Due to the overwhelming amount of information flowing over the internet as the WWW grows stronger, we thought it best to revisit the question of “How Private is Your Personal Information?”. More so, as a tech, are you responsible for your CLIENTS’ INFORMATION? Your thoughts?
I ran across an excellent web page that reminds us how seemingly private communications may not really be private and can be spread and detected for many years and possibly forever. The article discusses the pitfalls of hard drives, laptops, smart phones, social networks, Google caches, and fax machines.
“Online is Forever”: there are millions of old, orphaned web pages out there whose creators can’t access them to change them or take them down, Google caches pages so that web searches can still find them even after they have been removed from the web server, and backups of ancient data still languish on the shelves of numerous server rooms.
Source: WXPNews, May 4, 2010
“Cyber liability coverage has evolved from just liability insurance for information technology companies to coverage that nearly every class of business should have if they don’t already.” Many businesses including banks, restaurants, retailers, and medical offices are unaware of the great security technology exposure they face.
In addition, the internet is not the source of all data breach problems. Lower tech breaches commonly arise that are caused by leaving password notes out in plain view, theft of laptops, and improper disposal of medical records.
“Recent state laws require companies that have experienced a security breach to notify all customers that could be affected by the breach that their information has been compromised, even if the information hasn’t been used. In most cases, the notification also includes an option of one year credit monitoring services and a new card or account number for customers.”
More than 40 states have data breach notification laws and insurers expect a federal cyber notification law at some time in the near future. The average per customer cost for a security breach is $15 and this does not include loss of reputation.
Cybercriminals are using phishing tactics to gain information from social network sites, then use it to tap into corporate networks and steal sensitive data. This can result in breach-of-privacy lawsuits and the need for Cyber Liability insurance for tech firms and regular businesses alike.
Here are the steps in the process:
1. Cybercriminals purchase Facebook user names and passwords on websites at a cost of $75 to $200 per 1000 matching pairs.
2. Cybercriminals enter accounts and get access to friends, emails, dates of birth, mother’s maiden names, home towns, and vital information from profiles and postings to start online conversations.
3. Messages are sent to friends with information of interest (based on postings) that include a link to a website that results in a malicious executable file being placed on the recipient’s PC.
4. The executable files contain keystroke loggers that capture all user keystrokes and periodically email them to free Gmail or Hotmail accounts set up by the cybercriminal.
5. Eventually, the user logs into the employer’s network through VPN or Citrix and the cybercriminal captures the user name and password.
6. The cybercriminal enters the corporate network and probes for weaknesses such as those caused by failure to update security patches.
7. A vulnerable server is found and breached, resulting in the compromise of confidential information.
Source: http://www.usatoday.com/NEWS/usaedition/2010-03-04-1Anetsecurity04_CV_U.htm?csp=N009
In the recent Florida Supreme Court case of Penzer v. Transportation Insurance Company, the court ruled that the standard General Liability policy form covers lawsuits alleging that fax blasts are in violation of the federal Telephone Consumer Protection Act (TCPA).
In this case, a class action lawsuit was filed against Nextel (or its agent) for sending unsolicited fax blasts in violation of the TCPA. The TCPA is a federal law making it unlawful to use a fax, computer, or other device to send an unsolicited advertisement to a fax machine. Each fax sent in violation can result in the greater of actual damages or $500.
Transportation Insurance Company argued that the “advertising injury” coverage under its General Liability must be for “oral or written publication of material that violates a person’s right of privacy”. And, in the present case, no private content was communicated in the advertisement.
However, the court opined that the “right of seclusion” is a right of privacy that is provided for under the TCPA. Therefore, the “advertising injury” coverage under the General Liability form does provide coverage for sending unsolicited fax advertisements in violation of the TCPA.
In the Penzer case, the fax blast violation occurred in 2003. Since that time, the insurance industry has adopted form CG 00 67 03 05 entitled “Exclusion-Violation Of Statutes That Govern E-Mails, Fax, Phone Calls Or Other Methods Of Sending Material Or Information”. This policy endorsement should preclude coverage in the majority of these cases.
Source: John Sadler
I came across an excellent article that explains how easy it is for scammers to decode your Social Security number. I always wondered how they did this.
In a recent study published in the Proceedings of the National Academy of Sciences, Carnegie Mellon University researchers needed only two pieces of information to guess SSNs. The study implies that knowledge of your hometown and your birth date allows scammers to discover most, if not all, of the nine digits of your Social Security number.
$50 can buy your SSN from dozens of websites used by private investigators, businesses conducting credit checks, and savvy scammers who know your name, birth date, and current address.
And if the scammer doesn’t have the information, Alessandro Acquisti, the study’s lead researcher, says it is easy to find. Acquisti states, “There are many websites and databases where one can access the birth dates of thousands of people easily and cheaply.”
Public databases and voter registration lists include this information. Over the years the first three digits of the SSN have been an “area number”. The fourth and fifth have been a “group number”, and the last four digits, which are more difficult to guess, are issued sequentially depending on how long the Social Security application took to process.
Today’s highest-risk group for decoding is those born since 1988, because that is the year the Social Security Administration began to order SSNs for newborns and older children who did not already have an SSN. The SSA plans to start a more random process of assigning SSNs next year.
For those who use social networking websites such as Myspace, Facebook, Twitter, etc. or have online accounts, here are four easy ways to help prevent potential problems:
Do not use your birth date or any part of your SSN as a password.
