PRIVACY: BRIDGING THE GAP BETWEEN THIRD PARTY/VENDOR RISK MANAGEMENT AND CYBER RESILIENCY. Annmarie Giblin, Esq. Thursday, April 21, 2016
|
|
- Jeffery Norris
- 5 years ago
- Views:
Transcription
1 PRIVACY: BRIDGING THE GAP BETWEEN THIRD PARTY/VENDOR RISK MANAGEMENT AND CYBER RESILIENCY Annmarie Giblin, Esq. Thursday, April 21, 2016
2 AGENDA: I. INTRODUCTION II. DATA PRIVACY V. DATA SECURITY III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS IV. CURRENT REGULATORY OBLIGATIONS REGARDING THIRD PARTIES/VENDORS V. INCREASED OVERSIGHT THE FUTURE OF REGULATION CONCERNING THIRD PARTIES/VENDORS VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK VII.CONCLUSION
3 I. INTRODUCTION The Internet has brought incredible opportunity, incredible wealth. It gives us access to data and information that are enhancing our lives in all sorts of ways. It also means that more and more of our lives are being downloaded, being stored, and as a consequence are a lot more vulnerable. That s true for the private sector. That s true for individual Americans. That true for federal, state, and local governments. It s true for our critical infrastructure. - Remarks by the President of the United States on the Cybersecurity National Action Plan, February 17, 2016
4 II. DATA PRIVACY V. DATA SECURITY The collection and storage of information v. the expectation, and now legal duty to protect the information collected Data includes both information collected and stored electronically and on paper/hardcopy. Consistently evolving legal landscape on collection of data, protection of data and its use.
5 Data Privacy Privacy in the United States v. Privacy in the European Union II. DATA PRIVACY V. DATA SECURITY OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data Clinton and Gore Framework for Global Electronic Commerce General Privacy Laws in the United States Privacy Act of 1974 Right to Financial Privacy Act of 1978 Gramm-Leach-Bliley Act Regulation S-P (17 CFR ) Fair Credit Reporting Act 15 USC u HIPAA Dissolution of Safe Harbor and creation of the US-EU Privacy Shield
6 Data Security II. DATA PRIVACY V. DATA SECURITY 31 States and Puerto Rico have laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable. * The Federal Trade Commission has a data disposal rules which is a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), and mandates that sensitive information from consumer reports be appropriately disposed of. * National Conference of State Legislatures, viewed on April 17, 2016
7 Data Security Cont. II. DATA PRIVACY V. DATA SECURITY There are currently 47 States that have laws requiring notification of security breaches of information involving personally identifiable information. The District of Columbia, Puerto Rico, and the United States Virgin Islands also have notification laws. These laws are varied and have different definitions of personal information, as well as different requirements for notification. Several States have introduced legislation this year expanding these laws and tightening the regulations.
8 II. DATA PRIVACY V. DATA SECURITY Data Security Cont. Cyber Security Act of 2015 Pending Federal Legislation Cybersecurity National Action Plan Commission on Enhancing National Cybersecurity Dodd-Frank Financial Stability Oversight Council SEC OCIE s 2015 Cybersecurity Examination Initiative
9 Defining Third Parties/Vendors Who has access to the institutions data? What data do they have access to? Why do they have access to this data? How do they protect the institutions data? How do they protect their own data? III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS
10 III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS Third Parties/Vendors include any party/company that has access to or can have access to your data and can include: Fintech providers Insurance Companies Auditors Outside IT companies Repairmen Cleaning service providers Document Shredding companies Attorneys Etc.
11 III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS New York State Department of Financial Services Update on Cyber Security in the Banking Sector: Third Party Service Providers, April 2015 Key findings from the Report include: Nearly 1 in 3 (approximately 30 percent) of the banks surveyed do not require their third-party vendors to notify them in the event of an information security breach or other cyber security breach. Fewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors. Approximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors. Nearly half of the banks do not require a warranty of the integrity of the third-party vendor s data or products (e.g., that the data and products are free of viruses). * * last viewed on April 18, 2016.
