Digital records kept by medical providers contain highly sensitive data, such as test results, diagnoses, and financial information. And chances are very good that somewhere there is a medical data server holding information about you. So, it’s easy to see why the all-too-frequent security breaches in hospitals and doctors’ offices are quite disturbing.
There have been several instances reported in the last quarter of 2011. Back in October, a desktop computer was stolen from Sutter Medical Foundation’s office in Sacramento, California. According to the Privacy Rights Clearinghouse, 4.2 million patients have potentially had data exposed.
Not surprisingly, lawsuits are already being filed against Sutter, claiming it failed to notify patients of the breach in a timely manner, and that it failed to adequately protect its computer equipment.
Also this fall, Emory Healthcare in Atlanta revealed a much different kind of data breach: One of its former employees allegedly printed off copies of patients’ hospital bills and passed them off to a crime ring, which then allegedly used the data – including Social Security numbers and dates of birth – to file fraudulent tax returns in the patients’ names. The Atlanta Journal Constitution reports that Emory mailed thousands of its patients a notification letter.
According to an article in the Sun Herald newspaper just last week, the University of Mississippi Medical Center fell victim to records theft when a laptop assigned to a faculty member was not secured properly and was subsequently stolen. The data pertained to medical studies the university was conducting, and some records contained potentially sensitive information.
These three instances illustrate how easily customer and patient data can fall into the wrong hands. If that data is lost or compromised, the cost to try to repair the damage can run into the thousands of dollars per record!
In spite of the steady stream of news reports about cyber hacking in the popular media, the vast majority of US businesses are still not covered by a cyber liability policy. That’s a shame, because the costs associated with just one data breach incident could literally put many of these companies out of business.
Imagine yourself elbow to elbow with a crowd of pre-Christmas shoppers at your favorite department store or retail outlet. Your cell phone rings. It’s an automated call from your bank. The bank’s security department is calling to warn you that an identity thief may have compromised your checking account. They want you to call back right away so that the matter can be resolved before your account is completely drained.
Panicked, you immediately forget that once in a lifetime deal on a flat screen TV you were vying for only a moment earlier. Thank goodness your bank’s security team is on the ball! You call the number listed in the message and get an automated response asking you to verify your account information and password by typing it onto your phone’s keypad.
Or maybe you find yourself in a slightly different scenario: You receive a text message from your bank. This time you are asked to click on a link that takes you to a “security department” that asks you for that account and password information. Since you have a smart phone with a data plan, you can go directly to that link and ultimately provide the asked for personal information.
Even though you might feel an immediate sense of relief and be pleased that you have avoided financial disaster, you have actually just been fooled into diving right into a widespread hoax. In the first scenario you were “vished” and in the second you were “smished.”
Like phishing emails that computer users are by now well accustomed to seeing crop up on their home or office computers, vishing and smishing are fraudulent communications from confidence schemers and cyber hackers. Vishing gets its name from combining voice communications with phishing, and smishing is the use of text messages, also known as SMS text, to do the phishing.
Plausibility of communication and the readily recognizable brand name of the sender are the cornerstones of this scheme. In fact, cyber criminals make their messages appear to come from some of the most well-known and trusted financial institutions. According to a USA Today article, among them are Bank of America, Wells Fargo, Capital One, Citibank, and Chase.
A report from MSNBC outlined a recent vishing attack under the banner of Santa Barbara Bank & Trust. An email blast was sent to cell phones in the Santa Barbara, California, area code asking account holders to respond to a customer service phone number that was also in the same area code. People who responded were asked to enter their 16 digit card numbers on their phone’s keypad. (With the advent of Voice over Internet Protocol, or VoIP, a local area code can be used from anywhere in the world.)
Using VoIP, computer criminals can set up automated dialing protocols to text or call large groups of cell phone users in specific areas and catch consumers at a most vulnerable moment. The Christmas shopping season is well known for stresses on consumers and receiving one of these phone warnings escalates that stress level 100%. Shoppers who have made a number of purchases with debit or credit cards are immediately affected by the sense of urgency that scammers want us to feel.
We are also more likely to feel more urgency when the message comes via our cell instead of our computer. Smart phones also contain inherent physical characteristics that stimulate response to these scams. For example, phone screen size makes it more difficult to detect fake web addresses and other anomalies common in a scam.
Obviously, vishing and smishing pose dangers for individual consumers. Bank accounts and credit card accounts are at risk and criminals from all over the world are joyful at the seasonal opportunity to steal millions. But the danger extends beyond individuals.
Smart phones make companies vulnerable to vishing and smishing as well, if an employee is combining personal and company use on a single smart phone. The device, once hacked, is a target for malware that can glean other information – such as proprietary company data.
Cyber criminals are smart. They manipulate shoppers into a stressful situation, and trick them into giving away data during the busiest retail season. Phone users need to be even smarter: Never respond to any request for personal account data sent over a text or voice message. If in doubt, call the bank or credit card company from a phone number listed on an account statement, and never feel pressured to impulsively respond through an unknown web link.
In 2008, a Fox News article reported that two 18-year-olds in Orange County, California, hacked into their school’s computer network to alter grades and steal test material. One of the boys had infiltrated the school network multiple times and was charged with 69 felony counts which could add up to over 38 years in prison. The charges against him included altering and stealing public records, computer fraud, burglary, identity theft, receiving stolen property, and conspiracy.
Non-student criminals are also a concern for schools: Adult thieves may be involved in burglaries of hardware from laptops to smart phones to computer hard drives, in addition to remote hacking. These physical thefts give the perpetrators more time to lift data from stolen devices.
Because schools involve numerous operations beyond the classroom, they have a broad exposure to cyber risks: Schools present a multilayered profile that includes computer database administration, health care services, financial services, and possibly even retail merchandising activities. Data breach in any of these areas can be catastrophic.
In order to prevent such disasters, schools need to recognize all the businesses they are actually involved in and the cyber risks associated with these activities.
Here’s a checklist of some potential school data that is sensitive, private, or both:
- Personal information of students, including contact information and Social Security numbers;
- Financial information of tuition-paying parents, as well as that of students who receive financial aid;
- Financial information of teachers, including payroll, pension/401k, and tax withholding data;
- Student medical and health information, including health insurance documents;
- Teacher employment records, including background checks and peer reviews;
- Cognitive profiles of students receiving special services or accommodations;
- Credit card data of parents, students, or alumni who make purchases at a school store;
- Fundraising data, including financial information and donor names and contact information.
Web sites with parent portals and alumni web sites present privacy concerns, both in terms of data that can be accessed, as well as media content that may be subject to copyright or trademarks. Furthermore, data such as bus schedules can be used to stalk students, and vendor service companies can be defrauded electronically using data from sources like public school meal programs.
Schools that sponsor social media for teachers or alumni departments are subject to a whole different set of risks.
Schools’ duty to ensure the security of their records is regulated on both a federal and state level.
- FERPA affords parents or eligible students the right to inspect all personal records held by schools and requires schools to keep private all student records except under specified situations.
- HIPAA protects the privacy of personal health and health insurance information.
- FCRA regulates the privacy of financial transactions and information.
- PCI-SSC standards ensure the privacy and accuracy of credit card transactions.
Schools and their insurance advisors should review all the potential sources of data breach and devise strategies of data protection and crisis and notification planning. Equally important, schools need to acquire insurance that includes protection for loss of data, regulatory costs, third party liability, and media content.
For more detailed information on cyber risks faced by schools, read our full-length article on the topic.
Nearly all computer users have experienced the invasion of tracking devices known as cookies. These devices invade a computer when a user visits merchant or other websites while looking for a great deal or just researching product information.
Consumers dislike cookies because these digital organisms collect personal information about you and send it back to their host: an advertising network. That information can include your purchasing habits, your location, your age or demographic group, and even your general financial status. Triggering your computer to send this information back to the host slows your computer’s responsiveness; however, a far more intrusive aspect of cookies is the invasion of privacy.
Web surfers are accustomed to the process of deleting these pests on a regular basis to keep personal information personal and out of the hands of advertisers. But a new generation of cookies has been fighting back.
Known as Flash cookies, these tracking bugs are dead cookies resurrected by hijacking legitimate Adobe Flash software you have previously installed. The cookies are re-spawned inside your computer faster than a dead G.I. in a combat video game. Moreover, they are hiding in computer directories not governed by traditional web browser privacy controls; directories which users are not normally aware of, such as “etag” cache files or Flash local storage. Controls and privacy settings cannot be found on your computer or web browser. They exist only on Adobe’s Flash software website and are not easily located.
In fact, the surprise and privacy concerns over these zombies result specifically from the fact that computer users, believing they have purged their systems, do not realize they are still being tracked. Infuriated online consumers have brought a number of lawsuits against the technology companies that have engineered this tracking as well as suits targeting customers of those web technology firms.
An article on wired.com reported in July 2010 on an imminent group of legal cases, and over the last 14 months there have been six class-action lawsuits. One set of defendants consisted of the technology firm Quantcast and its customers, NBC Universal and HULU. Another set centered on Clearspring Technologies and its customers, Disney/ABC and Warner Brothers Records. These lawsuits and another one against Specific Media, Inc. were settled for $3.4 million.
The lawsuits are about privacy rights, specifically the right of users of online services to determine for themselves how their Internet activities and personal information can be “harvested and disseminated,” according to a New York Times article. However, plaintiffs are finding the court process hard going.
A suit against advertising firm Interclick and its customers, which include McDonald’s, Microsoft, and Mazda, failed on the grounds that no significant damage to the plaintiffs had occurred. According to a legal blog, the claim was brought under New York State’s Computer Fraud and Abuse Act and alleged impairment to the plaintiff’s computer, injury due to the collection of private information, and injury from Internet service interruption.
The court rejected the plaintiff’s injury claims saying that damage, if any, was negligible under the requirements of the CFAA. In other words, the plaintiff had not been sufficiently injured in terms of computer impairment, the unauthorized collection of personal information, or service interruption in order for the court to sanction the defendants. The court also declared that the various advertisers who used Interclick services were not legitimate targets of such lawsuits.
Plaintiffs, on the other hand, said their desire to not be tracked was clearly declared by the action of deleting the cookies they knew about and the very act of countermanding that desire is an unacceptable invasion of privacy no matter what economic or technological damages may result.
Plaintiffs are now asking where the Federal Trade Commission stands in this matter and whether national and state privacy legislation will be strengthened. Ultimately, the court of public opinion expressed in purchasing habits that move away from the Internet and toward brick and mortar merchants may influence Internet advertising networks. In the meantime, Flash cookies will continue to be a nuisance for online consumers as long as the courts do not see merit in the complaints.
The global security firm RSA, a major provider of data encryption and identity assurance, announced back in March that it had been hacked. As disturbing as the initial revelation was, there is now even more bad news: The cyber attack that compromised RSA also targeted more than 700 other companies, including nearly 20% of all Fortune 100 firms!
A full list of the businesses which fell victim to the attack has been given to Congress, and has also been published by security expert Brian Krebs in a blog post on his web site. Some of the companies named include Charles Schwab, eBay, Wachovia, and Wells Fargo.
Even tech titans like Cisco, Facebook, Google, IBM, and Intel fell prey. So did the military contractor Northrop Grumman, as well as government entities including the IRS and Freddie Mac.
Are you nervous yet? Obviously, it is disconcerting to learn that even giant corporations, which spend millions on security, can’t fortify their networks against raids on sensitive data. But it is important to note that in this particular instance, experts believe that the attacks were conducted by a nation-state, and that many of the networks used in the attacks are in China. Still, the US has not yet formally accused any country of wrongdoing.
OK, so your company probably isn’t on the radar of any group sophisticated enough to wage an international cyber war. But this developing story demonstrates how dangerous data breaches can be, and how difficult they are to prevent. And since the chances are very high that your network security is nowhere nearly as robust as Google’s, it’s worth pausing to reflect on your exposure to cyber risks.
According to one industry expert, 40% of all cyber crimes are committed against small businesses. Furthermore, FCC Chairman Julius Genachowski told an audience of business leaders last summer that the average cost of a cyber attack against a small-to-medium sized business is a whopping $200,000! With numbers like that, it’s easy to see how vulnerable an unprotected firm can be.
Your company has valuable data, and there are criminals out there who want it. So, what are you doing to protect your company from cyber threats?
THE SCENE OF THE CRIME
DATELINE: Your Town, USA. It was a dark and stormy night and a crime was being committed: the felonious theft of precious goods for material gain. The victim was an organization engaged in a variety of businesses including computer database administration, health care services, financial services, and a retail merchandising business.
As a database administrator, the victim managed vital records of others including names, addresses, birth dates, phone numbers, email addresses, and social security numbers. Beyond these basic identity records there were also bank records including account numbers and bank routing numbers.
There were also patient health records and health insurance information. And there was other information in the database of an even more sensitive nature that might not have a dollar value but was precious from a personal reputation standpoint.
The financial services sector of this organization was privy to a lot more than checking or savings account information. It actually made electronic payroll deductions on behalf of individuals and allocated those deductions to a menu of retirement accounts. It even processed income tax withholding.
The retail arm sold logo clothing, books, laptop accessories, and sundries. It accepted cash, checks, and credit card payments for the items it sold. The retail establishment was well run and physically well protected. Cash and checks received were kept in a secure location until bank deposits could be made and there was a failsafe system of accounting for all monies coming in and flowing out to avoid fraud.
In fact, each of these sectors of the organization was well protected from a physical premises standpoint and used a system of checks and balances to ensure that no data could end up being taken away from the premises either surreptitiously or inadvertently.
The IT department had been vigilant in securing computer networks also. Their main interest was making sure that computer viruses did not infiltrate the network and corrupt databases but they had also instituted a system of password protection for each member of the organization’s computer network.
Still, the theft was an inside job. It occurred at 12:15 in the morning and took only a short time to accomplish. After the crime, police searched for physical evidence of a break-in but found nothing. In fact, the crime had taken place on a computer from a remote location.
There were two perpetrators who were eventually arrested but who were not suspected at first because they did not appear to fit the routine profile of thieves. They were teenage boys. They made outstanding grades in school, dressed respectfully, were active in clubs and had no record of prior burglaries, not even a misdemeanor shoplifting charge. They were not connected to drug use. They obeyed curfew requirements. They were cyber hackers and had breached their school’s computer system.
THEY’RE JUST KIDS
Who are these teens? They may live on your block. A survey in 2009 by Panda Security sampled 4000 fifteen to eighteen year olds and found that 67% had tried hacking into their friends’ social media accounts. In another survey in New York City in 2010 by Tufin Technologies, 16% of the 1000 kids surveyed said they had tried hacking.[i]
In Orange County, California, two eighteen year olds hacked into their school’s computer network to alter grades and steal test material. One of the boys had infiltrated the school network multiple times and was charged with 69 felony counts which could add up to over 38 years in prison. The charges against him include: altering and stealing public records, computer fraud, burglary, identity theft, receiving stolen property, and conspiracy.
The other boy was charged with a single count on each of four crimes from conspiracy to attempted altering of public records. People who knew both boys and their families attested that both were good kids. Their high school, which has 2,800 students, is highly ranked.[ii]
Other cases of such crimes range across the continent from California to New Jersey and Maryland. The students are highly tech savvy, possibly more so than most of the adults in their schools and clearly more so than adults give them credit for being.
Some of the crimes have involved the use of keystroke-recording malware that students have clandestinely installed in school networks. In other cases, students have explored YouTube for readily available instructional videos on the art of hacking everything from Facebook accounts to school databases. Some more attentive students have proved adept at observing teachers entering their own passwords on their desktops or laptops during class periods.
This does not mean that students are the only people who might hack into high school or even university databases and computer networks. Adult thieves may be involved in the crime and are perhaps more likely to steal physical property during a break in at the school premises. Burglaries can include anything from laptops to smart phones to computer hard drives, all of which enable cyber breaches down the road.
But such breaches may be easier for students to accomplish without a premises break in since they have a presence on campus, at least during school hours, and legitimate access to institutional networks at some level. Students may be motivated to alter academic records or get previews of test questions like the fraternity brothers of Delta Tau Chi in the movie Animal House. However, cyber crime can be even more sinister and include hijacking web sites with hate speech or pornography.
BUT WE’RE JUST A SCHOOL
Whoever is doing the hacking and perpetrating the breach, schools need to recognize all the businesses they are actually involved in and the cyber risks related to those activities. Universities and private schools may be involved in a wider variety of exposures than public schools but all educational institutions should consider their risk broadly.
All schools possess personal identification data that includes physical and electronic contact information, phone numbers, and social security numbers. The theft of any portion of this information is a big business and compromises the personal security of individuals. It is the risk that we most commonly associate with school cyber risk, but in addition to that basic information, schools also store financial data, some of it obvious and some not.
School sports departments may require health evaluations in order for students to participate in sports such as wrestling or lacrosse or soccer. Student athletes may even be required to provide evidence of health insurance that is kept on school databases.
Even public K-12 schools may be in the financial services business in ways that are not readily apparent. Besides providing direct deposits to personal bank accounts for employees and making tax and 401k or pension deductions, schools may store bank account information of students or their parents. Most parents have experienced paying for school organized events and field trips with a check and while that may not entail a debit or credit transaction, checks may be scanned and information recorded by schools for accounting purposes. In some cases, credit payments are possible.
Public school Parent Teacher Associations as well as private school development offices raise money for a variety of causes. While PTA fundraisers support fine arts programs, purchase sports equipment, and augment classroom supplies, private school development offices promote capital projects as well as scholarships. In some states, individuals can also allocate tax refunds to scholarship programs at their favorite school directly through the IRS. In all these cases, a donor list is a highly confidential item that bears not only financial information but identities that many donors desire to remain private.
Most schools today, public and private, also have websites that provide parental access to their student’s grades, class schedules, teacher phone numbers, email addresses and websites, home pages, or even a social media presence. These parent portals are generally password protected; however, a breach could open up a world of private information.
School stores where students purchase textbooks and supplies may accept a variety of forms of payments including credit. In addition to books, both public and private schools may give students the opportunity to purchase spirit wear, food, and other items. School merchandising in private schools and universities may include a broad array of goods and even reach out to alumni via the school website.
University websites also promote or sponsor summer education opportunities for alumni as well as overseas excursions led or directed by university professors. These are often announced in electronic alumni newsletters and posted on alumni office websites linked to the university’s website. These postings offer online registration and credit payments that capture personal records.
Alumni websites also often include social media facilities offering everything from social networking to job searching or job posting. These sites allow users to set up password protected profiles, similar to Facebook and LinkedIn, with a variety of private personal information.
Finally, all schools store sensitive information about students, teachers, and other staff. For students, this can include psychological evaluations that enable them to have additional time on tests as well as college entrance or admission information and SAT registration data. For teachers, such information contains performance reviews, salary and ranking comparisons, and professional conduct records.
BREACH REPERCUSSIONS
No matter what activity segment of a school network is compromised by a student or other hacker, the repercussions are both personally invasive and legalistic. The direct and immediate consequence of that midnight raid by two students may be the alteration and theft of privileged matter such as grades and test data. However, once the breach is made the misappropriation of a wide variety of data can quickly imperil everything from personal finances to personal safety to personal reputations.
More than that, the fact that many of us use the same passwords for all of our password protected electronic sites affords hackers with more opportunity than just the school database. A breach of the school network may lead to breaches of our personal collections of online payment and social media accounts.
Schools also have a duty to ensure the security of their records and that duty is regulated on both a federal and state level.
- FERPA is the Family Educational Rights and Privacy Act and is administered by the US Department of Education. It affords parents or eligible students the right to inspect all personal records held by schools and requires schools to keep private all student records except under specified situations.
- HIPAA is the Health Insurance Portability and Accountability Act administered by the Health and Human Services Department. In tandem with the HITECH Act, it protects the privacy of personal health and health insurance information.
- FCRA is the Fair Credit Reporting Act administered by the Federal Trade Commission. Along with sections of the Gramm-Leach-Bliley Act, FCRA regulates the privacy of financial transactions and information.
- PCI-SSC is the council that regulates standards for the payment card industry. These standards ensure the privacy and accuracy of credit card transactions.
All of these regulations, as well as various state regulations, include mandates regarding an organization’s response to a data breach. In most cases, notification is required to be sent to potentially damaged parties within certain time frames. These are often called “red flags” and can cost as much as $400 per record.
RISK MANAGEMENT
Any situation involving risk as well as the potential of regulatory action is a serious matter, and the possibility of students hacking into school databases is growing. The internet itself provides both an open forum for hackers to advise and encourage each other as well as step by step instructional videos.
Schools and their insurance advisors should review all the potential sources of data breach and devise strategies including a system of strong passwords and authentication procedures. Passwords of users should not be repeated among an individual’s other secure zones and schools should separate various database networks so that a breach in one area is not an open door to the entire system. Encryption of information is the gold standard.
Appropriate insurance is also a key aspect of cyber risk management. The right coverage can compensate for first party loss as well as lawsuits from third party damage. Cyber insurance coverage can also include:
- cost of data restoration
- insurable portions of breach notification costs
- business interruption and the costs of service denial
- cyber extortion
- web content liability
- non-digital data files
- tech errors and omissions.
The best risk management for cyber crime is a combination of prevention and appropriate insurance coverage. Vigilance is crucial. So, whether you’re a public or private school or even a university, check your watch. It’s midnight. Is your data tucked in?
[i] http://www.privatewifi.com/for-wireless-teens-curiosity-can-lead-to-cybercrime/
[ii] http://www.foxnews.com/story/0,2933,368946,00.html
Although information security and cyber-risk management is recognized as an enterprise-wide responsibility by many organizations, the information technology (IT) department still is seen as the front-line defense against information losses and other cyber-liability risks, according to an industry survey.
More than two-thirds of respondents say their organizations have a disaster-response plan in place in the event of a major breach. For 41 percent of respondents, the role of the IT department includes fulfilling state data breach notification laws following a breach.
The survey concludes that this may represent “a significant deficiency in emergency-response planning,” noting that the IT department often is not equipped to interpret notification requirements of dozens of states and to marshal the resources necessary to fulfill the requirements of each state following a major breach.
Sponsored by Zurich and administered by Advisen Ltd., the survey, “A New Era In Information Security and Cyber Liability Risk Management,” was conducted for one week, beginning Sept. 26, 2011 and ending Oct. 3, 2011.
The survey was designed to create a framework for identifying and addressing cyber risks throughout an organization and was completed, at least in part, by 503 respondents.
The majority of survey respondents recognize the entire organization is responsible for mitigating these risks. When asked, “Does your organization have a multi-departmental information security risk management team or committee?” 57.2 percent respond…
Last week’s revelations that one, and possibly multiple, Certificate Authorities (CA) had been breached really rock the basic foundation of information security as we know it. When you couple this news with the RSA breaches reported earlier this year, there are clearly some large and foreboding cracks in some of the foundational underpinnings of security – SSL and Public Key Infrastructure (PKI), for example – that require us to take a hard look at the entire concept of trust.
Early last week, news broke out about the hack of Dutch certificate authority (CA) DigiNotar, which followed the patterns of an earlier hack of Comodo, another CA. The hacker taking credit for this breach claims he has infiltrated four other CAs, including GlobalSign, although GlobalSign is rejecting the claim. Analysis has shown that the hacker used some very sophisticated techniques to penetrate the CA servers at DigiNotar and obtain root access for five of the company’s root certificates.
Without getting too deep into digital certificates, it is useful to know that CAs like DigiNotar issue certificates that are at the heart of SSL and PKI. The issued certificate is linked through a chain of trust back to the certificate authority’s root certificate. The security of issued certificates, and the security of the implementations that use them, is only as good as the security of the root. If the root is compromised, all of the issued certificates are compromised… To read the rest of the article, please click here.
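The chain-of-trust dependency described above, as an added example that is not part of the original article: it walks issuer links over constructed certificate records (in the dict layout Python's `ssl` module returns) and lists every certificate that depends on a distrusted CA. All names, the `mk` helper and the sample data are assumptions; matching is by name only, where a real validator also verifies each signature.

```python
import ssl

def name_of(rdns):
    """Flatten the nested RDN tuples used by the ssl module into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def chain(cert, pool):
    """Follow issuer -> subject links from cert up to a self-signed root.
    Name matching only; returns [] when no complete path to a root exists."""
    by_subject = {c["subject"]: c for c in pool}
    path, seen = [cert], {cert["subject"]}
    while path[-1]["issuer"] != path[-1]["subject"]:
        parent = by_subject.get(path[-1]["issuer"])
        if parent is None or parent["subject"] in seen:
            return []  # missing issuer or a loop
        path.append(parent)
        seen.add(parent["subject"])
    return path

def affected(leaves, pool, distrusted_orgs):
    """Common names of leaves whose chain passes through a distrusted CA."""
    hits = []
    for leaf in leaves:
        issuers = chain(leaf, pool)[1:]
        orgs = {name_of(c["subject"]).get("organizationName") for c in issuers}
        if orgs & set(distrusted_orgs):
            hits.append(name_of(leaf["subject"])["commonName"])
    return hits

def distrusted_cas_in_store(distrusted_orgs, ca_certs=None):
    """CA certificates in a trust store whose organization is distrusted.
    Defaults to the CAs loaded into Python's default TLS context."""
    if ca_certs is None:
        ca_certs = ssl.create_default_context().get_ca_certs()
    return [c for c in ca_certs
            if name_of(c["subject"]).get("organizationName") in distrusted_orgs]

# Constructed sample data (hypothetical names, not real certificates).
def mk(cn, org, issuer=None):
    subject = ((("organizationName", org),), (("commonName", cn),))
    return {"subject": subject, "issuer": issuer["subject"] if issuer else subject}

ROOT_A = mk("Root A", "Example Breached CA")
ROOT_B = mk("Root B", "Example Other CA")
INT_A = mk("Issuing CA A1", "Example Breached CA", ROOT_A)
POOL = [ROOT_A, ROOT_B, INT_A]
LEAVES = [mk("shop.example", "Shop", INT_A), mk("mail.example", "Mail", ROOT_A),
          mk("bank.example", "Bank", ROOT_B)]
```

Calling `affected(LEAVES, POOL, {"Example Breached CA"})` returns both certificates issued under the breached root, directly or through its intermediate, while the certificate under the other root is untouched.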
No one likes tossing out cookies, but privacy gurus say clearing them off your hard drive is one of the best ways to protect your ID from falling into the hands of online thieves. But if Adobe Systems has anything to do about it, keeping your browser’s cupboard free of cookie crumbs is going to remain a task that won’t be easy for you to accomplish. And this has identity theft experts worried.
What it means to you
In addition to seeing a lot more ads relating to searches you performed and sites you visited, experts say Adobe Systems’ “Flash cookies” (and traditional cookies, too) can leave consumers open to identity theft.
Cookies, the little bits of stored information embedded in web browsers that remember sites you visit, help advertisers target you for their latest marketing promotions. All that personalized attention makes surfers feel known and cared for, as ads claiming such things as “Local mom in (your city) made thousands doing this …” show up while they’re online.
Unfortunately, the cookies, particularly the Flash version, can also lead to your personal details being at risk for identity theft. “Flash cookies can store much more information than the standard cookie, are usually undetected, and can remain indefinitely on a hard drive,” says Scott Stevenson, founder and CEO of Eliminate ID Theft, a credit-monitoring agency. And depending on where you’re surfing the web, some of that information can be hacked into by identity thieves.
Where you are when surfing the web is important. George K. Tsantes, executive vice president and chief technology officer of Intersections Inc. says the most important question you need to ask regarding Flash, or any other type of cookie, is this: Does the cookie in question reside on a trusted computer?… To read the rest of the article, please click here.
The whole social networking phenomenon has millions of Americans sharing their photos, favorite songs and details about their class reunions on Facebook, MySpace, Twitter and dozens of similar sites. But there are a handful of personal details that you should never say if you don’t want criminals — cyber or otherwise — to rob you blind, according to Beth Givens, executive director of the Privacy Rights Clearinghouse.
The folks at Insure.com also say that ill-advised Facebook postings increasingly can get your insurance cancelled or cause you to pay dramatically more for everything from auto to life insurance coverage. By now almost everybody knows that those drunken party photos could cost you a job, too.
[See 7 Things to Stop Doing Now on Facebook]
You can certainly enjoy networking and sharing photos, but you should know that sharing some information puts you at risk. What should you never say on Facebook, Twitter or any other social networking site?
Your Birth Date and Place
Sure, you can say what day you were born, but if you provide the year and where you were born too, you’ve just given identity thieves a key to stealing your financial life, said Givens. A study done by Carnegie Mellon showed that a date and place of birth could be used to predict most — and sometimes all — of the numbers in your Social Security number, she said.
Vacation Plans
There may be a better way to say “Rob me, please” than posting something along the lines of: “Count-down to Maui! Two days and Ritz Carlton, here we come!” on Twitter. But it’s hard to think of one. Post the photos on Facebook when you return, if you like. But don’t invite criminals in by telling them specifically when you’ll be gone.
[See Burglars Picked Houses Based on Facebook Updates]
Home Address
Do I have to elaborate? A study recently released by the Ponemon Institute found that users of Social Media sites were at greater risk of physical and identity theft because of the information they were sharing. Some 40% listed their home address… To read the rest of the article, please click here.
Thursday, May 17, 2012