Cybersecurity (EX) Task Force


2015 Summer National Meeting Chicago, Illinois Cybersecurity (EX) Task Force August 16, National Association of Insurance Commissioners

Consider Adoption of its April 16, and March 29 Minutes Attachment One

Draft: 8/6/15

Cybersecurity (EX) Task Force
April 16, 2015

The Cybersecurity (EX) Task Force met via conference call April 16, The following Task Force members participated: Adam Hamm, Chair (ND); Raymond G. Farmer, Vice Chair (SC); Lori K. Wing-Heier represented by Martiny Hester (AK); Jim L. Ridling represented by Richard Ford and Charles Turner (AL); Germaine L. Marks (AZ); Dave Jones represented by Susan Bernard, Bryant Henley, Jack Ho and Ber Vang (CA); Katharine L. Wade, Jon Arsenault, George Bradner and Kurt Swan (CT); Kevin McCarty represented by Christina Huff and Amy Groszos (FL); Gordon I. Ito (HI); James Stephens represented by Judy Mottar (IL); Al Redmer Jr. represented by Catherine Grason and Paula Keen (MD); Eric A. Cioppa represented by Benjamin Yardley (ME); Mike Rothman and Tim Vande Hey (MN); John M. Huff represented by Angela Nelson and Jim Mealer (MO); Monica J. Lindeen (MT); Bruce R. Ramge represented by Christy Neighbors (NE); Roger A. Sevigny represented by Barbara Richardson (NH); Kenneth E. Kobylowski represented by Peter L. Hartt (NJ); Scott J. Kipper (NV); Benjamin M. Lawsky represented by Alexander Sand (NY); Mary Taylor and Jill Froment (OH); John D. Doak represented by Gordon Amini, Buddy Combs, Michael Pavlik, Joel Sander and Eli Snowbarger (OK); Joseph Torti III and Paula Pallozzi (RI); David Mattax represented by David Bolduc, Carole Cearley, Teresa Saldana and Stan Strickland (TX); Jacqueline K. Cunningham represented by Vicki Ayers and Rebecca Nichols (VA); Mike Kreidler represented by Steven Drutz and Patrick McNaughton (WA); and Ted Nickel (WI). Also participating were: Trey Sivley (GA); Jason Tippett (MI); Scott J. Kipper (NV); and Jake Garn (UT).

1. Adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance

Commissioner Hamm reviewed the introductory paragraph of the Draft Principles for Effective Cybersecurity Insurance Regulatory Guidance (Attachment A). He said the revised set of principles now consists of 12 principles rather than the original 18 principles (Attachment B). Commissioner Hamm said the number of principles has been condensed due to combining some of the principles and deleting two principles. He said these changes were made after carefully considering the comments the Task Force received. Commissioner Hamm said the Task Force is recommending leaving the reference to the National Institute of Standards and Technology (NIST) framework in principle 4 in order to be consistent. It is anticipated that the Information Technology (E) Working Group will be using NIST as a baseline in the NAIC Financial Condition Examiners Handbook. Commissioner Hamm said the current version of the guiding principles streamlines the initial draft of the guiding principles, incorporates some of the comments and suggestions received from interested parties, and accomplishes the Task Force's intent behind having a set of guiding principles.

Commissioner Hamm said that Commissioner Huff suggested replacing the word "national" in principle 1 with the word "coordinated." He said Commissioner Huff said that cybersecurity guidance and regulation should not just be consistent nationally, but internationally.

Director Farmer said he was initially concerned regarding the deletion of the original principle 17 and principle 18; however, after reviewing the comments that were received and reviewing the principles again, he said principle 17 is already being done as it is a state insurance regulator's job to regulate solvency. He said principle 18 is also being addressed as the Property and Casualty Insurance (C) Committee is working on a supplement to the Property and Casualty Annual Statement to collect data regarding cybersecurity insurance products.

Ms. Pallozzi said principle 8 and a few of the other principles strictly reference insurers and producers, and Rhode Island is concerned that there are other regulated entities, such as appraisers, adjusters, third-party administrators (TPAs), managing general agents (MGAs), etc. She said they want to be sure that these entities are included. Ms. Pallozzi suggested that principle 8 read, "insurers, insurance producers and other regulated entities." She said this wording should also be added to principle 1 and principle 2.

Angela Gleason (American Insurance Association AIA) suggested changing "information stored" to "information that is collected, stored and transferred" in principle three for consistency. NAIC staff will make the change.

Bob Ridgeway (America's Health Insurance Plans AHIP) and Daniel Nutkis (Health Information Trust Alliance HITRUST) said principle 4 should not require the specificity of the NIST framework. Sonja Larkin-Thorne (Consumer Representative) said she recommends leaving NIST in principle 4, as consumers can easily access NIST.

Robbie Meyer (American Council of Life Insurers ACLI) said as the Task Force moves forward toward the implementation of the principles, there is a need to stress the fundamental importance of uniformity and consistency in the application of the principles from state to state. She said this is necessary to avoid different and possibly conflicting laws and rules across the country as we have seen with the existing data breach notification laws.

Tom Glassic (Property Casualty Insurers of America PCI) said to change "for insurers" in principle 7 to "by insurers." NAIC staff will make the change.

Paul Tetrault (National Association of Mutual Insurance Companies NAMIC), Wes Bisset (Independent Insurance Agents and Brokers of America IIABA) and Jenn Webb (National Association of Professional Insurance Agents PIA) said principle 11 infers that all insurers and insurance producers should use an information-sharing and analysis organization (ISAO) to share information and that it does not make sense for all organizations to use an ISAO.

Joshua Ladeau (Allied World Assurance Company) said the company collects a lot of data on the network security controls of its clients. He asked if principle 3 could be changed to include this type of information. The principle would read, "State insurance regulators have a responsibility to protect personally identifiable consumer or producer information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. In the event of a breach, those affected should be alerted in a timely manner."

Director Farmer made a motion, seconded by Commissioner Nickel, to adopt the Principles for Effective Cybersecurity Insurance Regulatory Guidance based on the changes made during this conference call, including the revised introductory paragraph (Attachment C). The motion passed.

Having no further business, the Cybersecurity (EX) Task Force adjourned.

W:\National Meetings\2015\Summer\TF\Cybersecurity\0416-CybersecurityTFmin.docx

Draft: 4/17/15

Cybersecurity (EX) Task Force
Phoenix, Arizona
March 29, 2015

The Cybersecurity (EX) Task Force met in Phoenix, AZ, March 29, The following Task Force members participated: Adam Hamm, Chair (ND); Raymond G. Farmer, Vice Chair (SC); Lori K. Wing-Heier (AK); Jim L. Ridling (AL); Germaine L. Marks (AZ); Dave Jones (CA); Katharine L. Wade (CT); Chester McPherson (DC); Kevin McCarty represented by Christina Huff (FL); Gordon I. Ito (HI); James Stephens (IL); Al Redmer Jr. (MD); Eric A. Cioppa (ME); Mike Rothman (MN); John M. Huff (MO); Monica J. Lindeen (MT); Bruce R. Ramge (NE); Roger A. Sevigny (NH); Kenneth E. Kobylowski represented by Peter L. Hartt (NJ); Mark O. Rabauliman (NMI); Benjamin M. Lawsky (NY); Mary Taylor (OH); John D. Doak represented by Cuc Nguyen (OK); Joseph Torti III (RI); David Mattax represented by Stan Strickland (TX); Jacqueline K. Cunningham (VA); Mike Kreidler represented by Patrick McNaughton (WA); and Ted Nickel (WI).

1. Reviewed its Charges

Commissioner Hamm reported the Task Force met March 12 in regulator-to-regulator session pursuant to paragraph 8 (consideration of strategic planning issues relating to federal legislative and regulatory matters or international regulatory matters) of the NAIC Policy Statement on Open Meetings. During the meeting, the Task Force discussed its work plan and a set of guiding principles, which were distributed for public input later that day.

