NTCA Insurance Program Network/Data Security: CPNI and Red Flag Exposures Risk Transfer Options for Telecommunication Companies - PowerPoint PPT Presentation
Slides: 39
Provided by: pje
Transcript and Presenter's Notes

1
NTCA Insurance Program
Network/Data Security: CPNI and Red Flag Exposures
Risk Transfer Options for Telecommunication Companies
Presented by Peter Elliott, CPCU
Telcom Insurance Group 800.222.4664
2
Seminar Topics
  • Definitions, Facts, and Figures
  • Insurance Coverage Review
  • Risk Management Controls

3
What Is A Breach?
Breach Definition: Personal information that is in a format that can be easily read and used by thieves is stolen, and personal information is in unauthorized hands.
Types of Breach
  • Lost or Stolen Computer Equipment
  • Lost or Stolen Backup Tapes
  • Hackers Breaking Into a System
  • Employees Stealing from or Damaging Systems
  • Information Disposed of Improperly
  • Random Malicious Attacks
  • Poor Business Practices
4
FCC- FTC and Telecommunications
  • CPNI is the data collected by telecommunications companies about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.
  • What Telecommunications Providers Must Do
  • Certify they comply with the rules
  • Notify and comply in the event of a breach

5
FCC- FTC and Telecommunications
  • The Red Flag Rules are a newly passed Federal law. The compliance deadline is November 1, 2008. All financial institutions and "creditors" with "covered accounts" fall under the new Red Flag Rules law. Creditors include any company that offers a good or service and delays billing (therefore having covered accounts).
  • What Creditors Must Do
  • ESTABLISH A WRITTEN IDENTITY THEFT PREVENTION PROGRAM (ITPP).
  • THE ITPP PROGRAM SHOULD INCLUDE:
  • EMPLOYEE TRAINING
  • MITIGATION
  • OVERSIGHT OF SERVICE PROVIDERS
  • REQUIRES APPROVAL OF BOARD

6
Who Is Responsible?
  • Who Is Held Accountable for Breaches?
  • Board of Directors and Senior Management
  • Sarbanes-Oxley: Shareholder Notification
  • State Laws: Consumer Notification
  • By Contract: 3rd Parties?
  • IT Services Providers

7
Data At Risk
  • What Data Do You Keep Beyond Call Records?
  • Credit Card Information on Customers
  • Social Security Numbers- Employees or Customers
  • Bank Routing Numbers- Employees and Customers
  • Driver's License Data- Employees
  • Credit Reports- Employees or Customers
  • Background Checks- Employees

8
Breach Examples
Charter Communications, 7/15/2008 - Electronic Breach - 9,000 Records At Risk. Laptops were stolen from a Greenville, SC location. Information on 9,000 current and past employees was on a few of the laptops. The information included names, dates of birth and Social Security numbers.
9
Breach Examples
AT&T, 5/15/2008 - Electronic Breach - 113,000 Records At Risk. A laptop with data that was not encrypted was stolen; it included names, Social Security numbers, and salary and bonus information on employees.
10
Data Facts And Figures
  • Known Breach Data As Of 9/22/2008
  • 2008 breaches identified by the Identity Theft Resource Center totaled 449, with over 22,000,000 records exposed. (That's more than all breaches in 2007, and the individual record count is climbing and will exceed 2007 as well.)
  • 2007 breaches totaled 448 paper and electronic breaches with 127 million records exposed.
  • 2006 breaches totaled 315, affecting nearly 20 million individuals.
  • 2005 breaches totaled 158, affecting more than 64.8 million people.

11
Just A Few Additional Items
  • A Financial Example- Incredible Numbers!
  • TJX, the parent company of TJ Maxx, Marshalls and other retailers, absorbed a $135 million loss from its 2007 incident.
  • The cost per share was 28 cents, which is more than the original estimate of 2 to 3 cents per share.
  • They expect another $21 million in losses, or an expense of 5 cents per share.
  • 45 million credit and debit card records were e-stolen.

