Emerging Trends in Information Security and Privacy
- 3. Full service Professional Services Firm:
Attest services
Tax preparation and compliance
IT Audit and Security
Internal Control
Internal Audit Outsourcing
SSAE 16 Services
Over 70 professionals
Highly qualified in a variety of specializations: CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST
Affiliations: AICPA, PCAOB, ACFEI, ISACA, PCAOB, TANGO, CICPAC, Practicewise, VACO Risk Solutions
- 4. Vaco Risk Solutions
Specializing in helping our clients reduce their risks
30 locations strong
Highly qualified consultants
▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt
We belong to:
▪ Member of Information System Audit and Controls Association (ISACA)
▪ Member of American College of Forensic Examiners Institute (ACFEI)
▪ Association of Credit Union Internal Auditors (ACUIA)
▪ PCI Qualified Security Assessors certified by PCI Security Standards Council
▪ Payment Application Qualified Security Assessors certified by PCI Security Standards Council
▪ Member of Petroleum Convenience Alliance for Technology Standards (PCATS)
▪ Member of National Association of Convenience Stores (NACS)
- 7. Suzanne Miller, Ph.D., Partner – Vaco Risk Solutions
Linn Foster Freedman, Esq., Partner – Nixon Peabody LLP
Brian Bonkoski, Vice President – ACE Professional Risk
Kevin Ricci, CISA, Director of Information Technology – LGC&D LLP
- 8. Speaker Risk Discussions
Panel Discussion – Best Practices and Strategies
Question and Answer
- 10. PCI – Quick Overview
Growing Data Trends and Associated Risks
◦ Employees: IT Convenience
◦ Customers: Mobile Apps
Growing Threats to Corporate Security
◦ Top 3 Threats Affecting Corporate Security
- 11. An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
– September 7, 2006 –
- 12. Founders
◦ American Express
◦ Discover Financial Services
◦ JCB
◦ MasterCard Worldwide
◦ Visa International
New NACHA
- 15. PCI DSS Self-Assessment Questionnaire (SAQ) validation types

| SAQ Validation Type | Description | # of Qs v3.0 | # of Qs v2.1 | ASV | Pen Test |
| --- | --- | --- | --- | --- | --- |
| A | Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage | 14 | 1 | No | No |
| A-EP | E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data | 139 | NEW | Yes | Yes |
| B | Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage | 41 | 12 | No | No |
| B-IP | Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage | 83 | NEW | Yes | No |
| C | Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage | 139 | 59 | Yes | No |
| C-VT | Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage | 73 | 22 | No | No |
| D-MER | All other SAQ-eligible merchants | 326 | 38 | Yes | Yes |
| D-SP | SAQ-eligible service providers | 347 | NEW | Yes | Yes |
| P2PE | Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage | 35 | 17 | No | No |
- 20. Cloud – Computing Risks
Organizational Risk
◦ Employees use unauthorized consumer-oriented tools and save corporate data
Trade secrets, financial reports, meeting notes, etc.
Sits unprotected; locations unknown to company
Financial Risk:
◦ Cost of exposed business confidential data
~ $214 per compromised record – Ponemon Institute, May 2014
- 21. Cloud – Risk Mitigation
◦ Strategy
Monitoring and controlling use of collaboration tools
Securing data on collaboration tools
COST SAVINGS & PRODUCTIVITY IMPROVEMENTS:
> $8,184 per user annually.
Productivity ~1.2 hours each day or 266 hours per year
◦ Policy
Governance
◦ Technology
Offer safer enterprise-grade consumer tools
◦ Education
Risk Awareness to rank and file
- 22. Cloud – Computing
The Cloud Security Alliance maintains the Cloud Controls Matrix to assist cloud providers and cloud consumers in meeting audit requirements, including the PCI DSS.