Commissioner Hamm said the Task Force charges are fairly broad and will allow it to work on several specific projects to be discussed later in the agenda. He said the Task Force is asked to: 1) monitor cybersecurity developments; 2) keep the Executive (EX) Committee informed on cybersecurity issues and make recommendations where the Task Force believes it is appropriate; 3) coordinate activities with NAIC standing committees regarding cybersecurity issues; 4) represent the NAIC and communicate with other entities/groups, including the sharing of information as may be appropriate, on cybersecurity issues; and 5) perform such other tasks as may be assigned by the Executive (EX) Committee relating to the area of cybersecurity.

2. Discussed its Work Plan

Commissioner Hamm said the Task Force has a fairly aggressive work plan. The work plan involves coordination with various NAIC groups. He said the Task Force will be working with the Property and Casualty Insurance (C) Committee on a proposal to add a cybersecurity supplement to the P/C annual statement. He advised that the Committee adopted a motion to release the Annual Statement Supplement for public comment and asked for comments to be submitted by March 23. The Committee intends to discuss the comments received during the Spring National Meeting.

Commissioner Hamm said the Task Force will also be working with the IT Examination (E) Working Group. The Working Group plans to review existing guidance and will be working with the Task Force on modernizing the examination protocols for financial examiners to check on the cybersecurity capabilities of insurers.

Commissioner Hamm reported the Task Force will create a survey of states to assess state cyber vulnerabilities. He said drafting will occur during the months of May and June. The survey will be distributed near the end of June, with responses expected in July or August. The plan is to be able to discuss results during the Fall National Meeting.

Commissioner Hamm advised the Task Force would be developing a Consumer Bill of Rights. He expects it will cover existing laws and regulations regarding security breach notification. It will also outline expectations of insurers if they experience a cybersecurity issue. He said consumers deserve to know insurers are protecting their sensitive financial and health information. They also deserve to know when a breach occurs so they can take steps to safeguard themselves from identity theft or other fraud. He said the Task Force will begin work on the Consumer Bill of Rights in April following adoption of the Guiding Principles.

Commissioner Hamm reported on information sharing activities. He announced he was serving as principal representing insurance regulators on the Financial and Banking Information Infrastructure (FBIIC) and the Cybersecurity Forum for Independent and Executive Branch Regulators (the Forum). The FBIIC is charged with improving coordination and communication among financial regulators, enhancing the resiliency of the financial sector, and promoting the public/private partnerships. The FBIIC is chartered under President Barack Obama's Working Group on Financial Markets, and is chaired by the U.S. Department of the Treasury's (Treasury) Assistant Secretary for Financial Institutions. The Forum is a broader group including many diverse federal agencies. It is chaired by the U.S. Nuclear Regulatory Commission (NRC).

Commissioner Hamm said that perhaps the best way for insurers to share information on cyber activity is through the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a resource for the financial sector on cyber and physical threat intelligence analysis and information sharing. The FS-ISAC is a member-owned nonprofit entity providing an anonymous information sharing capability across the entire financial services industry. Commissioner Hamm said the Task Force plans to host a webinar to receive information from the FS-ISAC. The webinar will cover the benefits of information sharing through the FS-ISAC.

Commissioner Hamm said there is a need to take a look at NAIC model laws and regulations to update them with regard to privacy and cybersecurity. Among the models under consideration are: the NAIC Insurance Information and Privacy Protection Model Act (#670); the Privacy of Consumer Financial and Health Information Regulation (#672); the Standards for Safeguarding Consumer Information Model Regulation (#673); and the Insurance Fraud Prevention Model Act (#680). He said no definite time has been set for this work.

3. Discussed the Status of Anthem Data Breach Remediation Efforts

Thomas Zielinski (Anthem, Inc.) said that immediately upon the discovery of the data breach, he was delegated by Anthem's CEO as the contact person to develop and execute a plan in response to the breach. Mr. Zielinski said Anthem has been working actively with the Federal Bureau of Investigation (FBI), and the FBI should come to a conclusion in the next 30 to 60 days regarding the parties responsible for the attack. He said the FBI will also provide a detailed description of how the attack occurred.

Mr. Zielinski said in response to the attack, Anthem retained Mandiant, an outside cybersecurity firm, which has been working with Anthem closely to identify how the attack occurred. He said Mandiant is also helping Anthem develop, install and institute new security measures going forward to protect personal information, as well as personal health information.

Mr. Zielinski said the FBI has allowed him to disclose publicly that they monitor all websites that are known to deal in the black market when personal information is hacked and fraudulently sold into the market for profit on a constant basis. He said that as of today, none of Anthem's information, such as Social Security numbers, names and addresses, etc., has been dumped into or sold on the black market.

Mr. Zielinski said there has been much discussion surrounding encryption and said that even if Anthem's data had been encrypted at rest, the breach still would have occurred because passwords were compromised. He said Anthem is now using a more robust process in terms of passwords and multi-factor authentication to gain access to its databases. Mr. Zielinski said once an intruder has passwords, the encryption does not prevent the unauthorized access.

Tom Miller (Anthem, Inc.) said there are various types of breaches, and Anthem's breach came from an advanced persistent threat that is very sophisticated and complex. He said the threat actors used customized malware to gain access to Anthem's system. Mr. Miller said detection of this type of attack is difficult because the threat actors disguise themselves as valid users. He said Anthem detected a query that was running by someone other than the owner of the user ID. Mr. Miller said Anthem took severe measures very quickly. He said Anthem shut down all points of network access that were not using multi-factor authentication and reset all of the passwords, as well as disabled and reissued every user ID that had elevated access with new credentials. He said Anthem added a third level of authentication for all users that had elevated access. Mr. Miller said an additional provision regarding the passwords provided included the passwords expiring after a matter of hours. Mr. Miller said these hardening techniques ensured that the threat actors were unable to get back into Anthem's system and extract any further data.

Mr. Miller said Anthem has five work streams, and Anthem is now running an accelerated program to further strengthen its security capabilities. These work streams include: 1) organization governance and risk management; 2) identity and access management; 3) security monitoring; 4) sensitive data protection; and 5) infrastructure modification and protection.

Commissioner Hamm asked Mr. Zielinski and Mr. Miller what type of information-sharing protocols Anthem has had pre-breach and if anything has been changed post-breach. He also asked them to update the Task Force regarding the number of mailings that are being sent out to the 80 million potentially affected consumers, as well as commenting on consumer response. Additionally, Commissioner Hamm asked if Anthem had received any information that any individual has had his or her personal information stolen and negatively affected.

Mr. Zielinski said that since the late 2000s, they have been members of HiTrust, and Anthem is HiTrust-certified. He said Anthem's chief information security officer (CISO) sits on the board at HiTrust. Mr. Zielinski said HiTrust is used to sharing information across the health industry. He said the information most relevant to sharing after a breach, like the one that occurred at Anthem, is: 1) the indicators of compromise; 2) the specific Internet Protocol (IP) addresses; and 3) the malware files that could be used elsewhere in the industry to compromise peers. Mr. Zielinski said Anthem immediately shared all of this information through HiTrust and syndicated it out to both the press and the health industry and other information forums for other industries. He said Anthem also started some informal information-sharing forums to share general information to help the rest of the industry know what was happening. Mr. Zielinski said Anthem also shared the indicators of compromise with its 36 blues plans and the Blue Cross and Blue Shield Associations to make them aware of what was happening. He said Anthem will continue to share this information.

Mr. Miller said he was personally on customer calls with thousands of customers. He said Anthem hosted several town hall meetings and set up in person meetings with brokers and customers to share up-to-date information to assure interested parties that the breach had been contained and that the environment was secured.

