Limiting Risk in Your Cyber Community
Gordon J. Calhoun, Esq.
Lewis Brisbois Bisgaard & Smith LLP

Highlights
• The incontrovertible benefits of cyberspace, as well as how to protect against the dark side that exists in any community
• Some of the many lessons learned in the year since the Target breach was reported
• Using cyber risk insurance to complete your risk management program
• Immediate, inexpensive ways to improve data security and minimize liability

21st Century Cyber World Is Wonderful
• Globalization (you are everywhere)
  – International relationships
  – New vendors
  – New customers
• Communication (instantaneous)
  – Text messaging
  – Social media
  – Emails
  – Video streaming
• Cost effectiveness (virtual world)
  – Faster speed saves time, which either saves or makes money.
  – Automated and streamlined processes reduce labor costs.

A More Realistic Picture of the Threat
[Figure: PricewaterhouseCoopers, The Global State of Information Security® Survey 2015]

Data Security Incidents and Presumptive Breaches Occur Every Minute
• 90 percent of businesses acknowledge at least one data security event in the last year; the true frequency is greatly understated
• We live in a “Bring Your Own Device” (“BYOD”) world
• 112 smartphones are lost or stolen every minute; that is 57 million data security incidents per year in the United States
• Add in lost or stolen laptops, flash drives, etc.
• Add in malicious insiders, criminal and government-sponsored hackers (reconnaissance and disruption), and critical infrastructure attacks
• The issue is not if, but when and how often

How Is Stolen Data Marketed? What Is Most Valuable to Cyber Criminals?

Top 10 Breaches of Personal Records
Rank  Organization                Date reported       Records
 1.   Court Ventures              October 21, 2013    200.0M
 2.   Adobe                       September 18, 2013  152.0M
 3.   eBay                        May 21, 2014        145.0M
 4.   Heartland Payment Systems   January 20, 2009    130.0M
 5.   Target                      November 04, 2013   110.0M
 6.   TJX retail stores           January 17, 2007    100.0M
 7.   U.S. Military Veterans      October 02, 2009     76.0M
 8.   Evernote                    February 13, 2013    50.0M
 9.   LivingSocial                April 04, 2013       50.0M
10.   CardSystems                 June 16, 2005        40.0M

This does not include significant breaches in 2014, including:
1. Russian crime syndicate    1,200.0M
2. Home Depot                    56.0M
3. JPMorgan                      76.0M + 7.0M SMBs

Source: Bloomberg Visual Data, 9/4/2014, sourced from Privacy Rights Clearinghouse

Street Prices for Purloined Data
[Figure slide]

What Happens When Data Gets Hacked?
[Figure: screen shot of underground bazaar selling credit cards hacked from Target]

Graphic Ads for Stolen Credit Cards
[Figure slide]

Hacked Credit Card Numbers Lose Value Quickly Under Glare of Public Scrutiny
[Figure slide]

More Publicity Causes Hacked Cards to Lose Value Faster
[Figure slide]

Are Hacked Email Accounts Worth More than Credit Cards?
[Figure slide]

Cyber Crime Trends

Cyber Crime Statistics
• 2012 Verizon Report: Targeting of smaller businesses is common
  – Less security spending, training, infrastructure

Cyber Crime Statistics
• Breaches and incidents reported in 2013, and cumulative since 2011
  – NOTE: Only ~2% of incidents resulted in breaches
  – Source: 2014 Verizon Data Breach Investigations Report

The Problem: Identity Theft, Fraud and Data Breaches: Challenges, Costs & Trends
Source: 2012 Study of Industry Losses Paid Out

How Victims' Information Is Misused, 2013 (1)
Type of Identity Theft/Fraud                 Percent
Attempted identity theft                       7%
Bank fraud (2)                                 8%
Credit card fraud                             17%
Employment-related fraud                       6%
Government documents or benefits fraud        34%
Loan fraud                                     4%
Other identity theft                          24%
Phone or utilities fraud                      14%
(1) Percentages are based on the total number of complaints in the Federal Trade Commission’s Consumer Sentinel Network (290,056 in 2013). Percentages total to more than 100 because some victims reported experiencing more than one type of identity theft (16% in 2013).
(2) Includes fraud involving checking and savings accounts and electronic fund transfers.
Source: Federal Trade Commission

Fines Regulators Impose Represent a Major Source of Economic Loss in Data Security Events

The Problem: Data Breaches Are Expensive
• Average cost* per breach was $3.7 million ($2.4 million in 2011)
  – Total claim cases in study = 135
  – Claim range = $2K to $76 million
  – Claim cost mode = $25K to $200K (most typical claim)
• Average cost** per record was $3.94
  – Average records lost = 1.4 million (range was 1 record to 17 million records)
• Legal (defense & settlement) represents the largest portion of costs incurred
  – Average cost of defense: $582K
  – Average cost of settlement: $2.1 million
• Crisis services costs (forensics, legal counsel, notification & credit monitoring) average about $983K per event
* Average calculated on all breaches that reported claims paid
** Average calculated on breaches that reported BOTH number of records & payouts, less 2 large claims of 100 million records each
Source: 2012 Study of Industry Losses Paid Out

The Cost of a Breach (and Other Cyber Events)
Direct Costs
• Discovery/data forensics
• Notification costs
• Identity monitoring costs
• Real-time crisis management costs
• Additional security measures, remediation
• Lawsuits
• Regulatory fines
Indirect Costs
• Loss of customer confidence
• Executive management distraction from core business objectives
• Loss of employee productivity
• Lost sales
• Higher customer acquisition costs
• Lower stock price
• Loss to reputation/brand

