Data Security Roundtable COMBINED.ppt · • Evaluating Insurance as an Option ... • Any information that relates to the past, present, or future physical or mental ... • Data


Page 1: Data Security Roundtable COMBINED.ppt · • Evaluating Insurance as an Option ... • Any information that relates to the past, present, or future physical or mental ... • Data

WELCOME

Data Security Seminar, November 7, 2012

Page 2

Data Security Seminar: Technology, Legal and Risk Management Roundtable

November 7, 2012

L. Spencer Timmel, CITRMS, Privacy and Network Security Specialist, Hylant Group

Chris Watson, MBA, CISA, CRISC, Internal Audit and Risk Advisory Services, Schneider Downs

Page 3

Discussion

• Sensitive Data

• High Risk Industries

• Unplanned Cash Flows

• Cost of a Data Breach Statistics

• Notable Privacy Incidents

• Legal Developments (Patrick Cornelius: Squire Sanders)

• Mitigating the Risk

• Traditional Insurance Policy Gap Analysis

• Privacy/Cyber Liability Risk Transfer Products

• Evaluating Insurance as an Option: What should you expect?

Page 4

Sensitive Data

Personally Identifiable Information (PII, Ohio definition):

• Breach notification statutes now exist in 46 states plus DC, Guam, Puerto Rico and the Virgin Islands: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

• An individual's name, consisting of the individual's first name or first initial and last name, in combination with any of:

– Social Security Number
– Driver's License Number or State Identification Number
– Credit Card, Debit Card or Financial Account Numbers

Protected Health Information (PHI‐HIPAA)

• Any information that relates to the past, present, or future physical or mental health or condition of an individual; Electronic, Paper or Oral

Other “Confidential Information” 

• Intellectual Property of Others; Address Details, Email Addresses, etc.

Page 5

Ramifications of Non‐Compliance

• State, Civil and Punitive Monetary Penalties

• High Remediation Cost 

• Unwanted Publicity

• Reputational Damage

• Loss of Proprietary Information 

Page 6

High Risk Industries

• Retail

• Healthcare

• Financial Services

• Education and Public Entities

• Data Processors & Aggregators; Technology Companies

• Publicly Traded Companies

Page 7

Securities and Exchange Commission Guidance

– SEC CF Disclosure Guidance: Topic No. 2 – Cybersecurity

• Cyber Risk Factor Disclosures (Regulation S‐K Item 503(c)) and within Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A)

• Disclosure in Description of Business and Legal Proceeding 

• Financial Statement Disclosure Related to Cyber Incidents

• Guidance Only, Not a Rule, Regulation, or Statement

– http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Page 8

Unplanned Cash Flows

• State and/or Federally Mandated Notification Costs

• Brand Preservation:

Voluntary Notification, Credit Monitoring, Public Relations Expense

• Regulatory Defense Costs

• Defense and Indemnity Expense from 3rd party allegations

• Regulatory / PCI Fines and Penalties

• Forensic Investigation, Data Restoration Expenses, Assets Damage

• Business Income Loss & Extra Expense

Page 9

What is a privacy incident going to cost me?

Summary of the Ponemon Institute, LLC 2012 Annual Study: Cost of a Data Breach:

• Average total cost of a breach: $5.5 million; average cost per record: $194.

• Direct costs (legal counsel, notification letters, credit monitoring, etc.) are estimated at $59 per record. The primary driver of total cost is legal defense.

Cost per record by industry class:

  Average                 $194
  Education               $112
  Retail                  $185
  Healthcare              $301
  Financial Institutions  $353

Page 10

Data Breach Calculator / Catastrophe (Cat.) Modeling Tool
Loss details: 1,000,000 Social Security Numbers

http://www.eriskhub.com/hylant.php

  Type of Breach Expense                        Estimated Expense Basis                                       Estimated Total Cost
  eDiscovery Litigation                         $100,000 + $1 per record                                      $1,100,000
  Forensics Investigation                       $20,000 + $0.20 per record                                    $220,000
  Public Relations                              $20,000 flat-rate estimate                                    $20,000
  Call Center                                   1M × $0.50 per person × 15% who call                          $75,000
  Attorney Fees (notification laws, State AGs)  Flat-rate estimate                                            $10,000
  Notification of 1M persons                    1M × $1 per person                                            $1,000,000
  Optional Credit Monitoring                    1M × $10 per person × 15% (typically only 10%-20% accept it)  $1,500,000
  AG Fines & Penalties                          Average $100 to $300 per record, capped at $500,000           $500,000
  FTC Fines and Penalties                       Required audits for 10 years at $75K per audit                $750,000
  Legal Defense / Damages                       $5 per record                                                 $5,000,000
  Total Cost                                                                                                  $10,175,000
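The table above is a fixed-plus-variable cost model: two line items carry a take-up rate, one is capped, and one is a multi-year audit commitment. The following is an added example, not the eRiskHub calculator or the presenters' own spreadsheet, that reproduces the 1,000,000-record scenario from the slide's rates and generalizes it to any record count, so the effect of the $500,000 AG cap and the take-up rates on smaller breaches can be seen. The $100-per-record AG figure (the low end of the slide's range), the $0.20 forensics rate (the figure the slide's $220,000 total implies), and all function and field names are assumptions.

```python
"""Breach-cost model reproducing the slide's 1,000,000-SSN scenario.

Added example: not the eRiskHub calculator or the presenters' own tool.
Default rates come from the slide's table; the AG per-record rate is an assumption.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CostAssumptions:
    """Per-line-item rates. Defaults are the slide's figures unless noted."""
    ediscovery_fixed: float = 100_000.0       # $100,000 + $1 per record
    ediscovery_per_record: float = 1.0
    forensics_fixed: float = 20_000.0         # $20,000 + $0.20 per record (slide total $220,000)
    forensics_per_record: float = 0.20
    public_relations: float = 20_000.0        # flat-rate estimate
    call_center_per_call: float = 0.50        # per person who calls
    call_center_call_rate: float = 0.15       # 15% of notified people call
    attorney_fees: float = 10_000.0           # flat-rate estimate
    notification_per_person: float = 1.0
    credit_monitoring_per_person: float = 10.0
    credit_monitoring_take_up: float = 0.15   # slide: only 10%-20% accept it
    ag_fine_per_record: float = 100.0         # assumption: low end of the slide's $100-$300 range
    ag_fine_cap: float = 500_000.0            # cap from the slide
    ftc_audit_cost: float = 75_000.0          # $75K per audit ...
    ftc_audit_years: int = 10                 # ... for 10 years
    legal_defense_per_record: float = 5.0


def estimate_breach_cost(records: int, a: CostAssumptions = CostAssumptions()) -> dict[str, float]:
    """Return each line item in dollars plus a 'Total' entry for a breach of `records` records."""
    if records < 0:
        raise ValueError("record count must be non-negative")
    costs = {
        "eDiscovery litigation": a.ediscovery_fixed + a.ediscovery_per_record * records,
        "Forensics investigation": a.forensics_fixed + a.forensics_per_record * records,
        "Public relations": a.public_relations,
        "Call center": records * a.call_center_per_call * a.call_center_call_rate,
        "Attorney fees (notification laws, state AGs)": a.attorney_fees,
        "Notification": records * a.notification_per_person,
        "Credit monitoring": records * a.credit_monitoring_per_person * a.credit_monitoring_take_up,
        # Regulatory fines scale with record count but are capped, so they dominate
        # small breaches and become a small fraction of very large ones.
        "AG fines and penalties": min(records * a.ag_fine_per_record, a.ag_fine_cap),
        "FTC fines and penalties (audits)": a.ftc_audit_cost * a.ftc_audit_years,
        "Legal defense / damages": records * a.legal_defense_per_record,
    }
    costs["Total"] = sum(costs.values())
    return costs


def records_where_ag_cap_binds(a: CostAssumptions = CostAssumptions()) -> int:
    """Smallest record count at which the AG fine reaches its cap."""
    return math.ceil(a.ag_fine_cap / a.ag_fine_per_record)


if __name__ == "__main__":
    for n in (1_000, 100_000, 1_000_000):
        breakdown = estimate_breach_cost(n)
        print(f"\n{n:>10,} records")
        for item, amount in breakdown.items():
            print(f"  {item:<45} ${amount:>14,.0f}")
    print(f"\nAG cap binds from {records_where_ag_cap_binds():,} records")
```

Run it to see that at 1,000 records the fixed items (eDiscovery, forensics, FTC audits) dominate and the AG fine is still below its cap, while at 1,000,000 records the per-record items (notification, credit monitoring, legal defense) account for most of the $10,175,000.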

Page 11

Notable Privacy Incidents

• South Carolina Department of Revenue: 3.6 million SS#s & 367,000 CC#s

• Barnes & Noble & Michaels Stores:  Pin Pad tampering

• Retailers: Song Beverly California Class Actions

• Google: Do‐Not‐Track Class Actions

• Sony Corp (4/11): 102 million records, 12 million credit card numbers; dual attack

• Starbucks (11/08): 97,000 social security numbers of employees: lost laptop

• Office for Civil Rights (Department of Health & Human Services): HIPAA fines and settlements

– Massachusetts Eye and Ear Associates ($1.5 million)
– Massachusetts General Hospital ($1 million)
– Blue Cross and Blue Shield of Tennessee ($1.5 million)
– Phoenix Cardiac Surgery ($100,000)
– Providence Health & Services ($100,000)

Page 12

37 Offices in 18 Countries

An Overview of Legal Developments and Requirements in Data Security and Protection in the Domestic and EU Markets

Technology, Legal and Insurance Roundtable – November 7, 2012

Page 13

Data Security & Protection

US Legal Framework:

• The United States (US) regulatory framework consists of federal laws, state laws and common law principles that govern data security. Additionally, there are “best practices” suggested by both governmental agencies and industry groups; compliance with these is not enforced by law.

• Penalties for failure to comply with data security laws include civil and criminal sanctions; fines and damage awards from private lawsuits (which may include class actions); and damage to a company’s reputation, customer confidence and trust.

• Federal Laws: Many existing federal laws relate to the collection and use of personal information. Regulation of data security is generally separated by the nature of the data. The most significant federal acts include the Federal Trade Commission Act (FTC Act); the Financial Services Modernization Act (Gramm-Leach-Bliley Act, GLBA); the Health Insurance Portability and Accountability Act (HIPAA); and the Children’s Online Privacy Protection Act (COPPA).

Page 14

Data Security & Protection

US Legal Framework:

• Federal Laws: FTC Act

The FTC Act prohibits unfair or deceptive commercial practices and is often applied to business practices involving data security and protection. The FTC Act does not regulate specific categories of personal information; instead it applies to all consumer personal information. The FTC Act does not expressly require a company to have or disclose a privacy policy, but if a company does disclose a policy, it must comply with it.

The FTC brings enforcement actions under this Act against companies for:
– Failing to comply with posted privacy policies;
– Materially changing privacy policies without adequate notice to customers; and
– Failing to provide reasonable and appropriate protections for sensitive consumer information.

Companies that change their privacy policies must provide consumers an opportunity to opt out of the new privacy policy.

Page 15

Data Security & Protection

US Legal Framework:

• Federal Laws: FTC Act

Previously cited violations of the FTC Act:
– Failing to encrypt information while it was in transit or stored on the network.
– Storing personally identifiable information in a file format that permitted anonymous access.
– Failing to use readily accessible security measures to limit access.
– Failing to employ sufficient measures to detect unauthorized access or conduct security investigations.
– Creating unnecessary business risks by storing information after the company no longer had any use for it, in violation of the company’s own rules.

Page 16

Data Security & Protection

US Legal Framework:

• Federal Laws: Gramm-Leach-Bliley Act (GLBA) (also referred to as the Financial Services Modernization Act)

GLBA regulates the collection, use and protection of non-public personal information by financial institutions. GLBA requires that financial institutions:

– Notify their customers about the company’s privacy practices and provide customers with the opportunity to opt out if they do not want their information shared with certain unaffiliated third parties.

– Implement a written security program to protect non-public personal information from unauthorized disclosure. This program must include a written information security plan appropriate to the sensitivity of the information being stored and to the complexity and size of the company.

– Identify and assess risks to customer information in each relevant area of the operation; evaluate the effectiveness of the current safeguards for managing these risks; and include plans to regularly monitor and test the program.

– Implement protections such as data encryption, authentication mechanisms, background checks and frequent testing of information security protocols and systems; implement an identity theft prevention program in connection with customer accounts; and implement procedures requiring company personnel to notify the regulator of security breaches.

GLBA itself does not require notice of a data breach, but most banking regulators consider such notice a best practice.

Page 17

Data Security & Protection

US Legal Framework:

• Federal Laws: Health Insurance Portability and Accountability Act (HIPAA)

HIPAA regulates the collection, use and protection of individually identifiable health information. HIPAA requires that covered entities use, request and disclose only the minimum amount of protected health information (PHI) necessary. HIPAA requires that covered entities implement reasonable security procedures and policies, including:

– Administrative safeguards, such as creating a security program and training the company’s employees;
– Physical safeguards, such as limiting access to PHI to authorized individuals; and
– Technical safeguards, such as authentication controls and encryption technology.

HIPAA requires notification to the affected individuals following data breaches involving unsecured PHI. HIPAA does not apply to health information that is either not individually identifiable (aggregate data) or is used by companies or organizations that are not “covered entities” under the Act (for example, a report about an employee’s fitness for work used for employment decisions by a company may not fall under the Act).

Page 18

Data Security & Protection

US Legal Framework:

• Federal Laws: Children’s Online Privacy Protection Act (COPPA)

COPPA applies to the online collection of personal information by websites and online services directed to children, and by other websites and services that have actual knowledge that they are collecting personal information from children.

Under COPPA, personal information includes:
– Full name
– Home address
– Email address
– Telephone number
– Any other identification or contact information for children

COPPA requires that covered entities:
– Publish a privacy notice on the website that states their data security practices;
– Before collecting, using or disclosing children’s personal information:
» Provide direct notice to parents
» Obtain verifiable parental consent
– On request, provide parents a description of the information being collected, an opportunity to prevent any further use or collection of information, and reasonable means to obtain the specific information collected.
– Maintain procedures to ensure the confidentiality, security and integrity of the personal information collected.

Page 19

Data Security & Protection

US Legal Framework:

• State Laws: Many laws regulate the use, protection and disclosure of personal data at the state level. The most significant types of state regulation include:

Broad acts similar to the FTC Act.

GLBA and HIPAA additions: both GLBA and HIPAA allow states to provide additional protection for personal information so long as the state laws are not inconsistent with GLBA or HIPAA.

Social Security number laws: many states have enacted legislation specifically protecting Social Security numbers.

Records disposal laws: several states, including California, New Jersey and New York, require specific disposal procedures for records containing personal information.

Data security laws: several states, including California and Massachusetts, have specific data security laws that mandate how certain personal information must be protected.

Breach notification laws: as of August 2012, 46 states plus the District of Columbia, Puerto Rico and the US Virgin Islands require notification of security breaches involving personal information.

Page 20

Data Security & Protection

US Legal Framework:

• State Laws:

California:
– Companies that own or license personal information about a California resident are required to implement and maintain “reasonable security procedures and practices” to prevent the unauthorized disclosure of such information.
– The complexity of the security procedures chosen must be appropriate to the nature of the information to be protected.

Massachusetts: as of 2012, Massachusetts has enacted the most rigorous data security requirements imposed on businesses for the protection of personal customer information. Companies are required to:
– Develop, implement and maintain a comprehensive, written information security program.
– Implement physical, administrative and extensive technical security controls, including the use of encryption.
– Provide a comprehensive, written information security program that includes safeguards appropriate to the:
» Size, scope and type of business holding the information
» Amount of resources of the business holding the information
» Amount of stored data
» Need for security and confidentiality of both consumer and employee information

Page 21

Data Security & Protection

US Legal Framework:

• State Laws (Massachusetts continued). Companies are also required to:
– Maintain secure user authentication protocols, including:
» Control of user IDs and other identifiers
» A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies
» Control of data security passwords to ensure that they are kept in a location and/or format that does not compromise the security of the data they protect
» Restricting access to active users and active user accounts only
» Blocking access to a user identification after multiple unsuccessful attempts to gain access
– Maintain secure access control measures that restrict access to records and files containing personal information to those who need that information to perform their job duties
– Encrypt all transmitted records and files containing personal information that will travel across public networks
– Encrypt all personal information stored on laptops or other portable devices
– Educate and train employees on the proper use of the computer security system and the importance of personal information security
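Three of the Massachusetts authentication controls above are concrete enough to show in code: passwords kept in a format that does not compromise the data they protect (a salted, iterated hash rather than the password itself), access limited to active accounts, and blocking a user ID after multiple unsuccessful attempts. The following is an added illustration written for this page; it is not the regulation's text and not any vendor's product. The PBKDF2 iteration count, the five-attempt limit, the fifteen-minute lockout and all names are assumptions, and the in-memory store stands in for whatever database a real deployment would use.

```python
"""Authentication gate illustrating the Massachusetts 201 CMR 17.00 user-authentication
controls listed above: hashed password storage, active-account checks, and lockout
after repeated failures.

Added example for illustration; not the regulation's text and not a vendor's product.
Iteration count, attempt limit and lockout duration are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5        # assumption for "multiple unsuccessful attempts"
LOCKOUT_SECONDS = 15 * 60      # assumption
SALT_BYTES = 16


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes       # PBKDF2-HMAC-SHA256 output; the password itself is never stored
    active: bool = True        # deactivated accounts are refused even with the right password
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a verifier from the password; slow by design to blunt offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class AuthStore:
    """In-memory account store; a real deployment would back this with a database."""

    def __init__(self, iterations: int = 600_000):  # assumption: PBKDF2 work factor
        self.iterations = iterations
        self._accounts: dict[str, Account] = {}
        self._dummy_salt = secrets.token_bytes(SALT_BYTES)

    def create(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)  # per-user salt: equal passwords hash differently
        self._accounts[username] = Account(
            username, salt, hash_password(password, salt, self.iterations)
        )

    def deactivate(self, username: str) -> None:
        """'Active users and active user accounts only': revoke without deleting history."""
        self._accounts[username].active = False

    def authenticate(self, username: str, password: str,
                     now: Optional[float] = None) -> tuple[bool, str]:
        """Return (allowed, reason). `now` is injectable so lockout expiry can be tested."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            # Do the same hashing work for unknown users so response time does not
            # reveal which usernames exist.
            hash_password(password, self._dummy_salt, self.iterations)
            return False, "invalid credentials"
        if not acct.active:
            return False, "account inactive"
        if now < acct.locked_until:
            return False, "account locked"
        candidate = hash_password(password, acct.salt, self.iterations)
        if hmac.compare_digest(candidate, acct.password_hash):  # constant-time comparison
            acct.failed_attempts = 0
            return True, "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Block the user ID for a period; the counter restarts when the lock expires.
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return False, "account locked"
        return False, "invalid credentials"


if __name__ == "__main__":
    store = AuthStore()
    store.create("alice", "correct horse battery staple")
    for attempt in range(1, MAX_FAILED_ATTEMPTS + 2):
        print(attempt, store.authenticate("alice", "wrong guess"))
    print("right password while locked:",
          store.authenticate("alice", "correct horse battery staple"))
```

The order of the checks matters: an inactive account is refused before any password work is done, and a locked account is refused even when the submitted password is correct, which is the behaviour the "blocking access ... after multiple unsuccessful attempts" requirement calls for. The lock is time-bounded so a remote attacker cannot permanently deny a legitimate user access by guessing wrong on purpose, which is the usual trade-off when tuning the attempt limit.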

Page 22

Data Security & Protection

EU Legal Framework:

• The European Union (EU) regulatory framework governs the protection of personal data (information relating to an identified or identifiable natural person).

• Personal data includes: family and lifestyle details; education and training; medical details; employment details; financial details; contractual details (including goods and services provided).

• Special rules apply to “sensitive personal data” (racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, and data concerning health).

• The laws apply to the processing of data, which includes: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, and destruction.

Page 23

Data Security & Protection

EU Legal Framework:

• Jurisdictional scope of regulation: the EU Data Protection Directive’s rules apply where the data controller (the entity that determines the purposes and means of processing the personal data) is any of the following:
– Established within the territory of an EU member state;
– Not established in an EU member state, but in a place where a member state’s national law applies by virtue of international public law; or
– Not established within the EU, but making use of equipment (automated or otherwise) situated within the territory of a member state, except where that equipment is used only for purposes of mere transit through that territory.

• Under EU rules, the data controller must notify the appropriate national authority before it begins processing personal data.

Page 24

Data Security & Protection

EU Legal Framework:

• Data protection requirements. Data controllers must:
– Process the data fairly and lawfully.
– Collect data only for specified, explicit and legitimate purposes, and not further process it in any manner incompatible with those purposes.
– Collect and store data only to the extent that is adequate, relevant and not excessive in relation to the purposes for which it is collected and further processed.
– Ensure that all data held is accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or further processed, is erased or rectified.
– Not keep data in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data was collected or further processed.

• Member states may restrict the scope of these provisions if the restriction is a necessary measure to safeguard:
– National security
– Defense
– Public security
– The prevention, investigation, detection and prosecution of crimes
– An important economic interest of an EU member state

Page 25

Data Security & Protection

EU Legal Framework:

• The framework also requires justification for processing: a data controller must justify the processing of personal data before it is considered lawful. The processing of ordinary personal data (as opposed to sensitive personal data) is lawful only if it satisfies one or more of the following:
– The data subject has unambiguously given consent.
– It is necessary for entering into or performing a contract with the data subject.
– It is necessary for compliance with a legal obligation to which the data controller is subject.
– It is necessary to protect the vital interests of the data subject or to perform a task in the public interest.
– It is necessary for the purposes of legitimate interests pursued by the data controller, except where those interests are overridden by the fundamental rights and freedoms of the data subject.

Page 26

Data Security & Protection

EU Legal Framework:

• Additional justification is required for processing sensitive personal data:
– The data subject has given explicit consent.
– In processing the data, the data controller exercises a legal right or performs a legal obligation under employment law.
– The processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent.

• The data must be protected against unlawful (or accidental) destruction, loss, alteration or any other form of unlawful processing.

• The technological measures used to protect the data must be kept up to date with technological developments; however, data controllers are allowed to balance the effectiveness of the measures against their cost.

• Dealing with breaches: notification is generally not required; however, European regulators have long debated the need for explicit legislation of a notification requirement. Many countries have adopted statutory requirements that obligate companies to report data breaches. The EU is expected to institute a general notification obligation, but not until 2015 or later.

Page 27

Data Security & Protection

Recent Trends:

• United States trends: in March 2012, the FTC issued its final report on consumer privacy protection, with recommendations for improving privacy best practices for companies in the following areas:
– Implementing “Do Not Track” tools (allowing customers to choose not to be tracked);
– Improving privacy for mobile devices;
– Providing more information to customers about data brokers; and
– Promoting additional self-regulatory codes.

• Global trends: in January 2012, the Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship proposed a new data protection framework for the EU. Among other things, the proposal seeks to enlarge the rights of the citizen. Rules requiring explicit consent, breach notification, a right to be forgotten and data portability are all included in the proposal.

Page 28

Data Security & Protection

Cross-border Issues:

• There are very few limits on the transfer of personal information to countries outside of the US. Several US states have enacted laws that limit or discourage outsourcing of data processing beyond US borders, but these laws typically apply only to state government agencies and their private contractors.

• The FTC and other US regulators take the position that entities based in the US remain responsible for the protection of exported personal information under US laws and regulations.

• Multi-national companies (or domestic companies with foreign operations) must comply with the data protection laws of each jurisdiction in which they operate.

• The EU generally prohibits the transfer of personal data to a country outside of the European Economic Area unless that country ensures an “adequate level of protection.”

Page 29

Data Security & Protection

Exporting Data under the EU Protection Framework:

• The EU takes a strict approach to the protection of personal data: such data may not be exported to, or accessed remotely from outside, the EU unless certain procedures and rules are followed.

• The two most common options for achieving compliance with the EU adequacy standard are Safe Harbor self-certification and execution of the EU Standard Contractual Clauses.

• Choosing between Safe Harbor and the EU Standard Contractual Clauses depends on a variety of factors specific to each case, but in general Safe Harbor is preferable because there are no third-party beneficiaries and it does not involve entering into multiple contracts.

Page 30

Data Security & Protection

US-EU Safe Harbor Framework:

• The EU approved the Safe Harbor Framework in 2000; a similar arrangement exists between Switzerland and the US.

• US organizations can self-certify to the Safe Harbor Principles: Notice; Choice; Onward Transfer (transfers to third parties); Access; Security; Data Integrity; Enforcement.

• US law applies to questions of interpretation and compliance with the Safe Harbor Principles (including the “Frequently Asked Questions” (FAQs) and the privacy policies adopted by Safe Harbor organizations), except where organizations have committed to cooperate with European Data Protection Authorities (mandatory for HR data).

Page 31

Data Security & Protection

Safe Harbor Framework (continued):

• Onward Transfer (Principle III):

To disclose personal information to a third party, organizations must apply the Notice and Choice Principles (i.e. they must inform the individual and give them the option to opt out). This includes cloud providers, web hosts and other outsourcing agents.

Where the information to be disclosed is legally “sensitive” (i.e. relating to medical or health conditions, racial or ethnic origin, etc.), the individual must opt in.

If the third party is a processor, the third party must either:
– subscribe to the Safe Harbor Principles;
– be subject to the EU Directive; or
– enter into a written agreement that provides at least the same level of privacy protection as is required by the relevant Safe Harbor Principles.

Page 32

Data Security & Protection

Safe Harbor Framework:

• Security (Principle V):

Entities that create, maintain, use or release personal information must take reasonable precautions to protect it from:
– loss,
– misuse and unauthorized access,
– inadvertent or unauthorized disclosure,
– alteration, and
– destruction of the data, whether by deletion or otherwise.

Examples include: physical controls, such as locking rooms containing computers and servers and limiting access; organizational controls, such as strong passwords and limiting access to those who “need to know”; and security and privacy technologies such as anti-virus software, firewalls and encryption.

The level of security required is commensurate with the potential harm from disclosure of the type(s) of data involved.

Page 33

Data Security & Protection

EU Standard Contractual Clauses:

• The standard contractual clauses are used where one party transfers EU personal data from within the EU to an entity outside the EU in a country where data protection is not deemed “adequate” (including between affiliates of the same company); they are an alternative to Safe Harbor for transfers to the US.

• There are two forms of standard contractual clauses: Controller-to-Processor and Controller-to-Controller clauses.

Note:
– “Controllers” determine the purposes and the means of the processing of personal data.
– “Processors” store and process personal data as directed by the controller, and do not decide on the purpose or use of the data processed.

Page 34

Data Security & Protection

Security Provisions of Controller-to-Processor Clauses:

• The agreement between the controller and processor must include “technical and organizational security measures” to protect against: accidental or unlawful destruction; accidental loss; alteration; unauthorized disclosure or access; and all other unlawful forms of processing.

• The controller must assess the necessary security measures and ensure that these are detailed in the agreement with the processor.

• Particular care should be taken where data is transmitted over local and wide area networks.

• The processor must demonstrate that the security measures have been implemented before data can be transferred.

• Appendix 2 of the EU Standard Contractual Clauses must identify the relevant security measures.

Page 35

Security Provisions of Controller-to-Controller Clauses:
• The obligations in Controller-to-Controller agreements are broader in scope than Controller-to-Processor agreements and include a number of data processing principles similar to the Safe Harbor Principles.

• Security provisions include: technical and organizational security measures, and limitation on onward transfers of data to third parties.

• Controllers must employ additional security measures to protect “sensitive personal data” (as defined under national data protection laws, e.g., racial or ethnic origin and religious or political beliefs). These may include stronger encryption techniques, strict access limitations, and an audit trail of who has accessed the data and how it has been used.

Page 36

Security Provisions of Controller-to-Controller Clauses (continued):
• Under the EU’s E-Privacy Directive, specific data breach notification obligations apply to telecommunications operators and Internet Providers.

• Otherwise, under the General Data Protection Directive there are currently no obligations to notify a data breach to enforcement authorities.

• Different EU Member States have dealt with data breach obligations in different ways at the national level (e.g., UK, Germany and France).

Page 37

UK:
• There are no specific obligations to notify affected individuals or the Information Commissioner’s Office (“ICO”) under the Data Protection Act 1998.

• However, ICO issued guidance stating that it should be notified regarding: a large amount of data; particularly sensitive data (even if a small amount); or significant damage or distress to individuals.

• ICO has also issued guidance on when affected individuals should be informed.

• NOTE: ICO can impose monetary penalties. Failure to notify has been listed as a factor in determining when penalties may be issued and their severity.

Page 38

Germany:
• Special obligations apply to: sensitive data; personal data subject to a professional secrecy; personal data referring to criminal or administrative offenses or to suspected criminal or administrative offenses; or personal data concerning bank or credit card accounts.

• If such data is unlawfully disclosed to third parties and threatens serious harm to the rights or legitimate interests of data subjects, the company must notify the competent authority and the data subjects without delay.

• Data subjects must be informed as soon as appropriate measures to safeguard the data have been taken.

• Where notifying the data subjects would require a disproportionate effort, public advertisements will suffice.

• Failure to notify the authorities and/or the data subjects in case of data loss is an administrative offense in Germany.

Page 39

France:
• Currently there are no additional obligations in France and no further guidance has been issued pending the revision of the EU Data Protection Directive.

Page 40

Data security as part of an effective compliance program:
• Having an effective compliance program provides benefits under the Federal Sentencing Guidelines.

• Data security and protection have a number of compliance-related implications, so they should be included as part of the overall structure of an organization’s compliance program.

• For an effective compliance program, in addition to “tone at the top”, an organization needs employee involvement:
– They are the eyes and ears.
– Employee engagement also increases compliance.

• It should also have the following elements: risk assessments, Board involvement, dedicated compliance personnel, a written code of conduct and compliance and ethics policies, training, communication (two-way, regarding the plan and reporting misconduct), auditing, consistent enforcement, positive incentives, and evaluation and improvement.

Page 41

Squire Sanders (US) LLP
Patrick D. Cornelius
2000 Huntington Center
41 South High Street
Columbus, Ohio 43215
Direct: +1.614.365.2781
[email protected]

Page 42

Steps to an Effective Program

1. Obtain Management Support and Build Awareness
– Every successful project needs management’s support
– Determine who will be responsible for compliance
– Assemble a team from the various areas within your organization
– Educate employees on the need for compliance and potential penalties

2. Inventory and Document the Flow of Data
– Identify where sensitive data exists within your system
– Determine the volume of data transactions processed annually and how those transactions are initiated
– Develop a flow chart documenting the processes a transaction undertakes within your organization
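The first bullet of step 2, finding where sensitive data actually lives, is usually done with a discovery scan before anyone draws a flow chart. The following Python scanner is an added example, not part of the seminar slides or any of the presenters' material. It looks for US Social Security numbers and payment card numbers in text, applies the Luhn checksum so that order numbers and other digit runs are not reported as cards, and records only masked values so the inventory itself does not become another copy of the data. The sample files, the regular expressions and the function names are my assumptions; the 4111 1111 1111 1111 value is the widely used test card number, not an account.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample "files" (path -> contents). These records are made up for the
# example; 4111 1111 1111 1111 is the well-known test card number, not a real account.
SAMPLE_FILES = {
    "hr/payroll_export.csv": "name,ssn,card\nJane Doe,123-45-6789,4111111111111111\n",
    "docs/readme.txt": "Nothing sensitive here. Order #2024-12345 shipped.\n",
    "finance/notes.txt": "Refund to card 4111 1111 1111 1112 (typo, fails Luhn)\n",
}

# US SSN in dashed form, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digit runs, optionally separated by spaces or dashes; the Luhn check below
# removes most order numbers and other digit strings that are not card numbers.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "SSN" or "CARD"
    masked: str  # all but the last four digits replaced, so the report is not itself PII


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits of a matched value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list:
    """Return the findings for one file's contents."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(path, "SSN", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop digit runs that merely look like card numbers
            findings.append(Finding(path, "CARD", mask(digits)))
    return findings


def inventory(files: dict) -> dict:
    """Map each path that contains sensitive data to its list of findings."""
    result = {}
    for path, text in files.items():
        found = scan_text(path, text)
        if found:
            result[path] = found
    return result


def scan_directory(root: str) -> dict:
    """Walk a real directory tree and inventory its text files (assumed helper)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    files[full] = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
    return inventory(files)


if __name__ == "__main__":
    for path, found in inventory(SAMPLE_FILES).items():
        for f in found:
            print(f"{path}: {f.kind} {f.masked}")
```

Run against the constructed samples, only the payroll export is reported (one SSN and one card); the order number in the readme is too short to match, and the mistyped card in the finance note fails the Luhn check. The patterns cover two of the data elements named in the state definitions earlier in the deck; a real inventory adds patterns for whatever other elements (driver's license numbers, account numbers with access codes) the applicable law lists, and runs `scan_directory` over file shares, backup locations and mail stores rather than a dictionary of strings.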

Page 43

Steps to an Effective Program

3. Assess Risk
– Perform a risk assessment of your environment and identify the potential data breach opportunities that could occur or have occurred in the past
– Some typical processes that should be reviewed as part of your assessment are:
  • Methods used to store data;
  • Changes and the process of changing data; and
  • Who has access to data and how it can be accessed.

Page 44

Steps to an Effective Program

4. Implement Controls
– Develop and implement controls to remedy any gaps

5. Test Your Controls
– Validate operating effectiveness through testing and auditing procedures
– Address any significant gaps immediately

6. Perform Regular Updates
– Regulatory compliance is a continuous effort that requires regular updates and enhancements
– Remediation roadmap and gap monitoring
– Regular training of employees

Page 45

Data Breach Prevention and Detection Controls

1. Sensitive Data Storage
• Do we know what types of sensitive data (if any) we have and how we are storing it and transmitting it?
• Have we performed a risk assessment to understand what kind of impact a breach may have on our organization?

2. Access to Sensitive Data
• Have we restricted access to any sensitive data or systems appropriately? (Unique accounts, strong passwords, etc.)

3. Encryption
• Do we have encryption in place regarding:
– transmission of secure data files? (FTP)
– communications that may contain sensitive information? (Email)
– handling of devices that contain sensitive information? (Laptops, Backup Media, etc.)

Page 46

Data Breach Prevention and Detection Controls 

4. Server Patching
• Do we have a patch management solution in place to ensure that all critical patches are installed on our servers in a timely manner?

5. Firewall Protection
• Do we have a firewall in place that has been updated to reflect the most recent best practice settings?

6. Intrusion Detection
• Do we have an appropriate solution in place in order to detect and alert us to suspicious activity that is taking place on our Network?

7. Anti-Virus Protection
• Do we have a central anti-virus solution in place that updates all workstations and servers regularly?

Page 47

Data Breach Prevention and Detection Controls

8. Vulnerability Testing and Internal Control Reviews
• Do we regularly test our Network resources and security in order to evaluate them for any weaknesses?
• Do we evaluate our internal controls for weaknesses?

9. Information Security Policy
• Do we have a policy in place that addresses our approach and our internal requirements regarding Information Security and our expectations of our employees?

10. Incident Response Plan
• Have we identified our responsibilities in the event of a data breach and the steps that we need to take to reduce the damage and maintain forensic evidence of the breach and any data lost?

Page 48

Additional Risk Mitigation Techniques

• Contract Review: Evaluation of contracts with outside service providers, specifically 3rd party IT, data storage or data processing vendors

• Insurance Certificates: Require and obtain certificates of insurance for both Professional E&O and Privacy/Cyber Liability coverage

• Risk Transfer Through Insurance: Evaluate the need for insurance as a “safety net” to other internal and external safeguards

Page 49

Traditional Insurance Policy Gap Analysis 

General Liability Insurance – Coverage for bodily injury or property damage
– Intentional acts are excluded
– Intangible property is excluded

Property Insurance – Coverage for loss of tangible property caused by a covered peril
– Computer viruses are excluded
– Intangible property is excluded
– Business interruption coverage only applies if there has been a direct physical loss or damage to covered property

Crime Insurance – Coverage for theft of money, securities or other property
– No coverage for theft of information, trade secrets and other types of confidential information

Directors & Officers Liability Insurance – Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity as such

Page 50

Insurable Risks

• State and/or Federally Mandated Notification Costs

• Brand Preservation: Voluntary Notification, Credit Monitoring, Public Relations Expense

• Regulatory Defense Costs

• Defense and Indemnity Expense from 3rd party allegations

• Regulatory / PCI Fines and Penalties

• Forensic Investigation, Data Restoration Expenses, Assets Damage

• Business Income Loss & Extra Expense

Page 52

Chris Watson, MBA, CISA, CRISC
Internal Audit and Risk Advisory Services
Schneider Downs
Phone # (614) 586-7108
[email protected]

Spencer Timmel, CITRMS
Privacy and Network Security Specialist
Hylant Group
Phone # (513) 354-1656
[email protected]

Patrick D. Cornelius
Squire Sanders (US) LLP
Phone # (614) 365-2781
[email protected]