November, 2014--Limiting Risk in Your Cyber Community

advertisement
Limiting Risk in Your Cyber
Community
Gordon J. Calhoun, Esq.
Lewis Brisbois Bisgaard & Smith LLP
Highlights
• The incontrovertible benefits of cyberspace as well as
how to protect against the dark side, which exists in any
community
• Some of the many lessons learned in the last year since
the Target breach was reported
• Using cyber risk insurance to complete your risk
management program
• Immediate, inexpensive ways to improve data security
and minimize liability
21st Century Cyber World Is Wonderful
• Globalization (You are everywhere)
– International relationships
– New vendors
– New customers
• Communication (Instantaneous)
– Text messaging
– Social media
– Emails
– Video streaming
• Cost Effectiveness (Virtual world)
– Faster speed saves time which either
saves or makes money.
– Automated and streamlined processes
reduce labor costs
A More Realistic Picture of the Threat
Price Waterhouse Coopers The Global State of
Information Security® Survey 2015
Data Security Incidents and Presumptive
Breaches Occur Every Minute
• 90 percent of business acknowledge at least 1 data
security event in the last year; frequency is greatly
understated
• We live in a “Bring Your Own Device” (“BYOD”) world
• 112 smartphones are lost or stolen every minute –
that’s 57 million data security incidents per year in the
United States
• Add in lost or stolen lap tops, flash drives, etc.
• Add in malicious insiders, criminal and government
sponsored hackers (reconnaissance and disruption),
and critical infrastructure attacks
• The issue is not if, but when and how often
How Is Stolen Data Marketed?
What Is Most Valuable to Cyber Criminals?
Top 10 Breaches of Personal Records
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Court Ventures
Adobe
eBay
Heartland Payment Systems
Target
TJX retail stores
U.S. Military Veterans
Evernote
LivingSocial
CardSystems
October 21, 2013
September 18, 2013
May 21, 2014
January 20, 2009
November 04, 2013
January 17, 2007
October 02, 2009
February 13, 2013
April 04, 2013
June 16, 2005
This does not include significant breaches in 2014, including:
1. Russian crime syndicate
2. Home Depot
3. JPMorgan
200.0M
152.0M
145.0M
130.0M
110.0M
100.0M
76.0M
50.0M
50.0M
40.0M
1,200.0M
56.0M
76.0M + 7.0M SMBs
Bloomberg Visual Data 9/4/2-14 sourced from
Privacy Rights Clearinghouse
Street Prices for Purloined Data
What Happens When Data Gets Hacked?
Screen Shot of Underground Bazaar
Selling Credit Cards Hacked from Target
Graphic Ads for Stolen Credit Cards
Hacked Credit Card Numbers Lose Value
Quickly Under Glare of Public Scrutiny
More Publicity Causes Hacked Cards to
Lose Value Faster
Are Hacked Email Accounts Worth
More than Credit Cards?
Cyber Crime Trends
17
Cyber Crime Statistics
• 2012 Verizon Report: Targeting of smaller
businesses is common
– Less security spending, training, infrastructure
Cyber Crime Statistics
• Breaches and Incidents reported 2013, and cumulative since 2011
NOTE: Only ~ 2% of incidents resulted in breaches
– Source: 2014 Verizon Data Breach Investigation Report
The Problem: Identity Theft, Fraud and Data
Breaches: Challenges, Costs & Trends
Source 2012 Study of
Industry Losses Paid Out
HOW VICTIMS' INFORMATION IS MISUSED, 2013 (1)
Type of Identity Theft/ Fraud
Attempted identity theft
Bank fraud (2)
Credit card fraud
Employment-related fraud
Government documents or benefits fraud
Loan fraud
Other identity theft
Phone or utilities fraud
Percent
7%
8%
17%
6%
34%
4%
24%
14%
(1) Percentages are based on the total number of complaints in the Federal Trade Commission’s Consumer Sentinel
Network (290,056 in 2013). Percentages total to more than 100 because some victims reported experiencing more than
one type of identity theft (16% in 2013).
(2) Includes fraud involving checking and savings accounts and electronic fund transfers.
Source: Federal Trade Commission
Fines Regulators Impose Represent a Major Source of
Economic Loss in Data Security Events
The Problem: Data Breaches Are Expensive
•
Average cost* per breach was $3.7 million ($2.4 million in 2011)
– Total claim cases in study = 135
– Claim range = $2K to $76 million
– Claim Cost mode = $25K to $200K (most typical claim)
•
Average cost** per record was $3.94
– Average records lost = 1.4 million (range was 1 record to 17 million records)
•
Legal (Defense & Settlement) represents the largest portion of costs incurred
– Average Cost of Defense $582K
– Average Cost of Settlement $2.1 million
•
Crisis Services costs (forensics, legal counsel, notification & credit monitoring) average
about $983K per event
*Average calculated on all breaches that reported claims paid
** Average calculated on breaches that reported BOTH # of records & payouts, less 2
large claims of 100 million records each
Source 2012 Study of
Industry Losses Paid Out
The Cost of a Breach (and Other Cyber
Events)
Direct Costs
• Discovery/Data forensics.
• Notification costs.
• Identity monitoring costs.
• Real-time crisis management
costs.
• Additional security measures,
remediation.
• Lawsuits.
• Regulatory fines.
Indirect Costs
• Loss of customer confidence.
• Executive management
distraction from core business
objectives.
• Loss of employee productivity.
• Lost sales.
• Higher customer acquisition
costs.
• Lower stock price.
• Loss to reputation/brand.
