Leadership, Knowledge, Solutions…Worldwide.

Privacy & Data Security

Understanding Identity Theft: The art of managing a crisis

Jim Leonard – Marsh FINPRO


Agenda

Industry issues

Fraud facts (myth busting)

The target

The thief/ threat environment

Case studies

Investigating & managing an event

Quantifying the cost

Available coverage

Best practices


Identity Theft and Fraud

Industry Issues
– FTC estimates nearly 10 million victims per year
– Many victims don’t know or don’t report
– Fastest growing white collar crime in America
– Average 175 hours and $1,500 to resolve
– Tremendous media exposure

Common Types of Fraud
– Current Credit – Credit Card, Debit Card, Phone Card
– Identity Fraud using your name and SS# to:
  - Establish new credit
  - Commit other criminal activity

ID Theft goes far deeper than your credit!


Fraud Facts

Other forms of Fraud

Driver’s License

Health Benefits

Insurance Fraud

Rental Housing

Utilities

Government Benefits

W-2 Fraud


The Target

Absolutely everyone with identifying information
– Average consumer is most common victim
– If you have a Social Security number (credit worthiness is a bonus)
– Few consumers become victims because of their internet use

Common Identity Thief’s MO (Volume, not Value)
– Gain access to large numbers of potential victims
– Keep a low profile
– Victimize average consumers over long periods
– Sell or Trade Identities


The Thief

Shadow Crew – eBay-like environment for buying/selling identities

Job Fairs – Improper vetting of employers

Methamphetamines and Gangs – Boxes of physical papers of identities (Hospitals, Auto Dealerships)

Fraud Rings – Collaborative hiring

W-2 Fraud and Arizona – #1 ID Theft circumstance; #1 State for ID Theft

Broken Business Practices – Your employees; human factors are at hand

Identities are a currency


Threat Environment

What is your breach universe?

What do you think the most likely cause is of an event?

– Hacking
– Extortion
– Lost or stolen devices
– Breaking and entering (B & E’s)
– Internal fraud
– Disgruntled employee


Case Studies

Internal Fraud (40 cases last year)

Laptops – laptops – laptops

Healthcare Provider loses 20 years worth of data

HR Employee takes work home over the weekend

Foreign National takes money and identities

Healthcare Provider believes it loses data on 275,000 patients

Employee receives email and sends it to personal email, then forwards again

Company instructs victims to “Freeze their Credit”


Identifying an Event

Do you have an investigative procedure?

Validate what information was lost, regardless of media
– Laptop, CD, thumb drive, iPod, PDA, back-ups, paper files, third party, rogue employee
– External counsel
– Forensics investigator
– General investigations
– PR & Communications


Managing the Event

How do you notify victims of the event?
– Mail? Email (E-sign act)? Publicly?

What is your deliverable to the victims?
– You can’t just say “We breached your data and here is a list of things you can do to protect yourself”

Notify correctly vs. quickly
– What should you say?

Call center (questions and answers)

Credit reports and monitoring

Insurance vs. Resolution

Additional exposure
– Current victims

Audience segments


2010 U.S. Cost of a Data Breach Study – Ponemon Institute

Data breach incidents cost US companies $214 per compromised customer record in 2010, compared to $204 in 2009

The average total cost per incident increased to $6.75M, up from $6.65M in the previous year

Data breaches resulting from malicious attacks and botnets were more costly and severe

Negligent insider breaches have decreased due to awareness and training on protecting private information. 58% have expanded their use of encryption

Third party organizations accounted for 42% of all breach cases. These remain the most costly due to additional investigation and consulting fees

The most expensive case in the study cost nearly $31,000,000 to resolve, the least was $750,000

The study comprised 45 breaches, ranging from 5,000 to 101,000 compromised records


Privacy Event - Quantification


Available Coverage Overview

Network Security Liability: Liability to a 3rd party as a result of a failure of company's network security to protect against destruction, deletion or corruption of a 3rd party’s electronic data, denial of service attacks against Internet sites or computers; or transmission of viruses to third party computers and systems.

Privacy Liability: Liability to a 3rd party as a result of the company's failure to properly handle, manage, store or otherwise control personally identifiable information, corporate information identified as confidential and protected under a nondisclosure agreement, and unintentional violation of privacy regulations.

Regulatory: Defense expenses and civil fines or penalties paid to a governmental entity in connection with an investigative demand or civil proceeding regarding an actual or alleged violation of privacy laws.

Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a public relations firm for the purpose of protecting/restoring company's reputation as a result of the actual or alleged violation of privacy regulations.


Available Coverage Overview

Network Business Interruption: reimbursement of the company's own loss of income or extra expense resulting from an interruption or suspension of its systems due to a failure of network security to prevent a security breach.

Data Asset Protection: recovery of the company's costs and expenses incurred to restore, recreate or regain access to any software or electronic data from back-ups or from originals or to gather, assemble and recreate such software or electronic data from other sources to the level or condition in which it existed immediately prior to its alteration, corruption, destruction, deletion or damage.

Cyber Extortion: ransom or investigative expenses associated with a threat directed at the company to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the Insured; introduce malicious code into the company's computer system; corrupt, damage or destroy the company's computer system; or restrict or hinder access to the company's computer system.


Coverage Overview with Examples

Coverage | Example | Limit of Liability | Retention

Security Liability | Hacking, virus transfer | Up to $150,000,000 | $25,000 and up

Privacy Liability | Customer information breach | Up to $150,000,000 | $25,000 and up

Forensics Investigation | – | Up to $10,000,000 | Ranges from NIL and up

Privacy Breach Notification Costs | State privacy laws require notification | Up to $10,000,000 or 2,000,000 records | Ranges from NIL and up

Loss mitigation coverage | Credit monitoring | Up to $10,000,000 | Ranges from NIL and up

1st Party Data Protection | Rebuild your damaged data from computer attack | Up to $100,000,000 | $25,000 and up

1st Party Network Bus. Int. (“NBI”) | Loss of revenue due to computer attack | Up to $100,000,000 | A combination of the greater of $25,000+ or 8 to 12 hours

Defense Costs/Fines & Penalties for Regulatory Actions | FTC or AG claims for privacy breach | Up to $25,000,000 | Ranges from NIL and up


Your risk identification

Potential Risk Event | Likelihood | Potential Impact

Website copyright/trademark infringement claims

Legal liability to others for computer security breaches (non-privacy)

Legal liability to others for privacy breaches

Privacy breach notification costs & credit monitoring

Privacy regulatory action defense and fines

Costs to repair damage to your information assets

Loss of revenue due to a failure of security or computer attack

Loss of revenue due to a failure of security at a dependent technology provider

Cyber Extortion Threat


Best Practices for Breach Preparedness and Prevention

Pre-Arrange a Breach Service Provider, External Counsel and Reputational Risk Advisor – all specializing in Privacy Law and “Breach” Crisis Management

Provide “Certification” through e-Learning to the employee base on safeguarding data

Develop an Incident Response Plan
– Internal Staff
– Outside Counsel
– Reputational Risk Advisor
– Breach Service Provider

Conduct annual Risk Assessments and Tabletop Exercises

Hold an internal “Privacy Summit” to identify vulnerabilities
– Risk
– Compliance and Privacy
– HR
– Legal
– IT
– C-level representation (CFO)
– Physical Security / Facilities


Questions?

Thank you!