PRIVACY RISK MANAGEMENT AND INSURANCE
Or
September 2012
“CYBER” INSURANCE TIMELINE
[Timeline figure, 1996 to 2010, with year marks at 1996, 1998, 2000, 2002, 2004, 2006, 2008 and 2010 and three parallel tracks]
Insurance History: Cyber Insurance Introduced; Broad Privacy Ins.; Notice Costs Covered; Vendor Coverage; Reg. Fines & Penalties; PCI Fines & Penalties; Corp Confidential Info
Regulatory/Industry History: HIPAA; GLB; SB1386; PCI; HITECH
Claims/Losses History: TJX; Heartland Card Systems
NETWORK SECURITY / DATA RISK
What Data do you collect?
- Personally Identifiable Info. (PII)
- Protected Health Info. (PHI)
- Credit Card Numbers
Where is it?
How well is it protected?
How long do you keep it?
What is a Breach?
- Unauthorized disclosure
- Unauthorized acquisition
- Data compromised
WHAT IS DIFFERENT TODAY?
Familiar mediums
- SQL injections; man-in-the-middle; spear phishing; malware & spyware; denial of service attacks; web site defacing
New culprits
- Loosely formed groups of people who are very good at hacking and work together to do so (e.g., Anonymous, Lulzsec)
- State actors (China, Iran)
New information targeted
- Corporate data and trade secrets; inside information; embarrassing information; corporate weaknesses
New victims
- Data Security consultants
- Utilities / infrastructure
- Government contractors
New motives
- Political, ideological, personal, war/terrorism, revenge
- “Hacktivism”
CAUSE OF A DATA BREACH
© Kroll 2010
ORGANIZATIONAL PRIVACY RISKS
Customer/Personal Data
- Credit card
- Medical
- SSNs/Gov’t IDs
- Student transcripts
- HR/Payroll
- Loyalty programs
- Motor vehicle
- Insurance claims
- Financial transactions
- Financial records
- Contracts
Corporate Data
- Customer lists
- Price lists
- Bid data
- Confidential 3rd party information (NDA)
- eDiscovery / litigation
- Merger/Acquisition targets / plans
- Financial records
- Marketing / advertising plans
- Contracts
- New product development plans / release dates
- Security policy and assessments
- Network architecture
- Emergency response / Disaster recovery plans
- Restructuring / RIF plans
- Reporters’ notes
- Reporter confidential sources
- Scripts and other content in draft or development
- Critical Infrastructure Assurance data
- Patent applications
WHAT IS PERSONAL IDENTIFIABLE INFORMATION (PII)?
Generally defined as including any combination of the following:
Name; address; telephone number; electronic mail address; fingerprints; photographs or computerized images; a password; an official state or government-issued driver's license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; date of birth; medical information; financial information; tax information; and disability information.
COST OF A DATA BREACH
DIRECT COSTS
- Notification
- Call Center
- Identity Monitoring (credit/non-credit)
- Identity Restoration
- Discovery / Data Forensics
- Loss of Employee Productivity
INDIRECT COSTS
- Restitution
- Additional Security and Audit Requirements
- Lawsuits
- Regulatory Fines
- Loss of Consumer Confidence
- Loss of Funding
[Chart: per-record cost split into $73.00 direct and $141.00 indirect]
Cost per record: $214 (2010) (up $10 from 2009)
© Ponemon Institute 2011
NOTIFICATION LAWS
It all started in California…
California led the way (Civil Code Section 1798.81.5(b)): “A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure”
46 Other States Have Data Security Laws:
- Most mandate “reasonable” data security measures and proper data disposal
- Others are more specific:
  - Connecticut, Michigan, New Mexico, Texas (SSN policies)
  - Nevada (encryption for external electronic communications)
  - Minnesota (Minn. Stat. 365E.64 - card magnetic stripe data)
  - Massachusetts Regulations
PRIVACY RISK MANAGEMENT
Ask your Privacy/IT professionals:
- Incident Response Plan (tested?)
