
12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013


Eric M. Wright, CPA, CITP

Eric has been involved with information technology at Schneider Downs since 1983. He specializes in and oversees the design, setup, installation and implementation of automated accounting, distribution and manufacturing systems. Eric is also responsible for the firm's IT compliance services. He has performed IT audits on a number of systems and at different organizations. In addition to helping our clients with their IT audit initiatives, he has also assisted clients with becoming PCI-DSS, HIPAA and SOX compliant and ISO 27001 certified, and has performed NIST security audits.

Eric M. Wright, CPA, CITP

Member – Pennsylvania Institute of Certified Public Accountants

Member – The American Institute of Certified Public Accountants – Information Management and  Technology Assurance Section

Certified Information Technology Professional (CITP)

Chair – PICPA IT Assurance Committee

B.S. – Mathematics and Computer Science, Waynesburg College, Magna Cum Laude


Topics to be Covered

• Payment Card Industry
• HIPAA
• State Data Breach Law
• Federal Cyber Legislation

Why all the Fuss?

[Chart: Number of Hacks per year, 2006 through 2012 (y-axis 0 to 700)]

[Chart: Number of Records Breached per year, 2006 through 2012 (y-axis 0 to 250,000,000)]


Payment Card Industry Data Security Standards

What is PCI-DSS?

• The PCI Data Security Standard (DSS) is a set of fundamental security requirements, industry tools and measurements that address the handling of cardholder information.
• The first thing to note: PCI compliance is not required by any federal law.
• 48 states have enacted or are in the process of enacting data breach legislation that addresses the loss of credit card data, but for most organizations PCI compliance itself is strictly "voluntary."
• The PCI compliance requirements originally started as multiple programs administered by the individual card brands.
• Applicable to everyone who "stores, processes, or transmits" payment card data.
• Enforced by contract with the acquiring banks that provide payment card processing, which means the consequences of non-compliance are contractual (fines, higher processing fees or loss of the ability to accept cards) rather than statutory.

Merchant Compliance Validation Requirements

Visa (Cardholder Information Security Program, CISP)
  Level 1: 6M+ transactions regardless of acceptance channel. Onsite security audit required annually; network scan required quarterly.
  Level 2: 1M-6M transactions. Self-assessment questionnaire required annually; network scan required quarterly.
  Level 3: 20K-1M e-commerce transactions. Self-assessment questionnaire required annually; network scan required quarterly.
  Level 4: Less than 20K e-commerce transactions or less than 1M transactions overall. Self-assessment questionnaire recommended annually; network scan recommended quarterly.

MasterCard (Site Data Protection, SDP, Program)
  Level 1: 6M+ transactions regardless of acceptance channel. Onsite security audit required annually; network scan required quarterly.
  Level 2: 1M-6M transactions. Self-assessment questionnaire required annually; network scan required quarterly.
  Level 3: Over 20K e-commerce transactions and less than 1M total. Self-assessment questionnaire required annually; network scan required quarterly.
  Level 4: All other merchants. Self-assessment questionnaire required annually; network scan required quarterly.

American Express (Data Security Operating Policy, DSOP)
  Level 1: 2.5M+ transactions. Onsite security audit required annually; network scan required quarterly.
  Level 2: 50K-2.5M transactions. Network scan required quarterly.
  Level 3: Less than 50K transactions. Network scan recommended quarterly.
  Level 4: N/A

Notes: Current requirements as of 5/09. Being classified as a Level 1 merchant by any one brand causes the remaining brands to treat the entity as Level 1 as well. The quarterly "network scan" is the external vulnerability scan performed by a PCI Approved Scanning Vendor (ASV).


History

• In December 2004, PCI-DSS version 1.0 was released, consolidating the individual brand programs (such as Visa's CISP and MasterCard's SDP) into one standard agreed to by the five major card brands.
• In September 2006, the brands formed the PCI Security Standards Council (PCI SSC) to standardize the compliance requirements and to promote education and awareness of protecting cardholder data.
• PCI-DSS 2.0 is the current version (version 3.0, covered later in this presentation, was published in November 2013).

What is New?

