Post on 18-Dec-2015
Murn Meyrick & Jonathan Ashall
April 9, 2008
ORIMS Professional Development Day
Privacy & Network Security Liability
Agenda
Privacy legislation & framework
Exposures
Recent Examples
Insurance Response
Underwriting
The Path to Privacy Legislation…
Growth and importance of IT systems and technology through the 1980s and 1990s meant past legislation was outdated.
Data was being collected, stored and transmitted in ways not contemplated when the existing legislation was enacted.
It was clear that new legislation was required to ensure its relevance to the modern world.
This realisation led to a raft of legislation being enacted the world over, including…
Privacy Legislation Around the World
Europe – EU Data Protection Act, overseeing various laws at Member State level including UK Data Protection Act.
USA – Fair Credit Reporting Act (FCRA), Gramm Leach Bliley Act (GLB), Health Insurance Portability & Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA) and various State acts.
Australia – Commonwealth Privacy Act, amended by Privacy Amendment (Private Sector) Act.
Canada – Privacy Act and Personal Information Protection & Electronic Documents Act (PIPEDA)
Common Themes…
All seek to address the collection, storage and use of “personal information” by both Government agencies and the private sector.
All seek to outline appropriate technical and organisational measures to protect such data.
“Personal Information” usually described as any data that can be used to identify a living person, with focus upon financial and healthcare related data.
All seek to outline the rights of individuals and potential sanctions for breaches of such legislation.
Legislation Continuing to Evolve
Initial legislative efforts focused on the rights of individuals to know what information is being stored by an organisation and to gain access to it, but…
Little or no right to know when such information has been tampered with or leaked illegitimately to a third party as a result of a security or administrative breach.
The US has led the way in implementing breach notification laws, mandating that organisations inform those individuals potentially affected by such a breach (notification laws now in place in 40 states and counting).
Following recent well-publicised security breach events, pressure is being put on legislators in other jurisdictions to follow suit.
Canadian Privacy Law: The Framework
Public Sector
Privacy Acts (federal & provincial)
Criminal Code
Charter of Rights
Common Law
Collective Agreements
Private Sector
PIPEDA
Quebec Legislation
BC, Alta, Ontario Health Privacy Act
Sector specific rules/regs
Criminal Code
Common law
Collective Agreements
The Exposures
Negligent or intentional disclosure of personal information: mistakes, rogue employee
Cyber attacks: hackers, extortion, sabotage
Fraud & other criminal offences: new offences proposed November 2007
Network & website disruptions due to glitches or malicious code
The Exposures continued
Electronic theft/loss of proprietary competitive business data
Conflicting laws
New exposures?
Exposures
Ponemon Institute – Primary Source of Breach 2007
Lost Laptop/Device: 48%
3rd Party/Outsourcer: 16%
Paper Records: 9%
Malicious Insider: 9%
Electronic Backup: 7%
Hacked System: 5%
Malicious Code: 4%
Undisclosed: 2%
The Aftermath: Losses associated with a breach
Third Party Liability
– Compensation to clients or employees
– Class actions
– Third party subrogation costs
– Contingent business interruption: downstream loss
– Contractual obligations
Losses continued
Regulatory/law enforcement
– Complaint to Privacy Commissioner/Federal Court
– Recommendations/orders to change practices, damages (including humiliation, with no cap), fines/penalties (PIPEDA: $100k)
– Audit by Commissioner
Criminal Code sanctions
Defence Costs for all of above
Losses continued
Direct Damages to Insured
– Decline in revenue
– Restoration/reconstruction costs
Response Plan
– Notification costs
– Law enforcement authorities
– Auditors
– Changes to internal processes
Mitigation/Crisis management costs
– Credit monitoring
– Call centre & website
– PR
The Reality: Survey results
FusePoint Data Confidence Survey 2007:
– 62% of executives felt a security breach would impact their brand
– Only 37% have confidence their data is protected against attacks
– 20% of companies do not use anti-virus software, 25% do not have a firewall
Symantec Corp. survey 2007:
– 91% of IT organizations carry out “full scenario” testing of disaster recovery plans. Nearly 50% failed.
– 23% of city dwellers have themselves, or know someone who has, fallen victim to fraud or identity theft
IDC Canada Survey 2007:
– There is an “irrationally” high level of confidence among Canadian firms regarding their security measures
Current Events: A Sample of Incidents Worldwide…
USA
– TJX: intruder gained access to 47 million customers’ info. Settlements with banks ~$65M
– Harvard: hacker attacks server, accessing up to 10,000 student accounts and posting some of the info on the web
– Hannaford Bros grocery: over 4 million credit and debit card numbers stolen during the authorization process, leading to 1,800 cases of fraud
UK
– Inland Revenue lost unencrypted discs containing sensitive information of 25 million British citizens.
– Nationwide Building Society: theft of laptop containing unencrypted details of 11 million savers. Led to notification letters being sent to all 11 million individuals potentially affected and a £980,000 fine being levied by the FSA for inadequate systems and controls to address information security risk.
…and in Canada
TJX/Winners:
– In Canada alone, thousands of cases of fraud reported on stolen cards. Lawsuits follow from banks, shareholders (pension funds), class action by customers, regulatory probes in the US and Canada.
CIBC: Jan. 07
– Loss of computer file in transit between offices with data on 470,000 customers. Regulatory investigation follows.
Club Monaco: Jan. 07
– Sought help from police and forensic experts to investigate privacy breach of credit card processor
Canada Post: Dec. 07
– Security breach: login records of scores of small businesses using shipping website available
continued…
Passport Canada: Dec. 07
– Security flaw allows access to passport applicants’ personal information
Air Canada: Nov. 07
– AC flights in the GTA grounded for hours after computer “glitch” between reservation system and airport locale
Canadian Bar Association:
– Unauthorized access to online orders and credit card information
Bell Canada: Feb. 08
– 3.3 million customers have their personal information stolen. Suspect arrested in Montreal, following which public disclosure made.
The Insurance Response
Evolution of Privacy Liability:
Cyber Insurance
Multimedia insurance
Network liability
Privacy
Disaster recovery analysis
Coverage under “traditional” policies
A hodge-podge of policies may historically respond, including:
– Errors & Omissions, General Liability, Data, Property, Media, Crime/Fraud, Directors & Officers, Cyber
Traditional policy response is dependent on cause, impact and claimant: not all-encompassing
In general limited to the Personal Injury aspect of privacy losses, usually covered under General Liability or Professional Liability policies
Even more specific Cyber Liability policies do not address the unique liabilities presented by the changing legislative environment.
As awareness grows of potential privacy-related liabilities, it is more likely that exclusionary language will be added to traditional policies.
Privacy Liability Coverage
Privacy breach
Crisis Management and Notification Expenses
Network Security breach
Underwriting
Privacy Statement
Application
Audit
Meetings
Questions?