Protecting Your Business From Privacy/Data...

Protecting Your Business From Privacy/Data Breach Presented by: Steve Robinson Area President RPS ISG International June 25, 2013 RPS ISG International

Transcript of Protecting Your Business From Privacy/Data...

Page 1: Protecting Your Business From Privacy/Data Breacheasternshore.shrm.org/sites/easternshore.shrm.org...Jun 25, 2013  · Media Content Liability Provides liability coverage for Intellectual

Protecting Your Business From Privacy/Data Breach

Presented by: Steve Robinson, Area President, RPS ISG International

June 25, 2013


Agenda

Privacy risks in today’s business – what makes us susceptible?

Real privacy events

Risk prevention

Risk transfer

Chronology of a Breach & Insurance Response

Cost Determination

Conclusion / Q&A


Privacy Risks in today’s business environment

What makes us susceptible?

Types of information stored:

• Protected Health Information (PHI)

• Personally Identifiable, Non-Public Information (PII)

• Financial information

• Other types of data

Lack of institutional controls

Demand for portability of EMRs (healthcare)

Black market for PII & PHI


Black Market value of Medical Records

Source: Digital Health Conference Panel, NYC 12/1/2011

• Why?

• PHI = data rich

• Unable to cancel

• Uses:

• Fraudulent ins. claims

• Medical treatment

• Prescription drugs

• Surgeries

• Resale to black market


Source: Open Security Foundation


Real Privacy Events

04/02/2013 www.atq.state.vt.us: “Online purchasers’ personal information and credit card numbers exfiltrated and misused after malware inserted into system.”

06/18/2013 http://fox4kc.com: “Former applicants and tenants’ SS#’s, bank statements and other personal info found in apartment complex dumpster.”

06/12/2013 Palo Alto Online: “Laptop stolen from Packard Hospital contained medical information on pediatric patients.”

03/12/13 http://doj.nh.gov: “Newsletter mailing to employees and retirees embedded Social Security Numbers in mailing labels.”

02/14/13 http://news.sonomaportal.com: “1,386 surgery patients information accidentally uploaded by an employee to hospital website.”


A Threat To Small Business

Source: StaySafeOnline.org


Risk Prevention

RPS Technology & Cyber


How Can Businesses Reduce Their Risk? Data Management*

Collection

What customer/employee data are you storing?

Do you need to store it?

Access

Who in your organization has access to sensitive information?

Do those with access absolutely need access to perform their job?

Is any sensitive information publicly available?

Use

Are you using employee and customer data in the manner originally intended (and consistent with the way you communicated)?

Storage

Where is your data stored?

Is the stored information protected by access controls that change regularly?

Does sensitive employee or customer information exist in multiple formats?

Eradication

How long do you keep private employee/applicant information?

What do you do with info (in any format) you no longer need?

3rd party vendor agreements for EMR, doc storage, disposal, janitorial services, etc.

Source: NTEN – Nonprofit Technology Network


How Can Businesses Reduce Their Risk? Policies & Procedures

Privacy

Do you have a written privacy policy in place?

Have employees been trained?

Social Media

Inventory your social media presence - regularly

Restrict authority for creation and content management on behalf of your business to one or two designated employees

Are there restrictions for social media access on systems that connect to your network containing personal information on customers, employees, etc.?

Websites, Intellectual Property & Electronic Communication

Consistency of content and message?

Legal review?

Have appropriate rights been secured?

Staff training in email etiquette?

Network Security

Software, patch management, spam filters, firewall protection, etc. & Credentialing

Encryption of data - at rest and in a mobile state

Vulnerability testing

Mobile Devices

BYOD policies


How Can Businesses Reduce Their Risk? Risk Transfer

Vendor Agreements

Appropriate transfer of liability language in vendor contracts?