12 III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS
13 State Breach Notification Laws Fair Credit Reporting Act 15 USC u IV. CURRENT REGULATORY OBLIGATIONS REGARDING THIRD PARTIES/VENDORS The Health Information Technology for Economic and Clinical Health (HITECH) Act SEC OCIE s 2015 Cybersecurity Examination Initiative PCI Security Standards Gramm-Leach-Bliley Act Regulation S-P (17 CFR )
14 Pending Federal Legislation Pending State Legislation V. INCREASED OVERSIGHT THE FUTURE OF REGULATION CONCERNING THIRD PARTIES/VENDORS New York State Department of Financial Services Potential New Cyber Security Requirements NIST Framework EU General Data Protection Regulation Codification of PCI Security Standards
15 VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK Mitigation of Risks Associated with Third Parties/Vendors who have access to the Institutions Data: Incorporate management of data that third parties/vendors have access to in data retention policy. Consider creating separate policy solely dealing with management of data to third parties/vendors. Document and continually update specifically what data third party/vendor has access to, when they received access, when that access was terminated and how that data will be retrieved when it is no longer needed. Incorporate response to incident stemming from Third Parties/Vendors into Institution s Incident Response Plan. Organize Third Parties/Vendors by Risk and treat accordingly Assignment of Risk Category should focus on role of the third party/vendor and the data they will have access to. High Risk Third Parties/Vendors should receive the most scrutiny Evaluation of Third Parties/Vendors should start before retention/signing of contract Due Diligence is key Prioritize Resources
16 VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK Put expectations in writing. Mandate immediate reporting of a data incident/breach and negotiate the right to be included in forensic evaluation and recovery. Depending on the information they have access to, require that third parties/vendors store and protect the institutions data separately from other data. Consider limiting access to data to only certain high level and/or necessary personnel at the third party/vendor. Require registration and security training of those persons on how to protect and manage the institution s data. Require that the third party/vendor provide proof of their data security policies, testing and controls. Require that they provide results of penetration testing and security evaluations, copies of their incident response plan and assurances about how they treat data security with their third parties/vendors. For High Risk Third Parties/Vendors require cyber liability insurance and ask to be named as an additional insured. Obtain proof of this.
17 VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK Include indemnification provision in contract. Identify specifically, indemnification for first party losses and third party losses First party losses are losses suffered by the institution Third party losses are losses suffered by others (customers, business partners, etc.). Limit access to only essential information. Be suspicious of requests for new or additional information that do not seem essential or go beyond your understanding of what was agreed to be necessary. Encrypt data and require multi-factor authentication. Do not give open access to your system unless essential. If essential, limit the access to certain employees of the third party/vendor. Visit higher risk third parties/vendors places of business, conduct a visual inspection. Remember information can still be stolen the old fashioned way. Do not discredit the threat of a data breach that originates from the loss of hard copy.
18 VII. CONCLUSION **This PowerPoint and the information contained within is for informational purposes only. Nothing contained within is intended to be used or relied on as Legal Advice or opinion.
