Another example is unfolding of why almost every company’s data security risk management practices should include a hefty dose of vendor management. And below the surface there lurk questions that may lead others to investigate their own practices and insurance coverage.
The Department of Defense runs a health insurance program, called TRICARE, for military personnel, retirees and their families. Last September a contractor for TRICARE disclosed that up to 4.9M of its health records may have been breached. The records were contained on computer backup tapes stolen from a parking garage. The information on the tapes was not encrypted, but the contractor – Science Applications International Corporation (SAIC) – asserted that there is little risk to patients because reading the tapes would require knowledge of and access to specific Read more…
Over the weekend it was disclosed that Global Payments, Inc., one of the nation’s largest credit-card processors, had suffered a data breach that exposed up to 1.5 million credit cards to hackers. Global Payments said that it had “identified and self-reported” the breach upon discovering it in early March.
The company said that it is working closely with law enforcement agencies in responding to the breach and containing its scope. According to Global Payments, “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”
Significantly, Global Payments said that while credit card numbers were exposed, other Read more…
Massachusetts has some of the nation’s most extensive requirements for the protection of personally identifiable information (PII), and on March 1, 2012, an additional provision will become effective. By that date, all companies subject to the Massachusetts Data Security Regulations must make sure that all of their service providers who have access to PII of Massachusetts residents are contractually obligated to comply with the Regulations by implementing appropriate security practices and procedures.
Many companies have been surprised to learn that they are even subject to Massachusetts’ Data Security Regulations. No matter where they are located, entities must comply with the Regulations if, in connection with employment or the provision of goods or services, they receive, process, store, maintain or otherwise have access to PII Read more…
Most companies that sell technology-based products or services purchase Errors and Omissions (E&O) Insurance to indemnify them from liability caused by the failure of their products or services. When the vendor’s products or services require access to the clients’ confidential information – and especially personally identifiable information (PII) or protected health information (PHI) – the nature and extent of the vendor’s obligations can get more complicated.
The combination of traditional E&O exposures with rapidly evolving privacy/data security exposures has created new insurance coverage and claims-handling uncertainties. As a result, technology companies that handle, store or transmit their clients’ or customers’ sensitive data are increasingly getting squeezed when they buy E&O insurance policies. Read more…
The New York Times published an article today predicting that there will be a surge in the purchase of what it refers to as “cyber insurance” – insurance covering a range of exposures relating to the breach of privacy and network security. The article has some significant exaggerations and misleading statements, and it quotes extensively from people whose livelihood depends upon cybersecurity breaches and the sale of insurance policies, but it provides a useful window on the current environment. The article places great importance on the recent guidelines issued by the SEC’s Division of Corporation Finance. Click here for WGA’s blog post and downloadable White paper discussing these new guidelines and their potential impact Read more…
The recent rash of cyber breaches at public companies and an outcry from federal lawmakers has prompted U.S. securities regulators to issue guidance for when companies must disclose cyber attacks to investors. The guidelines issued by the U.S. Securities and Exchange Commission are to help reporting companies determine whether they need to disclose the risks they face in protecting their electronic data, as well as the costs they have incurred or could incur because of cybersecurity breaches.
The increase in corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Breaches are now more frequent and severe. Public companies and their advisors should focus greater attention on how disclosure obligations under the Read more…
Six-figure losses common for even small businesses
A survey by Symantec of more than 3,000 businesses provides useful information about the current state of corporate cybersecurity. Symantec’s 2011 State of Security Survey found that 73% of small and midsize companies had suffered a cyber attack in the past year, and that 30% of the attacks were “somewhat/extremely effective” in compromising the victims’ data. Companies are on alert. According to the study, in fact, companies considered cybersecurity their greatest threat — greater than criminal activity, natural disasters, and terrorism.
Many companies are already bristling with perimeter weaponry designed to prevent external attacks, but their defenses are not impregnable. More than 70% of the respondents experienced cyber Read more…
Two Peas in Different Pods
Much ink has been spilled about Zurich Insurance’s recent denial of coverage for the massive Sony Playstation breach. Some of the early commentary has been useful (mostly by providing accurate descriptions of what has transpired so far), while some has been wildly amiss (mostly by mischaracterizing the kind of coverage at issue). In the end, Zurich’s coverage denial will probably be confirmatory rather than revelatory — that is, it will likely confirm the warnings of experienced insurance professionals and not uncover any shocking new facts about coverage for breaches of privacy and data security.
Less attention has been paid to a pair of claims involving Dropbox, a popular cloud-based storage service. One claim was filed with the FTC, alleging that Dropbox had made false claims about the security of its users’ data. The other claim, a class action lawsuit, followed a self-inflicted breach Read more…
Most businesses are now aware of the financial and reputational risks they face from breaches of their confidential information. Each week, sometimes even every day, there are reports describing the theft or loss of sensitive data from companies, healthcare and educational institutions, or governments. Many of these incidents receive considerable media attention, such as the serial breaches at Sony. Security experts speculate about the costs companies incur in connection with data breaches, ranging from the hundreds of thousands to the hundreds of millions of dollars.
Much of the media attention is understandably directed at breaches of confidential consumer information. Those involve the compromise of personally identifiable information that can be used to engage in identity theft and cause terrible personal financial Read more…
The recent avalanche of news about stolen email addresses and/or passwords (Epsilon, Sony, Sega) is making people wonder if their confidential information has been wrongfully obtained by hackers. A new website, conveniently named “Should I Change My Password?”, makes it easy to see if your sensitive consumer information is in 13 publicly available databases that contain more than 800,000 stolen records. These databases have been published by hackers, such as LulzSec and Anonymous, who claim to be hacking for fun or to make a political point.
This site was created by a technology professional who says he wanted to give people an easy way to see if they have been affected by recent hacks, and also some basic advice about creating and using passwords safely. To check if your information is in the database Read more…