Malware infiltration, spear phishing, data breaches… these are terrifying words with even more frightening implications. These threats are hitting the technology world hard and fast and can no longer be ignored.
3. Full service professional services firm:
Attest services
Tax preparation and compliance
IT audit
Data security and design
IT compliance
Internal control
Internal audit outsourcing
SSAE 16 services (SOC 1-3)
Over 80 professionals
Highly qualified in a variety of specializations: CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST
Affiliations: AICPA, PCAOB, ACFEI, ISACA, TANGO, CICPAC, Practicewise, VACO Risk Solutions
4. Vaco Risk Solutions
Specializing in helping our clients reduce their risks
30 locations strong
Highly qualified consultants:
▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt
We belong to:
▪ Member of Information Systems Audit and Control Association (ISACA)
▪ Member of American College of Forensic Examiners Institute (ACFEI)
▪ Association of Credit Union Internal Auditors (ACUIA)
▪ PCI Qualified Security Assessors certified by PCI Security Standards Council
▪ Payment Application Qualified Security Assessors certified by PCI Security Standards Council
▪ Member of Petroleum Convenience Alliance for Technology Standards (PCATS)
▪ Member of National Association of Convenience Stores (NACS)
7. The Cost of a Breach
• Averages:
  • Cost per incident - $6,500,000
  • Records compromised - 28,070
  • Cost per record - $217
• Average cost per record by industry:
  • Healthcare - $398 (highest)
  • Financial - $259
  • Industrial - $190
  • Retail - $189
  • Public - $73 (lowest)
• Cause of breaches:
  • 49% - Malicious or criminal attack
  • 19% - Human error
  • 32% - System glitch
Source: Ponemon Institute’s 2015 Cost of Data Breach Study
16. Security morphs to “Cybersecurity”
Gartner Group:
Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.
19. It starts with the right people …
[Diagram: People (In-house staff, Partners, Outsourced Providers, Customers) / Process (Threat Analysis, Compliance Mgmt, SLA Mgmt, Risk Assessment, Change Mgmt, Vulnerability Mgmt, Identity & Access, Incident Mgmt) / Technology (Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking); the People layer is highlighted]
Security is only as good as its people.
Points of Consideration:
People are the weakest link.
Staff will need a specialized skill set, and experienced staff are often difficult to find.
Current training is expensive, time consuming and ineffective.
Analysts are needed for 24x7 coverage; other supporting functions must also be considered:
- System admins, intelligence resources, escalation resources, compliance officers, management / supervision
20. Integrated processes …
[Diagram: People / Process / Technology; the Process layer is highlighted: Threat Analysis, Compliance Mgmt, SLA Mgmt, Risk Assessment, Change Mgmt, Vulnerability Mgmt, Identity & Access, Incident Mgmt]
Data Security processes and procedures must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements.
Points of Consideration:
The Cybersecurity mission must be clearly defined – incident discovery, CERT, etc.
An alarm does not always equate to action.
Processes must take into consideration the evaluation and incorporation of a constantly changing stream of potential threats.
Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.
21. Built on a solid technology platform
[Diagram: People / Process / Technology; the Technology layer is highlighted: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking]
Technology is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc.
Points of Consideration:
Security technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity.
The number of disparate systems and the volume of device / event data will typically require a dedicated IT staff for system administration.
Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.
The management and reporting systems must be flexible enough to accommodate changes in process and security policy as well as changes in the technology landscape.
22. The changing requirements for enterprise data security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of security.
Security vs. Cybersecurity:
Charter
  Governance
    Security: Technology or service only; self governed (IT Security)
    Cybersecurity: Build a dedicated security operations capability; cross-functional (IT, Business, Audit, etc.)
  Strategy
    Security: Budget based, 12 month planning cycle
    Cybersecurity: 3+ year cycle, priorities set by enterprise
Mission & Strategy
  Tools
    Security: SIEM tool only
    Cybersecurity: SIEM, ticketing, portal/dashboard, Big Data
  Use Cases
    Security: Standard rules, minimal customization
    Cybersecurity: Tailored rules based on risk & compliance drivers
  Referential Data
    Security: Minimal importance, secondary priority
    Cybersecurity: Required data, used to prioritize work
Technology
  Measures
    Security: Silos, ticket/technology driven
    Cybersecurity: Cross-functional, efficiency, quality, KPI/SLO/SLA
  Reporting
    Security: Ticket/technology driven
    Cybersecurity: Metrics, analytics, scorecards, & dashboards
Operations
  Management
    Security: Detect & react to threats.
