Cyber Risk and Global Security Issues: is your business fully prepared


1 Cyber Risk and Global Security Issues: is your business fully prepared
Thursday 2 October 2014
Copyright 2014 by K&L Gates LLP. All rights reserved.

2 Identifying cyber risks and how they impact your business klgates.com


4 The Spectrum of Cyber Attacks
- Advanced Persistent Threats (APT)
- Cybercriminals, Exploits and Malware
- Denial of Service attacks (DDoS)
- Domain name hijacking
- Corporate impersonation and Phishing
- Employee mobility and disgruntled employees
- Lost or stolen laptops and mobile devices
- Inadequate security and systems: third-party vendors

5 The Practical Risks of Cyber Attacks
- Loss of crown jewels, IP and trade secrets
- Compromise of customer information, credit cards and other PII
- Loss of web presence and online business
- Interception of e-mail and data communications
- Loss of customer funds and reimbursement of charges
- Brand tarnishment and reputational harm
- Legal and regulatory complications

6 Advanced Persistent Threats
- Targeted, persistent, evasive and advanced
- Nation state sponsored
- P.L.A. Unit ("Comment Crew")

7 Advanced Persistent Threats
- The head of United States Cyber Command and director of the National Security Agency, Gen. Keith B. Alexander, has said the attacks have resulted in "the greatest transfer of wealth in history."
- Source: New York Times, June 1

8 Advanced Persistent Threats
- The Director-General of MI5 warned that one London business suffered 800 million in losses following an attack*
- The UK's National Security Council has judged that the four highest priority risks are currently those arising from: international terrorism; cyber attack; international military crises; and major accidents or natural hazards**
*Source: "Cyber crime a global threat, MI5 head warns" (2012)
**Source: "A Strong Britain in an Age of Uncertainty: The National Security Strategy" (October 2010)

9 Advanced Persistent Threats
- A survey by anti-virus specialists Kaspersky found that cyber security measures taken by UK businesses were "woefully inadequate"
- Only 25% of IT specialists thought that their company was completely protected from cyber threats (although can there ever be complete protection?)
- When questioned, 33% of IT managers did not know anything about the common cyber threats that have been targeting corporates
*Source: BCS, The Chartered Institute for IT, http://www.bcs.org/content/conwebdoc/49048

10 Advanced Persistent Threats
- Penetration: 67% of organisations admit that their current security activities are insufficient to stop a targeted attack*
- Duration: average = 356 days**
- Discovery: external alerts; 55 percent are not even aware of intrusions*
*Source: Trend Micro, USA
**Source: Mandiant, "APT1: Exposing One of China's Cyber Espionage Units"

11 Advanced Persistent Threats: Penetration
- Spear phishing
- Watering hole attack: relies on the insecurity of frequently visited websites
- Infected thumb drive
*Source: Trend Micro, USA (es/advance-targeted-attacks/index.html)
**Source: Mandiant, "APT1: Exposing One of China's Cyber Espionage Units"

12 Advanced Persistent Threats: Target Profiles
Industry:
- Government
- Information Technology
- Aerospace
- Telecom/Satellite
- Energy and Infrastructure
- Engineering/Research/Defense
- Chemical/Pharma
Activities:
- Announcements of China deals
- China presence

13 Advanced Persistent Threats


15 Cybercriminals, Exploits and Malware

16 Cybercriminals, Exploits and Malware
- 60,000 known software vulnerabilities
- 23 new zero-day exploits in 2014
- Risk = threat + vulnerability

17 Cybercriminals, Exploits and Malware
- Ransomware: "UK Law Enforcement" and CryptoLocker


19 Inadequate security and systems: third-party vendors
- Vendors with client data
- Vendors with password access
- Vendors with direct system integration
- Point-of-sale

20 Inadequate security and systems: third-party vendors

21 Cybercriminals, Exploits and Malware
- In the UK, a government report found that the cost of cyber security breaches nearly doubled in 2013*
- For large organisations the worst breaches cost between 600,000 and million (up from k a year ago)
*Source: UK Government press release, 29 April 2014, https://www.gov.uk/government/news/cost-of-business-cyber-security-breaches-almost-double

22 Cybercriminals, Exploits and Malware
- Cost per record: $158
- Notification costs: $509,000
- Post-breach costs: $1.6M
- Business loss: $3.3M
*Source: Symantec Internet Security Trend Report 2014

23 Dangers of new and emerging risks

24 Cloud Computing Risks
- Exporting security function and control
- Geographical uncertainty creates exposure to civil and criminal legal standards
- Risk of collateral damage

25 Mobile Device Risks
- 52% of mobile users store sensitive files online
- 24% of mobile users store work and personal info in the same account
- 21% of mobile users share logins with families
- Mobile malware: apps
- Insufficient mobile platform security

26 Social Media Risks
- Consumer harm and reputational damage

27 Example: "Peter Pan virus" phishing (September 2014)
- Purportedly came from real company BH Live, a ticketing and entertainment company based in Bournemouth
- Claimed recipients had tickets to see Peter Pan
- Invited people to open attached e-tickets
- Opening the attachment may have downloaded viruses
- BH Live inundated with phone calls from worried recipients

28 Protection and Risk Mitigation

29 WHY MITIGATE CYBER RISK?
- Consequences of a cyber attack could be catastrophic
- Consider: How long could a business that relies on internet sales survive if no one could access its website? What would be the impact on its sales if no one was prepared to enter their credit card details?

30 LEGAL CONSEQUENCES
- The Data Protection Act 1998 ("DPA") requires the data controller to implement appropriate technical and organisational security measures against unauthorised or unlawful processing, accidental loss, destruction or damage of personal data.
- Regulatory penalties may be imposed on the company for breach of the DPA, including: fines; enforcement notices; and director disqualification.
- Personal data owners may claim compensation from the data controller for such breaches under the DPA.

31 PRACTICAL CONSEQUENCES
- As important to companies subject to a cyber attack are the consequences of such an attack in practice for the business.
- Loss of customer information, credit card details and other personal information. Data owners seek compensation from a business under the Data Protection Act, especially if the hacker cannot be identified.
- Prevention of sales. Retailers with an online presence that are subject to a Denial of Service attack lose customers to competitors. You may eventually get your site back up, but will the customer be back? This risk is heightened at times of traditionally high online sales.

32 PRO-ACTIVE MANAGEMENT AT BOARD LEVEL
- Not an IT problem: board level support is required to ensure that the resources, both in time and capital, are expended.
- Ensure that a cybercrime management policy is part of the company's governance framework and that this is given the same level of attention as financial and other risk management regimes.

33 PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (2)
How would the board answer the following questions:
- What strategy did you have in place to prevent this cyber attack from happening?
- Who was responsible for the strategy?
- What was done in advance to limit the damage from attacks of this nature?

34 PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (3)
- Basic information risk management will highlight potential cyber attacks, allowing a board to see what constitute the most potent risks to the company.
- Understand: what data you hold; how sensitive the data is; which systems control the management of key information; how critical the information is to the management of the business.

35 ENSURING INTERNET SAFETY AND NETWORK SECURITY
Methods to reduce cyber risk include:
- Mobile working: ensure that a mobile working policy is in place to ensure the security of documents away from the office.
- Control access to removable media such as memory sticks and removable hard drives, and avoid their use where possible, especially with regard to storage of sensitive data. All removable data should be encrypted.
- Establish a policy on appropriate use and educate staff regarding the appropriate way to use the company's IT systems.
- Implement an incident response plan to ensure effective response to a cyber attack.

36 ENSURING INTERNET SAFETY AND NETWORK SECURITY (2)
- Create an incident management team, and provide specialist training to those who will carry out this process.
- Control and limit access: only allow employees access to the information they require to carry out their roles.
- Scan all media before incorporating them into IT systems to detect any malware.
- Monitor ICT systems for unusual activity.
- Implement malware protection in all business areas and produce a policy on dealing with any malware issues.
- Install security patches.
- Implement basic security controls on networks.
- Ex-employees should immediately be denied access.

37 ADEQUATE TRAINING AND INTERNAL PROCEDURES
- A cyber attack can take many forms, including deliberate attacks, technology issues, or simple human error or negligence.
- Every company has a cyber defence weak spot in its own employees.
- An adequate defence system protecting a company from cyber attacks should not only have the relevant defences and policies in place, but staff must be trained on the relevant policies.

38 ADEQUATE TRAINING AND INTERNAL PROCEDURES (2)
- Implement staff training and clear mechanisms for staff to report concerns regarding other members of staff's non-compliance with policies
- Not knowing what devices are held significantly increases a company's cyber risk profile
- Every company should draft and implement a home and mobile working policy, and train staff to adhere to it

39 ONGOING MANAGEMENT
- Planning and analysis of risk serves no purpose unless a company also properly implements its findings.
- As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defences and re-evaluate the threats pertinent to their business.

40 IMMEDIATE DAMAGE TO REPUTATION
- Cyber attacks naturally affect customer confidence, especially when customer information or funds are stolen.
- Exacerbated by online communication forums that spread news of such an attack.
- Crisis management costs include: informing affected customers; PR campaigns to restore reputation; management time; retrieving data; suspending customer access to data and websites where relevant; forensic investigation of the attack; and repairing cyber defences.

41 IMMEDIATE DAMAGE TO REPUTATION (2)
- 82% of the UK public would stop dealing with an organisation if their online data was breached (Unisys survey, 2011)
- Brand damage may also come in the form of intellectual property infringement, with fake websites or counterfeit products sold online.
- IP theft can result in loss of first-to-market advantage and a consequential loss of competitive advantage.

42 POSSIBLE LONG TERM IMPACT ON BUSINESS STRATEGY AND FINANCIAL STABILITY
- Research and development may be scaled back to preserve current financial stability or because frequent IP theft has made it unprofitable.
- Businesses may shy away from exploiting the online market for fear of incurring another costly cyber attack.

43 A GROWING ISSUE
- Consumers are becoming increasingly receptive to interacting with businesses online.
- As customer interaction with online technology grows, so too does their disclosure of sensitive, personal information.
- A cyber attack that results in a loss of customer information can cause huge reputational damage.
- The prominence of social media and the speed at which information can be disseminated can cause reputational damage at an unprecedented speed.

44 COFFEE BREAK

45 Personal Data Breaches and Notifications: a U.S. Perspective

46 LEGAL AND REGULATORY FRAMEWORK
- Federal Privacy Laws: Gramm-Leach-Bliley Act; Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH); Fair Credit Reporting Act / The Fair and Accurate Credit Transactions Act; Federal Trade Commission Act
- State Privacy Laws / Consumer Protection Statutes
- SEC Cybersecurity Guidance
- NIST Cybersecurity Framework
- Payment Card Industry Data Security Standards (PCI DSS)

47 FEDERAL PRIVACY LAWS: Gramm-Leach-Bliley Act
U.S. financial services organisations "shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards--
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer." (15 U.S.C. )

48 FEDERAL PRIVACY LAWS: HIPAA and HITECH
- HIPAA: "A covered entity or business associate must, in accordance with [Security standards: General rules] ... [i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart." (45 C.F.R. (a).)
- HITECH: "A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach." (42 U.S.C. )

49 FEDERAL PRIVACY LAWS: Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act
- "It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilisation of such information in accordance with the requirements of this subchapter." (15 U.S.C. )
- Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft. (16 C.F.R. )

50 FEDERAL PRIVACY LAWS: Federal Trade Commission Act
- Section 5 empowers the FTC to prevent "... unfair or deceptive acts or practices in or affecting commerce":
- "The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. 227(b)], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce." (15 U.S.C.A. 45(a)(2).)

51 STATE PRIVACY LAWS / CONSUMER PROTECTION LAWS
Pennsylvania: Breach of Personal Information Notification Act
- "(a) General rule.--An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. [T]he notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth." (73 P.S. 2303(a).)
- The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation.

52 SEC CYBERSECURITY GUIDANCE
"[A]ppropriate disclosures may include":
- Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Source: "Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target"

53 NIST CYBERSECURITY FRAMEWORK
The NIST Cybersecurity Framework provides a common taxonomy and mechanism for organisations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
The Framework is voluntary (for now).

54 NIST CYBERSECURITY FRAMEWORK
- "85% of security budgets currently go here" (annotation on the slide's graphic)
- According to Gartner: by 2020, 75% of security budgets will go towards detection and response
Source: "NIST Unveils Cybersecurity Framework"

55 NIST CYBERSECURITY FRAMEWORK

56 PCI DSS
- PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

57 TRENDS: ARTICLE III STANDING - CLAPPER

58 TRENDS: ARTICLE III STANDING - GALARIA

59 TRENDS: ARTICLE III STANDING - NEIMAN MARCUS

60 TRENDS: ARTICLE III STANDING - SONY

61 TRENDS: ARTICLE III STANDING - MICHAELS STORES

62 TRENDS: ARTICLE III STANDING - ADOBE

63 TRENDS: SHAREHOLDER LITIGATION - TARGET

64 TRENDS: SHAREHOLDER LITIGATION - WYNDHAM

65 TRENDS: FTC REGULATORY ACTION - WYNDHAM

66 TRENDS: FTC REGULATORY ACTION - WYNDHAM

67 TRENDS: SEC, THE NEW SHERIFF

68 Personal Data Breaches and Notifications: a UK perspective

69 LEGISLATIVE REQUIREMENTS
- Directive 95/46/EC transposed into UK law by the Data Protection Act 1998.
- "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." (Part 1(7), Schedule 1 to DPA): the 7th principle.
- No prescriptive requirements, unless sector specific regulation. No one size fits all, but three principles:
  1. Risk assessment: what is appropriate given the type of data? Regard to be had to state of technology / implementation cost compared to what harm might result from a breach.
  2. Reliability of employees.
  3. Vet your data processors: written contracts.
- Guidance from regulator (UK Information Commissioner's Office): Encryption? Data storage vs. transmission. International Standard / Cyber Essentials Scheme. Anonymisation? Data Sharing Code of Practice.
- Internal policies: IT / Internet use / data retention and destruction / data security / training.
- Processes and security protocols: staff vetting and access control. Disposal (CESG approved?) / decommissioning. Software updates (remedy vulnerabilities) / SQL injections (high risk). Authentication / hashing / salted hashing.

70 DO WE NEED TO NOTIFY TO UK ICO?
- What sector are you in? PECR: notifications only compulsory for publicly available electronic communication services (same across all of EU, i.e. telecoms / ISPs). 24 hours after breach detection.
- Everyone else: no legal requirement, but ICO guidance. Should notify if serious. Overriding consideration: potential harm to individuals. Can mitigate fines vs. danger of over-notifying.
- Notify data subjects? Do they need to take steps to protect themselves? Contractual obligation to notify?
- Public sector bodies may have own requirements: health service organisations, IG Toolkit Incident Reporting Tool. Financial institutions: FCA / FMSA. Police / insurers / professional bodies / bank or credit card companies.

71 UK ICO ENFORCEMENT
- Make assessments (re-active or pro-active)
- Serving Information Notices / Special Information Notices
- Enforcement Notices
- Powers of entry, inspection, seizure of documents / equipment
- Fines of up to 500,000 for serious breaches: contravention deliberate, or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress, but failed to take reasonable steps to prevent it. (s.55(a) DPA)
- Selective enforcement / limited resources
- Individual has a direct right of action and right to compensation
- Criminal offences: failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).

72 ENFORCEMENT TRENDS
Leading video games provider (Jan 2013):
- Network platform subject to several DDoS ("distributed denial of service") attacks
- Hacker accessed customer details and passwords (no cardholder information); 100 million customers thought to be affected
- Data Controller didn't keep up to date with technical developments
- Didn't deal with system vulnerabilities even though an update was available
- Didn't use cryptographic controls for passwords
- History of attacks, but still used the platform to hold vast amounts of personal data
- Didn't react quickly enough
- Voluntarily reported (mitigating factor)
- 250,000 fine. Internal cost to Data Controller thought to be in the region of $171 million.
Booking agent for travel services (Dec 2012):
- SQL injection attack allowed hacker to access over 1 million card payment details (half of which were active)
- Data Controller: no penetration tests / vulnerability scans and checks, on the basis that the webserver was not external facing (but it could still be accessed over the internet by individuals with basic technical skills)
- No evidence of actual harm / fraud
- Voluntarily reported (mitigating factor)
- 150,000 fine
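The two technical controls the UK slides single out, salted password hashing (slide 69, and the "no cryptographic controls for passwords" finding on slide 72) and defence against SQL injection (slide 69, and the booking-agent case on slide 72), shown as an added Python example that is not part of the K&L Gates presentation. The function names, the in-memory SQLite users table, the sample accounts and the PBKDF2 iteration count are all constructed for illustration; the vulnerable routine is kept only to contrast with the hardened one.

```python
"""
Added illustration (not from the presentation): a login routine that concatenates
user input into SQL and stores plaintext passwords, beside one that uses a
parameterised query and per-user salted PBKDF2 hashes. Standard library only.
"""
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # constructed choice; size it to your own latency budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a random 16-byte salt.
    A fresh salt per user means identical passwords yield different stored values."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_db() -> sqlite3.Connection:
    """In-memory users table holding constructed sample accounts (not real data).
    'password' models the plaintext storage criticised on slide 72; 'password_hash'
    models the salted hashing recommended on slide 69."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)")
    for user, pw in [("alice", "correct horse battery"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, pw, hash_password(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-formatted SQL plus plaintext comparison: the pattern behind the
    slide 72 booking-agent breach. User input becomes part of the query text."""
    query = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query (input is bound as data, never parsed as SQL) plus
    salted-hash verification. Unknown users still cost one hash so timing is uniform."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(password, hash_password("dummy"))
        return False
    return verify_password(password, row[0])


def demo() -> dict:
    """Run both routines on a correct login and on a quote-bearing input.
    The vulnerable routine lets the quote alter the query; the safe one treats it as data."""
    conn = build_db()
    quoted_input = "' OR '1'='1"
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "correct horse battery"),
        "vulnerable_quoted": login_vulnerable(conn, "alice", quoted_input),  # True: check bypassed
        "safe_correct": login_safe(conn, "alice", "correct horse battery"),
        "safe_quoted": login_safe(conn, "alice", quoted_input),              # False
        "safe_unknown_user": login_safe(conn, "mallory", "x"),
        "distinct_salts": hash_password("hunter2") != hash_password("hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `distinct_salts` entry is the point of the salt: two users with the same password produce different stored values, so a leaked table cannot be attacked with one precomputed lookup. The parameterised form is the only change needed to close the injection path; the hash upgrade is independent and addresses the separate plaintext-password finding.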

73 APRIL MARCH 2014

74 APRIL MARCH 2014

75 FUTURE DEVELOPMENTS
- CESG (information security arm of GCHQ): 80% of known attacks defeated by basic security practices.
- Nov: Cyber Security Strategy produced; set the agenda. Set up National Cyber Security Programme (NCSP) with 650 million funding for four years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec. Most recent progress published on 10 Sep.
- September: BIS issued guidance for companies.
- 5 Jun: New ISO Standard based on ISO. Certification to demonstrate that industry-minimum cyber security measures have been adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified.
- CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents, and will act as the UK central contact point for international counterparts in this field, as will be required under the upcoming European Cyber-Security Directive.
- No UK specific legislation on the horizon, but watch out for the European Data Protection Regulation and the Network and Information Security Directive.

76 Personal Data Breaches and Notifications: a German perspective

77 LEGISLATIVE REQUIREMENTS
- Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG).
- Sect. 9 / Annex 1 to sec. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular:
  1. Access control: preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.
  2. Disclosure control: ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency as to which bodies data will be transferred to.
  3. Input control: ensuring the possibility to trace alteration or deletion of data.
  4. Job control: ensuring, in the case of commissioned data processing, compliance with the controller's instructions.
  5. Availability control: ensuring personal data is protected against accidental destruction or loss.

78 WHEN DO WE NEED TO NOTIFY TO DATA PROTECTION AUTHORITY (DPA) AND INFORM DATA SUBJECT?
- General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG):
  - Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy)
  - Threatening serious harm to the rights or legitimate interests of data subjects
- Information to DPA: without undue delay; nature of the disclosure and possible harmful consequences
- Information to Data Subject: without undue delay, as soon as data is secured and criminal investigation is not endangered; nature of the disclosure; recommendations to minimise possible harm

79 ENFORCEMENT BY THE DPAS IN GERMANY
German DPAs may (Sect. 38 BDSG):
- Monitor the implementation of the BDSG and other provisions on data protection matters, including the right to request information from processors and the right to enter the property and premises for inspections
- Notify data subjects in case of violation and report to prosecution authorities
- Order measures to remedy violations (e.g. prohibiting data processing)
- Raise fines of up to EUR 300,000 in case of intended or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)

80 ENFORCEMENT TRENDS
- There still is no common code of practice among DPAs, which leads to varying practices in different German states (Länder).
- In the past, German DPAs were not very strict in enforcing data protection laws by raising fines.
- Example 1: Google Street View: Google provides panorama pictures for Street View. While taking these pictures, surrounding WiFi data were scanned accidentally. Competent DPA (Hamburg) raised a fine of EUR 145,000.
- Example 2: AOL server breakdown (2014): server breakdown caused a leak of 500,000 user access data sets. Stolen data was used for a spam-mail wave. Provider did not notify the breach to the DPA but informed users. Presumably no action by competent DPA.

81 NUMBERS AND TABLES
- No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared.
- Statement of Federal Commissioner for Data Protection, March 2011 to October 2013: 501 notifications in total.
- Telecom sector: 2012: 27 notifications; 2013: 66 notifications.

82 FUTURE DEVELOPMENTS
- Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector.
- Legislative framework: draft version of a German Regulation for IT-Security; draft EU Regulation.

83 Personal Data Breaches and Notifications: a French perspective

84 LEGISLATIVE REQUIREMENTS
- Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978.
- Directive 2009/136/EC (ePrivacy), implementing data breach requirements, in August 2010.
- Breach of personal data, the French definition and scope: "Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public."
- Data breach notifications are only required from telco operators and internet access providers, for any breach of personal data processed by electronic communication service providers operating electronic communication networks with open public access.

85 LEGISLATIVE REQUIREMENTS
Two categories of notifications:
1. To the French DPA:
   - Within 24 hours of effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data: notify at least the existence of the breach.
   - Within 72 hours of effective knowledge, through an electronic procedure, describing the breach in detail: categories of data breached; origin, specificities and duration of the breach; security measures and patches implemented; potential impact on the privacy of the affected parties; spontaneous information of the affected parties.


Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

Cyber Threats: Exposures and Breach Costs

Cyber Threats: Exposures and Breach Costs Issue No. 2 THREAT LANDSCAPE Technological developments do not only enhance capabilities for legitimate business they are also tools that may be utilized by those with malicious intent. Cyber-criminals

More information

DATA BREACH COVERAGE

DATA BREACH COVERAGE THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000

More information

Joe A. Ramirez Catherine Crane

Joe A. Ramirez Catherine Crane RIMS/RMAFP PRESENTATION Joe A. Ramirez Catherine Crane RISK TRANSFER VIA INSURANCE Most Common Method Involves Assessment of Risk and Loss Potential Risk of Loss Transferred For a Premium Insurance Contract

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Data Breach Cost. Risks, costs and mitigation strategies for data breaches Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,

More information

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the

More information

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler Internet Gaming: The New Face of Cyber Liability Presented by John M. Link, CPCU Cottingham & Butler 1 Presenter John M. Link, Vice President jlink@cottinghambutler.com 2 What s at Risk? $300 billion in

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015 THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former

More information

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014 Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014 Nikos Georgopoulos Privacy Liability & Data Breach Management wwww.privacyrisksadvisors.com October 2014

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ APIP - Cyber Liability Insurance Coverages, Limits, and FAQ The state of Washington purchases property insurance from Alliant Insurance Services through the Alliant Property Insurance Program (APIP). APIP

More information

Beyond Data Breach: Cyber Trends and Exposures

Beyond Data Breach: Cyber Trends and Exposures Beyond Data Breach: Cyber Trends and Exposures Vietnam 7 th May 2015 Jason Kelly Head of Asia Financial Lines AIG Agenda Why do companies need cyber protection Example of Cyber attack worldwide and in

More information

What Data? I m A Trucking Company!

What Data? I m A Trucking Company! What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West

More information

Managing Cyber Risk through Insurance

Managing Cyber Risk through Insurance Managing Cyber Risk through Insurance Eric Lowenstein Aon Risk Solutions This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes

More information

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne Agenda Top 10 legal need-to-knows, including: What is cyber

More information

Cyber Risks in Italian market

Cyber Risks in Italian market Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends

More information

CYBER RISK SECURITY, NETWORK & PRIVACY

CYBER RISK SECURITY, NETWORK & PRIVACY CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread

More information

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to

More information

Cyber Insurance What is it? Should your bank purchase it? Roberta D. Anderson Partner, K&L Gates LLP roberta.anderson@klgates.

Cyber Insurance What is it? Should your bank purchase it? Roberta D. Anderson Partner, K&L Gates LLP roberta.anderson@klgates. Cyber Insurance What is it? Should your bank purchase it? Roberta D. Anderson Partner, K&L Gates LLP roberta.anderson@klgates.com March 8, 2016 AGENDA Spectrum of Cyber Risk Cutting Edge Cyber Insurance

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security

More information

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature Demystifying Cyber Insurance Jamie Monck-Mason & Andrew Hill Introduction What is cyber? Nomenclature 1 What specific risks does cyber insurance cover? First party risks - losses arising from a data breach

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Cyber Risks and Insurance Solutions Malaysia, November 2013

Cyber Risks and Insurance Solutions Malaysia, November 2013 Cyber Risks and Insurance Solutions Malaysia, November 2013 Dynamic but vulnerable IT environment 2 Cyber risks are many and varied Malicious attacks Cyber theft/cyber fraud Cyber terrorism Cyber warfare

More information

Cyber/ Network Security. FINEX Global

Cyber/ Network Security. FINEX Global Cyber/ Network Security FINEX Global ABOUT US >> We are one of the largest insurance brokers in the world >> We have over 180 years of history and experience in insurance; we currently operate in over

More information

Cyber and Data Security. Proposal form

Cyber and Data Security. Proposal form Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in

More information

GRC/Cyber Insurance. February 18, 2014. Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London. Join the conversation: #ISSAWebConf

GRC/Cyber Insurance. February 18, 2014. Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London. Join the conversation: #ISSAWebConf GRC/Cyber Insurance February 18, 2014 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London Join the conversation: 1 Generously sponsored by: 2 Welcome Conference Moderator Allan Wall ISSA Web Conference

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Greater New York Chapter Association of Corporate Counsel November 19, 2015 Stephen D. Becker, Executive Vice President

More information

ISO? ISO? ISO? LTD ISO?

ISO? ISO? ISO? LTD ISO? Property NetProtect 360 SM and NetProtect Essential SM Which one is right for your client? Do your clients Use e-mail? Rely on networks, computers and electronic data to conduct business? Browse the Internet

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS RRD Donnelley SEC Hot Topics Institute May 21, 2014 1 MANAGING CYBERSECURITY RISK AND DISCLOSURE OBLIGATIONS Patrick J. Schultheis Partner Wilson

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Cybersecurity Workshop

Cybersecurity Workshop Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153

More information

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

More information

The Legal Pitfalls of Failing to Develop Secure Cloud Services

The Legal Pitfalls of Failing to Develop Secure Cloud Services SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global

More information

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable Steven J. Fox (sjfox@postschell.com) Peter D. Hardy (phardy@postschell.com) Robert Brandfass (BrandfassR@wvuh.com) (Mr. Brandfass

More information

Data Security: Risks, Compliance and How to be Prepared for a Breach

Data Security: Risks, Compliance and How to be Prepared for a Breach Data Security: Risks, Compliance and How to be Prepared for a Breach Presented by: Sandy B. Garfinkel, Esq. The Data Breach Reality: 2015 AshleyMadison.com (July 2015) Member site facilitating personal

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Cybersecurity Risks, Regulation, Remorse, and Ruin

Cybersecurity Risks, Regulation, Remorse, and Ruin Financial Planning Association of Michigan 2014 Fall Symposium Cybersecurity Risks, Regulation, Remorse, and Ruin Shane B. Hansen shansen@wnj.com (616) 752-2145 October 23, 2014 Copyright 2014 Warner Norcross

More information

Reducing Risk. Raising Expectations. CyberRisk and Professional Liability

Reducing Risk. Raising Expectations. CyberRisk and Professional Liability Reducing Risk. Raising Expectations. CyberRisk and Professional Liability Are you exposed to CyberRisk? Like nearly every other business, you have likely capitalized on the advancements in technology today

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Contents 1. Internet Abuse... 2 2. Bulk Commercial E-Mail... 2 3. Unsolicited E-Mail... 3 4. Vulnerability Testing... 3 5. Newsgroup, Chat Forums, Other Networks... 3 6. Offensive

More information

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats

More information

CYBER 3.0. CUTTING-EDGE ADVANCEMENTS IN INSURANCE COVERAGE FOR CYBER RISK AND REALITY SFOR005 Speakers:

CYBER 3.0. CUTTING-EDGE ADVANCEMENTS IN INSURANCE COVERAGE FOR CYBER RISK AND REALITY SFOR005 Speakers: CYBER 3.0 CUTTING-EDGE ADVANCEMENTS IN INSURANCE COVERAGE FOR CYBER RISK AND REALITY SFOR005 Speakers: Roberta D. Anderson, Partner, K&L Gates LLP Timothy Flaherty, Manager, Insurance Risk Management,

More information

The era of hacks and cyber regulation

The era of hacks and cyber regulation 6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year,

More information

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime? Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies

More information

Data security: A growing liability threat

Data security: A growing liability threat Data security: A growing liability threat Data security breaches occur with alarming frequency in today s technology-laden world. Even a comparatively moderate breach can cost a company millions of dollars

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

Cyber Security for Non- Profit Organizations. Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3

Cyber Security for Non- Profit Organizations. Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit

More information

3/4/2015. Scope of Problem. Data Breaches A Daily Phenomenon. Cybersecurity: Minimizing Risk & Responding to Breaches. Anthem.

3/4/2015. Scope of Problem. Data Breaches A Daily Phenomenon. Cybersecurity: Minimizing Risk & Responding to Breaches. Anthem. Cybersecurity: Minimizing Risk & Responding to Breaches March 5, 2015 Andy Chambers Michael Kelly Jimmie Pursell Scope of Problem Data Breaches A Daily Phenomenon Anthem JP Morgan / Chase Sony Home Depot

More information

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com Data Security 101 A Lawyer s Guide to Ethical Issues in the Digital Age Christopher M. Brubaker cbrubaker@clarkhill.com November 4-5, 2015 Pennsylvania Bar Institute 21 st Annual Business Lawyers Institute

More information

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill THE ANATOMY OF A CYBER POLICY Jamie Monck-Mason & Andrew Hill What s in a name? Lack of uniformity in policies: Cyber Cyber liability Data protection Tech PI The scope of cyber insurance First party coverage

More information

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 Legal Issues Involved in Creating Security Compliance Plans W. David Snead Attorney + Counselor Washington,

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

Cyber and CGL Insurance Coverage for Data Breach Claims

Cyber and CGL Insurance Coverage for Data Breach Claims Cyber and CGL Insurance Coverage for Data Breach Claims Paula Weseman Theisen, Partner Data breach overview Definition of data breach/types Data breach costs Data breach legal claims and damages Cyber-insurance

More information

Who s next after TalkTalk?

Who s next after TalkTalk? Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Incident Response. Proactive Incident Management. Sean Curran Director

Incident Response. Proactive Incident Management. Sean Curran Director Incident Response Proactive Incident Management Sean Curran Director Agenda Incident Response Overview 3 Drivers for Incident Response 5 Incident Response Approach 11 Proactive Incident Response 17 2 2013

More information

Coverage is subject to a Deductible

Coverage is subject to a Deductible Frank Cowan Company Limited 75 Main Street North, Princeton, ON N0J 1V0 Phone: 519-458-4331 Fax: 519-458-4366 Toll Free: 1-800-265-4000 www.frankcowan.com CYBER RISK INSURANCE DETAILED APPLICATION Notes:

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer?

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information

More information

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident. THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident. September 22, 2015 Erica Ouellette Beazley Technology, Media & Business Services Alyson Newton, Executive

More information

How a Company s IT Systems Can Be Breached Despite Strict Security Protocols

How a Company s IT Systems Can Be Breached Despite Strict Security Protocols How a Company s IT Systems Can Be Breached Despite Strict Security Protocols Brian D. Huntley, CISSP, PMP, CBCP, CISA Senior Information Security Advisor Information Security Officer, IDT911 Overview Good

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

www.bonddickinson.com Cyber Risks October 2014 2

www.bonddickinson.com Cyber Risks October 2014 2 www.bonddickinson.com Cyber Risks October 2014 2 Why this emerging sector matters Justin Tivey Legal Director T: +44(0)845 415 8128 E: justin.tivey The government estimates that the current cost of cyber-crime

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures TODAY S AGENDA Trends/Victimology Incident Response Remediation Disclosures Trends/Victimology ADVERSARY CLASSIFICATIONS SOCIAL ENGINEERING DATA SOURCES COVERT INDICATORS - METADATA METADATA data providing

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Page 1 of 15. VISC Third Party Guideline

Page 1 of 15. VISC Third Party Guideline Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision

More information

Our specialist insurance services for Professionals risks

Our specialist insurance services for Professionals risks Our specialist insurance services for Professionals risks Price Forbes & Partners is an independent Lloyd s broker based in the heart of London s insurance sector. We trade with all of the major international

More information