How to make sure your cyber insurance policy pays out

IT Governance

Cyber insurance is big business these days. Find out how a ransomware victim used cyber insurance to guide its response effort. A cyber insurance policy doesn’t necessarily guarantee that you will receive aid following a data breach.

The Multi-Cloud Era Creates New Encryption Challenges

Thales eSecurity

Key Findings from the 2018 Global Encryption Trends Study. No core technologies are more fundamental to data protection than encryption and key management. 39% encrypt extensively in public cloud services, a number which has grown significantly just in the past year.


Adventures in cyber litigation: Frozen crypto-assets and the role of cyber insurance

Data Protection Report

Given the level of interest in the case, we have prepared a deeper-dive into the facts and the implications of the decision, with a focus on the important role played in the case by cyber insurance. However, the involvement of the victim’s insurers has received less attention.

China: Navigating China: Episode 10: Stricter data localisation and security rules for financial and insurance data in China

DLA Piper Privacy Matters

The PFI Guidelines will apply to regulated banks, financial institutions and insurance companies. Covered data includes users’ personal and financial information (e.g. transaction logs, transaction amounts, insurance orders, insurance claims). Carolyn Bigg, Hong Kong.

Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?

HL Chronicle of Data Protection

In the past two years, multiple state bills have been introduced in the US to provide cybersecurity requirements and standards for the insurance sector, with recent legislative activity taking place in particular in the states of Ohio, South Carolina, and Michigan. The entry into effect of multiple state laws in this area may present challenges for insurance providers operating in states where such cybersecurity requirements apply.

Regulatory Update: NAIC Spring 2019 National Meeting

Data Matters

The National Association of Insurance Commissioners (NAIC) held its Spring 2019 National Meeting (Spring Meeting) in Orlando, Florida, from April 6 to 9, 2019. ceding insurer could be eligible for the same reduced collateral requirements that would apply to qualifying EU reinsurers under the revised CFR Model Laws. To date, approximately 30 insurance groups, representing 15 lead states, have volunteered to participate in field testing. Virginia Insurance Commissioner Scott A.

A hierarchy of data security controls

Thales eSecurity

The controls used are typically full disk encryption (FDE), KMIP key management of encryption for arrays or SAN systems or encryption of a tape or a VM image. For laptops and transportable physical media (like tapes), this level of encryption is a great control.

How to handle a ransomware attack

IT Governance

That way, when crooks encrypt your systems, there’s no need to worry. For example, you should provide them with said pens and paper, direct them to hard copies of information they might need and bring in colleagues who can’t work to help out.

Redcar and Cleveland Borough Council still offline after suffering cyber attack

IT Governance

Ransomware is a specific type of malware that encrypts computer files, essentially locking the owner out of their systems. Unlike an attack on retailers, for example, victims have no alternative when systems are down.

Tokenization: Ready for Prime Time

Thales eSecurity

For example, using a customer’s data to purchase goods from a merchant is different from using a customer’s data to identify a customer in a loyalty program or to provide health care services. For example, a national identity number of nine digits (123-45-6789) when tokenized (e.g.

MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

The Last Watchdog

Office of Personnel Management, I’ve had insurance coverage from Premera Blue Cross and I’ve stayed at the Marriott Marquis in San Francisco. For example, the personal data obtained in one breach could be cross-referenced with data obtained from another breach and other widely publicized private sector breaches, and the Marriott breach only makes their task that much easier and more likely to succeed.

SHARED INTEL: How NTA/NDR systems get to ‘ground truth’ of cyber attacks, unauthorized traffic

The Last Watchdog

In another case, a device management tool was deployed in a hospital and used the WiFi network to ensure data privacy as it provisioned connected devices. But ExtraHop noticed that the tool was also opening encrypted connections to vendor-owned cloud storage, a major HIPAA violation. LW: Banks are a good example of this. The digital footprints of U.S. consumers have long been up for grabs.


ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

The Last Watchdog

That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list. In addition, sensitive data was not encrypted at rest, and no one was auditing access logs. Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next, after admitting to having allowed a gargantuan data breach.