Mr. Zielinski said that before the mailings began, Anthem gave substitute notice in addition. He said they made the strategic decision to go public through The Wall Street Journal and other media outlets because they thought initially this would deliver a broader source to the affected individuals. Mr. Zielinski said they also placed notices in newspapers throughout the country and that notices were sent out to everyone for which Anthem had addresses. He said they started the mailings at 1.5 million letters a day and are up to 2.5 million letters a day and will complete the mailings by March 30, based on valid addresses. Mr. Zielinski said they are still working on providing information to the people for which they do not have valid addresses.

Mr. Zielinski said there are two ways to sign up through AllClear, an identity protection provider: 1) by phone; and 2) by using the Web portal. He said based on their research of prior breaches, only 5% of the people that get notice actually sign up for any credit protection and monitoring. Mr. Zielinski said at this point in time, their metrics are relatively consistent with the 5% take rate.

Mr. Zielinski said the FBI told Anthem that as of March 28, they had no knowledge indicating that any information had been publicly disseminated. He said they have had calls from certain individuals who have had fraudulent tax returns filed, and felt this happened due to Anthem's breach. Mr. Zielinski said there are a lot of fraudulent tax returns being filed, and he has no evidence that there is any causal connection. He said when members and other individuals contact Anthem regarding fraudulent tax returns, they will work through AllClear and the Internal Revenue Service (IRS) to get the refund paid to the correct party and a proper tax return filed.

Mr. Hartt said compromised data can sit for many years without being used, or a database could be hacked again at another time. He asked Anthem for their thoughts about the viability of more permanent remediation approaches. Mr. Hartt asked what would be done for situations where a child's Social Security number might be used in 20 or 30 years.

Mr. Zielinski said he has spoken with multiple experts in the field of cybersecurity in the past months. He said the experts he spoke with said if the purpose of the attack is to use data for fraudulent purposes, it is used quickly. Mr. Zielinski said the overwhelming majority of information that is compromised will be put out to the black market and used in the first six to nine months after an attack. He said as the timeline goes out, it is very unlikely that the compromised data will be used. Mr. Zielinski said most companies provide one year of credit monitoring service; however, Anthem chose a two-year period to add further protection. Mr. Zielinski said the FBI told Anthem that the attackers' modus operandi is not to sell the data in the black market. He said Anthem realizes that there are Social Security numbers of young people that have been exposed, and they are open to discussion regarding minors that were involved in the breach.

Superintendent Lawsky said New York conducted a survey and found that out of the entire insurance industry in New York, only 14% of CEOs responding to the survey perform monthly debriefings regarding cybersecurity at their firms. He asked Anthem if they felt that senior executives at a large insurance firm should be familiar with cybersecurity terminology due to the sophisticated and serious nature of hacking.

Mr. Zielinski said that while he was not versed in the technicalities regarding the products used to prevent an advanced persistent threat, he was very familiar with what happened. He said he has been general counsel for Anthem since June 2014, and started attending board meetings in January Mr. Zielinski said Anthem's board meets five times a year, and during every board meeting, there is a discussion and presentation to the board regarding cybersecurity, possible threats and the company's information technology (IT) infrastructure. He said it is a part of Anthem's enterprise risk management (ERM), and Anthem has an Own Risk and Solvency Assessment (ORSA).

Superintendent Lawsky asked Anthem what they have learned and what they would have done differently, now that the event has occurred. Mr. Miller said they would move faster on the security roadmap, because security is not a static situation. He said every company has a level of security that is better than it was a year ago, but not as good as it will be a year from now.

4. Discussed Property and Casualty Insurance (C) Committee Work on the Annual Statement Supplement

Director Farmer said the Property and Casualty Insurance (C) Committee drafted a Cybersecurity Insurance Coverage Supplement blanks proposal and exposed the draft for public comment March 11. He added the Blanks (E) Working Group voted to expose the Cybersecurity Insurance Coverage Supplement for comment March 28. Director Farmer said there will likely be modifications to the proposed blank, as the Committee received eight comment letters proposing changes to the supplement. These comment letters will be reviewed during the Committee meeting March 30. He said the Committee will report back to the Task Force with the final draft of the blanks proposal.

5. Discussed Cyber-Related Activities of the IT Examination (E) Working Group

Mr. McNaughton said every state is required to use specialists at companies when reviewing its data security controls. He said specialists generally are Certified Information Systems Auditors (CISAs), as well as have the automated examination specialist certification from the Society of Financial Examiners (SOFE). Mr. McNaughton said using these specialists is an accreditation requirement on all multi-state examinations.

Mr. McNaughton said the NAIC Financial Analysis Handbook (Handbook) has an extensive section regarding review of automated controls. He said the Handbook uses the COBIT 5 standards, which are recommended and promoted by the Information Systems Audit and Control Association (ISACA). He said the standards are very strict and robust with respect to evaluating and determining whether the general information technology controls at a company are operating as they should.

Mr. McNaughton said the difference between what the IT Examination (E) Working Group and what a cybersecurity firm does is that the Working Group ensures that a company is evaluating its risks and hiring the necessary firms to examine its data and systems. A cybersecurity firm, such as Mandiant, does actual penetration testing, monitoring and ongoing reviews on behalf of the insurers.

Mr. McNaughton said the IT Examination (E) Working Group regularly revises its guidelines and standards. He said the Working Group has used the draft principles put together by the Task Force to determine the Working Group's next steps to ensure its guidelines include a more robust look at cybersecurity. Mr. McNaughton said the Working Group formed subgroups to evaluate and compare principles five, six and seven of the draft guidelines. He said they are going to compare the National Institute of Standards and Technology (NIST) framework to their existing framework to be sure there are no gaps between the two frameworks.

Mr. McNaughton said when they do a risk-focused exam, they look at how a company identifies and defines its risks and what it does to mitigate its risks. He said they also weigh what the CEO and board members have to say regarding these risks, and they often find that data security and cybersecurity is not high on the list of risks identified by companies.

Mr. Stephens said Anthem was relying on HiTrust, which is an alliance with a framework. He asked if there were any plans to review HiTrust's framework or some of the other available frameworks. Mr. McNaughton said not at this time.

6. Considered Comments on Draft Principles for Effective Cybersecurity Insurance Regulatory Guidance and Voted to Extend the Comment Period

Ryan Johnson (Alvarez & Marsal) said the Commerce Department's National Institute of Standards and Technology (NIST) is an excellent framework and is often used. He said he would like for the Task Force to take into consideration that there were other viable options available. Mr. Johnson said one standard may not be sufficient, and the Task Force may want to consider all of the available frameworks.

Birny Birnbaum (Center for Economic Justice CEJ) said it would be useful to know the results of the financial examination of Anthem prior to its data breach and whether those examinations identified any of the vulnerabilities. He said if there were no vulnerabilities identified, this might be something that could be used to strengthen the examination process. Mr. Birnbaum said that consumers can be harmed in many ways other than having their personal information used for financial identity theft. He said fraudsters could tap into the data stolen in order to target senior citizens regarding their health conditions. Mr. Birnbaum said credit monitoring will not solve these types of problems.

Mr. Birnbaum said the guiding principles were taken from the Securities Industry and Financial Markets Association (SIFMA) principles. He said the Task Force's draft regulatory guidance is devoid of any type of consumer perspective or consumer involvement. Mr. Birnbaum said the written comments that were submitted offer a number of suggestions.

Superintendent Lawsky said it would be relatively easy to add consumer language to the guiding principles. Mr. Hartt said principle nine references consumers as well.

Commissioner Rothman said fundamentally the issue is to determine from a regulatory perspective, the industry perspective and the consumer perspective the critical needs to get sufficient cybersecurity systems for the protection of the consumer. He said it is important to recognize that these are international, national and black market threats that can affect anyone, but the overriding goal is to accelerate what is necessary for the insurance sector to get ahead of these cyber-risks and to be provided with the necessary resources.

Mr. Birnbaum said that if an insurance company does not have adequate capital resources, it is not allowed to sell insurance. He said similarly, if it is determined that an insurance company does not have reasonable protections and infrastructure in place to protect consumer information, regulators should prohibit the company from collecting and maintaining that consumer information.

