TRANSCRIPT
Most Businesses Couldn’t Pass a DOL Audit – Could Yours?
Guest Presenter
September 15, 2015
2015 Education Series
Charles P. Bellingrath, National Practice Leader: Privacy, Network Security, Technology E&O
Cyber Security: Protecting Your Business and Your Customers
The Evolving Liabilities: Cyber, Privacy & Security Exposures
Between January 2005 and today, 4,602 Data Breaches have been reported allowing unauthorized access to 868,403,517 records…
Are you prepared?
Presented By: Chas Bellingrath – ARC Excess & Surplus, LLC
In Partnership with the Sylvia Group
This presentation is advisory in nature and all examples and descriptions are for illustrative purposes only.
The Evolving Liabilities of Healthcare Cyber, Privacy & Security Risks
• Personally Identifiable Information (PII)
  - Social Security number
  - Driver's license number
  - Credit/debit card numbers
  - Passport number
  - Banking records
  - Date of birth
  - Medical information
  - Mother's maiden name
  - Email/username in combination with password/security question and answer
• HIPAA
• Protected Health Information (PHI)
  - Medical records
  - Health status
  - Provision of health care
  - Payment for health care
• Payment Card Information (PCI)
  - Primary Account Number (PAN)
  - Cardholder name
  - Expiration date
  - Service code (3- or 4-digit code)
  - PIN
Corporate Confidential Information
Data pertaining to a client of the Insured which resides on the Insured's Network due to the Insured providing professional services to such client and for which the Insured has a legal or contractual duty to keep secure and/or confidential such Data.
Corporate Confidential Information includes but is not limited to:
- Trade Secrets
- Designs
- Interpretation
- Forecast
- Formula
- Method
- Practices
Breaches: By Whom and Where?
Who has Unauthorized Access?
- Hackers
- Employees, Faculty and Students
- Outsourcers and Third Party Vendors
What are they accessing?
- Laptops
- Computer Networks/Wireless Networks
- PDAs/Cell Phones
- Paper Files
- Websites
- Clouds
Picture Source: www.cyberinquirer.com
IDENTIFY THE EXPOSURE
• Hackers
• Rogue Employees
• Independent Contractors
• Human Error
• Social Media
• Mobile Devices
• Cloud Computing
• A Changing Regulatory Environment
HISTORY OF BREACHES OVER TIME
Source: www.datalossdb.org – September 2015
Primary Data Breach Causes
Source: Ponemon Institute: 2015 Annual Study
BREACH COSTS BY ACTIVITY (Source: Ponemon Institute)
Activity                               Percent   Dollars Per Record
Investigation & Forensics                 14%         $30
Audit & Consulting Services                7%         $15
Outbound Contact                           3%          $7
Inbound Contact                            5%         $11
Public Relations/Communications            1%          $2
Legal Services - Defense                  16%         $35
Legal Services - Compliance                4%          $9
Free or Discounted Services                1%          $2
Identity Protection Services               2%          $4
Lost Customer Business                    39%         $85
Customer Acquisition Cost                  8%         $17
Total                                    100%        $217
Top Ten Largest Incidents
# of Records    Date         Organization
152,000,000     03/10/2012   Adobe Systems, Inc.
150,000,000     03/17/2012   Shanghai Roadway D&B Marketing Services Co.
145,000,000     05/21/2014   eBay Inc.
130,000,000     01/20/2009   Heartland Payment Systems
110,000,000     12/18/2013   Target Brands, Inc.
