1 / 19

Privacy Liability and Network Security

Privacy Liability and Network Security. May 17, 2011. Eric M. Wright , CPA, CITP PRESENTER Shareholder, Technology Advisory Services Schneider Downs & Co., Inc. L. Spencer Timmel , CITRMS PRESENTER Privacy and Network Security Specialist Hylant Executive Risk Practice.

sovann
Download Presentation

Privacy Liability and Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Privacy Liability and Network Security May 17, 2011 Eric M. Wright, CPA, CITP PRESENTER Shareholder, Technology Advisory Services Schneider Downs & Co., Inc. L. Spencer Timmel, CITRMS PRESENTER Privacy and Network Security Specialist Hylant Executive Risk Practice

  2. Table of Contents • Privacy Related Risks – What are we talking about? • Legal Perspective • Target Industries • Privacy Incident Loss Examples • Unplanned Cash Flows • Privacy Incident Costs • Traditional Insurance Policy Gap Analysis • Mitigating the Risk and Questions for your IT Staff • Cyber/Privacy Products • Evaluating Insurance as an Option - What should you expect?

  3. PII and PHI Personally Identifiable Information (PII): • Individuals name, consisting of the individual's first name or first initial and last name, in combination with… • Social Security Number • Drivers License Number or State Identification Number • Credit Card, Debit Card, Financial Account Numbers Protected Health Information (PHI) • Any information that relates to the past, present, or future physical or mental health or condition of an individual; Electronic, Paper or Oral

  4. Legal Perspective State Privacy Breach Notification Law • 48 states/territories with legislation, including D.C. and Puerto Rico • Kentucky and Alabama have introduced bills • South Dakota and New Mexico have yet to make a move • Massachusetts: A bit watered down since its initial form, but still requires organizations who do business in the state to inventory personal information and educate employees about safeguards • Subject to the state the affected party resides, not where you are headquartered or where the breach occurred Health Insurance Portability and Accountability Act (HIPAA) “…maintain a reasonable and appropriate administrative, technical, and physical safeguard to prevent use or disclosure of protected health information.” Federal Privacy Breach Notification Law: “not yet, but…” Obama’s recent push & Kerry/McCain Privacy Bill of Rights

  5. Legal Perspective (cont.) Gramm-Leach-Bliley Act (GLBA) • Businesses that are engaged in traditional banking, lending and insurance functions • Privacy Rule “…insure the security and confidentiality of customer information: protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer” “FACT” Act (Red Flags Rule) • Creditors and Financial Institutions with covered accounts • Implementation of an Identity Theft Prevention Program that accomplishes the following: • Identify and outline “Red Flags” • Monitor for and detect “Red Flags” • Mitigate when “Red Flags” are detected • Update the Identity Theft Prevention Program periodically

  6. Target Industries • Retail • Healthcare • Financial Services • Colleges, Universities and Municipalities • Data Processors and Data Storage Companies

  7. Privacy Incidents • Heartland Payment Systems (01/09): 130 million credit card numbers breached • Sony Corp (4/11): 102 million records, 12 million credit card numbers; dual attack • Michaels Stores (05/11): 10,000 credit card numbers; pin pad tampering • Starbucks (11/08): 97,000 social security numbers of employees: lost laptop • HealthNet (01/11): 1.9 million PHI records: 9 servers missing (05/09): 1.5 million PHI records: portable disk drive missing • BC/BS Tennessee (10/10): 1 million+ PHI 57 hard drives stolen • State University (12/2010): 750,000 PII records: Unauthorized access • E-mail data management firms (12/10) & (3/11)

  8. Unplanned Cash Flows • State and/or Federally Mandated Notification Costs • Forensic Investigation, Data Restoration Expenses, Assets Damage • Brand Preservation: Voluntary Notification, Credit Monitoring, Public Relations Expense • Defense and Indemnity Expense from 3rd Party Allegations • Regulatory Defense Costs • Regulatory / PCI Fines and Penalties • Business Income Loss

  9. What is a privacy incident going to cost me? Summary of Ponemon Institute, LLC’s 2010 Annual Study: Cost of a Data Breach: • Continued trend of increased average cost and per record cost, $7.2 million (+7%) and $214 (+5%), respectively. • Direct costs increased 22% to $73 per record. (legal counsel, notification letters, credit monitoring, etc.) The increase is driven by the rising legal defense costs.

  10. What is a privacy incident going to cost me? Ponemon Institute 2010 (cont.) • Data Breaches from malicious attacks are up 7% from 2009 having doubled the year before. The cost per compromised record for these types of breaches has skyrocketed to $318 per record. This increase reinforces the extreme danger hostile breaches pose. • Class Action suits from breach victims have yet to gain traction as it is difficult to prove damages. (It’s just a matter of time, Sony? RockYou?) • More organizations favor rapid response than ever before, but it seems to be costing them. Notification within one month of discovery increases the cost per record by $94, totaling $268. Is this tied to overreaction, a business decision to protect the brand, or a response to meet more stringent data breach notification laws?