NEW CYBER RULES FOR NEW YORK-BASED BANKING, INSURANCE AND FINANCIAL SERVICE FIRMS HAVE FAR-REACHING EFFECTS
REGULATORY LAW ALERT JUNE 2017 NEW CYBER RULES FOR NEW YORK-BASED BANKING, INSURANCE AND FINANCIAL SERVICE FIRMS HAVE FAR-REACHING EFFECTS OVERVIEW In potentially the most significant state-level expansion
More informationAFTER THE OMNIBUS RULE
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member
More informationBuilding a Program to Manage the Vendor Management Lifecycle
Building a Program to Manage the Vendor Management Lifecycle Libbie Canter Amelia Hukoveh Daniel Nazar October 5, 2017 Overview 1. Introduction and Background 2. Three Pillars of Third-Party Risk Management
More informationU.S. Private-sector Privacy Certification
1 Page 1 of 5 U.S. Private-sector Privacy Certification Outline of the Body of Knowledge for the Certified Information Privacy Professional/United States (CIPP/US ) I. Introduction to the U.S. Privacy
More informationRIMS Cyber Presentation
RIMS Cyber Presentation Forrest Pace Cyber & Strategic Risk Leader South Zone AIG Property Casualty Forrest.Pace@aig.com 1 Bio Forrest Pace is the Cyber and Strategic Risk Leader for the South Zone, coordinating
More informationHIPAA vs. GDPR vs. NYDFS - the New Compliance Frontier. March 22, 2018
1 HIPAA vs. GDPR vs. NYDFS - the New Compliance Frontier March 22, 2018 2 Today s Panel: Kimberly Holmes - Moderator - Vice President, Health Care, Cyber Liability & Emerging Risks, TDC Specialty Underwriters,
More informationCybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know and Do
ARTICLE Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know and Do By Gene Griggs and Saad Gul This article analyzes cybersecurity issues for retirement plans. Introduction
More informationHIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by
HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement
More informationHot Topics in Software as a Service and Cloud
Hot Topics in Software as a Service and Cloud Presented by: Robert J. Scott www.scottandscottllp.com Speaker Robert J. Scott Cloud Computing Trends Forrester Research estimates the cloud market will reach
More informationIHDE BUSINESS ASSOCIATE AGREEMENT (BAA)
IHDE BUSINESS ASSOCIATE AGREEMENT (BAA) This Business Associate Agreement (BAA) is entered into by and between the Covered Entity aka. Data Provider/User, (please enter name of organization) and the Business
More informationAmerican Bar Association (ABA) Cybersecurity Legal Task Force Vendor Contracting Project: Cybersecurity Checklist 1
Introduction American Bar Association (ABA) Cybersecurity Legal Task Force Vendor Contracting Project: Cybersecurity Checklist 1 The objective of this Cybersecurity Checklist is to assist procuring organizations,
More informationDesigning Privacy Policies and Identifying Privacy Risks for Financial Institutions. June 2016
Designing Privacy Policies and Identifying Privacy Risks for Financial Institutions June 2016 Program Overview Regulatory Environment Who Needs a Privacy Program and Common Questions Components of a Comprehensive
More informationThe Security Risk Analysis Requirement for MIPS. August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist
The Security Risk Analysis Requirement for MIPS August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist Today s Speaker Peter Mercuri Peter Mercuri, MBA, HCISPP, CHSA,CMQP,CEHR,CHTS,CHWP
More informationPRIVACY AND CYBERSECURITY ISSUES IN M&A TRANSACTIONS
PRIVACY AND CYBERSECURITY ISSUES IN M&A TRANSACTIONS Don Shelkey and Ezra Church May 22, 2018 2018 Morgan, Lewis & Bockius LLP Overview Introduction Why should I care? Five Key Legal Requirements Sector-Specific
More informationOMNIBUS RULE ARRIVES
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More information503 SURVIVING A HIPAA BREACH INVESTIGATION
503 SURVIVING A HIPAA BREACH INVESTIGATION Presented by Nicole Hughes Waid, Esq. Mark J. Swearingen, Esq. Celeste H. Davis, Esq. Regional Manager 1 Surviving a HIPAA Breach Investigation: Enforcement Presented
More informationData Security Addendum for inclusion in the Contract between George Mason University (the University ) and the Selected Firm/Vendor
Data Security Addendum for inclusion in the Contract between George Mason University (the University ) and the Selected Firm/Vendor This Addendum is applicable only in those situations where the Selected
More informationREF STANDARD PROVISIONS
This Data Protection Addendum ( Addendum ) is an add- on to the Purchasing Terms and Conditions. It is applicable only in those situations where the Selected Firm/Vendor provides goods or services under
More informationInformation Security and Third-Party Service Provider Agreements
