Security Regulations GLB - PowerPoint PPT Presentation

Provided by: lega5

Transcript and Presenter's Notes

1
Security Regulations: GLB & HIPAA Compliance
Significant Role for SRA
  • Tampa, Florida
  • February 7, 2001

2
Argument
  • SRA should closely monitor GLB and HIPAA
  • Both represent significant information-security
    policy
  • GLB Security rules cover new ground, especially
    third-party liability and due diligence
  • HIPAA Security rules cover financial institutions
  • Contrast with GLB: an alternative risk-assessment
    framework
  • Limited certification, audit, and compliance
    certainty
  • Significant criminal and civil penalties

3
GLB Mandatory Guidelines: Process Requirements
  • Final Guidelines focus on security-process
    requirements
  • Final rules go beyond the Bank Secrecy Act
  • Require board of director and senior management
    involvement
  • Require information security risk assessments
  • Require response and restoration programs
  • Require training and awareness for employees
  • Require encryption of critical privacy data
  • Require testing (independence required)
  • Require vendor management (due diligence defined)

4
GLB Other Agency Regulators: Decentralized
Policy Development
  • SRA should note the different implementation
    approaches
  • SEC adopts a less specific approach: a general
    requirement for privacy data protection
  • FTC preparing Safeguards rules
  • Will cover unregulated, uninsured financial
    institutions
  • New financial institutions will include AOL,
    Yahoo!, and MSN as aggregation service providers
  • Final rules expected within the next several months
  • States missing the mark: consumer privacy, not
    security

5
GLB Vendor Management: Defining Due Diligence
  • Trial Bar translation: standards for negligence
    defined
  • Regulators define Service Provider (SP)
    requirements
  • Contract with SP: contract structured to achieve
    the Guidelines
  • Not necessary to list each provision
  • Selection of SP: review service provider controls
  • Includes review of controls with any sub-servicer
  • Monitoring of SP: review audit and other
    necessary reports
  • On-site inspection not necessary

6
HIPAA Underlying Philosophy
  • HIPAA roots are simplification, uniformity, and
    consistency
  • Too many methods of sharing data: inefficient
  • Individually identifiable patient data is not
    well guarded
  • Need for consistent electronic standards
  • Congress requires DHHS to implement, by
    regulation:
  • Privacy rules (Notice, Choice, Access)
  • Security and E-signature (Administrative,
    Technical, Physical safeguards)
  • Electronic transactions (transmission of certain
    data)
  • Other industry-oriented regulations

7
HIPAA Security Rules: SRA Issues
  • Security Rules: standards for protecting health
    information
  • Robust process and technical requirements
  • In transit or in storage
  • Communications internal and external to the
    company
  • Involving contractors and service providers
  • Congress clearly and specifically includes
    financial institutions and contractors
  • Congress clearly and specifically exempts
    authorizing, processing, clearing, billing, and
    reconciling payment transactions for FIs (NACHA)

8
HIPAA Penalties and Compliance
  • Penalties for non-compliance are severe
  • Criminal fines and imprisonment (e.g., for criminal
    negligence)
  • Civil fines
  • Compliance enforcement
  • States have the principal enforcement role
  • Labor, Treasury, and DHHS have potential enforcement
    roles
  • Compliance deadlines linked to size of operation,
    2001-2003
  • Governance vacuum: who audits, who certifies?

9
Recommendations
  • Identify SRA inputs: certification, training,
    risk modeling, etc.
  • GLB Final Security Rules, at a minimum:
  • Review overall security requirements and
    framework
  • Focus on vendor management implementation
  • Articulate affiliate responsibilities (holding
    companies, subsidiaries)
  • HIPAA Proposed Security Rules, at a minimum:
  • Review the proposed rules (1998)
  • Uncover and translate particular FI issues and
    responsibilities
  • Translate into SRA initiatives: certification,
    audit, training, etc.

10
Contact Information
  • Lee Zeichner, Esq.
  • LegalNet Works Incorporated
  • 3204 Juniper Lane
  • Falls Church, Virginia 22044
  • 703/534-2001 (phone)
  • 703/534-2003 (fax)
  • admin@legalnet.com