    Cybersecurity: Proactive. Visible. Anticipate threats. Mitigate risks.
23. There is no app for enterprise data security…
… Don’t be a FOOL and think you just need to buy a TOOL
25. Information (Data) Life Cycle
ISACA.ORG
To identify residual risks and select appropriate technical measures and activities to protect confidential data, an organization must first understand how information flows throughout its systems over time and how the information is accessed and processed at different stages.
26. Principles of Data
• Principle 1: Honor policies throughout the confidential data life span. This includes a commitment to process all data in accordance with applicable statutes and regulations, preserve privacy and respect customer choice and consent, and allow individuals to review and correct their information if necessary.
• Principle 2: Minimize risk of unauthorized access or misuse of confidential data. The information management system should provide reasonable administrative, technical and physical safeguards to ensure confidentiality, integrity and availability of data.
• Principle 3: Minimize the impact of confidential data loss. Information protection systems should provide reasonable safeguards, such as encryption, to ensure the confidentiality of data that are lost or stolen. Appropriate data breach response plans and escalation paths should be in place, and all employees who are likely to be involved in breach response should receive training.
• Principle 4: Document applicable controls and demonstrate their effectiveness.
27. Roadmap to Data Security
Classification
Discovery
Security
Enforcement
Monitoring
28. Classification
• Determine what data are sensitive to the organization, whether for regulatory compliance, internal reasons, or both.
▫ Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees within the organization regarding data stewardship.
▫ To be effective, a classification scheme should be simple enough that all employees can execute it properly.
• EDUCATE and TRAIN
29. Discovery
• Find out where the sensitive data are located, how they flow, who can access them, and the performance and other requirements for security.
▫ Data Mapping: Structured and Unstructured Data
  Location
  Relevance
  Sensitivity
  Use
  Correctness
▫ Cleanup/Remediate
▫ EDUCATE and TRAIN
30. Security
• Apply the data security method(s) that best achieve the requirements from discovery, and protect the data according to the sensitivity determined in classification.
▫ Data at rest, in transit and at disposal
▫ Frameworks
  Cybersecurity Framework – NIST
  ISACA
  ISO 27001
  Best Practices
▫ EDUCATE and TRAIN
31. Enforcement
• Design and implement processes and technology to disclose sensitive data only to authorized users, according to the least possible amount of information required to perform job functions (least-privilege principle).
▫ EDUCATE and TRAIN
32. Monitoring
• Ensure ongoing, highly granular monitoring of any attempts to access sensitive data. Monitoring is the only defense against authorized user data abuse.
▫ Internal and External
▫ EDUCATE and TRAIN
35. EMERGING TRENDS IN DIGITAL PRIVACY AND SECURITY: THE LEGAL LANDSCAPE
Laurie Kamaiko
Cybersecurity and Privacy Group
Sedgwick LLP
New York Office
Laurie.Kamaiko@sedgwicklaw.com
Telephone 212.898.4015
36. Cyber Risks – Why Do You Care?
Every company is vulnerable to a successful cyber attack
Every company is subject to a loss or cost
Every company is subject to statutory or regulatory compliance of some kind, especially if a breach of personal information occurs, with the resultant risk of regulatory inquiry and litigation
37. Cyber Risks – Why Do You Care?
Every company can reduce these risks and resultant costs by:
Awareness
Preparedness
Reducing the human error element
38. Current & Impending Cyber Risks & Exposures
Data Breaches of Personally Identifiable Information (PI) and Protected Health Information (PHI) of Individuals
Type of information defined by statutes and regulations
Heavily regulated to protect against identity theft and fraudulent transactions
  Security requirements
  Breach response requirements
Traditionally name plus:
  Financial account, payment card numbers
  Government-issued identification, social security number, etc.
