CYBERSECURITY INSURANCE SEMINAR
Can You Afford NOT To Have Cybersecurity?
March 4, 2015
TODAY’S PRESENTERS
Reggie Dejean
Specialty Lines Manager
Lawley & Lawley Andolina Verdi
Mary Beth DiBacco
Specialty Insurance Manager
Chubb Insurance
Carl Cadregari
Executive Vice President and Practice Lead
Bonadio IT/IS Risk Management
DIGITAL HACKING
FORENSICS
HEADLINES
HEADLINES EXPLAINED
• Identities left exposed in Indiana salvage yards - items included medical records, bank statements, insurance cards, employee identification cards, car registrations, a signature, a child’s name, dates of birth, and an application for welfare assistance.
• Stolen Pioneer bank laptop contained some customers’ data
  • Pioneer Bank over the weekend alerted some of its customers that an employee’s laptop stolen Jan. 26 contained “secured personal information of certain customers, including names, social security numbers, street addresses, and account and debit card numbers.”
• Harel Chiropractic Clinic notifies 3,000 patients of breach
HEADLINES EXPLAINED CONT.
• St. Peter’s Health Partners is warning of a possible data breach in its email system, following the theft of a manager’s cellphone.
• California Pacific Medical Center discovers employee was improperly accessing patient records for one year
• Natural Grocers Investigating Card Breach - traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country
HEADLINES EXPLAINED CONT.
• Data Breach Results in $4.8 Million HIPAA Settlements from New York and Presbyterian Hospital
• A 214 bed Medical Center laptop stolen with data in an Excel spreadsheet - Medical Center says data is safe since the thief would have to know how to unhide columns in the Excel spreadsheet to read them
THREATS TO DATA
• Internal Threats
• External Threats
• Have You Heard About Target?
• Not just credit card information but also personal identifiable information (PII) is at risk
• According to recent surveys:
  • Street Cost – Social Security Number: $1.00
  • Street Cost – Financial Record: $0.50
  • Lost Medical Record: $316.00
CSIRP
Computer Security Incident Response Plan
• What to do when you “think or know” you have had a disclosure
• The who, what, where and when to follow
• Step by step process
• May be required by some laws and regulations
CSIRP
You Need a Breach Notification Policy
1. NY State, HIPAA, PCI and GLBA require a documented policy that covers all factors of breach notification, including:
• When to alert persons whose data has been breached
• What you have to pay for
• When to send lost data information to the Attorney General
and regulatory bodies
• When you are to place conspicuous notice on your website
• When you are to alert local media and television
CSIRP
You need a plan to follow that includes:
1. What constitutes a breach
2. Who is on the team
3. Who is allowed to talk to any external entity
4. When to involve external crisis management
5. When to trigger your liability policy
CSIRP
1. How to assess the risks (likelihood and severity)
2. Does the breach fall into pre-defined categories
(and what are they)
3. What to do to investigate the breach
4. What to do to minimize the breach
5. What to do to report on the breach
6. What to do to never repeat the breach
7. How to close the incident
AFTER THE INFORMATION HAS BEEN GATHERED
WHAT IS THE IMMEDIATE EXPENSE?
• Notification
• Creating letter or other notification
• Printing or design
• Mailing or other transmission
• Public Relations
• Call Center operations
• Credit Monitoring or Identity Theft Remediation
• Advertising & Press Releases
• Forensics
• Legal Expenses for outside Attorney
• Cost of Forensic Examination
• Cost to Remediate Discovered Vulnerabilities
KEY COSTS TO A DATA BREACH
DIRECT COSTS, VICTIM COSTS, INDIRECT COSTS ($134)
Cost Per Record $201 (2014)
• Discovery
• Data Forensics
• Notification
• Call Center
• Identity Monitoring
• Identity Remediation
• Lawsuits
• Regulatory Fines
• Additional Security & Audit Requirements
• Reputational Damage/Lost Business
Source: Ponemon Institute, LLC and Symantec Corporation. 2014 Annual Study: U.S. Cost of a Data Breach. March 2014
DATA IS VULNERABLE
Data can escape your organization in many different ways
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches 2008-2013.
www.privacyrights.org
[Chart: share of breaches by cause (stationary device, unknown, physical, malicious insider, negligence, hacking, portable devices); values shown: 4%, 6%, 12%, 12%, 18%, 23%, 25%]
COMPUTER SECURITY vs. INFORMATION SECURITY
• COMPUTER SECURITY
  • This means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events.
• INFORMATION SECURITY
  • This is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.).
