Be trendy and get Tweeting! - Insurance Bootcamp · CYBER RISKS (transcript)
Be trendy and get Tweeting!
#Insurancebootcamp
DIAMOND SPONSOR
SILVER SPONSOR
Points of discussion
1. Cyber Risks – Professional Liability and Third Party Computer Crime. Presented by Christiaan Erasmus, specialist liability regional manager, Hollard Broker Markets
2. Cyber Crime – A South African perspective. Presented by Candice Sutherland, business development consultant: corporate solutions, Stalker Hutchison Admiral
3. Cyber Insurance – Taking the sting out of an information security breach. Presented by Natalie van de Coolwijk, managing director, CyGeist
CYBER RISKS – Professional Liability and Third Party Computer Crime
Christiaan Erasmus
Specialist liability regional manager, Hollard Broker Markets
Agenda: Cyber Risks – Professional Liability and Third Party Computer Crime
• Introduction to Digital Marketing & Advertising Agencies
• Professional Liability and Digital Marketing
• Introduction to Internet Service and Consulting Firms
• Professional Liability and IT Service and Consulting Firms
• Commercial Crime and Third Party Computer Crime
Digital Marketing – Back to Basics – How did traditional Ad agencies evolve?
What is Digital Marketing?
• Marketing that makes use of electronic devices such as computers, smartphones and tablets to engage with stakeholders
• Products and services promoted through electronic devices to us (consumers)
• Advantages to companies include segmentation (specific target markets)
• Online behavioural advertising (web browser behaviour)
• Social media marketing
Source: Wikipedia
Digital Marketing – Back to Basics – Pros and Cons
Why & Why not?
• Type of direct marketing, perception that it is personal
• Motivate potential customer to action (immediate results)
• Wider audience and measurable
• Creating touch points with customers and continuous interaction
• Campaign can be copied
• Reputation damage by negative feedback
• Not yet embraced by everyone
• Drowned by too much clutter
Source: Smart Insights (Dave Chaffey)
Digital Marketing Agencies and Liability – Back to Basics – What is Professional Liability?
Professional Liability
• Professional liability – protects organisations against claims from others
• Breach of Duty against an actual or alleged negligent act, error, omission or breach of confidentiality and defamation
• Defence costs
• Damages – legally liable to pay a THIRD Party iro judgements against Insured
• Extend to include infringement (unintended)
• Extend to include Loss of Documents – documents include computer records
• Computer records = electronically stored, digital or digitised information or media
• Financial loss vs physical injury or damage to tangible property
Digital Marketing Agencies and Liability – Back to Basics – Professional Liability & Data Protection Coverage
Professional Liability – Did Insurers move with the times?
• Insurers adapted to clients' changing needs (slowly as usual, but we did)
• We can include digital marketing in the scope of coverage
• We can include Breach of Data Extension in the scope of coverage
Digital Marketing Agencies and Liability – Back to Basics – Professional Liability & Data Protection Coverage
Professional Liability – Definition of Digital Media
1. Web and mobile platform design and development;
2. Design, development and management of social media platforms, and related applications;
3. All online media and communication including articles, designs, copywriting, content publishing and page/community management across digital assets;
4. Digital advertising campaigns including Google AdWords;
5. Database management; and
6. Development and execution of web and social media designed brand competitions.
Digital Marketing and Liability – Back to Basics – Professional Liability & Data Protection Coverage
Professional Liability – Data Protection
• The Insurer will pay on behalf of any Insured, who is not the actual or contributing perpetrator, all damages resulting from any claim brought under any data protection legislation and amendments thereto.
Digital Marketing and Liability – Back to Basics – Professional Liability & Data Protection Coverage
Professional Liability – Some concerns
• Signing off on printing and printers printing incorrect material
• Potential libel/slander/defamation
• Strategic planning, setting of budgets, providing general marketing advice and incorrect bookings
• Copyright infringements (print media and digital media)
• Intellectual property – the use of another person's ideas or work without permission, including plagiarism, copyright infringement, misappropriation.