  Variations include: health information, insurance account
Trend toward expansion of what constitutes protected PI:
  Online account credentials
  Medical biometric information
39. Current & Impending Cyber Risks & Exposures
Theft of Other Confidential Information
  Trade secrets / IP / business secrets
  Client/customer secrets
Cyber attacks on property and business functions
  Denial of service attacks/disruption of business and operating systems
  Targeting your company
  Targeting others or critical infrastructure affecting your company
  Financially motivated versus malicious versus political
  Extortion
40. Current & Impending Cyber Risks & Exposures
Business Practices in Collection/Usage/Disclosure of Information About Individuals
  Online behavior tracking
  Collection and usage of information on individuals
  Sharing of that information
  Disclosure of collection and sharing
  Storage beyond need
  Zip code collection (when not necessary for credit card transaction)
  Privacy policy and terms of use statements/sufficiency
  Increased use of vendors
41. Current & Impending Cyber Risks & Exposures
“Big Data”
  Collection and analysis of data about consumers and populations has become important to most companies
  Its use and transferability are part of many corporate transactions: planning, marketing, acquisitions, divestitures
  Data security, privacy and practices present a myriad of (non-)compliance risks: laws, regulations, controls, due diligence obligations
42. Current & Impending Cyber Risks & Exposures
Increasing Risks From:
Internet of Things: increased interconnectivity, increased vulnerability
  13.4 Billion in 2015
  > 25 to 75 Billion Interconnected Devices by 2020
Increased Use of Vendors: vendor vulnerability
  Access to company data
  Avenue for malware intrusion
  Lack of control, so an increased need for due diligence
  Contractual responsibilities and liabilities
Incorporating Use of Personal Devices and Social Media Into the Work Place
43. Current & Impending Cyber Risks & Exposures
Increasing National/Regulatory Agency/Industry Standards
  Expansion of statutory liabilities
  Increased regulatory enforcement
  Increase in contractual responsibilities
  o All increase potential liabilities for non-compliance
  o Compliant today may not be compliant tomorrow
Growth of Contractual Obligations
  o Security
  o Breach response
  o Indemnity
44. Current & Impending Cyber Risks & Exposures
All entities are at risk
  Employee information
  Customers’/clients’ information
  Business information
  Functions you perform for others
  Functions others perform for you
  Small company does not mean small risk
Industries most targeted:
  Financial institutions
  Healthcare
  Educational institutions
  Retail
  Service providers to targeted companies
45. The Sources of Exposures
[Diagram: CYBER RISKS arising from Insiders ▪ Outsiders ▪ Vendors/Agents]
Criminal/Malicious Activity: Fraud, Theft, Deceit, Hacktivism, Terrorism, Rogue Employees, External Hackers, Phishing, Trojans, Botnets
Negligence/Inadvertent Activity (Human Error): System Failure, Poor Data Protection, Security Flaw, Accidental Disclosure, Lost Devices
46. Costs and Exposures From a Data Breach
Direct Response Costs
Crisis Management
• Legal forensics
• Mandatory notifications (PI/PHI)
• Remediation to consumers
• Remediation of breached system
• Contractual indemnities and penalties
Claims
• Contractual
• Third parties affected (clients, consumers)
• Legal fees for defense
• Settlements/judgments
Business Costs
• Business disruption
• Management resources
• Impairment of systems and equipment
• Reputation harm
• Customer turnover
• Loss of profits/earnings
• Reconstitution of lost data
• Marketing
• Voluntary notifications
• Loss of IP/secrets/business opportunities
47. Legal and Regulatory Framework
Three Themes
Privacy
  Collecting, using, and disclosing/sharing certain levels of data about individuals
Security
  Protecting data against loss, unauthorized acquisition, misuse, or damage
  Implementing “reasonable” & “appropriate” measures to protect data
Breach Notification
  Notifying those affected and governmental agencies when security is breached
  Content and notice requirements vary
  Generally “breach” defined to mean: unauthorized acquisition or misuse of information
  In some states/regulations, unauthorized access is sufficient
  Not all require likelihood of harm
Requirements can vary depending on jurisdiction, agency with oversight, type of entity breached and type of data
48. Legal and Regulatory Framework
State Laws Mandating Security and Breach Response
  47 States Have Breach Response Requirements
  Lesser Number (But Growing) Have Security Requirements
  Expanding Requirements (e.g., Level of Encryption) and Scope (Types of Information)
State Laws Mandating Disclosure of Collection, Usage and Security Practices
  Business Practices Are Under Scrutiny
  Growing Trend to Regulate and Enforce (Starting in California)
49. Legal and Regulatory Framework
Federal and Sector-Specific Laws and Regulations
  Not Yet a National Statute Re Security and Breach Notice, Though Bills Pending
  Both Federal Agencies and State Agencies Can Enforce
  Healthcare: HIPAA and HITECH
  Financial: Gramm-Leach-Bliley, et al.
