Wells Fargo Insurance Services USA, Inc.
©2012 Wells Fargo Bank, N.A. All rights reserved. Confidential.
Privacy and Network Security Liability in Higher Education
EASFAA Annual Meeting
Boston, MA May 8th, 2013
John Farley, Wells Fargo Insurance Services
Mark Greisiger, NetDiligence
John Mullen, Nelson, Levine, de Luca & Hamilton
Agenda
Recent data breach studies
Causes of data breaches
High risk industries
What is at risk for higher education
Legal and financial consequences
Recent higher education breaches
Data breach best practices
Vendor management
Insurance coverage
State laws
Federal laws
High Hazard Industry Classes
Schools, colleges, and universities
Healthcare
Financial institutions
Retail
eCommerce companies
Information and data services companies
Credit card processors
Public entities
Recent Cases
Ohio State University - December 2010
A hacker accessed a server that stored the names, social security numbers,
dates of birth and addresses of 760,000 current and former faculty, students,
applicants, and others affiliated with the university.
It is estimated that it could cost the university $4 million.
University of Hawaii - 2009 through 2011
5 data breach events. A faculty member inadvertently uploaded files
containing the information to an unprotected server, exposing the names,
academic performance, disabilities, and other information of more than
100,000 students, alumni, faculty and staff.
The data was posted online for one year. A class action lawsuit was settled. It
was the largest class action settlement ever in the state of Hawaii.
Data Breach Trends
(Chart: number of incidents. Source: Risk Based Security, Inc. February 2013 Data Breach QuickView Report)
Network Security / Data Risk
What data do you collect, and why?
Where is it? How well is it protected?
Who can access it?
When do you purge it? How do you purge it?
Data creates duties: to protect, preserve and defend.
Why the Concern? Malicious Threats Still Prevalent:
• Stealth hackers, malware, extortionists; rogue contractors; disgruntled IT staffer
Non-Malicious (more often):
• Staff mistakes (lost laptop)
• Marketing mishap: innocent customer data leaks
• Vendor leak
Network Operation & Sharing Trends:
• Points of failure are multiplied due to trends of outsourcing computing needs (CLOUD)
• Massive dependencies & data-sharing between organizations
Top Perils…That We Often See
Where is YOUR data?
A data breach: it’s not a matter of ‘if’ but ‘when’
Decentralized IT operations
Hacking (SQL injection)
Laptop loss w/client data (very common)
Backup tape loss (not my fault…it was the shipper)
Staff mistakes: data leaks via email, mailings or paper disposal
Vendor & business partner breaches (VERY COMMON!)
Why the Problem?
Universities collect/store/share VAST private data!
• More data often collected than needed
• Data often stored for too long (no records retention limits)
Websites are very porous & need constant care (hardening & patching).
IDS (detection) is very weak: regardless of size, many universities learn of a breach too late, or not at all!
Bad guys still rely on the prevalence of human error:
• unchanged default settings
• missing patches
• wide open laptop
• customer records (paper) improperly disposed
• guessable access
The Internet’s open network
“95% of all network intrusions could be avoided by keeping systems up-to-date” (CERT)
PROBLEM 1) IDS or ‘Intrusion Detection Software’ (bad guy alert system)
Studies show that 70% of actual breach events are NOT detected by the victim company, but by 3rd parties (and many more go undetected completely).
FTC and plaintiff lawyers often cite ‘failure to detect’.
Vast data: a company’s IDS can log millions of events against its network each month
False positives: 70%
PROBLEM 2) Patch Mgmt - Challenges:
All systems need constant care (patching) to keep bad guys out
Complexity of networking environments
Lack of time: Gartner Group estimates that “IT Managers spend an average of 2 hours per day managing patches”
PROBLEM 3) Encryption (of private data)
Problem spans all sizes & sectors
ITRC (Identity Theft Resource Center): only 2.4% of all breaches had ‘encryption’
Issues: budgets, complexities and partner systems
Key soft spots: data ‘at rest’ for databases & laptops (to a lesser extent)
Benefits: safe harbor (usually)
Common Weak Spots
Case Example University IT Operations - Environment
• No official “IT Security Mgr”. Often a limited security budget (compared to corporations)
• University networks tend to include vast PII/PHI (e.g. credit cards, health records, SSNs, birth dates, financial aid, college employee data, alumni & donor financial data etc.)
• IT decentralization creates risk: independent “islands” of computing owned/managed by individual colleges/departments MAY or MAY NOT follow standards.
• Colleges of Medicine/Dentistry/etc. at top tier universities tend to be better protected “islands” because of ePHI concerns.
• Public wireless networks often in place throughout a university campus.