Digital Marketing Agencies and Liability – Back to Basics – Professional Liability & Data Protection Coverage
Professional Liability – The Exclusions
• Misdeeds and intentional acts
• Anti-competitive
• Contractual disputes
• Fines and penalties (Cyber Liabs)
• Loss of profits/fees (Cyber Liabs)
• Trade secrets
• Data security breach (Cyber Liabs)
• Insured vs Insured
• Trade debts
• Investment performance
IT Service and Consulting Firms – Back to Basics – Macro Environment
Overview
• South Africa boasts the largest Internet economy in Africa
• Internet Economy to contribute 2.6% to GDP in 2016 (that's ± USD 9.1 billion)
• Government spend on IT infrastructure at R59 billion
• 2009 B2B E-commerce was at R9 billion
• Biggest share – airlines
• E-commerce growing at 30% year on year
• 410 000 SMEs have a website
• Opportunity for IT Service and Consulting Firms
Source: WorldwideWorx 2012
IT Service and Consulting Firms – Back to Basics – Computer Software Firms & Professional Liability
Professional Liability (recap)
• Professional liability – protects organisations against claims from others
• Breach of duty against an actual or alleged negligent act, error, omission or breach of confidentiality and defamation
• Defence costs
• Damages – legally liable to pay a THIRD Party iro judgements against Insured
• Extend to include infringement (unintended)
• Extend to include Loss of Documents – documents include computer records
• Computer records = electronically stored, digital or digitised information or media
• Financial loss vs physical injury or damage to tangible property
IT Service and Consulting Firms – Back to Basics – Computer Software Firms & Professional Liability
Professional Liability – Did Insurers move with the times?
• Insurers adapted to clients' changing needs (slowly as usual, but we did)
• We included technology products in the scope of coverage (hardware and firmware)
• We included computer records in the scope of coverage
• We included breach of data extension in the scope of coverage
IT Service and Consulting Firms – Back to Basics – Computer Software Firms & Professional Liability
Professional Liability – Coverage for Technology Products & Failure
• The Insurer will pay on behalf of any Insured all damages resulting from any claim for any Technology Product Failure.
• Technology Product = any computer hardware or firmware: sold, leased or otherwise supplied; licensed; or installed, modified or serviced.
• Technology Product Failure = any actual or alleged negligent breach of duty, act, error, misstatement, misleading statement or omission in connection with any Technology Product
• NB – Damages extended to include costs of replacing computer records
IT Service and Consulting Firms – Back to Basics – Computer Software Firms & Professional Liability
Professional Liability – What are Computer Records & Data?
• Computer records = any data stored within any: computer, data processing equipment, or any of their respective components; or computer software, but does not include any currency, negotiable instruments or records thereof.
• Data = electronically stored, digital or digitised information or media.
• Wrongful act = Breach of duty, infringement, libel, slander, technology product failure or fraud/dishonesty.
Data Protection Endorsement – ask for it!
IT Service and Consulting Firms – Back to Basics – Computer Software Firms & Professional Liability
Professional Liability – Some concerns
• Professional Liability exposure is substantial
• Do NOT confuse Professional Liability with Gratuitous Negligent Advice
• Breach of confidentiality
• Faulty design that requires complete or partial re-installation
• Proper testing and sign-off from clients
• Systemic risks, especially financial institutions/pension funds
• High risk industries = military, finance houses, architectural, engineering, construction, aerospace and medical, where the software involved controls production, real-time accounting functions, design or guidance systems.
IT Service and Consulting Firms – Back to Basics – Computer Software Firms & Professional Liability
Professional Liability – The Exclusions
• Misdeeds, intentional acts & trade secrets
• Anti-competitive
• Contractual disputes
• Fines and penalties (Cyber Liabs)
• Loss of profits/fees (Cyber Liabs)
• Data security breach (Cyber Liabs)
• Insured vs Insured
• Trade debts
• Investment performance
• Internet material, public key infrastructure & certification
Third Party Computer Crime & Commercial Crime
Back to Basics – What is Computer Crime?
