Note: This website, sponsored by Steve Anderson, provides business leaders with the information they need to identify, prioritize, and mitigate their vulnerabilities in the event private client information is breached.
Spammers will be Phishing for your Money
“On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some [Insert company name] customers were accessed by unauthorized entry into their computer system.”
During the last couple of weeks it’s likely that you have received a similar e-mail notifying you that your e-mail address was stolen. Epsilon, one of the largest e-mail marketing companies, had its database breached and “a subset of Epsilon clients’ customer data were exposed.” According to Epsilon the breach was limited to e-mail addresses and/or customer names only. No other personally identifiable information was stolen.
The scope of the breach and the list of large customers involved make this one of the largest security breaches of its kind. Only about 50 clients were involved, but they include some of the largest companies in the country: Citigroup, Capital One, Walgreen, Best Buy, Target, Hilton, Kroger, Tivo, US Bank, Disney, The College Board, and Marriott.
Spear-Phishing
Even though the breach included only e-mail addresses and names, many security experts are concerned about the implications. Simply knowing someone's e-mail address and their spending habits, or at least the brands with which they have some sort of relationship, makes it easy to craft a targeted and convincing phishing message.
If scammers know that you have a credit card with Capital One, for example, they can send an e-mail that looks like it comes from Capital One and asks you to log into a website and provide personal information, which in turn gives them access to more data, including financial information. People do fall for these targeted “spear-phishing” attacks precisely because the message appears to come from a company they have a relationship with and refers to that relationship.
Phishing Prevention
Phishing attacks are common, but if you keep your guard up about where you click and what information you enter into a website, you will probably be safe. Phishing does work, though, even if only on a small percentage of recipients, and because the Epsilon breach exposed tens of millions of e-mail addresses, even a small percentage adds up to a sizable number of victims.
When you receive an e-mail from any company you have a relationship with, scrutinize it fully. Check the actual sender address, not just the display name, and confirm that its domain belongs to the company. Look for typos, and for links whose real destination (hover over the link to see it) is not the company's own domain. Do not click those links.
If you do get a suspicious e-mail, particularly one with an urgent tone asking you to update your personal information, pick up the phone and call the company in question at a number you already have. Remember: very few (if any) companies will ask you for sensitive information via e-mail. If in doubt, type the company's web address into your browser yourself, log in directly, and verify the request there.
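The checks above can be applied to a suspicious message mechanically before anyone clicks. The script below is an added example and is not code from the original page or from any of the companies named in it. It parses a constructed spear-phishing e-mail (the sender addresses, hostnames and links in it are invented and use reserved example domains and the TEST-NET address 192.0.2.10) and reports the same warning signs: a sender address that is not on the company's domain, a Reply-To that routes answers elsewhere, urgent wording in the subject, links whose real destination differs from the text shown or from the brand's domain, and links to bare IP addresses. The `registrable_domain` helper is a deliberate simplification (it keeps the last two labels of a hostname) and would misjudge suffixes such as `co.uk`, where a public-suffix list is needed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The hostnames use reserved
# example domains and the TEST-NET address 192.0.2.10.
PHISH_EMAIL = """\
From: "Capital One Alerts" <alerts@capita1one-secure.example>
Reply-To: verify@mail-update.example
To: customer@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, please sign in at
<a href="http://capitalone.com.account-check.example/login">https://www.capitalone.com</a>
to confirm your details, or use <a href="http://192.0.2.10/verify">this link</a>.</p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "Capital One" <alerts@capitalone.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.capitalone.com/">www.capitalone.com</a>
to view your statement.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: wrong for suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


URGENCY = re.compile(r"\b(urgent|immediately|suspended|within \d+ hours)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def analyze(raw, expected_domain):
    """Return the warning signs found in a message that claims to come from
    expected_domain (e.g. 'capitalone.com'). An empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The real sender address, not the display name, must be on the company's domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if registrable_domain(sender_domain) != expected_domain:
        findings.append(f"sender address {sender!r} is not on {expected_domain!r}")

    # 2. A Reply-To that sends answers to another domain is a classic tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != registrable_domain(sender_domain):
        findings.append(f"Reply-To {reply_to!r} goes to a different domain than the sender")

    # 3. Pressure to act right now.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("subject uses urgent language")

    # 4. For every link: where does it really go, and does that match what is shown?
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        if not href:
            continue
        host = urlparse(href).hostname or ""
        if IPV4.fullmatch(host):
            findings.append(f"link {href!r} points at a bare IP address")
            continue
        if registrable_domain(host) != expected_domain:
            note = f"link {href!r} leads to {registrable_domain(host)!r}, not {expected_domain!r}"
            if expected_domain in host:
                note += " (brand name embedded in a lookalike host)"
            findings.append(note)
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != host:
            findings.append(f"link text shows {shown!r} but the link goes to {host!r}")
    return findings
```

Running `analyze(PHISH_EMAIL, "capitalone.com")` reports six findings, including the lookalike host `capitalone.com.account-check.example`, whose real registrable domain is `account-check.example`; the same call on `LEGIT_EMAIL` reports none. Passing a clean message is not proof of legitimacy, so the phone call to the company still applies.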
Explore Insurance
Any organization that maintains a database of customer information is at risk. Make sure you understand the liability you face and explore purchasing Network Security and Privacy Insurance.
Insurance for Data Breach Expenses
The vast majority of insurance agencies do not have any insurance coverage for reimbursement of the costs incurred due to a client data breach. Here are just a few of the reasons why a Network Security and Privacy (NSAP) policy makes sense for insurance agencies:
- Coverage for data and other non-physical perils is routinely excluded under Property policies.
- The “intentional acts” exclusion found in a standard E&O policy might eliminate coverage if the breach was caused intentionally by an employee.
- E&O coverage may not respond at all for acts that are outside the provision of professional services.
- Liability arising out of the destruction of electronic data is not typically covered under the standard General Liability or Property policies.
- Crime policies generally only cover theft of money, securities or other tangible property – not information theft or the destruction of electronic data.
Don't be the cobbler with holes in his shoes! Take the appropriate risk management steps to protect the private client information contained within your electronic and physical files. If those steps fail, you will be glad you have separate coverage.
Riskiest US Cities for Cybercrime
Seattle is the most dangerous city in the U.S. when it comes to cybercrime, at least according to a Symantec report issued in March 2010.
The Northwest sported two of the top 10, with Portland, Ore., ranked No. 10 in the list of the nation's 50 largest metro areas. Rounding out the first five were Boston, Washington D.C., San Francisco and Raleigh, N.C. Atlanta, Minneapolis, Denver, and Austin, Texas completed the top 10.
At the bottom, as in least dangerous, were Detroit (No. 50); El Paso, Texas (No. 49); and Memphis, Tenn. (No. 48).
The complete 50-city ranking can be downloaded from Symantec's website. A more detailed description of the rating methodology and the scores for each city are available in a 16-page report.
Symantec also released a similar ranking for Canadian cities, which puts Burlington, Ontario, at the top of the list and Longueuil, Quebec, at the bottom. Vancouver, British Columbia, the host of the 2010 Winter Olympics, was rated the fourth-most-dangerous city in Canada.
RoboForm
One of the more difficult things in an agency is managing all of the user IDs and passwords required by the various insurance companies. When you have a different user ID and password for each carrier, banking, news, airline and entertainment website you visit, it’s easy to forget the magic words.
RoboForm manages all of your password-protected websites with one master password. Enter your secure sites and their login information once in RoboForm, and every subsequent time you visit those password-protected URLs the program logs you in automatically. For added security, the user IDs and passwords it manages are encrypted under your master password, so they remain unreadable if the stored file is copied or stolen. That protection is only as strong as the master password itself, so choose a long one that you use nowhere else.
Digital Copiers are a Security Risk
Digital copiers built since 2002 contain hard drives that store an image of every document copied or scanned. Many of the stored documents include confidential data, leaving individuals vulnerable to identity theft if no safeguards are in place.
During a CBS News investigation in April 2010 an expert downloaded tens of thousands of documents from old copiers available for sale using a free forensic software program. One copier contained files from a police department sex crimes unit; one contained addresses and social security numbers along with $40,000 in copied checks; and yet another contained 300 pages of individual medical records from a health insurance company.
You can view the video report by Armen Keteyian, “Digital Photocopiers Loaded With Secrets,” (Apr. 19, 2010) at:
http://www.cbsnews.com/video/watch/?id=6412572n&tag=related;photovideo
Any company that maintains any type of health record faces a particularly risky situation if that information is breached. Federal privacy laws, including the Americans with Disabilities Act (ADA), require that employers keep employee health records private.
You may be able to obtain a security or encryption add-on for your copier that automatically erases images and other data from the copier hard drive. Before allowing an old copier to be removed from its premises, any organization should make sure the hard drive is either removed or completely wiped of all data. Simply deleting the stored jobs is not enough: the image data stays on the disk, which is exactly what the forensic software used in the CBS investigation recovers.
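To see why a deleted copy job is not gone, here is an added example that is not from the CBS report or from any copier vendor's software. It models a copier drive as a raw byte image: two constructed documents are written into it, the "file table" that lists them is erased the way an ordinary delete would, and a simple header/footer signature carver of the kind forensic tools run over unallocated space still recovers both files byte for byte. Only overwriting the whole image removes them. The document contents, the file-table layout and the gap between files are all invented for the example; the signature bytes for PDF and JPEG are the real ones.

```python
# Constructed "documents" standing in for scanned pages. Contents are invented.
FAKE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
            b"(Insurance claim form, scanned 2010-04-19)\n%%EOF")
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x11" * 48 + b"\xff\xd9"

# Header / footer byte signatures that file carvers look for.
SIGNATURES = {"pdf": (b"%PDF-", b"%%EOF"), "jpeg": (b"\xff\xd8\xff", b"\xff\xd9")}
DIRECTORY_SIZE = 256   # the first bytes of the image act as the copier's file table


def build_image(size=4096):
    """Lay two documents out on a blank drive image and record them in the file table."""
    image = bytearray(size)
    offset, entries = DIRECTORY_SIZE, []
    for name, data in (("claim.pdf", FAKE_PDF), ("check.jpg", FAKE_JPEG)):
        image[offset:offset + len(data)] = data
        entries.append(f"{name}@{offset}+{len(data)}")
        offset += len(data) + 512          # gap between files, like a real allocator
    table = ";".join(entries).encode()
    image[:len(table)] = table
    return image


def list_jobs(image):
    """What the copier's own job list shows: only the names in the file table."""
    table = bytes(image[:DIRECTORY_SIZE]).rstrip(b"\x00").decode()
    return [entry.split("@")[0] for entry in table.split(";") if entry]


def delete_jobs(image):
    """An ordinary delete: clear the file table and leave every data byte in place."""
    image[:DIRECTORY_SIZE] = bytes(DIRECTORY_SIZE)
    return image


def wipe(image, passes=1):
    """Overwrite the entire image. Zeros keep this example deterministic; disk
    sanitisation tools use random or patterned passes and then verify them."""
    for _ in range(passes):
        image[:] = bytes(len(image))
    return image


def carve(image, max_len=1 << 20):
    """Recover files by header/footer signature, ignoring the file table entirely,
    the way forensic carvers work on unallocated space. Returns (kind, offset, data)."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_len)
            if end < 0:                     # header without a footer: skip it
                pos = start + len(header)
                continue
            found.append((kind, start, bytes(image[start:end + len(footer)])))
            pos = end + len(footer)
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    img = build_image()
    print("job list:", list_jobs(img))
    delete_jobs(img)
    print("job list after delete:", list_jobs(img))
    print("carved after delete:", [(k, o, d == FAKE_PDF or d == FAKE_JPEG) for k, o, d in carve(img)])
    wipe(img)
    print("carved after wipe:", carve(img))
```

After `delete_jobs` the job list is empty but `carve` returns both documents unchanged; after `wipe` it returns nothing. The same contrast applies to a real drive: a "clear memory" menu item that only drops the job list is not a wipe, and the drive should be removed or overwritten and verified before the machine leaves the building.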
Colorado Casualty: “There is no coverage”
Colorado Casualty Insurance Company is seeking a judicial ruling that it is not obligated to pay the costs incurred by the University of Utah in 2008 as a result of a client information breach.
On or about June 1, 2008, burglars stole backup tapes from the personal car of a Perpetual Storage employee. The tapes contained medical billing records with sensitive personal information (including Social Security numbers) on 1.7 million university patients, covering a period of approximately 16 years.
University of Utah officials want Perpetual Storage, their backup storage vendor, to reimburse the costs the university incurred because of the data breach. Not counting 6,232 personnel hours spent responding to the breach, the University allegedly spent over $3.2 million: (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.
Colorado Casualty Insurance Company wrote a commercial package policy and a commercial liability umbrella policy for Perpetual Storage that was in effect at the time of the client data breach. Ron Sutherland of United Insurance Services was Perpetual’s insurance agent at the time and placed the coverage with Colorado Casualty.
The University has brought Sutherland and United Insurance Services into the suit as a third-party claimant, alleging they were “careless, negligent and made various negligent misrepresentations about Perpetual’s insurance coverage from Colorado Casualty.”
The Colorado Casualty suit does not give specific details on why the company believes it is not obligated to pay this claim. Whatever the Colorado Casualty policy actually states, a claim like this would probably have been covered under most network security and data breach privacy policies currently available.
Lesson learned: it is critical for every agency to inform its clients about the coverage limitations for any claim arising from a client data and information breach, and to offer them a quote for a Network Security and Data Breach Privacy policy.
The Salt Lake Tribune has also reported on the case.
Do you have the proper insurance coverage for the costs of a client information breach?
Cyber Breaches, Insurance & Data Breach Response Advice
Stroz Friedberg is a consulting firm that does computer forensics, mobile phone forensics, electronic discovery and cyber crime response, operating at the intersection of law, technology and behavioral sciences. In this Insurance Journal interview David Garrett, managing director of Stroz Friedberg’s San Francisco office, explains why clients may or may not have cyber risk insurance, whether those that have the insurance actually make a claim in the event of a cyber breach, and simple steps any company can take to reduce the exposure.
The interview is available at: http://www.insurancejournal.tv/videos/3754/
FTC Extends Deadline for Red Flags Rule
The FTC announced in a press release on Friday, May 28 that it would postpone enforcement of the Identity Theft Red Flags Rule.
“At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.”
The full release is available on the FTC website.
A New Era in HIPAA Enforcement Has Begun
Connecticut AG files First HITECH Act Law Suit
In the first lawsuit to invoke the new provisions of the HITECH Act, Connecticut Attorney General Richard Blumenthal filed suit against Health Net for violating HIPAA requirements.
The lawsuit was filed on January 13, 2010 and was described in a statement as “Sadly . . . historic.” The suit alleges that Health Net failed to secure private patient medical records and financial information for hundreds of thousands of Connecticut enrollees and failed to promptly notify consumers endangered by the security breach. This case is the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). The suit also alleges a violation of Connecticut’s breach notification statute.
On or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices. The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents. Health Net did not begin notifying affected individuals until November 2009.
Is this the first sign of the fines/lawsuits organizations will face in the future?
- Have you implemented new policies and procedures to ensure compliance with the HITECH requirements?
- Have you trained all employees on new requirements?
- Do you have tracking and documentation of employee acknowledgements and understanding?
- Have you implemented ongoing awareness training as risks, threats and best practices are constantly changing?
What have you done to inform your clients of the risks they also face, and have you offered them data breach insurance coverage?