https://cloudsecurityalliance.org/research/ccm/
- 23. Mobile Apps revenue expected to reach an estimated $70 Billion by 2017*. Revenue in 2012 ~ $8.5 billion
- 24. Risks
Organizational Risk:
◦ Non-compliance with state and federal regulatory requirements for Mobile Apps
Geo-location data
Behavioral targeting
Inferred consent
Retargeting
Data security and quality
Mobile Privacy Statement
- 25. Financial Risk:
◦ Fines
Delta failed to have a conspicuous privacy policy on ‘Fly Delta’ – CA Attorney General (12/2012)
Fined $2,500 per app download
Downloaded 1 million times on Google Play
Social networking app, ‘Path’
Fined $800,000 by FTC over allegations that it collected personal information without obtaining consumers’ consent – (2/11/2013)
FTC Crackdown COPPA
$16,000 fine for each download (5/15/2014)
- 26. Risk Mitigation
◦ Strategy
Understand the changing compliance landscape for Mobile Apps across your enterprise
Marketing, application developers, legal, internal audit, etc.
Expand Risk Governance
◦ Policy
Expand Risk Governance
◦ Technology
Understand the ecosystem
◦ Education
Risk Awareness to rank and file
NOTE: The FTC released on 2/11/2013 a report outlining privacy guidelines for mobile platform providers, application developers, and advertising networks (the “Report”). Explaining the Commission’s increased attention to this area, the outgoing FTC Commissioner described the current state of rules and practices in the mobile space as a sort of “Wild West.” Cautioning that the Commission will "closely monitor developments in this space”, the FTC “strongly” encouraged companies in the mobile ecosystem to work expeditiously to implement the recommendations in the Report. The guidance focuses on how mobile app players should improve their disclosures to ensure that users understand how their personal data will be collected and used.
- 27. ◦ Privacy Statement shall state:
What information is collected from an Individual's Mobile Device;
Whether information is shared with another application installed on the Individual's Mobile Device;
How Geo-location Data is used;
If Geo-location Data is used to create a profile about the Individual;
How long Geo-location Data is retained;
What types of Third Parties, including Service Providers, Geo-location Data is shared with and for what purpose;
How the Individual can restrict the disclosure of Geo-location Data to Third Parties; and
How the Individual can revoke consent to your company's collection and use of Geo-location Data.
…and the list goes on
- 28. Era of Advancing Risks*
* Global State of Information Security Survey 2014, CIO and CSO Magazine
- 29. Most dangerous cyber threat today
Few organizations have the capabilities to prevent it
- 30. Look at Healthcare sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place
- 31. Look at Public sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place
- 32. Look at Retail sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place
- 34. Look at Public sector: Percentage of respondents who report the impact of data breaches.
- 35. Look at Retail sector: Percentage of respondents who report the impact of data breaches.
- 36. Look at Healthcare sector: Percentage of respondents who report core security safeguards ARE NOT in place.
- 37. Look at Public sector: Percentage of respondents who report core security safeguards ARE NOT in place.
- 38. Look at Retail sector: Percentage of respondents who report core security safeguards ARE NOT in place.
- 39. Percentage of respondents identifying their greatest obstacles to improving the strategic effectiveness of their company’s information security function.
- 42. SUMMARY OF PRESENTATION
—Headlines on data privacy and security and breaches
—What are the Risks
—Implementing a Data Privacy & Security Plan
—Identify high risk data
—State Privacy & Security Laws
—Federal Privacy & Security Regulations
—Use of mobile technology
—Use of e-mail and cloud services
—Best practices
- 44. DATA SECURITY — WHAT’S THE RISK?
Increase of conducting business online = Exponential increase of threats to data security
- 45. DATA SECURITY — WHAT’S THE RISK? (CONT’D)
— Companies collect and possess larger
amounts of customer, employee and client
data than ever
— Greater use of mobile technology,
websites, cloud storage
• Allows for easier opportunity for hackers,
identity thieves/data security breaches
• Increase in loss of proprietary information
• Potential for damage to company’s
reputation
• Threat of state and federal
regulatory enforcement
- 46. INCREASE OF DATA SECURITY BREACHES
June 2012 Ponemon Institute Report
— 90% of companies surveyed had a
computer breached at least once in the
prior 12 months
— 44% of companies surveyed viewed IT
infrastructures as insecure
- 47. INCREASE OF DATA
SECURITY BREACHES (CONT’D)
May 2013 Ponemon Institute Report
— Data breaches cost U.S. companies
surveyed an average of $5.4 million in
the prior 12 months
— An average of 28,765 records for U.S.
