Emerging Trends in Information Security and Privacy
DESCRIPTION
Malware infiltrations, spear phishing, data breaches: these are scary words with even scarier implications. These threats are hitting the interconnected technology world fast and hard and can no longer be ignored. Are you doing everything you can to avoid having your data compromised and becoming the next security breach horror story? To help you answer that question, join the security experts at LGC+D for the Emerging Trends in Information Privacy and Security seminar on Wednesday, August 6th. They will be joined by a dream team panel of IT, legal and insurance experts who deal with these threats every day and have the experience and knowledge to help you make the right security decisions.
TRANSCRIPT
EMERGING TRENDS IN
INFORMATION PRIVACY
AND SECURITY
August 6, 2014 Presentation
Logistics
CPE Credit Requirements
Takeaways
LGC&D LLP
Full service professional services firm:
▪ Attest services
▪ Tax preparation and compliance
▪ IT audit and security
▪ Internal control
▪ Internal audit outsourcing
▪ SSAE 16 services
Over 70 professionals, highly qualified in a variety of specializations: CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST
Affiliations: AICPA, PCAOB, ACFEI, ISACA, TANGO, CICPAC, Practicewise, Vaco Risk Solutions
Vaco Risk Solutions
Specializing in helping our clients reduce their risks
30 locations strong
Highly qualified consultants:
▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt
We belong to:
▪ Information Systems Audit and Control Association (ISACA)
▪ American College of Forensic Examiners Institute (ACFEI)
▪ Association of Credit Union Internal Auditors (ACUIA)
▪ PCI Qualified Security Assessors certified by the PCI Security Standards Council
▪ Payment Application Qualified Security Assessors certified by the PCI Security Standards Council
▪ Petroleum Convenience Alliance for Technology Standards (PCATS)
▪ National Association of Convenience Stores (NACS)
Former FBI Director Mueller:
“There are two types of companies, those
that have been hacked and those
that don’t know it”
Suzanne Miller, Ph.D., Partner – Vaco Risk Solutions
Linn Foster Freedman, Esq., Partner – Nixon Peabody LLP
Brian Bonkoski, Vice President – ACE Professional Risk
Kevin Ricci, CISA, Director of Information Technology – LGC&D LLP
Speaker Risk Discussions
Panel Discussion – Best Practices and Strategies
Question and Answer
Suzanne Miller, Ph.D., VCAG (Vaco Compliance and Audit Group), August 6, 2014
PCI – Quick Overview
Growing Data Trends and Associated Risks
◦ Employees: IT Convenience
◦ Customers: Mobile Apps
Growing Threats to Corporate Security
◦ Top 3 Threats Affecting Corporate Security
PCI Security Standards Council: an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
- Founded September 7, 2006 -
Founders:
◦ American Express
◦ Discover Financial Services
◦ JCB
◦ MasterCard Worldwide
◦ Visa International
New NACHA
Service Providers
PCI DSS Self-Assessment Questionnaires (SAQ), validation types:
SAQ A – Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage. Questions: 14 (v3.0), 1 (v2.1). ASV scan: No. Pen test: No.
SAQ A-EP – E-commerce merchants redirecting to a third-party website for payment processing, no electronic cardholder data. Questions: 139 (v3.0), new in v3.0. ASV scan: Yes. Pen test: Yes.
SAQ B – Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage. Questions: 41 (v3.0), 12 (v2.1). ASV scan: No. Pen test: No.
SAQ B-IP – Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage. Questions: 83 (v3.0), new in v3.0. ASV scan: Yes. Pen test: No.
SAQ C – Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage. Questions: 139 (v3.0), 59 (v2.1). ASV scan: Yes. Pen test: No.
SAQ C-VT – Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage. Questions: 73 (v3.0), 22 (v2.1). ASV scan: No. Pen test: No.
SAQ D-MER – All other SAQ-eligible merchants. Questions: 326 (v3.0), 38 (v2.1). ASV scan: Yes. Pen test: Yes.
SAQ D-SP – SAQ-eligible service providers. Questions: 347 (v3.0), new in v3.0. ASV scan: Yes. Pen test: Yes.
SAQ P2PE – Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage. Questions: 35 (v3.0), 17 (v2.1). ASV scan: No. Pen test: No.
Source: PCISecurityStandards.org
Employees: IT Convenience
Customers: Mobile Apps
Cloud Computing: enabling employees to take advantage of collaboration tools/programs and share work-related data
Cloud Computing Risks
Organizational Risk:
◦ Employees use unauthorized consumer-oriented tools and save corporate data (trade secrets, financial reports, meeting notes, etc.); it sits unprotected, in locations unknown to the company
Financial Risk:
◦ Cost of exposed business confidential data: ~$214 per compromised record (Ponemon Institute, May 2014)
Cloud – Risk Mitigation
◦ Strategy: monitoring and controlling use of collaboration tools; securing data on collaboration tools
  Cost savings and productivity improvements: > $8,184 per user annually; productivity ~1.2 hours each day or 266 hours per year
◦ Policy: governance
◦ Technology: offer safer enterprise-grade consumer tools
◦ Education: risk awareness for the rank and file
Cloud Computing: the Cloud Security Alliance maintains the Cloud Controls Matrix to assist cloud providers and cloud consumers in meeting audit requirements, including the PCI DSS.
https://cloudsecurityalliance.org/research/ccm/
Mobile app revenue is expected to reach an estimated $70 billion by 2017*; revenue in 2012 was ~$8.5 billion.
Risks
Organizational Risk:
◦ Non-compliance with state and federal regulatory requirements for mobile apps: geo-location data, behavioral targeting, inferred consent, retargeting, data security and quality, mobile privacy statement
Financial Risk:
◦ Fines
  Delta failed to have a conspicuous privacy policy on 'Fly Delta'; the CA Attorney General sued (12/2012) seeking $2,500 per app download, and the app had been downloaded 1 million times on Google Play
  Social networking app 'Path' fined $800,000 by the FTC over allegations that it collected personal information without obtaining consumers' consent (2/1/2013)
  FTC crackdown on COPPA: $16,000 fine for each download (5/15/2014)
Risk Mitigation
◦ Strategy: understand the changing compliance landscape for mobile apps across your enterprise (marketing, application developers, legal, internal audit, etc.)
◦ Policy: expand risk governance
◦ Technology: understand the ecosystem
◦ Education: risk awareness for the rank and file
NOTE: On 2/1/2013 the FTC released a report outlining privacy guidelines for mobile platform providers, application developers, and advertising networks (the "Report"). Explaining the Commission's increased attention to this area, the outgoing FTC Commissioner described the current state of rules and practices in the mobile space as a sort of "Wild West." Cautioning that the Commission will "closely monitor developments in this space", the FTC "strongly" encouraged companies in the mobile ecosystem to work expeditiously to implement the recommendations in the Report. The guidance focuses on how mobile app players should improve their disclosures to ensure that users understand how their personal data will be collected and used.
◦ Privacy Statement shall state:
  What information is collected from an Individual's Mobile Device;
  Whether information is shared with another application installed on the Individual's Mobile Device;
  How Geo-location Data is used;
  If Geo-location Data is used to create a profile about the Individual;
  How long Geo-location Data is retained;
  What types of Third Parties, including Service Providers, Geo-location Data is shared with and for what purpose;
  How the Individual can restrict the disclosure of Geo-location Data to Third Parties; and
  How the Individual can revoke consent to your company's collection and use of Geo-location Data.
  …and the list goes on
Era of Advancing Risks*
* Global State of Information Security Survey 2014, CIO and CSO Magazine
Advanced persistent threats (APTs): the most dangerous cyber threat today; few organizations have the capabilities to prevent them
Look at the Healthcare sector: percentage of respondents who report that their organization has the following APT-related capabilities in place
Look at the Public sector: percentage of respondents who report that their organization has the following APT-related capabilities in place
Look at the Retail sector: percentage of respondents who report that their organization has the following APT-related capabilities in place
Look at the Healthcare sector: percentage of respondents who report the impact of data breaches
Look at the Public sector: percentage of respondents who report the impact of data breaches
Look at the Retail sector: percentage of respondents who report the impact of data breaches
Look at the Healthcare sector: percentage of respondents who report core security safeguards ARE NOT in place
Look at the Public sector: percentage of respondents who report core security safeguards ARE NOT in place
Look at the Retail sector: percentage of respondents who report core security safeguards ARE NOT in place
Percentage of respondents identifying their greatest obstacles to improving the strategic effectiveness of their company’s information security function.
EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY
LINN F. FREEDMAN, ESQ. AUGUST 6, 2014
SUMMARY OF PRESENTATION
—Headlines on data privacy and security and breaches
—What are the Risks
—Implementing a Data Privacy & Security Plan
—Identify high risk data
—State Privacy & Security Laws
—Federal Privacy & Security Regulations
—Use of mobile technology
—Use of e-mail and cloud services
—Best practices
DATA SECURITY — WHAT’S THE RISK?
Increase in conducting business online = exponential increase in threats to data security
DATA SECURITY — WHAT’S THE RISK? (CONT’D)
— Companies collect and possess larger amounts of customer, employee and client data than ever
— Greater use of mobile technology, websites, cloud storage
• Easier opportunities for hackers and identity thieves; more data security breaches
• Increase in loss of proprietary information
• Potential for damage to the company's reputation
• Threat of state and federal regulatory enforcement
INCREASE OF DATA SECURITY BREACHES
June 2012 Ponemon Institute Report
— 90% of companies surveyed had a
computer breached at least once in the
prior 12 months
— 44% of companies surveyed viewed IT
infrastructures as insecure
INCREASE OF DATA SECURITY BREACHES (CONT’D)
May 2013 Ponemon Institute Report
— Data breaches cost U.S. companies
surveyed an average of $5.4 million in
the prior 12 months
— An average of 28,765 records for U.S.
companies surveyed were exposed or
compromised in the prior 12 months
— It cost U.S. companies surveyed an
average of $188 per record breached
in the prior 12 months
DATA PRIVACY & SECURITY PLAN
Identify high risk data
Use of mobile technology, e-mail and cloud services
Develop policies and best practices
Train all employees
IDENTIFYING HIGH-RISK DATA
— Personally Identifiable Information
• Includes SS #, state-issued ID #, mother’s
maiden name, driver’s license #, passport #,
credit history, criminal history
— Name & Contact Information
• Includes initials, address, telephone number,
e-mail address, mobile number, date of birth
— Personal Characteristics
• Includes age, gender, marital status,
nationality, sexual orientation, race, ethnicity,
religious beliefs
IDENTIFYING HIGH-RISK DATA (CONT’D)
— Financial Institution Data
• Includes credit, ATM, debit card #s, bank
accounts, payment card information, PINs,
magnetic stripe data, security codes,
access codes, passwords
— Health & Insurance Account Information
• Includes health status and history, disease
status, medical treatment, diagnoses,
prescriptions, insurance account #,
Medicare and Medicaid information
• HIPAA compliance
IDENTIFYING HIGH-RISK DATA (CONT’D)
— Website Traffic
• Notice of Privacy Practices
• Terms and Conditions of Use
— Employment Information
• Includes income, salary, service fees, compensation
information, background check information
STATE PRIVACY & SECURITY LAWS
Social Security number
protection laws
— e.g. Rhode Island
— e.g. New York (§399-dd) –
restrictions on use, disclosure and
access
Data security regulations
— e.g. Massachusetts (201 CMR §
17.00) –must implement a written
information security plan with
detailed data security safeguards
Data breach notification laws
— 47 states
• Most states require notification of a breach to state authorities
Website/mobile app data
collection laws
— e.g. California (§§22575-22579,
“CalOPPA”) –conspicuously post
privacy policy with transparent
details re: data collection/use
— None in RI to date
STATE ENFORCEMENT/FINES AND PENALTIES
Examples:
— Massachusetts data security regulations
(up to $5k per violation)
• $63k against MA restaurant
• $750k against South Shore Hospital
— California website/mobile app CalOPPA
statute (up to $2,500 per violation)
• AG sent hundreds of non-compliance letters to
companies without privacy policies and/or
unclear privacy practices on website/mobile app
— None in Rhode Island to date
STATE HEALTH INFORMATION PRIVACY LAWS
— Mental Health Law
— HIV/Aids
— Sexually transmitted diseases
— Genetic Information
FEDERAL PRIVACY & SECURITY LAWS
— Federal Trade Commission (“FTC”)
• § 5 of the FTC Act prohibits “unfair or
deceptive acts or practices”
Covers advertising claims, marketing,
and promotions
Not limited to any particular medium
• Enforcement of several sector-specific
privacy laws
Fair Credit Reporting Act (“FCRA”)
Children’s Online Privacy Protection Act
(“COPPA”)
FTC ENFORCEMENT/FINES AND PENALTIES
More than 100 privacy-related actions
since 2001, including:
— 40+ Data Security Cases
— 100+ Spyware Cases
— 20 COPPA cases
— Several FCRA cases
— Increasing Emphasis on Mobile
Technology
FEDERAL PRIVACY & SECURITY LAWS (CONT.)
— Gramm-Leach-Bliley Act
• To protect privacy of personally
identifiable, nonpublic financial
information
FEDERAL PRIVACY & SECURITY LAWS (CONT.)
— HIPAA
• To protect the privacy of
health information
THE OMNIBUS RULE
Certain HIPAA “Privacy and Security Rule” Provisions
apply directly to business associates as a regulated entity
— BAs must have required HIPAA policies and procedures
in place
— BAs are subject to direct enforcement by OCR as of
September 23, 2013
ENFORCEMENT PENALTIES FOR HIPAA
VIOLATIONS
Civil penalties are tiered, depending on conduct:
Did not know
— $100 per violation, up to $50,000 for all identical violations in a calendar year
Reasonable cause that is not willful neglect
— $1,000 per violation, up to $50,000 for all identical violations in a calendar year
Willful neglect
— If the violation is corrected within 30 days of knowledge: $10,000 per violation, up to $50,000 for all identical violations in a calendar year
— If the violation is not corrected: $50,000 per violation, up to $1.5 million for all identical violations in a calendar year
CRIMINAL ENFORCEMENT PROVISIONS
HIPAA also carries criminal penalties for persons who “knowingly” obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. § 1320d–6(a):
Conduct                    Fine       Prison
Knowingly                  $50,000    One year
False pretenses            $100,000   Five years
For profit, gain, or harm  $250,000   10 years
RISKS OF BREACH ASSOCIATED WITH MOBILE TECHNOLOGY
— Smartphones
— Laptops
— USB or flash drives
• 5 million British Columbians’ data breached (1/15/13, USB drive)
— Compliance with 47 state breach notification regulations
• E-mails
• Cloud vendors
RISKS OF CLOUD COMPUTING
— There are over 400 cloud computing providers
— Privacy and Security
— Confidentiality
— ‘True’ Ownership and Control
— Data Restoration and Data Retention, Longevity of Vendors
— Accessibility (i.e. all business hours, weekends, holidays; 24
hours a day)
— Unfamiliarity with Technology
— Integration with Firm Systems
— Jurisdictional Concerns if Dispute Arises
BEST PRACTICES FOR LAPTOPS & REMOVABLE MEDIA
— Encryption
— Policies and procedures for removing devices and data
from business premises
— Do not permit employees to leave laptops and
removable devices in cars or hotel rooms
— Prohibition of downloading sensitive data onto the hard drive of a laptop or other removable media
— Remote wipe procedures
— BYOD policy
BEST PRACTICES USING E-MAIL
— Encryption
— Virtual Private Network/RSA
— Verify Selected Recipients
— Use Standard Confidentiality Disclaimer
— “Sensitive” Communications, Special
Protections against Disclosure to 3rd Parties
• It is the responsibility of the employee directing
the communication to determine if the
communication is “sensitive” in accordance with
RIOHHS policies and procedures
REPORTING SECURITY INCIDENTS
— Make sure all employees know
to report a privacy concern, a
suspected breach, information
security problem, theft of
computer equipment or if you
suspect there may be a
problem to the Security Officer
— When in doubt REPORT
CONCLUSION
— Identify all of your “electronic highways” and what they
connect with on the inside.
— Perform threat and risk assessments on a regular basis
— Identify controls that will reduce risk to an acceptable level
— Review the effectiveness of controls periodically as well as
after incidents
— Ensure you have proper Incident Response Plans in place
— Present Key Risk Indicators (KRI) to management in order
to gain their support with regard to any proposed risk
mitigation efforts
— Insure risks
This presentation contains images used under license. Retransmission, republication, redistribution, and downloading
of this presentation, including any of the images as stand-alone files, is prohibited.
This presentation may be considered advertising under certain rules of professional conduct. The content should not be
construed as legal advice, and readers should not act upon information in this publication without professional counsel.
©2014. Nixon Peabody LLP. All rights reserved.
THANK YOU! QUESTIONS?
Linn Foster Freedman, Esq.
T: 401-454-1108 [email protected]
Nixon Peabody LLP One Citizens Plaza Suite 500 Providence, RI 02903
EMERGING TRENDS IN
INFORMATION PRIVACY AND
SECURITY
PRESENTED BY BRIAN BONKOSKI – ACE USA
Disclaimer
The material presented in this presentation is not intended to provide
legal or other expert advice as to any of the subjects mentioned, but
rather is presented for general information only. You should consult
knowledgeable legal counsel or other knowledgeable experts as to any
legal or technical questions you may have. Further, the insurance
discussed is a product summary only. For actual terms and conditions
of any insurance product, please refer to the policy. Coverage may
not be available in all states.
Goals of Today's Presentation
◦ Coverage overview by insuring agreement: network security liability, privacy liability, data breach team, network extortion, business interruption loss, digital asset loss
◦ Key markets
◦ Claims overview: industry trends and expenses, claims examples
Network Security Liability: covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.
Privacy Liability: covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.
Data Breach Expenses – 1st Party:
◦ Forensics
◦ Public relations/crisis management services
◦ Legal services, including but not limited to determining compliance with privacy regulations, drafting notification letters and indemnification rights
◦ Notification/credit monitoring services
◦ Call center services
◦ Fraud consultation services provided through a licensed investigator or credit specialist
◦ Identity restoration services
Data Breach Expenses – 1st Party (cont’d):
Network Extortion: covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.
Digital Asset Loss: covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.
Business Interruption: covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured’s network.
Markets ACE USA
AIG
Lexington
Beazley
C.N.A.
AWAC
Chubb
Axis
XL
Hiscox
Zurich
Travelers
Philadelphia Insurance
One Beacon
Hartford
Swiss RE
Endurance
Houston Casualty
Claims and Industry Trends (as of 1/31/2014)
Breach triggers (share of claims):
◦ Hack 24%
◦ Lost/Stolen Hardware 22% (Laptops 15%, Hard Drives 5%, Other 2%)
◦ Rogue Employee 15%
◦ Human Error 14%
◦ Privacy Policy 9%
◦ Unknown 7%
◦ Paper 6%
◦ Software Error 3%
Industry Breakout
• Healthcare – 31%
• Technology – 14%
• Professional Services – 12%
• Retail – 10%
• Financial Institutions – 8%
Targeted Attacks for PI:
• Lost/Stolen Devices
• 2008 – 41%
• 2012 – 17%
• 2013 – 17%
• Hacking and Rogue Employee
• 2008 – 31%
• 2012 – 44%
• 2013 – 44%
This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied
or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
Triggers by Industry Segment (as of 1/31/2014)
Share of claims by trigger within each segment (four bar charts in the original):
Segment                Hack   Rogue Employee   Lost/Stolen Devices   Human Error   Privacy Policy
Healthcare             4%     22%              25%                   19%           11%
Retail                 42%    17%              15%                   6%            15%
Technology             34%    10%              21%                   9%            12%
Professional Services  21%    14%              32%                   14%           6%
Average Cost of First Party Expenses (as of 1/15/2014)
Every Breach Response is Unique
Cost range of each service:
◦ Legal fees: under $5,000 up to about $250,000
◦ Forensics: about $10,000 to seven figures
◦ Notification & call center: approximately $3 per record
◦ Credit monitoring: payment per enrollee or restoration service
◦ Minimal crisis management costs
Objective: Limit Third Party Exposure
* ACE Data, Reflects Average Incurred Costs Across Paid Claims
Average incurred costs across paid claims* (bar chart in the original):
Legal Fees                  $48,091
Forensics                   $192,049
Notification & Call Center  $272,428
Credit Monitoring           $157,577
Crisis Management           $12,600
Claims Process
Pre-Breach Preparation
◦ Identify decision makers
◦ Consider vendor relationships and selection for breach response
◦ Test incident response plans
Notice
◦ Contact key personnel internally
◦ Contact insurance carrier (if applicable)
Engage Data Breach Vendors
◦ Data breach coach
◦ Forensic and legal investigation
◦ Notification and call center
◦ Credit monitoring
◦ Crisis management
Third Party Claims
◦ Class action lawsuits
◦ PCI assessments
◦ Regulatory fines and penalties
Third Party Claims
Three types of third party claims:
◦ Regulatory proceedings (less than 2%)
◦ Pre-litigation demands (8%)
◦ Class action lawsuits (10%)
Regulatory fines:
◦ Bad actor: lack of proper response or compliance
◦ Repeat offender
◦ Lack of internal privacy policies and procedures
Pre-litigation demands:
◦ Mostly in healthcare
◦ Disclosure of extremely sensitive information
◦ Adverse employment action
Claims Examples – Retail
Website Breached: Users of a $250 million online retailer’s website began experiencing fraudulent credit card charges. The retailer’s IT group contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant.
Data Breach Fund Costs: $750,000 for notification, call center services, and legal fees to determine the insured’s regulatory obligations
Privacy Liability Costs: $500,000 in assessments for lack of PCI compliance
Credit Card Information Stolen by Employee: A $100 million retail company’s employee improperly obtained the credit card information of a client and fraudulently used the information to make illegal purchases. The employee was caught and prosecuted. The client’s attorney demanded that the insured provide credit monitoring services and compensate the client for her damages.
Privacy Liability Costs: $75,000 for the settlement amount and legal fees
Claims Examples – Healthcare
External Vendor Misplaced Laptops: A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory inquiry and was named as a defendant in a class action lawsuit.
Data Breach Fund Costs: $7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring
Privacy Liability Costs: $2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries
Employee Lost Flash Drive: An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various state regulators were also notified in accordance with applicable law.
Data Breach Fund Costs: $110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory obligations
Claims Examples – Misc Services
Private Information Disclosed Due to Printing Error: A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately 60,000 envelopes bearing account numbers on the outside of the envelopes.
Data Breach Fund Costs: $320,000 for notification and credit monitoring services
Laptops Stolen from Office: Five laptops were stolen from the office of a professional services company. The laptops contained personal information of approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit monitoring costs.
Data Breach Fund Costs: $200,000 for notification, credit monitoring services, and legal fees
Personal Information Posted Online: A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the process of notifying the impacted individuals and offering credit monitoring services.
Data Breach Fund Costs: $150,000 to date for legal fees, notification, credit monitoring, and public relations services
Questions?
Contact:
Brian Bonkoski
ACE Professional Risk
Vice President
(215) 640-5934
Panel Discussion
How do I mitigate my risk with the growing use of mobile and portable technologies?
▪ Policies and education
▪ Social networking awareness
▪ Encryption
▪ Remote wipes/autolocks
▪ Obtaining employee consent
▪ Backing up company information on an employee device
▪ Do’s and don’ts of mobile use
▪ Laptop safety
What should I be doing to prepare my Company for the increased regulations related to IT security?
▪ Understand business activities subject to regulation for privacy considerations
  ◦ Disclosure of PI collection and sharing procedures
  ◦ Website and mobile app privacy
▪ Know how changes in business operations impact compliance requirements
▪ Accept responsibility for compliance
  ◦ Executive management
  ◦ Board of directors
Questions?
What are some of the things I need to consider when using 3rd party service providers?
For all vendors:
▪ Due diligence on their data security
▪ Coordination of representations in privacy policies
▪ Allocation of responsibilities in the event of a breach
▪ Terms in vendor agreements:
  ◦ Indemnification provisions
  ◦ Access provisions
  ◦ Insurance requirements (cyber and other)
Cloud computing:
▪ Identify the assets for cloud deployment
▪ Evaluate the assets
▪ Map the assets to the cloud deployment model
▪ Evaluate potential cloud service models
▪ Map out data flow
What should I be doing to prepare the Company for a breach?
▪ Screen new hires and vendors
▪ Annual risk assessments
▪ Educate employees
▪ Discuss privacy by design with operations people
▪ Pre-arrange breach service providers
▪ Develop a cross-functional privacy committee for breach planning and response
▪ Discuss information collection and disclosure practices with all departments
▪ Consider insuring against risks
What can I do to better protect my data from cyber crime?
▪ Data mapping: understand WHAT your sensitive data is and WHERE it resides
▪ Perform a security risk assessment
▪ Set security standards
▪ Develop comprehensive policies
▪ Provide security training
▪ Adopt a business plan
▪ Spear phishing do’s and don’ts
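The deck lists the categories of high-risk data (the "Identifying High-Risk Data" slides) and the panel closes with the advice to map WHAT sensitive data you hold and WHERE it resides. The following is an added example, not code from the seminar or from any of the presenting firms, of a small data-mapping scanner in Python. It detects three of those categories in text (Social Security numbers, payment card numbers, e-mail addresses), confirms card hits with the Luhn check so that other long digit runs are not reported, masks what it reports so the scan output is not itself a copy of the sensitive data, and summarizes per file which categories were found. The file paths, file contents, patterns and category labels are constructed for the example.

```python
"""Toy data-mapping scanner: finds a few of the high-risk data types named
in the deck (SSNs, payment card numbers, e-mail addresses) in text and
reports where each category lives.

Added illustration, not code from the seminar. The file contents, paths
and patterns below are constructed for the example; a real scanner would
cover many more data types and add context checks.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Detectors for three of the deck's high-risk categories. The SSN pattern
# rejects area 000/666/9xx, group 00 and serial 0000, which are never
# issued; the card pattern accepts 13-19 digits with optional single
# space/dash separators and is confirmed below with the Luhn check.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Category labels follow the deck's "Identifying high-risk data" slides.
CATEGORY = {
    "ssn": "Personally Identifiable Information",
    "card": "Financial Institution Data",
    "email": "Name & Contact Information",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(kind: str, value: str) -> str:
    """Never copy the raw value into a report; keep only a tail for triage."""
    if kind == "email":
        return "***@" + value.split("@", 1)[1]
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str    # file path the hit was found in
    line: int      # 1-based line number
    kind: str      # detector name
    category: str  # deck category
    sample: str    # masked value


def scan_text(source: str, text: str) -> list[Finding]:
    """Run every detector over each line; card hits must also pass Luhn."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue  # digit run of card length that is not a valid PAN
                findings.append(
                    Finding(source, lineno, kind, CATEGORY[kind], mask(kind, value))
                )
    return findings


def data_map(files: dict[str, str]) -> dict[str, dict[str, int]]:
    """WHAT sensitive data exists and WHERE: per source, counts per category."""
    result: dict[str, dict[str, int]] = {source: {} for source in files}
    for source, text in files.items():
        for finding in scan_text(source, text):
            counts = result[source]
            counts[finding.category] = counts.get(finding.category, 0) + 1
    return result


# Constructed sample files (hypothetical paths and contents).
SAMPLE_FILES = {
    "hr/onboarding.csv": "name,ssn,email\nJane Doe,123-45-6789,jane.doe@example.com\n",
    "sales/orders.log": (
        "2014-08-06 order 1001 card 4111 1111 1111 1111 phone 401-555-0100\n"
        "2014-08-06 order 1002 card 4111 1111 1111 1112\n"  # fails Luhn: ignored
    ),
    "notes/meeting.txt": "Q3 roadmap discussed; no customer data.\n",
}

if __name__ == "__main__":
    for source, counts in data_map(SAMPLE_FILES).items():
        print(source, counts or "clean")
    for f in scan_text("sales/orders.log", SAMPLE_FILES["sales/orders.log"]):
        print(f)
```

Run it as-is to see the per-file map; in practice the file dictionary would be replaced by a walk over file shares, mailboxes and cloud storage, and the masked findings fed into the risk assessment and vendor-due-diligence steps the panel describes. The Luhn filter matters because phone numbers, order numbers and timestamps also produce long digit runs; without it the map overstates where card data lives.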
Michael Camacho, CPA, Partner [email protected] (401) 421-4800 x233