The Impact of COVID-19 On Municipal Cyber Security
Michael Watza and Carina Kraatz of Kitch
Devin Mackinder from the City of Portage
John DiMaggio of Blue Orange Compliance &
Bill Schaumann
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward 24th Floor
Detroit MI 48226
General Counsel PROTEC
E Mail MikeWatzaKitchCom
O (313) 965-7983
M (248) 921-3888
www.protec-mi.org
www.kitch.com
EFFECT OF COVID-19 ON US INTERNET TRAFFIC (AKAMAI, APRIL 29, 2020)
• Remote Work/Education/Play in March - Internet traffic up 33%
• April: Internet traffic drops to 15% above normal
• Patterns vary by State and even City, based on Emergency Declarations
• Weekend use has leveled out with weekdays
https://blogs.akamai.com/sitr/2020/04/parts-of-a-whole-effect-of-covid-19-on-us-internet-traffic.html
EFFECT OF COVID-19 ON US CYBER SECURITY
• 1st - Stressed employees are distracted and more likely to fall for malicious phishing emails or click on a news story that takes them to a malicious web page
• 2nd - Remote Access, Home and Mobile = "target-rich environment"
• Securing endpoint devices becomes a significantly bigger challenge
• Hackers using "off the shelf" malware kits - Thousands of new sites registered daily for phishing attacks, distributing malware, ransomware, or for financial fraud - tricking users into paying for fake cures, supplements or vaccines
• Phishing attacks taking advantage of the health crisis: Phishing URLs include terms "corona", "coronavirus" or "World Health Organization (WHO)"
• https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-are-being-created-on-a-daily-basis
• https://www.akamai.com
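Added example (not part of the original presentation): one way a municipal IT team could triage web proxy logs for the lure terms named on this slide. The log format, the allowlist, the extra term "covid" and all sample lines are assumptions constructed for illustration; only hostnames are inspected, not URL paths.

```python
import re
from urllib.parse import urlsplit

# Lure terms taken from the slide ("corona", "coronavirus", "WHO").
# "covid" is an added assumption based on the deck's topic.
# Longest terms first so "coronavirus" is reported instead of "corona".
SUBSTRING_TERMS = ("coronavirus", "corona", "covid")
# Short terms are matched only as whole hostname tokens, so that
# "whois" or "wholesale" do not count as a "who" hit.
TOKEN_TERMS = ("who",)

# Hypothetical allowlist of domains the organisation already trusts.
ALLOWLIST = {"who.int", "cdc.gov", "michigan.gov"}

# Constructed sample proxy log, one request per line:
# "<timestamp> <user> <url>"
SAMPLE_LOG = """\
2020-04-29T08:01:12 jsmith https://www.who.int/emergencies/diseases
2020-04-29T08:03:40 jsmith http://coronavirus-relief-payment.example/claim
2020-04-29T08:05:02 akhan https://who-safety-update.example/login
2020-04-29T08:07:19 akhan https://whois.example/lookup?d=city.example
2020-04-29T08:09:55 mlee https://intranet.city.example/covid-policy.pdf
2020-04-29T08:11:03 mlee not-a-url
"""


def is_allowlisted(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def lure_terms(host):
    """Return the lure terms found in a hostname, as a tuple."""
    hits = []
    for term in SUBSTRING_TERMS:
        # Skip a shorter term already covered by a longer hit.
        if term in host and not any(term in h for h in hits):
            hits.append(term)
    tokens = set(re.split(r"[^a-z]+", host))
    for term in TOKEN_TERMS:
        if term in tokens:
            hits.append(term)
    return tuple(hits)


def scan(log_text):
    """Return (timestamp, user, host, terms) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line
        timestamp, user, url = parts
        host = urlsplit(url).hostname  # None when the field is not a URL
        if not host:
            continue
        host = host.lower()
        if is_allowlisted(host):
            continue
        terms = lure_terms(host)
        if terms:
            findings.append((timestamp, user, host, terms))
    return findings


if __name__ == "__main__":
    for timestamp, user, host, terms in scan(SAMPLE_LOG):
        print(f"{timestamp} {user} {host} terms={','.join(terms)}")
```

Hits are leads for review or for the simulated-phishing retraining list, not proof of compromise; internationalized (punycode) hostnames are not decoded here.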
CRITICAL REFERENCES
• Dept of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA)
  https://www.cisa.gov/cyber-essentials
• https://staysafeonline.org
• https://www.nextgov.com/cybersecurity/2020/01/pentagon-announces-final-version-cyber-standards-contractors/162807
CRITICAL REFERENCES CONT'D
• FCC Publishes Pandemic Scam List/Website
  https://www.fcc.gov/covid-scams
• From the "It Can Happen to Anybody Department" - US Health Agency Suffers Cyber-Attack During Covid-19 Outbreak
  https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
CRITICAL REFERENCES CONT'D
• FBI very involved – Interstate Crime. Cyber agent can be reached 24/7: 313-965-2323 East Michigan - 616-456-5489 West Michigan
  https://www.fbi.gov/investigate/cyber
• Watch Out for Zoom-Bombings on Online Video Meeting Apps
  – Require a password and/or use the waiting room feature and control admittance
  – Do not share a link to a teleconference or classroom publicly
  – Provide the link directly to specific people
  https://www.pcmag.com/news/fbi-watch-out-for-zoom-bombings-on-online-video-meeting-apps
TAKE AWAY HACKED
• YOUR SECURITY MEASURES ARE IN PLACE AND CURRENT
• YOUR TEAM IS IN PLACE
• YOUR PROTOCOLS ARE IN PLACE
• EMERGENCY TEAM CONTACTS AT YOUR FINGER TIPS AND NOTIFIED
  - Cyber security specialists
  - Legal and PR for potential 3rd party impacts
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices, with a specific focus on ransomware. We also stay current with new industry standards and utilize top-rated products and appliances.
PROTOCOL 1
• Staff Awareness Training
  – Mandatory training for new users
  – Simulated phishing emails to users – mandatory retraining for users who "take the bait"
  – Ongoing communications on trends and specific incident alerts
According to Verizon's 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches.
PROTOCOL 2
• Proactive Protection
  • Network Security (two-factor authentication, passphrases, NIST recommendations)
  • Endpoint Security
  • Email Security (filtering, encryption, threat monitoring, sandboxing, blacklists)
  • Mobile Device Security
  • Physical Security
  • Website Security (secure https connection)
  • Offsite Disaster Recovery and Business Continuity Planning
  • Data Backups
  • Network Assessments – recommended annually
  • Relationships/Partnerships with Law Enforcement Agencies/Security Experts
  • Data Breach Response Plan/"Tabletop Drills"
  • Internal Local Agency Security Officer / Terminal Agency Coordinator
PROTOCOL 3
• How to Choose a Managed Services Provider
  • Cybersecurity, disaster recovery, business continuity planning expertise
  • Ensures your IT environment will be highly secure
  • Highly certified and experienced staff
    • CEH – Certified Ethical Hacker
    • CISM – Certified Information Security Manager
    • CompTIA Security+
    • CISSP – Certified Information Systems Security Professional
    • GSEC – SANS GIAC Security Essentials
  • Provides guaranteed Service Level Agreement/proactive support
  • Assists with budgeting and planned upgrades
  • Makes your success a priority
PROTOCOL SUMMARY
• Proactive Measures
  • Staff awareness and training program – End users are the primary targets
  • Implement proactive measures as previously discussed
  • Business continuity plan in place and maintained regularly
  • Network security incident response (Breach Policy) in place and maintained
  • Partner with law enforcement and third-party cybersecurity experts
  • Remain current with best practices and software patches
  • Annual audit/assessment
  • Secure backups: Ensure backups are not connected permanently to computers and networks they are backing up
  • Centralize technology processes, procurements, etc. with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
MTA Security Overview
Security Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping organizations protect information and navigate privacy and security regulations. John is a recognized privacy and security speaker for national and state-level organizations.
John's extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare, senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a key expert in Price Waterhouse's Advanced Technologies Group and served on several national and international standards organizations, including the American National Standards Institute (ANSI) and the International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh.
About Blue Orange
Assessments
• HIPAA
• NIST Cyber Security Framework
• HITRUST
Plan & Guidance
• On-line Plans
• Regular Guidance
• Policies and Procedures
Automated Testing
• Vulnerability Scanning
• Elevated Privileges
• Firewall
• O365
Manual Testing
• Penetration Testing
• Social Engineering/Phish
Support & Governance
• Incident/Audit
• Board/Executive Materials/Analytics
Monitoring
• High Priority Event Monitoring
• Tier 2 Support

• National Provider
• Information Privacy and Security Solutions
• Authorized HITRUST Assessor
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing, Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates:
https://www.linkedin.com/company/2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC, May 2020
US States - Current or proposed privacy regulations
[Figure: US Privacy Map. Legend: Signed Privacy Regulations / Proposed Privacy Regulations]
• Virginia HB 473: Personal data management and oversight
• Hawaii SB 418: Relating to Privacy
• California Civil Code §§ 1798.100-99: California Consumer Protection Act
• Washington SB 5376: AN ACT Relating to the management and oversight of personal data
• Illinois SB2330: Data Transparency and Privacy Act
• Nebraska LB746: Nebraska Consumer Data Privacy Act
• Minnesota SB29172912: Consumer rights to personal data processing
• Maine 946: Act to Protect the Privacy of Online Customer Information
• Massachusetts 431120: An Act relative to consumer data privacy
• New York S5642: NY Privacy Act
• New Jersey S2834: Online Consumer Opt-out
• Pennsylvania HB1049: Protecting Consumer Information and Privacy
• Rhode Island: NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
[Figure: Privacy Operations diagram. Areas: Privacy Training, Privacy Operations, Third Party Management, Privacy Notices, Individual Rights Requests (IRM), Due Diligence & Monitoring, Privacy Impact Assessments]

• Receive and track requests
• Retrieve data
• Securely fulfill request

• Train those who handle PII
• Develop role based guidance
• Track compliance

• Assess the use of PII
• Monitor changes in business process
• Training records

• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions

• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations

• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Privacy use controls and business process are in sync
[Figure: for each of Business Process 1 through 4, the diagram shows the following control areas]
• Data Classification: Sensitivity level, Category/Type
• Use: Sharing, Selling, Commodity Status
• System Access (IAM): Services, Human
• Privacy Impact Assessments: Assessed use ==> Known Use; Process Changes ==> New uses (SDLC); Unassessed usage ==> Risk Calc
• Data at Rest: Encryption, Anonymization
• Data in Motion: Internal (System to system); External (Third parties, Service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today's complex universe of regulatory requirements, and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
  – Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
  – Set requirements on financial institutions regarding how to store and protect customer's private information
  – Each state required to implement
• Homeland Security Act (2002)
  – Created the National Institute of Standards and Technology (NIST)
    • Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
  – Provides stronger protections than the older statute which it replaced
  – §445.63: Broadened the definition of identity to include Personal Identifying Information (PII)
  – §445.72 provides the notice requirements for database security breaches
  – §445.72a mandates destruction of PII when removed from a database
Michigan Cyber Security Law
• Michigan Social Security Number Privacy Act (2004)
  – §445.83 limits the usage of a person's social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
  – Regulates access to and disclosure of medical records
Michigan Cyber Security Law
• Michigan Revised School Code (2016)
  – Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
  – Based on the model NAIC statute implementing the Federal Gramm Leach Bliley Act to protect the privacy of financial information
Michigan Cyber Security Law
• Michigan Cyber Security Act (2018)
  – Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
  – Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
  – Is Michigan's answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System
308 Mich App 592 (Mich Ct App 2014); 865 NW2d 915; 2015 Mich LEXIS 1995; Lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client, HFHS, was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens' control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rts of Way work include Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT, PHSMA, MPSC, DHS, Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J. Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J. Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill. and Toledo, OH.
• Mr. Watza's practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same.
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHSMA).
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform.
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee.
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy, and Ethics and the Practice of Law.
• In 2008, Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast's effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog.
• In 2013, Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments.
Michael J. Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M. Kraatz Biography
Michigan Rising Star
• Carina M. Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy, and creditor/debtor rights.
• Mrs. Kraatz's client base is composed of both domestic and international clients.
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa.
• Mrs. Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various "advice and counsel" clinics. Additionally, she is a part of the Firm's Marketing and Pro Bono Committees.
• Additionally, Mrs. Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan.
Carina M. Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
EFFECT OF COVID-19 ON US
INTERNET TRAFFIC AKAMAI APRIL 29 2020
bull Remote WorkEducationplay in March -
Internet traffic up 33
bull April Internet traffic drops to 15 above
normal
bull Patterns vary by State and even City
based on Emergency Declarations
bull Weekend use has leveled out with
weekdayshttpsblogsakamaicomsitr202004parts-of-a-whole-
effect-of-covid-19-on-us-internet-traffichtml
EFFECT OF COVID-19 ON US
CYBER SECURITYbull 1st - Stressed employees are distracted and more
likely to fall into malicious phishing emails or click on a
news story that takes them to a malicious web page
bull 2nd Remote Access Home and Mobile = ldquotarget-
rich environmentrdquobull Securing endpoint devices becomes a significantly bigger challenge
bull Hackers using ldquooff the shelfrdquo malware kits - Thousands of new sites
registered daily for phishing attacks distributing malware ransomware or for
financial fraud - tricking users into paying for fake cures supplements or
vaccines
bull Phishing attacks taking advantage of the health crisis Phishing URLs
include terms corona coronavirus or World Health Organization (WHO)
bull httpswwwzdnetcomarticlethousands-of-covid-19-scam-and-malware-sites-are-
being-created-on-a-daily-basis
bull httpswwwakamaicom
CRITICAL REFERENCESbull Dept of Homeland Securitys Cybersecurity amp
Infrastructure Security Agency (CISA)
httpswwwcisagovcyber-essentials
bull httpsstaysafeonlineorg
bull httpswwwnextgovcomcybersecurity20200
1pentagon-announces-final-version-cyber-
standards-contractors162807
CRITICAL REFERENCES CONTrsquoD
bull FCC Publishes Pandemic Scam ListWebsite
httpswwwfccgovcovid-scams
bull From the ldquoIt Can happen to Anybody
Departmentrdquo - US Health Agency Suffers
Cyber-Attack During Covid-19 Outbreakhttpswwwbloombergcomnewsarticles2020-03-16u-s-
health-agency-suffers-cyber-attack-during-covid-19-
response
CRITICAL REFERENCES CONTrsquoDbull FBI very involved ndash Interstate Crime Cyber
agent can be reached 247 313-965-2323
East Michigan - 616-456-5489 West Michiganhttpswwwfbigovinvestigatecyber
bull Watch Out for Zoom-Bombings on Online
Video Meeting Apps
ndash Require a password andor use the waiting room
feature and control admittance
ndash Do not share a link to a teleconference or
classroom publicly
ndash Provide the link directly to specific peoplehttpswwwpcmagcomnewsfbi-watch-out-for-
zoom-bombings-on-online-video-meeting-apps
TAKE AWAY HACKED
bull YOUR SECURITY MEASURES ARE IN
PLACE AND CURRENT
bull YOUR TEAM IS IN PLACE
bull YOUR PROTOCOLS ARE IN PLACE
bull EMERGENCY TEAM CONTACTS AT
YOUR FINGER TIPS AND NOTIFIED
- Cyber security specialists
- Legal and PR for potential 3rd party
impacts
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices with a specific focus on ransomware We also stay current with new industry standards and utilize top-rated products and appliances
PROTOCOL 1
bull Staff Awareness Training
Mandatory training for new users
Simulated phishing emails to users ndash mandatory retraining for users who ldquotake the baitrdquo
Ongoing communications on trends and specific incident alerts
According to Verizonrsquos 2018 Data Breach Investigations Report phishing or other forms of social engineering cause 93 of all data breaches
PROTOCOL 2
bull Proactive Protection
bull Network Security (two-factor authentication passphrases NIST recommendations)
bull Endpoint Security
bull Email Security (filtering encryption threat monitoring sandboxing blacklists)
bull Mobile Device Security
bull Physical Security
bull Website Security (secure https connection)
bull Offsite Disaster Recovery and Business Continuity Planning
bull Data Backups
bull Network Assessments ndash recommended annually
bull RelationshipsPartnerships with Law Enforcement AgenciesSecurity Experts
bull Data Breach Response PlanrdquoTabletop Drillsrdquo
bull Internal Local Agency Security Officer Terminal Agency Coordinator
PROTOCOL 3
bull How to Choose a Managed Services Provider
bull Cybersecurity disaster recovery business continuity planning expertise
bull Ensures your IT environment will be highly secure
bull Highly certified and experienced staff
bull CEH ndash Certified Ethical Hacker
bull CISM ndash Certified Information Security Manager
bull CompTIA Security+
bull CISSP ndash Certified Information Systems Security Professional
bull GSEC ndash SANS GIAC Security Essentials
bull Provides guaranteed Service Level Agreementproactive support
bull Assists with budgeting and planned upgrades
bull Makes your success a priority
PROTOCOL SUMMARY
bull Proactive Measures
bull Staff awareness and training program ndash End users are the primary targets
bull Implement proactive measures as previously discussed
bull Business continuity plan in place and maintained regularly
bull Network security incident response (Breach Policy) in place and maintained
bull Partner with law enforcement and third-party cybersecurity experts
bull Remain current with best practices and software patches
bull Annual auditassessment
bull Secure backups Ensure backups are not connected permanently to computers and networks they are backing up
bull Centralize technology processes procurements etc with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
14
MTA Security OverviewSecurity Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance a firm dedicated to helping organizations protect information and navigate privacy and security regulations John is a recognized privacy and security speaker for national and state-level organizations
Johnrsquos extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare senior operations roles with NeighborCare and general consulting to the industry John began his career as a key expert in Price Waterhousersquos Advanced Technologies Group and served on several national and international standards organizations including the American National Standards Institute (ANSI) and the International Standards Organization (ISO)
John is the named inventor for multiple healthcare technology and process patents He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh
About Blue Orange
Assessments
bullHIPAA
bullNIST Cyber Security Framework
bullHITRUST
Plan amp Guidance
bullOn-line Plans
bullRegular Guidance
bullPolicies and Procedures
Automated Testing
bullVulnerability Scanning
bullElevated Privileges
bullFirewall
bullO365
Manual Testing
bullPenetration Testing
bullSocial EngineeringPhish
Support amp Governance
bullIncidentAudit
bullBoardExecutive MaterialsAnalytics
Monitoring
bullHigh Priority Event Monitoring
bullTier 2 Support
bull National Provider
bull Information Privacy and Security Solutions
bull Authorized HITRUST Assessor
Security ManagementNIST Cybersecurity Framework
Identify
bullPeople
bullTechnologies
bullProcesses
bullRisk Tolerance
bullAssessments
bullTesting
Protect
bull Implement Safeguards
bullPolicies
bullProcedures
bullTechnology
Detect
bullProcesses
bullTechnology
bullMonitoring
Respond
bullProcesses
bullCommunication
bullMitigation
Recover
bullRestore
bullLessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
bull Email Remote Access (RDP)
bull Awareness Level
bull Business Processes (Billing Service)
bull Risk Assessment
bull Location of Data
bull Backuprecover capabilities
bull Vulnerability Scans
bull Penetration test
Protect
bull Security awareness training
bull Lockdown Technical Access
bull Minimum Necessary
bull Anti-virus Intrusion detection
bull Off-Line regular backups testing
bull Anti-spam
Detect
bull Monitoring
bull Security event monitoring
bull Awareness
Respond
bull Coordination Communication
bull FBI Cyber Insurance Vendor
bull Tabletop exercise
bull Playbook
bull Test recovery
Recover
bull Restore testing
bull Lessons learned
Additional Information
wwwblueorangecompliancecom
Follow BlueOrange on LinkedIn for compliance and security updates
httpswwwlinkedincomcompany2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts
during Covid-19Practical Privacy LLC May 2020
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
23
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights
Requests (IRM)
Due Diligence
amp Monitoring
Privacy Impact Assessments
bull Receive and track requestsbull Retrieve databull Securely fulfill request
bull Train those who handle PIIbull Develop role based guidancebullTrack compliance
bull Assess the use of PIIbull Monitor changes in
business processbull Training records
bull Updated for new obligations bull Presented during data collectionbull Transparent data use
descriptions
bull Accurate inventories of third party data usebullSecure data transmission practices
bull Updated contracts for current obligations
bull Assess the use of PII in systems and processesbull Conducted for new or changing
applications bull Incorporate PIA use into the
culture of the organization
Practical Privacy LLC 2020
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
• HIPAA (1996)
– Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
– Set requirements on financial institutions regarding how to store and protect customer's private information
– Each state required to implement
• Homeland Security Act (2002)
– Created the National Institute of Standards and Technology (NIST)
  • Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
– Provides stronger protections than the older statute which it replaced
– §445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
– §445.72 provides the notice requirements for database security breaches
– §445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
– §445.83 limits the usage of a person's social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
– Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
– Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
– Based on the model NAIC statute implementing the Federal Gramm-Leach-Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
– Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
– Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
– Is Michigan's answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014); 865 NW2d 915; 2015 Mich LEXIS 1995; Lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client, HFHS, was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens' control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rts of Way work include: Telecommunications (wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT, PHSMA, MPSC, DHS, Metro Authority (now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J. Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J. Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service Law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill., and Toledo, OH.
• Mr. Watza's practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same.
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHSMA).
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform.
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee.
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy, and Ethics and the Practice of Law.
• In 2008, Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast's effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog.
• In 2013, Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments.
Michael J. Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M. Kraatz Biography
Michigan Rising Star
• Carina M. Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy and creditor/debtor rights.
• Mrs. Kraatz's client base is composed of both domestic and international clients.
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa.
• Mrs. Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various "advice and counsel" clinics. Additionally, she is a part of the Firm's Marketing and Pro Bono Committees.
• Additionally, Mrs. Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan.
Carina M. Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
CRITICAL REFERENCES CONT'D
• FCC Publishes Pandemic Scam List/Website
https://www.fcc.gov/covid-scams
• From the "It Can Happen to Anybody Department" - US Health Agency Suffers Cyber-Attack During Covid-19 Outbreak
https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
• FBI very involved – Interstate Crime. Cyber agent can be reached 24/7: 313-965-2323 East Michigan - 616-456-5489 West Michigan
https://www.fbi.gov/investigate/cyber
• Watch Out for Zoom-Bombings on Online Video Meeting Apps
– Require a password and/or use the waiting room feature and control admittance
– Do not share a link to a teleconference or classroom publicly
– Provide the link directly to specific people
https://www.pcmag.com/news/fbi-watch-out-for-zoom-bombings-on-online-video-meeting-apps
TAKE AWAY HACKED
• YOUR SECURITY MEASURES ARE IN PLACE AND CURRENT
• YOUR TEAM IS IN PLACE
• YOUR PROTOCOLS ARE IN PLACE
• EMERGENCY TEAM CONTACTS AT YOUR FINGER TIPS AND NOTIFIED
- Cyber security specialists
- Legal and PR for potential 3rd party impacts
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices, with a specific focus on ransomware. We also stay current with new industry standards and utilize top-rated products and appliances.
PROTOCOL 1
• Staff Awareness Training
– Mandatory training for new users
– Simulated phishing emails to users – mandatory retraining for users who "take the bait"
– Ongoing communications on trends and specific incident alerts
According to Verizon's 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches.
PROTOCOL 2
• Proactive Protection
• Network Security (two-factor authentication, passphrases, NIST recommendations)
• Endpoint Security
• Email Security (filtering, encryption, threat monitoring, sandboxing, blacklists)
• Mobile Device Security
• Physical Security
• Website Security (secure https connection)
• Offsite Disaster Recovery and Business Continuity Planning
• Data Backups
• Network Assessments – recommended annually
• Relationships/Partnerships with Law Enforcement Agencies/Security Experts
• Data Breach Response Plan/"Tabletop Drills"
• Internal Local Agency Security Officer / Terminal Agency Coordinator
PROTOCOL 3
• How to Choose a Managed Services Provider
• Cybersecurity, disaster recovery, business continuity planning expertise
• Ensures your IT environment will be highly secure
• Highly certified and experienced staff
• CEH – Certified Ethical Hacker
• CISM – Certified Information Security Manager
• CompTIA Security+
• CISSP – Certified Information Systems Security Professional
• GSEC – SANS GIAC Security Essentials
• Provides guaranteed Service Level Agreement/proactive support
• Assists with budgeting and planned upgrades
• Makes your success a priority
PROTOCOL SUMMARY
• Proactive Measures
• Staff awareness and training program – End users are the primary targets
• Implement proactive measures as previously discussed
• Business continuity plan in place and maintained regularly
• Network security incident response (Breach Policy) in place and maintained
• Partner with law enforcement and third-party cybersecurity experts
• Remain current with best practices and software patches
• Annual audit/assessment
• Secure backups. Ensure backups are not connected permanently to computers and networks they are backing up
• Centralize technology processes, procurements, etc. with IT Department
CONTACT INFORMATION
Devin Mackinder, Director of Technology Services
City of Portage, MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
MTA Security Overview
Security Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping organizations protect information and navigate privacy and security regulations. John is a recognized privacy and security speaker for national and state-level organizations.
John's extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare, senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a key expert in Price Waterhouse's Advanced Technologies Group and served on several national and international standards organizations, including the American National Standards Institute (ANSI) and the International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh.
About Blue Orange
Assessments
• HIPAA
• NIST Cyber Security Framework
• HITRUST
Plan & Guidance
• On-line Plans
• Regular Guidance
• Policies and Procedures
Automated Testing
• Vulnerability Scanning
• Elevated Privileges
• Firewall
• O365
Manual Testing
• Penetration Testing
• Social Engineering/Phish
Support & Governance
• Incident/Audit
• Board/Executive Materials/Analytics
Monitoring
• High Priority Event Monitoring
• Tier 2 Support
• National Provider
• Information Privacy and Security Solutions
• Authorized HITRUST Assessor
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
EXECUTIVES FUNCTION BUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing, Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-Line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates
https://www.linkedin.com/company/2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional Information
John DiMaggio, CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
614-567-4109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC, May 2020
US States - Current or proposed privacy regulations
[US Privacy Map; legend: Signed Privacy Regulations, Proposed Privacy Regulations]
• Virginia HB 473: Personal data management and oversight
• Hawaii SB 418: Relating to Privacy
• California Civil Code §§ 1798.100 - 99: California Consumer Protection Act
• Washington SB 5376: AN ACT Relating to the management and oversight of personal data
• Illinois SB2330: Data Transparency and Privacy Act
• Nebraska LB746: Nebraska Consumer Data Privacy Act
• Minnesota SB29172912: Consumer rights to personal data processing
• Maine 946: Act to Protect the Privacy of Online Customer Information
• Massachusetts 431120: An Act relative to consumer data privacy
• New York S5642: NY Privacy Act
• New Jersey S2834: Online Consumer Opt-out
• Pennsylvania HB1049: Protecting Consumer Information and Privacy
• Rhode Island: NY Privacy Act
A nation trending towards increased data protection regulation
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
[Diagram areas: Privacy Training; Privacy Operations; Third Party Management; Privacy Notices; Individual Rights Requests (IRM); Due Diligence & Monitoring; Privacy Impact Assessments]

• Receive and track requests
• Retrieve data
• Securely fulfill request

• Train those who handle PII
• Develop role based guidance
• Track compliance

• Assess the use of PII
• Monitor changes in business process
• Training records

• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions

• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations

• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
bull HIPAA (1996)
ndash Enacted methods to safeguard protected personal information
(PPI)
bull Gramm-Leach-Bliley (1999)
ndash Set requirements on financial institutions regarding how to store
and protect customerrsquos private information
ndash Each state required to implement
bull Homeland Security Act (2002)
ndash Created the National Institute of Standards and Technology
(NIST)
bull Responsible for developing standards and guidelines for
cyber security protections
Michigan Cyber Security Law
bull Michigan Identity Theft Protection Act (2004)
ndash Provides stronger protections than the older statute
which it replaced
ndash sect44563 Broadened the definition of identity to include
Personal Identifying Information (PII)
ndash sect44572 provides the notice requirements for
database security breaches
ndash sect44572a mandates destruction of PII when removed
from a database
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
CRITICAL REFERENCESbull Dept of Homeland Securitys Cybersecurity amp
Infrastructure Security Agency (CISA)
httpswwwcisagovcyber-essentials
bull httpsstaysafeonlineorg
bull httpswwwnextgovcomcybersecurity20200
1pentagon-announces-final-version-cyber-
standards-contractors162807
CRITICAL REFERENCES CONTrsquoD
bull FCC Publishes Pandemic Scam ListWebsite
httpswwwfccgovcovid-scams
bull From the ldquoIt Can happen to Anybody
Departmentrdquo - US Health Agency Suffers
Cyber-Attack During Covid-19 Outbreakhttpswwwbloombergcomnewsarticles2020-03-16u-s-
health-agency-suffers-cyber-attack-during-covid-19-
response
CRITICAL REFERENCES CONTrsquoDbull FBI very involved ndash Interstate Crime Cyber
agent can be reached 247 313-965-2323
East Michigan - 616-456-5489 West Michiganhttpswwwfbigovinvestigatecyber
bull Watch Out for Zoom-Bombings on Online
Video Meeting Apps
ndash Require a password andor use the waiting room
feature and control admittance
ndash Do not share a link to a teleconference or
classroom publicly
ndash Provide the link directly to specific peoplehttpswwwpcmagcomnewsfbi-watch-out-for-
zoom-bombings-on-online-video-meeting-apps
TAKE AWAY HACKED
bull YOUR SECURITY MEASURES ARE IN
PLACE AND CURRENT
bull YOUR TEAM IS IN PLACE
bull YOUR PROTOCOLS ARE IN PLACE
bull EMERGENCY TEAM CONTACTS AT
YOUR FINGER TIPS AND NOTIFIED
- Cyber security specialists
- Legal and PR for potential 3rd party
impacts
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices with a specific focus on ransomware We also stay current with new industry standards and utilize top-rated products and appliances
PROTOCOL 1
bull Staff Awareness Training
Mandatory training for new users
Simulated phishing emails to users ndash mandatory retraining for users who ldquotake the baitrdquo
Ongoing communications on trends and specific incident alerts
According to Verizonrsquos 2018 Data Breach Investigations Report phishing or other forms of social engineering cause 93 of all data breaches
PROTOCOL 2
bull Proactive Protection
bull Network Security (two-factor authentication passphrases NIST recommendations)
bull Endpoint Security
bull Email Security (filtering encryption threat monitoring sandboxing blacklists)
bull Mobile Device Security
bull Physical Security
bull Website Security (secure https connection)
bull Offsite Disaster Recovery and Business Continuity Planning
bull Data Backups
bull Network Assessments ndash recommended annually
bull RelationshipsPartnerships with Law Enforcement AgenciesSecurity Experts
bull Data Breach Response PlanrdquoTabletop Drillsrdquo
bull Internal Local Agency Security Officer Terminal Agency Coordinator
PROTOCOL 3
bull How to Choose a Managed Services Provider
bull Cybersecurity disaster recovery business continuity planning expertise
bull Ensures your IT environment will be highly secure
bull Highly certified and experienced staff
bull CEH ndash Certified Ethical Hacker
bull CISM ndash Certified Information Security Manager
bull CompTIA Security+
bull CISSP ndash Certified Information Systems Security Professional
bull GSEC ndash SANS GIAC Security Essentials
bull Provides guaranteed Service Level Agreementproactive support
bull Assists with budgeting and planned upgrades
bull Makes your success a priority
PROTOCOL SUMMARY
bull Proactive Measures
bull Staff awareness and training program ndash End users are the primary targets
bull Implement proactive measures as previously discussed
bull Business continuity plan in place and maintained regularly
bull Network security incident response (Breach Policy) in place and maintained
bull Partner with law enforcement and third-party cybersecurity experts
bull Remain current with best practices and software patches
bull Annual auditassessment
bull Secure backups Ensure backups are not connected permanently to computers and networks they are backing up
bull Centralize technology processes procurements etc with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
14
MTA Security OverviewSecurity Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance a firm dedicated to helping organizations protect information and navigate privacy and security regulations John is a recognized privacy and security speaker for national and state-level organizations
Johnrsquos extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare senior operations roles with NeighborCare and general consulting to the industry John began his career as a key expert in Price Waterhousersquos Advanced Technologies Group and served on several national and international standards organizations including the American National Standards Institute (ANSI) and the International Standards Organization (ISO)
John is the named inventor for multiple healthcare technology and process patents He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh
About Blue Orange
Assessments
bullHIPAA
bullNIST Cyber Security Framework
bullHITRUST
Plan amp Guidance
bullOn-line Plans
bullRegular Guidance
bullPolicies and Procedures
Automated Testing
bullVulnerability Scanning
bullElevated Privileges
bullFirewall
bullO365
Manual Testing
bullPenetration Testing
bullSocial EngineeringPhish
Support amp Governance
bullIncidentAudit
bullBoardExecutive MaterialsAnalytics
Monitoring
bullHigh Priority Event Monitoring
bullTier 2 Support
bull National Provider
bull Information Privacy and Security Solutions
bull Authorized HITRUST Assessor
Security ManagementNIST Cybersecurity Framework
Identify
bullPeople
bullTechnologies
bullProcesses
bullRisk Tolerance
bullAssessments
bullTesting
Protect
bull Implement Safeguards
bullPolicies
bullProcedures
bullTechnology
Detect
bullProcesses
bullTechnology
bullMonitoring
Respond
bullProcesses
bullCommunication
bullMitigation
Recover
bullRestore
bullLessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates
https://www.linkedin.com/company/2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC, May 2020
US States - Current or proposed privacy regulations
[Figure: US Privacy Map. Legend: Signed Privacy Regulations; Proposed Privacy Regulations. State labels:]
• Virginia HB 473: Personal data management and oversight
• Hawaii SB 418: Relating to Privacy
• California Civil Code §§ 1798.100- 99: California Consumer Protection Act
• Washington SB 5376: AN ACT Relating to the management and oversight of personal data
• Illinois SB2330: Data Transparency and Privacy Act
• Nebraska LB746: Nebraska Consumer Data Privacy Act
• Minnesota SB29172912: Consumer rights to personal data processing
• Maine 946: Act to Protect the Privacy of Online Customer Information
• Massachusetts 431120: An Act relative to consumer data privacy
• New York S5642: NY Privacy Act
• New Jersey S2834: Online Consumer Opt-out
• Pennsylvania HB1049: Protecting Consumer Information and Privacy
• Rhode Island: NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
Privacy Operations
Individual Rights Requests (IRM)
• Receive and track requests
• Retrieve data
• Securely fulfill request
Privacy Training
• Train those who handle PII
• Develop role based guidance
• Track compliance
Due Diligence & Monitoring
• Assess the use of PII
• Monitor changes in business process
• Training records
Privacy Notices
• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions
Third Party Management
• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations
Privacy Impact Assessments
• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
Covid-19 Impact on Privacy
New work from home process disruption risk
Privacy use controls and business process are in sync
[Figure: stacked cards for Business Process 1 through Business Process 4, each showing the following elements]
Data Classification: Sensitivity level, Category/Type
Use: Sharing, Selling, Commodity Status
System Access (IAM): Services, Human
Privacy Impact Assessments:
Assessed use ===> Known Use
Process Changes ===> New uses (SDLC)
Unassessed usage ===> Risk Calc
Data at Rest: Encryption, Anonymization
Data in Motion: Internal (Systems to system), External (Third parties, Service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill Schaumann
Bill is a privacy pro with twenty-plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today’s complex universe of regulatory requirements and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
– Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
– Set requirements on financial institutions regarding how to store and protect customer’s private information
– Each state required to implement
• Homeland Security Act (2002)
– Created the National Institute of Standards and Technology (NIST)
• Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
– Provides stronger protections than the older statute which it replaced
– §445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
– §445.72 provides the notice requirements for database security breaches
– §445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
– §445.83 limits the usage of a person’s social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
– Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
– Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
– Based on the model NAIC statute implementing the Federal Gramm Leach Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
– Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
– Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
– Is Michigan’s answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014); 865 NW2d 915; 2015 Mich LEXIS 1995; lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client, HFHS, was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens’ control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rights-of-Way work include: Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT, PHMSA, MPSC, DHS, Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J. Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J. Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service Law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill., and Toledo, OH.
• Mr. Watza’s practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same.
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHMSA).
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform.
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee.
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy, and Ethics and the Practice of Law.
• In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast’s effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog.
• In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments.
Michael J. Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M. Kraatz Biography
Michigan Rising Star
• Carina M. Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction contract review and litigation, intellectual property prosecution and litigation, bankruptcy and creditor/debtor rights.
• Mrs. Kraatz’s client base is composed of both domestic and international clients.
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa.
• Mrs. Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various “advice and counsel” clinics. Additionally, she is a part of the Firm’s Marketing and Pro Bono Committees.
• Additionally, Mrs. Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan.
Carina M. Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
CRITICAL REFERENCES CONT’D
• FCC Publishes Pandemic Scam List/Website
https://www.fcc.gov/covid-scams
• From the “It Can Happen to Anybody Department” - US Health Agency Suffers Cyber-Attack During Covid-19 Outbreak
https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
• FBI very involved – Interstate Crime. Cyber agent can be reached 24/7: 313-965-2323 East Michigan - 616-456-5489 West Michigan
https://www.fbi.gov/investigate/cyber
• Watch Out for Zoom-Bombings on Online Video Meeting Apps
– Require a password and/or use the waiting room feature and control admittance
– Do not share a link to a teleconference or classroom publicly
– Provide the link directly to specific people
https://www.pcmag.com/news/fbi-watch-out-for-zoom-bombings-on-online-video-meeting-apps
TAKE AWAY HACKED
• YOUR SECURITY MEASURES ARE IN PLACE AND CURRENT
• YOUR TEAM IS IN PLACE
• YOUR PROTOCOLS ARE IN PLACE
• EMERGENCY TEAM CONTACTS AT YOUR FINGER TIPS AND NOTIFIED
- Cyber security specialists
- Legal and PR for potential 3rd party impacts
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices, with a specific focus on ransomware. We also stay current with new industry standards and utilize top-rated products and appliances.
PROTOCOL 1
• Staff Awareness Training
– Mandatory training for new users
– Simulated phishing emails to users – mandatory retraining for users who “take the bait”
– Ongoing communications on trends and specific incident alerts
According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches.
PROTOCOL 2
• Proactive Protection
• Network Security (two-factor authentication, passphrases, NIST recommendations)
• Endpoint Security
• Email Security (filtering, encryption, threat monitoring, sandboxing, blacklists)
• Mobile Device Security
• Physical Security
• Website Security (secure https connection)
• Offsite Disaster Recovery and Business Continuity Planning
• Data Backups
• Network Assessments – recommended annually
• Relationships/Partnerships with Law Enforcement Agencies/Security Experts
• Data Breach Response Plan/“Tabletop Drills”
• Internal Local Agency Security Officer/Terminal Agency Coordinator
PROTOCOL 3
• How to Choose a Managed Services Provider
• Cybersecurity, disaster recovery, business continuity planning expertise
• Ensures your IT environment will be highly secure
• Highly certified and experienced staff
• CEH – Certified Ethical Hacker
• CISM – Certified Information Security Manager
• CompTIA Security+
• CISSP – Certified Information Systems Security Professional
• GSEC – SANS GIAC Security Essentials
• Provides guaranteed Service Level Agreement/proactive support
• Assists with budgeting and planned upgrades
• Makes your success a priority
PROTOCOL SUMMARY
• Proactive Measures
• Staff awareness and training program – End users are the primary targets
• Implement proactive measures as previously discussed
• Business continuity plan in place and maintained regularly
• Network security incident response (Breach Policy) in place and maintained
• Partner with law enforcement and third-party cybersecurity experts
• Remain current with best practices and software patches
• Annual audit/assessment
• Secure backups: Ensure backups are not connected permanently to computers and networks they are backing up
• Centralize technology processes, procurements, etc. with IT Department
CONTACT INFORMATION
Devin Mackinder, Director of Technology Services
City of Portage, MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
MTA Security Overview
Security Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance a firm dedicated to helping organizations protect information and navigate privacy and security regulations John is a recognized privacy and security speaker for national and state-level organizations
Johnrsquos extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare senior operations roles with NeighborCare and general consulting to the industry John began his career as a key expert in Price Waterhousersquos Advanced Technologies Group and served on several national and international standards organizations including the American National Standards Institute (ANSI) and the International Standards Organization (ISO)
John is the named inventor for multiple healthcare technology and process patents He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh
About Blue Orange
Assessments
bullHIPAA
bullNIST Cyber Security Framework
bullHITRUST
Plan amp Guidance
bullOn-line Plans
bullRegular Guidance
bullPolicies and Procedures
Automated Testing
bullVulnerability Scanning
bullElevated Privileges
bullFirewall
bullO365
Manual Testing
bullPenetration Testing
bullSocial EngineeringPhish
Support amp Governance
bullIncidentAudit
bullBoardExecutive MaterialsAnalytics
Monitoring
bullHigh Priority Event Monitoring
bullTier 2 Support
bull National Provider
bull Information Privacy and Security Solutions
bull Authorized HITRUST Assessor
Security ManagementNIST Cybersecurity Framework
Identify
bullPeople
bullTechnologies
bullProcesses
bullRisk Tolerance
bullAssessments
bullTesting
Protect
bull Implement Safeguards
bullPolicies
bullProcedures
bullTechnology
Detect
bullProcesses
bullTechnology
bullMonitoring
Respond
bullProcesses
bullCommunication
bullMitigation
Recover
bullRestore
bullLessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
bull Email Remote Access (RDP)
bull Awareness Level
bull Business Processes (Billing Service)
bull Risk Assessment
bull Location of Data
bull Backuprecover capabilities
bull Vulnerability Scans
bull Penetration test
Protect
bull Security awareness training
bull Lockdown Technical Access
bull Minimum Necessary
bull Anti-virus Intrusion detection
bull Off-Line regular backups testing
bull Anti-spam
Detect
bull Monitoring
bull Security event monitoring
bull Awareness
Respond
bull Coordination Communication
bull FBI Cyber Insurance Vendor
bull Tabletop exercise
bull Playbook
bull Test recovery
Recover
bull Restore testing
bull Lessons learned
Additional Information
wwwblueorangecompliancecom
Follow BlueOrange on LinkedIn for compliance and security updates
httpswwwlinkedincomcompany2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts
during Covid-19Practical Privacy LLC May 2020
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
23
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights
Requests (IRM)
Due Diligence
amp Monitoring
Privacy Impact Assessments
bull Receive and track requestsbull Retrieve databull Securely fulfill request
bull Train those who handle PIIbull Develop role based guidancebullTrack compliance
bull Assess the use of PIIbull Monitor changes in
business processbull Training records
bull Updated for new obligations bull Presented during data collectionbull Transparent data use
descriptions
bull Accurate inventories of third party data usebullSecure data transmission practices
bull Updated contracts for current obligations
bull Assess the use of PII in systems and processesbull Conducted for new or changing
applications bull Incorporate PIA use into the
culture of the organization
Practical Privacy LLC 2020
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
bull HIPAA (1996)
ndash Enacted methods to safeguard protected personal information
(PPI)
bull Gramm-Leach-Bliley (1999)
ndash Set requirements on financial institutions regarding how to store
and protect customerrsquos private information
ndash Each state required to implement
bull Homeland Security Act (2002)
ndash Created the National Institute of Standards and Technology
(NIST)
bull Responsible for developing standards and guidelines for
cyber security protections
Michigan Cyber Security Law
bull Michigan Identity Theft Protection Act (2004)
ndash Provides stronger protections than the older statute
which it replaced
ndash sect44563 Broadened the definition of identity to include
Personal Identifying Information (PII)
ndash sect44572 provides the notice requirements for
database security breaches
ndash sect44572a mandates destruction of PII when removed
from a database
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
CRITICAL REFERENCES CONTrsquoDbull FBI very involved ndash Interstate Crime Cyber
agent can be reached 247 313-965-2323
East Michigan - 616-456-5489 West Michiganhttpswwwfbigovinvestigatecyber
bull Watch Out for Zoom-Bombings on Online
Video Meeting Apps
ndash Require a password andor use the waiting room
feature and control admittance
ndash Do not share a link to a teleconference or
classroom publicly
ndash Provide the link directly to specific peoplehttpswwwpcmagcomnewsfbi-watch-out-for-
zoom-bombings-on-online-video-meeting-apps
TAKE AWAY HACKED
bull YOUR SECURITY MEASURES ARE IN
PLACE AND CURRENT
bull YOUR TEAM IS IN PLACE
bull YOUR PROTOCOLS ARE IN PLACE
bull EMERGENCY TEAM CONTACTS AT
YOUR FINGER TIPS AND NOTIFIED
- Cyber security specialists
- Legal and PR for potential 3rd party
impacts
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices, with a specific focus on ransomware. We also stay current with new industry standards and utilize top-rated products and appliances.
PROTOCOL 1
• Staff Awareness Training
Mandatory training for new users
Simulated phishing emails to users – mandatory retraining for users who “take the bait”
Ongoing communications on trends and specific incident alerts
According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches
PROTOCOL 2
• Proactive Protection
• Network Security (two-factor authentication, passphrases, NIST recommendations)
• Endpoint Security
• Email Security (filtering, encryption, threat monitoring, sandboxing, blacklists)
• Mobile Device Security
• Physical Security
• Website Security (secure https connection)
• Offsite Disaster Recovery and Business Continuity Planning
• Data Backups
• Network Assessments – recommended annually
• Relationships/Partnerships with Law Enforcement Agencies/Security Experts
• Data Breach Response Plan / “Tabletop Drills”
• Internal Local Agency Security Officer / Terminal Agency Coordinator
PROTOCOL 3
• How to Choose a Managed Services Provider
• Cybersecurity, disaster recovery, business continuity planning expertise
• Ensures your IT environment will be highly secure
• Highly certified and experienced staff
• CEH – Certified Ethical Hacker
• CISM – Certified Information Security Manager
• CompTIA Security+
• CISSP – Certified Information Systems Security Professional
• GSEC – SANS GIAC Security Essentials
• Provides guaranteed Service Level Agreement/proactive support
• Assists with budgeting and planned upgrades
• Makes your success a priority
PROTOCOL SUMMARY
• Proactive Measures
• Staff awareness and training program – End users are the primary targets
• Implement proactive measures as previously discussed
• Business continuity plan in place and maintained regularly
• Network security incident response (Breach Policy) in place and maintained
• Partner with law enforcement and third-party cybersecurity experts
• Remain current with best practices and software patches
• Annual audit/assessment
• Secure backups: Ensure backups are not connected permanently to computers and networks they are backing up
• Centralize technology processes, procurements, etc. with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
MTA Security Overview
Security Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping organizations protect information and navigate privacy and security regulations. John is a recognized privacy and security speaker for national and state-level organizations.
John’s extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare, senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a key expert in Price Waterhouse’s Advanced Technologies Group and served on several national and international standards organizations, including the American National Standards Institute (ANSI) and the International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh.
About Blue Orange
Assessments
• HIPAA
• NIST Cyber Security Framework
• HITRUST
Plan & Guidance
• On-line Plans
• Regular Guidance
• Policies and Procedures
Automated Testing
• Vulnerability Scanning
• Elevated Privileges
• Firewall
• O365
Manual Testing
• Penetration Testing
• Social Engineering/Phish
Support & Governance
• Incident/Audit
• Board/Executive Materials/Analytics
Monitoring
• High Priority Event Monitoring
• Tier 2 Support
• National Provider
• Information Privacy and Security Solutions
• Authorized HITRUST Assessor
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
EXECUTIVES FUNCTION
BUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates
https://www.linkedin.com/company/2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional Information
John DiMaggio, CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC May 2020
US States - Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
• Virginia HB 473 – Personal data management and oversight
• Hawaii SB 418 – Relating to Privacy
• California Civil Code §§ 1798100- 99 – California Consumer Protection Act
• Washington SB 5376 – AN ACT Relating to the management and oversight of personal data
• Illinois SB2330 – Data Transparency and Privacy Act
• Nebraska LB746 – Nebraska Consumer Data Privacy Act
• Minnesota SB29172912 – Consumer rights to personal data processing
• Maine 946 – Act to Protect the Privacy of Online Customer Information
• Massachusetts 431120 – An Act relative to consumer data privacy
• New York S5642 – NY Privacy Act
• New Jersey S2834 – Online Consumer Opt-out
• Pennsylvania HB1049 – Protecting Consumer Information and Privacy
• Rhode Island – NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights Requests (IRM)
Due Diligence & Monitoring
Privacy Impact Assessments
• Receive and track requests
• Retrieve data
• Securely fulfill request
• Train those who handle PII
• Develop role based guidance
• Track compliance
• Assess the use of PII
• Monitor changes in business process
• Training records
• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions
• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations
• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Privacy use controls and business process are in sync
[Diagram: Business Process 1, 2, 3 and 4, each shown with the same layers]
• Data Classification: Sensitivity level, Category/Type, Use, Sharing, Selling, Commodity Status
• System Access (IAM): Services, Human
• Privacy Impact Assessments: Assessed use ===> Known Use; Process Changes ===> New uses (SDLC); Unassessed usage ===> Risk Calc
• Data at Rest: Encryption, Anonymization
• Data in Motion: Internal (Systems to system); External (Third parties, Service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today’s complex universe of regulatory requirements and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
– Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
– Set requirements on financial institutions regarding how to store and protect customer’s private information
– Each state required to implement
• Homeland Security Act (2002)
– Created the National Institute of Standards and Technology (NIST)
• Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
– Provides stronger protections than the older statute which it replaced
– §445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
– §445.72 provides the notice requirements for database security breaches
– §445.72a mandates destruction of PII when removed from a database
Michigan Cyber Security Law
• Michigan Social Security Number Privacy Act (2004)
– §445.83 limits the usage of a person’s social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
– Regulates access to and disclosure of medical records
Michigan Cyber Security Law
• Michigan Revised School Code (2016)
– Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
– Based on the model NAIC statute implementing the Federal Gramm Leach Bliley Act to protect the privacy of financial information
Michigan Cyber Security Law
• Michigan Cyber Security Act (2018)
– Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
– Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
– Is Michigan’s answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014); 865 NW2d 915; 2015 Mich LEXIS 1995; Lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client HFHS was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens’ control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rts of Way work include Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT PHSMA, MPSC, DHS, Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: httpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service Law firm based in Detroit with offices in Lansing, Marquette, Mt Clemens, Chicago Ill and Toledo OH
• Mr Watza’s practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHSMA)
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy and Ethics and the Practice of Law
• In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast’s effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
• In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward 24th Floor
Detroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
• Carina M Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy and creditor/debtor rights
• Mrs Kraatz’s client base is composed of both domestic and international clients
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa
• Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various “advice and counsel” clinics. Additionally, she is a part of the Firm’s Marketing and Pro Bono Committees
• Additionally, Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan
Carina M Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward 24th Floor
Detroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
TAKE AWAY HACKED
• YOUR SECURITY MEASURES ARE IN PLACE AND CURRENT
• YOUR TEAM IS IN PLACE
• YOUR PROTOCOLS ARE IN PLACE
• EMERGENCY TEAM CONTACTS AT YOUR FINGER TIPS AND NOTIFIED
- Cyber security specialists
- Legal and PR for potential 3rd party impacts
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices with a specific focus on ransomware We also stay current with new industry standards and utilize top-rated products and appliances
PROTOCOL 1
bull Staff Awareness Training
Mandatory training for new users
Simulated phishing emails to users ndash mandatory retraining for users who ldquotake the baitrdquo
Ongoing communications on trends and specific incident alerts
According to Verizonrsquos 2018 Data Breach Investigations Report phishing or other forms of social engineering cause 93 of all data breaches
PROTOCOL 2
bull Proactive Protection
bull Network Security (two-factor authentication passphrases NIST recommendations)
bull Endpoint Security
bull Email Security (filtering encryption threat monitoring sandboxing blacklists)
bull Mobile Device Security
bull Physical Security
bull Website Security (secure https connection)
bull Offsite Disaster Recovery and Business Continuity Planning
bull Data Backups
bull Network Assessments ndash recommended annually
bull RelationshipsPartnerships with Law Enforcement AgenciesSecurity Experts
bull Data Breach Response PlanrdquoTabletop Drillsrdquo
bull Internal Local Agency Security Officer Terminal Agency Coordinator
PROTOCOL 3
bull How to Choose a Managed Services Provider
bull Cybersecurity disaster recovery business continuity planning expertise
bull Ensures your IT environment will be highly secure
bull Highly certified and experienced staff
bull CEH ndash Certified Ethical Hacker
bull CISM ndash Certified Information Security Manager
bull CompTIA Security+
bull CISSP ndash Certified Information Systems Security Professional
bull GSEC ndash SANS GIAC Security Essentials
bull Provides guaranteed Service Level Agreementproactive support
bull Assists with budgeting and planned upgrades
bull Makes your success a priority
PROTOCOL SUMMARY
bull Proactive Measures
bull Staff awareness and training program ndash End users are the primary targets
bull Implement proactive measures as previously discussed
bull Business continuity plan in place and maintained regularly
bull Network security incident response (Breach Policy) in place and maintained
bull Partner with law enforcement and third-party cybersecurity experts
bull Remain current with best practices and software patches
bull Annual auditassessment
bull Secure backups Ensure backups are not connected permanently to computers and networks they are backing up
bull Centralize technology processes procurements etc with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
14
MTA Security OverviewSecurity Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance a firm dedicated to helping organizations protect information and navigate privacy and security regulations John is a recognized privacy and security speaker for national and state-level organizations
Johnrsquos extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare senior operations roles with NeighborCare and general consulting to the industry John began his career as a key expert in Price Waterhousersquos Advanced Technologies Group and served on several national and international standards organizations including the American National Standards Institute (ANSI) and the International Standards Organization (ISO)
John is the named inventor for multiple healthcare technology and process patents He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh
About Blue Orange
Assessments
bullHIPAA
bullNIST Cyber Security Framework
bullHITRUST
Plan amp Guidance
bullOn-line Plans
bullRegular Guidance
bullPolicies and Procedures
Automated Testing
bullVulnerability Scanning
bullElevated Privileges
bullFirewall
bullO365
Manual Testing
bullPenetration Testing
bullSocial EngineeringPhish
Support amp Governance
bullIncidentAudit
bullBoardExecutive MaterialsAnalytics
Monitoring
bullHigh Priority Event Monitoring
bullTier 2 Support
bull National Provider
bull Information Privacy and Security Solutions
bull Authorized HITRUST Assessor
Security ManagementNIST Cybersecurity Framework
Identify
bullPeople
bullTechnologies
bullProcesses
bullRisk Tolerance
bullAssessments
bullTesting
Protect
bull Implement Safeguards
bullPolicies
bullProcedures
bullTechnology
Detect
bullProcesses
bullTechnology
bullMonitoring
Respond
bullProcesses
bullCommunication
bullMitigation
Recover
bullRestore
bullLessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
bull Email Remote Access (RDP)
bull Awareness Level
bull Business Processes (Billing Service)
bull Risk Assessment
bull Location of Data
bull Backuprecover capabilities
bull Vulnerability Scans
bull Penetration test
Protect
bull Security awareness training
bull Lockdown Technical Access
bull Minimum Necessary
bull Anti-virus Intrusion detection
bull Off-Line regular backups testing
bull Anti-spam
Detect
bull Monitoring
bull Security event monitoring
bull Awareness
Respond
bull Coordination Communication
bull FBI Cyber Insurance Vendor
bull Tabletop exercise
bull Playbook
bull Test recovery
Recover
bull Restore testing
bull Lessons learned
Additional Information
wwwblueorangecompliancecom
Follow BlueOrange on LinkedIn for compliance and security updates
httpswwwlinkedincomcompany2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts
during Covid-19Practical Privacy LLC May 2020
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
23
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights
Requests (IRM)
Due Diligence
amp Monitoring
Privacy Impact Assessments
bull Receive and track requestsbull Retrieve databull Securely fulfill request
bull Train those who handle PIIbull Develop role based guidancebullTrack compliance
bull Assess the use of PIIbull Monitor changes in
business processbull Training records
bull Updated for new obligations bull Presented during data collectionbull Transparent data use
descriptions
bull Accurate inventories of third party data usebullSecure data transmission practices
bull Updated contracts for current obligations
bull Assess the use of PII in systems and processesbull Conducted for new or changing
applications bull Incorporate PIA use into the
culture of the organization
Practical Privacy LLC 2020
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
bull HIPAA (1996)
ndash Enacted methods to safeguard protected personal information
(PPI)
bull Gramm-Leach-Bliley (1999)
ndash Set requirements on financial institutions regarding how to store
and protect customerrsquos private information
ndash Each state required to implement
bull Homeland Security Act (2002)
ndash Created the National Institute of Standards and Technology
(NIST)
bull Responsible for developing standards and guidelines for
cyber security protections
Michigan Cyber Security Law
bull Michigan Identity Theft Protection Act (2004)
ndash Provides stronger protections than the older statute
which it replaced
ndash sect44563 Broadened the definition of identity to include
Personal Identifying Information (PII)
ndash sect44572 provides the notice requirements for
database security breaches
ndash sect44572a mandates destruction of PII when removed
from a database
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
BEST PRACTICE
The Technology Services Department has adopted the Federal Bureau of Investigation multi-agency network security best practices with a specific focus on ransomware We also stay current with new industry standards and utilize top-rated products and appliances
PROTOCOL 1
bull Staff Awareness Training
Mandatory training for new users
Simulated phishing emails to users ndash mandatory retraining for users who ldquotake the baitrdquo
Ongoing communications on trends and specific incident alerts
According to Verizonrsquos 2018 Data Breach Investigations Report phishing or other forms of social engineering cause 93 of all data breaches
PROTOCOL 2
• Proactive Protection
• Network Security (two-factor authentication, passphrases, NIST recommendations)
• Endpoint Security
• Email Security (filtering, encryption, threat monitoring, sandboxing, blacklists)
• Mobile Device Security
• Physical Security
• Website Security (secure https connection)
• Offsite Disaster Recovery and Business Continuity Planning
• Data Backups
• Network Assessments – recommended annually
• Relationships/Partnerships with Law Enforcement Agencies/Security Experts
• Data Breach Response Plan "Tabletop Drills"
• Internal Local Agency Security Officer / Terminal Agency Coordinator
PROTOCOL 3
• How to Choose a Managed Services Provider
• Cybersecurity, disaster recovery, business continuity planning expertise
• Ensures your IT environment will be highly secure
• Highly certified and experienced staff
  • CEH – Certified Ethical Hacker
  • CISM – Certified Information Security Manager
  • CompTIA Security+
  • CISSP – Certified Information Systems Security Professional
  • GSEC – SANS GIAC Security Essentials
• Provides guaranteed Service Level Agreement/proactive support
• Assists with budgeting and planned upgrades
• Makes your success a priority
PROTOCOL SUMMARY
• Proactive Measures
• Staff awareness and training program – End users are the primary targets
• Implement proactive measures as previously discussed
• Business continuity plan in place and maintained regularly
• Network security incident response (Breach Policy) in place and maintained
• Partner with law enforcement and third-party cybersecurity experts
• Remain current with best practices and software patches
• Annual audit/assessment
• Secure backups: Ensure backups are not connected permanently to computers and networks they are backing up
• Centralize technology processes, procurements, etc. with IT Department
CONTACT INFORMATION
Devin Mackinder, Director of Technology Services
City of Portage, MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
MTA Security Overview
Security Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping organizations protect information and navigate privacy and security regulations. John is a recognized privacy and security speaker for national and state-level organizations.
John's extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare, senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a key expert in Price Waterhouse's Advanced Technologies Group and served on several national and international standards organizations, including the American National Standards Institute (ANSI) and the International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh.
About Blue Orange
Assessments
• HIPAA
• NIST Cyber Security Framework
• HITRUST
Plan & Guidance
• On-line Plans
• Regular Guidance
• Policies and Procedures
Automated Testing
• Vulnerability Scanning
• Elevated Privileges
• Firewall
• O365
Manual Testing
• Penetration Testing
• Social Engineering/Phish
Support & Governance
• Incident/Audit
• Board/Executive Materials/Analytics
Monitoring
• High Priority Event Monitoring
• Tier 2 Support
• National Provider
• Information Privacy and Security Solutions
• Authorized HITRUST Assessor
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
EXECUTIVES FUNCTION
BUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-Line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates
https://www.linkedin.com/company/2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional Information
John DiMaggio, CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
614-567-4109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC, May 2020
US States - Current or proposed privacy regulations
[Figure: US Privacy Map. Legend: Signed Privacy Regulations; Proposed Privacy Regulations]
• Virginia HB 473 – Personal data management and oversight
• Hawaii SB 418 – Relating to Privacy
• California Civil Code §§ 1798.100- 99 – California Consumer Protection Act
• Washington SB 5376 – An Act Relating to the management and oversight of personal data
• Illinois SB2330 – Data Transparency and Privacy Act
• Nebraska LB746 – Nebraska Consumer Data Privacy Act
• Minnesota SB29172912 – Consumer rights to personal data processing
• Maine 946 – Act to Protect the Privacy of Online Customer Information
• Massachusetts 431120 – An Act relative to consumer data privacy
• New York S5642 – NY Privacy Act
• New Jersey S2834 – Online Consumer Opt-out
• Pennsylvania HB1049 – Protecting Consumer Information and Privacy
• Rhode Island – NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
[Diagram labels: Privacy Training; Privacy Operations; Third Party Management; Privacy Notices; Individual Rights Requests (IRM); Due Diligence & Monitoring; Privacy Impact Assessments]

• Receive and track requests
• Retrieve data
• Securely fulfill request

• Train those who handle PII
• Develop role based guidance
• Track compliance

• Assess the use of PII
• Monitor changes in business process
• Training records

• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions

• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations

• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Privacy use controls and business process are in sync
[Diagram: the following control stack is shown for each of Business Process 1, 2, 3 and 4]
• Data Classification: Sensitivity level; Category/Type
• Use: Sharing; Selling; Commodity Status
• System Access (IAM): Services; Human
• Privacy Impact Assessments: Assessed use ==> Known Use; Process Changes ==> New uses (SDLC); Unassessed usage ==> Risk Calc
• Data at Rest: Encryption; Anonymization
• Data in Motion: Internal (Systems to system); External (Third parties; Service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today's complex universe of regulatory requirements and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
  – Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
  – Set requirements on financial institutions regarding how to store and protect customer's private information
  – Each state required to implement
• Homeland Security Act (2002)
  – Created the National Institute of Standards and Technology (NIST)
    • Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
  – Provides stronger protections than the older statute which it replaced
  – §445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
  – §445.72 provides the notice requirements for database security breaches
  – §445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
  – §445.83 limits the usage of a person's social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
  – Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
  – Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
  – Based on the model NAIC statute implementing the Federal Gramm Leach Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
  – Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
  – Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
  – Is Michigan's answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014); 865 NW2d 915; 2015 Mich LEXIS 1995; lv denied 498 Mich 879; 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client, HFHS, was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens' control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rts of Way work include Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT PHSMA, MPSC, DHS, Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J. Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J. Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service Law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill. and Toledo, OH.
• Mr. Watza's practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same.
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHSMA).
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform.
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee.
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy, and Ethics and the Practice of Law.
• In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast's effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog.
• In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan, in the face of legislative impediments.
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
PROTOCOL 1
bull Staff Awareness Training
Mandatory training for new users
Simulated phishing emails to users ndash mandatory retraining for users who ldquotake the baitrdquo
Ongoing communications on trends and specific incident alerts
According to Verizonrsquos 2018 Data Breach Investigations Report phishing or other forms of social engineering cause 93 of all data breaches
PROTOCOL 2
bull Proactive Protection
bull Network Security (two-factor authentication passphrases NIST recommendations)
bull Endpoint Security
bull Email Security (filtering encryption threat monitoring sandboxing blacklists)
bull Mobile Device Security
bull Physical Security
bull Website Security (secure https connection)
bull Offsite Disaster Recovery and Business Continuity Planning
bull Data Backups
bull Network Assessments ndash recommended annually
bull RelationshipsPartnerships with Law Enforcement AgenciesSecurity Experts
bull Data Breach Response PlanrdquoTabletop Drillsrdquo
bull Internal Local Agency Security Officer Terminal Agency Coordinator
PROTOCOL 3
bull How to Choose a Managed Services Provider
bull Cybersecurity disaster recovery business continuity planning expertise
bull Ensures your IT environment will be highly secure
bull Highly certified and experienced staff
bull CEH ndash Certified Ethical Hacker
bull CISM ndash Certified Information Security Manager
bull CompTIA Security+
bull CISSP ndash Certified Information Systems Security Professional
bull GSEC ndash SANS GIAC Security Essentials
bull Provides guaranteed Service Level Agreementproactive support
bull Assists with budgeting and planned upgrades
bull Makes your success a priority
PROTOCOL SUMMARY
bull Proactive Measures
bull Staff awareness and training program ndash End users are the primary targets
bull Implement proactive measures as previously discussed
bull Business continuity plan in place and maintained regularly
bull Network security incident response (Breach Policy) in place and maintained
bull Partner with law enforcement and third-party cybersecurity experts
bull Remain current with best practices and software patches
bull Annual auditassessment
bull Secure backups Ensure backups are not connected permanently to computers and networks they are backing up
bull Centralize technology processes procurements etc with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
14
MTA Security OverviewSecurity Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance a firm dedicated to helping organizations protect information and navigate privacy and security regulations John is a recognized privacy and security speaker for national and state-level organizations
Johnrsquos extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare senior operations roles with NeighborCare and general consulting to the industry John began his career as a key expert in Price Waterhousersquos Advanced Technologies Group and served on several national and international standards organizations including the American National Standards Institute (ANSI) and the International Standards Organization (ISO)
John is the named inventor for multiple healthcare technology and process patents He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh
About Blue Orange
Assessments
bullHIPAA
bullNIST Cyber Security Framework
bullHITRUST
Plan amp Guidance
bullOn-line Plans
bullRegular Guidance
bullPolicies and Procedures
Automated Testing
bullVulnerability Scanning
bullElevated Privileges
bullFirewall
bullO365
Manual Testing
bullPenetration Testing
bullSocial EngineeringPhish
Support amp Governance
bullIncidentAudit
bullBoardExecutive MaterialsAnalytics
Monitoring
bullHigh Priority Event Monitoring
bullTier 2 Support
bull National Provider
bull Information Privacy and Security Solutions
bull Authorized HITRUST Assessor
Security ManagementNIST Cybersecurity Framework
Identify
bullPeople
bullTechnologies
bullProcesses
bullRisk Tolerance
bullAssessments
bullTesting
Protect
bull Implement Safeguards
bullPolicies
bullProcedures
bullTechnology
Detect
bullProcesses
bullTechnology
bullMonitoring
Respond
bullProcesses
bullCommunication
bullMitigation
Recover
bullRestore
bullLessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
bull Email Remote Access (RDP)
bull Awareness Level
bull Business Processes (Billing Service)
bull Risk Assessment
bull Location of Data
bull Backuprecover capabilities
bull Vulnerability Scans
bull Penetration test
Protect
bull Security awareness training
bull Lockdown Technical Access
bull Minimum Necessary
bull Anti-virus Intrusion detection
bull Off-Line regular backups testing
bull Anti-spam
Detect
bull Monitoring
bull Security event monitoring
bull Awareness
Respond
bull Coordination Communication
bull FBI Cyber Insurance Vendor
bull Tabletop exercise
bull Playbook
bull Test recovery
Recover
bull Restore testing
bull Lessons learned
Additional Information
wwwblueorangecompliancecom
Follow BlueOrange on LinkedIn for compliance and security updates
httpswwwlinkedincomcompany2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts
during Covid-19Practical Privacy LLC May 2020
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
23
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights
Requests (IRM)
Due Diligence
amp Monitoring
Privacy Impact Assessments
bull Receive and track requestsbull Retrieve databull Securely fulfill request
bull Train those who handle PIIbull Develop role based guidancebullTrack compliance
bull Assess the use of PIIbull Monitor changes in
business processbull Training records
bull Updated for new obligations bull Presented during data collectionbull Transparent data use
descriptions
bull Accurate inventories of third party data usebullSecure data transmission practices
bull Updated contracts for current obligations
bull Assess the use of PII in systems and processesbull Conducted for new or changing
applications bull Incorporate PIA use into the
culture of the organization
Practical Privacy LLC 2020
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
bull HIPAA (1996)
ndash Enacted methods to safeguard protected personal information
(PPI)
bull Gramm-Leach-Bliley (1999)
ndash Set requirements on financial institutions regarding how to store
and protect customerrsquos private information
ndash Each state required to implement
bull Homeland Security Act (2002)
ndash Created the National Institute of Standards and Technology
(NIST)
bull Responsible for developing standards and guidelines for
cyber security protections
Michigan Cyber Security Law
bull Michigan Identity Theft Protection Act (2004)
ndash Provides stronger protections than the older statute
which it replaced
ndash sect44563 Broadened the definition of identity to include
Personal Identifying Information (PII)
ndash sect44572 provides the notice requirements for
database security breaches
ndash sect44572a mandates destruction of PII when removed
from a database
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
PROTOCOL 2
• Proactive Protection
• Network Security (two-factor authentication, passphrases, NIST recommendations)
• Endpoint Security
• Email Security (filtering, encryption, threat monitoring, sandboxing, blacklists)
• Mobile Device Security
• Physical Security
• Website Security (secure https connection)
• Offsite Disaster Recovery and Business Continuity Planning
• Data Backups
• Network Assessments – recommended annually
• Relationships/Partnerships with Law Enforcement Agencies/Security Experts
• Data Breach Response Plan / "Tabletop Drills"
• Internal Local Agency Security Officer / Terminal Agency Coordinator
PROTOCOL 3
• How to Choose a Managed Services Provider
• Cybersecurity, disaster recovery, business continuity planning expertise
• Ensures your IT environment will be highly secure
• Highly certified and experienced staff
• CEH – Certified Ethical Hacker
• CISM – Certified Information Security Manager
• CompTIA Security+
• CISSP – Certified Information Systems Security Professional
• GSEC – SANS GIAC Security Essentials
• Provides guaranteed Service Level Agreement/proactive support
• Assists with budgeting and planned upgrades
• Makes your success a priority
PROTOCOL SUMMARY
• Proactive Measures
• Staff awareness and training program – End users are the primary targets
• Implement proactive measures as previously discussed
• Business continuity plan in place and maintained regularly
• Network security incident response (Breach Policy) in place and maintained
• Partner with law enforcement and third-party cybersecurity experts
• Remain current with best practices and software patches
• Annual audit/assessment
• Secure backups: Ensure backups are not connected permanently to computers and networks they are backing up
• Centralize technology processes, procurements, etc. with IT Department
CONTACT INFORMATION
Devin Mackinder, Director of Technology Services
City of Portage, MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
MTA Security Overview
Security Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping organizations protect information and navigate privacy and security regulations. John is a recognized privacy and security speaker for national and state-level organizations.
John's extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare, senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a key expert in Price Waterhouse's Advanced Technologies Group and served on several national and international standards organizations, including the American National Standards Institute (ANSI) and the International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh.
About Blue Orange
Assessments
• HIPAA
• NIST Cyber Security Framework
• HITRUST
Plan & Guidance
• On-line Plans
• Regular Guidance
• Policies and Procedures
Automated Testing
• Vulnerability Scanning
• Elevated Privileges
• Firewall
• O365
Manual Testing
• Penetration Testing
• Social Engineering/Phish
Support & Governance
• Incident/Audit
• Board/Executive Materials/Analytics
Monitoring
• High Priority Event Monitoring
• Tier 2 Support
• National Provider
• Information Privacy and Security Solutions
• Authorized HITRUST Assessor
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
(Diagram levels: Executives; Function/Business Process; Implementation/Operations)
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-Line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates
https://www.linkedin.com/company/2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional Information
John DiMaggio, CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC, May 2020
US States - Current or proposed privacy regulations
US Privacy Map (legend: Signed Privacy Regulations, Proposed Privacy Regulations)
• Virginia HB 473: Personal data management and oversight
• Hawaii SB 418: Relating to Privacy
• California Civil Code §§ 1798.100- 99: California Consumer Protection Act
• Washington SB 5376: An Act Relating to the management and oversight of personal data
• Illinois SB2330: Data Transparency and Privacy Act
• Nebraska LB746: Nebraska Consumer Data Privacy Act
• Minnesota SB29172912: Consumer rights to personal data processing
• Maine 946: Act to Protect the Privacy of Online Customer Information
• Massachusetts 431120: An Act relative to consumer data privacy
• New York S5642: NY Privacy Act
• New Jersey S2834: Online Consumer Opt-out
• Pennsylvania HB1049: Protecting Consumer Information and Privacy
• Rhode Island: NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights Requests (IRM)
Due Diligence & Monitoring
Privacy Impact Assessments
• Receive and track requests
• Retrieve data
• Securely fulfill request
• Train those who handle PII
• Develop role based guidance
• Track compliance
• Assess the use of PII
• Monitor changes in business process
• Training records
• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions
• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations
• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Privacy use controls and business process are in sync
[Diagram: one panel per business process (Business Process 1 to 4), each showing the same elements]
• Data Classification: Sensitivity level, Category/Type
• Use: Sharing, Selling, Commodity Status
• System Access (IAM): Services, Human
• Privacy Impact Assessments: Assessed use => Known Use; Process Changes => New uses (SDLC); Unassessed usage => Risk Calc
• Data at Rest: Encryption, Anonymization
• Data in Motion: Internal (Systems to system); External (Third parties, Service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today's complex universe of regulatory requirements and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
– Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
– Set requirements on financial institutions regarding how to store and protect customer's private information
– Each state required to implement
• Homeland Security Act (2002)
– Created the National Institute of Standards and Technology (NIST)
• Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
– Provides stronger protections than the older statute which it replaced
– §445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
– §445.72 provides the notice requirements for database security breaches
– §445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
– §445.83 limits the usage of a person's social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
– Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
– Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
– Based on the model NAIC statute implementing the Federal Gramm Leach Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
– Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
– Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
– Is Michigan's answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v. Henry Ford Health System, 308 Mich. App. 592 (Mich. Ct. App. 2014), 865 N.W.2d 915, 2015 Mich. LEXIS 1995, lv. denied 498 Mich. 879 | 868 N.W.2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client, HFHS, was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens' control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rts of Way work include Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT PHMSA, MPSC, DHS, Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
PROTOCOL 3
bull How to Choose a Managed Services Provider
bull Cybersecurity disaster recovery business continuity planning expertise
bull Ensures your IT environment will be highly secure
bull Highly certified and experienced staff
bull CEH ndash Certified Ethical Hacker
bull CISM ndash Certified Information Security Manager
bull CompTIA Security+
bull CISSP ndash Certified Information Systems Security Professional
bull GSEC ndash SANS GIAC Security Essentials
bull Provides guaranteed Service Level Agreementproactive support
bull Assists with budgeting and planned upgrades
bull Makes your success a priority
PROTOCOL SUMMARY
bull Proactive Measures
bull Staff awareness and training program ndash End users are the primary targets
bull Implement proactive measures as previously discussed
bull Business continuity plan in place and maintained regularly
bull Network security incident response (Breach Policy) in place and maintained
bull Partner with law enforcement and third-party cybersecurity experts
bull Remain current with best practices and software patches
bull Annual auditassessment
bull Secure backups Ensure backups are not connected permanently to computers and networks they are backing up
bull Centralize technology processes procurements etc with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
14
MTA Security OverviewSecurity Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance a firm dedicated to helping organizations protect information and navigate privacy and security regulations John is a recognized privacy and security speaker for national and state-level organizations
Johnrsquos extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare senior operations roles with NeighborCare and general consulting to the industry John began his career as a key expert in Price Waterhousersquos Advanced Technologies Group and served on several national and international standards organizations including the American National Standards Institute (ANSI) and the International Standards Organization (ISO)
John is the named inventor for multiple healthcare technology and process patents He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh
About Blue Orange
Assessments
bullHIPAA
bullNIST Cyber Security Framework
bullHITRUST
Plan amp Guidance
bullOn-line Plans
bullRegular Guidance
bullPolicies and Procedures
Automated Testing
bullVulnerability Scanning
bullElevated Privileges
bullFirewall
bullO365
Manual Testing
bullPenetration Testing
bullSocial EngineeringPhish
Support amp Governance
bullIncidentAudit
bullBoardExecutive MaterialsAnalytics
Monitoring
bullHigh Priority Event Monitoring
bullTier 2 Support
bull National Provider
bull Information Privacy and Security Solutions
bull Authorized HITRUST Assessor
Security ManagementNIST Cybersecurity Framework
Identify
bullPeople
bullTechnologies
bullProcesses
bullRisk Tolerance
bullAssessments
bullTesting
Protect
bull Implement Safeguards
bullPolicies
bullProcedures
bullTechnology
Detect
bullProcesses
bullTechnology
bullMonitoring
Respond
bullProcesses
bullCommunication
bullMitigation
Recover
bullRestore
bullLessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
bull Email Remote Access (RDP)
bull Awareness Level
bull Business Processes (Billing Service)
bull Risk Assessment
bull Location of Data
bull Backuprecover capabilities
bull Vulnerability Scans
bull Penetration test
Protect
bull Security awareness training
bull Lockdown Technical Access
bull Minimum Necessary
bull Anti-virus Intrusion detection
bull Off-Line regular backups testing
bull Anti-spam
Detect
bull Monitoring
bull Security event monitoring
bull Awareness
Respond
bull Coordination Communication
bull FBI Cyber Insurance Vendor
bull Tabletop exercise
bull Playbook
bull Test recovery
Recover
bull Restore testing
bull Lessons learned
Additional Information
wwwblueorangecompliancecom
Follow BlueOrange on LinkedIn for compliance and security updates
httpswwwlinkedincomcompany2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts
during Covid-19Practical Privacy LLC May 2020
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
23
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights
Requests (IRM)
Due Diligence
amp Monitoring
Privacy Impact Assessments
bull Receive and track requestsbull Retrieve databull Securely fulfill request
bull Train those who handle PIIbull Develop role based guidancebullTrack compliance
bull Assess the use of PIIbull Monitor changes in
business processbull Training records
bull Updated for new obligations bull Presented during data collectionbull Transparent data use
descriptions
bull Accurate inventories of third party data usebullSecure data transmission practices
bull Updated contracts for current obligations
bull Assess the use of PII in systems and processesbull Conducted for new or changing
applications bull Incorporate PIA use into the
culture of the organization
Practical Privacy LLC 2020
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
bull HIPAA (1996)
ndash Enacted methods to safeguard protected personal information
(PPI)
bull Gramm-Leach-Bliley (1999)
ndash Set requirements on financial institutions regarding how to store
and protect customerrsquos private information
ndash Each state required to implement
bull Homeland Security Act (2002)
ndash Created the National Institute of Standards and Technology
(NIST)
bull Responsible for developing standards and guidelines for
cyber security protections
Michigan Cyber Security Law
bull Michigan Identity Theft Protection Act (2004)
ndash Provides stronger protections than the older statute
which it replaced
ndash sect44563 Broadened the definition of identity to include
Personal Identifying Information (PII)
ndash sect44572 provides the notice requirements for
database security breaches
ndash sect44572a mandates destruction of PII when removed
from a database
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
PROTOCOL SUMMARY
bull Proactive Measures
bull Staff awareness and training program ndash End users are the primary targets
bull Implement proactive measures as previously discussed
bull Business continuity plan in place and maintained regularly
bull Network security incident response (Breach Policy) in place and maintained
bull Partner with law enforcement and third-party cybersecurity experts
bull Remain current with best practices and software patches
bull Annual auditassessment
bull Secure backups Ensure backups are not connected permanently to computers and networks they are backing up
bull Centralize technology processes procurements etc with IT Department
CONTACT INFORMATION
Devin Mackinder Director of Technology Services
City of Portage MI
269-324-9217
mackinddportagemigov
We Simplify Information Security and Privacy
MTA Security Overview
Security Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping organizations protect information and navigate privacy and security regulations. John is a recognized privacy and security speaker for national and state-level organizations.
John's extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare, senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a key expert in Price Waterhouse's Advanced Technologies Group and served on several national and international standards organizations, including the American National Standards Institute (ANSI) and the International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh.
About Blue Orange
Assessments
• HIPAA
• NIST Cyber Security Framework
• HITRUST
Plan & Guidance
• On-line Plans
• Regular Guidance
• Policies and Procedures
Automated Testing
• Vulnerability Scanning
• Elevated Privileges
• Firewall
• O365
Manual Testing
• Penetration Testing
• Social Engineering/Phish
Support & Governance
• Incident/Audit
• Board/Executive Materials/Analytics
Monitoring
• High Priority Event Monitoring
• Tier 2 Support
• National Provider
• Information Privacy and Security Solutions
• Authorized HITRUST Assessor
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
EXECUTIVES FUNCTION BUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing, Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates:
https://www.linkedin.com/company/2363281
• Telework Policy and Procedure
• Download Cyber Security E-Book
• COVID-19 Guidance
Contact Info and Additional Information
John DiMaggio, CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC, May 2020
US States - Current or proposed privacy regulations
[US Privacy Map; legend: Signed Privacy Regulations, Proposed Privacy Regulations]
• Virginia: HB 473, Personal data management and oversight
• Hawaii: SB 418, Relating to Privacy
• California: Civil Code §§ 1798.100-99, California Consumer Protection Act
• Washington: SB 5376, AN ACT Relating to the management and oversight of personal data
• Illinois: SB2330, Data Transparency and Privacy Act
• Nebraska: LB746, Nebraska Consumer Data Privacy Act
• Minnesota: SB29172912, Consumer rights to personal data processing
• Maine: 946, Act to Protect the Privacy of Online Customer Information
• Massachusetts: 431120, An Act relative to consumer data privacy
• New York: S5642, NY Privacy Act
• New Jersey: S2834, Online Consumer Opt-out
• Pennsylvania: HB1049, Protecting Consumer Information and Privacy
• Rhode Island: NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
[Diagram areas: Privacy Training; Privacy Operations; Third Party Management; Privacy Notices; Individual Rights Requests (IRM); Due Diligence & Monitoring; Privacy Impact Assessments]
• Receive and track requests
• Retrieve data
• Securely fulfill request

• Train those who handle PII
• Develop role-based guidance
• Track compliance

• Assess the use of PII
• Monitor changes in business process
• Training records

• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions

• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations

• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Privacy use controls and business process are in sync
[Diagram panels: Business Process 1, Business Process 2, Business Process 3, Business Process 4. Elements shown:]
• Data Classification: Sensitivity level; Category/Type; Use; Sharing / Selling; Commodity Status
• System Access (IAM): Services; Human
• Privacy Impact Assessments: Assessed use ==> Known use; Process changes ==> New uses (SDLC); Unassessed usage ==> Risk calc
• Data at Rest: Encryption; Anonymization
• Data in Motion: Internal (system to system); External (third parties, service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill Schaumann
Bill is a privacy pro with twenty-plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today's complex universe of regulatory requirements and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
  – Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
  – Set requirements on financial institutions regarding how to store and protect customer's private information
  – Each state required to implement
• Homeland Security Act (2002)
  – Created the National Institute of Standards and Technology (NIST)
    • Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
  – Provides stronger protections than the older statute which it replaced
  – § 445.63 broadened the definition of identity to include Personal Identifying Information (PII)
  – § 445.72 provides the notice requirements for database security breaches
  – § 445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
  – § 445.83 limits the usage of a person's social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
  – Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
  – Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
  – Based on the model NAIC statute implementing the Federal Gramm-Leach-Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
  – Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
  – Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
  – Is Michigan's answer to large-scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014); 865 NW2d 915; 2015 Mich LEXIS 1995; lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client HFHS was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens' control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rts of Way work include Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear
Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT, PHSMA, MPSC, DHS, Metro Authority (now the Local Community Stabilization Authority), and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J. Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J. Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill., and Toledo, OH.
• Mr. Watza's practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same.
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHSMA).
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues, including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform.
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee.
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy and Ethics and the Practice of Law.
• In 2008, Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast's effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog.
• In 2013, Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA-sponsored WIFI system in Michigan in the face of legislative impediments.
Michael J. Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M. Kraatz Biography
Michigan Rising Star
• Carina M. Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy, and creditor/debtor rights.
• Mrs. Kraatz's client base is composed of both domestic and international clients.
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa.
• Mrs. Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various "advice and counsel" clinics. Additionally, she is a part of the Firm's Marketing and Pro Bono Committees.
• Additionally, Mrs. Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan.
Carina M. Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
We Simplify Information Security and Privacy
14
MTA Security OverviewSecurity Management
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance a firm dedicated to helping organizations protect information and navigate privacy and security regulations John is a recognized privacy and security speaker for national and state-level organizations
Johnrsquos extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare senior operations roles with NeighborCare and general consulting to the industry John began his career as a key expert in Price Waterhousersquos Advanced Technologies Group and served on several national and international standards organizations including the American National Standards Institute (ANSI) and the International Standards Organization (ISO)
John is the named inventor for multiple healthcare technology and process patents He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh
About Blue Orange
Assessments
bullHIPAA
bullNIST Cyber Security Framework
bullHITRUST
Plan amp Guidance
bullOn-line Plans
bullRegular Guidance
bullPolicies and Procedures
Automated Testing
bullVulnerability Scanning
bullElevated Privileges
bullFirewall
bullO365
Manual Testing
bullPenetration Testing
bullSocial EngineeringPhish
Support amp Governance
bullIncidentAudit
bullBoardExecutive MaterialsAnalytics
Monitoring
bullHigh Priority Event Monitoring
bullTier 2 Support
bull National Provider
bull Information Privacy and Security Solutions
bull Authorized HITRUST Assessor
Security ManagementNIST Cybersecurity Framework
Identify
bullPeople
bullTechnologies
bullProcesses
bullRisk Tolerance
bullAssessments
bullTesting
Protect
bull Implement Safeguards
bullPolicies
bullProcedures
bullTechnology
Detect
bullProcesses
bullTechnology
bullMonitoring
Respond
bullProcesses
bullCommunication
bullMitigation
Recover
bullRestore
bullLessons learned
EXECUTIVES FUNCTIONBUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
bull Email Remote Access (RDP)
bull Awareness Level
bull Business Processes (Billing Service)
bull Risk Assessment
bull Location of Data
bull Backuprecover capabilities
bull Vulnerability Scans
bull Penetration test
Protect
bull Security awareness training
bull Lockdown Technical Access
bull Minimum Necessary
bull Anti-virus Intrusion detection
bull Off-Line regular backups testing
bull Anti-spam
Detect
bull Monitoring
bull Security event monitoring
bull Awareness
Respond
bull Coordination Communication
bull FBI Cyber Insurance Vendor
bull Tabletop exercise
bull Playbook
bull Test recovery
Recover
bull Restore testing
bull Lessons learned
Additional Information
wwwblueorangecompliancecom
Follow BlueOrange on LinkedIn for compliance and security updates
httpswwwlinkedincomcompany2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts
during Covid-19Practical Privacy LLC May 2020
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
Privacy Operations
Privacy Training
• Train those who handle PII
• Develop role based guidance
• Track compliance
Individual Rights Requests (IRM)
• Receive and track requests
• Retrieve data
• Securely fulfill request
Due Diligence & Monitoring
• Assess the use of PII
• Monitor changes in business process
• Training records
Privacy Notices
• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions
Third Party Management
• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations
Privacy Impact Assessments
• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
Covid-19 Impact on Privacy
New work from home process disruption risk
Privacy use controls and business process are in sync
[Diagram: stacked panels labelled Business Process 1, 2, 3 and 4; each panel lists the following]
Data Classification: Sensitivity level, Category/Type
Use: Sharing, Selling, Commodity Status
System Access (IAM): Services, Human
Privacy Impact Assessments: Assessed use ==> Known Use; Process Changes ==> New uses (SDLC); Unassessed usage ==> Risk Calc
Data at Rest: Encryption, Anonymization
Data in Motion: Internal (Systems to system); External (Third parties, Service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill Schaumann
Bill is a privacy pro with twenty-plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today's complex universe of regulatory requirements and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
– Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
– Set requirements on financial institutions regarding how to store and protect customer's private information
– Each state required to implement
• Homeland Security Act (2002)
– Created the National Institute of Standards and Technology (NIST)
• Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
– Provides stronger protections than the older statute which it replaced
– §445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
– §445.72 provides the notice requirements for database security breaches
– §445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
– §445.83 limits the usage of a person's social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
– Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
– Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
– Based on the model NAIC statute implementing the Federal Gramm Leach Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
– Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
– Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
– Is Michigan's answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014), 865 NW2d 915, 2015 Mich LEXIS 1995, Lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client HFHS was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens' control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rts of Way work include Telecommunications (wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT, PHMSA, MPSC, DHS, Metro Authority (now the Local Community Stabilization Authority), and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J. Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J. Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill., and Toledo, OH.
• Mr. Watza's practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications (including Cable and Cell Towers), Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same.
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHMSA).
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform.
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee.
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy, and Ethics and the Practice of Law.
• In 2008, Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast's effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog.
• In 2013, Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments.
Michael J. Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M. Kraatz Biography
Michigan Rising Star
• Carina M. Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy and creditor/debtor rights.
• Mrs. Kraatz's client base is composed of both domestic and international clients.
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa.
• Mrs. Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various "advice and counsel" clinics. Additionally, she is a part of the Firm's Marketing and Pro Bono Committees.
• Additionally, Mrs. Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan.
Carina M. Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
About the Presenter
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping organizations protect information and navigate privacy and security regulations. John is a recognized privacy and security speaker for national and state-level organizations.
John's extensive experience includes Chief Information Officer with NCS Healthcare and Omnicare, senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a key expert in Price Waterhouse's Advanced Technologies Group and served on several national and international standards organizations, including the American National Standards Institute (ANSI) and the International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in Finance from Katz Graduate School of Business and a BS in Computer Science from the University of Pittsburgh.
About Blue Orange
Assessments
• HIPAA
• NIST Cyber Security Framework
• HITRUST
Plan & Guidance
• On-line Plans
• Regular Guidance
• Policies and Procedures
Automated Testing
• Vulnerability Scanning
• Elevated Privileges
• Firewall
• O365
Manual Testing
• Penetration Testing
• Social Engineering/Phish
Support & Governance
• Incident/Audit
• Board/Executive Materials/Analytics
Monitoring
• High Priority Event Monitoring
• Tier 2 Support
• National Provider
• Information Privacy and Security Solutions
• Authorized HITRUST Assessor
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
EXECUTIVES FUNCTION
BUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
wwwblueorangecompliancecom
Follow BlueOrange on LinkedIn for compliance and security updates
httpswwwlinkedincomcompany2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional
Information
John DiMaggio CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
6145674109
Thank You
Modern Privacy Concepts
during Covid-19Practical Privacy LLC May 2020
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
23
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights
Requests (IRM)
Due Diligence
amp Monitoring
Privacy Impact Assessments
bull Receive and track requestsbull Retrieve databull Securely fulfill request
bull Train those who handle PIIbull Develop role based guidancebullTrack compliance
bull Assess the use of PIIbull Monitor changes in
business processbull Training records
bull Updated for new obligations bull Presented during data collectionbull Transparent data use
descriptions
bull Accurate inventories of third party data usebullSecure data transmission practices
bull Updated contracts for current obligations
bull Assess the use of PII in systems and processesbull Conducted for new or changing
applications bull Incorporate PIA use into the
culture of the organization
Practical Privacy LLC 2020
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
bull HIPAA (1996)
ndash Enacted methods to safeguard protected personal information
(PPI)
bull Gramm-Leach-Bliley (1999)
ndash Set requirements on financial institutions regarding how to store
and protect customerrsquos private information
ndash Each state required to implement
bull Homeland Security Act (2002)
ndash Created the National Institute of Standards and Technology
(NIST)
bull Responsible for developing standards and guidelines for
cyber security protections
Michigan Cyber Security Law
bull Michigan Identity Theft Protection Act (2004)
ndash Provides stronger protections than the older statute
which it replaced
ndash sect44563 Broadened the definition of identity to include
Personal Identifying Information (PII)
ndash sect44572 provides the notice requirements for
database security breaches
ndash sect44572a mandates destruction of PII when removed
from a database
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill. and Toledo, OH
• Mr. Watza’s practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications (including Cable and Cell Towers), Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHSMA)
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting/telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar, and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy, and Ethics and the Practice of Law
• In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast’s effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
• In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward 24th Floor
Detroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
• Carina M Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy and creditor/debtor rights
• Mrs. Kraatz’s client base is composed of both domestic and international clients
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa
• Mrs. Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various “advice and counsel” clinics. Additionally, she is a part of the Firm’s Marketing and Pro Bono Committees
• Additionally, Mrs. Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan
Carina M Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward 24th Floor
Detroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
Security Management
NIST Cybersecurity Framework
Identify
• People
• Technologies
• Processes
• Risk Tolerance
• Assessments
• Testing
Protect
• Implement Safeguards
• Policies
• Procedures
• Technology
Detect
• Processes
• Technology
• Monitoring
Respond
• Processes
• Communication
• Mitigation
Recover
• Restore
• Lessons learned
EXECUTIVES
FUNCTION/BUSINESS PROCESS
IMPLEMENTATION OPERATIONS
Example - Ransomware
Identify
• Email, Remote Access (RDP)
• Awareness Level
• Business Processes (Billing, Service)
• Risk Assessment
• Location of Data
• Backup/recover capabilities
• Vulnerability Scans
• Penetration test
Protect
• Security awareness training
• Lockdown Technical Access
• Minimum Necessary
• Anti-virus, Intrusion detection
• Off-Line regular backups, testing
• Anti-spam
Detect
• Monitoring
• Security event monitoring
• Awareness
Respond
• Coordination, Communication
• FBI, Cyber Insurance, Vendor
• Tabletop exercise
• Playbook
• Test recovery
Recover
• Restore testing
• Lessons learned
Additional Information
www.blueorangecompliance.com
Follow BlueOrange on LinkedIn for compliance and security updates
https://www.linkedin.com/company/2363281
Telework Policy and Procedure
Download Cyber Security E Book
COVID-19 Guidance
Contact Info and Additional Information
John DiMaggio, CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
614-567-4109
Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC May 2020
US States - Current or proposed privacy regulations
[US Privacy Map; legend: Signed Privacy Regulations, Proposed Privacy Regulations]
• Virginia HB 473: Personal data management and oversight
• Hawaii SB 418: Relating to Privacy
• California Civil Code §§ 1798100- 99: California Consumer Protection Act
• Washington SB 5376: AN ACT Relating to the management and oversight of personal data
• Illinois SB2330: Data Transparency and Privacy Act
• Nebraska LB746: Nebraska Consumer Data Privacy Act
• Minnesota SB29172912: Consumer rights to personal data processing
• Maine 946: Act to Protect the Privacy of Online Customer Information
• Massachusetts 431120: An Act relative to consumer data privacy
• New York S5642: NY Privacy Act
• New Jersey S2834: Online Consumer Opt-out
• Pennsylvania HB1049: Protecting Consumer Information and Privacy
• Rhode Island: NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights Requests (IRM)
Due Diligence & Monitoring
Privacy Impact Assessments
• Receive and track requests
• Retrieve data
• Securely fulfill request
• Train those who handle PII
• Develop role based guidance
• Track compliance
• Assess the use of PII
• Monitor changes in business process
• Training records
• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions
• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations
• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Privacy use controls and business process are in sync
[Diagram: stacked panels for Business Process 1, Business Process 2, Business Process 3 and Business Process 4, each showing the following controls]
• Data Classification: Sensitivity level, Category/Type
• Use: Sharing, Selling, Commodity Status
• System Access (IAM): Services, Human
• Privacy Impact Assessments: Assessed use ===> Known Use; Process Changes ===> New uses (SDLC); Unassessed usage ===> Risk Calc
• Data at Rest: Encryption, Anonymization
• Data in Motion: Internal (Systems to system); External (Third parties, Service providers)
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
Bill is a privacy pro with twenty plus years of experience managing Privacy and Security teams in the development of privacy and security systems and programs for a variety of Fortune 100 clients in the financial services, manufacturing, government and insurance sectors.
Bill has a deep understanding of the processes and related technologies needed to meet today’s complex universe of regulatory requirements and how to implement supporting programs to manage administrative and technical controls for the use of personal and sensitive data.
Bill has a BA in communications from Temple University and carries CIPP/IT, CISSP and GIAC professional certifications.
Federal Cyber Security Law
• HIPAA (1996)
  – Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
  – Set requirements on financial institutions regarding how to store and protect customer’s private information
  – Each state required to implement
• Homeland Security Act (2002)
  – Created the National Institute of Standards and Technology (NIST)
    • Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
  – Provides stronger protections than the older statute which it replaced
  – § 445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
  – § 445.72 provides the notice requirements for database security breaches
  – § 445.72a mandates destruction of PII when removed from a database
Michigan Cyber Security Law
• Michigan Social Security Number Privacy Act (2004)
  – § 445.83 limits the usage of a person’s social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
  – Regulates access to and disclosure of medical records
Michigan Cyber Security Law
• Michigan Revised School Code (2016)
  – Addresses the issue of protecting the privacy of student records
Federal Cyber Security Law
• HIPAA (1996)
  – Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
  – Set requirements on financial institutions regarding how to store and protect customer's private information
  – Each state required to implement
• Homeland Security Act (2002)
  – Created the National Institute of Standards and Technology (NIST)
    • Responsible for developing standards and guidelines for cyber security protections

Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
  – Provides stronger protections than the older statute which it replaced
  – § 445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
  – § 445.72 provides the notice requirements for database security breaches
  – § 445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
  – § 445.83 limits the usage of a person's social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
  – Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
  – Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
  – Based on the model NAIC statute implementing the Federal Gramm-Leach-Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
  – Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
  – Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
  – Is Michigan's answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v. Henry Ford Health System, 308 Mich. App. 592 (Mich. Ct. App. 2014); 865 N.W.2d 915; 2015 Mich. LEXIS 1995; lv. denied, 498 Mich. 879 | 868 N.W.2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client, HFHS, was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens' control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rights-of-Way work include Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT PHMSA, MPSC, DHS, Metro Authority (now the Local Community Stabilization Authority), and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J. Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J. Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service law firm based in Detroit with offices in Lansing, Marquette, Mt. Clemens, Chicago, Ill. and Toledo, OH.
• Mr. Watza's practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications (including Cable and Cell Towers), Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same.
• Michael has managed multiple legislative initiatives and represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, the Federal Communications Commission and the Department of Transportation (PHMSA).
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues, including energy, transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform.
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar, Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee.
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy and Ethics and the Practice of Law.
• In 2008, Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast's effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog.
• In 2013, Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments.

Michael J. Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M. Kraatz Biography
Michigan Rising Star
• Carina M. Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy, and creditor/debtor rights.
• Mrs. Kraatz's client base is composed of both domestic and international clients.
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa.
• Mrs. Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various "advice and counsel" clinics. Additionally, she is a part of the Firm's Marketing and Pro Bono Committees.
• Additionally, Mrs. Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan.

Carina M. Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward, 24th Floor
Detroit, MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
Contact Info and Additional Information
John DiMaggio, CEO
Blue Orange Compliance
johndimaggioblueorangecompliancecom
614-567-4109

Thank You
Modern Privacy Concepts during Covid-19
Practical Privacy LLC, May 2020
US States: Current or proposed privacy regulations
[Figure: US Privacy Map. Legend: Signed Privacy Regulations; Proposed Privacy Regulations. States labelled on the map:]
• Virginia, HB 473: Personal data management and oversight
• Hawaii, SB 418: Relating to Privacy
• California, Civil Code §§ 1798.100- 99: California Consumer Protection Act
• Washington, SB 5376: AN ACT Relating to the management and oversight of personal data
• Illinois, SB2330: Data Transparency and Privacy Act
• Nebraska, LB746: Nebraska Consumer Data Privacy Act
• Minnesota, SB29172912: Consumer rights to personal data processing
• Maine, 946: Act to Protect the Privacy of Online Customer Information
• Massachusetts, 431120: An Act relative to consumer data privacy
• New York, S5642: NY Privacy Act
• New Jersey, S2834: Online Consumer Opt-out
• Pennsylvania, HB1049: Protecting Consumer Information and Privacy
• Rhode Island: NY Privacy Act
A nation trending towards increased data protection regulation
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
[Figure: Privacy Operations diagram. Areas shown: Privacy Training; Third Party Management; Privacy Notices; Individual Rights Requests (IRM); Due Diligence & Monitoring; Privacy Impact Assessments. Bullet groups attached to the areas:]

• Receive and track requests
• Retrieve data
• Securely fulfill request

• Train those who handle PII
• Develop role based guidance
• Track compliance

• Assess the use of PII
• Monitor changes in business process
• Training records

• Updated for new obligations
• Presented during data collection
• Transparent data use descriptions

• Accurate inventories of third party data use
• Secure data transmission practices
• Updated contracts for current obligations

• Assess the use of PII in systems and processes
• Conducted for new or changing applications
• Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Privacy use controls and business process are in sync
[Figure: one card per business process, each carrying the same fields]
Data Classification: Sensitivity level; Category/Type; Use
Sharing / Selling
Commodity Status
System Access (IAM): Services; Human
Privacy Impact Assessments: Assessed use => Known Use
Process Changes => New uses
(SDLC) Unassessed usage => Risk Calc
Data at Rest: Encryption; Anonymization
Data in Motion: Internal Systems to system
External: Third parties; Service providers
Business Process 3
Data Classification: Sensitivity level; Category/Type; Use
System Access (IAM): Services; Human
Privacy Impact Assessments: Assessed use => Known Use
Process Changes => New uses
(SDLC) Unassessed usage => Risk Calc
Data at Rest: Encryption; Anonymization
Data in Motion: Internal Systems to system
External: Third parties; Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing / Selling
Commodity Status
US States -Current or proposed privacy regulations
Signed Privacy Regulations
Proposed Privacy Regulations
US Privacy Map
Virginia HB 473
Personal data management
and oversight
HawaiiSB 418
Relating to Privacy
CaliforniaCivil Code sectsect 1798100- 99
California Consumer Protection Act
Washington
SB 5376 AN ACT Relating
to the management and
oversight of personal
data
IllinoisSB2330Data
Transparency and Privacy Act
NebraskaLB746
Nebraska Consumer Data Privacy Act
Minnesota SB29172912
Consumer rights to
personal data
processing
Maine 946
Act to Protect the
Privacy of Online
Customer
Information
Massachusetts
431120
An Act relative to
consumer data
privacyNew York S5642
NY Privacy Act
New Jersey S2834
Online Consumer Opt-
out
Pennsylvania HB1049
Protecting Consumer
Information and Privacy
Rhode Island
NY Privacy Act
A nation trending towards increased data protection regulation
Practical Privacy LLC 2020
Key Areas for Operationalizing Privacy
23
Operationalizing privacy involves ongoing active participation
Privacy Training
Privacy Operations
Third Party Management
Privacy Notices
Individual Rights
Requests (IRM)
Due Diligence
amp Monitoring
Privacy Impact Assessments
bull Receive and track requestsbull Retrieve databull Securely fulfill request
bull Train those who handle PIIbull Develop role based guidancebullTrack compliance
bull Assess the use of PIIbull Monitor changes in
business processbull Training records
bull Updated for new obligations bull Presented during data collectionbull Transparent data use
descriptions
bull Accurate inventories of third party data usebullSecure data transmission practices
bull Updated contracts for current obligations
bull Assess the use of PII in systems and processesbull Conducted for new or changing
applications bull Incorporate PIA use into the
culture of the organization
Practical Privacy LLC 2020
25New work from home process disruption risk
Covid-19 Impact on Privacy
Practical Privacy LLC 2020
Privacy use controls and business process are in sync
Data Classification Sensitivity level
CategoryType
Use
Sharing Selling
Commodity Status
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses
(SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 3
Data Classification Sensitivity level
CategoryType
Use
System Access (IAM)Services
Human
Privacy Impact AssessmentsAssessed use ===gt Known Use
Process Changes===gt New uses (SDLC)Unassessed usage===gt Risk Calc
Data at RestEncryption
Anonymization
Data in MotionInternal Systems to system
ExternalThird parties
Service providers
Business Process 4
Business Process 3
Business Process 2
Business Process 1
Sharing Selling
Commodity Status
Speaker
Bill Schaumann
Privacy Professional
Practical Privacy LLC
BillSchaumanngmailcom
248-705-8020
26
Bill Schaumann
Bill is a privacy pro with twenty plus years of experience
managing Privacy and Security teams in the development
of privacy and security systems and programs for a variety
of fortune 100 clients in the financial services
manufacturing government and insurance sectors
Bill has a deep understanding of the processes and related
technologies needed to meet todays complex universe of
regulatory requirements and how to implement
supporting programs to manage administrative and
technical controls for the use of personal and sensitive
data
Bill has a BA in communications from Temple University
and carries CIPPIT CISSP and GIAC professional
certifications
Practical Privacy LLC 2020
Federal Cyber Security Law
• HIPAA (1996)
  – Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
  – Set requirements on financial institutions regarding how to store and protect customer’s private information
  – Each state required to implement
• Homeland Security Act (2002)
  – Created the National Institute of Standards and Technology (NIST)
    • Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
  – Provides stronger protections than the older statute which it replaced
  – § 445.63 broadened the definition of identity to include Personal Identifying Information (PII)
  – § 445.72 provides the notice requirements for database security breaches
  – § 445.72a mandates destruction of PII when removed from a database
• Michigan Social Security Number Privacy Act (2004)
  – § 445.83 limits the usage of a person’s social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
  – Regulates access to and disclosure of medical records
• Michigan Revised School Code (2016)
  – Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
  – Based on the model NAIC statute implementing the Federal Gramm-Leach-Bliley Act to protect the privacy of financial information
• Michigan Cyber Security Act (2018)
  – Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
  – Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
  – Is Michigan’s answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014), 865 NW2d 915, 2015 Mich LEXIS 1995, Lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client HFHS was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens’ control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rights-of-Way work include Telecommunications (wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT PHSMA, MPSC, DHS, Metro Authority (now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan: http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report: http://www.protec-mi.org/media/2014-annual-report.pdf
Michael J Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service law firm based in Detroit with offices in Lansing, Marquette, Mt Clemens, Chicago, Ill and Toledo, OH
• Mr Watza’s practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHSMA)
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy and Ethics and the Practice of Law
• In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast’s effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
• In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J Watza
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward 24th Floor
Detroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983
Fax (313) 965-7403
M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
• Carina M Kraatz concentrates her practice in commercial litigation, technology and data security, data privacy, real estate, construction, contract review and litigation, intellectual property prosecution and litigation, bankruptcy and creditor/debtor rights
• Mrs Kraatz’s client base is composed of both domestic and international clients
• She has litigated cases in a variety of jurisdictions at both the federal and state level, including Michigan, Indiana, Ohio and Iowa
• Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various “advice and counsel” clinics. Additionally, she is a part of the Firm’s Marketing and Pro Bono Committees
• Additionally, Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County, Michigan
Carina M Kraatz
Kitch Drutchas Wagner Valitutti & Sherbrook
1 Woodward 24th Floor
Detroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647
Fax (313) 965-7403
Key Areas for Operationalizing Privacy
Operationalizing privacy involves ongoing active participation
[Diagram labels: Privacy Training; Privacy Operations; Third Party Management; Privacy Notices; Individual Rights Requests (IRM); Due Diligence & Monitoring; Privacy Impact Assessments]
Activities listed on the slide, in the groups in which they appear:
• Receive and track requests; Retrieve data; Securely fulfill request
• Train those who handle PII; Develop role based guidance; Track compliance
• Assess the use of PII; Monitor changes in business process; Training records
• Updated for new obligations; Presented during data collection; Transparent data use descriptions
• Accurate inventories of third party data use; Secure data transmission practices; Updated contracts for current obligations
• Assess the use of PII in systems and processes; Conducted for new or changing applications; Incorporate PIA use into the culture of the organization
New work from home process disruption risk
Covid-19 Impact on Privacy
Federal Cyber Security Law
• HIPAA (1996)
  – Enacted methods to safeguard protected personal information (PPI)
• Gramm-Leach-Bliley (1999)
  – Set requirements on financial institutions regarding how to store and protect customer’s private information
  – Each state required to implement
• Homeland Security Act (2002)
  – Created the National Institute of Standards and Technology (NIST)
    • Responsible for developing standards and guidelines for cyber security protections
Michigan Cyber Security Law
• Michigan Identity Theft Protection Act (2004)
  – Provides stronger protections than the older statute which it replaced
  – § 445.63 Broadened the definition of identity to include Personal Identifying Information (PII)
  – § 445.72 provides the notice requirements for database security breaches
  – § 445.72a mandates destruction of PII when removed from a database
Michigan Cyber Security Law
• Michigan Social Security Number Privacy Act (2004)
  – § 445.83 limits the usage of a person’s social security number to 4 sequential digits
• Michigan Medical Records Access Act (2004)
  – Regulates access to and disclosure of medical records
Michigan Cyber Security Law
• Michigan Revised School Code (2016)
  – Addresses the issue of protecting the privacy of student records
• Michigan Insurance Code
  – Based on the model NAIC statute implementing the Federal Gramm Leach Bliley Act to protect the privacy of financial information
Michigan Cyber Security Law
• Michigan Cyber Security Act (2018)
  – Places requirements on any person or business licensed by the Michigan Department of Insurance and Financial Services
  – Based on the 2017 National Association of Insurance Commissioners (NAIC) data security model law
  – Is Michigan’s answer to large scale data breaches such as Equifax
MICHIGAN CASE LAW
Doe v Henry Ford Health System, 308 Mich App 592 (Mich Ct App 2014); 865 NW2d 915; 2015 Mich LEXIS 1995; Lv denied 498 Mich 879 | 868 NW2d 912
A seminal Court of Appeals opinion in which we established that dismissal of our Hospital client, HFHS, was and remains appropriate based on a lack of intentional acts and lack of actual injury in a cyber breach case.
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens’ control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property.
Industries we deal with in our Rights-of-Way work include: Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage.
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT, PHMSA, MPSC, DHS, Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress.
100+ Members include Municipalities Across Michigan
http://www.protec-mi.org/supporters.php
Our 2018/2019 Annual Report
http://www.protec-mi.org/media/2014-annual-report.pdf
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
Michigan Cyber Security Law
bull Michigan Identity Theft Protection Act (2004)
ndash Provides stronger protections than the older statute
which it replaced
ndash sect44563 Broadened the definition of identity to include
Personal Identifying Information (PII)
ndash sect44572 provides the notice requirements for
database security breaches
ndash sect44572a mandates destruction of PII when removed
from a database
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
Michigan Cyber Security Law
bull Michigan Social Security Number Privacy Act
(2004)
ndash sect44583 limits the usage of a personrsquos social security
number to 4 sequential digits
bull Michigan Medical Records Access Act (2004)
ndash Regulates access to and disclosure of medical
records
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
Michigan Cyber Security Law
bull Michigan Revised School Code (2016)
ndash Addresses the issue of protecting the privacy of
student records
bull Michigan Insurance Code
ndash Based on the model NAIC statute implementing the
Federal Gramm Leach Bliley Act to protect the privacy
of financial information
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
Michigan Cyber Security Law
bull Michigan Cyber Security Act (2018)
ndash Places requirements on any person or business
licensed by the Michigan Department of Insurance
and Financial Services
ndash Based on the 2017 National Association of Insurance
Commissioners (NAIC) data security model law
ndash Is Michiganrsquos answer to large scale data breaches
such as Equifax
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We DoThe Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizensrsquo control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rts of Way work include Telecommunications (Wireline wireless and videocable) Electric (Distribution and Transmission) Pipelines as well as Municipal Water and Sewerage
Where We Appear Governmental Bodies we work with include the Federal and State Courts FCC NTIA US DOT PHSMA MPSC DHS Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michiganhttpwwwprotec-miorgsupportersphp
Our 20182019 Annual Reporthttpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza BiographyMartindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
bull Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch a full service Law firm based in Detroit with offices in Lansing Marquette Mt Clemens Chicago Ill and Toledo OH
bull Mr Watzas practice provides litigated legislative and regulatory solutions on behalf of municipal health care and private sector clients concerning Legislation Complex Litigation Governance Issues Telecommunications including Cable and Cell Towers Energy Insurance and Cyber Security including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
bull Michael has managed multiple legislative initiatives represented clients in State and Federal trial and appellate courts across Michigan as well as attended to regulatory matters before the Michigan Public Service Commission Michigan Tax Tribunal Department of Labor and Economic Growth and the Federal Communications Commission and Department of Transportation (PHSMA)
bull Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation drafting and testimony regarding legislation on various issues including energy transmission line sitingtelecommunications (cable and cell towers) pipeline regulation the formation of inter-governmental authorities and tort reform
bull Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan the Michigan Gaming Control Board Covenant House Central School Board in Detroit Chairman of the Novi EDC Chairman of Attorney Grievance Commission Grievance Panel 9 Immediate Past Chairman of the Administrative Law Section of the State Bar and TreasurerSecretary of the Public Corporation Law Section of the State Bar and Chairman of the International Municipal Lawyers Technology Committee
bull Michael is an adjunct faculty member at Michigan State University College of Law having taught Communications Law and Policy and Ethics and the Practice of Law
bull In 2008 Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcastrsquos effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
bull In 2013 Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments
Michael J WatzaKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail MikeWatzaKitchCom
O (313) 965-7983Fax (313) 965-7403M (248) 921-3888
Carina M Kraatz Biography
Michigan Rising Star
bull Carina M Kraatz concentrates her practice in commercial litigation technology and data security data privacy real estate construction contract review and litigation intellectual property prosecution and litigation bankruptcy and creditordebtor rights
bull Mrs Kraatzrsquos client base is composed of both domestic and international clients
bull She has litigated cases in a variety of jurisdictions at both the federal and state level including Michigan Indiana Ohio and Iowa
bull Mrs Kraatz is also committed to pro bono and represents pro bono clients in litigation and through various ldquoadvice and counselrdquo clinics Additionally she is a part of the Firmrsquos Marketing and Pro Bono Committees
bull Additionally Mrs Kraatz serves as a commercial case evaluator for the Mediation Tribunal Association located in Wayne County Michigan
Carina M KraatzKitch Drutchas Wagner Valitutti amp Sherbrook
1 Woodward 24th FloorDetroit MI 48226
E Mail CarinaKraatzKitchcom
O (313) 965-7647Fax (313) 965-7403
MICHIGAN CASE LAWDoe v Henry Ford Health System308 Mich App 592 (Mich Ct App 2014) 865 NW2d 915 2015 Mich
LEXIS 1995 Lv denied 498 Mich 879 | 868 NW2d 912 lsquo
A seminal Court of Appeals opinion in which we established that dismissal of
our Hospital client HFHS was and remains appropriate based on a lack of
intentional acts and lack of actual injury in a cyber breach case
Who We Are And What We Do
The Michigan Coalition To Protect Public Rights-Of-Way was formed in 1996 by several Michigan cities interested in protecting their citizens’ control over public rights-of-way and their right to receive fair compensation from the telecommunications companies that use public property
Industries we deal with in our Rights of Way work include Telecommunications (Wireline, wireless and video/cable), Electric (Distribution and Transmission), Pipelines, as well as Municipal Water and Sewerage
Where We Appear: Governmental Bodies we work with include the Federal and State Courts, FCC, NTIA, US DOT PHMSA, MPSC, DHS, Metro Authority (Now the Local Community Stabilization Authority) and the Michigan Legislature and Congress
100+ Members include Municipalities Across Michigan
httpwwwprotec-miorgsupportersphp
Our 2018/2019 Annual Report
httpwwwprotec-miorgmedia2014-annual-reportpdf
Michael J Watza Biography
Martindale Hubbell AV Rating
Super Lawyer Designation
Detroit Business Top Lawyer
• Michael J Watza is Co-Chair of the Governmental and Commercial Litigation Practice Groups at Kitch, a full service Law firm based in Detroit with offices in Lansing, Marquette, Mt Clemens, Chicago, Ill and Toledo, OH
• Mr. Watza's practice provides litigated, legislative and regulatory solutions on behalf of municipal, health care and private sector clients concerning Legislation, Complex Litigation, Governance Issues, Telecommunications including Cable and Cell Towers, Energy, Insurance and Cyber Security, including advising a large governmental risk management pool as it amended general coverage docs and considered adopting limited coverage for same
• Michael has managed multiple legislative initiatives, represented clients in State and Federal trial and appellate courts across Michigan, as well as attended to regulatory matters before the Michigan Public Service Commission, Michigan Tax Tribunal, Department of Labor and Economic Growth, and the Federal Communications Commission and Department of Transportation (PHMSA)
• Michael has represented clients in the halls of the Michigan Legislature and Congress through negotiation, drafting and testimony regarding legislation on various issues including energy, transmission line siting, telecommunications (cable and cell towers), pipeline regulation, the formation of inter-governmental authorities and tort reform
• Michael also serves as General Counsel to PROTEC and the Mobile Technology Association of Michigan, the Michigan Gaming Control Board, Covenant House Central School Board in Detroit, Chairman of the Novi EDC, Chairman of Attorney Grievance Commission Grievance Panel 9, Immediate Past Chairman of the Administrative Law Section of the State Bar, and Treasurer/Secretary of the Public Corporation Law Section of the State Bar, and Chairman of the International Municipal Lawyers Technology Committee
• Michael is an adjunct faculty member at Michigan State University College of Law, having taught Communications Law and Policy and Ethics and the Practice of Law
• In 2008, Michael successfully led a coalition of Michigan Cities to Federal Court and Congress to oppose Comcast’s effort to move PEG channels to the 900 channel range and digital at a time when all other cable channels were analog
• In 2013, Michael provided the legal components to the development of the 1st new Municipal Fiber to the Home and Business (FTTP) project and the development of a DDA sponsored WIFI system in Michigan in the face of legislative impediments