  Public Companies: SEC (Disclosure Guidelines)
  Also: Red Flags Rule, FCRA, CAN-SPAM, Video Privacy Protection Act, etc.
  Federal Agency Guidelines: SEC, FTC, FDA, FCC, NIST for Critical Infrastructure, etc.
International: Data Security and Response Requirements
  Cross-Border Transfer of Information About Individuals and Other Countries
  Recent Upheaval Re: U.S. Safe Harbor Program for Transfer of PI to U.S. Declared Invalid By E.U. Commission October 6, 2015
50. Legal and Regulatory Framework
Increasing Enforcement
Regulatory Enforcement Actions More Frequent & Resulting in Larger Settlements
  o 20 years of monitoring/audits
AGs, OCR (healthcare) and Other Regulatory Agencies Focus on Companies That:
  o Knew or should have known of a problem
  o Did not do pre-incident assessment of their data and their security
  o Did not have incident response plans in place
FTC Enforcement Focused on Unfair and Deceptive Trade Practices
  o “Unfair” – Inadequate security
  o “Deceptive” – Not acting in conformity with policies and statements
Private Litigation/Class Actions
51. Industry Internal Regulation: Credit / Debit Cards
PCI DSS (Payment Card Industry Data Security Standard)
  Contract-based obligations applicable to all involved in the chain of card processing
  Requires specified security measures to protect credit card transactions
  Incorporated into some state statutes (e.g., Nevada, New Mexico, Washington)
  New rules require due diligence and responsibility for vendors
• Major Factor in Any Credit Card Breach
  Most entities not fully compliant with PCI DSS
• Liability Impact
  Breached merchants contractually liable for substantial assessments/fines for PCI DSS violations that led to breaches
  Basis of negligence and other allegations in 3rd party claims
  New liability shifting for costs of fraudulent transactions if merchant does not institute new chip card processing
52. Litigation Trends: Statutory, Regulatory, Contractual
Holding Companies Accountable
  For Your Own Practices
  For Your Business Partners: Due Diligence of Vendors
  If You Are a Vendor, Responsibility for Sensitive Information of Clients That You Access, e.g.:
    Business Associates & HIPAA-Covered Entities
    Notice Obligations If Breach, at Least to Business Client
Scrutinizing Pre-Breach Efforts at Compliance, If Not Just Breach and Post-Breach Response
53. Litigation Trends: Statutory, Regulatory, Contractual
Litigation Arising From Breaches of PI
  Failure to adequately secure information
  Failure to timely notify of breach
  Failure to adequately respond to breach
  Misrepresentation of security, vulnerability, effect (pre-breach and post-breach)
  Unjust enrichment (part of fees paid is for security not provided)
  Lost value of stolen information
  Loss of use of service or hardware
  Violation of consumer protection statutes: statutory $ awards, which avoid the issue of whether plaintiffs sustained actual damage
> 80 different causes of action have been identified
54. Litigation Trends: Statutory, Regulatory, Contractual
Potential Plaintiffs
  Consumers whose information is accessed (consumer class actions)
  Financial institutions affected (fraud charges, card replacement costs, etc.)
  Shareholder/derivative suits
    Share price drops
    Wasting of corporate assets
    Board approval of inadequate security / failure to assess/address vulnerabilities
    Misrepresentation/failure to disclose: cause, information at risk, remediation
  Breached entity seeking contribution from others contributing to lapse in security: vendors, advisors, etc.
