Privacy Rights Clearing House

Transcription

1 10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights Clearing House Privacy Rights Clearinghouse (PRC) The San Diego-based consumer information and advocacy nonprofit lists a chronology of data breaches on its Web site, dating to Incidents listed on the site from January 2005 through early June of this year total 155,048,651 records containing sensitive personal information that have been involved in security breaches. That s an average of almost 5 million per month. 1

2 Privacy Rights Clearing House U.S. Educational Institutions: è 2005-current: 14,725,924 from 756 breaches è 2012-current: 5,691,077 records from 177 breaches è 2014-current: 1,065,409 records from 37 breaches *represents the approximate number of records that have been compromised due to security breaches, not necessarily the number of individuals affected Breaches by Industry FYE 2014 Medical/Healthcare 42.5% Business sector 33% Government/Military 11.7% Education 7.3% Banking/Credit/Financial-5.5% YTD 8/18/2015 Medical/Healthcare 34.9% Business sector 39.4% Government/Military 7.7% Education 8.7% Banking/Credit/Financial-9.3% Source: The ITRC Data Breach Report 2

3 What Comes to Mind When We Think of Cyber Crime? Unintended disclosure - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via , fax or mail. Hacking or malware - Electronic entry by an outside party, malware and spyware. Payment Card Fraud - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals. Insider - Someone with legitimate access intentionally breaches information - such as an employee or contractor. Physical loss - Lost, discarded or stolen non-electronic records, such as paper documents Portable device - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc. Stationary device - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility. Statistics to Consider Total breach costs have grown every year since cost of a data breach study reveals that the average cost has reached $3.79 million, a 23% increase in total costs over 2013 Average cost per lost or stolen record has risen to $154, a 12% increase over 2013 Healthcare leads with $363 a record followed by Education at $300 *based off Ponemon Institutes Annual Study 3

4 Statistics to Consider Key findings in the report include: è Board level involvement and the purchase of insurance can reduce the cost of a data breach by $5.50 per record, and insurance protection reduces the cost by $4.40 per record. è Business continuity management plays an important role in reducing the cost of data breach by an average of $7.10 per compromised record è 47% of all breaches were caused by malicious or criminal attacks, with the average cost per record to resolve such an attack is $170, while system glitches cost $142 per record, and human error or negligence is $137 per record è Costs associated with lost business steadily increased from $1.23 million in 2013 to $1.57 million in 2015 è Malicious attacks can take an average of 256 days to identify, while data breaches caused by human error take an average of 158 days *based off Ponemon Institutes Annual Study Statistics to Consider Frequency by type: Employee negligence (37%) external theft of a device (22%) Employee theft (16%) Phishing and malware (combined 25%) #1 Human Error #2 Software Systems Failures #3 Loss of Paper Records *based off BakerHostetler 2015 report 4

5 What Types of Records Are at Risk? It s not just electronic records! Paper 21% Electronic 79% What information was compromised 34% health information 8% credit card 58% other (drivers license, financial, passwords, SS#) How many involve a decision to notify subject to state breach laws, such as SS#, driver license, and financial information 58% required notification 42% did not *based off BakerHostetler 2015 report Real Life Examples Bonita Unified School District The Bonita Unified School District notified parents and students of a breach when unauthorized access was discovered at San Dimas High School server. On June 2, 2015 the district discovered the unauthorized access to the high school's student database and noticed that several students grades had been changed. The district believes that the individual (s) that changed the grades also downloaded personal information of students. The information compromised included names, Social Security numbers, birthdates, medical information, the school's systems usernames and passwords, addresses, addresses, and phone numbers. 5

6 Real Life Examples Harvard University July 2015 Harvard University is notifying individuals of a data breach to their system that included 8 colleges and administrations. Those colleges and administrations include the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health. The university has not commented on how many individuals were affected or what information was compromised. The university is requesting that anyone who is associated with any of the entities to change their username and password. Real Life Examples Milford Schools July 2 Up to 25 students at Milford Schools may have had their personal information stolen due to a data breach with a third party billing service, Multi-State Billing Services, located in Somersworth, New Hampshire, when an employee's laptop was stolen from their locked vehicle in May. The laptop was password protected but not encrypted, contained information on nearly 3,000 students from 19 school districts in Central and Eastern Massachusetts. The information on the laptop included names, addresses, Medicaid ID numbers and Social Security numbers. 6

