Network Security & Privacy Landscape


Network Security & Privacy Landscape

Presented By:
Pam Townley, AVP / Eastern Zonal Manager, AIG Professional Liability Division
Jennifer Bolling, Account Executive, Gallagher Management Liability Division

Agenda
- Network Security Overview
- Latest Threats
- Exposure Trends
- Regulations
- Claim Examples
- Security & Privacy Coverage
- Coverage Parts
- Gaps in Traditional Coverage
- Question & Answer

Data Security: Not Just an IT Problem
Information security viewed as an IT problem vs. an enterprise-wide risk management issue
- Misconception that IT alone can safeguard the organization
- Failure to address the human element and not just the technology
Negligence is the leading cause of a data breach, at 41% of all reported cases
Physical breaches accounted for 29% of all data breaches in 2010, up 14% from 2009
Sources: Ponemon Institute Cost of a Data Breach Report 2010 & Verizon Business 2011 Data Breach Investigations Report

Some Quick Stats
- $214 per record is the average cost of a data breach, with an average total per-incident cost of $7.2 million in 2011
- 98% of senior executives indicated that their boards were not actively addressing IT operations and vendor management in a 2010 Carnegie Mellon survey
- 96% of breaches could have been avoided if reasonable data security controls had been in place at the time of the incident
Sources: Carnegie Mellon Governance of Enterprise Security: CyLab 2010 Report, Ponemon Institute Cost of a Data Breach Report 2010 & Verizon Business 2011 Data Breach Investigations Report

Causes of Publicly Reported Breaches (pie chart)
- Laptop Theft or Other Device: 33%
- Negligent Employee: 22%
- External Hackers: 15%
- System Failure: 10%
- 3rd Parties (Partner, Outsourcer): 10%
- Lost Media / Back Up: 5%
- Social Engineering: 5%
Source: http://www.privacyrights.org/ar/chrondatabreaches.html; as of January 15, 2010

Highly Targeted Information
- Personally Identifiable Information (PII): for example, first name, last name, Social Security number, date of birth (current breaches: http://www.privacyrights.org)
- Financial Account Information: credit card data; bank account and PIN information
- Patient Healthcare Information (PHI): patient medical information can be stolen & sold
- Corporate Confidential Information: 3rd party trade secrets wrongfully disclosed

Impact of Social Media Networks
How can a social media network lead to a breach?
- Provides a source of information for hackers looking to create a phishing scheme against an intended target
- Provides different avenues through which a person can disseminate private or confidential information
- Provides opportunities for viruses, Trojan horses, etc. to infiltrate a system
20% of companies have investigated the exposure of confidential, sensitive or private information via a post to a social networking site
53% of companies identify Facebook and LinkedIn as a high concern for information leakage
Source: Fear of data loss, social media security risks rising by Joan Goodchild, http://www.networkworld.com/news/2010/092010-fear-of-data-loss-social.html?page=1

What Can Cause a Breach
- Storage of prohibited / unnecessary data (magnetic stripe, secret PIN, old data)
- Malware impacting computer systems
- Employee / contractor privileged access misuse
- Vendor default settings and passwords
- Physical security breach
- Phishing, spear phishing, vishing, etc.

Regulatory Environment
Increased industry, regulatory and legislative focus on security due to high-profile data compromises
- Massachusetts 201 CMR 17 + state notification laws
- Revised Health Insurance Portability and Accountability Act (HIPAA) > HITECH Act for Protected Health Information (PHI), extended to include business associates doing business with healthcare organizations
- Payment Card Industry Data Security Standards (PCI DSS)
- Fair and Accurate Credit Transaction Act (FACTA) Red Flag Rules imposed by the Federal Trade Commission
- Pending federal legislative initiatives

