Note: This website, sponsored by Steve Anderson, provides business leaders with the information they need to identify, prioritize, and mitigate their vulnerabilities in the event private client information is breached. Click the About link to the right to read more detailed information about Steve and this site.
Riskiest US Cities for Cybercrime
Seattle is the most dangerous city in the U.S. when it comes to cybercrime, at least according to Symantec in a report issued in March 2010.
The Northwest sported two of the top 10, with Portland, Ore., ranked No. 10 in the list of the nation's 50 largest metro areas. Rounding out the first five were Boston, Washington D.C., San Francisco and Raleigh, N.C. Atlanta, Minneapolis, Denver, and Austin, Texas completed the top 10.
At the bottom, as in least dangerous, were Detroit (No. 50); El Paso, Texas (No. 49); and Memphis, Tenn. (No. 48).
The complete 50-city ranking can be downloaded from Symantec's Web site (download PDF). A more detailed description of the rating methodology and the scores for each city are available in a 16-page report (download PDF).
Symantec also released a similar ranking for Canadian cities (download PDF), which puts Burlington, Ontario, at the top of the list and Longueuil, Quebec, at the bottom. Vancouver, British Columbia, the host of the 2010 Winter Olympics, was rated the fourth-most-dangerous city in Canada.
Digital Copiers are a Security Risk
Digital copiers built since 2002 contain hard drives that store images of every document copied or scanned. Many of the stored documents include confidential data, leaving individuals vulnerable to identity theft if no safeguards are in place.
During a CBS News investigation in April 2010 an expert downloaded tens of thousands of documents from old copiers available for sale using a free forensic software program. One copier contained files from a police department sex crimes unit; one contained addresses and social security numbers along with $40,000 in copied checks; and yet another contained 300 pages of individual medical records from a health insurance company.
You can view the video report by Armen Keteyian, “Digital Photocopiers Loaded With Secrets,” (Apr. 19, 2010) by clicking here:
http://www.cbsnews.com/video/watch/?id=6412572n&tag=related;photovideo
Any company that maintains any type of health records has a particularly risky situation if that information is breached. Federal privacy laws including the Americans with Disabilities Act (ADA) require that employers keep employee health records private.
You might be able to obtain a security or encryption add-on to your copier that will automatically erase images and other data from the copier hard drive. Any organization should make sure that before they allow an old copier to be removed from their premises the hard drive is either removed or completely wiped of all data.
Colorado Casualty: “There is no coverage”
Colorado Casualty Insurance company is seeking a judicial ruling that it is not obligated to pay for costs incurred by the University of Utah in 2008 as a result of a client information breach.
On or about June 1, 2008, car burglars stole back-up tapes from the personal car of a Perpetual Storage employee. The tapes contained medical billing records with sensitive personal information (including social security numbers) on 1.7 million university patients, covering a time period of approximately 16 years.
University of Utah officials want Perpetual Storage, their backup storage vendor, to reimburse the cost the university incurred because of the client data breach. Not including 6,232 personnel hours spent responding to the breach, the University allegedly spent over $3.2 million on: (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.
Colorado Casualty Insurance Company wrote a commercial package policy and a commercial liability umbrella policy for Perpetual Storage that was in effect at the time of the client data breach. Ron Sutherland of United Insurance Services was Perpetual’s insurance agent at the time and placed the coverage with Colorado Casualty.
The University has brought Sutherland and United Insurance Services into the suit as a third party claimant alleging they were “careless, negligent and made various negligent misrepresentations about Perpetual’s insurance coverage from Colorado Casualty.”
The Colorado Casualty suit does not provide any specific details on why the company feels it is not obligated to pay for this claim. Notwithstanding what the Colorado Casualty policy may actually state, the above claim would probably have been covered under most network security and data breach privacy policies currently available.
Lesson learned: It is critical for every agency to inform their clients about the coverage limitations for any claim arising from a client data and information breach. And, they should offer to provide them with a quote for a Network Security and Data Breach Privacy policy.
Here is an article from the Salt Lake Tribune.
Do you have the proper insurance coverage for the costs of a client information breach?
Cyber Breaks, Insurance & Data Breach Response Advice
Stroz Friedberg is a consulting firm that does computer forensics, mobile phone forensics, electronic discovery and cyber crime response, operating at the intersection of law, technology and behavioral sciences. In this Insurance Journal interview David Garrett, managing director of Stroz Friedberg’s San Francisco office, explains why clients may or may not have cyber risk insurance, whether those that have the insurance actually make a claim in the event of a cyber breach, and simple steps any company can take to reduce the exposure.
You can view the interview by going here: http://www.insurancejournal.tv/videos/3754/
FTC Extends Deadline for Red Flags Rule
The FTC announced in a press release on Friday May 28 that they would postpone enforcement of the Identity Theft Red Flags Rule.
