Data Risks In A Digital Age
Privacy and Security Risks in a Digital Age
Risk Management Strategies
January 26, 2009
professional underwriters, inc.

Overview
- Rising tide of information security, privacy and identity theft regulation: Federal, State, International
- Requires a comprehensive approach to compliance: the Unified Approach

Data Breach Focal Points
Organizations continue to face mounting consequences for their lack of protection of private data.
Unauthorized disclosure or breach of your PII (personally identifiable information):
- Credit card or bank account numbers
- Social Security numbers
- Customer records
- Protected health information
Breach sources:
- Laptop theft
- Backup tape theft
- Wireless access breach
- E-commerce breach
- Rogue employees
- Data leakage
- Hacks and viruses
- Vendors/outsourcing

A Sectoral Approach…
- National security
- Corporate IT governance
- Health care
- Payment cards
- Consumer protection
- Financial services
- Infrastructure protection
- Higher education
- Other

… Created Numerous Laws, Regulations and Standards…
- Int'l law
- State law
- SOX
- FTCA
- Infrastructure protection
- Identity theft prevention
- Corporate governance and reporting standards (e.g., NIST and ISO 17799)
- The Payment Card Industry Data Security Standard (PCI DSS)
- FISMA
- HIPAA
- GLBA

…Which has Led to Compliance "Silos"

Creating Inefficiencies and other Problems for Our Clients
- Multiple compliance efforts cost more money: multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California law), so multiple efforts are undertaken when essentially a single effort would suffice
- Undermines overall compliance effectiveness: redundancy, inconsistency, lack of centralized oversight
- Silos: FTCA consultants, PCI consultants, Int'l consultants, State law consultants

Managing Information Risks
RISK: Avoid, Mitigate, Control, Transfer, Assume

Response: A Unified Approach to Information Security Compliance
- Includes insurance coverage (risk transfer)
- Addresses all of the legal requirements: security, privacy and identity theft
- Uses popular standards and compliance frameworks (risk assumption, mitigation and control)
- Result: a comprehensive risk management program
Possibly Applicable Laws
- State law: notice of breach laws; data security laws; disposal and destruction rules
- Federal: Sarbanes-Oxley; Federal Trade Commission Act
- International: EU Data Protection Directive (e.g., UK and Ireland); PIPEDA and Canadian provincial law; Australia

State Laws
- Notice, data security and disposal laws all cover "personal information"
- Personal information in most states does not include encrypted information

State Notice of Breach Laws
- 44 states have a notice of breach law, plus the District of Columbia (B16-810, D.C. Code § 28-3851) and Puerto Rico (Law 111 and Regulation 7207)
- The following states do not have a notice of breach law: Alabama, Kentucky, Missouri, Mississippi, New Mexico, South Dakota
- Most require businesses and/or government to notify state residents if their computerized "personal information" is involved in a data breach
- Compliance obligations can differ significantly and require research of the key provisions in every state for which you hold a resident's PI

State Data Security Laws
- Ten states have laws requiring businesses to protect the "security and confidentiality" of personal information about residents: Arkansas, California, Connecticut, Maryland, Massachusetts, Nevada, Rhode Island, Oregon, Texas, and Utah
- While most require "reasonable safeguards," Oregon and Massachusetts have specific compliance requirements; e.g., Massachusetts requires entities to:
  - Implement a risk-based "comprehensive, written information security program" in accordance with a detailed list of requirements; and
  - Encrypt all personal information stored on laptops or other portable devices, all records and files transmitted over public networks "to the extent technically feasible," and all data transmitted wirelessly.