New Standards for Mobile Payment Acceptance

• New mobile payment acceptance security guidelines were released by the PCI SSC in February 2013.
• Why is mobile different?
  – Tablets and smart phones do not provide the level of security you would expect at a traditional retail point of sale.
  – Almost any mobile application could access account data stored in or passing through a mobile device.
  – Trust is important because of the fragmentation of this environment, which includes device manufacturers, operating system developers, application designers, network carriers and the various protocols that link them all together. Ensuring security requires all of these parties to work together.


  – What if a device is owned by an individual rather than the employer? How is the patching process managed without invading the owner's privacy? Use of personally owned devices is not considered best practice and is not recommended.
  – The ease with which a device can be stolen, modified and returned without being noticed.

The Three Objectives of the MPA Guidance

• Prevent account data from being intercepted when it is entered into a mobile device.
• Prevent account data from being compromised while it is processed or stored within the mobile device.
• Prevent account data from being intercepted upon transmission out of the mobile device.

The guidance consists of 31 control activities that address these three objectives.

Additional Changes to the Standards

• Updated the testing standards associated with the use of point-to-point encryption (P2PE) to transmit card data.
• Introduced new requirements, effective June 30, 2012, for vulnerability scans of internal networks. These scans must be performed quarterly and after any significant change in the processing environment.
• To obtain a passing result, the merchant must resolve all "high" vulnerabilities as defined under requirement 6.2, which requires the merchant to establish a process to identify newly discovered security vulnerabilities and assign each a risk ranking (for example "high," "medium" or "low"). Note that the external quarterly scans are held to a different bar: an Approved Scanning Vendor (ASV) scan fails if any vulnerability with a CVSS base score of 4.0 or higher remains unresolved.


Future Requirements being Considered

• PCI-DSS version 3.0
  – Version 3.0 will include more changes to the framework than version 2.0 did.
  – Items being considered for the new standard include:
    • EMV chip adoption in the US
    • Strengthening the Mobile Payment Acceptance guidelines
    • Greater awareness and education
    • Challenges and lessons learned: making security "business as usual"
    • Additional guidance regarding third-party security assurance
    • Additional requirements for penetration testing and network segmentation
    • Security policy and procedures built into each requirement
  – (Version 3.0 was published by the PCI SSC in November 2013 and becomes effective January 1, 2014; version 2.0 remains valid through December 31, 2014.)

Future Requirements being Considered (Continued)

• By October 2015, merchants will be subject to the new Europay, MasterCard and Visa (EMV) standards.
• The new standards mark a shift from magnetic stripe cards to chip cards (chip-and-PIN or chip-and-signature).
• The EMV standards apply to card acquirers, merchants and processors. Under the October 2015 liability shift, liability for counterfeit-card fraud moves to whichever party in a transaction (merchant or issuer) has not adopted EMV chip technology, so a merchant that does not support EMV will be held liable for fraudulent transactions made with chip cards.
• The intent is to use the EMV and PCI standards together to protect cardholder data: EMV makes the card itself harder to counterfeit, but it does not protect the account data once it is inside the merchant's systems, which is what PCI-DSS addresses.

HIPAA


HIPAA - History

• HIPAA was enacted in 1996, with little or no enforcement activity for more than 10 years.
• Congress passed the HITECH Act in 2009 as part of ARRA (the American Recovery and Reinvestment Act) to add teeth to the original act.
• In 2009, enforcement of the Security Rule moved from the Centers for Medicare & Medicaid Services to the HHS Office for Civil Rights.

A Year of Audits

• Policies and procedures are outdated or do not exist.
• Compliance programs were not a priority.
• Small providers have broad failures.
• Larger entities continue to struggle with data security.
• Third parties are not being managed.

HIPAA

• On January 17, 2013, the Department of Health and Human Services Office for Civil Rights released the 563-page final rule (the "Omnibus Rule") detailing the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
• The final rule made sweeping changes to HIPAA's data security and breach requirements and has a significant impact on covered entities, business associates and subcontractors of business associates.
• The rule became effective March 26, 2013, and compliance was required by September 23, 2013.


HIPAA Changes

• Covered entities can be held liable for the actions of their business associates.
• Holds business associates directly liable for compliance with certain HIPAA privacy and security requirements.
• Changes the definition of business associate to include subcontractors that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of covered entities. Business associates are required to have written business associate agreements with their subcontractors.
• Changes the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI was compromised.
• Requires covered entities to protect a decedent's PHI in accordance with the Privacy Rule for 50 years following the date of death.

