EMERGING TRENDS IN
INFORMATION PRIVACY
AND SECURITY
August 6, 2014 Presentation
Logistics
CPE Credit Requirements
Takeaways
• Full service Professional Services Firm:
  ◦ Attest services
  ◦ Tax preparation and compliance
  ◦ IT Audit and Security
  ◦ Internal Control
  ◦ Internal Audit Outsourcing
  ◦ SSAE 16 Services
• Over 70 professionals
• Highly qualified in a variety of specializations:
  ◦ CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST
• Affiliations:
  ◦ AICPA, PCAOB, ACFEI, ISACA, TANGO, CICPAC, Practicewise, Vaco Risk Solutions
• Vaco Risk Solutions
  ◦ Specializing in helping our clients reduce their risks
  ◦ 30 locations strong
  ◦ Highly qualified consultants
    ▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt
  ◦ We belong to:
    ▪ Information Systems Audit and Control Association (ISACA)
    ▪ American College of Forensic Examiners Institute (ACFEI)
    ▪ Association of Credit Union Internal Auditors (ACUIA)
    ▪ PCI Qualified Security Assessors certified by PCI Security Standards Council
    ▪ Payment Application Qualified Security Assessors certified by PCI Security Standards Council
    ▪ Petroleum Convenience Alliance for Technology Standards (PCATS)
    ▪ National Association of Convenience Stores (NACS)
Emerging Trends in Information Security and Privacy
Former FBI Director Mueller: “There are two types of companies, those that have been hacked and those that don’t know it”
• Suzanne Miller, Ph.D., Partner – Vaco Risk Solutions
• Linn Foster Freedman, Esq., Partner – Nixon Peabody LLP
• Brian Bonkoski, Vice President – ACE Professional Risk
• Kevin Ricci, CISA, Director of Information Technology – LGC&D LLP

• Speaker Risk Discussions
• Panel Discussion – Best Practices and Strategies
• Question and Answer
Suzanne Miller, Ph.D.
VCAG
Vaco Compliance and Audit Group
August 6, 2014
• PCI – Quick Overview
• Growing Data Trends and Associated Risks
  ◦ Employees: IT Convenience
  ◦ Customers: Mobile Apps
• Growing Threats to Corporate Security
  ◦ Top 3 Threats Affecting Corporate Security
• PCI Security Standards Council (PCI SSC), founded September 7, 2006: an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
• Founders
  ◦ American Express
  ◦ Discover Financial Services
  ◦ JCB
  ◦ MasterCard Worldwide
  ◦ Visa International
New NACHA
Service
Providers
SAQ Validation Type | Description | # of Qs v3.0 | # of Qs v2.1 | ASV scan | Pen Test
A     | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | 1 | No | No
A-EP  | E-commerce merchants redirecting to a third-party website for payment processing, no electronic cardholder data storage | 139 | NEW | Yes | Yes
B     | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | 12 | No | No
B-IP  | Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | NEW | Yes | No
C     | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | 139 | 59 | Yes | No
C-VT  | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | 22 | No | No
D-MER | All other SAQ-eligible merchants | 326 | 38 | Yes | Yes
D-SP  | SAQ-eligible service providers | 347 | NEW | Yes | Yes
P2PE  | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | 17 | No | No
PCISecurityStandards.org
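Every SAQ type except D rests on the claim "no electronic cardholder data storage", and the usual way that claim fails is a PAN that leaked into a log line, a spreadsheet export or a support mailbox. The following is an added example, not code from the presentation or from PCI SSC, of a small discovery scan a merchant can run over such files before self-assessing: it extracts digit runs of card length, keeps only those with a known issuer prefix and a valid Luhn checksum (so SSNs, phone numbers and tracking numbers drop out), and reports hits truncated to first six and last four digits so the scan report itself does not become cardholder data. The sample log lines are constructed, and the card numbers in them are publicly documented test PANs, not real accounts.

```python
"""Added example (not from the presentation or PCI SSC): find stored PANs in text.

A merchant self-assessing as SAQ A/B/C asserts that no electronic cardholder
data is stored. This scan checks files for that claim: it extracts 13-19 digit
runs, keeps those with a known issuer prefix and valid Luhn checksum, and
reports them truncated (first six, last four) so the report itself holds no PAN.
"""
import re
import sys
from typing import List, NamedTuple, Optional

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Public issuer prefixes and PAN lengths; a prefix+length hit is required before the Luhn test.
_BRANDS = (
    ("Visa", re.compile(r"^4"), {13, 16, 19}),
    ("MasterCard", re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720))"), {16}),
    ("American Express", re.compile(r"^3[47]"), {15}),
    ("Discover", re.compile(r"^(6011|65)"), {16}),
    ("JCB", re.compile(r"^35(2[89]|[3-8]\d)"), {16}),
)


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked: str  # first six + last four, the PCI DSS truncation format


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Return the issuer name when prefix and length match a known brand, else None."""
    for name, prefix, lengths in _BRANDS:
        if prefix.search(digits) and len(digits) in lengths:
            return name
    return None


def truncate(digits: str) -> str:
    """Keep first six and last four digits; never write a full PAN to the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line; non-card digit runs fail on length, prefix or Luhn."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            brand = brand_of(digits)
            if brand is not None and luhn_ok(digits):
                findings.append(Finding(line_no, brand, truncate(digits)))
    return findings


# Constructed sample log; the card numbers are public test PANs, not real accounts.
# Line 2 fails Luhn, line 3 holds an SSN and a phone number, line 5 also holds a
# 22-digit tracking number that is too long to be a PAN.
SAMPLE_LOG = """\
2014-08-06 10:01:12 order=1007 card=4111 1111 1111 1111 amount=49.99
2014-08-06 10:02:40 order=1008 card=4111111111111112 amount=12.00
2014-08-06 10:03:05 ticket=551 ssn=123-45-6789 phone=401-454-1108
2014-08-06 10:04:51 order=1009 card=3782-822463-10005 amount=300.00
2014-08-06 10:05:30 order=1010 card=5555555555554444 tracking=9400111899223100000000
"""


if __name__ == "__main__":
    # Usage: python <this file> [file ...]; with no arguments the constructed sample is scanned.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for f in scan_text(fh.read()):
                    print(f"{path}:{f.line_no}: {f.brand} {f.masked}")
    else:
        for f in scan_text(SAMPLE_LOG):
            print(f"line {f.line_no}: {f.brand} {f.masked}")
```

Luhn alone passes about one in ten random digit strings, which is why the prefix and length filter runs first; conversely, a PAN split across two fields or stored with a separator other than space or dash will be missed, so a clean scan supports the "no storage" claim but does not prove it. Scanning database dumps, mail stores and backups is the same call on their exported text.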
Employees: IT Convenience
Customers: Mobile Apps
Cloud – Computing
Enabling employees to take advantage of collaboration
tools/programs and share work related data
Cloud – Computing Risks
• Organizational Risk
  ◦ Employees use unauthorized consumer-oriented tools and save corporate data
    ▪ Trade secrets, financial reports, meeting notes, etc.
    ▪ Sits unprotected; locations unknown to company
• Financial Risk:
  ◦ Cost of exposed business confidential data
    ▪ ~ $214 per compromised record – Ponemon Institute May 2014
Cloud – Risk Mitigation
◦ Strategy
  ▪ Monitoring and controlling use of collaboration tools
  ▪ Securing data on collaboration tools
  ▪ COST SAVINGS & PRODUCTIVITY IMPROVEMENTS: > $8,184 per user annually; productivity ~1.2 hours each day or 266 hours per year
◦ Policy
  ▪ Governance
◦ Technology
  ▪ Offer safer enterprise-grade consumer tools
◦ Education
  ▪ Risk Awareness to rank and file
Cloud – Computing
The Cloud Security Alliance maintains the Cloud Controls Matrix to assist cloud providers and cloud consumers in meeting audit requirements, including the PCI DSS.
https://cloudsecurityalliance.org/research/ccm/
Mobile Apps revenue expected to reach an estimated $70
Billion by 2017*. Revenue in 2012 ~ $8.5 billion
Risks
• Organizational Risk:
  ◦ Non-compliance with state and federal regulatory requirements for Mobile Apps
    ▪ Geo-location data
    ▪ Behavioral targeting
    ▪ Inferred consent
    ▪ Retargeting
    ▪ Data security and quality
    ▪ Mobile Privacy Statement
• Financial Risk:
  ◦ Fines
    ▪ Delta failed to have a conspicuous privacy policy on ‘Fly Delta’ – CA Attorney General sued (12/2012), seeking up to $2,500 per app download; the app had been downloaded 1 million times on Google Play
    ▪ Social networking app ‘Path’ – fined $800,000 by the FTC over allegations that it collected personal information without obtaining consumers’ consent (2/11/2013)
    ▪ FTC crackdown under COPPA – $16,000 fine for each download (5/15/2014)
Risk Mitigation
◦ Strategy
  ▪ Understand the changing compliance landscape for Mobile Apps across your enterprise: marketing, application developers, legal, internal audit, etc.
  ▪ Expand Risk Governance
◦ Policy
  ▪ Expand Risk Governance
◦ Technology
  ▪ Understand the ecosystem
◦ Education
  ▪ Risk Awareness to rank and file

NOTE: On 2/11/2013 the FTC released a report outlining privacy guidelines for mobile platform providers, application developers, and advertising networks (the “Report”). Explaining the Commission’s increased attention to this area, the outgoing FTC Commissioner described the current state of rules and practices in the mobile space as a sort of “Wild West.” Cautioning that the Commission will "closely monitor developments in this space”, the FTC “strongly” encouraged companies in the mobile ecosystem to work expeditiously to implement the recommendations in the Report. The guidance focuses on how mobile app players should improve their disclosures to ensure that users understand how their personal data will be collected and used.
◦ Privacy Statement shall state:
  ▪ What information is collected from an Individual's Mobile Device;
  ▪ Whether information is shared with another application installed on the Individual's Mobile Device;
  ▪ How Geo-location Data is used;
  ▪ If Geo-location Data is used to create a profile about the Individual;
  ▪ How long Geo-location Data is retained;
  ▪ What types of Third Parties, including Service Providers, Geo-location Data is shared with and for what purpose;
  ▪ How the Individual can restrict the disclosure of Geo-location Data to Third Parties; and
  ▪ How the Individual can revoke consent to your company's collection and use of Geo-location Data.
  ▪ …and the list goes on
Era of Advancing Risks*
* Global State of Information Security Survey 2014, CIO and CSO Magazine
• Advanced Persistent Threats (APT): the most dangerous cyber threat today
• Few organizations have the capabilities in place to prevent them
Look at Healthcare sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place
Look at Public sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place
Look at Retail sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place
Look at Healthcare sector: Percentage of respondents who report the impact of data breaches
Look at Public sector: Percentage of respondents who report the impact of data breaches
Look at Retail sector: Percentage of respondents who report the impact of data breaches
Look at Healthcare sector: Percentage of respondents who report core security safeguards ARE NOT in place
Look at Public sector: Percentage of respondents who report core security safeguards ARE NOT in place
Look at Retail sector: Percentage of respondents who report core security safeguards ARE NOT in place
Percentage of respondents identifying their greatest obstacles to improving the strategic effectiveness of their company’s information security function
Suzanne Miller, Ph.D.
DrMiller@vaco.com
EMERGING TRENDS IN
INFORMATION
PRIVACY AND
SECURITY
LINN F. FREEDMAN, ESQ.
AUGUST 6, 2014
SUMMARY OF PRESENTATION
—Headlines on data privacy and security and breaches
—What are the Risks
—Implementing a Data Privacy & Security Plan
—Identify high risk data
—State Privacy & Security Laws
—Federal Privacy & Security Regulations
—Use of mobile technology
—Use of e-mail and cloud services
—Best practices
DATA SECURITY — WHAT’S THE RISK?
Increase in conducting business online = exponential increase in threats to data security
DATA SECURITY — WHAT’S THE RISK? (CONT’D)
— Companies collect and possess larger
amounts of customer, employee and client
data than ever
— Greater use of mobile technology,
websites, cloud storage
• Allows for easier opportunity for hackers,
identity thieves/data security breaches
• Increase in loss of proprietary information
• Potential for damage to company’s
reputation
• Threat of state and federal
regulatory enforcement
INCREASE OF DATA SECURITY BREACHES
June 2012 Ponemon Institute Report
— 90% of companies surveyed had a
computer breached at least once in the
prior 12 months
— 44% of companies surveyed viewed IT
infrastructures as insecure
INCREASE OF DATA
SECURITY BREACHES (CONT’D)
May 2013 Ponemon Institute Report
— Data breaches cost U.S. companies
surveyed an average of $5.4 million in
the prior 12 months
— An average of 28,765 records for U.S.
companies surveyed were exposed or
compromised in the prior 12 months
— It cost U.S. companies surveyed an
average of $188 per record breached
in the prior 12 months
DATA PRIVACY & SECURITY PLAN
Identify high risk data
Use of mobile technology, e-
mail and cloud services
Develop policies and best
practices
Train all employees
IDENTIFYING HIGH-RISK DATA
— Personally Identifiable Information
• Includes SS #, state-issued ID #, mother’s
maiden name, driver’s license #, passport #,
credit history, criminal history
— Name & Contact Information
• Includes initials, address, telephone number,
e-mail address, mobile number, date of birth
— Personal Characteristics
• Includes age, gender, marital status,
nationality, sexual orientation, race, ethnicity,
religious beliefs
IDENTIFYING HIGH-RISK DATA (CONT’D)
— Financial Institution Data
• Includes credit, ATM, debit card #s, bank
accounts, payment card information, PINs,
magnetic stripe data, security codes,
access codes, passwords
— Health & Insurance Account Information
• Includes health status and history, disease
status, medical treatment, diagnoses,
prescriptions, insurance account #,
Medicare and Medicaid information
• HIPAA compliance
IDENTIFYING HIGH-RISK DATA (CONT’D)
— Website Traffic
• Notice of Privacy Practices
• Terms and Conditions of Use
— Employment Information
• Includes income, salary, service fees, compensation
information, background check information
STATE PRIVACY & SECURITY LAWS
Social Security number protection laws
— e.g. Rhode Island
— e.g. New York (§399-dd) – restrictions on use, disclosure and access
Data security regulations
— e.g. Massachusetts (201 CMR § 17.00) – must implement a written information security plan with detailed data security safeguards
Breach notification laws
— 47 states
• Most states require notification of a breach to state authorities
Website/mobile app data collection laws
— e.g. California (§§22575-22579, “CalOPPA”) – conspicuously post a privacy policy with transparent details re: data collection/use
— None in RI to date
STATE ENFORCEMENT/FINES AND PENALTIES
Examples:
— Massachusetts data security regulations
(up to $5k per violation)
• $63k against MA restaurant
• $750k against South Shore Hospital
— California website/mobile app CalOPPA
statute (up to $2,500 per violation)
• AG sent hundreds of non-compliance letters to
companies without privacy policies and/or
unclear privacy practices on website/mobile app
— None in Rhode Island to date
STATE HEALTH INFORMATION PRIVACY LAWS
— Mental Health Law
— HIV/Aids
— Sexually transmitted diseases
— Genetic Information
FEDERAL PRIVACY & SECURITY LAWS
— Federal Trade Commission (“FTC”)
• § 5 of the FTC Act prohibits “unfair or deceptive acts or practices”
  ▪ Covers advertising claims, marketing, and promotions
  ▪ Not limited to any particular medium
• Enforcement of several sector-specific privacy laws
  ▪ Fair Credit Reporting Act (“FCRA”)
  ▪ Children’s Online Privacy Protection Act (“COPPA”)
FTC ENFORCEMENT/FINES AND PENALTIES
More than 100 privacy-related actions
since 2001, including:
— 40+ Data Security Cases
— 100+ Spyware Cases
— 20 COPPA cases
— Several FCRA cases
— Increasing Emphasis on Mobile
Technology
FEDERAL PRIVACY & SECURITY LAWS (CONT.)
— Gramm-Leach-Bliley Act
• To protect privacy of personally
identifiable, nonpublic financial
information
FEDERAL PRIVACY & SECURITY LAWS (CONT.)
— HIPAA
• To protect the privacy of
health information
THE OMNIBUS RULE
Certain HIPAA “Privacy and Security Rule” Provisions
apply directly to business associates as a regulated entity
— BAs must have required HIPAA policies and procedures
in place
— BAs are subject to direct enforcement by OCR as of
September 23, 2013
ENFORCEMENT PENALTIES FOR HIPAA VIOLATIONS
Civil penalties are tiered, depending on conduct:
— Unknown (did not know): $100 per violation, up to $50,000 for all identical violations in a calendar year
— Reasonable cause that is not willful neglect: $1,000 for each violation, up to $50,000 for all identical violations in a calendar year
— Willful neglect, violation corrected within 30 days of knowledge: $10,000 for each identical violation, up to $50,000 for all identical violations in a calendar year
— Willful neglect, violation not corrected: $50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year
CRIMINAL ENFORCEMENT PROVISIONS
HIPAA also carries criminal penalties for persons who “knowingly” obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. § 1320d–6(a):
Conduct                    | Fine     | Prison
Knowingly                  | $50,000  | One year
False Pretenses            | $100,000 | Five years
For Profit, Gain, or Harm  | $250,000 | 10 years
RISKS OF BREACH ASSOCIATED WITH MOBILE
TECHNOLOGY
— Smartphones
— Laptops
— USB or flashdrives
• 5 million British Columbians’ data
breached (1/15/13)
 USB drive
— Compliance with 47 state breach
notification regulations
• E-mails
• Cloud vendors
RISKS OF CLOUD COMPUTING
— There are over 400 cloud computing providers
— Privacy and Security
— Confidentiality
— ‘True’ Ownership and Control
— Data Restoration and Data Retention, Longevity of Vendors
— Accessibility (i.e. all business hours, weekends, holidays; 24
hours a day)
— Unfamiliarity with Technology
— Integration with Firm Systems
— Jurisdictional Concerns if Dispute Arises
BEST PRACTICES FOR LAPTOPS & REMOVABLE MEDIA
— Encryption
— Policies and procedures for removing devices and data from business premises
— Do not permit employees to leave laptops and removable devices in cars or hotel rooms
— Prohibition of downloading sensitive data to the hard drive of a laptop or to other removable media
— Remote wipe procedures
— BYOD policy
BEST PRACTICES USING E-MAIL
— Encryption
— Virtual Private Network/RSA
— Verify Selected Recipients
— Use Standard Confidentiality Disclaimer
— “Sensitive” Communications, Special
Protections against Disclosure to 3rd Parties
• It is the responsibility of the employee directing
the communication to determine if the
communication is “sensitive” in accordance with
RIOHHS policies and procedures
REPORTING SECURITY INCIDENTS
— Make sure all employees know
to report a privacy concern, a
suspected breach, information
security problem, theft of
computer equipment or if you
suspect there may be a
problem to the Security Officer
— When in doubt REPORT
CONCLUSION
— Identify all of your “electronic highways” and what they connect with on the inside.
— Perform threat and risk assessments on a regular basis
— Identify controls that will reduce risk to an acceptable level
— Review the effectiveness of controls periodically as well as after incidents
— Ensure you have proper Incident Response Plans in place
— Present Key Risk Indicators (KRI) to management in order to gain their support with regard to any proposed risk mitigation efforts
— Insure risks
This presentation contains images used under license. Retransmission, republication, redistribution, and downloading
of this presentation, including any of the images as stand-alone files, is prohibited.
This presentation may be considered advertising under certain rules of professional conduct. The content should not be
construed as legal advice, and readers should not act upon information in this publication without professional counsel.
©2014. Nixon Peabody LLP. All rights reserved.
THANK YOU!
QUESTIONS?
Linn Foster Freedman, Esq.
T: 401-454-1108
lfreedman@nixonpeabody.com
Nixon Peabody LLP
One Citizens Plaza
Suite 500
Providence, RI 02903
EMERGING TRENDS IN
INFORMATION PRIVACY AND
SECURITY
PRESENTED BY BRIAN BONKOSKI – ACE USA
Disclaimer
The material presented in this presentation is not intended to provide
legal or other expert advice as to any of the subjects mentioned, but
rather is presented for general information only. You should consult
knowledgeable legal counsel or other knowledgeable experts as to any
legal or technical questions you may have. Further, the insurance
discussed is a product summary only. For actual terms and conditions
of any insurance product, please refer to the policy. Coverage may
not be available in all states.
Goals of Today’s Presentation
• Coverage Overview by Insuring Agreement
  ◦ Network Security Liability
  ◦ Privacy Liability
  ◦ Data Breach Team
  ◦ Network Extortion
  ◦ Business Interruption Loss
  ◦ Digital Asset Loss
• Key Markets
• Claims Overview
  ◦ Industry Trends and Expenses
  ◦ Claims Examples
Network Security Liability
• Covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.
Privacy Liability
• Covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.
Data Breach Expenses – 1st Party
• Forensics
• Public Relations/Crisis Management Services
• Legal Services including but not limited to determining compliance with Privacy Regulations, drafting notification letters and indemnification rights
• Notification/Credit Monitoring Services
• Call Center Services
• Fraud Consultation services provided through a licensed investigator or credit specialist
• Identity Restoration Services
Data Breach Expenses – 1st Party Cont’d
• Network Extortion
  ◦ Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.
• Digital Asset Loss
  ◦ Covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.
• Business Interruption
  ◦ Covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured’s network.
Markets
• ACE USA
• AIG
• Lexington
• Beazley
• C.N.A.
• AWAC
• Chubb
• Axis
• XL
• Hiscox
• Zurich
• Travelers
• Philadelphia Insurance
• One Beacon
• Hartford
• Swiss RE
• Endurance
• Houston Casualty
Claims and Industry Trends (as of 1/31/2014)
Breach cause breakdown:
• Hack 24%
• Lost/Stolen Hardware 22% (Laptops 15%, Hard Drives 5%, Other 2%)
• Rogue Employee 15%
• Human Error 14%
• Privacy Policy 9%
• Unknown 7%
• Paper 6%
• Software Error 3%
Industry Breakout
• Healthcare – 31%
• Technology – 14%
• Professional Services – 12%
• Retail – 10%
• Financial Institutions – 8%
Targeted Attacks for PI:
• Lost/Stolen Devices
• 2008 – 41%
• 2012 – 17%
• 2013 – 17%
• Hacking and Rogue Employee
• 2008 – 31%
• 2012 – 44%
• 2013 – 44%
This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied
or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
Triggers by Industry Segment (as of 1/31/2014)
Segment               | Hack | Rogue Employee | Lost/Stolen Devices | Human Error | Privacy Policy
Healthcare            | 4%   | 22%            | 25%                 | 19%         | 11%
Retail                | 42%  | 17%            | 15%                 | 6%          | 15%
Technology            | 34%  | 10%            | 21%                 | 9%          | 12%
Professional Services | 21%  | 14%            | 32%                 | 14%         | 6%
Average Cost of First Party Expenses (as of 1/15/2014)
Every Breach Response is Unique
Cost Range of Each Service
• Legal Fees: under $5,000 up to about $250,000
• Forensics: about $10,000 to seven figures
• Notification & Call Center: approximately $3 per record
• Credit Monitoring: payment per enrollee or restoration service
• Minimal Crisis Management Costs
Objective: Limit Third Party Exposure
* ACE Data, Reflects Average Incurred Costs Across Paid Claims
Average incurred cost across paid claims*:
Legal Fees                 | $48,091
Forensics                  | $192,049
Notification & Call Center | $272,428
Credit Monitoring          | $157,577
Crisis Management          | $12,600
Claims Process
• Pre-Breach Preparation
  ◦ Identify Decision Makers
  ◦ Consider Vendor Relationships and Selection for Breach Response
  ◦ Test Incident Response Plans
• Notice
  ◦ Contact key personnel internally
  ◦ Contact Insurance Carrier (if applicable)
• Engage Data Breach Vendors
  ◦ Data Breach Coach
  ◦ Forensic and Legal Investigation
  ◦ Notification and Call Center
  ◦ Credit Monitoring
  ◦ Crisis Management
• Third Party Claims
  ◦ Class Action Lawsuits
  ◦ PCI Assessments
  ◦ Regulatory Fines and Penalties
Third Party Claims
Three Types of Third Party Claims
• Regulatory Proceedings (Less than 2%)
• Pre-litigation Demands (8%)
• Class Action Lawsuits (10%)
Regulatory Fines
• Bad Actor – Lack of Proper Response or Compliance
• Repeat Offender
• Lack of Internal Privacy Policies and Procedures
Pre-Litigation Demands
• Mostly in Healthcare
• Disclosure of Extremely Sensitive Information
• Adverse Employment Action
Claims Examples – Retail
Website Breached
Users of a $250 million online retailer’s website began experiencing fraudulent credit card charges. The retailer’s IT group
contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found
and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The
retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant.
Data Breach Fund Costs
$750,000 for notification, call center services, and legal fees to determine the insured’s regulatory obligations
Privacy Liability Costs
$500,000 in assessments for lack of PCI compliance
Credit Card Information Stolen by Employee
A $100 million retail company’s employee improperly obtained the credit card information of a client and fraudulently used the
information to make illegal purchases. The employee was caught and prosecuted. The client’s attorney demanded that the insured
provide credit monitoring services and compensate the client for her damages.
Privacy Liability Costs
$75,000 for the settlement amount and legal fees
Claims Examples – Healthcare
External Vendor Misplaced Laptops
A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the
relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its
members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to
notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory
inquiry and was named as a defendant in a class action lawsuit.
Data Breach Fund Costs
$7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring
Privacy Liability Costs
$2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries
Employee Lost Flash Drive
An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of
approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various
state regulators were also notified in accordance with applicable law.
Data Breach Fund Costs
$110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory
obligations
Claims Examples – Misc Services
Private Information Disclosed Due to Printing Error
A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately
60,000 envelopes bearing account numbers on the outside of the envelopes.
Data Breach Fund Costs
$320,000 for notification and credit monitoring services
Laptops Stolen from Office
Five laptops were stolen from the office of a professional services company. The laptops contained personal information of
approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit
monitoring costs.
Data Breach Fund Costs
$200,000 for notification, credit monitoring services, and legal fees
Personal Information Posted Online
A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal
information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the
process of notifying the impacted individuals and offering credit monitoring services.
Data Breach Fund Costs
$150,000 to date for legal fees, notification, credit monitoring, and Public Relations services
Questions?
Contact:
Brian Bonkoski
ACE Professional Risk
Vice President
(215) 640-5934
brian.bonkoski@acegroup.com
Panel Discussion
• How do I mitigate my risk with the growing use of mobile and portable technologies?
  ◦ Policies and Education
  ◦ Social networking awareness
  ◦ Encryption
  ◦ Remote Wipes/Autolocks
  ◦ Obtaining employee consent
  ◦ Backing up company information on an employee device
  ◦ Do’s and Don’ts of mobile use
  ◦ Laptop Safety
• What should I be doing to prepare my Company for the increased regulations related to IT Security?
  ◦ Understand business activities subject to regulation for privacy considerations
    ▪ Disclosure of PI collection and sharing procedures
    ▪ Website and mobile app privacy
  ◦ Know how changes in business operations impact compliance requirements
  ◦ Accept responsibility for compliance
    ▪ EXECUTIVE MANAGEMENT
    ▪ BOARD OF DIRECTORS
Questions?
• What are some of the things I need to consider when using 3rd party service providers?
  ◦ For all vendors:
    ▪ Due diligence on their data security
    ▪ Coordination of representations in privacy policies
    ▪ Allocation of responsibilities in event of breach
    ▪ Terms in vendor agreements: indemnification provisions, access provisions, insurance requirements (cyber and other)
  ◦ Cloud computing
    ▪ Identify the assets for cloud deployment
    ▪ Evaluate the assets
    ▪ Map the assets to the cloud deployment model
    ▪ Evaluate potential cloud service models
    ▪ Map out data flow
• What should I be doing to prepare the Company for a breach?
  ◦ Screen new hires and vendors
  ◦ Annual risk assessments
  ◦ Educate employees
  ◦ Discuss privacy by design with operations people
  ◦ Pre-arrange breach service providers
  ◦ Develop a cross-functional privacy committee for breach planning and response
  ◦ Discuss information collection and disclosure practices with all departments
  ◦ Consider insuring against risks
• What can I do to better protect my data from cyber crime?
  ◦ Data Mapping – Understand WHAT your sensitive data is and WHERE it resides
  ◦ Perform a security risk assessment
  ◦ Set security standards
  ◦ Develop comprehensive policies
  ◦ Provide security training
  ◦ Adopt a business plan
  ◦ Spear Phishing Do’s and Don’ts
Michael Camacho, CPA, Partner
mcamacho@lgcd.com
(401) 421-4800 x233
  • 18. Cloud – Computing Enabling employees to take advantage of collaboration tools/programs and share work related data 18
  • 20. Cloud – Computing Risks  Organizational Risk ◦ Employees use unauthorized consumer-oriented tools and save corporate data  Trade secrets, financial reports, meeting notes, etc.  Sits unprotected; locations unknown to company  Financial Risk: ◦ Cost of exposed business confidential data  ~ $214 per compromised record –Ponemon Institute May 2014 20
  • 21. Cloud – Risk Mitigation ◦ Strategy  Monitoring and controlling use of collaboration tools  Securing data on collaboration tools  COST SAVINGS & PRODUCTIVITY IMPROVEMENTS:  > $8,184 per user annually.  Productivity ~1.2 hours each day or 266 hours per year ◦ Policy  Governance ◦ Technology  Offer safer enterprise-grade consumer tools ◦ Education  Risk Awareness to rank and file 21
  • 22. Cloud – Computing Cloud Security Alliance maintains the Cloud Controls Matrix to assist cloud providers and cloud consumers meet audit requirements, including the PCI DSS. https://cloudsecurityalliance.org/research/ccm/ 22
  • 23. Mobile Apps revenue expected to reach an estimated $70 Billion by 2017*. Revenue in 2012 ~ $8.5 billion 23
  • 24. Risks  Organizational Risk: ◦ Non-compliance with state and federal regulatory requirements for Mobile Apps  Geo-location data  Behavioral targeting  Inferred consent  Retargeting  Data security and quality  Mobile Privacy Statement 24
  • 25.  Financial Risk: ◦ Fines  Delta failed to have a conspicuous privacy policy on ‘Fly Delta’ - CA Attorney General (12/2012)  Fined $2,500 per app download  Downloaded 1 million times on Google Play  Social networking app, ‘Path’  Fined $800,000 by FTC over allegations that it collected personal information without obtaining consumers’ consent - (2/11/2013)  FTC Crackdown COPPA  $16,000 fine for each download (5/15/2014) 25
  • 26. Risk Mitigation ◦ Strategy  Understand the changing compliance landscape for Mobile Apps across your enterprise  Marketing, application developers, legal, internal audit, etc.  Expand Risk Governance ◦ Policy  Expand Risk Governance ◦ Technology  Understand the ecosystem ◦ Education  Risk Awareness to rank and file NOTE: The FTC released on 2/11/2013 a report outlining privacy guidelines for mobile platform providers, application developers, and advertising networks (the “Report”). Explaining the Commission’s increased attention to this area, the outgoing FTC Commissioner described the current state of rules and practices in the mobile space as a sort of “Wild West.” Cautioning that the Commission will "closely monitor developments in this space”, the FTC “strongly” encouraged companies in the mobile ecosystem to work expeditiously to implement the recommendations in the Report. The guidance focuses on how mobile app players should improve their disclosures to ensure that users understand how their personal data will be collected and used. 26
  • 27. ◦ Privacy Statement shall state:  What information is collected from an Individual's Mobile Device;  Whether information is shared with another application installed on the Individual's Mobile Device;  How Geo-location Data is used;  If Geo-location Data is used to create a profile about the Individual;  How long Geo-location Data is retained;  What type of Third Parties, including Service Providers is Geo-location Data is shared with and for what purpose;  How the Individual can restrict the disclosure of Geo- location data to Third Parties; and  How the Individual can revoke consent to your company's collection and use of Geo-Location Data.  …and the list goes on 27
  • 28. Era of Advancing Risks* 28 * Global State of Information Security Survey 2014, CIO and CSO Magazine
  • 29.  Most dangerous cyber threat today  Few organizations have the capabilities to prevent 29
  • 30. Look at Healthcare sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place 30
  • 31. Look at Public sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place 31
  • 32. Look at Retail sector: Percentage of respondents who report that their organization has the following APT-related capabilities in place 32
  • 33. 33 Look at Healthcare sector: Percentage of respondents who report the impact of data beaches.
  • 34. 34 Look at Public sector: Percentage of respondents who report the impact of data beaches.
  • 35. 35 Look at Retail sector: Percentage of respondents who report the impact of data beaches.
  • 36. 36 Look at Healthcare sector: Percentage of respondents who report core security safeguards ARE NOT in place.
  • 37. 37 Look at Public sector: Percentage of respondents who report core security safeguards ARE NOT in place.
  • 38. 38 Look at Retail sector: Percentage of respondents who report core security safeguards ARE NOT in place.
  • 39. 39 Percentage of respondents identifying their greatest obstacles to improving the strategic effectiveness of their company’s information security function.
  • 41. EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY LINN F. FREEDMAN, ESQ. AUGUST 6, 2014
  • 42. SUMMARY OF PRESENTATION —Headlines on data privacy and security and breaches —What are the Risks —Implementing a Data Privacy & Security Plan —Identify high risk data —State Privacy & Security Laws —Federal Privacy & Security Regulations —Use of mobile technology —Use of e-mail and cloud services —Best practices
  • 44. DATA SECURITY — WHAT’S THE RISK? Increase of conducting business online Exponential increase of threats to data security =
  • 45. DATA SECURITY — WHAT’S THE RISK? (CONT’D) — Companies collect and possess larger amounts of customer, employee and client data than ever — Greater use of mobile technology, websites, cloud storage • Allows for easier opportunity for hackers, identity thieves/data security breaches • Increase in loss of proprietary information • Potential for damage to company’s reputation • Threat of state and federal regulatory enforcement
  • 46. INCREASE OF DATA SECURITY BREACHES June 2012 Ponemon Institute Report — 90% of companies surveyed had a computer breached at least once in the prior 12 months — 44% of companies surveyed viewed IT infrastructures as insecure
  • 47. INCREASE OF DATA SECURITY BREACHES (CONT’D) May 2013 Ponemon Institute Report — Data breaches cost U.S. companies surveyed an average of $5.4 million in the prior 12 months — An average of 28,765 records for U.S. companies surveyed were exposed or compromised in the prior 12 months — It cost U.S. companies surveyed an average of $188 per record breached in the prior 12 months
  • 48. DATA PRIVACY & SECURITY PLAN Identify high risk data Use of mobile technology, e- mail and cloud services Develop policies and best practices Train all employees 48
  • 49. IDENTIFYING HIGH-RISK DATA — Personally Identifiable Information • Includes SS #, state-issued ID #, mother’s maiden name, driver’s license #, passport #, credit history, criminal history — Name & Contact Information • Includes initials, address, telephone number, e-mail address, mobile number, date of birth — Personal Characteristics • Includes age, gender, marital status, nationality, sexual orientation, race, ethnicity, religious beliefs 49
  • 50. IDENTIFYING HIGH-RISK DATA (CONT’D) — Financial Institution Data • Includes credit, ATM, debit card #s, bank accounts, payment card information, PINs, magnetic stripe data, security codes, access codes, passwords — Health & Insurance Account Information • Includes health status and history, disease status, medical treatment, diagnoses, prescriptions, insurance account #, Medicare and Medicaid information • HIPAA compliance 50
  • 51. IDENTIFYING HIGH-RISK DATA (CONT’D) — Website Traffic • Notice of Privacy Practices • Terms and Conditions of Use — Employment Information • Includes income, salary, service fees, compensation information, background check information 51
  • 52. STATE PRIVACY & SECURITY LAWS Social Security number protection laws — e.g. Rhode Island — e.g. New York (§399-dd) – restrictions on use, disclosure and access Data security regulations — e.g. Massachusetts (201 CMR § 17.00) –must implement a written information security plan with detailed data security safeguards Data security regulations — 47 states • Most states require notification of a breach to state authorities Website/mobile app data collection laws — e.g. California (§§22575-22579, “CalOPPA”) –conspicuously post privacy policy with transparent details re: data collection/use — None in RI to date 52
  • 53. STATE ENFORCEMENT/FINES AND PENALTIES Examples: — Massachusetts data security regulations (up to $5k per violation) • $63k against MA restaurant • $750k against South Shore Hospital — California website/mobile app CalOPPA statute (up to $2,500 per violation) • AG sent hundreds of non-compliance letters to companies without privacy policies and/or unclear privacy practices on website/mobile app — None in Rhode Island to date 53
  • 54. STATE HEALTH INFORMATION PRIVACY LAWS — Mental Health Law — HIV/Aids — Sexually transmitted diseases — Genetic Information 54
  • 55. FEDERAL PRIVACY & SECURITY LAWS — Federal Trade Commission (“FCC”) • § 5 of the FTC Act prohibits “unfair or deceptive acts or practices”  Covers advertising claims, marketing, and promotions  Not limited to any particular medium • Enforcement of several sector-specific privacy laws  Fair Credit Reporting Act (“FCRA”)  Children’s Online Privacy Protection Act (“COPPA”) 55
  • 56. FTC ENFORCEMENT/FINES AND PENALTIES More than 100 privacy-related actions since 2001, including: — 40+ Data Security Cases — 100+ Spyware Cases — 20 COPPA cases — Several FCRA cases — Increasing Emphasis on Mobile Technology 56
  • 57. FEDERAL PRIVACY & SECURITY LAWS (CONT.) — Gramm-Leach-Bliley Act • To protect privacy of personally identifiable, nonpublic financial information 57
  • 58. FEDERAL PRIVACY & SECURITY LAWS (CONT.) — HIPAA • To protect the privacy of health information 58
  • 59. THE OMNIBUS RULE Certain HIPAA “Privacy and Security Rule” Provisions apply directly to business associates as a regulated entity — BAs must have required HIPAA policies and procedures in place — BAs are subject to direct enforcement by OCR as of September 23, 2013 59
  • 60. ENFORCEMENT PENALTIES FOR HIPAA VIOLATIONS Civil Penalties are tiered, depending on conduct — Unknown — $100 per violation up to $50,000 for all identical violations in a calendar year Reasonable cause that is not willful neglect — $1,000 for each violation up to $50,000 for all identical violations in a calendar year Willful neglect — If violation corrected within 30 days of knowledge: $10,000 for each identical violation, up to $50,000 for all identical violations in a calendar year — If violation not corrected: $50,000 for each violation, up to $1.5 million for all identical or non- identical violations in a calendar year 60
  • 61. CRIMINAL ENFORCEMENT PROVISIONS HIPAA also carries criminal penalties for persons who “knowingly” obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. § 1320d–6(a): 61 Fine Prison Knowingly $50,000 One year False Pretenses $100,000 Five years For Profit, Gain, or Harm $250,000 10 years
  • 62. RISKS OF BREACH ASSOCIATED WITH MOBILE TECHNOLOGY — Smartphones — Laptops — USB or flashdrives • 5 million British Columbians’ data breached (1/15/13)  USB drive — Compliance with 47 state breach notification regulations • E-mails • Cloud vendors 62
  • 63. RISKS OF CLOUD COMPUTING — There are over 400 cloud computing providers — Privacy and Security — Confidentiality — ‘True’ Ownership and Control — Data Restoration and Data Retention, Longevity of Vendors — Accessibility (i.e. all business hours, weekends, holidays; 24 hours a day) — Unfamiliarity with Technology — Integration with Firm Systems — Jurisdictional Concerns if Dispute Arises 63
  • 64. BEST PRACTICES FOR LAPTOPS & REMOVABLE MEDIA — Encryption — Policies and procedures for removing devices and data from business premises — Do not permit employees to leave laptops and removable devices in cars or hotel rooms — Prohibition of down loading sensitive data on hard drive of laptop or other removable media — Remote wipe procedures — BYOD policy
  • 65. BEST PRACTICES USING E-MAIL — Encryption — Virtual Private Network/RSA — Verify Selected Recipients — Use Standard Confidentiality Disclaimer — “Sensitive” Communications, Special Protections against Disclosure to 3rd Parties • It is the responsibility of the employee directing the communication to determine if the communication is “sensitive” in accordance with RIOHHS policies and procedures
  • 66. REPORTING SECURITY INCIDENTS — Make sure all employees know to report a privacy concern, a suspected breach, information security problem, theft of computer equipment or if you suspect there may be a problem to the Security Officer — When in doubt REPORT
  • 67. CONCLUSION — Identify all of your “electronic highways” and what they connect with on the inside. — Perform threat and risk assessment on a regularly basis — Identify controls that will reduce risk to an acceptable level — Review the effectiveness of controls periodically as well as after incidents — Ensure you have proper Incident Response Plans in place — Present Key Risk Indicators (KRI) to management in order to gain their support with regard to any proposed risk mitigation efforts — Insure risks
  • 68. This presentation contains images used under license. Retransmission, republication, redistribution, and downloading of this presentation, including any of the images as stand-alone files, is prohibited. This presentation may be considered advertising under certain rules of professional conduct. The content should not be construed as legal advice, and readers should not act upon information in this publication without professional counsel. ©2014. Nixon Peabody LLP. All rights reserved. THANK YOU! QUESTIONS? Linn Foster Freedman, Esq. T: 401-454-1108 lfreedman@nixonpeabody.com Nixon Peabody LLP One Citizens Plaza Suite 500 Providence, RI 02903
  • 69. EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY PRESENTED BY BRIAN BONKOSKI – ACE USA
  • 70. Disclaimer The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states. 70
  • 71. Goals of Todays Presentation  Coverage Overview by Insuring Agreement  Network Security Liability  Privacy Liability  Data Breach Team  Network Extortion  Business Interruption Loss  Digital Asset Loss  Key Markets  Claims Overview  Industry Trends and Expenses  Claims Examples 71
  • 72. Network Security Liability  Covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code. 72
  • 73. Privacy Liability  Covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation. 73
  • 74. Data Breach Expenses – 1st Party  Forensics  Public Relations/Crisis Management Services  Legal Services including but not limited to determining compliance with Privacy Regulations, drafting notification letters and indemnification rights  Notification/Credit Monitoring Services  Call Center Services  Fraud Consultation services provided through a licensed investigator or credit specialist  Identity Restoration Services 74
  • 75. Data Breach Expenses – 1st Party Cont’d  Network Extortion  Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.  Digital Asset Loss  Covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.  Business Interruption  Covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured’s network. 75
  • 76. Markets  ACE USA  AIG  Lexington  Beazley  C.N.A.  AWAC  Chubb  Axis  XL 76  Hiscox  Zurich  Travelers  Philadelphia Insurance  One Beacon  Hartford  Swiss RE  Endurance  Houston Casualty
  • 77. Claims and Industry Trends(as of 1/31/2014) 77 Paper 6% Human Error 14% Privacy Policy 9% Hack 24% Rogue Employee 15% Software Error 3% Unknown 7% Laptops 15% Hard Drives 5% Other 2% Lost/Stolen Hardware 22% Industry Breakout • Healthcare – 31% • Technology – 14% • Professional Services – 12% • Retail – 10% • Financial Institutions – 8% Targeted Attacks for PI: • Lost/Stolen Devices • 2008 – 41% • 2012 – 17% • 2013 – 17% • Hacking and Rogue Employee • 2008 – 31% • 2012 – 44% • 2013 – 44% This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
  • 78. Triggers by Industry Segment (as of 1/31/2014) 78 0% 5% 10% 15% 20% 25% Hack Rogue Employee Lost/Stolen Devices Human Error Privacy Policy 4% 22% 25% 19% 11% Healthcare 0% 5% 10% 15% 20% 25% 30% 35% 40% Hack Rogue Employee Lost/Stolen Devices Human Error Privacy Policy 42% 17% 15% 6% 15% Retail 0% 5% 10% 15% 20% 25% 30% 35% Hack Rogue Employee Lost/Stolen Devices Human Error Privacy Policy 34% 10% 21% 9% 12% Technology 0% 5% 10% 15% 20% 25% 30% 35% Hack Rogue Employee Lost/Stolen Devices Human Error Privacy Policy 21% 14% 32% 14% 6% Professional Services This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
  • 79. Average Cost of First Party Expenses (as of 1/15/2014) Every Breach Response is Unique Cost Range of Each Service  Legal Fees: Under $5,000 up to about $250,000  Forensics: About $10,000 to Seven Figures  Notification & Call Center: Approximately $3 per Record  Credit Monitoring: Payment per Enrollee or Restoration Service  Minimal Crisis Management Costs Objective: Limit Third Party Exposure 79 * ACE Data, Reflects Average Incurred Costs Across Paid Claims This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014 $48,091.00 $192,049.00 $272,428.00 $157,577.00 $12,600.00 $- $50,000.00 $100,000.00 $150,000.00 $200,000.00 $250,000.00 $300,000.00 Legal Fees Forensics Notification & Call Center Credit Monitoring Crisis Management
  • 80. Claims Process  Pre-Breach Preparation  Identify Decision Makers  Consider Vendor Relationships and Selection for Breach Response  Test Incident Response Plans  Notice  Contact key personnel internally  Contact Insurance Carrier (if applicable)  Engage Data Breach Vendors  Data Breach Coach  Forensic and Legal Investigation  Notification and Call Center  Credit Monitoring  Crisis Management  Third Party Claims  Class Action Lawsuits  PCI Assessments  Regulatory Fines and Penalties 80 This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
  • 81. Third Party Claims Three Types of Third Party Claims  Regulatory Proceedings (Less than 2%)  Pre-litigation Demands (8%)  Class Action Lawsuits (10%) Regulatory Fines  Bad Actor – Lack of Proper Response or Compliance  Repeat Offender  Lack of Internal Privacy Policies and Procedures Pre-Litigation Demands  Mostly in Healthcare  Disclosure of Extremely Sensitive Information  Adverse Employment Action 81 This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014 Lawsuits – 10% Non-Lawsuits – 8% Regulatory Proceedings – 2%
  • 82. Claims Examples – Retail 82 This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014 Website Breached Users of a $250 million online retailer’s website began experiencing fraudulent credit card charges. The retailer’s IT group contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant. Data Breach Fund Costs $750,000 for notification, call center services, and legal fees to determine the insured’s regulatory obligations Privacy Liability Costs $500,000 in assessments for lack of PCI compliance Credit Card Information Stolen by Employee A $100 million retail company’s employee improperly obtained the credit card information of a client and fraudulently used the information to make illegal purchases. The employee was caught and prosecuted. The client’s attorney demanded that the insured provide credit monitoring services and compensate the client for her damages. Privacy Liability Costs $75,000 for the settlement amount and legal fees
  • 83. Claims Examples – Healthcare 83 External Vendor Misplaced Laptops A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory inquiry and was named as a defendant in a class action lawsuit. Data Breach Fund Costs $7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring Privacy Liability Costs $2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries Employee Lost Flash Drive An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various state regulators were also notified in accordance with applicable law. Data Breach Fund Costs $110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory obligations
  • 84. Claims Examples – Misc Services 84 Private Information Disclosed Due to Printing Error A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately 60,000 envelopes bearing account numbers on the outside of the envelopes. Data Breach Fund Costs $320,000 for notification and credit monitoring services Laptops Stolen from Office Five laptops were stolen from the office of a professional services company. The laptops contained personal information of approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit monitoring costs. Data Breach Fund Costs $200,000 for notification, credit monitoring services, and legal fees Personal Information Posted Online A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the process of notifying the impacted individuals and offering credit monitoring services. Data Breach Fund Costs $150,000 to date for legal fees, notification, credit monitoring, and Public Relations services
  • 85. Questions? 85 Contact: Brian Bonkoski ACE Professional Risk Vice President (215) 640-5934 brian.bonkoski@acegroup.com This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
  • 87.  How do I mitigate my risk with the growing use of mobile and portable technologies?  Policies and Education  Social networking awareness  Encryption  Remote Wipes/Autolocks  Obtaining employee consent  Backing up company information on an employee device  Do’s and Don’ts of mobile use  Laptop Safety
  • 88.  What should I be doing to prepare my Company for the increased regulations related to IT Security?  Understand business activities subject to regulation for privacy considerations ▪ Disclosure of PI collections and sharing procedures ▪ Website and mobile app privacy  Know how changes in business operations impact compliance requirements  Accept responsibility for compliance ▪ EXECUTIVE MANAGEMENT ▪ BOARD OF DIRECTORS
  • 90.  What are some of the things I need to consider when using 3rd party service providers?  For all vendors: ▪ Due diligence on their data security ▪ Coordination of representations in privacy policies ▪ Allocation of responsibilities in event of breach ▪ Terms in vendor agreements: ▪ Indemnification provisions ▪ Access provisions ▪ Insurance requirements (cyber and other)  Cloud computing ▪ Identify the assets for cloud deployment ▪ Evaluate the assets ▪ Map the assets to the cloud deployment model ▪ Evaluate potential cloud service models ▪ Map out data flow
  • 91.  What should I be doing to prepare the Company for a breach?  Screen new hires and vendors  Annual risk assessments  Educate employees  Discuss privacy by design with operations people  Pre-arrange breach service providers  Develop a cross functional privacy committee for breach planning and response  Discuss information collection and disclosure practices with all departments  Consider insuring against risks
  • 92.  What can I do to better protect my data from cyber crime?  Data Mapping - Understand WHAT your sensitive data is and WHERE it resides  Perform a security risk assessment  Set security standards  Develop comprehensive policies  Provide security training  Adopt a business plan  Spear Phishing Do’s and Don’ts
  • 93. Michael Camacho, CPA, Partner mcamacho@lgcd.com (401) 421-4800 x233