7 What are Your Potential Liabilities? Ø Invasion of privacy Ø Negligence Ø Violation of federal statutes governing the handling of student, employee or health information Ø Misappropriation of sensitive or secret proprietary information Ø Investigations by governmental authorities Ø Business interruption/extra expense if they must shut down certain online systems or websites in order to contain (or determine the method of) the attack Ø Costs related to informing families, faculty, staff and third parties Data Loss/Breach Notification Laws All states, except four, have data loss/breach notification laws: Alabama, Kentucky, New Mexico, and South Dakota No universal definition of Personally Identifiable Information (PII), but typically includes: ü Social Security numbers ü Bank account or credit card numbers ü Date and place of birth ü Address ü Driver s license number ü Passwords 7

8 Data Loss/Breach Notification After the report of a breach, regulators most often ask to review: Copies of policies and procedures governing privacy and security; Evidence of education and awareness programs, including attendance logs; Risk assessments conducted by the organization over a severalyear period preceding the incident; Risk mitigation plans developed as a result of the risk assessments; Vendor/Business Associate agreements in place, regardless of whether a vendor caused the breach; and Copies of disaster recovery and business continuity plans. Best Practices Changes in SEC rules dictate that an organization under their jurisdiction has additional Directors and Officers exposure from failure to properly insure and protect. Although not subject to SEC jurisdiction, your boards have a fiduciary responsibility to ensure the financial stability of the organization. 8

9 Best Practices How Do We Protect and Monitor? Risk Management Conduct a Risk Assessment Categorize the Data Determine Who Has Access Control Administrative Rights Manage Your Staff Best Practices How Do We Protect and Monitor? What proactive steps should you consider? Ø Because it is not if but when an incident will occur, companies can become compromise ready by taking the following steps: Developing an incident response plan Working with an experienced security consultant to conduct security assessments (to understand where assets and sensitive data are located); Implementing reasonable security and detection capabilities based on the recommendations of the consultant; Gathering threat intelligence to understand the nature of current risks; Conducting personnel training and awareness-raising activities to reduce the chance that an incident will result from employee negligence and those incidents that do occur will be quickly identified; Undertaking vendor due diligence and contract analysis, to reduce the chance that an incident will be caused by a company s business contacts; and Maintaining ongoing diligence, updating and adapting to changing risks, to proactively guard against evolving and emerging threats. 9

10 Best Practices Risk Management Encrypt Information Track Portable Devices Monitor Inexpensive Assets Engage a cyber advisor Maintain Physical Access Control Dispose of Records Properly Implement Policies and Procedures around social media and privacy, data security Manage Your Vendors (third parties for IT support) Risk Transfer purchase cyber liability insurance Traditional Liability Pitfalls Traditional liability policies have been modified to clarify intent NOT to cover cyber exposures with exclusions or clarifying language: Exclusions: for damage arising from damage to or the loss of electronic data under the ISO Commercial General Liability (CGL) form within the last decade for liability arising from violation of statutes, regulations, or ordinances related to sending, distributing, or transmitting information An exclusion for personal or advertising liability arising from chat rooms or bulletin boards owned, managed, or controlled by the insured 10

11 Cyber Liability Cyber policies may be broken into two coverage types: third-party liability, which is liability to others first-party liability, which is coverage for the school s own losses Third-Party Liability Network Security & Privacy Liability, can include: Both online and offline information Virus attacks Denial of service Failure to prevent transmission of malicious code Defense costs and fines/penalties for violations of privacy regulations (i.e.; HIPPA, Red Flag Rules, New Hi-Tech Act) Cyber Liability Multimedia Insurance can include: Both online and offline media Copyright/trademark infringement Libel/slander Advertising/false advertising Plagiarism Personal injury 11

12 Cyber Liability First Party Privacy Breach Response Costs, can include: Forensic Costs - including costs to determine the extent of the unauthorized access with sensitive personal information and legal fees for client attorney privilege Notification Costs - including postage, printing, drafting, call center, and advertisements Credit Protection Costs - including credit monitoring services, credit freezes, or fraud alerts Crisis Management Expenses - including fees for a public relations firm Credit Monitoring Services - up to a specified amount per affected person, for one year's services You Are All Free to Go Home Now Questions? Jamie Gershon Senior Vice President Tel Fax jgershon@boltonco.com 12