Privacy Liability and Network Security
May 17, 2011

Presenters:
– L. Spencer Timmel, CITRMS, Privacy and Network Security Specialist, Hylant Executive Risk Practice
– Eric M. Wright, CPA, CITP, Shareholder, Technology Advisory Services, Schneider Downs & Co., Inc.
Table of Contents
– Privacy Related Risks – What are we talking about?
– Legal Perspective
– Target Industries
– Privacy Incident Loss Examples
– Unplanned Cash Flows
– Privacy Incident Costs
– Traditional Insurance Policy Gap Analysis
– Mitigating the Risk and Questions for your IT Staff
– Cyber/Privacy Products
– Evaluating Insurance as an Option – What should you expect?
PII and PHI
Personally Identifiable Information (PII):
– An individual's name, consisting of the individual's first name or first initial and last name, in combination with:
  – Social Security Number
  – Driver's License Number or State Identification Number
  – Credit Card, Debit Card, or Financial Account Numbers
Protected Health Information (PHI):
– Any information that relates to the past, present, or future physical or mental health or condition of an individual; electronic, paper or oral
Legal Perspective
State Privacy Breach Notification Law
– 48 states/territories with legislation, including D.C. and Puerto Rico
– Kentucky and Alabama have introduced bills
– South Dakota and New Mexico have yet to make a move
– Massachusetts: a bit watered down since its initial form, but still requires organizations that do business in the state to inventory personal information and educate employees about safeguards
– The applicable law is that of the state where the affected party resides, not where you are headquartered or where the breach occurred
Health Insurance Portability and Accountability Act (HIPAA)
– “…maintain a reasonable and appropriate administrative, technical, and physical safeguard to prevent use or disclosure of protected health information.”
Federal Privacy Breach Notification Law: “not yet, but…”
– Obama’s recent push and the Kerry/McCain Privacy Bill of Rights
Legal Perspective (cont.)
Gramm-Leach-Bliley Act (GLBA)
– Businesses that are engaged in traditional banking, lending and insurance functions
– Privacy Rule: “…insure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer”
“FACT” Act (Red Flags Rule)
– Creditors and Financial Institutions with covered accounts
– Implementation of an Identity Theft Prevention Program that accomplishes the following:
  1. Identify and outline “Red Flags”
  2. Monitor for and detect “Red Flags”
  3. Mitigate when “Red Flags” are detected
  4. Update the Identity Theft Prevention Program periodically
Target Industries
– Retail
– Healthcare
– Financial Services
– Colleges, Universities and Municipalities
– Data Processors and Data Storage Companies
Privacy Incidents
– Heartland Payment Systems (01/09): 130 million credit card numbers breached
– Sony Corp (4/11): 102 million records, 12 million credit card numbers; dual attack
– Michaels Stores (05/11): 10,000 credit card numbers; pin pad tampering
– Starbucks (11/08): 97,000 social security numbers of employees; lost laptop
– HealthNet (01/11): 1.9 million PHI records; 9 servers missing
– (05/09): 1.5 million PHI records; portable disk drive missing
– BC/BS Tennessee (10/10): 1 million+ PHI records; 57 hard drives stolen
– State University (12/2010): 750,000 PII records; unauthorized access
– E-mail data management firms (12/10) & (3/11)
Unplanned Cash Flows
– State and/or Federally Mandated Notification Costs
– Forensic Investigation, Data Restoration Expenses, Asset Damage
– Brand Preservation: Voluntary Notification, Credit Monitoring, Public Relations Expense
– Defense and Indemnity Expense from 3rd Party Allegations
– Regulatory Defense Costs
– Regulatory / PCI Fines and Penalties
– Business Income Loss
What is a privacy incident going to cost me?
Summary of Ponemon Institute, LLC’s 2010 Annual Study: Cost of a Data Breach:
– Continued trend of increased average cost and per-record cost: $7.2 million (+7%) and $214 (+5%), respectively.
– Direct costs (legal counsel, notification letters, credit monitoring, etc.) increased 22% to $73 per record. The increase is driven by rising legal defense costs.

Cost by industry class      Per record
Average                     $214
Education                   $112
Retail                      $185
Healthcare                  $301
Financial Institutions      $353
What is a privacy incident going to cost me? Ponemon Institute 2010 (cont.)
– Data breaches from malicious attacks are up 7% from 2009, having doubled the year before. The cost per compromised record for these types of breaches has skyrocketed to $318 per record. This increase reinforces the extreme danger hostile breaches pose.
– Class action suits from breach victims have yet to gain traction as it is difficult to prove damages. (It’s just a matter of time, Sony? RockYou?)
– More organizations favor rapid response than ever before, but it seems to be costing them. Notification within one month of discovery increases the cost per record by $94, totaling $268. Is this tied to overreaction, a business decision to protect the brand, or a response to meet more stringent data breach notification laws?
