
Most Businesses Couldn’t Pass a DOL Audit – Could Yours?

Guest Presenter

September 15, 2015

2015 Education Series

Charles P. Bellingrath
National Practice Leader: Privacy, Network Security, Technology E&O

Cyber Security: Protecting Your Business and Your Customers

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Between January 2005 and today, 4,602 Data Breaches have been reported allowing unauthorized access to 868,403,517 records…

Are you prepared?

Presented By: Chas Bellingrath – ARC Excess & Surplus, LLC

In Partnership with the Sylvia Group

This presentation is advisory in nature and all examples and descriptions are for illustrative purposes only.

The Evolving Liabilities of Healthcare Cyber, Privacy & Security Risks

• Personally Identifiable Information (PII)
  • Social Security number
  • Drivers license number
  • Credit/debit card numbers
  • Passport number
  • Banking records
  • Date of birth
  • Medical information
  • Mother’s maiden name
  • Email/username in combination with password/security question and answer

The Evolving Liabilities of Healthcare Cyber, Privacy & Security Risks

• HIPAA
• Protected Health Information (PHI)
  • Medical records
  • Health status
  • Provision of health care
  • Payment for health care

The Evolving Liabilities of Healthcare Cyber, Privacy & Security Risks

• Payment Card Information (PCI)
  • Primary Account Number (PAN)
  • Cardholder name
  • Expiration date
  • Service code (3- or 4-digit code)
  • PIN

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Corporate Confidential Information

Data pertaining to a client of the Insured which resides on the Insured’s Network due to the Insured providing professional services to such client and for which the Insured has a legal or contractual duty to keep secure and/or confidential such Data.

Corporate Confidential Information includes but is not limited to:
- Trade Secrets
- Designs
- Interpretation
- Forecast
- Formula
- Method
- Practices

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Breaches: By Whom and Where?

Who has Unauthorized Access?
• Hackers
• Employees, Faculty and Students
• Outsourcers and Third Party Vendors

What are they accessing?
• Laptops
• Computer Networks/Wireless Networks
• PDAs/Cell Phones
• Paper Files
• Websites
• Clouds

Picture Source: www.cyberinquirer.com

The Evolving Liabilities: Cyber, Privacy & Security Exposures

IDENTIFY THE EXPOSURE

• Hackers
• Rogue Employees
• Independent Contractors
• Human Error
• Social Media
• Mobile Devices
• Cloud Computing
• A Changing Regulatory Environment

The Evolving Liabilities: Cyber, Privacy & Security Exposures

HISTORY OF BREACHES OVER TIME

• Source: www.datalossdb.org – September 2015


The Evolving Liabilities: Cyber, Privacy & Security Exposures

• Source: www.datalossdb.org – September 2015


The Evolving Liabilities: Cyber, Privacy & Security Exposures

Primary Data Breach Causes

Source: Ponemon Institute: 2015 Annual Study

BREACH COSTS BY ACTIVITY

(Source: Ponemon Institute)

Activity                           Percent   Dollars Per Record
Investigation & Forensics            14%       $30
Audit & Consulting Services           7%       $15
Outbound Contact                      3%        $7
Inbound Contact                       5%       $11
Public Relations/Communications       1%        $2
Legal Services - Defense             16%       $35
Legal Services - Compliance           4%        $9
Free or Discounted Services           1%        $2
Identity Protection Services          2%        $4
Lost Customer Business               39%       $85
Customer Acquisition Cost             8%       $17
Total                               100%      $217

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Top Ten Largest Incidents

# of Records    Date          Organization
152,000,000     03/10/2012    Adobe Systems, Inc.
150,000,000     03/17/2012    Shanghai Roadway D&B Marketing Services Co.
145,000,000     05/21/2014    eBay Inc.
130,000,000     01/201/2009   Heartland Payment Systems
110,000,000     12/18/2013    Target Brands, Inc.
109,000,000     09/02/2014    The Home Depot
104,000,000     01/20/2014    Korea Credit Bureau
 94,000,000     01/17/2007    TJX Companies
 90,000,000     06/01/1984    Sears
 83,000,000     08/27/2014    JPMorgan Chase

Source: www.datalossdb.org

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Claims Scenarios: Educational Institutions

July 14, 2014 – Orangeburg-Calhoun Technical College – Orangeburg, SC: "Orangeburg-Calhoun Technical College in South Carolina is notifying 20,000 former and current students and faculty members that an unencrypted laptop computer stolen this month from a staff member's office contained their personal information.” The information contained on the laptop included names, birth dates and Social Security numbers of individuals. The college stated that the information goes back six or seven years and that it believes the thief was after the hardware, not the data stored on it. The college neglected to comment on whether it is providing credit monitoring services for those affected.

