The Data Governance Crisis Real or Perceived?


Page 1

The Data Governance Crisis – Real or Perceived?

Page 2

Presented by Carol Romej, J.D., L.L.M. | (248) 740-7505 | [email protected]

The Data Governance Crisis – Real or Perceived?

Page 3

History

A – Association of

R – Records

M – Managers and

A – Administrators

Page 4

“fake news”

• False, often sensational, information disseminated under the guise of news reporting. (Collins English Dictionary)

• A type of yellow journalism or propaganda that consists of deliberate misinformation or hoaxes spread via traditional print and broadcast news media or online social media. (Wikipedia)

Page 5

Maureen Paschal, School Librarian

“The only reliable way to protect citizens from fake news, alternate facts, or hate groups, is for all of us to learn how to navigate digital information with discernment and skepticism”

1. Know the parts of a newspaper or cable news broadcast

2. Understand bias and point of view

3. Know how search engines and their algorithms work

4. Determine what is a reliable source

5. THEN choose your news source

Page 6

Ms. Paschal’s Key Points

• Learn the difference between opinion, analysis and editorial presentations.

• Know the difference between a news anchor and a news channel personality.

• Three Little Pigs – if the pigs only read news stories written by pigs, they are never exposed to the other side’s thoughts and opinions, and they may lose the opportunity to see things through someone else’s perspective.

• Reliable sources make their credentials obvious and easy to find.

• Algorithms take into account our past searches and what our friends like, and then present information accordingly.

Page 7

The True Story of The 3 Little Pigs

LITTLE PIGS: Wolf blew my house down!

WOLF: I have allergies and your house was made of straw.

LITTLE PIGS: Wolf ate the first little pig after blowing his house down.

WOLF: I am a carnivore and have no diet restrictions. Besides, the little guy was dead anyway when the house fell on him.

LITTLE PIGS: Wolf did the same to the second pig with the stick house!

WOLF: Same story – and why waste food? All I wanted was to borrow a cup of sugar! I was baking. I was framed!

Page 8

Ms. Paschal’s Takeaways

It’s easy to lose our skepticism when all we see is what we already believe. It’s not until we see things we don’t know or believe that our sense of curiosity and skepticism is awakened.

Page 9

PINTEREST

• Pinterest’s code studies your selections and choices, and then decides which recipes to show you and which to hide from you

Page 10

If you use the Internet

YOU are an ALGORITHM

Page 11

Disruptive Technologies

• Internet of Things (IoT)

• The Cloud

• Mobile Devices

• Data Analytics

Page 12

Embedding RFID Chips in

Employees

Three Square Market Employees VOLUNTEERED to be embedded. Their bodies are now key cards for building entry access and to pay for food in the company cafeteria.

Three Square Market promises not to track employees.

Page 13

Vehicle Operation Systems

• Wireless infotainment systems

• Autonomous vehicles

• Cellular Vehicle-to-Everything (C-V2X) system (Ford)

Page 14

Auto-ISAC Best Practices

• Governance – define oversight and culture

• Risk Assessment and Management

• Security by Design – identify risks early during design

• Threat Detection and Protection – be proactive and vigilantly monitor

• Incident Response

• Training employees

• Collaboration with rest of industry

Page 15

Auto-ISAC

Organizations have the autonomy and ability to select and voluntarily adopt practices based on their respective risk landscapes.

Page 16

Lessons Learned: OCR HIPAA Settlements

Columns: Type of Entity | Amount | Individuals Affected | State | Year | Key Facts

Medical Research Institute | $3,900,000 | 13,000 | NY | 2016
• Stolen unencrypted laptop
• Lack of policies and procedures related to accessing ePHI
• Inadequate security management process

Health System | $1,550,000 | 9,497 | MN | 2016
• Stolen unencrypted laptop
• Failure to institute an organization-wide risk analysis
• Failure to have compliant business associate agreements

Teaching Hospital | $750,000 | 90,000 | WA | 2015
• Malicious malware compromised IT system
• Lack of organization-wide risk analysis

Insurance | $3,500,000 | Exact number not provided | PR | 2015
• Multiple reported breaches
• Failure to implement a comprehensive, organization-wide compliance program

Teaching Hospital | $850,000 | 599 | MA | 2015
• Stolen laptop
• Widespread non-compliance
• No thorough risk analysis
• Lack of policies and procedures related to safeguarding workstations

Physician Group | $750,000 | 55,000 | IN | 2015
• Stolen unencrypted backup media
• Lack of enterprise-wide risk analysis
• Failure to implement a comprehensive, organization-wide device and media control policy

Page 17

Critical & Sensitive Data

• Social Security Number

• Credit Card Information

• Driver’s License

• Birth Date

• Protected Health Information under HIPAA/HITECH (Insurance/Medical)

• Employment/Income

• Email address

• Corporate Intellectual Property

• Corporate Proprietary Information

Page 18

Gatekeepers of Information

Page 19

Who ‘touches’ data?

