How to Remediate After Data Breach Occurs

Cyber security has continued to evolve and dominate headlines. New data breaches in 2016 were revealed at popular hotels and fast-food chains following news from prior years on major data breaches in store retail chains. No one is immune to the threat.

A new Senate bill was introduced in December mandating companies to disclose the general knowledge of its board of directors on cyber security policies and procedures. How do companies and consumers recover their data and maintain their relationship?

Commercial Cyber Insurance

Commercially, risk mitigation begins with a combination of risk management practices and cyber liability insurance. Cyber liability products have grown from errors and omissions insurance, the addition of network and internet security coverage, to stand-alone policies that give specific attention to breaches of confidential information. Other types of companies outside of the technology industry began purchasing coverage to protect against loss of consumer data, provide consumer privacy and prevent theft. There are now a variety of ways to protect against specific cyber exposures. These policies have four general components:

Errors and Omissions covers claims from errors in service performance in traditional professions as well as technology services like software and consulting.

Media liability focuses on advertising injury claims involving infringement of intellectual property, copyright or trademark violation, and defamation.

Network Security deals with information accessed due to a failure of your security system leading to a consumer data breach, data destruction, transmission of viruses, or cyber extortion.

Privacy involves a breach of physical records, like files tossed in the trash, a lost corporate laptop, or accidentally sending a file of customer data to the wrong address. Most insurance policies exclude fines or penalties, but network security and privacy breach policies have components to cover fines related to a data breach.

Both privacy and network security additionally cover third-party liabilities such as when consumers sue or make claims against the business or when regulators request records. As with any insurance, individual policy sub-limits, deductibles, and limits in Cyber Liability Coverage apply and can vary.

Risk Management Practices

Developing a data breach response plan has become equally necessary. Businesses, by law, have 60 days to notify affected individuals of the security breach or face fines, risking their reputation and customer loyalty resulting in lost revenue. External help can be contracted for completing a response in areas of legal compliance, public relations, and a resolution partner experienced in carrying out different areas of the plan.

A company experiencing a breach must:

• Contact law enforcement
• Make a public announcement
• Launch a website explaining the details to consumers
• Notify consumers of pertinent facts by email and mail campaigns with instructions on how to prevent theft, offer free credit monitoring for identity protection
• Be prepared to respond to all inquiries.

Michael Bruemmer, Vice President at Experian Data Breach Resources explains, companies “need to take action to test their plans, practice them regularly, and improve their plan on a continual basis”. It’s just as important to update data breach response plans for constantly changing technology threats and adjustments to other internal company processes that might also affect them.

Quarterly checks:

• Update the response team contact list
• Verify the data breach response plan is broad
• Double check vendor contracts for security requirements
• Review guidelines on notification of affected individuals
• Check third parties accessing your data (The Healthcare industry needs to obtain business associate agreements (BAAs) and ensure they coincide with HIPAA law)
• Assess IT Security
• Verify staff security knows the plan response

As more companies attain a global presence, the potential for a global breach may be likely and similar to reacting to a natural disaster. It would involve communications in several languages, varying international laws, and many cultures with conflicting views of privacy. The more prepared a business is locally, the better they will be prepared for breaches of a larger scope.

Consumer Information Breach

Hundreds of data breaches occur yearly now and millions of personal records have been breached
from major brands to smaller ones in many types of industries including healthcare, retail and manufacturing.

After big data breaches are exposed, scammers take the opportunity to steal personal information. Fraudulent emails offer free credit monitoring and can lead to phony sites designed to grab bank information and passwords. It is safer to go to a store’s site directly instead of clicking on links.

Types of Breaches

Credit or debit card information
If you used a debit card, funds are easily stolen from your bank account leaving you with overdrafts fees and no access to money needed to pay your bills. If you used a credit card, you can dispute any falsified transactions before paying a bill and still have access to the money in your account.

Other existing financial account
Contact your bank, explain the information involved in the breach and inform them in writing about any suspicious transactions you may have noticed. Request to have the compromised card replaced. Set up text alerts for banking transactions and set up online banking for quicker, easier viewing of statements. You’ll need to check every month for unauthorized charges. Some may be surprisingly small amounts that can add up when multiplied by access to millions of accounts. Others may be a test to check if you are monitoring your account before making a larger purchase.

Driver’s license number and other government-issued ID
Contact the Department of Motor Vehicles or related agency and flag your file. You may have to order a replacement document.

Social Security number
Place a new account fraud alert on your credit report with any of the 3 major credit reporting agencies, (Experian, Transunion, Equifax), it can take a while to become aware of new accounts opened in your name and it will be monitored. Contact the Social Security Administration. You can also check your credit for free every 12 months at AnnualCreditReport.com.