Massachusetts: Compliance Program Elements
201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, requires entities with PI to create/implement policies and procedures to:
- Assign responsibility
- Identify information assets: identify the corporate information assets that need to be protected
- Conduct a risk assessment
- Implement security controls
- Monitor effectiveness
- Regularly review the program
- Address third-party issues

Massachusetts: Safeguards
Administrative:
- Limit the amount of personal information (PI) collected, retention periods, and the persons who are allowed access
- Implement policies and procedures regarding employee access to and transport of records outside of business premises; disciplinary measures for violations of the security program; and preventing terminated employees from accessing records
- Provide security education and training for employees
Technical:
- Secure user authentication protocols
- Secure access, providing access only to those who require the information to perform their job duties; assign a unique ID and password to each person
- Encrypt records containing PI that are transmitted over the Internet, transmitted wirelessly, or stored on laptops or other portable devices
- Monitor systems for unauthorized access or use
- Keep current firewall protection, operating system security patches for systems connected to the Internet, and malware/virus software
Physical:
- Implement reasonable restrictions on physical access to records
- Store records containing PI and data in locked facilities, storage areas or containers

State Disposal Rules
- 23 states have laws on proper disposal of personal information: Alaska, Arkansas, California, Colorado, Hawaii, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Montana, Nevada, New Jersey, New York, North Carolina, Oregon, South Carolina, Tennessee, Utah, Vermont, Washington, Wisconsin
- In most states, destruction is accomplished through shredding, erasure, redaction or rendering the information unreadable or indecipherable
SOX and Security
Sarbanes-Oxley Act, 15 U.S.C. §§ 7241 and 7267
- SOX is "basically silent" on information security; however, information security is implicit:
  - Certification of effectiveness of controls (404)
  - Annual assessment and report on effectiveness of the controls (302)
- The SEC final rules require management to certify that two types of controls have been established and their effectiveness has been assessed: access security and internal controls (COBIT and COSO)

FTC Authority
- Section 5 of the FTC Act ("FTCA") permits the FTC to bring an action to address any unfair or deceptive trade practice that occurs in the course of commercial activities
- Deceptive trade practice: any commercial conduct that includes false or misleading claims, or claims that omit material facts
- Unfair trade practice: commercial conduct that causes substantial injury, without offsetting benefits, that consumers cannot reasonably avoid

FTC Security Enforcement
- Deceptive trade practices: based on the notice of privacy practices and official statements regarding how an organization safeguards sensitive information (e.g., In re Guidance Software Inc.)
- Unfair trade practices: practices that "threaten data security" are unfair practices (e.g., In re BJ's Wholesale Club)
- GLBA Safeguards: violations of the Safeguards Rule (e.g., In re Superior Mortgage Corp.)

Recent Enforcement/Consent Orders - FTCA
- In re Reed Elsevier Inc., FTC, File No. 052 3094 (3/27/08)
- In re TJX Cos. Inc., FTC, File No. 072 3055 (3/27/08)
- United States v. ValueClick Inc., C.D. Cal., No. CV08-01711 (3/17/08)
- Life is good Inc., FTC, File No. 072-3046 (1/17/08)
- In re Guidance Software Inc., FTC, File No. 062 3057 (11/16/06)
- United States v. ChoicePoint, 106-cv-0198 (N.D. Ga., 2-15-06)
- In re CardSystems Solutions Inc., FTC, File No. 052 3148 (9/5/06)
Total of 18 cases

FTC Consent Orders and Security
Security program elements:
- Designate an employee or employees to coordinate the information security program;
- Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
- Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
- Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and
- Evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs
Implement administrative, technical, and physical safeguards appropriate to the size and nature of the company's activities and the sensitivity of the personal information collected by each organization.
Biennial outside assessment of security programs for 20 years: the auditor's certification that the companies' security programs meet or exceed the requirements of the consent orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers' PI is being protected. Must be performed by a CISSP or equivalent.
International Laws
EU Data Protection Directive
- Purpose: to protect individuals with respect to the "processing" of personal information, and to ensure that personal data may be freely transferred
- Information security (Article 17): appropriate technical and organizational measures to protect data against destruction, loss, alteration, or unauthorized disclosure
Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
- Purpose: "every organization" that "collects, uses or discloses" personal information "in the course of commercial activities" must take steps to protect individual privacy
- Security standards: these must be commensurate with the sensitivity of the information the organization holds. Measures should address the manner in which the information is stored, and should protect against loss or theft as well as unauthorized access, disclosure, copying, use, or modification of the data
Others, including APEC

