Copyright 2009. Jordan Lawrence. All rights reserved.

Annual In-House Symposium

Practical Steps to Minimize Privacy Risks: Understanding the Intersection Between Information Management and Privacy Law

May 21, 2009

Marty Provin, Executive Vice President, Jordan Lawrence

[email protected]



Page 2: Privacy Breaches Happen Every Day

• May 7th, 2009: 3,400 individuals' information from a benefits report may have been pulled out of a dumpster.

• May 5th, 2009: Documents that included Social Security numbers, addresses, phone numbers and names were found in an unlocked public container sitting off a side street in their apartment complex.

• May 5th, 2009: Boxes found in a trash bin contained 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers.

• April 29th, 2009: A spreadsheet with worker names and Social Security numbers was found on the Internet. The data was released to a so-called peer-to-peer network during a music transfer to an agency laptop.

• April 29th, 2009: A laptop computer containing the personal information of about 225,000 individuals was stolen from a home. The data included names, Social Security numbers, tax identification numbers, birth dates and addresses.

• March 24, 2009: A hospital employee left patient records on a train she was taking with her to do billing work over the weekend.

• March 11th, 2009: A university kept information (including Social Security numbers and salary information for employees and students), dating back at least ten years, in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.

Source: Privacy Rights Clearinghouse

Page 3: Current Standard

• Definition of Personally Identifiable Information: a resident's first and last name, or first initial and last name, together with one or more of the following:
  - Social Security number
  - Driver's license or state-issued ID card number
  - Financial account number
  - Credit or debit card number

• Possibly medical or biometric information

Page 4: Who & What

• Who privacy laws apply to: a resident of the particular state, not the location of the business or of the breach

• They always apply to electronic information and may apply to hardcopy as well

• Trigger of the notification period: disclosure should be expedient and without unreasonable delay following the discovery of the breach; the "timeliness" of the response will be scrutinized

Page 5: After a Privacy Breach

• Safe Harbor: possible if the data was encrypted; best practice is to notify regardless

• Credit monitoring and assistance

• Penalties: fines and a civil right of action

Page 6: Cost of a Privacy Breach

• Hard dollar costs: $6.6 m average expense to an organization
  - Cost of notifying victims
  - Maintaining information hotlines
  - Legal, investigative, and administrative expenses
  - Credit monitoring

• Reputational harm: 31% of breach notice recipients terminate their business; 57% reported losing trust and confidence

Source: Ponemon Institute

Page 7: Privacy Laws & Cross-Border Litigation

• EU privacy laws vs. FRCP

• Blocking statutes restrict discovery of information meant for disclosure in a foreign jurisdiction: Switzerland, France and the United Kingdom

• EU Data Protection Authorities intend on limiting U.S. discovery within the EU

• Doubtful U.S. judges will be sympathetic

Page 8: Why Companies Struggle

• Misguided "prevention" efforts: less than 20% of breaches involve unauthorized network access, yet more than $5 billion is spent on network security

• Failure to understand the most common risks: 73 of 125 data breaches reported¹ in 2009 have involved
  - Lost or stolen laptops, computers or storage devices
  - Backup tapes lost by employees or a third-party vendor
  - Employees' handling of information
  - Dumpster diving

¹ Source: Privacy Rights Clearinghouse as of May 20th, 2009

Page 9: People and Policy

It's about policy awareness and policy compliance

• 54% of business representatives don't think their company's privacy policy applies to email¹

• 39% of business representatives report saving sensitive company data to personal computers and storage devices¹

• One out of ten employees report having had a company computer or storage device lost or stolen in the last 12 months²

¹ Source: 2008 Jordan Lawrence Assessment Data
² Source: 2008 Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss, by InsightExpress

Page 10: Taking the First Step

Identify the necessary information:

• What personally identifiable data does the company have?

• Where do they have it?

• How is it managed?

Page 11: How Do You Get This Information

• Business representatives understand:
  - The types of sensitive information they work with
  - What media it's in
  - Who they share it with
  - How they manage it
  - What they do with it at end of life

• Subject matter experts understand:
  - Encryption services deployed
  - Back-up processes
  - Disposal processes
  - Third parties that have access to sensitive information

Page 12: What You Will Find

• 1,272 record type profiles with sensitive information

Types of sensitive data found:

• Social Security numbers

• Credit history information

• Credit/debit account information

• Employment information

• Medical information

• Name, phone, address

Location of data (number of record types with sensitive information, by department; n/a = not shown on the slide):

Department        On laptop (no encryption)   On flash drive   Emailed outside organization   Paper (no shred bin)
Human Resources   29                          11               14                             n/a
Accounting        18                          22               15                             n/a
Security          10                          n/a              n/a                            9

Source: Client data from a Jordan Lawrence Assessment
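To show how the definition on the Current Standard slide and the inventory on this slide fit together in practice, here is an added Python example; it is not code from the Jordan Lawrence deck. It classifies each record type as notification-triggering PII (a name plus one of the listed identifiers), weights it by where copies are stored, and aggregates the result into the per-department shape of the table above. The element names, location categories, exposure weights and the sample inventory are all constructed assumptions; the zero weight for encrypted laptops reflects the Safe Harbor point on the After a Privacy Breach slide.

```python
from dataclasses import dataclass

# Identifiers that, together with a resident's name, make a record
# notification-triggering PII under the "Current Standard" definition.
TRIGGER_IDENTIFIERS = {"ssn", "drivers_license", "financial_account", "card_number"}
# Elements the slide lists as "possibly" covered; flagged, but ranked lower.
POSSIBLE_IDENTIFIERS = {"medical", "biometric"}

# Storage locations from the inventory, with assumed exposure weights
# (constructed for this example; tune them to your own risk appetite).
# Encrypted storage gets 0 because the Safe Harbor may apply.
LOCATION_WEIGHT = {
    "laptop_unencrypted": 3,
    "flash_drive": 3,
    "email_external": 3,
    "paper_no_shred_bin": 2,
    "file_server_access_controlled": 1,
    "laptop_encrypted": 0,
}


@dataclass
class RecordType:
    name: str
    department: str
    elements: set   # data elements the record contains
    locations: set  # where copies of it live


def pii_classification(elements):
    """'triggering' if a name plus a listed identifier is present,
    'possible' if a name plus only medical/biometric data, else 'none'."""
    if "name" not in elements:
        return "none"
    if elements & TRIGGER_IDENTIFIERS:
        return "triggering"
    if elements & POSSIBLE_IDENTIFIERS:
        return "possible"
    return "none"


def risk_score(record):
    """Sensitivity class times the summed exposure of every storage location."""
    base = {"triggering": 3, "possible": 1, "none": 0}[pii_classification(record.elements)]
    exposure = sum(LOCATION_WEIGHT.get(loc, 1) for loc in record.locations)
    return base * exposure


def triage(records):
    """Rank record types by risk, dropping those with no exposed PII."""
    scored = [(r, risk_score(r)) for r in records]
    ranked = sorted(scored, key=lambda pair: pair[1], reverse=True)
    return [(r.name, r.department, pii_classification(r.elements), score)
            for r, score in ranked if score > 0]


def summarize_by_department(records):
    """Count PII-bearing record types per department and risky location,
    the same shape as the assessment table on the slide."""
    summary = {}
    for r in records:
        if pii_classification(r.elements) == "none":
            continue
        dept = summary.setdefault(r.department, {})
        for loc in r.locations:
            if LOCATION_WEIGHT.get(loc, 1) > 0:
                dept[loc] = dept.get(loc, 0) + 1
    return summary


# Constructed sample inventory, not client data.
SAMPLE_INVENTORY = [
    RecordType("Payroll register", "Human Resources",
               {"name", "ssn", "salary"}, {"laptop_unencrypted", "email_external"}),
    RecordType("Benefits enrollment", "Human Resources",
               {"name", "ssn", "medical"}, {"flash_drive"}),
    RecordType("Vendor payments", "Accounting",
               {"name", "financial_account"}, {"laptop_unencrypted", "flash_drive"}),
    RecordType("Expense reports", "Accounting",
               {"name", "card_number"}, {"email_external"}),
    RecordType("Badge access log", "Security",
               {"name", "badge_id"}, {"paper_no_shred_bin"}),
    RecordType("Visitor biometrics", "Security",
               {"name", "biometric"}, {"laptop_encrypted"}),
    RecordType("Incident reports", "Security",
               {"name", "drivers_license"}, {"paper_no_shred_bin"}),
]

if __name__ == "__main__":
    for name, dept, cls, score in triage(SAMPLE_INVENTORY):
        print(f"{score:3d}  {cls:10s}  {dept:16s}  {name}")
    for dept, counts in summarize_by_department(SAMPLE_INVENTORY).items():
        print(dept, counts)
```

The badge log drops out because a name alone does not meet the definition, and the encrypted biometric record scores zero even though it is "possibly" covered, which is exactly the kind of record the deck says to notify on regardless; the ranking is meant to order the clean-up work, not to decide whether a breach is reportable.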

Page 13: Putting Policy Into Practice

• Develop a policy including:
  - Definition of what is considered sensitive information
  - How to manage sensitive information
  - How to dispose of sensitive information
  - Annual acknowledgment
  - Consequences for not complying

• Train all employees:
  - Conduct annual training
  - Make it part of the hiring process

Page 14: Enforcing Policy

• Implement a process for safeguarding sensitive information:
  - Information technology for technical safeguards
  - The business for managing and destroying hardcopy

• Audit:
  - Formal audit process
  - Annual spot auditing of business areas

• Annually re-assess:
  - Identify new risks as business processes change
  - Ensure compliance with "new" and changing laws
  - Cross-border litigation

Page 15: Thank You

Marty Provin

636-821-2250

[email protected]