By Karen D. Lorentz
Cyber security was one of the nationwide issues discussed at the recent National Ski Areas Association (NSAA) Eastern Winter Conference and Trade Show held at Killington Resort.
Because a data breach is a topic that poses a risk to all, The Mountain Times contacted cyber security expert Anne De Vries, who addressed this threat at the conference. De Vries is program manager in network security and privacy for Safehold Special Risk, a subsidiary of Wells Fargo. Safehold provides insurance programs and risk management solutions to a variety of companies, including over 200 ski resorts across the nation.
The following are highlights from her presentation and a client advisory that she provided to The Mountain Times, as well as her answers to our questions.
Data breaches: not a matter of if, but when
De Vries stresses that data breaches are a real threat that can happen to any company/business, citing as examples:
Healthcare data of 1 million N.J. patients compromised since 2009.
Hacker attacks on healthcare providers have jumped 600 percent.
Hackers have published 5 million gmail addresses, passwords.
Breach at Goodwill vendor lasted 18 months.
Home Depot data breach may hit 60 million.
Target puts data breach cost at $148 million.
Skimmer problem grows in Vermont.
Extortion threats in national news.
“You don’t need to be a healthcare company, retailer or financial services company, as companies of all shapes and sizes are targeted by the bad guys every day,” De Vries stated. Some of the ski areas that have experienced a data breach in recent years include Alta, Aspen/Snowmass, Canyons, Crested Butte, Greek Peak, Holiday Valley, Okemo, Snow Creek, Snow Time (breach occurred at payroll processor), Steamboat (human error), Taos, and Telluride.
Costs and impacts
Recovering from electronic disasters or privacy breaches has cost many companies millions of dollars. Lost revenue; crisis management costs (expenses for public relations, consumer breach notification, credit/identity monitoring and forensics); defense and other legal costs for any third party claims and regulatory action, including fines and penalties; and remediation expenses bring the total cost of a data breach to $217 per record [customer non-personal data], according to the Ponemon Institute’s 2015 Annual Study.
Intangible costs can include damage to brand, reputation and customer trust; lost productivity; abnormal customer churn rates; risk of consumer termination of their relationship with the company; and loss of competitive edge, De Vries added.
Who bears responsibility?
“Companies are constantly looking to outside vendors for a host of services requiring the sharing of sensitive data. Although partners, such as call centers, credit card processors, payroll and benefits administrators, cloud providers, and other business process outsourcers handle this information, it is the company for which they are providing such services that bears the ultimate responsibility to protect it—and to respond in the event that information is breached, regardless of where that breach or error may occur,” De Vries warned.
What you can do
De Vries emphasized the need to “be prepared and to have an incident response plan.”
Your insurance broker and carrier can assist with risk management strategies to employ to prevent a data breach from happening as well as with the development of a plan that outlines the steps to take following a breach so you can limit potential damage to your company, including litigation costs and reputational damage.
Since most data losses and thefts happen as a result of negligence or intentional actions by employees who have authorized access to the network, De Vries advises “storing the minimum amount of sensitive information needed in order to do business. Be sure to limit employee access to sensitive information to a need-to-know basis, and educate them on how sensitive data should be handled. When an employee leaves, disable his/her network access code immediately.”
If your business/company accepts credit/debit cards for payment, make sure to follow PCI (payment card industry) compliance standards. There are PCI self-assessments for smaller merchants and third-party assessments for larger ones.
For smaller merchants that do not store credit card numbers but outsource all card processing to a third party, be sure to ask the processor if they, and the POS (point of sale) equipment they provide, are fully PCI-compliant.
“For information that must be retained, be sure it is kept in an encrypted format. Companies often dismiss encryption because it costs money to implement, but it is inexpensive compared to costs for stolen data. If encrypting data in transit, at rest, and on mobile devices is prohibitive, at least focus on mobile devices, such as whole-disk encryption for laptops, and ensure that electronically transmitted data to third parties is submitted in an encrypted format,” De Vries advised.
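As an added illustration of the "keep it in an encrypted format" advice above (editor's example, not code from the article or from Safehold), the following Go program seals a retained customer record with AES-256-GCM before it is written to storage. It assumes the encryption key lives apart from the data store (a key-management service or OS keystore in practice; a variable here) and uses the record identifier as associated data so a stored ciphertext cannot be quietly swapped between records. The sample record and identifier are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Editor's example, not from the article. Assumes the key is held outside
// the data store (KMS/HSM/keystore in production); here it is generated
// in-process purely so the program runs stand-alone.

// NewKey returns a fresh 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key and binds it to aad (for example the
// record ID), returning base64(nonce || ciphertext || tag) for a text column.
// A random 96-bit nonce is drawn per record, so identical plaintexts do not
// produce identical stored values.
func Seal(key, plaintext, aad []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. It fails closed if the stored value was modified,
// truncated, or is presented with a different aad than it was sealed under.
func Open(key []byte, stored string, aad []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := NewKey()
	recordID := []byte("guest-0042")                    // constructed sample identifier
	secret := []byte("DOB=1980-03-14;LICENSE=A1234567") // constructed sample data
	stored, _ := Seal(key, secret, recordID)
	fmt.Println("stored:", stored)
	back, err := Open(key, stored, recordID)
	fmt.Println("decrypted:", string(back), err)
	_, err = Open(key, stored, []byte("guest-0043"))
	fmt.Println("opened under wrong record ID:", err)
}
```

The point the article makes about cost applies here too: the entire scheme is a few dozen lines of standard library, and the expensive part is key custody, not the cipher. Note also that a breach of the key store defeats this entirely, which is why the key must not sit beside the data it protects.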
Asked what businesses and customers can do regarding the current skimmer problem (devices added to credit card machines so perpetrators can steal information) hitting Vermont, De Vries said, “From a merchant perspective, keeping the machines in close proximity to the store clerks, camera surveillance, and anything that prevents the machines from being tampered with unnoticed is prudent. Also, end-to-end encryption and encryption at the PIN pad on all POS terminals is recommended.”
As for customers, she said, “There really isn’t much they can do about this particular threat as they would not be aware that such a device is present on the machine. But all consumers should check their monthly statements, bank accounts as well as their credit reports on a regular basis to be sure that there is nothing suspicious and to be able to act quickly if something is discovered. Many homeowner’s policies offer an endorsement for identity theft coverage and even credit monitoring services for a relatively low additional premium.”
Reminder: check insurance
De Vries added an important reminder: “Check your insurance because traditional insurance has limitations—data is not ‘tangible property’ and there are ‘intentional acts exclusions’ along with ‘territory restrictions.’ Property, general liability, crime, K&R (kidnap and ransom/extortion), E&O (errors and omissions) policies typically don’t cover First Party Privacy/Network risks such as virus/hacker damage to data only, denial of service attack, extortion or threat, sabotage of data; nor Third Party Privacy/Network Risks such as theft/disclosure of private and/or confidential information, confidential corporate info breach, media liability (electronic content), virus/malicious code transmission, and privacy breach expense and notification.
“Consider purchasing insurance specifically designed to protect one’s organization/business in the event of a breach and/or to provide coverage for electronic infringements, defamation, misappropriation, plagiarism or unauthorized use of ideas, materials, etcetera.
“Insurance provides coverage for: costs incurred to comply with notification laws, including legal fees to determine a response; forensic costs to investigate what happened; defense and payments of fines due to governmental actions against your company after a privacy breach (such as the Federal Trade Commission, Office of Civil Rights, etc.); defense costs and payment of damages if there are any third-party claims.
“An important benefit is that the carrier offers guidance through a labyrinth of varying state and federal laws to help you comply with your legal obligations as well as to protect your reputation,” De Vries concluded.
Data Breach Preparation Checklist
How is the incident reported and documented?
Do you know who you are going to call?
Internal response team–to include representatives from executive management, information technology, customer service, risk management and security, compliance and audit, legal, public relations/marketing
External response team: First call—privacy counsel/breach coach to assist with determining compliance requirements, understanding of specific laws, when/how to engage law enforcement, timeline obligations for compliance, engagement of external response team players.
Forensic investigator
Notification letters/call center services
Credit/identity monitoring services
Consumer fraud protection–reporting agencies, banks
Public relations firm
How will the effort be funded–insurance?