Systems and methods for managing data incidents

US 9,781,147 B2
Filed: 09/28/2015
Issued: 10/03/2017
Est. Priority Date: 02/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing a data incident, comprising:

providing an external entity interface that receives;

external entity information comprising;

a contract between a first party and at least one additional party;

notification obligations that specify when the first party or the at least one additional party notifies entities that a data incident has occurred; and

properties that trigger an assessment of the notification obligations;

receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment by the first party or the at least one additional party;

comparing the data incident data to the properties that trigger an assessment;

wherein if the properties indicate that an assessment is required, generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising;

at least one federal rule;

at least one state rule, each of the rules defining requirements associated with data incident notification laws; and

the contract;

providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server;

generating a risk assessment guidance interface when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, the contract, or combinations thereof; and

wherein the risk assessment guidance interface comprises an impact summary that indicates which state or federal rule was violated and one or more external entities implicated or impacted in the data incident.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing a data incident are provided herein. Exemplary methods may include providing an external entity interface that receives external entity information including a contract between a first party and at least one additional party, notification obligations that specify when the first party or the at least one additional party notifies entities that a data incident has occurred, and properties that trigger an assessment of the notification obligations. When an incident occurs, an assessment is completed and the results thereof are displayed on a risk assessment guidance interface.

Citations

23 Claims

1. A method for managing a data incident, comprising:
- providing an external entity interface that receives;
  
  external entity information comprising;
  
  a contract between a first party and at least one additional party;
  
  notification obligations that specify when the first party or the at least one additional party notifies entities that a data incident has occurred; and
  
  properties that trigger an assessment of the notification obligations;
  
  receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment by the first party or the at least one additional party;
  
  comparing the data incident data to the properties that trigger an assessment;
  
  wherein if the properties indicate that an assessment is required, generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising;
  
  at least one federal rule;
  
  at least one state rule, each of the rules defining requirements associated with data incident notification laws; and
  
  the contract;
  
  providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server;
  
  generating a risk assessment guidance interface when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, the contract, or combinations thereof; and
  
  wherein the risk assessment guidance interface comprises an impact summary that indicates which state or federal rule was violated and one or more external entities implicated or impacted in the data incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method according to claim 1, wherein receiving data incident data comprises:
    - providing one or more questions to the display device that elicit information corresponding to the data incident;
      
      receiving responses to the one or more questions;
      
      providing the responses to the display device; and
      
      receiving confirmation of at least a portion of the responses.
  - 3. The method according to claim 1, further comprising:
    - receiving one or more selections of one or more states;
      
      selecting one or more state statutes based upon the one or more selections; and
      
      generating at least one state rule based upon a selected state statute.
  - 4. The method according to claim 1, wherein the at least one federal rule comprises a federal statute that governs privacy breaches relative to at least one of protected health information (PHI), personally identifiable information (PII), or combinations thereof.
  - 5. The method according to claim 1, wherein the at least one state rule comprises a state statute that governs privacy breaches relative to at least one of protected health information (PHI), personally identifiable information (PII), or combinations thereof.
  - 6. The method according to claim 1, wherein the risk assessment comprises a risk level that indicates a severity of the data incident relative to at least one of the at least one federal rule, the at least one state rule, or combinations thereof.
  - 7. The method according to claim 6, wherein the risk level is associated with a color, wherein a hue of the color is associated with the severity of the data incident as determined by the comparison.
  - 8. The method according to claim 1, wherein the risk assessment defines one or more exceptions that apply to at least a portion of the data incident data based upon the comparison.
  - 9. The method according to claim 1, wherein the risk assessment comprises at least a portion of the at least one state rule.
  - 10. The method according to claim 1, further comprising providing an alert to the display device when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one state rule, or combinations thereof.
  - 11. The method according to claim 1, wherein the notification obligations comprise notification dates that are based upon a violated statute, along with notification requirements that describe information that is to be provided to a regulatory agency.
  - 12. The method according to claim 11, further comprising receiving the information that is to be provided to a regulatory agency and storing the same in a content repository associated with the risk assessment server.
  - 13. The method according to claim 1, wherein the comparison includes modeling of the data incident data to the privacy rules to determine a severity and a data sensitivity of the data incident.
  - 14. The method according to claim 1, wherein the comparison comprises:
    - modeling the data incident data to determine severity and data sensitivity of the data incident by evaluating the data incident data relative to the at least one state rule; and
      
      generating a state specific risk assessment from the modeling.
  - 15. The method according to claim 1, wherein the data incident data specifies a role for the first party or the at least one additional party as a business associate, a client, or service provider, a data incident notification date, and combinations thereof.
  - 16. The method according to claim 1, wherein the data incident data specifies an identification of a subcontractor rather than one or more employees.
  - 17. The method according to claim 1, wherein the first party or the at least one additional party is both a covered entity and a business associate of another covered entity.
  - 18. The method according to claim 1, wherein the external entity interface comprises a contract upload interface and a notification designation interface.
  - 19. The method according to claim 1, wherein the risk assessment guidance interface comprises an external entity assessment profile that comprises a chronological list of data incident events and a disposition for each of the data incident events.
  - 20. The method according to claim 1, further comprising generating a data incident detail interface that comprises risk factors from the data incident data, a regulated data table, a data sensitivity index, jurisdiction identification, and an identity of any external entities, or any combinations thereof.
  - 21. The method according to claim 20, wherein the regulated data table comprises cells that each comprise a visual indicator of low, medium, or high risk for each type of sensitive information included in the data incident.
  - 22. The method according to claim 21, wherein the jurisdiction identification comprises an identification of the at least one federal rule or the at least one state rule.
  - 23. The method according to claim 1, further comprising generating a data incident detail interface that comprises selected details for the data incident in visual format.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radar, LLC
Original Assignee
Radar, Incorporated (J & J Snack Foods Corporation)
Inventors
Sher-Jan, Mahmood, Rook, Susan M., Kotka, Greg L., Migliore, Andrew, Cannon, Travis, Cleek, Billie, Church, Nicholas J, DeAngelis, David J
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/868,311
Publication Number

US 20160021133A1
Time in Patent Office

736 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06F 21/6245   Protecting personal data, e...

G16H 10/60   for patient-specific data, ...

H04L 63/0407   wherein the identity of one...

H04L 63/1433   Vulnerability analysis

H04W 12/02   Protecting privacy or anony...

Systems and methods for managing data incidents

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for managing data incidents

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links