Similar Costs for Other Cyber Events = Reputational Risk

INFORMATION SECURITY INSURANCE OVERVIEW

Information Risk Insurance Marketplace
• Robust market, up to $300-400 million of market capacity
• First-party exposures
  – Data Breach Management
  – Cyber Extortion
  – Business Interruption Income/Extra Expense
  – Data Asset Protection
• Third-party liability
  – Privacy Liability
  – Network Security Liability
  – Privacy Regulatory Defense Costs
  – Media Liability

Examples of Data Security Incidents Affecting SMBs

Reality: Self-Aggrandizing Employees
• A temporary employee sends 4,000 workers' compensation claim files to his personal email address
• Precipitous remedial action taken by the immediate supervisor
• Tracking down the data
• Forensic examination establishes no unauthorized viewing
• Importance of having an Incident Response Plan and following it

Reality: Keeping Obsolete Information Is Fatal
• Workers' compensation claim file auditor with its own servers and no data destruction policy
• Burglary results in loss of the servers, which were not encrypted
• Many hundreds of thousands of records are presumed to have been compromised
• Projected notice costs of $480,000 exceeded the net worth of this small business
• Protection sought via a Chapter 7 liquidating bankruptcy
• When PHI is involved, upstream players are potentially liable for downstream breaches; you can do everything right and still have exposure

Reality: Difference Between Poorly and Well Handled Incidents Is Huge
Poorly Handled
• Suspected breach only
• Thousands of PHI records
• Delay of more than 1 year before reporting
• No risk assessment
• No remedial action after the event
• Regulators highly critical: $400,000 fine and 2-year remedial action plan
• Legal costs
Well Handled
• Actual breach
• Over 10,000 PHI records
• Prompt initial investigation and timely reporting
• Undocumented events that could qualify as a risk assessment were reconstructed and presented via affidavits
• Prompt assessment and remedial action taken where needed
• No regulatory action
• Legal costs

Best Practices for Dealing with a Data Breach

Key Factors that Influence the Cost of a Data Breach
According to Symantec/Ponemon Institute, the following have a direct influence on reducing the cost of a breach:
– The organization had an incident management plan in place.
– Consultants were engaged to help remediate the data breach.
– Speed of team engagement and recognizing the scope of the risk.
– Proactively managing as opposed to reacting.
– Pre-approved communications materials.

Principles of Crisis Management for Cyber Events: BEFORE
• Not all events are equal or require the same level of response, so escalation criteria need to be clear.
• Identify the outside resources you will need and define when, and who, makes the decision to engage them.
• Make sure your process is understood by those who will have to implement it.
  – Train and practice, practice, practice.
  – Even the best plan won’t help if executives don’t know what to do.
• Additional considerations
  – Do you extend your data security policies to your suppliers? Vendors? Does that change how you respond?
  – Beyond meeting minimum legal notification requirements, what level of protection are you prepared to offer?
  – When and what do you communicate to non-impacted employees or customers, your board, business partners, etc.?

Following the Incident Response Plan: DURING
• Understand the scope
  – Forensic analysis
  – What kind of data has been lost? Financial, personal, strategic? Confidential business information?
• A crisis must be managed (not simply responded to)
  – Activate the Incident Response Team to coordinate decisions across the enterprise
• Crises do not happen in a vacuum
  – Understand the potential for spillover into unrelated areas
  – What else is going on? New leadership? Budget negotiations? Major events/deals?
• Demonstrate concern, commitment, and control
• Recognize that response and priorities can often be complicated by the requirements of law enforcement, including the Secret Service, FBI, etc.
• Understand your legal and regulatory obligations, including notification/public disclosure and timing, to help set priorities and inform decision-making.
• Understand the communications expectations of all your stakeholders and ensure message consistency.

Principles of Crisis Management for Cyber Events: AFTER
1. Conduct a post-incident review immediately to understand:
   – Damage to stakeholder opinion, reputation (and other impacts).
   – Effectiveness of the response.
   – Effectiveness of established procedures.
2. Learn from your mistakes and successes
   – Assess the IT security program, gaps, internal educational efforts, etc.
   – Revise/update the crisis management program and incident response plans.
3. Assess reputational impact
   – It takes approximately three-and-a-half years for an organization to recover from a reputational failure.

Phases of Crisis Management/Response for Cyber Security Events
[Diagram: Before / During / After cycle]
Before: Preparedness: Planning, Training and Exercising, Program, Governance
  – Analyze capabilities, needs, risks, vulnerabilities.
  – Develop/prepare advance strategies: design and enhance programs for cyber events, IT, HR, crisis management, reputational risk, strategic communications.
  – Practice: training and exercises (team and integrated).
During: Real-Time Crisis Management, mitigation
  – Real-time crisis response: implement plans, seek expert guidance and support to manage the corporate response, mitigate potential damage, protect brand and reputation.
After: Review, Repair and Recover
  – Review and repair any damage. Rebuild and strengthen relationships with stakeholders. Improve process/plans.

Takeaways
• The issue of a data breach that businesses face is not if, but when
• Businesses need to minimize exposure, create systems to protect data, respond appropriately, and use insurance to cover response costs
• Human beings are inventive; despite the best policies, non-compliance and resulting breaches will occur
• Your crisis management skills will serve you well when paired with subject matter experts