
5/28/2014


Copyright © 2014 Deloitte Development LLC. All rights reserved.

Where’s the Breach? Privacy is Everyone's Business

June 13, 2014

Bob Glaser

Specialist Leader

Deloitte & Touche LLP

Alison Brunelle

Specialist Master

Deloitte & Touche LLP

This presentation is intended solely for the Society of Corporate Compliance and Ethics and should not be used or relied upon by any other person or entity.

Agenda

• Introductions
• Setting the stage: What is privacy?
• Data breaches happen
• Breach notification
• What constitutes a data breach?
• Breach notification requirements


As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


Setting the stage

Draft – For Discussion Purposes


Privacy is big business: The Data Ecosystem


Source: Federal Trade Commission (FTC) Exploring Privacy Roundtable Series, 2010


Setting the stage: Privacy and security

Privacy: “The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information”1 based on basic principles such as notice, choice, acceptable use, accountability and cross-border sharing of data.

Security: Safeguarding and controlling data as it moves across the data lifecycle, including data both within the enterprise and as it travels beyond the enterprise’s technical infrastructure.

Privacy Components
• Notice and Choice
• Collection Limitation
• Use Limitation
• Data Quality
• Purpose Specification
• Openness
• Accountability
• Access to Data

Security Components
• Confidentiality
• Integrity
• Availability
• Reliability
• Authorization
• Authentication
• Access Controls

Common to both: Data Safeguards, Awareness and Training, Compliance

The rapid influx of data is also increasing the challenges associated with managing and safeguarding enterprise data assets. While privacy and security requirements may differ among jurisdictions, an effective enterprise data governance program provides a framework for achieving the objectives of both.

The Privacy and Security Paradox

Privacy: Strong privacy requires protecting a user’s identity and preventing unauthorized access or unintended use of personal information.

Security: Strong security requires binding a user’s identity to their behavior to assist in monitoring and individual accountability.

1 American Institute of Certified Public Accountants (AICPA) Generally Accepted Privacy Principles (GAPP)


Drivers for privacy and security

Extended Enterprise
• Relationships with partners, vendors and service providers
• Inconsistent implementation of privacy practices among independent or acquired organizations
• Who has responsibility and associated liability for data protection?

Increased Regulation
• Multiple jurisdictions of privacy regulations
• Country specific compliance
• Legal solutions for cross-border data transfers such as Safe Harbor or Model Contracts
• Industry specific privacy codes of conduct

Customer Sensitivity
• Sensitivity to aggressive marketing practices
• Existing privacy policies and client expectations
• Differing perspectives and expectations
• Procedures for responding to privacy complaints

Employee Data Mgmt.
• Employee privacy in multinational companies
• Requires localized and tailored approach

Advances in Technology
• Integrated Mobile Devices
• Federated Identity
• GPS
• Social Networks
• Technical Solutions and Architectures for Privacy and Data Protection
• RFID

Globalization
• Information exchange economy
• Offshoring
• Human Resources Information System (HRIS) and Customer Relationship Manager (CRM) systems centralize client and employee data from around the world

Brand
• Manage risk
• Protect brand
• Build trust
• Create competitive advantage

Data Asset Protection
• Fiduciary responsibility to protect data assets such as:
  – Personally Identifiable Information (PII), Protected Health Information (PHI), National Provider Identifier (NPI), and Sensitive Personal Information
  – Intellectual Property
  – Proprietary and Confidential Information
  – Data Lifecycle Management
  – Records Retention


Data as an asset

Data is an asset with multiple attributes. The value associated with data is determined by its attributes, context within the enterprise and associated risk.

The nature of data changes over time, as it is stored, used, transferred, and shared across the data lifecycle.

Figure: data value is determined by Data Attributes, Enterprise Context and Associated Risk; the recursive data lifecycle runs through Collection and Acquisition, Storage, Use, Transfer and Sharing, and Disposal and Archival.


What data needs safeguarding?