Similar Costs for other Cyber Events = Reputational Risk
INFORMATION SECURITY
INSURANCE OVERVIEW
Information Risk Insurance Marketplace
• Robust market up to $300-400 Million of market
capacity
• First Party Exposures
–
–
–
–
Data Breach Management
Cyber Extortion
Business Interruption Income/Extra Expense
Data Asset Protection
• Third Party Liability
–
–
–
–
Privacy Liability
Network Security Liability
Privacy Regulatory Defense Costs
Media Liability
28
Examples of Data Security Incidents Affecting SMBs
29
Reality: Self-Aggrandizing Employees
• A temporary employee sends 4,000 workers
compensation claims files to his personal email address
• Precipitous remedial action taken by immediate
supervisor
• Tracking down the data
• Forensic examination establishes no unauthorized
viewing
• Importance of having an Incident Response Plan and to
follow it
Reality:
Keeping Obsolete Information Is Fatal
• Workers compensation claim file auditor with its own servers and
no data destruction policy
• Burglary results in loss of servers, which were not encrypted
• Many hundreds of thousands of records are presumed to have
been compromised
• Projected notice costs of $480,000 exceeded the net worth of this
small business
• Protection sought via a Chapter 7 liquidating Bankruptcy
• When PHI is involved, upstream players are potentially liable for
downstream breaches; you can do everything right and still have
exposure
Reality: Difference Between Poorly and
Well Handled Incidents Is Huge
Poorly Handled
•
•
•
•
•
•
•
Suspected breach only
Thousands of PHI records
Delay of more than 1 year before
reporting
No risk assessment
No remedial action after the
event
Regulators
highly
critical:
$400,000 fine and 2 year
remedial action plan
Legal costs
Well Handled
•
•
•
•
•
•
•
Actual breach
Over 10,000 PHI records
Prompt initial investigation and
timely reporting
Undocumented events that could
qualify as a risk assessment were
reconstructed and presented via
affidavits
Prompt assessment and remedial
action taken where needed
No regulatory action
Legal costs
Best Practices for
Dealing with a Data Breach
Key Factors that Influence the Cost of a
Data Breach
According to Symantec/Ponemon Institute, the following
have a direct influence on reducing the cost of a breach.
– The organization had an incident management plan
in place.
– Consultants were engaged to help remediate the
data breach.
– Speed of team engagement and recognizing scope
of risk.
– Proactively managing as opposed to reacting.
– Pre-approved communications materials.
Principles of Crisis Management for Cyber
Events: BEFORE
•
Not all events are equal or require the same level of response so escalation
criteria needs to be clear.
• Identify outside resources that you will need and define when and who
makes the decision to engage them.
• Make sure your process is understood by those who will have to implement
it.
– Train and practice, practice practice.
– Even the best plan won’t help if executives don’t know what to do.
• Additional considerations
– Do you extend your data security policies to your suppliers?
– Vendors? Does that change how you respond?
– Beyond meeting minimum legal notification requirements, what level of
protection are you prepared to offer?
– When and what do you communicate to non-impacted employees or
customers, your board, business partners, etc.?
Following the Incident Response Plan: DURING
•
Understand the scope
–
–
•
A crisis must be managed (not simply responded to)
–
•
•
•
Activate Incident Response Team to coordinate decisions across the enterprise
Crises do not happen in a vacuum
–
–
•
•
Forensic analysis
What kind of data has been lost? Financial, personal, strategic? Confidential business
information?
Understand the potential for spillover into unrelated areas
What else is going on? New leadership? Budget negotiations? Major events/deals?
Demonstrate concern, commitment, and control
Recognize that response and priorities can often be complicated by
requirements of law enforcement, including secret service, FBI, etc.
Understand your legal and regulatory obligations, including notification/public
disclosure, timing, to help set priorities and inform decision-making.
Understand the communications expectations of all your stakeholders and
ensure message consistency.
Principles of Crisis Management for Cyber
Events: AFTER
1. Conduct a post-incident review immediately to understand:
– Damage to stakeholder opinion, reputation (and other impacts).
– Effectiveness of response.
– Effectiveness of established procedures.
2. Learn from your mistakes and successes
– Assess IT security program, gaps, internal educational efforts,
etc.
– Revise/update crisis management program and incident
response plans.
3. Assess reputational impact
– It takes approximately three-and-a-half years for an organization
to recover from a reputational failure.
Phases of Crisis Management/Response for
Cyber Security Events
Analyze capabilities, needs, risks,
vulnerabilities.
Before
Before
Develop/Prepare Advance Strategies:
Design, enhance programs for cyber
events, IT HR, crisis management,
reputational risk, strategic
communications.
Preparedness:
Preparedness:
Planning,
Training
and and
Planning,
Training
Exercising, Program,
Exercising,
Program,
Governance
Governance
Practice: Training and exercises
(team and integrated).
After
After
Review,
Review,
Repair
and
Recover
Repair
and
Recover
Repair and Recover: Review
and repair any damage. Rebuild
and strengthen relationships with
stakeholders. Improve
process/plans.
Real-Time Crisis Response:
implement plans, seek expert
guidance and support to manage
corporate response, mitigate
potential damage, protect brand
and reputation.
During
During
Real -Time
Real
-Time
Crisis
CrisisManagement,
Management
mitigation
Takeaways
• Issue of data breach businesses face is not if, but when
• Businesses need to minimize exposure; create systems
to protect data; respond appropriately and use insurance
to cover response costs
• Human beings are inventive; despite the best policies,
non-compliance and resulting breaches will occur
• Your crisis management skills will serve you well when
paired with subject matter experts
Download