Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

Transcription

1 Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Jeremy Ong Divisional Vice-President Great American Insurance Company November 13,

2 Agenda Overview of data breach statistics and trends. Discuss applicable regulatory laws. Financial impact of a data breach. Managing your risk. 2

3 Data Breach Studies 3 Privacy Rights Clearinghouse Non-profit consumer organization dedicated to consumer information and advocacy. Database of data breach incidents reported since 2005 Verizon / US Secret Service Data Breach Investigations Report Spans 6 years covering 900+ breaches that accounted for 900 Million compromised records Ponemon Institute Independent research on privacy, data protection, and information security policy.

4 Common Examples of 2009 /2010 Data Breach Incidents from PrivacyRights.org 3 Travel agency break-in. Computers and customer information were stolen. Embezzlement of $100,000. Several customers complained about fraudulent charges on their debt and credits cards that they used on a online retailer s website. Theft of a laptop resulted in the company notifying 4,004 current and former employees that their personal information was on the laptop. Paper files containing personal information going back to 2005 were found near a dumpster. Internet shopping website lost credit card details on 52,000 customers after its servers were hacked. The company has suspended its website and has informed its customers and relevant authorities.

5 Common Examples of 2009 /2010 Data Breach Incidents from PrivacyRights.org A worker s failure to abide by security precautions caused a portable storage device containing information on 4,000 employees to disappear. Personal information of clients were accidentally posted online. A package containing sensitive hardcopy customer information including financial data on a CD were stolen. CD was not encrypted. Blackberry device was stolen from an employee s desk. The device was unencrypted and contained sensitive customer information. $50,000 of fraudulent charges were incurred by a hacker from Romania who was able to hack into a computer server of a business establishment. 5

6 2010 Verizon Data Breach Study 6 Incidences by Industry Groups : Financial Services 35% Hospitality 23% Retail 15% Manufacturing 6% Technology Services 5% Business Services 4% Government 4% Media 4% Healthcare 3%

7 2010 Verizon Data Breach Study 37% took months to discover data breach while 24% discovered within weeks. 83% of compromised data was payment card information Size of Organizations by percentage of breach: 1 to 100 employees % 101 to 1000 employees % 1001 to 100,000 employees--49% over 100,000 employees % 7

8 2010 Verizon Data Breach Study Source of Data Breaches in 2009: External 45% 138,566,355 records Internal 27% 2,640,240 records Multiple Agents 27% 46,451,904 records Partner 1% 43,744,573 records 8

9 2010 Verizon Data Breach Study 9 Most Common Actions that Causes a Breach: Malware (malicious software such as virus, trojan horses, spyware, sleeper virus) Hacking Social (solicitation /bribery, phishing /masquerading a trustworthy entity, pretexting / tricking a victim to divulge info, fake websites, extortion, scam). Misuse such as fraud, abuse of system access, use of unapproved devices, violation of web policy and handling of data. Physical (theft, tampering, surveillance, Error (misconfiguration, loss or misplacement, publishing error, technical /system malfunction)

10 2010 Verizon Business Team Study 6 External Breach Sources by Geography : 21% Eastern Europe (Russia) 19% North America 18% Asia East (China) 10% Western Europe 5% Middle East 2% Africa 2% Asia-South/Southeast 2% Oceania Organized crime accounts for 24% of the external breach sources.

11 Ponemon Institute : 2010 Study of Data Breaches Average cost per record is $204 in the US. Lost business accounts for 66% of data breach costs Root causes: 36% Systems glitch 40% Negligence 24% Malicious or Criminal attack 11

12 Regulatory Considerations Data Breach Notification Laws In effect in 47 states except: Alabama, New Mexico, & South Dakota. Subject to statutory fines / penalties. Exemptions and notification deadlines vary by state. 12 Red Flags Rule FTC requires Identity Theft Protection programs in place for each organization that is involved with providing credit and financial services. Fines / Penalties will be assessed by the FTC for non-compliance. Law is effective January 1, 2011

13 Financial Impact of a Data Breach 13 Interruption of your business operations loss of revenue Hiring Consulting services that specialize in Identity Theft / Crisis management ($400 /hr) Forensics- investigating how it occurred, how much data was taken / compromised, and fixing the deficiencies (if any). Damage to your electronic data and the costs of restoring it back. Costs to comply with your state s data breach notification law. Notifications typically cost $15 per record Damage Control costs such as providing 1 year of credit monitoring and fraud monitoring services to minimize loss of customers. Tarnished Reputation resulting in loss of referral business from existing clients.

14 Financial Impact of a Data Breach Loss of Customers: Ponemon study indicates 66% of costs of data breach are attributed to loss of customers. Additional staffing costs to comply with notification law and handle surge in unhappy customer calls. Customers could file a lawsuit against you for breach of privacy. Fines/Penalties assessed by the FTC May be liable to pay for the breach caused by your vendor if customer information is shared or access is granted to them. 14

15 Managing Your Risk Internal Controls: Encrypting your data on all equipment and mobile devices. Hiring practices. Background checks. Screening Vendors. Overseas vendors may operate under different standards when it comes to data privacy and protection. Restricting and monitoring privileged users to customer information. Using current and appropriate security software tools. Limiting the sharing of customer information. Restrict customer information from being stored in portable devices like laptops /smart phones/ portable USB storage devices. 15

16 Managing Your Risk Do not discard paper files without shredding them. Holding your vendors accountable to protecting your data. Assessing how much customer data you have stored electronically or in paper files. The more data, the higher the potential costs if a breach occurs. Is it time to purge your files? If your data is stored by a 3 rd party vendor such as cloud computing data center infrastructure, read your contract to see how much you are still liable for. If applicable to your business, be PCI DSS compliant (Payment Card Industry Data Security Standard) to reduce your exposure to a breach and also minimize potential for fines assessed by the credit card companies. Privacy Notice on your website. 16

17 Managing Your Risk 17 Transferring your Risk: Requiring on vendor contracts to carry sufficient insurance coverage. Securing insurance coverage that addresses the following : a) Liability for Website Content. b) Liability for Data Security Breach. c) Expenses to pay for state mandated notification requirements and other crisis management related expenses. d) Coverage for the damage to your electronic data and extortion. e) Provides Business Interruption coverage f) Services of a reputable Identity Theft consulting firm that will assist you during the data breach crisis management process. Cyber Insurance is now commonly available with broad coverages and affordable pricing geared for a small business operations.

18 Summary: 18 Based on statistical data, the risk of losing more than half the customers due to a data breach is worth noting. Costs to comply with state mandated laws for customer notification account is the most common business loss. Organized crime particularly from overseas is very active in stealing data. Even the best system security controls cannot protect against human error or mistakes that lead to a breach. Victims are oftentimes the last one to know of a breach and usually discover it much later. The more customer information you have in your database, the higher your risk to loss potential should a breach occurs. Manage your cyber /data risk accordingly based on your total exposure to business loss and your tolerance to risk.

19 Information Resources Identity Theft Resource Center Identity Theft Ponemon Institute Privacy Rights Clearinghouse Federal Trade Commission (FTC) Federal Bureau of Investigation (FBI) 19

20 Questions? 20