companies surveyed were exposed or
compromised in the prior 12 months
— It cost U.S. companies surveyed an
average of $188 per record breached
in the prior 12 months
- 48. DATA PRIVACY & SECURITY PLAN
Identify high risk data
Use of mobile technology, e-mail and cloud services
Develop policies and best practices
Train all employees
- 49. IDENTIFYING HIGH-RISK DATA
— Personally Identifiable Information
• Includes SS #, state-issued ID #, mother’s
maiden name, driver’s license #, passport #,
credit history, criminal history
— Name & Contact Information
• Includes initials, address, telephone number,
e-mail address, mobile number, date of birth
— Personal Characteristics
• Includes age, gender, marital status,
nationality, sexual orientation, race, ethnicity,
religious beliefs
- 50. IDENTIFYING HIGH-RISK DATA (CONT’D)
— Financial Institution Data
• Includes credit, ATM, debit card #s, bank
accounts, payment card information, PINs,
magnetic stripe data, security codes,
access codes, passwords
— Health & Insurance Account Information
• Includes health status and history, disease
status, medical treatment, diagnoses,
prescriptions, insurance account #,
Medicare and Medicaid information
• HIPAA compliance
- 51. IDENTIFYING HIGH-RISK DATA (CONT’D)
— Website Traffic
• Notice of Privacy Practices
• Terms and Conditions of Use
— Employment Information
• Includes income, salary, service fees, compensation
information, background check information
- 52. STATE PRIVACY & SECURITY LAWS
Social Security number protection laws
— e.g. Rhode Island
— e.g. New York (§399-dd) – restrictions on use, disclosure and access
Data security regulations
— e.g. Massachusetts (201 CMR § 17.00) – must implement a written information security plan with detailed data security safeguards
Data security regulations
— 47 states
• Most states require notification of a breach to state authorities
Website/mobile app data collection laws
— e.g. California (§§22575-22579, “CalOPPA”) – conspicuously post privacy policy with transparent details re: data collection/use
— None in RI to date
- 53. STATE ENFORCEMENT/FINES AND PENALTIES
Examples:
— Massachusetts data security regulations
(up to $5k per violation)
• $63k against MA restaurant
• $750k against South Shore Hospital
— California website/mobile app CalOPPA
statute (up to $2,500 per violation)
• AG sent hundreds of non-compliance letters to
companies without privacy policies and/or
unclear privacy practices on website/mobile app
— None in Rhode Island to date
- 54. STATE HEALTH INFORMATION PRIVACY LAWS
— Mental Health Law
— HIV/Aids
— Sexually transmitted diseases
— Genetic Information
- 55. FEDERAL PRIVACY & SECURITY LAWS
— Federal Trade Commission (“FTC”)
• § 5 of the FTC Act prohibits “unfair or deceptive acts or practices”
Covers advertising claims, marketing, and promotions
Not limited to any particular medium
• Enforcement of several sector-specific privacy laws
Fair Credit Reporting Act (“FCRA”)
Children’s Online Privacy Protection Act (“COPPA”)
- 56. FTC ENFORCEMENT/FINES AND PENALTIES
More than 100 privacy-related actions
since 2001, including:
— 40+ Data Security Cases
— 100+ Spyware Cases
— 20 COPPA cases
— Several FCRA cases
— Increasing Emphasis on Mobile
Technology
- 57. FEDERAL PRIVACY & SECURITY LAWS (CONT.)
— Gramm-Leach-Bliley Act
• To protect privacy of personally
identifiable, nonpublic financial
information
- 58. FEDERAL PRIVACY & SECURITY LAWS (CONT.)
