2. NEW “How SMBs Can Prepare for
a Data Breach” Whitepaper
Utilizing Cyber Insurance as One Component of a Data Breach
Incident Response Plan
*Request your Free Whitepaper – Email:
Christine@DataPrivacyInsurance.com
www.DataPrivacyInsurance.com
www.InfoLawGroup.com
3. Outline
• What is sensitive data?
• Review of Key Findings from the National Cyber Security Alliance
(NCSA) and Symantec SMB Survey
• Review of recent data breaches
• Costs associated with a Data Breach
• How to contain and minimize risks
• Define an Incident Response Plan
• Legal issues surrounding Data Breach notification mandates
• Risk Assessment and Risk Management
• Cyber Insurance 101: Cyber Insurance Introduction and How an
SMB can use cyber insurance as one component of an Incident
Response Plan
4. Know and protect your sensitive data
What is sensitive data?
– Personally Identifiable Information (PII)
– Protected Health Information (PHI)
– Credit Card Numbers and/or Financial Information
– Intellectual property – copyrights, trademarks and patents
– Trade secrets – business plans, customer lists, etc.
5. Key findings from the National Cyber Security Alliance (NCSA)
and Symantec “National Small Business” survey show that
respondents cited:
• 86% of the 1,015 businesses surveyed (250 employees or fewer) said
they are "satisfied" with the level of security they have in
place to defend customer or employee data,
• 87% of respondents have not written a formal security policy
for employees,
• 83% lack any security blueprint at all and
• 59% have no plan in place to respond to a security incident.
Small Enterprises Don't Perceive
They'll be Attacked
6. A look at recent security and
data breach incidents
• Credit card data breach at Barnes & Noble stores
– Hackers stole credit card information for customers who shopped
at 63 Barnes & Noble stores across the country.
• TD Bank data breach hits 260,000 customers
– Unencrypted backup data tapes including account information and
Social Security numbers were misplaced in March.
9. How to contain and minimize risks
• Take stock
– Know what is PII and other sensitive data
– Know where it resides in your organization
• Scale down
– Only collect what you need
• Lock it
– Secure, encrypt, protect
• Proper disposal
– Securely dispose of documents per your retention schedule
• Plan ahead
– Know your security incident response procedure
10. Define an incident response plan
• Management
– Who takes the lead?
• Reporting
– Inform the proper channels (regulating bodies)
• Customer Notification
– Notify customers
– Outline plan of action
• Corrective Actions
– How can the incident be corrected or its impact minimized?
• Communication
– Regular communication to keep customers and channels
informed of actions and results
11. Legal Issues surrounding Data Breach
Notification Mandates
Responding to a Data Breach can be an
overwhelming process for SMBs
• 46 U.S. state breach notification laws and
numerous sectoral and federal laws
• Class action suits quite common
• High legal defense costs and potential legal
settlements
12. Risk Assessment and Risk Management
Got Data? Now What?
• Conduct a Risk Assessment Analysis
• Identify the types of data your SMB collects
– Are you collecting sensitive data?
– Are you encrypting data at rest or in motion?
• Learn what types of threats your SMB may be
vulnerable to and the risk levels of your data
• Take proactive steps to secure your data and manage
and mitigate risks.
13. Data Security Myths Held by
Small-Midsized Businesses
• Myth 1 - “A data breach or cyber attack could never happen to our SMB.”
– Wrong. See, Infosecurity Magazine, “SMBs more vulnerable to data breaches than
larger brethren,” Oct. 11, 2012, at http://bit.ly/TAOqKh
• Myth 2 – “We will worry about how to pay for a data breach if one
happens.”
– With an average cost of $194 per record and an average organizational cost of $5.5
million per data breach, according to the Ponemon Institute’s latest 2011 annual Data
Breach Study, the average SMB may not have adequate fiscal resources on hand.
• Myth 3 – “Small-midsized businesses are not a target for cyber attacks.
Criminals only go after larger companies.”
– Not so, unfortunately. Nearly 72 percent of data breaches investigated by Verizon
Communications’ forensic analysis unit in 2011 occurred at companies with fewer than
100 employees. See, Combating Small Business Security Threats, McAfee Associates, at
http://bit.ly/PPBSOI
• Myth 4 – “We are covered under our existing CGL insurance policy.”
14. Utilizing Cyber Insurance as One
Component of an Incident Response Plan
Every business that collects data should develop a
written incident response plan.
Cyber Insurance offers SMBs:
• Help with managing the “aftermath” of a data
breach/security incident
• An incident response team
• A “Data Breach Coach”
• Help with discovery, reporting and notifying those
affected by your data breach/security incident.
15. Utilizing Cyber Insurance as One
Component of an Incident Response Plan
• Rule 1 – Risk management solutions don’t “eliminate” risk,
but help reduce it to otherwise “acceptable” levels
• Rule 2 – Insurance is, fundamentally, a “transfer” of identified
risks
A cyber risk insurance policy that includes incident response coverage (i.e.,
Data Breach Response Services) provides one golden arrow in the quiver
of a comprehensive risk management solution that will hit the target
when everything is moving very quickly during a data incident.