• Personally Identifiable Information (PII): Any information in physical or electronic form that identifies an individual or could reasonably be used to identify an individual
• Protected Health Information (PHI): A regulatory related term used to describe personal information associated with the Health Insurance Portability and Accountability Act (HIPAA)
• Non-public Personal Information (NPI): A regulatory related term used to describe personal information associated with the Gramm–Leach–Bliley Act (GLBA)
• Sensitive Personal Information: Information relating to the racial or ethnic origin, political opinion, religious belief, trade union membership, health, sexual preference or activity, or criminal convictions of the subject of the information
• Intellectual Property: Patent, Copyright, Trademark, Research and Development (R&D), Trade Secrets and other proprietary and confidential information


Today’s scope for data safeguarding

Finance
• Payroll
• Credit Cards
• Expense Reports
• Accounts Payable

Human Resources
• Compensation
• Benefits
• Workers’ Compensation
• Call Center/Employee Resource Center
• Employer Sponsored Benefits Program (HIPAA / Health Information Technology for Economic and Clinical Health Act (HITECH))
• Vehicle, Travel, and Credit Card Reimbursements
• Recruitment
• Training

Research, Development and Pharmacovigilance
• Trial Practices and Data
• Secondary Use
• Subject Recruitment
• Pharmacovigilance/Safety
• Contract Research Organizations (CRO)/Service Provider Safeguards
• Medical Affairs
• Sample Repositories
• Records Based Research

Information Technology, Compliance, Legal and Procurement
• Device Encryption and Loss Reporting
• Physical Security, Investigations and Other Areas – Litigation
• Help Desk Log
• Vendor Management/Accreditation
• Contracting/Procurement
• Breach Notification and Response
• Call Centers – Physician and patient
• Cross-Border Data Transfer
• Records, E-Discovery, Investigations, Foreign Corrupt Practices Act, other Law/Compliance Areas
• Internal Audit, Investor Relations, Corporate Functions
• Records Management

Patient, Customer, Consumer, and Commercial
• Patient PHI, Medical Records, Personal Health Records (PHR), Electronic Health Records (EHR), Electronic Medical Record (EMR)
• Customer/Consumer Account Information
• Direct-to-Consumer Marketing, including e-Marketing
• Health Care Professional Data / Profiling
• Brands
• Sales and Marketing, including Sales Force Automation
• Joint Ventures, Licensing and Other Partnerships
• Call Centers
• Pricing and Reimbursement
• Consumer Loyalty Programs

In the end… What requires protection?

• Name
• Date of Birth (excluding year itself)
• Health Plan Beneficiary Numbers
• Drug Enforcement Administration Number
• Certificate / License Numbers
• Intellectual Property or other Proprietary Information (e.g., research and development (R&D), trade secret)
• Government Issued Identification (e.g., Social Security Number, Driver’s License Number)
• Financial Data
• Account Numbers
• Health Information
• Credit Card Information
• Biometric Identifiers (e.g., finger print, voice)
• Photographic Image (full face or comparable)
• Signature
• Vehicle Identifiers and Serial Numbers (e.g., license plate)
• Medical Record Numbers

Unique, identifying information including numbers, photographs, characteristics, codes, or combinations that could allow the identification of a single individual should be protected.


Data breaches happen


Data breach challenges

The profile of cyber attacks and resulting breaches has evolved from simple “capture the flag” pranks to establishing a sustained and persistent presence in enterprise systems for monetary gain or competitive advantage. With more pervasive and successful breaches comes a corresponding rise in security and privacy laws and regulations. Notification of stakeholders when a privacy breach occurs is becoming a global regulatory requirement.

• Data breaches cost $188 per compromised record1
• Data breaches averaged $5.4 million per data breach1
• In 2013, there were 63,437 security incidents, which included 1,367 data breaches2
• Of the healthcare institutions interviewed by the Ponemon Institute in 2014, 90% reported having a data breach within the past two years3

The prevalence and public nature of privacy breaches within the industry requires organizations to evaluate their capabilities to identify and respond to a breach.

Figure: Frequency of Incidents in 2013 by Incident Type (Source: Verizon 2014 Data Breach Investigations Report)

1 Ponemon Institute 2013 Cost of a Data Breach Study
2 Verizon 2014 Data Breach Investigations Report
3 Ponemon Institute 2014 Patient Privacy Data Security Report


Breach notification laws


Global legislative and regulatory landscape

Data breach laws and regulations have been implemented both globally and within the United States.

