI DSS)
   • Initiated by Visa and Mastercard in 2001 to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
   • Applies to all entities involved in payment card processing: all entities that store, process, and transmit cardholder data and sensitive authentication data.

28. PCI DSS: The Standards
   • PCI DSS contains 12 standards:
      1. Install and maintain a firewall configuration to protect cardholder data;
      2. Do not use vendor-supplied defaults for system passwords and other security parameters;
      3. Protect stored cardholder data;
      4. Encrypt transmission of cardholder data across open, public networks;
      5. Protect all systems against malware and regularly update anti-virus software or programs;
      6. Develop and maintain secure systems and applications;
      7. Restrict access to cardholder data by business need to know;
      8. Identify and authenticate access to system components;
      9. Restrict physical access to cardholder data;
      10. Track and monitor all access to network resources and cardholder data;
      11. Regularly test security systems and processes;
      12. Maintain a policy that addresses information security for all personnel.
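Requirements 3, 7 and 10 above (protect stored cardholder data, need-to-know access, track all access), together with the user-account-management objective from the COBIT slide, are the ones a developer meets in code rather than in policy. The following is an added example written for this page, not code from the presentation or from the PCI Security Standards Council: a small vault that stores only a keyed-hash token and a masked card number, refuses to store the CVV, enforces a role check on every access, and records every access attempt in an audit trail. The HMAC key, role and actor names, and the card number are constructed for the example, and the first-six/last-four masking width is a policy constant the example fixes.

```python
"""Added example (not from the slides): a minimal cardholder-data vault that
applies PCI DSS requirement 3 (protect stored cardholder data), requirement 7
(restrict access by business need to know) and requirement 10 (track and
monitor all access to cardholder data).  The HMAC key, role names and card
numbers are constructed for the example; a real deployment would hold the key
in an HSM or key-management service and write the audit trail to
tamper-evident storage.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, so obviously malformed PANs are never stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits, the rest masked.
    (First six / last four is the traditional PCI DSS display limit; the
    example keeps it as a fixed policy.)"""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class AccessEvent:
    """One audit-trail entry (requirement 10): who did what to which token."""
    actor: str
    role: str
    action: str
    token: str
    allowed: bool


class CardVault:
    """Keeps only a keyed-hash token and a masked PAN; never the full PAN or CVV."""

    def __init__(self, hmac_key: bytes, authorized_roles: Set[str]) -> None:
        self._key = hmac_key
        self._authorized = authorized_roles
        self._records: Dict[str, str] = {}   # token -> masked PAN
        self.audit: List[AccessEvent] = []

    def _tokenize(self, pan: str) -> str:
        # Keyed hash rather than plain SHA-256: without the key, someone who
        # obtains the token table cannot enumerate the small PAN space offline.
        return hmac.new(self._key, pan.encode("ascii"), hashlib.sha256).hexdigest()

    def _check(self, actor: str, role: str, action: str, token: str) -> None:
        """Record the attempt first, then enforce need-to-know (requirement 7)."""
        allowed = role in self._authorized
        self.audit.append(AccessEvent(actor, role, action, token, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} has no business need to know")

    def store(self, actor: str, role: str, pan: str, cvv: Optional[str] = None) -> str:
        """Validate and tokenize a PAN.  Sensitive authentication data (CVV)
        is refused outright: PCI DSS forbids storing it after authorization."""
        if cvv is not None:
            raise ValueError("CVV is sensitive authentication data and must not be stored")
        pan = re.sub(r"[\s-]", "", pan)      # accept "4111 1111 ..." style input
        if not luhn_valid(pan):
            raise ValueError("PAN failed validation")
        token = self._tokenize(pan)
        self._check(actor, role, "store", token)
        self._records[token] = mask_pan(pan)
        return token

    def lookup(self, actor: str, role: str, token: str) -> Optional[str]:
        """Return the masked PAN for a token, recording the access either way."""
        self._check(actor, role, "lookup", token)
        return self._records.get(token)


def run_demo() -> dict:
    """Exercise the vault with constructed data and summarise what happened."""
    vault = CardVault(b"constructed-demo-key-not-for-production", {"billing"})
    token = vault.store("alice", "billing", "4111 1111 1111 1111")  # constructed test PAN
    masked = vault.lookup("alice", "billing", token)
    try:
        vault.lookup("mallory", "marketing", token)   # role outside need-to-know
        denied = False
    except PermissionError:
        denied = True
    try:
        vault.store("alice", "billing", "4111111111111111", cvv="123")
        cvv_rejected = False
    except ValueError:
        cvv_rejected = True
    return {
        "masked": masked,
        "denied": denied,
        "cvv_rejected": cvv_rejected,
        "audit_allowed": [e.allowed for e in vault.audit],
        "token_len": len(token),
    }


if __name__ == "__main__":
    print(run_demo())
```

The audit entry is written before the permission check rather than after, so a denied attempt leaves a trace; that ordering is what makes the trail useful to a reviewer, and it is the kind of control a court or assessor evaluating a merchant's standard of care (slide 29) would expect to see evidence of.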
29. PCI DSS: Enforcement
   • Most of the major credit card companies incorporate these standards into their merchant account agreements with various businesses.
   • Those agreements will spell out the potential exposure for failing to comply with the PCI DSS; at a minimum, failure to comply may result in termination of the agreement and termination of the merchant’s card privileges; some agreements also incorporate fines, which may range from $5,000 to $100,000 per month.
   • While the PCI DSS are not required under federal law, some states have incorporated the standards into their state law.
   • Also note that these standards might be reviewed by a court to evaluate whether a company has satisfied its standard of care; this could come up in lawsuits by individuals whose data was compromised.

30. Federal Information Security Management Act (FISMA), 44 U.S.C. § 3551
   • Carried out by the Secretary of the Department of Homeland Security. Enacted with six goals in mind:
      • Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets;
      • Recognize the highly networked nature of the current Federal computing environment and provide government-wide management and oversight of the related information security risks;
      • Provide for redevelopment and maintenance of minimum controls required to protect Federal information and information systems;
      • Provide a mechanism for improved oversight of Federal agency information security programs, including through automated security tools to continuously diagnose and improve security;
      • Acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions;
      • Recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

31. FISMA: Requirements
   • Requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
      • Information collected or maintained by or on behalf of the agency;
      • Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
   • Requires the head of each federal agency to comply with the requirements of FISMA and related policies, procedures, standards, and guidelines.
   • Requires the head of each federal agency to ensure that information security management processes are integrated with agency strategic, operational, and budgetary planning processes.
   • Contains annual reporting and oversight requirements.

32. FISMA: Penalties
   • No penalties per se, but the government does publish each agency’s FISMA results each year, which has led to public awareness of deficiencies and ridicule.
   • There have also been threats by lawmakers to cut agency budgets if agencies don’t improve their FISMA scores.

33. Federal Risk and Authorization Management Program (FEDRAMP)
   • Not a law, but a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
   • FEDRAMP security measures are FISMA compliant.
34. Negligence?
   • While we have noted some of the important data security laws in existence, it is important to note that, in addition to regulatory penalties, companies may face lawsuits directly from consumers as well.
   • Most of the cases noted above were based on simple claims of negligence, meaning the company owed a duty to the customer to protect the confidential information, breached that duty, and, as a result, the customer suffered damages.
   • Thus, the specific penalties mentioned in the laws we discussed are only a portion of the liability a company may face for a data security breach.

35. Insurance
   • A general liability policy probably does not cover data breaches.
   • However, many major insurance companies such as Hartford, Liberty Mutual, Travelers, Chubb Group, and Tech Insurance offer data breach insurance protection.
   • May be added on as optional coverage to the business owner’s policy or general liability policy, or may be offered as a separate policy.

36. Insurance Cont.
   • Benefits:
      • Provide access to professionals who can assist with regulatory compliance;
      • Provide guidance on how to help prevent a data breach;
      • Assist with handling a breach crisis if one occurs;
      • Assist with notification of the breach;
      • In most states, coverage is available for defense and liability if a lawsuit is filed;
      • Offset costs such as investigation costs to determine how the breach occurred, credit monitoring costs, lost business, damage to company reputation, etc.
   • Cost:
      • Like any insurance, cost depends on a number of factors—in this arena, factors include the size of the company, the amount of data that is being protected, and the security features that are in place to protect the data;
      • According to the insurance brokerage NFP Property & Casualty, average premiums are about $2,500 per year;
      • Cost could go as high as $10,000 per month, depending on the company.

37. Takeaways
   • Data security is becoming a significant issue in our technological age, and there are a number of pitfalls that can result in significant financial loss to unwary companies.
   • Companies need to be taking measures to ensure that data is secure.

38. What Can You Do?
   • Work with lawyers to identify applicable laws and best practices to ensure compliance with those laws.
   • Work with IT professionals to ensure data security measures incorporate best practices and are sufficient to comply with applicable laws.