Copyright 2009. Jordan Lawrence. All rights reserved.
Annual In-House Symposium
Practical Steps to Minimize Privacy Risks: Understanding The Intersection Between Information Management and Privacy Law
May 21, 2009
Marty Provin, Executive Vice President
Jordan Lawrence, [email protected]
Privacy Breaches Happen Every Day
• May 7th, 2009
  3,400 individuals’ information from a benefits report may have been pulled out of a dumpster.
• May 5th, 2009
  Documents that included SS numbers, addresses, phone numbers and names were found in an unlocked public container sitting off a side street in their apartment complex.
• May 5th, 2009
  Boxes found in a trash bin contained 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers.
• April 29th, 2009
  A spreadsheet with worker names and Social Security numbers was found on the Internet. The data was released to a so-called peer-to-peer network during a music transfer to an agency laptop.
• April 29th, 2009
  A laptop computer containing the personal information of about 225,000 individuals was stolen from a home. The data included names, Social Security numbers, tax identification numbers, birth dates and addresses.
• March 24, 2009
  Hospital employee left patients’ records on a train she was taking with her to do billing work over the weekend.
• March 11th, 2009
  University kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years, in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.
Source: Privacy Rights Clearinghouse
Current Standard
• Definition of Personally Identifiable Information
  Resident’s first and last name, or first initial and last name
  • Social Security number
  • Driver’s license or state-issued ID card number
  • Financial account number
  • Credit or debit card number
  Possibly medical or biometric information
Who & What
• Who privacy laws apply to
  A resident of the particular state
  Not location of the business or breach
• Always apply to electronic information
  May apply to hardcopy as well
• Trigger of notification period
  Disclosure should be expedient, and without unreasonable delay following the discovery of the breach
  “Timeliness” of response will be scrutinized
After a Privacy Breach
• Safe Harbor
  Possible if data was encrypted
  Best Practice is to notify regardless
  Credit monitoring and assistance
• Penalties
  Fines
  Civil right of action
Cost of a Privacy Breach
• Hard Dollar Costs
  $6.6 m average expense to an organization
  • Cost of notifying victims
  • Maintaining information hotlines
  • Legal, investigative, and administrative expenses
  • Credit monitoring
• Reputational Harm
  31% of breach notice recipients terminate their business
  57% reported losing trust and confidence
Source: Ponemon Institute
Privacy Laws & Cross Border Litigation
• EU privacy laws vs. FRCP
• Blocking statutes restrict discovery of information meant for disclosure in a foreign jurisdiction
  Switzerland, France and the United Kingdom
• EU Data Protection Authorities intend to limit U.S. discovery within the EU
• Doubtful U.S. judges will be sympathetic
Why Companies Struggle
• Misguided “prevention” efforts
  Less than 20% of breaches involve unauthorized network access
  More than $5 billion spent on network security
• Fail to understand the most common risks
  73 of 125 data breaches reported¹ in 2009 have involved
  • Lost or stolen laptops, computers or storage devices
  • Backup tapes lost by employees or third-party vendor
  • Employees’ handling of information
  • Dumpster diving
¹Source: Privacy Rights Clearinghouse as of May 20th, 2009
People and Policy
It’s about policy awareness and policy compliance
• 54% of business representatives don’t think their company’s privacy policy applies to email¹
• 39% of business representatives report saving sensitive company data to personal computer and storage devices¹
• One out of ten employees report having had a company computer or storage device lost or stolen in the last 12 months²
¹Source: 2008 Jordan Lawrence Assessment Data
²Source: 2008 Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss by InsightExpress
Taking The First Step
Identify the necessary information
• What personally identifiable data does the company have
• Where do they have it
• How is it managed
How Do You Get This Information
• Business Representatives understand
  The types of sensitive information they work with
  What media it’s in
  Who they share it with
  How they manage it
  What they do with it at end of life
• Subject Matter Experts understand
  Encryption services deployed
  Back-up processes
  Disposal processes
  Third parties that have access to sensitive information
What You Will Find
• 1,272 record type profiles with sensitive information

Type of Sensitive Data
• Social Security Numbers
• Credit History Information
• Credit/Debit Account Information
• Employment Information
• Medical Information
• Name, Phone, Address

Location of Data
Human Resources: 29 on laptop (no encryption), 11 on flash drive, 14 emailed outside organization
Accounting: 18 on laptop (no encryption), 22 on flash drive, 15 emailed outside organization
Security: 10 on laptop (no encryption), 9 on paper (no shred bin)

Source: Client data from a Jordan Lawrence Assessment
Putting Policy Into Practice
• Develop a policy including
  Definition of what is considered sensitive information
  How to manage sensitive information
  How to dispose of sensitive information
  Annual acknowledgment
  Consequences for not complying
• Train all employees
  Conduct annual training
  Make it part of the hiring process
Enforcing Policy
• Implement process for safeguarding sensitive information
  Information technology for technical safeguards
  The business for managing and destroying hardcopy
• Audit
  Formal audit process
  Annual spot auditing of business areas
• Annually re-assess
  Identify new risks as business processes change
  Ensure compliance with “New” and changing laws
  Cross border litigation
Thank You
Marty Provin
636-821-2250