Limiting Risk in Your Cyber Community Gordon J. Calhoun, Esq. Lewis Brisbois Bisgaard & Smith LLP
Highlights
The incontrovertible benefits of cyberspace, as well as how to protect against the dark side that exists in any community
Some of the many lessons learned in the year since the Target breach was reported
Using cyber risk insurance to complete your risk management program
Immediate, inexpensive ways to improve data security and minimize liability
21st Century Cyber World Is Wonderful
Globalization (you are everywhere)
–International relationships
–New vendors
–New customers
Communication (instantaneous)
–Text messaging
–Social media
–Email
–Video streaming
Cost Effectiveness (virtual world)
–Faster speed saves time, which either saves or makes money
–Automated and streamlined processes reduce labor costs
Data Security Incidents and Presumptive Breaches Occur Every Minute
90 percent of businesses acknowledge at least 1 data security event in the last year; the true frequency is greatly understated
We live in a "Bring Your Own Device" ("BYOD") world
112 smartphones are lost or stolen every minute – that's 57 million data security incidents per year in the United States
Add in lost or stolen laptops, flash drives, etc.
Add in malicious insiders, criminal and government-sponsored hackers (reconnaissance and disruption), and critical infrastructure attacks
The issue is not if, but when and how often
How Is Stolen Data Marketed? What Is Most Valuable to Cyber Criminals?
Top 10 Breaches of Personal Records
1. Court Ventures – October 21, 2013 – 200.0M
2. Adobe – September 18, 2013 – 152.0M
3. eBay – May 21, 2014 – 145.0M
4. Heartland Payment Systems – January 20, 2009 – 130.0M
5. Target – November 04, 2013 – 110.0M
6. TJX retail stores – January 17, 2007 – 100.0M
7. U.S. Military Veterans – October 02, 2009 – 76.0M
8. Evernote – February 13, 2013 – 50.0M
9. LivingSocial – April 04, 2013 – 50.0M
10. CardSystems – June 16, 2005 – 40.0M
This does not include significant breaches in 2014, including:
1. Russian crime syndicate – 1,200.0M
2. Home Depot – 56.0M
3. JPMorgan – 76.0M + 7.0M SMBs
Source: Bloomberg Visual Data, 9/4/2014, sourced from Privacy Rights Clearinghouse
Cyber Crime Statistics 2012 Verizon Report: Targeting of smaller businesses is common –Less security spending, training, infrastructure
Cyber Crime Statistics Breaches and Incidents reported 2013, and cumulative since 2011 NOTE: Only ~ 2% of incidents resulted in breaches –Source: 2014 Verizon Data Breach Investigation Report
The Problem: Identity Theft, Fraud and Data Breaches: Challenges, Costs & Trends
Source: 2012 Study of Industry Losses Paid Out
HOW VICTIMS' INFORMATION IS MISUSED, 2013 (1)
Type of Identity Theft/Fraud              Percent
Attempted identity theft                   7%
Bank fraud (2)                             8%
Credit card fraud                         17%
Employment-related fraud                   6%
Government documents or benefits fraud    34%
Loan fraud                                 4%
Other identity theft                      24%
Phone or utilities fraud                  14%
(1) Percentages are based on the total number of complaints in the Federal Trade Commission's Consumer Sentinel Network (290,056 in 2013). Percentages total to more than 100 because some victims reported experiencing more than one type of identity theft (16% in 2013).
(2) Includes fraud involving checking and savings accounts and electronic fund transfers.