Current Events
Plan for the loss
CFO must understand that data / network security is NEVER 100%.
4 Legs of Traditional Risk Mgmt:
• Eliminate: e.g. patch known exploits, encrypt laptops etc
• Mitigate: e.g. dedicated security staff; policies; IDS/ IPS; etc
• Accept: e.g. partner SLAs, capabilities (trusting their assurances)
• Cede: residual risk via privacy risk insurance
Wide-Angle Assessment of Safeguard Controls Surrounding:
People: do they seem to ‘get it’? Proper security budget and vigilant about their job!
Processes/Policies: enterprise ISO 27002, HITECH ready; employee education/training; change management processes, breach response plan etc.
Technology: proven IDS/IPS capabilities, DLP solutions, hardened & patched servers (tested), full encryption of PII.
Strategies for Risk Managers
Remote Cyber Risk Assessment (common to the insurance industry)
Step 1 - Self-assessment: completed by the client’s IT security rep, this strives to gauge their security & privacy practices against an industry standard (ISO 27002)
Step 2 - Phone call interview: purpose is to flush out any ‘red flag’ areas identified, gather more details or clarify a ‘compensating control’.
Step 3 - Document review: verify key security policies, e.g. enterprise security, privacy, BC/DR and 3rd party vendor assurances.
Step 4 - Network perimeter vulnerability scan test: check for SQL injection exploits in web apps. See if internet-facing servers are properly patched to deflect 6000+ known exploits.
Step 5 - Summary report: these 4 tasks might then be pulled into a composite report which strives to measure the client’s good faith practices against industry expected standards.
Key concept: vigilance & layered safeguards
Assessment Value
Example Due Diligence Process for University
Purpose: Showcase Risk Mgmt Strengths
• Reaffirm ‘reasonable’ safeguards
• Benchmark to standards & peers
• Good faith effort towards compliance with regs
• Lessons learned from past loss/incidents (are they now battle ready?)
• Cyber risk insurability assessment
Process should be collaborative
• Educate Risk Mgr or CFO about their own IT operations
• Wide-angle: people/process & tech
Cyber Risk Claims: a review of industry losses paid out, 2012 Study
NetDiligence 2012 Cyber Claims Study - Highlights of Findings
Costs
– Average cost* per breach was $3.7 million ($2.4 million in 2011)
• Total claim cases in study = 135
• Claim range = $2K to $76 million
• Claim cost mode = $25K to $200K (most typical claim)
– Average cost** per record was $3.94
– Legal (defense & settlement) represents the largest portion of costs incurred
• Average cost of defense $582K
• Average cost of settlement $2.1 million
– Crisis services costs (forensics, legal counsel, notification & credit monitoring) average about $983K per event
* Average calculated on all breaches in our sampling that reported claims paid
** Average calculated on breaches in our sampling that reported BOTH # of records & payouts, less 2 large claims of 100 million records each.
Percentage of Breaches by Business Sector (chart; sector labels not recoverable)
Third-Party Liability
Crisis Service Costs (Break Out): Range (R) & Typical (T)
Forensics: (R) $350 – $1 Mil; (T) $10k – $225k
Notice: (R) $300 – $2.5 Mil; (T) $20k – $100k
Call Ctr: (R) $0 – $1 Mil; (T) $5k – $40k
Credit Monitor: (R) $0 – $15 Mil; (T) $6k – $300k
Legal (Breach Coach® type): (R) $0 – $1 Mil; (T) $5k – $100k
Are you at risk? Ask your team:
Has your university ever experienced a data breach or system attack event?
Some studies show 80-100% of execs admitted to a recent breach incident
Does your organization collect, store or transact any personal, financial or health data?
Do you outsource any part of computer network operations to a third-party service provider?
Your security is only as good as their practices, and you are still responsible to your customers
Do you allow outside contractors to manage your data or network in any way?
The contractor is often the responsible party for data breach events
Do you partner with entities, and does this alliance involve the sharing or handling of their data?
You may be liable for a future breach of your business partners
Does your posted privacy policy align with your actual data management practices?
If not, you may be facing a deceptive trade practice allegation
Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?
Doing nothing is a plaintiff lawyer’s dream.
Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information
Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies
Some states allow private right of action for violations
Data-at-rest (disc level) encryption often a safe harbor
State level breach notice: 46 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
Regulatory Exposures
State Data Breach Notice Laws - Considerations
Access vs. acquisition (i.e., Connecticut vs. Delaware)
Risk of harm analysis (i.e., Massachusetts)
Individual notice requirements
– Timing
– Method (written notice vs. substitute notice)
– content
State regulator notice requirements
– Timing
– Method
– content
Consumer reporting agency notice requirements
– Timing
– content
VERMONT
- notice to affected individuals within 45 days of breach discovery
- notice to VT AG within 14 days of breach discovery or affected individual notice (whichever is sooner)
CONNECTICUT
- Department licensees and registrants to notify Department [Commissioner] as soon as incident affecting Connecticut residents is discovered, but no later than 5 calendar days after
- notice to CT AG not later than time when notice provided to Connecticut residents
TEXAS
- notice to affected individuals pursuant to law of individual’s state of residence or, if none, then pursuant to TX
CALIFORNIA
- notice (electronic) to CA AG if more than 500 California residents affected
- HIPAA provisions augmented
- notice to California Department of Health and affected individuals within 5 business days
- statutory damages/fines, private cause of action
MASSACHUSETTS
- “written information security plan” for businesses storing MA resident personal information
NEVADA
- data collectors doing business in NV to comply with PCI-DSS
Evolving Exposures
FACTA ‘Red Flags’ Program
• Mandates that “creditors” create an Identity Theft Prevention Program.
• Must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft
HITECH Act
• Extends HIPAA to “business associates” of HIPAA covered entities
• First national breach notification requirement (> 500 individuals affected: notify HHS; < 500: report at year end)
• Permits state Attorneys General to enforce HIPAA
• ACO (accountable care organization) could make things more risky for healthcare sector clients with emerging e-record exchanges
Regulatory Exposures
FERPA
Prohibits funding of an educational institution that has a practice of disclosing educational records, or PII contained in educational records, without consent of parent (if student <18) or student (if student >18)
No legal requirement to provide notice of breach, only to keep records of record disclosures and requests for disclosure
– U.S. DOE recommended response
Educational institution must still comply with applicable state data breach notice laws
Litigation Trends
Single Plaintiff
– Identity Theft
– Privacy
Government Action
• Attorney General (Goldthwait, South Shore, Accretiv, Health Net)
• FTC (Choice Point, American United Mortgage)
• HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS)
Banks
• Cost of replacing credit cards
• Reimbursement of fraudulent charges
• Business interruption
Class Action
• Failure to protect data
• Failure to properly notify
• Failure to mitigate
• NO VERDICTS. . . YET
Defenses Eroding
Stollenwerk v. Tri West – assert actual identity theft
Krottner v. Starbucks Corp. – increased risk of identity theft constitutes an injury-in-fact
Anderson v. Hannaford – alleged fraud in population and money spent in mitigation efforts sufficient (instead of time/effort)
----------------------------------------------------------
ITERA (Identity Theft Enforcement and Restitution Act) – pay an amount equal to the value of the time reasonably spent
In re Hannaford Bros. Data Security Breach Litigation – does time equal money? No. But if there is fraud, credit monitoring damages may be due.
ChoicePoint Data Breach Settlement – FTC paid for “time they may have spent monitoring their credit or taking other steps in response”
Multiple Jurisdictions (MDL)
Plaintiffs’ attorneys will find a representative plaintiff with actual identity theft (4.8% of U.S. population will have ID theft regardless1)
Krottner decision – future harm
Hannaford – money spent
Raise time as measure of damages (ITERA, FTC, Hannaford)
FTC recognition of 20 years of damages2
1 Better Business Bureau and Javelin Research report that for 2009, 11.1 million consumers (4.8 percent of the U.S. population) were victims of identity theft
2 Choice Point Settlement includes 20 years of system auditing
Tomorrow’s Class Action
Breach Costs
– Forensics vendor
– Notification vendor
– Call centers
– PR vendor
– ID theft insurance
– Credit monitoring
– ID restoration
– Attorney oversight
Planning and Data Management
– Breach planning (Mass.)
– ID Theft monitoring (Red Flags)
– PCI DSS (Nevada and merchants)
– HIPAA
Regulator/Compliance Costs
Litigation
– Breach guidance
– Investigation
– Notification
– e-discovery
– Litigation prep
– Contractual review
– Defense (MDL?)
