Systems and methods for managing data incidents

US 9,483,650 B2
Filed: 12/31/2014
Issued: 11/01/2016
Est. Priority Date: 02/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing a data incident, comprising:

receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment;

automatically generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising;

at least one federal rule;

at least one state rule, each of the rules defining requirements associated with data incident notification laws; and

at least one contractual obligation defining contractual requirements of a breaching party due to the data incident, the breaching party being a party to the at least one contractual obligation;

providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server; and

generating a notification schedule when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, the at least one contractual obligation, or combinations thereof.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing a data incident are provided herein. Exemplary methods may include receiving data breach data that comprises information corresponding to the data breach, automatically generating a risk assessment from a comparison of data breach data to privacy rules, the privacy rules comprising at least one federal rule, at least one state rule, and at least one contractual obligation, each of the rules defining requirements associated with data breach notification laws, and providing the risk assessment to a display device that selectively couples with the risk assessment server.

48 Citations

View as Search Results

32 Claims

1. A method for managing a data incident, comprising:
- receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment;
  
  automatically generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising;
  
  at least one federal rule;
  
  at least one state rule, each of the rules defining requirements associated with data incident notification laws; and
  
  at least one contractual obligation defining contractual requirements of a breaching party due to the data incident, the breaching party being a party to the at least one contractual obligation;
  
  providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server; and
  
  generating a notification schedule when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, the at least one contractual obligation, or combinations thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, wherein receiving data incident data comprises:
    - providing one or more questions to the display device that elicit information corresponding to the data incident;
      
      receiving responses to the one or more questions;
      
      providing the responses to the display device; and
      
      receiving confirmation of at least a portion of the responses.
  - 3. The method according to claim 1, further comprising:
    - receiving one or more selections of one or more states;
      
      selecting one or more state statutes based upon the one or more selections; and
      
      generating at least one state rule based upon a selected state statute.
  - 4. The method according to claim 1, wherein the at least one federal rule comprises a federal statute that governs privacy breaches relative to at least one of protected health information (PHI), personally identifiable information (PII), or combinations thereof.
  - 5. The method according to claim 1, wherein the at least one state rule comprises a state statute that governs privacy breaches relative to at least one of protected health information (PHI), personally identifiable information (PII), or combinations thereof.
  - 6. The method according to claim 1, wherein the risk assessment comprises a risk level that indicates a severity of the data incident relative to at least one of the at least one federal rule, the at least one state rule, or combinations thereof.
  - 7. The method according to claim 6, wherein the risk level is associated with a color, wherein a hue of the color is associated with the severity of the data incident as determined by the comparison.
  - 8. The method according to claim 1, wherein the risk assessment defines one or more exceptions that apply to at least a portion of the data incident data based upon the comparison.
  - 9. The method according to claim 1, wherein the risk assessment comprises at least a portion of the at least one state rule.
  - 10. The method according to claim 1, further comprising providing an alert to the display device when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, or combinations thereof.
  - 11. The method according to claim 1, wherein the notification schedule comprises notification dates that are based upon a violated statute, along with notification requirements that describe information that is to be provided to a regulatory agency.
  - 12. The method according to claim 11, further comprising receiving the information that is to be provided to a regulatory agency and storing the same in a content repository associated with the risk assessment server.
  - 13. The method according to claim 1, wherein the comparison includes modeling of the data incident data to the privacy rules to determine a severity and a data sensitivity of the data incident.
  - 14. The method according to claim 1, wherein the comparison comprises:
    - modeling the data incident data to determine severity and data sensitivity of the data incident by evaluating the data incident data relative to the at least one state rule; and
      
      generating a state specific risk assessment from the modeling.

15. A risk assessment server for managing a data incident, the server comprising:
- a memory for storing executable instructions;
  
  a processor for executing the instructions;
  
  an input module stored in memory and executable by the processor to receive in response to an occurrence of the data incident, data incident data, the data incident data comprising information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment;
  
  a risk assessment generator stored in memory and executable by the processor to generate a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising;
  
  at least one federal rule;
  
  at least one state rule, each of the rules defining requirements associated with data incident notification laws; and
  
  at least one contractual obligation defining contractual requirements of a breaching party due to the data incident, the breaching party being a party to the at least one contractual obligation;
  
  a user interface module stored in memory and executable by the processor to provide the risk assessment to a display device that selectively couples with the risk assessment server; and
  
  a notification module generating a notification schedule when the comparison indicates that the data incident violates at least one federal rule, the at least one state rule, the at least one contractual obligation, or combinations thereof.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The server according to claim 15, wherein the input module further:
    - generates one or more questions to the display device that elicit data incident data corresponding to the data incident;
      
      receives responses to the one or more questions;
      
      generates a summary of responses to the one or more questions;
      
      provides the summary to the display device; and
      
      receives confirmation of the summary.
  - 17. The server according to claim 15, wherein the input module further:
    - receives one or more selections of one or more states; and
      
      selects the at least one state rule based upon the one or more selections.
  - 18. The server according to claim 15, further comprising a rule generator stored in memory and executable by the processor to:
    - generate the at least one federal rule from a federal statute that governs privacy breaches relative to protected health information (PHI);
      
      orgenerate the at least one state rule from a state statute that governs privacy breaches relative to at least one of personally identifiable information (PII), PHI, or combinations thereof.
  - 19. The server according to claim 15, wherein the risk assessment generator generates a risk assessment that comprises a risk level that indicates a severity of the data incident relative to at least one of the at least one federal rule, the at least one state rule, or combinations thereof.
  - 20. The server according to claim 15, wherein the risk assessment generator creates a notification that one or more exceptions apply to at least a portion of the data incident data based upon modeling.
  - 21. The server according to claim 15, further comprising a reporting module stored in memory and executable by the processor to receive information that is to be provided to a regulatory agency and stores the same in a content repository associated with the risk assessment server.

