Data is everywhere within our organizations. Not protecting the data puts your organization at risk of lawsuits and other regulatory fines.
Cyber liability is one of the newest emerging risks that schools, public agencies, and healthcare organizations must manage on a daily basis. Don’t become one of the almost 4,500 organizations across the United States that were victims of a data breach within the last 10 years.
License No. 045127
Protecting Your Organization From Data Breach and Privacy Risks
Presented by:
Brad Keenan, Cyber Specialist, Keenan
Kyle McKibbin, Cyber Specialist, Keenan
Cyber Summary
• Cyber Risk and Data Breaches
– Overview
– Where are the exposures?
– How much of a financial impact do they have?
• Data breach examples
• Cyber Risk Management
– Risk retention
– Risk control
– Risk transfer
Myths about Cyber Security
• ALL Cyber Breaches are Preventable
• “The IT Team is on top of it”
• Cyber Theft/Data Breach is about credit cards
• Big Corporate Companies are most at-risk
• External hackers are the biggest security risk
National Headlines
• 40 million individuals; $148 million loss
• 24 states; 51 stores
• $4.8 million HIPAA fine
• 350,000 credit cards; $4.1 million loss
• 56 million credit cards; unknown loss
Data Breach
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.
Important Records
• Student records
• Employee records
• Credit card information
• Financial aid records
• Job applicant records
• Tax ID information
• Utility payment records
• Citation payment records
• Patient records
• Health plan records and ID numbers
Exposures
INTERNAL
• Lost or stolen laptops, computers, flash drives or other storage devices
• Backup tapes misplaced or lost in transit
• Rogue employees
• Inadequate computer-use policies
• Weak IT infrastructure
• Employee negligence
EXTERNAL
• IT consultants/vendors
• Internet and network access points
• Sale, donation or disposal of old office equipment (desks, file cabinets, copiers) that contain employee records
• Viruses or malware
• “Dumpster diving”
Why are Organizations at Risk?
• Resource size
– Less sophisticated safeguards
– Less dedicated manpower, which may lead to delayed detection or no detection at all
– Fewer resources available for recovery compared with big business
• Ability to React
– Detect/report a breach
– Notify/assist affected individuals
– Reimburse individuals for actual losses
Regulation & Notification Laws
• Federal guidelines
– HIPAA
– Payment Card Industry Data Security Standard (PCI-DSS)
– Drivers Privacy Protection Act (DPPA)
• Notification and consumer protection laws vary from state to state as to who must be notified and the manner of notification
• 47 states (including California) and D.C. have separate breach laws in place as of 2/6/12
– AB 1149 (effective January 1, 2014)
– SB 46 (effective January 1, 2014)
Per Person Cost of a Breach
According to 2014 Ponemon Institute Study (cost per person, by industry):
• Healthcare: $316
• Transportation: $286
• Education: $259
• Energy: $237
• Financial: $236
• Services: $223
• Communications: $219
• Pharmaceutical: $209
• Industrial: $204
• Consumer: $196
• Media: $183
• Technology: $181
• Public: $172
• Retail: $125
• Hospitality: $93
• Research: $73
Real Life Example #1
• Healthcare industry
• Children’s health system
• 1.6 million patients and employees affected
• Lost three unencrypted computer backup tapes during a building remodeling project
– Patient billing
– Employee payroll
• $316 x 1.6M = Could you absorb this loss?
Real Life Example #2
• Local community college
• Confidential records for 35,212 students were mistakenly emailed to an unknown account
• The employee used a personal email account to send the data to the researcher’s personal email address because the data file was too large to go through the district’s secure, encrypted email server
• The incident is costing about $290,000
Real Life Example #3
• Southern California city
• CalPERS payment document was accidentally posted to the Water District’s website
• Document contained personal information, including names and SSNs
• Information of employees and former employees who were enrolled in CalPERS during July 1986 – October 2011
Risk Management Strategies
Risk Transfer
• Cyber Liability Insurance (Data Breach/Privacy)
– A risk management option that reduces the out-of-pocket cost related to data breaches
• Vendor Management
– Cloud/data management provider
– Data is held by a third-party vendor
Cyber Liability: First-Party Coverage
Loss of Data
– Costs for repair and restoration of computer programs and electronic data
Cyber Extortion
– Covers extortion threats to commit an intentional computer attack against the insured
Crisis Management
– Costs for hiring a public relations firm to mitigate negative publicity
– Security experts to come in and assess the scope of the breach and determine a plan of action
– Costs to comply with multiple state breach notice laws
Notification requirements
Credit monitoring for detecting fraud
Cyber Liability: Third-Party Coverage
Network and Information Security Liability
– To defend and indemnify claims for breach of security and access to protected information
Regulatory Defense Expenses
– Defense costs and claims expenses involved with the regulatory action taken against you resulting from a data breach
Policy Benefits
Loss Prevention Services
• In-depth knowledge of the risk and specific exposures
• Training and compliance solutions
• IT security assessment services
• Consultations
• Proactive computer security services
3rd Party Contractual Language
1) Seek defense/indemnity for breach of information security
2) Seek proof of insurance and adequate limits, perhaps even contract-specific limits
3) Beware of limitation of liability provisions limiting liability to the amount of the contract
Protect Your Organization
• Privacy/Breach Mitigation Program:
– network authentication
– credit card security
– data back-up
– complex passwords & physical security controls
– encrypted laptops/access
– file purging
• Assess your exposures, including employees, students, parents/guardians, volunteers, vendors, contractors, residents, customers, and patients
• Evaluate your potential costs and liabilities in connection with a breach
– Identify and track the life cycle of information in your organization
Questions?
Disclaimer – Keenan & Associates is an insurance brokerage and consulting firm. It is not a law firm or an accounting firm. We do not give legal advice or tax advice, and neither this presentation, the answers provided during the Question and Answer period, nor the documents accompanying this presentation constitute or should be construed as legal or tax advice. You are advised to follow up with your own legal counsel and/or tax advisor to discuss how this information affects you.