Data Breach Risks Overview
Heather Pixton
www2.idexpertscorp.com

Agenda

• What you need to know about data breaches
  – What Are Data Breaches?
  – Cyber Threats and Trends
  – Recommended Proactive Efforts
  – Breach Response Best Practices

What is a Data Breach*?

• All breaches start as incidents, but not all incidents end up as breaches
  – "Incident" = attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI/PII
  – "Breach" = acquisition, access, use, or disclosure of PHI/PII [that poses a significant risk of financial, reputational, or other harm]*

Data Breach is a “Legal” Construct

* The definition of “data breach” varies across specific legislation and rules. In US states, many include a “harm threshold”

Data Privacy, Security, Breach Notification

• 46 states and three territories have breach laws
  – PII/PHI; 33 Have Harm-Test; Exceptions; Notification Thresholds
• FCRA, FACT Act, PCI-DSS
  – Provide for security of financial data
  – FTC enforcement
• HIPAA/HITECH Privacy, Security, Breach Notification
  – Omnibus Rule just issued; HHS/OCR enforcement

Regulatory Complexity

Annual Data Breaches By the Numbers

• 855*: Estimated incidents (excluding healthcare)
• 174,000,000*: Number of affected individuals
• $33.7 billion**: Estimated economic impact

* Verizon 2012 Data Breach Investigations Report
** Derived from Ponemon Institute 2011 Cost of Data Breach Study, March 2012

Leading Causes of Data Breaches*

[Bar chart, 0% to 60% scale, with series for FY 2012, FY 2011 and FY 2010. Categories: Intentional non-malicious employee action; Malicious insider; Technical systems glitch; Criminal attack; Third-party snafu; Unintentional employee action; Lost or stolen computing device.]

* Source: Ponemon Institute 2012 Cost of Data Breach Study, March 2013

A Couple Breach Examples

Malicious

Careless

Three Key Steps to Managing Risk*

• Risk assessment: the basis for security governance; assets in scope, dependencies, transparency

• Security measures: take appropriate measures; logical redundancy, monitoring & audits

• Incident reporting: mandatory reporting, legal consequences, data breach regulatory requirements

* European Network and Information Security Agency (ENISA), Critical Cloud Computing, December, 2012

Best Practice Based on ENISA Framework for Effective Governance

If You Do Nothing Else…

• A risk assessment will
  – Inventory your organization’s data to understand your data breach risk exposure
  – Review privacy & security policies/procedures to identify gaps
  – Evaluate security technologies and controls
  – Review insurance for data breach coverage

Do a privacy and security risk assessment

When a Data Breach Occurs

• Small/medium-sized businesses must rely on a trusted partner
  – Help you determine if your incident is a breach
  – Develop a proportionate and compliant breach response
  – Provide the proper level of concern and care to the affected individuals (customers)

Have a Plan

YourResponse™

The only structured, repeatable methodology for data breach response that leads to reduced risks and positive outcomes

Looks Complicated. Does That Make it Expensive?

Not Necessarily.

• Using YourResponse, you will realize lower costs by
  – Formulating response that is least costly based on a victim risk profile
  – Reducing risks of fines/penalties due to use of a rigorous and documented methodology
  – Breach response managed by experienced firm with volume cost structure

Jeremy Henley

Insurance Solutions Executive

Questions?