WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY
RIMS Rocky Mountain Chapter Meeting
Thursday, July 25, 2013, 11:30 am – 12:30 pm
Dec 27, 2015
2 1016250v1©2013 Anderson Kill & Olick, P.C.
All Rights Reserved.
Presenter:
Joshua Gold, Esq., (212) 278-1886
Disclaimer
The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.
WHO IS VULNERABLE?
EVERYONE!
WHO IS VULNERABLE?
2012 Data Breaches [1]
• Business – 36.9%
• Medical/Healthcare – 34.6%
• Educational – 13.6%
• Government/Military – 11.2%
• Banking/Credit/Financial – 3.8%
[1] Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr
WHAT IS THE EXPOSURE?
• Government/Military – 7.7 million records (44.4%)
• Business – 4.6 million (26.7%)
• Education – 2.3 million (13.3%)
• Medical/Healthcare – 2.2 million (12.9%)
• Banking/Credit/Financial – 470k (2.7%) [2]
[2] Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr
WHAT ARE THE CAUSES?
• Negligence – 39%
• Malicious or Criminal Attack – 37%
• System Error – 24% [3]
[3] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.
WHAT IS THE COST?
• Information Loss – 44%
• Business Disruption – 30%
• Revenue Loss – 19%
• Equipment Damages – 5%
• Other Miscellaneous Costs – 2% [4]
[4] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.
WHAT’S THE REAL COST?
Average Resolution Time: 24 days
Average Cost: $5.5 Million [5]
[5] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.
THIRD-PARTY DATA MANAGEMENT & RISKS.
• Cloud is the Trend
• Cost Savings
• Data Security Risks
• Lack of Control
• Can delegate the data management but not the responsibility
• What are the risks? E.g., the Amazon/Sony breach
BEST PRACTICES.
• SEC Guidance
• FFIEC Guidance
• Due Diligence on Vendors
• Negotiate Strong Terms in Vendor/Cloud Contracts
• Risk Transfer: Indemnity/Insurance
• Security Assessment of Vendor: Tricky in a Multi-Tenant Cloud Platform
• Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders
RISK MANAGEMENT.
• Notice of Incident (even if your data is not disclosed)
• Cooperation with regulation authorities and law enforcement
• Periodic audit rights
• Notification costs responsibility
• Costs of computer forensic experts
• Use of sub-contractors
• Cloud Services Termination: How does hosted data get disposed of? / Who pays?
• Representations and Warranties about firm protecting data
SECURITY & INSURANCE.
• Encryption
– Automatic red flag for AGs/FTC if data disclosed and not encrypted
• Contractual Indemnity/Hold Harmless
• Mandate insurance purchase by vendor
• Require additional insured status
DEALING WITH A SECURITY BREACH.
• Data Breach Team and Plan needs to be in place
• Compliance with State Notice
• Make sure your insurance provides cover where cloud used
• Notice all potentially applicable insurance
POLICIES COVERING LOSS.
• Take Inventory of Policies
• GL, D&O, E&O, Crime, All Risk Property, Cyber Policies
• 1st Party, 3rd Party, Hybrid Coverage Issues
COVERAGE UNDER CGL?
• IP Exposure
• Data Loss
• Business Interruption
• Third Party Losses
• Privacy
CYBER POLICIES!
WHEN CGL IS NOT ENOUGH.
CURRENTLY AVAILABLE CYBER INSURANCE.
• Privacy Injury Liability
• Privacy Regulatory Proceedings and PCI Fines
• Network and Content Liability
• Crisis Management Fund
• Network Loss or Damage
• Business Interruption
• Electronic Theft
• Network Extortion
RISK MANAGEMENT CONSIDERATIONS
• Virus Coverage or Exclusions
• Virus Defined in a Manner that Might Affect Hacker Coverage
• “Confidential” Information vs. Trade Secrets vs. Customer Information
• Coverage for Regulatory Matters (e.g., FTC)
RISK MANAGEMENT CONSIDERATIONS
• Data Security Efforts and Policyholder Protective Measures
• Coverage for Network Computers Only?
• What about Laptops?
• Insured Property / Locations / Premises
• Where are Servers / Computers Housed?
TIME SENSITIVE PROVISIONS.
• Fear of Reporting Claims?
• Timely Notice
• Proofs of Loss
• Suit Limitation Clauses
LITIGATION ISSUES.
• Not a Ton of Precedent
• What Exists is Not Uniform
• Careful What Gets Disclosed During Discovery:
– E.g., Sensitive Data, Customer Information, Network Security Blueprints
ONE LAST THOUGHT.
Side note for clients at risk due to a reduction in coverage:
• Duty of Insurer to advise of reduction in coverage at renewal
• Duty of Broker to inform client of reduction in coverage
QUESTIONS?
Thank You
Joshua Gold, Esq., (212) 278-1886