Cloud providers

Payment processors

Website hosting services

Document disposal, storage and janitorial services

Insurance

Cyber/Privacy Liability Insurance


Risk Transfer Cyber/Privacy/Network Security Liability Insurance

RPS Technology & Cyber


Exclusions exist in traditional insurance policies for privacy breach

• General Liability

▫ Limitations on privacy injury

▫ Exclusions for copyright, trademark, etc.

▫ Exclusions for social media

• Property – Exclusions for electronic data & cost to re-create

• Business Interruption coverage will not respond to outages caused by computer viruses or hackers

• Erosion of limits


How Policies Respond to Business Needs – 3rd Party

Privacy Liability

• Release of PII & PHI and resulting litigation

• Breach of cloud provider network where customer/employee information is held

• Breach involving other 3rd party information holders, processors, etc.


How Policies Respond to Client Needs – 3rd Party

Privacy Liability

• Release of PHI & PII and the resulting lawsuits

• Breach of cloud provider network where patient information is held

• Breach involving other 3rd party information holders, processors, etc.

Media/Website Liability

• Social networking – sponsored by a business – defamation, slander

• Copyright/trademark infringement – websites and social media

• YouTube promotional or educational materials sponsored by the business


How Policies Respond to Client Needs – 3rd Party

Network Security Liability

• Transmission of virus, etc. via your network to outside computers or other outside networks

• Inaccessibility of network due to cyber event

“Malware threatens diagnostic equipment and magnetic resonance imaging devices.” www.technologyreview.com, December 17, 2012


How the Breach Plays Out & How Insurance Can Respond


Cyber/Privacy/Network Security Insurance


| Exposure Category | Description |
|---|---|
| Privacy Liability | Provides liability coverage for failure to protect electronic or non-electronic information in your care custody and control. Can include coverage for acts of vendors as well. |
| Network Security Liability | Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach, becomes inaccessible to those who need it or unintentionally transmits a virus to a 3rd party. |
| Media Content Liability | Provides liability coverage for Intellectual Property and Personal Injury lawsuits stemming from your website or social media content under your direct control. |
| Regulatory Liability | Defense coverage for legal proceedings or investigations by Federal, State, or Foreign regulators relating to Privacy Laws. |
| Crisis Management | |
| Legal Assistance Expense | Expenses incurred to hire an attorney to help navigate the breach response process in accordance with the multitude of State and federal laws. |
| Forensic Expense | Expenses incurred to hire a firm to conduct IT forensics investigations following a data breach. |
| Notification Expense | Expenses incurred to notify members of a breach in accordance with State and Federal laws. |
| Credit Monitoring Expense | Expenses incurred to provide members with access to identity protection services. |
| Public Relations Expense | Expenses incurred to hire a public relations consultancy, media expenses, etc. in the wake of a data breach. |
| Data Recovery/Restoration | Expenses incurred to re-create data that is damaged as a result of a cyber incident. |
| Business Interruption | The reduction of business income as a result of an interruption or use of a computer system as a result of a network breach to their system. |
| Cyber Extortion | Expenses incurred resulting from threats to introduce a system hack, virus, etc. or from threats to disseminate or use information contained in your computer systems to destroy or alter your computer systems. |
| Fines and Penalties | Where permissible by law, expenses incurred as a result of a State, Federal or other (PCI DSS) fine or penalty resulting from a data breach. |


Cost Determination


Pricing

What Impacts Cost?

• Nature of PHI being held

• Number of records held/transactions processed

• Type of business

• HIPAA compliance (medical)

• Annual revenue

• IT systems, defenses, policies in place

• Loss history


Summary

Identity theft is the fastest-growing white collar crime in the U.S.

A data breach does not have to involve a computer or a crime

Privacy breach liabilities are not limited to customer data – think employees, applicants, retirees, etc.

Traditional insurance policies leave these exposures uncovered

There are critical differences between insurance options

We are here to help your business transfer this risk with expertise in Cyber/Privacy Liability


Additional Information

Steven R. Robinson

Area President

RPS ISG International

[email protected]

www.RPSins.com

410-901-0704 direct

800-336-5659 toll free

@CyberCoverage