Sharon Lyon
NetDiligence® eRiskHub® Support Team
President, Lion’s Share Marketing Group, Inc.
Jan 18, 2016
Topics for Today’s Discussion
What Counties are Facing – Recent County Breaches
Loss Control
  • Pre-Planning Your Response
  • Helping Counties Reduce Their Risk
eRiskHub®
  • CRL + NetDiligence® + eRiskHub® + YOU
  • Resources in the eRiskHub®
  • Customizing the Hub for Your Pool
  • Getting Counties Engaged & Using the Hub
Real Incidents at Counties
Osceola County, FL | Unknown | Staff Mistake | The names for every child charged in court cases and names of children in their foster system were inadvertently exposed on the county website.
Salt Lake County, UT | 3,000 | Third-Party Vendor | Social Security numbers and personal medical information of Salt Lake County employees were exposed for several months.
Baltimore County, MD | 6,600 | Rogue Employee | The Baltimore County Police Department says it has uncovered personal information of 6,600 county employees on computers seized from a contractor.
Cumberland County, NC | 180 | Staff Mistake | Sheriff's Office announced that a new software update intended to automatically post regular arrest lists on the department's Facebook page was inadvertently set to release Social Security numbers of those arrested.
Muscogee County, GA | 20 | Staff Mistake | Employee sent an email intended to warn female deputies about a potential defect in Point Blank body armor that contained the deputies' names, the serial numbers of their body armor, and their physical characteristics including height, weight, chest and bra cup size.
North East King County, WA | 6,231 | Hacker | Security breach of a server that stored records of an estimated 6,000 medical responses for three different county fire departments. The breached files also contained personnel data for 231 full-time and volunteer firefighters.
Bergen County, NJ | 1,500 | Rogue Employee | Employee allegedly stole the names, Social Security Numbers, and birth dates of patients at The Valley Hospital in Ridgewood, Englewood Hospital and Medical Center, and Holy Name Medical Center in Teaneck.
Lancaster County, SC | 100,000 | Loss/Theft | County EMS is notifying patients of a potential data breach after discovering two flash drives and two hard drives missing from a county building.
Tunica County, MS | Unknown | Staff Mistake | Personal information of students in the Tunica County School District was inadvertently posted on the county website.
Prince George's County, MD | 10,000 | Staff Mistake | A document that contained Prince George's County Public School System employees' personal information was emailed outside of the district to the personal addresses of certain staff.
Tulare County, CA | ??? | Staff Mistake | An employee sent an email containing PHI and neglected to encrypt and blind copy the recipients of the email.
Monterey County, CA | 144,493 | Hackers | County residents’ personal data may have been exposed when a Monterey County computer was compromised by unauthorized users from overseas.
Loss Control
Pre-Plan Breach Response
By working with your counties to help them pre-plan their response to the inevitable breach event, your pool can:
Reduce the cost to respond (crisis services)
Shorten the response timeline
Ensure compliance with regulatory requirements
Reduce/eliminate additional losses due to charges of negligence
Claim Payouts for Crisis Services
[Figure: chart of average cost and median cost of crisis services claim payouts, in thousands, for 2011 through 2015.]
Based on findings from annual NetDiligence® Cyber Liability & Data Breach Insurance Claims study
Timeline of a Breach
[Figure: October and November calendar marking the phases of a breach response: Loss; Mgmt Aware; Insurer & Coach; Forensics; Notice Prep; PR Issued & Notices Sent; Victim Inquiries; State AG.]
48 Days (used to take 60+ days)
The Role of Breach Coach®
Prevent costly mistakes
Expedite recovery
Notify and coordinate with State AGs and regulatory agencies
Strengthen the county’s defensive position
Help Counties Reduce Their Risk
Biggest risk for counties? INSIDERS!
Verizon 2015 DBIR Confirms
People are the Weak Links – staff accounts for nearly 90% of all security incidents
  Errors - 30%
  Crimeware - 25%
  Insider Misuse - 20.6%
  Physical Theft/Loss - 15%
Bad Guy Methods & Targets:
  Phishing (1-in-4 opened phish email and 1-in-10 clicked on infected attachment) (EDUCATION!!!)
  Theft of $: Most web attacks followed this flow: phish -> get credentials -> abuse web application -> steal money
  Leading Sectors: Public; Financial Services; Hospitality; Manufacturing; Retail; Healthcare
Comprehensive Resource for:
Prevention (pre-breach)
Recovery (post-breach)
Whether you want to help counties prevent
or recover from a cyber attack or data
breach, you can find what you need—when
you need it—in the eRiskHub portal.
A One-Stop-Shop for Cyber Services
Homepage gives you a place to speak directly to pool members
Incident Roadmap spells out the steps to take in the event of a breach
Risk Manager Tools help manage cyber risk more effectively
News Center monitors breach events and trends
Learning Center provides best-practices articles, white papers & on-demand webinars
Security Awareness provides downloadable guide to best-practices for employee security awareness training and full-length videos of onsite security training provided by CRL last year
eRisk Resources directory features qualified third-party providers of pre- and post-breach services
Customizing the Hub for Your Pool
Branding – logo, colors, page banners, buttons, etc.
Content
  Homepage – information filtered and/or tailored for your counties
  Incident Roadmap – your pool’s breach response/cyber claim procedures and contact information
Unique login/registration page or access from your existing members-only (secured) website
Getting your Counties Engaged
Initial Introduction to Counties
  Big Announcement: Press release, email blast, feature on your website
  Introduce your Hub via webinar (NetDiligence can host/demo for you)
  Be sure to send registration instructions!
Ongoing Promotion
  Feature content in newsletters, blog posts, website, meetings, etc.
  Watch the News Center for incidents involving counties – share the stories with your counties
  Ask NetDiligence to do a Cyber Risk educational webinar for your counties
  Share success stories (with permission)
Thank you!