Plaintiff Demands
– Fraud reimbursement
– Credit card replacement
– Credit monitoring/ repair/ insurance
– Civil fines/ penalties
– Statutory damages (CMIA)
– Time
Costs
Anatomy of a Breach Response
BREACH DISCOVERY
EXPERTS
-breach coach
-forensics
-public relations
INVESTIGATION — internal/forensic/criminal
-how did it happen
-when did it happen
-is it still happening
-Who did it happen to
-what was accessed/acquired
-encrypted/protected
NOTICE OBLIGATIONS
-state
-federal
-other (i.e., PCI, FDIC, OCC)
NOTICE METHODS
-written
-electronic
-substitute
-media
DEADLINES
-can be from 48 hours to “without unreasonable delay”
INQUIRIES
-state regulators (i.e. AG, PD)
-federal regulators (i.e. OCR)
-federal agencies (i.e. SEC, FTC)
-consumer reporting agencies
LITIGATION
-subrogation
-class action
Breach Response, continued…
Proactive Risk Manager Steps
Empowered senior executive
Talk to your IT security folks. Gain an appreciation of the many challenges
Not many firms can say how many records they have; what type of data is being collected, stored, shared, protected; where all this data resides; when it is purged
Assess & test your own staff and operations
Document your due care measures
Insurance
Red Flags, data security and breach response plans - affirmative duties
Easier said than done…
What can be done
What can be Covered Under a Network Security and Privacy Policy?
Breach of Security: Your liability to third parties arising out of a
failure of your network security that results in a computer attack. Such
failure can be caused by unauthorized access or use, transmission of a
computer virus or a denial of service attack.
Invasion of Privacy: Your liability arising from disclosure and release
of confidential or personally identifiable information stored on your
computer system caused by a failure of your network security.
Enterprise Privacy: Your liability arising from any breach of privacy
including violations of HIPAA, GLB or any state, federal or foreign
privacy protection law (including regulatory defense expenses,
notification expenses, credit monitoring, crisis management expenses)
Identity Theft: Your liability arising from theft of personal information
of your employees, customers or clients.
What can be covered under a network security and privacy policy?
Cyber Extortion: Protection against threats or demands made
against you involving your computer network.
Internet Media: Defamation, Libel and Slander/Personal Injury –
Liability arising out of the content disseminated on your Internet
site; includes intellectual property infringement exposures
Business Interruption: Business Interruption losses sustained by
you arising from the interruption or suspension of your computer
network, due to failure of security (including extra expenses)
Data Asset Coverage: Information asset protection for you for
property losses involving data, computer systems and information
assets arising from a computer attack.
John Farley provides advisory services to our clients and teams with our
Professional Risk Group as a network security and data privacy breach consultant.
John is based in our New York City office and brings 19 years of claims and risk
consulting experience to Wells Fargo Insurance Services. John is our internal lead
resource for pre and post breach services. His role is to apply his extensive
knowledge in data breach response best practices and to work diligently with our
clients to achieve optimal results in cost mitigation. When and if a breach occurs,
John will act as the coordinator between all parties involved - our client, the
carrier(s) and any outsourced service provider hired, including but not limited to,
forensic experts, privacy legal attorneys, public relations firms, call center operators
and other similar breach response service providers. John also facilitates online
access to the Wells Fargo Insurance Services e-Risk Hub. This online database
serves clients ongoing educational needs in the ever-changing network security and
privacy risk environment. It offers real time informational resources including the
latest news articles, learning tools, an incident road map, breach calculators and a
vendor directory.
John Farley [email protected] (212) 209-0227
Mark Greisiger leads NetDiligence®, a Cyber Risk Management company. For the past decade NetDiligence has been offering unique cybersecurity e-risk assessment services to organizations of all sectors. Their services support the data risk management & compliance needs of many businesses. NetDiligence supports the loss control needs of many US and UK insurers that offer network liability coverage (aka 'privacy insurance'). Mr. Greisiger is also a frequently published contributor to various insurance & risk management publications on similar topics.
Mark Greisiger [email protected] (610) 525-6383
John Mullen, Sr. leads the Privacy and Data Security Practice at Nelson Levine de Luca & Hamilton. His team of over a dozen attorneys focuses on the defense of information security and privacy matters, with particular emphasis on response to data loss events and suits. John serves as legal Breach Counsel, advising clients on issues related to IT forensics, customer and government notification and compliance, public relations, customer remedies, litigation hold/e-discovery requirements, and class action/multi-district litigation (MDL) issues. John frequently speaks to insurers, insureds, risk managers and brokers, has authored articles and presents via webinars and video broadcasts throughout the United States and the European Union. Mr. Mullen holds a B.S. from Pennsylvania State University (1987) and a J.D. from Arizona State University, College of Law (1991).
John F. Mullen, Sr. [email protected] 215-358-5154
CONTACT
John Farley, Vice President, Data Breach Consultant Wells Fargo Insurance Services USA, Inc. , New York, NY 10017 Phone: 212-209-0227 Email: [email protected]
MARK GREISIGER, Founder NetDiligence, Philadelphia, PA Phone: (610) 525-6383 Email: [email protected]
JOHN MULLEN, Chair, Privacy and Data Security Team Nelson Levine de Luca & Hamilton, Blue Bell, PA 19422 Phone: 215-358-5154 Email: [email protected]