PRISM INTERNATIONAL PRIVACY+ CERTIFICATION WORKSHOP Las Vegas


May 14-15, 2012



Registration for this conference includes the application fee for certification.
Note: attendance at this workshop must be completed prior to certification being approved.


This workshop is designed to provide PRISM International members with training in safe information management practices designed to prevent data breaches and identity theft, together with other privacy-related compliance best practices. The objective of this workshop is to provide each attendee with information and training resources, including safe information and privacy protection training for employees within their organization. In addition, attendees will receive training and materials that create a resource base for the organization's privacy officer; having an organization privacy officer is a requirement under the self-certification program.

Privacy+ is a voluntary annual certification and training program available to PRISM members.  Certified companies will be entitled to use the Privacy+ logo on their websites and in their marketing materials in order to demonstrate their commitment to information privacy. The PRISM website will contain a description of the program and a listing of all PRISM members whose certifications are active.

To become certified, a PRISM member must:
•    Send at least one employee to a Privacy+ workshop each year
•    Self-certify that the company meets certain minimum standards related to maintaining the privacy of information stored on behalf of its clients

PRISM members participating in Privacy+ should be aware that the Privacy+ program will evolve over time. For instance, third party audits of member facilities are expected to be added at some point after 2012 – based on feedback from PRISM members that such audits are desirable. Including third party audits will increase the cost of the Privacy+ program in future years and will also lead to a more detailed and objective certification checklist.

Purpose
The purpose of the Privacy+ program is to:
•    Provide PRISM members a simple means to stay updated and in compliance with evolving laws and regulations that may impact them
•    Share resources and best practices in order to help PRISM members reduce privacy breach risks
•    Reduce the number of privacy breach incidents caused by members of our industry, thereby:
    •    Preserving the reputation and trusted status of our industry
    •    Reducing the likelihood and/or severity of government-imposed legislation on our industry
•    Improve the value proposition of becoming and remaining a PRISM International member
•    Enable PRISM members to better compete against non-certified competitors who may not live up to the same standards regarding information privacy

Date: 
May 14, 2012 - 7:30am - May 15, 2012 - 11:45am
Location: 
Caesars Palace Hotel, Las Vegas, NV
Speakers: 
Tom Dumez is the Compliance Consultant for Kent Record Management of Grand Rapids, MI. With more than 11 years of experience in the offsite record storage industry, Tom is equipped to help both covered entities and business associates in regulatory matters. As a Certified HIPAA Professional, Tom has developed a specialized HIPAA training program for the RIM industry. He has also presented several educational sessions for groups such as ARMA, AIIM, and local seminars. Tom has presented several sessions at PRISM Annual Conferences as well as workshop sessions. He is an active PRISM Task Group member and a member of the Board of Directors.
Peter J. Guffin, Partner, Pierce Atwood LLP. Peter combines extensive experience in intellectual property law and privacy and data security laws and regulations with a practical appreciation of the business and legal imperatives that can determine a client's success. His focus is helping clients – in particular, businesses operating in regulated environments – navigate through the increasingly complex convergence of technology and business, offering practical and strategic advice in the following areas:
•    Technology procurement and outsourcing arrangements
•    Privacy, information security and data breach notification
•    Protection and enforcement of IP rights
•    Trademark, patent, copyright and software licensing
•    Internet law and e-commerce initiatives
As the leader of the firm's Privacy and Data Security Practice Group and member of its Intellectual Property and Technology Practice Group, Peter represents businesses in a wide range of industries, including information technology, energy, financial services, insurance and health care.
Jeffrey A. Ice, CIC, is Partner and Managing Director of Brightstone Insurance Services LLC, a boutique insurance brokerage firm specializing principally in the records information management and same day delivery industries. Jeff is a 37 year insurance industry veteran and has spent the last 7 years developing tailor-made insurance programs for the RIM industry. At the request of several of his courier clients who have transitioned into the RIM industry, Jeff has applied the same creative thinking that has served well in the transportation field to develop several key insurance programs that are unique to the RIM industry. Of those programs, Storage Legal Life stands alone as a proprietary insurance product that addresses the unique business interruption exposure faced by RIM operators today. Jeff continues to be deeply involved with the industry providing insurance and risk management products and services, contributing to industry publications and speaking at industry conferences.
Brian Jungeberg, CIC, serves as an insurance specialist for Brightstone Insurance Services, a group of dedicated insurance professionals catering to the record and information management industry. His areas of expertise include property & casualty related exposures, specifically gross business income and professional/privacy/cyber liability issues. To help address these unique and complex risks, he has been involved in developing several customized insurance products over the years. Brian is a frequent contributor to several record and information management industry publications as a trusted advisor on insurance related topics and concerns.
Michael Massaro is the Vice President of Transportation and Shred Plant Operations for Iron Mountain. He is responsible for the overall thought leadership and strategy development for Iron Mountain’s North American transportation and shred plant operations, including productivity, quality, service, employee safety and the customer experience. Michael has more than 16 years of experience in the transportation and logistics industry. Prior to joining Iron Mountain in 2005, he held various transportation and logistics leadership roles with Airborne Express, DHL and Office Depot. Michael is a graduate and former scholar athlete from the University of Dayton.
Chris Pearson is President of Vanguard Archives. With facilities in Chicago, St. Charles and Franklin Park, Illinois, Vanguard is a full-service records management company that offers scanning, vaulting, hardcopy storage and shredding services to approximately 600 clients. Prior to joining Vanguard, Chris was a Vice President in mergers & acquisitions with J.P. Morgan & Co., with management responsibility for a group of 30 M&A professionals. During his tenure with J.P. Morgan he traveled globally and was posted in New York, Hong Kong and London. Chris is a graduate of New York University, where he received a degree in finance and international business management. Chris served as 2011 President of PRISM International.
Todd Stephenson is a Certified Information Systems Auditor (CISA) with the audit firm KirkpatrickPrice and has spent the last four years as an SAS 70/SSAE 16 specialist. Prior to KirkpatrickPrice, Todd spent nine years at IKON Office Solutions as an enterprise document specialist designing and implementing electronic document management and facility management systems.
Larry L. Varn, Partner, Pierce Atwood LLP. With more than 25 years' experience in a broad range of commercial and financial litigation, corporate investigations, crisis management and litigation advisory matters, Larry is highly qualified to help clients resolve their most complicated and critical concerns. He has dealt with securities laws, complex corporate and financial transactions, corporate governance and ethics, unfair competition and misuse of trade secrets, claims and defenses arising out of large loss fires and other catastrophes, and matters involving fire and life safety codes and standards. Larry has tried and argued cases in trial and appellate courts and arbitral tribunals across the United States and has supervised multiple litigations in the United Kingdom. In addition, he regularly represents corporate clients and high net worth individuals in matrimonial and family law matters.
Sessions: 

