The spammers and cyberthieves haven’t given up and gone home. Instead they are moving with the times and stirring up trouble in other ways, targeting smartphones and social networks, which offer vast amounts of personal information.
The popularity of “apps” is opening the door to a wide range of suspicious and malicious applications. Location-based services such as Foursquare and Gowalla are also a potential problem. These services allow you to easily search, track, and plot the whereabouts of friends and strangers. But cybercriminals can use this same information to craft targeted attacks, according to McAfee.
The main way to combat breaches, [Beeson] said, is by encrypting the information. But the McAfee report noted that because of our historically fragile cellular infrastructure and slow strides toward encryption, user and corporate data may face serious risks.
Source: Patricia Vowinkel, February 17, 2011
I came across an eye-opening article from Chartis Insurance Company about real claims scenarios of payments made under their Executive Liability policy form. Most of the payments are over $1,000,000 and involve data breaches caused by hackers and rogue employees.
Read Article: Security & Privacy Claims Marketing Sheet
Source: Chartis Insurance Company, Security & Privacy Claims Scenarios, September 2010
I came across an excellent article that explains how easy it is for scammers to decode your Social Security number. I always wondered how they did this.
In a recent study published in the Proceedings of the National Academy of Sciences, Carnegie Mellon University researchers needed only two pieces of information to guess SSNs. The study implies that knowledge of your hometown and your birth date allows scammers to discover most, if not all, of the nine digits of your Social Security number.
For $50, your SSN can be bought from dozens of websites used by private investigators, businesses conducting credit checks, and savvy scammers who know your name, birth date, and current address.
And if the scammer doesn’t have that information, Alessandro Acquisti, the study’s lead researcher, says it is easy to find. Acquisti states, “There are many websites and databases where one can access the birth dates of thousands of people easily and cheaply.”
Public databases and voter registration lists include this information. Over the years the first three digits of the SSN have been an “area number”, the fourth and fifth digits have been a “group number”, and the last four digits, which are more difficult to guess, have been issued sequentially depending on how long the Social Security application took to process.
Today’s highest-risk group for decoding is those born since 1988, because that is the year the Social Security Administration began issuing SSNs to newborns and to older children who did not already have an SSN. The SSA plans to start a more arbitrary process of assigning SSNs next year.
For those who use social networking websites such as Myspace, Facebook, Twitter, etc. or have online accounts, here are four easy ways to help prevent potential problems:
* Do not use your birth date or any part of your SSN as a password.
* Do not post any personal information such as your birth date, hometown, or the location of your high school.
* If you post obituaries of loved ones, exclude hometowns and other personal information, as the deceased are frequent targets.
* Stay away from online security questions that ask for your hometown.
Source: Sid Kirchheimer, AARP Bulletin Today
Tracey Vispoli, Chubb’s Cybersecurity Product Manager, refers to the rise in cyber liability claims, by stating, “It’s a frequency issue as well as severity”. Remedies for data breach now cost $202 per record.
According to Vispoli, more than half of the companies with fewer than 1,000 employees have experienced an online data breach. This shows that the need for cyber liability coverage is not limited to large technology and multinational corporations.
With increased legal activity, attorneys are adding the requirement to carry cyber liability coverage into contract requirements.
Clients are also realizing the importance of cyber liability coverage, especially with the expansion of federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Red Flags Rule.
Policy forms should address how carriers deal with the defense of regulatory matters. For the cost of defending the insured against an investigation, some carriers will provide the full policy limit, others will apply a sublimit, and some forms may only cover costs if there is a civil suit.
Michael Carr, director of Information Technology and Cyber Liability at Markel Shand, refutes the common belief that the majority of data breaches covered by cyber liability policies occur on public Internet space. Carr states that most claims arise on companies’ own networks, where their clients’ personal data is stored. A common misconception among many agents and insurers is that a client does not need cyber liability coverage if their business is not involved in e-commerce.
Paper records should be another concern as Carr states: “An awful lot of confidential information is still stored on paper. Businesses have the same duty to protect that as electronic forms. Many but not all (coverage) forms extend to paper records.”
Source: Big I E Newsletter, September 2009
New regulations are appearing at a rapid rate, and it is vital that business owners and Chief Information Officers (CIOs) become familiar with current regulations and compliance dates.
