Protect Your Privates
Session 502, June 10, 2014, 1:45 PM
IASA 86th Annual Educational Conference & Business Show
Agenda
- Introductions
- Objectives
- Overview of Privacy Laws and Regulations
- Recent Breaches
- Current and Future Trends
- Risk Mitigation Strategies
Chris Tait, CISA, CCSK, Principal, Baker Tilly Virchow Krause, LLP, chris.tait@bakertilly.com
Mike Cullen, CISA, CISSP, CIPP/US, Senior Manager, Baker Tilly Virchow Krause, LLP, mike.cullen@bakertilly.com
POLL Poll Everywhere Online = pollev.com/mc99 Text = 22333
Objectives
- Review the definition of privacy and certain privacy standards
- Review insurance-specific privacy laws and regulations
- Learn about recent data breaches
- Discuss current and future trends in privacy
- Debate risk mitigation strategies with session participants
Overview of Privacy: What is privacy?
"The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information."
Source: American Institute of Certified Public Accountants (AICPA), Generally Accepted Privacy Principles
Overview of Privacy: What is the difference between privacy and security?
- Privacy is concerned with enabling individuals to have a say over how their personal information is collected, used, retained, and disclosed.
- Security is concerned with protecting information from inappropriate access, modification, or destruction.
- To achieve privacy, you must have security.
- Both security and privacy are business issues.
Overview of Privacy: What is personally identifiable information (PII)?
Information that can be attributed to and used to identify a specific individual. It may include:
- Name
- Social Security Number
- Residential and office addresses
- Phone numbers
- Account numbers (e.g., driver's license, financial)
- Demographics (e.g., age, gender, race, ethnicity)
- Identification numbers (e.g., student ID, driver's license, IP address)
- Claims records
- Physical characteristics (e.g., face, eyes, fingerprints, handwriting)
- Profile (e.g., buying history, browsing history, …)
Overview of Privacy: Why does privacy matter to insurance companies?
- Exceptional volume and variety of personal information (e.g., policies, health records, incident history)
- Increased complexity and oversight challenges
- Subject to many privacy laws and regulations due to the breadth and nature of business operations
- Intrinsic reputational importance of services
Overview of Privacy: Benefits and Risks
Benefits:
- Brand protection
- Market confidence
- Customer loyalty
- Trust
- Competitive differentiation
Risks:
- Negative publicity
- Lost business
- Damaged relationships
- Legal liability and financial loss
- Regulatory or industry sanctions
Laws and Regulations
- CAN-SPAM
- Gramm-Leach-Bliley Act (GLBA)
- Driver's Privacy Protection Act (DPPA)
- Fair Credit Reporting Act (FCRA)
- Genetic Information Nondiscrimination Act (GINA)
- HIPAA and HITECH Act
- Identity Theft Red Flags
- International laws
- PCI DSS
- State data protection and breach notification laws
PCI DSS Version 3.0
- PCI DSS Version 3.0 became effective on January 1, 2014
- Organizations have until January 1, 2015 to be in compliance
- Some changes are future-dated requirements and remain best practices until July 1, 2015
- Three change types: clarification (the vast majority), additional guidance, and evolving requirements
State Data Protection and Breach Notification Laws
- Data protection and breach notification laws exist in 47 states, DC, Guam, Puerto Rico, and the US Virgin Islands
- Exceptions: Alabama, New Mexico, South Dakota
- Kentucky joined the club on April 11, 2014
- Minnesota, Nevada, and Washington have all passed laws that codify some or all aspects of PCI DSS
- Generally these laws apply to all entities that hold data about the respective state's residents, regardless of whether the entity does business in that state
- The laws dictate specific information types (PII, financial, genetic)
Laws and Regulations: Future laws and regulations
- Federal breach notification
- White House Big Data Initiative: http://www.whitehouse.gov/issues/technology/big-data-review
Federal Breach Notification
- Personal Data Privacy and Security Act of 2014 (Sen. Patrick Leahy), in committee
- Application Privacy, Protection, and Security Act of 2013 (Rep. Hank Johnson), in committee
- Federal Agency Data Breach Notification Act of 2014 (Rep. Gerry Connolly), in committee
- Personal Data Protection and Breach Accountability Act of 2014 (Sen. Richard Blumenthal), in committee
White House Big Data Initiative
President's Council of Advisors on Science and Technology (PCAST) issued a report on May 1, 2014. Recommendations:
- Advance the Consumer Privacy Bill of Rights
- Pass national data breach legislation
- Extend privacy protections to non-U.S. persons
- Ensure data collected on students in school is used for educational purposes
- Expand technical expertise to stop discrimination
- Amend the Electronic Communications Privacy Act
Recent Breaches
- Nationwide Insurance
- AppleCare Insurance Services
- Continental American Insurance
- BCBS NJ
Recent Warnings (sans.org): FBI Warns Healthcare Industry of Cyber Security Risks (April 2014)
The FBI has issued two private industry notices (PINs) to the healthcare sector, warning that cyber attacks against devices and systems in that industry are likely to increase. The transition to electronic health records (EHRs), weak security, and the value of medical data on the black market are all indicators that the number of attacks will rise.
Recent Warnings (sans.org): Medical Devices Lack Adequate Security (April 2014)
A study of medical equipment at a chain of health care facilities in the Midwest found drug infusion pumps that could be remotely controlled to alter dosages; Bluetooth-enabled defibrillators that could be manipulated to deliver or prevent shocks; and electronic medical records with inadequate protections, leaving them vulnerable to alteration and theft. Many devices lacked access authentication requirements, and many had weak or hardcoded passwords. Of particular concern were embedded web services that let devices communicate with each other and deliver data to electronic medical records.