TP Computer Crime – Phishing and Claims
• Confusion amongst risk professionals and clients
• Phishing Scams – attempt to acquire info by masquerading as a trustworthy site
• Loss sustained by the Insured, arising directly from computer fraud committed by a Third Party, with the intent to cause the Insured a Loss.
• Loss means actual and direct financial loss of money…
• Loss is NOT a breach, cancellation or other termination of a contract, the non-payment or other non-performance by a debtor
Third Party Computer Crime & Commercial Crime
Back to Basics – What is Computer Crime? Third Party Computer Crime
• Computer fraud means the fraudulent access to, or the use of, or the disclosure, processing, deletion, insertion, amendment, interception or manipulation of, information, data or software or systems of the Insured, or of any banking institution holding or controlling or otherwise dealing with money or property of the Insured, or for which the Insured is responsible, which is initiated or implemented or completed electronically by the use of a computer.
Third Party Computer Crime & Commercial Crime
Back to Basics – What is Computer Crime? Third Party Computer Crime – Some concerns
• Difficult claims, heavy burden of proof on the Insured, costly iro Auditors
• Stationery Fraud – realistic and convincing letters, faxes or e-mails are received, purportedly from legitimate creditors, requesting that the details of their bank accounts be changed for all future payments
• TP sends fraudulent instructions to bank, purporting to be the Insured, requesting payment to X and Y (obviously crooks). Loss R600k
• Realistic and convincing orders are received, purportedly from regular customers, requesting delivery of goods
Third Party Computer Crime & Commercial Crime
Back to Basics – What is Computer Crime? Third Party Computer Crime – Basic Risk Management
• EFT payment procedures need to be reviewed to ensure that they are as secure as possible
• Staff who are authorised to load and/or release transactions – staff training
• Banking details of payees need to be pre-approved and carefully checked
• Software updates, antivirus updates, review of IT system, stress testing
• Changes to banking details should be verified with the customer
• Staff – check criminal records, credit history and previous employer references
QUESTIONS?
THANK YOU
CYBER CRIME: A South African perspective
Candice Sutherland
Business development consultant: corporate solutions, Stalker Hutchison Admiral
CYBER CRIME IS BIGGER THAN …
• …the black market in marijuana, cocaine and heroin COMBINED ($288bn), and fast approaching the value of the global drug trafficking market ($411bn)
• …the price tag Americans spend annually on fast food ($110bn)
• At $388bn, cyber crime is more than 100 times the annual expenditure of UNICEF ($3.65bn)
• If cyber crime were a nation, it would be the 27th biggest in terms of GDP
• South African loss figures estimated at R5.8bn
BUT WHAT IS CYBER CRIME?
Cyber crime is any criminal activity involving computers and networks
It is the unauthorised access to, interference with, fraud and forgery of data
RECENT UNINSURED INCIDENTS
STATS
• 7 000 users left devices at airports over 12 months
• 37% of users don't activate their auto-lock feature
• 48% have logged onto an unsecured network
• 60% of users who find a random USB stick will plug it into their computers
• 90% is the number that increases to if you add a company logo
USER ERROR: HIGH
DDoS as a service: commonly offered in the gaming community to temporarily freeze competing players during critical gaming sessions. Can be purchased ($5 to $1 000) depending on the length and magnitude of the attack.
4 most common causes of breaches:
• Disgruntled employees
• Negligence
• Competitors
• Hackers
IT IS MORE LUCRATIVE TO STEAL ONLINE THAN ON THE STREET
How many records do YOU store? # of records x R200
10 000 x R200 = R2 000 000
This does NOT include: regulatory fines/penalties, lost revenue, reputational damage, legal fees, forensic auditors, loss adjusters and public relations consultants (between R1 000 and R6 000 per hour PER provider).
BEST PRACTICE
• Ensure all devices on company networks have adequate security protection
• Be aggressive in updating and patching
• Enforce an effective password policy (8-10 characters)
• Ensure regular backups
• Restrict e-mail attachments
• Update antivirus regularly
• Think before you click
• Guard your personal data
• Wi-Fi hotspots
• Safeguard yourself with a Cyber Insurance policy
PoPI – WHAT IS INFORMATION?