State Notification Laws
Only 3 states do not have notification provisions: Alabama, New Mexico and South Dakota
Most states define a breach as unauthorized access to unencrypted, computerized personal information, which is generally first name, or first initial and last name, plus:
- Social Security number; or
- Driver's license or state ID card number; or
- Financial account, credit or debit card number, along with the required access code or password
Massachusetts law requires any business handling personal information of state residents to proactively develop, execute and maintain a program to protect this information
South Carolina's breach notice statute
Source: NCSL State Security Breach Notification Laws; http://www.ncsl.org

HIPAA Data Breach Notification
The HITECH Act altered HIPAA:
- Privacy and Security Rules implemented under HIPAA now cover business associates (legal, accounting, claims, data aggregation, finance, benefits management) - 45 CFR 160.103
- A business associate is someone who, on behalf of a covered entity, performs an activity involving Protected Healthcare Information (PHI)
- A covered entity is a health plan, clearinghouse, physician, or hospital
What does this mean for business associates?
- Business associates have an affirmative duty to protect PHI, and it should be stated in a written agreement with covered entities
- They need to implement policies to prevent, detect and contain security violations of unsecured electronic PHI and develop safeguards
- A compromised business associate must report the breach to the covered entity
- For breaches affecting over 500 individuals annually, breaches are posted on the Health and Human Services (HHS) website along with notice to the individuals

PCI-DSS (Payment Card Industry Data Security Standard)
Pressure to enforce tighter standards due to recent breaches
- Estimated that less than 10% of Level 4 merchants are compliant
- Payment processors are held to higher standards by VISA

Level / Tier   Merchant Criteria                                                          Validation Requirements
1              Any merchant processing over 6M transactions                               Annual Report on Compliance; quarterly scan by ASV
2              Any merchant processing 1M to 6M transactions                              Annual self-assessment; quarterly scan by ASV
3              Any merchant processing 20,000 to 1M e-commerce transactions               Annual self-assessment; quarterly scan by ASV
4              Any merchant processing less than 1 million transactions (20,000 e-commerce)  Recommended self-assessment; scan requirement set by acquirer

Red Flags Rule
Purpose:
- FTC requires certain entities to protect against identity theft
- Implement policies and procedures to detect suspicious activity
A Red Flag is a pattern, practice or specific account activity that indicates the possibility of identity theft on a covered account. www.ftc.gov/redflagsrule
Red Flag compliance requires:
- Initial risk assessment and policies manual
- Staff training and program implementation
- Change of address verification
- Confirm authentication and risk reduction
Who has to comply?
- Any financial institution or creditor (extends or renews credit)
- Often will include retailers, automobile dealers, utilities, health care providers

Claim Example: Hacking
The Claim: Try Media's ActiveStore application (POS software) was hacked and credit card information was obtained on roughly 12,500 individuals. The intruders were able to steal information for approximately a month at the end of 2011.
How to Apply This to You:
- No such thing as impenetrable IT systems
- Oftentimes you don't even know you've been hacked
- What is your response plan?
Source: http://privacyrights.org/data-breach/new

Claim Example: Employee Negligence
The Claims:
1. An employee of Towers Watson accidentally posted personal information of nearly 400 current and former Sequoia Hospital employees. Names and Social Security numbers were disclosed.
2. Approximately 2,000 patient records including names, Social Security numbers, addresses and more were found in a trash can. They were traced to Ayuda Medical Case Management. The boxes were auctioned off after the owner failed to pay the rental fee on a storage unit.
How to Apply This to You:
- Employee training matters
- Monitor employee access to sensitive data
Source: http://privacyrights.org/data-breach/new

Claim Example: Stolen Portable Media
The Claim: A laptop was stolen from Triumph, LLC with over 2,000 people's confidential data on it. Two men distracted the receptionist while a third stole the laptop from down the hallway. Names, dates of birth, medical records, insurance numbers and Medicaid numbers were disclosed.
How to Apply This to You:
- Physical controls & employee training
- Remote wipe capabilities
- Encryption (whole disk) for sensitive data on portable media
Source: http://privacyrights.org/data-breach/new

