WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, 2013 11:30 am – 12:30 pm.

WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT

DATA SECURITY

RIMS Rocky Mountain Chapter MeetingThursday, July 25, 2013

11:30 am – 12:30 pm

2 1016250v1©2013 Anderson Kill & Olick, P.C.

All Rights Reserved.

Presenter:

Joshua Gold, Esq.(212) 278-1886

[email protected]



Disclaimer

The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.



WHO IS VULNERABLE?

EVERYONE!



WHO IS VULNERABLE?

2012 Data Breaches.1

•Business – 36.9%

•Medical/Healthcare– 34.6%

•Educational – 13.6%

•Government/Military– 11.2%

•Banking/Credit/Financial – 3.8%

____________1Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr



WHAT IS THE EXPOSURE?• Government/Military – 7.7 million

records (44.4%)• Business – 4.6 million (26.7%)• Education – 2.3 million (13.3%)• Medical/Healthcare – 2.2 million

(12.9%)• Banking/Credit/Financial – 470k

(2.7%)2

________________2Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr



• Negligence – 39%

• Malicious or Criminal Attack – 37%

• System Error – 24%3

________________32011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.

WHAT ARE THE CAUSES?



• Information Loss – 44%• Business Disruption – 30%• Revenue Loss – 19%• Equipment Damages – 5%• Other Miscellaneous Costs

– 2%4

________________42011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012

WHAT IS THE COST?



Average Resolution Time:24 days

Average Cost: $5.5 Million5

________________52011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012

WHAT’S THE REAL COST?



THIRD-PARTY DATAMANAGEMENT & RISKS.

• Cloud is the Trend

• Cost Savings

• Data Security Risks

• Lack of Control

• Can delegate the data management but not the responsibility

• What are the risks; Amazon/Sony Breach



BEST PRACTICES.

• SEC Guidance• FFIEC Guidance• Due Diligence on Vendors• Negotiate Strong Terms in Vendor/Cloud Contracts• Risk Transfer Indemnity/Insurance• Security Assessment of Vendor: Tricky in a Multi-

Tenant Cloud Platform• Make Sure There is Adequate Notice/Disclosure of

Use of Cloud to Stakeholders



RISK MANAGEMENT.• Notice of Incident (even if your data is not disclosed)

• Cooperation with regulation authorities and law enforcement

• Periodic audit rights

• Notification costs responsibility

• Costs of computer forensic experts

• Use of sub-contractors

• Cloud Services Termination: How does hosted data get disposed of? / Who pays?

• Representations and Warranties about firm protecting data



SECURITY & INSURANCE.

• Encryption

– Automatic red flag for AGs/FTC if data disclosed and not encrypted

• Contractual Indemnity/Hold Harmless

• Mandate insurance purchase by vendor

• Require additional insured status



DEALING WITH ASECURITY BREACH.

• Data Breach Team and Plan needs to be in place

• Compliance with State Notice

• Make sure your insurance provides cover where cloud used

• Notice all potentially applicable insurance



POLICIES COVERING LOSS.

• Take Inventory of Policies

• GL, D&O, E&O, Crime, All Risk Property, Cyber Policies

• 1st Party, 3rd Party, Hybrid Coverage Issues



• IP Exposure

• Data Loss

• Business Interruption

• Third Party Losses

• Privacy

COVERAGE UNDER CGL?



CYBER POLICIES!

WHEN CGL IS NOT ENOUGH.



CURRENTLY AVAILABLE CYBER INSURANCE.

• Privacy Injury Liability• Privacy Regulatory Proceedings and PCI

Fines• Network and Content Liability• Crisis Management Fund• Network Loss or Damage• Business Interruption• Electronic Theft• Network Extortion



• Virus Coverage or Exclusions• Virus Defined in a Manner that Might Affect

Hacker Coverage• “Confidential” Information vs. Trade Secrets vs.

Customer Information• Coverage for Regulatory Matters

(e.g., FTC)

RISK MANAGEMENT CONSIDERATIONS



RISK MANAGEMENT CONSIDERATIONS

• Data Security Efforts and Policyholder Protective Measures

• Coverage for Network Computers Only?

• What about Laptops?

• Insured Property / Locations / Premises

• Where are Servers / Computers Housed?



TIME SENSITIVE PROVISIONS.

• Fear of Reporting Claims?

• Timely Notice

• Proofs of Loss

• Suit Limitation Clauses



LITIGATION ISSUES.

• Not a Ton of Precedent

• What Exists is Not Uniform

• Careful What Gets Disclosed During Discovery:

– E.g., Sensitive Data, Customer Information, Network Security Blueprints



ONE LAST THOUGHT.

Side note for clients at risk due to a reduction in coverage:

•Duty of Insurer to advise of reduction in coverage at renewal

•Duty of Broker to inform client of reduction in coverage



QUESTIONS?



Thank You

Joshua Gold, Esq.(212) 278-1886

[email protected]

WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, 2013 11:30 am – 12:30 pm.

Documents

pdr slide

stakeholders slide

pm slide

cost of data breach

risks amazonsony breach

data breaches

breach report

real cost