Beazley Breach Response Select: Making the connection on data breach complexities (PDF document)

  1. Beazley Breach Response Select: Making the connection on data breach complexities

  2. Making the connection on data breach complexities. Presented by Jeffrey Norton, underwriter, Beazley US Private Enterprise Technology, Media & Business Services team (jeffrey.norton@beazley.com), and Marcello Antonucci, claims manager, Beazley US Technology, Media & Business Services team (marcello.antonucci@beazley.com).

  3. Making the connection on data breach complexities
     • Data breach exposures
     • Data breach costs for small businesses
     • Claims scenarios for small businesses
     • Coverage misconceptions
     • Beazley Breach Response Select

  4. Making the connection on data breach complexities. Data breaches are a big concern for small businesses…
     • The U.S. Chamber of Commerce estimates that employee theft costs American employers more than $50 billion each year, and that one third of all small business failures can be attributed to employee dishonesty.
     • Based on estimates, cybercriminals steal as much as US$1 billion a year from SMBs in the United States and Europe alone. (Source: Trend Micro)
     • Verizon's 2011 data breach report of 759 occurrences, conducted in collaboration with the US Secret Service, shows that 63 percent of last year's breaches involved organizations with fewer than 100 employees.

  5. Focus has shifted to small businesses since they are easier targets for cyber criminals...

  6. Making the connection on data breach complexities. Most small business owners and their employees still lack understanding of the inherent risks and of how best to protect their data, and their business.

  7. Making the connection on data breach complexities. Response costs add up for a company with limited cash flow. Costs for a small business can be as much as those faced by a larger company:
     o Small businesses typically have fewer internal resources and less expertise to handle a breach response, so they are more likely to have to pay outside experts such as attorneys, consultants, crisis management and public relations professionals to assist.
     • Complexity of the business will drive costs for legal and forensics.
     • Response costs alone: hiring a forensics expert to determine the size and scope of a breach can range from $10,000 to $100,000, whatever the size of the business.
     • Once notifications go out, public relations/damage control is critical to reputation!
     • The lion's share of response costs comes from the duty to notify those whose data has been breached or potentially breached: an estimated $200,000 in costs associated with breach response services.

  8. Making the connection on data breach complexities. Direct Data Breach Costs in 2010
     • $214 per compromised customer/client record
     • $7,200,000 in average total per-incident costs (forensics, legal, notification, customer fallout) (U.S. Cost of a Data Breach Study, PGP Corporation and Ponemon Institute, 2011)
     • Small businesses typically have fewer internal resources and less expertise to handle a breach response, so they are more likely to have to pay outside experts such as attorneys, consultants, crisis management and public relations professionals.
     • Once customers are notified that their information has been breached, damage control is critical.
     • Leveraging the services of experienced claims professionals is key…

  9. Making the connection on data breach complexities. Regulatory Investigations & Third-Party Claims
     • Mandatory breach notification in 46 states, the District of Columbia, and Puerto Rico.
     • Notification brings potential for AG regulatory action and provides the plaintiffs' bar with a tempting lure for putative class actions.
     • PHI: HIPAA and HITECH
     • Regulatory proceedings can result in fines and corrective action plans that require significant expenditures on administrative, technical, and physical safeguards for data.
     • Third-party class action lawsuits entail potentially enormous exposure, and at the very least cost a lot of money to defend.
     AIM of BBR Services: mitigate any potential regulatory investigations and respond clearly and with confidence.

  10. Making the connection on data breach complexities. How Do Breaches Occur?
     • Employee loses a portable device (BlackBerry, laptop, thumb drive, backup tape)
     • Stray faxes, emails
     • Property crimes (computers prime targets)
     • Inside job (employee steals information, particularly upon separation)
     • Phishing scams ("Nigerian prince"), and increasingly, spear-phishing (social engineering)
     • Malware / virus attacks (especially when working remotely on an unsecured network)

  11. Making the connection on data breach complexities. Examples of Publicly Reported Breaches (continued)
     • The Briar Group LLC: the owner of a number of bars and restaurants in the Boston area used default usernames and passwords on its point-of-sale system, which were shared by employees on an unsecured wifi network. Malware quickly made its way onto the network, and several customers began experiencing credit card fraud. The Massachusetts Attorney General learned of the incident from affected customers and filed a lawsuit resulting in a $110,000 penalty and mandatory compliance with the rigorous Payment Card Industry Data Security Standards.
     • Roanoke State Community College: a USB drive and a personal handheld device were stolen from an employee's car when he took information home to do after-hours work. The names and Social Security numbers of 9,747 current or former students were on the handheld device, along with those of 1,194 current or former employees. Credit monitoring alone for a breach of this size would typically exceed $100,000.

  12. Making the connection on data breach complexities. Examples of Publicly Reported Breaches
     • The Surgeons of Lake County ("SLC"): a medical facility in northern Illinois had hackers breach its computer network, infiltrating a server where e-mails and electronic medical records were stored. The hackers encrypted access to the system and tried to extort money from SLC in exchange for the decryption key, threatening to start spamming pornography from SLC's email addresses if not paid within 72 hours. SLC had to purge all systems and notify over 7,000 patients of the incident.
     • Phoenix Cardiac Surgery ("PCS"): a five-physician practice posted clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. One patient Googled her own name, discovered the calendar, and reported the incident to federal regulators. In turn, regulators fined PCS $100,000 and instituted a mandatory corrective action plan with the ability to audit PCS for six years.
     Just the tip of the iceberg: in five out of every six breaches, the infiltration remained undetected for weeks at a time. See "2012 Data Breach Investigations Report," Verizon Communications, at 3 (2012) (http://bit.ly/GFfpdk).

  13. Top five list of small business misconceptions
     5) Most breaches happen to big companies
     4) The cost to respond to a breach is a postage stamp to mail a letter
     3) Our information is well-protected by our IT consultants
     2) My employees would never act maliciously, and know how to protect our data
     And the top misconception is…

  14. Top five list of small business misconceptions. #1: Every security breach is covered by my general liability policy

  15. Beazley Breach Response Select: What makes it different? Our top two reasons:
     1) Very few businesses have the resources to manage a breach (we do it all!)
     2) Notify by number of affected individuals outside the liability limit
