SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015


Page 1

SMB Data Breach Risk Management Best Practices

By Mark Pribish

February 19, 2015

Page 2

Presentation Agenda

About Mark Pribish

Information Governance

The Threat Landscape

Data Breach Trends

Legislative and Regulatory Updates

Creating Your Data Breach Response Plan

Questions and Answers

Page 3

About Mark Pribish

Vice President & ID Theft Practice Leader

Certified Identity Theft Risk Management Specialist (CITRMS) and Arizona P&C License

25 years’ experience in helping consumers and enterprise organizations manage the risks associated with ID Theft and data breach events

Served in senior sales positions for Aon and AIG

Gannett / Arizona Republic guest columnist for cyber security, data breach, identity theft, and personal privacy

Member of FBI Citizens Academy Class of 2012, FBI InfraGard Public Private Alliance, Guidepoint Global Advisors, and Risk Insurance Management Society

Graduated from the University of Dayton in 1981

Page 4

Information Governance

What is Information Governance?

“Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.”
http://searchcompliance.techtarget.com/definition/information-governance

“Information governance is the activities and technologies that organizations employ to maximize the value of their information while minimizing risks and costs.”
http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/General-Articles/T/The-IG-Initiative-Definition-of-Information-Governance.aspx#sthash.RxzcIMEl.dpuf

“Information governance is a set of established policies and procedures you and your employees implement and follow in order to manage sensitive and proprietary information.”
John G. Iannarelli, Assistant Special Agent in Charge of the FBI Phoenix Division

Page 5

Information Governance

Information Governance Program Checklist

Implement an information governance policy

Require annual information security training and education

Understand what type of employee, customer and member data is being collected, stored, protected

Constantly assess and test your organization’s needs and requirements

Know your organization’s strengths and weaknesses

Implement baseline safeguards and controls

Vigilance – including annual pre-employment screening

Be aware of current and former employees, customers and vendors

Page 6

Information Governance

SMBs handle customer, employee and vendor information, including social security numbers, bank/credit card/loan account information, driver’s license numbers, birth dates, etc.

SMBs use e-mail, computerized accounting, electronic procurement, and/or store electronic employee and customer information

SMBs rely on electronic networks, including the information, data and the e-records within and outside these computer networks

Page 7

Information Governance

Size Doesn’t Matter!

Small to medium size businesses are now the target of cyber attacks and ID Theft criminals

Why?

Because large businesses have greater financial and IT resources, hackers and thieves are going after small to medium size businesses

The Best Defense?

Web filtering, security software and employee and customer education

Page 8

The Threat Landscape

of breaches are to businesses of 100 employees or fewer

of SMBs have no formal cybersecurity plan

of companies who experienced a data breach didn’t know it… notified by 3rd party

Page 10

The Threat Landscape

Privacy Rights Clearinghouse Data Breach Timeline for 2005 – 2015, Jan 19, 2015

Since January 2005 there have been 4,478 data breaches affecting nearly 1 billion records

30 percent of these data breaches involved hackers and IT related events

70 percent of these data breaches involved social engineering (the human element)

Page 12

Data Breach Trends

Websense Warns Doctors to be on High Alert for 2015 Cyber Blitz, 19 Nov 2014 | News

Security experts have warned healthcare organizations to prepare for a tidal wave of online attacks in 2015

600% increase in attacks targeting healthcare data since the start of 2014

Security is often seen as an inhibitor, leaving dangerous gaps for hackers to exploit

Social media platforms would increasingly be used by cyber-criminals as covert C&C (command-and-control) infrastructure

Page 13

Data Breach Trends

Ponemon Institute Study: Cost of a Data Breach, March 2014

Total Costs – averaged $201 per lost customer record

Direct Incremental Costs – including free/discounted services, notification letters, legal/accounting fees, etc.

