Privacy Breach Coverage
Commercial Lines
Agenda
• Evolving Need for Insurance
• Enhanced Privacy Breach Endorsements
• New Privacy Breach Liability Coverage
• Ease of Underwriting
• Value Added Services
• What’s Next?
• Questions
Evolving Need for Insurance
Privacy Breach
• Any business that collects personal information has a legal liability
to protect it
• Breach of Security Safeguards Regulations (BSSR) - Nov 2018
• European Union General Data Protection Regulation (GDPR) - May 2018
2017 Stats from Breachlevelindex.com by Gemalto
Evolving Need for Insurance
Breaches Occur Due to
Decreased revenue 37% Small businesses 40% Lost customers 49% Damage to the brand 43%
Commercial Lines Privacy Breach Solution
New: Third party liability coverage
• Liability
• Legal fees or defence expense
Enhanced: Existing first party endorsements
• Remediation expenses
• Business interruption
• Legal expenses
Enhanced Privacy Breach Endorsements
Form E127 (Version 3), Form E128 (Version 2)
Name Change (Effective August 2018)
Existing:
• Cyber Expense Endorsement – Form E127
• Cyber Legal Expense Endorsement – Form E128
Changed to:
• Privacy Breach Expense Endorsement – Form E127
• Privacy Breach Legal Expense Endorsement – Form E128
Defining Privacy Breach
What is a privacy breach?
• Failure to prevent unauthorized use of or unauthorized access to data that are non-public and personal information as established by Canadian law and that are possessed, managed, entrusted to or held by the Named Insured
• Theft of non-computer data
Knowledge Check
What are some
examples of
personal
information?
• Social insurance number
• Bank account, credit card, debit card
information
• Driver's license number
• PIN numbers
• Medical diagnosis, patient history and
medications
Coverage Overview
Privacy Breach Expense Endorsement, Form E127
Insuring Agreement A: Privacy Breach Expense Coverage
Coverage: Remediation Expenses
• Notification
• Computer Forensic Services
• Public Relations
• Credit Monitoring
• Fraud Monitoring
Insuring Agreement B: Business Interruption Coverage
• Loss of Income
• Extra Expense (includes computer forensic service expenses)
Privacy Breach Legal Expense Endorsement, Form E128
• Applies to legal fees or defence expense that are made necessary by a civil proceeding in regard to a covered privacy breach
Value Added Services
Access to CyberScout services without being subject to conditions, exclusions, or coverage
Coverage Enhancements
Business
Interruption
Waiting period reduced from 48 hours to 24 hours
• Coverage applies 24 hrs after a privacy breach is discovered
✓ Faster relief for the customer
Indemnity period increased from 30 days to 60 days
• Duration of the coverage can increase up to 60 days
✓ Longer relief for the customer
Privacy Breach Expense Endorsement
Business Interruption Claim: Retail Company
Claim: Computer systems were hacked and they could not access computers or operate POS machines. Business was shut down for three days to prevent any damage to customer records while forensic work was done. It took 50 days to return to prior level of income.
The breach is proven:
• Loss of income covered from the 24th hour versus 48th hour
✓ Customer gains a full day of business income
• Policy will cover up to the applicable limit, up to 60 days versus 30 days
✓ Business interruption expenses are covered for an additional 20 days
Coverage Enhancements: Privacy Breach Expense Endorsement
Worldwide coverage up to 60 days
If a privacy breach arises from business activities outside Canada
• Coverage extended from the US and EU to worldwide
• Coverage period extended from 30 to 60 days
✓ More employees travel worldwide and for longer periods
✓ Wider scope and longer indemnity for the customer
Coverage Enhancements: Privacy Breach Expense Endorsement
Smart phones
Privacy breach coverage is extended to smart phones as part of the bring your own device to work (BYOD) extension
✓ Peace of mind for the customer as privacy breach attacks on smart phones are on the rise
Knowledge Check
What is cyber extortion?
• A demand made by an outside entity to the customer for money or something of value in exchange for not carrying out a threat to commit a privacy breach
• A threat to disseminate, without authorization, data that are non-public and personal information or to deny, to impede, to make unavailable or to otherwise disrupt access to such data
Knowledge Check
What are computer forensic services?
• Investigation and analysis of, and documentation for, computer or computing equipment by a certified individual or organization from outside the customer entity
• If approved by Intact Insurance, these services can also be provided by an IT employee of the customer
Cyber Extortion
• Computer forensic services irrespective of an actual
privacy breach, approved in writing by Intact beforehand
• Other remediation expenses due to privacy breach caused
directly by cyber extortion
• Business interruption loss due to privacy breach caused
directly by cyber extortion
✓ Mitigates or prevents the cyber extortion
✓ Relieves customer of additional expenses while dealing with
extortion
Coverage Enhancements: Privacy Breach Expense Endorsement
Payments towards ransom, extortion or blackmail are excluded
Exclusion for cloud storage is removed
✓ Benefits customers who are increasingly using cloud
services for data storage
“Cloud Storage Market is projected to witness a compound annual
growth rate of 29.73% to reach a total market size of US$92.488
billion by 2022, from US$25.171 billion in 2017.”
Research and Markets Report
Cloud Storage
Coverage Enhancements: Privacy Breach Expense Endorsement
Remediation
Expenses
includes
Required notification of a privacy breach to a governmental
entity with authority to regulate the privacy of non-public and
personal information of Canadians
✓ Support customers to comply with mandatory reporting of
Breach of Security Safeguards Regulations (BSSR) of
PIPEDA and European Union General Data Protection
Regulation (GDPR)
Coverage Enhancements: Privacy Breach Expense Endorsement
Fines, penalties or assessments of any nature including those
related to Payment Card Industry (PCI) Standards are excluded
Existing Key Exclusions - Reminder
Prior Knowledge: Expenses arising from any fact or circumstance known prior to the effective date of coverage
Third Party Liability: Loss, damage, expense or costs arising out of liability to a third party
Information Technology Security: Privacy breach from failure to diligently deploy updated functional security software
Computer Forensic Services:
• Computer, device hardware or software costs
• Payments for service or maintenance
• Remuneration expense unless approved
Cyber Extortion Claim: Small Hotel
Claim: Customer experienced a ransomware attack and a ransom of $4,000 of bitcoin was requested. Credit card information of 5,000 guests may be at risk, including European guests.
✓ Expenses for computer forensic services if agreed in writing by Intact for cyber extortion
If breach is proven, covers:
✓ Cloud data
✓ Remediation expenses such as notification to authorities and clients
✓ Business interruption expenses
Endorsement Amounts of Insurance
Privacy Breach Expense Endorsement, Form E127: Privacy Breach Expense Coverage; Business Interruption Coverage
Privacy Breach Legal Expense Endorsement, Form E128
$25,000 $25,000 $25,000
$50,000 $50,000 $50,000
$75,000 $75,000
$100,000 $100,000
Higher amounts introduced
$150,000 $150,000
$200,000 $200,000
$250,000 $250,000
Pricing – Introductory Limits
Introductory limit: $25,000
Premium: $120
Deductible:
• $1,000 - Privacy Breach Expenses
• 24-hour waiting period for Business Interruption
• No waiting period for Extra Expenses
• Provided that the actual loss sustained under Business Interruption exceeds the 24-hour waiting period
Pricing – Higher Limits
Low Medium High
• Building Owners
• Apartments & Condos
• Wholesaling
• Farms
• Contracting
• Forestry
For limits > $25,000, premium is rated based on major class’ relative degree
of privacy breach exposure
Common Examples
• Financial Institutions
• Healthcare
• Services
New Privacy Breach Liability Coverage
Form E161 (Version 1)
Effective August 2018
New coverage for third party liability
Privacy Breach Liability – Form E161
• Protects the Intact customer from claims or
actions due to a breach of personal information
• Recommended as a coverage to complement
the first party endorsements
Coverage Overview: Privacy Breach Liability, Form E161
Insuring Agreement A: Privacy Breach Liability
• Privacy breach compensatory damages that the customer is legally obligated to pay
Insuring Agreement B: Legal Fees or Defence Expense – Liability for Privacy Breach
• Legal fees or defence expense
Value-Added Services
Access to CyberScout services without being subject to conditions, exclusions, or coverage
Coverage Highlights
Claims made
Worldwide coverage
Employees, Directors & Officers covered as claimants
No cloud exclusion
No deductible
Per Claim and Aggregate Limit
Privacy Breach Liability
Form E161
Per Claim Limit Aggregate limit
$50,000 $50,000
$75,000 $75,000
$100,000 $100,000
$250,000 $250,000 / $500,000
$500,000 $500,000 / $1,000,000
$1,000,000 $1,000,000 / $2,000,000
$2,000,000 $2,000,000
✓ Aggregate limit must equal the 'Per Claim' limit when limit is $100,000 or less
✓ For limits of $250,000 and over, aggregate can be double the 'Per Claim' limit.
Key Exclusions
Bodily Injury or Property Damage: Any claim, privacy breach compensatory damages, or legal fees or defence expense, arising directly or indirectly from bodily injury or property damage
Information Technology Security: Privacy breach from failure to diligently deploy updated functional security software
Mechanical Breakdown and Service Interruption: Interruption of internet or electrical service
Retail Company
Privacy Breach Liability Claim
Claim: POS machine was hacked
and ransom of $4,000 bitcoin was
requested. Credit card information
of the store’s clients was stolen
and they became victims of
identity theft. Clients sued the
retail company.
