Post on 26-Dec-2015
transcript
Leadership, Knowledge, Solutions…Worldwide.
Privacy & Data Security
Understanding Identity theftThe art of managing a crisis
Jim Leonard – Marsh FINPRO
Marsh—Leadership, Knowledge, Solutions…Worldwide. 2
Agenda
Industry issues
Fraud facts (myth busting)
The target
The thief/ threat environment
Case studies
Investigating & managing an event
Quantifying the cost
Available coverage
Best practices
Marsh—Leadership, Knowledge, Solutions…Worldwide. 3
Identity Theft and Fraud
Industry Issues– FTC Estimates nearly 10 Million victims per year– Many victims don’t know or don’t report– Fastest growing white collar crime in America– Average 175 hours and $1,500 to resolve– Tremendous media exposure
Common Types of Fraud– Current Credit – Credit Card, Debit Card, Phone Card– Identity Fraud using:
Your name and SS# to:- Establish new credit- Commit other criminal activity
ID Theft goes far deeper than your credit!
Marsh—Leadership, Knowledge, Solutions…Worldwide. 4
Fraud Facts
Other forms of Fraud
Driver’s License
Health Benefits
Insurance Fraud
Rental Housing
Utilities
Government Benefits
W-2 Fraud
Marsh—Leadership, Knowledge, Solutions…Worldwide. 5
The Target
Absolutely everyone with identifying information– Average consumer is most common victim– If you have:
A Social Security number Credit worthiness is a bonus
– Few consumers become victims because of their internet use
Common Identity Thief’s MO (Volume, not Value)– Gain access to large numbers of potential
victims– Keep a low profile– Victimize average consumers over long periods– Sell or Trade Identities
Marsh—Leadership, Knowledge, Solutions…Worldwide. 6
The Thief
Shadow Crew E-bay-like environment for buying/selling identities
Job Fairs Improper vetting of employers
Methamphetamines and Gangs Boxes of physical papers of identities Hospitals, Auto Dealerships
Fraud Rings Collaborative hiring
W2 Fraud and Arizona #1 ID Theft circumstance #1 State for ID Theft
Broken Business Practices Your employees Human factors are at hand
Identities are a currency
Marsh—Leadership, Knowledge, Solutions…Worldwide. 7
Threat Environment
What is your breach universe?
What do you think the most likely cause is of an event?
– Hacking– Extortion– Lost or stolen devices– B & E’s– Internal fraud– disgruntled employee
Marsh—Leadership, Knowledge, Solutions…Worldwide. 9
Case Studies
Internal Fraud (40 cases last year)
Laptops – laptops - laptops
Healthcare Provider loses 20 years worth of data
HR Employee takes work home over the weekend
Foreign National takes money and identities
Healthcare Provider believes it loses data on 275,000 patients
Employee receives email and sends it to personal email, then forwards again
Company instructs victims to “Freeze their Credit”
Marsh—Leadership, Knowledge, Solutions…Worldwide. 10
Identifying an Event
Do you have an investigative procedure?
Validate what information was lost, regardless of media– Laptop, CD, thumb drive, I-Pod, PDA, back ups, paper
files, third party, rogue employee– External counsel– Forensics investigator– General investigations– PR & Communications
Marsh—Leadership, Knowledge, Solutions…Worldwide. 11
Managing the Event
How do you notify victims of the event?– Mail? Email (E-sign act)? Publicly?
What is your deliverable to the victims?– You can’t just say “We breached your data and
here is a list of things you can do to protect yourself”
Notify correctly vs. quickly– What should you say?
Call center (questions and answers)
Credit reports and monitoring
Insurance vs. Resolution
Additional exposure– Current victims
Audience segments
Marsh—Leadership, Knowledge, Solutions…Worldwide. 12
2010 U.S. Cost of a Data Breach StudyPonemon Institute
Data breach incidents cost US companies $214 per compromised customer record in 2010, compared to $204 in 2009
The average total cost per incident increased to $6.75M, up from $6.65M in the previous year
The cost of a data breach as the result of malicious attacks and botnets were more costly and severe
Negligent insider breaches have decreased due to awareness and training on protecting private information. 58% have expanded their use of encryption
Third party organizations accounted for 42% of all breach cases. These remain the most costly due to additional investigation and consulting fees
The most expensive case in the study cost nearly $31,000,000 to resolve, the least was $750,000
The study was comprised of 45 breaches with a range of 5,000 to 101,000 compromised records
Marsh—Leadership, Knowledge, Solutions…Worldwide. 14
Available Coverage Overview
Network Security Liability: Liability to a 3rd party as a result of a failure of company's network security to protect against destruction, deletion or corruption of a 3rd party’s electronic data, denial of service attacks against Internet sites or computers; or transmission of viruses to third party computers and systems.
