Leadership, Knowledge, Solutions…Worldwide. Privacy & Data Security Understanding Identity theft The art of managing a crisis Jim Leonard – Marsh FINPRO.



Marsh—Leadership, Knowledge, Solutions…Worldwide.

Agenda
• Industry issues
• Fraud facts (myth busting)
• The target
• The thief / threat environment
• Case studies
• Investigating & managing an event
• Quantifying the cost
• Available coverage
• Best practices

Identity Theft and Fraud
• Industry Issues
  – FTC Estimates nearly 10 Million victims per year
  – Many victims don’t know or don’t report
  – Fastest growing white collar crime in America
  – Average 175 hours and $1,500 to resolve
  – Tremendous media exposure
• Common Types of Fraud
  – Current Credit – Credit Card, Debit Card, Phone Card
  – Identity Fraud using:
    • Your name and SS# to:
      - Establish new credit
      - Commit other criminal activity
• ID Theft goes far deeper than your credit!

Fraud Facts
Other forms of Fraud
• Driver’s License
• Health Benefits
• Insurance Fraud
• Rental Housing
• Utilities
• Government Benefits
• W-2 Fraud

The Target
• Absolutely everyone with identifying information
  – Average consumer is most common victim
  – If you have:
    • A Social Security number
    • Credit worthiness is a bonus
  – Few consumers become victims because of their internet use
• Common Identity Thief’s MO (Volume, not Value)
  – Gain access to large numbers of potential victims
  – Keep a low profile
  – Victimize average consumers over long periods
  – Sell or Trade Identities

The Thief
• Shadow Crew
  – E-bay-like environment for buying/selling identities
• Job Fairs
  – Improper vetting of employers
• Methamphetamines and Gangs
  – Boxes of physical papers of identities
  – Hospitals, Auto Dealerships
• Fraud Rings
  – Collaborative hiring
• W2 Fraud and Arizona
  – #1 ID Theft circumstance
  – #1 State for ID Theft
• Broken Business Practices
  – Your employees
  – Human factors are at hand

Identities are a currency

Threat Environment
• What is your breach universe?
• What do you think the most likely cause is of an event?
  – Hacking
  – Extortion
  – Lost or stolen devices
  – B & E’s
  – Internal fraud – disgruntled employee

Threat Environment [slide graphic; no text in the transcript]

Case Studies
• Internal Fraud (40 cases last year)
• Laptops – laptops - laptops
• Healthcare Provider loses 20 years’ worth of data
• HR Employee takes work home over the weekend
• Foreign National takes money and identities
• Healthcare Provider believes it loses data on 275,000 patients
• Employee receives and sends it to personal , then forwards again
• Company instructs victims to “Freeze their Credit”

Identifying an Event
• Do you have an investigative procedure?
• Validate what information was lost, regardless of media
  – Laptop, CD, thumb drive, iPod, PDA, backups, paper files, third party, rogue employee
  – External counsel
  – Forensics investigator
  – General investigations
  – PR & Communications

Managing the Event
• How do you notify victims of the event?
  – Mail? (E-sign act)? Publicly?
• What is your deliverable to the victims?
  – You can’t just say “We breached your data and here is a list of things you can do to protect yourself”
• Notify correctly vs. quickly
  – What should you say?
• Call center (questions and answers)
• Credit reports and monitoring
• Insurance vs. Resolution
• Additional exposure
  – Current victims
• Audience segments

U.S. Cost of a Data Breach Study, Ponemon Institute
• Data breach incidents cost US companies $214 per compromised customer record in 2010, compared to $204 in 2009
• The average total cost per incident increased to $6.75M, up from $6.65M in the previous year
• Data breaches resulting from malicious attacks and botnets were more costly and severe
• Negligent insider breaches have decreased due to awareness and training on protecting private information. 58% have expanded their use of encryption
• Third party organizations accounted for 42% of all breach cases. These remain the most costly due to additional investigation and consulting fees
• The most expensive case in the study cost nearly $31,000,000 to resolve; the least was $750,000
• The study comprised 45 breaches with a range of 5,000 to 101,000 compromised records

Privacy Event - Quantification [slide graphic; no text in the transcript]

Available Coverage Overview

Network Security Liability: Liability to a 3rd party as a result of a failure of company's network security to protect against destruction, deletion or corruption of a 3rd party’s electronic data; denial of service attacks against Internet sites or computers; or transmission of viruses to third party computers and systems.