Kate Kennen (American Council of Life Insurers ACLI) said the ACLI is looking for a consistent, coordinated, national approach, which is mentioned in the draft guiding principles. She said the ACLI hopes that these principles will be flexible and practical. Ms. Kennan said companies want to be able to react quickly and continue to anticipate these cyber-attacks as they affect the private sector and the public sector as well.

Dave Snyder (Property Casualty Insurers Association of America PCI) said consumers are benefited not just from more regulation, but from the right regulation and from cost-effective regulation. He said the PCI would also like for the NAIC to support the growth of the cybersecurity market. Mr. Snyder said this includes helping insurers overcome the barriers that may exist, as well as not erecting new barriers. He said, for example, principle 17, if taken to the extreme, might actually provide disincentives for a company that wants to write this type of coverage.

Angela Gleason (American Insurance Association AIA) said the AIA participated in the development of the NIST framework. She said it is a good framework, but not the only framework. Ms. Gleason said the P/C industry is looking at the principles from the insurance aspect and protecting their own systems and recommend that principles 17 and 18 do not fit in this document. She said the AIA recommends these principles are dealt with in another manner.

Mark Pratt (America's Health Insurance Plans AHIP) said that within the insurance ecosystem, it is going to be very important to coordinate the Task Force's work with other federal efforts to make sure there is a consistent and coordinated approach.

Kim Holland (Blue Cross and Blue Shield Association) said she would like to offer up the expertise of the many cybersecurity professionals within their system to work with the Task Force's efforts.

Commissioner Hamm recommended the Task Force keep the comment period open until close of business April 10 to allow further comments on the Draft Principles for Effective Cybersecurity Insurance Regulatory Guidance (Attachment One) to be submitted. He said the comments will be compiled, and the Task Force can review these comments during a conference call to be held April 16.

Director Huff made a motion, seconded by Mr. Rothman, to extend the comment period. The motion passed.

Having no further business, the Cybersecurity (EX) Task Force adjourned.

W:\National Meetings\2015\Spring\TF\Cybersecurity\03-CybersecurityTFmin.docx

Discuss Comments Received on the Cybersecurity Bill of Rights Exposure (Attachment Two)

Cybersecurity Bill of Rights

As an insurance consumer, you generally have the right to:

1. Know what type of personally identifiable information is being collected and how long that personally identifiable information is kept by an insurer, insurance producer, or other state-regulated entity.

2. Expect that an insurer, insurance producer, or other state-regulated entity that holds your personally identifiable information in connection with an insurance transaction or service is adequately protecting the personally identifiable information from disclosure to unauthorized persons.

3. Receive notice from an insurer, insurance producer, or other state-regulated entity if your personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person and could result in identity theft or fraud to you.

4. Receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach that provides:
   - Notice in written form by first-class mail, or alternatively, by e-mail if you have agreed to receive such notices electronically;
   - The notification without unreasonable delay and in no case later than 60 days following the discovery of a breach. This notice within 60 days may be delayed in the event that the release of the breach information obstructs a criminal investigation or jeopardizes national security;
   - A description of the types of information that were involved in the breach, and the steps you can take to protect yourself from potential harm;
   - Contact information for the three nationwide consumer reporting agencies;
   - Contact information for the regulated entity that suffered the breach.

5. Receive notification from health insurers regarding a data breach of protected health information that is held by a health plan, under federal HIPAA laws.

6. Receive notice from an insurer, insurance producer, or other state-regulated entity without unreasonable delay, and in no case later than 60 days, information on any relevant payment card/bank account number breach, if the breach involves a breach of the payment card/bank account numbers. This notice within 60 days may be delayed in the event that the release of the breach information obstructs a criminal investigation or jeopardizes national security.

7. Receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach of their security system, maintained by a third-party service provider that has been contracted to maintain, store, or process personally identifiable information in electronic or paper form.

8. Receive a general description of the actions taken by the insurer, insurance producer, or other state-regulated entity to restore the security and confidentiality of the personally identifiable information involved in a data breach.

9. Receive a minimum of two years of identity theft protection from the insurer, insurance producer, or other state-regulated entity in the event of a data breach.

10. Receive a summary of the rights of victims of identity theft prepared under the Fair Credit Reporting Act, in the event of a data breach that involves personally identifiable information. Your rights under the Fair Credit Reporting Act include:
   - The right to ask the three nationwide consumer reporting agencies to place fraud alerts in your file to let potential creditors and others know that you may be a victim of identity theft.
     o An initial fraud alert remains in your file for at least 90 days;
     o An extended fraud alert remains in your file for seven years;
   - The right to obtain free copies of your credit report;
     o An initial fraud alert entitles you to a copy of all information in your file for each of the three nationwide consumer reporting agencies: Equifax; Experian; and TransUnion;
     o An extended fraud alert entitles you to two free copies of the information in your files for each of the three nationwide consumer reporting agencies: Equifax; Experian; and TransUnion;
   - The right to have fraudulent information removed (or "blocked") from your credit report;
   - The right to dispute fraudulent or inaccurate information on your credit report;
   - The right to obtain information from debt collectors regarding collections for fraudulent accounts and to stop the debt collector from contacting you;
   - The right to obtain copies of the documents relating to fraudulent transactions made or accounts opened using your personal information;
     o You will have to ask for these documents in writing
     o You may be asked for proof of your identity

   Note: you will need to create an identity theft report to take advantage of some of these rights. This can be done online at the Federal Trade Commission's (FTC) website: or by calling the FTC at: or (TTY)

11. Request all three nationwide consumer reporting agencies to place a security freeze on your credit report (http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs). A security freeze will limit the consumer reporting agency from releasing your credit report or any information from your credit report without your authorization.

12. Receive an insurer, insurance producer, or other regulated entity's privacy policy regarding the data they collect on you. The regulated entity should provide a clear and conspicuous notice to you that accurately reflects its privacy policies and practices on an annual basis.

Note: Your specific data rights are based on and subject to state and federal law. For more details regarding protections in your state, contact your state insurance department. The contact information can be found on the NAIC's web page,

Standard Definitions

Data Breach: The unlawful and unauthorized acquisition of personal, financial and health information that compromises the security, confidentiality, or integrity of the personally identifiable information.

Consumer Reporting Agency: a business that regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee; obtains information primarily from sources other than insurance institutions; and furnishes consumer reports to other persons or businesses.

Insurance: A written contract issued by an entity (insurer) agreeing to accept a risk transfer from an individual, family, or business for a fee (premium).

Insurance Producer means an individual or business entity required to be licensed to sell, solicit or negotiate insurance.

Insurance Transaction: any transaction that involves the sale, solicitation or negotiation of insurance or any activity by an insurer, insurance producer or other state-regulated entity to determine eligibility for insurance, determine the price for insurance, issue the insurance contract or certificate, or settlement of claims for benefits provided by an insurance contract.

Personally Identifiable Information is any information about a consumer maintained by an insurer, insurance producer, or other state-regulated entity, including any information that can be used to distinguish or trace a consumer's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to a consumer such as medical, educational, financial, employment, and protected health information.

Helpful Links:

https://www.privacyrights.org/
https://www.identitytheft.gov/info-lost-or-stolen.html
https://www.identitytheft.gov/know-your-rights.html
https://bulkorder.ftc.gov/system/files/publications/pdf-0009-taking-charge.pdf

August 5, 2015

Pam Simpson
National Association of Insurance Commissioners
444 North Capitol Street NW, Suite 700
Washington, DC

By to:

Dear Ms. Simpson:

Thank you for the opportunity to provide feedback on the Draft Cybersecurity Bill of Rights. The formation and work of the NAIC Cybersecurity Task Force mark the start of critical progress towards strengthening the security posture of the insurance industry. This Cybersecurity Bill of Rights will also help to reinforce confidence in an industry that has suffered high profile breaches at the hands of cyber criminals.