FEDERAL LAWS
• Although there is no federal data breach law (yet), industry specific (e.g., finance, health) and state data breach laws exist with varying notification requirements
• Data breaches of health information are addressed by the HIPAA/HITECH and the Federal Trade Commission’s (FTC) Health Breach Notification Rule

STATE LAWS
• As of April 2014, 47 states have data breach notification laws
• Washington D.C., Puerto Rico, and the U.S. Virgin Islands also have their own data breach notification laws

INTERNATIONAL LAWS
• A comprehensive breach notification directive does not yet exist in the EU; however, individual European countries may have requirements to notify affected individuals or data protection authorities (DPAs) in the event of a data breach
• In Canada, there is no federal data breach notification law; however, data breach laws may exist at the provincial level
• Data privacy laws also exist in Asian countries and, in addition, South Korea and Taiwan have breach notification requirements
• The data privacy laws in some Latin and South American countries have requirements to notify affected individuals (e.g., Mexico, Uruguay) or the national DPA in the event of a data breach


California

Data Security Breach Reporting, California Civil Code, CAL. CIV. §§ 1798.29 and 1798.80 et seq. (2002)

Application: Applies to any person, business, or state agency (i.e., Entity) that does business in California and owns and licenses computerized data that contains personal information.

Overview: Any Entity under this statute shall notify affected or potentially affected California residents in the event that there is an unauthorized acquisition of unencrypted computerized data that compromises the confidentiality, integrity, or security of the personal information.

Personal Information: Personal information is defined as an individual’s first and last name in combination with one or more data types, including: Social Security Number, Driver’s License Number, Account Number, Credit Card Number (with access code), Medical Information, Health Insurance Information.

Data Breach Requirements: Notice should be made to affected or potentially affected California residents in the most expedient time possible without unreasonable delay in written or electronic form. If the data breach affects more than 500 residents, the Attorney General must also be notified. The statute details the information to be included in the notice.

Texas

Notification Required Following Breach of Security of Computerized Data, Texas Business & Commerce Code Chapter 521, TEX. BUS. & COM. CODE ANN. §521.002, 521.053 (2007)

Application: Applies to any person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Overview: Requires notification to any individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person. If affected or potentially affected individuals are residents of another state with data breach notification laws, those individuals must receive notice under that state’s law.

Personal Information: Personal information includes name, social security number, date of birth, mother’s maiden name, biometric data (e.g., fingerprint). Sensitive personal information includes first and last name in conjunction with driver's license number, financial account information, health care information, physical or mental health condition.

Data Breach Requirements: Any individuals (i.e., in addition to Texas residents) affected or who are reasonably believed to have been affected must be notified as quickly as possible in written or electronic form. Any person who maintains computerized data that includes sensitive personal information shall notify the owner as soon as the data breach has been detected.


Massachusetts

Security Breaches, Massachusetts General Laws, MASS. GEN. LAWS 93H § 1 (2007)

Application: Applies to any natural person, legal entity, or agency who owns, licenses, maintains, or stores personal information about residents of the state of Massachusetts.

Overview: Requires notification of affected residents following the unauthorized acquisition or use of the residents’ personal information. Other entities that should be notified are consumer reporting agencies, state agencies, or the owner or licensee of the information (for persons or entities who only maintain or store personal information).

Personal Information: Personal information includes the first and last name (or first initial and last name) in combination with the resident’s social security number, driver’s license (or Massachusetts state identification), and/or financial information (e.g., account number, credit card number with or without security code, access code, password, or ID number).

Data Breach Requirements: Affected residents should be notified as soon as practicable or without unreasonable delay by written or electronic notice that includes the resident’s right to obtain a police report, how to request a security freeze, and any fees required to be paid to consumer reporting agencies. Residents should also be provided with information about relevant state agencies and consumer reporting agencies.

Connecticut

Breach of Security Re Computerized Data Containing Personal Information, Connecticut General Statutes, CONN. GEN. STAT. § 36a-701b (2006)

Application: Applies to any person or entity who conducts business in Connecticut and who owns, maintains, or licenses computerized data that includes personal information in the ordinary course of such person or entity’s business.

Overview: Requires the notification of Connecticut residents following the discovery of the unauthorized access or acquisition of the unencrypted electronic files, media, or database containing personal information by an unauthorized person. The person or entity must also notify the state Attorney General.

Personal Information: Personal information means an individual’s first and last name in combination with Social Security number, driver’s license number (or state identification card number), and/or financial information (e.g., account number, credit or debit card number with security code, access code, or password).