Do not post any personal information such as your birth date, hometown and location of your high school.
If you post obituaries of loved ones, exclude hometowns and other personal information, as the deceased are frequent targets.
Stay away from online security questions that ask for your hometown.
Source: Sid Kirchheimer, AARP Bulletin Today
YouTube, Facebook, and Twitter have become prevalent and the risks involved for the workplace are often not taken into account.
Here are a few threats that can be overlooked:
1. Your Friends List
“Social media” can be very helpful when making contact with customers, finding jobs, corresponding with potential clients, etc. But dangers lurk when all the people in your friends list have access to your comments. Ranting and raving about your boss and forgetting that he/she is listed as “your friend” can lead to obvious problems.
2. Employers Fail To Set Internet Usage Policy
Many companies are using blogs and social networking to their advantage; however, they can also become a liability risk. It is vital that policies are in place for how and when employees can use the Internet and that personal data is secured.
3. Hackers Look For Any Open Door
Any employee using these sites while on the job exposes the organization to phishing, spam, and malware attacks. One study found that a quarter of all businesses have been affected by “social media” use in the workplace.
4. Providers Fail to Take Appropriate Safety Measures
Lawsuits are beginning to target the social media companies for privacy issues along with user-generated content. Several classmates set up a private group on Facebook. Now Facebook has been named in a lawsuit over allegedly defamatory content contained in the private group’s comments.
5. Ignorance Is Your Loss
An even bigger danger is to ignore the social media frenzy. In doing so, companies lose the newest, most popular opportunity to stay in touch with their markets and their clients and to build customer relationships. Just be wise in how your company uses social media.
Source: Patricia Vonwinkle, Risk and Insurance
Tracey Vispoli, Chubb’s Cybersecurity Product Manager, refers to the rise in cyber liability claims by stating, “It’s a frequency issue as well as severity”. Remedies for a data breach now cost $202 per record.
According to Vispoli, more than half of the companies with fewer than 1,000 employees have experienced an online data breach. This shows that the need for cyber liability coverage is not limited to large technology and multinational corporations.
With increased legal activity, attorneys are inserting Cyber Liability coverage requirements into contracts.
Clients are also realizing the importance of cyber liability coverage, especially with expansions of federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Red Flags Rule.
Policy forms should address how carriers deal with the defense of regulatory matters. For the cost to defend the insured against an investigation, some carriers will provide the full policy limit. Others will have a sublimit, and some forms may only cover costs if there is a civil suit.
Michael Carr, director of Information Technology and Cyber Liability at Markel Shand, refutes the common belief that the majority of data breaches covered by cyber liability policies occur on public Internet space. Carr states that most claims occur on companies’ own networks, where their clients’ personal data is stored. A common misconception among many agents and insurers is that a client does not need cyber liability coverage if their business is not involved in e-commerce.
Paper records should be another concern as Carr states: “An awful lot of confidential information is still stored on paper. Businesses have the same duty to protect that as electronic forms. Many but not all (coverage) forms extend to paper records.”
Source: Big I E Newsletter, September 2009
New regulations are increasing at a rapid rate and it is vital that business owners and Chief Information Officers (CIO) become familiar with current regulations and compliance dates.
State notification laws require businesses to notify customers or patients in a timely manner of any data breach that might affect them. Each state has its own requirements, and failure to notify per that state’s notification law could lead to fines and penalties.
The HITECH Act, which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for breaches of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice “meaningful use” of an Electronic Health Record system.
The Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts,” per the regulation. This rule was created in November 2007 as an addition to the Fair Credit Reporting Act.
The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September of 2008. This regulation was intended to protect against the unauthorized disclosure of personal information of Massachusetts residents. This wide-sweeping law applies to any person or business that holds personal information on a resident of Massachusetts. Non-compliance may be subject to a $5,000 civil penalty for each violation, for each person affected.
So what’s next? H.R. 2221, the Data Accountability and Trust Act, was recently passed by the House Subcommittee on Commerce, Trade, and Consumer Protection; it would require businesses to notify customers when outside parties gain access to sensitive information due to a security breach.
Cyber liability (or security and privacy) insurance has been developed by insurance carriers to provide coverage for these exposures. First-party coverages include business income and extra expense, crisis management expenses, cyber extortion, credit monitoring expenses, and notification costs. Third-party coverages include network security and privacy liability, internet and media liability, and regulatory defense coverage (including penalties and fines).
Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.
Source: David Perkins, September 7, 2009 www.insurancejournal.com
Cyber attacks on U.S. and South Korean government agencies, companies, and institutions have been called the “most aggressive in recent memory”.
Attackers use “botnets”, networks of “zombie” personal computers that they have infected with a virus. Denial of service comes into play when the controlled computers are instructed to contact target websites repeatedly until those websites are overwhelmed.
More sophisticated e-commerce websites protect against these attacks by using special software that detects and shuts down suspicious traffic.
Protect your computers! Viruses often attack with no apparent signs that your computer has been infected. Software is available to identify and flag dubious traffic flow. Many companies offer a free scan, so make sure you update your antivirus software and run regular scans. Also, potentially affected businesses should purchase Cyber Liability insurance to protect against this risk.
Source: http://www.msnbc.msn.com/id/31803381/ns/technology_and_science-security/