Protecting Your Business From Privacy/Data Breach
Presented by:
Steve Robinson
Area President
RPS ISG International
June 25, 2013
Agenda
Privacy risks in today's business: what makes us susceptible?
Real privacy events
Risk prevention
Risk transfer
Chronology of a Breach & Insurance Response
Cost Determination
Conclusion / Q&A
Privacy Risks in today’s business environment
What makes us susceptible?
Types of information stored:
• Protected Health Information (PHI)
• Personally Identifiable, Non-Public Information (PII)
• Financial information
• Other types of data
Lack of institutional controls
Demand for portability of EMRs (healthcare)
Black market for PII & PHI
Black Market Value of Medical Records
Source: Digital Health Conference Panel, NYC 12/1/2011
Why?
• PHI = data rich
• Unable to cancel (unlike a payment card number, a medical identity cannot be reissued)
Uses:
• Fraudulent insurance claims
• Medical treatment
• Prescription drugs
• Surgeries
• Resale on the black market
Source: Open Security Foundation
Real Privacy Events
04/02/2013 www.atq.state.vt.us: "Online purchasers' personal information and credit card numbers exfiltrated and misused after malware inserted into system."
06/18/2013 http://fox4kc.com: "Former applicants and tenants' SS#'s, bank statements and other personal info found in apartment complex dumpster."
06/12/2013 Palo Alto Online: "Laptop stolen from Packard Hospital contained medical information on pediatric patients."
03/12/2013 http://doj.nh.gov: "Newsletter mailing to employees and retirees embedded Social Security Numbers in mailing labels."
02/14/2013 http://news.sonomaportal.com: "1,386 surgery patients' information accidentally uploaded by an employee to hospital website."
A Threat To Small Business
Source: StaySafeOnline.org
Risk Prevention
How Can Businesses Reduce Their Risk? Data Management*
Collection
What customer/employee data are you storing?
Do you need to store it?
Access
Who in your organization has access to sensitive information?
Do those with access absolutely need access to perform their job?
Is any sensitive information publicly available?
Use
Are you using employee and customer data in the manner originally intended (and consistent with what you communicated to them)?
Storage
Where is your data stored?
Is the stored information protected by access controls that change regularly?
Does sensitive employee or customer information exist in multiple formats?
Eradication
How long do you keep private employee/applicant information?
What do you do with info (in any format) you no longer need?
3rd party vendor agreements for EMR, doc storage, disposal, janitorial services, etc.
Source: NTEN – Nonprofit Technology Network
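The checklist above asks what data you hold and whether any of it is publicly exposed; the incidents on the earlier slides (Social Security Numbers printed on mailing labels, a surgery list uploaded to a hospital website) are what happens when nobody checks an export before it leaves the building. The following is an added example, not part of the presentation: a small Python pre-publication scan that flags US Social Security Numbers and Luhn-valid payment card numbers in exported text and masks them down to their last four digits. The regexes, the SSA issuance rules used to cut false positives, and the sample lines are constructed assumptions, not data from the talk.

```python
"""Pre-publication PII scan: find and mask US SSNs and payment card numbers.

Added example, not from the presentation. The patterns, the SSA issuance
rules and SAMPLE_LINES are assumptions constructed for illustration.
"""
import re
from typing import Dict, List

# SSN written as 9 digits, optionally grouped 3-2-4 with dashes or spaces.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# 13 to 19 digits, optionally separated; confirmed with a Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(s: str) -> str:
    """Strip the separators so only the digit string remains."""
    return re.sub(r"[ -]", "", s)


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues; this cuts false positives on
    plain 9-digit numbers such as order or ticket IDs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_card(m) -> bool:
    d = _digits(m.group(0))
    return 13 <= len(d) <= 19 and luhn_ok(d)


def _is_ssn(m) -> bool:
    return plausible_ssn(*m.groups())


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return the SSNs and card numbers found in one line of text."""
    hits: Dict[str, List[str]] = {"ssn": [], "card": []}
    hits["ssn"] = [m.group(0) for m in SSN_RE.finditer(text) if _is_ssn(m)]
    hits["card"] = [m.group(0) for m in CARD_RE.finditer(text) if _is_card(m)]
    return hits


def redact(text: str) -> str:
    """Mask each hit down to its last four digits so the file can be
    mailed or published without carrying the identifier."""
    def mask(m, accept):
        if not accept(m):
            return m.group(0)
        d = _digits(m.group(0))
        return "*" * (len(d) - 4) + d[-4:]

    text = CARD_RE.sub(lambda m: mask(m, _is_card), text)  # cards first: they are longer
    return SSN_RE.sub(lambda m: mask(m, _is_ssn), text)


# Constructed sample lines (not real data). Line 1 mirrors the SSN-in-mailing-label
# incident, line 2 the accidental web upload; line 3 holds a phone number and a
# 10-digit ticket ID that must not be flagged.
SAMPLE_LINES = [
    "LABEL 0001 | Jane Q. Public | 123-45-6789 | 12 Elm St, Concord NH 03301",
    "UPLOAD surgery_list.csv row=17 acct=4111 1111 1111 1111 status=ok",
    "CONTACT 410-901-0704 ext 12 ticket=2013062501",
]


def scan_lines(lines: List[str]) -> List[Dict[str, List[str]]]:
    """Scan a whole export; all-empty results mean it is clear to publish."""
    return [find_pii(line) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LINES, scan_lines(SAMPLE_LINES)):
        if hits["ssn"] or hits["card"]:
            print("BLOCK :", hits, "->", redact(line))
        else:
            print("OK    :", line)
```

Run this over a mailing-label export or a CSV before it is uploaded: a non-empty result blocks the publish step, and `redact` gives the version that can go out. The Luhn check and the SSA issuance rules matter in practice; without them, every order number and 9-digit ID in an export becomes a false alarm and staff stop reading the report.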
How Can Businesses Reduce Their Risk? Policies & Procedures
Privacy
Do you have a written privacy policy in place?
Have employees been trained?
Social Media
Inventory your social media presence - regularly
Restrict authority for creation and content management on behalf of your business to one or two designated employees
Are there restrictions on social media access from systems that connect to your network containing personal information on customers, employees, etc.?
Websites, Intellectual Property & Electronic Communication
Consistency of content and message?
Legal review?
Have appropriate rights been secured?
Staff training in email etiquette?
Network Security
Software, patch management, spam filters, firewall protection, etc., and credentialing
Encryption of data at rest and in transit, including data carried on mobile devices
Vulnerability testing
Mobile Devices
BYOD policies
How Can Businesses Reduce Their Risk? Risk Transfer
Vendor Agreements
Appropriate transfer of liability language in vendor contracts?
Cloud providers
Payment processors
Website hosting services
Document disposal, storage and janitorial services
Insurance
Cyber/Privacy Liability Insurance
Risk Transfer: Cyber/Privacy/Network Security Liability Insurance
Exclusions exist in traditional insurance policies for privacy breach
• General Liability
▫ Limitations on privacy injury
▫ Exclusions for copyright, trademark, etc.
▫ Exclusions for social media
• Property – Exclusions for electronic data & cost to re-create
• Business Interruption coverage will not respond to outages caused by computer viruses or hackers
• Erosion of limits
How Policies Respond to Client Needs – 3rd Party
Privacy Liability
• Release of PII & PHI and the resulting litigation
• Breach of cloud provider network where customer, employee or patient information is held
• Breach involving other 3rd party information holders, processors, etc.
Media/Website Liability
• Social networking sponsored by a business – defamation, slander
• Copyright/trademark infringement – websites and social media
• YouTube promotional or educational materials sponsored by the business
How Policies Respond to Client Needs – 3rd Party
Network Security Liability
• Transmission of virus, etc. via your network to outside computers or other outside networks
• Inaccessibility of network due to cyber event
"Malware threatens diagnostic equipment and magnetic resonance imaging devices."
www.technologyreview.com, December 17, 2012
How the Breach Plays Out & How Insurance Can Respond
Cyber/Privacy/Network Security Insurance
Exposure Category: Description

Privacy Liability: Provides liability coverage for failure to protect electronic or non-electronic information in your care, custody and control. Can include coverage for acts of vendors as well.
Network Security Liability: Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach, becomes inaccessible to those who need it or unintentionally transmits a virus to a 3rd party.
Media Content Liability: Provides liability coverage for Intellectual Property and Personal Injury lawsuits stemming from your website or social media content under your direct control.
Regulatory Liability: Defense coverage for legal proceedings or investigations by Federal, State, or Foreign regulators relating to Privacy Laws.
Crisis Management:
  Legal Assistance Expense: Expenses incurred to hire an attorney to help navigate the breach response process in accordance with the multitude of State and Federal laws.
  Forensic Expense: Expenses incurred to hire a firm to conduct IT forensics investigations following a data breach.
  Notification Expense: Expenses incurred to notify members of a breach in accordance with State and Federal laws.
  Credit Monitoring Expense: Expenses incurred to provide members with access to identity protection services.
  Public Relations Expense: Expenses incurred to hire a public relations consultancy, media expenses, etc. in the wake of a data breach.
Data Recovery/Restoration: Expenses incurred to re-create data that is damaged as a result of a cyber incident.
Business Interruption: The reduction of business income resulting from an interruption of the use of a computer system caused by a network breach.
Cyber Extortion: Expenses incurred resulting from threats to introduce a system hack, virus, etc., from threats to disseminate or misuse information contained in your computer systems, or from threats to destroy or alter your computer systems.
Fines and Penalties: Where permissible by law, expenses incurred as a result of a State, Federal or other (e.g. PCI DSS) fine or penalty resulting from a data breach.
Cost Determination
Pricing
What Impacts Cost?
• Nature of PHI being held
• Number of records held/transactions processed
• Type of business
• HIPAA compliance (medical)
• Annual revenue
• IT systems, defenses, policies in place
• Loss history
Summary
Identity theft is the fastest-growing white collar crime in the U.S.
A data breach does not have to involve a computer or a crime
Privacy breach liabilities are not limited to customer data – think employees, applicants, retirees, etc.
Traditional insurance policies leave these exposures uncovered
There are critical differences between insurance options
We are here to help your business transfer this risk with expertise in Cyber/Privacy Liability
Additional Information
Steven R. Robinson
Area President
RPS ISG International
www.RPSins.com
410-901-0704 direct
800-336-5659 toll free
@CyberCoverage