Gives effect to a constitutional right to privacy
• Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
• Education, medical, financial, criminal or employment history
• ID number, physical address, telephone number
• Personal views, opinions and preferences, and private or confidential correspondence
Fine: R10 million or 10 years in prison
ELECTRONIC COMMUNICATIONS AND TRANSACTIONS ACT
Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally and without authority or permission to do so:
1. accesses or intercepts any data;
2. interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective;
3. produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item;
4. utilises any device or computer program in order to unlawfully overcome security measures designed to protect such data or access thereto;
5. commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users
is guilty of an offence.
A person convicted of an offence is liable to a fine or imprisonment for a period not exceeding five years
WHAT DOES COVER ENTAIL?
• First Party Expenses (actual costs to restore, re-collect or replace data; costs and expenses of specialists, investigators, forensic auditors or loss adjusters; costs and expenses for the use of rented, leased or hired external equipment, services, labour, premises or additional operating costs including staff overtime)
• Loss of Business Income (net income which would have been earned had the breach not occurred)
• Notification Expenses (expenses incurred to comply with privacy legislation, such as legal expenses and communication expenses through mail, call centres, website and customer support expenses)
• Crisis Management Expenses (services of a public relations consultant, related advertising or communication expenses)
• Associated regulatory fines and penalties to the extent insurable by law
CYBER STANDALONE vs. OTHER POLICIES
• PI policy: limited cover for loss of third party data, but only if it relates to provision of professional services
• PI Tech policy: covers third party loss only
• GL policy: data is deemed to be an intangible form of property, so no cover would be provided
• BI policy: material damage only, and this would be considered non-material damage
• Computer All Risks: costs for repairing damaged hardware (tangible property) and would not respond to claims for lost data (only as a result of physical damage)
• FG: covers financial loss committed through dishonest or fraudulent acts by any employee
TRADITIONAL INSURANCE IS INADEQUATE, DUE TO THE INTANGIBLE NATURE OF DATA ASSETS
QUESTIONS?
THANK YOU
CYBER INSURANCE – Taking the sting out of an information security breach
Natalie van de Coolwijk
CyGeist
Not so long ago in a land not so far away…
(Please note all characters are purely fictional)
Friday, 16h30 – MD's office, NBD Retailers
Customer notifies MD of potential privacy breach.
Friday, 16h45 – MD's office, NBD Retailers
MD receives another very important phone call…
Monday, 9h00 – customer's office
Customer contacts MD again to tell him there are fraudulent transactions on her account and to demand feedback.
Monday, 9h15 – MD's office, NBD Retailers
MD contacts the IT department and asks them to investigate the allegations.
Monday, 16h30 – IT Dept, NBD Retailers
Privacy breach involving 100 000 customer records is confirmed…
Tuesday, 9h45 – MD's office, NBD Retailers
The MD contacts the customer in an attempt to smooth things over.
The aftermath…
NBD Retailers makes front page news, and not for good reasons…
The aftermath…
Meanwhile the call centre at NBD Retailers is dealing with exceptionally high call volumes…
The aftermath…
An attorney sees the article in the newspaper and decides to initiate a class action suit against NBD Retailers.
The aftermath…
Further consequences of the breach include shortcomings of the original breach investigation, escalating legal bills and loss of market share.
The aftermath…
Some customers are more creative than others…
Luckily…
The information regulator has not been established yet, otherwise the company could also have been forced to pay fines and penalties…
Recap: Risks posed by an information security breach
• Reputational damage, loss of competitive advantage, lost revenue
• Costs incurred to reduce the impact of a breach
• Litigation arising from compromised data
• Industry / regulatory fines and penalties
• Systems unavailability and loss of data
How the situation would have unfolded if NBD Retailers had a cyber insurance policy…
Breach response with cyber insurance
BREACH OCCURS
1. Notification to Insurer.
2. Service providers notified/deployed, e.g.: Technology/forensic specialists – contain the incident and restore services. Legal specialists – guide and assist with legal and regulatory actions to be taken. PR specialists – assist with developing and implementing a PR strategy.
