Cyber Security: Pre & Post Breach

Oliver Brew, Liberty International Underwriters
John Mullen, Sr, Lewis, Brisbois, Bisgaard & Smith
Charles Beard, PwC
Amy Stanphill, Eisenhower Medical Center
Theodore Kobus, III, Baker Hostetler
David Lewison, AmWINS Brokerage Group

On The Cutting Edge!

28th Annual Blue Ribbon Conference – May 4-8, 2014


Proprietary and Confidential

Agenda

• Eisenhower Medical Center case study (45 mins)

• Short break (5 mins)

• Cyber security issues, pre-breach planning, issues and trends (70 minutes)

– Questions at end of each section

– 2 CE credits


Eisenhower Medical Center

• Case Study:

– Incident Facts

– Claims and Coverage

– Incident Consequences

– Lessons Learned

– Recommendations


Eisenhower Medical Center

• Coachella Valley not-for-profit hospital

• High quality, compassionate care for over 40 years and accredited teaching hospital

• Main Campus in 130 acres within Rancho Mirage:

– 476-bed hospital, Annenberg Center for Health Sciences at Eisenhower

– Barbara Sinatra Children's Center at Eisenhower

– Outpatient facilities in Palm Springs, Cathedral City, Rancho Mirage and La Quinta

– Betty Ford Center

• Philanthropy and volunteerism allow EMC to fulfill its mission


EMC Case Study

• Friday, March 11, 2011:

– Television and computer stolen from EMC

• Monday, March 14, 2011:

– Discovered when employee arrived at work after weekend


EMC Case Study

• Is it a breach?

• Do you involve law enforcement?

• Do you hire a forensics company?

• Do you retain counsel?

• Do you involve regulatory agencies?

• Is crisis management necessary?

• Do you offer credit monitoring?

• Do you get relief from a “law enforcement” delay?


EMC Case Study

• Immediate First Steps:

– Investigation

– Law enforcement

– Insurance

– Outside counsel

– Forensics

– Crisis management


EMC Case Study

• Investigation:

– Computer was password protected, but not encrypted

– Computer contained limited patient index information used by EMC

– Information in index file included: patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record numbers (MRNs)

– No medical records on the computer

– No financial or insurance information on the computer


EMC Case Study

• Notification – March 30, 2011:

– Over half a million patients affected

– Limited personal data

– Notified in less than 3 weeks from theft

– Credit monitoring Vendor

– Mailing and Call Center Vendor

– Media

– Substitute notice

– Agency notifications


EMC Case Study

• Post-notification:

– Patient inquiries and concerns

– Public relations

– State and federal agency inquiries and investigation

– Litigation

– Internal policy and procedure review


EMC Case Study

• Cost of response:

– Forensics

– Notification costs

– Credit monitoring

– Call center

– Crisis response

– Legal fees

– Defense costs/settlement expenses

– Regulatory fines


EMC Case Study

• Insurance implications

• Communications

• Proactive measures


EMC Case Study

• Lessons learned:

– Prepare and practice a response plan

– Respond quickly

– Bring in the right team

– Preserve evidence

– Contain and remediate

– Let the forensics drive the decision making

– Law enforcement

– Document analysis

– Involve the C-Suite

• Be guarded, consistent, and honest in communications

– Plan for likely reaction of customers, employees and key stakeholders

– Mitigate harm


Short Break


Facebook funding…


Topics

• Brief history

• Scope of data

• Internal and external threats

• Regulatory issues

• Litigation trends

• Practical tips

• Future gazing


A brief history

                                               Then… (1998)   And now… (2014)
Percentage of developed world using internet   17%            77%
Data storage cost                              $60/GB         5₵/GB
Number of smart phones                         0              1.5 billion


Insurance history lesson

• 1997: First ‘internet liability’ policy written

• 1999: Y2K catalyst to focus on technology risk

• 1999 – 2002: Dot-com bubble - first phase growth

• 2003: CA 1386 (first notification law)

• 2005 – 2010: Breaches on the rise and increasing regulation

– 2007: TJX breach

– 2009: Heartland Payment Systems

• 2013: HIPAA final rule

• Compared to auto insurance…?


Data breach history

[Chart: Total Cyber Events and Records Breached* (2004 – 2013); two series, number of events and record count, with the record-count peak annotated “450m!”]

*Only depicting events with losses >30K records


Range of industries impacted

[Chart: Cyber Events By Industry (2009 – 2014), US companies only; sectors shown: Healthcare, Financial services, Education, Government]


What information is at risk?

• Personally identifiable information (PII)

– email addresses, zip codes, phone numbers?

• Protected Health Information (PHI)

• Payment Card Industry (PCI) information


Threat landscape

• Internal threats: employee risk (malicious / inadvertent)

• External threats

• Regulatory regime

• Litigation on the increase


Internal threats

• Employee SNAFUs – 65% of data breaches due to lost paper files and devices*

• Malicious intent

• Poor practices

*Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) survey Nov 2013


Hacking: the glamorous threat

• Hacktivism - Anonymous

• Organized financial crime

• “Just because I can”

• State sponsored…?


Why the concern?

• Costs: Breach response

• Reputation: 76% of potential victims will close account with an organization if a breach occurs

– 65% would publicly expose a company for failure to safeguard information

• Litigation: 53% would be willing to sue

Source: Unisys Security Index, Lieberman Researcher Group & Newspoll


State Regulations: notice

• 46+ states require notice to customers

– Required time to notice: most expedient manner possible (no later than 45 days in FL, OH, and WI)

• Affirmative state laws (e.g. NV, MA)

• Issues: competing definitions of “Breach” and other terms


Other regulations

• HIPAA / HITECH: the 2009 expansion of the Health Insurance Portability and Accountability Act (HIPAA)

– Notice within 60 days when PHI is breached

– Requires notice to Secretary of HHS (within 60 days if breach involves 500 or more)

– Allows State AGs to bring civil actions for HIPAA violations, including failure to give notice

• PCI DSS – contractually driven obligations from card brands


Litigation trends

Injury and Standing

• Tri-West, Starbucks, Hannaford

Injury and Standing

• FTC v Wyndham

• Curry v AvMed


Prevention and preparation

“We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.”

– Zappos CEO Tony Hsieh

“Everyone has a plan… until they get punched in the face”

– Mike Tyson


Safeguard controls

• People: proper security budget and vigilance

• Processes: ISO27002, HITECH ready; employee education and training; written management processes; breach response plan

• Technology: firewalls; intrusion detection software; hardened and patched servers (tested); encryption of PII


Practical issues on data risk

• Education and culture

• Handheld devices - BYOD

• Data hygiene (e.g. passwords)

• Effective encryption


Practical issues on data risk

• Mock breaches – aka “tabletop exercises”

• Limit online access to data storage servers

• Destruction of hard drives to remove all PII


The future

• $5Bn market before 2020*

• Continued expansion of buyers

• Market consolidation:

– Specialists

– Everyone else offering add-on

• IT risk integrated as part of enterprise risk management

• Network risk only increasing

*Advisen Research


Thank You!

Oliver Brew, [email protected]
John Mullen, Sr, [email protected]
Charles Beard, [email protected]
Amy Stanphill, [email protected]
Theodore Kobus, III, [email protected]
David Lewison, [email protected]

Questions?

28th Annual Blue Ribbon Conference – May 4-8, 2014