Cyber Risk and Global Security Issues: is your business fully prepared?
Thursday 2 October 2014
© Copyright 2014 by K&L Gates LLP. All rights reserved.
klgates.com

Identifying cyber risks and how they impact your business

The Spectrum of Cyber Attacks
- Advanced Persistent Threats (“APT”)
- Cybercriminals, exploits and malware
- Denial of Service attacks (“DDoS”)
- Domain name hijacking
- Corporate impersonation and phishing
- Employee mobility and disgruntled employees
- Lost or stolen laptops and mobile devices
- Inadequate security and systems: third-party vendors

The Practical Risks of Cyber Attacks
- Loss of “crown jewels”, IP and trade secrets
- Compromise of customer information, credit cards and other PII
- Loss of web presence and online business
- Interception of email and data communications
- Loss of customer funds and reimbursement of charges
- Brand tarnishment and reputational harm
- Legal and regulatory complications

Advanced Persistent Threats
- Targeted, persistent, evasive and advanced
- Nation-state sponsored, e.g. P.L.A. Unit 61398 (“Comment Crew”)

Advanced Persistent Threats
Gen. Keith B. Alexander, commander of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the “greatest transfer of wealth in history.” Source: New York Times, June 1, 2013.
Advanced Persistent Threats
- The Director-General of MI5 warned that one London business suffered £800 million in losses following an attack*
- The UK’s National Security Council has judged that the four highest-priority risks are currently those arising from: international terrorism; cyber attack; international military crises; and major accidents or natural hazards**
*Source: Cyber crime a global threat, MI5 head warns (2012) http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/9354373/Cyber-crime-a-global-threat-MI5-head-warns.html
**Source: A Strong Britain in an Age of Uncertainty: The National Security Strategy (October 2010)

Advanced Persistent Threats
- A survey by anti-virus specialists Kaspersky found that cyber security measures taken by UK businesses were “woefully inadequate”
- Only 25% of IT specialists thought that their company was completely protected from cyber threats (although can there ever be complete protection?)
- When questioned, 33% of IT managers did not know anything about the common cyber threats that have been targeting corporates
*Source: BCS – The Chartered Institute for IT, http://www.bcs.org/content/conWebDoc/49048

Advanced Persistent Threats
- Penetration: 67% of organisations admit that their current security activities are insufficient to stop a targeted attack*
- Duration: average = 356 days**
- Discovery: typically via external alerts; 55% are not even aware of intrusions*
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units”

Advanced Persistent Threats: Penetration
- Spear phishing
- Watering hole attack: relies on the insecurity of frequently visited websites
- Infected thumb drive
*Source: Trend Micro, USA.
http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units”

Advanced Persistent Threats: Target Profiles
- Industry: government; information technology; aerospace; telecom/satellite; energy and infrastructure; engineering/research/defence; chemical/pharma
- Activities: announcements of China deals; China presence

Cybercriminals, Exploits and Malware
- 60,000 known software vulnerabilities
- 23 new zero-day exploits in 2014
- Risk = threat + vulnerability

Cybercriminals, Exploits and Malware
- Ransomware: “UK law enforcement”-themed ransomware; CryptoLocker

Inadequate security and systems: third-party vendors
- Vendors with client data
- Vendors with password access
- Vendors with direct system integration
- Point-of-sale

Cybercriminals, Exploits and Malware
- In the UK, a government report found that the cost of cyber security breaches nearly doubled in 2013
- For large organisations the worst breaches cost between £600,000 and £1.158 million (up from £450,000–£850,000 a year ago)
*Source: UK Government press release, 29 April 2014
https://www.gov.uk/government/news/cost-of-business-cyber-security-breaches-almost-double

Cybercriminals, Exploits and Malware
- Cost per record: $158
- Notification costs: $509,000
- Post-breach costs: $1.6M
- Business loss: $3.3M
*Source: Symantec Internet Security Threat Report 2014

Dangers of new and emerging risks

Cloud Computing Risks
- Exporting security function and control
- Geographical uncertainty creates exposure to civil and criminal legal standards
- Risk of collateral damage

Mobile Device Risks
- 52% of mobile users store sensitive files online
- 24% of mobile users store work and personal info in the same account
- 21% of mobile users share logins with families
- Mobile malware: apps
- Insufficient mobile platform security

Social Media Risks
- Consumer harm and reputational damage

Example – “Peter Pan virus” phishing email (September 2014)
- Email purportedly came from a real company, BH Live, a ticketing and entertainment company based in Bournemouth
- Claimed recipients had tickets to see Peter Pan and invited them to open the attached e-tickets
- Opening the attachment may have downloaded viruses
- BH Live was inundated with phone calls from worried recipients

Protection and Risk Mitigation

WHY MITIGATE CYBER RISK?
- Consequences of a cyber attack could be catastrophic
- Consider: how long could a business that relies on internet sales survive if no one could access its website? What would be the impact on its sales if no one was prepared to enter their credit card details?

LEGAL CONSEQUENCES
The Data Protection Act 1998 (“DPA”) requires the data controller to implement appropriate technical and organisational security measures against unauthorised or unlawful processing, accidental loss, destruction or damage of personal data.
Regulatory penalties may be imposed on the company for breach of the DPA, including:
- Fines;
- Enforcement notices; and
- Director disqualification
Data subjects (the individuals the personal data is about) may claim compensation from the data controller for such breaches under the DPA.

PRACTICAL CONSEQUENCES
As important to companies subject to a cyber attack are the consequences of such an attack in practice for the business.
- Loss of customer information, credit card details and other personal information. Data subjects seek compensation from the business under the Data Protection Act, especially if the hacker cannot be identified.
- Prevention of sales. Retailers with an online presence that are subject to a Denial of Service attack lose customers to competitors. You may eventually get your site back up, but will the customer be back? This risk is heightened at times of traditionally high online sales.

