CYBER RISKS LOOMING IN THE TRANSPORTATION INDUSTRY
September 2014
HOUSEKEEPING
• Slide deck will be posted on hni.com
• Q&A at the end, but feel free to ask questions throughout
• Tweet @HNIRisk or use the hashtag #hniu to win some HNI swag!
Thanks to our sponsors!
WHO’S ON THE LINE
MODERATOR: Andrea Tarrell, Director of [email protected]
SUBJECT MATTER EXPERT: Kevin Zinter, Senior Vice President, [email protected]
Outline Summary
• Review of exposures
• Review of Wisconsin and other state laws, and relevant Federal laws
• Explanation of Insuring Agreements
• Brokering Challenges
• Stats
• Underwriting Questions
• Sample Transportation Industry claims / incidents
• Risk Management Services
• Why AmWINS
Cyber/Privacy Exposures facing the Transportation Industry
• Collection of sensitive personal information
• Exchanging information with vendors, providers, outsourced firms, etc.
• Use of network to provide services to others
• Holding confidential business information (your own or third parties’)
• Outsourcing services to third parties, e.g. logistics firms, freight brokers, data processing, billing and collections, etc.
• Disseminating information and media online
Federal Laws
• Consumer notification of potential loss of data is required in 47
states, Puerto Rico, and DC.
• Personally identifiable information (PII) and protected health information (PHI) are currently governed by a patchwork of federal and state laws:
– The Family Educational Rights Privacy Act (FERPA)
– HIPAA
– Children’s Online Privacy Protection Act
– Gramm Leach Bliley Act (GLBA)
– Fair Credit Reporting Act
– Sarbanes-Oxley (SOX)
– Federal Privacy Act
– HITECH Act
– Red Flags Rule
– President Obama’s Cybersecurity Executive Order, among others.
Wisconsin Notification Requirements
Security Breach Definition
When an Entity whose principal place of business is located in WI or an Entity
that maintains or licenses PI in WI knows that PI in the Entity’s possession has
been acquired by a person whom the Entity has not authorized to acquire the
PI, or, in the case of an Entity whose principal place of business is not located
in WI, when it knows that PI pertaining to a resident of WI has been acquired by
a person whom the Entity has not authorized to acquire the PI.
Notification Obligation
Any Entity to which the statute applies shall make reasonable efforts to
notify each subject of the PI.
An Entity is not required to provide notice of the acquisition of PI if the
acquisition of PI does not create a material risk of identity theft or fraud to
the subject of the PI or if the PI was acquired in good faith by an
employee or agent of the Entity, if the PI is used for a lawful purpose of
the Entity.
An Entity shall provide the notice within a reasonable time, not to exceed
45 days after the Entity learns of the acquisition of PI. A determination as
to reasonableness shall include consideration of the number of notices
that an Entity must provide and the methods of communication available
to the Entity.
Penalties
No penalties defined or outlined.
Considerations
• Wisconsin does not require automatic offer of free credit-monitoring to
breached individuals.
• Wisconsin does not require entities to notify the state Attorney General
or any other governmental agencies, but it does require notice to all
consumer reporting agencies and credit bureaus if more than 1,000
residents are to be notified.
• Additional notification obligations apply depending on the state where the consumer (affected individual) is located.
http://www.beazley.com/business_lines/technology_media__business/data_breach_map.aspx
What is the difference between 1st Party Risk and 3rd Party Risk in a Cyber Liability Policy?
1st Party Risks – Direct loss incurred by our insured because of “injury” to electronic data or systems resulting from acts of others:
• Costs of fixing the problem
• Expenses to protect customers (including notification and credit monitoring costs)
• Other expenses to mitigate loss (including PR and publicity costs)
• Theft of data & intangible property
• Loss of future income
• Cyber extortion
3rd Party Risks – Liability for financial losses or costs sustained by others resulting from internet or other electronic activities:
• Defense expenses
• Damages resulting from customer suits and suits from others for personal/content injury, intellectual property claims, professional services, and injury from a security or privacy breach, or Regulatory fines/penalties.
Basic Insuring Agreements Found in Most Forms
1. Privacy/Security Liability
Third party claims alleging failure to protect an individual’s PII, whether through a network & information security failure, unauthorized access & unauthorized use, etc.
2. Notification Costs
The hot-button sublimit and the main premium driver within a Cyber Liability policy.
When private/confidential information is lost, this insuring agreement covers the
cost to notify those individuals/victims that their private information was lost or
stolen. 47/50 states have laws outlining the requirements to notify, usually
described as a short period of time. Credit Monitoring is also often included with the
Notification limit. Some forms will include Credit Repair/Remediation Services – the
actual cost to repair a victim’s credit history if their information was used
fraudulently.
