1. Introductions. Adam Balls: Hylant Group - Client Executive: Public Risk. Currently helps lead Hylant's Public Risk Practice and works personally with over 50 Governments throughout the State. Spencer Timmel: Hylant Group - Client Service Executive: Executive Risk Practice: Cyber Liability Focus.
1. Cyber Security and Identity Theft - Protecting Our Local Governments
3. Topics for Discussion
Third Party Liability
Network Security Liability
Privacy Liability
First Party Expense
Privacy Laws
Associated Costs & Statistics
Cyber Loss Examples
Policy Gap Analysis
4. What are some of the typical Cyber Risks?
Third Party Liability Exposures:
Internet Liability Exposures - Intellectual property, personal injury and third party liability associated with a website, including domain name or trade name infringement, copyright, defamation, deep linking, meta tags, framing, etc.
Network Security Liability is the liability associated with a virus, hacker or denial of service attack originating from your system, email or internet site (i.e. Contingent Business Income Loss)
Privacy Liability is the liability arising from theft of personal data in electronic format or any other format, such as hard copy information
5. What type of exposures are there related to Cyber Liability?
First Party Loss/Expenses:
Expenses associated with disclosure costs and/or credit monitoring fees from a theft of private and confidential information.
Costs associated with utilizing a public relations firm to mitigate reputational damage associated with a denial of service attack, theft of confidential information, etc.
Defense coverage for claims brought by the FTC or any regulatory authority for claims involving theft of personal and confidential information
Fines and Penalties brought by the FTC or similar state authority due to the loss of personal and confidential information
Punitive Damages.
Expenses due to assets/systems/data being damaged from a virus, hacker attack, denial of service attack, etc.
Loss of your income from a hacker attack, denial of service attack, etc.
6. OH Security Breach Notification Law (2/17/2006)
Applicable to entities that “conduct business” in Ohio; a physical presence is not required
Notification is required if the personal information of an Ohio resident is acquired, or reasonably believed to have been acquired, through a “breach of security of a system”
A “breach of the security of a system” requires the following elements:
Unauthorized person accesses and acquires computerized data
The security and confidentiality of personal information is compromised
Material risk of identity theft or other fraud to an Ohio resident
Personal Information = individual’s first name or first initial and last name in combination with one of the following:
Social Security Number
Driver’s license number or state identification card number
Account number or credit/debit card number in combination with any required access code
Notification in writing or by telephone in the most expedient manner reasonable but in no event later than 45 days after learning of the breach
Include date of breach, information disclosed, response to the breach, toll-free number/email for questions; pay for credit monitoring services
7. Federal Identity Theft Laws
HITECH Act: Effective February 17, 2009 - Amends and modifies HIPAA to include notification requirements
Red Flag Rules: Enforcement date: August 1, 2009 – Requirement to implement an Identity Theft Prevention Program
“Creditor” – regularly extends credit / accepting payment over time
“Covered Accounts” – credit accounts maintained primarily for personal, family or household use…and any other account for which there is a reasonably foreseeable risk of identity theft
Federal Data Breach Notification: None Yet but Stay Tuned!
8. Associated Costs & Public Entity Loss Examples
Network security breaches cost companies an estimated $90-$305 per lost record (Source: Forrester Research). This figure includes:
Legal fees
Call center costs
Lost employee productivity
Regulatory fines
Loss of investor / public confidence
Customer losses
Regional Transit Authority - Social Security numbers had been sent to dozens of health-insurance companies
County MRDD - Three laptop computers were stolen from the agency’s office. They contained personal information on mental health clients, including SSNs
Battle Creek City, MI - Mayor posted a document with personnel information to a public Web site.
9. Public Entity Loss Examples (cont.)
Ohio City: population 15,000 – Hackers breached security in one of the city’s three computer servers containing personal information on some city employees, including names and SSNs
Ohio School District – A laptop containing personal information of current and former employees of Springfield City Schools, including their names and SSNs, was stolen from a state auditor employee’s vehicle while parked at home in a garage.
New York Police Department – accused of stealing eight tapes containing the Social Security numbers and direct-deposit information for 80,000 current and retired cops.
Ohio City: population 30,000 - Police department published a report on their website containing names, SSNs and driver’s license numbers on nearly 200 people.
County Clerk of Courts – SSNs and other personal data of residents were posted on the county web site. This information was used to commit identity theft.
10. Policy Gap Analysis