
Especially Prepared For:
Data Breach Risk Management: The Reality of ID Theft and Data Breach
September 13, 2017
“Knowledge is power” – Sir Francis Bacon, 1597

Today’s Agenda
- About Merchants Information Solutions, Inc.
- About Mark Pribish
- Data Breach Trends
- Identity Theft Trends
- The Threat Landscape
- Employee Education
- Data Breach Risk Management
- Questions and Answers

About Merchants Information Solutions
- Since 1912
- ID Theft Risk Management Solutions Pioneer
- Small Business Data Breach Risk Management
- Over 10 Million Consumers Covered
- Business | Consumer | Data Breach – Identity Theft Solutions

About Mark Pribish
- Vice President & ID Theft Practice Leader
- Gannett / Arizona Republic guest columnist for cyber security, data breach, identity theft, and personal privacy
- Member of FBI Citizens Academy Class of 2012, FBI InfraGard Public Private Alliance, Guidepoint Global Advisors, Risk Insurance Management Society, and Arizona P&C License
- 27 years’ experience in helping consumers and businesses manage the risks associated with ID Theft and data breach events
- Served in senior sales positions for Aon and AIG
- Graduated from the University of Dayton in 1981

Data Breach Trends

Data Breach Trends
Privacy Rights Clearinghouse Chronology of Data Breaches, Timeline for 2005 – 2017 | September 2017
- Since January 2005 there have been 7,650 data breaches affecting nearly 1 billion records
- Only 25% of these data breaches involved hackers and IT-related events
- 75% of these data breaches involved social engineering (the human element)

Data Breach Trends: Types of Data Breaches
- Hacking/Malware – electronic entry via outside party, malware and spyware
- Insider – someone with legitimate access intentionally breaches information
- Payment Card Fraud – fraud with debit and credit cards such as skimming devices
- Physical Loss – lost, discarded or stolen non-electronic records
- Portable Device – lost, discarded or stolen laptop, smartphone or flash drive
- Stationary Device – lost, discarded or stolen stationary electronic devices or servers
- Unintended Disclosure – sensitive information posted publicly
- Unknown or other

Data Breach Trends
Ponemon Institute Study: Cost of Data Breach | June 2017
- Total Costs – average $225 per lost/stolen customer record
- Direct Incremental Costs – including free/discounted services, notification letters, legal/accounting fees, etc.
- Lost Productivity Costs – including lost time of employees and contractors diverted from other tasks
- Customer Opportunity Costs – including cost of lost customers and cost of acquiring new customers

Data Breach Trends
2016 Symantec Internet Security Threat Report, April 2017
- Cyber attacks on small businesses are on the rise, pushing many entrepreneurs to the verge of bankruptcy
- 43% of cyberattacks were against small businesses with fewer than 250 workers
- Cyber crooks steal small business information to rob bank accounts via wire transfers, steal customers’ personal identity information, file for fraudulent tax refunds, commit health insurance or Medicare fraud, or even steal intellectual property

Data Breach Trends
2016 Symantec Internet Security Threat Report, April 2017
- Data breaches are becoming more complex and are no longer confined to just IT
- The human element is again front and center: humans continue to play a significant role in data breaches and cybersecurity incidents, as threat actors, targeted victims and incident response stakeholders
- Companies need to be prepared to handle data breaches before they actually happen in order to recover as quickly as possible
- Breaches can lead to enterprise-wide damage with devastating and long-lasting consequences such as a loss of customer confidence

Identity Theft Trends
2017 Identity Fraud Javelin Strategy & Research Study, January 2017
- Identity fraud hits record number – 15.4 million Americans, up 16% from 2015
- ID theft criminals stole $16 billion, a billion-dollar increase from 2015
- New chip cards lead to a dramatic rise in online fraud

Identity Theft Trends
2017 Identity Fraud Javelin Strategy & Research Study, January 2017
- Card-not-present (CNP) fraud rises significantly: online CNP fraud increases by 40 percent
- Account takeover (ATO) bounces back: account takeover incidence and losses rose in 2016. Total ATO losses reached $2.3 billion, a 61 percent increase from 2015, while incidence rose 31 percent
- New-account fraud (NAF) continues: as Europay, MasterCard, and Visa (EMV) cards and terminals continue to permeate the U.S. point-of-sale (POS) environment, fraudsters shift to fraudulently opening accounts

Identity Theft Trends
2016 FTC Consumer Sentinel Network Report: Identity Theft Complaints by Victims’ Age, February 2017

Identity Theft Trends
2016 FTC Consumer Sentinel Network Report: How Victims’ Information is Misused, February 2017
- Reported ID theft & fraud: 51% financial, 49% non-financial

Identity Theft Trends
GAO Tax and Identity Theft Report, January 2016 – 2017
- According to the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $22.5 billion in fraudulent identity theft refunds in 2014
- The IRS also paid $3.1 billion that year for refund requests later determined to be fraud
- Fraudulent tax filings linked to the Anthem data breach – according to the IRS and FBI
- The IRS also paid $2.2 billion in 2015 for refund requests later determined to be fraud

Identity Theft Trends
The Rise in Medical ID Theft, August 2016
- Medical ID theft soared 22 percent in 2014
- Ponemon estimates more than 2.3 million adult medical ID theft victims
- 47% of victims were harmed by relatives or people they know (the insider threat)
- 65 percent of the study's respondents paid an average cost of $13,453

The Threat Landscape
Cyber Threat Will Get More Difficult, April 2017 - http://riskandinsurance.com/cyber-threat-will-get-difficult/
- Companies should focus on Response, Resiliency and Recovery when it comes to cyber risks – Michael Hayden, former head of the Central Intelligence Agency and National Security Agency, who currently is a principal at the Chertoff Group, a security consultancy
- At present, companies are focusing on the vulnerability aspect, and responding by building “high walls and deep moats” to keep attackers out, he said. If you do that successfully, it will prevent 80 percent of the attackers. But that still leaves 20 percent vulnerability, so companies need to focus on the consequences: it’s about Response, Resiliency and Recovery

The Threat Landscape
SMBs are the Target of Future Cyber Risks
- The Ponemon Institute Cost of a Data Breach Study reported “$225 per lost/stolen record” – June 2017
- Experian 2017 Data Breach Forecast states “SMB data breaches will cause the most damage” – January 2017
- Small to mid-size entities often lack breach response policies, proper governance tools, and employee privacy training programs to prevent or promptly respond to breaches – February 2016
- “Cyber risk jumps to No. 2” on the Travelers Insurance Business Risk Index – September 2016

The Threat Landscape
- 43% of breaches are to businesses of 250 employees or fewer
- 83% of SMBs have no formal cybersecurity plan
- 92% of companies who experienced a data breach didn’t know it until notified by a third party

The Threat Landscape
Regulatory, Consumer and Data Security Laws
- HIPAA-HITECH Data Breach Requirements (2010)
- FACT Act Red Flags Rule (2010)
- PCI Data Security Standards (2006)
- COPPA Children’s Online Privacy Protection Act (2000)
- 48 State Security Breach Notification Laws
- New York Cyber Security Law (March 1, 2017)?
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

The Threat Landscape
Business E-Mail Compromise, February 27, 2017
- According to the FBI “there has been a 1,300 percent increase in identified exposed losses which has victimized more than 22,000 organizations worldwide and is responsible for losses of more than $3 billion.”
- Spoofing e-mail accounts and websites: slight variations on legitimate addresses (john.kelly@abccompany.com vs. john.kelley@abccompany.com) fool victims into thinking fake accounts are authentic. The victim thinks he is corresponding with his CEO, but that is not the case.
- Spear-phishing: bogus e-mails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC perpetrators.
- Malware: used to infiltrate company networks and gain access to legitimate e-mail threads about billing and invoices. That information is used to make sure the suspicions of an accountant or financial officer aren’t raised when a fraudulent wire transfer is requested.
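As an added example (not part of the presentation), here is a defensive screening check for the spoofing pattern above: a sender address that is one or two character edits away from a known executive or vendor address gets flagged for review before a payment request is acted on. The trusted-sender directory, the sample messages and the edit-distance threshold are all constructed assumptions.

```python
"""Lookalike-sender check for BEC screening. Added example, not from the slides:
flags an inbound From: address within a few edits of a trusted executive/vendor
address (the john.kelly@ vs. john.kelley@ pattern). Directory, messages and the
max_edits threshold are constructed assumptions."""
from dataclasses import dataclass

# Constructed directory of addresses allowed to request payments or data.
TRUSTED_SENDERS = {"john.kelly@abccompany.com", "ap@widgets-supplier.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

@dataclass
class Verdict:
    sender: str
    flag: str          # "trusted", "lookalike" or "unknown"
    closest: str = ""  # trusted address it resembles, if any

def classify_sender(sender: str, trusted=TRUSTED_SENDERS, max_edits: int = 2) -> Verdict:
    """Exact trusted match passes; a near miss of a trusted address is a lookalike."""
    s = sender.strip().lower()
    if s in trusted:
        return Verdict(s, "trusted", s)
    local, _, domain = s.rpartition("@")
    best, best_d = "", None
    for t in trusted:
        t_local, _, t_domain = t.rpartition("@")
        # Score local part and domain separately so one changed letter in
        # either (kelly/kelley, supplier/suppiier) is caught.
        d = edit_distance(local, t_local) + edit_distance(domain, t_domain)
        if best_d is None or d < best_d:
            best, best_d = t, d
    if best_d is not None and best_d <= max_edits:
        return Verdict(s, "lookalike", best)
    return Verdict(s, "unknown")

def screen_messages(messages):
    """Return (sender, resembled trusted address) for every lookalike sender."""
    flagged = []
    for m in messages:
        v = classify_sender(m["from"])
        if v.flag == "lookalike":
            flagged.append((v.sender, v.closest))
    return flagged

# Constructed sample messages: one genuine, two lookalikes, one unrelated.
SAMPLE_MESSAGES = [
    {"from": "john.kelly@abccompany.com", "subject": "Q3 numbers"},
    {"from": "john.kelley@abccompany.com", "subject": "Urgent wire transfer"},
    {"from": "ap@widgets-suppIier.com", "subject": "Updated bank details"},  # l -> I
    {"from": "newsletter@example.org", "subject": "Weekly digest"},
]

if __name__ == "__main__":
    for sender, closest in screen_messages(SAMPLE_MESSAGES):
        print(f"REVIEW: {sender} resembles trusted sender {closest}")
```

A flagged message is a review trigger, not a verdict: the accountant confirms the request over a known phone number before any transfer.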

The Threat Landscape
Ransomware – according to the FBI in 2017
- Ransomware disables digital networks but usually does not steal data
- Hacking victims in the U.S. paid more than $1 billion in ransom payments in 2016, compared with $25 million in all of 2015
- Paying the ransom does not guarantee the encrypted files will be released
- Decrypting files does not mean the malware infection itself has been removed
- Ransomware has evolved into stealing and deleting data
- Train employees to NOT open digital attachments or click on unfamiliar web links

The Threat Landscape
Threat of identity theft played a role in record Anthem settlement, June 26, 2017 - http://www.modernhealthcare.com/article/20170626/NEWS/170629915
- Anthem is paying a $115 million settlement, making it the biggest payout in U.S. history for a data breach
- Target and Home Depot, two companies that suffered well-documented data breaches, each paid less than a fifth of what Anthem agreed to pay to settle their claims
- 80 million records were exposed in the 2015 Anthem breach, revealing names, birth dates, Social Security numbers and other information – information that lends itself to identity theft
- The Anthem breach happened because an employee opened a phishing email, and it took almost an entire year for Anthem to notice anything

Employee Education
What is Information Security Governance?
Information security governance has many definitions, but for the sake of this presentation it is:
- The creation of an information security governance strategy
- Within an organization’s governance framework
- That can support the detection, prevention of, and response to identity theft and data breach events

Employee Education
Why Have an Information Security Governance Program?
- Because poor communication and lack of leadership are barriers to effective information security governance and employee education
- To support employee education and data breach response
- To communicate current and future ID theft and data breach risk management trends
- To help safeguard employee and customer information
- To help safeguard intellectual property
- All of which are targets for identity thieves and cyber criminals

Employee Education
How to Support Information Security Awareness?
An effective security awareness program should include education on specific threat types, including but not limited to:
- Social engineering
- Phishing/Vishing/Smishing
- Password Management
- Malware/Trojans/Viruses
- Communicate ID Theft and Data Breach Trends Regularly

Employee Education
Are You Aware of The Insider Threat?
- Negligent and malicious insiders are considered the biggest security risks to any size organization, including current and former employees, contractors and vendors
- Small business owners and senior executives should be more concerned about the threat within than with external risks caused by cyber criminals
- As you develop your organization’s employee education program on information security governance, you will also enhance your incident response plan

Data Breach Risk Management
Response and Recovery (Before it Happens)
- Create and implement an information governance policy
- Require annual information security training and education
- Understand what type of employee, customer and proprietary data is being collected, stored, and transferred
- Constantly assess and test your organization’s needs and requirements
- Define document destruction and retention policies
- Be aware of current and former employees, customers and vendors
- Understand the state and federal breach notification laws that apply to your business
- Vigilance – including annual pre-employment screening
- Implement baseline safeguards and controls

Data Breach Risk Management
Response and Recovery (After it Happens)
- Breach source – determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of the breach, you should engage a forensic investigation company.
- Breach assessment – determine the scope of the data breach event and the privacy and data security regulatory requirements associated with the type of records, in addition to the state of domicile.
- Response plan – include internal employee education and talking points; public relations press releases, customer education, and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.
- Protection plan – include the small business or consumer protection services to be offered to the compromised record group and the confirmation of professional call center and recovery advocate support services.
- Breach victim resolution plan – provide access to professional certified identity fraud recovery advocates that will work on behalf of the victims to mitigate and resolve the issues caused by the breach.

Data Breach Risk Management
Response and Recovery (After it Happens): 48-Hour Data Breach Response Plan
- Response to state and federal notification laws
- Develop customized customer/employee notification
- Develop employee talking points and FAQs
- Develop call center scripting
- Need to minimize the negative impact when news of the breach is released

Data Breach Risk Management
Response and Recovery (After it Happens)
- Notify – contact employees within the organization and affected individuals outside the organization
- Notify – law enforcement if criminal activity is suspected
- Notify – know that 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have notification laws in place requiring notification of any individual whose personally identifiable information has been breached
- Notify – know the two federal laws, including the FTC Red Flag Rule and the HIPAA HITECH Data Breach Notification Rule

Conclusion: Understanding Data Breach Risk Factors
- People – the insider threat, whether accidental or malicious, can include current and former employees, customers, associates, vendors, and independent contractors
- Processes – including information technology, enterprise risk management, marketing/sales and human resources, need to be aligned, defined, and documented
- Technologies – those relied on to conduct and grow your business are also being used to identify vulnerabilities and cyber threats on your business
“No One Company Can EVER Prevent Itself from Experiencing a Data Breach Event” – The Arizona Republic/Gannett News, Mark Pribish, 2008

THANK YOU!
Mark Pribish, Vice President & ID Theft Practice Leader
Merchants Information Solutions, Inc.
602-744-3736
mpribish@merchantsinfo.com