New regulations are increasing at a rapid rate and it is vital that business owners and Chief Information Officers (CIO) become familiar with current regulations and compliance dates.
State Notification Laws require businesses to notify customers or patients in a timely manner of any data breach that might affect them. Each state has its own requirements, and failure to notify per such state’s notification law could lead to fines and penalties.
The HITECH Act, which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for the breach of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice “meaningful use” of an Electronic Health Record system.
Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts,” per the regulation. This rule was created in November 2007 as an addition to the Fair Credit Reporting Act.
The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September of 2008. This regulation was intended to protect against the unauthorized disclosure of personal information of Massachusetts residents. The importance of this wide-sweeping law is that it applies to any person or business that has personal information on a resident of Massachusetts. Non-compliance may be subject to a $5,000 civil penalty for each violation for each person affected.
So what’s next? H.R. 2221, the Data Accountability and Trust Act, was recently passed by the House Subcommittee on Commerce, Trade, and Consumer Protection; it would require businesses to notify customers when outside parties gain access to sensitive information due to a security breach.
Cyber liability or security and privacy insurance has been developed by insurance carriers to provide coverage for these exposures. First Party Coverages include business income and extra expense; crisis management expenses, cyber extortion; credit monitoring expenses and notification costs. Third Party Coverages include network security and privacy liability; internet and media liability; and regulatory defense coverage (including penalties and fines).
Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.
Source: David Perkins, September 7, 2009 www.insurancejournal.com
“Many employees disable the encryption solutions on their laptops, putting their employers at risk for data breaches, according to a study by Absolute Software Corp. and The Ponemon Institute.”
The study specifies “Corporate America” is being affected by the behavior of employees who destabilize data protection. This behavior is resulting in encryption not being enough to protect laptops and other mobile devices that have sensitive information stored on them. The number one source of data loss is from lost or stolen laptops. When a laptop has been stolen, 3 out of 4 companies will incur a data breach.
Necessary safety measures are not being taken by business owners to secure their laptops. Some business managers even deactivate their laptops’ encryption, making themselves and their clients more vulnerable to identity theft. Additional layers of security can be utilized to identify data that has been accessed, delete sensitive information remotely, and find a lost or stolen laptop. According to this study, employers cannot afford to rely on the behavior of their employees, or on encryption technology alone, to provide the data protection they need.
Source: Absolute/Ponemon
http://www.insurancejournal.com/news/national/2009/04/27/99982.htm
Do you know how much of your organization’s data is getting into cyberspace? Daily vital information about your company and your employees is seeping out and probably into the wrong hands.
There are laws in place in more than 40 states that require companies to notify customers if their data may have been compromised. Not only is damage done to the company’s reputation, but also, in some states, if a company neglects to inform an individual of a possible identity infringement, it may face civil liability, regulatory and legal costs.
Founder and executive chairman of the board Timothy Sullivan of Fidelis Security Systems has developed a risk management method that moves the focus from “intrusion” to “extrusion” prevention. Sullivan states that the way companies handle the personal data of their clients and employees is of utmost importance.
Fidelis Security Systems’ XPS is the only one that runs at such high speeds to thwart unauthorized transfer of sensitive data on all network channels, according to Sullivan. The system provides content security to all e-mails, file transfers, and peer communications. Evidence of extrusions can be obtained to enforce laws that control privacy and financial data integrity, states Sullivan.
“Ninety-eight percent of computer investment today involves trying to prevent people from getting into a system. We believe some of that money would be well spent in trying to keep information from getting out.”
Source: Rough Notes Magazine, April 2009, Greg Davis http://www.roughnotes.com
“The latest U.S. Cost of a Data Breach Study… indicates a significant increase in not only the out of pocket cost of data breach incidents, but also the cost of lost business created by the turnover of customers due to the breach.”
At $202 per compromised customer record, U.S. companies have felt the brunt of data breaches. The companies that have suffered the most from data breaches are healthcare and financial services businesses.
In 2008, the average cost for these incidents was $6.65 million. The most damaging effect is lost business, averaging $4.59 million, or $139 per record compromised.
