orlando, florida prevention: the legacy (data) we leave behind courtney m. dunn registered patent...

Orlando, Floridawww.lowndes-law.com

Prevention:

The Legacy (Data) We Leave Behind

Courtney M. DunnRegistered Patent Attorney, Senior Associate

© 2011 Lowndes, Drosdick, Doster, Kantor & Reed, P.A. All Rights Reserved

Putting the Genie Back in the BottlePreventing and Dealing with Data Breaches in Your Company

Orlando, Florida | www.lowndes-law.com

The Problem

Disposing of computer equipment without destroying the data on the equipment.



Data Privacy Laws

Duty to protect personal information of an individual



Data Privacy Laws

Whose information must a company protect?

Employees

Clients

Customers

Job Applicants

Consultants

Independent Contractors

Anyone whose personal data is acquires



Data Privacy Laws

What types of information must a company protect?

Medical (HIPAA)

Genetic (GINA)

Consumer Credit (FACTA)

Personally identifiable Information



Legal Implications• Civil Liability

º e.g. HIPAA • $100 to $50,000+ per violation• annual cap $1.5M

º e.g. FACTA• Employees identities stolen due to knowing violations

– statutory minimum - up to $1,000 plus punitive damages and attorney fees plus

– Actions brought by FTC - up to $2,500 per employee

– Additional amounts for state actions

• Criminial Liabilityº For egregious acts or acts committed knowinglyº E.g. HIPAA

• Knowingly obtain or disclose identifiable health information - $50,000 and up to 1 year imprisonment

• Involves false pretenses - $100,000 and up to 5 years imprisonment• Intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm -

$250,000 and up to 10 years imprisonment



Recent Case – Affinity Health Plan

• Affinity returned a number of photocopiers to its leasing company• CBS purchased one of the copiers at a wholesale warehouse• CBS found medical records on the copier’s hard drive• CBS notified Affinity (March 17, 2013)• Affinity filed a breach report with the U.S. Dept. of Health and Human

Services • An estimated 344,579 may have had personal and medical data

compromised• Affinity sent breach notice to all those potentially affected (April 5, 2103)• CBS returned the copier’s hard drive to Affinity (April 8, 2013)



Recent Case – Affinity Health Plan

• Affinity reaches a resolution with the U.S. Dept. of Health and Human Services (August 7, 2013)

º Fine - $1,215,780º Within 5 days - use best efforts to retrieve all copier hard drives that

remain in their leasing company’s possession.º Within 30 days - Conduct comprehensive risk analysis of all electronic

equipment owned, controlled, or leased; develop plan to address and mitigate risk



What should you do?

• Remove all data

• Keep logs of activity done

to remove data

• Set security policy for disposal of electronic equipment and data removal



What should you do?(Copiers)

• FTC Brochure – Copier Data Security

• http://www.business.ftc.gov/documents/bus43-copier-data-security



What should you do?(Copiers)

• Include copier-specific policies in your organization’s security policies

Orlando, Floridawww.lowndes-law.com

Prevention:

The Legacy (Data) We Leave Behind

Courtney M. [email protected]

407-418-6465

orlando, florida prevention: the legacy (data) we leave behind courtney m. dunn registered patent...

Documents

data breaches

company orlando

personal data

medical data

legacy data

leasing company cbs

data privacy laws duty

identifiable information