Recent Warnings (sans.org): Study Shows More than 40 Percent of Identity Theft is Medical-Related (April 2014)
A survey recently released by the Identity Theft Resource Center found that 43 percent of all identity thefts reported in the US in 2013 were medical-related. Stolen medical identity information has been used to obtain treatment and prescription medicines; medical identity fraud also places incorrect information in the patients' health records.
Data Costs
Ponemon Institute (2013 study):
- Mean = $136
- Financial industry = $215
Krebs on Security, black market worth:
- iTunes accounts for $8
- Groupon.com accounts for $5
- Facebook and Twitter accounts retail for $2.50
Breach Stats (Verizon Data Breach Report)
- 50 contributing global organizations
- 1,367 confirmed data breaches
- 63,437 security incidents
- 95 countries represented
Incident Types
Who Got Hit
- 20%: companies that were sought out
- 80%: victims of opportunity
- 90+% could have been stopped using fundamental precautions
Current and Future Trends
- Big Data
- Alternative scoring products
- Mobile devices
- Lawsuits and cyber insurance
- Internet of Things
Current and Future Trends: Big Data
- Definition
- Meta data
- Third-party data
Big Data definitions
- Gartner: Data encompassing the three Vs: Volume, Velocity and Variety
- Oracle: Derivation of value from traditional relational database-driven business decision making, augmented with new sources of unstructured data
- Intel: Data analyzed in this way are business transactions stored in relational databases, followed by documents, e-mail, sensor data, blogs, and social media
- Microsoft: The process of applying serious computing power to seriously massive and often highly complex sets of information
- Method for an Integrated Knowledge Environment (MIKE) open-source project: A function of the complexity of a data set with a high degree of permutations and interactions within the set
- National Institute of Standards and Technology (NIST): Data that exceed(s) the capacity or capability of current or conventional methods and systems
What is Big Data?
"High volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization."
Doug Laney, "The Importance of Big Data: A Definition", Gartner
Big Data Meta Data Third-party Data
Source: GAO
Data Broker Characteristics (FTC Report, May 2014)
- Data brokers collect consumer data from numerous sources, largely without consumers' knowledge
- The data broker industry is complex, with multiple layers of data brokers providing data to each other
- Data brokers collect and store billions of data elements covering nearly every U.S. consumer
- Data brokers combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences
- Data brokers combine online and offline data to market to consumers online
Current and Future Trends: Alternative Scoring Products
Built using predictive modeling. Predictive modeling uses copious amounts of information fed through analytical methods to predict the future, based on past information.
Example Scores
- Energy consumption scores
- Scores that identify the approximate credit capacity of neighborhoods instead of individuals
- Health risk scores
- Target's Pregnancy Predictor Score
Example Scores
Acxiom offers a Consumer Prominence Indicator Score that quantifies the size of a specific consumer's economic footprint, indicating the historical consumer purchasing and relative amount of marketing activity surrounding that individual.
One company states they use 300 billion data attributes in compiling their predictive scores, compiled from 8,000 data files.
Source: World Privacy Forum, The Scoring of America Report
Risks/Challenges: Why and How?
HOW?
- Volume = capture, store, process data
  - Notice and consent
  - Storage costs
  - Processing power limits
- Velocity = different rates, systems
  - Correlation
  - Analysis
- Variety = integrity of data
  - Completeness
  - Structured vs. unstructured
Source: FTC
Current and Future Trends: Mobile Devices
- Data
- Apps
- Devices: organization-owned vs. Bring Your Own Device (BYOD)
- People
Mobile Device Framework
- Data: Confidential data, Restricted data, Internal use data, Public data
- Web/Apps: Web, App
- Devices: Phone, Tablet, Laptop
- People: Policy, Agreement, Practices, Procedures, Risk assessment
Current and Future Trends: Lawsuits
- Curry v. AvMed, Inc.
Current and Future Trends: Cyber Insurance
Current and Future Trends: Internet of Things
- Cameras
- Alarm systems
- Thermostats
- Smoke detectors
- Automobiles/OBD
- RFID (state use restrictions)
Internet of Things: Autos
AAA recently estimated that one in five new cars sold this year will collect and transmit data outside the vehicle. According to one survey, cars may make up over five percent of connected devices by 2025.
Internet of Things: Autos
The recent Government Accounting Office (GAO) report on in-car, location-based services assessed industry practices regarding connected car location data against the Fair Information Practice Principles. The report focused specifically on disclosures, consumer consent and control, data safeguards and retention policies, and company accountability. The GAO's report was generally positive, reflecting the obvious attention companies in the connected car ecosystem are paying to privacy issues. The companies understand that consumer adoption of the new technologies requires consumer trust, and consumer trust requires a demonstration of robust privacy and security controls.
Internet of Things (IoT) privacy issues:
- Notice
- Purpose limitation
- Proportionality
- Data accuracy
- People's rights
- Security
Risk Mitigation Strategies
- Accept: Is it a formal process or just acceptance by implicit consent?
- Manage: Policies, Practices, Audits
- Transfer: Vendor management, SOC Reports
- Avoid
Disclosure
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party.
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
© 2014 Baker Tilly Virchow Krause, LLP
Contact information
Chris Tait, CISA, CFSA, CCSK, Principal, Baker Tilly Virchow Krause, LLP, chris.tait@bakertilly.com
Mike Cullen, CISA, CISSP, CIPP/US, Senior Manager, Baker Tilly Virchow Krause, LLP, mike.cullen@bakertilly.com