  Regulators
55. Litigation Trends: Statutory, Regulatory, Contractual
Potential Defendants
  Breached entities
  Vendors holding an access route to information
  Security vendors involved in security or design, security assessments, or remediation
  Professional advisors
  D&Os approving company security policies, responses and financial disclosures
56. Other Privacy Litigation
Theories of Liability for Non-Breach Privacy Lawsuits
Consumer Tracking/Online Behavioral Advertising
  Improper collection practices
  Improper disclosures
Statutory Violations That Are Not Data Breaches Per Se
Privacy Violations – From Business Practices
  Wrongful collection/sale of PI
  Failure to disclose collection/sharing of PI (e.g., California)
  Adequacy of privacy policies (websites, mobile apps)
  Non-compliance with representations in privacy policies
  Zip codes as wrongfully collected PI by retailers without need (California, Massachusetts, and possibly other states in future)
  Unauthorized distribution (blasting, e.g., TCPA)
  Restrictions on recording of business calls with consumers
Trend toward asserting violations of unfair trade practices and consumer protections seeking statutory damages
57. Factors Reducing Costs of Breaches
Board-Level Involvement in Breach
Insurance Protection
Industry
  Regulated Industries, Such as Healthcare and Education, More Costly
Source: Ponemon study
58. Factors Reducing Costs of Breaches
Company Has Plans In Place
  Incident Response Plan
  Lawyer on Retainer
  Pre-Negotiated Contracts/Rates for Forensics, Customer Notification, Call Centers, Credit Card Monitoring
Increased Costs if Breach due to Hackers/Criminal Insiders (47% of Breaches)
Source: Verizon study
59. Risk Management Tips
Be Prepared
Be Aware of the Issues and Vulnerabilities
  o Yours
  o Your Business Partners
Identify Your Data Assets and Where Sensitive Data Is Located
  o On Your Systems and Within Your Company
Perform Risk/Threat Assessments, and Identify Controls and Their Effectiveness
Allocate Resources: $, Management
  o SEU
Create Policies and Procedures Before an Incident
  ■ Privacy
  ■ Training
  ■ Incident Response
  ■ Vendor Selection, Due Diligence and Management
60. Risk Management Tips
• Be Prepared (continued)
Accept It Is Not Just an IT Issue
  Preparedness & response requires involvement of all departments, including: C-Suite, Legal, IT, Risk Management, Human Resources, Marketing, Operations
Institute a Culture of Compliance
  “Privacy by Design”
Practice
  Table Tops, “Fire Drills”
  Legal Compliance
61. Risk Management Tips
Identify
  √ High Risk, High Value Data and Risks of Loss/Breach
  √ Controls
Protect
  √ Create Systematic Protections, Bring in Technology & Experts to Address Vulnerabilities & Increase Protections
  √ Due Diligence on Vendors
Prepare
  √ Develop Policies and Response Plans
  √ Risk Transfer: Insurance, Contractual Indemnity with Vendors
Train
  √ Train all employees
  √ Table tops, Drill
  √ Test
Repeat
62. Questions?
64. Agenda
Identify exposures
Third party liability
First party losses
Other coverage sections
Claims
Sample situation
AIG enhancements
Conclusion
65. How Do We Identify Exposures?
Do You Handle Confidential Information?
  Own company (including employees)
  Clients (confidential, personal, or commercial)
Where Do You Store The Information?
  Computer network – do you operate the network yourself or outsource to a vendor?
  Paper records
Do You Have A Website?
  What content is on the site?
  Can employees or third parties upload content (blog, post pictures or comments)?
66. HOW CAN AN EVENT OCCUR?
Internally
– Employees/Vendors
– Malicious – Stealing Information (Card Skimming)
– Negligence – Lost Resources (Laptop, Smart Phone, Tablet)
– Vendor Contracts – Indemnification
Externally
– Individual Hackers/Organized Crime
– Stealing Information
– Sending Viruses/Malicious Code
– Disruption Of Business (Vandalism)
67. THIRD PARTY COVERAGE
Network Security Failure
– Failure of a company to protect their computer systems
– Virus, malicious code, malware attacks
Privacy Event
– Failure to protect confidential information
– Personal or corporate; online or offline
– Violation of any Federal, State, or local privacy statute
– Failure to comply with PCI-DSS standards
Allegations Can Be Brought By
– Government agencies, individuals, businesses or administrative
68. FIRST PARTY COVERAGE
Event Management – Incident Response Plan
– Breach Consultation – Legal Consultation
– Forensic Investigation
– Public Relations Services
– Notification To Consumers Based On State Mandate
– Providing ID-monitoring/Credit Monitoring
– Lost Electronic Data
69. FIRST PARTY COVERAGE
Network Interruption
– Addresses loss of income and operating expenses resulting from the interruption or suspension of business due to a failure of network security
Cyber Extortion
– Provides coverage for extortion threats against a company’s computer network and confidential information by an outsider seeking money or other valuables
70. THIRD PARTY COVERAGE
Media Content Liability
Companies Have Published Content
– Website, print, broadcast
Typical Types of Claims
– Trademark and copyright infringement
– Defamation, false light and imprisonment
– Product disparagement, infliction of emotional distress
73. SAMPLE SITUATION
HIPAA: Privacy regulations that govern the healthcare industry
HITECH Act (Health Information Technology for Economic and Clinical Health Act)
  Enacted on February 17, 2009 to promote the adoption and meaningful use of health information technology
  Breach notification requirements for HIPAA covered entities + business associates
  Subtitle D of the HITECH Act addresses privacy and security
  Outlines the guidelines for who, what, where, when a privacy breach occurs
[Diagram: PHI life cycle – Access, Record, Maintain, Destroy, Retain, Hold, Modify, Use]
Source: www.healthit.gov
Covered Entity: Hospital
74. GUIDELINES
If… Then…
Breach occurs: Written notice, first class mail at last known address, as soon as practicable and no later than 60 days after discovery of breach
Individual is deceased: Notify next of kin
Insufficient information for 10+ individuals: Home page of website of covered entity, or major print or broadcast media
Urgent: Telephone
500+ residents in a given state: 1. Prominent media outlet within the state; 2. Notify the Secretary within 60 days; 3. Secretary to post on an HHS Web site a list that identifies each covered entity involved
Source: www.healthit.gov
75. NOTIFICATION REQUIREMENTS
Letters/E-mail typically include the following:
  Description of what happened, date of the breach and the date of the discovery of the breach
  Description of the types of unsecured PHI that were involved in the breach (e.g. full name, Social Security number, date of birth, etc.)
