Tag Archive for Breach

Cyber Insurance

John Moccia of Innovation Guard wrote a good primer, in a thread at Internet Evolution, on what happens when a firm needs to buy cyber insurance. He writes that loss control and security precautions are built into the process of acquiring cyber insurance. Firms such as NetDiligence partner with insurers, and according to the author, when you buy a cyber insurance policy, coverage is contingent on passing a security audit performed by such a partner (penetration testing, an ethical hack, and the like).

The article goes on to state that when a company outsources its technology, for example to a colocation facility where its actual servers reside, the insurer will seek information on the colocation provider’s security protocols, protections, and redundancy. In the end, companies with better procedures and protections in place get better rates; those with weak or no security get higher rates, or are not offered coverage at all.

According to Mr. Moccia, cyber insurance has both first-party and third-party implications.

First-party coverage = your own losses, such as the cost of notifying the thousands or tens of thousands of people whose information has been compromised.

Third-party coverage = losses of others who would seek restitution from you, for example a class action claim for failure to secure confidential data: defense costs, settlements, and so on.

This whole area is still evolving. Some insurers offer only third-party coverage, others offer both. They also take different approaches to the way they structure the coverage. For example, one insurer may offer up to $250K for breach notification costs, while another covers notification of up to 2 million affected people with no specific dollar limit.

Some insurers’ policies can also include coverage for the acts of “rogue” employees and insiders.

The author points out that insurance is a very old industry, and one that is slow to change its ways of doing business. Insurers package their policies the way they want to sell them, as opposed to the way people and businesses want to buy them. For example, the types of claims discussed here are relevant and likely for any kind of company today. General Liability claims are very uncommon and unlikely (at least for vanilla office-based companies such as tech businesses and professional service firms), and traditional business interruption coverage doesn’t address these cyber issues. Yet those coverages are part of the standard policy that all businesses carry. To get the total protection a business needs, it has to buy several policies, usually from multiple insurers. The first progressive insurer willing to incorporate coverage for these modern exposures into its standard commercial policy (even if it just dips a toe in the water and offers $10K or some other nominal amount) will have a huge advantage over the rest of the market.

rb-

I am sure that many SMB organizations have holes in their coverage when it comes to cyber insurance. I really doubt that they can pass the security audit. Many of the organizations I deal with have very low security postures. Conversations about password policies, document retention, and user account life-cycle are a big deal, even when my counterpart has come from industry into education.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Investigating Internet Liability Insurance

Enterprises now face the question of which kinds of cyber insurance to buy in addition to the traditional insurance that covers the ordinary risks of doing business. Internet Evolution asks, “What would you pay to be insured against data loss or theft?” While cyber insurance of various kinds has been around for a while, more firms than ever are seriously considering it as data breaches, Web fraud, and security incidents continue to make headlines.

Tracey Vispoli, global financial fidelity manager for Chubb, told Internet Evolution, “Although I would still characterize business interest in cyber insurance as emerging, we saw a 40 percent growth in firms securing some form of Internet liability insurance in 2009.” Chubb provides Internet liability and other insurance coverage for businesses worldwide. “I’ve been talking with several insurance companies now about entering the cyber-insurance area,” says Paul Sop, CTO of the computer security and consulting firm Prolexic Technologies Inc.

For insurers like Chubb, the Internet provides an opportunity to develop new products to meet emerging business needs. For potential business clients, Internet insurance plugs gaps in coverage that current business insurance policies don’t address. The article says the gaps include:

  • Website-related losses,
  • Website copyright infringements,
  • Cyber-attacks and
  • Unauthorized online access to customer information.

“We encourage companies to think not only about their Web-based assets but also about their entire technology base when they consider insurance,” Ms. Vispoli told Internet Evolution. This includes not only cyber-attacks that directly target the Website from the Internet but also breaches of confidential corporate data such as customer and employee records. Ms. Vispoli explained that at least 45 states require a company whose data is compromised to send official notifications to all those affected.

Someone from the outside can hack into your employee or customer information, and then there’s the financial pressure of not only fixing the breach and taking action, but also of notifying potentially hundreds of thousands of individuals whose information has been compromised.

The article says that the cost of notification alone can be worth insuring, but there are other costs as well. As recently as five years ago, companies were not required to send out notices nor did they spend the amount of money that it takes today to bring in a forensics team to analyze a cyber breach and find the hack.

The cost of Internet liability and other e-commerce-related insurance varies, depending on the risk factors a given organization presents. Internet Evolution says one of the variables is the amount of online sales it books each year. Common types of cyber-insurance that are available today include:

  • Technology professional liability,
  • Media errors and omissions,
  • Telecommunications professional liability and
  • Computer information and data security liability.