Preventative Measures

Malicious software can be lurking in many check-out terminals at the store and online. There are measures to protect yourself.

• Newer ways to pay, such as PayPal or Apple Pay and any technology allowing you to avoid having your credit card with you in a store.
• Stored-value cards or apps like the ones used at coffee chains that are pre-paid, don’t expose credit card information at the register.
• If you’re planning on paying with a debit card, process the card as a credit card to avoid having to enter your PIN into a keypad.
• If you are really concerned, use cash. Security will get stronger, but hackers are resilient.
• Use a Chip-Enabled credit or debit card with (EMV) technology, recently implemented to help deter fraud by preventing duplicated transactions. Shop in stores that use the Chip-Enabled Card processing machines. Some stores have not completed the upgrade yet.
• An eCommerce website accepting credit card payments should show details of their security process, and display a “trusted mark” like an SSL certificate or Trusted Site Certified Privacy icon from Google. Look for this information to determine your safety.

Individual Homeowner’s Policies

Many homeowners’ insurance policies now have identity-theft coverage, including credit monitoring and a case manager who can help. Individuals who keep most of their money in bank checking or savings accounts and use credit cards are typically at a lesser risk because banks and credit-card issuers usually offer protection against fraud related liability. People with investment or other types of accounts should look to their advisor and ask whether they offer written guarantees protecting clients from a breach.

Some insurance companies take a step further with cyber protection offering home security audits and inspecting your home computers. These are aimed at individuals with large financial investments and assets that regularly access sensitive data from home and mobile systems. They should look at what their banks and brokerages have in place already and determine if they need extra protection.

A Specific Look at the Healthcare Industry

Data mining is notorious in the health care space. Carefully inspect the pages you visit to protect your privacy. A business in the health care industry gathers patient information according to the Health Insurance Portability and Accountability Act (HIPPA) laws and if they interact with children online, they must comply with the Children’s Online Privacy Protection Act (COPPA). The HIPAA Omnibus rule became law in September of 2013 to levy fines, conduct audits and add enforcement regarding requests for patients’ protected health information. Like all other companies, they need a risk management team to assess security breaches and be covered by cyber liability insurance and not all HIPAA-covered facilities have addressed the issue of a data breach or the resulting fines.

In an article by Lauri Floresca at Woodruff, Sawyer, and Company, in 2014, she explains a situation with a company called Triple-S Management Corp, a health insurance company in Puerto Rico. The data breach was a mistake, and it involved direct mail,” says Lauri, but it “displayed and compromised more than 13,000 Medicare Health Insurance Claim Numbers.”

There are cyber insurance policies in the health care industry that cover extensive forms of data exposure, from compromised technology to human error mistakenly revealing patient health information like the incident in Puerto Rico. There have been cases of improper destruction of patient health records. Unknowingly exposing patient information through data storage happened when Affinity Health Plan leased a photocopier and returned it with stored electronic private data inside.

Medical identity theft includes stolen Protected Health Information (PHI) and Personally Identifiable Information (PII) from another individual. Fraud is defined as using the health information of others for personal gain by another individual, and medical identity fraud can involve monetary gain from both the sale of and use of PHI/PII when obtaining health products and services. Victims are not only the people whose identity is stolen, unfortunately, the healthcare providers, insurance companies and taxpayers, and consumers paying higher prices resulting from losses caused by theft and fraud.

Reason for health care system breaches:

1. The sheer volume of electronic data considered Protected Health Information (PHI).
2. Continually changing regulations.
3. A recent substantial increase in individuals with healthcare benefits.
4. More alternative care and information delivery systems outside of health facilities.
5. PHI has become more valuable to hackers and criminal organizations.

Medical Identity Fraud Alliance (MIFA) is the first public/private cooperative specifically uniting those in the health care industry to jointly develop answers to health specific security problems and best practices for the prevention, detection and remediation of medical identity fraud. According to MIFA, investments and priorities are in the process of being made by the industry now.

The Age of Technology

There have been unbelievable advances in the world due to rapid growth in technology. Many companies have extensive amounts of private data and a responsibility to protect it. The potential losses can be great and the insurance industry has had to develop new policies to accommodate for data security. They will not cover losses for companies who have not attempted to prevent a catastrophic loss of private consumer data with the measures described in the breach response plan. Individuals need to understand the risks involved and learn how to safely access and provide information by understanding privacy laws, responding to breach notifications and asking questions, and identifying fraudulent or suspicious websites looking for personal information.