Surprisingly, 49% of companies who responded to a current study stated that most breaches actually came from the theft or loss of paper documents, not electronically generated documents.
Source: S. H. Smith & Company, Inc.
The Commonwealth of Massachusetts has extended by at least four months a deadline for businesses to electronically encrypt digital records of their customers’ personal information.
The law follows a several years-long string of high profile data breaches by both private and government entities, the majority of which involved the theft of portable devices, such as laptops.
Source: Insurance Journal 11-20-08
Outside hackers, whether domestic or part of criminal gangs in Eastern Europe and Asia, get most of the media attention.
However, inside jobs by a company’s own employees account for 70% of all security incidents that result in losses, according to some sources. This is known as authorized access for unauthorized use.
Employees, independent contractors, or employees of independent contractors who are disgruntled with management may steal confidential information such as credit card numbers or bank account information, or proprietary information such as trade secrets.
Most Cyber Liability policies only cover unauthorized access by outsiders. Make sure that your policy also covers authorized access for unauthorized reasons.
Source: Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006
The following risk management controls can help companies avoid cyber losses due to viruses, hackers, trojan horses, malware, denial of service, extortion, errors & omissions in delivering tech services, intellectual property violations, etc.:
* firewalls
* encryption
* password protection
* network security reviews
* disaster recovery services
* forensic services in response to security breaches
* emergency loss containment
* employee handbook provisions on internet and email security
* hacker vulnerability assessments
* review of your content and use terms by intellectual property attorney
Sources:
With Computers Under Siege Cyber Insurance Rides To The Rescue
Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006
When analyzing a Cyber Liability policy for adequacy, the following specific risks may or may not be covered:
* Errors & Omissions resulting in pure economic damages (needed for accounts that perform Cyber-related professional services for a fee for others)
* Personal injury such as libel (usually excluded under General Liability for accounts with Cyber exposure)
* Advertising injury such as inaccurate statement about a competitor (usually excluded under General Liability for accounts with Cyber exposure)
* Copyright infringement
* Trade or service mark infringement
* Patent infringement (difficult to obtain on Cyber Liability policy, may need to buy stand alone policy to insure this risk)
* Computer viruses, trojan horses, malware
* Unauthorized access by outsiders to confidential data
* Authorized access by insiders for illegal purposes
* Breach of security
* Loss of use
* Business interruption
Businesses should discuss the exposure to each of the above risks with their risk manager or insurance agent and decide which ones need to be included in the coverage form. Don’t assume that all of these risks are covered without a specific coverage grant in the policy language. Since Cyber Liability coverage forms are not standardized like many other policy forms, coverages tend to vary greatly from one carrier to the next.
Source: With Computers Under Siege, Cyber Insurance Rides To The Rescue
“We are experiencing a financial meltdown due to a fundamental misunderstanding and mismanagement of modern financial systems, which is generating a crisis of confidence in our core institutions. Today, all our critical infrastructures are reliant on cyber systems that are also misunderstood and mismanaged. These vulnerabilities place both our financial and physical security in jeopardy unless we update the method we use to control our cyber systems.”
Cyber Liability is one of top four priority security issues– Department Of Homeland Security
The estimated 2004 impact of cyber attacks on business was $226 billion– Congressional Research Service
A new guide from The American National Standards Institute (ANSI) and The Internet Security Alliance (ISA) is available to business executives to assist in limiting the impact of a cyber attack.
Over the past two and a half years, there have been over 225 million reported consumer data breaches. This year alone, there have been more than 30 million reported security breaches of consumer data. No one knows the actual numbers since it is suspected that most security breaches are unreported.
Most tech firms and regular businesses with exposure don’t have insurance to cover this expensive peril. Liability for the following categories of expenses is common in these breaches of security:
* Class action lawsuits
* Regulatory fines, fees, penalties
* Statutory notification expenses
Tech companies that collect confidential information, or assist clients that do the same, must make sure that their Professional Liability / Errors & Omissions policy is specially endorsed to respond to breach of security lawsuits. Non-tech companies with exposure must make sure that their Cyber Liability policy does the same.
Source: S.H. Smith & Company, Inc. E Bulletin, 10-19-08