Lost Productivity Costs – including lost time of employees and contractors diverted from other tasks

Customer Opportunity Costs – including cost of lost customers and cost of acquiring new customers

Page 14

Regulatory, Consumer and Data Security Laws

HIPAA Data Breach Requirements (February 17, 2010)

FACT Act Red Flags Rule (December 31, 2010)

47 State Security Breach Notification Laws
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Legislative Changes/Updates

Page 15

Creating a Breach Response Plan

Data Breach Responsibility is on the SMB or “Data Owner”, whether the business data is accidentally lost or it is stolen with malicious intent

Any business that experiences a data breach should work with legal counsel to determine regulatory requirements, including but not limited to state breach notification laws:

the FACT Act Red Flags Rule

the HIPAA HITECH Data Breach Requirements

the PCI Data Security Standards

COPPA (Children’s Online Privacy Protection Act)

the 47 state breach notification laws

Page 16

Creating a Breach Response Plan

Small business data breach risk factors include people, processes and technologies:

• People – the insider threat, whether accidental or malicious, can include current and former employees, customers, associates, vendors, and independent contractors.

• Processes – including information technology, enterprise risk management, marketing/sales and human resources need to be aligned, defined, and documented.

• Technologies – that are relied on to conduct and grow your business are also being used to identify vulnerabilities and cyber threats on your business.

Page 17

Creating a Breach Response Plan

What can a small business do?

Complete a data assessment of the type of information that is being collected, used, stored and transmitted by asking the following questions:

What type of data (e.g. current and former employee / customer / patient information) is in your electronic and hard copy files?

What type of Personally Identifiable, non-public Information (PII) is included in your business data (e.g. name, address, social security number, driver’s license, bank account information, credit/debit card, medical plan information)?

What percentage of your data involves the collection, storage, usage, and transmittal of current and former PII?

What aspects of your business products, services and technology are performed within and outside your business?

Page 18

Creating a Breach Response Plan

What can a small business do?

Complete a data assessment (continued)

What is the value of your data assets if they were stolen and made public?

Is data that you store subject to civil fines and penalties if breached?

What is your overall financial risk if data you control is breached?

Which states does your business conduct business in, and in what states are your customers / employees / patients domiciled?

Could a data breach damage your brand, and if so what is the potential impact?

Does your business insurance include cyber/network liability insurance?

Page 19

Creating a Breach Response Plan

Your data breach response plan should include five components

1. Breach source – determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of the breach you should engage a forensic investigation company.

2. Breach assessment – determine the scope of the data breach event and the privacy and data security regulatory requirements associated with the type of records, in addition to the state of domicile.

3. Response plan – include internal employee education and talking points; public relations press releases, customer education, and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.

Page 20

Creating a Breach Response Plan

Your data breach response plan should include five components

4. Protection plan – include the small business or consumer protection services to be offered to the compromised record group and the confirmation of professional call center and recovery advocate support services.

5. Breach victim resolution plan – provide access to professional certified identity fraud recovery advocates who will work on behalf of the victims to mitigate and resolve the issues caused by the breach.

Page 21

Creating a Breach Response Plan

Cyber Insurance Becomes Small-Business Necessity, www.Advisen.com, Nov 18, 2014

Cyber liability insurance is now as important for small businesses as property and liability insurance

A data breach can damage a small business far more than a big business because it can put you out of business

Any firm that has a website, uses social media or stores customers' personal records in its computers is vulnerable to a cyber-attack

Like other types of insurance, cyber insurance pays for legal expenses to defend the business in a lawsuit and money to cover losses

Page 22

Creating a Breach Response Plan

Cyber Insurance Becomes Small-Business Necessity (continued)

Cyber insurance can provide a dedicated call center so that customers can call a third party specializing in data breach response

Cyber insurance can include identity restoration, since a breach could tie up a business for weeks

Cyber insurance can include social media liability; libel and slander on social media isn't covered by most standard business policies

Cyber insurance can include data recovery, since a virus could destroy the business's software and data and infect customers' computers

Cyber insurance pays for the cost of restoring the computers or buying new ones if necessary

Page 23

Contact Information

Mark Pribish, VP & ID Theft Practice Leader

Merchants Information Solutions, Inc.

602-744-3736

[email protected]

Page 24

www.merchantsinfo.com