Making the connection on data breach complexities

Beazley Breach Response Select

Post on 08-Jun-2020


Page 1

Making the connection on data breach complexities

Beazley Breach Response Select

Page 2

Presented by

Jeffrey Norton, underwriter, Beazley US Private Enterprise Technology, Media & Business Services, [email protected]

Marcello Antonucci, claims manager, Beazley US Technology, Media & Business Services team, [email protected]

Page 3

Making the connection on data breach complexities

• Data breach exposures

• Data breach costs for small businesses

• Claims scenarios for small businesses

• Coverage misconceptions

• Beazley Breach Response Select

Page 4

Data breaches are a big concern for small businesses…

• The U.S. Chamber of Commerce estimates that employee theft costs American employers more than $50 billion each year, and one third of all small business failures can be attributed to employee dishonesty...

• Based on estimates, cybercriminals steal as much as US$1 billion a year from SMBs in the United States and Europe alone. Source: TrendMicro

• Verizon’s 2011 data breach report of 759 occurrences, conducted in collaboration with the US Secret Service, shows 63 percent of last year’s breaches involved organizations with fewer than 100 employees.

Page 5

Focus has shifted to small businesses since they are easier targets for cyber criminals...

Page 6

Most small business owners and their employees still lack understanding on the inherent risks and how best to protect their data - and business.

Page 7

Response costs add up for a company with limited cash flow

Costs for a small business can be as much as that faced by a larger company:

o Small businesses typically have fewer internal resources and less expertise to handle a breach response, so they are more likely to have to pay outside experts such as attorneys, consultants, crisis management and public relations professionals to assist.

• Complexity of the business will drive costs for legal and forensics

• Response costs alone: hiring a forensics expert to determine the size and scope of a breach can range from $10,000 to $100,000, whatever the size of the business.

• Once notifications go out, public relations/damage control is critical to reputation!

• The lion's share of response costs comes from the duty to notify those whose data has been breached or potentially breached - an estimated $200,000 in costs associated with breach response services.

Page 8

Direct Data Breach Costs in 2010

• $214 per compromised customer/client record

• $7,200,000 in average total per-incident costs (forensics, legal, notification, customer fallout)

(U.S. Cost of a Data Breach Study, PGP Corporation and Ponemon Institute, 2011)

• Small businesses typically have fewer internal resources and less expertise to handle a breach response, so they are more likely to have to pay outside experts such as attorneys, consultants, crisis management and public relations professionals.

• Once customers are notified that their information has been breached, damage control is critical.

• Leveraging the services of experienced claims professionals is key…

Page 9

Regulatory Investigations & Third-Party Claims

• Mandatory breach notification in 46 states, the District of Columbia, and Puerto Rico.

• Notification brings potential for AG regulatory action and provides plaintiffs' bar with tempting lure for putative class actions.

• PHI: HIPAA and HITECH

• Regulatory proceedings can result in fines and corrective action plans that require significant expenditures on administrative, technical, and physical safeguards for data.

• Third-party class action lawsuits entail potentially enormous exposure, and at the very least, cost a lot of money to defend.

Aim of BBR Services: mitigate any potential regulatory investigations and respond clearly and with confidence

Page 10

How Do Breaches Occur?

• Employee loses a portable device (BlackBerry, laptop, thumb drive, backup tape)

• Stray faxes, emails

• Property crimes (computers prime targets)

• Inside job (employee steals information, particularly upon separation)

• Phishing scams (“Nigerian prince”), and increasingly, Spear-Phishing (social engineering)

• Malware / virus attacks (especially when working remotely on an unsecured network)

Page 11

Examples of Publicly Reported Breaches (continued)

• The Briar Group LLC: owner of a number of bars and restaurants in the Boston area used default usernames and passwords on its point-of-sale system, which were shared by employees on an unsecured wifi network. Malware quickly made its way onto the network, and several customers began experiencing credit card fraud. The Massachusetts Attorney General learned of the incident from affected customers, and filed a lawsuit resulting in a $110,000 penalty and mandatory compliance with the rigorous Payment Card Industry Data Security Standards.

• Roanoke State Community College: A USB drive and a personal handheld device were stolen from an employee's car when he took information home to do after-hours work. The names and Social Security numbers of 9,747 current or former students were on the handheld device, along with 1,194 current or former employees. Credit monitoring alone for a breach of this size would typically exceed $100,000.