Inadequacy of U.S. Protections
- Article 25: Member States are to enact laws prohibiting the transfer of personal data to countries outside the EU that fail to ensure an "adequate level of (privacy) protection"
- US privacy laws have been deemed inadequate by the EU
The following methods can be used to obtain personal information from EU countries:
- Data transfer agreement: bind the (U.S.) importer to provide adequate protections (Article 26)
- US Safe Harbor provisions: certify compliance with Safe Harbor
- Unambiguous informed consent: the EU company may transfer the data if it obtains an unambiguous informed consent from every data subject before each transfer is made
- Binding corporate rules: the use of internal policy rules, procedures and mechanisms to ensure the rights of data subjects

Unified Approach to Security
The slide matrix maps each safeguard below against five sources of security practices: State law, FTCA, PCI DSS, NIST FIPS and ISO 27002. Nearly every cell carries a check mark; two cells in the administrative rows are marked X (not addressed).
Administrative safeguards:
- Security management process
- Assigned security responsibility
- Workforce security
- Management of information access
- Security incident procedures
- Contingency planning
- Review/evaluation
- Contracts
- Security awareness and training
Physical safeguards:
- Facility access controls
- Workstation use and security
- Device and media controls
Technical safeguards:
- Access control
- Audit controls
- Integrity controls
- Person or entity authentication
- Transmission security

Consider all of Your Security and Privacy Compliance Requirements
SOX, FTCA, State, International, PCI DSS, ISO, FTCA (CO), COBIT, COSO, OECD, AICPA, PCI 1.2
Follow a UNIFIED APPROACH to compliance
Part 2: Risk Transfer: A Valuable Tool for Risk Management
RISK: Avoid, Mitigate, Control, Transfer, Assume (focus: Transfer)
Data Breach Focal Points (the earlier slide, repeated)
Organizations continue to face mounting consequences for their lack of protection of private data.
Risk Transfer
One risk management tactic is risk transfer. Coverage components:
- Business interruption: protects you from attacks on your network
- Crisis management: pays for costs associated with public relations damage control
- Network extortion: protects you from threats of attack on your network
- Media: covers libel, slander and unfair trade practices via the organization's website or electronic media
- Network security: covers liability caused by a breach of the network (e.g., hack or viruses)
- Privacy: protects organizations from losing or compromising employee and third-party data

How do the policies work?
- They are all different
- Liability policies
- Different triggers on the regulatory costs
- It is important to understand what YOU want out of the insurance, as different policies have different strengths in different areas

Important Coverage Trends
- Moving away from network security towards privacy: original policies focused on external breaches of the network; new policies also have privacy triggers
- Third-party contractor coverage not limited to natural persons
- Emphasis on notification costs
- Regulatory fines and penalties coverage

The Application Process
The underwriting (just like the coverage) for a privacy/security insurance policy varies depending on the carrier:
- Policy-driven
- Technically-driven
- Very limited evaluation

Example: Darwin
- New application that accounts for new security technology; many applications are dated, if only by a few years, and miss key areas such as wireless networks
- For larger organizations, we will sometimes ask for a conference call. This allows us to 'meet' the security personnel and get a more in-depth look at security processes and procedures.
- Pricing is based on unique records and revenues

Risk Management
- Incident response: how do you respond to a breach? Who do you call?
- Privacy consultation
- Best practices for contracts

Darwin / Pepper Offering
- Darwin Privacy//403 insurance coverage, including a 1-hour consultation annually (Pepper)
- Incident response services (Pepper): breach investigations; breach notices
- Other related services from Darwin
- Other services from Pepper: complex state, federal and international privacy and security compliance programs; identity theft prevention and response assistance; agency investigations/compliance with consent orders; electronic data retention and destruction programs

So…How do you sell it?
Issues:
- No one understands the risks
- No one understands the coverage
- No one knows how much it should cost
- Limited transactional experience
What has changed?
- More expertise from certain distributors
- Increased claims experience and examples
- Increased benchmarks on limit and price

Allied World/Darwin Financial Strength
- Darwin was recently acquired by Allied World and operates with an A "Excellent" rating by A.M. Best
- Darwin is a recognized errors and omissions market, both medical and non-medical
- Strong risk management culture

Takeaways
- The use of technology has triggered real consequences for the lack of data protection
- Government action and regulation is adding concern for all organizations
- Breaches can be very expensive, and are getting more expensive
- Consider risk transfer as one option for managing your risk

