Cyber Risk and Global Security Issues: is your business fully prepared
- Nickolas Powell
Slide 1: Cyber Risk and Global Security Issues: is your business fully prepared?
Thursday 2 October 2014. Copyright 2014 by K&L Gates LLP. All rights reserved.

Slide 2: Identifying cyber risks and how they impact your business (klgates.com)

Slide 3: (no text; image-only slide)

Slide 4: The Spectrum of Cyber Attacks
- Advanced Persistent Threats (APT)
- Cybercriminals, exploits and malware
- Denial of Service attacks (DDoS)
- Domain name hijacking
- Corporate impersonation and phishing
- Employee mobility and disgruntled employees
- Lost or stolen laptops and mobile devices
- Inadequate security and systems: third-party vendors

Slide 5: The Practical Risks of Cyber Attacks
- Loss of crown jewels, IP and trade secrets
- Compromise of customer information, credit cards and other PII
- Loss of web presence and online business
- Interception of [word missing in transcription] and data communications
- Loss of customer funds and reimbursement of charges
- Brand tarnishment and reputational harm
- Legal and regulatory complications

Slide 6: Advanced Persistent Threats
Targeted, persistent, evasive and advanced. Nation-state sponsored: P.L.A. Unit [number missing in transcription], "Comment Crew".

Slide 7: Advanced Persistent Threats
Gen. Keith B. Alexander, head of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in "the greatest transfer of wealth in history". Source: New York Times, June 1 [year missing in transcription].

Slide 8: Advanced Persistent Threats
The Director-General of MI5 warned that one London business suffered £800 million in losses following an attack.*
The UK's National Security Council has judged that the four highest-priority risks are currently those arising from:**
- International terrorism
- Cyber attack
- International military crises
- Major accidents or natural hazards
*Source: "Cyber crime a global threat, MI5 head warns" (2012). **Source: A Strong Britain in an Age of Uncertainty: The National Security Strategy (October 2010).

Slide 9: Advanced Persistent Threats
A survey by anti-virus specialists Kaspersky found that cyber security measures taken by UK businesses were "woefully inadequate".
- Only 25% of IT specialists thought that their company was completely protected from cyber threats (although can there ever be complete protection?).
- When questioned, 33% of IT managers did not know anything about the common cyber threats that have been targeting corporates.
Source: BCS, The Chartered Institute for IT.

Slide 10: Advanced Persistent Threats
- Penetration: 67% of organisations admit that their current security activities are insufficient to stop a targeted attack.*
- Duration: average = 356 days.**
- Discovery: by external alerts; 55 percent are not even aware of intrusions.*
*Source: Trend Micro, USA. **Source: Mandiant, APT1: Exposing One of China's Cyber Espionage Units.

Slide 11: Advanced Persistent Threats: Penetration
- Spear phishing
- Watering-hole attack (relies on the insecurity of frequently visited websites)
- Infected thumb drive
Sources: Mandiant, APT1: Exposing One of China's Cyber Espionage Units; Trend Micro, USA (URL truncated in transcription: es/advance-targeted-attacks/index.html).

Slide 12: Advanced Persistent Threats: Target Profiles
Industry: Government; Information Technology; Aerospace; Telecom/Satellite; Energy and Infrastructure; Engineering/Research/Defense; Chemical/Pharma.
Activities: announcements of China deals; China presence.

Slide 13: Advanced Persistent Threats (no text; image-only slide)
Slide 14: The Spectrum of Cyber Attacks (section divider; repeats the list on slide 4)

Slide 15: Cybercriminals, Exploits and Malware (section title)

Slide 16: Cybercriminals, Exploits and Malware
- 60,000 known software vulnerabilities
- 23 new zero-day exploits in 2014
- Risk = threat + vulnerability

Slide 17: Cybercriminals, Exploits and Malware
- Ransomware
- "UK Law Enforcement" lock-screen scam
- CryptoLocker

Slide 18: The Spectrum of Cyber Attacks (section divider; repeats the list on slide 4)

Slide 19: Inadequate security and systems: third-party vendors
- Vendors with client data
- Vendors with password access
- Vendors with direct system integration
- Point-of-sale

Slide 20: Inadequate security and systems: third-party vendors (no text; image-only slide)

Slide 21: Cybercriminals, Exploits and Malware
In the UK, a government report found that the cost of cyber security breaches nearly doubled in 2013. For large organisations the worst breaches cost between £600,000 and [upper figure missing in transcription] million (up from [figure missing in transcription]k a year ago). Source: UK Government press release, 29 April [year missing in transcription].

Slide 22: Cybercriminals, Exploits and Malware
- Cost per record: $158
- Notification costs: $509,000
- Post-breach costs: $1.6M
- Business loss: $3.3M
Source: Symantec Internet Security Trend Report 2014.
Slide 23: Dangers of new and emerging risks (section title)

Slide 24: Cloud Computing Risks
- Exporting security function and control
- Geographical uncertainty creates exposure to civil and criminal legal standards
- Risk of collateral damage

Slide 25: Mobile Device Risks
- 52% of mobile users store sensitive files online
- 24% of mobile users store work and personal information in the same account
- 21% of mobile users share logins with their families
- Mobile malware: apps
- Insufficient mobile platform security

Slide 26: Social Media Risks
Consumer harm and reputational damage.

Slide 27: Example: "Peter Pan virus" phishing (September 2014)
- Purportedly came from a real company, BH Live, a ticketing and entertainment company based in Bournemouth
- Claimed recipients had tickets to see Peter Pan and invited them to open the attached e-tickets
- Opening the attachment may have downloaded viruses
- BH Live was inundated with phone calls from worried recipients

Slide 28: Protection and Risk Mitigation (section title)
Slide 29: WHY MITIGATE CYBER RISK?
The consequences of a cyber attack could be catastrophic. Consider:
- How long could a business that relies on internet sales survive if no one could access its website?
- What would be the impact on its sales if no one was prepared to enter their credit card details?

Slide 30: LEGAL CONSEQUENCES
The Data Protection Act 1998 (DPA) requires the data controller to implement appropriate technical and organisational security measures against unauthorised or unlawful processing, accidental loss, destruction or damage of personal data. Regulatory penalties may be imposed on the company for breach of the DPA, including:
- Fines;
- Enforcement notices; and
- Director disqualification.
Personal data owners may claim compensation from the data controller for such breaches under the DPA.

Slide 31: PRACTICAL CONSEQUENCES
As important to companies subject to a cyber attack is what the consequences of such an attack are in practice for the business.
- Loss of customer information, credit card details and other personal information. Data owners seek compensation from the business under the Data Protection Act, especially if the hacker cannot be identified.
- Prevention of sales. Retailers with an online presence that are subject to a Denial of Service attack lose customers to competitors. You may eventually get your site back up, but will the customer be back? This risk is heightened at times of traditionally high online sales.

Slide 32: PRO-ACTIVE MANAGEMENT AT BOARD LEVEL
Not an IT problem: board-level support is required to ensure that the resources, both in time and capital, are expended. Ensure that a cybercrime management policy is part of the company's governance framework and that it is given the same level of attention as financial and other risk management regimes.

Slide 33: PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (2)
How would the board answer the following questions?
- What strategy did you have in place to prevent this cyber attack from happening?
- Who was responsible for the strategy?
- What was done in advance to limit the damage from attacks of this nature?

Slide 34: PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (3)
Basic information risk management will highlight potential cyber attacks, allowing a board to see what constitutes the most potent risks to the company. Understand:
- what data you hold
- how sensitive the data is
- which systems control the management of key information
- how critical the information is to the management of the business

Slide 35: ENSURING INTERNET SAFETY AND NETWORK SECURITY
Methods to reduce cyber risk include:
- Mobile working: ensure that a mobile working policy is in place to secure documents away from the office.
- Control access to removable media such as memory sticks and removable hard drives, and avoid their use where possible, especially for the storage of sensitive data. All removable data should be encrypted.
- Establish a policy on appropriate use and educate staff on the appropriate way to use the company's IT systems.
- Implement an incident response plan to ensure an effective response to a cyber attack.

Slide 36: ENSURING INTERNET SAFETY AND NETWORK SECURITY (2)
- Create an incident management team and give it the specialist training needed to carry out this process.
- Control and limit access: only allow employees access to the information they require to carry out their roles.
- Scan all media for malware before incorporating them into IT systems.
- Monitor ICT systems for unusual activity.
- Implement malware protection in all business areas and produce a policy on dealing with any malware issues.
- Install security patches.
- Implement basic security controls on networks.
- Ex-employees should immediately be denied access.
Slide 37: ADEQUATE TRAINING AND INTERNAL PROCEDURES
A cyber incident can take many forms, including deliberate attacks, technology issues, or simple human error or negligence. Every company has a cyber defence weak spot in its own employees. An adequate defence system protecting a company from cyber attacks should not only have the relevant defences and policies in place; staff must also be trained on the relevant policies.

Slide 38: ADEQUATE TRAINING AND INTERNAL PROCEDURES (2)
- Implement staff training and clear mechanisms for staff to report concerns about other staff members' non-compliance with policies.
- Not knowing what devices are held significantly increases a company's cyber risk profile.
- Every company should draft and implement a home and mobile working policy, and train staff to adhere to it.

Slide 39: ONGOING MANAGEMENT
Planning and analysis of risk serve no purpose unless a company also properly implements its findings. As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defences and re-evaluate the threats pertinent to their business.

Slide 40: IMMEDIATE DAMAGE TO REPUTATION
Cyber attacks naturally affect customer confidence, especially when customer information or funds are stolen. This is exacerbated by online communication forums that spread news of such an attack. Crisis management costs include:
- Informing affected customers;
- PR campaigns to restore reputation;
- Management time;
- Retrieving data;
- Suspending customer access to data and websites where relevant;
- Forensic investigation of the attack; and
- Repairing cyber defences.

Slide 41: IMMEDIATE DAMAGE TO REPUTATION (2)
- 82% of the UK public would stop dealing with an organisation if their online data was breached (Unisys survey, 2011).
- Brand damage may also come in the form of intellectual property infringement, with fake websites or counterfeit products sold online.
- IP theft can result in loss of first-to-market advantage and a consequential loss of competitive advantage.

Slide 42: POSSIBLE LONG-TERM IMPACT ON BUSINESS STRATEGY AND FINANCIAL STABILITY
- Research and development may be scaled back to preserve current financial stability, or because frequent IP theft has made it unprofitable.
- Businesses may shy away from exploiting the online market for fear of incurring another costly cyber attack.

Slide 43: A GROWING ISSUE
- Consumers are becoming increasingly receptive to interacting with businesses online.
- As customer interaction with online technology grows, so too does their disclosure of sensitive, personal information.
- A cyber attack that results in a loss of customer information can cause huge reputational damage.
- The prominence of social media and the speed at which information can be disseminated can cause reputational damage at an unprecedented speed.

Slide 44: COFFEE BREAK

Slide 45: Personal Data Breaches and Notifications: a U.S. Perspective (section title)
Slide 46: LEGAL AND REGULATORY FRAMEWORK
Federal privacy laws:
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH)
- Fair Credit Reporting Act / Fair and Accurate Credit Transactions Act
- Federal Trade Commission Act
Also: state privacy laws / consumer protection statutes; SEC cybersecurity guidance; NIST Cybersecurity Framework; Payment Card Industry Data Security Standard (PCI DSS).

Slide 47: FEDERAL PRIVACY LAWS: Gramm-Leach-Bliley Act
U.S. financial services regulators shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:
1. to insure the security and confidentiality of customer records and information;
2. to protect against any anticipated threats or hazards to the security or integrity of such records; and
3. to protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
(15 U.S.C. [section number missing in transcription].)

Slide 48: FEDERAL PRIVACY LAWS: HIPAA and HITECH
HIPAA: A covered entity or business associate must, in accordance with [Security standards: General rules], "[i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart." (45 C.F.R. [section number missing in transcription] (a).)
HITECH: A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. (42 U.S.C. [section number missing in transcription].)

Slide 49: FEDERAL PRIVACY LAWS: Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act
"It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilisation of such information in accordance with the requirements of this subchapter." (15 U.S.C. [section number missing in transcription].)
Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft. (16 C.F.R. [section number missing in transcription].)

Slide 50: FEDERAL PRIVACY LAWS: Federal Trade Commission Act
Section 5 empowers the FTC to prevent "unfair or deceptive acts or practices in or affecting commerce":
"The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. 227(b)], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce." (15 U.S.C.A. 45(a)(2).)

Slide 51: STATE PRIVACY LAWS / CONSUMER PROTECTION LAWS
Pennsylvania: Breach of Personal Information Notification Act. "(a) General rule. An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. [T]he notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth." (73 P.S. 2303(a).)
The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation.

Slide 52: SEC CYBERSECURITY GUIDANCE
"[A]ppropriate disclosures may include":
- Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Source: "Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target".

Slide 53: NIST CYBERSECURITY FRAMEWORK
The NIST Cybersecurity Framework provides a common taxonomy and mechanism for organisations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
The Framework is voluntary (for now).

Slide 54: NIST CYBERSECURITY FRAMEWORK
[Figure of the Framework, annotated: "85% of security budgets currently go here".] According to Gartner, by 2020 75% of security budgets will go towards detection and response. Source: "NIST Unveils Cybersecurity Framework".

Slide 55: NIST CYBERSECURITY FRAMEWORK (no text; image-only slide)

Slide 56: PCI DSS
PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
Slides 57 to 62: TRENDS: ARTICLE III STANDING (title-only slides)
- Clapper
- Galaria
- Neiman Marcus
- Sony
- Michaels Stores
- Adobe

Slides 63 to 64: TRENDS: SHAREHOLDER LITIGATION (title-only slides)
- Target
- Wyndham

Slides 65 to 66: TRENDS: FTC REGULATORY ACTION: Wyndham (title-only slides)

Slide 67: TRENDS: SEC, "THE NEW SHERIFF" (title-only slide)

Slide 68: Personal Data Breaches and Notifications: a UK perspective (section title)
Slide 69: LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into UK law by the Data Protection Act 1998.
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." (Part 1(7), Schedule 1 to the DPA: the 7th principle.)
No prescriptive requirements, unless sector-specific regulation applies. No one size fits all, but three principles:
1. Risk assessment: what is appropriate given the type of data? Regard is to be had to the state of technology and implementation cost compared to the harm that might result from a breach.
2. Reliability of employees.
3. Vet your data processors: written contracts.
Guidance from the regulator (UK Information Commissioner's Office):
- Encryption? Data storage vs. transmission. International Standard / Cyber Essentials Scheme.
- Anonymisation? Data Sharing Code of Practice.
- Internal policies: IT and internet use; data retention and destruction; data security; training.
- Processes and security protocols: staff vetting and access control.
- Disposal (CESG approved?) and decommissioning.
- Software updates (remedy vulnerabilities); SQL injection (high risk).
- Authentication: hashing, salted hashing.
Slide 70: DO WE NEED TO NOTIFY THE UK ICO?
- What sector are you in? PECR notifications are compulsory only for publicly available electronic communication services (the same across all of the EU), i.e. telecoms and ISPs: 24 hours after breach detection.
- Everyone else: no legal requirement, but ICO guidance says to notify if serious. Overriding consideration: potential harm to individuals. Notifying can mitigate fines, against the danger of over-notifying.
- Notify data subjects? Do they need to take steps to protect themselves?
- Contractual obligation to notify?
- Public sector bodies may have their own requirements: health service organisations use the IG Toolkit Incident Reporting Tool.
- Financial institutions: FCA / FMSA.
- Police, insurers, professional bodies, bank or credit card companies.

Slide 71: UK ICO ENFORCEMENT
- Make assessments (reactive or proactive)
- Serve Information Notices / Special Information Notices
- Enforcement Notices
- Powers of entry, inspection, seizure of documents and equipment
- Fines of up to £500,000 for serious breaches: the contravention was deliberate, or the data controller knew or ought to have known that there was a risk that the contravention would occur and that it was of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it (s.55A DPA)
- Selective enforcement / limited resources
- Individuals have a direct right of action and a right to compensation
- Criminal offences: failure to comply with an Information or Enforcement Notice (directors can also be prosecuted)
Slide 72: ENFORCEMENT TRENDS
Leading video games provider (Jan 2013):
- Network platform subject to several DDoS (distributed denial of service) attacks
- Hacker accessed customer details and passwords (no cardholder information); 100 million customers thought to be affected
- Data controller didn't keep up to date with technical developments
- Didn't deal with system vulnerabilities even though an update was available
- Didn't use cryptographic controls for passwords
- History of attacks, but still used the platform to hold vast amounts of personal data
- Didn't react quickly enough
- Voluntarily reported (mitigating factor)
- £250,000 fine; internal cost to the data controller thought to be in the region of $171 million
Booking agent for travel services (Dec 2012):
- SQL injection attack allowed the hacker to access over 1 million card payment details (half of which were active)
- Data controller ran no penetration tests or vulnerability scans and checks, on the basis that the web server was not external-facing (but it could still be accessed over the internet by individuals with basic technical skills)
- No evidence of actual harm or fraud
- Voluntarily reported (mitigating factor)
- £150,000 fine
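The second penalty turned on a SQL injection against a web server the controller assumed was not external-facing, and the slide gives no more detail than that. The Python below is an example added here, not code from the deck or from either case: it builds a small in-memory SQLite table of constructed sample rows (no real card data) and runs the same lookup two ways, once concatenating the user-supplied value into the statement and once passing it as a bound parameter. The table, column names and the tautology payload are this example's assumptions.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for this example (no real card data): a bookings
# table holding an e-mail address and a payment-card token per row.
SAMPLE_ROWS = [
    (1, "alice@example.com", "tok_1111"),
    (2, "bob@example.com", "tok_2222"),
    (3, "carol@example.com", "tok_3333"),
]

# A classic tautology payload: it closes the quoted literal, then appends a
# condition that is true for every row, so the WHERE clause matches everything.
TAUTOLOGY = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (id INTEGER PRIMARY KEY, email TEXT, card_token TEXT)"
    )
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Builds the statement by string concatenation, so user input becomes SQL."""
    sql = "SELECT email, card_token FROM bookings WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Sends the value as a bound parameter: it is only ever compared, never parsed."""
    return conn.execute(
        "SELECT email, card_token FROM bookings WHERE email = ?", (email,)
    ).fetchall()


def rows_exposed(payload: str = TAUTOLOGY) -> Tuple[int, int]:
    """Row counts returned for the payload by the vulnerable and the safe lookup."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, payload)),
                len(lookup_parameterised(conn, payload)))
    finally:
        conn.close()


if __name__ == "__main__":
    vulnerable, safe = rows_exposed()
    print(f"payload {TAUTOLOGY!r}: vulnerable query returned {vulnerable} rows, "
          f"parameterised query returned {safe}")
```

With the payload above the concatenated query returns every row in the table, which is how a single input field hands over a whole payments table, while the parameterised query returns nothing because no e-mail address equals the literal string `' OR '1'='1`. The ICO's criticism in the case was as much about process as code: a server reachable from the internet was never tested because it was believed to be internal, so the practical check is to scan from the outside rather than trust the network diagram.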
Slide 73: [chart: April to March 2014; figures not transcribed]

Slide 74: [chart: April to March 2014; figures not transcribed]

Slide 75: FUTURE DEVELOPMENTS
- CESG (the information security arm of GCHQ): 80% of known attacks are defeated by basic security practices.
- Nov [year missing in transcription]: Cyber Security Strategy produced, setting the agenda for [period missing in transcription]. Set up the National Cyber Security Programme (NCSP) with £650 million of funding for four years, under the supervision of the Cabinet Office. Progress against objectives published in Dec [year missing in transcription]; most recent progress published on 10 Sep [year missing in transcription].
- September [year missing in transcription]: BIS issued guidance for companies.
- 5 Jun [year missing in transcription]: new standard based on ISO [number missing in transcription]; certification demonstrates that industry-minimum cyber security measures have been adopted. From 1 October 2014, the government requires certain suppliers bidding for certain information-handling contracts to be Cyber Essentials certified.
- CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents, and to act as the UK central contact point for international counterparts in this field, as will be required under the upcoming European Cyber-Security Directive.
- No UK-specific legislation on the horizon, but watch out for the European Data Protection Regulation and the Network and Information Security Directive.
Slide 76: Personal Data Breaches and Notifications: a German perspective (section title)

Slide 77: LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG). Sect. 9 and Annex 1 to sec. 9 BDSG require data processors/controllers to implement adequate technical and organisational measures for data security, in particular:
1. Access control: preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.
2. Disclosure control: ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency about which bodies data will be transferred to.
3. Input control: ensuring it is possible to trace alteration or deletion of data.
4. Job control: ensuring, in the case of commissioned data processing, compliance with the controller's instructions.
5. Availability control: ensuring personal data is protected against accidental destruction or loss.

Slide 78: WHEN DO WE NEED TO NOTIFY THE DATA PROTECTION AUTHORITY (DPA) AND INFORM THE DATA SUBJECT?
General notification obligation to the DPA and the data subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG), where there is:
- Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy)
- Threatening serious harm to the rights or legitimate interests of data subjects
Information to the DPA: without undue delay; the nature of the disclosure and possible harmful consequences.
Information to the data subject: without undue delay, as soon as the data is secured and a criminal investigation is not endangered; the nature of the disclosure and recommendations to minimise possible harm.

Slide 79: ENFORCEMENT BY THE DPAs IN GERMANY
German DPAs may (Sect. 38 BDSG):
- Monitor the implementation of the BDSG and other provisions on data protection matters, including the right to request information from processors and the right to enter property and premises for inspections
- Notify data subjects in case of violation and report to prosecution authorities
- Order measures to remedy violations (e.g. prohibiting data processing)
- Impose fines of up to EUR 300,000 for intentional or negligent violation of certain provisions of the BDSG or other data protection regulations (Sect. 43 BDSG)

Slide 80: ENFORCEMENT TRENDS
There is still no common code of practice among DPAs, which leads to varying practices in the different German states (Länder). In the past, German DPAs were not very strict in enforcing data protection laws by imposing fines.
Example 1: Google Street View ([years missing in transcription]): Google provides panorama pictures for Street View; while taking these pictures, surrounding WiFi data was scanned accidentally. The competent DPA (Hamburg) imposed a fine of EUR 145,000.
Example 2: AOL server breakdown (2014): a server breakdown caused a leak of 500,000 user access data sets; the stolen data was used for a spam-mail wave. The provider did not notify the breach to the DPA but informed users. Presumably no action by the competent DPA.

Slide 81: NUMBERS AND TABLES
No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared.
Statement of the Federal Commissioner for Data Protection: March 2011 to October 2013, 501 notifications in total.
Telecoms sector: 27 notifications in 2012; 66 notifications in 2013.

Slide 82: FUTURE DEVELOPMENTS
- The Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector.
- Legislative framework: draft German Regulation for IT Security; draft EU Regulation.

Slide 83: Personal Data Breaches and Notifications: a French perspective (section title)

Slide 84: LEGISLATIVE REQUIREMENTS
- Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978.
- Directive 2009/136/EC (ePrivacy), implementing data breach requirements, in August 2010.
Breach of personal data, the French definition and scope: any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure of or unauthorised access to personal data processed in the context of providing electronic communication services to the public.
Data breach notifications are required only from telecoms operators and internet access providers, for any breach of personal data processed by electronic communication service providers operating electronic communication networks with open public access.

Slide 85: LEGISLATIVE REQUIREMENTS: two categories of notification
1. To the French DPA:
- Within 24 hours of effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data: notify at least the existence of the breach.
- Within 72 hours of effective knowledge, through an electronic procedure, describing the breach in detail: categories of data breached; origin, specificities and duration of the breach; security measures and patches implemented; potential impact on the privacy of the affected parties; spontaneous information of the affected parties.
GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the
More informationInternet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler
Internet Gaming: The New Face of Cyber Liability Presented by John M. Link, CPCU Cottingham & Butler 1 Presenter John M. Link, Vice President jlink@cottinghambutler.com 2 What s at Risk? $300 billion in
More informationDATA BREACH COVERAGE
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000
More informationCyber Risks in Italian market
Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies
More informationPrivacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014
Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014 Nikos Georgopoulos Privacy Liability & Data Breach Management wwww.privacyrisksadvisors.com October 2014
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationAPIP - Cyber Liability Insurance Coverages, Limits, and FAQ
APIP - Cyber Liability Insurance Coverages, Limits, and FAQ The state of Washington purchases property insurance from Alliant Insurance Services through the Alliant Property Insurance Program (APIP). APIP
More informationHacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows
Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne Agenda Top 10 legal need-to-knows, including: What is cyber
More informationRISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION
RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015 THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former
More informationHow To Cover A Data Breach In The European Market
SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to
More informationBeyond Data Breach: Cyber Trends and Exposures
Beyond Data Breach: Cyber Trends and Exposures Vietnam 7 th May 2015 Jason Kelly Head of Asia Financial Lines AIG Agenda Why do companies need cyber protection Example of Cyber attack worldwide and in
More informationCYBER RISK SECURITY, NETWORK & PRIVACY
CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread
More informationIntroduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide
Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com
More informationWhat Data? I m A Trucking Company!
What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West
More informationManaging Cyber Risk through Insurance
Managing Cyber Risk through Insurance Eric Lowenstein Aon Risk Solutions This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationCyber Insurance What is it? Should your bank purchase it? Roberta D. Anderson Partner, K&L Gates LLP roberta.anderson@klgates.
Cyber Insurance What is it? Should your bank purchase it? Roberta D. Anderson Partner, K&L Gates LLP roberta.anderson@klgates.com March 8, 2016 AGENDA Spectrum of Cyber Risk Cutting Edge Cyber Insurance
More informationData Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
More informationCyber/ Network Security. FINEX Global
Cyber/ Network Security FINEX Global ABOUT US >> We are one of the largest insurance brokers in the world >> We have over 180 years of history and experience in insurance; we currently operate in over
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationCyber Risks and Insurance Solutions Malaysia, November 2013
Cyber Risks and Insurance Solutions Malaysia, November 2013 Dynamic but vulnerable IT environment 2 Cyber risks are many and varied Malicious attacks Cyber theft/cyber fraud Cyber terrorism Cyber warfare
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationDemystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature
Demystifying Cyber Insurance Jamie Monck-Mason & Andrew Hill Introduction What is cyber? Nomenclature 1 What specific risks does cyber insurance cover? First party risks - losses arising from a data breach
More informationCyber and Data Security. Proposal form
Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which
More informationGRC/Cyber Insurance. February 18, 2014. Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London. Join the conversation: #ISSAWebConf
GRC/Cyber Insurance February 18, 2014 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London Join the conversation: 1 Generously sponsored by: 2 Welcome Conference Moderator Allan Wall ISSA Web Conference
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationInsurance Considerations Related to Data Security and Breach in Outsourcing Agreements
Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Greater New York Chapter Association of Corporate Counsel November 19, 2015 Stephen D. Becker, Executive Vice President
More informationMANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS
MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS RRD Donnelley SEC Hot Topics Institute May 21, 2014 1 MANAGING CYBERSECURITY RISK AND DISCLOSURE OBLIGATIONS Patrick J. Schultheis Partner Wilson
More informationCyber Risk: Global Warning? by Cinzia Altomare, Gen Re
Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
More informationISO? ISO? ISO? LTD ISO?
Property NetProtect 360 SM and NetProtect Essential SM Which one is right for your client? Do your clients Use e-mail? Rely on networks, computers and electronic data to conduct business? Browse the Internet
More informationCybersecurity Workshop
Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153
More informationReducing Risk. Raising Expectations. CyberRisk and Professional Liability
Reducing Risk. Raising Expectations. CyberRisk and Professional Liability Are you exposed to CyberRisk? Like nearly every other business, you have likely capitalized on the advancements in technology today
More informationWHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
More informationHackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common
Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable Steven J. Fox (sjfox@postschell.com) Peter D. Hardy (phardy@postschell.com) Robert Brandfass (BrandfassR@wvuh.com) (Mr. Brandfass
More informationData Security: Risks, Compliance and How to be Prepared for a Breach
Data Security: Risks, Compliance and How to be Prepared for a Breach Presented by: Sandy B. Garfinkel, Esq. The Data Breach Reality: 2015 AshleyMadison.com (July 2015) Member site facilitating personal
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationHow To Protect Yourself From Cyber Threats
Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit
More informationThe era of hacks and cyber regulation
6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year,
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationCyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?
Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies
More informationThe Legal Pitfalls of Failing to Develop Secure Cloud Services
SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More informationCyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen
Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or
More informationAcceptable Use Policy
Acceptable Use Policy Contents 1. Internet Abuse... 2 2. Bulk Commercial E-Mail... 2 3. Unsolicited E-Mail... 3 4. Vulnerability Testing... 3 5. Newsgroup, Chat Forums, Other Networks... 3 6. Offensive
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationCybersecurity Risks, Regulation, Remorse, and Ruin
Financial Planning Association of Michigan 2014 Fall Symposium Cybersecurity Risks, Regulation, Remorse, and Ruin Shane B. Hansen shansen@wnj.com (616) 752-2145 October 23, 2014 Copyright 2014 Warner Norcross
More informationData security: A growing liability threat
Data security: A growing liability threat Data security breaches occur with alarming frequency in today s technology-laden world. Even a comparatively moderate breach can cost a company millions of dollars
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More informationSmall businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
More informationCyber and Privacy Risk What Are the Trends? Is Insurance the Answer?
Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More information3/4/2015. Scope of Problem. Data Breaches A Daily Phenomenon. Cybersecurity: Minimizing Risk & Responding to Breaches. Anthem.
Cybersecurity: Minimizing Risk & Responding to Breaches March 5, 2015 Andy Chambers Michael Kelly Jimmie Pursell Scope of Problem Data Breaches A Daily Phenomenon Anthem JP Morgan / Chase Sony Home Depot
More informationCybersecurity: Protecting Your Business. March 11, 2015
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
More informationCYBER 3.0. CUTTING-EDGE ADVANCEMENTS IN INSURANCE COVERAGE FOR CYBER RISK AND REALITY SFOR005 Speakers:
CYBER 3.0 CUTTING-EDGE ADVANCEMENTS IN INSURANCE COVERAGE FOR CYBER RISK AND REALITY SFOR005 Speakers: Roberta D. Anderson, Partner, K&L Gates LLP Timothy Flaherty, Manager, Insurance Risk Management,
More information2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012
The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 Legal Issues Involved in Creating Security Compliance Plans W. David Snead Attorney + Counselor Washington,
More informationCyber and CGL Insurance Coverage for Data Breach Claims
Cyber and CGL Insurance Coverage for Data Breach Claims Paula Weseman Theisen, Partner Data breach overview Definition of data breach/types Data breach costs Data breach legal claims and damages Cyber-insurance
More informationDelaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationCoverage is subject to a Deductible
Frank Cowan Company Limited 75 Main Street North, Princeton, ON N0J 1V0 Phone: 519-458-4331 Fax: 519-458-4366 Toll Free: 1-800-265-4000 www.frankcowan.com CYBER RISK INSURANCE DETAILED APPLICATION Notes:
More informationTHE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP
More informationIncident Response. Proactive Incident Management. Sean Curran Director
Incident Response Proactive Incident Management Sean Curran Director Agenda Incident Response Overview 3 Drivers for Incident Response 5 Incident Response Approach 11 Proactive Incident Response 17 2 2013
More informationData Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com
Data Security 101 A Lawyer s Guide to Ethical Issues in the Digital Age Christopher M. Brubaker cbrubaker@clarkhill.com November 4-5, 2015 Pennsylvania Bar Institute 21 st Annual Business Lawyers Institute
More informationAVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationTHE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.
THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident. September 22, 2015 Erica Ouellette Beazley Technology, Media & Business Services Alyson Newton, Executive
More informationTHE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill
THE ANATOMY OF A CYBER POLICY Jamie Monck-Mason & Andrew Hill What s in a name? Lack of uniformity in policies: Cyber Cyber liability Data protection Tech PI The scope of cyber insurance First party coverage
More information$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP
David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Global Cyber Crime is the fastest growing economic crime Cyber Crime is more lucrative than trafficking drugs!
More informationTODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures
TODAY S AGENDA Trends/Victimology Incident Response Remediation Disclosures Trends/Victimology ADVERSARY CLASSIFICATIONS SOCIAL ENGINEERING DATA SOURCES COVERT INDICATORS - METADATA METADATA data providing
More informationBest practices and insight to protect your firm today against tomorrow s cybersecurity breach
Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationCYBER & PRIVACY LIABILITY INSURANCE GUIDE
CYBER & PRIVACY LIABILITY INSURANCE GUIDE 01110000 01110010 011010010111011001100001 01100 01110000 01110010 011010010111011001100001 0110 Author Gamelah Palagonia, Founder CIPM, CIPT, CIPP/US, CIPP/G,
More information資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系
資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 Outline Infosec, COMPUSEC, COMSEC, and Network Security Why do we need Infosec and COMSEC? Security
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationHow a Company s IT Systems Can Be Breached Despite Strict Security Protocols
How a Company s IT Systems Can Be Breached Despite Strict Security Protocols Brian D. Huntley, CISSP, PMP, CBCP, CISA Senior Information Security Advisor Information Security Officer, IDT911 Overview Good
More informationCSR Breach Reporting Service Frequently Asked Questions
CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could
More information