3. Crisis Management & Forensic Expenses
Costs of hiring an outside PR / consulting firm to handle media inquiries, restore
insured’s brand image in the media, assist with the drafting of notification letters to
breached individuals, and provide expert strategies/solutions regarding the exact
claim scenario. Forensic Expenses covers the costs for an outside expert to help
determine the scope of the breach, what was exposed, and possibly eradicate the
intrusion.
4. Regulatory Defense & Penalties
The costs to handle inquiries & investigations, and the possible resulting
fines/penalties levied against the insured by a regulatory or governmental body.
An increasing number of regulations exist related to the protection of confidential
data, and all signs point towards increased enforcement (FTC, State Attorneys General, etc).
5. Extortion/Threat Expenses
Covers expenses incurred when the insured is contacted by an individual threatening to hack or shut down the system, which may include a demand for payment.
6. Business Interruption
Interruptions in business due to breaches of a company’s network (e.g. a denial of service attack).
7. Media/Content
Covers libel, slander, and other forms of disparagement with respect to display of
material, as well as copyright infringement. A well written Media insuring agreement will
also respond to Social Media exposures, such as disparaging statements made via a
company’s official Twitter/Facebook page which may result in a suit brought by a 3rd
party vendor/partner or an offended individual.
8. Hacker Damage
Covers the cost to repair/replace/restore damaged or destroyed data the insured had in
their possession, to the state it was in previously, as a result of a hack/incident.
9. PCI Fines/Penalties
Covers violations of the Payment Card Industry Data Security Standard, as levied
against the insured. Generally brought as a fine or penalty, and cited as a violation of a
PCI Standard as defined under Payment Card Company Rules. PCI governs the safeguarding of sensitive payment card information by merchants.
Brokering Challenges: Why It’s Not Covered Elsewhere
• General Liability covers bodily injury and property damage, not stolen identities.
• Property Insurance does not consider data as property
• E&O policies cover services performed for others for a fee. The primary intent of an E&O policy is to cover a mistake/error/omission in the course of an individual’s professional service. While there is limited invasion of privacy coverage in an E&O form, the intent is only to cover errors in the course of professional services. You won’t get notification expense coverage or credit monitoring services coverage on an E&O policy, which are your primary 1st party sublimits.
• Directors & Officers Coverage does not cover the key 1st party expenses that are
provided on a Cyber form. D&O is primarily for the directors’ & officers’ fiduciary duty
in running the company, and will not extend coverage for 1st party expenses
associated with a breach situation.
• Media Liability policies only cover content for libel, slander and copyright, and don’t fully respond to the interrelated nature of a breach incident that turns into a Media claim.
• Crime Insurance covers employee theft of money, securities and property. A data
record can be stolen, but you may not see a financial loss for many years. In the
absence of the privacy/security policy, there wouldn’t be coverage for the notification
and credit monitoring, which are your primary 1st party sublimits. There can be some
overlap though, at least for financial institutions, and some carriers are now offering a
combo Cyber-Crime policy.
Brokering Challenges: Non-Standard Policy Language
Carriers use different language, and it can be difficult to decipher. Just a few examples from various carriers:
Security – AIG: Security & Privacy Liability; Chubb: Cyber Liability; Travelers: Network and Information Security Liability
Privacy – AIG: Security & Privacy Liability; Chubb: Cyber Liability; Travelers: Network and Information Security Liability
Media/Content – AIG: Media Content Insurance; Chubb: Content Injury and Reputational Injury; Travelers: Communications and Media Liability
Regulatory – AIG: Regulatory Action; Chubb: Regulatory Defense; Travelers: Regulatory Defense
Business Interruption – AIG: Network Interruption; Chubb: E-Business Interruption; Travelers: Business Interruption
Breach Response Costs – AIG: Event Management; Chubb: Privacy Notification Expenses and Crisis Management Expenses; Travelers: Crisis Management Event Expenses and Security Breach Remediation and Notification Expenses
Extortion/Threat – AIG: Cyber/Extortion; Chubb: E-Threat Expenses; Travelers: E-Commerce Extortion
Brokering Challenges: Exclusions to Watch For
• Losses arising out of unencrypted portable devices
• Notice of Claim Timing – are you required to report a claim within a certain number of days of the event/incident?
• Limitation of expenses paid out to within a certain number of days of the event
• Stacking of Retentions
• Failure, interruption, or outage to internet access service provided by the
internet service provider that hosts the insured’s website
• Failure / Requirement to update antivirus and maintain security levels referenced
on the application
• Failure to continuously implement the procedures and risk controls identified in
the application, whether orally or in writing
• Failure to follow in whole or in part, the Minimum Required Practices as listed by
Endorsement
• Failure to meet any service levels, performance standards, or metrics
• Failure to use best efforts to install commercially available software product
updates and releases, or to apply software patches
• Inability to use or inadequate performance of software programs due to the
expiration or withdrawal of technical support by the software vendor, or that are in
development or otherwise not authorized for general commercial release
• Wear and tear, drop in performance, progressive deterioration, or aging of electronic
equipment and other property or computer hardware being used by the insured
• Malfunction or defect of any hardware, component or equipment
• Involving wireless networks that are not under your control, or information
exchanged over unsecured wireless networks
• Does Regulatory coverage include coverage for fines/penalties or just the Defense?
