EMERGING TRENDS IN
INFORMATION PRIVACY
AND SECURITY
August 6, 2014 Presentation
Logistics
CPE Credit Requirements
Takeaways
• Full service Professional Services Firm:
  ▪ Attest services
  ▪ Tax preparation and compliance
  ▪ IT Audit and Security
  ▪ Internal Control
  ▪ Internal Audit Outsourcing
  ▪ SSAE 16 Services
• Over 70 professionals
• Highly qualified in a variety of specializations:
  ▪ CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST
• Affiliations:
  ▪ AICPA, PCAOB, ACFEI, ISACA, TANGO, CICPAC, Practicewise, VACO Risk Solutions
• Vaco Risk Solutions
  ▪ Specializing in helping our clients reduce their risks
  ▪ 30 locations strong
  ▪ Highly qualified consultants
    ▪ CHS, CISA, CISM, CISSP, CITP, CPA, PMP, QSA, PA QSA, PCIP, JD, Six-Sigma Black Belt
  ▪ We belong to:
    ▪ Information Systems Audit and Control Association (ISACA)
    ▪ American College of Forensic Examiners Institute (ACFEI)
    ▪ Association of Credit Union Internal Auditors (ACUIA)
    ▪ PCI Qualified Security Assessors certified by the PCI Security Standards Council
    ▪ Payment Application Qualified Security Assessors certified by the PCI Security Standards Council
    ▪ Petroleum Convenience Alliance for Technology Standards (PCATS)
    ▪ National Association of Convenience Stores (NACS)
Former FBI
Director Mueller:
“There are two types
of companies, those
that have been
hacked and those
that don’t know it”
• Suzanne Miller, Ph.D., Partner – Vaco Risk Solutions
• Linn Foster Freedman, Esq., Partner – Nixon Peabody LLP
• Brian Bonkoski, Vice President – ACE Professional Risk
• Kevin Ricci, CISA, Director of Information Technology – LGC&D LLP
• Speaker Risk Discussions
• Panel Discussion – Best Practices and Strategies
• Question and Answer
Suzanne Miller, Ph.D.
VCAG
Vaco Compliance and Audit Group
August 6, 2014
• PCI – Quick Overview
• Growing Data Trends and Associated Risks
  ◦ Employees: IT Convenience
  ◦ Customers: Mobile Apps
• Growing Threats to Corporate Security
  ◦ Top 3 Threats Affecting Corporate Security
• An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
  (Founded September 7, 2006)
• Founders
  ◦ American Express
  ◦ Discover Financial Services
  ◦ JCB
  ◦ MasterCard Worldwide
  ◦ Visa International
New NACHA
Service Providers
PCI DSS Self-Assessment Questionnaire (SAQ) validation types: description, number of questions (v3.0 vs v2.1), and whether a quarterly ASV scan and a penetration test are required.

SAQ A – Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage. Questions: 14 (v3.0), 1 (v2.1). ASV scan: No. Pen test: No.
SAQ A-EP – E-commerce merchants redirecting to a third-party website for payment processing, no electronic cardholder data storage. Questions: 139 (v3.0), new in v3.0. ASV scan: Yes. Pen test: Yes.
SAQ B – Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage. Questions: 41 (v3.0), 12 (v2.1). ASV scan: No. Pen test: No.
SAQ B-IP – Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage. Questions: 83 (v3.0), new in v3.0. ASV scan: Yes. Pen test: No.
SAQ C – Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage. Questions: 139 (v3.0), 59 (v2.1). ASV scan: Yes. Pen test: No.
SAQ C-VT – Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage. Questions: 73 (v3.0), 22 (v2.1). ASV scan: No. Pen test: No.
SAQ D-MER – All other SAQ-eligible merchants. Questions: 326 (v3.0), 38 (v2.1). ASV scan: Yes. Pen test: Yes.
SAQ D-SP – SAQ-eligible service providers. Questions: 347 (v3.0), new in v3.0. ASV scan: Yes. Pen test: Yes.
SAQ P2PE – Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage. Questions: 35 (v3.0), 17 (v2.1). ASV scan: No. Pen test: No.

Source: PCISecurityStandards.org
Employees: IT Convenience
Customers: Mobile Apps

Cloud Computing
Enabling employees to take advantage of collaboration tools/programs and share work-related data

Cloud Computing Risks
• Organizational Risk
  ◦ Employees use unauthorized consumer-oriented tools and save corporate data there
    ▪ Trade secrets, financial reports, meeting notes, etc.
    ▪ Data sits unprotected, in locations unknown to the company
• Financial Risk
  ◦ Cost of exposed business confidential data
    ▪ ~$214 per compromised record (Ponemon Institute, May 2014)
Cloud – Risk Mitigation
◦ Strategy
  ▪ Monitoring and controlling use of collaboration tools
  ▪ Securing data on collaboration tools
  ▪ Cost savings and productivity improvements: > $8,184 per user annually; productivity gain of ~1.2 hours each day, or 266 hours per year
◦ Policy
  ▪ Governance
◦ Technology
  ▪ Offer safer, enterprise-grade versions of the consumer tools employees already use
◦ Education
  ▪ Risk awareness for rank and file
Cloud Computing
The Cloud Security Alliance maintains the Cloud Controls Matrix to assist cloud providers and cloud consumers in meeting audit requirements, including the PCI DSS.
https://cloudsecurityalliance.org/research/ccm/
Mobile app revenue is expected to reach an estimated $70 billion by 2017*; revenue in 2012 was ~$8.5 billion.
Risks
• Organizational Risk:
  ◦ Non-compliance with state and federal regulatory requirements for mobile apps
    ▪ Geo-location data
    ▪ Behavioral targeting
    ▪ Inferred consent
    ▪ Retargeting
    ▪ Data security and quality
    ▪ Mobile privacy statement
• Financial Risk:
  ◦ Fines
    ▪ Delta failed to have a conspicuous privacy policy in the 'Fly Delta' app; the CA Attorney General sued (12/2012), seeking up to $2,500 per app download
      ▪ Downloaded 1 million times on Google Play
    ▪ Social networking app 'Path'
      ▪ Fined $800,000 by the FTC over allegations that it collected personal information without obtaining consumers' consent (2/11/2013)
    ▪ FTC COPPA crackdown
      ▪ Civil penalties of up to $16,000 per violation (5/15/2014)
Risk Mitigation
◦ Strategy
  ▪ Understand the changing compliance landscape for mobile apps across your enterprise
    ▪ Marketing, application developers, legal, internal audit, etc.
  ▪ Expand risk governance
◦ Policy
  ▪ Expand risk governance
◦ Technology
  ▪ Understand the ecosystem
◦ Education
  ▪ Risk awareness for rank and file
NOTE: On 2/11/2013 the FTC released a report outlining privacy guidelines for mobile platform providers, application developers, and advertising networks (the "Report"). Explaining the Commission's increased attention to this area, the outgoing FTC Commissioner described the current state of rules and practices in the mobile space as a sort of "Wild West." Cautioning that the Commission will "closely monitor developments in this space", the FTC "strongly" encouraged companies in the mobile ecosystem to work expeditiously to implement the recommendations in the Report. The guidance focuses on how mobile app players should improve their disclosures to ensure that users understand how their personal data will be collected and used.
◦ Privacy Statement shall state:
  ▪ What information is collected from an Individual's Mobile Device;
  ▪ Whether information is shared with another application installed on the Individual's Mobile Device;
  ▪ How Geo-location Data is used;
  ▪ If Geo-location Data is used to create a profile about the Individual;
  ▪ How long Geo-location Data is retained;
  ▪ What types of Third Parties, including Service Providers, Geo-location Data is shared with, and for what purpose;
  ▪ How the Individual can restrict the disclosure of Geo-location Data to Third Parties; and
  ▪ How the Individual can revoke consent to your company's collection and use of Geo-location Data.
• …and the list goes on
Era of Advancing Risks*
* Global State of Information Security Survey 2014, CIO and CSO Magazine

Advanced persistent threats (APTs)
• Most dangerous cyber threat today
• Few organizations have the capabilities to prevent them
Survey charts (percentage of respondents, by sector):
• Healthcare sector: organizations reporting the following APT-related capabilities in place
• Public sector: organizations reporting the following APT-related capabilities in place
• Retail sector: organizations reporting the following APT-related capabilities in place
• Healthcare sector: reported impact of data breaches
• Public sector: reported impact of data breaches
• Retail sector: reported impact of data breaches
• Healthcare sector: core security safeguards that ARE NOT in place
• Public sector: core security safeguards that ARE NOT in place
• Retail sector: core security safeguards that ARE NOT in place
• Greatest obstacles to improving the strategic effectiveness of the company's information security function
Suzanne Miller, Ph.D.
DrMiller@vaco.com
EMERGING TRENDS IN
INFORMATION
PRIVACY AND
SECURITY
LINN F. FREEDMAN, ESQ.
AUGUST 6, 2014
SUMMARY OF PRESENTATION
—Headlines on data privacy and security and breaches
—What are the Risks
—Implementing a Data Privacy & Security Plan
—Identify high risk data
—State Privacy & Security Laws
—Federal Privacy & Security Regulations
—Use of mobile technology
—Use of e-mail and cloud services
—Best practices
DATA SECURITY — WHAT'S THE RISK?
Increase in conducting business online = exponential increase in threats to data security
DATA SECURITY — WHAT’S THE RISK? (CONT’D)
— Companies collect and possess larger
amounts of customer, employee and client
data than ever
— Greater use of mobile technology,
websites, cloud storage
• Allows for easier opportunity for hackers,
identity thieves/data security breaches
• Increase in loss of proprietary information
• Potential for damage to company’s
reputation
• Threat of state and federal
regulatory enforcement
INCREASE OF DATA SECURITY BREACHES
June 2012 Ponemon Institute Report
— 90% of companies surveyed had a
computer breached at least once in the
prior 12 months
— 44% of companies surveyed viewed IT
infrastructures as insecure
INCREASE OF DATA
SECURITY BREACHES (CONT’D)
May 2013 Ponemon Institute Report
— Data breaches cost U.S. companies
surveyed an average of $5.4 million in
the prior 12 months
— An average of 28,765 records for U.S.
companies surveyed were exposed or
compromised in the prior 12 months
— It cost U.S. companies surveyed an
average of $188 per record breached
in the prior 12 months
DATA PRIVACY & SECURITY PLAN
Identify high risk data
Use of mobile technology, e-
mail and cloud services
Develop policies and best
practices
Train all employees
IDENTIFYING HIGH-RISK DATA
— Personally Identifiable Information
• Includes SS #, state-issued ID #, mother’s
maiden name, driver’s license #, passport #,
credit history, criminal history
— Name & Contact Information
• Includes initials, address, telephone number,
e-mail address, mobile number, date of birth
— Personal Characteristics
• Includes age, gender, marital status,
nationality, sexual orientation, race, ethnicity,
religious beliefs
IDENTIFYING HIGH-RISK DATA (CONT’D)
— Financial Institution Data
• Includes credit, ATM, debit card #s, bank
accounts, payment card information, PINs,
magnetic stripe data, security codes,
access codes, passwords
— Health & Insurance Account Information
• Includes health status and history, disease
status, medical treatment, diagnoses,
prescriptions, insurance account #,
Medicare and Medicaid information
• HIPAA compliance
IDENTIFYING HIGH-RISK DATA (CONT’D)
— Website Traffic
• Notice of Privacy Practices
• Terms and Conditions of Use
— Employment Information
• Includes income, salary, service fees, compensation
information, background check information
STATE PRIVACY & SECURITY LAWS
Social Security number protection laws
— e.g. Rhode Island
— e.g. New York (§399-dd) – restrictions on use, disclosure and access
Data security regulations
— e.g. Massachusetts (201 CMR § 17.00) – must implement a written information security program with detailed data security safeguards
Data breach notification laws
— 47 states
• Most states require notification of a breach to state authorities
Website/mobile app data collection laws
— e.g. California (§§22575-22579, "CalOPPA") – conspicuously post a privacy policy with transparent details re: data collection/use
— None in RI to date
STATE ENFORCEMENT/FINES AND PENALTIES
Examples:
— Massachusetts data security regulations (up to $5k per violation)
• $63k against a MA restaurant
• $750k against South Shore Hospital
— California website/mobile app CalOPPA statute (up to $2,500 per violation)
• AG sent hundreds of non-compliance letters to companies without privacy policies and/or with unclear privacy practices on their website/mobile app
— None in Rhode Island to date
STATE HEALTH INFORMATION PRIVACY LAWS
— Mental health law
— HIV/AIDS
— Sexually transmitted diseases
— Genetic information
FEDERAL PRIVACY & SECURITY LAWS
— Federal Trade Commission ("FTC")
• § 5 of the FTC Act prohibits "unfair or deceptive acts or practices"
  ▪ Covers advertising claims, marketing, and promotions
  ▪ Not limited to any particular medium
• Enforcement of several sector-specific privacy laws
  ▪ Fair Credit Reporting Act ("FCRA")
  ▪ Children's Online Privacy Protection Act ("COPPA")
FTC ENFORCEMENT/FINES AND PENALTIES
More than 100 privacy-related actions since 2001, including:
— 40+ data security cases
— 100+ spyware cases
— 20 COPPA cases
— Several FCRA cases
— Increasing emphasis on mobile technology
FEDERAL PRIVACY & SECURITY LAWS (CONT.)
— Gramm-Leach-Bliley Act
• To protect the privacy of personally identifiable, nonpublic financial information
— HIPAA
• To protect the privacy of health information
THE OMNIBUS RULE
Certain HIPAA Privacy and Security Rule provisions apply directly to business associates as regulated entities
— BAs must have the required HIPAA policies and procedures in place
— BAs are subject to direct enforcement by OCR as of September 23, 2013
ENFORCEMENT PENALTIES FOR HIPAA VIOLATIONS
Civil penalties are tiered, depending on conduct:
• Did not know: $100 per violation, up to $50,000 for all identical violations in a calendar year
• Reasonable cause that is not willful neglect: $1,000 for each violation, up to $50,000 for all identical violations in a calendar year
• Willful neglect, corrected within 30 days of knowledge: $10,000 for each identical violation, up to $50,000 for all identical violations in a calendar year
• Willful neglect, not corrected: $50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year

CRIMINAL ENFORCEMENT PROVISIONS
HIPAA also carries criminal penalties for persons who "knowingly" obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. § 1320d–6(a):

Conduct                      Fine        Prison
Knowingly                    $50,000     One year
Under false pretenses        $100,000    Five years
For profit, gain, or harm    $250,000    10 years
RISKS OF BREACH ASSOCIATED WITH MOBILE TECHNOLOGY
— Smartphones
— Laptops
— USB or flash drives
• 5 million British Columbians' data breached (1/15/13)
  ▪ USB drive
— Compliance with 47 state breach notification regulations
• E-mails
• Cloud vendors
RISKS OF CLOUD COMPUTING
— There are over 400 cloud computing providers
— Privacy and security
— Confidentiality
— 'True' ownership and control
— Data restoration and data retention, longevity of vendors
— Accessibility (i.e. all business hours, weekends, holidays; 24 hours a day)
— Unfamiliarity with technology
— Integration with firm systems
— Jurisdictional concerns if a dispute arises
BEST PRACTICES FOR LAPTOPS & REMOVABLE MEDIA
— Encryption
— Policies and procedures for removing devices and data from business premises
— Do not permit employees to leave laptops and removable devices in cars or hotel rooms
— Prohibition of downloading sensitive data onto the hard drive of a laptop or other removable media
— Remote wipe procedures
— BYOD policy
BEST PRACTICES USING E-MAIL
— Encryption
— Virtual Private Network/RSA
— Verify Selected Recipients
— Use Standard Confidentiality Disclaimer
— “Sensitive” Communications, Special
Protections against Disclosure to 3rd Parties
• It is the responsibility of the employee directing
the communication to determine if the
communication is “sensitive” in accordance with
RIOHHS policies and procedures
REPORTING SECURITY INCIDENTS
— Make sure all employees know
to report a privacy concern, a
suspected breach, information
security problem, theft of
computer equipment or if you
suspect there may be a
problem to the Security Officer
— When in doubt REPORT
CONCLUSION
— Identify all of your "electronic highways" and what they connect with on the inside.
— Perform threat and risk assessments on a regular basis
— Identify controls that will reduce risk to an acceptable level
— Review the effectiveness of controls periodically as well as after incidents
— Ensure you have proper incident response plans in place
— Present Key Risk Indicators (KRIs) to management in order to gain their support with regard to any proposed risk mitigation efforts
— Insure risks
This presentation contains images used under license. Retransmission, republication, redistribution, and downloading
of this presentation, including any of the images as stand-alone files, is prohibited.
This presentation may be considered advertising under certain rules of professional conduct. The content should not be
construed as legal advice, and readers should not act upon information in this publication without professional counsel.
©2014. Nixon Peabody LLP. All rights reserved.
THANK YOU!
QUESTIONS?
Linn Foster Freedman, Esq.
T: 401-454-1108
lfreedman@nixonpeabody.com
Nixon Peabody LLP
One Citizens Plaza
Suite 500
Providence, RI 02903
EMERGING TRENDS IN
INFORMATION PRIVACY AND
SECURITY
PRESENTED BY BRIAN BONKOSKI – ACE USA
Disclaimer
The material presented in this presentation is not intended to provide
legal or other expert advice as to any of the subjects mentioned, but
rather is presented for general information only. You should consult
knowledgeable legal counsel or other knowledgeable experts as to any
legal or technical questions you may have. Further, the insurance
discussed is a product summary only. For actual terms and conditions
of any insurance product, please refer to the policy. Coverage may
not be available in all states.
Goals of Today's Presentation
• Coverage overview by insuring agreement
  ▪ Network Security Liability
  ▪ Privacy Liability
  ▪ Data Breach Team
  ▪ Network Extortion
  ▪ Business Interruption Loss
  ▪ Digital Asset Loss
• Key markets
• Claims overview
  ▪ Industry trends and expenses
  ▪ Claims examples
Network Security Liability
• Covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.

Privacy Liability
• Covers loss arising out of the organization's failure to protect sensitive personal or corporate information in any format. Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.

Data Breach Expenses – 1st Party
• Forensics
• Public relations/crisis management services
• Legal services, including but not limited to determining compliance with privacy regulations, drafting notification letters and indemnification rights
• Notification/credit monitoring services
• Call center services
• Fraud consultation services provided through a licensed investigator or credit specialist
• Identity restoration services

Data Breach Expenses – 1st Party (cont'd)
• Network Extortion: covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.
• Digital Asset Loss: covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.
• Business Interruption: covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured's network.
Markets
• ACE USA
• AIG
• Lexington
• Beazley
• C.N.A.
• AWAC
• Chubb
• Axis
• XL
• Hiscox
• Zurich
• Travelers
• Philadelphia Insurance
• One Beacon
• Hartford
• Swiss RE
• Endurance
• Houston Casualty

Claims and Industry Trends (as of 1/31/2014)
Claims by cause:
• Hack – 24%
• Lost/Stolen Hardware – 22% (Laptops 15%, Hard Drives 5%, Other 2%)
• Rogue Employee – 15%
• Human Error – 14%
• Privacy Policy – 9%
• Unknown – 7%
• Paper – 6%
• Software Error – 3%
Industry Breakout
• Healthcare – 31%
• Technology – 14%
• Professional Services – 12%
• Retail – 10%
• Financial Institutions – 8%
Targeted Attacks for PI:
• Lost/Stolen Devices: 2008 – 41%; 2012 – 17%; 2013 – 17%
• Hacking and Rogue Employee: 2008 – 31%; 2012 – 44%; 2013 – 44%
This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied
or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
Triggers by Industry Segment (as of 1/31/2014)

Industry               Hack   Rogue Employee   Lost/Stolen Devices   Human Error   Privacy Policy
Healthcare              4%         22%                25%                19%            11%
Retail                 42%         17%                15%                 6%            15%
Technology             34%         10%                21%                 9%            12%
Professional Services  21%         14%                32%                14%             6%
Average Cost of First Party Expenses (as of 1/15/2014)*
Every breach response is unique.
Cost range of each service:
• Legal fees: under $5,000 up to about $250,000
• Forensics: about $10,000 to seven figures
• Notification & call center: approximately $3 per record
• Credit monitoring: payment per enrollee or restoration service
• Minimal crisis management costs
Objective: limit third-party exposure

Average incurred cost by service*:
• Legal fees: $48,091
• Forensics: $192,049
• Notification & call center: $272,428
• Credit monitoring: $157,577
• Crisis management: $12,600

* ACE data; reflects average incurred costs across paid claims
Claims Process
• Pre-breach preparation
  ▪ Identify decision makers
  ▪ Consider vendor relationships and selection for breach response
  ▪ Test incident response plans
• Notice
  ▪ Contact key personnel internally
  ▪ Contact insurance carrier (if applicable)
• Engage data breach vendors
  ▪ Data breach coach
  ▪ Forensic and legal investigation
  ▪ Notification and call center
  ▪ Credit monitoring
  ▪ Crisis management
• Third party claims
  ▪ Class action lawsuits
  ▪ PCI assessments
  ▪ Regulatory fines and penalties
Third Party Claims
Three types of third party claims:
• Regulatory proceedings (less than 2%)
• Pre-litigation demands (8%)
• Class action lawsuits (10%)
Regulatory Fines
• Bad actor – lack of proper response or compliance
• Repeat offender
• Lack of internal privacy policies and procedures
Pre-Litigation Demands
• Mostly in healthcare
• Disclosure of extremely sensitive information
• Adverse employment action

Claims Examples – Retail
Website Breached
Users of a $250 million online retailer’s website began experiencing fraudulent credit card charges. The retailer’s IT group
contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found
and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The
retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant.
Data Breach Fund Costs
$750,000 for notification, call center services, and legal fees to determine the insured’s regulatory obligations
Privacy Liability Costs
$500,000 in assessments for lack of PCI compliance
Credit Card Information Stolen by Employee
A $100 million retail company’s employee improperly obtained the credit card information of a client and fraudulently used the
information to make illegal purchases. The employee was caught and prosecuted. The client’s attorney demanded that the insured
provide credit monitoring services and compensate the client for her damages.
Privacy Liability Costs
$75,000 for the settlement amount and legal fees
Claims Examples – Healthcare
External Vendor Misplaced Laptops
A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the
relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its
members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to
notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory
inquiry and was named as a defendant in a class action lawsuit.
Data Breach Fund Costs
$7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring
Privacy Liability Costs
$2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries
Employee Lost Flash Drive
An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of
approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various
state regulators were also notified in accordance with applicable law.
Data Breach Fund Costs
$110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory
obligations
Claims Examples – Misc Services
Private Information Disclosed Due to Printing Error
A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately
60,000 envelopes bearing account numbers on the outside of the envelopes.
Data Breach Fund Costs
$320,000 for notification and credit monitoring services
Laptops Stolen from Office
Five laptops were stolen from the office of a professional services company. The laptops contained personal information of
approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit
monitoring costs.
Data Breach Fund Costs
$200,000 for notification, credit monitoring services, and legal fees
Personal Information Posted Online
A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal
information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the
process of notifying the impacted individuals and offering credit monitoring services.
Data Breach Fund Costs
$150,000 to date for legal fees, notification, credit monitoring, and Public Relations services
Questions?
Contact:
Brian Bonkoski
ACE Professional Risk
Vice President
(215) 640-5934
brian.bonkoski@acegroup.com
Panel Discussion
• How do I mitigate my risk with the growing use of mobile and portable technologies?
  ▪ Policies and education
  ▪ Social networking awareness
  ▪ Encryption
  ▪ Remote wipes/autolocks
  ▪ Obtaining employee consent
  ▪ Backing up company information on an employee device
  ▪ Do's and don'ts of mobile use
  ▪ Laptop safety
• What should I be doing to prepare my company for the increased regulations related to IT security?
  ▪ Understand business activities subject to regulation for privacy considerations
    ▪ Disclosure of PI collection and sharing procedures
    ▪ Website and mobile app privacy
  ▪ Know how changes in business operations impact compliance requirements
  ▪ Accept responsibility for compliance
    ▪ EXECUTIVE MANAGEMENT
    ▪ BOARD OF DIRECTORS
Questions?
• What are some of the things I need to consider when using third-party service providers?
  ▪ For all vendors:
    ▪ Due diligence on their data security
    ▪ Coordination of representations in privacy policies
    ▪ Allocation of responsibilities in the event of a breach
    ▪ Terms in vendor agreements: indemnification provisions, access provisions, insurance requirements (cyber and other)
  ▪ Cloud computing:
    ▪ Identify the assets for cloud deployment
    ▪ Evaluate the assets
    ▪ Map the assets to the cloud deployment model
    ▪ Evaluate potential cloud service models
    ▪ Map out data flow
• What should I be doing to prepare the company for a breach?
  ▪ Screen new hires and vendors
  ▪ Annual risk assessments
  ▪ Educate employees
  ▪ Discuss privacy by design with operations people
  ▪ Pre-arrange breach service providers
  ▪ Develop a cross-functional privacy committee for breach planning and response
  ▪ Discuss information collection and disclosure practices with all departments
  ▪ Consider insuring against risks
• What can I do to better protect my data from cyber crime?
  ▪ Data mapping – understand WHAT your sensitive data is and WHERE it resides
  ▪ Perform a security risk assessment
  ▪ Set security standards
  ▪ Develop comprehensive policies
  ▪ Provide security training
  ▪ Adopt a business plan
  ▪ Spear phishing do's and don'ts
Michael Camacho, CPA, Partner
mcamacho@lgcd.com
(401) 421-4800 x233
Digital Forensics 101 – How is it used to protect an Organization’s Data?
PECB
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-
IT Strategy Group
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
Next Dimension Inc.
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
Chinatu Uzuegbu
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
AdilsonSuende
 

What's hot (20)

The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
 
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best PracticesSEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
 
Protecting the Network From Yourself Using Defense in Depth
Protecting the Network From Yourself Using Defense in DepthProtecting the Network From Yourself Using Defense in Depth
Protecting the Network From Yourself Using Defense in Depth
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
Cyber Security Vendor Risk Management /Supply Chain Risk Management
Cyber Security Vendor Risk Management /Supply Chain Risk ManagementCyber Security Vendor Risk Management /Supply Chain Risk Management
Cyber Security Vendor Risk Management /Supply Chain Risk Management
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraCyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
 
Supply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - WhitepaperSupply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - Whitepaper
 
Information Security Benchmarking 2015
Information Security Benchmarking 2015Information Security Benchmarking 2015
Information Security Benchmarking 2015
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)
 
Digital Forensics 101 – How is it used to protect an Organization’s Data?
Digital Forensics 101 – How is it used to protect an Organization’s Data?Digital Forensics 101 – How is it used to protect an Organization’s Data?
Digital Forensics 101 – How is it used to protect an Organization’s Data?
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
 

Viewers also liked

Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & Privacy
Nawanan Theera-Ampornpunt
 
Outsourcing and transfer of personal data - Titta Penttilä - TeliaSonera
Outsourcing and transfer of personal data - Titta Penttilä - TeliaSoneraOutsourcing and transfer of personal data - Titta Penttilä - TeliaSonera
Outsourcing and transfer of personal data - Titta Penttilä - TeliaSonera
Sonera
 
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cédric Laurant
 
Applying the Personal Data Protection Act (Singapore)
Applying the Personal Data Protection Act (Singapore)Applying the Personal Data Protection Act (Singapore)
Applying the Personal Data Protection Act (Singapore)
Benjamin Ang
 
Data Protection & Privacy in Malaysian Total Hospital Information System
Data Protection & Privacy in Malaysian Total Hospital Information SystemData Protection & Privacy in Malaysian Total Hospital Information System
Data Protection & Privacy in Malaysian Total Hospital Information System
Quotient Consulting
 
Ethics and information security 2
Ethics and information security 2Ethics and information security 2
Ethics and information security 2
PT Bank Syariah Mandiri
 
Personal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochurePersonal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochure
Jean Luc Creppy
 
Aaron Midgette PLA 2273-12 week 3 docx Individual Work
Aaron Midgette PLA 2273-12 week 3 docx Individual WorkAaron Midgette PLA 2273-12 week 3 docx Individual Work
Aaron Midgette PLA 2273-12 week 3 docx Individual Work
Aaron Midgette
 
Learning 3.0
Learning 3.0Learning 3.0
Learning 3.0
Kartik S
 
Community foundation 2014 annual report
Community foundation 2014 annual reportCommunity foundation 2014 annual report
Community foundation 2014 annual report
April Goss
 
A Framework for Voter Education in Belize
A Framework for Voter Education in BelizeA Framework for Voter Education in Belize
A Framework for Voter Education in Belize
Myrtle Palacio
 
Nw 435
Nw 435Nw 435
Nw 435
Nw 435Nw 435
MEST Michael Szymanski Incubating Start Ups
MEST Michael Szymanski Incubating Start UpsMEST Michael Szymanski Incubating Start Ups
MEST Michael Szymanski Incubating Start Ups
Web Gathering
 
Ata Assembleia Municipal O.H. 18.09.2015
Ata Assembleia Municipal O.H. 18.09.2015 Ata Assembleia Municipal O.H. 18.09.2015
Ata Assembleia Municipal O.H. 18.09.2015
GMOH_PSD
 
Record Keeping
Record KeepingRecord Keeping
Record Keeping
GDPH
 
CORREIO DA BEIRA SERRA – 04.12.2007
CORREIO DA BEIRA SERRA – 04.12.2007CORREIO DA BEIRA SERRA – 04.12.2007
CORREIO DA BEIRA SERRA – 04.12.2007
MANCHETE
 
BIPV Roofing Markets - 2012
BIPV Roofing Markets - 2012BIPV Roofing Markets - 2012
BIPV Roofing Markets - 2012
n-tech Research
 
VIDN_ContractsCronies1
VIDN_ContractsCronies1VIDN_ContractsCronies1
VIDN_ContractsCronies1
Jason Robbins
 
Learning 3 0
Learning 3 0Learning 3 0
Learning 3 0
Supra Manohar
 

Viewers also liked (20)

Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & Privacy
 
Outsourcing and transfer of personal data - Titta Penttilä - TeliaSonera
Outsourcing and transfer of personal data - Titta Penttilä - TeliaSoneraOutsourcing and transfer of personal data - Titta Penttilä - TeliaSonera
Outsourcing and transfer of personal data - Titta Penttilä - TeliaSonera
 
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
 
Applying the Personal Data Protection Act (Singapore)
Applying the Personal Data Protection Act (Singapore)Applying the Personal Data Protection Act (Singapore)
Applying the Personal Data Protection Act (Singapore)
 
Data Protection & Privacy in Malaysian Total Hospital Information System
Data Protection & Privacy in Malaysian Total Hospital Information SystemData Protection & Privacy in Malaysian Total Hospital Information System
Data Protection & Privacy in Malaysian Total Hospital Information System
 
Ethics and information security 2
Ethics and information security 2Ethics and information security 2
Ethics and information security 2
 
Personal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochurePersonal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochure
 
Aaron Midgette PLA 2273-12 week 3 docx Individual Work
Aaron Midgette PLA 2273-12 week 3 docx Individual WorkAaron Midgette PLA 2273-12 week 3 docx Individual Work
Aaron Midgette PLA 2273-12 week 3 docx Individual Work
 
Learning 3.0
Learning 3.0Learning 3.0
Learning 3.0
 
Community foundation 2014 annual report
Community foundation 2014 annual reportCommunity foundation 2014 annual report
Community foundation 2014 annual report
 
A Framework for Voter Education in Belize
A Framework for Voter Education in BelizeA Framework for Voter Education in Belize
A Framework for Voter Education in Belize
 
Nw 435
Nw 435Nw 435
Nw 435
 
Nw 435
Nw 435Nw 435
Nw 435
 
MEST Michael Szymanski Incubating Start Ups
MEST Michael Szymanski Incubating Start UpsMEST Michael Szymanski Incubating Start Ups
MEST Michael Szymanski Incubating Start Ups
 
Ata Assembleia Municipal O.H. 18.09.2015
Ata Assembleia Municipal O.H. 18.09.2015 Ata Assembleia Municipal O.H. 18.09.2015
Ata Assembleia Municipal O.H. 18.09.2015
 
Record Keeping
Record KeepingRecord Keeping
Record Keeping
 
CORREIO DA BEIRA SERRA – 04.12.2007
CORREIO DA BEIRA SERRA – 04.12.2007CORREIO DA BEIRA SERRA – 04.12.2007
CORREIO DA BEIRA SERRA – 04.12.2007
 
BIPV Roofing Markets - 2012
BIPV Roofing Markets - 2012BIPV Roofing Markets - 2012
BIPV Roofing Markets - 2012
 
VIDN_ContractsCronies1
VIDN_ContractsCronies1VIDN_ContractsCronies1
VIDN_ContractsCronies1
 
Learning 3 0
Learning 3 0Learning 3 0
Learning 3 0
 

Similar to Emerging Trends in Information Security and Privacy

PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Jason Dover
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
Joan Weber
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
Compliancy Group
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – DecodedPSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
TransUnion
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
Jim Kaplan CIA CFE
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
sallychiu
 
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
i2Coalition
 
Webinar Deck - Protect Your Users' Online Privacy
Webinar Deck - Protect Your Users' Online Privacy Webinar Deck - Protect Your Users' Online Privacy
Webinar Deck - Protect Your Users' Online Privacy
Ensighten
 
Cyber Security: Threat and Prevention
Cyber Security: Threat and PreventionCyber Security: Threat and Prevention
Cyber Security: Threat and Prevention
fmi_igf
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscape
Ulf Mattsson
 
Aggregation Platforms-White Paper
Aggregation Platforms-White PaperAggregation Platforms-White Paper
Aggregation Platforms-White Paper
Envestnet Yodlee India
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
Ulf Mattsson
 
The Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataThe Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card Data
Tyler Hannan
 
Form Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docx
Form Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docxForm Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docx
Form Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docx
alisondakintxt
 
openbanking-uplod tht will help with underst
openbanking-uplod tht will help with understopenbanking-uplod tht will help with underst
openbanking-uplod tht will help with underst
MdMahboobGhaniHuq
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
Amanda Squires@Pod1
 
Global Threats| Cybersecurity|
Global Threats| Cybersecurity| Global Threats| Cybersecurity|
Global Threats| Cybersecurity|
paul young cpa, cga
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
Taiye Lambo
 

Similar to Emerging Trends in Information Security and Privacy (20)

PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – DecodedPSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
 
Webinar Deck - Protect Your Users' Online Privacy
Webinar Deck - Protect Your Users' Online Privacy Webinar Deck - Protect Your Users' Online Privacy
Webinar Deck - Protect Your Users' Online Privacy
 
Cyber Security: Threat and Prevention
Cyber Security: Threat and PreventionCyber Security: Threat and Prevention
Cyber Security: Threat and Prevention
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscape
 
Aggregation Platforms-White Paper
Aggregation Platforms-White PaperAggregation Platforms-White Paper
Aggregation Platforms-White Paper
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
The Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card DataThe Easy WAy to Accept & Protect Credit Card Data
The Easy WAy to Accept & Protect Credit Card Data
 
Form Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docx
Form Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docxForm Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docx
Form Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docx
 
openbanking-uplod tht will help with underst
openbanking-uplod tht will help with understopenbanking-uplod tht will help with underst
openbanking-uplod tht will help with underst
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
Global Threats| Cybersecurity|
Global Threats| Cybersecurity| Global Threats| Cybersecurity|
Global Threats| Cybersecurity|
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
 

More from lgcdcpas

Risk contracting
Risk contractingRisk contracting
Risk contracting
lgcdcpas
 
Top 10 Tips for Data Security
Top 10 Tips for Data SecurityTop 10 Tips for Data Security
Top 10 Tips for Data Security
lgcdcpas
 
Nursing home industry presentation
Nursing home industry presentationNursing home industry presentation
Nursing home industry presentation
lgcdcpas
 
Inside The Audit
Inside The AuditInside The Audit
Inside The Audit
lgcdcpas
 
Basics of construction accouting
Basics of construction accoutingBasics of construction accouting
Basics of construction accouting
lgcdcpas
 
Results Reimagined
Results ReimaginedResults Reimagined
Results Reimagined
lgcdcpas
 

More from lgcdcpas (6)

Risk contracting
Risk contractingRisk contracting
Risk contracting
 
Top 10 Tips for Data Security
Top 10 Tips for Data SecurityTop 10 Tips for Data Security
Top 10 Tips for Data Security
 
Nursing home industry presentation
Nursing home industry presentationNursing home industry presentation
Nursing home industry presentation
 
Inside The Audit
Inside The AuditInside The Audit
Inside The Audit
 
Basics of construction accouting
Basics of construction accoutingBasics of construction accouting
Basics of construction accouting
 
Results Reimagined
Results ReimaginedResults Reimagined
Results Reimagined
 

Recently uploaded

Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

Emerging Trends in Information Security and Privacy

  • 11. PCI – Quick Overview: “An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.” – September 7, 2006
  • 12. Founders
    ◦ American Express
    ◦ Discover Financial Services
    ◦ JCB
    ◦ MasterCard Worldwide
    ◦ Visa International
    New: NACHA
  • 15. SAQ validation types
    SAQ Validation Type | Description | # of Qs v3.0 | # of Qs v2.1 | ASV | Pen Test
    A | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | 1 | No | No
    A-EP | E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data | 139 | NEW | Yes | Yes
    B | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | 12 | No | No
    B-IP | Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | NEW | Yes | No
    C | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | 139 | 59 | Yes | No
    C-VT | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | 22 | No | No
    D-MER | All other SAQ-eligible merchants | 326 | 38 | Yes | Yes
    D-SP | SAQ-eligible service providers | 347 | NEW | Yes | Yes
    P2PE | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | 17 | No | No
  • 18. Cloud Computing: enabling employees to take advantage of collaboration tools/programs and share work-related data
  • 20. Cloud Computing Risks
    ◦ Organizational risk
      ▪ Employees use unauthorized consumer-oriented tools and save corporate data (trade secrets, financial reports, meeting notes, etc.)
      ▪ Data sits unprotected, in locations unknown to the company
    ◦ Financial risk
      ▪ Cost of exposed business-confidential data: ~$214 per compromised record (Ponemon Institute, May 2014)
  • 21. Cloud – Risk Mitigation
    ◦ Strategy
      ▪ Monitoring and controlling use of collaboration tools
      ▪ Securing data on collaboration tools
      ▪ Cost savings & productivity improvements: > $8,184 per user annually; productivity ~1.2 hours each day or 266 hours per year
    ◦ Policy: governance
    ◦ Technology: offer safer enterprise-grade consumer tools
    ◦ Education: risk awareness to rank and file
  • 22. Cloud Computing: the Cloud Security Alliance maintains the Cloud Controls Matrix to assist cloud providers and cloud consumers in meeting audit requirements, including the PCI DSS. https://cloudsecurityalliance.org/research/ccm/
  • 23. Mobile Apps: revenue expected to reach an estimated $70 billion by 2017*; revenue in 2012 ~$8.5 billion
  • 24. Risks (mobile apps)
    ◦ Organizational risk: non-compliance with state and federal regulatory requirements for mobile apps
      ▪ Geo-location data
      ▪ Behavioral targeting
      ▪ Inferred consent
      ▪ Retargeting
      ▪ Data security and quality
      ▪ Mobile privacy statement
  • 25.
    ◦ Financial risk: fines
      ▪ Delta failed to have a conspicuous privacy policy on ‘Fly Delta’ – CA Attorney General (12/2012); fined $2,500 per app download; downloaded 1 million times on Google Play
      ▪ Social networking app ‘Path’: fined $800,000 by the FTC over allegations that it collected personal information without obtaining consumers’ consent (2/11/2013)
      ▪ FTC COPPA crackdown: $16,000 fine for each download (5/15/2014)
  • 26. Risk Mitigation
    ◦ Strategy
      ▪ Understand the changing compliance landscape for mobile apps across your enterprise (marketing, application developers, legal, internal audit, etc.)
      ▪ Expand risk governance
    ◦ Policy: expand risk governance
    ◦ Technology: understand the ecosystem
    ◦ Education: risk awareness to rank and file
    NOTE: The FTC released on 2/11/2013 a report outlining privacy guidelines for mobile platform providers, application developers, and advertising networks (the “Report”). Explaining the Commission’s increased attention to this area, the outgoing FTC Commissioner described the current state of rules and practices in the mobile space as a sort of “Wild West.” Cautioning that the Commission will “closely monitor developments in this space”, the FTC “strongly” encouraged companies in the mobile ecosystem to work expeditiously to implement the recommendations in the Report. The guidance focuses on how mobile app players should improve their disclosures to ensure that users understand how their personal data will be collected and used.
  • 27. Privacy Statement shall state:
    ◦ What information is collected from an Individual's Mobile Device;
    ◦ Whether information is shared with another application installed on the Individual's Mobile Device;
    ◦ How Geo-location Data is used;
    ◦ If Geo-location Data is used to create a profile about the Individual;
    ◦ How long Geo-location Data is retained;
    ◦ What type of Third Parties, including Service Providers, Geo-location Data is shared with and for what purpose;
    ◦ How the Individual can restrict the disclosure of Geo-location Data to Third Parties; and
    ◦ How the Individual can revoke consent to your company's collection and use of Geo-location Data.
    …and the list goes on
  • 28. Era of Advancing Risks* (* Global State of Information Security Survey 2014, CIO and CSO Magazine)
  • 29.
    ◦ Most dangerous cyber threat today
    ◦ Few organizations have the capabilities to prevent it
  • 30. Look at Healthcare sector: percentage of respondents who report that their organization has the following APT-related capabilities in place (chart)
  • 31. Look at Public sector: percentage of respondents who report that their organization has the following APT-related capabilities in place (chart)
  • 32. Look at Retail sector: percentage of respondents who report that their organization has the following APT-related capabilities in place (chart)
  • 33. Look at Healthcare sector: percentage of respondents who report the impact of data breaches (chart)
  • 34. Look at Public sector: percentage of respondents who report the impact of data breaches (chart)
  • 35. Look at Retail sector: percentage of respondents who report the impact of data breaches (chart)
  • 36. Look at Healthcare sector: percentage of respondents who report core security safeguards ARE NOT in place (chart)
  • 37. Look at Public sector: percentage of respondents who report core security safeguards ARE NOT in place (chart)
  • 38. Look at Retail sector: percentage of respondents who report core security safeguards ARE NOT in place (chart)
  • 39. Percentage of respondents identifying their greatest obstacles to improving the strategic effectiveness of their company’s information security function (chart)
  • 41. EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY – LINN F. FREEDMAN, ESQ. – AUGUST 6, 2014
  • 42. SUMMARY OF PRESENTATION
    — Headlines on data privacy and security and breaches
    — What are the risks?
    — Implementing a Data Privacy & Security Plan
    — Identify high-risk data
    — State Privacy & Security Laws
    — Federal Privacy & Security Regulations
    — Use of mobile technology
    — Use of e-mail and cloud services
    — Best practices
  • 44. DATA SECURITY — WHAT’S THE RISK? Increase of conducting business online = exponential increase of threats to data security
  • 45. DATA SECURITY — WHAT’S THE RISK? (CONT’D)
    — Companies collect and possess larger amounts of customer, employee and client data than ever
    — Greater use of mobile technology, websites, cloud storage
      • Allows easier opportunities for hackers, identity thieves and data security breaches
      • Increase in loss of proprietary information
      • Potential for damage to company’s reputation
      • Threat of state and federal regulatory enforcement
  • 46. INCREASE OF DATA SECURITY BREACHES – June 2012 Ponemon Institute Report
    — 90% of companies surveyed had a computer breached at least once in the prior 12 months
    — 44% of companies surveyed viewed IT infrastructures as insecure
  • 47. INCREASE OF DATA SECURITY BREACHES (CONT’D) – May 2013 Ponemon Institute Report
    — Data breaches cost U.S. companies surveyed an average of $5.4 million in the prior 12 months
    — An average of 28,765 records for U.S. companies surveyed were exposed or compromised in the prior 12 months
    — It cost U.S. companies surveyed an average of $188 per record breached in the prior 12 months
  • 48. DATA PRIVACY & SECURITY PLAN
    — Identify high-risk data
    — Use of mobile technology, e-mail and cloud services
    — Develop policies and best practices
    — Train all employees
  • 49. IDENTIFYING HIGH-RISK DATA
    — Personally Identifiable Information
      • Includes SS #, state-issued ID #, mother’s maiden name, driver’s license #, passport #, credit history, criminal history
    — Name & Contact Information
      • Includes initials, address, telephone number, e-mail address, mobile number, date of birth
    — Personal Characteristics
      • Includes age, gender, marital status, nationality, sexual orientation, race, ethnicity, religious beliefs
  • 50. IDENTIFYING HIGH-RISK DATA (CONT’D)
    — Financial Institution Data
      • Includes credit, ATM, debit card #s, bank accounts, payment card information, PINs, magnetic stripe data, security codes, access codes, passwords
    — Health & Insurance Account Information
      • Includes health status and history, disease status, medical treatment, diagnoses, prescriptions, insurance account #, Medicare and Medicaid information
      • HIPAA compliance
  • 51. IDENTIFYING HIGH-RISK DATA (CONT’D)
    — Website Traffic
      • Notice of Privacy Practices
      • Terms and Conditions of Use
    — Employment Information
      • Includes income, salary, service fees, compensation information, background check information
  • 52. STATE PRIVACY & SECURITY LAWS
    Social Security number protection laws
    — e.g. Rhode Island
    — e.g. New York (§399-dd) – restrictions on use, disclosure and access
    Data security regulations
    — e.g. Massachusetts (201 CMR § 17.00) – must implement a written information security plan with detailed data security safeguards
    Data breach notification regulations — 47 states
    • Most states require notification of a breach to state authorities
    Website/mobile app data collection laws
    — e.g. California (§§22575-22579, “CalOPPA”) – conspicuously post a privacy policy with transparent details re: data collection/use
    — None in RI to date
  • 53. STATE ENFORCEMENT/FINES AND PENALTIES – examples:
    — Massachusetts data security regulations (up to $5k per violation)
      • $63k against MA restaurant
      • $750k against South Shore Hospital
    — California website/mobile app CalOPPA statute (up to $2,500 per violation)
      • AG sent hundreds of non-compliance letters to companies without privacy policies and/or with unclear privacy practices on website/mobile app
    — None in Rhode Island to date
  • 54. STATE HEALTH INFORMATION PRIVACY LAWS
    — Mental Health Law
    — HIV/AIDS
    — Sexually transmitted diseases
    — Genetic Information
  • 55. FEDERAL PRIVACY & SECURITY LAWS
    — Federal Trade Commission (“FTC”)
      • § 5 of the FTC Act prohibits “unfair or deceptive acts or practices”
        ▪ Covers advertising claims, marketing, and promotions
        ▪ Not limited to any particular medium
      • Enforcement of several sector-specific privacy laws
        ▪ Fair Credit Reporting Act (“FCRA”)
        ▪ Children’s Online Privacy Protection Act (“COPPA”)
  • 56. FTC ENFORCEMENT/FINES AND PENALTIES – more than 100 privacy-related actions since 2001, including:
    — 40+ data security cases
    — 100+ spyware cases
    — 20 COPPA cases
    — Several FCRA cases
    — Increasing emphasis on mobile technology
  • 57. FEDERAL PRIVACY & SECURITY LAWS (CONT.)
    — Gramm-Leach-Bliley Act
      • To protect privacy of personally identifiable, nonpublic financial information
  • 58. FEDERAL PRIVACY & SECURITY LAWS (CONT.)
    — HIPAA
      • To protect the privacy of health information
  • 59. THE OMNIBUS RULE – certain HIPAA “Privacy and Security Rule” provisions apply directly to business associates as a regulated entity
    — BAs must have required HIPAA policies and procedures in place
    — BAs are subject to direct enforcement by OCR as of September 23, 2013
  • 60. ENFORCEMENT PENALTIES FOR HIPAA VIOLATIONS – civil penalties are tiered, depending on conduct
    Unknown
    — $100 per violation, up to $50,000 for all identical violations in a calendar year
    Reasonable cause that is not willful neglect
    — $1,000 for each violation, up to $50,000 for all identical violations in a calendar year
    Willful neglect
    — If violation corrected within 30 days of knowledge: $10,000 for each identical violation, up to $50,000 for all identical violations in a calendar year
    — If violation not corrected: $50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year
  • 61. CRIMINAL ENFORCEMENT PROVISIONS – HIPAA also carries criminal penalties for persons who “knowingly” obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. § 1320d–6(a):
    Conduct | Fine | Prison
    Knowingly | $50,000 | One year
    False pretenses | $100,000 | Five years
    For profit, gain, or harm | $250,000 | 10 years
  • 62. RISKS OF BREACH ASSOCIATED WITH MOBILE TECHNOLOGY
    — Smartphones
    — Laptops
    — USB or flash drives
      • 5 million British Columbians’ data breached (1/15/13) via a USB drive
    — Compliance with 47 state breach notification regulations
      • E-mails
      • Cloud vendors
  • 63. RISKS OF CLOUD COMPUTING
    — There are over 400 cloud computing providers
    — Privacy and security
    — Confidentiality
    — ‘True’ ownership and control
    — Data restoration and data retention; longevity of vendors
    — Accessibility (i.e. all business hours, weekends, holidays; 24 hours a day)
    — Unfamiliarity with technology
    — Integration with firm systems
    — Jurisdictional concerns if a dispute arises
  • 64. BEST PRACTICES FOR LAPTOPS & REMOVABLE MEDIA
    — Encryption
    — Policies and procedures for removing devices and data from business premises
    — Do not permit employees to leave laptops and removable devices in cars or hotel rooms
    — Prohibition of downloading sensitive data onto the hard drive of a laptop or other removable media
    — Remote wipe procedures
    — BYOD policy
  • 65. BEST PRACTICES USING E-MAIL
    — Encryption
    — Virtual Private Network/RSA
    — Verify selected recipients
    — Use standard confidentiality disclaimer
    — “Sensitive” communications: special protections against disclosure to 3rd parties
      • It is the responsibility of the employee directing the communication to determine if the communication is “sensitive” in accordance with RIOHHS policies and procedures
  • 66. REPORTING SECURITY INCIDENTS
    — Make sure all employees know to report a privacy concern, a suspected breach, an information security problem, theft of computer equipment, or any suspicion that there may be a problem, to the Security Officer
    — When in doubt, REPORT
  • 67. CONCLUSION
    — Identify all of your “electronic highways” and what they connect with on the inside
    — Perform threat and risk assessments on a regular basis
    — Identify controls that will reduce risk to an acceptable level
    — Review the effectiveness of controls periodically as well as after incidents
    — Ensure you have proper Incident Response Plans in place
    — Present Key Risk Indicators (KRI) to management in order to gain their support with regard to any proposed risk mitigation efforts
    — Insure risks
  • 68. THANK YOU! QUESTIONS? Linn Foster Freedman, Esq. – T: 401-454-1108 – lfreedman@nixonpeabody.com – Nixon Peabody LLP, One Citizens Plaza, Suite 500, Providence, RI 02903
    This presentation contains images used under license. Retransmission, republication, redistribution, and downloading of this presentation, including any of the images as stand-alone files, is prohibited. This presentation may be considered advertising under certain rules of professional conduct. The content should not be construed as legal advice, and readers should not act upon information in this publication without professional counsel. ©2014. Nixon Peabody LLP. All rights reserved.
  • 69. EMERGING TRENDS IN INFORMATION PRIVACY AND SECURITY – PRESENTED BY BRIAN BONKOSKI – ACE USA
  • 70. Disclaimer: The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.
  • 71. Goals of Today's Presentation
    ◦ Coverage overview by insuring agreement
      ▪ Network Security Liability
      ▪ Privacy Liability
      ▪ Data Breach Team
      ▪ Network Extortion
      ▪ Business Interruption Loss
      ▪ Digital Asset Loss
    ◦ Key markets
    ◦ Claims overview
      ▪ Industry trends and expenses
      ▪ Claims examples
  • 72. Network Security Liability: covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.
  • 73. Privacy Liability: covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.
  • 74. Data Breach Expenses – 1st Party
    ◦ Forensics
    ◦ Public relations/crisis management services
    ◦ Legal services, including but not limited to determining compliance with privacy regulations, drafting notification letters and indemnification rights
    ◦ Notification/credit monitoring services
    ◦ Call center services
    ◦ Fraud consultation services provided through a licensed investigator or credit specialist
    ◦ Identity restoration services
  • 75. Data Breach Expenses – 1st Party Cont’d
    ◦ Network Extortion: covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.
    ◦ Digital Asset Loss: covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.
    ◦ Business Interruption: covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured’s network.
  • 76. Markets: ACE USA, AIG, Lexington, Beazley, C.N.A., AWAC, Chubb, Axis, XL, Hiscox, Zurich, Travelers, Philadelphia Insurance, One Beacon, Hartford, Swiss RE, Endurance, Houston Casualty
  • 77. Claims and Industry Trends (as of 1/31/2014)
    Breach triggers (chart):
    — Paper – 6%
    — Human Error – 14%
    — Privacy Policy – 9%
    — Hack – 24%
    — Rogue Employee – 15%
    — Software Error – 3%
    — Unknown – 7%
    — Laptops – 15%
    — Hard Drives – 5%
    — Other – 2%
    — Lost/Stolen Hardware – 22%
    Industry Breakout
    • Healthcare – 31%
    • Technology – 14%
    • Professional Services – 12%
    • Retail – 10%
    • Financial Institutions – 8%
    Targeted Attacks for PI:
    • Lost/Stolen Devices: 2008 – 41%; 2012 – 17%; 2013 – 17%
    • Hacking and Rogue Employee: 2008 – 31%; 2012 – 44%; 2013 – 44%
    This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
  • 78. Triggers by Industry Segment (as of 1/31/2014) – values read from the four bar charts:
    Trigger | Healthcare | Retail | Technology | Professional Services
    Hack | 4% | 42% | 34% | 21%
    Rogue Employee | 22% | 17% | 10% | 14%
    Lost/Stolen Devices | 25% | 15% | 21% | 32%
    Human Error | 19% | 6% | 9% | 14%
    Privacy Policy | 11% | 15% | 12% | 6%
  • 79. Average Cost of First Party Expenses (as of 1/15/2014)*
    Every breach response is unique; cost range of each service:
    ◦ Legal fees: under $5,000 up to about $250,000
    ◦ Forensics: about $10,000 to seven figures
    ◦ Notification & call center: approximately $3 per record
    ◦ Credit monitoring: payment per enrollee or restoration service
    ◦ Minimal crisis management costs
    Objective: limit third party exposure
    Average incurred cost per service (chart):
    ◦ Legal Fees – $48,091
    ◦ Forensics – $192,049
    ◦ Notification & Call Center – $272,428
    ◦ Credit Monitoring – $157,577
    ◦ Crisis Management – $12,600
    * ACE data; reflects average incurred costs across paid claims
  • 80. Claims Process
    ◦ Pre-breach preparation
      ▪ Identify decision makers
      ▪ Consider vendor relationships and selection for breach response
      ▪ Test incident response plans
    ◦ Notice
      ▪ Contact key personnel internally
      ▪ Contact insurance carrier (if applicable)
    ◦ Engage data breach vendors
      ▪ Data breach coach
      ▪ Forensic and legal investigation
      ▪ Notification and call center
      ▪ Credit monitoring
      ▪ Crisis management
    ◦ Third party claims
      ▪ Class action lawsuits
      ▪ PCI assessments
      ▪ Regulatory fines and penalties
  • 81. Third Party Claims
    Three types of third party claims
    ◦ Regulatory proceedings (less than 2%)
    ◦ Pre-litigation demands (8%)
    ◦ Class action lawsuits (10%)
    Regulatory fines
    ◦ Bad actor – lack of proper response or compliance
    ◦ Repeat offender
    ◦ Lack of internal privacy policies and procedures
    Pre-litigation demands
    ◦ Mostly in healthcare
    ◦ Disclosure of extremely sensitive information
    ◦ Adverse employment action
    (Chart: Lawsuits – 10%; Non-lawsuits – 8%; Regulatory proceedings – 2%)
  • 82. Claims Examples – Retail
    Website Breached: Users of a $250 million online retailer’s website began experiencing fraudulent credit card charges. The retailer’s IT group contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant.
    ◦ Data Breach Fund costs: $750,000 for notification, call center services, and legal fees to determine the insured’s regulatory obligations
    ◦ Privacy Liability costs: $500,000 in assessments for lack of PCI compliance
    Credit Card Information Stolen by Employee: A $100 million retail company’s employee improperly obtained the credit card information of a client and fraudulently used the information to make illegal purchases. The employee was caught and prosecuted. The client’s attorney demanded that the insured provide credit monitoring services and compensate the client for her damages.
    ◦ Privacy Liability costs: $75,000 for the settlement amount and legal fees
  • 83. Claims Examples – Healthcare
    External Vendor Misplaced Laptops: A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory inquiry and was named as a defendant in a class action lawsuit.
    ◦ Data Breach Fund costs: $7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring
    ◦ Privacy Liability costs: $2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries
    Employee Lost Flash Drive: An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various state regulators were also notified in accordance with applicable law.
    ◦ Data Breach Fund costs: $110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory obligations
  • 84. Claims Examples – Misc. Services
    Private Information Disclosed Due to Printing Error: A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately 60,000 envelopes bearing account numbers on the outside of the envelopes.
    ◦ Data Breach Fund costs: $320,000 for notification and credit monitoring services
    Laptops Stolen from Office: Five laptops were stolen from the office of a professional services company. The laptops contained personal information of approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit monitoring costs.
    ◦ Data Breach Fund costs: $200,000 for notification, credit monitoring services, and legal fees
    Personal Information Posted Online: A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the process of notifying the impacted individuals and offering credit monitoring services.
    ◦ Data Breach Fund costs: $150,000 to date for legal fees, notification, credit monitoring, and public relations services
  • 85. Questions? Contact: Brian Bonkoski, ACE Professional Risk, Vice President – (215) 640-5934 – brian.bonkoski@acegroup.com
  • 87. How do I mitigate my risk with the growing use of mobile and portable technologies?
    ◦ Policies and education
    ◦ Social networking awareness
    ◦ Encryption
    ◦ Remote wipes/autolocks
    ◦ Obtaining employee consent
    ◦ Backing up company information on an employee device
    ◦ Do’s and don’ts of mobile use
    ◦ Laptop safety
  • 88. What should I be doing to prepare my company for the increased regulations related to IT security?
    ◦ Understand business activities subject to regulation for privacy considerations
      ▪ Disclosure of PI collection and sharing procedures
      ▪ Website and mobile app privacy
    ◦ Know how changes in business operations impact compliance requirements
    ◦ Accept responsibility for compliance
      ▪ EXECUTIVE MANAGEMENT
      ▪ BOARD OF DIRECTORS
  • 90. What are some of the things I need to consider when using 3rd party service providers?
    ◦ For all vendors:
      ▪ Due diligence on their data security
      ▪ Coordination of representations in privacy policies
      ▪ Allocation of responsibilities in event of breach
      ▪ Terms in vendor agreements: indemnification provisions, access provisions, insurance requirements (cyber and other)
    ◦ Cloud computing
      ▪ Identify the assets for cloud deployment
      ▪ Evaluate the assets
      ▪ Map the assets to the cloud deployment model
      ▪ Evaluate potential cloud service models
      ▪ Map out data flow
  • 91. What should I be doing to prepare the company for a breach?
    ◦ Screen new hires and vendors
    ◦ Annual risk assessments
    ◦ Educate employees
    ◦ Discuss privacy by design with operations people
    ◦ Pre-arrange breach service providers
    ◦ Develop a cross-functional privacy committee for breach planning and response
    ◦ Discuss information collection and disclosure practices with all departments
    ◦ Consider insuring against risks
  • 92. What can I do to better protect my data from cyber crime?
    ◦ Data mapping – understand WHAT your sensitive data is and WHERE it resides
    ◦ Perform a security risk assessment
    ◦ Set security standards
    ◦ Develop comprehensive policies
    ◦ Provide security training
    ◦ Adopt a business plan
    ◦ Spear phishing do’s and don’ts
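The "data mapping" step on slide 92, and the high-risk data categories on slides 49–51, are easier to act on with a small discovery scan that reports where such data lives. The following is an added example (not code from the presentation or from any of the presenting firms): it classifies a set of constructed in-memory documents by whether they contain Social Security numbers, payment card numbers, or e-mail addresses, and returns a category-to-location map. Card candidates are validated with the Luhn check so that phone numbers and invoice ids are not reported; SSN candidates are filtered by the issuance rules the SSA publishes (no 000/666/9xx area, 00 group, or 0000 serial). The document paths, names, numbers and addresses are all constructed test values.

```python
"""Added example: a minimal sensitive-data discovery scan ("data map").

Looks for three of the high-risk data categories the slides list (SSN,
payment card, e-mail) and maps each category to the documents it occurs in.
All documents are constructed inline so the scan runs offline; a real scan
would walk file shares, mailboxes and database exports instead.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Formatted SSN: 3-2-4 digits separated by dashes.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def classify(text: str) -> set[str]:
    """Return the high-risk data categories present in one document."""
    found: set[str] = set()
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.add("payment_card")
    if EMAIL_RE.search(text):
        found.add("email")
    return found


def build_data_map(documents: dict[str, str]) -> dict[str, list[str]]:
    """Map each data category to the document paths where it was found."""
    data_map: dict[str, list[str]] = defaultdict(list)
    for path, text in documents.items():
        for category in sorted(classify(text)):
            data_map[category].append(path)
    return dict(data_map)


# Constructed sample documents; SSN, card number, phone and address are test values.
SAMPLE_DOCUMENTS = {
    "hr/onboarding.txt": "New hire Jane Doe, SSN 123-45-6789, contact jane.doe@example.com",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111-1111-1111-1112",
    "marketing/newsletter.txt": "Call 401-555-0100 for tickets; reference 000-12-3456 is void",
}

if __name__ == "__main__":
    for category, paths in sorted(build_data_map(SAMPLE_DOCUMENTS).items()):
        print(f"{category}: {', '.join(paths)}")
```

On the sample set the scan reports the HR file for both `ssn` and `email` and the refunds file for `payment_card` (only the Luhn-valid number counts), while the newsletter, which contains a phone number and an SSN-shaped string with an invalid 000 area, is left out of the map. Swapping `SAMPLE_DOCUMENTS` for a directory walk turns this into the inventory the slide asks for.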
  • 93. Michael Camacho, CPA, Partner – mcamacho@lgcd.com – (401) 421-4800 x233