
Cyber Security: Pre & Post Breach


Presentation Transcript


  1. On The Cutting Edge! Cyber Security: Pre & Post Breach
     Oliver Brew, Liberty International Underwriters
     John Mullen, Sr, Lewis, Brisbois, Bisgaard & Smith
     Charles Beard, PwC
     Amy Stanphill, Eisenhower Medical Center
     Theodore Kobus, III, Baker Hostetler
     David Lewison, AmWINS Brokerage Group
     28th Annual Blue Ribbon Conference – May 4-8, 2014

  2. Agenda
     • Eisenhower Medical Center case study (45 mins)
     • Short break (5 mins)
     • Cyber security issues, pre-breach planning, issues and trends (70 minutes)
     • Questions at end of each section
     • 2 CE credits

  3. Eisenhower Medical Center
     Case study:
     • Incident facts
     • Claims and coverage
     • Incident consequences
     • Lessons learned
     • Recommendations

  4. Eisenhower Medical Center
     • Coachella Valley not-for-profit hospital
     • High quality, compassionate care for over 40 years; accredited teaching hospital
     • Main campus on 130 acres within Rancho Mirage:
       • 476-bed hospital, Annenberg Center for Health Sciences at Eisenhower
       • Barbara Sinatra Children's Center at Eisenhower
     • Outpatient facilities in Palm Springs, Cathedral City, Rancho Mirage and La Quinta
     • Betty Ford Center
     • Philanthropy and volunteerism allow EMC to fulfill its mission

  5. EMC Case Study
     • Friday, March 11, 2011: television and computer stolen from EMC
     • Monday, March 14, 2011: theft discovered when an employee arrived at work after the weekend

  6. EMC Case Study
     • Is it a breach?
     • Do you involve law enforcement?
     • Do you hire a forensics company?
     • Do you retain counsel?
     • Do you involve regulatory agencies?
     • Is crisis management necessary?
     • Do you offer credit monitoring?
     • Do you get relief from a “law enforcement” delay?

  7. EMC Case Study
     Immediate first steps:
     • Investigation
     • Law enforcement
     • Insurance
     • Outside counsel
     • Forensics
     • Crisis management

  8. EMC Case Study
     Investigation:
     • Computer was password protected, but not encrypted
     • Computer contained limited patient index information used by EMC
     • Information in the index file included: patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record numbers (MRNs)
     • No medical records on the computer
     • No financial or insurance information on the computer

  9. EMC Case Study
     Notification – March 30, 2011:
     • Over half a million patients affected
     • Limited personal data
     • Notified in less than 3 weeks from the theft
     • Credit monitoring vendor
     • Mailing and call center vendor
     • Media
     • Substitute notice
     • Agency notifications

  10. EMC Case Study

  11. EMC Case Study

  12. EMC Case Study

  13. EMC Case Study
     Post-notification:
     • Patient inquiries and concerns
     • Public relations
     • State and federal agency inquiries and investigation
     • Litigation
     • Internal policy and procedure review

  14. EMC Case Study
     Cost of response:
     • Forensics
     • Notification costs
     • Credit monitoring
     • Call center
     • Crisis response
     • Legal fees
     • Defense costs / settlement expenses
     • Regulatory fines

  15. EMC Case Study
     • Insurance implications
     • Communications
     • Proactive measures

  16. EMC Case Study
     Lessons learned:
     • Prepare and practice a response plan
     • Respond quickly
     • Bring in the right team
     • Preserve evidence
     • Contain and remediate
     • Let the forensics drive the decision making
     • Law enforcement
     • Document analysis
     • Involve the C-suite
     • Be guarded, consistent, and honest in communications
     • Plan for the likely reaction of customers, employees and key stakeholders
     • Mitigate harm

  17. Short Break

  18. Facebook funding…

  19. Topics
     • Brief history
     • Scope of data
     • Internal and external threats
     • Regulatory issues
     • Litigation trends
     • Practical tips
     • Future gazing

  20. A brief history
     Metric                                         Then… (1998)   And now… (2014)
     Percentage of developed world using internet   17%            77%
     Data storage cost                              $60/GB         5¢/GB
     Number of smart phones                         0              1.5 billion

  21. Insurance history lesson
     • 1997: First ‘internet liability’ policy written
     • 1999: Y2K catalyst to focus on technology risk
     • 1999 – 2002: Dot-com bubble – first phase growth
     • 2003: CA 1386 (first notification law)
     • 2005 – 2010: Breaches on the rise and increasing regulation
     • 2007: TJX breach
     • 2009: Heartland Payment Systems
     • 2013: HIPAA final rule
     • Compared to auto insurance…?

  22. Data breach history
     [Chart: Total Cyber Events and Records Breached* (2004 – 2013); axes: record count and number of events; callout: 450m records]
     *Only depicting events with losses >30K records

  23. Range of industries impacted
     [Chart: Cyber Events By Industry (2009 – 2014), US companies only; industries shown: Financial services, Government, Education, Healthcare]

  24. What information is at risk?
     • Personally identifiable information (PII)
       • email addresses, zip codes, phone numbers?
     • Protected Health Information (PHI)
     • Payment Card Industry (PCI) information

  25. Threat landscape
     • Internal threats: employee risk (malicious / inadvertent)
     • External threats
     • Regulatory regime
     • Litigation on the increase

  26. Internal threats
     • Employee SNAFUs – 65% of data breaches due to lost paper files and devices*
     • Malicious intent
     • Poor practices
     *Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) survey, Nov 2013

  27. Hacking: the glamorous threat
     • Hacktivism – Anonymous
     • Organized financial crime
     • “Just because I can”
     • State sponsored…?

  28. Why the concern?
     • Costs: breach response
     • Reputation: 76% of potential victims will close their account with an organization if a breach occurs; 65% would publicly expose a company for failure to safeguard information
     • Litigation: 53% would be willing to sue
     Source: Unisys Security Index, Lieberman Research Group & Newspoll

  29. State regulations: notice
     • 46+ states require notice to customers
     • Required time to notice: most expedient manner possible (no later than 45 days in FL, OH, and WI)
     • Affirmative state laws (e.g. NV, MA)
     • Issues: competing definitions of “breach” and other terms

  30. Other regulations
     • HIPAA / HITECH: HITECH (2009) expanded the Health Insurance Portability and Accountability Act (HIPAA)
     • Notice within 60 days when PHI is breached
     • Requires notice to the Secretary of HHS (within 60 days if the breach involves 500 or more)
     • Allows state AGs to bring civil actions for HIPAA violations, including failure to notify
     • PCI DSS – contractually driven obligations from card brands

  31. Litigation trends
     Injury and standing:
     • Tri-West, Starbucks, Hannaford
     • FTC v Wyndham
     • Curry v AvMed

  32. Prevention and preparation
     “Everyone has a plan… until they get punched in the face” – Mike Tyson
     “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.” – Zappos CEO Tony Hsieh

  33. Safeguard controls
     • People: proper security budget and vigilance
     • Processes: ISO 27002, HITECH ready; employee education and training; written management processes; breach response plan
     • Technology: firewalls; intrusion detection software; hardened and patched servers (tested); encryption of PII
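The "encryption of PII" control on this slide is the one the case study turns on: the stolen computer was password protected but not encrypted, so a login password gave no protection once the drive left the building. As an added illustration that is not part of the presentation, the Go program below encrypts a constructed patient-index record at rest with AES-256-GCM from Go's standard library, so that the stored bytes reveal nothing without the key and any tampering is detected on read. The function names NewKey, Seal and Open, the context label and the sample record are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example (not from the presentation): authenticated encryption of a
// PII record at rest with AES-256-GCM. Helper names are assumptions.

const keySize = 32 // AES-256

// NewKey returns a fresh random data-encryption key. In a real deployment the
// key lives in a KMS/HSM or OS keystore, never on the same device as the data;
// that separation is what makes a stolen laptop or drive unreadable.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and binds it to aad (for example the file or record
// name); output layout is nonce || ciphertext || tag. GCM needs a fresh random
// nonce for every call under the same key.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, a different aad, or any modified byte of
// nonce, ciphertext or tag yields an error rather than plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample resembling the index fields named in the case study.
	record := []byte(`{"name":"Jane Doe","dob":"1970-01-01","ssn_last4":"1234","mrn":"MRN-000001"}`)
	context := []byte("patient-index.db") // assumed context label bound via aad

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record, context)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; without the key they carry no patient data\n", len(blob))

	plain, err := Open(key, blob, context)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted with key:", string(plain))
}
```

The design point is the difference between the two controls on slide 8: a password guards the operating system session, but the disk itself can be read by moving it to another machine, whereas encryption with a key held elsewhere makes the device useless to whoever takes it. Binding a context label through the aad also stops an encrypted record from being silently swapped into a different file.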

  34. Practical issues on data risk
     • Education and culture
     • Handheld devices – BYOD
     • Data hygiene (e.g. passwords)
     • Effective encryption

  35. Practical issues on data risk
     • Mock breaches – aka “tabletop exercises”
     • Limit online access to data storage servers
     • Destruction of hard drives to remove all PII

  36. The future
     • $5Bn market before 2020*
     • Continued expansion of buyers
     • Market consolidation:
       • Specialists
       • Everyone else offering add-on
     • IT risk integrated as part of enterprise risk management
     • Network risk only increasing
     *Advisen Research

  37. Questions? Thank You!
     Oliver Brew, oliver.brew@libertyiu.com
     John Mullen, Sr, john.mullen@Lewisbrisbois.com
     Charles Beard, charles.e.beard@us.pwc.com
     Amy Stanphill, AStanphill@emc.org
     Theodore Kobus, III, tkobus@bakerlaw.com
     David Lewison, david.lewison@amwins.com
     28th Annual Blue Ribbon Conference – May 4-8, 2014