To Notify or Not to Notify – That is the Question


Page 1: To Notify or Not to Notify – That is the Question

2010 PLUS International Conference

Page 2: To Notify, or Not to Notify – That is the Question

MODERATOR:

• Toby Merrill, Vice President, ACE USA

PANEL:

• Beth D. Diamond, Esq., Claims Manager, Beazley Group

• John F. Mullen, Esq., Partner, Nelson, Levine, de Luca & Horst, LLC

• K Royal, JD, CIPP, Privacy & Security Officer, Assistant Vice President, Regulatory Affairs, Concentra Inc.

• Tom Srail, Senior Vice President, Technology, Willis

• Benjamin Stephan, CISSP, CISA, EnCE, QSA, PA-QSA, Director of Incident Management, FishNet Security

Page 3: Overview

• Brief Introduction

• Privacy and Network Security Liability

• Privacy Regulations

• To Notify or Not to Notify

• Q&A

Page 4: To Notify or Not to Notify: Privacy Insurance Market

Page 5: Privacy Insurance Marketplace

• Evolution of the Coverage
    Origins focused on network security
    Evolution to ‘sensitive data’ and ‘unintentional error’

• Market Growth
    Standalone market estimated at $600M GWP*
    1 in 3 purchase coverage and 1 in 4 plan to in next 18 mos*

• Drivers and Barriers
    - Price in a sluggish economy
    + Policies that include data breach services
    +/- Product knowledge

*2010 Betterley Cyber Risk and Privacy Market Survey

Page 6: Ponemon Institute Studies

• Average total cost per incident of $6.75M
    $6.6M, $6.3M & $4.8M in 2008, 2007 & 2006
    Cost to resolve ranged from $750,000 to $31,000,000
    Number of records ranged from 5,000 to 101,000

• 42% of breaches occurred due to external causes

[Chart: Breach Cost per Record, by sector (Avg., HC, FI, CP, Retail)]

[Chart: Cost of a Lost Laptop, by sector (Avg., HC, Pharma)]

Page 7: Ponemon Institute Studies (cont’d)

• Average cost of $204 per record
    $202, $197 & $182 in 2008, 2007 & 2006
    Direct $69; Indirect $135
    Defense 27%; Consulting 24%; Contact 22%; Forensics 16%; Services 6%
    Malicious $215; Human Negligence $154; IT Glitch $166
    1st Party $194; 3rd Party Vendor $217
    First Timer $228; Second Offender $198
    With CISO $157; Without CISO $236
    With consultant $170; Without consultant $231
    < 1 month to notify $219; > 1 month $196

Page 8: Privacy/Cyber Insurance Marketplace

• Pricing
    Aggressive competition
    Typical flat to slight decrease on renewals

• New/revitalized Markets
    Updated forms
    Blending with other policies (Managed Care, Misc E&O)

• Capacity
    Stable Primary Limits (10M-20M typical)
    Increased excess participation available
    $200M+ total available for most large risks

Page 9: Privacy/Cyber Insurance Marketplace

• Current Coverage Enhancements
    Privacy Expense
        • Outside of Liability Limits options
        • New express coverage (ID Theft restoration expense)
        • Larger (Full+) Limits
    Regulator and/or PCI Fines/Penalties - larger limits available

Page 10: Privacy/Cyber Insurance Marketplace

• Current Coverage Enhancements (cont’d)
    Excess “Drop Down”
        • Privacy Expenses
        • Fines/Penalties
    Pre-arranged/recommended Vendors
    First-Party Coverage
        • Administrative Error Triggers
        • Lower BI waiting periods

Page 11: Privacy Insurance Market: Panel Discussion

Page 12: Privacy Regulations: Overview

Page 13: What is Notification?

• Statutory – In the event of a security breach, most federal and state laws require notification to:
    Customers
    Government Agencies
    Attorneys General
    Law Enforcement
    Credit Reporting Agencies (CRA's) (not necessarily required, but may be prudent)

• Voluntary – When notification is not required by law, but for reasons of goodwill, etc. a company would prefer to notify its customers, etc.

Page 14: Purpose of Notification

• To enable individuals to mitigate risk of identity theft or fraud when a breach occurs

• To enable the authorities to exercise their regulatory oversight functions

• To motivate organizations to implement more effective security measures to protect sensitive information

Page 15: General Notification Requirements

• Federal and state laws have unique requirements for:
    format of notification
    time frame within which to notify, and
    content of notification letter

• In many cases, failure to notify pursuant to a particular notification law may lead to fines and penalties

Page 16: State Notification Requirements

• Generally require written notification to individual in the event of a breach of security

• However, each state varies in:
    the definition of what constitutes a breach
    the definition of personal information (only a few include PHI)
    inclusion of a “risk of harm” standard
    content requirements for notice
    authorities that must be notified
    available penalties and private right of action

Page 17: State Data Breach Laws

2003 – California Senate Bill 1386 (CA SB 1386)
2005 – 10 additional states
2006 – 19 additional states
2007 – 9 additional states
2008 – 7 additional states
2009 – 1 additional state
2010 – 1 additional state

Privacy/identity theft legislation in 46 states (+D.C.)

