Data Breach and Senior Living Communities May 29, 2015

Transcription

1 Data Breach and Senior Living Communities May 29, 2015

2 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs 4. Obligations and Responsibilities Imposed By State and Federal Government 5. Incident Risk Control Measures (Pre/Post) 6. Funding Data Breach Risk 7. Key Organizational Data Breach Questions

3 Current Data Breach Trends & Issues

4 2015 Verizon Data Breach Report

5 Data Breaches On The Rise Over 37 million Healthcare & Nonprofit records breached from 1,202 data breaches made public since 2005 Reported Healthcare & Nonprofit Data Breach Incidents % A survey of U.S. small businesses found that 55% of those responding have had a data breach, but only 33% notified individuals that their PII had been exposed % Source: 2013 Ponemon Institute Poll Incomplete data Source: Privacy Rights Clearinghouse, May 1, 2015

6 Understanding Why The Senior Living Industry May Be A Target

7 Why The Senior Living Industry Is Exposed.

8 Breach Scenarios Real Cases 1 Hacking 2 Stolen Laptop January 1, 2013 Riderwood Village Senior Living had 5 laptops stolen (4 unencrypted); 8,507 records exposed 3 Lost USB 4 Breach Caused by Vendor

9 Breach Scenarios Real Cases 5 Stolen Briefcase March 1, 2014 Briefcase with PHI stolen from independent contractors home, exposing 508 resident records 6 Document Disposal 7 Employee Error 8 Unauthorized Access

10 Data Breach Costs

11 Typical Breach Response Costs Legal Forensics Crisis Management Notification $300 - $600 per hour $250 - $600 per hour $150 per hour or legal rate $1 -$3 per letter Call Handling $7 - $25 per call Credit & Fraud Monitoring $8 - $75 per person Identity Theft Resolution $400 per case

12 Helping Businesses Manage Risk Direct Costs Crisis management Public relations Print & mail notification letters Remediation services Legal & forensic services Law suits $188 per record Average cost of a U.S. data breach of which 68% pertains to indirect costs Indirect Costs Customer churn Increased customer acquisition activities Damaged reputation Loss of goodwill Employee time & resources Factors That Influence U.S. Data Breach Costs Incident response plan Decrease $34 $37 Quick notification to victims Increase Strong security posture Decrease $42 Decrease $13 Consultants engaged Source: Ponemon Cost of Data Breach Study

13 Obligations and Responsibilities Imposed By State and Federal Government

14 What is Secured PHI? HIPAA security rule encryption standard Hard copy records must be shredded Under HHS encrypted records are a safe harbor - unauthorized access does not require notice to HHS

15 Federal HIPPA HITECH Highlights Requires notice of a breach of unsecured PHI within 60 days Notice must include a brief description of the event, the PHI involved and the steps to take to protect from future harm Must notify the media and HHS if more than 500 individuals affected; Report to HHS annually all breaches less than Breach = Unauthorized acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule which comprises the security or privacy of the PHI and poses a significant risk of financial, reputational or other harm

16 FTC Rules Regarding Notice by Business Associates Applies to vendors of personal health records, Personal Health Record-related entities, third-party service providers and non-profits. Requires FTC notice within 10 business days of discovery by a healthcare entity for more than 500 consumers; all others annually Vendors are responsible for notifying a healthcare entity without unreasonable delay within 60 days of discovery Agreements with vendors must include requirement for immediate notice of data breach Unlike HITECH all breaches require notice by the vendor even if minimal risk of harm

17 NJ Breach Law Highlights

18 NJ Breach Law Highlights

19 Incident Risk Control Measures (Pre/Post)

20 Recommendations To Address HITECH, FTC and NJ Regulations Update Document Retention Policies Modify Contracts To Require Immediate Notice and Reimbursement for Notification Costs Create An Incident Response Plan Staff training

21 Before A Breach Consider This 1 How many customers/employees does the business have and do they have a data retention policy? Data Loss 2 What types of data are stored and who does it belong to? 3 Who has access to that data? 4 5 Is there a breach response plan in place? In the event of a breach, what response services will be needed and how will expenses get covered? Not if. But when...

22 Data Risk Calculator Results For commercial policyholders to spot and fix data security gaps Reporting capabilities for clients Date, Score, User Name

23 Data Security Tools

24 Data Risk Management Website Services supported via a co-branded, secure website Includes a Knowledge Center

25 Data Security Tools

26 Post Breach Response Considerations Breach Counseling Determine if a privacy breach occurred Assess severity of the event Explain breach response requirements and best practices Crisis Management Time-saving professional service to guide you in handling a breach Work closely with policyholder and claims to outline an action plan Public relations assistance to help restore your business reputation Notification Assistance Remediation Planning Drafting and review service for creating notification letters Support in drafting and delivering alternative forms of notification Assistance in discussions with 3 rd parties that need to be notified Service recommendations to impacted individuals such as call handling, monitoring products, and identity theft resolution services Evidentiary Support Documentation of steps taken and remediation services provided to manage the privacy breach Expert Testimony witness if a claim goes to court

27 Potential Breach Response Services Needed Complete Solution Data Breach Forensics * Identify cause and extent of breach Minimize impact Recommendations to prevent future exploitation Print/Mail House * Letter preparation Printing Mailing Tracking Reporting Call Handling * Toll-free number Dedicated fraud specialists Identify special handling needs Call center metrics Remediation * Credit file reviews Place fraud alerts Victim resolution services Post fraud followup Comprehensive case files *Additional fee required

28 Multidisciplinary backgrounds Data Security IT Computer Forensics Breach Response Team Business Admin Privacy Law

29 Funding Data Breach Risk

30 Privacy Breach Coverages Privacy Breach Expense Legal Forensic investigations Crisis management Notification Call center support Credit monitoring Fraud remediation PR assistance 3 rd Party (Liability) Defense costs Fines Penalties

31 First Party Coverages Business Interruption - BI incurred as the direct result of a cyber incident which causes system failure. Data Restoration - Pays for the restoration of any data stored on the insured s computer system that is lost due to a cyber incident (excess normal operating costs) Cyber Extortion Payments - Pays expense and/or loss incurred as the result of any cyber extortion threat against an insured. Crisis Management Expenses - Pays crisis management and public relations expense incurred as the result of a cyber incident. 3

32 First Party Coverages (cont d) Notification Expenses - Pays expenses incurred by Insured to notify customers whose sensitive personal information has been breached. Credit Monitoring Expenses Pays expenses incurred after a breach to provide credit monitoring to those third individuals impacted by breach. Forensic Costs Pays costs incurred for a forensics firm to determine the cause, source and extent of a Network Attack; or investigate, examine and analyze the Named Insured s Network, to find the cause, source and extent of a Data Breach. 3

33 Third Party Coverage Privacy Liability Coverage - Covers loss arising out of the organization s failure to protect sensitive personal or corporate information in any format, including liability arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code. Regulatory Actions - Pays legal costs, fines and penalties as a result of regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation. 3

34 Key Questions: Who owns data? Who is responsible for a loss of data stored on the cloud or with my Electronic Medical Record provider? Do insurance policies require me to encrypt data and install firewalls on my servers? What about cell phones, laptops, thumb drives? What if I outsource my data to a third party IT vendor? Do I have to wait for an insurance company to approve my response to a breach or can I just respond? Business Interruption If a data breach prevents me to operate my business, how long will it take me before an I can get payment from my insurance policy? How does a retro date limit coverage under a data breach policy?

35 The Presenters Gary Uzelac, CPCU Johnson Kendall Johnson Gary Gilmore Wiley Mission De Andre Salter Professional Risk Solutions ext 22