Total Records: 20,000

December 17, 2013 – Radnor Township School – Wayne, PA: An employee performing a transfer of personnel data accidentally left the data accessible, and a middle-school student viewed it. The student also shared the information. Current and former employees may have had their names, addresses, phone numbers, dates of birth and Social Security numbers accessed as early as June and as late as the end of the 2012-2013 school year. The breach was discovered in November.

Total Records: 2,000

Since 2005, 756 Educational Institutions have been subject to breaches affecting 14,725,924 individuals.

Source: www.privacyrights.org

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Claims Scenarios: Health Care

October 22, 2013 – AHMC Healthcare – Alhambra, CA: The October 12 office theft of two laptops resulted in the exposure of patient information from a number of facilities. Authorities believe a well-known transient was responsible for the thefts. 729,000 names, Social Security numbers, diagnosis and procedure codes, insurance identification numbers and insurance payments were exposed.

Total Records: 729,000

August 29, 2014 – Memorial Hermann Hospital – Houston: Memorial Hermann Hospital is notifying patients of a data breach in which a former employee accessed medical records of more than 10,000 patients. Reportedly, the former employee had been accessing patient information outside his normal job description for more than seven years, from December 2007 through July 2014. The information breached included patients' medical records, health insurance information, Social Security numbers, names, addresses and dates of birth.

Total Records: 45,600

Since 2005, 1214 health-care and medical facilities have been subject to breaches affecting 43,040,901 individuals.

Source: www.privacyrights.org

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Claims Scenarios: Financial

July 30, 2011 – Belmont Savings Bank – Boston: In May, a bank employee left a backup tape on a desk rather than storing it. A cleaning crew disposed of it later that night. Names, Social Security numbers and account numbers were exposed. The tape contained personal information of more than 13,000 customers. After the breach, the Massachusetts Attorney General’s Office issued a $7,500 fine for failure to protect personal information.

Total Records: 13,000

July 17, 2014 – Total Bank – Miami: Total Bank, a subsidiary of Banco Popular that has 21 locations in South Florida, is notifying 72,500 customers that their account information was potentially exposed after an unauthorized third party gained access to the bank's computer network. Information obtained by this unauthorized third party included names, addresses, account numbers, account balances, Social Security numbers and driver's license numbers. The bank is offering 12 months free of credit-monitoring services for those who were affected.

Total Records: 72,500

Since 2005, 609 financial institutions have been subject to breaches affecting 359,188,179 individuals.

Source: www.privacyrights.org

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Claims Scenarios: Manufacturing

ABC Manufacturing – June 2014 – Albany, NY

A local manufacturing company outside of Albany, NY, suffered a denial-of-service attack on its network, resulting in a loss of income and extra expenses. It also resulted in lost production and distribution of the company’s products. Extra expenses included the cost to hire a forensic expert to get systems back up and running, and the company was shut down for several days. Expenses and loss of income exceeded $150,000.


The Evolving Liabilities: Cyber, Privacy & Security Exposures

Corporate Exposure to Cyber Attacks

• What is a Cyber Attack?
• What are criminals seeking when they attack a business’ network or electronic data?
• “Street” value of one stolen information item is reported to be up to $50. The incentive to steal is enormous.
• How do criminals access private or confidential information from a business or organization’s electronic files?