Thank You
Adam Sills, AVP, Technology Liability Underwriting, (860)-284-1382, [email_address]
M. Peter Adler, Attorney at Law, Direct: 202.220.1278, Direct Fax: 800.684.2749, [email_address]
Hamilton Square, 600 Fourteenth Street, N.W., Washington DC 20005-2004, 202.220.1200, Fax: 202.220.1665, www.pepperlaw.com
professional underwriters, inc

More Related Content

PPTX
Defensible cybersecurity-jan-25th-
PDF
11 pp-cybersecurity-revised2 a
PDF
Supply Chain Risk Management corrected - Whitepaper
PDF
Cyber Security Vendor Risk Management /Supply Chain Risk Management
PPTX
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
PPTX
Robert Nichols: Cybersecurity for Government Contractors
PDF
Don't let them take a byte
PDF
Cybersecurity and The Board
Defensible cybersecurity-jan-25th-
11 pp-cybersecurity-revised2 a
Supply Chain Risk Management corrected - Whitepaper
Cyber Security Vendor Risk Management /Supply Chain Risk Management
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
Robert Nichols: Cybersecurity for Government Contractors
Don't let them take a byte
Cybersecurity and The Board

What's hot (19)

PDF
Emerging Trends in Information Privacy and Security
PDF
Implementing a Security Management Framework
PPTX
Data Security and Regulatory Compliance
PPTX
Protecting the "Crown Jewels" by Henrik Bodskov, IBM
PPTX
A guide to Sustainable Cyber Security
PPTX
Protecting the Crown Jewels – Enlist the Beefeaters
PDF
Managed Security For A Not So Secure World Wp090991
PDF
Protecting Corporate Information in the Cloud
PDF
July 2010 Cover Story
PPT
Securing Your "Crown Jewels": Do You Have What it Takes?
PPT
Boards' Eye View of Digital Risk & GDPR v2
PPTX
Cybersecurity: What does Cyber Insurance Cover?
PDF
Leveraging Board Governance for Cybersecurity
PDF
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
PPT
Protecting Donor Privacy
PPT
Statewide Insurance Brokers - Cyber Insurance 101
PPTX
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
PPTX
Key Cyber Security Issues for Government Contractors
PDF
ACFN vISO eBook
Emerging Trends in Information Privacy and Security
Implementing a Security Management Framework
Data Security and Regulatory Compliance
Protecting the "Crown Jewels" by Henrik Bodskov, IBM
A guide to Sustainable Cyber Security
Protecting the Crown Jewels – Enlist the Beefeaters
Managed Security For A Not So Secure World Wp090991
Protecting Corporate Information in the Cloud
July 2010 Cover Story
Securing Your "Crown Jewels": Do You Have What it Takes?
Boards' Eye View of Digital Risk & GDPR v2
Cybersecurity: What does Cyber Insurance Cover?
Leveraging Board Governance for Cybersecurity
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Protecting Donor Privacy
Statewide Insurance Brokers - Cyber Insurance 101
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Key Cyber Security Issues for Government Contractors
ACFN vISO eBook
Ad

Viewers also liked (12)

PPT
Information Security
PPTX
Privacy and education in the internet age
PDF
India Top5 Information Security Concerns 2013
PPT
Cyberstalking
PPTX
Privacy in the Digital Age
PPT
07 E-commerce Advertising
PDF
Copyright & related rights (1 of 2)
PPTX
Security issues in e business
PPTX
E-Business & E-Commerce Basics
PPT
Skimming & Scanning
PPTX
PHISHING PROJECT REPORT
PPTX
Security in E-commerce
Information Security
Privacy and education in the internet age
India Top5 Information Security Concerns 2013
Cyberstalking
Privacy in the Digital Age
07 E-commerce Advertising
Copyright & related rights (1 of 2)
Security issues in e business
E-Business & E-Commerce Basics
Skimming & Scanning
PHISHING PROJECT REPORT
Security in E-commerce
Ad

Similar to Data Risks In A Digital Age (20)

