Posts Tagged ‘privacy insurance’

The “frenemy” within – data breaches by insiders a growing concern

Six-figure losses common for even small businesses

A survey by Symantec of more than 3,000 businesses provides useful information about the current state of corporate cybersecurity. Symantec’s 2011 State of Security Survey found that 73% of small and midsize companies had suffered a cyber attack in the past year, and that 30% of the attacks were “somewhat/extremely effective” in compromising the victims’ data. Companies are on alert. According to the study, in fact, companies considered cybersecurity their greatest threat — greater than criminal activity, natural disasters, and terrorism.

Many companies are already bristling with perimeter weaponry designed to prevent external attacks, but their defenses are not impregnable. More than 70% of the respondents experienced cyber Read more…

Sony and Dropbox cases highlight cyberliability insurance coverage issues

August 15, 2011

Two Peas in Different Pods

Much ink has been spilled about Zurich Insurance’s recent denial of coverage for the massive Sony Playstation breach. Some of the early commentary has been useful (mostly by providing accurate descriptions of what has transpired so far), while some has been wildly amiss (mostly by mischaracterizing the kind of coverage at issue). In the end, Zurich’s coverage denial will probably be confirmatory rather than revelatory — that is, it will likely confirm the warnings of experienced insurance professionals and not uncover any shocking new facts about coverage for breaches of privacy and data security.

Less attention has been paid to a pair of claims involving Dropbox, a popular cloud-based storage service. One claim was filed with the FTC, alleging that Dropbox had made false claims about the security of its users’ data. The other claim, a class action lawsuit, followed a self-inflicted breach Read more…

Data Security: It’s not just personal (information)

July 11, 2011

Most businesses are now aware of the financial and reputational risks they face from breaches of their confidential information. Each week, sometimes even every day, there are reports describing the theft or loss of sensitive data from companies, healthcare and educational institutions, or governments. Many of these incidents receive considerable media attention, such as the serial breaches at Sony. Security experts speculate about the costs companies incur in connection with data breaches, ranging from the hundreds of thousands to the hundreds of millions of dollars.

Much of the media attention is understandably directed at breaches of confidential consumer information. Those involve the compromise of personally identifiable information that can be used to engage in identity theft and cause terrible personal financial Read more…

Quick check to see if your confidential information has been hacked

The recent avalanche of news about stolen email addresses and/or passwords (Epsilon, Sony, Sega) is making people wonder if their confidential information has been wrongfully obtained by hackers. A new website, conveniently named “Should I Change My Password?”, makes it easy to see if your sensitive consumer information is in 13 publicly available databases that contain more than 800,000 stolen records. These databases have been published by hackers, such as LulzSec and Anonymous, who claim to be hacking for fun or to make a political point.

This site was created by a technology professional who says he wanted to give people an easy way to see if they have been affected by recent hacks, and also some basic advice about creating and using passwords safely. To check if your information is in the database Read more…

A Texas-sized data breach expensive for state government

The Texas Comptroller notified about 3.5 million people last month that their personal information (including names, addresses and Social Security Numbers, and in some cases driver’s license numbers and dates of birth) was publicly exposed for about one year because of data security lapses by the government.

The Facts

The breach occurred after various state agencies and entities transferred information about individuals to the Comptroller’s office for use in verifying unclaimed property records. The information was required to be provided to the Comptroller by state law. Unfortunately, there were several missteps in how the data was transferred and handled. For starters, the transferred files were required to be encrypted — but they weren’t. Then, Read more…

Sony PlayStation case shows the importance of post-breach forensics

On April 27, 2011, Sony publicly disclosed that hackers had breached its PlayStation Network (which includes its Qriocity video and music-streaming services) and had gained access to 77 million consumer records. This revelation came several days after Sony had shut down the Network, saying at the time only that an outage had been responsible for the interruption. On the 27th Sony disclosed that the compromised consumer information included names, addresses, email addresses, birth dates, login and password information, purchase history, and possibly credit card information. A statement indicated that the credit card information was encrypted, and that there was no evidence it had been taken.

The massive size of the breach has caused much speculation about the expenses that Sony will incur in dealing with the matter. One article said that the costs could rise as high as $24B (yes, billion) Read more…

Is Amazon’s “Cloudgate” a network security matter?

The recent extended outage of Amazon’s “cloud computing” business has generated many questions about what insurance policies would be likely to provide indemnification for losses caused by the crash.

Amazon has a significant cloud computing business, which it calls Amazon Web Services (AWS). AWS rents data storage and web services to its customers. These customers use the outsourced services to avoid the expense and distraction of providing those services for themselves. As a risk management matter, cloud computing customers should make sure that their data is stored in different locations and that they have adequate backup and disaster recovery options in the event of outages or crashes. As such “redundancy” services can be expensive, some of Amazon’s smaller corporate customers did not purchase them. When Amazon’s data center in Northern Virginia experienced an extended outage, these customers did not have effective contingency plans, and their websites performed slowly or crashed. Read more…

Lessons learned from Briar Group data breach settlement with Mass AG

Much has been written about the recent settlement by the Massachusetts Attorney General with the Briar Group in connection with a significant data breach that occurred in 2009. Some of the early postings are very helpful (see links below), some have important mistakes, but I haven’t yet seen any that address a key insurance issue raised by the matter.

The Facts

Some of the basic information, as gleaned primarily from the complaint filed by the Massachusetts Attorney General, is as follows:

  • The Briar Group, LLC owns and operates several bars and restaurants in the Boston area.
  • In April 2009, hackers breached Briar Group’s network security and installed malicious code on its computer systems. Read more…

Breach at email marketing service highlights privacy issues

All over the U.S., people have been receiving emails from familiar corporate giants (including Best Buy, Walgreens, Citi, Home Shopping Network, JPMorgan Chase, Kroger, The College Board, Brookstone, U.S. Bank, and Tivo, among others) informing them that their names and email addresses had been hacked and could possibly be used in phishing attacks attempting to perpetrate financial fraud by convincing individuals to reveal account information, passwords or other confidential information. The hackers’ capture of both names and emails has increased concerns about “spear phishing” – the use of personalized emails containing the customer’s name and maybe even address, as well as the logo of the relevant financial institution. Such personalized emails often appear authentic so that consumers reveal sensitive account or other information. Many of the affected companies have responded by advising their Read more…

The importance of being prepared for a privacy breach

Thomas Edison said that genius is 1% inspiration and 99% perspiration. In the realm of privacy breach responses, the formula for genius might be expressed as 1% perspiration and 99% preparation. The contrasting responses of Hamilton Beach Brands and of Health Net to recent breaches demonstrate the importance of being prepared to act swiftly when the time comes.

Hamilton Beach

In early January 2011, Hamilton Beach discovered that some malicious code had been placed on the server processing its online ordering. The hacker code captured credit card data entered by would-be purchasers, before that data was encrypted and sent for processing. The credit card information was then automatically Read more…
