Canadian Privacy Law: Sources

ORIMS Professional Development Day
Privacy & Network Security Liability
Murn Meyrick & Jonathan Ashall
April 9, 2008
Agenda

- Privacy legislation & framework
- Exposures
- Recent Examples
- Insurance Response
- Underwriting
The Path to Privacy Legislation…

- Growth and importance of IT systems and technology through the 1980s and 1990s meant past legislation was outdated.
- Data was being collected, stored and transmitted in ways not contemplated when the existing legislation was enacted.
- It was clear that new legislation was required to ensure its relevance to the modern world.
- Realisation of this led to a raft of legislation being enacted the world over, including…
Privacy Legislation Around the World

- Europe – EU Data Protection Act, overseeing various laws at Member State level including the UK Data Protection Act.
- USA – Fair Credit Reporting Act (FCRA), Gramm Leach Bliley Act (GLB), Health Insurance Portability & Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA) and various State acts.
- Australia – Commonwealth Privacy Act, amended by the Privacy Amendment (Private Sector) Act.
- Canada – Privacy Act and Personal Information Protection & Electronic Documents Act (PIPEDA).
Common Themes…

- All seek to address the collection, storage and use of “personal information” by both Government agencies and the private sector.
- All seek to outline appropriate technical and organisational measures to protect such data.
- “Personal Information” is usually described as any data that can be used to identify a living person, with focus upon financial and healthcare related data.
- All seek to outline the rights of individuals and potential sanctions for breaches of such legislation.
Legislation Continuing to Evolve

- Initial legislative efforts focused on the rights of individuals to know what information is being stored by an organisation and to gain access to it, but…
- Little or no right to know when such information has been tampered with or leaked illegitimately to a third party as a result of a security or administrative breach.
- The US has led the way in implementing breach notification laws, mandating that organisations inform those individuals potentially affected by such a breach (notification laws now in place in 40 states and counting).
- Following recent well-publicised security breach events, pressure is being put on legislators in other jurisdictions to follow suit.
Canadian Privacy Law: The Framework

Public Sector
- Privacy Acts (federal & provincial)
- Criminal Code
- Charter of Rights
- Common Law
- Sector specific rules/regs
- Collective Agreements

Private Sector
- PIPEDA
- Quebec Legislation
- BC, Alta, Ontario Health Privacy Act
- Criminal Code
- Common law
- Collective Agreements
The Exposures

- Negligent or intentional disclosure of personal information – mistakes, rogue employee
- Cyber Attacks – hackers, extortion, sabotage
- Fraud & other criminal offences – new offences proposed November 2007
- Network & website disruptions due to glitches or malicious code
The Exposures continued

- Electronic theft/loss of proprietary competitive business data
- Conflicting laws
- New exposures?
Exposures

Ponemon Institute – Primary Source of Breach 2007 (chart):

- Lost Laptop/Device: 48%
- 3rd Party/Outsourcer: 16%
- Malicious Insider: 9%
- Paper Records: 9%
- Electronic Backup: 7%
- Hacked System: 5%
- Malicious Code: 4%
- Undisclosed: 2%
The Aftermath: Losses associated with a breach

- Third Party Liability
  – Compensation to clients or employees
  – Class actions
  – Third party subrogation costs
  – Contingent business interruption – downstream loss
  – Contractual obligations
Losses continued

- Regulatory/law enforcement
  – Complaint to Privacy Commissioner/Federal Court
  – Recommendations/orders to change practices, damages (including humiliation, with no cap), fines/penalties (PIPEDA $100k)
  – Audit by commissioner
- Criminal Code sanctions
- Defence Costs for all of the above
Losses continued

Direct Damages to Insured:

- Decline in revenue
- Restoration/Reconstruction costs
- Response Plan
  – Notification costs
  – Law enforcement authorities
  – Auditors
  – Changes to internal processes
- Mitigation/Crisis management costs
  – Credit monitoring
  – Call centre & website
  – PR
The Reality: Survey results

- FusePoint Data Confidence Survey 2007:
  – 62% of executives felt a security breach would impact their brand
  – Only 37% have confidence their data is protected against attacks
  – 20% of companies do not use anti-virus software, 25% do not have a firewall
- Symantec Corp. survey 2007:
  – 91% of IT organizations carry out “full scenario” testing of disaster recovery plans. Nearly 50% failed.
  – 23% of city dwellers have themselves, or know someone who has, fallen victim to fraud or identity theft
- IDC Canada Survey 2007:
  – there is an “irrationally” high level of confidence among Canadian firms regarding their security measures
Current Events: A Sample of Incidents Worldwide…

USA
- TJX – Intruder gained access to 47 million customers’ info. Settlements with banks ~$65M
- Harvard – hacker attacks server, accessing up to 10,000 student accounts and posting some of the info on the web
- Hannaford Bros grocery – over 4 million credit and debit card numbers stolen during the authorization process, leading to 1,800 cases of fraud

UK
- Inland Revenue lost unencrypted discs containing sensitive information of 25 million British citizens.
- Nationwide Building Society – theft of laptop containing unencrypted details of 11 million savers. Led to notification letters being sent to all 11 million individuals potentially affected and a £980,000 fine being levied by the FSA for inadequate systems and controls to address information security risk.
…and in Canada

- TJX/Winners:
  – In Canada alone, thousands of cases of fraud reported on stolen cards. Lawsuits follow from banks, shareholders (pension funds), class action by customers, regulatory probes in US and Canada.
- CIBC: Jan. 07
  – loss of computer file in transit between offices with data on 470,000 customers. Regulatory investigation follows.
- Club Monaco: Jan. 07
  – sought help from police and forensic experts to investigate privacy breach of credit card processor
- Canada Post: Dec. 07
  – security breach – login records of scores of small businesses using shipping website available
continued…

- Passport Canada: Dec. 07
  – Security flaw allows access to passport applicants’ personal information
- Air Canada: Nov. 07
  – AC flights in GTA grounded for hours after computer “glitch” between reservation system and airport locale
- Canadian Bar Association:
  – Unauthorized access to online orders and credit card information
- Bell Canada: Feb. 08
  – 3.3 million customers have their personal information stolen. Suspect arrested in Montreal, following which public disclosure was made.
The Insurance Response

Evolution of Privacy Liability:

- Cyber Insurance
- Multimedia insurance
- Network liability
- Privacy
- Disaster recovery analysis
Coverage under “traditional” policies

- A hodgepodge of policies may historically respond, including:
  – Errors & Omissions, General Liability, Data, Property, Media, Crime/Fraud, Directors & Officers, Cyber
- Traditional policy response is dependent on cause, impact and claimant – not all-encompassing
- In general limited to the Personal Injury aspect of privacy losses, usually covered under General Liability or Professional Liability policies
- Even more specific Cyber Liability policies do not address the unique liabilities presented by the changing legislative environment.
- As awareness grows of potential privacy related liabilities, it is more likely that exclusionary language will be added to traditional policies.
Privacy Liability Coverage

- Privacy breach
- Crisis Management and Notification Expenses
- Network Security breach
Underwriting

- Privacy Statement
- Application
- Audit
- Meetings
Questions?