109,000,000     09/02/2014   The Home Depot
104,000,000     01/20/2014   Korea Credit Bureau
94,000,000      01/17/2007   TJX Companies
90,000,000      06/01/1984   Sears
83,000,000      08/27/2014   JPMorgan Chase
Source: www.datalossdb.org
Claims Scenarios: Educational Institutions
July 14, 2014 – Orangeburg-Calhoun Technical College – Orangeburg, SC: "Orangeburg-Calhoun Technical College in South Carolina is notifying 20,000 former and current students and faculty members that an unencrypted laptop computer stolen this month from a staff member's office contained their personal information." The information contained on the laptops included names, birth dates and Social Security numbers of individuals. The college stated that the information goes back six or seven years and that it believes the thief was after the hardware, not the data stored on it. The college neglected to comment on whether it is providing credit monitoring services for those affected.
Total Records: 20,000
December 17, 2013 – Radnor Township School – Wayne, PA: An employee performing a transfer of personnel data accidentally left the data accessible, and a middle-school student viewed it. The student also shared the information. Current and former employees may have had their names, addresses, phone numbers, dates of birth and Social Security numbers accessed as early as June and as late as the end of the 2012-2013 school year. The breach was discovered in November.
Total Records: 2,000
Since 2005, 756 Educational Institutions have been subject to breaches affecting 14,725,924 individuals.
Source: www.privacyrights.org
Claims Scenarios: Health Care
October 22, 2013 – AHMC Healthcare – Alhambra, CA: The October 12 office theft of two laptops resulted in the exposure of patient information from a number of facilities. Authorities believe a well-known transient was responsible for the thefts. 729,000 names, Social Security numbers, diagnosis and procedure codes, insurance identification numbers and insurance payments were exposed.
Total Records: 729,000
August 29, 2014 – Memorial Hermann Hospital – Houston: Memorial Hermann Hospital is notifying patients of a data breach in which a former employee accessed medical records of more than 10,000 patients. Reportedly, the former employee had been accessing patient information outside his normal job description for more than seven years, from December 2007 through July 2014. The information breached included patients' medical records, health insurance information, Social Security numbers, names, addresses and dates of birth.
Total Records: 45,600
Since 2005, 1,214 health-care and medical facilities have been subject to breaches affecting 43,040,901 individuals.
Source: www.privacyrights.org
Claims Scenarios: Financial
July 30, 2011 – Belmont Savings Bank – Boston: In May, a bank employee left a backup tape on a desk rather than storing it. A cleaning crew disposed of it later that night. Names, Social Security numbers and account numbers were exposed. The tape contained personal information of more than 13,000 customers. After the breach, the Massachusetts Attorney General's Office issued a $7,500 fine for failure to protect personal information.
Total Records: 13,000
July 17, 2014 – Total Bank – Miami: Total Bank, a subsidiary of Banco Popular that has 21 locations in South Florida, is notifying 72,500 customers that their account information was potentially exposed after an unauthorized third party gained access to the bank's computer network. Information obtained by this unauthorized third party included names, addresses, account numbers, account balances, Social Security numbers and driver's license numbers. The bank is offering 12 months free of credit-monitoring services for those who were affected.
Total Records: 72,500
Since 2005, 609 financial institutions have been subject to breaches affecting 359,188,179 individuals.
Source: www.privacyrights.org
Claims Scenarios: Manufacturing
ABC Manufacturing – June 2014 – Albany, NY
A local manufacturing company outside of Albany, NY, suffered a denial-of-service attack on its network, resulting in a loss of income and extra expenses. It also resulted in lost production and distribution of the company’s products. Extra expenses included the cost to hire a forensic expert to get systems back up and running, and the company was shut down for several days. Expenses and loss of income exceeded $150,000.
Corporate Exposure to Cyber Attacks
• What is a Cyber Attack?
• What are criminals seeking when they attack a business' network or electronic data?
• "Street" value of one stolen information item is reported to be up to $50. The incentive to steal is enormous.
• How do criminals access private or confidential information from a business or organization's electronic files?