• Does Media coverage cover all forms of Media, or just online Media?
Privacy: Historical Data Breach Info (source: http://datalossdb.org)
• Privacy Incidents by Breach Type – All Time
• Privacy Incidents by Breach Type – 2013
• Privacy Incidents – Inside vs. Outside – 2013
Privacy: Costs of an Incident
$3.5m* Average total cost per reporting company. Of that figure, Defense ($575k) and Settlement ($300k) continue to be a huge portion.
*NetDiligence June 2013 study
$737K Average cost for Crisis Services (forensics, notification, credit monitoring)
$50K The average PCI fine.
$150,000 The average Regulatory fine.
$3.94 Average per-record Notification Cost of a data breach. Per-record notification estimates range from $2-$400, depending on the sample size and claims studied. Other factors include vendors used in the Notification process, and whether defense costs, PR costs, and other expenses are lumped into the per-record estimates.
*NetDiligence June 2013 study
Breaches involving malware or spyware are 4.5x more costly than breaches involving unintended/accidental disclosure**
**Beazley Analysis Findings 2014
Questions to consider:
• Do you hold any personally confidential data of any employees, customers, clients, etc?
If so how many individual records?
• Do you hold any corporate information or trade secrets, for any of your clients?
• Are you aware of the notice requirements in each state if you lose control of that data?
• What steps would you take/who would you call if you lost those private records?
• Do you have a corporate wide privacy policy?
• Do you have a disaster plan specific to data breaches?
• Are your records stored electronically? Paper? Are the records secure? Do you shred?
• Do any employees have access to private client records? Do you allow use of USB
drives on computers with access to private data?
• Are any records ever handled by a third party?
• Are all of your laptops, mobile devices, and wireless connections encrypted?
• Are you confident your antivirus and firewall systems are 100% effective?
• How would your clients respond if you lost their private records? Do your contracts
promise to do the notification if you lose their records – or will they do the notification
process?
• If your network was damaged or disabled by a virus or hacker attack, would it be material
to your revenues/income? Do you have a backup system? How long would it take
you to recover?
Additional Underwriting Questions that go into quoting a risk:
Review of controls & protocols on portable devices:
• How many portable computers are in circulation and what % are encrypted?
• Are users able to store data to the hard drive?
• Is the actual data on the portable device encrypted?
• Is tracking software installed on portable devices?
• Have workstations been configured to prevent the storage of data to USB devices?
• Do you have backup tapes, and if so, are they stored offsite? How are they transported?
• Are the backup tapes encrypted?
• Do you issue company smart phones to employees? Are they encrypted?
• Do employees access confidential information on their smart phones?
• Is all data backed up on a daily basis?
• In the event of a breach, do your contracts put the requirement to do notification on the
vendor who lost your information, or are you doing the notification?
The Biggest Breaches of All Time
• Heartland Payment Systems – 134m records lost
• Target – 110m records lost
• eBay Inc. – 145m records lost
• Adobe – 152m records lost
• TJ Maxx – 94m records lost
• Home Depot – 56m records lost
• Epsilon – 60m records lost
• RSA Security – 40m records lost
• Stuxnet – Attack on Iran’s nuclear power program
• Department of Veterans Affairs – 26.5m records lost
• Sony’s PlayStation – 77m records lost
• ESTsoft – 35m records lost
• Gawker Media – 1.3m records lost
• Google – Chinese govt infiltrated systems & stole intellectual property
• VeriSign – Not disclosed
• CardSystems – 40m records lost
• AOL – 650k records lost
• SC Dept of Revenue – 4m records lost
• WikiLeaks – Ongoing…
• Advocate Medical Group – 4m records lost
Trucking/Transportation Claims Examples
CorporateCarOnline
11/4/13 – Kirkwood, MO.
Hackers stole and stored information online related to customers who
used limousine and other ground transportation. The online information
included plain text archives of credit card numbers, expiration dates,
names, and addresses. Many of the customers were wealthy and used
credit cards that would be attractive to identity thieves.
Records from this breach: 850,000
Source: www.Privacyrights.org
Yusen Logistics
10/25/13 – Secaucus, NJ
An unencrypted laptop was stolen from an employee's vehicle sometime around
September 23. It contained a spreadsheet with payroll deduction information for
former and current Yusen Logistics Americas employees. It contained names,
Social Security numbers, addresses, and payroll benefit deduction amounts from
the period of July 2013 to September 2013.