PPT
Law firm information security overview focus on encryption by dave cunningh...
PPT
The New Massachusetts Privacy Rules (February 2, 2010)
PPT
The New Massachusetts Privacy Rules V4
PPT
The New Massachusetts Privacy Rules V4
PPT
The New Massachusetts Privacy Rules V4
PPTX
Cybersecurity Law and Risk Management
PPT
ISSA Data Retention Policy Development
PDF
An Overview of the Major Compliance Requirements
PPTX
The new massachusetts privacy rules v5.35.1
PDF
Lecture 8.pdf
PPTX
Data Privacy Introduction
PPT
Mass Information Security Requirements January 2010
PPTX
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
PPTX
Basic terms and scope of audit in cyber security
PDF
Complying with Cybersecurity Regulations for IBM i Servers and Data
PPTX
Keep Calm and Comply: 3 Keys to GDPR Success
PPTX
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
PPT
Legal issues of domain names & trademarks
PPS
Keeping Client Data Safe (Final)
PDF
STUCOR_CS8792-LL.pdf
Law firm information security overview focus on encryption by dave cunningh...
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
Cybersecurity Law and Risk Management
ISSA Data Retention Policy Development
An Overview of the Major Compliance Requirements
The new massachusetts privacy rules v5.35.1
Lecture 8.pdf
Data Privacy Introduction
Mass Information Security Requirements January 2010
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Basic terms and scope of audit in cyber security
Complying with Cybersecurity Regulations for IBM i Servers and Data
Keep Calm and Comply: 3 Keys to GDPR Success
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Legal issues of domain names & trademarks
Keeping Client Data Safe (Final)
STUCOR_CS8792-LL.pdf

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPTX
Tartificialntelligence_presentation.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
Machine Learning_overview_presentation.pptx
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PPTX
Spectroscopy.pptx food analysis technology
PDF
Empathic Computing: Creating Shared Understanding
PDF
Machine learning based COVID-19 study performance prediction
The Rise and Fall of 3GPP – Time for a Sabbatical?
MIND Revenue Release Quarter 2 2025 Press Release
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Tartificialntelligence_presentation.pptx
cuic standard and advanced reporting.pdf
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
20250228 LYD VKU AI Blended-Learning.pptx
Encapsulation_ Review paper, used for researhc scholars
Reach Out and Touch Someone: Haptics and Empathic Computing
Group 1 Presentation -Planning and Decision Making .pptx
gpt5_lecture_notes_comprehensive_20250812015547.pdf
“AI and Expert System Decision Support & Business Intelligence Systems”
SOPHOS-XG Firewall Administrator PPT.pptx
Advanced methodologies resolving dimensionality complications for autism neur...
Digital-Transformation-Roadmap-for-Companies.pptx
Machine Learning_overview_presentation.pptx
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Spectroscopy.pptx food analysis technology
Empathic Computing: Creating Shared Understanding
Machine learning based COVID-19 study performance prediction