12
Data Facts And Figures
  • Breaches By Business Category
  • Based on the ITRC's categorization, the breaches break down as follows:
  • 25% from government/military agencies
  • 25% from educational institutions
  • 29% from general businesses
  • 14% from health care facility companies
  • 7% from banking / credit / financial services entities

13
What Is The Cost Of A Breach?
  • In 2006 IT research firm Gartner Inc. reported that the cost of a breach can range from $90 to $120 per customer file affected, all inclusive. Based on 1,000 customers this is a $90,000 loss at a minimum.
  • A 2007 Ponemon Institute study based on 35 actual incidents found:
  • Average cost is $197 per record
  • Lost business (churn) is $128 per record
  • So, the same 1,000 customers would cost $325,000

14
What Laws Exist?
Federal: There are bills under consideration - the Senate's Notification of Risk to Personal Data Act and Personal Data Privacy and Security Act, as well as the Data Accountability and Trust Act, Social Security Number Protection Act, and Prevention of Fraudulent Access to Phone Records Act, all of which are under consideration in the House.
15
What Laws Exist?
State: State Security and Data Breach Laws - New laws are literally being passed on a monthly basis, but as of the date of this presentation the following states have laws: AR, AZ, CA, CO, CT, DE, FL, GA, ID, IN, KS, LA, MD, ME, MN, MT, NE, NH, NJ, NY, NC, ND, OH, PA, RI, TN, TX, UT, WA, WI
16
Who Is Regulating?
Beyond the State: the Federal Trade Commission (FTC), and NOT just Red Flag Rules!!!! Originally, this consumer protection agency reasoned that a company's failure to follow a published policy was a deceptive act and should be regulated by the FTC. Later, the agency expanded enforcement under the theory that a company's failure to take reasonable measures to protect customers' personal information is, in itself, an unfair practice. They will levy fines, require higher security, and also require payment of the FTC's legal costs.
17
Insurance Coverage
  • Where To Start?
  • 1st Party- An entity has an insurable interest in
    property and in the event of damage will have
    direct loss of value and potentially indirect
    financial loss of use or lost income.
  • Examples of 1st Party Property with Data/Network
    Exposure
  • Computers (Hardware/Software) and Peripheral
    Devices
  • Networks
  • Data/Records/Paper

18
Insurance Coverage
What Coverage Is Available For 1st Party Exposure?
Computers (Hardware and Software) and Peripheral Devices: Computers need coverage for electronic disturbances and malicious activity. Standard property forms often do not provide this. Computer Specialty Forms often DO provide electronic disturbance protection, accidental breakage, dust damage, temperature change, malicious code or intrusion, and electronic vandalism, also known as hacker damage. Coverage is usually on a replacement basis.
19
Insurance Coverage
What Coverage Is Available For 1st Party Exposure?
Networks: Servers, Phone Systems and Copying Machines. Most insurers offer coverage via their property form, but a specialized computer form would be more appropriate because of the potential loss types. Coverage will be for owned, leased, or rented equipment. The covered causes of loss are the typical broad coverage, but for the most part only specialty forms add electronic disturbances, accidental breakage, malicious code or intrusion, and electronic vandalism, which means damage from a hacker. In the event of a loss, coverage normally pays on a replacement cost basis.
20
Insurance Coverage
What Coverage Is Available For 1st Party Exposure?
Software, Data and Media Coverage: Software is covered by most forms, but by strict definition that means the cost of the program will be reimbursed and not the value of the data or the time and labor to populate the program to make it useful. Pay careful attention to how your policy is worded in this area. Even if media is covered, is the time and effort to duplicate the data covered? Remember, policy construction is very important. If you do not have the hacker-related peril coverage, do you really have much protection? Finally, does your policy cover data of others, and is that important?
21
Insurance Coverage
What Coverage Is Available For 1st Party Exposure?
Direct to Indirect Loss on Computers and Networks: When a specialty form is used, is it tied via policy construction back into the indirect loss of use or income protection? Often policy construction does this. The EDP and AR will not have BI/EE protection.
Diagram: BPP (Business Personal Property), EDP (Electronic Data Processing), AR (Accounts Receivable), BI/EE (Business Income/Extra Expense)
22
Insurance Coverage
What Coverage Is Available For 1st Party Exposure?
What if Your Property is Stolen By Use of a Computer by a 3rd Party? Theft of property from your premises is a covered cause of loss on almost all property policies, but a gray area exists when there is no physical evidence of the theft and the property is actually received at an unscheduled location. There is coverage available via a 1st party crime form that will protect an insured against this type of theft; coverage is provided by a computer fraud policy.
23
Insurance Coverage
  • Additional Coverage Available For 1st Party Exposure, Generally Only on Network Security Forms
  • Data and Media Coverage Offsite
  • Voluntary Parting
  • Access to Your Network is Blocked (Denial of Service)
  • Cyber Extortion
  • Regulatory Proceeding Expense
  • Crisis Coverage Expense