Data Breach Requirements: Affected residents should be notified through written, electronic, or telephonic notice without unreasonable delay after the discovery of the data breach. The person or entity is not required to notify affected residents if, after an investigation, the person or entity reasonably determines that the data breach did not result in harm to the affected residents.


What constitutes a data breach?


Although the exact language varies from state to state, the general definition of a data breach is: The unauthorized acquisition of unencrypted data that compromises the security, confidentiality, or integrity of Personal Information of residents of the state or territory. This definition can be broken down into several important elements:

• Unauthorized: Many states have an exception for the good faith acquisition of Personal Information if it was done by an employee or agent of the entity for the entity
• Acquisition: Most states require that the Personal Data must have been acquired; however, six states also include unauthorized access
• Unencrypted: The database or system in which the Personal Information is stored must be unencrypted or not redacted for a breach to have occurred
• Compromises Security: Some, but not all, states require that the data breach reasonably caused harm to the affected or potentially affected individuals
• Personal Information: Seven states and Puerto Rico include health information or health insurance information within the definition of Personal Information
• Residents: Data breach laws affect the residents of the state; however, some laws also require notification to affected or potentially affected residents of other states


Breach notification requirements


Who should be notified?

Depending on the severity of the security breach, as well as the number of individuals affected, different entities should be contacted in the event of a security breach.

ALL STATES
All states require that the company (or other entity) notify:
• Affected State Residents
• The Owner of the Personal Information (if the company or entity is managing the Personal Information for another company or entity)

MANY STATES
Depending on the severity of the breach, many states require that the company (or other entity) notify:
• Consumer Reporting Agencies
• State Attorneys General
• State Agency (e.g., state consumer agency)

SOME STATES
Depending on the severity of the breach, some states require that the company (or other entity) notify:
• Police or Local Law Enforcement
• State Legislature


What should be included?

The exact information that should be included in a breach notification will vary depending on the jurisdiction and law. However, here is some information that typically should be included:

Information About the Data Breach
• Date of the breach
• Type(s) of Personal Information protected
• Description of the incident
• Phone number or address of a contact person at the company or entity

Information About the Response to the Breach
• Acts taken by the company or entity to protect the Personal Information from further access
• Whether there was a delay in notification due to law enforcement involvement

How the Consumer Can Protect Themselves
• Advice on what the individual can do to safeguard his or her Personal Information
• Toll free numbers of consumer reporting agencies
• Toll free numbers of the FTC or state agencies


Other breach notification requirements

Depending on the specifications of the state's regulations, there are other common requirements that should be taken into consideration in the event of a data breach.

TIMING
• States generally require that notification be made efficiently and without unreasonable delay consistent
• Some states (e.g., Florida) may establish actual timing requirements
• Most states allow a delay if notification would impede criminal investigations

FORM
• Notification can be made either through postal mail or electronically
• Some states allow notification by other media (e.g., telephone, fax)
• Substitute notice is generally allowed if the company (or other entity) can prove that notice would exceed a dollar amount (varies by state) or if it does not have sufficient contact information
• Substitute notice methods vary but may include an email to the whole affected class, notice to the media, or posting to the company's (or other entity's) website

EXCEPTIONS
• Many states have established exceptions where the company (or other entity) is in compliance with the breach notification requirements of other federal or more restrictive state laws (e.g., HIPAA)
• Many states have established exceptions where the company (or other entity) has implemented and follows breach notification procedures that are consistent with the timing requirements of the state law


Q&A


Biographies


Robert Glaser
Specialist Leader, Deloitte & Touche LLP

Robert has more than 25 years of global Privacy and Information Technology experience in the Federal, Public and Private Sectors. He began his career as a Navy Hospital Corpsman, where he was trained as an Aviation Physiology Technician, Audiology Technician, Emergency Medical Technician, Surface Medicine Technician, and Submarine Medicine Technician / Radiation Health Officer. Robert held positions as the Chief Information Officer for Naval Medical Center, San Diego; Global Program Director for the Department of Defense Persian Gulf Illness Program in the Office of the Assistant Secretary of Defense (Health Affairs); and finished his military career as the Medical Chief Information Officer for the U.S. Pacific Command and U.S. Pacific Fleet.

