
Cyber Bytes is S.H. Smith & Company's Cyber, Security & Privacy blog – written by the experts you trust.
I just read an article about a recent breach at a clinic in North Carolina. I’m sure as you are reading this you are wondering, “What is so strange about a breach in a clinic; they're in the headlines every day?” What is so strange about it (to me at least) is the motivation behind the breach.
It seems X-ray films were stolen not for the data that may reside on the films but for the silver content. Apparently, this is a lucrative theft given silver prices have risen and it is easily extracted from X-rays. In fact, it has been reported during the past year that similar thefts have occurred in hospitals located in several U.S. states as well as London and Canada.
So here you have X-rays containing protected health information which are accessed in an unauthorized manner, and although it doesn’t appear as though the data will be used, does it still constitute a privacy breach? You bet it does!
I know I have blogged about this breach before, but I think it is important to dedicate another entry to this one, and not just because it is the largest case of hacking of a state agency.
Late last year, a hacker was able to gain access to unencrypted data from SC’s tax collection agency on more than 6 million residents and businesses. Last week a judge dismissed a lawsuit over the breach due to the lack of “actual harm”.
So there might be some of you out there who say, “Since these cases are all largely dismissed for the same reason, why do I need cyber risk insurance?” Well, my friends, here is why: this agency had to apply for a $20M loan from South Carolina’s insurance reserve fund to pay for breach response, and $12M of that will go directly to pay for credit monitoring for those taxpayers affected by the breach. Perhaps the other $8M is earmarked for defending the lawsuit up until its point of dismissal or the potential appeal. That is a large amount of money spent on a situation with no “actual harm”. Breach response is one of the most important coverage parts of cyber risk insurance.
Betty Shepherd will be discussing Cyber Liability & Cloud Computing at the 2nd Annual National Cyber Liabilities Insurance ExecuSummit April 23 & 24, 2013 at Mohegan Sun in Uncasville, CT. The ExecuSummit is a comprehensive day and a half Cyber Liability Insurance Conference.
Betty will also be speaking at the PLUS Professional Risk Symposium (EPL, E&O, and Fiduciary) taking place on April 10-11, 2013 at the Hyatt Regency Chicago.
We are honored to have Betty represent S.H. Smith & Company as a Cyber, Security & Privacy expert at these national events.
I just read an article about a breach experienced by a restaurant chain that may have impacted 100 of the chain’s locations. After being notified by a credit card processor of potential fraud emanating from some of the locations, a forensic investigation found malware on the systems of many of its restaurants.
Although it is too early to determine the magnitude of this data breach, let’s think about how many consumers could be impacted if 100 locations were found to have malware on their systems. And what about the costs involved in responding to the data breach? To date, the company has already hired a forensic investigator to determine the cause of the breach. Perhaps this forensic investigation will help in identifying how many consumers have been impacted. The restaurant chain has locations in 13 states so multiple breach notification laws need to be complied with and ultimately regulatory agencies will want to investigate the circumstances surrounding the breach. Perhaps the restaurant will want to offer credit monitoring services to those affected.
You can see the costs to respond to a data breach can add up very quickly. I wonder if this restaurant chain has purchased cyber risk insurance…
Anyone who has filed a South Carolina tax return since 1998 may be affected by a breach experienced by SC’s Department of Revenue. It has been reported that 3.6 million social security numbers and 387,999 credit card numbers may have been exposed after hackers used state-approved credentials to access the Revenue Department’s computer system.
The state is offering one year of credit monitoring and up to $2M in insurance and lifetime credit-fraud resolution but unfortunately, crooks can hold the data for years after the attack before they sell it. Consumers can get new credit card and bank account numbers but a new social security number can be very difficult to obtain.
To date, the state will pay up to $12M for the credit monitoring services provided by Experian and has paid about $125,000 in forensic costs. They have also hired a law firm to assist with liability issues.
The costs to respond to a breach can come from different places: forensics, notification/credit monitoring, legal and lawsuits, just to name a few. A comprehensive cyber risk insurance policy can help with these costs.