What is a privacy breach / security breach?

What is a breach?

What is a privacy breach / security breach?

Privacy breach: The theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third party corporate confidential information that is in the care, custody or control of the organization, or of an agent or independent contractor that is handling, processing, storing or transferring such information on behalf of the organization.

Computer security breach:
- The inability of a third party, who is authorized to do so, to gain access to an organization's systems or services;
- The failure to prevent unauthorized access to an organization's computer systems that results in deletion, corruption or theft of data;
- A denial of service attack against an organization's internet sites or computer systems; or
- The failure to prevent transmission of malicious code from an organization's systems to a third party's computers and/or systems.

How do data breaches occur?
- Internal, accidental: lost devices and inadvertent publication of data
- Internal, intentional: disgruntled employees
- External, accidental: vendors and subcontractors
- External, intentional: hackers and unsecured websites

The C-Suite: balancing the needs
- CEO and Board
- Business & financial: CFO / COO
- Technology: CIO / CTO
- Legal & regulatory: CLO / CRO

Statistics

Verizon 2015 Data Breach Investigations Report, by the numbers:
- 28.5% POS intrusions
- 18.8% crimeware
- 18% cyber espionage
- 10.6% insider misuse
- 2,122 confirmed data breaches (up from 1,367 in 2014)
- 79,790 reported security incidents (up from 63,437 in 2014)
- 61 countries represented (down from 95 in 2015)
Source: Verizon 2015 Data Breach Investigations Report, using 50 contributing global organizations.

Verizon 2015 Data Breach Investigations Report: confirmed data breaches by industry
Top 3 industry classes (2,122 confirmed breaches):
- Finance: 465
- Public sector: 175
- Retail: 148
How did the 79,790 incidents occur?
- Miscellaneous errors: 18%
- Crimeware: 20%
- Insider misuse: 25%
Source: Verizon 2015 Data Breach Investigations Report, using 50 contributing global organizations.

NetDiligence 2015 claims study: preliminary findings (sample size 160 insured claims)
Data type:
- PII: 45% (41% in the 2014 study)
- PHI: 27% (21% in the 2014 study)
- PCI: 14% (19% in the 2014 study)
Cause of loss:
- Hackers: 31%
- Malware/virus: 14%
- Staff mistakes and rogue employees, tied: 11% (first time rogue employees appear in the top 3 causes)
Business sectors:
- Healthcare: 21%
- Financial services: 17%
- Retail: 13% (the largest breaches occurred in retail)
Company size:
- Nano-cap (under $50 million in revenue) experienced the most incidents: 29%
- Small-cap (under $2B in revenue) followed closely: 25%
Source: Cyber Risk Claims: A Review of Industry Losses Paid Out, NetDiligence 2015 Study (sample size = 160 insured claims)

NetDiligence 2015 claims study: percentage of breaches by data type (pie chart). Categories: PII (45%), PHI (27%), PCI (14%), Non-card Financial, Trade secrets, Other, Unknown. Source: NetDiligence 2015 Cyber Claims Study (sample size = 160 insured claims)

NetDiligence 2015 claims study: percentage of breaches by cause of loss (pie chart). Categories: Hacker (31%), Malware/Virus (14%), Rogue employee (11%), Staff mistake (11%), Lost/stolen laptop/device, Paper records, System glitch, Theft of hardware, Theft of money, Wrongful data collection, Other. Source: NetDiligence 2015 Cyber Claims Study (sample size = 160 insured claims)

NetDiligence 2015 claims study: percentage of breaches by business sector (pie chart). Categories: Healthcare (21%), Financial Services (17%), Retail (13%), Energy, Entertainment, Gaming & Casino, Hospitality, Manufacturing, Media, Non-Profit, Professional Services, Restaurant, Other. Source: NetDiligence 2015 Cyber Claims Study (sample size = 160 insured claims)

Changes in the landscape
- Neiman Marcus (7th Circuit Court of Appeals): "Customers should not have to wait until hackers commit identity theft or credit card fraud in order to be given standing because there is an objectively reasonable likelihood that such an injury will occur."
- Coca-Cola: The theft of 55 encrypted laptops by a former employee resulted in the breach of approximately 74,000 employee records. The Eastern District of Pennsylvania found that "Here, plaintiffs' harm are not future harms but ongoing, present, distinct and palpable harms" and allowed the allegations of breach of express and implied contract and unjust enrichment to survive.
- Wyndham: The Wyndham ruling boosts the FTC's authority to investigate security breaches. Wyndham is now under increased scrutiny by the FTC for 20 years and must follow strict data privacy requirements.
- Concentra: The Concentra and HCA Health Plan HIPAA settlements emphasize the HHS focus on breach risks relating to unencrypted laptops: a $1.7 million fine plus $250,000 to resolve the OCR investigation.

