May 17, 2011
Eric M. Wright, CPA, CITP
PRESENTER
Shareholder, Technology Advisory Services
Schneider Downs & Co., Inc.
L. Spencer Timmel, CITRMS
PRESENTER
Privacy and Network Security Specialist
Hylant Executive Risk Practice
• Privacy Related Risks – What are we talking about?
• Legal Perspective
• Target Industries
• Privacy Incident Loss Examples
• Unplanned Cash Flows
• Privacy Incident Costs
• Traditional Insurance Policy Gap Analysis
• Mitigating the Risk and Questions for your IT Staff
• Cyber/Privacy Products
• Evaluating Insurance as an Option - What should you expect?
Personally Identifiable Information (PII):
– An individual's name (first name or first initial and last name) in combination with one or more of:
• Social Security Number
• Driver's License Number or State Identification Number
• Credit Card, Debit Card or Financial Account Numbers
Protected Health Information (PHI):
– Any information that relates to the past, present, or future physical or mental health or condition of an individual, whether held electronically, on paper or communicated orally
State Privacy Breach Notification Law
– 48 states/territories with legislation, including D.C. and Puerto Rico
– Kentucky and Alabama have introduced bills
– South Dakota and New Mexico have yet to make a move
– Massachusetts: A bit watered down since its initial form, but still requires organizations who do business in the state to inventory personal information and educate employees about safeguards
– Which law applies is determined by the state where the affected individual resides, not where you are headquartered or where the breach occurred
Health Insurance Portability and Accountability Act (HIPAA)
“…maintain a reasonable and appropriate administrative, technical, and physical safeguard to prevent use or disclosure of protected health information.”
Federal Privacy Breach Notification Law:
“not yet, but…” Obama’s recent push & Kerry/McCain Privacy Bill of Rights
Gramm-Leach-Bliley Act (GLBA)
– Applies to businesses engaged in traditional banking, lending and insurance functions
– Privacy and Safeguards Rules (the safeguards language of Section 501(b) is quoted below)
“…insure the security and confidentiality of customer information: protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer”
“FACT” Act (Red Flags Rule)
– Creditors and Financial Institutions with covered accounts
– Implementation of an Identity Theft Prevention Program that accomplishes the following:
1. Identify and outline “Red Flags”
2. Monitor for and detect “Red Flags”
3. Mitigate when “Red Flags” are detected
4. Update the Identity Theft Prevention Program periodically
• Retail
• Healthcare
• Financial Services
• Colleges, Universities and Municipalities
• Data Processors and Data Storage Companies
• Heartland Payment Systems (01/09): 130 million credit card numbers breached
• Sony Corp (04/11): 102 million records, 12 million credit card numbers; dual attack
• Michaels Stores (05/11): 10,000 credit card numbers; PIN pad tampering
• Starbucks (11/08): 97,000 employee Social Security numbers; lost laptop
• HealthNet (01/11): 1.9 million PHI records; 9 servers missing
• HealthNet (05/09): 1.5 million PHI records; portable disk drive missing
• BC/BS Tennessee (10/09): 1 million+ PHI records; 57 hard drives stolen
• State University (12/10): 750,000 PII records; unauthorized access
• E-mail data management firms (12/10) & (03/11)
• State and/or Federally Mandated Notification Costs
• Forensic Investigation, Data Restoration Expenses, Asset Damage
• Brand Preservation:
Voluntary Notification, Credit Monitoring, Public Relations Expense
• Defense and Indemnity Expense from 3rd-Party Allegations
• Regulatory Defense Costs
• Regulatory / PCI Fines and Penalties
• Business Income Loss
Summary of Ponemon Institute, LLC's 2010 Annual Study: Cost of a Data Breach:
– Continued trend of increasing average cost per breach and cost per record: $7.2 million (+7%) and $214 (+5%), respectively.
– Direct costs (legal counsel, notification letters, credit monitoring, etc.) increased 22% to $73 per record; the increase is driven by rising legal defense costs.
Cost per record by industry class (overall average: $214):
– Education: $112
– Retail: $185
– Healthcare: $301
– Financial Institutions: $353
Ponemon Institute 2010 (cont.)
• The share of data breaches caused by malicious attacks is up 7 points from 2009, after doubling the year before. The cost per compromised record for these breaches has risen to $318, reinforcing the outsized danger hostile breaches pose compared with negligence or system glitches.
• Class action suits from breach victims have yet to gain traction because it is difficult to prove damages. (It's just a matter of time, Sony? RockYou?)
• More organizations favor rapid response than ever before, but it seems to be costing them: notifying within one month of discovery increases the cost per record by $94, to $268. Is this tied to overreaction, a business decision to protect the brand, or a response to more stringent data breach notification laws?
General Liability Insurance – Coverage for bodily injury or property damage
- Intentional acts are excluded
- Intangible property is excluded
Property Insurance – Coverage for loss of tangible property caused by a covered peril
- Computer viruses are excluded
- Intangible property is excluded
- Business interruption coverage only applies if there has been a direct physical loss or damage to covered property
Crime Insurance – Coverage for theft of money, securities or other property
- No coverage for theft of information, trade secrets and other types of confidential information
Directors & Officers Liability Insurance – Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity as such
There are several ways that Risk Management can help to mitigate the risk of cyber-related losses:
1. Understand the role of IT and their perspective on this area of risk (How do they prevent internal and external breaches? Where are the vulnerabilities? What has been the history of breach incidents? What is the process for responding to a breach, and how is RM involved in that process?)
2. Evaluate contracts with outside service providers, specifically 3rd-party IT, data storage or data processing vendors
3. Require and obtain certificates of insurance for both Professional E&O and Privacy/Cyber Liability coverage
4. Commission an outside quiet audit by a third-party IT security assessment firm
5. Evaluate the need for insurance as a "safety net" behind other internal and external safeguards
Top Data Breach Prevention and Detection Controls to Ask
1. Sensitive Data Storage
• Do we know what types of sensitive data (if any) we have and how we are storing and transmitting it?
• Have we performed a risk assessment to understand what kind of impact a breach may have on our organization?
2. Access to Sensitive Data
• Have we restricted access to sensitive data and systems appropriately? (Unique accounts, strong passwords, etc.)
3. Encryption
• Do we have encryption in place for:
– transmission of sensitive data files? (FTP)
– communications that may contain sensitive information? (E-mail)
– devices that contain sensitive information? (Laptops, backup media, etc.)
Top Data Breach Prevention and Detection Controls to Ask (cont.)
4. Server Patching
• Do we have a patch management solution in place to ensure that all critical patches are installed on our servers in a timely manner?
5. Firewall Protection
• Do we have a firewall in place whose rule set has been updated to reflect the most recent best-practice settings?
6. Intrusion Detection
• Do we have an appropriate solution in place to detect and alert us to suspicious activity taking place on our network?
7. Anti-Virus Protection
• Do we have a central anti-virus solution in place that updates all workstations and servers regularly?
Top Data Breach Prevention and Detection Controls to Ask (cont.)
8. Vulnerability Testing and Internal Control Reviews
• Do we regularly test our network resources and security to evaluate them for weaknesses?
• Do we evaluate our internal controls for weaknesses?
9. Information Security Policy
• Do we have a policy in place that addresses our approach to and internal requirements for information security, and our expectations of our employees?
10. Incident Response Plan
• Have we identified our responsibilities in the event of a data breach and the steps we need to take to reduce the damage and preserve forensic evidence of the breach and any data lost?
11. Know whom you're sharing your data with
• Do we have a strong vendor management policy?
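Control #1 above asks whether the organization knows what sensitive data it holds; the PII definition earlier on this page names Social Security numbers and payment card numbers as the elements that trigger notification duties. The following script is an added example (not part of the original presentation or either presenter's firm) of the first step of that data inventory: scanning text for candidate SSNs and card numbers and validating them so the report is not dominated by false positives. The sample records, column names and the `scan`/`summarize` function names are constructed for illustration; the SSN issuance rules and the Luhn check are the standard ones.

```python
"""Sensitive-data discovery scan for the PII elements named in the deck.

Added example. Finds candidate SSNs and payment card numbers in text,
validates them, and reports only masked values so the scan output does
not itself become a new store of PII.
"""
import re
from collections import Counter

# Loose candidate patterns; validation below removes most false positives.
# SSN: three/two/four digit groups, optionally separated by '-' or ' '.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Card: 13-19 digits, optionally separated by '-' or ' ' between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits in the report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return one finding per validated SSN or card number, with line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                digits = re.sub(r"\D", "", m.group(0))
                findings.append({"line": lineno, "type": "ssn", "value": mask(digits)})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "type": "card", "value": mask(digits)})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by type; this is the number that feeds a risk assessment."""
    return dict(Counter(f["type"] for f in findings))


# Constructed sample export (hypothetical people; card numbers are the
# public Visa/Mastercard test numbers, not real accounts).
SAMPLE = """\
# constructed sample data
emp_id,name,ssn,card
1001,Jane Doe,123-45-6789,4111 1111 1111 1111
1002,John Roe,000-12-3456,4111 1111 1111 1112
1003,Ann Poe,666-45-6789,5500 0000 0000 0004
1004,Bob Zoe,78051120,order-20110517
"""

if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        print(f"line {f['line']}: {f['type']} {f['value']}")
    print(summarize(results))
```

Run against the sample, only the first and third employee rows are reported: the second row's SSN has an unissued area number and its card number fails the Luhn check, and the 8-digit value in the last row is neither. In practice the same `scan` function is pointed at file shares, database exports and mail archives; the per-type counts from `summarize` are what the risk assessment in control #1 and the cost-per-record figures earlier on this page multiply out.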
Cyber/Privacy Liability coverage can provide protection for:
– Privacy Violations – Electronic and Non-Electronic
– Intellectual property infringement
– Security breaches
– Internet, network programming errors and omissions
– Business interruption causing loss of revenue and extra expense
– Destruction, disclosure and theft of electronic data
– Fines and Penalties and Punitive Damages
– Post-Event Crisis Management Expenses
– Regulatory Defense, Fines and Penalties Coverage
– Cyber Extortion
Market Place
– Market Evolution: Lloyd’s vs. Domestic
– Capacity
Exposure Analysis and Policy Review:
• Every policy is different and careful analysis of risk will allow the broker to tailor the most appropriate coverage at the most competitive price
• Work with a broker that is a technical specialist on this coverage – many of the policy forms available in the marketplace need to be enhanced in order to obtain the broadest available coverage
Obtaining a proposal:
• A relatively simple process – Depends on Industry, Size and Operations
• Application, Financials, conference call with IT Security or CIO
Hylant Group
As a member of Hylant Group's Executive Risk Practice, Spencer serves as the Cyber Security and Privacy Liability specialist. He provides consultative support to clients and oversees the placement of this and other Executive Risk insurance in all industry classes. Prior to joining Hylant, he was an Executive Protection Underwriter for the Chubb Group of Insurance Companies and the Cincinnati Insurance Company.
Bachelor's degree in Business, Finance from Ohio University
Master of Business Administration from Xavier University
Specialties
Cyber Security and Privacy Liability;
Directors and Officers Liability;
E&O Liability;
Employment Practices Liability;
Fiduciary Liability;
Crime/Workplace Violence/Kidnap/Ransom & Extortion Coverage
Contact Information: Office (513) 354-1656 Cell: (513) 518-1535 E-mail: spencer.timmel@hylant.com
Schneider Downs & Co., Inc.
Eric has been involved with Information Technology at Schneider Downs since 1983. He is responsible for the firm's IT compliance services. Eric has performed IT audits on a number of systems, including SAP, Oracle, J.D. Edwards and Lawson, and has a strong understanding of the application controls available in each of these systems. In addition to helping our clients with their SOX initiatives, he has assisted clients in becoming PCI-DSS compliant and ISO 27001 certified and has performed NIST security audits.
Bachelor's Degree in Mathematics and Computer Science from Waynesburg University
Member— Pennsylvania Institute of Certified Public Accountants
Ohio Society of Certified Public Accountants
The American Institute of Certified Public Accountants - M.I.S. and High Tech Division
Contact Information: Office (412) 697-5328 E-mail: ewright@schneiderdowns.com