protecting your employees from identity theft docs/annual...identity theft may currently be the most...

ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™

Q:\2014\GBS\17\NicheName\20\DCN#.pptx

Protecting Your Employees from Identity Theft Date: May 16, 2016



Presentation Outline

GALLAGHER BENEFIT SERVICES, INC. 2

• Data breach

• Identity Theft

• Impact on public employers, employees

• Risk management considerations



��

Any scenario in which your employee's data might have been exposed.

Examples of just how many different things can be called a data breach:

Accidental Breaches (or employee error)

Employee sends email attaching documents with personal data

Healthcare employee sends patient data using a non-encrypted email

Employee works on a file from home on an unsecured home network

Company’s web hosting software glitch causes exposure of financial data

Intentional Breaches

Hacker breaks into a business’s network and downloads point-of-sale data

Malicious software (malware) on business servers to steal private data

A laptop is stolen containing company data

What is a Data Breach?



��

• 42 percent - intentional, caused by hackers or criminals

• 30 percent - caused by human/employee error (accidental breaches)

• 28 percent - system glitches and vulnerabilities

�

How Do Data Breaches Occur?



��

�

How Common are Data Breaches?

• Multiple major data breaches occur nearly every day in America

• Large scale data breaches made big headlines in 2015 as measured by:

the number of records compromised

the types of data stolen potential threat to specific

groups – example: public employees and their families, including children



Growing Threat & Worsening Consequences 2015 Data Breaches by Category (as of 1/4/2016)

�

Category Percent of Total Records Compromised

Medical/Healthcare 66.7% 112,832,082

Government/Military 20.2% 34,222,763

Business 9.7% 16,191,017

Banking/Credit/Financial 3% 5,063,044

Educational 0.4% 759,600

TOTAL 100% 169,068,506

Medical/Healthcare & Government/Military Comprise 86.9% of Records Compromised.

Source: Identity Theft Resource Center; Data Breach Reports 2015



��

• Identity theft occurs after a data breach

• Identity theft happens when cyber

criminals use stolen data to make

purchases, apply for loans, withdraw

money, or commit fraud

• If a data breach is the moment you lose

data, then identity theft is the moment

criminals use that data for malicious

purposes

�

What is Identity Theft?



Identity theft may currently be the most costly and pervasive crime in the U.S.

In the next 60 seconds, 19 people will become new victims of identity theft.

The most common types of identity theft and the malicious uses:

Driver's license ID Theft• Loan applications• New credit cards and bank accounts• Purchases of considerable value• Theft within your residence

Social Security ID Theft• Replacement Social Security card • Medical and dental care• False passports

Medical ID Theft• Filing false workers' compensation claims• Surgeries, including cosmetic surgeries• Fraudulent disability and liability claims• Insurance claims

Character/Criminal ID Theft• Commission of crimes in your name

http://www.nasdaq.com/article/credit-card-fraud-and-id-theft-statistics-cm520388

�

How Widespread is Identity Theft?



• Financial The average victim reports about $3,500 in losses

• Damaged creditPrevents you from being approved for legitimate purchases, and may never fully be restored

• Time The average victims spends 30 hours. Many spend hundreds of hours and have to take time off work to deal with it

• EmotionalThe mental and emotional stress takes a huge toll on you and your family

�

Repercussions of Identity Theft



��

��

• An individual’s identity is not limited to name, age and your Personally Identifiable Information (PII)

• An identity is comprised of many elements – a professional profile, social media posts, tagged photos and GPS location

The Threat of Identity Theft is Increasing



��

��

• Public employees are at greater risk than the general public

• Employment information is in the public domain

• Potential targets for retribution…Hacktivism is expected to make a comeback in 2016.*

• The U.S. Director of National Intelligence ranks cybercrime as the No. 1 national security threat, ahead of terrorism, espionage and weapons of mass destruction.*

• As nation-states continue to move their conflicts and espionage efforts to the digital world, we are likely to see more incidents aimed at stealing corporate and government secrets or disrupting military operations.*

Public Employees are at Heightened Risk

*2016 Experian Data Breach Industry Forecast



��

��

• Children are 51 times more likely to be victims of identity theft than adults

• Dependent SSNs typically go unmonitored for years

• Children SSNs yet to be filed with any credit agencies

• Fraudsters use children SSNs to establish their own credit, apply for loans and even get work

Children are Especially Vulnerable



�

Retirement Accounts Are Prime TargetsDefined contribution retirement asset theft is on the rise both from identity thieves and dishonest employees.

