ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Q:\2014\GBS\17\NicheName\20\DCN#.pptx
Protecting Your Employees from Identity Theft
Date: May 16, 2016
Presentation Outline
• Data breach
• Identity Theft
• Impact on public employers, employees
• Risk management considerations
What is a Data Breach?
Any scenario in which your employee's data might have been exposed.
Examples of just how many different things can be called a data breach:
Accidental Breaches (or employee error)
• Employee sends email attaching documents with personal data
• Healthcare employee sends patient data using a non-encrypted email
• Employee works on a file from home on an unsecured home network
• Company’s web hosting software glitch causes exposure of financial data
Intentional Breaches
• Hacker breaks into a business’s network and downloads point-of-sale data
• Malicious software (malware) on business servers to steal private data
• A laptop is stolen containing company data
How Do Data Breaches Occur?
• 42 percent - intentional, caused by hackers or criminals
• 30 percent - caused by human/employee error (accidental breaches)
• 28 percent - system glitches and vulnerabilities
How Common are Data Breaches?
• Multiple major data breaches occur nearly every day in America
• Large scale data breaches made big headlines in 2015 as measured by:
  – the number of records compromised
  – the types of data stolen
  – potential threat to specific groups – example: public employees and their families, including children
Growing Threat & Worsening Consequences
2015 Data Breaches by Category (as of 1/4/2016)

Category                    Percent of Total    Records Compromised
Medical/Healthcare          66.7%               112,832,082
Government/Military         20.2%               34,222,763
Business                    9.7%                16,191,017
Banking/Credit/Financial    3%                  5,063,044
Educational                 0.4%                759,600
TOTAL                       100%                169,068,506

Medical/Healthcare & Government/Military Comprise 86.9% of Records Compromised.
Source: Identity Theft Resource Center; Data Breach Reports 2015
What is Identity Theft?
• Identity theft occurs after a data breach
• Identity theft happens when cyber criminals use stolen data to make purchases, apply for loans, withdraw money, or commit fraud
• If a data breach is the moment you lose data, then identity theft is the moment criminals use that data for malicious purposes
How Widespread is Identity Theft?
Identity theft may currently be the most costly and pervasive crime in the U.S.
In the next 60 seconds, 19 people will become new victims of identity theft.
The most common types of identity theft and the malicious uses:
Driver's license ID Theft
• Loan applications
• New credit cards and bank accounts
• Purchases of considerable value
• Theft within your residence
Social Security ID Theft
• Replacement Social Security card
• Medical and dental care
• False passports
Medical ID Theft
• Filing false workers' compensation claims
• Surgeries, including cosmetic surgeries
• Fraudulent disability and liability claims
• Insurance claims
Character/Criminal ID Theft
• Commission of crimes in your name
http://www.nasdaq.com/article/credit-card-fraud-and-id-theft-statistics-cm520388
Repercussions of Identity Theft
• Financial: The average victim reports about $3,500 in losses
• Damaged credit: Prevents you from being approved for legitimate purchases, and may never fully be restored
• Time: The average victim spends 30 hours. Many spend hundreds of hours and have to take time off work to deal with it
• Emotional: The mental and emotional stress takes a huge toll on you and your family
The Threat of Identity Theft is Increasing
• An individual’s identity is not limited to name, age and Personally Identifiable Information (PII)
• An identity is made up of many elements – a professional profile, social media posts, tagged photos and GPS location
Public Employees are at Heightened Risk
• Public employees are at greater risk than the general public
• Employment information is in the public domain
• Potential targets for retribution… Hacktivism is expected to make a comeback in 2016.*
• The U.S. Director of National Intelligence ranks cybercrime as the No. 1 national security threat, ahead of terrorism, espionage and weapons of mass destruction.*
• As nation-states continue to move their conflicts and espionage efforts to the digital world, we are likely to see more incidents aimed at stealing corporate and government secrets or disrupting military operations.*
*2016 Experian Data Breach Industry Forecast
Children are Especially Vulnerable
• Children are 51 times more likely to be victims of identity theft than adults
• Dependent SSNs typically go unmonitored for years
• Children's SSNs have yet to be filed with any credit agencies
• Fraudsters use children's SSNs to establish their own credit, apply for loans and even get work
Retirement Accounts Are Prime Targets
Defined contribution retirement asset theft is on the rise both from identity thieves and dishonest employees.