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Types of Risks & Losses – 1st Party and 3rd Party

• First-Party Claims
  • Hardware or software malfunction
  • Data corruption
  • Denial of service attack

• Third-Party Claims
  • Copyright and trademark infringement
  • Data privacy breach
  • Internet media liability (i.e., defamation)
  • Unauthorized access/unauthorized use (e.g., third-party data corruption, denial-of-service attack)
  • Statutory/regulatory liability (federal and state)

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Legal Landscape: New Regulations Lead to New Insurance Needs

• Personal Data Privacy & Security Act of 2007
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The Gramm-Leach-Bliley Act of 1999 (GLBA)
• Fair Credit Reporting Act
• Fair & Accurate Credit Transactions Act of 2003
• Electronic Communications Privacy Act of 1986
• Family Educational Rights & Privacy Act (FERPA)
• State Specific Security Breach Notification Laws*
• HITECH Act (enacted with Jan 2009 Federal Stimulus Package)
• MA GL, 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts.

The Evolving Liabilities: Cyber, Privacy & Security Exposures

47 States now have breach-notification requirements

Kentucky joined as the 47th state in 2014

https://www.beazley.com/our_business/professional_liability/tmb/data_breach_map.html

Alabama, South Dakota and New Mexico are the remaining states that do not have any specific legislation pertaining to security breach notification.


The Evolving Liabilities: Cyber, Privacy & Security Exposures

BEST PRACTICES

• SEC Guidance
• Due Diligence on Vendors
• Negotiate Strong Terms in Vendor/Cloud Contracts
• Risk Transfer Indemnity/Insurance
• Security Assessment of Vendor: Tricky in a Multi-Tenant Cloud Platform
• Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Cyber Liability Insurance Exposures, Coverage and Risk Management

Insurance Coverage for Data Breach:
• Types of policies providing coverage?
• How Does Traditional Insurance Respond?
  • Property Policies?
  • CGL Insurance Policies?
  • Crime Insurance Policies
  • D&O
  • E&O

The Evolving Liabilities: Cyber, Privacy & Security Exposures

• What Is Cyber, Privacy and Security Liability?

• Overview and History of the Coverage

The Evolving Liabilities: Cyber, Privacy & Security Exposures

First-Party Loss

• First-Party Breach Response Expenses
  • Cost to hire a breach coach/legal services
  • Cost to hire a computer security/forensic expert
  • Cost to notify the affected individuals
  • Cost to provide credit monitoring to affected individuals
  • Cost to provide call center services
  • Cost to hire a public relations/crisis management firm to help remediate reputational harm resulting from the breach

• Cyber Business Income and Extra Expense Including Data Restoration Expenses

• Cyber Extortion Payments

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Third-Party Loss

• Failure to Implement and Maintain Reasonable Security Measures
• Negligence
• Unfair, Deceptive and Unlawful Business Practices
• Violation of Privacy
• Invasion of the Customer’s Right to Privacy
• Breach of Contract and Violation of Consumer Fraud Act
• Defense and Damages
• Media/Intellectual Property
• Regulatory Actions including fines and penalties
• PCI Fines and Penalties

The Evolving Liabilities: Cyber, Privacy & Security Exposures

DEALING WITH A SECURITY BREACH

• Data Breach Team and Incident Response Plan needs to be in place
• Compliance with state notice laws
• Notice all potentially applicable insurance
• The benefits of a dedicated Cyber Insurance Policy (risk transfer, access to breach coaches, forensic experts, etc.)

KEY CYBER MARKETS

ACE, AIG, AWAC, ARCH, AXIS, BEAZLEY, CHUBB, C.N.A., Hiscox, Endurance, Liberty, Great American, Ironshore, Various Lloyds Markets (UK), Markel/Evanston, NAS Insurance, Navigators, Travelers, XL, QBE, Zurich, Many More!

We work over 50 Markets

RISK MANAGEMENT

IMPLEMENT PROACTIVE MEASURES TO MINIMIZE THE RISK OF A DATA BREACH

• Create a culture of privacy and security throughout your organization
• Assemble your Incident Response Team and prepare an Incident Response Plan
• Perform a data privacy review and risk assessment, including vulnerability scanning and penetration testing
• Utilize data classification and segmentation
• Prepare a Written Information Security Program (WISP)
• Conduct a Breach Response Workshop with a tabletop exercise
• Implement appropriate policies, including:
  • Computer and electronic devices usage
  • Document retention and destruction
  • Bring Your Own Device (BYOD)
  • Telecommuting
  • Social media
  • Website privacy policy and terms of use
  • Physical and logical access security
• Require confidentiality agreements for employees, vendors and visitors
• Provide ongoing data privacy and security training to your employees
• Properly shred and securely dispose of personal information
• Use strong password protections and data encryption
• Ensure that your vendors maintain appropriate security measures (and get confirmation in your vendor contracts)
• Review your employee exit process
• Evaluate your cyber liability insurance coverage needs

