Your weakest cyber security link may be outside your own network. In another demonstration of how an organization can face significant financial and reputational exposure from another’s failure of cyber security, Massachusetts General Hospital announced this week that one of its vendors suffered a cyber breach — on the vendor’s own network — that exposed more than 4,000 records of MGH patients. The compromised information may have included patient names, dates of birth and Social Security numbers.
On Monday a Federal appeals court in Virginia upheld a lower federal court ruling that held a Commercial General Liability (CGL) policy may in fact cover a data breach. The legal battle turns on the Personal Injury insuring agreement, and the scope of coverage under the Personal Injury coverage part is often ambiguous.
In the underlying case, The Travelers Indemnity Company of America was required to provide a defense for its insured, Portal Healthcare Solutions, LLC, in a data breach class action filed against Portal by patients whose private medical information had been posted on the internet, where it was publicly accessible.
Cyber risk for most organizations has a focus on the personal data of customers. Primarily this means social security numbers, date of birth, address, credit card numbers and the like. All of that is bad enough when lost in connection with a data breach, but companies must now also be aware of growing threats of cyber extortion schemes.
The recent announcement that Ashley Madison, the marital-affair-promoting website, has been hacked and subjected to extortion takes these problems to a new level. Disapproving hackers have told Ashley Madison to shut down the site or the extortionists will release customer data. Reports say that despite Ashley Madison’s policy that private data can be scrubbed from the site for $19, the data is still available to the hackers. The motives of the hackers are still unclear, but what is unusual is that the demand is not for money.
In a sluggish world economy, hacking has unfortunately been a robust business. Recent reports issued by the Ponemon Institute, Symantec and others have detailed the stunning growth in cybersecurity breaches (such as a greater than 60% increase in breaches in 2013) and given vivid support to the now-common warning about breaches: “It’s not if, it’s when.”
The avalanche of cyber breaches has alarmed companies — and insurers. Cyber liability exposures include the following, among others:
- First-party costs incurred in dealing with the breach (forensics, legal, notification, credit monitoring, call center, etc.)
- Third-party exposures to individuals and entities affected by the breach
- Regulatory enforcement (SEC, FTC)
- Intellectual property exposures (often via corporate espionage)
- Reputational exposures
- Extortion exposures
- Theft exposures (such as hacks of bank accounts or phishing-induced erroneous transfers of money)
- Business interruption costs
- Data restoration costs
“A game changer changes the way that something is done, thought about, made or addressed.” The game changer as it relates to the risk management and risk transfer of Cyber/Data Liability comes in the aftermath of the Target breach that occurred earlier this year.
Data protection is fast becoming the responsibility of an organization’s CEO and Board of Directors, for both private and public companies. Board and Audit Committee oversight should involve:
- Education and knowledge of data breach exposures and how they should be monitored, managed and addressed in order to protect a company’s assets and reputation.
- Data security should be part of an organization’s Board member orientation and an on-going agenda item.
- Understanding of an organization’s risk profile (credit card systems, employee personnel data, customer Personally Identifiable Information (PII), etc.) at the Board level is paramount.
- Implementation of a complete data security plan.
- Board level reporting system and disclosure framework.
- Continual review of risk management and risk transfer mechanisms.
Over the weekend it was disclosed that Global Payments, Inc., one of the nation’s largest credit-card processors, had suffered a data breach that exposed up to 1.5 million credit cards to hackers. Global Payments said that it had “identified and self-reported” the breach upon discovering it in early March.
The company said that it is working closely with law enforcement agencies in responding to the breach and containing its scope. According to Global Payments, “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”
Significantly, Global Payments said that while credit card numbers were exposed, other …
Investigation into the rise in electronic economic espionage against U.S. corporations has recently shined a spotlight on law firms’ data security. The Federal Bureau of Investigation (FBI) found that many law firms are targeted by hackers seeking to gather information not on the firm itself, but the firm’s clients. FBI officials say that law firms’ systems and controls were much less secure than those of their clients, meaning hackers accessed proprietary, confidential and sensitive client information stored on the firms’ servers.
Data security varies dramatically from one firm to the next, but with the recent affirmation that cyber-attacks targeting law firms are on the rise, security should be at the forefront of discussions among firms’ management teams. Managing partners and executive committees need to drive a culture of security from the top down by instituting controls, …