HIPAA Changes (Continued)

• Under the previous (interim) rule, a breach had to be reported only if it posed a "significant risk of financial, reputational or other harm to the individual." The new rule eliminates the risk-of-harm threshold and requires covered entities and business associates to consider four factors when determining whether a breach must be reported:
  – 1) The nature and extent of the PHI involved, including the identifiers and the likelihood of re-identification;
  – 2) The unauthorized person who used the PHI or to whom the disclosure was made;
  – 3) Whether the PHI was actually acquired or viewed; and
  – 4) The extent to which the risk to the PHI has been mitigated.
• With few exceptions, prohibits the sale of PHI without the individual's authorization.

HIPAA Changes (Continued)

• HIPAA enforcement is moving toward a penalty-based system and away from voluntary compliance by introducing a tiered system of civil penalties based on culpability. Penalties range from $100 to $50,000 per violation, with an annual cap of $1.5 million for all violations of an identical provision.
• The Office for Civil Rights released a 169-step audit protocol to address the new compliance standards.
• Enhances patients' rights to electronic copies of their records. Covered entities must provide an electronic copy of records in a mutually agreed-upon machine-readable format, and must provide the records within 30 days instead of 60. Requests for records must be in writing and signed by the requesting individual.


HIPAA Changes (Continued)

• Requires that covered entities obtain a valid authorization from individuals before using or disclosing PHI to "market" a product or service. The term "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service."
• The changes imposed by the final rule will require most organizations to revise their business associate agreements. The deadline for having revised agreements in place is September 23, 2014, unless the parties amended or renewed an existing contract between March 26, 2013 and September 23, 2013. Agreements amended or signed during that period had to comply with the new regulations by September 23, 2013.

State Data Breach Laws

PA Data Breach Law - What Information are You Generally Required by Law to Secure?

Personally Identifiable Information (PII): an individual's name, consisting of the individual's first name or first initial and last name, in combination with any of the following:
• Social Security number
• Driver's license number or state identification number
• Credit card, debit card or financial account number (in combination with any required security code, access code or password that would permit access to the account)

Protected Health Information (PHI): any information that relates to the past, present or future physical or mental health or condition of an individual, whether electronic, paper or oral.


Jurisdictions that have broader definitions

Alaska, California, Georgia, Iowa, Kansas, Maine, Maryland, Massachusetts, Missouri, Nebraska, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, Texas, Vermont, Virginia, Wisconsin, Wyoming, Washington, the District of Columbia and Puerto Rico.

Data Breach Law

• If a breach occurs, the organization must contact the affected individuals and inform them of the circumstances of the data breach.
• Must provide credit monitoring services if more than 1,000 individuals' information is breached.
• If more than 175,000 individuals are affected or the cost of notification would exceed $100,000, the organization is permitted to use an alternative (substitute) method of notification.
• Encryption is a "get out of jail free card": data that was encrypted when it was lost is generally exempt from the notification requirement. Alabama, Kentucky, New Mexico and South Dakota are the exceptions only in the sense that, as of this presentation, they have no breach notification statute at all. Many statutes condition the safe harbor on the encryption key not having been compromised along with the data, so key management matters as much as the encryption itself.

Federal Cyber Legislation



Federal Cyber Legislation

• In the 2013 State of the Union address, President Obama announced that he had signed an executive order on cyber security (Executive Order 13636, Improving Critical Infrastructure Cybersecurity).
• The executive order is directed at federal agencies, but any industry regulated by a federal agency will be affected by the resulting compliance requirements.
• The executive order gives the Secretary of Homeland Security 150 days to identify critical infrastructure where a cyber incident could result in a debilitating impact on national security, national economic security or public health and safety.
• So, if you are a bank, hospital, energy provider or in another industry that falls within the "critical infrastructure" designation, be prepared to comply with these new regulations.

Federal Cyber Legislation (Continued)

• The executive order calls for cooperation and information sharing between the private sector and government so that these entities may better protect and defend themselves against cyber threats.
• Within 240 days, the National Institute of Standards and Technology (NIST) must publish a preliminary framework to reduce cyber risk to critical infrastructure (the Cybersecurity Framework).
• The new framework must:
  – Create standards that align policy, business and technology to address cyber risks.
  – Identify areas that need improvement and can benefit from private-sector and government collaboration.
  – Provide guidance for measuring improvement.
  – Align with international standards.
  – Include best practices.


Questions
