
The Art of Breach Management
Beazley, February 2008

A Brief Review of Data Breaches

What is a Data Breach?
The actual release or disclosure of information to an unauthorized individual or entity, where that information relates to a person and:
o may cause that person inconvenience or harm (financial or reputational): Personally Identifiable Information (PII), Protected Health Information (PHI)
o may cause your company inconvenience or harm (financial or reputational): customer data and applicant data; current and former employee data and applicant data; corporate information and intellectual property

What Kinds of Information are at Risk?
Consumer information
o Credit cards, debit cards, and other payment information
o Social Security numbers, ITINs, and other taxpayer records
o Customer transaction information, like order history, account numbers, etc.
o Protected Health Information (PHI), including medical records, test results, and appointment history
o Personally Identifiable Information (PII), like driver's license and passport details
o Financial information, like account balances, loan history, and credit reports
o Non-PII, like email addresses, phone lists, and home addresses, which may not be sensitive on its own but becomes more sensitive when combined with one or more of the above
Employee information
o Employers hold at least some of the above information on every employee
Business partners
o Vendors and business partners may provide some of the above information, particularly for subcontractors and independent contractors
o All of the above types of information may also be received from commercial clients as part of commercial transactions or services
o In addition, B2B exposures like projections, forecasts, M&A activity, and trade secrets
Many people think that without credit cards or PHI they have no data breach risk. But can you think of any business that holds none of the above kinds of information?

Types of Data Security Breaches
Improper disposal of data
o Paper: un-shredded documents, file cabinets discarded without checking their contents, X-ray images
o Electronic assets: computers, smartphones, backup tapes, hard drives, servers, copiers, fax machines, scanners, printers
Phishing and spear-phishing attacks
Network intrusions, hacks, malware, and viruses
Lost, missing, or stolen electronic assets
Mishaps due to broken business practices
Rogue employees

Why We Should Be Careful with the Word "Breach"
Perception is half the battle
o People use "breach" too freely, and you do not want your customers or regulators to think you suffer numerous breaches
o "Breach" suggests something bad has happened or is about to happen
o "Breach" has legal significance: in most notification laws it is a defined term that triggers obligations, so the label should follow the investigation rather than precede it
Train your incident response team not to use "breach" in internal communications while they vet or investigate a security incident

A Simplified View of a Data Breach
Discovery of a data breach
o Theft, loss, or unauthorized disclosure of personally identifiable non-public information or third-party corporate information that is in the care, custody, or control of the insured organization, or of a third party for whom the insured organization is legally liable
Evaluation of the data breach
o Forensic investigation and legal review
Managing the short-term crisis
o Notification and credit monitoring
o Public relations
Handling the long-term consequences
o Class-action lawsuits
o Regulatory fines, penalties, and consumer redress
o Reputational damage
o Income loss

Preparedness vs. Response

Breach Preparedness vs. Breach Response
Preparedness
Identify
o What information exists? Where is it? What format is it in? How easy or difficult is it to access?
Plan
o Do you know what your regulatory and compliance requirements are? Are you meeting them?
o Are you familiar with the international data privacy laws that affect your business?
o Do you have a records retention schedule and policy?
o Do you have a response plan should a breach incident occur?
Protect
o Are the systems and networks that hold the data secure?
o Are you using storage technologies that support your compliance with regulatory requirements?
o Are you securely destroying data and storage media that have reached the end of their retention period or lifecycle?
Response
Investigate
o Retain outside counsel with privacy law expertise; forensic investigators are commonly engaged through counsel so that their work product may be protected by privilege
o Determine who and what caused the breach
o Document the investigation and findings in a legally defensible manner
Respond
o Determine the scope of the breach and any resulting notification duty
o Ensure the appropriate parties are contacted in a timely and professional manner
o Provide a mitigation or remediation resource as appropriate
o Retain crisis management / reputational risk advisory services as necessary
Defend
o Regulatory defense
o Civil liability defense
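The "Identify" step above asks what information exists and where it is, and the "What Kinds of Information are at Risk" slide warns that contact data becomes sensitive once it sits beside an identifier. The deck gives the questions, not a technique, so the following is an added example, not code from the Beazley presentation: a small inventory scanner that walks a set of records, reports which of the listed information kinds each one holds, and escalates records where contact data is linkable to an SSN or card number. The sample records, the detectors (SSN, Luhn-validated card numbers, email, US phone), the category names and the sensitivity labels are all this example's own assumptions.

```python
"""Data-inventory scanner for the "Identify" step (added example; not from the
Beazley deck). Sample records, detectors, category names and sensitivity
labels are this example's own assumptions."""
import re

# SSN in 3-2-4 form. Area 000, 666 and 900-999, group 00 and serial 0000 are
# never issued, so excluding them removes obvious placeholders.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes. Anything that
# merely looks like a card (order numbers, serials) is dropped by the Luhn check.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")

# The slide's distinction: identifiers are sensitive on their own, contact data
# is not, but contact data next to an identifier ties it to a reachable person.
IDENTIFIERS = {"ssn", "payment_card"}
CONTACT = {"email", "phone"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs of card length that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def sensitivity(categories: set) -> str:
    """Assumed labels: identifiers alone are high; with contact data, linkable."""
    if categories & IDENTIFIERS:
        return "high-linkable" if categories & CONTACT else "high"
    if categories & CONTACT:
        return "low"
    return "none"


def classify(text: str) -> dict:
    """Categories present in one record plus the resulting sensitivity.

    Only counts are kept: an inventory report must not itself become another
    copy of the SSNs and card numbers it found.
    """
    counts = {
        "ssn": len(SSN_RE.findall(text)),
        "payment_card": len(find_card_numbers(text)),
        "email": len(EMAIL_RE.findall(text)),
        "phone": len(PHONE_RE.findall(text)),
    }
    categories = {k for k, n in counts.items() if n}
    return {"categories": categories, "counts": counts,
            "sensitivity": sensitivity(categories)}


def inventory(records: dict) -> dict:
    """Map each record location to its classification."""
    return {name: classify(text) for name, text in records.items()}


# Constructed sample records standing in for files found during the inventory.
# "4111 1111 1111 1111" is a well-known test card number; the order number
# beside it has the same shape but fails Luhn, so it is not reported.
SAMPLE_RECORDS = {
    "hr/employee_roster.csv": "Dana Example,123-45-6789,dana@example.com,214-555-0143",
    "sales/orders.csv": "order 1234-5678-9012-3456 card 4111 1111 1111 1111 ship 12 Main St",
    "marketing/newsletter.txt": "subscribers: a@example.org, b@example.org",
    "ops/runbook.md": "Restart the batch job after the 02:00 backup completes.",
}

if __name__ == "__main__":
    for name, result in inventory(SAMPLE_RECORDS).items():
        print(f"{name:28} {result['sensitivity']:14} {sorted(result['categories'])}")
```

Run as a script it prints one line per record. The HR roster comes out as "high-linkable" (SSN plus email and phone), the order file as "high" (one real card number; the look-alike order number is rejected by Luhn), the newsletter list as "low" and the runbook as "none". Regex detectors of this kind over-match on long digit strings and miss free-text medical or financial data, so in practice they are a first pass to point the records-retention and protection work at the right systems, not a substitute for it.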

Best Practices: Breach Preparedness and Prevention
Risk transfer instrument
Background screening program
Pre-arranged breach response services
E-learning initiative
Incident response plan
Tabletop exercises
Privacy summit
Legislative updates

Best Practices: Breach Response Management
Retain outside counsel
Notify correctly rather than merely quickly
Use an outside call center when appropriate
Engage a reputational risk advisor when appropriate
Investigate, investigate, investigate
Leverage a breach service provider to conduct recovery

Thinking About Data Breaches
Facts
o The cost of a significant data breach is estimated at $200+ per identity
o Direct costs like forensics, notification, and credit monitoring are significant and increasing
o Indirect, uninsurable costs like lost business and reputational damage may represent two-thirds of the total loss after a data breach
Beazley insights
o Companies see a 10%+ drop in breach costs after their second breach
o Companies that provide timely and accurate notification suffer less reputational damage and attract less regulatory scrutiny
o Only 36% of companies notify affected consumers within 30 days, but companies that notify quickly spend 10%+ more on their breach response
o Good breach response requires experience and specialized expertise, so most companies struggle when handling their data breaches on their own
o Mitigating reputational damage by avoiding unnecessary breach notifications is critical
Conclusion
o A timely, complete breach response using the best available experts is the best way to mitigate future liability and minimize lost business and reputational damage

Contact Information: Kristen Dauphinais, Kristen.dauphinais@beazley.com, Work: 214-561-8643, Cell: 801-518-2004