Ritman Insurance Insights


Posted 9:41 PM

Data records compromised over time:

| Year | Records compromised | Comment |
|------|---------------------|---------|
| 2008 | 60,000,000 | Hackers figured out ways around security |
| 2009 | 144,000,000 | Drop due to added security |
| 2010 | 4,000,000 | Further added security |
| 2011 | 174,000,000 | Hackers figured out ways around security |
| 2012 | 44,000,000 | IT catching more hackers before a breach, but it is only a matter of time before hackers figure out new ways to breach data, so 2013 should see a rise in data records breached |

80% of 2011 data breaches investigated by the Secret Service were avoidable through simple or intermediate controls.

Companies with 250+ employees were the focus of 31% of all cyber attacks in 2012, representing a 58% for 2012 from 18% in 2011.

| # Employees | # Breaches |
|-------------|------------|
| 1-100 | 193 |
| 101-1,000 | 57 |
| 1,001 - 10,000 | 71 |
| 10,001 - 100,000 | 122 |
| 100,001+ | 42 |
| Unknown | 136 |

2012 Average Cost per Compromised Record = $188 (this figure is low due to increased cost of investigation, notification, PR expense, costs to manage data breach, legal fees and payments of any judgments.)

49 states have state-specific laws regarding data breaches. In over one-half of the 49 states, notifications have to be sent not only to the affected individual but also to other third parties such as Credit Bureaus, the State Attorney General Office, the State Police and the State Department of Consumer Affairs.

Three Biggest Security Threats:

  1. Employee Theft or Inadvertent Mistake
  2. Physical loss or theft of a computer, portable device, backup tape, jump drives, PAPER, or other
  3. Loss or theft of passwords

Other threats include:

  1. Misdirected email or fax
  2. Hacking
  3. Unintentional transmission of a virus or other malware to a third-party computer system or network. The business causing the loss could be held responsible for the loss of business income the third party suffered as a result of being unable to use their systems for some period of time.

A data breach may take weeks to discover, but it results in immediate costs being incurred by a business. For example, a business suffering a data breach must launch a simultaneous investigation into:

  1. What was breached (how many and whose records)
  2. How the data was breached, and fixing the hole that enabled the breach, which means hiring forensic experts and a specialized attorney
  3. What obligations are imposed by state and federal regulations
  4. How to notify the affected individuals
  5. What to offer the affected individuals (credit monitoring)

What can you do about it?

  1. Know what you have (Inventory server, software, computers, mobile devices)
  2. Scale down # of records
  3. Lock data down (password protection, firewalls, antivirus software, data encryption, outsource data security functions to 3rd party vendors that provide these services as part of their service)
  4. Shred unneeded documents
  5. Plan ahead for data breach - have a Rapid Response Plan
  6. Implement a Privacy policy
  7. Perform Employee background checks at hiring
  8. Limit access to data based on job function
  9. Immediately restrict access to data upon employee termination
  10. Log management/review of data access
  11. Periodic purging of sensitive data from computer systems and files

Businesses that are not already armed with a rapid response plan and that have not purchased a cyber insurance product to help fund the costs of the required responses also face an increased risk of loss of business reputation, resulting in the loss of customers, now and in the future.

First Party Coverage (Coverage for losses incurred by Insured):

  1. Notification Expense
  2. Legal & Forensic services
  3. Crisis Management
  4. Good Faith Advertising
  5. Services for impacted individuals, i.e., credit monitoring, help line
  6. Limits available: $10k, $25k, $50k, $100,000k with deductibles of $1k or $2,500

Third Party Coverage (Coverage for losses arising from civil awards, settlements and judgments that insured is legally required to pay):

  1. Claims Made
  2. No deductible
  3. Limits available: $50k, $100k, $250k, $500k

Resource: Hartford EBC website - Identity Theft 911 has many resources on how to avoid a data breach and what to do if you have a data breach.