The Iowa State Bar Association s ecommerce & Intellectual Property Law Sections presents 2016 Intellectual Property Law & ecommerce Seminar Information Security and Third-Party Service Provider Agreements
More informationNegotiating SaaS and Cloud Contracts May 28, Peter J. Kinsella 303/
Negotiating SaaS and Cloud Contracts May 28, 2015 Peter J. Kinsella 303/291-2328 Disclaimer The information provided in this presentation does not necessarily reflect the opinions of Perkins Coie LLP,
More informationHEALTHCARE BREACH TRIAGE
IAPP Privacy Academy September 30 October 2, 2013 HEALTHCARE BREACH TRIAGE Theodore P. Augustinos EDWARDS WILDMAN PALMER LLP Kenneth P. Mortensen CVS/CAREMARK 2013 Edwards Wildman Palmer LLP & Edwards
More informationPayment Card Industry Data Security Standards (PCI DSS) Initial Training
Payment Card Industry Data Security Standards (PCI DSS) Initial Training PCI DSS Training Content What topics will this training cover? What is PCI DSS? Objectives of PCI DSS Common Terminology Background
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More informationWe re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber
We re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber Protection Data Creates Duties What data do you access, and
More informationRe: Proposed Cybersecurity Requirements for Financial Services Companies DFS P
CATHERINE M. TULLY Director, Government Affairs Submit via electronic mail: CyberRegComments@dfs.ny.gov November 15, 2016 Ms. Cassandra Lentchner Deputy Superintendent for Compliance NYS Department of
More informationReviewing and Drafting IT Agreements
Reviewing and Drafting IT Agreements March 10, 2015 Peter J. Kinsella 303/291-2328 The information provided in this presentation does not necessarily reflect the opinions of Perkins Coie LLP, its clients
More informationHIPAA STUDENT ASSOCIATE AGREEMENT
HIPAA STUDENT ASSOCIATE AGREEMENT This Agreement dated as of, 20 is made by and between Petaluma Health Center (Hereinafter Covered Entity ) and (Hereinafter Student ). INTRODUCTION This Agreement governs
More informationNEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES PROPOSED 23 NYCRR 500 CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES PROPOSED 23 NYCRR 500 CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES I, Maria T. Vullo, Superintendent of Financial Services, pursuant to the
More informationWEEK 1/FEBRUARY 17, 2016 MODULE #1
CERTIFIED INFORMATION PRIVACY PROFESSIONAL/UNITED STATES NORTHERN VIRGINIA COMMUNITY COLLEGE RESTON, RESTON TECH TRAINING CENTER AND ON-LINE WED, FEBRUARY 17, 2016 MARCH 23. 2016: 6:30 9:30 PM INSTRUCTOR:
More informationHIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia
HIPAA in the Digital Age Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia Virginia MGMA reminds attendees that the program is not intended to provide legal advice and advises participants
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS
HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts
More informationNATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE
NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE As many of you know, Gramm-Leach-Bliley requires "financial institutions" to establish and implement a Safeguard Rule Compliance
More informationSAFE DESTRUCTION OF DOCUMENTS
SAFE DESTRUCTION OF DOCUMENTS Federal and State Requirements for Proper Disposal of Information Contained in Consumer Reports OVERVIEW With the growth in popularity for organizations to utilize electronic
More informationHIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES
HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment
More informationEmma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements
POLICY INFORMATION Document # 900 Revision # 1.0 Safeguard: Administrative Title: Business Associate Agreements Prepared by: J. Black Approved by: Dean Beth E. Foley Print Date: 8/29/2016 Date Prepared:
More informationRecord Management & Retention Policy
POLICY TYPE: Corporate Divisional EFFECTIVE DATE: INITIAL APPROVAL DATE: NEXT REVIEW DATE: POLICY NUMBER: May 15, 2010 May - 2010 March 2015 REVISION APPROVAL DATE: 5/10, 3/11, 5/12, 9/13, 4/14, 11/14
More informationCyber Risks & Insurance
Cyber Risks & Insurance Bob Klobe Asst. Vice President & Cyber Security Subject Matter Expert Chubb Specialty Insurance Legal Disclaimer The views, information and content expressed herein are those of
More informationH 7789 S T A T E O F R H O D E I S L A N D
======== LC001 ======== 01 -- H S T A T E O F R H O D E I S L A N D IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 01 A N A C T RELATING TO INSURANCE - INSURANCE DATA SECURITY ACT Introduced By: Representatives
More informationHIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.
HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure
More informationHow to mitigate risks, liabilities and costs of data breach of health information by third parties
How to mitigate risks, liabilities and costs of data breach of health information by third parties April 17, 2012 ID Experts Webinar www.idexpertscorp.com Rick Kam President and Co-Founder richard.kam@idexpertscorp.com
More informationPrivacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR
Resource provided by Page 1 of 10 Contents I. The Privacy Rule The Fundamental HIPAA Rule... 1 II. Privacy Rule Overview... 1 III. Privacy Rule Standards and Implementation Specifications Covered in Section
More informationUniversity Data Policies
BACKGROUND Data are valuable institutional assets of Washington State University. Data policies are needed to ensure that these resources are carefully managed, maintained, protected, and used appropriately.
More information[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4
Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did
More informationDATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY Coverage under this endorsement is subject to the following: PART 1 RESPONSE
More informationHIPAA and Lawyers: Your stakes have just been raised
HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory
More informationCyber Insurance 2017:
Cyber Insurance 2017: Ensuring Your Coverage is Sound Thursday, March 23, 2017 Attorney Advertising Prior results do not guarantee a similar outcome 777 East Wisconsin Avenue, Milwaukee, WI 53202 414.271.2400
More informationPresented by Max Muller. Records Retention and Destruction for Human Resources
Presented by Max Muller Records Retention and Destruction for Human Resources Today s Agenda Be able to analyze your current document retention policies and procedures to ensure they re in compliance with
More informationHIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel
HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability
More informationCyberinsurance: Necessary, Expensive and Confusing as Hell. Presenters: Sharon Nelson and Judy Selby
Cyberinsurance: Necessary, Expensive and Confusing as Hell Presenters: Sharon Nelson and Judy Selby Setting the stage 2018 report from PwC one-third of US businesses have some form of cyberinsurance PwC
More informationPATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS
PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached
More informationARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationNegotiating Business Associate Agreements
Negotiating Business Associate Agreements February 19, 2015 William J. Roberts, Esq. Shipman & Goodwin LLP 2015. All rights reserved. HARTFORD STAMFORD GREENWICH WASHINGTON, DC About HIPAA HIPAA is a federal
More informationThe Privacy Rule. Health insurance Portability & Accountability Act
The Privacy Rule Health insurance Portability & Accountability Act Enacted on August 21, 1996 to amend the Internal Revenue Code of 1986 To improve portability and continuity of health insurance coverage
More informationChicagoLand RIMS Cyber Insurance Coverage Pitfalls and How to Avoid Them
ChicagoLand RIMS Cyber Insurance Coverage Pitfalls and How to Avoid Them PROVIDED BY HUB INTERNATIONAL October 25th, 2016 W W W. C H I C A G O L A N D R I S K F O R U M. O R G AGENDA 1. The evolution of
More informationThe Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013
The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice
More informationHIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT
WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile
More informationACORD 834 (2014/12) - Cyber and Privacy Coverage Section
ACORD 834 (2014/12) - Cyber and Privacy Coverage Section ACORD 834, Cyber and Privacy Coverage Section, is used to apply for cyber and privacy coverage. The form was designed to be used in conjunction
More informationCyber Risk Proposal Form
Cyber Risk Proposal Form Company or trading name Address Postcode Country Telephone Email Website Date business established Number of employees Do you have a Chief Privacy Officer (or Chief Information
More informationSecure Information Destruction; A Legal Imperative
In this Issue Information as a Double-Edged Sword Not Knowing the Law Secure Information Destruction and Legal Compliance Information Security Recommendations From Shred-it Secure Information Destruction;
More informationCompliance With the Red Flags Rules
For Audio Participation, Please Call 1.866.281.4322, *1382742* Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321