Privacy Liability: Liability to a 3rd party as a result of company's failure to properly handle, manage, store or otherwise control personally identifiable information, corporate information identified as confidential and protected under a nondisclosure agreement, and unintentional violation of privacy regulations.

Regulatory: Defense expenses and civil fines or penalties paid to a governmental entity in connection with an investigative demand or civil proceeding regarding actual or alleged violation of privacy laws.

Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a public relations firm for the purpose of protecting/restoring company's reputation as a result of the actual or alleged violation of privacy regulations.

Available Coverage Overview

Network Business Interruption: Reimbursement of the company's own loss of income or extra expense resulting from an interruption or suspension of its systems due to a failure of network security to prevent a security breach.

Data Asset Protection: Recovery of the company's costs and expenses incurred to restore, recreate or regain access to any software or electronic data from back-ups or from originals, or to gather, assemble and recreate such software or electronic data from other sources to the level or condition in which it existed immediately prior to its alteration, corruption, destruction, deletion or damage.

Cyber Extortion: Ransom or investigative expenses associated with a threat directed at the company to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the Insured; introduce malicious code into the company's computer system; corrupt, damage or destroy company's computer system; or restrict or hinder access to the company's computer system.

Coverage Overview with Examples

| Coverage | Example | Limit of Liability | Retention |
|---|---|---|---|
| Security Liability | Hacking, virus transfer | Up to $150,000,000 | $25,000 and up |
| Privacy Liability | Customer information breach | Up to $150,000,000 | $25,000 and up |
| Forensics | Investigation | Up to $10,000,000 | Ranges from NIL and up |
| Privacy Breach Notification Costs | State privacy laws require notification | Up to $10,000,000 or 2,000,000 records | Ranges from NIL and up |
| Loss mitigation coverage | Credit monitoring | Up to $10,000,000 | Ranges from NIL and up |
| 1st Party Data Protection | Rebuild your damaged data from computer attack | Up to $100,000,000 | $25,000 and up |
| 1st Party Network Bus. Int. (“NBI”) | Loss of revenue due to computer attack | Up to $100,000,000 | A combination of the greater of $25,000 + or 8 to 12 hours |
| Defense Costs/Fines & Penalties for Regulatory Actions | FTC or AG claims for privacy breach | Up to $25,000,000 | Ranges from NIL and up |

Your risk identification…..

| Potential Risk Event | Likelihood | Potential Impact |
|---|---|---|
| Website copyright/trademark infringement claims | | |
| Legal liability to others for computer security breaches (non-privacy) | | |
| Legal liability to others for privacy breaches | | |
| Privacy breach notification costs & credit monitoring | | |
| Privacy regulatory action defense and fines | | |
| Costs to repair damage to your information assets | | |
| Loss of revenue due to a failure of security or computer attack | | |
| Loss of revenue due to a failure of security at a dependent technology provider | | |
| Cyber Extortion Threat | | |

Best Practices for Breach Preparedness and Prevention
• Pre-Arrange a Breach Service Provider, External Counsel and Reputational Risk Advisor – all specializing in Privacy Law and “Breach” Crisis Management
• Provide “Certification” through e-Learning to employee base on safeguarding data
• Develop an Incident Response Plan
  – Internal Staff
  – Outside Counsel
  – Reputational Risk Advisor
  – Breach Service Provider
• Conduct annual Risk Assessments and Tabletop Exercises
• Hold an internal “Privacy Summit” to identify vulnerabilities
  – Risk
  – Compliance and Privacy
  – HR
  – Legal
  – IT
  – C-level representation (CFO)
  – Physical Security / Facilities

Questions? Thank you!