— HIPAA
• To protect the privacy of
health information
- 59. THE OMNIBUS RULE
Certain HIPAA “Privacy and Security Rule” Provisions
apply directly to business associates as a regulated entity
— BAs must have required HIPAA policies and procedures
in place
— BAs are subject to direct enforcement by OCR as of
September 23, 2013
- 60. ENFORCEMENT PENALTIES FOR HIPAA VIOLATIONS
Civil Penalties are tiered, depending on conduct
Unknown
— $100 per violation up to $50,000 for all identical violations in a calendar year
Reasonable cause that is not willful neglect
— $1,000 for each violation up to $50,000 for all identical violations in a calendar year
Willful neglect
— If violation corrected within 30 days of knowledge: $10,000 for each identical violation, up to $50,000 for all identical violations in a calendar year
— If violation not corrected: $50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year
- 61. CRIMINAL ENFORCEMENT PROVISIONS
HIPAA also carries criminal penalties for persons who “knowingly” obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. § 1320d–6(a):

| Conduct | Fine | Prison |
| --- | --- | --- |
| Knowingly | $50,000 | One year |
| False Pretenses | $100,000 | Five years |
| For Profit, Gain, or Harm | $250,000 | 10 years |
- 62. RISKS OF BREACH ASSOCIATED WITH MOBILE TECHNOLOGY
— Smartphones
— Laptops
— USB or flash drives
• 5 million British Columbians’ data breached (1/15/13)
USB drive
— Compliance with 47 state breach notification regulations
• E-mails
• Cloud vendors
- 63. RISKS OF CLOUD COMPUTING
— There are over 400 cloud computing providers
— Privacy and Security
— Confidentiality
— ‘True’ Ownership and Control
— Data Restoration and Data Retention, Longevity of Vendors
— Accessibility (i.e. all business hours, weekends, holidays; 24
hours a day)
— Unfamiliarity with Technology
— Integration with Firm Systems
— Jurisdictional Concerns if Dispute Arises
- 64. BEST PRACTICES FOR LAPTOPS & REMOVABLE MEDIA
— Encryption
— Policies and procedures for removing devices and data from business premises
— Do not permit employees to leave laptops and removable devices in cars or hotel rooms
— Prohibition of downloading sensitive data onto the hard drive of a laptop or other removable media
— Remote wipe procedures
— BYOD policy
- 65. BEST PRACTICES USING E-MAIL
— Encryption
— Virtual Private Network/RSA
— Verify Selected Recipients
— Use Standard Confidentiality Disclaimer
— “Sensitive” Communications, Special
Protections against Disclosure to 3rd Parties
• It is the responsibility of the employee directing
the communication to determine if the
communication is “sensitive” in accordance with
RIOHHS policies and procedures
- 66. REPORTING SECURITY INCIDENTS
— Make sure all employees know
to report a privacy concern, a
suspected breach, information
security problem, theft of
computer equipment or if you
suspect there may be a
problem to the Security Officer
— When in doubt REPORT
- 67. CONCLUSION
— Identify all of your “electronic highways” and what they connect with on the inside.
— Perform threat and risk assessment on a regular basis
— Identify controls that will reduce risk to an acceptable level
— Review the effectiveness of controls periodically as well as after incidents
— Ensure you have proper Incident Response Plans in place
— Present Key Risk Indicators (KRI) to management in order to gain their support with regard to any proposed risk mitigation efforts
— Insure risks
- 68. This presentation contains images used under license. Retransmission, republication, redistribution, and downloading
of this presentation, including any of the images as stand-alone files, is prohibited.
This presentation may be considered advertising under certain rules of professional conduct. The content should not be
construed as legal advice, and readers should not act upon information in this publication without professional counsel.
©2014. Nixon Peabody LLP. All rights reserved.
THANK YOU!
QUESTIONS?
Linn Foster Freedman, Esq.
T: 401-454-1108
lfreedman@nixonpeabody.com
Nixon Peabody LLP
One Citizens Plaza
Suite 500
Providence, RI 02903
- 70. Disclaimer
The material presented in this presentation is not intended to provide
legal or other expert advice as to any of the subjects mentioned, but
rather is presented for general information only. You should consult
knowledgeable legal counsel or other knowledgeable experts as to any
legal or technical questions you may have. Further, the insurance
discussed is a product summary only. For actual terms and conditions
of any insurance product, please refer to the policy. Coverage may
not be available in all states.
- 71. Goals of Today's Presentation
Coverage Overview by Insuring Agreement
Network Security Liability
Privacy Liability
Data Breach Team
Network Extortion
Business Interruption Loss
Digital Asset Loss
Key Markets
Claims Overview
Industry Trends and Expenses
Claims Examples
- 72. Network Security Liability
Covers any liability of the organization arising out of the failure of network security,
including unauthorized access or unauthorized use of corporate systems, a denial of
service attack, or transmission of malicious code.
