2:30 - 4:00 pm – Session 3 Regulatory & Policy Track – “Cyber Security/Data Integrity” • Moderator - Kevin Szczepanski, Partner, Barclay Damon, LLP • Mickey Garcia, Director, Medical Device Industry Solutions, MasterControl • Wayne Stewart, Director, EWA-Canada, An Intertek Company • Bryan Marlatt - Director Advisory, Cyber Security, KPMG LLP, Life Sciences
Kevin Szczepanski, Partner, Barclay Damon, LLP
Source: Ponemon Institute’s “2017 Cost of Data Breach Study”
• Average cost of a breach, per record: $141
[Chart: factors that increase risk and cost of a breach versus risk and cost mitigation measures that decrease it; each listed factor raises or lowers the average cost per record]
Data Breach Statistics
• NYS AG – March 29, 2018 Press Release
– 1,583 data breach notifications filed with the AG in 2017 – the highest since tracking started in 2006 and up 23% from 2016
– 9.2 million NY residents had private information exposed – 4X more than in 2016
– 44% of breaches attributed to outside hacking
– 26% of breaches attributable to some form of “employee negligence”
[Chart: 2017 NY Breach Causes]
SECURING THE ECOSYSTEM
Start with Secure Products
Use products that have undergone rigorous security evaluation against industry-accepted standards such as FIPS 140-2, Common Criteria and/or ANSI/UL 2900 or equivalent. Note that a certificate covers a specific product version and evaluated configuration; running a different version or an unevaluated mode falls outside what was tested.
Build a secure networking and computing infrastructure using evaluated products
Follow best practices such as the NIST Risk Management Framework (RMF), ISO 27001, or other industry-specific standards (e.g., PCI DSS for credit card processing networks).
Ongoing security assessments
A secure ecosystem must be monitored and maintained: schedule regular audits and hire outside teams for red-teaming, penetration testing and similar adversarial assessments.
Regular security awareness training
Employees should be regularly trained on the security best practices that apply to the jobs they perform.
ANSI/UL 2900-2-1 OVERVIEW
(ANSI/UL 2900-2-1 is the part of the UL 2900 software cybersecurity series with particular requirements for network-connectable components of healthcare and wellness systems.)
Threat Risk Assessments
Security Design Review
Consultation
Document Development
Security Vulnerability / Penetration Testing
Gap Assessments
Compliance Assessments
Compliance Certificates
IOT/MEDICAL DEVICE SECURITY THROUGHOUT THE DEVELOPMENT PROCESS
What Are You Required to Do?
If there is a breach, you have to provide notice to New York residents potentially affected by the breach!
• Timing = “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement…or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.”
• Notice can be made in writing, by e-mail (subject to certain requirements), or by telephone (subject to certain requirements)
• “Substitute Notice” may be authorized by the Attorney General if the business demonstrates that the cost of providing notice under the permitted methods would exceed $250,000, or if the number of individuals affected exceeds 500,000, or if the business does not otherwise have sufficient contact information
What Else are You Required to Do?
• If you are required to provide notice to New York Residents, you must also provide notice to:
1. NY Attorney General;
2. NY Department of State (Division of Consumer Protection); AND
3. NY State Police
• Form for reporting available at: https://its.ny.gov/sites/default/files/documents/Business-Data-Breach-Form.pdf
• The NY AG’s office also offers an Internet submission option
2. Damages for actual costs/losses incurred by an affected individual;
3. “Consequential financial losses” – IF notice was not provided as required by statute;
4. Civil Penalties of the greater of $5,000 or $10 per instance of failed notification (up to $150,000) – IF a court determines that a business “knowingly or recklessly” violated the statute
• Does NOT limit any other lawful remedy available
Traditional Insurance Forms May Not Apply
• General Liability Insurance
− covers property damage and personal and advertising injury
− no coverage for privacy expenses or first-party loss
• Traditional forms not written to cover cyber risks
• Limited experience with cyber risks
First-Party Coverage
First-party coverage for costs incurred by the insured itself:
• breach investigation and notification costs
• credit-monitoring and credit-repair expenses
• administrative and postage costs
• reputation-rehabilitation services
• client data-restoration expenses
• business interruption due to, e.g., a denial-of-service attack
• e-commerce extortion
Third-Party Coverage
Third-party liability coverage:
• Privacy: failure to protect private or confidential information
• Security: failure of network or information security to safeguard against viruses, hackers, or theft
• Communications and Media: defamation, trade libel, disparagement torts; invasion of right of publicity, commercial appropriation; plagiarism or unauthorized use; infringement of copyright, title, trademark, or logo
• Regulatory: defense costs incurred in investigation, defense, settlement, and appeal, including costs of