CYBER LIABILITY FACTS AND PREVENTION

Cyber Facts and Prevention Presentation Gianino

Feb 17, 2017

Transcript
Page 1: Cyber Facts and Prevention Presentation Gianino

CYBER LIABILITY FACTS AND PREVENTION

Page 2

WHAT GOES THROUGH YOUR MIND?

Page 3

What is Cyber Liability?

“Liability for loss of customer or employee data is not typically covered under a corporate insurance policy. Some existing business insurance policies that offer general liability and directors and officers liability may provide a measure of coverage for those areas; however, most CEOs discover significant gaps in what is and what isn’t covered after an attack. Unfortunately, by then it’s too late.” (Forbes, 10/18/2012)

Examples: transactions for many goods and services are conducted online, including money transfers, bill/invoice payments, and even payments for services such as insurance coverage.

Page 4

CYBER BREACHES 2013

• Target – Target says 40 million credit and debit cards were possibly breached, through remote access to two websites used by employees and suppliers.

• LivingSocial – Daily-deal website LivingSocial confirmed that its computer systems were hacked, resulting in “unauthorized access.” The company updated its password encryption method after the breach impacted more than 50 million users. Names, email addresses, dates of birth, and salted passwords were stolen.

• Washington state Administrative Office of the Courts – After the public website of the Washington state Administrative Office of the Courts was hacked, sensitive data of individuals whose cases were making their way through the state court system was compromised. Names, Social Security numbers, and driver’s license numbers were accessed.

• Evernote – The popular note-taking software service Evernote had to reset the passwords of all of its 50 million users following a network breach. The company did not find any indication that content or payment information was stolen. Usernames, email addresses, and encrypted passwords of users were accessed.

• Drupal.org – The servers of the open source content management platform were hacked, and the sensitive information of close to one million accounts was stolen. As a safety measure, the company reset all passwords. Usernames, email addresses, country information, and hashed passwords were all exposed.

• Federal Reserve internal site – The Fed admitted that hacking collective Anonymous breached one of its internal websites, accessing the personal data of 4,000 bank executives. Mailing addresses, phone numbers, business emails and fax numbers were accessed and published by the hackers online.

Page 5

Categories of Losses

• “In 2010, the U.S. Secret Service and Verizon Communication Inc.’s forensic analysis unit, which investigates cyber attacks, reported 761 data breach cases, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa also estimates that about 95% of the credit-card data breaches it discovers are on its smallest business customers.” [1]

» Negligence
» Breach of warranty
» Failure to protect data
» Failure to disclose defects in products or services regarding capabilities of protecting data
» Unreasonable delay in remedying suspension of service or loss of data
» Violations of various applicable state/federal laws
» False advertising
» Unfair or deceptive trade practices

• Consumer claims are typically filed as class action lawsuits, but tend to have limited success given the difficulty of proving injury in the absence of actual identity theft. However, new legal theories continue to evolve, and so may the outcome of such claims. While it is uncertain whether consumers may successfully prove damages, it is certain that the breached company will face significant costs in hiring legal counsel to defend itself.

Page 6

Federal & State Cyber Liability Requirements

• S.B. 46, “Adds Notification Requirements for Breaches of an Individual’s User Name or Email Address in Combination with a Password or Security Question and Answer that Permit Access to an Online Account,” expands the coverage of California’s existing breach law to include breaches of individuals’ online user names and email addresses, when acquired in combination with passwords or a security question and answer that would permit access to their online accounts. The bill passed the California legislature unanimously, by a final vote of 38-0 in the Senate on September 4, 2013, following final passage of an amended bill by the Assembly (77-0) on September 3, 2013. Governor Brown signed the bill on September 27, 2013.

• Provisions of the Existing and Amended California Breach Notification Law

» The new law amends the existing California data breach notification law, California Civil Code Section 1798.82, which has been in effect in California since July 1, 2003. That law already requires businesses and governmental agencies to notify consumers when a security breach occurs involving “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver’s license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (4) Medical information. (5) Health insurance information.” Cal. Civ. Code Section 1798.82(h).

Page 7

Products Available for Cyber Liability

• Forensic Examination – The cost of obtaining a third party forensics firm is covered under most network risk policies.

• Notification of Affected Third-parties – Covered by most network risk insurance policies.

• Call Centers – Typically covered under a network risk policy.

• Credit/Identity Monitoring – Identity Monitoring and Identity Restoration are covered by a limited number of policies in the market.

• Public Relations – The direct cost of obtaining a PR firm is covered under most network risk policies.

• Coverage for Legal Defense Costs and Indemnity Payments to Third Parties – Available under Cyber Risk policies.

• Fines and Penalties from Regulatory Proceedings and PCI DSS Violations – Coverage for general fines and penalties is available from some markets; however, insurability varies depending on jurisdiction and circumstances. Defense of a regulatory investigation/proceeding is typically covered under most policies.

• Comprehensive Written Information Security Program – Typically not covered by cyber policies.

Page 8

Costs

• Premiums start at $1,500 and up.

• The average cost for legal defense was $500,000, while the average legal settlement was $1 million. (Zurich study)