
Webinar: Don’t Be a Victim to Cyber Liability Risks


License No. 045127

Thank you for joining us. We have a great many participants in today’s call. Your phone is currently muted so that the noise level can be kept to a minimum. If you have not yet joined the audio portion of this webinar, please click on Communicate at the top of your screen, and then Join Teleconference. The dial-in information will appear. If you have any questions, you can send them to the host using the Chat feature in the bottom right corner during the webinar. The webinar will start momentarily. © 2014 Keenan & Associates

Don’t Be a Victim to Data Breach Risks

Protecting Your Organization From Data Breach and Privacy Risks


Protecting Your Organization From Data Breach and Privacy Risks

Presented by:

• Brad Keenan, Cyber Specialist, Keenan
• Kyle McKibbin, Cyber Specialist, Keenan


Cyber Summary

• Cyber Risk and Data Breaches
  – Overview
  – Where are the exposures?
  – How much of a financial impact do they have?
• Data breach examples
• Cyber Risk Management
  – Risk retention
  – Risk control
  – Risk transfer


Myths about Cyber Security

• ALL Cyber Breaches are Preventable
• “The IT Team is on top of it”
• Cyber Theft/Data Breach is about credit cards
• Big Corporate Companies are most at-risk
• External hackers are the biggest security risk


National Headlines

• 40 Million Individuals; $148 Million Loss
• 24 States; 51 Stores
• $4.8 Million HIPAA Fine
• 350,000 credit cards; $4.1 Million Loss
• 56 million credit cards; Unknown Loss


School Districts


Healthcare Organizations


Municipalities


Data Breach

A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.


Important Records

• Student records
• Employee records
• Credit card information
• Financial aid records
• Job applicant records
• Tax ID information
• Utility payment records
• Citation payment records
• Patient records
• Health plan records and ID numbers


Exposures

INTERNAL
• Lost or stolen laptops, computers, flash drives or other storage devices
• Backup tapes misplaced or lost in transit
• Rogue employees
• Inadequate computer-use policies
• Weak IT Infrastructure
• Employee Negligence

EXTERNAL
• IT consultants/vendors
• Internet and network access points
• Sale, donation or disposal of old office equipment (desks, file cabinets, copiers) that contain employee records
• Viruses or Malware
• “Dumpster diving”


Why Are Organizations at Risk?

• Resource Size
  – Less sophisticated safeguards
  – Less dedicated manpower may lead to delayed or no detection
  – Fewer resources to use to recover vs. big business
• Ability to React
  – Detect/report a breach
  – Notify/assist affected individuals
  – Reimburse individuals for actual losses


Regulation & Notification Laws

• Federal guidelines
  – HIPAA
  – Payment Card Industry Data Security Standard (PCI-DSS)
  – Driver’s Privacy Protection Act (DPPA)
• Notification and consumer protection laws vary from state to state as to who must be notified and the manner of notification
• 47 states (including California) and D.C. have separate breach laws in place as of 2/6/12
  – AB 1149 (effective January 1, 2014)
  – SB 46 (effective January 1, 2014)


Per Person Cost of a Breach

Bar chart of per-person breach cost by industry, according to 2014 Ponemon Institute Study:

• Healthcare: $316
• Transportation: $286
• Education: $259
• Energy: $237
• Financial: $236
• Services: $223
• Communications: $219
• Pharmaceutical: $209
• Industrial: $204
• Consumer: $196
• Media: $183
• Technology: $181
• Public: $172
• Retail: $125
• Hospitality: $93
• Research: $73


Real Life Example #1

• Healthcare industry
• Children’s health system
• 1.6 million patients and employees affected
• Lost three unencrypted computer backup tapes during a building remodeling project
  – Patient billing
  – Employee payroll
• $316 x 1.6M = Could you absorb this loss?


Real Life Example #2

• Local Community College
• Confidential records for 35,212 students were mistakenly emailed to an unknown account
• The employee used a personal email account to send the data to the researcher’s personal email address because the data file was too large to go through the district’s secure, encrypted email server
• The incident is costing about $290,000


Real Life Example #3

• Southern California City
• CalPERS payment document was accidentally posted to the Water District’s website
• Document contained personal information, including names and SSNs
• Information of employees and former employees who were enrolled in CalPERS during July 1986-October 2011


Risk Management Strategies

Risk Transfer

• Cyber Liability Insurance (Data Breach/Privacy)
  – A risk management option that reduces the out-of-pocket cost related to data breaches
• Vendor Management
  – Cloud/Data management provider
  – Data is held by a 3rd party vendor


Cyber Liability: First-Party Coverage

Loss of Data
  – Costs for repair and restoration of computer programs and electronic data

Cyber Extortion
  – Covers extortion threats to commit an intentional computer attack against the insured

Crisis Management
  – Costs for hiring a public relations firm to mitigate negative publicity
  – Security experts to come in and assess the scope of the breach and determine a plan of action
  – Costs to comply with multiple state breach notice laws
      – Notification requirements
      – Credit monitoring for detecting fraud


Cyber Liability: Third-Party Coverage

Network and Information Security Liability
  – To defend and indemnify claims for breach of security and access to protected information

Regulatory Defense Expenses
  – Defense costs and claims expenses involved with the regulatory action taken against you resulting from a data breach.


Policy Benefits

Loss Prevention Services

• In-depth knowledge of the risk and specific exposures
• Training and compliance solutions
• IT Security Assessment services
• Consultations
• Proactive computer security services


3rd Party Contractual Language

1) Seek defense/indemnity for breach of information security

2) Seek proof of insurance and adequate limits, perhaps even contract specific limits

3) Beware of limitation of liability provisions, limiting to amount of the contract


Risk Management Strategy

• Risk retention


Risk Management Strategy

Risk Control

• Insider misuse
• Physical theft/loss
• Miscellaneous errors


Protect Your Organization

• Privacy/Breach Mitigation Program:
  – network authentication
  – credit card security
  – data back-up
  – complex passwords & physical security controls
  – encrypted laptops/access
  – file purging
• Assess your exposures, including employees, students, parents/guardians, volunteers, vendors, contractors, residents, customers, and patients
• Evaluate your potential costs and liabilities in connection with a breach
  – Identify and track the life cycle of information in your organization


Questions?

Disclaimer – Keenan & Associates is an insurance brokerage and consulting firm. It is not a law firm or an accounting firm. We do not give legal advice or tax advice and neither this presentation, the answers provided during the Question and Answer period, nor the documents accompanying this presentation constitutes or should be construed as legal or tax advice. You are advised to follow up with your own legal counsel and/or tax advisor to discuss how this information affects you.


Innovative Solutions. Enduring Principles.


Thank you for your participation!