EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY August 6, 2014 Presentation

Upload: lgcdcpas

Post on 18-Dec-2014



DESCRIPTION

Malware infiltrations, spear phishing, data breaches: these are scary words with even scarier implications. These threats are hitting the interconnected technology world fast and hard and can no longer be ignored. Are you doing everything you can to avoid having your data compromised and becoming the next security breach horror story? To help you answer that question, join the security experts at LGC+D for the Emerging Trends in Information Privacy and Security seminar on Wednesday, August 6th. They will be joined by a dream team panel of IT, legal and insurance experts who deal with these threats every day and have the experience and knowledge to help you make the right security decisions.

TRANSCRIPT

Page 1: Emerging Trends in Information Security and Privacy

EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY

August 6, 2014 Presentation

Page 2: Emerging Trends in Information Security and Privacy

Logistics

CPE Credit Requirements

Takeaways

Page 3: Emerging Trends in Information Security and Privacy

Full service Professional Services Firm:

Attest services

Tax preparation and compliance

IT Audit and Security

Internal Control

Internal Audit Outsourcing

SSAE 16 Services

Over 70 professionals, highly qualified in a variety of specializations: CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST

Affiliations: AICPA, PCAOB, ACFEI, ISACA, TANGO, CICPAC, Practicewise, VACO Risk Solutions

Page 4: Emerging Trends in Information Security and Privacy

Vaco Risk Solutions

Specializing in helping our clients reduce their risks

30 locations strong

Highly qualified consultants

▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt

We belong to:

▪ Member of Information Systems Audit and Control Association (ISACA)

▪ Member of American College of Forensic Examiners Institute (ACFEI)

▪ Association of Credit Union Internal Auditors (ACUIA)

▪ PCI Qualified Security Assessors certified by PCI Security Standards Council

▪ Payment Application Qualified Security Assessors certified by PCI Security Standards Council

▪ Member of Petroleum Convenience Alliance for Technology Standards (PCATS)

▪ Member of National Association of Convenience Stores (NACS)

Page 5: Emerging Trends in Information Security and Privacy
Page 6: Emerging Trends in Information Security and Privacy

Former FBI Director Mueller: “There are two types of companies, those that have been hacked and those that don’t know it”

Page 7: Emerging Trends in Information Security and Privacy

Suzanne Miller, Ph.D., Partner – Vaco Risk Solutions

Linn Foster Freedman, Esq., Partner – Nixon Peabody LLP

Brian Bonkoski, Vice President – ACE Professional Risk

Kevin Ricci, CISA, Director of Information Technology – LGC&D LLP

Page 8: Emerging Trends in Information Security and Privacy

Speaker Risk Discussions

Panel Discussion – Best Practices and Strategies

Question and Answer

Page 9: Emerging Trends in Information Security and Privacy

Suzanne Miller, Ph.D., VCAG (Vaco Compliance and Audit Group), August 6, 2014

Page 10: Emerging Trends in Information Security and Privacy

PCI – Quick Overview

Growing Data Trends and Associated Risks
◦ Employees: IT Convenience
◦ Customers: Mobile Apps

Growing Threats to Corporate Security
◦ Top 3 Threats Affecting Corporate Security

Page 11: Emerging Trends in Information Security and Privacy

An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

- September 7, 2006 -

Page 12: Emerging Trends in Information Security and Privacy

Founders
◦ American Express
◦ Discover Financial Services
◦ JCB
◦ MasterCard Worldwide
◦ Visa International

New: NACHA

Page 13: Emerging Trends in Information Security and Privacy
Page 14: Emerging Trends in Information Security and Privacy


Service Providers

Page 15: Emerging Trends in Information Security and Privacy

SAQ validation types (for each type: number of questions in v3.0, number of questions in v2.1, whether an ASV scan is required, whether a penetration test is required)

A – Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage. Questions: 14 (v3.0), 1 (v2.1). ASV: No. Pen test: No.

A-EP – E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data. Questions: 139 (v3.0), NEW in v3.0. ASV: Yes. Pen test: Yes.

B – Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage. Questions: 41 (v3.0), 12 (v2.1). ASV: No. Pen test: No.

B-IP – Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage. Questions: 83 (v3.0), NEW in v3.0. ASV: Yes. Pen test: No.

C – Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage. Questions: 139 (v3.0), 59 (v2.1). ASV: Yes. Pen test: No.

C-VT – Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage. Questions: 73 (v3.0), 22 (v2.1). ASV: No. Pen test: No.

D-MER – All other SAQ-eligible merchants. Questions: 326 (v3.0), 38 (v2.1). ASV: Yes. Pen test: Yes.

D-SP – SAQ-eligible service providers. Questions: 347 (v3.0), NEW in v3.0. ASV: Yes. Pen test: Yes.

P2PE – Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage. Questions: 35 (v3.0), 17 (v2.1). ASV: No. Pen test: No.

Page 16: Emerging Trends in Information Security and Privacy

PCISecurityStandards.org


Page 17: Emerging Trends in Information Security and Privacy

Employees: IT Convenience

Customers: Mobile Apps


Page 18: Emerging Trends in Information Security and Privacy

Cloud Computing: enabling employees to take advantage of collaboration tools/programs and share work-related data

Page 19: Emerging Trends in Information Security and Privacy

Cloud – Computing


Page 20: Emerging Trends in Information Security and Privacy

Cloud Computing Risks

Organizational Risk
◦ Employees use unauthorized consumer-oriented tools and save corporate data (trade secrets, financial reports, meeting notes, etc.); it sits unprotected in locations unknown to the company

Financial Risk
◦ Cost of exposed business confidential data: ~$214 per compromised record (Ponemon Institute, May 2014)

Page 21: Emerging Trends in Information Security and Privacy

Cloud – Risk Mitigation

◦ Strategy: Monitoring and controlling use of collaboration tools; securing data on collaboration tools. Cost savings and productivity improvements: > $8,184 per user annually; productivity ~1.2 hours each day or 266 hours per year

◦ Policy: Governance

◦ Technology: Offer safer enterprise-grade consumer tools

◦ Education: Risk awareness to rank and file
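The "monitoring and controlling use of collaboration tools" strategy above is usually implemented on the web proxy, since that is where uploads to unsanctioned consumer services become visible. The following Python script is an added illustration, not material from the presentation or from Vaco: it parses a small constructed proxy log, keeps only uploads (POST/PUT) to hosts outside the sanctioned allow-list, totals outbound bytes per user, and names the users whose total crosses a review threshold. The log format, the host names (all under `.example`), the `SANCTIONED_HOSTS` set and the 1 MiB threshold are assumptions made for this example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log (not from the presentation). Whitespace-separated fields:
#   timestamp  user  method  url  bytes_sent
PROXY_LOG = """\
2014-08-06T09:01:12Z alice POST https://share.corp-approved.example/upload 524288
2014-08-06T09:03:40Z bob   POST https://consumer-drive.example/api/files 8388608
2014-08-06T09:05:02Z bob   GET  https://consumer-drive.example/api/files 1024
2014-08-06T09:10:55Z carol PUT  https://notes-sync.example/v2/docs/ 2097152
2014-08-06T09:12:07Z alice POST https://consumer-drive.example/api/files 4096
"""

# Assumed: the one enterprise-grade sharing tool the company offers. Anything else is unsanctioned.
SANCTIONED_HOSTS = {"share.corp-approved.example"}
UPLOAD_METHODS = {"POST", "PUT"}
REVIEW_THRESHOLD_BYTES = 1024 * 1024  # assumed: 1 MiB outbound per user triggers a review


@dataclass(frozen=True)
class ProxyEvent:
    timestamp: str
    user: str
    method: str
    host: str
    path: str
    bytes_sent: int


def parse_line(line: str) -> ProxyEvent:
    """Split one log line into fields and pull the destination host out of the URL."""
    ts, user, method, url, sent = line.split()
    parts = urlsplit(url)
    return ProxyEvent(ts, user, method.upper(), parts.hostname or "", parts.path, int(sent))


def parse_log(log: str) -> list[ProxyEvent]:
    return [parse_line(line) for line in log.splitlines() if line.strip()]


def unsanctioned_uploads(events: list[ProxyEvent],
                         sanctioned: set[str] = SANCTIONED_HOSTS) -> list[ProxyEvent]:
    """Uploads (POST/PUT) whose destination host is not on the sanctioned list."""
    return [e for e in events if e.method in UPLOAD_METHODS and e.host not in sanctioned]


def bytes_by_user(events: list[ProxyEvent]) -> dict[str, int]:
    """Total bytes each user sent to unsanctioned services; reads (GETs) are ignored."""
    totals: dict[str, int] = defaultdict(int)
    for e in unsanctioned_uploads(events):
        totals[e.user] += e.bytes_sent
    return dict(totals)


def users_to_review(events: list[ProxyEvent],
                    threshold: int = REVIEW_THRESHOLD_BYTES) -> list[str]:
    """Users whose unsanctioned upload volume reached the threshold, sorted by name."""
    return sorted(user for user, total in bytes_by_user(events).items() if total >= threshold)


if __name__ == "__main__":
    events = parse_log(PROXY_LOG)
    for e in unsanctioned_uploads(events):
        print(f"{e.timestamp} {e.user:<6} {e.method:<4} {e.host}{e.path} {e.bytes_sent} bytes")
    print("review:", users_to_review(events))
```

The byte threshold keeps the output focused on bulk data movement rather than every stray form post; in practice the allow-list and threshold are the policy knobs, and the per-user totals are what the "risk awareness" conversation with rank and file is built on.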

Page 22: Emerging Trends in Information Security and Privacy

Cloud Computing: the Cloud Security Alliance maintains the Cloud Controls Matrix to assist cloud providers and cloud consumers in meeting audit requirements, including the PCI DSS.

https://cloudsecurityalliance.org/research/ccm/

Page 23: Emerging Trends in Information Security and Privacy

Mobile Apps revenue is expected to reach an estimated $70 billion by 2017*. Revenue in 2012: ~$8.5 billion

Page 24: Emerging Trends in Information Security and Privacy

Risks

Organizational Risk:
◦ Non-compliance with state and federal regulatory requirements for Mobile Apps: geo-location data, behavioral targeting, inferred consent, retargeting, data security and quality, mobile privacy statement

Page 25: Emerging Trends in Information Security and Privacy

Financial Risk:
◦ Fines

Delta failed to have a conspicuous privacy policy on ‘Fly Delta’ – CA Attorney General (12/2012). Fined $2,500 per app download; downloaded 1 million times on Google Play

Social networking app ‘Path’ fined $800,000 by FTC over allegations that it collected personal information without obtaining consumers’ consent (2/11/2013)

FTC crackdown under COPPA: $16,000 fine for each download (5/15/2014)

Page 26: Emerging Trends in Information Security and Privacy

Risk Mitigation

◦ Strategy: Understand the changing compliance landscape for Mobile Apps across your enterprise (marketing, application developers, legal, internal audit, etc.); expand risk governance

◦ Policy: Expand risk governance

◦ Technology: Understand the ecosystem

◦ Education: Risk awareness to rank and file

NOTE: The FTC released on 2/11/2013 a report outlining privacy guidelines for mobile platform providers, application developers, and advertising networks (the “Report”). Explaining the Commission’s increased attention to this area, the outgoing FTC Commissioner described the current state of rules and practices in the mobile space as a sort of “Wild West.” Cautioning that the Commission will “closely monitor developments in this space”, the FTC “strongly” encouraged companies in the mobile ecosystem to work expeditiously to implement the recommendations in the Report. The guidance focuses on how mobile app players should improve their disclosures to ensure that users understand how their personal data will be collected and used.

Page 27: Emerging Trends in Information Security and Privacy

◦ Privacy Statement shall state:

What information is collected from an Individual's Mobile Device;

Whether information is shared with another application installed on the Individual's Mobile Device;

How Geo-location Data is used;

If Geo-location Data is used to create a profile about the Individual;

How long Geo-location Data is retained;

What type of Third Parties, including Service Providers, Geo-location Data is shared with and for what purpose;

How the Individual can restrict the disclosure of Geo-location Data to Third Parties; and

How the Individual can revoke consent to your company's collection and use of Geo-location Data.

…and the list goes on

Page 28: Emerging Trends in Information Security and Privacy

Era of Advancing Risks*


* Global State of Information Security Survey 2014, CIO and CSO Magazine

Page 29: Emerging Trends in Information Security and Privacy

Most dangerous cyber threat today

Few organizations have the capabilities to prevent


Page 30: Emerging Trends in Information Security and Privacy

Look at Healthcare sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place


Page 31: Emerging Trends in Information Security and Privacy

Look at Public sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place


Page 32: Emerging Trends in Information Security and Privacy

Look at Retail sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place


Page 33: Emerging Trends in Information Security and Privacy

Look at Healthcare sector: Percentage of respondents who report the impact of data breaches.

Page 34: Emerging Trends in Information Security and Privacy

Look at Public sector: Percentage of respondents who report the impact of data breaches.

Page 35: Emerging Trends in Information Security and Privacy

Look at Retail sector: Percentage of respondents who report the impact of data breaches.

Page 36: Emerging Trends in Information Security and Privacy


Look at Healthcare sector: Percentage of respondents who report core security safeguards ARE NOT in place.

Page 37: Emerging Trends in Information Security and Privacy


Look at Public sector: Percentage of respondents who report core security safeguards ARE NOT in place.

Page 38: Emerging Trends in Information Security and Privacy


Look at Retail sector: Percentage of respondents who report core security safeguards ARE NOT in place.

Page 39: Emerging Trends in Information Security and Privacy


Percentage of respondents identifying their greatest obstacles to improving the strategic effectiveness of their company’s information security function.

Page 40: Emerging Trends in Information Security and Privacy

Suzanne Miller, Ph.D.


Page 41: Emerging Trends in Information Security and Privacy

EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY

LINN F. FREEDMAN, ESQ. AUGUST 6, 2014

Page 42: Emerging Trends in Information Security and Privacy

SUMMARY OF PRESENTATION

—Headlines on data privacy and security and breaches

—What are the Risks

—Implementing a Data Privacy & Security Plan

—Identify high risk data

—State Privacy & Security Laws

—Federal Privacy & Security Regulations

—Use of mobile technology

—Use of e-mail and cloud services

—Best practices

Page 43: Emerging Trends in Information Security and Privacy
Page 44: Emerging Trends in Information Security and Privacy

DATA SECURITY — WHAT’S THE RISK?

Increase of conducting business online = Exponential increase of threats to data security

Page 45: Emerging Trends in Information Security and Privacy

DATA SECURITY — WHAT’S THE RISK? (CONT’D)

— Companies collect and possess larger amounts of customer, employee and client data than ever

— Greater use of mobile technology, websites, cloud storage

• Allows for easier opportunity for hackers, identity thieves/data security breaches

• Increase in loss of proprietary information

• Potential for damage to company’s reputation

• Threat of state and federal regulatory enforcement

Page 46: Emerging Trends in Information Security and Privacy

INCREASE OF DATA SECURITY BREACHES

June 2012 Ponemon Institute Report

— 90% of companies surveyed had a computer breached at least once in the prior 12 months

— 44% of companies surveyed viewed IT infrastructures as insecure

Page 47: Emerging Trends in Information Security and Privacy

INCREASE OF DATA SECURITY BREACHES (CONT’D)

May 2013 Ponemon Institute Report

— Data breaches cost U.S. companies surveyed an average of $5.4 million in the prior 12 months

— An average of 28,765 records for U.S. companies surveyed were exposed or compromised in the prior 12 months

— It cost U.S. companies surveyed an average of $188 per record breached in the prior 12 months

Page 48: Emerging Trends in Information Security and Privacy

DATA PRIVACY & SECURITY PLAN

Identify high risk data

Use of mobile technology, e-mail and cloud services

Develop policies and best practices

Train all employees


Page 49: Emerging Trends in Information Security and Privacy

IDENTIFYING HIGH-RISK DATA

— Personally Identifiable Information

• Includes SS #, state-issued ID #, mother’s maiden name, driver’s license #, passport #, credit history, criminal history

— Name & Contact Information

• Includes initials, address, telephone number, e-mail address, mobile number, date of birth

— Personal Characteristics

• Includes age, gender, marital status, nationality, sexual orientation, race, ethnicity, religious beliefs

Page 50: Emerging Trends in Information Security and Privacy

IDENTIFYING HIGH-RISK DATA (CONT’D)

— Financial Institution Data

• Includes credit, ATM, debit card #s, bank accounts, payment card information, PINs, magnetic stripe data, security codes, access codes, passwords

— Health & Insurance Account Information

• Includes health status and history, disease status, medical treatment, diagnoses, prescriptions, insurance account #, Medicare and Medicaid information

• HIPAA compliance

Page 51: Emerging Trends in Information Security and Privacy

IDENTIFYING HIGH-RISK DATA (CONT’D)

— Website Traffic

• Notice of Privacy Practices

• Terms and Conditions of Use

— Employment Information

• Includes income, salary, service fees, compensation information, background check information
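"Identify high-risk data" is the first step of the plan, and the three slides above give the categories to look for. As an added illustration that is not part of the presentation, the Python scanner below locates the items from those lists that have a recognizable shape in a document: payment card numbers (candidate digit runs filtered with the Luhn checksum so invoice or reference numbers are not reported), U.S. Social Security numbers, and e-mail addresses. It reports masked matches by category so that the scan report does not itself become another copy of the sensitive data. The sample document, the category names and the `Finding` record are constructed for this example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Category names follow the slide headings (constructed labels for this example).
CAT_PII = "personally_identifiable_information"   # SSN and similar government identifiers
CAT_CONTACT = "name_and_contact_information"      # e-mail address
CAT_FINANCIAL = "financial_institution_data"      # payment card number (PAN)

# U.S. SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to a single digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_digits(value: str) -> str:
    """Keep only the last four digits so findings can be reviewed without re-exposing the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    local, domain = addr.split("@", 1)
    return local[:2] + "***@" + domain


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    masked: str


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per high-risk value, in document order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(line_no, CAT_FINANCIAL, mask_digits(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding(line_no, CAT_PII, mask_digits(m.group())))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(line_no, CAT_CONTACT, mask_email(m.group())))
    return findings


def category_counts(text: str) -> dict[str, int]:
    """Inventory by category, which is what a risk assessment actually needs from a scan."""
    return dict(Counter(f.category for f in scan_text(text)))


# Constructed sample of a file found on a shared drive; every value is test data.
SAMPLE_DOCUMENT = """\
Order 1042 shipped to J. Doe, phone 401-555-0199
Card on file: 4111 1111 1111 1111 exp 09/26
Employee SSN 123-45-6789 (background check on file)
Contact: jane.doe@example.com
Invoice ref 1234 5678 9012 3456 is not a card number
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DOCUMENT):
        print(f"line {f.line_no}: {f.category} -> {f.masked}")
    print(category_counts(SAMPLE_DOCUMENT))
```

The Luhn filter is what separates a usable inventory from noise: the 16-digit invoice reference on the last sample line passes the pattern but fails the checksum, so it is not counted as cardholder data, while the test card number on line 2 is. Categories that have no fixed format (health status, marital status, salary) cannot be found this way and still need data-owner interviews and system inventories.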

Page 52: Emerging Trends in Information Security and Privacy

STATE PRIVACY & SECURITY LAWS

Social Security number protection laws

— e.g. Rhode Island

— e.g. New York (§399-dd) – restrictions on use, disclosure and access

Data security regulations

— e.g. Massachusetts (201 CMR § 17.00) – must implement a written information security plan with detailed data security safeguards

Data breach notification regulations

— 47 states

• Most states require notification of a breach to state authorities

Website/mobile app data collection laws

— e.g. California (§§22575-22579, “CalOPPA”) – conspicuously post privacy policy with transparent details re: data collection/use

— None in RI to date

Page 53: Emerging Trends in Information Security and Privacy

STATE ENFORCEMENT/FINES AND PENALTIES

Examples:

— Massachusetts data security regulations (up to $5k per violation)

• $63k against MA restaurant

• $750k against South Shore Hospital

— California website/mobile app CalOPPA statute (up to $2,500 per violation)

• AG sent hundreds of non-compliance letters to companies without privacy policies and/or unclear privacy practices on website/mobile app

— None in Rhode Island to date

Page 54: Emerging Trends in Information Security and Privacy

STATE HEALTH INFORMATION PRIVACY LAWS

— Mental Health Law

— HIV/Aids

— Sexually transmitted diseases

— Genetic Information


Page 55: Emerging Trends in Information Security and Privacy

FEDERAL PRIVACY & SECURITY LAWS

— Federal Trade Commission (“FTC”)

• § 5 of the FTC Act prohibits “unfair or deceptive acts or practices”

Covers advertising claims, marketing, and promotions

Not limited to any particular medium

• Enforcement of several sector-specific privacy laws

Fair Credit Reporting Act (“FCRA”)

Children’s Online Privacy Protection Act (“COPPA”)

Page 56: Emerging Trends in Information Security and Privacy

FTC ENFORCEMENT/FINES AND PENALTIES

More than 100 privacy-related actions since 2001, including:

— 40+ Data Security Cases

— 100+ Spyware Cases

— 20 COPPA cases

— Several FCRA cases

— Increasing Emphasis on Mobile Technology

Page 57: Emerging Trends in Information Security and Privacy

FEDERAL PRIVACY & SECURITY LAWS (CONT.)

— Gramm-Leach-Bliley Act

• To protect privacy of personally identifiable, nonpublic financial information

Page 58: Emerging Trends in Information Security and Privacy

FEDERAL PRIVACY & SECURITY LAWS (CONT.)

— HIPAA

• To protect the privacy of health information

Page 59: Emerging Trends in Information Security and Privacy

THE OMNIBUS RULE

Certain HIPAA “Privacy and Security Rule” provisions apply directly to business associates as a regulated entity

— BAs must have required HIPAA policies and procedures in place

— BAs are subject to direct enforcement by OCR as of September 23, 2013

Page 60: Emerging Trends in Information Security and Privacy

ENFORCEMENT PENALTIES FOR HIPAA VIOLATIONS

Civil penalties are tiered, depending on conduct:

Unknown

— $100 per violation, up to $50,000 for all identical violations in a calendar year

Reasonable cause that is not willful neglect

— $1,000 for each violation, up to $50,000 for all identical violations in a calendar year

Willful neglect

— If violation corrected within 30 days of knowledge: $10,000 for each identical violation, up to $50,000 for all identical violations in a calendar year

— If violation not corrected: $50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year

Page 61: Emerging Trends in Information Security and Privacy

CRIMINAL ENFORCEMENT PROVISIONS

HIPAA also carries criminal penalties for persons who “knowingly” obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. § 1320d–6(a):

Knowingly: fine $50,000, prison one year

False pretenses: fine $100,000, prison five years

For profit, gain, or harm: fine $250,000, prison 10 years

Page 62: Emerging Trends in Information Security and Privacy

RISKS OF BREACH ASSOCIATED WITH MOBILE TECHNOLOGY

— Smartphones

— Laptops

— USB or flash drives

• 5 million British Columbians’ data breached (1/15/13) via a USB drive

— Compliance with 47 state breach notification regulations

• E-mails

• Cloud vendors

Page 63: Emerging Trends in Information Security and Privacy

RISKS OF CLOUD COMPUTING

— There are over 400 cloud computing providers

— Privacy and Security

— Confidentiality

— ‘True’ Ownership and Control

— Data Restoration and Data Retention, Longevity of Vendors

— Accessibility (i.e. all business hours, weekends, holidays; 24 hours a day)

— Unfamiliarity with Technology

— Integration with Firm Systems

— Jurisdictional Concerns if Dispute Arises

Page 64: Emerging Trends in Information Security and Privacy

BEST PRACTICES FOR LAPTOPS & REMOVABLE MEDIA

— Encryption

— Policies and procedures for removing devices and data from business premises

— Do not permit employees to leave laptops and removable devices in cars or hotel rooms

— Prohibition of downloading sensitive data onto the hard drive of a laptop or other removable media

— Remote wipe procedures

— BYOD policy

Page 65: Emerging Trends in Information Security and Privacy

BEST PRACTICES USING E-MAIL

— Encryption

— Virtual Private Network/RSA

— Verify Selected Recipients

— Use Standard Confidentiality Disclaimer

— “Sensitive” Communications, Special Protections against Disclosure to 3rd Parties

• It is the responsibility of the employee directing the communication to determine if the communication is “sensitive” in accordance with RIOHHS policies and procedures

Page 66: Emerging Trends in Information Security and Privacy

REPORTING SECURITY INCIDENTS

— Make sure all employees know to report a privacy concern, a suspected breach, an information security problem, theft of computer equipment, or any suspicion that there may be a problem to the Security Officer

— When in doubt, REPORT

Page 67: Emerging Trends in Information Security and Privacy

CONCLUSION

— Identify all of your “electronic highways” and what they connect with on the inside

— Perform threat and risk assessment on a regular basis

— Identify controls that will reduce risk to an acceptable level

— Review the effectiveness of controls periodically as well as after incidents

— Ensure you have proper Incident Response Plans in place

— Present Key Risk Indicators (KRI) to management in order to gain their support with regard to any proposed risk mitigation efforts

— Insure risks

Page 68: Emerging Trends in Information Security and Privacy

This presentation contains images used under license. Retransmission, republication, redistribution, and downloading of this presentation, including any of the images as stand-alone files, is prohibited.

This presentation may be considered advertising under certain rules of professional conduct. The content should not be construed as legal advice, and readers should not act upon information in this publication without professional counsel.

©2014. Nixon Peabody LLP. All rights reserved.

THANK YOU! QUESTIONS?

Linn Foster Freedman, Esq.

T: 401-454-1108

Nixon Peabody LLP, One Citizens Plaza, Suite 500, Providence, RI 02903

Page 69: Emerging Trends in Information Security and Privacy

EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY

PRESENTED BY BRIAN BONKOSKI – ACE USA

Page 70: Emerging Trends in Information Security and Privacy

Disclaimer

The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.

Page 71: Emerging Trends in Information Security and Privacy

Goals of Today's Presentation

Coverage Overview by Insuring Agreement
 Network Security Liability
 Privacy Liability
 Data Breach Team
 Network Extortion
 Business Interruption Loss
 Digital Asset Loss

Key Markets

Claims Overview
 Industry Trends and Expenses
 Claims Examples

Page 72: Emerging Trends in Information Security and Privacy

Network Security Liability: Covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.

Page 73: Emerging Trends in Information Security and Privacy

Privacy Liability: Covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.

Page 74: Emerging Trends in Information Security and Privacy

Data Breach Expenses – 1st Party

Forensics

Public Relations/Crisis Management Services

Legal Services, including but not limited to determining compliance with Privacy Regulations, drafting notification letters and indemnification rights

Notification/Credit Monitoring Services

Call Center Services

Fraud Consultation services provided through a licensed investigator or credit specialist

Identity Restoration Services

Page 75: Emerging Trends in Information Security and Privacy

Data Breach Expenses – 1st Party Cont’d

Network Extortion: Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.

Digital Asset Loss: Covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.

Business Interruption: Covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured’s network.

Page 76: Emerging Trends in Information Security and Privacy

Markets

ACE USA

AIG

Lexington

Beazley

C.N.A.

AWAC

Chubb

Axis

XL

Hiscox

Zurich

Travelers

Philadelphia Insurance

One Beacon

Hartford

Swiss RE

Endurance

Houston Casualty

Page 77: Emerging Trends in Information Security and Privacy

Claims and Industry Trends (as of 1/31/2014)

Claim triggers:

Hack 24%

Lost/Stolen Hardware 22% (Laptops 15%, Hard Drives 5%, Other 2%)

Rogue Employee 15%

Human Error 14%

Privacy Policy 9%

Unknown 7%

Paper 6%

Software Error 3%

Industry Breakout

• Healthcare – 31%

• Technology – 14%

• Professional Services – 12%

• Retail – 10%

• Financial Institutions – 8%

Targeted Attacks for PI:

• Lost/Stolen Devices: 2008 – 41%; 2012 – 17%; 2013 – 17%

• Hacking and Rogue Employee: 2008 – 31%; 2012 – 44%; 2013 – 44%

This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014

Page 78: Emerging Trends in Information Security and Privacy

Triggers by Industry Segment (as of 1/31/2014)

[Four bar charts, one per industry segment. Bar labels in each chart: Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy. Values below are listed in the order they appear in the slide text.]

Healthcare: 4%, 22%, 25%, 19%, 11%

Retail: 42%, 17%, 15%, 6%, 15%

Technology: 34%, 10%, 21%, 9%, 12%

Professional Services: 21%, 14%, 32%, 14%, 6%

Page 79: Emerging Trends in Information Security and Privacy

Average Cost of First Party Expenses (as of 1/15/2014)

Every Breach Response is Unique

Cost Range of Each Service

Legal Fees: Under $5,000 up to about $250,000

Forensics: About $10,000 to Seven Figures

Notification & Call Center: Approximately $3 per Record

Credit Monitoring: Payment per Enrollee or Restoration Service

Minimal Crisis Management Costs

Objective: Limit Third Party Exposure

* ACE Data, Reflects Average Incurred Costs Across Paid Claims

[Bar chart of average incurred cost per service. Bar labels: Legal Fees, Forensics, Notification & Call Center, Credit Monitoring, Crisis Management. Values listed in the order they appear in the slide text: $48,091.00, $192,049.00, $272,428.00, $157,577.00, $12,600.00]

Page 80: Emerging Trends in Information Security and Privacy

Claims Process

Pre-Breach Preparation
 Identify Decision Makers
 Consider Vendor Relationships and Selection for Breach Response
 Test Incident Response Plans

Notice
 Contact key personnel internally
 Contact Insurance Carrier (if applicable)

Engage Data Breach Vendors
 Data Breach Coach
 Forensic and Legal Investigation
 Notification and Call Center
 Credit Monitoring
 Crisis Management

Third Party Claims
 Class Action Lawsuits
 PCI Assessments
 Regulatory Fines and Penalties

Page 81: Emerging Trends in Information Security and Privacy

Third Party Claims

Three Types of Third Party Claims
 Regulatory Proceedings (Less than 2%)
 Pre-litigation Demands (8%)
 Class Action Lawsuits (10%)

Regulatory Fines
 Bad Actor – Lack of Proper Response or Compliance
 Repeat Offender
 Lack of Internal Privacy Policies and Procedures

Pre-Litigation Demands
 Mostly in Healthcare
 Disclosure of Extremely Sensitive Information
 Adverse Employment Action

[Chart legend] Lawsuits – 10%; Non-Lawsuits – 8%; Regulatory Proceedings – 2%

Page 82: Emerging Trends in Information Security and Privacy

Claims Examples – Retail

Website Breached

Users of a $250 million online retailer’s website began experiencing fraudulent credit card charges. The retailer’s IT group contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant.

Data Breach Fund Costs: $750,000 for notification, call center services, and legal fees to determine the insured’s regulatory obligations

Privacy Liability Costs: $500,000 in assessments for lack of PCI compliance

Credit Card Information Stolen by Employee

A $100 million retail company’s employee improperly obtained the credit card information of a client and fraudulently used the information to make illegal purchases. The employee was caught and prosecuted. The client’s attorney demanded that the insured provide credit monitoring services and compensate the client for her damages.

Privacy Liability Costs: $75,000 for the settlement amount and legal fees

Page 83: Emerging Trends in Information Security and Privacy

Claims Examples – Healthcare

External Vendor Misplaced Laptops

A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory inquiry and was named as a defendant in a class action lawsuit.

Data Breach Fund Costs: $7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring

Privacy Liability Costs: $2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries

Employee Lost Flash Drive

An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various state regulators were also notified in accordance with applicable law.

Data Breach Fund Costs: $110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory obligations

Page 84: Emerging Trends in Information Security and Privacy

Claims Examples – Misc Services

84

Private Information Disclosed Due to Printing Error
A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately 60,000 envelopes bearing account numbers on the outside of the envelopes.

Data Breach Fund Costs: $320,000 for notification and credit monitoring services

Laptops Stolen from Office
Five laptops were stolen from the office of a professional services company. The laptops contained personal information of approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit monitoring costs.

Data Breach Fund Costs: $200,000 for notification, credit monitoring services, and legal fees

Personal Information Posted Online
A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the process of notifying the impacted individuals and offering credit monitoring services.

Data Breach Fund Costs: $150,000 to date for legal fees, notification, credit monitoring, and Public Relations services

Page 85: Emerging Trends in Information Security and Privacy

Questions?

85

Contact:

Brian Bonkoski

ACE Professional Risk

Vice President

(215) 640-5934

[email protected]


Page 86: Emerging Trends in Information Security and Privacy

Panel Discussion

Page 87: Emerging Trends in Information Security and Privacy

How do I mitigate my risk with the growing use of mobile and portable technologies?

▪ Policies and Education
▪ Social networking awareness
▪ Encryption
▪ Remote Wipes/Autolocks
▪ Obtaining employee consent
▪ Backing up company information on an employee device
▪ Do’s and Don’ts of mobile use
▪ Laptop Safety

Page 88: Emerging Trends in Information Security and Privacy

What should I be doing to prepare my Company for the increased regulations related to IT Security?

▪ Understand business activities subject to regulation for privacy considerations
  ▪ Disclosure of PI collections and sharing procedures
  ▪ Website and mobile app privacy
▪ Know how changes in business operations impact compliance requirements
▪ Accept responsibility for compliance
  ▪ EXECUTIVE MANAGEMENT
  ▪ BOARD OF DIRECTORS

Page 89: Emerging Trends in Information Security and Privacy

Questions?

Page 90: Emerging Trends in Information Security and Privacy

What are some of the things I need to consider when using 3rd party service providers?

For all vendors:
▪ Due diligence on their data security
▪ Coordination of representations in privacy policies
▪ Allocation of responsibilities in event of breach
▪ Terms in vendor agreements:
  ▪ Indemnification provisions
  ▪ Access provisions
  ▪ Insurance requirements (cyber and other)

Cloud computing:
▪ Identify the assets for cloud deployment
▪ Evaluate the assets
▪ Map the assets to the cloud deployment model
▪ Evaluate potential cloud service models
▪ Map out data flow

Page 91: Emerging Trends in Information Security and Privacy

What should I be doing to prepare the Company for a breach?

▪ Screen new hires and vendors
▪ Annual risk assessments
▪ Educate employees
▪ Discuss privacy by design with operations people
▪ Pre-arrange breach service providers
▪ Develop a cross-functional privacy committee for breach planning and response
▪ Discuss information collection and disclosure practices with all departments
▪ Consider insuring against risks

Page 92: Emerging Trends in Information Security and Privacy

What can I do to better protect my data from cyber crime?

▪ Data Mapping - Understand WHAT your sensitive data is and WHERE it resides
▪ Perform a security risk assessment
▪ Set security standards
▪ Develop comprehensive policies
▪ Provide security training
▪ Adopt a business plan
▪ Spear Phishing Do’s and Don’ts
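The data mapping item above (know WHAT sensitive data you hold and WHERE it resides) is the one point on this slide that turns directly into a tool. The following is an added example, not code from the presentation or from LGC+D, Vaco or ACE: a small discovery scan over a set of files that records which kind of sensitive data appears in which file and line, keeping only a masked value in the resulting map. Payment-card candidates are validated with the Luhn mod-10 check so that random digit runs such as order numbers are not reported, and SSN candidates are filtered by the structural rules for area and group numbers. The file paths and their contents are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "files" standing in for a file-share inventory; the paths and
# content are invented for this example and are not from the presentation.
SAMPLE_FILES = {
    "hr/onboarding.csv": (
        "name,ssn\n"
        "Jane Roe,123-45-6789\n"
        "John Doe,456-78-9012\n"
        "Temp badge,000-12-3456\n"      # area 000 is never issued: must not be flagged
    ),
    "finance/refunds.txt": (
        "Refund to card 4111 1111 1111 1111 processed 2014-08-01\n"
        "Order 1234567890123456 shipped\n"   # 16 digits but fails Luhn: must not be flagged
    ),
    "marketing/newsletter.md": "# August newsletter\nNo personal data here.\n",
}

# SSN in AAA-GG-SSSS form with the structural rules the SSA publishes:
# area not 000, 666 or 9xx; group not 00; serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment-card candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # "ssn" or "card"
    masked: str    # the data map never stores the full value


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits, enough to recognise the record later."""
    return "****" + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per sensitive value found in the text, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, line_no, "ssn", mask(m.group().replace("-", ""))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(path, line_no, "card", mask(digits)))
    return findings


def build_data_map(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """WHAT sensitive data exists and WHERE: every path is listed, even when it is clean."""
    return {path: scan_text(path, text) for path, text in files.items()}


def summarize(data_map: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings by kind across the whole map."""
    counts: Dict[str, int] = {}
    for findings in data_map.values():
        for f in findings:
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_FILES)
    for path, findings in data_map.items():
        print(f"{path}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line_no}: {f.kind} {f.masked}")
    print(summarize(data_map))
```

In practice the file dictionary would be replaced by a walk over the shares, mailboxes and databases in scope, and the map would be reviewed against the data classification so that each location with findings has an owner, a retention decision and a control (encryption, access restriction or removal). The patterns here are deliberately narrow; a production scan would add the organisation's own identifiers and tune the regexes against its false-positive rate.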

Page 93: Emerging Trends in Information Security and Privacy

Michael Camacho, CPA, Partner [email protected] (401) 421-4800 x233