Why the increase:

• More electronic records • Increased use of technology• Accounts are not monitored as frequently as day-to-day accounts

What can you do:

• Work with a professional financial advisor to monitor your retirement plans• Monitor your account online frequently, looking for drops in your account total• Educate retirees and employees about scammers who target pensioners by encouraging them to give

up future pension payments in exchange for a lump sum of cash (notwithstanding the fact that the assignment of some government pensions is prohibited by federal law).

http://www.themoneyalert.com/ProtectingyourNestEgg.htmlNorth American Securities Administrators Association



https://www.privacyrights.org/ar/PreventITWorkplace.htm

��

Steps An Employer/Plan Sponsor Can Take

• Employee/retiree education is CRITICAL

• Store data in secure systems and use the most up-to-date encryption methods

• Dispose of sensitive material properly (both electronic and hard copy)

• Conduct employee background checks and hold frequent training

• Limit employee access to sensitive information - only those with legitimate needs should have access

• Conduct regular audits to ensure privacy and information are being handled properly



��

Steps An Individual Can Take

• Become familiar with the online fraud policies and recommendations of your financial institution

• Check your accounts every week or two

• Use strong and unique usernames, passwords, and security questions – and change periodically

• Maintain up-to-date anti-virus, anti-spyware, and firewall protection

• As much as possible, don't check your accounts at work, from public computers, or by using a public wireless network, and – log out of your account when finished



��

Steps An Individual Can Take

• Don't give your user name or password to anybody, including financial advisors.

• If you give this information to another person and that person executes a transaction, it's usually considered an authorized transaction that invalidates any protection the institution might offer.

• Never provide personal information, such as your name, account number, or Social Security number, in response to an email.

• Educate family members about the unique risks to public employees and their families from posting personal information or scheduling online or on social media.



��

Early Detection Critical to Mitigating Risk

• Increasing prevalence of companies offering “identity theft protection service”

• Employers considering offering vetted programs to employees, whether via direct pay or payroll deduction• Employer paid coverage now considered a tax favored benefit, regardless of evidence

of breach• Important to understand what you’re buying

• First generation focused on early identification of a possible incidence of ID theft, via credit bureaus

• Evolving programs seeking to identify potential exposure before PII is used



��

Key Features of a Theft Protection Program

• Social Security Number monitoring• Credit monitoring• Near real time alerts• Family coverage options, especially dependent children• Online “Black Market” monitoring of your Personally Identifiable

Information (PII)• Lost wallet protection• Identity theft monitoring• ID verification alerts• Victim recovery assistance• Insurance (not just a service guarantee)…look for “Unauthorized

Funds Transfer”



Data Breach – Fund Perspective

Date: May 16, 2016



Data Breach and Public Entities

http://map.norsecorp.com/#/



• Maybe?– Immunity may not extend as far as you think

• Most states have passed law that even apply to public agencies

• Even if your state has granted immunity you may still have obligations to respond:– Immunity in your home state doesn’t extend to other

states/countries– PR nightmare– Internal nightmares – Federal laws like HIPAA/FERPA

We have Immunity!



Instilling a culture of data privacy awareness• Employees, employees, employees• Meetings, webinars, email campaigns

– Define PII and PHI– Educate on incident reporting procedures– “Report early/report often”

• Reducing risk– Data management – collection, access, storage, eradication– Vendor management

• Unrecognized pathways for breaches

– Policies and procedures

Loss Prevention



Vendor Management

• Controlling contractors and consultants– Centralize engagements– Agreements– Indemnification

• Do contractors/consultants have coverage?– Tech E&O and subtleties between CGL

(1) financial loss of a third party arising from failure of the insured’s product to perform as intended or expected, and

(2) financial loss of a third party arising from an act, error, or omission committed in the course of the insured’s performance of services for another



Procedures and Training

• Institute procedures for reporting:– Laptop thefts– Malware and social engineering threats– Control of removable drives

• Training – Covers all the above



Suggested (Needed?) Policies

• Acceptable use/non-access• Social media/external postings/blogs/instant messaging• Website content• Personal device• Medical privacy

– Internal/external



Breach Readiness• Build the response team

• Internal and external team members

• Draft the breach response plan

• Train employees

• Test the plan



Retain or Transfer the Risk

• Retaining the risk– Have to be aware of the risk

• Financial• Operational• Reputational

– Have experts in place to help with the response• Transfer the risk

– Insurance program– Market has been relatively soft, good time to buy!– Not all policies are created equal– Know your policy



Cyber Liability Insurance

• What does it cover?– Privacy liability– Breach notification– Media liability– System damage & business interruption– Regulatory proceedings– Threats & extortion– PCI fines




• What does it cover?– Claims made policy form – Pre-approved counsel– Definition of a claim– Retentions can vary – flat dollar and time




• Know how to use the policy!– Expert resources … experience matters– Negotiated partnerships with privacy counsel, incident

response vendors = more value for your insurance dollars– Helps ensure compliance, protects reputation, ensures

operational efficiencies, preserves jobs




• Claims are on the rise:

– 2015 broke the record of 2012

– Is it a cyber claim or a crime claim?



THANK YOU!

Don R. HeilmanArea Sr. Vice PresidentGallagher Benefit Services, [email protected]

Brandon C. ColeArea Vice PresidentArthur J. Gallagher & [email protected]

protecting your employees from identity theft docs/annual...identity theft may currently be the most...

Documents