• Accounting

• IT

• Marketing

• Service Lines

• Business Lines

• Vendors

• Customers

Page 20

Who ‘owns’ data risk management?

Who is held accountable?

Page 21

Educating the Guards

• NIST – National Institute of Standards and Technology

• ITL – Information Technology Laboratory

• NICE – National Initiative for Cybersecurity Education

• KSAs – Knowledge, Skills and Abilities

Page 22

KSAs

• Knowledge is a body of information applied directly to the performance of a work/job function.

• Skill is defined as an observable competence to perform a learned act in order to apply tools, frameworks, processes and controls that have an impact on the cybersecurity posture of an organization.

• Ability is competence to perform an observable behavior that results in an observable product (performance).

Page 23

NICE Mission

• A partnership between the government, academia and the private sector working to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development.

• Coordinates and builds on existing programs, facilitates change and innovations, and brings vision to increase the number of skilled cybersecurity professionals to keep our nation secure.

• Cultivating a cybersecurity workforce that is globally competitive (from hire to retire)

• Increasing the KSAs of the workforce in cybersecurity

Page 24

Cybersecurity Workforce

• A workforce that includes a broad range of skills within an organization – NOT just technical staff

• A workforce that includes employees that have an impact on an organization’s ability to protect its data, systems and operations in order to implement the organization’s business mission

Page 25

NIST SP 800-181 Task Detail

• T8094 – Develop and manage enterprise-wide procedures to ensure the development of new products and services is consistent with the company privacy policies and legal obligations.

• T0870 – Serve in a leadership role for Privacy Oversight Committee activities.

• T0861 – Work with the general counsel, external affairs and business leads to ensure both existing and new services comply with privacy and data security obligations.

• T0506 – Seek consensus on proposed policy changes from stakeholders.

• T0493 – Oversee budget, contracting and staffing.

Page 26

NIST 800-181 Knowledge Areas

• K0008 – Knowledge of applicable business processes and operations of customer organizations

• K0096 – Knowledge of the capabilities and functionality of various collaborative technologies (e.g., SharePoint)

• K0095 – Knowledge of the capabilities and functionality associated with various technologies for organizing and managing information (e.g., databases)

• K0120 – Knowledge of how information needs and collection requirements are translated, tracked and prioritized across the organization

Page 27

NIST 800-181 Key Ability

A0074 – Ability to collaborate with others

Page 28

Security Ecosystem

• Critical Business Software Applications

• Hosted / In-house applications

• Mobile Devices

• Copies of data (ordinary course of business)

Page 29

2017 DBIR

No locale, industry or organization is bulletproof when it comes to the compromise of data.

Page 30

Information Security Teams

The soldier is told to guard a certain hill and to keep it at all costs. However, he is not told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike.

2016 DBIR Report, Page 6

Page 31

Equifax IT Organization

• 225 Cyber professionals on staff

• A 3 year security budget exceeding a quarter billion dollars

Page 32

EQUIFAX Breach Chronology

1. March 7 – CERT issues a vulnerability warning for a flaw in Apache Struts software.

2. March 9 – A warning is issued internally to security staffers about the vulnerability.

3. March 16 – Equifax IT runs (weekly) scans to detect any patch not addressed. The scan program misses the Apache Struts application patch.

4. May 13 – Hackers access the sensitive information of 45% of all Americans.

5. July 29 – Equifax IT discovers the compromise.

6. September 7 – Equifax makes the breach public.

Page 33

Rep. Greg Walden, Ore.

“How does this happen when so much is at stake? I don’t think we can pass a law that can fix stupid!”

Page 34

Jason’s Deli Breach

• June 8, 2017 – Criminals deploy RAM-scraping malware on point-of-sale (POS) terminals

• December 22, 2017 – Jason’s HQ was notified by credit card payment processors that credit card security personnel noticed card information for sale on the dark web, and analysis led to the source – the deli.

