Data Risks In A Digital Age

Published in: Technology

  1. Privacy and Security Risks in a Digital Age
     Risk Management Strategies
     January 26, 2009
     professional underwriters, inc.

  2. Overview
     - Rising tide of information security, privacy and identity theft regulation
       - Federal
       - State
       - International
     - Requires a comprehensive approach to compliance
       - The Unified Approach

  3. Data Breach Focal Points
     Organizations continue to face mounting consequences for their lack of protection of private data.
     Unauthorized disclosure or breach of your PII (personally identifiable information):
     - Data at risk: credit card or bank account numbers, Social Security numbers, customer records, protected health information
     - Breach vectors: laptop theft, backup tape theft, wireless access breach, e-commerce breach, rogue employees, data leakage, hacks and viruses, vendors/outsourcing

  4. A Sectoral Approach…
     Sectors: National Security, Corporate IT Governance, Health Care, Payment Cards, Consumer Protection, Financial Services, Infrastructure Protection, Higher Education, Other

  5. …Created Numerous Laws, Regulations and Standards…
     Int’l Law, State Law, SOX, FTCA, FISMA, HIPAA, GLBA
     - Infrastructure Protection
     - Identity Theft Prevention
     - Corporate Governance and Reporting
     - Standards (e.g., NIST and ISO 17799)
     - The Payment Card Industry Data Security Standard (PCI DSS)

  6. …Which has Led to Compliance “Silos”

  7. Creating Inefficiencies and other Problems for Our Clients
     - Multiple compliance efforts
       - Cost more money
         - Multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California law)
         - So multiple efforts are undertaken when essentially a single effort would suffice
       - Undermine overall compliance effectiveness
         - Redundancy, inconsistency, lack of centralized oversight
     Silos: FTCA consultants, PCI consultants, Int’l consultants, State Law consultants

  8. Managing Information Risks
     RISK: Avoid, Mitigate, Control, Transfer, Assume

  9. Response: A Unified Approach to Information Security Compliance
     Comprehensive Risk Management Program:
     - Risk assumption, mitigation and control
       - Addresses all of the legal requirements: security, privacy and identity theft
       - Uses popular standards and compliance frameworks
     - Risk transfer
       - Includes insurance coverage

 10. Possibly Applicable Laws
     - State Law
       - Notice of Breach Laws
       - Data Security Laws
       - Disposal and Destruction Rules
     - Federal
       - Sarbanes-Oxley
       - Federal Trade Commission Act
       - EU Data Protection Directive
     - International
       - EU Data Protection Directive (e.g., UK and Ireland)
       - PIPEDA and Canadian Provincial
       - Australia

 11. State Laws
     - Notice, Data Security and Disposal laws all cover “personal information”
     - Personal Information in most states does not include encrypted information

 12. State Notice of Breach Laws
     - 44 states have a notice of breach law, PLUS:
       - District of Columbia (B16-810, D.C. Code § 28-3851)
       - Puerto Rico (Law 111 and Regulation 7207)
     - The following states do not have a notice of breach law: Alabama, Kentucky, Missouri, Mississippi, New Mexico, South Dakota
     - Most require businesses and/or government to notify state residents if their computerized “personal information” is involved in a data breach
     - Compliance obligations can differ significantly and require research of key provisions in every state for which you hold a resident’s PI

 13. State Data Security Laws
     - Ten states have laws requiring businesses to protect the “security and confidentiality” of personal information about residents
       - Arkansas, California, Connecticut, Maryland, Massachusetts, Nevada, Rhode Island, Oregon, Texas, and Utah
     - While most require “reasonable safeguards,” Oregon and Massachusetts have specific compliance requirements
       - e.g., Massachusetts requires entities to
         - Implement a risk-based “comprehensive, written information security program” in accordance with a detailed list of requirements; and
         - Encrypt all personal information stored on laptops or other portable devices, all records and files transmitted over public networks “to the extent technically feasible,” and all data transmitted wirelessly.

 14. Massachusetts: Compliance Program Elements
     - 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, requires entities with PI to create and implement policies and procedures to:
       - Assign Responsibility
       - Identify Information Assets: identify the corporate information assets that need to be protected
       - Conduct Risk Assessment
       - Implement Security Controls
       - Monitor Effectiveness
       - Regularly Review the Program
       - Address Third Party Issues

 15. Massachusetts: Safeguards
     Administrative
     - Limit the amount of personal information (PI) collected, retention periods, and the persons who are allowed access
     - Implement policies and procedures regarding:
       - employee access to and transport of records outside of business premises;
       - disciplinary measures for violations of the security program; and
       - preventing terminated employees from accessing records
     - Provide security education and training for employees
     Technical
     - Secure user authentication protocols
     - Secure access, providing access only to those who require the information to perform their job duties; assign a unique ID and password to each person
     - Encrypt records containing PI that are transmitted over the Internet, transmitted wirelessly, or stored on laptops or other portable devices
     - Monitor systems for unauthorized access or use
     - Keep current firewall protection, operating system security patches for systems connected to the Internet, and malware/virus software
     Physical
     - Implement reasonable restrictions on physical access to records
     - Store records containing PI and data in locked facilities, storage areas or containers
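     The technical safeguard above (encrypt PI stored on laptops or other portable devices) and the point on slides 11 and 12 (encrypted information is not “personal information”, so it does not by itself trigger a notice obligation) fit together in one check. The Go program below is an added example, not code from the presentation or from the presenters: it assumes AES-GCM as the cipher (the deck only says “encrypt”), a “name plus SSN” definition of personal information, and a key that is held off the device. Record, seal, unseal, SealRecord and ContainsNotifiablePI are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is a customer record as it might sit on a laptop. Name stays in the clear;
// SSN stands in for the sensitive elements that must be encrypted before storage.
type Record struct {
	Name, SSN string
}

const sealedPrefix = "enc:" // marks a field value that holds ciphertext

// IsSealed reports whether a field value has been encrypted.
func IsSealed(v string) bool { return strings.HasPrefix(v, sealedPrefix) }

// gcmFor builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one field with AES-GCM (assumed cipher; the deck only says "encrypt").
// The random nonce is prepended so unseal can recover it. The key must be held off the
// device, otherwise a stolen laptop carries both the data and the key.
func seal(key []byte, plaintext string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return sealedPrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// unseal reverses seal; GCM authenticates the ciphertext, so a tampered value fails.
func unseal(key []byte, sealed string) (string, error) {
	if !IsSealed(sealed) {
		return "", errors.New("value is not sealed")
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(sealed, sealedPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SealRecord encrypts the sensitive element before the record is written to portable storage.
func SealRecord(key []byte, r Record) (Record, error) {
	s, err := seal(key, r.SSN)
	if err != nil {
		return Record{}, err
	}
	r.SSN = s
	return r, nil
}

// ContainsNotifiablePI applies the pattern the deck describes for state notice laws:
// "personal information" is a name combined with a sensitive element (assumed here to
// be the SSN), and encrypted elements do not count, so a sealed record does not by
// itself trigger notice.
func ContainsNotifiablePI(r Record) bool {
	return r.Name != "" && r.SSN != "" && !IsSealed(r.SSN)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; in practice fetched from a key service
	r := Record{Name: "Jane Doe", SSN: "000-00-0000"} // constructed sample, placeholder SSN
	sealed, err := SealRecord(key, r)
	if err != nil {
		panic(err)
	}
	fmt.Println("cleartext notifiable:", ContainsNotifiablePI(r), "| sealed notifiable:", ContainsNotifiablePI(sealed))
}
```

     The triage rule is deliberately conservative: a record counts as notifiable unless every sensitive element is sealed, and unseal refuses both unsealed values and ciphertext that fails GCM authentication, so a backup that was tampered with or re-keyed cannot be silently read back as if it were intact.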
 16. State Disposal Rules
     - 23 states have laws on proper disposal of personal information
       - Alaska, Arkansas, California, Colorado, Hawaii, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Montana, Nevada, New Jersey, New York, North Carolina, Oregon, South Carolina, Tennessee, Utah, Vermont, Washington, Wisconsin
     - In most states, destruction is accomplished through shredding, erasure, redaction or rendering the information unreadable or indecipherable

 17. SOX and Security
     - Sarbanes-Oxley Act, 15 U.S.C. §§ 7241 and 7267
     - SOX is "basically silent" on information security
     - However, information security is implicit:
       - Certification of effectiveness of controls (404)
       - Annual assessment and report on effectiveness of the controls (302)
     - The SEC final rules require management to certify that two types of controls have been established and their effectiveness has been assessed:
       - Access Security
       - Internal Controls
     - COBIT and COSO

 18. FTC Authority
     - Section 5 of the FTC Act (“FTCA”) permits the FTC to bring an action to address any unfair or deceptive trade practice that occurs in the course of commercial activities
       - A deceptive trade practice is any commercial conduct that includes false or misleading claims, or claims that omit material facts
       - Unfair trade practices are commercial conduct that causes substantial injury, without offsetting benefits, that consumers cannot reasonably avoid

 19. FTC Security Enforcement
     - Deceptive Trade Practices: based on notices of privacy practices and official statements regarding how an organization safeguards sensitive information (e.g., In re Guidance Software Inc.)
     - Unfair Trade Practices: practices that “threaten data security” are unfair practices (e.g., In re BJ’s Wholesale Club)
     - GLBA Safeguards: violations of the Safeguards Rule (e.g., In re Superior Mortgage Corp.)

 20. Recent Enforcement/Consent Orders - FTCA
     - In re Reed Elsevier Inc., FTC, File No. 052 3094 (3/27/08)
     - In re TJX Cos. Inc., FTC, File No. 072 3055 (3/27/08)
     - United States v. ValueClick Inc., C.D. Cal., No. CV08-01711 (3/17/08)
     - Life is good Inc., FTC, File No. 072-3046 (1/17/08)
     - In re Guidance Software Inc., FTC, File No. 062 3057 (11/16/06)
     - United States v. ChoicePoint, 106-cv-0198 (N.D. GA, 2-15-06)
     - In re CardSystems Solutions Inc., FTC, File No. 052 3148 (9/5/06)
     Total of 18 cases

 21. FTC Consent Orders and Security
     - Implement administrative, technical, and physical safeguards appropriate to the size and nature of the company’s activities and the sensitivity of the personal information collected by each organization.
     - Security Program Elements:
       - designate an employee or employees to coordinate the information security program;
       - identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
       - design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
       - develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and
       - evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs
     - Biennial outside assessment of the security program for 20 years
       - Auditor’s certification that the companies' security programs meet or exceed the requirements of the consent orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers' PI is being protected
       - Must be performed by a CISSP or equivalent

 22. International Laws
     - EU Data Protection Directive
       - Purpose
         - To protect individuals with respect to the “processing” of personal information
         - To ensure that personal data may be freely transferred
       - Information Security (Article 17)
         - Appropriate technical and organizational measures to protect data against destruction, loss, alteration, or unauthorized disclosure
     - Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
       - Purpose: “every organization” that “collects, uses or discloses” personal information “in the course of commercial activities” must take steps to protect individual privacy
       - Security Standards
         - These must be commensurate with the sensitivity of the information the organization holds
         - Measures should address:
           - The manner in which the information is stored
           - Protection against loss or theft as well as unauthorized access, disclosure, copying, use, or modification of the data
     - Others, including APEC

 23. Inadequacy of U.S. Protections
     - Article 25 requires Member States to enact laws prohibiting the transfer of personal data to countries outside the EU that fail to ensure an “adequate level of (privacy) protection”
       - US privacy laws deemed inadequate by the EU
     - The following methods can be used to obtain personal information from EU countries
       - Data Transfer Agreement
         - Binds the (U.S.) importer to provide adequate protections (Article 26)
       - US Safe Harbor Provisions
         - Certify compliance with Safe Harbor
       - Unambiguous Informed Consent
         - The EU company may transfer the data if it obtains unambiguous informed consent from every data subject before each transfer is made.
       - Binding Corporate Rules
         - The use of internal policy rules, procedures and mechanisms to ensure the rights of data subjects

 24. Unified Approach To Security
     Matrix of security practices against State, FTCA, PCI DSS, NIST FIPS and ISO 27002; the check marks in the cells did not survive extraction, except that the Contracts row shows two X marks.
     Administrative Safeguards:
     - Security Management Process
     - Assigned Security Responsibility
     - Workforce Security
     - Management of Information Access
     - Security Incident Procedures
     - Contingency Planning
     - Review/Evaluation
     - Contracts
     - Security Awareness and Training

 25. Unified Approach to Security (continued)
     Same matrix (State, FTCA, PCI DSS, NIST FIPS, ISO 27002) for the physical and technical safeguards.
     Physical Safeguards:
     - Facility Access Controls
     - Workstation Use and Security
     - Device and Media Controls
     Technical Safeguards:
     - Access Control
     - Audit Controls
     - Integrity Controls
     - Person or Entity Authentication
     - Transmission Security

 26. Consider all of Your Security and Privacy Compliance Requirements
     SOX, FTCA, State, International, PCI DSS, ISO, FTCA (CO), COBIT, COSO, OECD, AICPA, PCI 1.2
     Follow a UNIFIED APPROACH to Compliance

 27. Part 2 - Risk Transfer: A Valuable Tool for Risk Management
     RISK: Avoid, Mitigate, Control, Transfer, Assume (focus: Transfer)

 28. Data Breach Focal Points (slide 3 repeated)

 29. Risk Transfer
     One risk management tactic is risk transfer. Coverage types:
     - Business Interruption: protects you from attacks on your network
     - Crisis Management: pays for costs associated with public relations damage control
     - Network Extortion: protects you from threats of attack on your network
     - Media: covers libel, slander, unfair trade practices via organization website or electronic media
     - Network Security: covers liability caused by breach of network (e.g., hack or viruses)
     - Privacy: protects organizations from losing or compromising employee and third-party data

 30. How do the policies work?
     - They are all different
     - Liability policies
     - Different triggers on the regulatory costs
     - It is important to understand what YOU want out of the insurance, as different policies have different strengths in different areas

 31. Important Coverage Trends
     - Moving away from network security towards privacy
       - Original policies focused on external breaches of the network
       - New policies also have privacy triggers
     - Third-party contractor coverage not limited to natural persons
     - Emphasis on notification costs
     - Regulatory fines and penalties coverage

 32. The Application Process
     - The underwriting (just like the coverage) for a privacy/security insurance policy varies depending on the carrier
       - Policy-driven
       - Technically-driven
       - Very limited evaluation

 33. Example: Darwin
     - New application that accounts for new security technology
       - Many applications are dated, if only by a few years, and miss key areas such as wireless networks
     - For larger organizations, we will sometimes ask for a conference call. This allows us to ‘meet’ the security personnel and get a more in-depth look at security processes and procedures.
     - Pricing is based on unique records and revenues

 34. Risk Management
     - Incident Response
       - How do you respond to a breach?
       - Who do you call?
     - Privacy consultation
       - Best practices for contracts

 35. Darwin / Pepper Offering
     - Darwin Privacy//403 Insurance Coverage, including
       - 1 hour consultation annually (Pepper)
       - Incident response services (Pepper)
         - Breach investigations
         - Breach notices
     - Other related services from Darwin
     - Other services from Pepper
       - Complex state, federal and international privacy and security compliance programs
       - Identity theft prevention and response assistance
       - Agency investigations/compliance with consent orders
       - Electronic data retention and destruction programs

 36. So…How do you sell it?
     - Issues
       - No one understands the risks
       - No one understands the coverage
       - No one knows how much it should cost
       - Limited transactional experience
     - What has changed?
       - More expertise from certain distributors
       - Increased claims experience and examples
       - Increased benchmarks on limit and price

 37. Allied World/Darwin Financial Strength
     - Darwin was recently acquired by Allied World and operates with an A (“Excellent”) rating by A.M. Best
     - Darwin is a recognized errors and omissions market, both medical and non-medical
     - Strong risk management culture

 38. Takeaways
     - The use of technology has triggered real consequences for the lack of data protection
     - Government action and regulation is adding concern to all organizations
     - Breaches can be very expensive, and are getting more expensive
     - Consider risk transfer as one option for managing your risk

 39. Thank You
     Adam Sills, AVP, Technology Liability Underwriting, (860) 284-1382, [email_address]
     M. Peter Adler, Attorney at Law, Direct: 202.220.1278, Direct Fax: 800.684.2749, [email_address]
     Hamilton Square, 600 Fourteenth Street, N.W., Washington DC 20005-2004, 202.220.1200, Fax: 202.220.1665
     professional underwriters, inc