- Vendor Contracts / Insurance Requirements
- Privacy Risk Assessment (sources, vulnerabilities, processes, perils)
- Check Existing Insurance Gap Analysis (GL, Prop, E&O, Crime, K&R)
New coverage terms must integrate:
- With Response Plans
- With Traditional Policies
VENDOR CONTRACTUAL REQUIREMENTS
IT/Software Companies
- Request Tech E&O, plus Privacy/Network Coverage
- Some Tech E&O policies have security/privacy exclusions
- Breach could occur without a “wrongful act” being committed
Business Services – Payroll, Auditors, Counsel
- Request appropriate E&O coverage
- Request Privacy/Network coverage
Credit Card Processors/Acquiring Banks
- Request Privacy/Network Coverage (gaps in Bond or Professional Liability coverage)
Other Vendors that transport, touch, or interact with your systems or sensitive information
- Request Privacy/Network coverage
TRADITIONAL INSURANCE GAPS
- Theft or disclosure of third party information (GL)
- Security and privacy – “Intentional Act” exclusions (GL)
- Data is not “tangible property” (GL, Prop, Crime)
- Bodily Injury & Property Damage triggers (GL)
- Value of data if corrupted, destroyed, or disclosed (Prop, GL)
- Contingent risks (from external hosting, etc.)
- Commercial Crime policies require intent and only cover money, securities and tangible property
- Territorial restrictions
- Sublimit or long waiting period applicable to any virus coverage available (Prop)
PRIVACY & NETWORK COVERAGES
Liability Coverage
- Privacy Liability
- Network Security Liability
- Media, IP and Content Liability
- Technology Services Liability (if required)
Direct (Loss Mitigation) Coverage
- Data Breach Expenses: public relations expenses, consumer notification and credit monitoring service costs (sub-limit)
- Forensics/Investigations
Direct (First Party) Coverage
- Revenue Loss
- Data Reconstruction
- Extortion Costs
BEST PRACTICES
- Maintain a Risk Transfer Instrument
- Have a proper Background Screening Program for new hires and vendors
- Pre-arrange a Breach Service Provider, Outside Counsel and Reputational Risk Advisor, all specializing in Privacy Law and Breach Crisis Management
- Provide “Certification” through e-Learning to the employee base on safeguarding data (the #1 preventative initiative being adopted by CISOs and CPOs in 2010, as per the Ponemon 2011 Study)
- Develop an Incident Response Plan (required on several federal and state fronts – HITECH, MA201, et al.) covering Internal Staff, Outside Counsel, Reputational Risk Advisor and Breach Service Provider
- Conduct annual Risk Assessments and Tabletop Exercises
- Hold an internal “Privacy Summit” to identify vulnerabilities, with Risk, Compliance and Privacy, HR, Legal, IT, C-level representation (CFO) and Physical Security / Facilities – “Technology, Processes and People”
- Keep General Counsel’s office current on state disclosure laws, federal regulations, foreign requirements and updates
MANAGING A DATA BREACH
What information was involved?
- Personally Identifiable Info. (PII)
- Protected Health Info. (PHI)
- Credit Card Numbers
Was the information computerized/ what type of media?
Was the information encrypted?
Is there a “reasonable” belief that personal information was accessed or acquired by an unauthorized person?
POSSIBLE STAKEHOLDERS
Affected individuals
Board of Directors/ Senior Management
Law Enforcement
State and Federal Regulators
Financial Markets
Payment Card Issuers
Employees
Shareholders
Auditors
The General Public
CONSEQUENCES OF A DATA BREACH
- Forensic Investigations
- Notification: $1/individual
- Credit monitoring costs: $15-$50+ per individual
- Call Centers, Fraud Alerts, Database Scanning, Restoration Services
- Civil penalties and fines
- Class Action suits
- Legal defence costs: civil, regulatory and possibly criminal defense. Data Privacy counsel can cost $700 per hour. A major data breach will cost millions in legal costs
- Business Interruption Costs/Data Damage?
FOR MORE INFORMATION
Contact:
Karl Pedersen
FINEX North America
Privacy, Network Security, Media & Intellectual Property National Team
(213) 550 9806