• Jason’s Deli has over 266 stores in 28 states. It is estimated that 2 million customers are affected.

Page 35

Vtech Breach

• The electronic toymaker reached a settlement with the Federal Trade Commission for $650,000

• A 2-year investigation

• Vtech was found to have failed to solicit parental consent before collecting children’s names, dates of birth and gender

• The FTC ruled that Vtech failed to utilize reasonable safeguards to protect the children’s information

Page 36

Aetna Insurance

• Used an envelope window for a mailing to 12,000 insureds that exposed a portion of the letter that included the words ‘filling your HIV prescription’

• Recently settled for $17 M

Page 37

Data Breach Investigations Report

• Over 60 global organizations are contributors

• Aggregate and analyze common incident patterns

• Publish findings and make recommendations to industry

Page 38

2010 – DBIR – Verizon Data

• Most breaches are discovered by external parties

• Most breaches could have been avoided without difficult or expensive controls

Page 39

Data Breach Trends - Ponemon

• Average cost of each stolen or lost record is $221.00

• Biggest financial consequence is lost business

• Malicious attacks by cyber criminals are taking longer to detect

• Ransomware – focuses on a new primary victim – the organization who is exposed to the additional risk of paying a ransom

Page 40

Key Data Loss Prevention Controls

• Endpoint security solutions

• Encryption

• Data Governance programs

• Incident Response team

• Investments in in-house expertise

Page 41

Ineffective Risk Management

• Not knowing where your Intellectual Property, Sensitive Data, or Proprietary Data is residing (i) Internally or (ii) Externally

• Not procuring cyber insurance

• Accountability for risk management is dispersed throughout the organization

Page 42

Mitigating Risk – Training

• Develop a culture of compliance

– Designate a budget for security

– Make privacy and security a daily part of operations

– Empower managers to take responsibility

– Every workforce member must see themselves as being responsible for privacy and security of patient information

– Train employees to treat patient information in the same manner they treat the patient

– Develop a privacy theme for your organization such as “Keep It to Yourself,” “Keep It Confidential,” etc. – make it fun

– Develop a privacy committee with broad representation

Page 43

Tone at the Top

• Drives the organization’s control environment

• Reduces the risk of working with vendors that are not trustworthy

• Incorporates integrity and ethics in relationships with vendors

• Increases employee awareness of the importance of security, data protection and business resiliency

Page 44

New Data Breach Insurance Benchmarks affecting Data Governance

• Do you require that every person in the organization be given anti-fraud security awareness training on an ongoing basis that includes but is not limited to detection of social engineering, phishing or other scams?

• Do you conduct recurring, third-party penetration tests to assess the organization’s vulnerabilities, including unannounced random calls or emails to employees soliciting information that should not be shared?

Page 45

More Insurance Benchmarks affecting Data Governance

• Has any service provider with access to the Applicant’s network or computer system(s) sustained an unscheduled network outage or interruption lasting longer than 4 hours within the past 3 years?

• Does your virus or malicious code control program address the following: anti-virus on ALL systems, filtering of ALL content for malicious code, controls on shared drives and folders, CERT or similar vendor neutral threat notification services….?

Page 46

References

• www.veriscommunity.com

• www.vcdb.org

• National Institute of Standards and Technology, Special Publication 800-181 (August 2017)

• 2016 Cost of Data Breach Study: United States, Ponemon Institute, June 2016

• www.fbi.gov

• Tone at the Top and Third Party Risk, Ponemon Institute and Shared Assessments 2016, May 2016

• 2017 Data Breach Investigations Report, www.verizonenterprise.com

Page 47

References (continued)

• “What you don’t know about Internet Algorithms is hurting you”, by Caitlin Dewey, March 23, 2015, The Washington Post

Page 48

Please visit the Hall Render Blog at http://blogs.hallrender.com for more information on topics related to health care law.

Carol Romej, J.D., L.L.M. | (248) 740-7505 | [email protected]

Anchorage | Dallas | Denver | Detroit | Indianapolis | Louisville | Milwaukee | Philadelphia | Raleigh | Seattle | Washington, D.C.

This presentation is solely for educational purposes and the matters presented herein do not constitute legal advice with respect to your particular situation.