370 likes | 622 Views
On The Cutting Edge!. Cyber Security: Pre & Post Breach. Oliver Brew , Liberty International Underwriters John Mullen, Sr , Lewis, Brisbois, Bisgaard & Smith Charles Beard , PwC Amy Stanphill , Eisenhower Medical Center Theodore Kobus , III , Baker Hostetler
E N D
On The Cutting Edge! Cyber Security: Pre & Post Breach Oliver Brew, Liberty International Underwriters John Mullen, Sr, Lewis, Brisbois, Bisgaard & Smith Charles Beard, PwC Amy Stanphill, Eisenhower Medical Center Theodore Kobus, III, Baker Hostetler David Lewison, AmWINS Brokerage Group 28th Annual Blue Ribbon Conference – May 4-8, 2014
Agenda • Eisenhower Medical Center case study (45 mins) • Short break (5 mins) • Cyber security issues, pre-breach planning, issues and trends (70 minutes) • Questions at end of each section • 2 CE credits
Eisenhower Medical Center • Case Study: • Incident Facts • Claims and Coverage • Incident Consequences • Lessons Learned • Recommendations
Eisenhower Medical Center • Coachella Valley not-for-profit hospital • High quality, compassionate care for over 40 years and accredited teaching hospital • Main Campus in 130 acres within Rancho Mirage: • 476-bed hospital, Annenberg Center for Health Sciences at Eisenhower • Barbara Sinatra Children's Center at Eisenhower • Outpatient facilities in Palm Springs, Cathedral City, Rancho Mirage and La Quinta • Betty Ford Center • Philanthropy and volunteerism allow EMC to fulfill its mission
EMC Case Study • Friday, March 11, 2011 • Television and computer stolen from EMC • Monday, March 14, 2011 • Discovered when employee arrived at work after weekend
EMC Case Study Is it a breach? Do you involve law enforcement? Do you hire a forensics company? Do you retain counsel? Do you involve regulatory agencies? Is crisis management necessary? Do you offer credit monitoring? Do you get relief from a “law enforcement” delay?
EMC Case Study • Immediate First Steps: • Investigation • Law enforcement • Insurance • Outside counsel • Forensics • Crisis management
EMC Case Study • Investigation: • Computer was password protected, but not encrypted • Computer contained limited patient index information used by EMC • Information in index file included: patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record numbers (MRNs) • No medical records on the computer • No financial or insurance information on the computer
EMC Case Study • Notification – March 30, 2011: • Over half a million patients affected • Limited personal data • Notified in less than 3 weeks from theft • Credit monitoring Vendor • Mailing and Call Center Vendor • Media • Substitute notice • Agency notifications
EMC Case Study • Post-notification: • Patient inquiries and concerns • Public relations • State and federal agency inquiries and investigation • Litigation • Internal policy and procedure review
EMC Case Study • Cost of response: • Forensics • Notification costs • Credit monitoring • Call center • Crisis response • Legal fees • Defense costs/settlement expenses • Regulatory fines
EMC Case Study Insurance implications Communications Proactive measures
EMC Case Study • Lessons learned: • Prepare and practice a response plan • Respond quickly • Bring in the right team • Preserve evidence • Contain and remediate • Let the forensics drive the decision making • Law enforcement • Document analysis • Involve the C-Suite • Be guarded, consistent, and honest in communications • Plan for likely reaction of customers, employees and key stakeholders • Mitigate harm
Topics • Brief history • Scope of data • Internal and external threats • Regulatory issues • Litigation trends • Practical tips • Future gazing
A brief history Then… 1998 Percentage of developed world using internet And now… 2014 17% 77% Data storage cost $60/GB 5₵/GB Number of Smart phones 0 1.5 billion
Insurance history lesson • 1997: First ‘internet liability’ policy written • 1999: Y2K catalyst to focus on technology risk • 1999 – 2002: Dot-com bubble - first phase growth • 2003: CA 1386 (first notification law) • 2005 – 2010: Breaches on the rise and increasing regulation • 2007: TJX breach • 2009: Heartland Payment Systems • 2013: HIPAA final rule • Compared to auto insurance…?
Data breach history Total Cyber Events and Records Breached* (2004 – 2013) 450m! Record count Number of events *Only Depicting Events with losses >30K Records
Range of industries impacted Cyber Events By Industry (2009 – 2014) *US Companies only Financial services Government Education Healthcare
What information is at risk? • Personally identifiable information (PII) • email addresses, zip codes, phone numbers? • Protected Health Information (PHI) • Payment Card Industry (PCI) information
Threat landscape • Internal threats: employee risk (malicious / inadvertent) • External threats • Regulatory regime • Litigation on the increase
Internal threats *Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) survey Nov 2013 • Employee SNAFUs – 65% of data breaches due to lost paper files and devices* • Malicious intent • Poor practices
Hacking: the glamorous threat Hacktivism - Anonymous Organized financial crime “Just because I can” State sponsored…?
Why the concern? • Costs: Breach response • Reputation: 76% of potential victims will close account with an organization if a breach occurs • 65% would publicly expose a company for failure to safeguard information • Litigation: 53% would be willing to sue Source: Unisys Security Index, Lieberman Researcher Group & Newspoll
State Regulations: notice • 46+ states require notice to customers • Required time to notice: most expedient manner possible (no later than 45 days in FL, OH, and WI) • Affirmative state laws (e.g. NV, MA) • Issues: competing definitions of “Breach”and other terms
Other regulations • HIPAA / HITECH is 2009 expansion of Health Insurance Portability and Accountability Act (HIPAA) • Notice within 60 days when PHI is breached • Requires notice to Secretary of HHS (within 60 days if breach involves 500 or more) • Allows State AGs to bring civil actions for HIPAA violations including failure to notice • PCI DSS – contractually driven obligations from card brands
Litigation trends Injury and Standing • Tri-West, Starbucks, Hannaford Injury and Standing • FTC v Wyndham • Curry v AvMed
Prevention and preparation “Everyone has a plan… until they get punched in the face” - Mike Tyson “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.” • Zappos CEO Tony Hsieh
Safeguard controls People: proper security budget and vigilance Processes: ISO27002, HITECH ready; employee education and training; written management processes; breach response plan Technology: firewalls; intrusion detection software; hardened and patched servers (tested); encryption of PII
Practical issues on data risk • Education and culture • Handheld devices - BYOD • Data hygiene (e.g passwords) • Effective encryption
Practical issues on data risk • Mock breaches – aka “tabletop exercises” • Limit online access to data storage servers • Destruction of hard drives to remove all PII
The future • $5Bn market before 2020* • Continued expansion of buyers • Market consolidation: • Specialists • Everyone else offering add-on • IT risk integrated as part of enterprise risk management • Network risk only increasing *Advisen Research *Advisen research
Questions? Thank You! Oliver Brew, oliver.brew@libertyiu.com John Mullen, Sr, john.mullen@Lewisbrisbois.com Charles Beard, charles.e.beard@us.pwc.com Amy Stanphill, AStanphill@emc.org Theodore Kobus, III, tkobus@bakerlaw.com David Lewison, david.lewison@amwins.com 28th Annual Blue Ribbon Conference – May 4-8, 2014