Types of Risks & Losses – 1st Party and 3rd Party
• First-Party Claims
  - Hardware or software malfunction
  - Data corruption
  - Denial of service attack
• Third-Party Claims
  - Copyright and trademark infringement
  - Data privacy breach
  - Internet media liability (i.e., defamation)
  - Unauthorized access/unauthorized use (e.g., third-party data corruption, denial-of-service attack)
  - Statutory/regulatory liability (federal and state)
Legal Landscape: New Regulations Lead to New Insurance Needs
• Personal Data Privacy & Security Act of 2007
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The Gramm-Leach-Bliley Act of 1999 (GLBA)
• Fair Credit Reporting Act
• Fair & Accurate Credit Transactions Act of 2003
• Electronic Communications Privacy Act of 1986
• Family Educational Rights & Privacy Act (FERPA)
• State Specific Security Breach Notification Laws*
• HITECH Act (enacted with Jan 2009 Federal Stimulus Package)
• MA GL, 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts.
47 States now have breach-notification requirements
Kentucky joined as the 47th state in 2014
https://www.beazley.com/our_business/professional_liability/tmb/data_breach_map.html
Alabama, South Dakota and New Mexico are the remaining states that do not have any specific legislation pertaining to security breach notification.
BEST PRACTICES
• SEC Guidance
• Due Diligence on Vendors
• Negotiate Strong Terms in Vendor/Cloud Contracts
• Risk Transfer Indemnity/Insurance
• Security Assessment of Vendor: Tricky in a Multi-Tenant Cloud Platform
• Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders
Cyber Liability Insurance Exposures, Coverage and Risk Management
Insurance Coverage for Data Breach:
• Types of policies providing coverage?
• How Does Traditional Insurance Respond?
  - Property Policies?
  - CGL Insurance Policies?
  - Crime Insurance Policies
  - D&O
  - E&O
• What Is Cyber, Privacy and Security Liability?
• Overview and History of the Coverage
First-Party Loss
• First-Party Breach Response Expenses
  - Cost to hire a breach coach/legal services
  - Cost to hire a computer security/forensic expert
  - Cost to notify the affected individuals
  - Cost to provide credit monitoring to affected individuals
  - Cost to provide call center services
  - Cost to hire a public relations/crisis management firm to help remediate reputational harm resulting from the breach
• Cyber Business Income and Extra Expense Including Data Restoration Expenses
• Cyber Extortion Payments
Third-Party Loss
• Failure to Implement and Maintain Reasonable Security Measures
• Negligence
• Unfair, Deceptive and Unlawful Business Practices
• Violation of Privacy
• Invasion of the Customer's Right to Privacy
• Breach of Contract and Violation of Consumer Fraud Act
• Defense and Damages
• Media/Intellectual Property
• Regulatory Actions including fines and penalties
• PCI Fines and Penalties
DEALING WITH A SECURITY BREACH
• Data Breach Team and Incident Response Plan needs to be in place
• Compliance with state notice laws
• Notice all potentially applicable insurance
• The benefits of a dedicated Cyber Insurance Policy (risk transfer, access to breach coaches, forensic experts, etc.)
KEY CYBER MARKETS
ACE, AIG, AWAC, ARCH, AXIS, BEAZLEY, CHUBB, C.N.A., Hiscox, Endurance, Liberty, Great American, Ironshore, Various Lloyds Markets (UK), Markel/Evanston, NAS Insurance, Navigators, Travelers, XL, QBE, Zurich, and many more! We work with over 50 markets.