By proactively detailing and enacting a range of benefits, payments and
services in advance, such a policy can uniquely serve as a valuable
component of any incident response plan.
16. Cyber Insurance can help Mitigate the
Risk and Costs Associated with a Data
Breach
• By planning in advance, small-midsized businesses
can minimize their risks, costs and the impact of a
breach to their customers and the reputation of their
company and brand.
• Insurance carriers have already pre-negotiated
associated costs with various pre-approved
vendors, saving SMBs money and the hassle
of scrambling to put together an Incident
Response team at the time of an incident.
17. How Can Cyber Insurance Help SMBs Stay
in Business after a Security Incident?
• Small-to-midsized businesses can utilize appropriate cyber
risk insurance coverages to minimize the impact of a data
incident on (i) the reputational damage to their companies
and “brand,” as well as (ii) potentially crippling financial
penalties and response expenses.
• Cyber Insurance Policies with “Data Breach Response Service”
coverage can help offload the uncertainty of managing a
comprehensive and effective response - that complies fully
with potentially numerous statutory requirements - in the
aftermath of an actual or suspected data incident event.
• May act to “save” the company from bankruptcy or
liquidation in the face of large regulatory penalties.
18. Commonly Offered
Cyber Insurance Coverages
• Crisis management and customer notification expenses
• Credit/identity theft monitoring
• Privacy and security liability claims coverage
• Expenses for data privacy security defense and regulatory
penalties
• Computer security expert services and forensic investigation
• Costs of a “Data Breach Coach” (a/k/a “Privacy” and Infosec
attorney)
• Pre-incident planning services – selection of vetted, pre-approved partners and resources
* Note: Not every policy will necessarily include all of the above coverages or items.
19. Solutions
Response Solutions:
• Cyber Security Insurance with Data Breach Response –
Coverage features may include privacy liability, computer
information security, lost income coverage, electronic media
liability and first-party coverage for losses from network security
breaches.
• Data Breach Response Services – Coverage features may
include breach notification and credit monitoring services,
forensic investigation, legal assistance, crisis management help,
regulatory civil action coverage, cyber extortion coverage and
content liability.
*This description is for preliminary informational purposes only. Please note that insurance policy coverages vary by insurance carrier. In
all cases, actual policy wording will determine the coverage and services provided.
20. Solutions
Legal Information Security Review and Preparation
• Integrated Risk Assessment (IRA) – Comprehensively identify data and information
security issues, risks and legal/compliance obligations.
– Serves as a foundation for additional cost/benefit risk analysis to guide security programs, policies,
systems and compliance obligations.
– Insurance premiums may be higher in the absence of a demonstrable IRA.
• Incident Response Plan (IRP) – Increasingly required under many state and federal
regulatory regimes, most notably HIPAA/HITECH for securing and protecting PHI.
– IRPs serve as a quick-response road map in the event of a data incident or breach.
– There is typically little time in a data event to “figure out” what needs to be done on the fly; missteps
can prove costly (e.g., a well-meaning but ill-conceived forensic effort can modify metadata
that would be helpful in “proving” whether data has been accessed).
– Many resources are available to guide creating an IRP, including aid from cyber risk insurance carriers
(see, e.g., NIST SP 800-61, Computer Security Incident Handling Guide (Jan. 2012, rev. 2) –
http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf)
• Comprehensive Legal Analyses – Courts increasingly expect “legally defensible” security analysis,
in which information security professionals must adequately defend their security decisions
in a legal context, with the ultimate goal of reducing legal risk.
21. About
Cyber Data Risk Managers LLC is an Independent Insurance Agency specializing in
Data Privacy, Cyber Liability risk, D&O insurance and (IP) Intellectual Property
protection.
Web: www.DataPrivacyInsurance.com
Phone: 1-(855) CUT-RISK
InfoLawGroup LLP was established in October 2009 to provide efficient and high
quality legal services. The firm concentrates on legal issues concerning privacy, data
security, traditional and emerging media, advertising and promotions, consumer
protection matters, information technology, e-commerce and intellectual property.
InfoLawGroup addresses a broad spectrum of legal matters, including transactions
and e-commerce, compliance, enforcement, breach notice, incident response and
litigation.
Web: www.InfoLawGroup.com
Phone: 1-(203) 292-0667
22. Contact Information:
Christine Marciano CIPP/US
Cyber Data Risk Managers LLC
Phone: (855) CUT-RISK
Web: www.DataPrivacyInsurance.com
Email: Christine@DataPrivacyInsurance.com
Richard Santalesa, Esq. CIPP/US
Information Law Group LLP
Phone: (203) 292-0667
Web: www.InfoLawGroup.com
Email: RSantalesa@InfoLawGroup.com