- 73. Privacy Liability
Covers loss arising out of the organization’s failure to protect sensitive personal or
corporate information in any format. Provides coverage for regulatory proceedings
brought by a government agency alleging the violation of any state, federal, or foreign
identity theft or privacy protection legislation.
- 74. Data Breach Expenses – 1st Party
Forensics
Public Relations/Crisis Management Services
Legal Services including but not limited to determining compliance with Privacy Regulations,
drafting notification letters and indemnification rights
Notification/Credit Monitoring Services
Call Center Services
Fraud Consultation services provided through a licensed investigator or credit specialist
Identity Restoration Services
- 75. Data Breach Expenses – 1st Party Cont’d
Network Extortion
Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive
information or bring down a network unless consideration is made.
Digital Asset Loss
Covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a
result of a network security failure.
Business Interruption
Covers loss of income and extra expense arising out of the interruption of network service due to an
attack on the insured’s network.
- 76. Markets
ACE USA
AIG
Lexington
Beazley
C.N.A.
AWAC
Chubb
Axis
XL
Hiscox
Zurich
Travelers
Philadelphia Insurance
One Beacon
Hartford
Swiss RE
Endurance
Houston Casualty
- 77. Claims and Industry Trends (as of 1/31/2014)
Claims by cause (chart): Hack 24%; Lost/Stolen Hardware 22% (Laptops 15%, Hard Drives 5%, Other 2%); Rogue Employee 15%; Human Error 14%; Privacy Policy 9%; Unknown 7%; Paper 6%; Software Error 3%
Industry Breakout
• Healthcare – 31%
• Technology – 14%
• Professional Services – 12%
• Retail – 10%
• Financial Institutions – 8%
Targeted Attacks for PI:
• Lost/Stolen Devices
• 2008 – 41%
• 2012 – 17%
• 2013 – 17%
• Hacking and Rogue Employee
• 2008 – 31%
• 2012 – 44%
• 2013 – 44%
This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied
or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
- 78. Triggers by Industry Segment (as of 1/31/2014)
Breach trigger by industry segment (chart values, in the order the bars appear):

| Industry | Hack | Rogue Employee | Lost/Stolen Devices | Human Error | Privacy Policy |
| --- | --- | --- | --- | --- | --- |
| Healthcare | 4% | 22% | 25% | 19% | 11% |
| Retail | 42% | 17% | 15% | 6% | 15% |
| Technology | 34% | 10% | 21% | 9% | 12% |
| Professional Services | 21% | 14% | 32% | 14% | 6% |
- 79. Average Cost of First Party Expenses (as of 1/15/2014)
Every Breach Response is Unique
Cost Range of Each Service
Legal Fees:
Under $5,000 up to about $250,000
Forensics:
About $10,000 to Seven Figures
Notification & Call Center:
Approximately $3 per Record
Credit Monitoring:
Payment per Enrollee or
Restoration Service
Minimal Crisis Management Costs
Objective: Limit Third Party Exposure
* ACE Data, Reflects Average Incurred Costs Across Paid Claims
Average incurred cost by service (chart): Legal Fees $48,091; Forensics $192,049; Notification & Call Center $272,428; Credit Monitoring $157,577; Crisis Management $12,600
- 80. Claims Process
Pre-Breach Preparation
Identify Decision Makers
Consider Vendor Relationships and Selection for Breach Response
Test Incident Response Plans
Notice
Contact key personnel internally
Contact Insurance Carrier (if applicable)
Engage Data Breach Vendors
Data Breach Coach
Forensic and Legal Investigation
Notification and Call Center
Credit Monitoring
Crisis Management
Third Party Claims
Class Action Lawsuits
PCI Assessments
Regulatory Fines and Penalties
- 81. Third Party Claims
Three Types of Third Party Claims
Regulatory Proceedings (Less than 2%)
Pre-litigation Demands (8%)
Class Action Lawsuits (10%)
Regulatory Fines
Bad Actor – Lack of Proper Response or Compliance
Repeat Offender
Lack of Internal Privacy Policies and Procedures
Pre-Litigation Demands
Mostly in Healthcare
Disclosure of Extremely Sensitive Information
Adverse Employment Action
- 82. Claims Examples – Retail
Website Breached
Users of a $250 million online retailer’s website began experiencing fraudulent credit card charges. The retailer’s IT group
contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found
and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The
retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant.
