Ping Service
Feedback Forms

Risk Based Security’s 2013 Data Breach QuickView Report

The following was provided by my friend Jake Kouns of Risk Based Security, a leading-edge security and threat intelligence company. that provides comprehensive vulnerability and data breach intelligence services.   Thanks Jake.

Rick

Risk Based SecurityWe  are pleased to release our Data Breach Quick view report that shows 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents.  The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record (2011).

Although overshadowed by the number of exposed records, 2013 is also ranked #2 in total reported  data breach incidents, just behind 2012. “When you analyze the data breach activity in 2013 it’s hard to  find any bright-side, said Barry Kouns, CEO of Risk Based Security. “Four of the “Top 10” data breaches all time, were reported in 2013, including the top spot. “

Read the rest of this entry »

Cyber Security and Data Breaches: Why Directors and Officers Should Be Concerned

Following is an excerpt from the leading chapter in Willis London’s Executive Risks: A Boardroom Guide 2012/2013. If you would like to read the entire chapter, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

sec1

Cyber insurance has become a necessity. Every company that maintains, houses or moves sensitive information is at risk of a data breach, primarily due to the growth and increased sophistication of hackers, malicious software and, most recently, ‘hacktavists’. Even mere employee negligence can lead to a data breach. High-profile companies such as Sony can attest that cyber-intrusions can lead to hundreds of millions, if not billions, of dollars in legal exposure.

Equally troublesome, our expanding online society has introduced new financial risks and exposures that may not be covered under general and professional liability insurance products, including standard directors’ and officers’ (D&O) policies. As such, corporate directors and officers, and their risk-management professionals, must ensure that they buy appropriately tailored policies that provide protection against the rapidly expanding risks to which they could be vulnerable, both personally and professionally.

The risks and costs of a data breach

It has become known as the Year of the Breach: in 2011, companies of all sizes experienced malicious intrusions or employee negligence that affected their operations and/or businesses. For example, in April 2011, computer hacktavists unlawfully accessed the Sony PlayStation Network (PSN) and obtained the personal and financial information of roughly 77 million PSN users. Since then, Sony and its insurers likely have spent tens, if not hundreds, of millions of dollars to remedy and mitigate the resulting security and commercial crises — an amount that grows by the day as lawyers prosecute class action lawsuits on behalf of allegedly affected users whose personal and financial information was improperly accessed.

Equally problematic for Sony, it has been sued by its commercial general liability (CGL) insurer, which sought to avoid coverage by arguing that its general liability policies do not and never were intended to cover data breaches.

The TJX Companies also fell victim to a cyber intrusion that security experts predict will have long-term costs of between US$4 billion and US$8 billion in fines, legal fees, notification expenses and brand impairment. In the TJX case, the retail group reported that 45.6 million credit and debit card numbers were stolen from one of its systems during the period July 2005 to January 2007. Of critical import, the January 2007 intrusion occurred after TJX already had knowledge of the initial breaches.

Of course, big corporations are not the only entities that are vulnerable to hackers and hacktavisits; indeed, half of all companies that have experienced data breaches have fewer than 1,000 employees.

 

Create PDF    Send article as PDF   

Cyber, Privacy and Technology Best Practices and Reputational Harm: Why Legal Professionals Need a Lawyer’s Advice, Counsel and Privileges

BabyB_LPlate_improvedIntroduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details. At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company). As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.
The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong. In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance. This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CBT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his and her lifeblood. Indeed, reputation translates to the bottom line. For better or worse.
And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is incumbent that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media. As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorneys’ clients – and by extension, the attorney himself and herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information (“PII”), personal health information (“PHI”) and/or confidential commercial information (“CCI”). It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.
It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals. Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney. Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do possess the critical protections afforded by the attorney-client relationship. In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

To continue reading, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

Fax Online    Send article as PDF   

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Read the rest of this entry »

Who Owns Patient Data in Electronic Health Records?

Following is a guest post by Doug Pollack, CIPP/US, chief strategy officer at ID Experts, a leading provider of healthcare privacy and data breach solutions. The article explores the thorny issue of “ownership” as it applies to patient data stored in and shared by electronic health record systems.

Cheers.

Rick

I recently began exploring the question of who, or what entity, owns the data that is incorporated in our patient electronic health records (EHRs). I originally began thinking about this because I was imagining that the “owner” would be responsible under circumstances where there was an unauthorized disclosure of such protected health information (PHI), in other words a data breach. It seemed like such a simple question, I had assumed I would find the answer to be just as straightforward. As it turns out, many have pondered this question and suggest that the question of “ownership” of medical data may be a misplaced one, an unanswerable question, and that the more relevant question is what control the patient, and other members of the health ecosystem, have relative to accessing, modifying, appending and transmission of this data. In other words, how is patient privacy provided for within the new EHR universe?

Read the rest of this entry »

WARNING: HHS Now Combating HIPAA Violations With HITECH Weaponry

On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).


The HITECH Act and HIPAA Enforcement

HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”

Read the rest of this entry »

The Coverage Question

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.

Read the rest of this entry »

An Insurer’s View: Examining the Rising Costs of Breaches

The following article, written by reknowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.

Rick Bortnick

Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.

The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.

Read the rest of this entry »

New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.

Read the rest of this entry »

Securities Law and Cyber Disclosures… Perfect Together…Especially for Cyber and Tech Underwriters and Brokers. And Me

Its not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director or officer of a company that does not “comply” with the DCF’s “recommendations.”

Read the rest of this entry »

Underwriters and Their Policyholders Agree: Less Is More When It Comes to Crisis Management Expenses

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…

At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.

Read the rest of this entry »

Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades.

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers have to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008) Read the rest of this entry »