Data Risks In A Digital Age

  • 1. Privacy and Security Risks in a Digital Age Risk Management Strategies January 26, 2009 professional underwriters, inc .
  • 2. Overview Rising tide of information security, privacy and identity theft regulation Federal State International Requires a Comprehensive approach to compliance The Unified Approach
  • 3. Data Breach Focal Points Organizations continue to face mounting consequences with their lack of protection of private data. Unauthorized Disclosure or Breach of Your PII Personally Identifiable Information Credit Card or Bank Account Numbers Social Security Numbers Customer Records Protected Health Information Laptop Theft Backup Tape Theft Wireless Access Breach E-Commerce Breach Rogue Employees Data Leakage Hacks & Viruses Vendors/ Outsourcing
  • 4. A Sectoral Approach… National Security Corporate IT Governance Health Care Payment Cards Consumer Protection Financial Services Infrastructure Protection Other Higher Education
  • 5. … Created Numerous Laws, Regulations and Standards… Int’l Law State Law SOX FTCA Infrastructure Protection Identify Theft Prevention Corporate Governance and Reporting Standards ( e.g., NIST and ISO 17799) The Payment Card Industry Data Security Standard (PCI DSS) FISMA HIPAA GLBA
  • 6. …Which has Led to Compliance “Silos”
  • 7. Creating Inefficiencies and other Problems for Our Clients Multiple Compliance Efforts Costs more money Multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California Law) So multiple efforts are undertaken when essentially a single effort would suffice Undermine overall compliance effectiveness Redundancy, inconsistency, lack of centralized oversight FTCA Consultants PCI Consultants Int’l Consultants State Law Consultants
  • 8. Managing Information Risks Avoid Mitigate Control Transfer Assume RISK
  • 9. Response: A Unified Approach to Information Security Compliance Includes Insurance Coverage Addresses all of the legal requirements: Security, Privacy and Identity Theft Uses popular standards and compliance frameworks Risk Assumption, Mitigation and Control Risk Transfer Comprehensive Risk Management Program
  • 10. Possibly Applicable Laws State Law Notice of Breach Law Data Security Laws Disposal and Destruction Rules Federal Sarbanes Oxley Federal Trade Commission Act EU Data Protection Directive International EU Data Protection Directive (e.g., UK and Ireland) PIPEDA and Canadian Provincial Australia
  • 11. State Laws Notice, Data Security and Disposal all cover “personal information” Personal Information in most states does not include encrypted information
  • 12. State Notice of Breach Laws The following states do not have a notice of breach law: Alabama Kentucky Missouri Mississippi New Mexico South Dakota 44 States PLUS: District of Columbia (B16-810, D.C. Code § 28-3851) Puerto Rico (Law 111 and Regulation 7207) Most require businesses and/or government to notify state residents if their computerized “personal information” is involved in a data breach Compliance obligations can differ significantly and requires research of key provisions in every state for which you have a resident’s PI
  • 13. State Data Security Laws Ten States have laws requiring businesses to protect the “security and confidentiality” of personal information about residents Arkansas, California, Connecticut, Maryland, Massachusetts, Nevada, Rhode Island, Oregon, Texas, and Utah While most require “reasonable safeguards,” Oregon and Massachusetts have specific compliance requirements e.g., Massachusetts requires entities to Implement a risk-based “ comprehensive, written information security program” in accordance with a detailed list of requirements; and Encrypt all personal information stored on laptops or other portable devices, all records and files transmitted over public networks “to the extent technically feasible,” and all data transmitted wirelessly.
  • 14. Massachusetts: Compliance Program Elements 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth requires entities with PI to create/implement policies and procedures to: Assign Responsibility Identify Information Assets : Identify the corporate information assets that need to be protected Conduct Risk Assessment Implement Security Controls Monitor Effectiveness Regularly Review Program Address Third Party Issues
  • 15. Massachusetts: Safeguards - Limit the amount of personal information (PI) collected, retention periods, and the persons who are allowed to access - Implement policies and procedures regarding: employee access and transport of records outside of business premises; Disciplinary measures for violations of the security program; To prevent terminated employees from accessing records; and - Provide Security education and training for employees. - Secure user authentication protocols; - Secure access, providing access to only to those require information to perform their job duties; assign unique ID and passwords to each person; - Encrypt records containing PI transmitted over the Internet, transmitted wirelessly, or are stored on laptops or other portable devices; - Monitor systems for unauthorized access or use; and - Keep current firewall protection, operating system security patches for systems connected to the Internet, and malware/virus software. - Implement reasonable restrictions on physical access to records; and - storage of records containing PI and data in locked facilities, storage areas or containers. Physical Administrative Technical
