
Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses


Presentation Transcript


    1. Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses

    2. Preventing the Unpreventable
      - Moderator: Toby Merrill, Assistant Vice President, ACE USA
      - Panel: Tanya Forsheit, Esq., Partner, Proskauer Rose LLP; Mark Greisiger, MS, President, NetDiligence; Stephen Haase, MS, CEO, INSUREtrust.Com, LLC; Roxanne Westfall, Vice President, Axis Reinsurance

    3. Overview
      - Brief Introduction
      - Best Practices for Data Security
      - Responding to the Eventual Data Breach
      - Evaluating Legal Liability Exposures
      - Q&A

    4. Best Practices for Data Security

    5. Best Practices for Data Security: Why the Problem… the Internet’s Open Network
      - Many companies have a transactional website
      - Businesses collect and store customer private data
        - More data is often collected than needed
        - Data is often stored for too long
      - Business servers (websites) are very porous and need constant care (hardening & patching); 4 out of 5 fail our scan test
      - IDS is very weak (many businesses learn of a breach months or years too late)
      - Bad guys rely on the prevalence of human error: unchanged default settings, unapplied patches, customer private records (paper) improperly disposed of (dumpster)

    6. Best Practices for Data Security: Computer Crime Studies
      - Deloitte (2007 Global Security Survey of Large FI’s) (169 ct): 70% reported repeated external breaches
      - E&Y (1300 companies) 2007 Global survey on ‘Top privacy drivers’: 64% compliance with regulations
      - PWC The global state of information security 2007 (7200 respondents): cause of event: employee/contractor 84%, vs. hacker 40% (conflicts with Verizon study)
      - Identity Theft Resource Center: total breach reports for 08 is 69% greater than 07
      - Kroll Fraud Solutions Study 2008 (263 healthcare sector companies): 56% of companies DO NOT report a breach of private data. Regulatory ‘loopholes’ are partly to blame (or failure of IDS process is my thought)
      - UK Breach Study 2008: average cost per breach -- $2.7 million
      - FDIC Technology Incident Report: average bank loss per incident = $30,000
      - University of Toronto's business school (300 Canadian-based companies): average public corporation = $637k per yr

    7. Best Practices for Data Security: Verizon Business Forensics Study
      - Threat Source: 73% resulted from external sources; 39% implicated business partners
      - Causes of Loss: 62% significant error; 59% hacking/intrusions
      - Unknown – Unknowns: 9 out of 10 data breaches involved one of the following: a system impacted unknown to the org; stored data which the business did not even know existed on their system
      - The Aftermath: 75% of breaches not discovered by the business; 87% of breaches were avoidable through reasonable controls

    8. Best Practices for Data Security: Common Weak Spots – Intrusion Detection System
      - IDS: security software used to detect malicious activities against a computer system. It is an ‘early warning system’. An IDS works by collecting, logging and analyzing network data and audit logs to detect signs of attack and anomaly.
      - Problems: the FTC and plaintiff lawyers (class action suits) often cite ‘failure to detect’. Studies show that 75% of KNOWN breach events are NOT detected by the company, but by 3rd parties. Bigger issue: many more go undetected completely, because of a lack of IDS policy and technology.
      - Why the problem: some companies’ IDS can log millions or billions of events against their network each month. How does an IT security manager reasonably review and respond to the ‘serious’ incidents? Need the capability to filter, correlate and prioritize key events. Need manpower.
      - False positives: events that appear to be harmful but are actually quite harmless. An IDS can alert with more than 70% false positives. Tuning an IDS to reduce false positives takes time (months). Outcome: InfoSec managers can often dismiss a real attack as another false alarm.
      - False negatives: events that go undetected by the IDS because the IDS "did not see any match".
      - Vast data: an IDS outputs a large amount of audit data that often must be analyzed and examined by human operators to detect intrusions and misuse.
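The slide above says the only workable answer to millions of IDS events a month is to filter, correlate and prioritize them. The following is an added example (not from the presentation or any of the panelists) of what that triage loop looks like in code: it parses a constructed, pipe-delimited alert feed, drops (source, signature) pairs on a tuned suppression list of known false positives, correlates the survivors by source address, and scores each source so that the worst severity dominates while breadth of signatures and volume break ties. The alert format, the suppression list and the scoring weights are all assumptions made for the example.

```python
"""Toy IDS alert triage: filter, correlate, prioritize (added example, not from the deck)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feed in an assumed "timestamp|src_ip|signature|severity" format.
SAMPLE_ALERTS = """\
2008-03-01T10:00:01|10.0.0.5|ICMP PING|1
2008-03-01T10:00:02|10.0.0.5|ICMP PING|1
2008-03-01T10:00:03|203.0.113.7|WEB-ATTACK SQL injection attempt|4
2008-03-01T10:00:04|203.0.113.7|WEB-ATTACK SQL injection attempt|4
2008-03-01T10:00:05|203.0.113.7|WEB-ATTACK directory traversal|4
2008-03-01T10:00:06|198.51.100.9|SNMP public community|2
2008-03-01T10:00:07|203.0.113.7|SHELLCODE x86 NOOP|5
2008-03-01T10:01:00|10.0.0.5|ICMP PING|1
"""

# Hypothetical tuning decision: the internal monitoring host pings everything,
# so its ICMP alerts are a known false positive and are suppressed.
SUPPRESS = {("10.0.0.5", "ICMP PING")}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    sig: str
    sev: int


def parse_alerts(text):
    """Parse 'ts|src|signature|severity' lines; blank or malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, src, sig, sev = parts
        try:
            alerts.append(Alert(ts, src, sig, int(sev)))
        except ValueError:  # non-numeric severity field
            continue
    return alerts


def filter_alerts(alerts, suppress=SUPPRESS):
    """Filter step: drop alerts whose (source, signature) pair is on the suppression list."""
    return [a for a in alerts if (a.src, a.sig) not in suppress]


def correlate(alerts):
    """Correlate step: group by source so a multi-signature campaign stands out."""
    groups = defaultdict(lambda: {"count": 0, "sigs": set(), "max_sev": 0,
                                  "first": None, "last": None})
    for a in alerts:
        g = groups[a.src]
        g["count"] += 1
        g["sigs"].add(a.sig)
        g["max_sev"] = max(g["max_sev"], a.sev)
        g["first"] = a.ts if g["first"] is None else min(g["first"], a.ts)
        g["last"] = a.ts if g["last"] is None else max(g["last"], a.ts)
    return groups


def prioritize(groups):
    """Prioritize step: worst severity dominates; distinct signatures and volume break ties."""
    ranked = []
    for src, g in groups.items():
        score = g["max_sev"] * 10 + len(g["sigs"]) * 2 + g["count"]
        ranked.append({"src": src, "score": score, "count": g["count"],
                       "signatures": sorted(g["sigs"]),
                       "first": g["first"], "last": g["last"]})
    ranked.sort(key=lambda r: (-r["score"], r["src"]))
    return ranked


def triage(text, suppress=SUPPRESS):
    """Run the whole filter -> correlate -> prioritize pipeline over a raw alert feed."""
    return prioritize(correlate(filter_alerts(parse_alerts(text), suppress)))


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(f"{row['score']:3d}  {row['src']:15}  {row['count']:2d} alerts  "
              f"{row['first']}..{row['last']}  {row['signatures']}")
```

With the sample feed, the source probing for SQL injection, directory traversal and then shellcode rises to the top with a single correlated record instead of four separate alerts, the SNMP probe sits below it, and the monitoring host never appears. Passing an empty suppression set shows why tuning matters: the three ping alerts come back as a third, lowest-ranked row that an analyst would still have to look at.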

    9. Best Practices for Data Security Common Weak Spots – Patch Management

    10. Best Practices for Data Security Key Regulations

    11. Best Practices for Data Security

    12. Best Practices for Data Security: Loss Prevention Approach
      - Proactively assess safeguard controls surrounding:
        - People: dedicated info sec personnel; background checked; proper security budget and vigilant about their job!
        - Processes: enterprise ISO27002, GLBA/HIPAA ready; policies enforced daily; employee education/training; change management processes, etc.
        - Technology: managed firewall with proven IDS/IPS, hardened & patched servers (tested), event logging, ‘data at rest’ is encrypted, redundancy/hot-site.

    13. Best Practices for Data Security Where to Begin... A Wide-Angle Assessment

    14. Best Practices for Data Security

    15. Best Practices for Data Security (Discussion)

    16. Responding to the Eventual Data Breach

    17. Responding to the Eventual Data Breach
      - Obtaining qualified expertise
      - Investigating the event
      - Securing the network
      - Identifying and notifying affected individuals
      - Providing necessary services
      - Developing a formal Data Breach Response Plan

    18. Responding to the Eventual Data Breach
      - Unlikely your firm will avoid security breaches
      - Preplanning is essential: choose resources familiar with your business and that have proven expertise with security breaches; prenegotiate rates and fees
      - Consider insurance: may pay for most of these services (balance sheet protection); may offer access to experts in the field
      - Test the plan, similar to a fire drill.

    19. Responding to the Eventual Data Breach
      - Determine the scope of the breach. How reliable is the information? DSW and TJ Maxx kept increasing their estimates of how many customers were affected.
      - Can the IT department mitigate the loss? Can they identify the access point? Did it occur at your facility or a hosted site?
      - Notify affected parties and provide meaningful resources to resolve future problems.

    20. Responding to the Eventual Data Breach
      - Determine when or if your organization needs to disclose the breach to the affected individuals or businesses. Should an organization always send notification? If so, when? Opinions vary; however, the FTC offers some specific guidelines.
      - Use the legal representatives on your data breach response team to determine the following:
        - State and federal laws and regulations that are applicable
        - The probability that the information has been, or will be, misused
        - Whether regulators and customers need to be informed about the data breach, and the content of those communications
        - Contractual obligations of the organization to disclose the data breach

    21. Responding to the Eventual Data Breach: Disclosing the Breach
      - Unfortunately, there is no set standard for disclosure at the federal legislation level, though there are several bills up for consideration. What this means for your organization is that you must determine which disclosure policies to follow, especially if your organization conducts business across multiple states or around the world.
      - ChoicePoint, an Alpharetta, GA based data aggregator and reseller of personal information, decided to send notices to over 163,000 people affected by their much publicized data breach two years ago. According to Vice President for Compliance Christopher Cwalina, the company followed the only legislation available at the time.

    22. Responding to the Eventual Data Breach: Key considerations when responding to a data breach
      - Identify the applicable data breach disclosure law(s) and requirements. Depending on the applicable data breach notification laws, your organization may be required to follow a data disclosure plan. The response team (legal, PR, or third party) may be required to disclose the breach via letter, email, or other mandated communication method to customers, legal organizations, third-party partners, State AG, FTC, etc.
      - Manage data breach disclosures. Research your organization's state data breach notification laws first. Follow guidelines of organizations like the FTC, SEC, FDIC, PCI DSS, etc.
      - Understand the magnitude of disclosure. When making the decision as to when/if your organization should disclose the data breach, remember that the bad press, negative exposure and millions of dollars that could be lost in fines and judgments in class action lawsuits far outweigh the fallout from notifying the affected parties about the breach. The quicker the notification, the easier damage control will be between the organization and the customer.

    23. Responding to the Eventual Data Breach: Perform an audit after the event
      - Once the data breach is contained and letters sent to the affected customers, businesses, law enforcement and any other third-party entity, this is the time for all members of the rapid response team to document the data breach from beginning to end.
      - Each member of the team should maintain a log that contains the following information:
        - All information concerning the specific breach
        - All procedures followed, from the beginning to the containment and aftermath of the data breach
        - Any outsourcing to third-party companies which took place during the breach, plus any documentation from said third party concerning the data breach
        - Problem areas, if any, within your department
      - Publish a list of any resources used during data breach notification, such as the FTC website, or other information, and supply it to the rapid response team, customers and third party vendors.

    24. Responding to the Eventual Data Breach: Harvard Business Review Case Study: “Boss, I Think Someone Stole Our Customer Data”
      - Data breach suspected when a bank discovered that the company was a common point of purchase by fraudulent credit card accounts.
      - Executives are prepared to deal with stolen property, but in this case the allegations are that data had possibly been obtained from Flaxton’s network – no actual crime seen to confirm it.
      - Flaxton would not have caught this unless a third party reported it, as the fraudulent purchases were being done elsewhere. It could take months before anyone detects the breach.

    25. Responding to the Eventual Data Breach: Harvard Business Review Case Study
      - The company is now challenged with answering the following questions (all at the SAME TIME):
        - Did the breach happen at our company?
        - How extensive was it?
        - Who do we have to notify?
        - How do we prevent further damage?
        - Where do we go for help?
      - Authorities want them to continue to operate so they can possibly catch the perpetrators. If they do, does this put them at more risk?

    26. Responding to the Eventual Data Breach: Harvard Business Review Case Study
      - How does the company defend itself? Are they PCI compliant? Testing a network is like a shower: unless you take one every day, IT WEARS OFF.
      - Now that the press is aware of this, how do they rebuild the loss of trust with third parties?
      - They struggle with the possible causes of the breach: a firewall was turned off; there were some disgruntled former employees.
      - Without a definitive cause, proof of a breach, or a definitive size of the breach – are they obligated to notify third parties? If not obligated to notify, should they do it anyway? If they don’t report it, the press will leak it anyway.

    27. Responding to the Eventual Data Breach: Harvard Business Review Case Study – The Experts
      - “How you react to a breach is much more important than what actually happened.” – James E. Lee, Chief Public and Consumer Affairs Officer of ChoicePoint
      - “Businesses that are serious about protecting their data and preserving the data’s value should have a high-level official, such as a director or a vice president of information protection, who serves not merely as a manager but as a senior champion in this area.” – Bill Boni, Corporate Information Security Officer of Motorola
      - “Making data security a priority for the future – and communicating the specific policy changes that flow from that – may allow the company to become recognized as a leader in this area.” – former President and CEO of Visa USA
      - “The companies that are sued are not those that quickly disclose a breach but, rather, those that do so poorly.” – Executive Director of the Identity Theft Resource Center

    28. Responding to the Eventual Data Breach (Discussion)

    29. Evaluating Legal Liability Exposures

    30. Evaluating Legal Liability Exposures State data breach requirements have spawned a number of private suits, including class actions. Suits can arise from consumers, employees, business partners, financial institutions, shareholders, regulatory agencies, and more. Courts frequently, but not always, find injury too speculative and damages not sufficiently demonstrated.

    31. Evaluating Legal Liability Exposures: Why Privacy Class Actions are Tempting to Plaintiffs’ Bar
      - No clear uniform standard of care
      - They see a natural “class” of all those who got a notice
      - Breach notification letter viewed as an admission of negligence
      - Playing on public anxiety about identity theft
      - For consumers, remedy sought is credit monitoring
      - Most common complaints include: negligence; invasion of privacy; breach of contract; breach of fiduciary duty

    32. Evaluating Legal Liability Exposures: Pisciotta v. Old Nat. Bancorp, 499 F.3d 629 (7th Cir. Aug. 21, 2007)
      - Plaintiffs sought damages for potential economic losses and emotional distress/anxiety caused by potential misuse of personal information by third parties. No allegation of existing loss or identity theft.
      - Alternatively, plaintiffs sought cost of credit monitoring.
      - Court concluded: “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at 637.

    33. Evaluating Legal Liability Exposures: Pisciotta v. Old Nat. Bancorp
      - Pisciotta conclusion regarding damages and injury is consistent with other decisions in various district courts:
        - Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn.2006);
        - Kahle v. Litton Loan Servicing, LP, 486 F.Supp.2d 705, 712-13 (S.D.Ohio 2007) (entering summary judgment for the defendant because the plaintiff had failed to demonstrate an injury);
        - Guin v. Brazos Higher Educ. Serv. Corp., Inc., 2006 WL 288483 (D.Minn. Feb.7, 2006) (unpublished) (same);
        - Hendricks v. DSW Shoe Warehouse, 444 F.Supp.2d 775, 783 (W.D.Mich.2006) (dismissing an action where “[t]here is no existing Michigan statutory or case law authority to support plaintiff's position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss”).

    34. Evaluating Legal Liability Exposures
      - Pisciotta decision departs from other district courts that held data breach plaintiffs lacked Article III standing for failure to allege injury in fact:
        - Held that alleging “threat of future harm or . . . act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced” sufficient to allege injury in fact.
        - Drew upon cases considering toxic torts and medical monitoring, not data breaches.
      - Some courts considering data breaches have reached the opposite conclusion. See examples:
        - Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 10 (D.D.C.2007);
        - Bell v. Acxiom Corp., 2006 WL 2850042, at *2 (E.D.Ark. Oct.3, 2006) (unpublished);
        - Giordano v. Wachovia Sec., LLC., 2006 WL 2177036, at *5 (D.N.J. July 31, 2006) (unpublished);
        - Key v. DSW, Inc., 454 F.Supp.2d 684, 690 (S.D.Ohio 2006).

    35. Evaluating Legal Liability Exposures: Shafran v. Harley-Davidson, Inc., No. 07 Civ. 01365, 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008)
      - Dismissed the plaintiff’s lost laptop lawsuit because it found that the alleged claimed injury – credit monitoring costs sought to protect against speculative identity theft that might occur because of the data loss – was not actual, legally cognizable injury.
      - "Courts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff has not presented any case law or statute, from any jurisdiction, indicating otherwise. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur. Plaintiff has failed to show an actual resulting injury that might support a claim for damages. As damages are an essential element of each of plaintiff’s claims, plaintiff’s claims fail as a matter of law."

    36. Evaluating Legal Liability Exposures: Stollenwerk v. Tri-West Healthcare Alliance, Case No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007) (unpublished)
      - Affirming summary judgment for defendants with respect to plaintiffs who failed to provide evidence of injury, but reversing summary judgment with respect to the plaintiff who produced evidence from which a jury could infer a causal relationship between the theft of the hard drives and the incidents of identity fraud the plaintiff suffered following the Tri-West burglary.
      - “Brandt need not show [under Arizona law] that the Tri-West burglary was the sole cause of the identity fraud incidents, only that it was, more likely than not, a ‘substantial factor in bringing about the result,’ . . . and a factor ‘without which the injury would not have occurred.’”

    37. Evaluating Legal Liability Exposures Ruiz v. Gap, Inc. 540 F.Supp.2d 1121 (N.D. Cal. 2008) holding that plaintiff’s allegation that the defendant's loss of his social security number placed him "at an increased risk of identity theft” sufficiently pled "injury in fact" to establish standing and survive a motion to dismiss his negligence claim.

    38. Evaluating Legal Liability Exposures: Data Breach Settlements
      - TJX Settlement
        - On January 17, 2007, hackers stole personal and financial data of approximately 45.7 million consumers. Breach possibly the result of an unsecured wireless network in a store.
        - Proposed settlement would provide credit monitoring for some consumers, worth approximately $177 million. Monitoring package worth $389.95, according to a company official. Would provide cash and/or store vouchers.
        - November 30, 2007 News: TJX to pay up to $40.9 million to fund
      - CS Stars LLC Settlement with New York AG
        - On May 9, 2006, a CS Stars employee noticed a computer was missing. The company waited until June 29, 2006 to notify the NY Special Funds Conservation Committee, who owned the data, or the FBI.

    39. Evaluating Legal Liability Exposures: Data Breach Settlements
      - CS Stars LLC Settlement (cont’d)
        - The NY AG determined that the data was not improperly accessed. However, CS Stars was subject to action by the NY Attorney General because it failed to notify Special Funds, the owner of the data.
        - CS Stars and the AG settled the case on April 26, 2007: $60,000 to the AG’s office for costs of investigation; implementation of precautionary measures; injunction requiring compliance with NY’s breach notification laws.
      - BJ’s Wholesale Club, Inc. Settlement
        - Counterfeiters obtained the credit and debit card information of thousands of BJ’s Club members and used magnetic strip information to make millions of dollars of fraudulent purchases.
        - Settlement required BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years.

    40. Evaluating Legal Liability Exposures (Discussion)

    41. Takeaways: Preventing the unpreventable
      - Most data breaches are easily avoidable
      - Keep sensitive information secure (KISS)
      - Develop the proper controls (organizational, administrative and electronic)
      - Best response comes from proper planning
      - Response will most likely drive legal liability

    42. Q & A

    43. Many Thanks to Toby Merrill, Tanya Forsheit, Mark Greisiger, Stephen Haase, Roxanne Westfall