PRIVACY RISK MANAGEMENT AND INSURANCE Or September 2012

Dec 17, 2015

David Sparks
Page 1: PRIVACY RISK MANAGEMENT AND INSURANCE Or September 2012.

PRIVACY RISK MANAGEMENT AND INSURANCE

Or

September 2012

Page 2

“CYBER” INSURANCE TIMELINE

(Timeline figure; axis years: 1996, 1998, 2000, 2002, 2004, 2006, 2008, 2010. Recoverable labels by track:)

Insurance History: Cyber Insurance Introduced; Broad Privacy Ins.; Notice Costs Covered; Vendor Coverage; PCI Fines & Penalties; Reg. Fines & Penalties; Corp Confidential Info

Regulatory/Industry History: HIPAA; GLB; SB1386; PCI; HITECH

Claims/Losses History: TJX; Heartland; Card Systems

Page 3

NETWORK SECURITY / DATA RISK

What Data do you collect?

- Personally Identifiable Info. (PII)

- Protected Health Info. (PHI)

- Credit Card Numbers

Where is it?

How well is it protected?

How long do you keep it?

What is a Breach?

- Unauthorized disclosure

- Unauthorized acquisition

- Data compromised

Page 4

WHAT IS DIFFERENT TODAY?

Familiar mediums
- SQL injections; man-in-the-middle; spear phishing; malware & spyware; denial of service attacks; web site defacing

New culprits
- Loosely formed groups of people who are very good at hacking and work together to do so (e.g., Anonymous, Lulzsec)
- State actors (China, Iran)

New information targeted
- Corporate data and trade secrets; inside information; embarrassing information; corporate weaknesses

New victims
- Data Security consultants
- Utilities / infrastructure
- Government contractors

New motives
- Political, ideological, personal, war/terrorism, revenge
- “Hacktivism”

Page 5

CAUSE OF A DATA BREACH

(Chart: causes of a data breach. © Kroll 2010)

Page 6

ORGANIZATIONAL PRIVACY RISKS

Customer/Personal Data
- Credit card
- Medical
- SSNs/Gov’t IDs
- Student transcripts
- HR/Payroll
- Loyalty programs
- Motor vehicle
- Insurance claims
- Financial transactions
- Financial records
- Contracts

Corporate Data
- Customer lists
- Price lists
- Bid data
- Confidential 3rd party information (NDA)
- eDiscovery / litigation
- Merger/Acquisition targets / plans
- Financial records
- Marketing / advertising plans
- Contracts
- New product development plans / release dates
- Security policy and assessments
- Network architecture
- Emergency response / Disaster recovery plans
- Restructuring / RIF plans
- Reporters’ notes
- Reporter confidential sources
- Scripts and other content in draft or development
- Critical Infrastructure Assurance data
- Patent applications

Page 7

WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII)?

Generally defined as including any combination of the following:

Name; address; telephone number; electronic mail address; fingerprints; photographs or computerized images; a password; an official state or government-issued driver's license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; date of birth; medical information; financial information; tax information; and disability information.

Page 8

COST OF A DATA BREACH

DIRECT COSTS
- Notification
- Call Center
- Identity Monitoring (credit/non-credit)
- Identity Restoration
- Discovery / Data Forensics
- Loss of Employee Productivity

INDIRECT COSTS
- Restitution
- Additional Security and Audit Requirements
- Lawsuits
- Regulatory Fines
- Loss of Consumer Confidence
- Loss of Funding

Cost per record: $214 (2010) (up $10 from 2009)

(Chart values: $73.00 and $141.00)

© Ponemon Institute 2011

Page 9

NOTIFICATION LAWS

It all started in California… California led the way (Civil Code Section 1798.81.5(b)):

“A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure”

46 Other States Have Data Security Laws:
- Most mandate “reasonable” data security measures and proper data disposal
- Others are more specific:
  - Connecticut, Michigan, New Mexico, Texas (SSN policies)
  - Nevada (encryption for external electronic communications)
  - Minnesota (Minn. Stat. 365E.64 - card magnetic stripe data)
  - Massachusetts Regulations