  • 16. State Disposal Rules 23 States have laws on proper disposal of Personal Information Alaska, Arkansas, California, Colorado, Hawaii, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Montana, Nevada, New Jersey, New York, North Carolina, Oregon, South Carolina, Tennessee, Utah, Vermont, Washington , Wisconsin In most states, destruction is accomplished through shredding, erasure, redaction or rendering the information unreadable or indecipherable
  • 17. SOX and Security Sa r b a n e s O x l e y A c t , 1 5 U . S . C . §§7241 and 7267 SOX is "basically silent" on information security, However Information Security is implicit: Certification of effectiveness of controls (404) Annual assessment and report on effectiveness of the controls (302) The SEC final rules rules require management to certify that two types of controls have been established and their effectiveness has been assessed Access Security Internal Controls COBIT and COSO
  • 18. FTC Authority Section 5 of the FTC Act (“FTCA”) permits the FTC to bring an action to address any unfair or deceptive trade practice that occur in the course of commercial activities Deceptive trade practice is any commercial conduct that includes false or misleading claims or claims that omit material facts Unfair trade practices are commercial conduct that causes substantial injury, without offsetting benefits and that consumers cannot reasonably avoid
  • 19. FTC Security Enforcement Based on notice of privacy practices and official statements regarding how an organization safeguards sensitive information. (e.g., In re Guidance Software Inc. Deceptive Trade Practices Unfair Trade Practices Practices that "threaten data security“ are unfair practices. (e.g., In re BJ’s Wholesale Club ) GLBA Safeguards Violations of Safeguards Rule, (e.g., In re Superior Mortgage Corp. )
  • 20. Recent Enforcement/Consent Orders - FTCA In re Reed Elsevier Inc. , FTC, File No. 052 3094, 3/27/08 In re TJX Cos. Inc. , FTC, File No. 072 3055 (3/27/08) United States v. ValueClick Inc. , C.D. Cal., No. CV08-01711, (3/17/08) Life is good Inc. , FTC, File No. 072-3046, (1/17/08) In re Guidance Software Inc. , FTC, File No. 062 3057 (11/16/06) United States v. ChoicePoint , 106-cv-0198 (N.D. GA, 2-15-06) In re CardSystems Solutions Inc ., FTC, File No. 052 3148 (9/5/06) Total of 18 Cases
  • 21. FTC Consent Orders and Security Security Program Elements: designate an employee or employees to coordinate the information security program; identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place; design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness; develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs Implement administrative, technical, and physical safeguards appropriate to the size, the nature of the company’s activities, and the sensitivity of the personal information collected by each organization. Biennial outside assessment of security programs basis for 20 years. Auditors certification that the companies' security programs meet or exceed the requirements of the consent orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers' PI is being protected. Must be performed by a CISSP or equivalent
  • 22. International Laws
    EU Data Protection Directive
    - Purpose: to protect individuals with respect to "processing" of personal information, and to ensure that personal data may be freely transferred
    - Information Security (Article 17): appropriate technical and organizational measures to protect data against destruction, loss, alteration, or unauthorized disclosure
    Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
    - Purpose: "every organization" that "collects, uses or discloses" personal information "in the course of commercial activities" must take steps to protect individual privacy
    - Security Standards: these must be made commensurate with the sensitivity of the information the organization holds. Measures should address the manner in which the information is stored and should protect against loss or theft as well as unauthorized access, disclosure, copying, use, or modification of the data
    Others, including APEC
  • 23. Inadequacy of U.S. Protections
    Article 25: Member States to enact laws prohibiting the transfer of personal data to countries outside the EU that fail to ensure an "adequate level of (privacy) protection". US privacy laws deemed inadequate by the EU.
    The following methods can be used to obtain personal information from EU countries:
    - Data Transfer Agreement: bind the (U.S.) importer to provide adequate protections (Article 26)
    - US Safe Harbor Provisions: certify compliance with Safe Harbor
    - Unambiguous Informed Consent: the EU company may transfer the data if it obtains an unambiguous informed consent from every data subject before each transfer is made
    - Binding Corporate Rules: the use of internal policy rules, procedures and mechanisms to ensure the rights of data subjects
  • 24. Unified Approach To Security
    Table mapping each security practice (Administrative Safeguards) against State law, FTCA, PCI DSS, NIST FIPS and ISO 27002:
    - Security Management Process
    - Assigned Security Responsibility
    - Workforce Security
    - Management of Information Access
    - Security Awareness and Training