As a member of the Casualty Actuarial Society's Cyber Risk Task Force, the founder of Enterprise Risk Associates, an insurance agency that sells cyber insurance, and the President of 4A Security, a cyber risk management consulting firm that has worked with many organizations, including insurance companies and vendors to insurance companies, to strengthen their cybersecurity, respond to cyber incidents and comply with data security and privacy regulations and guidance, I am pleased to make this small contribution to your project. I hope you find the handful of suggested revisions below useful.

Item #3. "believed to have been, acquired by an unauthorized person"

Comment: The phrase "acquired by" suggests a physical removing, taking or copying of data. However, it is possible that someone can see data that they are not authorized to access, without actually acquiring that data. For example, someone may view a health record which they are not authorized to view and relate that information to the media or other persons, or use a diagnosis or treatment to blackmail the victim, without actually acquiring the data. According to HIPAA, this would constitute a breach of PHI.

Recommendation: Replace the words "acquired by" with "disclosed to".

Item #3. "could result in identity theft or fraud to you."

Comment: While these are both possible scenarios, a breach of privacy is also a fundamental outcome which would occur, possibly resulting in humiliation, emotional distress, financial loss, etc.

Recommendation: Modify the sentence to end with "could result in a breach of your privacy, identity theft or fraud."

Item #7. "Receive notice from an insurer, insurance producer, or other state regulated entity in the event of a data breach of their security system, maintained by a third party service provider that has been contracted to maintain, store, or process personally identifiable information in electronic or paper form."

Comment: The phrase "data breach of their security system" is imprecise. A data breach means that data has been disclosed to an unauthorized party. A breach of a security system means that one or more security controls have been compromised but it does not necessarily mean that a data breach has occurred, since the data might be encrypted and therefore other security controls may still prevent disclosure to unauthorized parties (i.e. a security breach but no data breach). In addition, as written, the phrase "of their security system, maintained by a third party service provider" might be interpreted to mean that the security system is maintained by a third party service provider. While this is not an unusual circumstance, it is most likely not the intended meaning of the sentence.

Recommendation: Modify the phrase to read "in the event of a data breach at a third party provider that has been contracted to maintain, store, or process your personally identifiable information in electronic or paper form."

Item #8. "to restore the security and confidentiality of the personally identifiable information involved in a data breach."

Comment: First, it may be difficult or impossible to restore the confidentiality of PII, once it has been improperly disclosed to an unauthorized party. Rather, the victim should expect the insurer, insurance producer, etc. to restore the security of the information system so it once again protects the confidentiality of the data it creates, stores, processes and transmits. In addition, ensuring the integrity of the victim's data still in use at the insurer, insurance producer, etc. is of critical importance to prevent additional complications or damages. Some malware disturbs, but does not destroy data or data base management systems so the integrity of the data may be compromised. This can be problematic when financial data is involved, but is especially dangerous to health and safety when healthcare data is concerned. Therefore, ensuring data integrity after a security compromise can be critically important and should be included here.

Recommendation: Modify the phrase to read "to Receive a general description of the actions taken by the insurer, insurance producer, or other state regulated entity to assure the integrity of personally identifiable information involved in a data breach, and to restore the security of the information system so that the confidentiality of the data it creates, stores, processes and transmits may be maintained."

Thank you for the opportunity to provide these comments and to participate in this important project. I will be happy to answer any questions and look forward to working with the Task Force on this and future issues.

Respectfully submitted,

Ben Goodman, CRISC
President, 4A Security

Roberta Meyer
Vice President & Associate General Counsel

August 10, 2015

The Honorable Adam Hamm
Chair, NAIC Cybersecurity (EX) Task Force
North Dakota Insurance Department
600 E. Boulevard Avenue
Bismarck, North Dakota

The Honorable Ray Farmer
Vice Chair, NAIC Cybersecurity (EX) Task Force
P.O. Box
Columbia, South Carolina

Re: Proposed Cybersecurity Bill of Rights

Dear Commissioner Hamm and Director Farmer:

These comments regarding the proposed Cybersecurity Bill of Rights (Bill of Rights) are submitted to the NAIC Cybersecurity (EX) Task Force (Task Force) on behalf of the American Council of Life Insurers (ACLI). The ACLI is a Washington D.C. based trade association with approximately 284 member companies operating in the United States and abroad. ACLI advocates in federal, state, and international forums for public policy that supports the industry marketplace and the 75 million American families that rely on life insurers' products for financial and retirement security. ACLI members offer life insurance, annuities, retirement plans, long-term care and disability income insurance and reinsurance, representing 90% of industry assets and premiums.

ACLI supports the NAIC's efforts to identify uniform national cybersecurity standards and to promote a collaborative approach, that joins the insurance industry in a partnership with regulators and appropriate policymakers, to develop and implement a consistent, flexible, and risk-based approach to cybersecurity. Accordingly, ACLI appreciates and thanks you for the opportunity to comment on the proposed Bill of Rights. At the same time, ACLI has some concerns with the Bill of Rights, as currently proposed, as described below.

Overview

ACLI respectfully submits it is not clear how the Bill of Rights is intended to be used. As a result, ACLI's overarching concern with the Bill of Rights, as currently proposed, is that it includes a number of provisions we fear may be misunderstood by consumers to grant them rights to certain protections that differ from, or go beyond, the protections provided under the laws of the states in which particular consumers live. ACLI is concerned this not only will confuse consumers as to their actual rights, but is likely to also cause confusion for insurers, in the event a customer seeks protections based on the Bill of Rights that go beyond, or conflict with, the insurer's legal obligations under applicable law.

ACLI respectfully submits that a Bill of Rights that will most benefit consumers, without confusing them, would be understandable and concise, and make it clear that: (i) it is intended to provide a general summary of consumers' rights relating to cybersecurity and breach notification; (ii) it is provided for informational purposes only; and (iii) an individual's actual specific rights are based on and subject to state and federal law. Also, in view of the widely differing protections or rights provided under the 47 different state breach notification laws, the Bill of Rights should describe consumers' rights as generically as possible.

ACLI's comments and proposed modifications to specific provisions of the proposed Bill of Rights are below.

Comments on Specific Provisions

Preamble. ACLI urges that a preamble be added under the title "Cybersecurity Bill of Rights" and before the clause "As an insurance consumer, you generally have the right to:" that reads as follows:

"This Bill of Rights is intended to provide a general summary of insurance consumers' rights relating to cybersecurity and breach notification. It is provided for informational purposes only. Your specific rights are based on and subject to state and federal law."
Explanation

Insertion of this preamble is important for the reasons discussed above, to avoid confusion, and to clarify the purpose of the Bill of Rights, what it is intended to be, why it is being provided, and that it does not grant any rights or protections that are not provided under federal or state law.

1. Know what type of personally identifiable information is being collected and how long that personally identifiable information is kept by an insurer, insurance producer, or other state-regulated entity.

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

Know what type of personally identifiable information is being collected and how long that personally identifiable information is kept by an insurer and the insurer's privacy policies regarding the information., insurance producer, or other state-regulated entity.

Explanation

The length of time an insurer may retain consumer information varies depending on the requirements of different laws, the purpose(s) for which the information was collected, the nature of the insurer's relationship with a consumer, and the pendency of an application, claim, or litigation, among other things. As a result, at any particular time, an insurer may not know how long it will need to keep an individual's personally identifiable information to fulfill its contractual or other legal requirements or to perform other ordinary insurance business functions. Nor are insurers required to include information about the length of time they keep personally identifiable information in any privacy notices they are required to provide under state or federal privacy laws. Accordingly, the reference to a consumer's right to know the length of time personally identifiable information will be kept should be eliminated.