Privacy Liability: Liability to a 3rd party as a result of company's failure to properly handle, manage, store or otherwise control personally identifiable information, corporate information identified a confidential and protected under a nondisclosure agreement and unintentional violation of privacy regulations.
Regulatory: Defense expenses and civil fines or penalties paid to a governmental entity in connection with an investigative demand or civil proceeding regarding actual or alleged violation of privacy laws
Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a public relations firm for the purpose of protecting/restoring company's reputation as a result of the actual or alleged violation of privacy regulations.
Marsh—Leadership, Knowledge, Solutions…Worldwide. 15
Available Coverage Overview
Network Business Interruption: reimbursement of the company's own loss of income or extra expense resulting from an interruption or suspension of its systems due to a failure of network security to prevent a security breach.
Data Asset Protection: recovery of the company's costs and expenses incurred to restore, recreate or regain access to any software or electronic data from back-ups or from originals or to gather, assemble and recreate such software or electronic data from other sources to the level or condition in which it existed immediately prior to its alteration, corruption, destruction, deletion or damage.
Cyber Extortion: ransom or investigative expenses associated a threat directed at the company to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the Insured, introduce malicious code into the company's computer system; corrupt, damage or destroy company's computer system, or restrict or hinder access to the company's computer system.
Marsh—Leadership, Knowledge, Solutions…Worldwide. 16
Coverage Overview with Examples
Coverage Example Limit of Liability Retention
Security Liability Hacking, virus transfer
Up to $150,000,000 $25,000 and up
Privacy Liability Customer information breach
Up to $150,000,000 $25,000 and up
Forensics Investigation Up to $10,000,000 Ranges from NIL and up
Privacy Breach Notification Costs
State privacy laws require notification
Up to $10,000,000 or 2,000,000 records
Ranges from NIL and up
Loss mitigation coverage Credit monitoring Up to $10,000,000 Ranges from NIL and up
1st Party Data Protection Rebuild your damaged data from computer attack
Up to $100,000,000 $25,000 and up
1st Party Network Bus. Int. (“NBI”)
Loss of revenue due to computer attack
Up to $100,000,000 A combination of the greater of $25,000 + or 8 to 12 hours
Defense Costs/Fines & Penalties for Regulatory Actions
FTC or AG claims for privacy breach
Up to $25,000,000 Ranges from NIL and up
Marsh—Leadership, Knowledge, Solutions…Worldwide. 17
Your risk identification…..
Potential Risk Event LikelihoodPotential Impact
Website copyright/trademark infringement claims
Legal liability to others for computer security breaches(non-privacy)
Legal liability to others for privacy breaches
Privacy breach notification costs & credit monitoring
Privacy regulatory action defense and fines
Costs to repair damage to your information assets
Loss of revenue due to a failure of security or computer attack
Loss of revenue due to a failure of security at a dependent technology provider
Cyber Extortion Threat
Marsh—Leadership, Knowledge, Solutions…Worldwide. 18
Best Practices for Breach Preparedness and Prevention
Pre-Arrange a Breach Service Provider, External Counsel and Reputational Risk Advisor – all specializing in Privacy Law and “Breach” Crisis Management
Provide “Certification” through e-Learning to employee base on safeguarding data
Develop an Incident Response Plan– Internal Staff– Outside Counsel– Reputational Risk Advisor– Breach Service Provider
Conduct annual Risk Assessments and Tabletop Exercises
Hold an internal “Privacy Summit” to identify vulnerabilities– Risk– Compliance and Privacy– HR– Legal– IT– C-level representation (CFO)– Physical Security / Facilities