24
Insurance Coverage
Back To The Beginning For 3rd Party Exposure
3rd Party: Allegations by someone other than the Named Insured that the policyholder is legally liable for an incident that has caused injury.
Common Injuries (and the policy that responds):
  • Bodily Injury (BI) - CGL
  • Property Damage (PD) - CGL
  • Personal Injury (PI) - CGL
  • Advertising Injury (AI) - CGL
  • Special Damages - CGL
  • Financial Loss - E&O Specialty
25
Insurance Coverage
What Coverage Is Available For 3rd Party Exposure?
Commercial General Liability, which covers BI/PD and PI/AI, does not offer much protection and suffers from the following flaws: PD is limited to coverage for loss of tangible property; the PI section of policies does not cover damages due to failure to protect data; the coverage territory might be limited to the US only; subcontractors are not automatically part of the named insured definition on most policies; and there is no claims trigger for financial loss (unless it results from a covered allegation).
26
Insurance Coverage
What Coverage Is Available For 3rd Party Exposure?
Network and Data Liability coverage is available. It will pay for damages incurred by claimants from a breach and expenses incurred due to the violation. It will also cover the regulatory fines from failure to abide by laws and regulations, and this will include CPNI, Red Flag Rules, Cable TV Operators, and any applicable state issues. Generally, punitive damages are covered if allowable by state law. It is more than identity theft coverage, which is only a veneer of protection: ID theft coverage is partial help after a loss of data occurs, but it is not protection before an event happens.
27
Insurance Coverage
  • A Simple Recap of Coverage that is Available
    Today
  • Fines for Failing to File Paperwork- NO
  • Breach and Alleged Damages- Yes
  • Fines and Penalties from a Breach- Yes
  • PR Expense for Company- Yes
  • Crisis Expenses for Victims- Yes

28
Insurance Coverage
What Coverage Isn't Available For 3rd Party Exposure?
Network and Data Liability standard coverage exclusions include fraud, SEC violations, fiduciary claims, RICO and collusion events, ERISA, EPLI, D&O, insured vs. insured, war, terrorism, pollution, and BI/PD.
29
Managing Risk
  • Layered Approach
  • Risk Management and Transfer
  • Recognize the risk, analyze the exposure, plan
    for the possibility, implement a plan, and
    re-visit frequently.
  • Determine security gaps and fill them with
    technology or business practice answers. If this
    still leaves doubt, transfer the risk.
  • Insurance is a transfer that allows access to
    counsel, monitoring, and coverage for all aspects
    of restoration.

30
Managing Risk
  • Identify and Recognize: 1st Step
  • Business processes and who has access to what information; lock down what you can
  • Review security processes and procedures
  • Know what your outside vendors/suppliers/business partners do with your data
  • Identify VPN, extranet, intranet and Internet exposures

31
Managing Risk
  • Analyze Defense Mechanisms: Business Practices
  • Virus control (anti-virus updates)
  • Perimeter defenses (firewalls, remote access)
  • Physical security (restrict access, passwords,
    timeout, laptop/smart phone procedures)
  • Confidentiality (collect/distribute only needed
    information on employees and customers)

32
Managing Risk
  • Plan and Implement Defense Mechanisms
  • Security policy (patches, procedures for
    distribution of sensitive information)
  • Disaster recovery (identify IT resources/
    backups)
  • Incident response plan (notification requirements
    by state if a breach of confidential information)

33
Managing Risk
Inside Jobs Deserve More Attention: IT Managers should analyze the whole operation.
  • Know Your Data
  • Track The Flow
  • Monitor Sensitive Data
34
Managing Risk
Sample Flowchart to Use: IT Managers should analyze the whole operation.
  • Limit Access
  • Restrict Use Of Portable Devices
  • Update Often
35
Managing Risk
  • Who, What and Why?
  • Personal information has street value. Consider a
    wider use of background checks. Might a clerical
    employee who is modestly compensated be tempted
    by easy money for supplying data to another?
  • Pay special attention to portable devices and set
    standards/restrictions on the data that can be
    stored on them and in what format.

36
Managing Risk
  • Risk Management Business Practices
  • Limit access to sensitive information and even potentially encrypt it
  • Watch the disposal of paper records or files. It's so easy to forget this exposure, but recent claims prove this to be a real risk. Shred paper files and records and destroy old hard drives by drilling holes in them
  • Keep security patches up to date

37
Managing Risk
Resources
  • www.sans.org
  • www.cert.org
  • www.windowsecurity.com
  • www.slashdot.org
  • www.cio.com
  • www.infosyssec.net
  • www.idtheftcenter.org
38
Contact Information
  • For more information about Network Security,
    contact Telcom Insurance Group
  • Peter Elliott, CEO
  • PJE@TelcomInsGrp.com
  • www.TelcomInsGrp.com 800-222-4664