Why the increase:
• More electronic records
• Increased use of technology
• Accounts are not monitored as frequently as day-to-day accounts
What can you do:
• Work with a professional financial advisor to monitor your retirement plans
• Monitor your account online frequently, looking for drops in your account total
• Educate retirees and employees about scammers who target pensioners by encouraging them to give up future pension payments in exchange for a lump sum of cash (notwithstanding the fact that the assignment of some government pensions is prohibited by federal law).
http://www.themoneyalert.com/ProtectingyourNestEgg.html
North American Securities Administrators Association
Steps An Employer/Plan Sponsor Can Take
• Employee/retiree education is CRITICAL
• Store data in secure systems and use the most up-to-date encryption methods
• Dispose of sensitive material properly (both electronic and hard copy)
• Conduct employee background checks and hold frequent training
• Limit employee access to sensitive information - only those with legitimate needs should have access
• Conduct regular audits to ensure privacy and information are being handled properly
https://www.privacyrights.org/ar/PreventITWorkplace.htm
Steps An Individual Can Take
• Become familiar with the online fraud policies and recommendations of your financial institution
• Check your accounts every week or two
• Use strong and unique usernames, passwords, and security questions – and change periodically
• Maintain up-to-date anti-virus, anti-spyware, and firewall protection
• As much as possible, don't check your accounts at work, from public computers, or by using a public wireless network, and log out of your account when finished
Steps An Individual Can Take
• Don't give your user name or password to anybody, including financial advisors.
• If you give this information to another person and that person executes a transaction, it's usually considered an authorized transaction that invalidates any protection the institution might offer.
• Never provide personal information, such as your name, account number, or Social Security number, in response to an email.
• Educate family members about the unique risks to public employees and their families from posting personal information or scheduling online or on social media.
Early Detection Critical to Mitigating Risk
• Increasing prevalence of companies offering “identity theft protection service”
• Employers considering offering vetted programs to employees, whether via direct pay or payroll deduction
• Employer paid coverage now considered a tax favored benefit, regardless of evidence of breach
• Important to understand what you’re buying
• First generation focused on early identification of a possible incidence of ID theft, via credit bureaus
• Evolving programs seeking to identify potential exposure before PII is used
Key Features of a Theft Protection Program
• Social Security Number monitoring
• Credit monitoring
• Near real time alerts
• Family coverage options, especially dependent children
• Online “Black Market” monitoring of your Personally Identifiable Information (PII)
• Lost wallet protection
• Identity theft monitoring
• ID verification alerts
• Victim recovery assistance
• Insurance (not just a service guarantee)… look for “Unauthorized Funds Transfer”
Data Breach – Fund Perspective
Date: May 16, 2016
Data Breach and Public Entities
http://map.norsecorp.com/#/
We have Immunity!
• Maybe?
  – Immunity may not extend as far as you think
• Most states have passed laws that even apply to public agencies
• Even if your state has granted immunity you may still have obligations to respond:
  – Immunity in your home state doesn’t extend to other states/countries
  – PR nightmare
  – Internal nightmares
  – Federal laws like HIPAA/FERPA
Loss Prevention
Instilling a culture of data privacy awareness
• Employees, employees, employees
• Meetings, webinars, email campaigns
  – Define PII and PHI
  – Educate on incident reporting procedures
  – “Report early/report often”
• Reducing risk
  – Data management – collection, access, storage, eradication
  – Vendor management
    • Unrecognized pathways for breaches
  – Policies and procedures
Vendor Management
• Controlling contractors and consultants
  – Centralize engagements
  – Agreements
  – Indemnification
• Do contractors/consultants have coverage?
  – Tech E&O and subtleties between CGL
    (1) financial loss of a third party arising from failure of the insured’s product to perform as intended or expected, and
    (2) financial loss of a third party arising from an act, error, or omission committed in the course of the insured’s performance of services for another
Procedures and Training
• Institute procedures for reporting:
  – Laptop thefts
  – Malware and social engineering threats
  – Control of removable drives
• Training
  – Covers all the above
Suggested (Needed?) Policies
• Acceptable use/non-access
• Social media/external postings/blogs/instant messaging
• Website content
• Personal device
• Medical privacy
  – Internal/external
Breach Readiness
• Build the response team
• Internal and external team members
• Draft the breach response plan
• Train employees
• Test the plan
Retain or Transfer the Risk
• Retaining the risk
  – Have to be aware of the risk
    • Financial
    • Operational
    • Reputational
  – Have experts in place to help with the response
• Transfer the risk
  – Insurance program
  – Market has been relatively soft, good time to buy!
  – Not all policies are created equal
  – Know your policy
Cyber Liability Insurance
• What does it cover?
  – Privacy liability
  – Breach notification
  – Media liability
  – System damage & business interruption
  – Regulatory proceedings
  – Threats & extortion
  – PCI fines
Cyber Liability Insurance
• What does it cover?
  – Claims made policy form
  – Pre-approved counsel
  – Definition of a claim
  – Retentions can vary – flat dollar and time
Cyber Liability Insurance
• Know how to use the policy!
  – Expert resources … experience matters
  – Negotiated partnerships with privacy counsel, incident response vendors = more value for your insurance dollars
  – Helps ensure compliance, protects reputation, ensures operational efficiencies, preserves jobs
Cyber Liability Insurance
• Claims are on the rise:
– 2015 broke the record of 2012
– Is it a cyber claim or a crime claim?
THANK YOU!
Don R. Heilman, Area Sr. Vice President, Gallagher Benefit Services, [email protected]
Brandon C. Cole, Area Vice President, Arthur J. Gallagher & [email protected]