3. Legal specialists – assist in making decisions regarding notification of parties affected by a breach. Guidance will be given to ensure that all methods of notification and communication comply with regulatory requirements and the PR strategy.
4. Notifications distributed to affected individuals; may include an offer to register for credit monitoring services. If required, a call centre and dark website will be provided.
5. Affected individuals who elect to take up credit monitoring services are registered with the relevant service provider and provided with regular reports and alerts should there be any activity on their credit record.
6. Legal specialists – provide assistance in dealing with regulatory bodies and third party liability claims.
7. Throughout the claims process the policyholder will be kept informed; the insurer and best-of-breed service providers will remain in close contact to ensure that the breach response is managed as effectively and painlessly as possible.
So what is cyber insurance?
What is cyber insurance?
• Provides cover for information and network security breaches
• Effectively transfers breach response function to insurer
• Specifically tailored to address intangible property and non-physical perils
• First party and third party cover
What does it cover?
Coverage is provided for the potential costs relating to breach response, including:
• Crisis management, notifications and public relations
• Forensic investigations
• Ensuing litigation
• Data and services recovery
• Potential fines and penalties
Benefits of a cyber insurance policy
• Initial underwriting and risk assessment
• Ongoing training, awareness and assessment tools
• Breach response planning
• Access to highly skilled service providers
• Incident management and response
What to consider when buying a policy
• Gaps in existing insurance cover
• Involve all relevant stakeholders
• Involve a knowledgeable broker
• Ask insurer about value-added services
• Integrate claims process with internal breach response
Overview of the US cyber insurance market
US cyber insurance market
• One of the fastest growing lines of insurance
• 20% of US businesses buy coverage
• Number of companies buying cover increased by 33% in 2012
• Services industry – 76% increase in number of policyholders
• Education sector – 72% increase in number of policyholders
[Chart: US Market Growth – US cyber insurance premiums, Cyber Premium US ($'m); x-axis 2002 to 2012, y-axis 0 to 1 400. Bar values in order from 2002: 80, 120, 175, 250, 300, 400, 475, 600, 800, 900, 1 000, 1 250]
Claims
Examples of claims
• Insurance consultancy – breach of primarily unencrypted data
• Forensic analysis to determine the extent of the breach and type of information compromised
• Legal counsel and IT security experts determined that notification was required
• Call centre for escalated inquiries, credit monitoring offered to potentially affected parties
• Total breach response costs (6000 records): $250,000
Examples of claims
• Physician's work laptop stolen, 37 000 records compromised
• Legal counsel – notification requirements, the response process
• Department of Health and Human Services investigation
• Counsel – provide proof of strong privacy controls and training procedures
• Estimated cost to respond to the breach (at $10 per record): $370,000
Examples of claims
• Plastic surgeon posted unauthorised 'before and after' photos of several patients on her website
• Issue was discovered when a patient performed a Google search on herself, and the explicit pictures showed up in the search
• 15 invasion of privacy actions against the plastic surgeon to date, with several settling in the range of $150 000 per plaintiff
• Additional legal expenses incurred: $50 000
NetDiligence® 2014 claims study – key findings
• Claims submitted for the study ranged from $1 000 to $13.7 million
• Hackers most frequent cause of loss, followed by staff mistakes
• Healthcare and financial services most frequently breached sectors
• Smaller companies experienced the most incidents
• Third parties accounted for 20% of claims submitted
• Insider involvement in 32% of claims submitted
NetDiligence® 2014 claims study – graphs
Who are we?
CyGeist
• 1st South African UMA specialising solely in cyber insurance
• In-depth knowledge of insurance, underwriting and IT
• Holistic risk management package encompassing an information centre, IT security risk assessments, incident response coaching and planning
Partners
• Natsure (recognised specialist UMA business)
• Guardrisk (AA+ rated insurance paper)
QUESTIONS?
THANK YOU
POPI and actual case studies
Tim Timmerman, Group training officer, Garrun Group
SUMMARY
• In RSA each company must have an Information Officer.
