Cybersecurity in Education



Cybersecurity in Education
What you face as educational organizations: how to identify, monitor and protect
Presented by Jamie Gershon, Sr. Vice President, Education Practice Group
10/13/15

Privacy Rights Clearinghouse (PRC)
The San Diego-based consumer information and advocacy nonprofit lists a chronology of data breaches on its website, www.privacyrights.org, dating to 2005. Incidents listed on the site from January 2005 through early June of this year total 155,048,651 records containing sensitive personal information that have been involved in security breaches. That is an average of almost 5 million per month.

Privacy Rights Clearinghouse: U.S. Educational Institutions
- 2005-current: 14,725,924 records from 756 breaches
- 2012-current: 5,691,077 records from 177 breaches
- 2014-current: 1,065,409 records from 37 breaches
* Represents the approximate number of records compromised due to security breaches, not necessarily the number of individuals affected.

Breaches by Industry (Source: The ITRC Data Breach Report)

Sector                      FYE 2014    YTD 8/18/2015
Medical/Healthcare          42.5%       34.9%
Business                    33.0%       39.4%
Government/Military         11.7%        7.7%
Education                    7.3%        8.7%
Banking/Credit/Financial     5.5%        9.3%

What Comes to Mind When We Think of Cyber Crime?
Breach types (the categories PRC uses in its chronology):
- Unintended disclosure: sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax or mail.
- Hacking or malware: electronic entry by an outside party, including malware and spyware.
- Payment card fraud: fraud involving debit and credit cards that is not accomplished via hacking, for example skimming devices at point-of-service terminals.
- Insider: someone with legitimate access, such as an employee or contractor, intentionally breaches information.
- Physical loss: lost, discarded or stolen non-electronic records, such as paper documents.
- Portable device: lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
- Stationary device: lost, discarded or stolen stationary electronic device, such as a computer or server not designed for mobility.

Statistics to Consider
- Total breach costs have grown every year since 2004.
- The 2015 Cost of a Data Breach Study reports that the average total cost has reached $3.79 million, a 23% increase over 2013.
- The average cost per lost or stolen record has risen to $154, a 12% increase over 2013.
- Healthcare leads at $363 per record, followed by education at $300.
* Based on the Ponemon Institute's annual Cost of a Data Breach Study.

Statistics to Consider
Key findings in the report include:
- Board-level involvement can reduce the cost of a data breach by $5.50 per record, and insurance protection reduces it by $4.40 per record.
- Business continuity management reduces the cost of a data breach by an average of $7.10 per compromised record.
- 47% of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170, versus $142 for system glitches and $137 for human error or negligence.
- Costs associated with lost business increased steadily from $1.23 million in 2013 to $1.57 million in 2015.
- Malicious attacks take an average of 256 days to identify; breaches caused by human error take an average of 158 days.
* Based on the Ponemon Institute's annual study.

Statistics to Consider
Frequency by type:
- Employee negligence: 37%
- External theft of a device: 22%
- Employee theft: 16%
- Phishing and malware (combined): 25%
Top causes: #1 human error, #2 software/system failures, #3 loss of paper records.
* Based on the BakerHostetler 2015 Data Security Incident Response Report.

What Types of Records Are at Risk?
It's not just electronic records: 21% of incidents involved paper records, 79% electronic.
What information was compromised:
- 34% health information
- 8% credit card data
- 58% other (driver's license, financial, passwords, Social Security numbers)
How many involved a decision to notify under state breach laws (which typically cover SSNs, driver's license numbers and financial information): 58% required notification, 42% did not.
* Based on the BakerHostetler 2015 report.

Real-Life Examples: Bonita Unified School District
The Bonita Unified School District notified parents and students of a breach after unauthorized access was discovered on a San Dimas High School server. On June 2, 2015 the district discovered the unauthorized access to the high school's student database and noticed that several students' grades had been changed. The district believes the individual(s) who changed the grades also downloaded students' personal information. The information compromised included names, Social Security numbers, birthdates, medical information, usernames and passwords for the school's systems, addresses, email addresses and phone numbers.

Real-Life Examples: Harvard University (July 2015)
Harvard University is notifying individuals of a breach of systems serving eight schools and administrative units: the Faculty of Arts and Sciences, Harvard Divinity School, the Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, the Harvard Graduate School of Education, the Harvard John A. Paulson School of Engineering and Applied Sciences, and the Harvard T.H. Chan School of Public Health. The university has not said how many individuals were affected or what information was compromised, and is asking anyone associated with any of these entities to change their username and password.

Real-Life Examples: Milford Schools (July 2)
Up to 25 students at Milford Schools may have had their personal information stolen in a data breach at a third-party billing service, Multi-State Billing Services of Somersworth, New Hampshire, after an employee's laptop was stolen from a locked vehicle in May. The laptop was password-protected but not encrypted, and contained information on nearly 3,000 students from 19 school districts in Central and Eastern Massachusetts, including names, addresses, Medicaid ID numbers and Social Security numbers.

What Are Your Potential Liabilities?
- Invasion of privacy
- Negligence
- Violation of federal statutes governing the handling of student, employee or health information
- Misappropriation of sensitive or secret proprietary information
- Investigations by governmental authorities
- Business interruption/extra expense if certain online systems or websites must be shut down to contain the attack (or to determine how it was carried out)
- Costs related to informing families, faculty, staff and third parties

Data Loss/Breach Notification Laws
Every state except Alabama, New Mexico and South Dakota has a data loss/breach notification law (Kentucky's took effect in 2014). There is no universal definition of Personally Identifiable Information (PII), but it typically includes:
- Social Security numbers
- Bank account or credit card numbers
- Date and place of birth
- Address
- Driver's license number
- Passwords
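The decision that follows a breach like the ones above is whether the exposed data elements trigger notification at all. As an added illustration (not part of the presentation, and not any specific state's statute), the Python below encodes a simplified generic trigger: an individual's name combined with at least one sensitive element from the PII list above, with the encryption safe harbor most state laws provide when the data was encrypted and the key was not also taken. The rule set, the field names, the treatment of Medicaid/medical IDs as sensitive, and the sample exposures (patterned on the cases above) are all assumptions made for this example.

```python
"""Breach notification scoping check.

Added example, not part of the presentation. Models a simplified, generic
state-law trigger: an individual's name combined with at least one sensitive
element (SSN, driver's license number, financial account number, medical ID,
or system credentials) is notifiable, unless the data was encrypted and the
key was not also compromised. Assumed rule set for illustration only; real
statutes differ by state.
"""
from dataclasses import dataclass

# Elements that, combined with a name, trigger notification under the assumed rule.
# "medical_id" is state-dependent (some states cover it, many do not); assumed in here.
SENSITIVE = frozenset({"ssn", "drivers_license", "financial_account",
                       "medical_id", "credentials"})


@dataclass
class Exposure:
    source: str                      # where the data was (server, laptop, paper)
    fields: set[str]                 # data elements present in the compromised set
    encrypted: bool = False          # disk or field encryption applied
    key_compromised: bool = False    # encryption key/passphrase also taken


def triggers_notification(exp: Exposure, sensitive=SENSITIVE) -> tuple[bool, str]:
    """Return (notify?, reason) for one exposure under the assumed rule."""
    # Safe harbor only holds if the key was not exposed along with the data.
    if exp.encrypted and not exp.key_compromised:
        return False, "encrypted and key not compromised (safe harbor)"
    # Sensitive elements are only notifiable when linked to an identifiable person.
    if "name" not in exp.fields:
        return False, "no name linked to the data elements"
    hits = sorted(exp.fields & sensitive)
    if not hits:
        return False, "only contact/demographic data exposed"
    return True, "name + " + ", ".join(hits)


def scope(exposures):
    """Map each exposure's source to its (notify?, reason) decision."""
    return {e.source: triggers_notification(e) for e in exposures}


# Constructed sample exposures, patterned on the cases in this presentation.
SAMPLES = [
    # Student database on a school server: SSNs and system passwords taken.
    Exposure("high-school-db",
             {"name", "ssn", "dob", "address", "email", "phone", "credentials"}),
    # Billing vendor laptop: password-protected but NOT encrypted.
    Exposure("vendor-laptop", {"name", "address", "ssn", "medical_id"},
             encrypted=False),
    # Same laptop with full-disk encryption and an uncompromised key.
    Exposure("vendor-laptop-encrypted", {"name", "address", "ssn", "medical_id"},
             encrypted=True),
    # Class roster e-mailed to the wrong parent: contact data only.
    Exposure("misdirected-roster", {"name", "email", "phone"}),
    # Encrypted backup tape whose passphrase was in the same stolen bag.
    Exposure("backup-tape", {"name", "ssn"}, encrypted=True, key_compromised=True),
]

if __name__ == "__main__":
    for src, (notify, why) in scope(SAMPLES).items():
        print(f"{src:24} notify={str(notify):5} {why}")
```

The two laptop entries are the point: "password-protected" is a login control, not encryption, so the unencrypted laptop is notifiable while the encrypted one is not. The backup tape shows the safe harbor collapsing when the key travels with the data.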

Data Loss/Breach Notification
After a breach is reported, regulators most often ask to review:
- Copies of policies and procedures governing privacy and security;
- Evidence of education and awareness programs, including attendance logs;
- Risk assessments conducted by the organization over the several-year period preceding the incident;
- Risk mitigation plans developed as a result of those risk assessments;
- Vendor/business associate agreements in place, regardless of whether a vendor caused the breach; and
- Copies of disaster recovery and business continuity plans.

Best Practices
Changes in SEC disclosure guidance mean that an organization under SEC jurisdiction has additional directors and officers exposure from failure to properly insure and protect. Although not subject to SEC jurisdiction, your boards have a fiduciary responsibility to ensure the financial stability of the organization.

Best Practices: How Do We Protect and Monitor?
Risk management:
- Conduct a risk assessment
- Categorize the data
- Determine who has access
- Control administrative rights
- Manage your staff

What proactive steps should you consider? Because it is not if but when an incident will occur, organizations can become "compromise ready" by:
- Developing an incident response plan;
- Working with an experienced security consultant to conduct security assessments (to understand where assets and sensitive data are located);
- Implementing reasonable security and detection capabilities based on the consultant's recommendations;
- Gathering threat intelligence to understand the nature of current risks;
- Conducting personnel training and awareness-raising activities, so that fewer incidents result from employee negligence and those that do occur are quickly identified;
- Undertaking vendor due diligence and contract analysis, to reduce the chance that an incident is caused by one of the organization's business contacts; and
- Maintaining ongoing diligence, updating and adapting to changing risks, to guard proactively against evolving and emerging threats.

Best Practices: Risk Management (continued)
- Encrypt information
- Track portable devices
- Monitor inexpensive assets
- Engage a cyber advisor
- Maintain physical access control
- Dispose of records properly
- Implement policies and procedures around social media, privacy and data security
- Manage your vendors (third parties providing IT support)
- Risk transfer: purchase cyber liability insurance

Traditional Liability Pitfalls
Traditional liability policies have been modified, through exclusions or clarifying language, to make clear that they are NOT intended to cover cyber exposures:
- An exclusion for damage arising from damage to or loss of electronic data, added to the ISO Commercial General Liability (CGL) form within the last decade;
- An exclusion for liability arising from violation of statutes, regulations or ordinances related to sending, distributing or transmitting information;
- An exclusion for personal and advertising injury liability arising from chat rooms or bulletin boards owned, managed or controlled by the insured.

Cyber Liability
Cyber policies can be broken into two coverage types:
- Third-party liability: liability to others
- First-party coverage: the school's own losses

Third-Party Liability: Network Security & Privacy Liability can include:
- Both online and offline information
- Virus attacks
- Denial of service
- Failure to prevent transmission of malicious code
- Defense costs and fines/penalties for violations of privacy regulations (e.g. HIPAA, the Red Flags Rule, the HITECH Act)

Multimedia insurance can include:
- Both online and offline media
- Copyright/trademark infringement
- Libel/slander
- Advertising/false advertising
- Plagiarism
- Personal injury

Cyber Liability: First-Party Privacy Breach Response Costs can include:
- Forensic costs, including the cost to determine the extent of unauthorized access to sensitive personal information, and legal fees so the work is conducted under attorney-client privilege
- Notification costs, including postage, printing, drafting, call center and advertisements
- Credit protection costs, including credit monitoring services, credit freezes or fraud alerts
- Crisis management expenses, including fees for a public relations firm
- Credit monitoring services, up to a specified amount per affected person, for one year's service

You Are All Free to Go Home Now. Questions?
Jamie Gershon, Senior Vice President
Tel. 408-780-7555  Fax. 408-780-7594  jgershon@boltonco.com