Network Security & Privacy Landscape
Presented By: Pam Townley, AVP / Eastern Zonal Manager, AIG Professional Liability Division; Jennifer Bolling, Account Executive
Agenda
• Network Security – Overview
– Latest Threats – Exposure Trends – Regulations
• Claim Examples
• Security & Privacy Coverage
– Coverage Parts
– Gaps in Traditional Coverage
Data Security – Not Just an IT Problem
• Information security viewed as an IT Problem vs.
Enterprise-wide risk management issue
- Misconception that IT alone can safeguard the
organization
- Failure to address the human element and not just
the technology
• Negligence is the leading cause of a data breach, at 41%
of all reported cases
• Physical breaches accounted for 29% of all data
breaches in 2010, up 14% from 2009
Sources: Ponemon Institute Cost of a Data Breach Report 2010 & Verizon Business 2011 Data Breach Investigations Report
Some Quick Stats
Sources: Carnegie Mellon Governance of Enterprise Security: CyLab 2010 Report, Ponemon Institute Cost of a Data Breach Report 2010 & Verizon Business 2011 Data Breach Investigations Report
• $214 per record is the average cost of a data breach, with
an average total per-incident cost of $7.2 million in 2011
• 98% of senior executives indicated that their boards were
not “actively addressing” IT operations and vendor
management in a 2010 Carnegie Mellon survey
• 96% of breaches could have been avoided if reasonable
data security controls had been in place at the time of
incident
Causes of Publicly Reported Breaches
(Pie chart: share of publicly reported breaches by cause)
– Laptop Theft or Other Device: 33%
– Negligent Employee: 22%
– External Hackers: 15%
– System Failure: 10%
– 3rd Parties - Partner, Outsourcer: 10%
– Lost Media Back Up: 5%
– Social Engineering: 5%
Highly Targeted Information
• Personal Identifiable Information (PII)
– For example, first name, last name, Social Security number, Date of Birth (Current breaches: http://www.privacyrights.org)
• Financial Account Information
– Credit Card data
– Bank account and PIN information
• Patient Healthcare Information (PHI)
– Patient medical information can be stolen & sold
• Corporate Confidential Information
Impact of Social Media Networks
• How can a Social Media Network lead to a breach?
– Provides a source of information for hackers looking to create a Phishing scheme on an intended target.
– Provides different avenues with which a person can disseminate private or confidential information.
– Provides opportunities for viruses, trojan horses, etc to infiltrate a system
• 20% of companies have investigated the exposure of confidential,
sensitive or private information via a post to a social networking site.
• 53% of companies identify Facebook and LinkedIn as a high
concern for information leakage.
Source: “Fear of data loss, social media security risks rising” by Joan Goodchild
What Can Cause a Breach…
• Storage of prohibited / unnecessary data (magnetic
stripe, secret PIN, old data)
• Malware impacting computer systems
• Employee / Contractor privileged access misuse
• Vendor default settings and passwords
• Physical security breach
Regulatory Environment
• Increased industry, regulatory and legislative focus on security due
to high profile data compromises
– Massachusetts 201 CMR 17 + State Notification Laws
– Revised Health Insurance Portability and Accountability Act (HIPAA) > HITECH act for Protected Health Information (PHI) to include business associates doing business with healthcare organizations
– Payment Card Industry Data Security Standards (PCI DSS)
– Fair and Accurate Credit Transaction Act (FACTA)
– “Red Flag Rules” imposed by Federal Trade Commission
– Pending Federal Legislative initiatives
State Notification Laws
Source: NCSL State Security Breach Notification Laws; http://www.ncsl.org
• Only 3 states do not have notification provisions:
Alabama, New Mexico and South Dakota
• Most states define a “breach” as unauthorized access to
unencrypted, computerized personal information which is generally first name, or first initial and last name, plus:
- Social Security number; or
- Driver’s license or state ID card number; or
- Financial account, credit or debit card number, along with required access code or password
• Massachusetts law requires any businesses handling personal
information of state residents to proactively develop, execute and maintain a program to protect this information
HIPAA Data Breach Notification
• HITECH act altered HIPAA
- Privacy and Security rules implemented under HIPAA to cover business associates (legal, accounting, claim, data aggregation, finance, benefits management) 45 CFR 160.103
- A business associate is someone who, on behalf of a covered entity, performs an activity involving Protected Healthcare Information (PHI)
- A covered entity is a health plan, clearinghouse, physician, or hospital
• What does this mean for business associates?
- Business associates have affirmative duty to protect PHI and it should be stated in written agreement with covered entities
- They need to implement policies to prevent, detect and contain security violations of unsecured electronic PHI and develop safeguards
- Compromised business associate must report breach to covered entity
- Breaches affecting over 500 individuals in a year are posted on the Health and Human Services (HHS) website, in addition to the notice sent to each individual
PCI-DSS (Payment Card Industry Data Security Standard)
• Pressure to Enforce Tighter Standards due to recent breaches
- Estimated that less than 10% of Level 4 merchants are compliant
- Payment processors are held to higher standards by VISA