8:30-9:00am
Welcome and Introduction to the Privacy+ Certification Program

In this session attendees will receive an overview of the PRISM International Privacy+ Certification Program. The session will discuss the market demands and environmental concerns that created the need for the program, as well as regulatory and compliance drivers. In addition, the session will cover the basic requirements for certification, resources that will be made available to Privacy+ Certified companies and competitive advantages that can be created through certification. This session will also cover the long-term goals of the program and how it will likely evolve over the next two-year period.

9:30-10:30am
Overview of U.S. Laws and Regulations Informing Privacy+ Certification


In crafting the compliance requirements for the Privacy+ Certification, PRISM International’s TG11 looked at the compliance requirements under various federal and state privacy and data protection laws and regulations and selected those that it believes are the most pertinent to the RIMS industry. In this session, the key requirements under these various laws and regulations will be discussed. Among laws to be covered are: HIPAA, the HITECH Act, GLBA, the FTC Act and various state laws and regulations relating to privacy, information protection and data breach notification.

10:45am-12:15pm
Administrative Safeguards Part I


This session will provide an overview of the general administrative safeguards that are required under various federal and state laws and regulations. It will cover the key elements of a privacy policy and best practices with respect to developing and implementing a privacy policy for your business. It also will cover the risk assessment process, risk mitigation, incident response, employee training and sanctions, data breach notification policies and procedures, and contractual controls for third parties such as subcontractors.  Checklist items related to administrative safeguards will also be reviewed and discussed.

1:30-2:30pm
Administrative Safeguards Part II


This session will review operational administrative safeguards. The session will focus on documented controls and procedures designed to safeguard client information including: visitor access, safe information handling practices at the facility and safe information handling practices for information in transit and at the client site. This session will review audit and testing procedures to ensure information security and employee training activities in areas such as privacy policy, documented controls and procedures, and regulatory and compliance requirements. Checklist items related to administrative safeguards will also be reviewed and discussed.

2:30-3:30pm
Physical Safeguards


This discussion will review the physical data storage requirements found in the Certification Checklist. Physical safeguards include both facility intrusion prevention and detection systems and vehicle and client-site procedures designed to safeguard client information. The session will explore actual examples of physical safeguards currently in use. Checklist items related to physical safeguards will also be reviewed and discussed.

3:45-5:00pm
Technical Safeguards


This session will explore technology-related controls designed to prevent unauthorized access to digital information. The session will explore technologies like firewalls, data encryption and the encryption process, and best practices for password and other access controls. Checklist items related to technical safeguards will also be reviewed and discussed.

5:00-5:45pm
Risk Mitigation Part I

8:00-9:00am
Risk Mitigation Part II

In this session attendees will learn methods of reducing the risks associated with data and privacy breaches through contract language, and how properly crafted language in storage agreements and contract documentation can assist in the management and mitigation of risk. Issues to be covered include clarity of customer and vendor obligations, requirements for encryption of electronic information, the effect of deterioration of stored materials, applicable standards of care, limitations of liability for both storage and services and for electronic and hardcopy information, and indemnification in all its several forms (indemnification by client, indemnification of client, reciprocal indemnification, and third-party indemnification) and its effect on data breach-related issues. The interplay between limitation of liability and indemnification will also be reviewed.

9:00-10:15am
Insurance Issues


This session will review the use of insurance products as an additional risk mitigation strategy. Insurance products such as professional liability insurance will be explained; new types of products such as “privacy” insurance will also be reviewed. This session will also discuss client-requested coverage, appropriate responses to those requests and discuss products that clients may purchase directly to minimize their exposure during a breach.

10:30-11:45am
Closing Question and Answer Panel (All session presenters)

This session provides an opportunity for attendees to ask additional questions of all presenters and to raise additional issues that may not have been addressed during session presentations. This session will also provide an opportunity to discuss long-term plans for the PRISM International Privacy+ Certification.