Are Data Breaches a Real Concern? Protecting Your Sensitive Information
Phillips Auction House, NY - 03/24/2015
Agenda
- Current Data Breach Issues & Legal Implications
- Data Breach Case Study
- Risk Management & Avoidance
Speakers
- Jay Brodsky - Managing Director, Executive Risk Practice, DeWitt Stern
- John Mullen - Chair, Data Security & Network Security Practice, Lewis, Brisbois, Bisgaard & Smith LLP
- Mark Greisiger - CEO, NetDiligence
- Vinny Sakore, CIPP/IT - Assistant HIPAA Security Officer, Verizon
Current Data Breach Landscape
- Business shift: from bricks and mortar to clicks and orders
- Supply of cyber-attack tools and of stolen personal, credit card, and account information is way up; cost is down
- High-profile breaches up (Anthem, Sony, Target, Neiman Marcus, Home Depot, etc.)
- Rising tensions between the U.S. and other nations such as Russia and Iran increase the risk of retaliatory cyber attacks on U.S. interests
Popular Attack Methods
- Botnets (a collection of compromised computers; a zombie army)
- Distributed Denial of Service, or DDoS (disruptive attack)
- Advanced Persistent Threats (network breach and data exfiltration)
- Malware (SQLi, Trojans, key loggers, fake popups, MitB/ATOs)
- Social Engineering (phone cons, phishing emails, scams, and fake sites)
- Ransomware (locked out of the system; must pay a fee to regain access)
- Internal Threats (poor data management, system design, and hiring/training)
Duties Imposed by the Legal Landscape
- State laws (statute and common law)
- Federal laws/regulations - HIPAA, SOX, GLB/Red Flags, etc.
- PCI
- International
State Regulatory Exposures
- State-level breach notice: 47 states (plus Puerto Rico, Washington D.C., and the Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
- These laws require firms that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information.
- Many require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies.
- Notice is due without unreasonable delay.
- Some states allow a private right of action for violations.
Federal Regulatory Exposures
- HIPAA: a set of national standards to protect PHI that is created, received, used, or maintained
  o Applies to covered entities and business associates
  o When a data security incident occurs, a breach is presumed on unauthorized access
  o May require notice to the media, to HHS, and to the patients within 60 days
- Other: Gramm-Leach-Bliley, Sarbanes-Oxley, FACTA
Payment Card Industry (PCI)
- Payment Card Industry Security Standards Council (Visa, Mastercard, AmEx, Discover, JCB International)
- Requires merchants and service providers to abide by certain protocols to protect customers' credit card information
- Payment brands may fine the acquiring bank $5,000 to $100,000/month for non-compliance. Banks often pass this fine on to the merchant.
- Violations of PCI DSS have multiple consequences: impact on the standard of care, industry investigations, outside lawsuits
- A small minority of states have incorporated PCI DSS requirements into their data protection laws
Litigation Trends - Defense Eroding
- Stollenwerk v. Tri West: assert actual identity theft
- Krottner v. Starbucks Corp.: increased risk of identity theft constitutes an injury-in-fact
- Anderson v. Hannaford: alleged fraud in the population and money spent in mitigation efforts is sufficient (instead of time/effort)
- Resnick v. AvMed (11th Cir.): similar to Anderson; also, following this decision, unjust enrichment claims are viable for failure to keep a promise to protect information
- In re Hannaford Bros. Data Security Breach Litigation: does time equal money? No. But fraud plus purchase of credit monitoring may equal standing.
- ChoicePoint Data Breach Settlement: FTC paid for time they may have spent monitoring their credit or taking other steps in response
- Target Class Action: judge denies Target's motion for dismissal, holding that the banks established a plausible allegation that the failure to detect the intrusion caused the financial institutions harm
Case Study #1
An employee traveling on business loses an unencrypted laptop with data on approximately 10,000 clients and/or employees.
- Your business deals with both individuals and corporations as your clients
- There is a mix of corporate information, which your business has a contractual obligation to keep confidential, and sensitive personal information
- You transact business with clients in numerous different states
- The employee who lost the laptop does not notify IT for three days, hoping that he/she will be able to locate the device
Case Study #2
The vendor used to process credit card transactions is hacked.
- Your clients' credit card information is in the custody of the vendor
- Your contract with the vendor limits their liability to the value of your contract
- You transact business with clients in numerous different states
NetDiligence Study - Based on 140 Claims Reported to 15 Different Insurance Carriers
- PII was the most frequently exposed data (41% of breaches), followed by PHI (21%) and PCI (19%).
- Hackers were the most frequent cause of loss (29%), followed by staff mistakes (13%).
- Healthcare was the sector most frequently breached (23%), followed closely by Financial Services (22%).
- Average claim $733K (median $144K); Large Co = $2.9 mil, Medium = $688K, Small = $664K
- *Target insurance claim payout ~$44M*
Per Record Costs
- Average per-record cost $956 (up; 2013 was $307)
- Average records lost 2.4 million (median records lost: 3.5K)
Crisis Services Costs (forensics, legal counsel, notification & credit monitoring)
- Average cost of crisis services $366K (down; $737 in 2013)
- Median cost of crisis services $110K
Legal Costs (defense & settlement)
- Average cost of defense $698K (up; $575K in 2013)
- Average cost of settlement $558K (up; $258K in 2013)
4 Common Weak Spots
Problem 1) IDS, or Intrusion Detection Software (the bad-guy alert system)
- Studies show that 70% of actual breach events are NOT detected by the victim company but by 3rd parties (and many more go undetected completely).
- The FTC and plaintiff lawyers often cite failure to detect.
Problem 2) Encryption (of private data)
- Identity Theft Resource Center: only 2.4% of all breaches had encryption
- Issues: budgets, complexities, and partner systems
- Key soft spots: data at rest, in databases and (to a lesser extent) on laptops
- Benefits: safe harbor (usually)
Problem 3) Patch Management
- Challenge: all systems need constant care (patching) to keep the bad guys out.
- Lack of time: Gartner Group estimates that IT managers spend an average of 2 hours per day managing patches.
Problem 4) No Centralized Security Event Logs
- SIEM (security information & event management): a central brain that can synthesize raw security data feeds. This includes aggregating data from many internal company servers and databases, real-time monitoring, correlation of events, and notifications.
- Post-breach importance of SIEM: without it, the computer forensics investigation takes much longer and costs increase greatly.
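As an added illustration of what the SIEM bullets under Problem 4 describe (this is not code from the deck or from any of the speakers' companies), the block below aggregates constructed log lines from a VPN gateway and a database server into one time-ordered timeline and runs two cross-host correlation rules that raise notifications; the hostnames, log formats, usernames and addresses are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (hostnames, users and addresses are made up):
# one VPN gateway and one database server, each shipping its own log lines.
RAW_FEEDS = {
    "vpn-gw01": [
        "2015-03-20T09:00:05 auth FAIL user=jsmith src=203.0.113.9",
        "2015-03-20T09:00:40 auth FAIL user=jsmith src=203.0.113.9",
        "2015-03-20T09:01:10 auth FAIL user=jsmith src=203.0.113.9",
        "2015-03-20T09:02:00 auth OK user=jsmith src=203.0.113.9",
    ],
    "db-prod02": [
        "2015-03-20T09:03:30 LOGIN OK user=jsmith src=203.0.113.9",
        "2015-03-20T09:03:35 EXPORT DONE rows=10000 table=clients user=jsmith",
    ],
}

def parse(host, line):
    """Normalize one raw line of the form '<ts> <action> <result> key=value ...'."""
    ts, action, result, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "action": action.lower(), "result": result, **fields}

def build_timeline(feeds):
    """Aggregate every host's events into the single ordered timeline forensics needs."""
    events = [parse(h, line) for h, lines in feeds.items() for line in lines]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Rule 1: repeated failed logins then a success from the same user/source.
    Rule 2: a bulk export by that user on any host within 10 minutes after it."""
    alerts, fails, flagged = [], defaultdict(list), {}
    for e in events:
        key = (e.get("user"), e.get("src"))
        is_login = e["action"] in ("auth", "login")
        if is_login and e["result"] == "FAIL":
            fails[key].append(e["ts"])
        elif is_login and e["result"] == "OK":
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(f"{e['ts']} {e['host']}: {len(recent)} failed logins "
                              f"then success for {key[0]} from {key[1]}")
                flagged[key[0]] = e["ts"]
                fails[key].clear()  # do not re-alert on the next success
        elif e["action"] == "export" and e.get("user") in flagged:
            if e["ts"] - flagged[e["user"]] <= timedelta(minutes=10):
                alerts.append(f"{e['ts']} {e['host']}: bulk export of {e['rows']} rows "
                              f"from {e['table']} by {e['user']} after flagged login")
    return alerts
```

Neither host alone would have raised the second alert; it only exists because the VPN and database feeds were merged and correlated centrally.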
Preparedness Tips
- Perform a cyber risk assessment
  o Include any 3rd-party dependencies (contractors, clouds, etc.)
  o Map your sensitive client data assets
  o Review privacy along with security (e.g. wrongful data collection exposure)
- Establish an internal working group of senior execs to acclimate to a future data breach crisis
- Develop and operationalize an Incident Response Plan
  o Leverage eRisk Hub to bolster the IRP: self-help with outside experts
- Tiger Team experts
  o Breach Coach (legal expert)
  o Computer Forensics (triage and establish the facts: who, what, when, where & how)
  o Notification & call center
  o Credit & ID Monitoring
  o PR
- Conduct training on a regular basis for all employees and vendors
- Review insurance coverage for gaps
Risk Transfer
- Third Party Coverages (Negligence)
  o Security & Privacy Liability
  o Media Content Liability
- First Party Coverages (Costs)
  o Network Interruption
  o Cyber Extortion
  o Data Restoration
  o Event Management Expenses
- Often includes a Regulatory Action sublimit and/or Cyber Terrorism coverage
- Retention: each claim from $5,000 to $1M
Insurance Marketplace
- ACE
- AIG
- Allied World
- Axis
- Beazley
- CNA
- CFC
- Chubb
- Endurance
- Hartford
- Liberty
- Lloyd's of London
- Philadelphia
- XL
- Zurich
There are approximately 30 other insurers who offer some modicum of coverage.
Not All Policies Are Created Equal
- Coverage purporting to be Cyber Liability: sublimits offered on other policies such as Property, General Liability, Package Policies, and Errors & Omissions policies
- Not all stand-alone Cyber Liability policies are created equal
  o Who is the insurer?
  o Limits being offered for first-party expenses
  o Breach of Contract exclusion
  o Hammer clause
  o PCI Fines & Penalties coverage
  o Unencrypted Mobile Device exclusions
  o Claims handling
Questions & Thank You