Beazley presentation master

Transcription

1 The Art of Breach Management Beazley presentation master February 2008

2 A Brief Review of Data Breaches

3 What is a Data Breach? Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that: o May cause the person inconvenience or harm (financial/reputational) Personally Identifiable Information (PII) Protected Healthcare Information (PHI) o May cause your company inconvenience or harm (financial/reputational) Customer Data, Applicant Data Current/Former Employee Data, Applicant Data Corporate Information/Intellectual Property 3

4 What Kinds of Information are at Risk? Consumer Information Credit Cards, Debit Cards, and other payment information Social Security Numbers, ITIN s s, and other taxpayer records Customer Transaction Information, like order history, account numbers, etc. Protected Healthcare Information (PHI), including medical records, test results, appointment history Personally Identifiable Information (PII), like Drivers License and Passport details Financial information, like account balances, loan history, and credit reports Non-PII, like addresses, phone lists, and home address that may not be independently sensitive, but may be more sensitive with one or more of the above Employee Information Employers have at least some of the above information on all of their employees Business Partners Vendors and business partners may provide some of the above information, particularly for Sub-contractors and Independent Contractors All of the above types of information may also be received from commercial clients as a part of commercial transactions or services In addition, B2B exposures like projections, forecasts, M&A activity, and trade secrets Many people think that without credit cards or PHI, they don t have a data breach risk. But can you think of any business without any of the above kinds of information? 4

5 Types of Data Security Breaches Improper Disposal of Data o Paper Un-shredded Documents File cabinets without checking for contents X-Ray Images o Electronic assets computers, smart phones, backup tapes, hard drives, servers, copiers, fax machines, scanners, printers Phishing/Spear Phishing Attacks Network Intrusions/Hacks/Malware Viruses Lost/Missing/Stolen Electronic Assets Mishaps due to Broken Business Practices Rogue Employees 5

6 Why we should be careful with the word Breach Perception is Half the Battle o People use breach too frequently and you don t want your customers or regulators to think you are subject to numerous breaches o Breach suggests something bad happened or is going to happen o Breach has legal significance Train your Incident Response Team to not use Breach within internal communications as you vet out or investigate the Security Incident 6

7 A Simplified View of a Data Breach Discovery of a Data Breach Evaluation of the Data Breach Managing the Short-Term Crisis Handling the Long-Term Consequences Class-Action Lawsuits Theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable Forensic Investigation and Legal Review Notification and Credit Monitoring Public Relations Regulatory Fines, Penalties, and Consumer Redress Reputational Damage Income Loss 7

8 Preparedness VS Response

9 Breach Preparedness vs. Breach Response Identify What information exists? Where is it? What format is it in? How easy or difficult is it to access? Investigate Retain Outside Counsel with Privacy Law Expertise Determine who and what caused the breach Document investigation and findings in a legally defensible manner Plan Do you know what your regulatory and compliance requirements are? Are you meeting them? Are you familiar with international data privacy laws that impact your business? Do you have a records retention schedule and policy? Do you have a response plan should a breach incident occur? Respond Determine the scope of the breach and potential notification duty Ensure appropriate parties are contacted in a timely and professional manner. Provide a mitigation or remediation resource as appropriate Retain Crisis Management / Reputational Risk Advisory Services as necessary Protect Are the systems and networks that hold the data secure? Are you utilizing storage technologies that will support your compliance with regulatory requirements? Are you securely destroying data and storage that has met the end of its retention period or lifecycle? Defend D f d Regulatory Defense Civil Liability Defense

10 Best Practices Breach Preparedness and Prevention Risk Transfer Instrument Background Screening Program Pre-Arrange Breach Response Services e-learning Initiative Incident Response Plan Tabletop Exercises Privacy Summit Legislative updates 10

11 Best Practices Breach Response Management Retain Outside Counsel Notify Correctly vs.. Quickly Outside Call Center When Appropriate Reputational Risk Advisor When Appropriate Investigate Investigate Investigate Leverage a Breach Service Provider to conduct Recovery 11

12 Thinking About Data Breaches Facts The cost of a significant data breach is estimated to be $200+/identity Direct costs like forensics, notification, and credit monitoring are significant and increasing Indirect, uninsurable costs, like lost business and reputational damage, may represent 2/3rds of the total loss after a data breach Beazley Insights Companies see a 10%+ drop in breach costs after their second breach Companies that provide timely and accurate notification see less reputational damage and attract less regulatory scrutiny Only 36% of companies notify affected consumers within 30 days, but companies that notify quickly spend 10%+ more on their breach response Good breach response requires experience and specialized expertise, so most companies struggle when handling their data breaches independently Mitigating reputational damage by avoiding unnecessary breach notifications is critical Conclusion A timely, complete breach response using the best available experts is the best way to mitigate future liability and minimize lost business and reputational damage 12

13 Contact Information: Kristen Dauphinais Work: Cell: