Written by: Rick Betterley, President, Betterley Risk Consultants

Insurance against data loss has developed rapidly to protect organizations from the economic consequences of a data breach. Insurance companies have broadened their coverage to include not only the cost of notifying and monitoring affected persons, but also costs such as crisis response, legal guidance, and forensics.

But insurance isn’t enough – Cyber insurance policies also provide access to Risk Management services that help insureds avoid breaches. These services are typically educational in nature, providing insureds with training, reference material, and planning tools to help reduce the chance of a breach. Some even provide tools such as penetration testing and loss estimate calculators. For the mid-sized and smaller organization, these tools can be valuable in the fight against Cyber breach.

However, more can be done, as described in this year’s Cyber/Privacy Insurance Market Survey published in The Betterley Report (www.betterley.com).

Some insurers are now offering even broader services to help avoid breaches. Active Defense (products and services that independently protect organizations against breach) is now edging its way into the services a Cyber policy can provide. It is similar to the use of sprinklers to protect buildings against a fire – and property insurers against a claim. Active Defense can help organizations defend against breaches even when people err.

Insurers are also offering more personal services to help their insureds. These are in the form of staffed helplines to help an insured cope with its data security challenges. These go beyond the traditional Risk Management educational tools by giving access to an expert that can answer questions and direct insureds to additional resources. Although not a replacement for a Chief Information Security Officer, it is helpful to the organization that is too small to employ a CISO.

Why are these services noteworthy? They give insureds more direct assistance in the battle against data breach – a benefit that will be particularly important as more insureds come from the mid-sized and smaller organizational sector of our economy.

The reintroduced bill recently passed the House again but without any key fixes to the core issues about privacy plus the lack of civil liberties protection, the bill experienced the same fate it did last year in the Senate, failing to even come to the floor for a vote. In addition, President Obama voiced his refusal to sign CISPA in its current form which ultimately sealed the death of the bill. Currently, staff and senators on The U.S. Senate Committee on Commerce, Science and Transportation are reported to be dividing the key concerns regarding cybersecurity policies and drafting separate bills to address the issues.

For any cybersecurity bill to succeed, the concern about the lack of privacy and possible infringement on civil liberties must be resolved. The intent of the original CISPA was to facilitate information sharing between private businesses and intelligence agencies. It legally protected businesses that shared information with agencies about its employees and customers, including email and social media activity. Under the mandate of “protecting the national security of the United States,” intelligence agencies were also allowed to collect personnel information from businesses as needed. Vague language and fear of unaccountable surveillance spurred opposition from civil liberties groups who felt CISPA was more “surveillance legislation” than data protection and security legislation and gave too wide a berth to information gathering under the guise of national security.

On the other hand, Obama’s Executive Order (EO) allows government data to be shared with private companies but does not include legal immunity for private sector companies that share people’s personal information with government agencies. Instead, it mandates that government agencies monitor the civil liberty impact of their cyber security programs and report on its effect on personal privacy.
Another key issue is the redundancy of the information sharing provisions in CISPA are already covered in the EO which outlines procedures for national cyber security, information sharing and related privacy requirements. The EO already allows the Department of Homeland to share information on data breaches and cyber threats with private sector companies who work on the nation’s critical infrastructure and state and local governments.

As the debate over which piece of legislation ultimately becomes our nation’s cyber security standard, what’s clear is that there is a fine line between gathering data security information in the name of national security and privacy protection. Ultimately, the legislation that wins will be the one that recognizes the importance of both data security and personal privacy and provides defined boundaries for both.

Although accepted in some sectors, cyber insurance is still not an established part of many companies’ IT data security strategies.  This is commonly due to a lack of agreed risk management standards and the challenge of substantiating and quantifying losses, in addition to finding objective data to back up cyber insurance claims.  Some security experts feel that the federal government needs to kick start growth in this market by requiring government contractors to purchase cyber insurance to set a standard for other businesses, sending a message that any company who has cyber security insurance is a signal that the company is competently managing its data security.

As the cyber insurance industry evolves, here is a list of what cyber insurance policies generally cover and what to look for when considering cyber insurance:

 1)      First-party claims – Costs incurred by the loss of trade secrets and intellectual property.

2)      Third-party claims – Damages a business must pay to customers who sue them for lost or compromised personal information.

3)      Business interruption coverage – In the event a data breach incident prevents the company from operating or functioning, the company would receive payment reimbursement for expenses incurred due to loss of business.

4)      A forensic IT investigation – Policies can cover the cost of an examination into how the data breach occurred and some may even cover the costs of regulatory fines and penalties in addition to the crisis management control which includes data breach notification letters.

Security professionals stress that cyber insurance is not meant to be a substitute for data protection and security policies.  In fact, before underwriting a policy, an insurance company will be hyper vigilant in determining that their customers have proper protections and policies in place since the insurance company will want to reduce its own risk. And since insurance has been a positive influence on other industries to improve performance and safety due to risk mitigation, the theory is if a company has cyber insurance, the hope is they will implement proper preventative measures to ensure that they will never have to use it.

 ¹http://www3.cfo.com/article/2013/4/data-security_cyber-attacks-cybersecurity-liability-insurance-smb-growth-companies-risk-hogan-lovells

• You submitted a cyber insurance claim. Now what?
• Forensics, legal counsel, crisis management – who needs to be involved in data breach response?
• How and when does a claim conclude?

When it comes to a breach, you can be ready or you can be Experian ready. The difference is speed, precision and consolidated services. Experian helps take you from disaster to recovery, in part with comprehensive identity protection for the breach population.
Experian’s identity protection empowers affected individuals. Daily monitoring helps consumers identify the signs of identity theft and professional fraud resolution helps them cut down recovery time from 30+ hours* to approximately two. To date, our highly trained, US-based Fraud Resolution Agents have handled more than 100,000 consumer fraud cases, helping individuals recover in an efficient and timely manner.
A data breach puts everything, from your reputation to your profit margin, on the line. And when everything’s on the line, you need everything Experian has to offer, including proven solutions and experience.
Come see us at NetDiligence and learn more!

* 2011 Javelin Identity Fraud Survey Report

This was the subject of mock debate held recently at the IAPP Global Privacy Summit. The debate, sponsored by Experian®, pitted an employer against an employee who wanted to use his own devices.  Dan VanBelleghem, Chief Security Architect with NCI Information Systems, played the employee and Orrie Dinstein, Chief Privacy Leader & Senior IP Counsel with GE Capital, played an attorney for the employer.  Murray Johnston,  Director, Government Affairs and Public Policy at Experian, was the moderator. The debate sparked much interest, as it’s a conversation being heard in boardrooms across the globe.

So if you want to adopt a BYOD program, how do you get started? Well the best way, according to security experts, is to have employees sign a comprehensive agreement. Here are some important concepts to keep in mind when drafting this agreement.

The technology divorce separates your employee’s data from your data. There are various ways to accomplish this. For instance, you can put an encrypted container on your employee’s device and have all of your organization’s data live inside of that container. Your employee can then store all of his or her personal data outside the container. You can also use dual boot scenarios. So if Dan is your employee, he can log in either as an employee or individual. There are other ways to separate data but regardless of the method, security experts say it must be done.

The control freak needs to use some discipline. When an employee – let’s say Dan – uses his own device, can you restrict the types of sites he visits? What if there’s an investigation, can you get access to his text messages or emails? These are issues that need to be addressed upfront. Your employee agreement can stipulate that you need to have access to your employee’s device.  Also, that you need to install anti-virus software and have access to the employee’s email or text messages if there’s an investigation. But as an employer, you need to understand the complexity and legal ramifications surrounding BYOD and monitoring your employees.  There is a fine line between privacy and business needs that should be addressed when monitoring employee activity on devices.

Paying the tab needs to be addressed, too. If Dan wants to use his own smartphone instead of the company issued hardware and your anti-virus software breaks his phone, who pays for it? You can stipulate that Dan would pay because he wanted to use his device instead of the company-issued smartphone.

However, BYOD agreements need to be fair. If organizations use agreements that are too rigid and violate their employees’ privacy, then employees will either refuse to work for the organization or they’ll sign the agreement and violate it. In either case, you’ll be defeating the purpose of having a safe and secure BYOD program.

For a better understanding of the risks and challenges associated with BYOD programs, visit

http://www.ustream.tv\ExperianDBR    to watch the panel debate.

CISPA supporters say the act will help facilitate information sharing between private businesses and intelligence agencies since it legally protects businesses that shares suspicious data with agencies about its employees and customers, including email and social media activity.  Under the mandate of “protecting the national security of the United States,” intelligence agencies are also allowed to collect personnel information from businesses as needed.  However, CISPA drew heavy criticism from civil liberties groups and technology companies regarding its lack of consumer privacy protections. Vague language and fear of unaccountable surveillance spurred opposition from civil liberties groups who felt CISPA was more “surveillance legislation” than data protection and security legislation and gave too wide a berth to private information gathering under the guise of national security.

On the other hand, the Executive Order allows government data to be shared with private companies but does not include legal immunity for private sector companies that share people’s personal information with government agencies. Instead, it mandates that government agencies monitor the civil liberty impact of their cyber security programs and report on its effect on personal privacy.

In the current act, the rejection of four amendments regarding protecting privacy and personal information frustrated data privacy advocates.  One of the rejected changes to the act exempted the National Security Agency, the Department of Defense and all military branches from receiving cyber threat information from private companies. Another rejected suggestion would have given consumers the right to hold companies legally responsible for misusing their private information or any misuse leading to a data breach. A proposal for a President-selected officer to establish government policies and procedures on the “retention, use and disclosure” of shared data was also shot down.  However, the rejected amendment that was most disappointing was one proposing that companies should make reasonable efforts to remove all Personal Identifiable Information (PII) sharing information with the government.

CISPA still has some hurdles to cross before becoming law.  Members of the Senate voiced opposition to the failed passing of the PII amendment and expressed concern that the bill gives too much liability protection to companies that share information with the government.  Even if CISPA reaches the White House, President Obama has already released a statement that he will veto the bill in its current form citing the same concerns as the Senate.  In 2012, the original CISPA act also met with opposition from the Obama administration who now also has its own Executive Order to support.

As the debate over which piece of legislation ultimately becomes our nation’s cyber security standard, what’s clear is that there is a fine line between gathering data security information in the name of national security and privacy protection.  Ultimately, the legislation that wins will be the one that recognizes the importance of both data security and personal privacy while providing defined boundaries for both.

This article is provided for general guidance and information. It is not intended as, nor should be construed to be, legal advice. Please consult with your attorney to discuss any legal issues.

¹House approves cybersecurity overhaul in bipartisan vote; http://thehill.com/blogs/hillicon-valley/technology/294771-house-votes-to-let-companies-government-share-info-on-cyber-threats#ixzz2QqjPoRFF

If you find your organization represented in the summary-findings below, click the image to download the study.

The “HHS/OCR Reports on the New HIPAA Rules” panel included officials from The U.S. Health and Human Services Department and Office for Civil Rights who discussed a data breach scenario, its impact and how to develop a data breach response plan.  The importance the role Business Associates now play in compliance issues and protecting PHI as outlined in the HIPAA Omnibus rule was stressed as a critical area for healthcare organizations to address. In addition, new enforcement provisions as they related to the updated Omnibus Rule were also discussed.

Another panel that highlighted these issues was one where compliance experts spoke about “The Defining Moments of a Data Breach” that covered the unique vulnerabilities healthcare companies have to data breaches and medical identity theft due to their widespread access to PHI and sensitive data.  The panelists explained what happens during a data loss incident and the expensive costs of a data breach including the consequences.  The key takeaway here was that healthcare organizations need to increase their efforts in monitoring fraud and have an incident response plan including breach of data resolution practices in place.

A discussion called “Conducting a Privacy Risk Assessment” examined enterprise privacy risk assessments, especially topical given the HIPAA Omnibus Rule’s current definition of a data breach that directs companies to assess whether a breach compromises PHI.  In addition, HIPAA Risk Analysis Requirements mandates organizations to implement policies to perform a risk assessment to prevent, detect and correct security violations therefore risk assessment is vital to any data protection program. Electronic privacy risks as they pertained to PHI was examined as well as how to evaluate risk mitigation techniques.  Similar themes were again raised in a panel on “Mobile Threats and How Healthcare can Reduce Risks.” In addition to executing annual risk assessments, mobile device security and updating business associate agreements, the panelists again stressed the importance of having a breach of data resolution policy.

Clearly, adherence to HIPAA compliance and Omnibus Rule regulations were on the minds of the panelists and attendees of the 2013 HCCA conference.  Compliance and security experts offered varied suggestions and solutions on how to follow government regulations in implementing a data breach protection plan.  The overarching theme recommendation they all seem to agree on is prevention is the first step and resolution is the second.

But along with the rewards, comes risk.  Big data can result in a big data breach. And, a big data breach can mean the loss of customers, patients and your overall reputation. In fact, 75 percent of the respondents in a new Ponemon Institute study say they had, or expect to have, a big data breach that results in negative public opinion. The study, “Is Your Company Ready for a Big Data Breach,” was sponsored by Experian®Data Breach Resolution.

Negative publicity and the loss of customers were two of the top concerns of respondents in the study, which was designed to determine how prepared organizations are to respond to a big data breach. The study defines a big breach as one involving more than 1,000 records containing sensitive or confidential information. The study also looks at ways organizations can reduce the negative consequences of a material breach.

Here are three tips to help your organization save customers or patients – along with your hard-earned reputation – following a big data breach.

1. Communication is vital

Although most of the respondents in the study have an incident response team, only 21 percent have an internal communications team trained to notify victims, regulators and the media. With large breaches, it’s often necessary to hire a breach resolution provider to assist with the notification and large volume of calls that usually follows. Still organizations need to have a trained internal team to work with the resolution provider and with regulators, the press and their own customers after the breach response process is complete.

2. Contact every victim

Organizations need to improve communications and reach out to all victims, according to the study. Only 11 percent of the respondents check to see if every victim was contacted about the breach. The study also found that only 10 percent of the organizations have a process for receiving feedback from the victims

It would be wise for organizations to establish a process in which victims could provide feedback on how they were notified of the breach, if the notification was written clearly, and if their questions were answered when they called to get more information.

3. Strive for accuracy

Only 23 percent of the respondents in the survey could determine the potential or actual harm to their data breach victims. In order to become more accurate, organizations should establish processes to help them determine who was affected by the breach so they can avoid over-reporting or under-reporting the incident. It also might be helpful to restrict or limit disclosure of the incident until the analysis and investigation are complete.

The bottom line is that a large material data breach is never going to be a pleasant experience.  But if you communicate clearly, honestly and promptly with everyone involved, your efforts will go a long way toward retaining customers and salvaging your public image.

Footnotes

¹ “Understanding Big Data,” IBM, 2012.

Legal Notice

The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality

information but make no claims, promises or guarantees about the accuracy, completeness or

adequacy of the information contained.