Executive Risk
Monday September 21, 2015 Northern Ohio Association for Financial Professionals 2015 Idea Exchange Seminar
Data Security/Privacy (Cyber) 101
Nicholas J. Milanich, Vice President
Hylant Executive Risk
Phone # (216) 674-2413
hylantexecutiverisk.com
AGENDA
• The Risk
  – Cyber Attacks
  – Recent Data Breach Examples
  – Loss Statistics
  – Legislative Environment
  – Emerging Risks
• The Insurance
  – 3rd Party Coverage
  – 1st Party Coverage
  – Coverage examples
CYBER ATTACKS
• Microsoft X-Box, Sony Playstation (denial of service)
• US State Department (cyber vandalism)
• US Weather Station (satellite system)
• Sony Pictures (corporate information)
• VeriSign (internet security company)
• TD Waterhouse (unauthorized access)
• YouTube (website content)
• Care First of Maryland (website content)
• Authorize.net (denial of service attack)
• Six Apart, Ltd. (denial of service attack)
• Paine Weber (malicious code)
RECENT DATA BREACH EXAMPLES
• Federal Government – Office of Personnel Management
  – Up to 20 million individuals' PII: names, addresses, DOBs, SSNs
  – KeyPoint credentials compromised via zero-day malware (pre-patch)
• Anthem
  – 80 million current and former members' information
  – Unencrypted data; employee password compromised; state-sponsored action
  – Mostly PII: names, addresses, social security #s, medical ID #s, birth dates, salaries, email addresses
  – Self-insured plans may have notice requirements
• Home Depot
  – 56 million credit card numbers
  – Targeted attack at payment terminals
  – Announced estimated costs so far of $62 million
  – $27 million insurance recovery
  – 44 lawsuits consolidated to two: consumer and financial institution
• Target
  – 110 million credit/debit card numbers
  – Malware at POS
  – $236 million direct data breach costs, half for software upgrades
  – $90 million insurance recovery
HISTORICAL LARGE DATA BREACH EXAMPLES
• Heartland Payment Systems
  – 6th largest credit-card payment processor in the country
  – 100 million card transactions each month, 250,000 businesses
  – May to November 2008, spyware installed
  – Unencrypted credit card data: 250 million records
  – Magnetic stripe data & names
  – More than 220 banks affected
• Hannaford Brothers
  – Grocery chain
  – 4.2 million credit/debit card numbers
  – 1,800 cases of identity theft
  – 26 lawsuits
• TJ Maxx
  – 94 million individuals
  – Criminals had access for 17 months
  – 3-year credit monitoring / victim assistance
  – Follow-on D&O and other litigation
  – Total estimated cost over $1.3 billion
CYBER EXTORTION
• Avid Life Media – Ashley Madison (8/15)
  – Credit card info, names, addresses, email addresses; the attackers demanded that the site be taken down and an undisclosed amount of money
• Nokia (7/14)
  – Source code for operating system; "several million euros" demanded
• Domino's (6/14)
  – Customer data in Europe; $40,000 demand
• Express Scripts (2/12)
  – PHI; unknown demand
LOSS STATISTICS - FREQUENCY
Summary from Risk Based Security, Inc. – 2014
Number of Breaches
• 3,014 in 2014, up 33%
• 2,261 in 2013
Number of Records Exposed
• 1.1 billion in 2014, up 34%
• 823 million in 2013
How Records Were Exposed
• Outside (hackers): 76%
• Inside, accidental: 9.5%
• Inside, malicious: 6%
• Inside, unknown: 4.5%
• Unknown: 4%
LOSS STATISTICS – FREQUENCY
Summary from Risk Based Security, Inc. – 2014
[Chart: Breaches by Industry. Categories: Business, Governmental, Education, Medical, Other. Values shown on the chart: 53%, 16%, 9%, 10%, 12%; the category-to-value pairing is not recoverable from the extracted text.]
[Chart: Type of Information Exposed in Breach (percentage of breaches). Categories, left to right: Passwords, Usernames, E-Mail, Name, Address, SSN, DOB, Misc., Phone, Medical Info., Account #, CC #, Other Financials. Values as read from the chart in the same order: 53, 51, 49, 32, 15, 14, 12, 13, 9, 10, 6, 8, 8.]
LOSS STATISTICS
Summary of Ponemon Institute's 2014 Annual Cost of a Data Breach Report:
– Average total cost and per-record cost increased modestly to $5.8 million and $201, respectively.
– Direct costs are estimated at $66 per record (notification letters, credit monitoring, forensic IT, etc.).
Cost per record by industry class:
– Average: $201
– Education: $294
– Retail: $105
– Healthcare: $359
– Financial Institutions: $206
LOSS STATISTICS
Summary of NetDiligence 2014 Cyber Claims Study:
– Insurance company database of actual claims between 2011 and 2013
– Average total cost was $733,109
– Only 12% of the claims resulted in follow-on litigation, only 5% in regulatory action, and only 3% in PCI fines/penalties
Cost Type Average Cost
Forensics $119,278
Notification $175,147
Legal Guidance $117,613
Public Relations $4,513
Legal Defense $698,797
Legal Settlement $558,520
Regulatory Defense $1,041,906
Regulatory Settlement $937,500
PCI fines/penalties $2,328,667
LOSS STATISTICS
Possible Additional Costs Associated with a Data Breach
– Defense costs and settlements associated with follow-on litigation
– Regulatory enforcement bodies (HHS, OCR, FTC, FCC, State Attorneys General)
– Private plaintiffs (common law privacy, breach of contract, emotional distress allegations)
– HIPAA fines/penalties ($5k-$50k per violation, up to a $1.5M annual cap)
– FACTA fines/penalties ($1k-$2.5k per employee, plus punitive damages and fees)
– PCI compliance fines/penalties
LEGISLATIVE ENVIRONMENT
• Federal Statutes
  – Gramm-Leach-Bliley, HIPAA, GINA, FACTA
  – Computer Fraud & Abuse Act, Stored Communications Act, Electronic Communications Privacy Act
  – Obama Personal Data Notification and Protection Act (pending): 30-day notification, likely to pre-empt State Notification laws (below)
• State Notification Laws (46 states + D.C., Puerto Rico, V.I.)
  – Mass.: requires a written security policy and minimum standards
  – CA: Zip codes
  – Ohio: Section 1349.19
    – Computerized data only
    – Encryption safe harbor
    – Notification ASAP, within 45 days
    – $1,000/day penalties, which escalate after 60/90 days
• Common law allegations
  – Invasion of privacy
  – Negligence
  – Breach of implied contract
  – Right of publicity
ORC 2744 Ohio State Immunity
• Very little information regarding immunity and data breaches
• Expect to incur data breach expenses: notification, credit monitoring, forensic IT, etc.
• Contractual obligations: PCI DSS
• Federal Statutes: HIPAA, HITECH, FACTA
EMERGING ISSUES
• NIST to become de facto standard?
• Supply chain data risk
• Chip & Pin (EMV) – retail merchants
• “Internet of Things” – open source, manufacturing
• Article III standing
• “Do not track” cases
• Persistent identifiers (User ID’s, device identifiers, IP addresses)
• Terms of service
• Legal developments in Cloud computing and BYOD
BASIC BEST PRACTICES
• Inventory your data: what kind? How much? Where is it? Who has access? How is it protected?
• Evaluate contracts with outside service providers, especially 3rd-party IT, payment processors, and data storage or data processing vendors
• Consider requiring certificates of insurance for both professional E&O and Data Security/Privacy (Cyber) coverage
• Continuous 3rd party security and vulnerability assessments of your organization
• Establish an incident response plan and team with experienced outside vendors
• Test your incident response plan
• Insurance is a “safety net”, but not a substitute for internal and external safeguards
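The first best practice above, knowing what kinds of personal data you hold and where, is in practice done partly with automated discovery. What follows is an added example, not code from the slides or from Hylant: a minimal Python scanner that runs common PII patterns (SSN, payment card number with a Luhn check, e-mail address, MM/DD/YYYY date of birth) over a set of constructed sample files and reports counts per file and per data type. Every file path and value in it is made up for the illustration; the patterns are deliberately simple and would need tuning for a real environment.

```python
"""Added example (not from the slides): a minimal PII discovery pass that
supports the "inventory your data: what kind, where, how much" step.

All sample files and values below are constructed for the illustration;
no identifier is real. Patterns cover US SSNs, payment card numbers
(validated with the Luhn check so arbitrary digit runs are not counted),
e-mail addresses and MM/DD/YYYY dates of birth.
"""
import re
from collections import Counter

# Constructed sample "files": path -> contents (all values fabricated).
SAMPLE_FILES = {
    "hr/payroll_export.csv": (
        "name,ssn,dob,email\n"
        "A. Example,123-45-6789,01/02/1980,a.example@example.com\n"
        # Area number 987 is outside the issued SSN range, so it is not counted.
        "B. Example,987-65-4321,12/31/1975,b.example@example.com\n"
    ),
    "finance/refunds.txt": (
        "refund 4111111111111111 approved\n"    # passes the Luhn check
        "ticket 4111111111111112 not a card\n"  # same digits, fails Luhn
        "contact ops@example.com\n"
    ),
    "docs/readme.txt": "No personal data here, just order id 20150921.\n",
}

PATTERNS = {
    # SSN: AAA-GG-SSSS, rejecting never-issued area/group/serial values.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Card: 13 to 19 digits, optionally separated by single spaces or hyphens.
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Date of birth as MM/DD/YYYY (19xx or 20xx).
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count PII matches by type in one document."""
    found = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", match.group(0))):
                continue        # digit run that is not a plausible card number
            found[kind] += 1
    return found


def inventory(files: dict) -> dict:
    """Map each file path to its PII counts; files with no hits are omitted."""
    result = {}
    for path, text in files.items():
        counts = scan_text(text)
        if counts:
            result[path] = dict(counts)
    return result


def summarize(inv: dict) -> dict:
    """Total PII counts by type across all files."""
    total = Counter()
    for counts in inv.values():
        total.update(counts)
    return dict(total)


if __name__ == "__main__":
    inv = inventory(SAMPLE_FILES)
    for path, counts in inv.items():
        print(f"{path}: {counts}")
    print("totals:", summarize(inv))
```

Run stand-alone it prints the per-file counts and the totals; the payroll export shows up with one SSN, two dates of birth and two e-mail addresses, the refunds file with one card number and one e-mail address, and the readme is omitted. The Luhn check is what keeps the ticket number out of the card count, which is the difference between a noisy digit grep and an inventory you can act on; the same output is what tells you which files would fall under the encryption safe harbor if they were encrypted, and which would not.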
Network/Privacy Insurance
Coverage Triggers
• Virus transmission
• Failure to provide access
• Unauthorized access or use of data
• Failure to Notify
• Website/Social Media Liability
Covered Data
• Insured’s systems
• Data in transit
• Non-electronic data
• Data residing on others’ systems
• Employees’ data
• Corporate data
Network/Privacy Insurance – First Party Costs
Notification & Crisis Management Expenses
• Breach Coach
• Legal costs to determine applicability of breach laws
• Computer forensics
• Notification documents (preparing and sending)
• Call center for incoming and outgoing communications
• Payment card charge backs
• Other fees to comply with requirements of breach laws
• Public relations expenses to respond to negative publicity and restore brand reputation
• ID Fraud Policies / Credit Monitoring to affected individuals
Network/Privacy Insurance – First Party Costs
• Crime
– Computer fraud
– Funds transfer fraud
• Cyber extortion
– Threat of release of information, damage of data or systems, introduction of virus, or restriction of access to system resources
• Fines/Penalties
– PCI contract penalties
– Regulatory fines/penalties
• Telecommunications theft
– Outgoing long distance phone calls
• Network business income/extra expense
– Business interruption due to network event – typically some form of denial of service
– Dependent Business Interruption (very limited market)
Limitations to watch for
• Specific exclusions:
  – "Reckless disregard"
  – Unencrypted laptops / mobile devices
  – Violating your own policies & procedures
  – Failure to keep IT security up to date
  – Exclusions for known viruses / malicious software
  – Coverage limited to electronic data only
Disclaimer:
These examples are generic.
• CGL, E&O, and Cyber Insurance forms differ greatly between companies.
• The examples explore general coverage "intent" to illustrate the differences that may exist between the various coverages.
• Individual claim circumstances and complaint wording can trigger or limit coverage in a variety of ways.
Scenario 1 – Employee Mistake
What Happened:
Your employee accidentally or deliberately publishes private customer information on your company’s website or via e-mail. Your customer sues.
Coverage:
• Look for coverage under the personal injury section of the CGL ("publication of material that violates a right of privacy"); check whether your CGL excludes or limits this grant when the publication occurs in an electronic format.
• Look to a dedicated Cyber Liability policy.
Scenario 2 – Customer / Employee Info
What Happened:
A hacker gains unauthorized access to your network and steals personally identifiable information of employees and customers
Coverage:
• Look for coverage in a Cyber Insurance policy.
Scenario 3 – Lost Laptop
What Happened:
An employee’s laptop computer containing customer information is lost or stolen during travel.
Coverage:
• The cost to replace the stolen physical property may be covered under a property policy; however, the additional costs associated with an information breach typically will not be.
• May find coverage under a Cyber Liability policy
• Check policy wording for limitations regarding whether the laptop needs to be part of the “communications network.”
• Check policy wording for limitations regarding encryption of data.