✓Compensatory damages that the
customer becomes legally obligated to
pay
✓Legal fees and defence costs
Dental Clinic
Privacy Breach Liability Claim
Claim: Patient records were breached. Victims had fraudulent charges to their credit cards and two of them became victims of identity theft. They seek compensation for costs and losses.
✓ Compensatory damages that the customer becomes legally obligated to pay
✓ Legal fees and defence costs
Construction Company
Privacy Breach Liability Claim
Claim: Spreadsheet containing confidential personal information of employees had been mistakenly sent out to the public. Several of the employees brought legal actions against the customer.
✓ Compensatory damages that the customer becomes legally obligated to pay due to affected employees
✓ Legal fees and defence costs
Real Estate Agency
Privacy Breach Liability Claim
Claim: Laptop case is stolen. Smart phone with confidential client information was also in the case. The victimized clients sue the real estate agency, submitting proof that the stolen details were used for fraudulent activities.
✓ Compensatory damages that the customer becomes legally obligated to pay to the clients that suffered loss due to breach
✓ Legal fees and defence costs
Pricing
Low Medium High
• Building Owners
• Apartments & Condos
• Wholesaling
• Farms
• Contracting
• Forestry
Premium is rated based on major class’ relative degree of
privacy breach exposure
Common Examples
• Financial Institutions
• Healthcare
• Services
Pricing Examples Low exposure: Building construction company
Base scenario Scenario 1 Scenario 2
Remediation expenses $25,000 $50,000 $100,000
Business interruption $25,000 $50,000 $100,000
Legal expense $25,000 $50,000 $50,000
Annual premium (Form E127/E128) $120 $165 $271
Privacy Breach Liability Coverage $50,000 $75,000 $100,000
Annual premium (Form E161) $77 $115 $146
Total annual premium $197 $280 $417
Pricing Examples Medium exposure: Wholesaler
Base scenario Scenario 1 Scenario 2
Remediation expenses $25,000 $50,000 $100,000
Business interruption $25,000 $50,000 $100,000
Legal expense $25,000 $50,000 $50,000
Annual premium (Form E127/E128) $120 $239 $394
Privacy Breach Liability Coverage $50,000 $75,000 $100,000
Annual premium (Form E161) $100 $150 $190
Total annual premium $220 $389 $584
Pricing Examples High exposure: Dental clinics
Base scenario Scenario 1 Scenario 2
Remediation expenses $25,000 $50,000 $100,000
Business interruption $25,000 $50,000 $100,000
Legal expense $25,000 $50,000 $50,000
Annual premium (Form E127/E128) $120 $359 $584
Privacy Breach Liability Coverage $50,000 $75,000 $100,000
Annual premium (Form E161) $150 $225 $285
Total annual premium $270 $584 $877
Ease of Underwriting
Ease of Underwriting < $100K
Coverage and Amounts/Limits:
• Privacy Breach Liability coverage: $100,000
• Privacy Breach Expense Endorsement: $100,000
• Privacy Breach Legal Expense Endorsement: $50,000
✓ Ideal for small to medium sized business customers
✓ No restrictions by class
✓ No application is required
Ease of Underwriting
Privacy Breach Legal
Expense Endorsement
Privacy Breach Liability
coverage
Privacy Breach Expense
Endorsement
✓ Not separable
✓ Must have property coverage
✓ No need for base CGL
✓ Recommended first party
and third party coverage as
a complete solution
✓ Add to entire portfolio (up
to $100K) or individual
customer
Underwriting > $100K
Coverage and Amounts/Limits:
• Privacy Breach Liability coverage: $250,000; $500,000; $1,000,000; $2,000,000
• Privacy Breach Expense Endorsement: $150,000; $200,000; $250,000
✓ No change in the wordings
✓ Application is required
✓ Portfolio addition is not available
Value Added Services
Breach protection: To guard against a data loss incident with proactive measures that mitigate risk
Breach response: To defend against a breach with guidance from breach response team
Value Added Services: Expert Breach Response
✓ Crisis management
✓ Breach notification writing
✓ Documentation during remediation
process
✓ Industry best practices for
handling a breach
Value Added Services: Proactive Breach Protection
www.intactinsurance.breachresponse.ca
Global Username: Intactinsurance1
Global Password: Intactinsurance1
Value Added Services: In the event of a breach
1. Call 24/7 Intact Insurance claims service 1-866-464-2424
2. Intact claims collaborate with CyberScout™ experts for an effective privacy breach response
Selling Tips
1. Educate to raise awareness of this growing threat
2. Explain how breaches occur
3. Help them assess their vulnerabilities
4. Focus on the extra services included as part of their coverage
5. Walk them through our coverage
6. Put the value in perspective
What’s Next?
Underwriters
• Questions
Business Development Consultants
• Follow-up Meetings
Reference materials
• Presentation
• Product Sales Sheets
• Microsite
Questions