On March 2, 2016

Expert shares tips regarding cyber security

By Karen D. Lorentz

Cyber security was one of the nationwide issues discussed at the recent National Ski Areas Association (NSAA) Eastern Winter Conference and Trade Show held at Killington Resort.

Because data breaches pose a risk to every business, The Mountain Times contacted cyber security expert Anne De Vries, who addressed this threat at the conference. De Vries is program manager in network security and privacy for Safehold Special Risk, a subsidiary of Wells Fargo. Safehold provides insurance programs and risk management solutions to a variety of companies, including over 200 ski resorts across the nation.

The following are highlights from her presentation and a client advisory that she provided to The Mountain Times, as well as her answers to our questions.

Data breaches: not a matter of if, but when

De Vries stresses that data breaches are a real threat that can happen to any company/business, citing as examples:

Healthcare data of 1 million N.J. patients compromised since 2009.

Hacker attacks on healthcare providers have jumped 600 percent.

Hackers have published 5 million gmail addresses, passwords.

Breach at Goodwill vendor lasted 18 months.

Home Depot data breach may hit 60 million.

Target puts data breach cost at $148 million.

Skimmer problem grows in Vermont.

Extortion threats in national news.

“You don’t need to be a healthcare company, retailer or financial services company, as companies of all shapes and sizes are targeted by the bad guys every day,” De Vries stated. Some of the ski areas that have experienced a data breach in recent years include Alta, Aspen/Snowmass, Canyons, Crested Butte, Greek Peak, Holiday Valley, Okemo, Snow Creek, Snow Time (breach occurred at payroll processor), Steamboat (human error), Taos, and Telluride.

Costs and impacts

Recovering from electronic disasters or privacy breaches has cost many companies millions of dollars. Lost revenue; crisis management costs (expenses for public relations, consumer breach notification, credit/identity monitoring and forensics); defense and other legal costs for third-party claims and regulatory action, including fines and penalties; and remediation expenses bring the total cost of a data breach to an average of $217 per compromised record in the United States, according to the Ponemon Institute’s 2015 Cost of Data Breach Study.

Intangible costs can include damage to brand, reputation and customer trust; lost productivity; abnormal customer churn rates; risk of consumer termination of their relationship with the company; and loss of competitive edge, De Vries added.

Who bears responsibility?

“Companies are constantly looking to outside vendors for a host of services requiring the sharing of sensitive data. Although partners, such as call centers, credit card processors, payroll and benefits administrators, cloud providers, and other business process outsourcers handle this information, it is the company for which they are providing such services that bears the ultimate responsibility to protect it—and to respond in the event that information is breached, regardless of where that breach or error may occur,” De Vries warned.

What you can do

De Vries emphasized the need to “be prepared and to have an incident response plan.”

Your insurance broker and carrier can help with risk management strategies to prevent a data breach, and with developing a plan that outlines the steps to take after one, so you can limit the damage to your company, including litigation costs and reputational harm.

Since most data losses and thefts happen as a result of negligence or intentional actions by employees who have authorized access to the network, De Vries advises “storing the minimum amount of sensitive information needed in order to do business. Be sure to limit employee access to sensitive information to a need-to-know basis, and educate them on how sensitive data should be handled. When an employee leaves, disable his/her network access code immediately.”

If your business/company accepts credit/debit cards for payment, make sure to follow PCI (payment card industry) compliance standards. There are PCI self-assessments for smaller merchants and third-party assessments for larger ones.

Smaller merchants that do not store card numbers but outsource all card processing to a third party should ask the processor whether it, and the POS (point-of-sale) equipment it provides, are fully PCI-compliant.

“For information that must be retained, be sure it is kept in an encrypted format. Companies often dismiss encryption because it costs money to implement, but it is inexpensive compared to costs for stolen data. If encrypting data in transit, at rest, and on mobile devices is prohibitive, at least focus on mobile devices, such as whole-disk encryption for laptops, and ensure that electronically transmitted data to third parties is submitted in an encrypted format,” De Vries advised.
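As an added illustration of the advice above, the following Go program (not code from the article, De Vries or Safehold) shows what “kept in an encrypted format” looks like in practice for a single retained record: authenticated encryption with AES-256-GCM, a fresh random nonce per record, and the record identifier bound to the ciphertext so a blob cannot be quietly re-attached to a different customer. The sample guest record and record ID are constructed for the example, and the key is generated locally only so the program runs offline; in a real deployment the key would come from a key-management service or HSM, never be stored beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit data key. Generating it here is an
// assumption that keeps the example self-contained; in production the key
// comes from a KMS or HSM and is never written next to the encrypted data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. context (for example the record
// ID) is authenticated but not encrypted, so a ciphertext cannot be moved to
// another record without failing verification. Output: nonce || ciphertext || tag.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per record is what keeps one key safe across many records.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal. Any modified byte, or a mismatched context, fails
// authentication and returns an error instead of silently yielding garbage.
func Open(key, blob, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, context)
}

// Leaks reports whether any plaintext field appears verbatim in the blob,
// a quick sanity check on what is written to disk or sent to a vendor.
func Leaks(blob []byte, fields ...string) bool {
	for _, f := range fields {
		if bytes.Contains(blob, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real guest data.
	recordID := []byte("guest-00042")
	record := []byte(`{"name":"J. Example","card_last4":"4242","dob":"1980-01-02"}`)

	blob, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext visible: %v\n", len(blob), Leaks(blob, "Example", "4242"))

	pt, err := Open(key, blob, recordID)
	fmt.Printf("decrypt ok: %v, matches original: %v\n", err == nil, bytes.Equal(pt, record))

	// A single flipped byte, or the blob attached to a different record ID, is rejected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, recordID)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
	_, err = Open(key, blob, []byte("guest-00043"))
	fmt.Printf("wrong record id rejected: %v\n", err != nil)
}
```

The same Seal/Open pair covers the “data in transit to third parties” case: seal the export with a key the vendor has been given out of band, and the vendor’s Open call will refuse anything altered en route. What it does not cover is key management, which is where most encryption deployments actually fail; keep the key in a KMS or HSM, restrict who can call it, and rotate it on a schedule.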

Asked what businesses and customers can do regarding the current skimmer problem (devices added to credit card machines so perpetrators can steal information) hitting Vermont, De Vries said, “From a merchant perspective, keeping the machines in close proximity to the store clerks, camera surveillance, and anything that prevents the machines from being tampered with unnoticed is prudent. Also, end-to-end encryption and encryption at the PIN pad on all POS terminals is recommended.”

As for customers, she said, “There really isn’t much they can do about this particular threat as they would not be aware that such a device is present on the machine. But all consumers should check their monthly statements, bank accounts as well as their credit reports on a regular basis to be sure that there is nothing suspicious and to be able to act quickly if something is discovered. Many homeowner’s policies offer an endorsement for identity theft coverage and even credit monitoring services for a relatively low additional premium.”

Reminder: check insurance

De Vries added an important reminder: “Check your insurance because traditional insurance has limitations—data is not ‘tangible property’ and there are ‘intentional acts exclusions’ along with ‘territory restrictions.’ Property, general liability, crime, K&R (kidnap and ransom/extortion), E&O (errors and omissions) policies typically don’t cover First Party Privacy/Network risks such as virus/hacker damage to data only, denial of service attack, extortion or threat, sabotage of data; nor Third Party Privacy/Network Risks such as theft/disclosure of private and/or personal information, confidential corporate info breach, media liability (electronic content), virus/malicious code transmission, and privacy breach expense and notification.

“Consider purchasing insurance specifically designed to protect one’s organization/business in the event of a breach and/or to provide coverage for electronic infringements, defamation, misappropriation, plagiarism or unauthorized use of ideas, materials, etcetera.

“Insurance provides coverage for: costs incurred to comply with notification laws, including legal fees to determine a response; forensic costs to investigate what happened; defense and payments of fines due to governmental actions against your company after a privacy breach (such as the Federal Trade Commission, Office of Civil Rights, etc.); defense costs and payment of damages if there are any third-party claims.

“An important benefit is that the carrier offers guidance through a labyrinth of varying state and federal laws to help you comply with your legal obligations as well as to protect your reputation,” De Vries concluded.

Data Breach Preparation Checklist

How is the incident reported and documented?

Do you know who you are going to call?

Internal response team–to include representatives from executive management, information technology, customer service, risk management and security, compliance and audit, legal, public relations/marketing

External response team: First call—privacy counsel/breach coach to assist with determining compliance requirements, understanding of specific laws, when/how to engage law enforcement, timeline obligations for compliance, engagement of external response team players.

Forensic investigator

Notification letters/call center services

Credit/identity monitoring services

Consumer fraud protection–reporting agencies, banks

Public relations firm

How will the effort be funded–insurance?