Since leaving the service, Robert has held positions as VP/CIO of Sparrow Health System; VP of International Operations and Business Development for MyDocOnline, a wholly owned subsidiary of Aventis Pharmaceuticals; and Chief Privacy Officer for Aventis Pharmaceuticals, Roche Pharmaceuticals, and Genentech.

As a privacy professional, Robert has worked within the Legal and Healthcare Compliance Departments of his employers to develop overarching enterprise privacy programs while providing ongoing advisory services to business units (including Legal, Information Services, Human Resources, Commercial Operations, Commercial Business Operations, Interactive Marketing, Managed Care Operations, Employee Health Services, Product Development, Corporate Relations, and Procurement) on compliance with ethical and regulatory requirements pertaining to the collection, protection, use, and transfer of Personal Data / Personally Identifiable Information. He has coordinated affiliate privacy-related activities in the U.S. and routinely collaborated with Global Data Protection Officers on matters such as cross-border data transfer, model contracts, and company due diligence. Robert has chaired multidisciplinary Privacy Incident Response Teams investigating potential privacy incidents and managing remediation actions.

Robert has completed multiple privacy assessments in the areas of enterprise, cross-border data transfer, human resources, commercial, employee health services, and patient support programs across industries. He has recently worked on engagements supporting Safe Harbor readiness, global human resources, and internal audit, and has completed proof-of-concept demonstrations of three separate Data Loss Prevention (DLP) applications in live operating environments and implemented DLP solutions.

Robert specializes in developing ground-up privacy and IT programs for global companies. He is the former Board Vice Chair and Chair of the International Pharmaceutical Privacy Consortium and holds memberships in the International Association of Privacy Professionals, Health Information Management Systems Society, and American College of Healthcare Executives.

Contact Information

Email: [email protected]

Phone: (281) 753-4673


Alison Brunelle
Specialist Master, Deloitte & Touche LLP

Alison Brunelle is a privacy and data protection specialist with Deloitte's Cyber Risk Services practice. Alison has extensive experience assisting client organizations in Biopharmaceuticals, Healthcare Provider, Technology, Retail, Education, and Financial Services. She has assisted in identifying and managing risks and opportunities associated with information management, privacy and data protection. Her work has improved clients' abilities to respond strategically and tactically when addressing data asset management issues associated with globalization, diverse and conflicting legal and regulatory requirements, rapidly changing technology, and extended enterprises.

At Deloitte, she has led and supported a variety of initiatives, including evaluating, assessing, designing, developing, implementing, integrating, and auditing privacy infrastructure: enterprise privacy governance and rationalized privacy and data protection requirements and controls; cross-border data transfer; human resources data; intellectual property; privacy and data protection current state assessments and remediation planning; policy analysis, development and adoption; and privacy and data protection program development, execution and maturation.

Previously, Alison served as Lead Privacy Strategist for a Federally Funded Research and Development Center (FFRDC) located in Washington, D.C. During her tenure, she directly supported the Office of the National Coordinator for Health Information Technology (ONC), Office of the Chief Privacy Officer (OCPO), and focused exclusively on healthcare privacy and security matters supporting the public policy formulation necessary for implementing the requirements under HIPAA/HITECH. Her work also included briefing government officials, analysts and committee members on various healthcare topics, including the potential privacy and security impacts of health information exchanges (HIE) and secondary uses of data.

Her experience includes the establishment, management and maturation of a privacy program while also serving as the Information Technology (IT) Compliance Manager for a captive finance company. Central to this role was operationalizing privacy program practices by instituting policies and procedures and providing ongoing training, awareness and education on privacy concerns, thus ensuring compliance with the applicable legislative and regulatory requirements mandated under the Gramm–Leach–Bliley Act.

Alison is currently an adjunct faculty member at The John Marshall Law School in Chicago, teaching an advanced accelerated course in privacy and information security fundamentals to law students pursuing their JD and LLM degrees. She also serves on The John Marshall Law School's Academic Advisory Board for the Center for Information Technology and Privacy Law. As an active member of the International Association of Privacy Professionals (IAPP), Alison has served two terms as Chair for the Association's KnowledgeNet Program and is a Certified Information Privacy Professional (CIPP/US) with a specialization in government (CIPP/G).

Contact Information

Email: [email protected]

Phone: (312) 833-3186


This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2014 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited