Protecting the Public Trust: Cyber Liability and Data Compromise; The New Risk Management Frontier
Steve Spilde, Chief Executive Officer
Brennan Quintus, Risk Services Manager

What is the NDIRF?
- The North Dakota Insurance Reserve Fund (NDIRF) is a not-for-profit self-insurance pool owned by its members, with the goal of providing a stable source of risk services to North Dakota’s political subdivisions.
- Located in Bismarck, ND
- Began in 1986
- Today, the NDIRF lists approximately $40,000,000 in assets with over $12,000,000 in contributions per year
- NDIRF experienced a net loss of nearly $600,000 in 2015
- The NDIRF has given back over $61,000,000 to its members through the conferment of benefits program; $70,000 to be paid in the spring of 2016 for 2015
- Over 2,550 of ND’s political subdivisions participated in the NDIRF in 2015


Today’s Agenda
- What is a Data Breach?
- Data Breach Concerns
- Data Breach Causes
- Data Breach Risk Management

What is a Data Breach?
NDCC Chapter defines “Breach of the Security System” as:
“…unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.”

What is a Data Breach? (cont.)
NDCC defines “Personal information” broadly:
“…an individual's first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted:
(1) The individual's social security number;
(2) The operator's license number assigned to an individual by the department of transportation under section ;
(3) A nondriver color photo identification card number assigned to the individual by the department of transportation under section ;
(4) The individual's financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts;
(5) The individual's date of birth;
(6) The maiden name of the individual's mother;
(7) Medical information;
(8) Health insurance information;
(9) An identification number assigned to the individual by the individual's employer; or
(10) The individual's digitized or other electronic signature.”

What is a Data Breach? (cont.)
“Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

What is a Data Breach? (cont.)
- North Dakota’s definition is very broad
- 47 other state laws with varying definitions
- Can include both electronic and paper formats

Are We at Risk?
- Employee information
- Payment information
- Medical records
- Any other record containing personal information

Should We Be Concerned?
- According to the Identity Theft Resource Center, data breaches have increased by more than 500% from …
- Technology evolves: more opportunity to steal data
- More content available online
- Mobile devices

Should We Be Concerned? (cont.)
Notification laws: 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands require notification of security breaches involving personal information.

North Dakota’s Breach Notification Law
NDCC Chapter : Anyone owning computerized data that includes personal information must disclose any breach of the system, following discovery of the breach, to any resident of the state whose unencrypted information was or is believed to have been acquired by an unauthorized person.

North Dakota’s Breach Notification Law (cont.)
Notification:
- Written notice;
- Certain electronic notice options;
- Or, substitute notice if the cost will exceed $250,000 or there are over 500,000 affected persons: …, website posting, and media notification

Cost of a Breach
Breach expenses (IDT 911, LLC):
- Legal costs ($300-$600 per hour)
- Forensics ($250-$600 per hour)
- Notification ($1-$3 per record)
- Call handling ($7-$25 per call)
- Credit and fraud monitoring ($8-$75 per record)
- Identity theft resolution ($400 per case)

Cost of a Breach (cont.)

Records      Average cost
100          $18,000 - $36,000
1,000        $52,000 - $87,000
10,000       $143,000 - $223,000
100,000      $367,000 - $615,000
1,000,000    $892,000 - $1,775,000
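The three slides above (the NDCC definitions of a breach and of personal information, the resident-notification duty with its substitute-notice thresholds, and the IDT 911 per-record cost figures) together form a decision rule a risk manager applies when scoping an incident. The following Python is an added example, not part of the NDIRF presentation: it encodes that rule over a constructed inventory of compromised records. The short field names (ssn, date_of_birth, and so on), the record layout, the sample people, and the reading that both the name and at least one data element must be in clear text are this example's assumptions; the ten elements, the $250,000 / 500,000-person thresholds and the per-record cost ranges are the ones quoted on the slides.

```python
from dataclasses import dataclass, field

# The ten data elements enumerated in the NDCC "personal information"
# definition quoted on the slides. The short field names are assumptions.
PI_ELEMENTS = {
    "ssn",                    # (1) social security number
    "drivers_license",        # (2) operator's license number
    "nondriver_id",           # (3) nondriver color photo ID card number
    "financial_account",      # (4) account/card number together with the code needed to use it
    "date_of_birth",          # (5)
    "mothers_maiden_name",    # (6)
    "medical_info",           # (7)
    "health_insurance_info",  # (8)
    "employer_id",            # (9)
    "electronic_signature",   # (10)
}

# Per-person cost ranges (low, high) quoted on the slides (IDT 911, LLC).
NOTIFICATION_COST = (1, 3)
MONITORING_COST = (8, 75)

# Substitute-notice thresholds from the ND notification law slide.
SUBSTITUTE_NOTICE_COST = 250_000
SUBSTITUTE_NOTICE_PERSONS = 500_000


@dataclass
class Record:
    """One compromised row from a constructed data inventory."""
    person: str
    fields: dict                                  # field name -> value
    encrypted: set = field(default_factory=set)   # field names stored encrypted
    nd_resident: bool = True
    public_record: bool = False                   # lawfully public government record


def _clear(rec, name):
    """True when the field is present AND stored in clear text."""
    return bool(rec.fields.get(name)) and name not in rec.encrypted


def unencrypted_elements(rec):
    """Statutory data elements present in clear text."""
    return {e for e in PI_ELEMENTS if _clear(rec, e)}


def is_personal_information(rec):
    """Name (first name or initial plus last name) and at least one data element,
    both unencrypted, and not a public record. Requiring both the name and the
    element to be in clear text is this example's reading of the definition."""
    if rec.public_record:
        return False
    name_clear = _clear(rec, "last_name") and (
        _clear(rec, "first_name") or _clear(rec, "first_initial"))
    return name_clear and bool(unencrypted_elements(rec))


def residents_to_notify(records):
    """ND residents whose unencrypted personal information was acquired."""
    return sorted({r.person for r in records
                   if r.nd_resident and is_personal_information(r)})


def cost_estimate(n):
    """(low, high) estimate for notification plus credit monitoring of n persons."""
    return (n * (NOTIFICATION_COST[0] + MONITORING_COST[0]),
            n * (NOTIFICATION_COST[1] + MONITORING_COST[1]))


def substitute_notice_allowed(n):
    """Substitute notice is permitted when direct notice would cost more than
    $250,000 or more than 500,000 persons are affected. The low end of the
    notification range is used so the test is conservative (assumption)."""
    return n > SUBSTITUTE_NOTICE_PERSONS or n * NOTIFICATION_COST[0] > SUBSTITUTE_NOTICE_COST


def scope_breach(records):
    """Summarise who must be notified and what that is likely to cost."""
    people = residents_to_notify(records)
    n = len(people)
    return {"notify": people, "count": n, "cost_range": cost_estimate(n),
            "substitute_notice": substitute_notice_allowed(n)}


# Constructed sample inventory; every value here is made up.
SAMPLE_RECORDS = [
    Record("alice", {"first_name": "Alice", "last_name": "A", "ssn": "000-00-0001"}),
    Record("bob", {"first_name": "Bob", "last_name": "B", "ssn": "000-00-0002",
                   "date_of_birth": "1970-01-01"}, encrypted={"ssn"}),   # DOB still in clear
    Record("carol", {"first_name": "Carol", "last_name": "C", "ssn": "000-00-0003"},
           encrypted={"first_name", "last_name"}),                       # name encrypted
    Record("dan", {"first_initial": "D", "last_name": "D", "employer_id": "E-42"},
           nd_resident=False),                                           # other state's law applies
    Record("eve", {"first_name": "Eve", "last_name": "E", "phone": "555-0100"}),  # no listed element
    Record("frank", {"first_name": "Frank", "last_name": "F", "drivers_license": "DL-7"},
           public_record=True),                                          # public-record exclusion
]

if __name__ == "__main__":
    print(scope_breach(SAMPLE_RECORDS))
```

Running the block lists alice and bob as the residents owed notice: bob's SSN was encrypted, but his date of birth was not, and any one clear-text element alongside a clear-text name is enough under the definition. Non-residents, name-encrypted rows and public-record rows drop out; the cost range is the per-person notification plus monitoring figures from the slides and omits the hourly legal and forensic costs, which do not scale with record count.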

Cost of a Breach (cont.)
The true cost varies with:
- Type of data
- Type of breach
- Legal or IT assistance
- Vendor costs will vary
- Breach fall-out

Data Breach Causes

Employee Error
- Know who has access to data
- Limit access to those that need to know
- Educate and train employees
  - Culture change
  - Employee awareness
- Stolen passwords
  - Use strong, unique passwords
  - Avoid password reset questions that anyone can answer by researching your family

Insider and Privilege Misuse
- Know what data you have, where it is and who has access to it
- Only gather data you need
- Know where you need additional auditing and fraud detection

Crimeware
- Patch anti-virus software (keep it up to date)
  - 99.9% of successful exploits used vulnerabilities for which a software update or patch had been available for more than a year
- Use two-factor authentication, e.g. a bank card and a PIN, or a smartphone and a fingerprint
- Educate and train employees
  - Avoid opening and responding to anything suspicious

Physical Theft and Loss
- Encrypt your devices and sensitive data
- Run regular backups to prevent loss and downtime
- Allow for the wiping of a device
- Make it easy for employees to report lost or stolen devices, to mitigate the potential damage

Points to Ponder
- A data breach is not always a disaster; mishandling it is!
- In the last year, 23% of recipients opened phishing messages and 11% clicked on attachments.
- On average, it’s just 82 seconds before a phishing campaign gets its first click.
- Be vigilant!

Data Breach Timeline
- In the majority of breaches, it takes only minutes for an attacker to compromise a system
- Once a system is compromised, data can be stolen within minutes
- In some studies, it has been shown to take days, weeks, even months to contain the incident

We Think We Had a Breach, Now What?
- First and foremost, do not panic
- However, time is critical
- Investigate the potential breach (IT forensics)
- If a breach did occur, consult legal counsel regarding obligations
- Document, document, document

So where do we go from here?

Analyze Your Risk
- What kind of information do you collect and retain?
- How long do you retain personal information?
- Where is the information stored?
- Who has access to the information?
- Is the information located on a computer system?
- Do you have a data security policy?

Avoid/Eliminate
- Don’t collect data unless it is necessary
- Remove data as soon as you are able
- Restrict access to data to only those who need it
- Data has become an asset and a liability.

Reduce/Prevent
Educate and train employees: 78% of breaches could have been avoided with better practices and training (IDT 911, LLC)
- … practices
- Password practices
- Eliminate work-arounds
- Improve awareness

Reduce/Prevent (cont.)
- Be vigilant: be on the look-out for odd activity
- Patch anti-virus software (keep it up to date)
- Encrypt sensitive data
  - Helps reduce or prevent breach costs
  - Encrypted data is not useful to a thief if it is stolen
- Run regular back-ups
- Evaluate data disposal procedures

Transfer
- Data breach exposures correspond to the current NDIRF Liability Memorandum
- Coming in the summer of 2016, the NDIRF will begin including coverage for first- and third-party data breach costs within its Liability Memorandum
  - $250,000 annual aggregate limit
  - Option to purchase higher limits with additional underwriting
  - Pricing will be included in the annual Liability Memorandum contribution

Wrap-Up
- What is a data breach?
- Areas of concern
  - Types of data
  - Notification laws
  - Data breach costs
- Causes of data breaches
- What to do if you have a breach
- Ways to protect against a data breach

Questions/Comments/Concerns?
Brennan Quintus