Data Breach Risks Overview
Heather Pixton
www2.idexpertscorp.com

Agenda
• What you need to know about data breaches
  – What Are Data Breaches?
  – Cyber Threats and Trends
  – Recommended Proactive Efforts
  – Breach Response Best Practices

What Is a Data Breach*?
Data Breach Is a "Legal" Construct
• All breaches start as incidents, but not all incidents end up as breaches
  – "Incident" = attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI/PII
  – "Breach" = acquisition, access, use, or disclosure of PHI/PII [that poses a significant risk of financial, reputational, or other harm]*
• Practical consequence: every event is logged and investigated as an incident first; it becomes a "breach" only when the applicable statute's definition (including any harm threshold) is met, so the technical investigation and the legal determination have to run together
* The definition of "data breach" varies across specific legislation and rules. In US states, many include a "harm threshold".

Data Privacy, Security, Breach Notification: Regulatory Complexity
• 46 states plus DC, Puerto Rico and the US Virgin Islands have breach notification laws
  – Cover PII/PHI; 33 have a harm test; exceptions; notification thresholds
• FCRA, FACT Act, PCI DSS
  – Provide for security of financial data
  – FCRA and the FACT Act: FTC enforcement; PCI DSS is a contractual card-industry standard enforced by the card brands and acquirers, not a statute
• HIPAA/HITECH Privacy, Security, Breach Notification
  – Omnibus Final Rule just issued (January 2013); HHS/OCR enforcement

Annual Data Breaches by the Numbers
• 855* estimated incidents (excluding healthcare)
• 174,000,000* affected individuals (reported by Verizon as compromised records)
• $33.7 billion** estimated economic impact
* Verizon 2012 Data Breach Investigations Report
** Derived from Ponemon Institute 2011 Cost of Data Breach Study, March 2012

Leading Causes of Data Breaches*
(Percentages exceed 100% because organizations could report more than one cause.)

Cause                                        FY 2012   FY 2011   FY 2010
Lost or stolen computing device                46%       49%       41%
Unintentional employee action                  42%       41%       45%
Third-party snafu                              42%       46%       34%
Criminal attack                                33%       30%       20%
Technical systems glitch                       31%       33%       31%
Malicious insider                              14%       14%       15%
Intentional non-malicious employee action       8%        9%       10%

* Source: Ponemon Institute 2012 Cost of Data Breach Study, March 2013

A Couple Breach Examples
[Slide shows two example cases: Careless and Malicious]

Three Key Steps to Managing Risk*
Best Practice Based on ENISA Framework for Effective Governance
• Risk assessment: the basis for security governance; assets in scope, dependencies, transparency
• Security measures: take appropriate measures; logical redundancy, monitoring & audits
• Incident reporting: mandatory reporting, legal consequences, data breach regulatory requirements
* European Network and Information Security Agency (ENISA), Critical Cloud Computing, December 2012

If You Do Nothing Else…
Do a privacy and security risk assessment
• A risk assessment will
  – Inventory your organization's data to understand your data breach risk exposure: where PHI/PII is stored, who can access it, and which third parties and portable devices hold it (the leading causes above are lost or stolen devices, employee error and third-party failures)
  – Review privacy & security policies/procedures to identify gaps
  – Evaluate security technologies and controls
  – Review insurance for data breach coverage

When a Data Breach Occurs
Have a Plan
• Small/medium-sized businesses must rely on a trusted partner to
  – Help you determine if your incident is a breach
  – Develop a proportionate and compliant breach response
  – Provide the proper level of concern and care to the affected individuals (customers)

YourResponse™
The only structured, repeatable methodology for data breach response that leads to reduced risks and positive outcomes

Looks Complicated. Does That Make It Expensive?
Not Necessarily.
• Using YourResponse, you will realize lower costs by
  – Formulating the response that is least costly based on a victim risk profile
  – Reducing the risk of fines/penalties through use of a rigorous and documented methodology
  – Having breach response managed by an experienced firm with a volume cost structure

Questions?
Jeremy Henley
Insurance Solutions Executive
[email protected]
760-304-4761