Independent Audit Verifies Terrier Claims Services’ Internal Controls and Processes

Pleasantville, NY – Terrier Claims Services, a full-service insurance investigations firm, today announced that it has completed its annual SOC 2 Type II audit. This attestation provides evidence of Terrier Claims Services’ commitment, year after year, to delivering high-quality services to its clients by demonstrating that the necessary internal controls and processes are in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Terrier Claims Services’ controls to meet the standards for these criteria.

“Terrier Claims Services continues to be the best solution for claim investigation and trial preparation services. Now, with KirkpatrickPrice as our auditor and the SOC 2 certification, our clients can rest assured that their data is retained in a secure environment. Terrier Claims Services is the only SOC 2 Type II certified regional investigation company in the Northeast,” said Dan Sullivan, President of Terrier Claims Services.

“The SOC 2 audit is based on the Trust Services Criteria. Terrier Claims Services has selected the security category for the basis of their annual audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “By communicating the results of this audit, their clients can be assured of their reliance on Terrier Claims Services’ controls.”

About Terrier Claims Services

Founded in 1996 by brothers Dan and Edward Sullivan, TCS is a full-service claims investigation firm dedicated exclusively to insurance defense, third-party administrators, defense attorneys, and government agencies.

The company’s mission is a simple one: deliver a consistent, high-quality service at a fair price while maintaining the highest ethical standards.

Terrier Claims Service was established to create a new model of effectiveness, efficiency and excellence in an industry where adequate performance is not enough. We separate ourselves from other firms by combining cutting-edge computer tracking and processing technology with aggressive instinct to produce the ultimate end-product – results. Terrier Claims is excited at the prospect of demonstrating our abilities and exceeding the highest expectations.

Our investigations are customized to suit specific needs and are aggressively pursued to an economical and efficient disposition. Our extensive experience ensures creative solutions to even the most challenging investigations and claims. Experts in Construction, Mass Transit, Workers’ Compensation, Liability, Medical Malpractice and Property claims investigation, our team is prepared to assist from incident to resolution with investigation, emergency response investigation, desktop background investigations, surveillance, trial preparation and property adjusting. Our services are available 24 hours a day, seven days a week. www.terrierclaims.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

CCPA Implications for Marketing

It’s no secret that digital marketing is undergoing a major transformation – one that is centered on giving consumers more autonomy over the way their personal information is collected, used, stored, sold, and transmitted. Last year, we saw how the EU’s General Data Protection Regulation changed the international landscape of marketing, and 2020 will be the year the US really feels the brunt of the data privacy revolution, starting with the California Consumer Privacy Act (CCPA). What are the implications of the latest data privacy law to go into effect? What does CCPA mean for marketing? How can marketers prepare? Let’s find out.

How Can Marketers Prepare for CCPA?

Do you market or sell your products to California residents? Even if your business is not physically located within the borders of California, you are still required to comply with the new data privacy law, because CCPA applies to any for-profit organization that meets any of the following criteria: has annual gross revenues of over $25,000,000; buys, sells, or shares the personal information of 50,000+ consumers per year; or derives 50% or more of its annual revenues from selling consumers’ personal information. This means that, for most organizations across the United States, there is an immediate tension between CCPA and their marketing activities. Because today’s digital marketing landscape depends on the collection of personal information (e.g., names, emails, birthdays, phone numbers, Social Security Numbers), marketers must make data privacy a priority. Here are some of the ways that marketers have gotten started on their CCPA compliance efforts.

  • Education: It’s hard not to see CCPA topics throughout webinars, blogs, infographics, white papers, videos, and social media. The experts are providing educational content to marketers. There’s no excuse not to learn and prepare for CCPA compliance.
  • Data Mapping: Data mapping is a critical area of data privacy. In order to ensure that the data you’ve collected is as secure as possible, you need to first know what data you’re collecting, why you’re collecting it, who interacts with the data, where it’s stored, and how it’s used, transmitted, and/or secured. Data mapping also gives you the opportunity to ensure your vendors, like email services, are also CCPA compliant.
  • Collecting Consent: When it comes to CCPA and marketing consent, entities must provide four easily accessible notices. According to the California Attorney General’s newly released regulations, organizations must provide a Notice at Collection of Personal Information, Notice of Right to Opt-Out of Sale of Personal Information, Notice of Financial Incentive, and Privacy Policy to consumers. This helps ensure that consent is affirmatively and freely given, and that consumers have been informed of their rights to access and erasure under CCPA.
  • List Cleaning: Data mapping and revising consent collection processes will help you create clean lists; however, organizations must still work through cleaning the lists that they currently use. Organizations should evaluate how the data was collected, whether consent was freely given, and whether the data is still being used and/or is necessary.

Benefits of Data Privacy and Compliance for Marketers

Although compliance may seem daunting right now, embracing data privacy regulations will prove to be fruitful for organizations in the long run. Why? Because when organizations demonstrate their compliance with data privacy laws, like CCPA, GDPR, or PIPEDA, they reap the following benefits:

  • Building customer trust is a difficult task in this day and age; digital consumers are fearful of unwanted follow-up, sales pitches, cold calls, and spam. CCPA compliance is an opportunity to present your organization as a secure and trustworthy service or source, and even has the potential to rebuild the trust that many digital consumers have lost. This trust may actually result in greater sharing of personal data.
  • Complying with CCPA pushes marketers to put the user experience first and demonstrate that you respect user preferences.
  • CCPA compliance gives marketers the opportunity to improve their data security as they engage with prospects and consumers.
  • Because email marketing strategies may need to be shifted for CCPA compliance, this gives marketers an opportunity to focus on areas that may not be so heavily impacted by GDPR, like social media, SEO strategies, and content creation.
  • CCPA compliance may bring a competitive advantage for two reasons. First, meeting CCPA compliance demonstrates to prospects and consumers that your organization prioritizes data security and user privacy. Second, once you’ve taken steps towards CCPA compliance, you can reduce the likelihood that your organization or your clients will face regulatory investigations and fines.

As a data-centric industry, marketing departments and agencies alike will have to swiftly adopt data privacy best practices, or they’ll be left in the dust. If your organization is just starting out on your CCPA compliance efforts or has questions about how your marketing practices need to evolve in order to become CCPA-compliant, contact us today to speak to one of our data privacy experts.

When headlines about companies like Capital One, Imperva, Marriott, Target, or Home Depot becoming victims of a data breach are released, we understand why small and medium size businesses start wondering if their efforts put towards an information security audit are worth it. If enterprise-level companies and household names can’t protect themselves, why should startups and smaller companies even try? If they can’t do it, no one else can either, right? Wrong. If your organization tends to align with this dangerous, unproductive line of thinking, then this blog post is for you. The threats you’re up against are real, but you can protect yourself and your clients’ data – you may just need some help establishing an information security program.

You vs. Them

Hackers don’t discriminate based on company size, industry, or location. They’re after sensitive assets like PHI, CHD, passport information, dates of birth, travel reward numbers, and Social Security numbers. The methods they use to go after small, medium, and enterprise-level businesses are different, though.

Hackers cast a wide net to catch small and medium businesses in their areas of weakness. When they can send phishing emails to 100 companies with 100 employees, the odds are good that an untrained, unaware employee will fall for it – even better if it’s an employee who should know better. There are plenty of breaches that happen each day that could have easily been prevented by security testing, employee training, or a basic information security program. How frustrated would you be if one employee clicked on a malicious link and it cost you hundreds of thousands of dollars, when security awareness training could’ve prevented this entire situation?

For enterprise-level businesses, hackers have more to gain, so they can spend more time planning and executing an attack. They can spend months testing their methods and observing vulnerabilities, maybe even collaborating with other hackers. This is something that, unless you have extremely sensitive data, you probably don’t have to worry about. Does that mean you shouldn’t have an information security program? Absolutely not.

Protect Yourself

When a data breach happens, it’s not just your clients who are impacted. Your name is in the headlines, and you’re the one who will pay for it (literally).

Legal Ramifications – New, state-level breach notification, cybersecurity, and privacy laws are consistently passed, with non-compliance resulting in hefty fines. When you ignore these laws or try to find loopholes, there will be legal ramifications to face.

Regulatory Responsibility – If you are subject to a regulatory body, what will happen if they find your organization non-compliant?

Costly Consequences – According to IBM, the average cost of a data breach in the United States is $8.19 million, with 67% of the cost occurring within the first year, coming from data breach detection and escalation, notification cost, incident response, and lost business. Does this cost outweigh your hesitancy to establish an information security program?

Competitive Disadvantage – If you don’t establish an information security program and have a data breach, your competitors can learn from your mistakes and use your data breach during sales conversations. If you don’t establish an information security program and haven’t been a victim of an attacker yet, your competitors can still have an advantage over you by pursuing information security audits to prove their commitment.

Protect Your Clients

When a client trusts you with their sensitive data and you can’t even provide them with evidence of your commitment to protect that data, do you think they’ll be loyal clients? Is the cost of an audit or information security personnel worth more to you than client data being sold on the dark web? According to Symantec, here’s what hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty from reward program accounts with 100,000 points – $10-20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-35

When you have no formal information security program in place and no way of showing it even if you do, your clients won’t be satisfied with your service. In some cases, a client legally cannot contract your service without seeing your audit report or policies.

Partner with KirkpatrickPrice

When you have the right partner, information security best practices can be an integral, sustaining part of your business. Audits are hard. We get it. But, they’re the only way to prove your commitment to protecting your clients and protecting yourself. Let’s partner together to define an accurate scope, implement industry best practices, and establish an information security program that will protect you and your clients.

KirkpatrickPrice is an audit firm whose goal is to provide the guidance you need to embark on a successful compliance journey. You don’t have to settle for choosing a partner that conducts an audit and leaves you with unanswered questions and worries, or who holds you to unrealistic expectations. Contact KirkpatrickPrice to get the partner your organization deserves to have on its compliance journey.

If you knew a hurricane or car accident was going to happen, wouldn’t you do your best to prepare for it? You’d want to know every detail of its likelihood so your plan of action would prevent as much damage as possible. The same principle applies to information security breaches – that’s why it’s important for your organization to be aware of and remediate common security gaps so you can avoid the vulnerabilities that hackers use to breach data systems. Each type of audit comes with different security gaps to be aware of, even if the frameworks are similar, like SOC 1 and SOC 2. No matter the audit, it’s valuable to know how to avoid unnecessary security risks by catching these common gaps in your system. Even by reading this blog post, you’re already far ahead of many organizations in securing your systems.

Most Common SOC 1 Gaps

The most common SOC 1 gaps include gaps in change management, risk assessment, application development, vulnerability testing, logical access, network monitoring, physical security, and organization overview. Organizations that don’t place a priority on mitigating these security gaps are faced with costly breaches after hackers infiltrate their systems. You don’t want to be caught in the same situation. Let’s talk about a few of these common SOC 1 gaps by looking into some massive security breaches.

  • Risk Assessment: Establishing a formal risk assessment process allows organizations to do their due diligence and prioritize risk. Risk assessments often lead to an understanding of the types of risks that your vendors carry into your environment. Earlier this year, FEMA exposed over two million disaster victims’ data with a vendor. Could a risk assessment have detected the 11 vulnerabilities on that vendor’s network?
  • Application Development: The ICIT says that software security is national security – and a lack of software security is a national threat. First American Corporation was breached after a vulnerability in a product application was found, compromising over 885 million records because of a design defect in the application. Had First American Corporation known that application development was an extremely common SOC 1 gap, would it have recognized the vulnerability during the development phase?
  • Vulnerability Testing: SOC 1 audits within AWS environments often reveal a gap in vulnerability testing. Organizations must test their S3 buckets for vulnerabilities and misconfigurations in order to prevent a system breach. The Democratic Senatorial Campaign Committee knows this firsthand after their misconfigured S3 bucket was exposed. More than 6 million email addresses were exposed on the internet, able to be viewed by any person with a free AWS account. Testing for vulnerabilities and misconfigurations is invaluable to your information security program.
  • Network Monitoring: When Timehop was breached in 2018, their engineers responded to the event within 2 hours of discovering the network intrusion. Although the hacker had access to Timehop’s cloud for about six months, when the active attack actually occurred, Timehop’s network monitoring tools reported that the service was down, and Timehop engineers worked to restart services. If not for network monitoring, how much time could’ve passed before Timehop recognized the attack?
  • Physical Security: In April 2018, a New Jersey man was found to have infiltrated two companies’ physical security systems to install a hardware keylogger. The breach was orchestrated for over 2 years after the man fraudulently gained access with an employee badge. He was able to breach the system and access personal information, intellectual property, and plans for new technology that each company was developing. If these companies had properly disposed of unused access badges and limited access to secure areas, they might have prevented major breaches.
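
The vulnerability-testing bullet above says buckets must be tested for misconfigurations but does not show what such a check looks at. The following is an added example, not code from the post or from KirkpatrickPrice: a static assessment of one bucket's ACL, bucket policy and Public Access Block settings in the JSON shapes the S3 API returns. The three documents are constructed inline rather than fetched from AWS, and the function names (`assess_bucket` and its helpers) are this example's own.

```python
"""Static check of an S3 bucket's configuration for public exposure.

Added example, not from the original post. The ACL, policy and Public Access
Block documents below are constructed sample inputs in the same shape that
GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock return.
"""

# Canned group URIs that S3 uses for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample: owner has full control, but READ is granted to everyone.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]
}

# Constructed sample policy: one unconditional public read, one wildcard
# principal limited by a VPC endpoint condition, one Deny that is harmless.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

SAMPLE_PAB_OFF = {flag: False for flag in PAB_FLAGS}
SAMPLE_PAB_ON = {flag: True for flag in PAB_FLAGS}


def _as_list(value):
    """Policy fields such as Action or Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element matches any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_acl_grants(acl):
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def public_policy_statements(policy):
    """Findings for Allow statements whose Principal is a wildcard.

    A wildcard principal under a Condition (e.g. aws:SourceVpce) may be
    intentional, so it is reported for review rather than as an open bucket.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy {sid}: wildcard principal for {actions}, limited by Condition (review)")
        else:
            findings.append(f"policy {sid}: wildcard principal for {actions} with no Condition")
    return findings


def assess_bucket(acl, policy, public_access_block):
    """Combine the checks into one verdict.

    With all four Public Access Block flags enabled, S3 ignores public ACLs
    and restricts public policies, so the bucket is reported as not public;
    the sloppy grants are still listed so they can be cleaned up.
    """
    findings = public_acl_grants(acl) + public_policy_statements(policy)
    pab_enforced = all(public_access_block.get(flag) for flag in PAB_FLAGS)
    return {"public": bool(findings) and not pab_enforced,
            "pab_enforced": pab_enforced,
            "findings": findings}


if __name__ == "__main__":
    for label, pab in (("PAB off", SAMPLE_PAB_OFF), ("PAB on", SAMPLE_PAB_ON)):
        result = assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, pab)
        print(f"{label}: public={result['public']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the real API, the same functions take the dictionaries returned by `get_bucket_acl`, `json.loads(get_bucket_policy()["Policy"])` and `get_public_access_block()["PublicAccessBlockConfiguration"]`; the point of separating the Condition case is that a wildcard principal is not automatically a finding to close, only one to review.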

Other common SOC 1 gaps to be prepared for are Change Management, Logical Access, and Organization Overview. You can remediate gaps by ensuring all company employees understand the company’s security and ethics expectations and are using MFA on company equipment. Having a structured plan of action for system changes can lead to more security when your organization implements both small-scale and large-scale adjustments.

Learning to Remediate the Gaps

The first step to avoiding common hacker tactics is to remediate your gaps. What gaps should you look for? You can start by reviewing common SOC 1 gaps in the areas of change management, risk assessment, application development, vulnerability testing, logical access, network monitoring, physical security, and organization overview.

If you want to avoid fines, loss of customers, and everything else these companies have to face after a massive security breach, you need to ensure your organization is taking every precaution against hackers. Contact KirkpatrickPrice today to learn more about remediating your SOC 1 gaps and staying one step ahead of hackers.

Common Ways Wireless Devices, Applications, and Networks are Exploited

From hand-held wireless devices to wireless networks, your organization probably depends on the convenience and accessibility of wireless devices to conduct business – but wireless devices are just as likely as any other technology to be compromised by hackers. Do you know what vulnerabilities your wireless devices, applications, and networks are up against? In this short webinar, KirkpatrickPrice expert pen tester, Mark Manousogianis, discusses the most common vulnerabilities found in wireless applications and how pen testing can keep them secure.

Wireless devices were intended to make everyday life easier, but the vulnerabilities that persist within wireless devices, applications, and networks make using such tools risky. Knowing the common ways wireless devices, applications, and networks are exploited, though, can give you the head start you need to prepare against advancing threats. When introducing any wireless device, application, or network to your environment, be wary of the following:

  • Default SSIDs and passwords
  • Access points where tampering can occur
  • Out-of-date firmware
  • The vulnerable Wired Equivalent Privacy (WEP) protocol
  • The WPA2 KRACK vulnerability
  • WPS attacks
  • Rogue access points
  • Evil twins
  • Man-in-the-Middle attacks

Securing Wireless Technologies with Penetration Testing

There are many ways for malicious hackers to compromise wireless environments and the people who use them. Organizations would be wise to use strong protocols, implement and enforce strong password best practices, keep firmware updated, and educate users regularly on updates and vulnerabilities as baseline, proactive measures for securing wireless technologies. However, while these proactive steps can be used to secure your wireless devices, applications, and networks as much as possible, you will still never know how well they’ll stand against an attack until you’ve submitted them to penetration testing.

How sure are you that you have found all of the vulnerabilities in your wireless devices, applications, and networks? Could there be more you’re unaware of? Watch the full webinar now to learn about common vulnerabilities in wireless devices, applications, and networks or contact us today to speak to one of our Information Security Specialists about our wireless penetration testing services.