Source: Federal Trade Commission
Fines Regulators Impose Represent a Major Source of Economic Loss in Data Security Events
The Problem: Data Breaches Are Expensive
Average cost* per breach was $3.7 million ($2.4 million in 2011)
–Total claim cases in study = 135
–Claim range = $2K to $76 million
–Claim cost mode = $25K to $200K (most typical claim)
Average cost** per record was $3.94
–Average records lost = 1.4 million (range was 1 record to 17 million records)
Legal (defense & settlement) represents the largest portion of costs incurred
–Average cost of defense: $582K
–Average cost of settlement: $2.1 million
Crisis services costs (forensics, legal counsel, notification & credit monitoring) average about $983K per event
Source: 2012 Study of Industry Losses Paid Out
*Average calculated on all breaches that reported claims paid
**Average calculated on breaches that reported BOTH number of records & payouts, less 2 large claims of 100 million records each
The Cost of a Breach (and Other Cyber Events)
Direct Costs
–Discovery/data forensics
–Notification costs
–Identity monitoring costs
–Real-time crisis management costs
–Additional security measures, remediation
–Lawsuits
–Regulatory fines
Indirect Costs
–Loss of customer confidence
–Executive management distraction from core business objectives
–Loss of employee productivity
–Lost sales
–Higher customer acquisition costs
–Lower stock price
–Loss to reputation/brand
Similar costs for other cyber events = reputational risk
Information Risk Insurance Marketplace
Robust market, up to $300-400 million of market capacity
First Party Exposures
–Data Breach Management
–Cyber Extortion
–Business Interruption Income/Extra Expense
–Data Asset Protection
Third Party Liability
–Privacy Liability
–Network Security Liability
–Privacy Regulatory Defense Costs
–Media Liability
Examples of Data Security Incidents Affecting SMBs
Reality: Self-Aggrandizing Employees
A temporary employee sends 4,000 workers compensation claims files to his personal email address
Precipitous remedial action taken by immediate supervisor
Tracking down the data
Forensic examination establishes no unauthorized viewing
Importance of having an Incident Response Plan and following it
Reality: Keeping Obsolete Information Is Fatal
Workers compensation claim file auditor with its own servers and no data destruction policy
Burglary results in loss of the servers, which were not encrypted
Many hundreds of thousands of records are presumed to have been compromised
Projected notice costs of $480,000 exceeded the net worth of this small business
Protection sought via a Chapter 7 liquidating bankruptcy
When PHI is involved, upstream players are potentially liable for downstream breaches; you can do everything right and still have exposure
Reality: Difference Between Poorly and Well Handled Incidents Is Huge
Poorly Handled
–Suspected breach only
–Thousands of PHI records
–Delay of more than 1 year before reporting
–No risk assessment
–No remedial action after the event
–Regulators highly critical: $400,000 fine and 2-year remedial action plan
–Legal costs
Well Handled
–Actual breach
–Over 10,000 PHI records
–Prompt initial investigation and timely reporting
–Undocumented events that could qualify as a risk assessment were reconstructed and presented via affidavits
–Prompt assessment and remedial action taken where needed
–No regulatory action
–Legal costs
Key Factors that Influence the Cost of a Data Breach According to Symantec/Ponemon Institute, the following have a direct influence on reducing the cost of a breach. –The organization had an incident management plan in place. –Consultants were engaged to help remediate the data breach. –Speed of team engagement and recognizing scope of risk. –Proactively managing as opposed to reacting. –Pre-approved communications materials.
Principles of Crisis Management for Cyber Events: BEFORE
Not all events are equal or require the same level of response, so escalation criteria need to be clear.
Identify the outside resources you will need and define when, and who, makes the decision to engage them.
Make sure your process is understood by those who will have to implement it.
–Train and practice, practice, practice.
–Even the best plan won't help if executives don't know what to do.
Additional considerations
–Do you extend your data security policies to your suppliers? Vendors? Does that change how you respond?
–Beyond meeting minimum legal notification requirements, what level of protection are you prepared to offer?
–When and what do you communicate to non-impacted employees or customers, your board, business partners, etc.?
Following the Incident Response Plan: DURING
Understand the scope
–Forensic analysis
–What kind of data has been lost? Financial, personal, strategic? Confidential business information?
A crisis must be managed (not simply responded to)
–Activate the Incident Response Team to coordinate decisions across the enterprise
Crises do not happen in a vacuum
–Understand the potential for spillover into unrelated areas
–What else is going on? New leadership? Budget negotiations? Major events/deals?
Demonstrate concern, commitment, and control
Recognize that response and priorities can often be complicated by the requirements of law enforcement, including the Secret Service, FBI, etc.
Understand your legal and regulatory obligations, including notification/public disclosure and timing, to help set priorities and inform decision-making.
Understand the communications expectations of all your stakeholders and ensure message consistency.
Principles of Crisis Management for Cyber Events: AFTER
1. Conduct a post-incident review immediately to understand:
–Damage to stakeholder opinion, reputation (and other impacts).
–Effectiveness of response.
–Effectiveness of established procedures.
2. Learn from your mistakes and successes
–Assess IT security program, gaps, internal educational efforts, etc.
–Revise/update crisis management program and incident response plans.
3. Assess reputational impact
–It takes approximately three-and-a-half years for an organization to recover from a reputational failure.
Phases of Crisis Management/Response for Cyber Security Events
Before – Preparedness: planning, training and exercising, program, governance
–Analyze capabilities, needs, risks, vulnerabilities.
–Develop/prepare advance strategies: design and enhance programs for cyber events, IT, HR, crisis management, reputational risk, strategic communications.
–Practice: training and exercises (team and integrated).
During – Real-time crisis management, mitigation
–Real-time crisis response: implement plans, seek expert guidance and support to manage the corporate response, mitigate potential damage, protect brand and reputation.
After – Review, repair and recover
–Review and repair any damage. Rebuild and strengthen relationships with stakeholders. Improve processes/plans.
Takeaways
The issue of data breach that businesses face is not if, but when
Businesses need to minimize exposure: create systems to protect data, respond appropriately, and use insurance to cover response costs
Human beings are inventive; despite the best policies, non-compliance and resulting breaches will occur
Your crisis management skills will serve you well when paired with subject matter experts