When a data breach occurs, it’s an intense, frightening moment. Who you gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois.
Beyond these two categories, please be aware that notification requirements sometimes derive from other sources, including statutes that are not labeled as Insurance Data Security Laws (or that don’t even fall under that category) and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are considerable and include (but are not limited to) the method by which notice must be given, the timing of the notice, permitted delays while a law enforcement investigation is pending, what particular information must be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (in most states within three days of determining that one has occurred).
Notification to affected state residents without unreasonable delay.
Notification (usually within 10 days) to a covered third party, such as your title insurance underwriter, when you have determined or believe that a breach occurred. (For Alliant National Title, contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com.)
If you have had a breach and determined that notice is not required under the applicable state law or other authority, that determination typically must be documented in writing and retained for at least five (5) years.
ARIZONA NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION
Contact Information Pursuant to State Data Breach Notification Laws
Ariz. Rev. Stat. § 18-551 et seq. (Ariz. Rev. Stat. § 18-552 is the notification/reporting section; § 18-551 contains the definitions.) Exemption for those subject to GLBA, such as Alliant National Title; see A.R.S. § 18-552(N)(1).
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
No Insurance Data Security Law.
Courtesy/optional contact information:
Cary W. Cook, Chief Financial Compliance Officer
Arizona Department of Insurance and Financial Institutions
100 N. 15th Ave., Suite 261
Phoenix, AZ 85007-2630
Email: cary.cook@difi.az.gov
Ph: (602) 364-3986
Virtual private networks (VPNs) are a type of technology that allow businesses like yours to secure and encrypt connections to corporate networks and resources from remote locations. If you think back to the COVID-19 pandemic and the explosion of remote work, then it becomes easy to understand why VPNs have surged in popularity in recent years. If you’re considering taking the plunge and purchasing a VPN solution for your agency, you’ll want to read on for some best practices and tips.
Why VPN?
VPNs are used across industry verticals and are particularly common in finance, healthcare and, yes, insurance. These fields routinely deal with large amounts of highly sensitive information. Ensuring data security and cyber resilience is integral to business longevity, making selecting a VPN provider a strategic business decision.
Focus on top features and industry compliance
As you explore the market, you will quickly see there are many VPN providers to choose between. Cut through the noise by focusing on key priorities and features like:
Robust encryption: Look for a provider that uses AES with 256-bit keys (AES-256), the widely accepted standard, in an authenticated mode such as GCM. Key length alone says little if the cipher mode or the key exchange is weak, so ask about both.
Secure tunneling protocols: Verify that your provider offers modern tunneling protocols such as OpenVPN, IKEv2/IPsec or WireGuard. L2TP/IPsec is widely supported but older, and PPTP should be rejected outright because its authentication has been broken for years.
No logging: Unprotected online activity is logged by a variety of sources, including internet service providers, cookies, search engines and third-party services. A VPN hides the contents and destinations of your traffic from your ISP and from whoever runs the local network, but not from cookies or search engines, which see you at the application layer regardless. The provider itself sits in the middle, so check what it retains. For a business remote-access VPN you still want your own authentication and connection logs, because they are what an incident responder needs to reconstruct who connected from where and when.
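To make the encryption and protocol criteria above concrete, here is a small audit script, added as an illustration and not part of the original post or of OpenVPN itself. It parses two constructed OpenVPN server configurations, one with settings still found on old deployments and one hardened to the criteria, and flags the weak choices. The directive names are OpenVPN 2.5+; "ta.key" is a placeholder filename.

```python
"""Audit an OpenVPN server config against the selection criteria above.

Added example, not from the original post or from OpenVPN. The rules
encode OpenVPN 2.5+ directive names; both config texts are constructed,
and "ta.key" is a placeholder filename.
"""

# Weak settings still seen on old deployments: a 64-bit block cipher in CBC
# mode, an MD5 HMAC, compression, and TLS 1.0 allowed on the control channel.
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
cipher BF-CBC
auth MD5
comp-lzo
tls-version-min 1.0
"""

# The corrected counterpart: AEAD data ciphers (AES-256-GCM is the 256-bit
# choice the post asks for), SHA-256 HMAC, TLS 1.2 minimum, an encrypted and
# authenticated control channel, and mandatory client certificates.
HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
remote-cert-tls client
verify-client-cert require
"""

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse(config_text):
    """Map each directive to the list of argument strings it was given."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, args = line.partition(" ")
        opts.setdefault(key, []).append(args.strip())
    return opts


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse(config_text)
    findings = []

    # Data-channel cipher: only AEAD ciphers pass.
    ciphers = set()
    for args in opts.get("data-ciphers", []):
        ciphers.update(c.upper() for c in args.split(":"))
    for args in opts.get("cipher", []):
        ciphers.add(args.upper())
    if not ciphers:
        findings.append("no data-channel cipher set; pre-2.5 OpenVPN defaults to BF-CBC")
    non_aead = ciphers - AEAD_CIPHERS
    if non_aead:
        findings.append("non-AEAD or weak data cipher: " + ", ".join(sorted(non_aead)))

    digest = opts.get("auth", ["SHA1"])[-1].upper()    # OpenVPN's default is SHA1
    if digest in WEAK_DIGESTS:
        findings.append(f"weak HMAC digest: {digest}")

    # Default (no directive) still allows TLS 1.0 on the control channel.
    tls_min = float(opts.get("tls-version-min", ["1.0"])[-1].split()[0])
    if tls_min < 1.2:
        findings.append(f"tls-version-min {tls_min} allows obsolete TLS versions")

    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled; it leaks plaintext via length (VORACLE-class attacks)")

    if "tls-crypt" not in opts and "tls-auth" not in opts:
        findings.append("control channel lacks tls-crypt/tls-auth; the port answers unauthenticated probes")

    if "remote-cert-tls" not in opts:
        findings.append("remote-cert-tls missing; peer certificate key usage is not checked")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['OK']}")
```

The same questions apply when a hosted provider, rather than your own server, terminates the tunnel: ask which data cipher, digest and minimum TLS version its endpoints negotiate, and whether compression is off.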
Any VPN you choose must also be compliant. Before implementing a service, stay apprised of all regulations that your title agency may be subject to and verify that your VPN will meet or exceed their requirements.
User management and ease of use
Ease of use and intuitive management are critical factors when considering VPNs. This goes double if you are working with a team that is heavily dispersed. Inquire with vendors about the learning curve involved with adding this tool to your security stack. Any worthwhile provider will walk you through how to set up or remove users, add permission levels or implement two-factor authentication.
Scalability and flexibility
Your business is always evolving. Therefore, you need to work with a VPN provider whose product is flexible and scalable enough to support your team as it continues to grow. Some factors to consider include:
Network capacity: You will want to inquire into any provider’s network and carrying capacity. Remind yourself to ask about how they handle fluctuations in network traffic and how they prevent service quality from degrading during periods of high use.
Remote work: Your VPN provider should also support remote work – regardless of whether your agency currently has a telecommuting policy. You need to know that your provider’s solution can handle simultaneous, dispersed connections.
Load balancing: Another critical point to investigate is load balancing and redundancy. A VPN that can scale effectively along with your business should come with strong measures in place for distributing network traffic in a way that avoids failures and downtime.
Stay safe and productive online
When your team is armed with a good VPN, they can stay productive and secure regardless of whether they are in the office or working at home. Following these tips can help you gain this additional level of protection, allowing you to then do what you do best: continuing to meet the needs of your customers.
Harnessing the Power of AI for Better Antivirus Protection
Endpoint Detection and Response (EDR) is a newer class of endpoint security tool that provides broader protection for your devices than traditional antivirus, which relies on static signatures and so addresses only known malware. EDR is designed to detect and respond to the more complex threats that routinely slip past signature-based protection. A good EDR solution can also surface threats already hiding on a network, which matters because intrusions commonly go undetected for months. Since most intrusions begin on an end-user device, it is critically important to have the best endpoint protection you can on individual computers and laptops.
Here are some reasons to consider EDR as a preferred antivirus solution:
Smarter Detection: Traditional antivirus programs rely on pre-defined signatures to identify known threats. However, EDR takes a different approach. It uses behavioral analytics to detect suspicious activity in real-time, even if there are no known signatures. By monitoring file changes, registry modifications, and network traffic, EDR can detect and respond to the latest, advanced threats faster than traditional antivirus programs.
Complete Visibility: EDR provides security teams with a centralized management console to monitor and investigate activity across all devices in an organization. This makes it easier to deploy and manage security policies. Some vendors offer a fully managed model for businesses who cannot or do not want to deal with the administration or management of the EDR tool. With EDR, you don’t need to worry about manually updating antivirus software on individual devices. The central console ensures that the latest EDR protection is deployed, saving time and effort. In case of a security breach, EDR allows for a coordinated and rapid response to investigate and minimize the damage.
Real-time monitoring and continuous threat hunting: EDR keeps constant watch over servers, laptops and mobile devices, so security teams can identify and address threats before they breach a system and, if one does, contain it before it spreads across the network. Its threat-hunting features let analysts search for suspicious behavior proactively and act on it before it becomes an incident.
Forensic Capabilities: In the event of a security breach, EDR provides forensic capabilities that help security teams investigate and understand system events and the scope of the attack. Detailed logs of system events and user behavior are available and can be used to identify the source of the attack, measure the extent of the damage or intrusion, and then develop a plan to prevent a similar attack. This is also the evidence you will need to establish the timing, scope and extent of an event and the speed of your response, which many state breach notification laws require you to show.
Integration with other security solutions: EDR can integrate with other security tooling, such as a SIEM, enabling automated incident response workflows, centralized event logging and monitoring across multiple platforms. That integration raises the overall effectiveness of your security infrastructure.
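The "Smarter Detection" and "Real-time monitoring" points above describe behavioral rules that need no signature. The following toy detector, an added illustration that is not code from any EDR product, runs three such rules over constructed endpoint telemetry: an Office application spawning a script host, a burst of file renames by one process (encryption in progress), and a write to the per-user Run key (persistence). The event schema, rule names, thresholds and sample events are all assumptions made for the example.

```python
"""Toy behavioral detection over endpoint telemetry.

Added illustration, not code from any EDR product. The event schema, rule
names and thresholds are assumptions; the sample events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RENAME_BURST = 20      # this many renames by one process ...
WINDOW_SECONDS = 10    # ... inside this window looks like encryption in progress


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch
    host: str
    kind: str      # "process", "file_rename" or "registry_set"
    proc: str      # image name of the acting process
    parent: str    # parent image name (process events only, else "")
    detail: str    # command line, new file path, or registry value path


@dataclass(frozen=True)
class Alert:
    ts: int
    host: str
    rule: str
    evidence: str


def detect(events):
    """Run three behavioral rules over the events, in time order."""
    alerts = []
    rename_times = defaultdict(deque)   # (host, proc) -> recent rename timestamps
    for e in sorted(events, key=lambda x: x.ts):
        proc, parent = e.proc.lower(), e.parent.lower()
        if e.kind == "process" and parent in OFFICE_APPS and proc in SCRIPT_HOSTS:
            # An Office document has no business launching a script host;
            # this is the classic macro/phishing foothold, no signature needed.
            alerts.append(Alert(e.ts, e.host, "office_spawns_script_host",
                                f"{parent} -> {proc}: {e.detail}"))
        elif e.kind == "file_rename":
            q = rename_times[(e.host, proc)]
            q.append(e.ts)
            while q and e.ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) == RENAME_BURST:      # fire once, when the threshold is crossed
                alerts.append(Alert(e.ts, e.host, "rename_burst",
                                    f"{proc} renamed {len(q)} files in {WINDOW_SECONDS}s, last: {e.detail}"))
        elif e.kind == "registry_set" and e.detail.lower().startswith(RUN_KEY):
            # Persistence via the per-user Run key. A real rule would
            # allow-list signed installers; the toy flags every writer.
            alerts.append(Alert(e.ts, e.host, "run_key_persistence",
                                f"{proc} wrote {e.detail}"))
    return alerts


def sample_events():
    """Constructed telemetry: one benign host and one macro-to-ransomware chain."""
    t = 1_700_000_000
    ev = [
        Event(t, "ws-17", "process", "winword.exe", "explorer.exe", "WINWORD.EXE /n invoice.docm"),
        Event(t + 2, "ws-17", "process", "powershell.exe", "winword.exe",
              "powershell -w hidden -enc <base64 payload>"),
        Event(t + 3, "ws-17", "process", "update.exe", "powershell.exe", r"C:\Users\Public\update.exe"),
        Event(t + 4, "ws-17", "registry_set", "update.exe", "", RUN_KEY + r"\Updater"),
        # Word's own autosave rename: one event, far below the burst threshold.
        Event(t + 5, "ws-17", "file_rename", "winword.exe", "", r"C:\Users\j\Documents\~WRL0001.tmp"),
    ]
    for i in range(25):   # 25 renames in five seconds by the dropped binary
        ev.append(Event(t + 6 + i // 5, "ws-17", "file_rename", "update.exe", "",
                        rf"C:\Users\j\Documents\file{i}.docx.locked"))
    # Benign installer activity on another host: a registry write outside the Run key.
    ev.append(Event(t + 40, "ws-22", "registry_set", "msiexec.exe", "", r"hkcu\software\vendor\app\version"))
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a.ts} {a.host} {a.rule}: {a.evidence}")
```

On the sample data the detector raises three alerts, all on ws-17 and in the order the chain unfolded, while the autosave rename and the installer's registry write on ws-22 stay quiet. Real products run hundreds of such rules, tune the thresholds per environment and correlate the hits into one incident, but the principle is the same: judge what a process does, not what its file hash is.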
With the rapid evolution of advanced threats and sophisticated malware, relying solely on traditional antivirus programs isn’t enough. A robust EDR solution is the strongest endpoint protection generally available: its machine-learning detection models are updated continuously from telemetry rather than waiting on a new signature. The combination of advanced detection, rapid response, real-time central monitoring and forensic features gives you a powerful tool to protect your organization’s critical and sensitive data. Endpoint protection is a vital shield on the front line of defense, and it is imperative that the defense is effective, today more than ever.
Interested in learning more about EDR? Notable companies that offer EDR solutions include SentinelOne, CrowdStrike, and Cisco. If you have questions about EDR and other tools and strategies to protect your networks and your business, feel free to contact me: tweyant@alliantnational.com
October evokes many things: skeletons, ghosts, pumpkins and, of course, Halloween. Yet for anyone wanting their workplace to operate efficiently and safely, October should be known for something else:
#CybersecurityAwarenessMonth!
This 31-day period is a perfect reminder for businesses to review and, if needed, revise their cybersecurity strategy for the year ahead. Let’s learn more about this awareness month and how you can seize the moment to fortify your company’s cyber approach.
Where it All Began
Cybersecurity Awareness Month started in 2004 when the U.S. Congress gave October that official designation. Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative, public-private effort to raise cybersecurity awareness nationally and internationally.
Each year, Cybersecurity Awareness Month initiatives are organized under a different theme, with 2022’s being “See Yourself in Cyber” – an urgently important message. It advocates for people to stop seeing cybersecurity as an inaccessible topic for the select few and instead view it as something in which everyone can play a role.
Four Main Pillars
According to CISA, beginning to “See Yourself in Cyber” involves acting on four key priorities, some of which we’ve already discussed on this blog:
By taking these basic steps to protect your information and privacy, everyone can gain more ownership over their online life and prevent costly incidents.
Become a Cybersecurity Paragon
The silver lining when talking about cybercrime is that more attention is being paid to cybersecurity these days. A trickledown benefit of this enhanced awareness is that more resources are now available that can help even those unfamiliar with cybersecurity improve their firm’s digital defenses.
One such example are the efforts of the CISA. Each year during Cybersecurity Awareness Month, CISA invites interested parties to join them as “cybersecurity partners.” Those that do receive a toolkit with everything they need to audit their own security posture and raise awareness within their company and industry. Elements of the toolkit include cybersecurity 101 presentations, tip sheets, content assets and much more.
Visit CISA’s website for more information and to sign up as a cybersecurity partner.
You Can Prevent Cybercrime
Do you remember seeing those U.S. Forest Service ads where the iconic Smokey the Bear would proclaim, “Only you can prevent forest fires”? You don’t have to be a marketing whiz to see the beauty of that campaign. Simple, direct and powerful, it outlines the essential role we all play in preventing a widespread problem that can carry a terrible cost if it goes unchecked.
The same message holds true for cybercrime. A ubiquitous problem that can lay waste to individuals, businesses and even entire communities, cybercrime is nothing to joke about. If you’re a small business owner, for example, one bad attack can threaten your longevity as an enterprise.
But instead of becoming intimidated and reactive, events like Cybersecurity Awareness Month can inspire us to become empowered and proactive. We can all choose to “See Ourselves in Cyber” and take action to create a safer digital community.
Cybersecurity was a major topic during the past 12 months. Here are a few of the top trends.
2021 was another whirlwind year, full of both difficult challenges and encouraging developments. Naturally, this extends to the cybersecurity field as well. Let’s look back at some of the biggest cybersecurity developments and what they mean for the workplace.
Malware in the News
Most people these days have a basic understanding of malware. At the very least, they’ve heard the term before, as well as its many variations like computer viruses, worms, Trojan horses, ransomware, spyware or adware. However, 2021 was the year cybersecurity awareness went fully mainstream. From the Colonial Pipeline and SolarWinds attacks to the explosion in COVID-19-related phishing, cybersecurity issues dominated the headlines like never before.
Business Responses
Unsurprisingly, this explosion in malware activity has brought a wide range of responses – many of which are quite good and include elements I’ve previously advocated for on this blog. For example, during 2021 it became abundantly clear that cybersecurity should not solely fall under the purview of IT. A secure organization requires everyone to practice safe online behavior, but to do that, employees need guidance on identifying potential threats and acting accordingly when they encounter one. Additionally, end-users often require instruction and training on proper password management.
Remote Work Security
Of course, this is only one piece of the puzzle, particularly as remote work has skyrocketed over the past year. IT professionals have had to push themselves to their limits to support their organizations through such a profound paradigm shift. They have had to contend with employees potentially using unsecured personal devices and networks; the prospect of corporate devices being stolen, lost or misused; and cybersecurity knowledge gaps amongst dispersed workforces. To compensate, businesses have adopted a wide range of approaches, including advocating for multi-factor authentication, conducting extensive WFH (work from home) security training or deploying new solutions such as virtual desktops or DaaS.
Here’s to a Successful 2022
As one year ends and another begins, it’s important to look back in addition to looking ahead. 2021 has been a difficult period for cybersecurity, affecting both IT professionals and end-users. However, by practicing due diligence, ensuring that staff is trained on best practices and making investments where necessary, firms can face the new year with a sense of optimism, knowing that they’re well-positioned to operate safely and effectively in our digital-first economy.