In most states, insurance producers generally are not required to provide privacy notices if the notices are provided by the insurer. Moreover, for a variety of reasons, insurers generally believe it most prudent for the insurer to make the determination about whether a breach in the security of their customers' personally identifiable information has occurred, and to provide, or to direct the provision of, any required notification of a breach to their customers. Accordingly, to simplify and streamline the Bill of Rights, ACLI urges modification to this provision and throughout the draft to eliminate any reference to insurance producers. Similarly, ACLI urges modification to this provision and throughout the draft to eliminate the reference to other state-regulated entities, particularly since it is unclear who these entities are.

Also to make the Bill of Rights as clear and concise as possible, ACLI suggests combining provision #12 (that describes the right to an insurer's privacy policy) with provision #1, since both provisions address the same, or closely, related issues. Elimination of reference to provision of privacy notices on an annual basis, as currently provided in provision #12, is appropriate, since insurers are not required to provide annual privacy notices to all consumers. They are only required to provide annual privacy notices to their customers,

2. Expect that an insurer, insurance producer, or other state-regulated entity that holds your personally identifiable information in connection with an insurance transaction or service is adequately protecting the personally identifiable information from disclosure to unauthorized persons.

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

Expect that an insurer, insurance producer, or other state-regulated entity that holds your personally identifiable information in connection with an insurance transaction or service is adequately protecting the personally identifiable information. from disclosure to unauthorized persons.

Explanation

(i) Deletion of the references to "insurance producer" or "other state-regulated entity" is urged for the reasons explained above in connection with provision #1. (ii) Deletion of the phrase "in connection with an insurance transaction or service" is suggested to simplify and streamline the provision. (iii) Deletion of the word "adequately" is requested because it is unclear how it may be construed by a consumer and its legal meaning is unclear. (iv) Finally, deletion of the phrase "from disclosure to unauthorized persons" is urged since its meaning is not clear; and insurers must disclose personally identifiable information, without the subject's authorization, to perform essential ordinary insurance business functions, as recognized under state laws and regulations that track the NAIC Insurance Information and Privacy Protection Model Act and the NAIC Model Privacy of Consumer Financial and Health Information Regulation, and the federal Gramm Leach Bliley Act and HIPAA Privacy Rule.

3. Receive notice from an insurer, insurance producer, or other state-regulated entity if your personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person and could result in identity theft or fraud to you.

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

Receive notice from an insurer, or from a third party service provider, contracted to maintain, store, or process personally identifiable information on behalf of the insurer, insurance producer, or other state-regulated entity if your personally identifiable information in electronic form was, or is reasonably believed to have been, acquired by an unauthorized person and there is a likelihood of and could result in identity theft or fraud to you.

Explanation

(i) Insertion of the phrase "or a third party service provider, contracted to maintain, store, or process personally identifiable information on behalf of the insurer," is urged to combine this provision #3 with provision #7, to streamline and clarify the Bill of Rights. It is appropriate because the general circumstances under which notice would be required to be provided by an insurer or one of its third party service providers are the same. (ii) Deletion of the phrase "insurance producer, or other state-regulated entity" is urged for the reasons discussed above in connection with provision #1. (iv) Insertion of the phrase "in electronic form" is requested because the majority of the state breach notification laws only require notice to consumers of breaches in the security of personally identifiable information that is in electronic form. (v) Finally, substitution of the phrase "could result in identity theft or fraud to you" with the phrase "there is a likelihood of identity theft or fraud to you" is urged in line with state breach notification laws that seek to avoid needlessly alarming consumers by only requiring notice when there is a likelihood of harm.

4. Receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach that provides:
   - Notice in written form by first-class mail, or alternatively, by e-mail if you have agreed to receive such notices electronically;
   - The notification without unreasonable delay and in no case later than 60 days following the discovery of a breach. This notice within 60 days may be delayed in the event that the release of the breach notification obstructs a criminal investigation or jeopardizes national security;
   - A description of the types of information that were involved in the breach, and the steps you can take to protect yourself from potential harm;
   - Contact information for the three nationwide consumer reporting agencies;
   - Contact information for the regulated entity that suffered the breach.

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

Receive The notice referenced in #3 above from an insurer, insurance producer, or other state-regulated entity in the event of a data breach that should provide:
   o Notice in written form by first-class mail, or alternatively, by e-mail if you have agreed to receive such notices electronically;
   o The notification without unreasonable delay and in no case later than 60 days following the discovery of the unauthorized acquisition of your personally identifiable information. a breach. This notice within 60 days may be delayed in the event that the release of the breach notification obstructs a criminal investigation or jeopardizes national security;
   o A general description of the types of information that were involved in the breach, and the steps you can take to protect yourself from potential harm;
   o A general description of the actions taken to restore the security and confidentiality of the information involved;
   o Contact information for the three nationwide consumer reporting agencies;
   o Contact information for the regulated entity providing the notice. that suffered the breach.

Explanation

(i) The changes to the introductory sentence of this paragraph are proposed to streamline and simplify the provision. (ii) The elimination of the phrase "data breach" and the word "breach" in the introductory sentence and the second, third, and sixth bullets is requested because they are terms of art with different meanings in different states. (iii) For the same reason, in the second bullet, the phrase "unauthorized acquisition of your personally identifiable information" is proposed to be substituted for


More information

The Home Depot Provides Update on Breach Investigation

The Home Depot Provides Update on Breach Investigation The Home Depot Provides Update on Breach Investigation Breach confirmed Investigation focused on April forward No evidence of debit PIN numbers compromised No customers liable for fraudulent charges Customers

More information

Substitute Notice for Village Pizza

Substitute Notice for Village Pizza Substitute Notice for Village Pizza Village Pizza is committed to protecting the personal information provided to us by our customers. This notice is regarding an incident involving some of that information.

More information

We are writing to you because of a recent security incident which may have resulted in unauthorized access of your personal information.

We are writing to you because of a recent security incident which may have resulted in unauthorized access of your personal information. EQUIFAX AUTHORIZATION CODE July, 2012 Dear [insert name]: We are writing to you because of a recent security incident which may have resulted in unauthorized access of your personal information. On or

More information

Cybersecurity Workshop

Cybersecurity Workshop Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153

More information

As a precaution, we have arranged with AllClear ID to provide identity protection services to affected clients at no cost for a period of one year.

As a precaution, we have arranged with AllClear ID to provide identity protection services to affected clients at no cost for a period of one year. October 1, 2015 Office of the Attorney General Attn: Security Breach Notification 200 St. Paul Place Baltimore, MD 21202 Idtheft@oag.state.md.us To Whom It May Concern: I am writing on behalf of Scottrade

More information

HIPAA Breach UPDATED 9/21/15

HIPAA Breach UPDATED 9/21/15 HIPAA Breach UPDATED 9/21/15 Benefits Administration was informed on September 10 th of a cyberattack that may have affected records of those eligible for long term care through MedAmerica and, possibly,

More information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary

More information

This notice contains important information about the data breaches announced by Home Depot, Kmart and Dairy Queen.

This notice contains important information about the data breaches announced by Home Depot, Kmart and Dairy Queen. RECENT DATA BREACHES This notice contains important information about the data breaches announced by Home Depot, Kmart and Dairy Queen. Data security is a number one priority at Northwest. We take every

More information

DATA BREACH POLICY IMPLENTATION GUIDE

DATA BREACH POLICY IMPLENTATION GUIDE DATA BREACH POLICY IMPLENTATION GUIDE OCTOBER 15, 2007 1 Data Breach Policy Implementation Guide Purpose The response to any breach of personally identifiable information (PII) can have a critical impact

More information

Aetna Health and Life Insurance Company (AHLIC) American Continental Insurance Company (ACI) Continental Life Insurance Company of Brentwood,

Aetna Health and Life Insurance Company (AHLIC) American Continental Insurance Company (ACI) Continental Life Insurance Company of Brentwood, Aetna Health and Life Insurance Company (AHLIC) American Continental Insurance Company (ACI) Continental Life Insurance Company of Brentwood, Tennessee (CLI) Aetna Inc. For Agent Use Only. Not to be shared

More information

Fred s Inc. Identifies and Stops Payment Card Security Incident

Fred s Inc. Identifies and Stops Payment Card Security Incident Fred s Inc. Identifies and Stops Payment Card Security Incident Fred s Inc. recognizes the importance of protecting our customers payment card information, which is why we have been working tirelessly

More information

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg. ACCG Identity Theft Prevention Program ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.org July 2009 Contents Summary of ACCG Identity Theft Prevention Program...