Page 12

Examples of Publicly Reported Breaches

• The Surgeons of Lake County ("SLC"): a medical facility in northern Illinois, had hackers breach its computer network, infiltrating a server where e-mails and electronic medical records were stored. Hackers encrypted access to the system, and tried to extort money from SLC in exchange for the decryption key. Hackers threatened to start spamming pornography from SLC's email addresses if not paid within 72 hours. SLC had to purge all systems and notify over 7,000 patients of the incident.

• Phoenix Cardiac Surgery ("PCS"): a five-physician practice posted clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. One patient Googled her own name, discovered the calendar, and reported the incident to federal regulators. In turn, regulators fined PCS $100,000, and instituted a mandatory corrective action plan with the ability to audit PCS for six years.

Just the tip of the iceberg: in five out of every six breaches, the infiltration remained undetected for weeks at a time. See “2012 Data Breach Investigations Report,” Verizon Communications, at 3 (2012) (http://bit.ly/GFfpdk).

Page 13

Top five list of small business misconceptions

5) Most breaches happen to big companies

4) The cost to respond to a breach is a postage stamp to mail a letter

3) Our information is well-protected by our IT consultants

2) My employees would never act maliciously, and know how to protect our data

And the top misconception is…

Page 14

Top five list of small business misconceptions

#1 – Every security breach is covered by my general liability policy

Page 15

Beazley Breach Response Select: What makes it different?

Our top two reasons:

1) Very few businesses have the resources to manage a breach (we do it all!)

2) Notify by number of affected individuals outside the liability limit

Page 16

Beazley Breach Response Select: What makes it different?

Services, services, services…

• Best in Class Breach Response Services: forensic, legal, notification, credit monitoring and health record restoration services, call center services

• Hand-picked, vetted vendors, because expertise makes a big difference for claim outcome, but most companies don’t have the in-house expertise to respond to a breach. You can be confident in our breach response services!

• Ensures that when a breach or suspected breach occurs the insured can move swiftly and sure-footedly to protect its reputation with its customers. Your client can be confident in our breach response services!

Page 17

BBR Select Timeline

Page 18

BBR Select Timeline

Page 19

Beazley Breach Response Select: What makes it different?

• Notification/Credit monitoring limit provided on a number of affected individuals basis, not a dollar amount. 25,000; 50,000 or up to 100,000 limits for most small businesses make it easy to ensure adequate limits!

• Dedicated / Outside the Liability Limit Breach Response Services, since breaches are very different from liability claims (a large breach will not exhaust the policy liability limits!)

• Free loss control information service (nodatabreach.com), including compliance and data security policy information, email alerts of key legal and regulatory developments, and expert on-line support for client questions on data security issues.

• Unmatched liability coverages, including PCI fines and costs, crisis management and public relations, Red Flags Rule coverage, and much, much more!

• All of this with low retentions and affordable premiums for small businesses!

Page 20

BBR Select - Target Market

• Any business with the legal duty to notify the consumer/patient in the event of a data breach.

• Sample industries include:

o Healthcare (doctors, dentists, nursing homes, long-term care, hospitals etc)

o Retail

o Higher education or K-12 schools

o Hospitality (hotels, motels, restaurants, property managers)

o Small commercial banks

o Law firms

o Manufacturers / Wholesale distributors

o Insurance agents/Brokers

o Staffing firms / Employment agencies

o CPA/tax preparation/wealth management/financial advisory firms

Page 21

BBR Select Product Offering

• Usual liability limits offered:

o $1,000,000 or $2,000,000

• Usual Regulatory Defense & Penalties limits offered:

o $250,000 or $500,000

• Usual Crisis Management and Public Relations limits offered:

o $100,000

• Usual PCI Fines & Costs limits offered:

o $50,000 or $100,000

• Usual notifications limit offered:

o 25,000, 50,000 or up to 100,000

• Legal/forensics limits offered:

o $50,000 or $100,000

• Minimum retention:

o $1,000

• In-house breach response team

Page 22

BBR Select Product Offering

• Additional Coverage available:

o Cyber Extortion

o First Party Data Protection

o First Party Network Business Interruption

Page 23

BBR Select Product Offering

• Premiums Starting at:

o $1,000 for non-healthcare accounts

o $2,000 for healthcare accounts

Page 24

For more information

Jeffrey Norton
Beazley USA
1+ 215 446 8453
[email protected]

Or go to: www.beazley.com/pe

Page 25

Official Notice

The descriptions contained in this presentation are for preliminary informational purposes only. The exact coverage afforded by the products described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk.