DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET


DATA BREACH BREAK DOWN: LESSONS LEARNED FROM TARGET
2014 NSGA Management Conference
John Webb Jr., CIC, Emery & Webb, Inc.
Inga Goddijn, CIPP/US, Risk Based Security, Inc.

Not just a big business problem
Cyber Liability comes from various sources
Sources that almost every business has:
Employees
Websites
Laptops

Sources of Liability
Employees making data handling errors, such as sending emails to the wrong person or emails with defamatory statements
Websites and social media platforms where ideas and comments can be posted
Websites using unauthorized images, music or documents

More Sources of Liability
Your business computer system can be used to transmit a virus or attack to other computer systems
Your computer system can be made inoperable due to bad programming or malicious activity. This equals costly downtime and data restoration costs

Yes, even more sources of Liability
The data in your computer system is valuable, very valuable
Credit and debit card information flowing between your Point of Sale system and the processor
Customer information such as name, address, bank account numbers, etc.
And it can be threatened as easily as by a lost or stolen laptop or thumb drive

How valuable is my data?
Your data is valuable enough that laws have been written to protect it
Data breach notification laws have real costs associated with them even if there is no harm proven or damage to the other party
The simple fact that a data breach happened will cause real costs to your business

What kind of costs?
Notification Expense
Credit Monitoring or Identity Repair
Forensic Investigations
Public Relations Assistance
Data Restoration
Business Interruption
Lawsuits and governmental investigations

Examples of Real Cost
Notification: $1 - $2 per person
Credit monitoring subscriptions: $15 - $25 per person
Consulting for forensic research & recovery: $250 - $350 per hour
Credit card reissuance fee: $20 - $30 per card
Legal fees: $350 - $600 per hour (specialist required)
Information hotlines: $5+ per call
Downtime, damages, settlements, fines, penalties???

Manage your data risk, don't ignore it!
Reduce the cost to your business with:
Risk Management
Insurance
"Ultimately, security is about people not technology"
"It's not a matter of if, but when"
Foundations of Information Privacy and Data Protection. P. Swire & K. Ahmed, 2012
Said, thought or written by nearly every data security professional working today

First Party Coverages & Controls
Breach Costs:
1. Notification and Credit Monitoring
Controls:
Know your data!
Was it really a breach?
Is credit monitoring necessary?

WAIT
We didn't lose the data

First Party Coverages & Controls
Breach Costs:
1. Notification and Credit Monitoring
2. Crisis Management & PR
Controls:
Get your team ready to play

First Party Coverages & Controls
Breach Costs:
1. Notification and Credit Monitoring
2. Crisis Management & PR
3. Cyber Extortion
Controls:
Regular back-ups and testing

First Party Coverages & Controls
Breach Costs:
1. Notification and Credit Monitoring
2. Crisis Management & PR
3. Cyber Extortion
4. Business Interruption, Extra Expense & Data Asset Restoration
Controls:
Prepare a business continuity plan

First Party Coverages & Controls
Breach Costs:
1. Notification and Credit Monitoring
2. Crisis Management & PR
3. Cyber Extortion
4. Business Interruption, Extra Expense & Data Asset Restoration
5. Regulatory Fines / Penalties
Controls:
Be forthcoming
Be proactive

Third Party Liability & Controls
Responsibility:
1. Security: failure to prevent transmission of a virus
Controls:
Keep systems up to date and monitor as much as possible

Third Party Liability & Controls
Responsibility:
1. Security: failure to prevent transmission of a virus
2. Privacy: failure to protect personal information
Controls:
Transparent data collection and use policies

Third Party Liability & Controls
Responsibility:
1. Security: failure to prevent transmission of a virus
2. Privacy: failure to protect personal information
3. Electronic Content: libel, defamation, infringement
Controls:
Review process for all content and certs from developers

Third Party Liability & Controls
Responsibility:
1. Security: failure to prevent transmission of a virus
2. Privacy: failure to protect personal information
3. Electronic Content: libel, defamation, infringement
4. Regulatory Actions
Controls:
Communication, communication, and more communication

Target Breach: Why Security is Hard
3rd party access: HVAC vendor phished, giving hackers a foothold in Target's system
Network separation: Like old fortresses, the perimeter is protected much more than the rooms inside the gates
IDS malware warnings missed: Hundreds of alerts are generated every day, often across multiple programs requiring manual verification
IDS data exfiltration warnings: lots of manual work to find and, unless correlated to the infiltration, easy to see as a false positive

Target Breach: Why Response is Hard
12/12/2013: Target is notified by DoJ they have been breached
Statistics vary, but research shows most breaches are discovered by 3rd parties
12/19/2013: Target publicly discloses breach
December 18, 2013: Target breach is revealed in a news story published by krebsonsecurity.com.
12/20/2013: Target offers 10% off in-store sales for all U.S. customers
Attack was planned to coincide with busy holiday shopping. Target takes a hit with sales down 3%-4%.
Mid-January 2014: Credit monitoring for ALL
In an effort to repair customer confidence, credit monitoring is offered to, well, everyone in the US

Target Breach
"destroying the company's brand and alienating customers."
Yahoo Finance, "Target's lost opportunity to say it's sorry", 3/26/2014
"future lives could well be rocked by identity theft for no reason other than they chose to patronize your business."
ABC News, "The Data Breach Factor So Many Companies Forget: Emotion", 3/29/2014
"Probably 5% to 10% of customers will never shop there again."
Brian Yarbrough, Research Analyst, Edward Jones, quoted in USA Today, "Target sees drop in customer visits after breach", 3/11/2014

Target Breach
"Shopping isn't objective. It's emotional."
Yahoo Finance, "Target's lost opportunity to say it's sorry", 3/26/2014

What to do?
Don't ignore it! Data protection is worth your time and attention
Expensive software won't fix the problem: To be effective, solutions need to realistically fit into your operations
Audit systems & processes: Regular scanning for vulnerabilities can find issues early
Educate employees: Training and awareness can go a long way in reducing risk
Prepare for the worst: With an incident response plan & insurance

The Golden Rule of Data
If you don't need it, don't keep it!