  11. Policy Gap Analysis General Liability Insurance– Coverage for bodily injury or property damage - Intentional acts are excluded - Intangible property is excluded Property Insurance– Coverage for loss of tangible property caused by a covered peril - Computer viruses are excluded - Intangible property is excluded - Business interruption coverage only applies if there has been a direct physical loss or damage to covered property Crime Insurance– Coverage for theft of money, securities or other property - No coverage for theft of information, trade secrets and other types of confidential information Directors & Officers Liability Insurance– Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity as such

  12. Mitigating the Risk – “a RM Perspective” There are several ways that Risk Management can help to mitigate the risk to cyber related losses: • Understand the role of IT and their perspective on this area of risk (How do they prevent internal and external breaches, where are the vulnerabilities, what has been the history of breach incidents, what is the process for responding to a breach, involvement of RM in that process, etc.) • Evaluation of contracts with outside service providers, specifically 3rd party IT, data storage or data processing vendors • Require and obtain certificates of insurance for both Professional E&O and Privacy/Cyber Liability coverage • Outside Quiet Audit by a third party IT Security assessment firm • Evaluate the need for insurance as a “safety net” to other internal and external safeguards

  13. Top Data Breach Prevention and Detection Controls to Ask • Sensitive Data Storage • Do we know what types of sensitive data (if any) we have and how we are storing and transmitting it? • Have we performed a risk assessment to understand what kind of impact a breach may have on our organization? • Access to Sensitive Data • Have we restricted access to any sensitive data or systems appropriately? (Unique accounts, strong passwords, etc.) • Encryption • Do we have encryption in place regarding: • transmission of secure data files? (FTP) • communications that may contain sensitive information? (Email) • Handling of devices that contain sensitive information? (Laptops, Backup Media, etc.) 13

  14. Top Data Breach Prevention and Detection Controls to Ask 4. Server Patching • Do we have a patch management solution in place to ensure that all critical patches are installed on our servers in a timely manner? 5. Firewall Protection • Do we have a firewall in place that has been updated to reflect the most recent best practice settings? 6. Intrusion Detection • Do we have an appropriate solution in place in order to detect and alert us to suspicious activity that is taking place on our Network? 7. Anti-Virus Protection • Do we have a central anti-virus solution in place that updates all workstations and servers regularly? 14

  15. Top Data Breach Prevention and Detection Controls to Ask 8. Vulnerability Testing and Internal Control Reviews • Do we regularly test our Network resources and security in order to evaluate it for any weaknesses? • Do we evaluate our internal controls for weaknesses? 9. Information Security Policy • Do we have a policy in place that addresses our approach and our internal requirements regarding Information Security and our expectations to our employees? 10. Incident Response Plan • Have we identified our responsibilities in the event of a data breach and the steps that we need to take to reduce the damage and maintain forensic evidence of the breach and any data lost? 11. Know whom you’re sharing your data with • Do we have a strong vendor management policy? 15

  16. Cyber/Privacy Liability Insurance Cyber/Privacy Liability coverage can provide protection for: • Privacy Violations – Electronic and Non-Electronic • Intellectual property infringement • Security breaches • Internet, network programming errors and omissions • Business interruption causing loss of revenue and extra expense • Destruction, disclosure and theft of electronic data • Fines and Penalties and Punitive Damages • Post-Event Crisis Management Expenses • Regulatory Defense, Fines and Penalties Coverage • Cyber Extortion Market Place • Market Evolution: Lloyd’s vs. Domestic • Capacity

  17. Evaluating Insurance as an option - What to Expect? Exposure Analysis and Policy Review: • Every policy is different and careful analysis of risk will allow the broker to tailor the most appropriate coverage at the most competitive price • Work with a broker that is a technical specialist on this coverage – many of the policy forms available in the marketplace need to be enhanced in order to obtain the broadest available coverage Obtaining a proposal: • A relatively simple process – Depends on Industry, Size and Operations • Application, Financials, conference call with IT Security or CIO

  18. Spencer Timmel, CITRMSHylant Group As a member of Hylant Group’s Executive Risk Practice, Spencer serves as the Cyber Security and Privacy Liability specialist. He provides consultative support to clients and oversees the placements of this and other Executive Risk insurance in all industry classes. Prior to joining Hylant, he was an Executive Protection Underwriter for the Chubb Group of Insurance Companies and the Cincinnati Insurance Company. Bachelors degree in Business, Finance from Ohio University Masters in Business Administration from Xavier University Specialties Cyber Security and Privacy Liability;Directors and Officers Liability;E&O Liability;Employment Practices Liability;Fiduciary Liability;Crime/Workplace Violence/Kidnap/Ranson & Extortion Coverage Contact Information: Office (513) 354-1656 Cell: (513) 518-1535 E-mail: spencer.timmel@hylant.com

  19. Eric M. Wright, CPA, CITPSchneider Downs & Co., Inc. Eric has been involved with Information Technology with Schneider Downs since 1983. He is responsible for the firm’s IT compliance services. Eric has performed IT audits on a number of systems, including SAP, Oracle, J.D. Edwards and Lawson and has a strong understanding of the application controls that are available in each of these systems. In addition to helping our clients with their SOX initiatives, he has also assisted clients with becoming PCI-DSS compliant, ISO 27001 certified and performed NIST security audits. Bachelors Degree in Mathematics and Computer Science from Waynesburg University Member— Pennsylvania Institute of Certified Public Accountants Ohio Society of Certified Public Accountants The American Institute of Certified Public Accountants - M.I.S. and High Tech Division Contact Information: Office (412) 697-5328 E-mail: ewright@schneiderdowns.com

More Related