“We are seeing an aggressive trend in businesses subscribing to cyber-insurance, especially in industry sectors like healthcare, financial services, retail, services companies like hotel chains and media,” Ms. Vispoli said in the article. “Depending on the size of the organization, we might be contacted for coverage information by a Chief Security Officer, or possibly by a CFO or CIO.” All of them see growing exposure from e-theft, e-fraud, compromise of critical data, loss of goodwill, e-threats and vandalism, denial of service, copyright infringement, and regulatory compliance issues.

What do you think?

Does your organization have cyber insurance?


Paper Based Data Breaches Growing

Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches are on the rise. Krebs cites statistics from the Identity Theft Resource Center (ITRC), a San Diego-based nonprofit, which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that was lost, stolen, inadvertently distributed, or improperly disposed of.

The ITRC logged 125 paper breaches among the 463 incidents it recorded in 2009. These breaches occurred across all sectors; business accounted for the most, followed by government.

“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”

Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

Experts say that paper data breach incidents come to light in large part because of the proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control of sensitive consumer data, such as Social Security or bank account numbers, to alert affected consumers and, in some cases, state authorities. Concerned about the mounting cost of complying with so many state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals would preempt state measures and would allow paper-based breaches to go unreported, because they require notification only when electronically stored data is lost or stolen and are largely silent on paper breaches. Only Massachusetts and North Carolina currently require notification whether the breached data is in electronic or paper form.

rb-
When we talk to clients about information security, and not just information technology security, we ask them to consider that lost paper documents are just as damaging to a company’s reputation, should they get into the wrong hands, as electronic data stored in an Excel spreadsheet or on a database server. Data on paper is just another form of data that needs to be protected by information security policies.

Related articles
  • Identity theft and data breaches increased in 2010 (lexingtonlaw.com)


Cost of a Data Breach Is Increasing

The annual Cost of a Data Breach survey, conducted by the Traverse City, MI-based Ponemon Institute and funded by encryption vendor PGP Corp., found that the total average cost associated with a data breach rose slightly from 2007.

The fourth annual U.S. Cost of a Data Breach Study (registration required) surveyed 43 firms that experienced a data breach and asked them to give estimates for their expenses. The total average costs of a data breach grew to $202 per record compromised, an increase of 2.3% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).

Depending on the size of the breach, costs can become astronomically expensive, said Dr. Larry Ponemon, chair and founder of the Ponemon Institute. Some in the privacy community hold the view that, over time, people will become indifferent to data breach notifications. But the Ponemon study found that the costs associated with lost business continue to climb: lost business now accounts for 69% of data breach costs, up from 65% in 2007.

“Our model suggests that people haven’t reached the point of indifference yet,” Ponemon said. “When people reach that point the cost of churn should decline, but our findings show the costs continue to creep up year by year.”

The survey also found many firms having trouble preventing data breaches. Of the firms surveyed, 84% said they experienced more than one breach, though the costs are higher for companies experiencing a breach for the first time. Per victim cost for a first-time data breach is $243 versus $192 for experienced companies.

“It’s impossible to create an environment where you cannot have a data breach,” Ponemon said. “Data breaches will probably continue even for the best of companies, but it’s how you detect it, how you respond to it, and how you manage the risk that matters most.”

Companies are fearful of malicious insiders getting access to sensitive data. The rising tide of layoffs as a result of the poor economy has put a focus on the insider threat. But insider negligence continued to play a major role in causing a data breach. More than 88% of all cases involved incidents of insiders mishandling data. Far fewer breaches were from malicious insiders. The Ponemon study found that the per victim cost for data breaches involving negligence cost $199 per record versus malicious acts costing $225 per record.

Fewer firms are investing in additional technologies. Encryption was the first technology implemented after a breach. Of the technology options, 44% of companies have expanded their use of encryption, the Ponemon survey found.

“One of the mistakes people make with encryption is they’ll go and encrypt a laptop and forget about thumb drives, email or FTP servers,” he said. “People are addressing some issues but not addressing the entire problem.”

Some companies turn to the use of third-party services to handle personal information such as payment transactions and customer loyalty programs. But the Ponemon survey found that those services may increase the risk of data leakage and increase the cost of a breach. Breaches by outsourcers, contractors, consultants and business partners were reported by 44% of respondents, up from 40% in 2007. Third-party vendors often take more time to investigate and conduct forensic analysis. Services sometimes lose information due to poor processes or inadequate data protection technologies, Ponemon said.


Three+ Years to Recover From a Data Breach

An article on the Today’s Facility Manager website reports that it takes over three years for a firm to recover from a crisis, such as a data breach, that damages its reputation, according to the market research firm Burson-Marsteller. The firm points out that quickly disclosing the details of a scandal or corporate misstep and making visible progress toward recovery should be the first steps any organization takes to rebuild its reputation.

Not only will it take over three years to recover a corporate reputation, but Forrester reports it can also take a lot of money. In an April 11, 2007 article at Information Week, Forrester analysts estimate that the average data breach can cost a company between $90 and $305 per lost record.

Information that firms like TJX Companies and Menu Foods seem to have missed.

(updated 06-17-07)