Have We Become Apathetic About Breaches?

Thales eSecurity

One such example is the recent disclosure that military personnel wearing Strava devices are revealing highly sensitive information about their locations and activities. For example, are they encrypting their data? Another day, another breach.


Ephesoft Leads the Document Capture Industry to the Cloud with the First High-Performance Processing Hybrid Solution

Document Imaging Report

Examples include retailers’ invoices and credit card applications during Cyber Monday and other shopping holidays; tax firms’ form processing during tax season; mortgage lender applications or loans during prime real estate seasons; and insurance company claims after a natural disaster.

How to create an ISO 27001-compliant risk treatment plan

IT Governance

For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely. Cryptography: the encryption and key management of sensitive information.


Nevada and New Hampshire Data Security and Privacy Laws Take Effect

Hunton Privacy

For businesses that do not accept payment cards, the new Nevada law prohibits electronically transmitting a customer’s personal information “outside of the secure system of the business” or moving any data storage device containing a customer’s personal information “beyond the logical or physical controls” of the business unless the transmission or data storage device is encrypted.

Sorting Through the Whirlwind of News on the Proposed Equifax Settlement and Capital One Breach

ARMA International

Some payouts will be reduced pro rata if they exceed the amount designated for them. For example, only $31 million is designated for the alternative reimbursement. Though Capital One reports that it encrypts its data as a standard practice, the data was decrypted during the breach.

GDPR Compliance Obligations: The relationship between Data Controllers and Third-Party Processors


For example, under GDPR data subjects and/or regulators may now pursue direct remedies against data processors in the event of infringement of obligations, whereas such remedies did not exist under the prior data privacy regulation. This is the 11th post in a series on privacy by Andrew Pery.


How Cyber Essentials can help secure your access controls

IT Governance

eBay: the names, addresses, dates of birth, phone numbers and encrypted passwords of 145 million users were compromised when cyber criminals got into the organisation’s network using employee credentials. Reduce cyber insurance premiums.

Catches of the month: Phishing scams for January 2020

IT Governance

For example, the browser that the login apparently came from is “chrome” with a lowercase C. The symbol simply signifies that the site has an SSL certificate, which means the information shared between your computer and the website is encrypted.

US: Coronavirus – Cybersecurity considerations for your newly remote workforce

DLA Piper Privacy Matters

Where appropriate, employers may consider providing specific examples to illustrate how to spot malicious messages or engaging a security firm to send test phishing messages. Where feasible, consider using encryption and secure file transfer platforms for the transmission of sensitive data.

EUROPE: Latest WP29 Guidelines on Data Breach Notifications and Profiling

DLA Piper Privacy Matters

Guidance on where notification may not be required is provided, for example where: (i) the compromised data is already in the public domain; (ii) if the data is securely encrypted; or (iii) availability is not compromised because the controller has access to other sources of the data. On 18 October 2017, WP29 published proposed Guidelines on two key aspects of the GDPR – namely: Personal Data Breach Notification (Articles 33/34); and.

Extended Validation Certificates are Dead

Troy Hunt

For example, Microsoft failed to renew There are many, many more examples and they all adhere to the same underlying truth; if something is important and repetitive, automate it! Last up is the top insurance sites: United Services Automobile Association.

US: Surviving the service provider data breach

DLA Piper Privacy Matters

Last year, for example, a physician group settled a HIPAA enforcement action based on a website service provider’s exposure of patient billing data. Proof of adequate cyber insurance coverage. It’s summer, and life’s a breach. A data breach, that is.

Podcast Episode 119: EFF on Expanding Researchers Rights and AT&T talks IoT Security Fails

The Security Ledger

Now the group is looking to expand its work throughout the Americas, drawing on rights recognized by the American Convention on Human Rights, and examples from North and South American jurisprudence.

Ransomware Is the No. 1 Cyber Threat This Year. Here’s What You Can Do

Adam Levin

While the sophistication and methods of attack may vary, the short answer is that ransomware is a type of malware that encrypts critical data on a computer or computer network so that users can’t regain access without paying a “ransom.”