• The IO must be registered with the Information Regulator.
Implementation
• Looks good on paper
• In line with EU
But
• How well will the regulator be equipped to deal with complaints?
• Will his office be adequately staffed?
• City of Johannesburg (pre POPI) – Security flaw: customers could read customer billing information including: Name, Account Number, Contact details.
• Zurich Insurance (RSA):
– Lost an unencrypted backup disc.
– The fine: £2 300 000
Case Studies
Let's look at actual case studies to see the impact of this legislation overseas. Consider:
• Cases that we can relate to
• Rulings
• Fines or penalties
Consumer rights in the EU protected by the Data Protection Act of 1988. The Data Protection Amendment Act, 2003, updated the legislation, implementing the provisions of EU Directive 95/46. The Acts set out the general principle that individuals should be in a position to control how data relating to them is used. This led to the formation of the Data Protection Commissioner.
• The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers.
• The Commissioner is appointed by Government and is independent in the exercise of his or her functions.
• Individuals who feel their rights are being infringed can complain to the Commissioner, who will investigate the matter, and take whatever steps may be necessary to resolve it.
Case Studies
Case Study 8: Excessive data sought by Direct Insurers
• Quinn Insurance, in completing proposals telephonically, sought information dating back 5 years – driving demerit points.
• Road Traffic Act stipulates records only kept for 3 years.
• Policy wording required 5 years.
• Reported to ICO
• Insurers revised their wording.
• ICO comments:
– Data controllers should exercise restraint when seeking personal data and they should ensure that only the minimal amount of personal data necessary is processed.
Case Study 17: Files / documents sent to incorrect e-mail address
• GP sent patient details to incorrect e-mail address
• Noticed only when the intended recipient did not receive the e-mail and called.
• Fortunately only recipients with specific software could open the file.
• Because the information was protected it was recorded as a non-breach, but the data controller wanted the potential disaster noted in a public forum.
• Comment from ICO:
– This issue highlights the necessity for sending sensitive data via secure means. It shows how easy it is for e-mails to be issued to an incorrect recipient, and without some means of securing the data contained in the e-mail.
Case Study 15: Client list taken by ex-employee to new employer
• Person left one company with client list and joined a new similar company.
• New company began writing to the clients.
• Complaint by a person who was aggrieved because her details were in the hands of a company of which she had no knowledge.
• Act requires personal data to be fairly obtained and not be further processed without prior knowledge of the individual.
• Reported to the ICO, who contacted the new company, and the matter was resolved.
• Later it transpired the ex-employee continued sending letters and they were subsequently subjected to an audit, during which the new MD cooperated fully.
Case Study 13 of 2012: Phone companies prosecuted for loss of personal data
• Eircom and Meteor appeared in the Dublin District Court in September 2012 to face charges relating to the loss of customer personal data which was stored on two unencrypted laptops, which had been stolen several months prior
• Data breach only reported 2 February 2012 whilst date of loss was between 28/12 and 02/01/12
• Approximately 7 000 clients' personal data breached
• Clients only notified of breach in late February and March
• Regulations put the onus of protection on the company
• Further audit showed about 160 more computers that were not protected
Case Study 13 of 2012: Phone companies prosecuted for loss of personal data (continued)
• "….data breaches of this nature should normally be reported to us within two working days of the data controller becoming aware of the incident,"
• Notification of a data breach to affected individuals quickly is also critical and essential as it allows them to take remedial action to protect themselves and their identities – particularly in cases where financial and identification documentation is stolen.
• In the ruling the two defendants were ordered to make a charitable donation of €15 000 to charities nominated by the Court.
What can I do in the interim?
• Familiarise yourself with the Act.
• Ensure that laptops / smartphones are secured by passwords to prevent unauthorised access.
• Try to implement systems so that lost laptops / smartphones can be remotely 'wiped clean'. E.g. Samsung Remote
• Limit access to information to a 'need to know' basis.
• Check physical security at premises where information is stored. E.g. alarm, security gates etc.
QUESTIONS?
THANK YOU