Data Breach Fund Costs
$750,000 for notification, call center services, and legal fees to determine the insured’s regulatory obligations
Privacy Liability Costs
$500,000 in assessments for lack of PCI compliance
Credit Card Information Stolen by Employee
A $100 million retail company’s employee improperly obtained the credit card information of a client and fraudulently used the
information to make illegal purchases. The employee was caught and prosecuted. The client’s attorney demanded that the insured
provide credit monitoring services and compensate the client for her damages.
Privacy Liability Costs
$75,000 for the settlement amount and legal fees
- 83. Claims Examples – Healthcare
External Vendor Misplaced Laptops
A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the
relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its
members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to
notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory
inquiry and was named as a defendant in a class action lawsuit.
Data Breach Fund Costs
$7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring
Privacy Liability Costs
$2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries
Employee Lost Flash Drive
An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of
approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various
state regulators were also notified in accordance with applicable law.
Data Breach Fund Costs
$110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory
obligations
- 84. Claims Examples – Misc Services
Private Information Disclosed Due to Printing Error
A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately
60,000 envelopes bearing account numbers on the outside of the envelopes.
Data Breach Fund Costs
$320,000 for notification and credit monitoring services
Laptops Stolen from Office
Five laptops were stolen from the office of a professional services company. The laptops contained personal information of
approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit
monitoring costs.
Data Breach Fund Costs
$200,000 for notification, credit monitoring services, and legal fees
Personal Information Posted Online
A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal
information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the
process of notifying the impacted individuals and offering credit monitoring services.
Data Breach Fund Costs
$150,000 to date for legal fees, notification, credit monitoring, and Public Relations services
- 85. Questions?
Contact:
Brian Bonkoski
ACE Professional Risk
Vice President
(215) 640-5934
brian.bonkoski@acegroup.com
- 87. How do I mitigate my risk with
the growing use of mobile and
portable technologies?
Policies and Education
Social networking awareness
Encryption
Remote Wipes/Autolocks
Obtaining employee consent
Backing up company
information on an employee
device
Do’s and Don’ts of mobile use
Laptop Safety
- 88. What should I be doing to prepare
my Company for the increased
regulations related to IT Security?
Understand business activities
subject to regulation for privacy
considerations
▪ Disclosure of PI collections and
sharing procedures
▪ Website and mobile app privacy
Know how changes in business
operations impact compliance
requirements
Accept responsibility for
compliance
▪ EXECUTIVE MANAGEMENT
▪ BOARD OF DIRECTORS
- 90. What are some of the things I need to consider when using 3rd party service providers?
For all vendors:
▪ Due diligence on their data
security
▪ Coordination of
representations in privacy
policies
▪ Allocation of responsibilities in
event of breach
▪ Terms in vendor agreements:
▪ Indemnification provisions
▪ Access provisions
▪ Insurance requirements (cyber
and other)
Cloud computing
▪ Identify the assets for cloud
deployment
▪ Evaluate the assets
▪ Map the assets to the cloud
deployment model
▪ Evaluate potential cloud
service models
▪ Map out data flow
- 91. What should I be doing to prepare
the Company for a breach?
Screen new hires and vendors
Annual risk assessments
Educate employees
Discuss privacy by design with
operations people
Pre-arrange breach service providers
Develop a cross functional privacy
committee for breach planning and
response
Discuss information collection and
disclosure practices with all
departments
Consider insuring against risks
- 92. What can I do to better
protect my data from cyber
crime?
Data Mapping - Understand
WHAT your sensitive data is
and WHERE it resides
Perform a security risk
assessment
Set security standards
Develop comprehensive
policies
Provide security training
Adopt a business plan
Spear Phishing Do’s and
Don’ts