Claim Example: Rogue Employee
The Claims:
1. A rogue employee at Hackensack Medical Center was accessing and stealing patient information including names, Social Security numbers, addresses, dates of birth, driver's license numbers, health insurance cards and other information. Around 500 people were affected.
2. A Staples cashier used a skimming device to steal credit card information and sold the numbers to a third party. Only 50 numbers were stolen, which amounted to $181,000 in fraudulent purchases.
How to Apply This to You:
- Rogue employees can circumvent your IT security
- Large black market for personal information with a growing connection to organized crime
Source: http://privacyrights.org/data-breach/new

Claim Example: Mailing / Vendor Error
The Claim: A mailing error at the Illinois State Treasurer's Office led to the Social Security numbers of over 36,000 people being visible from the outside of envelopes mailed in October of 2011. The sensitive data was printed on the wrong part of the letter.
How to Apply This to You:
- Know your vendors and your responsibilities in the event of a loss
- Contractual indemnity language is important
Source: http://privacyrights.org/data-breach/new

Cost Variation: Dependent on Vendor Selection
Healthcare organization; breach of approx. 50,000 records, including Social Security numbers; two years of credit monitoring services provided to victims

Service                                   Insured's Vendor Cost   Chartis IDT Vendor Cost   Savings
Legal Assistance with Notification Letters   $24,190                 $10,000                   $14,190
Print/Mail Letters                           $63,551                 $56,341                   $7,209
Call Center Services                         $118,642                $66,852                   $51,790
Identity Monitoring Services                 $683,996                $317,297                  $336,698
Totals                                       $885,379                $450,490                  $439,888

What Are the Consequences of a Breach
- Breach notification costs: average industry consumer notification cost approx. $12 per individual
- Identity monitoring: estimated approx. $40 per person per year
- Regulatory actions: always changing; costs to defend and fines/penalties
- Lawsuits & defense costs: liability for damages; costs of defense are rising
- Unbudgeted expenses: lost man hours and resources
- Reputational damage: lost customers/revenues estimated at 66% of the financial impact on a company from a data breach
Source: Ponemon Institute Cost of a Data Breach Report 2010

Security & Privacy Insurance
Security and Privacy Liability (3rd party)
- A successful computer attack against an insured that causes harm to a third party
- A wrongful disclosure or breach of private or confidential data
Event Management / Information Asset (1st party)
- Notification costs (print/mail letters)
- Identity monitoring / consumer ID protection
- Forensic investigation
- Legal assistance to determine the appropriate response
- Public relations to restore the insured's reputation
- Call center services

Gaps in Traditional Coverage
Traditional insurance policies frequently exclude intangible exposures, such as data loss due to viruses, web attacks, and lost laptops
The following coverage is confined to physical perils such as fire, flood, fraud and theft:
- Commercial General Liability (CGL)
- Property
- Crime / Fidelity
Although most cyber incidents are not covered by traditional insurance, 65% of respondents in the Carnegie Mellon study indicated that their boards are not reviewing insurance coverage for cyber-related risks.
Source: Carnegie Mellon Governance of Enterprise Security: CyLab 2010 Report

Risk Mitigation at the Enterprise Level
Commitment from senior level management
- Information Technology: most recent technologies and change management; limit access to sensitive data
- Legal: understand the changing regulatory environment; implement plans to respond to a breach in a timely and compliant manner
- Vendor Management: proper vetting of 3rd party vendors; contract management
- Human Resources: proper hiring and termination techniques; employee training on how to classify and handle data
- Data Retention: don't keep what you don't need; safe & secure methods of disposing of data
- Risk Control: physical security; written security policies; transfer risk to a third party (insurance solutions)

Questions and Answers
Pam Townley; pam.townley@aig.com; 770-671-2282
Jennifer Bolling; jennifer_bolling@ajg.com; 205-986-7711
www.aig.com
www.ajgrms.com