  The steps individuals should take to protect themselves from potential harm resulting from the breach
  Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
  Contact procedures for individuals
Source: www.healthit.gov
83. WHAT IS IP SHUNNING?
Leading edge global threat intelligence and technology that isolates and shuns IP addresses currently being used by criminals.
Before initiating an attack on a network, criminals first conduct reconnaissance to confirm that certain IP addresses are viable targets.
Shunning prevents these criminal communications from reaching a network and confirming the IP addresses as viable targets.
87. CYBEREDGE RISKTOOL
Web-based customizable risk management platform
Manage the human element of cyber risk and manage compliance
Pre-populated with:
  Corporate security policies
  Training with exams
  Self assessments and risk guides
Simplifies and documents end user training
Unlimited use
91. American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange.
Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIG_LatestNews | LinkedIn: http://www.linkedin.com/company/aig
AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.
Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc.
Android and Google Play are trademarks of Google Inc.
Shiraz Saeed - Product Specialist - Cyber Liability
Tel +1 908 679 3472 | Cell +1 908 698 2269 | shiraz.saeed@aig.com
93. How do I mitigate my risk with the growing use of mobile and portable technologies?
Policies and Education
Social networking awareness
Encryption
Remote Wipes/Autolocks
Obtaining employee consent
Backing up company information on an employee device
Do’s and Don’ts of mobile use
Laptop Safety
94. What should I be doing to prepare my Company for the increased regulations related to IT Security?
Understand business activities subject to regulation for privacy considerations
▪ Disclosure of PI collections and sharing procedures
▪ Website and mobile app privacy
▪ Credit card information
Know how changes in business operations impact compliance requirements
Accept responsibility for compliance
▪ EXECUTIVE MANAGEMENT
▪ BOARD OF DIRECTORS
97. Do You Know the SCORE?
• Security
• Compliance and
• Operations
• Risk
• Evaluation
98. Do You Know the SCORE?
• A high level assessment of the key components of your IT environment:
  – IT operations
  – Physical security
  – Logical security
  – Mobile devices
  – Recovery
  – Network security
  – Online security
  – Data privacy and security compliance
  – System and hardware controls
102. What are some of the things I need to consider when using 3rd party service providers?
For all vendors:
▪ Due diligence on their data security
▪ Coordination of representations in privacy policies
▪ Allocation of responsibilities in event of breach
▪ Terms in vendor agreements:
  ▪ Indemnification provisions
  ▪ Access provisions
  ▪ Insurance requirements (cyber and other)
Cloud computing:
▪ Identify the assets for cloud deployment
▪ Evaluate the assets
▪ Map the assets to the cloud deployment model
▪ Evaluate potential cloud service models
▪ Map out data flow
103. What should I be doing to prepare the Company for a breach?
Screen new hires and vendors
Annual risk assessments
Educate employees
Discuss privacy by design with operations people
Pre-arrange breach service providers
Develop a cross functional privacy committee for breach planning and response
Discuss information collection and disclosure practices with all departments
Consider insuring against risks
104. What can I do to better protect my data from cyber crime?
Data Mapping - Understand WHAT your sensitive data is and WHERE it resides
Perform a security risk assessment
Set security standards
Develop comprehensive policies
Provide security training
Adopt a business plan
Spear Phishing Do’s and Don’ts