Sharon Lyon NetDiligence® eRiskHub® Support Team President Lion’s Share Marketing Group, Inc.


Post on 18-Jan-2016



Topics for Today’s Discussion

• What Counties are Facing – Recent County Breaches

• Loss Control
  – Pre-Planning Your Response
  – Helping Counties Reduce Their Risk

• eRiskHub®: CRL + NetDiligence® + eRiskHub® + YOU
  – Resources in the eRiskHub®
  – Customizing the Hub for Your Pool
  – Getting Counties Engaged & Using the Hub


Real Incidents at Counties

• Osceola County, FL (Unknown; Staff Mistake): The names for every child charged in court cases and names of children in their foster system were inadvertently exposed on the county website.

• Salt Lake County, UT (3,000; Third-Party Vendor): Social Security numbers and personal medical information of Salt Lake County employees were exposed for several months.

• Baltimore County, MD (6,600; Rogue Employee): The Baltimore County Police Department says it has uncovered personal information of 6,600 county employees on computers seized from a contractor.


Real Incidents at Counties

• Cumberland County, NC (180; Staff Mistake): Sheriff's Office announced that a new software update intended to automatically post regular arrest lists on the department's Facebook page was inadvertently set to release Social Security numbers of those arrested.

• Muscogee County, GA (20; Staff Mistake): Employee sent an email intended to warn female deputies about a potential defect in Point Blank body armor that contained the deputies' names, the serial numbers of their body armor, and their physical characteristics including height, weight, chest and bra cup size.

• North East King County, WA (6,231; Hacker): Security breach of a server that stored records of an estimated 6,000 medical responses for three different county fire departments. The breached files also contained personnel data for 231 full-time and volunteer firefighters.


Real Incidents at Counties

• Bergen County, NJ (1,500; Rogue Employee): Employee allegedly stole the names, Social Security Numbers, and birth dates of patients at The Valley Hospital in Ridgewood, Englewood Hospital and Medical Center, and Holy Name Medical Center in Teaneck.

• Lancaster County, SC (100,000; Loss/Theft): County EMS is notifying patients of a potential data breach after discovering two flash drives and two hard drives missing from a county building.

• Tunica County, MS (Unknown; Staff Mistake): Personal information of students in the Tunica County School District was inadvertently posted on the county website.


Real Incidents at Counties

• Prince George's County, MD (10,000; Staff Mistake): A document that contained Prince George's County Public School System employees' personal information was emailed outside of the district to the personal addresses of certain staff.

• Tulare County, CA (???; Staff Mistake): An employee sent an email containing PHI and neglected to encrypt and blind copy the recipients of the email.

• Monterey County, CA (144,493; Hackers): County residents’ personal data may have been exposed when a Monterey County computer was compromised by unauthorized users from overseas.


Loss Control


Pre-Plan Breach Response

By working with your counties to help them pre-plan their response to the inevitable breach event, your pool can:

• Reduce the cost to respond (crisis services)

• Shorten the response timeline

• Ensure compliance with regulatory requirements

• Reduce/eliminate additional losses due to charges of negligence


Claim Payouts for Crisis Services

[Chart: Average Cost and Median Cost by year, 2011 to 2015, in thousands]

Based on findings from annual NetDiligence® Cyber Liability & Data Breach Insurance Claims study


Timeline of a Breach

[Figure: October and November calendar showing the phases Loss, Mgmt Aware, Insurer & Coach, Forensics, Notice Prep, PR Issued & Notices Sent, Victim Inquiries, State AG]

48 Days (used to take 60+ days)


The Role of Breach Coach®

• Prevent costly mistakes

• Expedite recovery

• Notify and coordinate with State AGs and regulatory agencies

• Strengthen the county’s defensive position


Help Counties Reduce Their Risk

Biggest risk for counties? INSIDERS! Verizon 2015 DBIR Confirms:

• People are the Weak Links – staff accounts for nearly 90% of all security incidents
  – Errors - 30%
  – Crimeware - 25%
  – Insider Misuse - 20.6%
  – Physical Theft/Loss - 15%

• Bad Guy Methods & Targets:
  – Phishing (1-in-4 opened phish email and 1-in-10 clicked on infected attachment) (EDUCATION!!!)
  – Theft of $: Most web attacks followed this flow: phish -> get credentials -> abuse web application -> steal money
  – Leading Sectors: Public; Financial Services; Hospitality; Manufacturing; Retail; Healthcare


Comprehensive Resource for:

• Prevention (pre-breach)

• Recovery (post-breach)

Whether you want to help counties prevent or recover from a cyber attack or data breach, you can find what you need—when you need it—in the eRiskHub portal.


A One-Stop-Shop for Cyber Services

• Homepage gives you a place to speak directly to pool members

• Incident Roadmap spells out the steps to take in the event of a breach

• Risk Manager Tools help manage cyber risk more effectively

• News Center monitors breach events and trends

• Learning Center provides best-practices articles, white papers & on-demand webinars

• Security Awareness provides downloadable guide to best-practices for employee security awareness training and full-length videos of onsite security training provided by CRL last year

• eRisk Resources directory features qualified third-party providers of pre- and post-breach services


Customizing the Hub for Your Pool

• Branding – logo, colors, page banners, buttons, etc.

• Content
  – Homepage – information filtered and/or tailored for your counties
  – Incident Roadmap – your pool’s breach response/cyber claim procedures and contact information

• Unique login/registration page or access from your existing members-only (secured) website


Getting your Counties Engaged

Initial Introduction to Counties

• Big Announcement: Press release, email blast, feature on your website

• Introduce your Hub via webinar (NetDiligence can host/demo for you)

• Be sure to send registration instructions!

Ongoing Promotion

• Feature content in newsletters, blog posts, website, meetings, etc.

• Watch the News Center for incidents involving counties – share the stories with your counties

• Ask NetDiligence to do a Cyber Risk educational webinar for your counties

• Share success stories (with permission)


Sharon Lyon

NetDiligence® eRisk Hub® Support Team

[email protected]

President, Lion’s Share Marketing Group, Inc.

[email protected]

Thank you!