Page 10

PRIVACY RISK MANAGEMENT

Ask your Privacy/IT professionals:
- Incident Response Plan (tested?)
- Vendor Contracts / Insurance Requirements
- Privacy Risk Assessment (sources, vulnerabilities, processes, perils)
- Check Existing Insurance: Gap Analysis (GL, Prop, E&O, Crime, K&R)

New coverage terms must integrate:
- With Response Plans
- With Traditional Policies

Page 11

VENDOR CONTRACTUAL REQUIREMENTS

IT/Software Companies
- Request Tech E&O, plus Privacy/Network Coverage
- Some Tech E&O policies have security/privacy exclusions
- Breach could occur without “wrongful act” being committed

Business Services – Payroll, Auditors, Counsel
- Request appropriate E&O coverage
- Request Privacy/Network coverage

Credit Card Processors/Acquiring Banks
- Request Privacy/Network Coverage (gaps in Bond or Professional Liability coverage)

Other Vendors that transport, touch, or interact with your systems or sensitive information
- Request Privacy/Network coverage

Page 12

TRADITIONAL INSURANCE GAPS

- Theft or disclosure of third party information (GL)
- Security and privacy – “Intentional Act” exclusions (GL)
- Data is not “tangible property” (GL, Prop, Crime)
- Bodily Injury & Property Damage triggers (GL)
- Value of data if corrupted, destroyed, or disclosed (Prop, GL)
- Contingent risks (from external hosting, etc.)
- Commercial Crime policies require intent, and only cover money, securities and tangible property.
- Territorial restrictions
- Sublimit or long waiting period applicable to any virus coverage available (Prop)

Page 13

PRIVACY & NETWORK COVERAGES

Liability Coverage
• Privacy Liability
• Network Security Liability
• Media, IP and Content Liability
• Technology Services Liability (if required)

Direct (Loss Mitigation) Coverage
• Data Breach Expenses: public relations expenses, consumer notification and credit monitoring service costs (sub-limit)
• Forensics/Investigations

Direct (First Party) Coverage
• Revenue Loss
• Data Reconstruction
• Extortion Costs

Page 14

BEST PRACTICES

- Maintain a Risk Transfer Instrument
- Have a proper Background Screening Program for new hires and vendors.
- Pre-arrange a Breach Service Provider, Outside Counsel and Reputational Risk Advisor, all specializing in Privacy Law and Breach Crisis Management
- Provide “Certification” through e-Learning to the employee base on safeguarding data (#1 preventative initiative being adopted by CISOs and CPOs in 2010, as per Ponemon 2011 Study)
- Develop an Incident Response Plan (required on several federal and state fronts – HITECH, MA201, et al.): Internal Staff, Outside Counsel, Reputational Risk Advisor, Breach Service Provider
- Conduct annual Risk Assessments and Tabletop Exercises.
- Hold an internal “Privacy Summit” to identify vulnerabilities: Risk, Compliance and Privacy, HR, Legal, IT, C-level representation (CFO), Physical Security / Facilities – “Technology, Processes and People.”
- Keep General Counsel’s office current on state disclosure laws, federal regulations, foreign requirements and updates

Page 15

MANAGING A DATA BREACH

What information was involved?

- Personally Identifiable Info. (PII)

- Protected Health Info. (PHI)

- Credit Card Numbers

Was the information computerized/ what type of media?

Was the information encrypted?

Is there a “reasonable” belief that personal information was accessed or acquired by an unauthorized person?

Page 16

POSSIBLE STAKEHOLDERS

Affected individuals

Board of Directors/ Senior Management

Law Enforcement

State and Federal Regulators

Financial Markets

Payment Card Issuers

Employees

Shareholders

Auditors

The General Public

Page 17

CONSEQUENCES OF A DATA BREACH

- Forensic Investigations
- Notification: $1/individual
- Credit monitoring costs: $15-$50+ per individual
- Call Centers, Fraud Alerts, Database Scanning, Restoration Services
- Civil penalties and fines
- Class Action suits
- Legal defense costs: civil, regulatory and possibly criminal defense
- Data Privacy counsel can cost $700 per hour. A major data breach will cost millions in legal costs
- Business Interruption Costs/Data Damage?

Page 18

FOR MORE INFORMATION

Contact:

Karl Pedersen

FINEX North America

Privacy, Network Security, Media & Intellectual Property National Team

(213) 550 9806

[email protected]