Privacy Liability and Network Security May 17, 2011 L. Spencer Timmel, CITRMS PRESENTER Privacy and Network Security Specialist Hylant Executive Risk Eric M. Wright, CPA, CITP PRESENTER Shareholder, Technology Advisory Services Schneider Downs & Co., Inc.


Jan 19, 2016

Page 1

Privacy Liability and Network Security
May 17, 2011

L. Spencer Timmel, CITRMS (Presenter)
Privacy and Network Security Specialist, Hylant Executive Risk Practice

Eric M. Wright, CPA, CITP (Presenter)
Shareholder, Technology Advisory Services, Schneider Downs & Co., Inc.

Page 2

Table of Contents

• Privacy Related Risks – What are we talking about?
• Legal Perspective
• Target Industries
• Privacy Incident Loss Examples
• Unplanned Cash Flows
• Privacy Incident Costs
• Traditional Insurance Policy Gap Analysis
• Mitigating the Risk and Questions for your IT Staff
• Cyber/Privacy Products
• Evaluating Insurance as an Option – What should you expect?

Page 3

PII and PHI

Personally Identifiable Information (PII):

– An individual's name, consisting of the individual's first name or first initial and last name, in combination with…
  • Social Security Number
  • Driver's License Number or State Identification Number
  • Credit Card, Debit Card, or Financial Account Numbers

Protected Health Information (PHI):

– Any information that relates to the past, present, or future physical or mental health or condition of an individual; electronic, paper or oral

Page 4

Legal Perspective

State Privacy Breach Notification Law

– 48 states/territories with legislation, including D.C. and Puerto Rico
– Kentucky and Alabama have introduced bills
– South Dakota and New Mexico have yet to make a move
– Massachusetts: a bit watered down since its initial form, but still requires organizations that do business in the state to inventory personal information and educate employees about safeguards
– Subject to the state in which the affected party resides, not where you are headquartered or where the breach occurred

Health Insurance Portability and Accountability Act (HIPAA): “…maintain a reasonable and appropriate administrative, technical, and physical safeguard to prevent use or disclosure of protected health information.”

Federal Privacy Breach Notification Law: “not yet, but…” Obama’s recent push & Kerry/McCain Privacy Bill of Rights

Page 5

Legal Perspective (cont.)

Gramm-Leach-Bliley Act (GLBA)

– Businesses that are engaged in traditional banking, lending and insurance functions
– Privacy Rule: “…insure the security and confidentiality of customer information: protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer”

“FACT” Act (Red Flags Rule)

– Creditors and Financial Institutions with covered accounts
– Implementation of an Identity Theft Prevention Program that accomplishes the following:
  1. Identify and outline “Red Flags”
  2. Monitor for and detect “Red Flags”
  3. Mitigate when “Red Flags” are detected
  4. Update the Identity Theft Prevention Program periodically

Page 6

Target Industries

• Retail

• Healthcare

• Financial Services

• Colleges, Universities and Municipalities

• Data Processors and Data Storage Companies

Page 7

Privacy Incidents

• Heartland Payment Systems (01/09): 130 million credit card numbers breached

• Sony Corp (4/11): 102 million records, 12 million credit card numbers; dual attack

• Michaels Stores (05/11): 10,000 credit card numbers; pin pad tampering

• Starbucks (11/08): 97,000 social security numbers of employees: lost laptop

• HealthNet (01/11): 1.9 million PHI records; 9 servers missing
  (05/09): 1.5 million PHI records; portable disk drive missing

• BC/BS Tennessee (10/10): 1 million+ PHI records; 57 hard drives stolen

• State University (12/2010): 750,000 PII records: Unauthorized access

• E-mail data management firms (12/10) & (3/11)

Page 8

Unplanned Cash Flows

• State and/or Federally Mandated Notification Costs

• Forensic Investigation, Data Restoration Expenses, Assets Damage

• Brand Preservation:

Voluntary Notification, Credit Monitoring, Public Relations Expense

• Defense and Indemnity Expense from 3rd Party Allegations

• Regulatory Defense Costs

• Regulatory / PCI Fines and Penalties

• Business Income Loss

Page 9

What is a privacy incident going to cost me?

Summary of Ponemon Institute, LLC’s 2010 Annual Study: Cost of a Data Breach:

– Continued trend of increased average cost and per-record cost: $7.2 million (+7%) and $214 (+5%), respectively.
– Direct costs (legal counsel, notification letters, credit monitoring, etc.) increased 22% to $73 per record. The increase is driven by rising legal defense costs.

Cost by industry class (per record):
  Average: $214
  Education: $112
  Retail: $185
  Healthcare: $301
  Financial Institutions: $353

Page 10

What is a privacy incident going to cost me? Ponemon Institute 2010 (cont.)

• Data breaches from malicious attacks are up 7% from 2009, having doubled the year before. The cost per compromised record for these types of breaches has skyrocketed to $318 per record. This increase reinforces the extreme danger hostile breaches pose.

• Class action suits from breach victims have yet to gain traction, as it is difficult to prove damages. (It’s just a matter of time, Sony? RockYou?)

• More organizations favor rapid response than ever before, but it seems to be costing them. Notification within one month of discovery increases the cost per record by $94, totaling $268. Is this tied to overreaction, a business decision to protect the brand, or a response to meet more stringent data breach notification laws?

Page 11

Policy Gap Analysis

General Liability Insurance – Coverage for bodily injury or property damage
- Intentional acts are excluded
- Intangible property is excluded

Property Insurance – Coverage for loss of tangible property caused by a covered peril
- Computer viruses are excluded
- Intangible property is excluded
- Business interruption coverage only applies if there has been a direct physical loss or damage to covered property

Crime Insurance – Coverage for theft of money, securities or other property
- No coverage for theft of information, trade secrets and other types of confidential information

Directors & Officers Liability Insurance – Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in their capacity as such

Page 12

Mitigating the Risk – “a RM Perspective”

There are several ways that Risk Management can help to mitigate the risk of cyber-related losses:

1. Understand the role of IT and their perspective on this area of risk (How do they prevent internal and external breaches, where are the vulnerabilities, what has been the history of breach incidents, what is the process for responding to a breach, involvement of RM in that process, etc.)

2. Evaluation of contracts with outside service providers, specifically 3rd party IT, data storage or data processing vendors

3. Require and obtain certificates of insurance for both Professional E&O and Privacy/Cyber Liability coverage

4. Outside Quiet Audit by a third party IT Security assessment firm

5. Evaluate the need for insurance as a “safety net” to other internal and external safeguards

Page 13

Top Data Breach Prevention and Detection Controls to Ask

1. Sensitive Data Storage
• Do we know what types of sensitive data (if any) we have and how we are storing and transmitting it?
• Have we performed a risk assessment to understand what kind of impact a breach may have on our organization?

2. Access to Sensitive Data
• Have we restricted access to any sensitive data or systems appropriately? (Unique accounts, strong passwords, etc.)

3. Encryption
• Do we have encryption in place regarding:
– transmission of secure data files? (FTP)
– communications that may contain sensitive information? (Email)
– handling of devices that contain sensitive information? (Laptops, Backup Media, etc.)
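The PII definition on page 3 (a first name or first initial plus last name, in combination with an SSN, driver's license number or financial account number) and the first control above (do we know what sensitive data we hold and where?) come together in a data-discovery pass over an export. The following Python is an added example and is not code from the presentation, from Hylant or from Schneider Downs: it scans constructed records, reports which ones contain a qualifying name together with at least one listed element, and groups the affected individuals by state of residence, since page 4 notes that notification follows where the affected party resides. The field names, the regular expressions, the hypothetical driver's-license format and every sample value are assumptions made for this example; a Luhn check is applied so that arbitrary digit runs are not reported as card numbers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Field names that hold a person's name in these constructed records (an assumption).
NAME_FIELDS = {"name", "customer", "employee"}

# "First name or first initial, and last name" per the PII definition on page 3.
# Simplified pattern (assumption): a last name alone does not qualify.
QUALIFYING_NAME_RE = re.compile(r"^(?:[A-Z][a-z]+|[A-Z]\.?)\s+[A-Z][a-z]+(?:[-' ][A-Z][a-z]+)*$")

# Data elements that, combined with a qualifying name, make the record PII (page 3).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits with optional separators
DL_RE = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")         # hypothetical licence format (assumption)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: a digit run that fails it is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_qualifying_name(record: Dict[str, str]) -> bool:
    """True when any name field holds 'first name or initial + last name'."""
    return any(QUALIFYING_NAME_RE.match(str(record.get(f, ""))) for f in NAME_FIELDS)


def classify_record(record: Dict[str, str]) -> List[str]:
    """Sorted list of PII element types found in the record's non-name fields."""
    found = set()
    for key, value in record.items():
        if key in NAME_FIELDS:
            continue
        text = str(value)
        if SSN_RE.search(text):
            found.add("ssn")
        if DL_RE.search(text):
            found.add("drivers_license")
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                found.add("card")
                break
    return sorted(found)


@dataclass
class Finding:
    record_id: str
    state: str
    elements: List[str]


def scan(records: List[Dict[str, str]]) -> List[Finding]:
    """Records holding a qualifying name AND at least one listed element."""
    findings = []
    for rec in records:
        elements = classify_record(rec)
        if elements and has_qualifying_name(rec):
            findings.append(Finding(rec["id"], rec.get("state", "?"), elements))
    return findings


def affected_by_state(findings: List[Finding]) -> Dict[str, int]:
    """Notification follows the affected party's state of residence (page 4), so count per state."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.state] = counts.get(f.state, 0) + 1
    return counts


# Constructed sample export; every value below is made up for the example.
SAMPLE_RECORDS = [
    {"id": "r1", "name": "Jane Smith", "state": "OH", "notes": "SSN 123-45-6789 on file"},
    {"id": "r2", "name": "J. Smith", "state": "PA", "payment": "card 4111 1111 1111 1111"},
    {"id": "r3", "name": "Smith", "state": "OH", "notes": "SSN 123-45-6789"},                 # last name only
    {"id": "r4", "name": "Bob Jones", "state": "PA", "payment": "card 4111 1111 1111 1112"},  # fails Luhn
    {"id": "r5", "name": "Ann Lee", "state": "OH", "notes": "order #48812 shipped"},          # no element
    {"id": "r6", "name": "", "state": "PA", "notes": "licence OH1234567 scanned"},            # no name
    {"id": "r7", "name": "Ann Lee", "state": "OH", "notes": "licence OH7654321 scanned"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_RECORDS)
    for f in results:
        print(f.record_id, f.state, ", ".join(f.elements))
    print(affected_by_state(results))
```

Run against the constructed records, only r1, r2 and r7 are reported: r3 fails the name rule, r4's digit run fails Luhn, r5 has no listed element and r6 has no name. The same scan structure is what the "do we know what sensitive data we have" question is asking for; on a real export the patterns would be tuned to the issuer and state formats actually present.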


Page 14

Top Data Breach Prevention and Detection Controls to Ask

4. Server Patching
• Do we have a patch management solution in place to ensure that all critical patches are installed on our servers in a timely manner?

5. Firewall Protection
• Do we have a firewall in place that has been updated to reflect the most recent best practice settings?

6. Intrusion Detection
• Do we have an appropriate solution in place in order to detect and alert us to suspicious activity that is taking place on our Network?

7. Anti-Virus Protection
• Do we have a central anti-virus solution in place that updates all workstations and servers regularly?


Page 15

Top Data Breach Prevention and Detection Controls to Ask

8. Vulnerability Testing and Internal Control Reviews
• Do we regularly test our Network resources and security in order to evaluate it for any weaknesses?
• Do we evaluate our internal controls for weaknesses?

9. Information Security Policy
• Do we have a policy in place that addresses our approach and our internal requirements regarding Information Security and our expectations of our employees?

10. Incident Response Plan
• Have we identified our responsibilities in the event of a data breach and the steps that we need to take to reduce the damage and maintain forensic evidence of the breach and any data lost?

11. Know whom you’re sharing your data with
• Do we have a strong vendor management policy?


Page 16

Cyber/Privacy Liability Insurance

Cyber/Privacy Liability coverage can provide protection for:

– Privacy Violations – Electronic and Non-Electronic
– Intellectual property infringement
– Security breaches
– Internet, network programming errors and omissions
– Business interruption causing loss of revenue and extra expense
– Destruction, disclosure and theft of electronic data
– Fines and Penalties and Punitive Damages
– Post-Event Crisis Management Expenses
– Regulatory Defense, Fines and Penalties Coverage
– Cyber Extortion

Market Place
– Market Evolution: Lloyd’s vs. Domestic
– Capacity

Page 17

Evaluating Insurance as an Option – What to Expect?

Exposure Analysis and Policy Review:

• Every policy is different and careful analysis of risk will allow the broker to tailor the most appropriate coverage at the most competitive price

• Work with a broker that is a technical specialist on this coverage – many of the policy forms available in the marketplace need to be enhanced in order to obtain the broadest available coverage

Obtaining a proposal:

• A relatively simple process – depends on Industry, Size and Operations
• Application, Financials, conference call with IT Security or CIO

Page 18

Spencer Timmel, CITRMS
Hylant Group

As a member of Hylant Group’s Executive Risk Practice, Spencer serves as the Cyber Security and Privacy Liability specialist. He provides consultative support to clients and oversees the placements of this and other Executive Risk insurance in all industry classes. Prior to joining Hylant, he was an Executive Protection Underwriter for the Chubb Group of Insurance Companies and the Cincinnati Insurance Company.

Bachelor's degree in Business, Finance from Ohio University
Master's in Business Administration from Xavier University

Specialties: Cyber Security and Privacy Liability; Directors and Officers Liability; E&O Liability; Employment Practices Liability; Fiduciary Liability; Crime/Workplace Violence/Kidnap/Ransom & Extortion Coverage

Contact Information: Office (513) 354-1656 Cell: (513) 518-1535 E-mail: [email protected]


Page 19

Eric M. Wright, CPA, CITP
Schneider Downs & Co., Inc.

Eric has been involved with Information Technology with Schneider Downs since 1983. He is responsible for the firm’s IT compliance services. Eric has performed IT audits on a number of systems, including SAP, Oracle, J.D. Edwards and Lawson and has a strong understanding of the application controls that are available in each of these systems. In addition to helping our clients with their SOX initiatives, he has also assisted clients with becoming PCI-DSS compliant, ISO 27001 certified and performed NIST security audits.

Bachelor's Degree in Mathematics and Computer Science from Waynesburg University

Member: Pennsylvania Institute of Certified Public Accountants; Ohio Society of Certified Public Accountants; The American Institute of Certified Public Accountants – M.I.S. and High Tech Division

Contact Information: Office (412) 697-5328 E-mail: [email protected]
