Determining True Data Breach Risk - IAPP · 2013-09-26 · Determining True Data Breach Risk From...


Determining True Data Breach Risk From Identification of PHI/PII to Right-Sized Remedies

October 1, 2013

TODAY’S SPEAKERS

Panelists

• Cynthia Snyder – Director, Information Privacy, Health Net, Inc.

• David Navetta, Esq., CIPP/US – Partner, InfoLawGroup, LLP

• Jonathan Fairtlough – Managing Director, Kroll

Moderator

• Jason Straight – Managing Director, Kroll

WHAT WE’LL COVER

• What information do you need to evaluate risk of harm during a data breach investigation?

• What is the true risk to affected individuals?

– What do attackers do with PII?

• What remedies are most effective in protecting against these risks?

– Getting beyond credit monitoring

EVALUATING RISK OF HARM

Initial Response: Victim

WHAT HAPPENED?

• Data breach investigation objectives:

– How did the breach occur?

– To whom was data exposed?

– Has the incident been contained?

– Was PII or PHI exposed?

– Whose information was compromised?

– Can you confirm what was done with the data?

WHAT DATA WAS EXPOSED?

• Different types of PII/PHI

– Personal PII

– Health PHI

– Financial PII

– Employment PII

• Other Data that can lead to risk of identity theft or other harm

“BUT IT WAS JUST USER NAMES AND PASSWORDS . . .”

• Passwords – compromise more than just a user account

– How many use the same password for multiple accounts?

• Hashed passwords are not invulnerable

– Rainbow tables
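As an added illustration of the last two bullets (example code, not part of the original deck): a constructed password dump and a five-entry stand-in for a precomputed digest table show that unsalted MD5 digests fall straight out of the table, while per-user salt plus PBKDF2 (an assumed storage scheme, not one the deck names) leaves the table nothing to match. All passwords and digests here are constructed.

```python
import hashlib
import os

# Constructed sample: a tiny stand-in for a precomputed table of unsalted
# digests of very common passwords (a real rainbow table is vastly larger).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password):
    """Legacy storage: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF (assumed scheme): a table
    precomputed without the salt cannot be reused against any user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def table_hits(leaked_digests, table=PRECOMPUTED_MD5):
    """How many leaked digests are recovered by a plain table lookup."""
    return sum(1 for d in leaked_digests if d in table)


# Constructed leaked dump: the same four user passwords stored both ways.
USER_PASSWORDS = ["password", "qwerty", "Tr0ub4dor&3", "123456"]
UNSALTED_DUMP = [unsalted_md5(p) for p in USER_PASSWORDS]
SALTED_DUMP = [salted_pbkdf2(p, os.urandom(16)) for p in USER_PASSWORDS]


def exposure_summary():
    """Immediate exposure an assessor can report for each storage scheme:
    hits against the table mean those accounts (and any reused passwords
    elsewhere) must be treated as compromised, not merely 'hashed'."""
    return {
        "unsalted_md5": table_hits(UNSALTED_DUMP),   # 3 of 4 recovered instantly
        "salted_pbkdf2": table_hits(SALTED_DUMP),    # 0: no precomputed match
    }
```

Salting defeats precomputation only; a slow KDF is what makes per-hash guessing expensive, so both belong in the assessment of a leaked credential set.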

DETERMINING THE EXPOSURE

DETERMINING RISK OF HARM

• Risk of Harm - Defined

– “that compromises the security, confidentiality, or integrity of personal information”

– “that materially compromises the security or confidentiality of personal information”

– “the misuse of information about a Delaware resident has occurred or is reasonably likely to occur”

– “that creates a substantial risk of identity theft or fraud”

WAS PII/PHI EXPOSED?

1. Structured data

– Lends itself to data analytics, automated identification processes

2. Semi-structured data

– Combination of automated and manual techniques

3. Unstructured data

– Customized approach

THE PII/PHI IDENTIFICATION PROCESS

4. Data Analytics personnel for Structured Data

– Adept at using the tools and techniques of automated manipulation and formatting

5. Document/data reviewers for Semi-structured Data

– Comfortable with those same tools AND able to recognize PHI/PII identified as relevant

6. Legal Counsel for Unstructured Data

– Essential to define what constitutes PHI/PII under applicable statutes

TO WHOM WAS PII/PHI EXPOSED?

• Criminals

• Unauthorized but trusted party

• Public

• State sponsored group

• Hacktivists

• Unknown

INSIDER V HACKER

Insider

• Disadvantages

– Deep knowledge of data

– Personal motivation to harm data holder

– Long term access

• Advantages

– Easier to legally restrain

– Tracking access possible to limit scope

Hacker

• Disadvantages

– Higher skillset in access

– Jurisdiction and collection issues

• Advantages

– Less knowledge of value of data and system

– Difficult to monetize all but financial PII

– More taking, less use

MANAGING THE EXPOSURE

Legal Counsel

LEGAL CHALLENGES RELATED TO FORENSIC INVESTIGATION

• Proving the negative

– Circumstantial evidence of unauthorized access/acquisition

– How to establish that personal information was not actually accessed or acquired?

• “Inconclusive” findings

• Probabilities/opinions as to what most likely happened

CREATING NOTIFICATION LIST

• Creating the list of affected data subjects

• Scrubbing the list to identify duplicates

• Gathering accurate address information for notification

• Identifying minors and deceased data subjects for special treatment

• Handling notifications outside the US
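An added example of the list-building steps above (example code, not from the deck): constructed rows from an exposed structured table are collapsed on a normalized key (SSN digits when present, otherwise lowercased e-mail) and each resulting data subject is tagged with the special-handling flags the slide names. All names, SSNs, addresses and dates are made up.

```python
from collections import OrderedDict
from datetime import date

# Constructed sample rows, formatted inconsistently as an exposed table often is.
EXPOSED_ROWS = [
    {"name": "Ana Lopez", "ssn": "123-45-6789", "dob": "2009-03-02",
     "email": "ana@example.com", "country": "US", "status": "active"},
    {"name": "ANA LOPEZ", "ssn": "123456789", "dob": "2009-03-02",
     "email": "ANA@EXAMPLE.COM", "country": "US", "status": "active"},  # duplicate
    {"name": "Bob Reyes", "ssn": "987-65-4321", "dob": "1950-07-14",
     "email": "bob@example.com", "country": "US", "status": "deceased"},
    {"name": "Chloé Martin", "ssn": "", "dob": "1985-11-30",
     "email": "chloe@example.fr", "country": "FR", "status": "active"},
]

AS_OF = date(2013, 10, 1)  # assessment date; matches the deck's date


def normalize_key(row):
    """Dedup key: SSN digits if any, otherwise the lowercased e-mail."""
    digits = "".join(ch for ch in row["ssn"] if ch.isdigit())
    return ("ssn", digits) if digits else ("email", row["email"].strip().lower())


def age_on(dob_iso, as_of):
    """Whole years between an ISO date of birth and the assessment date."""
    y, m, d = map(int, dob_iso.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def build_notification_list(rows, as_of=AS_OF):
    """Collapse duplicate rows into one subject each and attach the flags
    that drive special treatment: minor, deceased, outside the US."""
    subjects = OrderedDict()
    for row in rows:
        entry = subjects.setdefault(
            normalize_key(row), {"name": row["name"].title(), "flags": set()})
        if age_on(row["dob"], as_of) < 18:
            entry["flags"].add("minor")
        if row["status"] == "deceased":
            entry["flags"].add("deceased")
        if row["country"].upper() != "US":
            entry["flags"].add("non_us")
    return list(subjects.values())
```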

SPECIAL CONSIDERATIONS FOR PHI BREACHES

HIPAA FINAL RULE

• New HIPAA Standard

– “Risk of harm” standard replaced with 4 factor test:

• The nature and extent of the PHI.

• The unauthorized person involved.

• Whether the PHI was actually acquired or viewed.

• Extent to which any risk has been mitigated.

– Burden shifted to CE/BA to show “low probability” of exposure

– Documentation Requirement

PATIENT DATA RISKS

• Unique Risks

– Medical insurance fraud

– Public embarrassment

– Blackmail/extortion risk

– Employment discrimination risk

WHAT REMEDIES ARE MOST EFFECTIVE?

THE IMPORTANCE OF REMEDIATION

Proper Remediation

• Remedy customer concerns

• Show proactive response

• Address class based harms

• Satisfy legal requirements

Improper remediation

• Highlight breach failures

• Create social media victim response and coordination

• Open up provider to other Class based Claims

• Provide a basis for regulatory punishment

THE FOUR CONSUMER SERVICES DECISION FACTORS

1. What were the circumstances of the exposure?

2. To whom was the information exposed?

3. What type of PHI/PII was exposed?

4. Who is the impacted population?

LEGAL DRIVERS FOR CREDIT MONITORING

• Regulator “recommendations” – red flag

• 2 years versus 1 year of credit monitoring

• “Discrimination” between the affected individuals within a population (offering some, but not others)

LEGAL DRIVERS FOR CREDIT MONITORING

• Eliminating a “damages” element in litigation

• Will credit monitoring distract/be effective:

– Health information breaches (EOBs)

– Payment card breaches (Card statements)

SCENARIO 1

• Exposure:

– Names, email address, account numbers

• Population:

– 200,000 people

• Breached entity:

– Large Financial Institution

CHALLENGES OF REMEDIATION OFFERS

• Not offered … In 2011, Citigroup was criticized for not offering credit monitoring to its breached audience. But the PII that was exposed was not likely to lead to the type of fraud readily identified by monitoring credit reporting activity.

SCENARIO 2

• Exposure:

– Names, addresses, Social Security numbers, dates of birth, medical diagnostic information, medical insurance numbers

• Population:

– 4,000,000 patients

• Breached entity:

– Large healthcare system

CHALLENGES OF REMEDIATION OFFERS

• Offered, deemed insufficient … offered 1 year of credit monitoring. Consumer advocates noted that credit monitoring is insufficient to protect patients against actual harm from the breach. Federal and state regulators were still investigating the breach.

PUBLISHED GUIDANCE FROM THE IL AG

• Illinois attorney general advises organizations to:

– “determine when to offer credit monitoring and when to contract for an alternative form of monitoring.”

– explore their options because “credit monitoring may not be appropriate in all breach situations.”

PUBLISHED GUIDANCE FROM THE CA AG

• California Office of Privacy Protection advises organizations:

– “If you are considering offering notice recipients credit monitoring or another identity theft assistance service as a mitigation, make sure it is relevant to the situation.”

– “Credit monitoring is not helpful for breaches of account numbers only.”

TARGETED RESOURCES SAVE COST, REPUTATION

• Size of the event may often define what consumer services are most practical

• Location of the population may reveal a higher propensity to a consumer becoming a victim of identity theft

• VIPs, clients, employees, deceased, expatriates, age: each of these helps to further refine the services being offered to the impacted population

MATCHING RISK AND REMEDY

If this data is exposed …

• Name, address, date of birth

• Credit card numbers

• Bank account numbers

… alternative monitoring might be:

• A way to search for additional addresses associated with that person – often an early indicator of identity theft activity

• Internet monitoring of sites where criminals buy and sell financial details

• A service that scans for short-term, pay-day or cash advance loans where no credit check is required

THANK YOU!

www.krollcybersecurity.com