The Evolving Liabilities: Cyber, Privacy & Security Exposures

10 INSURANCE TIPS FOR THE RECOVERY OF CYBER LOSSES

1. Make sure your insurance matches the way you conduct online business and process data. For example, there are insurance coverage implications if you use cloud computing or other computer vendors for hosting and processing data. Many of the cyber risk insurance policies available today can be tailored to reflect the fact that the policyholder may delegate data management and hosting to third parties.

2. Do not rule out coverage for a claim under traditional business policies. If a cyber loss occurs, consider D&O, E&O, crime and GL insurance coverage depending on the claim against your company or the form of loss. We have had success in winning coverage for our clients for cyber-related losses under traditional coverage that is not expressly sold for cyber losses.

3. Avoid cyber insurance policy terms that condition coverage on the policyholder having employed “reasonable” data security measures. These clauses are so vague and subjective that they are bound to lead to coverage fights. Further, given the lightning speed of technological innovation and amorphous nature of cyber risks, a cyber security practice that was reasonable just months ago may look reckless with the benefit of hindsight and the passage of time.

4. If you possess or process consumer or business credit card information, make sure that you have insurance coverage for fraudulent card charges and credit card brand assessments and fines—these can be large exposures when there is a significant data breach.

5. If you do business with individual consumers and obtain their personal identifying information, make sure you have coverage (including attorney fees coverage) for the inevitable expenses of responding to informal inquiries and formal proceedings that ensue from state attorneys general, the FTC and others when a breach occurs (often implicating residents of several states).

6. Make sure that your insurance covers breaches arising from mobile devices that may or may not be connected to the company’s computer network. More and more employees can access systems through tablets, smart phones, and PCs. The ever-growing size of hard drives and ubiquity of portable drives mean that some employees may create security risks, even when the device is not logged onto the company servers.

7. Complete insurance applications carefully, including D&O applications. Underwriters will be focusing more and more on computer risk areas, and insurance application responses often are used against policyholders to contest insurance claims.

8. Avoid cyber insurance policies with contractual liability exclusions. Contractual liability claims often are made in conjunction with statutory claims, negligence claims and other forms of relief, and policyholders are best off not enduring a huge allocation fight over what portion of the claim is covered in the eyes of the insurance company.

9. If you are buying or renewing specialty cyber insurance policies, make sure that you are working with a very good and experienced broker. There is not presently uniformity of product in the cyber insurance marketplace, and lots of terms are open for negotiation. A good broker can help get you the best coverage.

10. Provide notice to your insurance companies quickly after a breach. Early in the process of responding to a breach, the meter will be running on costs. When you have a breach situation, every second counts, and you undoubtedly will incur costs quickly for computer forensics, attorneys and other consultants. Providing proper notices and advising of these costs promptly can increase the odds of recovering these costs from your insurance companies.

The Evolving Liabilities: Cyber, Privacy & Security Exposures

Resources on Security Breach Information

• Privacy Rights Clearinghouse - www.PrivacyRights.Org
• Open Security Foundation - www.opensecurityfoundation.org
• Ponemon Institute, LLC - www.ponemon.org
• Privacy Law Blog - www.cyberinquirer.com
• NetDiligence – Junto by eRiskHub - http://juntoblog.net/
• Data Loss DB – www.datalossdb.org
• Office of Inadequate Security – www.databreaches.net


The Evolving Liabilities: Cyber, Privacy & Security Exposures

Questions?

• Cartoon Source: www.cyberinquirer.com


The Evolving Liabilities: Cyber, Privacy & Security Exposures

Contact Information:

Charles P Bellingrath
ARC Excess & Surplus LLC
National Practice Leader: Privacy, Network Security, Technology E&O
857.239.5051 - [email protected]