States with no Data Breach Legislation:

• Alabama, Kentucky (passed but not yet enacted)

• New Mexico, South Dakota (no data breach law)

Page 18: California Notification Requirements

• Must be in “plain language”

• Must include at a minimum:
    Name and contact info of the reporting agency
    Types of personal information involved
    When it happened
    If notification was delayed due to law enforcement investigations
    General description of the breach
    Estimated number of persons affected
    Toll-free telephone numbers and addresses of major credit reporting agencies (if breach exposed bank account/credit card number, SSN, or driver’s license/ID card number)

Page 19: California Notification Requirements

• Other discretionary data may be included (e.g. information about what agency has done to protect affected individuals, advice on how to protect self, etc.)

• Notice may be given in writing or electronically. Substitute notice permitted if:
    cost of providing written notice will exceed $250,000,
    affected class to be notified exceeds 500,000 residents, or
    insufficient contact information to provide notice

Page 20: What is Personal Information?

• State: An individual’s first name or first initial and last name in combination with any one or more of the following, when either the name or the data elements are not encrypted:
    • SSN
    • Driver’s license No. or CA ID Card No.
    • Account, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account

• Up to ten other factors added in many states (e.g. biometric data in NE, IA and WI)

Page 21: Massachusetts Requirements

• Must be given to: Massachusetts AG; Director of Consumer Affairs and Business Regulation; and affected Massachusetts residents

• Notice to AG and Director of Consumer Affairs and Business Regulation must include:
    nature of breach;
    the number of Massachusetts residents affected by such incident at the time of notification; and
    any steps the person or agency has taken or plans to take relating to the incident

Page 22: Massachusetts Requirements

• Notice to affected Massachusetts residents must include:
    the resident's right to obtain a police report
    how to request a security freeze on her/his credit report

• Notice to affected MA residents must not include:
    Nature of breach; nor
    Number of Massachusetts residents affected by the breach

• Notice may be given in writing, by telephone or electronically. Substitute notice permitted if:
    cost of providing written notice will exceed $250,000,
    affected class of Massachusetts residents to be notified exceeds 500,000 residents, or
    insufficient contact information to provide notice

Page 23: HITECH Notification Requirements

• Written notice via US mail to individual or next of kin

• Substitute notice if there are 10 or more individuals for whom there is insufficient contact information.

• >500 residents of a state or jurisdiction are affected by breach: notify prominent media outlets in that state or jurisdiction

• >500 individuals in total are notified, Secretary must be notified immediately (i.e. within timeframe to individuals)

• <500 individuals, Secretary may be notified in an annual report

Page 24: HITECH Notice - Content Requirements

• Description of event, including date of breach and date of discovery, if known

• Description of Protected Health Information (PHI) affected

• Steps individuals should take to protect themselves

• Description of what entity is doing to investigate, mitigate harm to individuals and protect against further breaches

• Contact procedures for more information (toll-free number, an email address, website, or postal address)

• Must be written in clear, plain language

Page 25: Potential Agencies to be Notified When a HITECH Breach Occurs

• State Attorneys General

• State regulators
    DOI
    Medicaid regulators
    Consumer Protection Offices

Page 26: What is Personal Information?

• HIPAA: ANY “Unsecured” PHI = protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary

    Encryption and destruction of PHI are the only acceptable methods

Page 27: Risk of Harm Standard

• HIPAA: Breach poses: “[a] significant risk of financial, reputational, or other harm to the individual”
    Notification is only necessary if the breach poses a significant risk of harm
    Covered Entities & Business Associates must document their risk assessment to demonstrate that notification was not required

• State Law: NJ disclosure not required if “misuse of the information is not reasonably possible”. CA and TX without explicit “risk of harm” trigger

Page 28: Privacy Regulations: Panel Discussions

Page 29: To Notify or Not to Notify: Data Breach Scenarios

Page 30: Scenario #1

• Minnesota retailer notified by Visa of potential hack

• Forensics determines 1.5M credit cards were likely compromised

• Roughly 1M of the records were encrypted

• Hackers were in the system for 14 months

• Cardholders reside in MN, ND, SD, IA, IL, WI

Page 31: Scenario #2

• A trash company discovers the printed records of a SC community bank in a dumpster

• The information contains the loan applications for more than 10,000 residents in NC, SC & GA

Page 32: Scenario #3

• A hospital in Massachusetts discovers that a desktop computer has been stolen

• Forensics determines 100,000 medical records were located on the desktop

• None of the records were encrypted

• Patients reside in MA, CT, RI, AZ and NH

Page 33: Scenario #4

• A community college in New Mexico discovers that its alumni list was searchable on its website

• Visitors of the site would be able to obtain alumni grade point averages and job history if searched by name

• Forensics is unable to determine whether any searches had been made on alumni records

• Roughly 500,000 records were potentially compromised

• All alumni were New Mexico residents

• What if forensics later determines S.S.#’s were involved? Some residents were from New York? Or both?

Page 34: Scenario #5

• A technology hosting company discovers that hackers had accessed a number of servers

• Forensics determines that millions of records were located on these servers

• The records belong to more than a dozen financial institutions, hospitals and retailers

• Some of the data was encrypted

• Cardholders reside in more than 30 states

Page 35: Key Takeaways and Predictions

Page 36: Questions & Answers

Page 37: Many Thanks To…

• Toby Merrill

• Beth Diamond

• John Mullen

• K Royal

• Tom Srail

• Benjamin Stephan