3 minute read
Information Security Breaches
By Judy Payne, Executive Director, SDPAA
You’ve heard it before, but it’s worth repeating – it’s not a matter of “if”, it’s a matter of “when” a local governmental entity or any other business or organization will suffer an information security breach. Many public entities will suffer a data breach event in the near term. Many have already sustained a breach but failed to identify it.
Advertisement
Information security breach incidents can occur internally and externally. They can be accidental or intentional. They may be caused by lost devices, inadvertent leaks of data, disgruntled employees, system glitches, vendors and subcontractors, hackers, and unsecured websites. Although we hear a lot about Chinese hackers, according to a recent post from Business Insurance magazine, it’s probably much more likely that you will be penetrated by employee error or malfeasance than a Chinese hacker.
Local government entities’ records may include employee personnel files containing protected information, law enforcement data containing protected information, financial data including bank account numbers which could allow hackers to siphon funds in accounts, county voter registration lists which contain Social Security numbers, bank accounts and credit card numbers of citizens who have utility bills paid via EFT, protected information regarding citizens who receive benefits from local governments, Clerk of Courts records which may contain Social Security numbers and other protected personal data of county residents.
Here are some examples of public entity breaches: j A town in Washington had to warn residents that they could be the target of identity theft after hackers compromised a system used to run an online automatic utility billing system, emptying $400,000 from a city bank account. j An employee in a city in Florida accidentally gave the public temporary internet access to restricted city documents containing 330 city employees’ Social
Security numbers. j A hacker broke into a town’s bank account in New
York and stole $378,000 by transferring funds to banks in Ukraine.
j A public entity pool in Tennessee had a claim where as part of a Member’s public invitation to bid on their insurance, they erroneously included a roster of 200 police department employees’ names and Social
Security numbers. The information was posted on the purchasing department’s website and not discovered for a week. In that week, the information was accessed from within fourteen US states, the Philippines,
Canada, Japan, India, and South Korea. j A Member of a pool in Florida accidently sent retirement data of 170 of their employees to their actuary at an AOL account. The email address they used was off by one digit and went to another party’s
AOL account.
According to the IBM research sponsored Ponemon Institute’s 2016 Cost of Data Breach Study, the average per record cost to an organization which suffered a cyber breach was $221 in the United States. A breach of 1000 records would mean $221,000 in costs.
To protect our Members, this year the South Dakota Public Assurance Alliance (SDPAA) provides its Members with a $400,000/Member Aggregate limit of Cyber Liability Coverage. Members may elect to purchase higher limits.
We also want to provide you with some information and risk management ideas to help minimize exposure to and mitigate damages from cyber claims. Among things you can do to manage cyber risk are: j Developing an incident response plan similar to a disaster recovery plan j Ensuring firewalls and antivirus programs are regularly updated j Ensuring personnel are knowledgeable and careful about setting strong passwords, using caution when opening websites and emails, and installing and maintaining critical software updates j Developing system security procedures and conducting periodic staff training to support the procedures j Developing appropriate segregation of responsibilities with multiple users j Safeguarding personal information of employees and customers j Safeguarding laptops and other mobile devices j Using appropriate encryption for electronic confirmation j Adopt an equipment disposal policy
While in today’s world there is no way to protect your information 100% of the time, having cyber insurance coverage and practicing cyber risk management can mitigate against loss.
For more information regarding the Cyber Liability coverage provided through the SDPAA or if you are interested in securing higher limits of coverage for further protection, please contact us at sdpaa@sdmunicipalleague.org or 800658-3633, Option 2.