Level / Tier  Merchant Criteria                                              Validation Requirements
1             Any merchant processing over 6M transactions                   Annual Report on Compliance; Quarterly scan by ASV
2             Any merchant processing 1M to 6M transactions                  Annual self-assessment; Quarterly scan by ASV
3             Any merchant processing 20,000 to 1M e-commerce transactions   Annual self-assessment; Quarterly scan by ASV
4             Any merchant processing less than 1 million transactions       Recommended self-assessment; Scan requirement set by acquirer
              (20,000 e-commerce)
Red Flags Rule
• Purpose:
- FTC requires certain entities to protect against identity theft
- Implement policies and procedures to detect suspicious activity
• Red Flag is a pattern, practice or specific account activity that indicates
possibility of Identity theft on covered account. www.ftc.gov/redflagsrule
• Red Flag Compliance requires:
- Initial Risk Assessment and Policies manual
- Staff Training and Program Implementation
- Change of Address Verification
- Confirm Authentication and Risk Reduction
• Who has to comply?
- Any “financial institution” or “creditor” (extends or renews credit)
- Often will include retailers, automobile dealers, utilities, health care
Claim Example – Hacking
The Claim:
Try Media’s ActiveStore application (POS software) was hacked and credit card information was obtained on roughly 12,500 individuals. The intruders were able to steal information for approximately a month at the end of 2011.
How to Apply This to You:
• No such thing as impenetrable IT systems
• Often times you don’t even know you’ve been hacked
• What is your response plan?
Claim Example – Employee Negligence
The Claims:
1. An employee of Towers Watson accidentally posted personal information of nearly 400 current and former
Sequoia Hospital employees. Names and social security numbers were disclosed.
2. Approximately 2,000 patient records including names,
Social Security numbers, addresses and more were found in a trash can. They were traced to Ayuda Medical Case Management. The boxes were auctioned off after the owner failed to pay the rental fee on a storage unit.
How to Apply This to You:
• Employee training matters
• Monitor employee access to sensitive data
Claim Example – Stolen Portable Media
The Claim:
A laptop was stolen from Triumph, LLC with over 2,000 people’s confidential data on it. 2 men distracted the receptionist, while a third stole the laptop from down the hallway. Names, dates of birth, medical records, insurance numbers and Medicaid numbers were disclosed.
How to Apply This to You:
• Physical controls & employee training
• Remote wipe capabilities
• Encryption (whole disk) for sensitive data on portable media
Claim Example – Rogue Employee
The Claims:
1. A rogue employee at Hackensack Medical Center was accessing and stealing patient information including names, Social Security numbers, address, dates of birth, driver’s license numbers, health insurance cards and other
information. Around 500 people were affected.
2. A Staples cashier used a skimming device to steal credit card information and sold it to a third party. Only 50 numbers were stolen, which amounted to $181,000 in fraudulent purchases.
How to Apply This to You:
• Rogue employees can circumvent your IT security
• Large black market for personal information with growing connection to organized crime
Claim Example – Mailing / Vendor Error
The Claim:
A mailing error at the Illinois State Treasurer's Office left the social security numbers of over 36,000 people visible from the outside of envelopes mailed in October of 2011. The sensitive data was printed on the wrong part of the letter.
How to Apply This to You:
• Know your vendors and your responsibilities in the event of a loss
• Contractual indemnity language is important
Cost Variation - Dependent on Vendor Selection

Service                                   Insured's Vendor Cost   Chartis IDT Vendor Cost   Savings
Legal Assistance with Notification Letters   $24,190              $10,000                   $14,190
Print/Mail Letters                           $63,551              $56,341                   $7,209
Call Center Services                        $118,642              $66,852                   $51,790
Identity Monitoring Services                $683,996             $317,297                  $336,698
Totals                                      $885,379             $450,490                  $439,888

• Healthcare organization
• Breach of approx 50,000 records, including social security numbers
• Two years of credit monitoring services provided to victims
What are the Consequences of a Breach
• Breach Notification Costs
- Average industry consumer notification cost approx $12 per individual
• Identity Monitoring
- Estimated approx $40 per person per year
• Regulatory Actions
- Always changing
- Costs to defend and fines/penalties
• Lawsuits & Defense Costs
- Liability for damages
- Costs of defense are rising
• Unbudgeted Expenses
- Lost man hours and resources
• Reputational Damage
- Lost customers/revenues – estimated 66% of the financial impact on a
company from a data breach
Security & Privacy Insurance
• Security and Privacy Liability (3rd party)
- A successful computer attack against an insured that causes
harm to a third party
- A wrongful disclosure or breach of private or confidential data
• Event Management/ Information Asset (1st party)
- Notification costs (print/mail letters)
- Identity Monitoring/Consumer ID Protection
- Forensic investigation
- Legal assistance to determine appropriate response
- Public relations to restore the insured's reputation
Gaps in Traditional Coverage
• Traditional insurance policies frequently exclude intangible
exposures, such as data loss due to virus, web attacks, and lost laptops
• The following coverage is confined to physical perils such as fire,
flood, fraud and theft:
– Commercial General Liability (CGL)
– Property
– Crime / Fidelity
• Although most cyber incidents are not covered by traditional insurance, 65% of respondents in the Carnegie Mellon study indicated that their boards are not reviewing insurance coverage for cyber related risks.
Risk Mitigation at the Enterprise Level
• Commitment from Senior Level Management
• Information Technology
• Most Recent Technologies and Change Management
• Limit Access to Sensitive Data
• Legal
• Understand the Changing Regulatory Environment
• Implement Plans to Respond to a Breach in a Timely and Compliant Manner
• Vendor Management
• Proper Vetting of 3rd Party Vendors
• Contract Management
• Human Resources
• Proper Hiring and Termination Techniques
• Employee Training on How to Classify and Handle Data
• Data Retention
• Don’t Keep What You Don’t Need
• Safe & Secure Methods of Disposing of Data
• Risk Control
• Physical Security
• Written security policies
Questions and Answers
Pam Townley; [email protected]; 770-671-2282
Jennifer Bolling; [email protected]; 205-986-7711
www.aig.com www.ajgrms.com