Records from this breach: unknown
Source: www.Privacyrights.org
US Department of Transportation
8/9/06 – Washington, DC
The DOT's Office of the Inspector General reported a special agent's laptop was stolen on
July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It
contained names, addresses, SSNs, and dates of birth for 80,670 persons issued
commercial drivers licenses in Miami-Dade County, 42,800 persons in FL with FAA pilot
certificates and 9,000 persons with FL driver's licenses. A suspect was arrested in the
same parking lot where the theft occurred, but the laptop has not been recovered.
Investigators found a theft ring operating in the vicinity of the restaurant parking lot.
Records from this breach: 132,470
Source: www.Privacyrights.org
Allied Waste
4/12/08 – Boston, MA.
A strap on a garbage truck snapped and sent reams of intact financial reports over downtown Boston streets.
Records from this breach: unknown.
Source: www.Privacyrights.org
Laboratory Corporation of America
3/27/10 – Burlington, VT.
Thousands of medical documents fell out of a truck bed while in transit. The
scattered documents contained billing information and possibly medical records
from 1993 or later.
Records from this breach: unknown
Source: www.Privacyrights.org
Federal Reserve Bank of Dallas
8/9/05 – Dallas, TX
A truck driver lost thousands of Federal Reserve Bank checks headed to Houston.
It seems that the back door of the truck was not closed when the driver left the
loading area. Paid and canceled checks with Social Security numbers, names,
addresses and signatures were scattered on the highway between Dallas and
Houston. Most of the checks were not recovered.
Records from this breach: unknown
Source: www.Privacyrights.org
Various Taxi Cab Companies in Chicago
3/13/14 – Chicago, IL.
In an unprecedented move, First American Bank made a public announcement regarding
fraudulent activity they were seeing on both credit and debit cards of customers with their
bank specifically related to cab rides in the city of Chicago. The bank is urging both
residents and tourists to avoid paying for their cab rides with either debit or credit cards.
The ongoing breach appears to be related to the card processing systems used by a significant number of taxis in the city of Chicago. The bank has reported the breach to MasterCard. They have also reached out to Banc of America Merchant Services and Bank of America, the payment processors for the affected payment systems within the affected taxi cab companies. First American Bank is urging that Banc of America Merchant Services and Bank of America discontinue payment processing for the taxi companies who have been targeted in this breach. So far, neither entity is commenting on the breach or appears to be halting the processing services.
Records from this breach: 500+
Source: www.Privacyrights.org
Various Trucking firms
October 2008
A group of Russian immigrants used their hacking skills to effectively run a
trucking company that didn't exist. They would hack into a Department of
Transportation website (Safersys.org) that listed licensed trucking firms to change
the contact info (temporarily) on certain firms to their own address and phone
number. Then, they would go to another online site that listed cargo in need of
transportation. They'd pose as the firm whose contact info they'd replaced, get the
deal, and then go find another trucking firm to actually deliver the cargo.
The cargo itself would get delivered, and the scammers would contact the original
cargo owners to get paid. Then, the company that actually delivered the cargo
would contact the company these scammers pretended to be working for, and
discover that it had no clue what they were talking about. This scam was effective
enough to net the scammers over a half-million dollars. The scammers were
eventually arrested.
Source: www.Privacyrights.org
ZombieZero
July 2014
Logistics firms that purchase a handheld scanner used to track shipments as they
are loaded and unloaded from ships, trucks, and airplanes are being warned the
scanners may be infected with malware. The inventory scanners are made in
China, and are allegedly being implanted with the malware purposely by the
manufacturer, in an attempt to steal corporate data as well as the ‘manifests’ – what’s on the particular load and where it is going. This could in turn be used to re-route or steal the inventories/loads.
Source: www.Privacyrights.org
Cyber Summary
Security – Failure of network and information security
Privacy – Failure to protect private or confidential information
Media – Libel, slander, and other forms of disparagement with respect to display of material, or infringement of a copyright / trademark
Regulatory Coverage – Fines/penalties and defense costs incurred during an investigation from a governmental or regulatory agency
First Party Coverages:
• Privacy Notification & Credit Monitoring Expenses
• Crisis Management / PR Expenses
• Forensic Expenses
• Extortion/Threat Expenses
• PCI Fines & Penalties
• Business Interruption
Risk Management is the Key
• eRisk Hub - http://eriskhub.com/
• Beazley – www.nodatabreach.com: Q&A sections, incident examples, white papers on security ‘best practices’, etc. Access to security professionals who only work with Beazley policyholders in answering questions and dealing with incidents.
• Expect the unexpected
• Need expertise and experience immediately
• Know what vendors and partners to call