More information

Offer in Compromise. Attach Application Fee and Payment (check or money order) here. IRS Received Date. (Rev. May 2012) Section 3

Offer in Compromise. Attach Application Fee and Payment (check or money order) here. IRS Received Date. (Rev. May 2012) Section 3 Form 656 (Rev. May 2012) Department of the Treasury Internal Revenue Service Offer in Compromise Attach Application Fee and Payment (check or money order) here. Section 1 Your Contact Information Your

More information

Important Customer Notice. Information Concerning Data Security Incident at Some Staples Stores

Important Customer Notice. Information Concerning Data Security Incident at Some Staples Stores Important Customer Notice Information Concerning Data Security Incident at Some Staples Stores Staples wants to make customers aware that we have confirmed a data security incident involving customer payment

More information

Special Report The HITECH Act

Special Report The HITECH Act Special Report The HITECH Act Privacy and Data Breach Notification Provision An Overview of the HITECH Act On February 17, 2009, President Obama signed into law the $787 billion stimulus package known

More information

When The Cloud Goes Bust: Data Breaches In The Cloud

When The Cloud Goes Bust: Data Breaches In The Cloud When The Cloud Goes Bust: Data Breaches In The Cloud CHRISTOPHER PIERSON, PH.D., J.D. LSQ JAMES T. SHREVE, ESQ. BUCKLEYSANDLER LLP Session ID: CLD-107 Session Classification: Intermediate Scenario 1 -

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

Broadband Technology Opportunities Program: Sustainable Broadband Adoption and Public Computer Centers

Broadband Technology Opportunities Program: Sustainable Broadband Adoption and Public Computer Centers Broadband Technology Opportunities Program: Sustainable Broadband Adoption and Public Computer Centers National Telecommunications and Information Agency (NTIA) U. S. Department of Commerce Funded by the

More information

Suitability Agent Continuing Education Requirements by State

Suitability Agent Continuing Education Requirements by State Suitability Agent Continuing Education Requirements by State STATE AL AK AZ AR CA CO CT DE DC FL GA HI ID Insurance producers holding a life line of insurance license must complete a one-time 4 hour annuity

More information

Other State Policy. CA Policy. Increase Requested

Other State Policy. CA Policy. Increase Requested Rate History Contact: 1 (800) 331-1538 Form * ** Date Date Name 1 NH94 I D 9/14/1998 N/A N/A N/A 35.00% 20.00% 1/25/2006 3/27/2006 8/20/2006 2 LTC94P I F 9/14/1998 N/A N/A N/A 35.00% 20.00% 1/25/2006 3/27/2006

More information

WHAT INFORMATION WAS INVOLVED?

WHAT INFORMATION WAS INVOLVED? Processing Center P.O. BOX 141578 Austin, TX 78714 00001 ACD1234 00001 JOHN Q. SAMPLE 1234 MAIN STREET ANYTOWN US 12345-6789 May 11, 2016 Dear John Sample, We are writing to notify you about an incident

More information

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become

More information

Examining the Evolving Cyber Insurance Marketplace

Examining the Evolving Cyber Insurance Marketplace Prepared Testimony and Statement for the Record of Ola Sage Founder and CEO e-management Hearing on Examining the Evolving Cyber Insurance Marketplace Before the Senate Committee on Commerce, Science,

More information

HOME DEPOT DATA BREACH

HOME DEPOT DATA BREACH HOME DEPOT DATA BREACH This notice contains important information about the data breach announced by Home Depot, affecting some debit and credit cards used at Home Depot stores beginning April 2014. Data

More information

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT share: TM CYBERSECURITY IN HEALTHCARE: A TIME TO ACT Why healthcare is especially vulnerable to cyberattacks, and how it can protect data and mitigate risk At a time of well-publicized incidents of cybersecurity

More information

ANNUITY SUITABILITY WHY REGULATORS ARE CONCERNED. Wisconsin Office of the Commissioner of Insurance

ANNUITY SUITABILITY WHY REGULATORS ARE CONCERNED. Wisconsin Office of the Commissioner of Insurance ANNUITY SUITABILITY WHY REGULATORS ARE CONCERNED Wisconsin Office of the Commissioner of Insurance Agenda Why regulators are concerned about suitability. When may a sale be unsuitable. Serious violations.

More information

2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage

2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage 2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage Chris Reese Vice President, Director of Underwriting Connie Rivas Asst. Vice President, Contracts and

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

In the first week of November, E-conolight was made aware by its website hosting company of a malware attack

In the first week of November, E-conolight was made aware by its website hosting company of a malware attack e-conolight c/o Processing Center P.O. BOX 142589 Austin, TX 78714 e-conolight c/o Processing Center P.O. Box 142589 Austin, TX 78714 [Cardholder First_Name] [Cardholder Last_Name] [Address_Line_1] [Address_Line_2]

More information

In Utilization and Trend In Quality

In Utilization and Trend In Quality AHA Taskforce on Variation in Health Care Spending O Hare Hilton, Chicago February 10, 2010 Allan M. Korn, M.D., FACP Senior Vice President, Clinical Affairs and Chief Medical Officer Variation In Utilization

More information

May 11, 2015. Re: Data Security Breach at Honig s Whistle Stop

May 11, 2015. Re: Data Security Breach at Honig s Whistle Stop May 11, 2015 New Hampshire Office of the Attorney General Consumer Protection and Antitrust Bureau 33 Capitol Street Concord, NH 03301 DOJ-CPB@doj.nh.gov Re: Re: Data Security Breach at Honig s Whistle

More information

REPORT OF THE OFFICE OF THE ATTORNEY GENERAL ON THE INVESTIGATION CONDUCTED PURSUANT TO SECTION 4-61dd OF THE CONNECTICUT GENERAL STATUTES

REPORT OF THE OFFICE OF THE ATTORNEY GENERAL ON THE INVESTIGATION CONDUCTED PURSUANT TO SECTION 4-61dd OF THE CONNECTICUT GENERAL STATUTES REPORT OF THE OFFICE OF THE ATTORNEY GENERAL ON THE INVESTIGATION CONDUCTED PURSUANT TO SECTION 4-61dd OF THE CONNECTICUT GENERAL STATUTES Report on the State Department of Education Technical High School

More information

Trends in Medigap Coverage and Enrollment, 2011

Trends in Medigap Coverage and Enrollment, 2011 Trends in Medigap Coverage and Enrollment, 2011 May 2012 SUMMARY This report presents trends in enrollment in Medicare Supplement (Medigap) insurance coverage, using data on the number of policies in force

More information

CITY OF ROCHESTER, MINNESOTA POLICE DEPARTMENT

CITY OF ROCHESTER, MINNESOTA POLICE DEPARTMENT CITY OF ROCHESTER, MINNESOTA POLICE DEPARTMENT 101 4 TH Street Southeast Rochester, Minnesota 55904-3761 507-328-6800 Fax 507-328-6975 To: From: Subject: Identity Theft and Internet Crime Victims Rochester

More information

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION INVESTMENT ADVISERS ACT OF 1940 Release No. 4204 / September 22, 2015 ADMINISTRATIVE PROCEEDING File No. 3-16827 In the Matter of

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

AFFILIATION. Why is Affiliation an Important Issue?

AFFILIATION. Why is Affiliation an Important Issue? Why is Affiliation an Important Issue? AFFILIATION SBA determines whether an entity qualifies as a small business concern by counting its receipts, employees, or other measure including those of all its

More information

(or required) to sign up for managed care programs. Depending on the state, Medicaid managed care may be voluntary or mandatory.

