bis eo cyber presentation
TRANSCRIPT
DATA BREACHES ARE VERY COSTLY
• In the 2014 Ponemon study, the cost of an average breach for an organization increased to $5.9 million!
• In 2014 the average per-record cost of a data breach increased from $188 to $201.
Why Do You Need E&O?
• Your GL Policy specifically excludes data breaches
• Effective May 1, 2014 CG 21 06 05 14 — excludes coverage, under Coverages A and B, for injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.
Regulatory Demands
• HIPAA, FTC, GLB, and PCI DSS 3.0
▫ establish responsibility for handling confidential information
• Property limitation of liability in UCC 7-204 does not apply to services
• Fines are just the tip of the iceberg
▫ Notification costs can be very high
▫ Lawsuits (example – patients sue the covered entity, which then seeks to recover its losses from you)
Critical Coverage Elements
• Privacy Wrongful Act
• Notification & Credit Monitoring Expenses
• Rogue Employee Protection
• Crisis Management/Public Relations Expenses
• Civil Fines & Penalties
• Extortion
• Bodily Injury
• Hammer Clause
• Limits/Sublimits
Claims: Perpetual Storage 2008
• Breach Costs without a Breach
• ~1.5M Patient Billing Records Potentially Involved
• Notification & Credit Monitoring Costs
• Public Relations Costs
• Client Costs (Univ of Utah - estimated at $3.3M)
• Legal Costs
Claims: Recall 2007
• Vendor Outsourcing/General Liability Issues
• ~500k Employees Potentially Involved
• Notification & Credit Monitoring Costs
• Public Relations Costs
• Client Costs (IBM estimated at $6M)
• Legal Costs
Claims: GRM - 2010
• Encryption and/or Employee Error Issue?
• ~1.7M People Potentially Involved
• Notification & Credit Monitoring Costs
• Public Relations Costs
• Client Costs (NYC HHC estimated at >$350M)
• Legal Costs
Claims: Iron Mountain - 2006
• Employee Error Issue
• 17,000 People Potentially Involved
• Notification & Credit Monitoring Costs
• Public Relations Costs
• Client Costs (Long Island Railroad)
• Legal Costs
How would a breach be handled under a cyber policy purchased through BIS?
• Make sure you have a breach response plan that includes insurance response info
• Call data breach hotline
• Activate incident response plan or DR/BCP
• Confer with carrier’s breach response team
• File incident data sheet with response team
• Response team assists in drafting a breach notification letter
• Law enforcement, regulators, client & management approve letter
• Notification letter sent to impacted parties
• Assistance provided in media relations and credit bureau notification if needed.
• Response team handles calls from impacted individuals
• Continued assistance with client claims, fines and litigation
• *Note – this scenario assumes first-party and third-party coverage in the example provided.
Final thoughts: Ops mitigation
• Best mitigation strategy is to avoid risk exposure
▫ Require encryption wherever possible
▫ Train employees completely
▫ Ensure third-party vendors provide equal protection & contract assurance
• Invest in adequate policies and processes like those advocated by PRISM Privacy Plus
▫ Contact Brightstone Consulting for assistance in crafting an information security policy, conducting a risk assessment, or training employees.
For insurance assessment or E&O quote information please contact Brian Jungeberg at Brightstone Insurance
440.260.1002 - [email protected]
For assistance with Privacy Plus preparation, compliance-related issues or other operational mitigation contact Jim Booth at Brightstone Consulting
919.696.7754 - [email protected]