Security Regulations GLB

1
Security RegulationsGLB HIPAA
ComplianceSignificant Role for SRA

• Tampa, Florida
• February 7, 2001

2
Argument

• SRA should closely monitor GLB HIPAA
• Represent significant info-security policy
• GLB Security rules cover new ground
• Especially third party liability and due
  diligence.
• HIPAA Security rules cover financial institutions
• Contrast with GLB - Alternative risk assessment
  framework
• Limited certification, audit, compliance
  certainty
• Significant criminal and civil penalties

3
GLB Mandatory Guidelines Process requirements

• Final Guidelines focus security-process
  requirements
• More than Bank Secrecy Act, final rules
• Require board of director, senior management
  involvement
• Require information security risk assessments
• Require response and restoration programs
• Require training and awareness for employees
• Require encryption of critical privacy data
• Require testing (independence required)
• Require vendor management due diligence defined

4
GLB Other Agency RegulatorsDecentralized
Policy Development

• SRA should note different implementation
  approaches
• SEC Adopts less specific approach
• General requirement for privacy data protection
• FTC Preparing Safeguard rules
• Will cover unregulated, uninsured financial
  institutions
• New financial institutions - will include AOL,
  Yahoo!, MSN, as aggregation service providers
• Final rules expected within next several months
• States Missing the mark consumer privacy, not
  security

5
GLB Vendor ManagementDefining Due Diligence

• Trial Bar translation Standards for negligence
  defined
• Regulators define Service Provider
  requirements
• Contract with SP contract structured to achieve
  Guidelines
• Not necessary to list each provision
• Selection of SP review service provider controls
• Includes review of controls with sub-servicer
• Monitoring of SP review audit and other
  necessary reports
• On-site inspection not necessary

6
HIPAA Underlying Philosophy

• HIPAA roots are simplification, uniformity, and
  consistency
• Too many methods of sharing data - inefficient
• Individually identifiable patient data is not
  well guarded
• Need for consistent electronic standards
• Congress requires DHHS to implement, with
  regulations
• Privacy rules (Notice, Choice, Access)
• Security and E-signature (Administrative,
  Technical, Physical)
• Electronic transactions (Transmission of certain
  data)
• Other industry-oriented regulations

7
HIPAA Security RulesSRA Issues

• Security Rules Standards for protecting health
  information
• Robust process and technical requirements
• In transit or in storage
• Communications internal and external to the
  company
• Involving contractors and service providers
• Congress clearly and specifically includes
• Financial institutions Contractors
• Congress clearly and specifically exempts
• Authorizing, processing, clearing, billing,
  reconciling for FI (NACHA).

8
HIPAA Penalties and Compliance

• Penalties for non-compliance are severe
• Criminal fines/imprisonment (e.g., criminal
  negligence)
• Civil fines
• Compliance enforcement
• States with principal enforcement role
• Labor, Treasury, DHHS have potential enforcement
  roles
• Linked to size of operation from 2001-2003
• Governance vacuum audit, certify?

9
Recommendations

• Identify SRA inputs certification, training,
  risk modeling, etc.
• GLB Final Security Rules At a minimum,
• Review overall security requirements and
  framework
• Focus on vendor management implementation
• Articulate affiliate responsibilities (holding
  companies, subsidiaries)
• HIPAA Proposed Security Rules At a minimum,
• Review proposed rules (1998)
• Uncover and translate particular FI issues,
  responsibilities
• Translate into SRA initiatives - Certification,
  audit, training, etc.

10
Contact Information

• Lee Zeichner, Esq.
• LegalNet Works Incorporated
• 3204 Juniper Lane
• Falls Church, Virginia 22044
• 703/534-2001 (phone)
• 703/534-2003 (fax)
• admin_at_legalnet.com