22. A method for managing a data incident, comprising:
- receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment;
  
  automatically generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising;
  
  at least one federal rule;
  
  at least one state rule, each of the rules defining requirements associated with data incident notification laws; and
  
  at least one contractual obligation defining contractual requirements of a breaching party due to the data incident, the breaching party being a party to the at least one contractual obligation;
  
  providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server;
  
  receiving one or more selections of one or more states;
  
  selecting one or more state statutes based upon the one or more selections;
  
  generating at least one state rule based upon a selected state statute; and
  
  generating a notification schedule when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, the at least one contractual obligation, or combinations thereof.
- View Dependent Claims (23, 24, 25)
- - 23. The method according to claim 22, further comprising providing an alert to the display device when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, or combinations thereof.
  - 24. The method according to claim 22, wherein the notification schedule comprises notification dates that are based upon a violated statute, along with notification requirements that describe information that is to be provided to a regulatory agency.
  - 25. The method according to claim 24, further comprising receiving the information that is to be provided to a regulatory agency and storing the same in a content repository associated with the risk assessment server.

26. A risk assessment server for managing a data incident, the server comprising:
- a memory for storing executable instructions;
  
  a processor for executing the instructions;
  
  an input module stored in memory and executable by the processor to receive in response to an occurrence of the data incident, data incident data, the data incident data comprising information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment;
  
  a risk assessment generator stored in memory and executable by the processor to generate a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising;
  
  at least one federal rule;
  
  at least one state rule, each of the rules defining requirements associated with data incident notification laws; and
  
  at least one contractual obligation defining contractual requirements of a breaching party due to the data incident, the breaching party being a party to the at least one contractual obligation;
  
  a user interface module stored in memory and executable by the processor to provide the risk assessment to a display device that selectively couples with the risk assessment server; and
  
  a rule generator stored in memory and executable by the processor to;
  
  generate the at least one federal rule from a federal statute that governs privacy breaches relative to protected health information (PHI);
  
  orgenerate the at least one state rule from a state statute that governs privacy breaches relative to at least one of personally identifiable information (PII), PHI, or combinations thereof; and
  
  further comprising a notification module generating a notification schedule when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, the at least one contractual obligation, or combinations thereof.

27. A method for managing a data incident, comprising:
- receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment;
  
  determining at least one contractual obligation existing between two or more parties, the at least one contractual obligation defining contractual requirements of a breaching party due to the data incident, the breaching party being one of the two or more parties;
  
  automatically generating, via the risk assessment server, a risk assessment for the breaching party using a comparison of the data incident data to privacy rules, the privacy rules comprising at least one of;
  
  at least one federal rule;
  
  at least one state rule, each of the rules defining requirements associated with data incident notification laws; and
  
  the at least one contractual obligation;
  
  providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server; and
  
  generating a notification schedule when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, the at least one contractual obligation, or combinations thereof.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The method according to claim 27, further comprising determining if the breaching party is a data steward of the data incident data involved in the data incident, wherein a data owner has a set of obligations that are different than those of a data maintainer.
  - 29. The method according to claim 28, further comprising determining if the breaching party is a data maintainer of the data incident data involved in the data incident, wherein a data owner has a set of obligations that are different than those of a data steward.
  - 30. The method according to claim 29, wherein the notification schedule is generated for the data owner and a second data schedule is generated for the data maintainer, the notification schedules for the data owner and the data maintainer being different from one another in at least one obligation.
  - 31. The method according to claim 30, wherein generating a notification schedule comprises generating a first notification schedule for a party of the two or more parties when the party is acting as a data owner and generating a second notification schedule for the party when the party is acting as a data maintainer, wherein the generation of the first and second notification schedules occurs in response to the same data incident.

32. A method performed by a risk assessment server that comprises a processor and memory for storing instructions, the processor executing the instructions to perform the method, the method comprising:
- creating an incident record for a data incident, the incident record includes information regarding the data incident;
  
  selecting one or more roles for each party involved in the data incident, wherein any party can be assigned two or more roles for the data incident based on a contractual relationship with the party and another party;
  
  automatically generating a risk assessment from a comparison of the data incident to privacy rules; and
  
  generating a notification schedule for each party to the data incident that is based on the one or more roles for the party when the comparison of the privacy rules to the data incident indicates that the data incident violates at least one of at least one federal rule, at least one state rule, at least one contractual obligation, or combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radar, LLC
Original Assignee
Radar, Incorporated
Inventors
Sher-Jan, Mahmood, Rook, Susan M., Kotka, Greg L., Migliore, Andrew, Cannon, Travis, Cleek, Billie
Primary Examiner(s)
Moorthy, Aravind

Application Number

US14/588,159
Publication Number

US 20150113663A1
Time in Patent Office

671 Days
Field of Search

726/26, 726/22, 726/25, 713/168
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06F 21/6245   Protecting personal data, e...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Systems and methods for managing data incidents

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for managing data incidents

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others