Murn Meyrick & Jonathan Ashall April 9, 2008 ORIMS Professional Development Day Privacy & Network Security Liability


DESCRIPTION

Murn Meyrick & Jonathan Ashall. ORIMS Professional Development Day: Privacy & Network Security Liability. April 9, 2008. Agenda: privacy legislation & framework; exposures; recent examples; insurance response; underwriting. PowerPoint presentation.

TRANSCRIPT

Page 1: Murn Meyrick & Jonathan Ashall

Murn Meyrick & Jonathan Ashall

April 9, 2008

ORIMS Professional Development Day

Privacy & Network Security Liability

Page 2

Agenda

Privacy legislation & framework

Exposures

Recent Examples

Insurance Response

Underwriting

Page 3

The Path to Privacy Legislation……

The growth and importance of IT systems and technology through the 1980s and 1990s meant that existing legislation had become outdated.

Data was being collected, stored and transmitted in ways not contemplated when the existing legislation was enacted.

It became clear that new legislation was required to keep privacy law relevant to the modern world.

That realisation led to a raft of legislation being enacted the world over, including…

Page 4

Privacy Legislation Around the World

Europe – EU Data Protection Directive (95/46/EC), implemented through national laws at Member State level, including the UK Data Protection Act 1998.

USA – Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability & Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA) and various State acts.

Australia – Commonwealth Privacy Act, amended by Privacy Amendment (Private Sector) Act.

Canada – Privacy Act and Personal Information Protection & Electronic Documents Act (PIPEDA)

Page 5

Common Themes…

All seek to address the collection, storage and use of “personal information” by both Government agencies and the private sector.

All seek to outline appropriate technical and organisational measures to protect such data.

“Personal information” is usually described as any data that can be used to identify a living person, with particular focus on financial and healthcare-related data.

All seek to outline the rights of individuals and the potential sanctions for breaches of the legislation.

Page 6

Legislation Continuing to Evolve

Initial legislative efforts focused on the right of individuals to know what information an organisation holds about them and to gain access to it, but…

Little or no right to know when that information has been tampered with, or leaked illegitimately to a third party, as a result of a security or administrative breach.

The US has led the way in implementing breach notification laws, mandating that organisations inform the individuals potentially affected by such a breach (notification laws are now in place in 40 states and counting).

Following recent, well-publicised security breach events, pressure is being put on legislators in other jurisdictions to follow suit.

Page 7

Canadian Privacy Law: The Framework

Public Sector

Privacy Acts (federal & provincial)

Criminal Code

Charter of Rights

Common Law

Collective Agreements

Private Sector

PIPEDA

Quebec Legislation

BC and Alberta private-sector privacy acts (PIPA); Ontario Personal Health Information Protection Act (PHIPA)

Sector specific rules/regs

Criminal Code

Common law

Collective Agreements

Page 8

The Exposures

Negligent or intentional disclosure of personal information - mistakes, rogue employee

Cyber attacks - hackers, extortion, sabotage

Fraud & other criminal offences - new offences proposed November 2007

Network & website disruptions due to glitches or malicious code

Page 9

The Exposures continued

Electronic theft/loss of proprietary competitive business data

Conflicting laws

New exposures?

Page 10

Exposures

Ponemon Institute - Primary Source of Breach 2007

Lost laptop/device: 48%

3rd party/outsourcer: 16%

Paper records: 9%

Malicious insider: 9%

Electronic backup: 7%

Hacked system: 5%

Malicious code: 4%

Undisclosed: 2%

Page 11

The Aftermath: Losses associated with a breach

Third Party Liability

– Compensation to clients or employees

– Class actions

– Third party subrogation costs

– Contingent business interruption- downstream loss

– Contractual obligations

Page 12

Losses continued

Regulatory/law enforcement

– Complaint to Privacy Commissioner/Federal Court

– Recommendations/orders to change practices, damages (including for humiliation, with no cap), fines/penalties (PIPEDA: up to $100k)

– Audit by commissioner

Criminal Code sanctions

Defence costs for all of the above

Page 13

Losses continued

Direct damages to insured:

– Decline in revenue

– Restoration/reconstruction costs

Response plan:

– Notification costs

– Law enforcement authorities

– Auditors

– Changes to internal processes

Mitigation/crisis management costs:

– Credit monitoring

– Call centre & website

– PR

Page 14

The Reality: Survey results

FusePoint Data Confidence Survey 2007:

– 62% of executives felt a security breach would impact their brand

– Only 37% have confidence their data is protected against attacks

– 20% of companies do not use anti-virus software, 25% do not have a firewall

Symantec Corp. survey 2007:

– 91% of IT organizations carry out “full scenario” testing of disaster recovery plans. Nearly 50% failed.

– 23% of city dwellers have themselves, or know someone who has, fallen victim to fraud or identity theft

IDC Canada Survey 2007:

– there is an “irrationally” high level of confidence among Canadian firms regarding their security measures

Page 15

Current Events: A Sample of Incidents Worldwide…

USA

– TJX: intruder gained access to 47 million customers’ info. Settlements with banks ~$65M

– Harvard: hacker attacks server, accessing up to 10,000 student accounts and posting some of the info on the web

– Hannaford Bros grocery: over 4 million credit and debit card numbers stolen during the authorization process, leading to 1,800 cases of fraud

UK

– HM Revenue & Customs (HMRC, formerly the Inland Revenue) lost unencrypted discs containing sensitive information on 25 million British citizens.

– Nationwide Building Society: theft of a laptop containing unencrypted details of 11 million savers. Led to notification letters being sent to all 11 million individuals potentially affected and a £980,000 fine being levied by the FSA for inadequate systems and controls to address information security risk.

Page 16

…and in Canada

TJX/Winners: in Canada alone, thousands of cases of fraud reported on stolen cards. Lawsuits follow from banks and shareholders (pension funds), a class action by customers, and regulatory probes in the US and Canada.

CIBC: Jan. 07 – loss of a computer file in transit between offices with data on 470,000 customers. Regulatory investigation follows.

Club Monaco: Jan. 07 – sought help from police and forensic experts to investigate a privacy breach at its credit card processor

Canada Post: Dec. 07 – security breach; login records of scores of small businesses using the shipping website exposed

Page 17

continued…

Passport Canada: Dec. 07 – security flaw allows access to passport applicants’ personal information

Air Canada: Nov. 07 – AC flights in the GTA grounded for hours after a computer “glitch” between the reservation system and the airport locale

Canadian Bar Association: unauthorized access to online orders and credit card information

Bell Canada: Feb. 08 – 3.3 million customers have their personal information stolen. Suspect arrested in Montreal, following which public disclosure was made.

Page 18

The Insurance Response

Evolution of Privacy Liability:

Cyber Insurance

Multimedia insurance

Network liability

Privacy

Disaster recovery analysis

Page 19

Coverage under “traditional” policies

A hodgepodge of policies may historically respond, including: Errors & Omissions, General Liability, Data, Property, Media, Crime/Fraud, Directors & Officers, Cyber

Traditional policy response is dependent on cause, impact and claimant - it is not all-encompassing

In general limited to the Personal Injury aspect of privacy losses, usually covered under General Liability or Professional Liability policies

Even the more specific Cyber Liability policies do not address the unique liabilities presented by the changing legislative environment.

As awareness grows of potential privacy-related liabilities, it is more likely that exclusionary language will be added to traditional policies.

Page 20

Privacy Liability Coverage

Privacy breach

Crisis Management and Notification Expenses

Network Security breach

Page 21

Underwriting

Privacy Statement

Application

Audit

Meetings

Page 22

Questions?