State notification laws require businesses to notify customers or patients in a timely manner of any data breach that might affect them. Each state has its own requirements, and failure to notify per a state’s notification law could lead to fines and penalties.
The HITECH Act, which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for breaches of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice “meaningful use” of an Electronic Health Record system.
The Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts,” per the regulation. This rule was created in November 2007 as an addition to the Fair Credit Reporting Act.
The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September of 2008. This regulation is intended to protect against the unauthorized disclosure of personal information of Massachusetts residents. This wide-sweeping law applies to any person or business that holds personal information on a resident of Massachusetts. Non-compliance may be subject to a $5,000 civil penalty for each violation and for each person affected.
So what’s next? H.R. 2221, the Data Accountability and Trust Act, which would require businesses to notify customers when outside parties gain access to sensitive information due to a security breach, was recently passed by the House Subcommittee on Commerce, Trade, and Consumer Protection.
Cyber liability (or security and privacy) insurance has been developed by insurance carriers to provide coverage for these exposures. First-party coverages include business income and extra expense; crisis management expenses; cyber extortion; and credit monitoring expenses and notification costs. Third-party coverages include network security and privacy liability; Internet and media liability; and regulatory defense coverage (including penalties and fines).
Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.
Source: David Perkins, September 7, 2009 www.insurancejournal.com
“Many employees disable the encryption solutions on their laptops, putting their employers at risk for data breaches, according to a study by Absolute Software Corp. and The Ponemon Institute.”
The study states that “Corporate America” is being affected by the behavior of employees who undermine data protection. As a result, encryption alone is not enough to protect laptops and other mobile devices that have sensitive information stored on them. The number one source of data loss is lost or stolen laptops. When a laptop has been stolen, 3 out of 4 companies will incur a data breach.
Necessary safety measures are not being taken by business owners to secure their laptops. Some business managers even deactivate their laptops’ encryption, making themselves and their clients more vulnerable to identity theft. Additional layers of security can be used to identify data that has been accessed, delete sensitive information remotely, and find a lost or stolen laptop. According to this study, employers cannot afford to rely on the behavior of their employees, nor on encryption technology alone, to provide the data protection they need.
Source: Absolute/Ponemon
http://www.insurancejournal.com/news/national/2009/04/27/99982.htm
“The latest U.S. Cost of a Data Breach Study… indicates a significant increase in not only the out of pocket cost of data breach incidents, but also the cost of lost business created by the turnover of customers due to the breach.”
At $202 per compromised customer record, U.S. companies have felt the brunt of data breaches. The companies that have suffered the most from data breaches are healthcare and financial services businesses.
In 2008, the average cost of these incidents was $6.65 million. The most damaging effect is lost business, averaging $4.59 million, or $139 per record compromised.
Surprisingly, 49% of companies who responded to a current study stated that most breaches actually came from the theft or loss of paper documents, not electronically generated documents.
Source: S. H. Smith & Company, Inc.
The Commonwealth of Massachusetts has extended by at least four months a deadline for businesses to electronically encrypt digital records of their customers’ personal information.
The law follows a several years-long string of high profile data breaches by both private and government entities, the majority of which involved the theft of portable devices, such as laptops.
Source: Insurance Journal 11-20-08
Outside hackers, whether domestic or part of criminal gangs in Eastern Europe and Asia, get most of the media attention.
However, inside jobs by a company’s own employees account for 70% of all security incidents that result in losses, according to some sources. This is known as authorized access for unauthorized use.
Employees, independent contractors, or employees of independent contractors who are disgruntled with management may steal confidential information such as credit card numbers and bank account information, or proprietary information such as trade secrets.
Most cyber liability policies only cover unauthorized access by outsiders. Make sure that your policy also covers authorized access for unauthorized reasons.
Source: Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006
The following risk management controls can help companies avoid cyber losses due to viruses, hackers, trojan horses, malware, denial of service, extortion, errors & omissions in delivering tech services, intellectual property violations, etc.:
* firewalls
* encryption
* password protection
* network security reviews
* disaster recovery services
* forensic services in response to security breaches
* emergency loss containment
* employee handbook provisions on internet and email security
* hacker vulnerability assessments
* review of your content and terms of use by an intellectual property attorney
Sources:
With Computers Under Siege Cyber Insurance Rides To The Rescue
Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006