Are Data Breaches a Real Concern? Protecting Your Sensitive Information. Phillips Auction House, NY, 03/24/2015

Agenda
- Current Data Breach Issues & Legal Implications
- Data Breach Case Study
- Risk Management & Avoidance

Speakers
- Jay Brodsky, Managing Director, Executive Risk Practice, DeWitt Stern
- John Mullen, Chair, Data Security & Network Security Practice, Lewis Brisbois Bisgaard & Smith LLP
- Mark Greisiger, CEO, NetDiligence
- Vinny Sakore, CIPP/IT, Assistant HIPAA Security Officer, Verizon

Current Data Breach Landscape
- Business shift: from bricks and mortar to clicks and orders
- Supply of cyber-attack tools and of stolen personal, credit card, and account information is way up; cost is down
- High-profile breaches are up (Anthem, Sony, Target, Neiman Marcus, Home Depot, etc.)
- Rising tensions between the U.S. and other nations such as Russia and Iran increase the risk of retaliatory cyber attacks on U.S. interests

Popular Attack Methods
- Botnets (collection of compromised computers; a zombie army)
- Distributed Denial of Service, or DDoS (disruptive attack)
- Advanced Persistent Threats (network breach and data exfiltration)
- Malware (SQLi, Trojans, key loggers, fake popups, MitB/ATOs)
- Social Engineering (phone cons, phishing emails, scams, and fake sites)
- Ransomware (locked out of the system; must pay a fee to regain access)
- Internal Threats (poor data management, system design, and hiring/training)

Duties Imposed by the Legal Landscape
- State laws (statute and common law)
- Federal laws/regulations: HIPAA, SOX, GLB/Red Flags, etc.
- PCI
- International

State Regulatory Exposures
- State-level breach notice: 47 states (plus Puerto Rico, Washington, D.C., and the Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
- These laws require firms that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information.
- Many also require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies.
- Notice is due without unreasonable delay.
- Some states allow a private right of action for violations.

Federal Regulatory Exposures
- HIPAA: a set of national standards to protect PHI that is created, received, used, or maintained
  - Applies to covered entities and business associates
  - When a data security incident occurs, a breach is presumed: unauthorized access
  - May require notice to the media, to HHS, and to the patients within 60 days
- Other: Gramm-Leach-Bliley, Sarbanes-Oxley, FACTA

Payment Card Industry (PCI)
- Payment Card Industry Security Standards Council (Visa, Mastercard, AmEx, Discover, JCB International)
- Requires merchants and service providers to abide by certain protocols to protect customers' credit card information
- Payment brands may fine the acquiring bank $5,000 to $100,000/month for non-compliance. Banks often pass this fine on to the merchant.
- Violations of PCI DSS have multiple consequences: impact on the standard of care, industry investigations, outside lawsuits
- A small minority of states have incorporated PCI DSS requirements into their data protection laws

Litigation Trends: Defense Eroding
- Stollenwerk v. Tri-West: assert actual identity theft
- Krottner v. Starbucks Corp.: increased risk of identity theft constitutes an injury-in-fact
- Anderson v. Hannaford: alleged fraud in the affected population and money spent on mitigation efforts is sufficient (instead of time/effort)
- Resnick v. AvMed (11th Cir.): similar to Anderson; also, following this decision, unjust enrichment claims are viable for failure to keep a promise to protect information

- In re Hannaford Bros. Data Security Breach Litigation: does time equal money? No. But fraud plus purchase of credit monitoring may equal standing.
- ChoicePoint Data Breach Settlement: the FTC paid for time consumers may have spent monitoring their credit or taking other steps in response
- Target Class Action: the judge denied Target's motion for dismissal, holding that the banks established a plausible allegation that failure to detect the intrusion caused the financial institutions harm

Case Study #1: An employee traveling on business loses an unencrypted laptop with data on approximately 10,000 clients and/or employees
- Your business deals with both individuals and corporations as your clients
- There is a mix of corporate information, which your business has a contractual obligation to keep confidential, and sensitive personal information
- You transact business with clients in numerous different states
- The employee who lost the laptop does not notify IT for three days, hoping that he/she will be able to locate the device

Case Study #2: The vendor used to process credit card transactions is hacked
- Your clients' credit card information is in the custody of the vendor
- Your contract with the vendor limits their liability to the value of your contract
- You transact business with clients in numerous different states

NetDiligence Study (based on 140 claims reported to 15 different insurance carriers)
- PII was the most frequently exposed data (41% of breaches), followed by PHI (21%) and PCI (19%).
- Hackers were the most frequent cause of loss (29%), followed by staff mistakes (13%).
- Healthcare was the sector most frequently breached (23%), followed closely by Financial Services (22%).

NetDiligence Study (based on 140 claims reported to 15 different insurance carriers): Claim Costs
- Average claim: $733K (median $144K); large company = $2.9 million, medium = $688K, small = $664K
- Target insurance claim payout: ~$44M
- Per-record costs: average per-record cost $956 (up; 2013 was $307); average records lost 2.4 million (median records lost: 3.5K)
- Crisis services costs (forensics, legal counsel, notification & credit monitoring): average $366K (down; $737 in 2013); median $110K
- Legal costs (defense & settlement): average cost of defense $698K (up; $575K in 2013); average cost of settlement $558K (up; $258K in 2013)

4 Common Weak Spots
Problem 1) IDS, or Intrusion Detection Software (the bad-guy alert system)
- Studies show that 70% of actual breach events are NOT detected by the victim company but by third parties (and many more go undetected completely).
- The FTC and plaintiff lawyers often cite failure to detect.
Problem 2) Encryption (of private data)
- Identity Theft Resource Center: only 2.4% of all breaches involved encrypted data
- Issues: budgets, complexity, and partner systems
- Key soft spots: data at rest in databases and, to a lesser extent, on laptops
- Benefits: safe harbor (usually)
Problem 3) Patch Management
- Challenge: all systems need constant care (patching) to keep bad guys out.
- Lack of time: Gartner Group estimates that IT managers spend an average of 2 hours per day managing patches.
Problem 4) No Centralized Security Event Logs
- SIEM (security information & event management): a central brain that synthesizes raw security data feeds, which includes aggregating data from many internal company servers and databases, real-time monitoring, correlation of events, and notifications
- Post-breach importance of SIEM: without it, the computer forensics investigation takes much longer and costs increase greatly.
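Problems 1 and 4 above are really one problem: the events that reveal an intrusion are scattered across hosts, and each host's own log looks benign until the feeds are merged and correlated. This added Python example (not from the deck or from NetDiligence) shows a minimal SIEM-style aggregate-then-correlate step; the host names, addresses and log format are constructed.

```python
# Added example: merge per-host log feeds into one time-ordered stream, then
# correlate a pattern no single host can see. Hosts, IPs and format are made up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feeds, one per host; in practice these arrive via syslog/agents.
FEEDS = {
    "vpn-gw": ["2015-03-20T02:01:10 auth FAIL user=jsmith src=203.0.113.7",
               "2015-03-20T02:01:25 auth FAIL user=jsmith src=203.0.113.7"],
    "file-01": ["2015-03-20T02:01:50 auth FAIL user=jsmith src=203.0.113.7"],
    "db-01": ["2015-03-20T02:02:05 auth FAIL user=jsmith src=203.0.113.7",
              "2015-03-20T02:02:40 auth OK user=jsmith src=203.0.113.7",
              "2015-03-20T02:05:00 export rows=120000 table=clients src=203.0.113.7"],
}
LINE = re.compile(r"(\S+) (\w+) (\S+) .*src=(\S+)")  # ts, kind, value, source

def parse(host, line):
    ts, kind, val, src = LINE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "val": val, "src": src}

def aggregate(feeds):
    """The 'central brain' step: every host's lines in one time-ordered stream."""
    return sorted((parse(h, l) for h, ls in feeds.items() for l in ls), key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=10), min_fails=3, min_hosts=2, big_export=10000):
    """Alert on a source that fails logins across several hosts, then succeeds,
    then bulk-exports within the window: the breach-and-exfiltration shape."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["kind"] == "auth" and e["val"] == "FAIL"]
        if len(fails) < min_fails or len({e["host"] for e in fails}) < min_hosts:
            continue  # any single host's view stays below this threshold
        t0 = fails[0]["ts"]
        ok = next((e for e in evs if e["kind"] == "auth" and e["val"] == "OK"
                   and t0 <= e["ts"] <= t0 + window), None)
        if ok is None:
            continue
        export = next((e for e in evs if e["kind"] == "export" and e["ts"] >= ok["ts"]
                       and int(e["val"].split("=")[1]) >= big_export), None)
        if export is not None:
            alerts.append({"src": src, "hosts": sorted({e["host"] for e in fails}),
                           "fails": len(fails), "export_host": export["host"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(aggregate(FEEDS)):
        print("ALERT", a)
```

Run against each feed on its own, `correlate` returns nothing; only the merged stream trips the rule, which is the forensic gap the slide describes.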

Preparedness Tips
- Perform a cyber risk assessment
  - Include any third-party dependencies (contractors, clouds, etc.)
  - Map your sensitive client data assets
  - Review privacy together with security (e.g., wrongful data collection exposure)
- Establish an internal working group of senior execs to acclimate to a future data breach crisis
- Develop and operationalize an Incident Response Plan
  - Leverage eRisk Hub to bolster the IRP
  - Self-help with outside experts
- Tiger Team experts
  - Breach Coach (legal expert)
  - Computer Forensics (triage and establish the facts: who, what, when, where & how)
  - Notification & call center
  - Credit & ID Monitoring
  - PR
- Conduct training on a regular basis for all employees and vendors
- Review insurance coverage for gaps

Risk Transfer
Third-Party Coverages (Negligence)
- Security & Privacy Liability
- Media Content Liability
First-Party Coverages (Costs)
- Network Interruption
- Cyber Extortion
- Data Restoration
- Event Management Expenses
- Often includes a Regulatory Action Sublimit and/or Cyber Terrorism
- Retention: each claim from $5,000 to $1M

Insurance Marketplace
- ACE, AIG, Allied World, Axis, Beazley, CNA, CFC, Chubb, Endurance, Hartford, Liberty, Lloyd's of London, Philadelphia, XL, Zurich
- There are approximately 30 other insurers who offer some modicum of coverage

Not All Policies Are Created Equal
- Coverage purporting to be Cyber Liability: sublimits offered on other policies such as Property, General Liability, Package Policies, and Errors & Omissions policies
- Not all stand-alone Cyber Liability policies are created equal:
  - Who is the insurer?
  - Limits being offered for first-party expenses
  - Breach of Contract Exclusion
  - Hammer Clause
  - PCI Fines & Penalties Coverage
  - Unencrypted Mobile Device Exclusions
  - Claims Handling

Questions & Thank You