10 Personal Finance Lessons for Technology Professionals

Troy Hunt

In fact, those guys are all pretty good examples of the ability to build amazing things from the ground up and I'm sure that many of you reading this have sat down and started building something with the same enthusiasm as, say, Zuckerberg did with Facebook in 2004. Patience. Frugality.

OCR Provides Insight into Enforcement Priorities and Breach Trends

HL Chronicle of Data Protection

Regulators, industry experts, and researchers provided insight into health privacy and security enforcement trends, emerging threats, and new tools at a recent conference focused on the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework.

“But the emails” – companies’ SEC filings reflect ransomware risks

Data Protection Report

In one example of a post-attack disclosure, FedEx’s most recent 10-K (May 2017) discusses the impact of the WannaCry and Petya attacks on FedEx systems and subsidiaries. The 10-K also warns that FedEx is unable to “estimate when TNT Express services will be fully restored” and that it may be “unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted.”


The debate on the Data Protection Bill in the House of Lords

Data Protector

For example, although there are clear benefits to medical research from giving researchers access to anonymised medical data, it remains a matter of concern to the public, the media and the profession itself. I will highlight, rather at random, some other examples which need reflection. The example I would give is the recruitment of 20,000 suitable people for the Heart Protection Study on statins, which has helped transform medical practice throughout the world.


Gmail, Google Apps for Business HIPAA Business Associate Agreements


The Health Insurance Portability and Accountability Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. Google uses Ernst and Young third-party evaluated and ISO 27001 certified encryption and authentication.

UK: Liability Limits for GDPR in commercial contracts – the law and recent trends

DLA Piper Privacy Matters

For example, while it is reasonably clear what is meant by the requirement to stipulate that the Processor should process the Personal Data only on the documented instructions from the Controller, it is not specified in GDPR how detailed or precise these instructions need to be, nor what the Processor should do where it has notified the Controller that it considers the instructions to be inconsistent with GDPR.


Global Ransomware Attacks Raise Key Legal Considerations

Hunton Privacy

The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. Certain federal laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”), also require notification for certain breaches of covered information, and there is an increasing number of breach notification laws being adopted internationally.

The Good, Bad, And The Ugly: Key Takeaways From California’s New Privacy Law

Privacy and Cybersecurity Law

The CCPA, as adopted, contains important exemptions for businesses already collecting “personal information” (as that phrase is defined under the CCPA) under the Confidentiality of Medical Information Act (“CMIA”), Health Insurance Portability and Availability Act of 1996 (“HIPAA”), Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), and Driver’s Privacy Protection Act of 1994 (“DPPA”). Consumer privacy rights in California are well established.

An Approach to Cybersecurity Risk Oversight for Corporate Directors

Data Matters

Encrypting critical data assets. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach. Directors should develop at least a high-level familiarity with how data is secured (e.g., encryption of critical company data, both while at rest and in motion).

MY TAKE: What it takes to beat cybercrime in the age of DX and IoT: personal responsibility

The Last Watchdog

Uber is a prime example of an Internet-centric enterprise comprised of a collection of tools and services hosted by myriad partners. A report from insurance underwriting giant Lloyd’s of London and risk modeling consultancy, Air Worldwide, showed how a three-day outage of the top cloud services providers would cause $15 billion in damage to the U.S.


California’s GDPR? Sweeping California Privacy Ballot Initiative Could Bring Sea Change to U.S. Privacy Regulation and Enforcement

Data Matters

The CCPA also exempts data covered by Health Insurance Portability and Accountability Act and consumer report data governed by the Fair Credit Reporting Act. Examples of categories of personal information: identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, Social Security number, driver’s license number, and passport number.


2019 end-of-year review part 1: January to June

IT Governance

For example, customers might want to change passwords for other sites or check their bank account for signs of fraud. This meant they weren’t encrypted, making them freely accessible to as many as 20,000 employees, most of whom had no legitimate reason to access the information.