Grander scheme of things
A security event can have a severely negative impact on your reputation, and it could:
- Adversely impact your debt covenants
- Impair cash flow as funds are redirected to respond to the costs associated with the security event
- Affect your credit rating
- Redirect the focus of key employees from their daily jobs (the estimated people-hour cost for a breach is $30 per record breached)
- Cause an exodus of customers
- Create vulnerabilities that competitors can exploit

Current Regulatory and Legal Environment

Legal issues and the regulatory environment
Legally mandated:
- 47 states with privacy breach notification laws
- Recent federal executive orders: will federal legislation finally be passed? Will it preempt?
- HIPAA/HITECH regulations
- FTC: Federal Trade Commission Act Section 5, Red Flags
- State consumer protection laws, e.g. California's Song-Beverly Credit Card Act
- Foreign laws and regulations: EU Privacy Directive (broader than US laws)
- Other federal laws: SEC guidance, COPPA, FCRA, FACTA, etc.
Industry standard:
- PCI DSS compliance: required if storing, processing or transmitting payment card data; significant fines, penalties and costs assessed
- Contractual obligations: increasingly included in insurance provisions of customer/vendor contracts

State regulations: notice
- 47 states and 4 U.S. jurisdictions require notice to customers after unauthorized access to PII
- Timing requirements for notifying residents: "without unreasonable delay" (means not later than 30 days); FL was 45 days, is now 30 days
- Notify State Attorneys General, consumer protection agencies and credit reporting agencies: new requirement in ND, OR, and FL
- Timing requirements for notifying regulators and credit reporting agencies: 48 hours; fourteen days; before notice to residents
- Constant change: amendments bring changes in MT, NV, ND, OR, TN, UT, VA, WA, WY, LA, IO, CT
- Broader definitions of Personal Information and new protections for student data
- More specific content in notice letters
- CT to be the first state to require by law that credit monitoring be provided

Network Security & Privacy Insurance

Network security and privacy insurance
- Continue to see insurers grow their loss prevention and loss mitigation services for midsize companies.
- Network security risk is not going away.
- For any market that has pulled capacity, or has been hesitant to enter, another has stepped in.
- Most organizations are looking to transfer the risk to an insurance product.
- Cyber insurance market to reach $5 billion in written premium by 2020.

Network security and privacy GAP analysis
Policy types compared, in order: Property, General Liability, Crime, K&R, E&O, Network Security & Privacy.
Legend: x = no coverage; (blank) = possible coverage; ü = coverage.

1st party privacy / network risks:
- Physical damage to data only: x x ü
- Virus/hacker damage to data only: x x x ü
- Denial of service (DOS) attack: x x x ü
- Business interruption loss from security event: x x x x ü
- Extortion or threat: x x x ü x ü
- Employee sabotage of data only: x x x ü
- Impostor fraud: x x x x

3rd party privacy / network risks:
- Theft/disclosure of private information: x x x ü
- Confidential corporate information breach: x x x ü
- Technology E&O: x x x x ü x
- Media liability (electronic content): x x x ü
- Privacy breach expense and notification: x x x x ü
- Damage to 3rd party's data only: x x ü
- Regulatory privacy defense / fines: x x x x ü
- Virus/malicious code transmission: x x x ü x

Network security and privacy liability
Combines:
- Third party liability
- First party reimbursement insurance
- First party business interruption and data asset loss
Different names depending on who you talk to: Cyber Risk, Cyber Security, Data Security, Privacy Liability, Security Liability, Network Risk, etc. They all essentially refer to the same thing.
Over 30 markets with primary policy forms: which carriers will be around 5 years from now?

Insurance solutions
Third party liability coverage:
- Privacy liability
- Network security
- Media liability
- Regulatory action* (sub-limit may apply)
First party reimbursement coverage:
- Privacy notification costs
- Crisis management expenses
- Credit monitoring costs
- Cyber extortion
Other first party reimbursement coverages:
- Business interruption
- Data restoration
- Forensic investigation
* Regulatory expenses, notification expenses, credit monitoring and other crisis management expenses are generally offered on a sub-limited basis, and this varies by carrier.

2015 Wells Fargo Insurance study: decision time for cyber and data privacy insurance purchase
Decision-maker for purchase (Q.A3: Who ultimately decided to purchase cyber and data privacy risk insurance?):
- CEO (or equivalent): 43%
- Risk Manager (or equivalent): 20%
- CFO (or equivalent): 15%
- Committee: 11%
- General Counsel (or equivalent): 2%
- Other: 9%
Time to decide (Q.A2: How long did it take to make the decision to purchase cyber and data privacy risk insurance?):
- Less than 3 months: 28%
- 3 months to less than 6 months: 32% (60% up to 6 months)
- 6 months to less than 12 months: 18%
- 12 months to less than 18 months: 13%
- 18 months or more: 9%
Base: purchases cyber and data privacy insurance (n=84)

2015 Wells Fargo Insurance study: reasons for purchasing cyber and data privacy insurance
All reasons (Q.A4: Which of the following describes why your company purchased cyber and data privacy risk insurance?):
- To protect our business against financial loss: 74%
- To protect our shareholders: 64% (by revenue: 68% for $100M to <$500M, 89% for $500M+)
- To help us prepare for data privacy events: 61%
- To protect our reputation: 58%
- We were required by contract to carry this insurance: 44%
Most important reason (Q.A4_1: What was the most important reason why your company purchased cyber and data privacy risk insurance?):
- To protect our business against financial loss: 33%
- To protect our shareholders: 23%
- To help us prepare for data privacy events: 19%
- To protect our reputation: 13%
- We were required by contract to carry this insurance: 13%
Base: purchases cyber and data privacy insurance (n=84). Notes: numbers shown in green in callout bubbles denote statistically higher proportions at the 95% level.

2015 Wells Fargo Insurance study: challenges to obtaining cyber and data privacy insurance (Q.A5: Which of the following, if any, have been challenges to obtaining cyber and data privacy risk insurance? Select all that apply.)
- It was difficult to find policies that fit my company's needs: 47%
- Cost: 42%
- My company was not required to have this insurance: 37%
- My company did not believe the risk was big enough to have this insurance: 36%
- Previous lack of management support: 31%
- Was unsure how to begin looking into this type of insurance: 27%
- Our company did not experience any challenges while purchasing this coverage: 6%
Base: purchases cyber and data privacy insurance (n=84)

Managing the risks

2015 Wells Fargo Insurance study: top cyber and data privacy concerns (Q.A1_1: What are your primary cyber and data privacy concerns for your company? Open end)
- Leaking private data: 35%
- Hackers: 25%
- Security breach: 20%
- Viruses/disruption of operations: 10%
- Loss of data: 10%
- Software vulnerabilities: 7%
- Maintaining reputation / keeping compliant: 4%
- Other: 12%
Respondent comments:
- "Private mobile device may cause corporate data leakage."
- "I feel like we're not so secure against third-party hackers who want to learn our secrets."
- "Data security is important."
- "How to maintain security for our customers and the company while maintaining a seamless environment for our customer base."
- "Breach of information and the loss of valuable information and money."
Base: total (n=72; refused answers excluded from base). Notes: numbers shown in green in callout bubbles denote statistically higher proportions at a 95% confidence level.

2015 Wells Fargo Insurance study: effectiveness of network security intrusion plan
Effectiveness of the plan the most recent time it was used (Q.B4: Thinking about the most recent time you used your plan for a network security intrusion, how effective was the plan? Scale: 1 = not at all effective, 5 = completely effective. Base: has had to use network security intrusion plan, n=69):
- Completely effective: 45%
- Effective: 47%
- Effective (top 2 box): 92%
- Neutral: 7%
- Not effective: 1%
Percentage of plan revised after most recent use of network security intrusion plan (Q.B5_N; base: n=27, results gathered from a re-contact survey among respondents who completed the initial survey; resulting frequencies are not weighted; base too small to show percentages):
- 0%: 2
- 1-25%: 4
- 26-50%: 5
- 51-75%: 10
- 76-99%: 4
- 100%: 2

The digital shadow
Can you answer the following questions?
1. What information is being captured? (e.g. assets, race, schedule, age, city, bank routing, SSN, plan ID, credit card number, DOB)
2. Where is information being captured?
3. What is the value of our information set?
4. With whom is our information shared?
5. How do we protect it?
6. How do we destroy it?

Where is the payroll file?
- Dropbox
- Email
- Cloud payroll
- Laptops
- Printer
- Thumb drives, external portable hard drives
- System servers
- Text messaging services

Managing the risks: response
- Discovery of data event / timing
- Incident response plan
- Facts
- Law
- Vendors
- Regulatory investigation
- Overreact or underreact? Quick responders spend 54% more than slow responders, but response can factor into lawsuits and reputational harm!
Source: Ponemon Institute

Managing the risks
- Education
- Awareness of exposure of internal data
- Handheld devices: BYOD
- Limit data maintained or made available
- Encrypting laptops, smartphones, etc.
- Mock breaches, aka tabletop exercises
- Limit online access to data storage servers
- Policies not enough
- Destruction of hard drives to remove all PII

Wells Fargo Insurance
Dena L. Cusick, Tel: (704) 553-6002, Email: dena.cusick@wellsfargo.com
Greg Jones, Tel: (843) 573-3560, Email: greg.a.jones@wellsfargo.com

Thank you
This material is for informational purposes and is not intended to be exhaustive, nor should any discussions or opinions be construed as legal advice. Contact your broker for insurance advice, tax professional for tax advice, or legal counsel for legal advice regarding your particular situation. Products and services are offered through Wells Fargo Insurance Services USA, Inc., a non-bank insurance agency affiliate of Wells Fargo & Company, and are underwritten by unaffiliated insurance companies. Some services require additional fees and may be offered directly through third-party providers. Banking and insurance decisions are made independently and do not influence each other. 2015 Wells Fargo Insurance Services USA, Inc. All rights reserved. Confidential.