Policy Gap Analysis
General Liability Insurance
– Coverage for bodily injury or property damage
  – Intentional acts are excluded
  – Intangible property is excluded
Property Insurance
– Coverage for loss of tangible property caused by a covered peril
  – Computer viruses are excluded
  – Intangible property is excluded
  – Business interruption coverage only applies if there has been a direct physical loss or damage to covered property
Crime Insurance
– Coverage for theft of money, securities or other property
  – No coverage for theft of information, trade secrets and other types of confidential information
Directors & Officers Liability Insurance
– Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity as such
Mitigating the Risk – “an RM Perspective”
There are several ways that Risk Management can help to mitigate the risk of cyber-related losses:
1. Understand the role of IT and their perspective on this area of risk (How do they prevent internal and external breaches? Where are the vulnerabilities? What has been the history of breach incidents? What is the process for responding to a breach, and how is RM involved in that process?)
2. Evaluation of contracts with outside service providers, specifically 3rd party IT, data storage or data processing vendors
3. Require and obtain certificates of insurance for both Professional E&O and Privacy/Cyber Liability coverage
4. Outside quiet audit by a third party IT security assessment firm
5. Evaluate the need for insurance as a “safety net” to other internal and external safeguards
Top Data Breach Prevention and Detection Controls to Ask
1. Sensitive Data Storage
– Do we know what types of sensitive data (if any) we have and how we are storing and transmitting it?
– Have we performed a risk assessment to understand what kind of impact a breach may have on our organization?
2. Access to Sensitive Data
– Have we restricted access to any sensitive data or systems appropriately? (Unique accounts, strong passwords, etc.)
3. Encryption
– Do we have encryption in place regarding:
  – transmission of secure data files? (FTP)
  – communications that may contain sensitive information? (Email)
  – handling of devices that contain sensitive information? (Laptops, backup media, etc.)
Top Data Breach Prevention and Detection Controls to Ask (cont.)
4. Server Patching
– Do we have a patch management solution in place to ensure that all critical patches are installed on our servers in a timely manner?
5. Firewall Protection
– Do we have a firewall in place that has been updated to reflect the most recent best practice settings?
6. Intrusion Detection
– Do we have an appropriate solution in place to detect and alert us to suspicious activity taking place on our network?
7. Anti-Virus Protection
– Do we have a central anti-virus solution in place that updates all workstations and servers regularly?
Top Data Breach Prevention and Detection Controls to Ask (cont.)
8. Vulnerability Testing and Internal Control Reviews
– Do we regularly test our network resources and security in order to evaluate them for any weaknesses?
– Do we evaluate our internal controls for weaknesses?
9. Information Security Policy
– Do we have a policy in place that addresses our approach and our internal requirements regarding information security and our expectations of our employees?
10. Incident Response Plan
– Have we identified our responsibilities in the event of a data breach and the steps that we need to take to reduce the damage and maintain forensic evidence of the breach and any data lost?
11. Know whom you’re sharing your data with
– Do we have a strong vendor management policy?
Cyber/Privacy Liability Insurance
Cyber/Privacy Liability coverage can provide protection for:
– Privacy Violations – Electronic and Non-Electronic
– Intellectual property infringement
– Security breaches
– Internet, network programming errors and omissions
– Business interruption causing loss of revenue and extra expense
– Destruction, disclosure and theft of electronic data
– Fines and Penalties and Punitive Damages
– Post-Event Crisis Management Expenses
– Regulatory Defense, Fines and Penalties Coverage
– Cyber Extortion
Market Place
– Market Evolution: Lloyd’s vs. Domestic
– Capacity
Evaluating Insurance as an Option – What to Expect?
Exposure Analysis and Policy Review:
– Every policy is different, and careful analysis of risk will allow the broker to tailor the most appropriate coverage at the most competitive price
– Work with a broker that is a technical specialist on this coverage – many of the policy forms available in the marketplace need to be enhanced in order to obtain the broadest available coverage
Obtaining a proposal: a relatively simple process
– Depends on industry, size and operations
– Application, financials, conference call with IT Security or CIO
Spencer Timmel, CITRMS – Hylant Group
As a member of Hylant Group’s Executive Risk Practice, Spencer serves as the Cyber Security and Privacy Liability specialist. He provides consultative support to clients and oversees the placements of this and other Executive Risk insurance in all industry classes. Prior to joining Hylant, he was an Executive Protection Underwriter for the Chubb Group of Insurance Companies and the Cincinnati Insurance Company.
– Bachelor's degree in Business, Finance from Ohio University
– Master's in Business Administration from Xavier University
Specialties: Cyber Security and Privacy Liability; Directors and Officers Liability; E&O Liability; Employment Practices Liability; Fiduciary Liability; Crime/Workplace Violence/Kidnap/Ransom & Extortion Coverage
Contact Information: Office (513) 354-1656; Cell (513) 518-1535
Eric M. Wright, CPA, CITP – Schneider Downs & Co., Inc.
Eric has been involved with Information Technology at Schneider Downs since 1983. He is responsible for the firm’s IT compliance services. Eric has performed IT audits on a number of systems, including SAP, Oracle, J.D. Edwards and Lawson, and has a strong understanding of the application controls that are available in each of these systems. In addition to helping our clients with their SOX initiatives, he has also assisted clients with becoming PCI-DSS compliant and ISO 27001 certified, and has performed NIST security audits.
– Bachelor's Degree in Mathematics and Computer Science from Waynesburg University
Member:
– Pennsylvania Institute of Certified Public Accountants
– Ohio Society of Certified Public Accountants
– The American Institute of Certified Public Accountants – M.I.S. and High Tech Division
Contact Information: Office (412) 697-5328