On The Cutting Edge! Cyber Security: Pre & Post Breach
Oliver Brew, Liberty International Underwriters
John Mullen, Sr, Lewis, Brisbois, Bisgaard & Smith
Charles Beard, PwC
Amy Stanphill, Eisenhower Medical Center
Theodore Kobus, III, Baker Hostetler
David Lewison, AmWINS Brokerage Group
28th Annual Blue Ribbon Conference – May 4-8, 2014
Proprietary and Confidential

Agenda
• Eisenhower Medical Center case study (45 mins)
• Short break (5 mins)
• Cyber security issues, pre-breach planning, issues and trends (70 minutes)
  – Questions at end of each section
  – 2 CE credits

Eisenhower Medical Center
• Case Study:
  – Incident Facts
  – Claims and Coverage
  – Incident Consequences
  – Lessons Learned
  – Recommendations

Eisenhower Medical Center
• Coachella Valley not-for-profit hospital
• High quality, compassionate care for over 40 years and accredited teaching hospital
• Main Campus in 130 acres within Rancho Mirage:
  – 476-bed hospital, Annenberg Center for Health Sciences at Eisenhower
  – Barbara Sinatra Children's Center at Eisenhower
  – Outpatient facilities in Palm Springs, Cathedral City, Rancho Mirage and La Quinta
  – Betty Ford Center
• Philanthropy and volunteerism allow EMC to fulfill its mission

EMC Case Study
• Friday, March 11, 2011 – Television and computer stolen from EMC
• Monday, March 14, 2011 – Discovered when employee arrived at work after weekend

EMC Case Study
• Is it a breach?
• Do you involve law enforcement?
• Do you hire a forensics company?
• Do you retain counsel?
• Do you involve regulatory agencies?
• Is crisis management necessary?
• Do you offer credit monitoring?
• Do you get relief from a “law enforcement” delay?

EMC Case Study
• Immediate First Steps:
  – Investigation
  – Law enforcement
  – Insurance
  – Outside counsel
  – Forensics
  – Crisis management

EMC Case Study
• Investigation:
  – Computer was password protected, but not encrypted
  – Computer contained limited patient index information used by EMC
  – Information in index file included: patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record numbers (MRNs)
  – No medical records on the computer
  – No financial or insurance information on the computer

EMC Case Study
• Notification – March 30, 2011:
  – Over half a million patients affected
  – Limited personal data
  – Notified in less than 3 weeks from theft
  – Credit monitoring vendor
  – Mailing and call center vendor
  – Media
  – Substitute notice
  – Agency notifications

EMC Case Study
• Post-notification:
  – Patient inquiries and concerns
  – Public relations
  – State and federal agency inquiries and investigation
  – Litigation
  – Internal policy and procedure review

EMC Case Study
• Cost of response:
  – Forensics
  – Notification costs
  – Credit monitoring
  – Call center
  – Crisis response
  – Legal fees
  – Defense costs/settlement expenses
  – Regulatory fines

EMC Case Study
• Insurance implications
• Communications
• Proactive measures

EMC Case Study
• Lessons learned:
  – Prepare and practice a response plan
  – Respond quickly
  – Bring in the right team
  – Preserve evidence
  – Contain and remediate
  – Let the forensics drive the decision making
  – Law enforcement
  – Document analysis
  – Involve the C-Suite
• Be guarded, consistent, and honest in communications
  – Plan for likely reaction of customers, employees and key stakeholders
  – Mitigate harm

Short Break

Facebook funding…

Topics
• Brief history
• Scope of data
• Internal and external threats
• Regulatory issues
• Litigation trends
• Practical tips
• Future gazing

A brief history
Then (1998) … and now (2014):
  – Percentage of developed world using internet: 17% → 77%
  – Data storage cost: $60/GB → 5₵/GB
  – Number of smartphones: 0 → 1.5 billion

Insurance history lesson
• 1997: First ‘internet liability’ policy written
• 1999: Y2K catalyst to focus on technology risk
• 1999 – 2002: Dot-com bubble - first phase growth
• 2003: CA 1386 (first notification law)
• 2005 – 2010: Breaches on the rise and increasing regulation
  – 2007: TJX breach
  – 2009: Heartland Payment Systems
• 2013: HIPAA final rule
• Compared to auto insurance…?

Data breach history
[Chart: Total Cyber Events and Records Breached* (2004 – 2013) – number of events and record count per year, peaking at 450m records. *Only depicting events with losses >30K records]

Range of industries impacted
[Chart: Cyber Events By Industry (2009 – 2014), US companies only – Financial services, Government, Education, Healthcare]

What information is at risk?
• Personally identifiable information (PII) – email addresses, zip codes, phone numbers?
• Protected Health Information (PHI)
• Payment Card Industry (PCI) information

Threat landscape
• Internal threats: employee risk (malicious / inadvertent)
• External threats
• Regulatory regime
• Litigation on the increase

Internal threats
• Employee SNAFUs – 65% of data breaches due to lost paper files and devices*
• Malicious intent
• Poor practices
*Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) survey, Nov 2013

Hacking: the glamorous threat
• Hacktivism - Anonymous
• Organized financial crime
• “Just because I can”
• State sponsored…?

Why the concern?
• Costs: breach response
• Reputation: 76% of potential victims will close account with an organization if a breach occurs
  – 65% would publicly expose a company for failure to safeguard information
• Litigation: 53% would be willing to sue
Source: Unisys Security Index, Lieberman Researcher Group & Newspoll

State Regulations: notice
• 46+ states require notice to customers
  – Required time to notice: most expedient manner possible (no later than 45 days in FL, OH, and WI)
• Affirmative state laws (e.g. NV, MA)
• Issues: competing definitions of “Breach” and other terms

Other regulations
• HIPAA / HITECH is 2009 expansion of Health Insurance Portability and Accountability Act (HIPAA)
  – Notice within 60 days when PHI is breached
  – Requires notice to Secretary of HHS (within 60 days if breach involves 500 or more)
  – Allows State AGs to bring civil actions for HIPAA violations including failure to notice
• PCI DSS – contractually driven obligations from card brands

Litigation trends
• Injury and Standing
  – Tri-West, Starbucks, Hannaford
• FTC v Wyndham
• Curry v AvMed

Prevention and preparation
“We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.” - Zappos CEO Tony Hsieh
“Everyone has a plan… until they get punched in the face” - Mike Tyson

Safeguard controls
• People: proper security budget and vigilance
• Processes: ISO27002, HITECH ready; employee education and training; written management processes; breach response plan
• Technology: firewalls; intrusion detection software; hardened and patched servers (tested); encryption of PII

Practical issues on data risk
• Education and culture
• Handheld devices - BYOD
• Data hygiene (e.g. passwords)
• Effective encryption

Practical issues on data risk
• Mock breaches – aka “tabletop exercises”
• Limit online access to data storage servers
• Destruction of hard drives to remove all PII

The future
• $5Bn market before 2020*
• Continued expansion of buyers
• Market consolidation:
  – Specialists
  – Everyone else offering add-on
• IT risk integrated as part of enterprise risk management
• Network risk only increasing
*Advisen Research

Questions?

Thank You!
Oliver Brew, oliver.brew@libertyiu.com
John Mullen, Sr, john.mullen@Lewisbrisbois.com
Charles Beard, charles.e.beard@us.pwc.com
Amy Stanphill, AStanphill@emc.org
Theodore Kobus, III, tkobus@bakerlaw.com
David Lewison, david.lewison@amwins.com
28th Annual Blue Ribbon Conference – May 4-8, 2014