INCIDENT RESPONSE PLAN
1. If a company does not have one, they are playing with fire
2. Essential for a company to have in place in order to effectively respond to a security breach
3. IRPs should be tested at least on an annual basis using various breach scenarios
4. IRPs typically include:
   A. IRP Team (ideally Sr. Mgmt. in Info Tech, Customer Service, Legal, Privacy & PR)
   B. Clear guidelines categorizing a risk/threat level
   C. Documentation Instructions
   D. Guidelines for getting third parties involved
   E. Notification Process
-- One of the most important practices --
INFORMATION SECURITY POLICY
• Sets the security foundation
• First measure that must be taken to reduce the risk of unacceptable use of the company’s information resources
• Companies define which assets are critical and ways to protect them
• Development and implementation of a security policy turns employees into active participants towards securing company information (helps prevent human factor)
• Should be tested and reviewed on an annual basis
VIRUS PREVENTION, INTRUSION DETECTION & PENETRATION TESTING
• Key factors to help a company protect their systems
• Protection starts with firewalls, as they protect resources on a private network
• Anti-virus software can be used to prevent, detect & remove viruses
• Intrusion detection software monitors the network for malicious activity or policy violations & reports back (should be reviewed monthly at a minimum)
• Penetration tests look for vulnerable access points (preferred, but many small companies don’t run them)
MOBILE DEVICE SECURITY
• iPhones, BlackBerrys & laptops bring on challenges to protecting data
• A mobile device security policy should prohibit the storage of confidential data on mobile devices
• If data is stored on a mobile device, the security policy should mandate the use of data encryption (128-bit recommended)
• Want to see power-up passwords, kill switches, and alerts in the internal system when PII is sent
WHAT WE CAN PROVIDE IN PROTECTION & PREVENTION
CYBERSECURITY
THE PATH TO UNDERSTANDING
Exposure & Causes of Loss: “You hold private information”
Legal Issues: “You are obligated to protect it”
Costs of a Data Breach: “Breaches are costly and complicated”
BBR Key Features: “Coverage is available”
INFORMATION AT RISK
• Consumer Information
  • Credit cards, debit cards, payment info
  • Social Security Numbers, ITINs, taxpayer records
  • Protected Healthcare Information (PHI), e.g. medical records, test results
  • Personally Identifiable Information (PII), e.g. Drivers License / Passport details
  • Non-PII, like email addresses, phone lists, address
• Employee Information
  • Employers have at least some of the above information on all of their employees
• Business Partners
  • Sub-contractors and Independent Contractors
  • Information received from commercial clients as a part of commercial transactions or services
  • B2B exposures like projections, forecasts, M&A activity, trade secrets
PII: Personal Identifiable Information
PHI: Personal Health Information
• Many people think that without credit cards or PHI, they don’t have a data breach risk.
• But can you think of any business without any of the above kinds of information?
WHAT IS A DATA BREACH?
• Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that:
  • May cause the person inconvenience or harm (financial/reputational)
    - Personally Identifiable Information (PII)
    - Protected Healthcare Information (PHI)
  • May cause your company inconvenience or harm (financial/reputational)
    - Customer Data, Applicant Data
    - Current/Former Employee Data, Applicant Data
    - Corporate Information/Intellectual Property
• Paper or Electronic
• Potential Security Threats
  - Compromises to the integrity, security or confidentiality of information
  - Circumstances where a data breach may have happened or could happen in the future (e.g. lost flash drive with PII)
KEY CAUSES OF LOSS
• Lost/Stolen Portable Computers or Media
• Employee Misuse
• Negligent Release
• Improper Disposal of Paper Records
• Lost/Stolen Backup Tapes
• Computer Hacking
• Vendor Negligence
• Improper Disposal of Computer Equipment
Hackers make the headlines, but almost half of data breach incidents result from “insider negligence”. (Ponemon Institute)
815 MILLION RECORDS LEAKED
Since Privacy Rights Clearinghouse began tracking US data breaches in 2005
CAUSES OF LOSS
Malicious or Criminal Attack: 36%
• Hacking
• Virus, Malware
• Phishing
• Spear Phishing
• Network Intrusion
System Glitch: 29%
Human Factor: 35%
• Lost laptops
• Improper disposal of backup tapes
• Accidental release
• Broken business practices
• Un-shredded documents
• Negligent release
64% of breaches are accidental
Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2013
TYPICAL COSTS
• Response costs – sending out notices, call center services, and the offer of credit monitoring:
  o Up to $30 per record
• Forensics, to determine the size and scope of the breach:
  o $25,000 to more than $500,000
• Legal Costs:
  o Very costly: $200,000 up to the millions
• A retailer with just 10 sales a day would pay $781,000 for a year’s worth of breached records.
• An MRI facility conducting 15 scans a day would face expenses exceeding $1 million for every year of patient records compromised.
“IT TAKES 20 YEARS TO BUILD A REPUTATION, AND FIVE MINUTES TO DESTROY IT.”
-- Warren Buffett
Q&A
Reggie Dejean, Specialty Lines Manager, Lawley & Lawley Andolina Verdi
Mary Beth DiBacco, Specialty Insurance Manager, Chubb Insurance
Carl Cadregari, Executive Vice President and Practice Lead, Bonadio IT/IS Risk Management
THANK YOU
Lawley Insurance