More informationLargest Risk for Public Pension Plans (Other Than Funding) Cybersecurity
Largest Risk for Public Pension Plans (Other Than Funding) Cybersecurity 2017 Public Safety Employees Pension & Benefits Conference Ronald A. King (517) 318-3015 rking@ I am convinced that there are only
More informationCYBER AND INFORMATION SECURITY COVERAGE APPLICATION
NOTICE: THIS APPLICATION IS FOR CLAIMS-MADE AND REPORTED COVERAGE, WHICH APPLIES ONLY TO CLAIMS FIRST MADE AND REPORTED IN WRITING DURING THE POLICY PERIOD, OR ANY EXTENDED REPORTING PERIOD. THE LIMIT
More informationRISK TRACK. Privacy and Data Protection
RISK TRACK Privacy and Data Protection Presenters Marti Arvin Chief Compliance Officer UCLA Health Sciences Phone: 310-794-6763 MArvin@mednet.ucla.edu Marti Arvin is the Chief Compliance Officer for UCLA
More informationLEGAL ISSUES IN HEALTH IT SECURITY
LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson
More informationClaims Made Basis. Underwritten by Underwriters at Lloyd s, London
APPLICATION for: NetGuard Plus Claims Made Basis. Underwritten by Underwriters at Lloyd s, London tice: The Policy for which this Application is made applies only to Claims made against any of the Insureds
More informationCYBER LIABILITY REINSURANCE SOLUTIONS
CYBER LIABILITY REINSURANCE SOLUTIONS CYBER STRONG. CYBER STRONG. State-of-the-Art Protection for Growing Cyber Risks Businesses of all sizes and in every industry are experiencing an increase in cyber
More informationCyber Risk Management
Cyber Risk Management Agenda Asset Inventory and Baselines Vendor Management Incident Response Planning Resilience Insurance Considerations All. Together. Certain. 2 1 Asset Inventory and Baselines All.
More informationHIPAA P11 Retention and Destruction of Protected Health Information
HIPAA P11 Retention and Destruction of Protected Health Information FULL POLICY CONTENTS Scope Reason for Policy Definitions Policy Statement Sanctions ADDITIONAL DETAILS Additional Contacts Forms Related
More informationCyber ERM Proposal Form
Cyber ERM Proposal Form This document allows Chubb to gather the needed information to assess the risks related to the information systems of the prospective insured. Please note that completing this proposal
More informationWhat You Need to Know to Make Sure Your Insurance Business Complies
New York State Department of Financial Services New Cybersecurity Regulation 23 NYCRR Part 500 What You Need to Know to Make Sure Your Insurance Business Complies Presented by: NAIFA-NYS, Peter J. Molinaro,
More informationNACHA Third-Party Sender Certification Program Criteria
INTRODUCTION These Third-Party Sender Certification Program Criteria set forth the subject matter areas that will be reviewed by NACHA in order to determine whether an applicant ( Applicant ) satisfies
More informationAssessing and Mitigating Risk Under the HIPAA Omnibus Rule
Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta
More informationAssessing and Mitigating Risk Under the HIPAA Omnibus Rule
Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta
More informationPRIVACY AND CYBER SECURITY
PRIVACY AND CYBER SECURITY Presented by: Joe Marra, Senior Account Executive/Producer Stoya Corcoran, Assistant Vice President Presented to: CIFFA Members September 20, 2017 1 Disclaimer The information
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule
More informationDATA COMPROMISE COVERAGE FORM
DATA COMPROMISE DATA COMPROMISE COVERAGE FORM Various provisions in this policy restrict coverage. Read the entire policy carefully to determine rights, duties and what is and is not covered. Throughout
More informationCOMMONWEALTH OF PENNSYLVANIA BUSINESS ASSOCIATE ADDENDUM
APPENDIX J Rev dated 11/24/2014 COMMONWEALTH OF PENNSYLVANIA BUSINESS ASSOCIATE ADDENDUM WHEREAS, the Pennsylvania Department of Human Services (Covered Entity) and Contractor (Business Associate) intend
More informationCyber Liability Launch Event Moscow
Allianz Global Corporate & Specialty Cyber Liability Launch Event Moscow AGCS November 2016 Cyber Insurance market Stand Alone Business USA USA Started in the early to mid 1990 s 50 Started + carriers
More informationHIPAA OMNIBUS FINAL RULE
HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on
More informationHIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.
HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More informationInterpreters Associates Inc. Division of Intérpretes Brasil
Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable
More informationHIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?
HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What
More informationCyber Risk Mitigation
Cyber Risk Mitigation Eide Bailly Howalt + McDowell Insurance Introduction Meet your presenters Eric Pulse Risk Advisory Director 20 years in the public accounting and consulting industry providing information
More informationAPPLICATION for: TechGuard Liability Insurance Claims Made Basis. Underwritten by Underwriters at Lloyd s, London
APPLICATION for: TechGuard Liability Insurance Claims Made Basis. Underwritten by Underwriters at Lloyd s, London SECTION I. GENERAL INFORMATION 1. Name of Applicant: Physical Address: (as it should appear
More informationThe Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure
The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )
More informationFederal Banking Agencies Request Comment on Enhanced Cybersecurity Standards
Federal Banking Agencies Request Comment on Enhanced Cybersecurity Standards October 20, 2016 Financial Institutions, Cybersecurity On October 19, 2016, the Board of Governors of the Federal Reserve System
More informationTestimony. Submitted for the Record. American Bankers Association. Financial Institutions and Consumer Credit Subcommittee
Testimony Submitted for the Record from the American Bankers Association for the Financial Institutions and Consumer Credit Subcommittee of the Committee on Financial Services United States House of Representatives
More informationMNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota
MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota 1. MNsure Duties A. Application Counselor Duties (a) (b) (c) (d) (e) (f) Develop and administer
More informationAuditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees
Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees San Antonio IIA: I HEART AUDIT CONFERENCE February 24,
More informationCyber Risks & Cyber Insurance
Cyber Risks & Cyber Insurance Terry Quested Executive Director Associated Risk Managers of Ohio Darren Faye Vice President Leonard Insurance / Assured Partners Legal Disclaimer The views, information and
More informationPriciest HIPAA Incidents of 2015
Priciest HIPAA Incidents of 2015 Cornell Prescription Pharmacy - $125,000 Cornell Prescription Pharmacy, a Denver-based pharmacy specializing in compounded medications, was ordered to pay $125,000 due
More informationBREACH MITIGATION EXPENSE COVERAGE
POLICY NUMBER: QBPC-2030 (09-16) THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. BREACH MITIGATION EXPENSE COVERAGE This endorsement modifies insurance provided under the following: INSURANCE
More informationA Step By Step Guide To Dealership Compliance Team One research and Training /Summit Group
A Step By Step Guide To Dealership Compliance 2008 Team One research and Training /Summit Group As you probably already know, 2008 has brought the automobile dealer a whole new set of compliance issues
More informationAPPLICATION FOR DATA BREACH AND PRIVACY LIABILITY, DATA BREACH LOSS TO INSURED AND ELECTRONIC MEDIA LIABILITY INSURANCE
Deerfield Insurance Company Evanston Insurance Company Essex Insurance Company Markel American Insurance Company Markel Insurance Company Associated International Insurance Company DataBreach SM APPLICATION
More informationNAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0. Potential Verification for Onsite Audit
Page 1 of 24 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0 (Glossary provided at end of document.) Information Security 1.1 Information Security
More informationExcept as otherwise provided in this title, 1 for purposes of this title, 1 the following definitions shall apply:
TITLE 12 - BANKS AND BANKING CHAPTER 53 - WALL STREET REFORM AND CONSUMER PROTECTION SUBCHAPTER V - BUREAU OF CONSUMER FINANCIAL PROTECTION 5481. Definitions Except as otherwise provided in this title,
More informationRECITALS. WHEREAS, this Amendment incorporates the various amendments, technical and conforming changes to HIPAA implemented by the Final Rule; and
Amendment to Business Associate Agreements and All Other Contracts Containing Embedded Business Associate Provisions as stated in a Health Insurance Portability and Accountability Act Section between Independent
More informationPrivacy and Security Issues Facing Qualified Retirement Plans
SECURIAN FINANCIAL 1 Privacy and Security Issues Facing Qualified Retirement Plans Theodore Schmelzle, JD, CIPP/US Senior Director, Retirement Solutions November 2018 SECURIAN FINANCIAL 2 Agenda Why advisors,
More information