(or required) to sign up for managed care programs. Depending on the state, Medicaid managed care may be voluntary or mandatory. HEALTH CARE INSIDER VOLUME 5 :: ISSUE 3 In This Issue: Medicaid Managed Care Continues To Expand Across The US Health Care Cyber Threats And Data Security Medicaid Managed Care Continues To Expand Across

More information

Guide to PEO Due Diligence

Guide to PEO Due Diligence Guide to PEO Due Diligence John Iorillo, Ambrose Co CEO & Co Founder www.ambrose.com 1 855 AMBROSE (262 7673) info@ambrosegroup.com Boca Raton, FL Los Angeles, CA New York, NY Short Hills, NJ Stamford,

More information

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally

More information

Get back your good name. Refuse to be a target of identity crime again.

Get back your good name. Refuse to be a target of identity crime again. Clear Your Good Name After Identity Crime You suspect that someone is using your name and personal identification information for unlawful purposes. This kit can help you resolve your identity crime case

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

Trends in Medigap Enrollment and Coverage Options, 2013

Trends in Medigap Enrollment and Coverage Options, 2013 November 2014 Trends in Medigap Enrollment and Coverage Options, 2013 www.ahipresearch.org LIST OF TABLES AND FIGURES TABLE 1. TABLE 2. TABLE 3. TABLE 4. Distribution of Medigap Companies with Standardized

More information

Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace

Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace Testimony of Ben Beeson Vice President, Cyber Security and Privacy Lockton

More information

The 80/20 Rule: How Insurers Spend Your Health Insurance Premiums

The 80/20 Rule: How Insurers Spend Your Health Insurance Premiums SUMMARY The 80/20 Rule: How Insurers Spend Your Health Insurance Premiums The Affordable Care Act holds health insurers accountable to consumers and ensures that American families receive value for their

More information

Frequently Asked Questions [Updated January 20, 2015]

Frequently Asked Questions [Updated January 20, 2015] Frequently Asked Questions [Updated January 20, 2015] Some information in these FAQs has been provided to the Archdiocese of Portland in Oregon by the Internal Revenue Service. Note: Given the immediate

More information

PROPOSED INTERPRETIVE NOTICE

PROPOSED INTERPRETIVE NOTICE August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC

More information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

York County Sheriff's Office Identity Theft Victim s Packet

York County Sheriff's Office Identity Theft Victim s Packet York County Sheriff's Office Identity Theft Victim s Packet Information and Instructions This packet should be completed once you have received a copy of your police report from the York County Sheriff's

More information

Refuse to be a target of identity crime.

Refuse to be a target of identity crime. Refuse to be a target of identity crime. Protecting the Real You and Only You. The International Association of Chiefs of Police 515 N. Washington Street, Alexandria, VA 22314 Telephone: 1.800.843.4227

More information

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence December 6, 2012 Michael Greenberger Professor of Law Founder and Director, CHHS Legislative Proposals Maryland

More information

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015 Data Privacy: What your nonprofit needs to know Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015 Overview 2 Data privacy versus data security Privacy polices and best practices Data security

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

Who s next after TalkTalk?

Who s next after TalkTalk? Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many

More information

What follows are various form letters that can be adapted to your

What follows are various form letters that can be adapted to your Form Letters What follows are various form letters that can be adapted to your own specific situation and used accordingly. It is prudent to send these letters by certified mail, return receipt requested,

More information

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats

More information

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106

More information

Federation of State Boards of Physical Therapy Jurisdiction Licensure Reference Guide Topic: Continuing Competence

Federation of State Boards of Physical Therapy Jurisdiction Licensure Reference Guide Topic: Continuing Competence This document reports CEU requirements for renewal. It describes: Number of required for renewal Who approves continuing education Required courses for renewal Which jurisdictions require active practice

More information

IDENTITY THEFT VICTIMS: IMMEDIATE STEPS

IDENTITY THEFT VICTIMS: IMMEDIATE STEPS IDENTITY THEFT VICTIMS: IMMEDIATE STEPS If you are a victim of identity theft, take the following four steps as soon as possible, and keep a record with the details of your conversations and copies of

More information

Presidential Summit Reveals Cybersecurity Concerns, Trends

Presidential Summit Reveals Cybersecurity Concerns, Trends Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Presidential Summit Reveals Cybersecurity Concerns,

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

The Digital Identity Ecosystem of the States: Securing the Enterprise

The Digital Identity Ecosystem of the States: Securing the Enterprise The Digital Identity Ecosystem of the States: Securing the Enterprise Security Industry Alliance September 28, 2011 Doug Robinson, Executive Director National Association of State Chief Information Officers

More information

Subscribe to Credit Monitoring and/or Submit a Claim Form to get benefits. EXCLUDE YOURSELF

Subscribe to Credit Monitoring and/or Submit a Claim Form to get benefits. EXCLUDE YOURSELF SUPERIOR COURT OF THE STATE OF CALIFORNIA, COUNTY OF ORANGE If you applied for health insurance through WellPoint / Anthem Blue Cross before March 10, 2010, you could get benefits from a class action settlement.

More information

Rule 3.3: Candor Toward the Tribunal

Rule 3.3: Candor Toward the Tribunal American Bar Association CPR Policy Implementation Committee Variations of the ABA Model Rules of Professional Conduct Rule 3.3: Candor Toward the Tribunal (a) A lawyer shall not knowingly: (1) make a

More information

Information Protection

Information Protection Information Protection Security is Priority One InfoArmor solutions are created to be SSAE 16, ISO 27001 and DISA STIG compliant, requiring adherence to rigorous data storage practices. We not only passed

More information

Session #56. Two-Factor Authentication. Steven Burke & James McMahon U.S. Department of Education

Session #56. Two-Factor Authentication. Steven Burke & James McMahon U.S. Department of Education Session #56 Two-Factor Authentication Steven Burke & James McMahon U.S. Department of Education Project Overview To comply with the White House through the United States Office of Management and Budget

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Privacy Impact Assessment

Privacy Impact Assessment AUGUST 16, 2013 Privacy Impact Assessment CIVIL PENALTY FUND AND BUREAU-ADMINISTERED REDRESS PROGRAM Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

Legal Exemptions for Religious Based Medical Neglect. Ariel Alvarez Montclair State University April 19, 2013 Center for Child Advocacy

Legal Exemptions for Religious Based Medical Neglect. Ariel Alvarez Montclair State University April 19, 2013 Center for Child Advocacy Legal Exemptions for Religious Based Medical Neglect Ariel Alvarez Montclair State University April 19, 2013 Center for Child Advocacy Overview *About the research and goals. *Methods *Results *Discussion

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

Data Security Breach Notice Letter

Data Security Breach Notice Letter View the online version at http://us.practicallaw.com/3-501-7348 Data Security Breach Notice Letter DANA B. ROSENFELD & ALYSA ZELTZER HUTNIK, KELLEY DRYE & WARREN LLP A letter from a company to individuals

More information

Adopting a Cybersecurity Framework for Governance and Risk Management

Adopting a Cybersecurity Framework for Governance and Risk Management The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Adopting a Cybersecurity Framework for Governance and Risk Management Jim Giordano Vice Chairman & Chair of Finance

More information

South Dakota Prescription Drug Monitoring Program (SD PDMP) Learning Objectives

South Dakota Prescription Drug Monitoring Program (SD PDMP) Learning Objectives South Dakota Prescription Drug Monitoring Program (SD PDMP) SD Academy of Physician Assistants Summer/Fall CME Conference September 6, 2012 Ron Huether, RPh, SD PDMP Kari Shanard Koenders, RPh, PDMP Director

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS Updated 2/6/2015 Anthem and its affiliated brands was the target of a very sophisticated external cyber-attack. These cyber attackers gained unauthorized access to Anthem s information technology (IT)

More information