    - Security Incident Procedures
    - Contingency Planning
    - Review/Evaluation
    - Contracts (marked X in two columns)
  • 25. Unified Approach to Security
    Table mapping each security practice (Physical and Technical Safeguards) against State law, FTCA, PCI DSS, NIST FIPS and ISO 27002:
    Physical Safeguards:
    - Facility Access Controls
    - Workstation Use and Security
    - Device and Media Controls
    Technical Safeguards:
    - Access Control
    - Audit Controls
    - Integrity Controls
    - Person or Entity Authentication
    - Transmission Security
  • 26. Consider all of Your Security and Privacy Compliance Requirements
    SOX, FTCA, State, International, PCI DSS, ISO, FTCA (CO), COBIT, COSO, OECD, AICPA, PCI 1.2
    Follow a UNIFIED APPROACH to Compliance
  • 27. Part 2 - Risk Transfer: A Valuable Tool for Risk Management
    (Risk management diagram: Avoid, Mitigate, Control, Transfer, Assume; this part focuses on Transfer)
  • 28. Data Breach Focal Points
    Organizations continue to face mounting consequences from their lack of protection of private data.
    Unauthorized Disclosure or Breach of Your PII (Personally Identifiable Information): Credit Card or Bank Account Numbers, Social Security Numbers, Customer Records, Protected Health Information
    Breach vectors: Laptop Theft, Backup Tape Theft, Wireless Access Breach, E-Commerce Breach, Rogue Employees, Data Leakage, Hacks & Viruses, Vendors/Outsourcing
  • 29. Risk Transfer
    One risk management tactic is risk transfer. Coverages include:
    - Network Security: covers liability caused by a breach of the network (e.g., hack or viruses)
    - Privacy: protects organizations from losing or compromising employee and third party data
    - Media: covers libel, slander, and unfair trade practices via the organization's website or electronic media
    - Business Interruption: protects you from attacks on your network
    - Crisis Management: pays for costs associated with public relations damage control
    - Network Extortion: protects you from threats of attack on your network
  • 30. How do the policies work?
    - They are all different
    - Liability policies
    - Different triggers on the regulatory costs
    - It is important to understand what YOU want out of the insurance, as different policies have different strengths in different areas
  • 31. Important Coverage Trends
    - Moving away from network security towards privacy: original policies focused on external breaches of the network; new policies also have privacy triggers
    - Third party contractor coverage not limited to natural persons
    - Emphasis on notification costs
    - Regulatory fines and penalties coverage
  • 32. The Application Process
    The underwriting (just like the coverage) for a privacy/security insurance policy varies depending on the carrier:
    - Policy-driven
    - Technically-driven
    - Very limited evaluation
  • 33. Example: Darwin
    - New application that accounts for new security technology. Many applications are dated, if only by a few years, and miss key areas such as wireless networks.
    - For larger organizations, we will sometimes ask for a conference call. This allows us to 'meet' the security personnel and get a more in-depth look at security processes and procedures.
    - Pricing is based on unique records and revenues.
  • 34. Risk Management
    - Incident Response: How do you respond to a breach? Who do you call?
    - Privacy consultation
    - Best practices for contracts
  • 35. Darwin / Pepper Offering
    Darwin Privacy//403 Insurance Coverage, including:
    - 1 hour consultation annually (Pepper)
    - Incident response services (Pepper): breach investigations, breach notices
    - Other related services from Darwin
    Other services from Pepper:
    - Complex state, federal and international privacy and security compliance programs
    - Identity theft prevention and response assistance
    - Agency investigations/compliance with consent orders
    - Electronic data retention and destruction programs
  • 36. So... How do you sell it?
    Issues:
    - No one understands the risks
    - No one understands the coverage
    - No one knows how much it should cost
    - Limited transactional experience
    What has changed?
    - More expertise from certain distributors
    - Increased claims experience and examples
    - Increased benchmarks on limit and price
  • 37. Allied World/Darwin Financial Strength
    - Darwin was recently acquired by Allied World and operates with an A "Excellent" rating by A.M. Best
    - Darwin is a recognized errors and omissions market, both medical and non-medical
    - Strong risk management culture
  • 38. Takeaways
    - The use of technology has triggered real consequences for the lack of data protection
    - Government action and regulation are adding concern for all organizations
    - Breaches can be very expensive, and are getting more expensive
    - Consider risk transfer as one option for managing your risk
  • 39. Thank You
    Adam Sills, AVP, Technology Liability Underwriting, (860)-284-1382, [email_address]
    M. Peter Adler, Attorney at Law, Direct: 202.220.1278, Direct Fax: 800.684.2749, [email_address]
    Hamilton Square, 600 Fourteenth Street, N.W., Washington DC 20005-2004, 202.220.1200, Fax: 202.220.1665, www.pepperlaw.com
    professional underwriters, inc