“At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.”
The full release is available here.
Settlement for Countrywide Financial ID Theft Victims Advanced
A federal judge in Kentucky has given preliminary approval to a settlement between Countrywide Financial Corp. and millions of customers whose detailed financial information was exposed in a security breach.
See the full story at InsuranceJournal.com
http://www.insurancejournal.com/news/national/2009/12/28/106227.htm
Countrywide (and Bank of America, its new owner) are finding out how expensive a client data security breach can be.
Does your organization have a client information security plan in place?
The Number-One Way Criminals Steal Your Identity
Identity fraud increased substantially in 2008, reversing a four-year trend of decreasing incidents. Researchers say identity fraud increased by 22% last year and they anticipate another 22% jump in 2009, attributing the increases to crimes of opportunity driven by the economic downturn. What’s more, despite recent headlines and growing fears about online security and data breaches, old-fashioned theft is the most popular way thieves steal identities and perpetrate identity fraud.
According to 2008 claim data compiled by Travelers, burglary and theft of wallets, purses, and personal computers provide thieves the best opportunity to gain access to personal information. In instances where the victim knew their identity had been stolen, it was the result of personal property being stolen nearly 78% of the time. Travelers identifies the following as the top known causes of identity fraud:
- 78%—burglary and theft of wallet/purse/personal identification/computer
- 14%—online or data breach
- >5%—change of address/postal fraud
- 3%—lost credit card and other miscellaneous causes
More than 75% of the time, criminals use stolen information to open new credit card accounts or use the existing credit cards to make charges. Twenty percent of identity thieves will withdraw money from existing checking, savings, and online accounts and 16% open utility accounts in the victim’s name.
Steps you can take to protect your identity include guarding Social Security numbers and financial information and shredding documents such as receipts, credit/insurance applications, and bank statements.
Travelers Identity Fraud Expense Coverage is available as an endorsement on their homeowner’s policy for $25 annually and offers protection up to $25,000 with no deductible. Check with the companies you represent to see what coverage is available. This coverage is a great opportunity to educate your clients and offer them broader coverage for a small premium.
Protect Client Information
On September 1, 2009, Portland insurance agent Robert Spruill of Brooke Auto Insurance consented to a Cease and Desist order from the Oregon Department of Insurance. Spruill had not properly disposed of business records that contained sensitive client information.
According to the order, “On or before April 28, 2009, Spruill discarded over 1,000 insurance business records and/or other documents related to insurance transactions of Brooke Auto and Brooke Corporation into an unlocked garbage dumpster.”
“At the time he discarded the documents, Spruill had not developed reasonable safeguards to protect the security, confidentiality, and integrity of the personal information or data collected or acquired in the course of conducting his business, including disposal of that data.”
In his defense Spruill said that when he inquired of local police and the state of Oregon insurance division back in the fall of 2008, no one told him that discarding these records was wrong. Spruill was hit with an $11,000 fine. Fortunately for Spruill, $8,500 of that fine was suspended as long as he complied with the requirement of creating and implementing a client security policy for his agency.
It may seem obvious that you should never discard unshredded documents into an open and unlocked dumpster at the back of your office. Still, don’t be too smug. Do your producers have unencrypted laptops that are left in locked cars that could be stolen? Could employees take home files with sensitive client information in them even though doing so is against company policy?
Sensitive client information is the most radioactive element in today’s agencies. If leaked, it can cause serious repercussions to an agency’s reputation and brand, loss of revenues, loss of customers, regulatory or legal action, and damage to employee relationships. In the last 10 years, the need for client information security to be integrated into the overall risk management of every organization across the globe has increased tremendously.
The insurance industry deals with sensitive and personal client information. Client records contain data that include financial information, medical histories, birth dates, driver’s license numbers, and Social Security numbers. Such confidential data has to be protected at all times—during storage, access, transmission, and destruction—or the organization risks serious losses.
More than 88% of all data breach cases involve employee negligence. In 2008, data breach and information breach incidents cost U.S. companies $202 per compromised customer record. These costs include civil and regulatory penalties, administrative expenses, legal liability, defense costs, and cost of future business due to loss of customer confidence. Not only that, according to Factiva, a Dow Jones company, media coverage of companies that suffered an information security breach accounted for more than half the stories written about those companies.
Seventy percent of customers state they would consider moving their business if they became victims of a data breach. Clients today expect strong security practices from all companies they do business with. The way a business copes with these expectations decides whether the company survives or not.
Client information security should be a concern for every agency, regardless of size. Check out The Anderson Report on Client Data Security for some tools to help you start or enhance your security process.