RISK MANAGEMENT
IMPLEMENT PROACTIVE MEASURES TO MINIMIZE THE RISK OF A DATA BREACH
• Create a culture of privacy and security throughout your organization
• Assemble your Incident Response Team and prepare an Incident Response Plan
• Perform a data privacy review and risk assessment, including vulnerability scanning and penetration testing
• Utilize data classification and segmentation
• Prepare a Written Information Security Program (WISP)
• Conduct a Breach Response Workshop with a tabletop exercise
• Implement appropriate policies, including:
  - Computer and electronic devices usage
  - Document retention and destruction
  - Bring Your Own Device (BYOD)
  - Telecommuting
  - Social media
  - Website privacy policy and terms of use
  - Physical and logical access security
• Require confidentiality agreements for employees, vendors and visitors
• Provide ongoing data privacy and security training to your employees
• Properly shred and securely dispose of personal information
• Use strong password protections and data encryption
• Ensure that your vendors maintain appropriate security measures (and get confirmation in your vendor contracts)
• Review your employee exit process
• Evaluate your cyber liability insurance coverage needs
10 INSURANCE TIPS FOR THE RECOVERY OF CYBER LOSSES
1. Make sure your insurance matches the way you conduct online business and process data. For example, there are insurance coverage implications if you use cloud computing or other computer vendors for hosting and processing data. Many of the cyber risk insurance policies available today can be tailored to reflect the fact that the policyholder may delegate data management and hosting to third parties.
2. Do not rule out coverage for a claim under traditional business policies. If a cyber loss occurs consider D&O, E&O, crime and GL insurance coverage depending on the claim against your company or the form of loss. We have had success in winning coverage for our clients for cyber-related losses under traditional coverage that is not expressly sold for cyber losses.
3. Avoid cyber insurance policy terms that condition coverage on the policyholder having employed “reasonable” data security measures. These clauses are so vague and subjective that they are bound to lead to coverage fights. Further, given the lightning speed of technological innovation and amorphous nature of cyber risks, a cyber security practice that was reasonable just months ago may look reckless with the benefit of hindsight and the passage of time.
4. If you possess or process consumer or business credit card information, make sure that you have insurance coverage for fraudulent card charges and credit card brand assessments and fines—these can be large exposures when there is a significant data breach.
5. If you do business with individual consumers and obtain their personal identifying information, make sure you have coverage (including attorney fees coverage) for the inevitable expenses of responding to informal inquiries and formal proceedings that ensue from state attorneys general, the FTC and others when a breach occurs (often implicating residents of several states).
6. Make sure that your insurance covers breaches arising from mobile devices that may or may not be connected to the company’s computer network. More and more employees can access systems through tablets, smart phones, and PCs. The ever-growing size of hard drives and ubiquity of portable drives mean that some employees may create security risks, even when the device is not logged onto the company servers.
7. Complete insurance applications carefully, including D&O applications. Underwriters will be focusing more and more on computer risk areas, and insurance application responses often are used against policyholders to contest insurance claims.
8. Avoid cyber insurance policies with contractual liability exclusions. Contractual liability claims often are made in conjunction with statutory claims, negligence claims and other forms of relief, and policyholders are best off not enduring a huge allocation fight over what portion of the claim is covered in the eyes of the insurance company.
9. If you are buying or renewing specialty cyber insurance policies, make sure that you are working with a very good and experienced broker. There is not presently uniformity of product in the cyber insurance marketplace, and lots of terms are open for negotiation. A good broker can help get you the best coverage.
10. Provide notice to your insurance companies quickly after a breach. Early in the process of responding to a breach, the meter will be running on costs. When you have a breach situation, every second counts, and you undoubtedly will incur costs quickly for computer forensics, attorneys and other consultants. Providing proper notices and advising of these costs promptly can increase the odds of recovering these costs from your insurance companies.
Resources on Security Breach Information
• Privacy Rights Clearinghouse – www.PrivacyRights.Org
• Open Security Foundation – www.opensecurityfoundation.org
• Ponemon Institute, LLC – www.ponemon.org
• Privacy Law Blog – www.cyberinquirer.com
• NetDiligence – Junto by eRiskHub – http://juntoblog.net/
• Data Loss DB – www.datalossdb.org
• Office of Inadequate Security – www.databreaches.net
Questions?
Cartoon Source: www.cyberinquirer.com
Contact Information:
Charles P Bellingrath
ARC Excess & Surplus LLC
National Practice Leader: Privacy, Network Security, Technology E&O
857.239.5051 - [email protected]