PRO-ACTIVE MANAGEMENT AT BOARD LEVEL
- Not an IT problem: board-level support is required to ensure that the resources, both in time and capital, are expended.
- Ensure that a cybercrime management policy is part of the company’s governance framework and that it is given the same level of attention as financial and other risk management regimes.

PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (2)
How would the board answer the following questions:
- What strategy did you have in place to prevent this cyber attack from happening?
- Who was responsible for the strategy?
- What was done in advance to limit the damage from attacks of this nature?

PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (3)
Basic information risk management will highlight potential cyber attacks, allowing a board to see what constitute the most potent risks to the company.
Understand what data you hold:
- how sensitive the data is
- which systems control the management of key information
- how critical the information is to the management of the business

ENSURING INTERNET SAFETY AND NETWORK SECURITY
Methods to reduce cyber risk include:
- Mobile working: ensure that a mobile working policy is in place to secure documents away from the office.
- Control access to removable media such as memory sticks and removable hard drives and avoid their use where possible, especially for storage of sensitive data. All removable data should be encrypted.
- Establish a policy on appropriate use and educate staff on the appropriate way to use the company’s IT systems.
- Implement an incident response plan to ensure an effective response to a cyber attack.

ENSURING INTERNET SAFETY AND NETWORK SECURITY (2)
- Create an incident management team that can carry out this process and provide it with specialist training.
- Control and limit access: only allow employees access to the information they require to carry out their roles.
- Scan all media for malware before incorporating them into IT systems.
- Monitor ICT systems for unusual activity.
- Implement malware protection in all business areas and produce a policy on dealing with any malware issues.
- Install security patches.
- Implement basic security controls on networks.
- Ex-employees should immediately be denied access.

ADEQUATE TRAINING AND INTERNAL PROCEDURES
- A cyber attack can take many forms, including deliberate attacks, technology issues or simple human error or negligence.
- Every company has a cyber defence weak spot in its own employees.
- An adequate defence system protecting a company from cyber attacks should not only have the relevant defences and policies in place, but staff must be trained on the relevant policies.
ADEQUATE TRAINING AND INTERNAL PROCEDURES (2)
- Implement staff training and clear mechanisms for staff to report concerns regarding other members of staff not complying with policies.
- Not knowing what devices are held significantly increases a company’s cyber risk profile.
- Every company should draft and implement a home and mobile working policy, and train staff to adhere to it.

ONGOING MANAGEMENT
- Planning and analysis of risk serves no purpose unless a company also properly implements its findings.
- As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defences and re-evaluate the threats pertinent to their business.

IMMEDIATE DAMAGE TO REPUTATION
- Cyber attacks naturally affect customer confidence, especially when customer information or funds are stolen.
- Exacerbated by online communication forums that spread news of such an attack.
- Crisis management costs include: informing affected customers; PR campaigns to restore reputation; management time; retrieving data; suspending customer access to data and websites where relevant; forensic investigation of the attack; and repairing cyber defences.

IMMEDIATE DAMAGE TO REPUTATION (2)
- 82% of the UK public would stop dealing with an organisation if their online data was breached (Unisys survey, 2011)
- Brand damage may also come in the form of intellectual property infringement, with fake websites or counterfeit products sold online.
- IP theft can result in loss of first-to-market advantage and a consequential loss of competitive advantage.

POSSIBLE LONG-TERM IMPACT ON BUSINESS STRATEGY AND FINANCIAL STABILITY
- Research and development may be scaled back to preserve current financial stability or because frequent IP theft has made it unprofitable.
- Businesses may shy away from exploiting the online market for fear of incurring another costly cyber attack.

A GROWING ISSUE
- Consumers are becoming increasingly receptive to interacting with businesses online.
- As customer interaction with online technology grows, so too does their disclosure of sensitive personal information.
- A cyber attack that results in a loss of customer information can cause huge reputational damage.
- The prominence of social media and the speed at which information can be disseminated can cause reputational damage at an unprecedented speed.

COFFEE BREAK

Personal Data Breaches and Notifications – a U.S. Perspective

LEGAL AND REGULATORY FRAMEWORK
- Federal privacy laws: Gramm-Leach-Bliley Act; Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH); Fair Credit Reporting Act / Fair and Accurate Credit Transactions Act; Federal Trade Commission Act
- State privacy laws / consumer protection statutes: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- SEC Cybersecurity Guidance
- NIST Cybersecurity Framework
- Payment Card Industry Data Security Standards (PCI DSS)

FEDERAL PRIVACY LAWS: Gramm-Leach-Bliley Act
The federal regulators of U.S. financial institutions “shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” (15 U.S.C. §6801.)
FEDERAL PRIVACY LAWS: HIPAA
“A covered entity or business associate must, in accordance with §164.306 [“Security standards: General rules”] … [i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart….” (45 C.F.R. §164.316(a).)

FEDERAL PRIVACY LAWS: HITECH
“A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information … shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.” (42 U.S.C. §17932.)

FEDERAL PRIVACY LAWS: Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act
“It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilisation of such information in accordance with the requirements of this subchapter.” (15 U.S.C. §1681.)
Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft (16 C.F.R. §681.1).

FEDERAL PRIVACY LAWS: Federal Trade Commission Act
Section 5 empowers the FTC to “prevent . . .
unfair or deceptive acts or practices in or affecting commerce”:
“The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. § 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. § 227(b)], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” (15 U.S.C.A. § 45(a)(2).)

STATE PRIVACY LAWS / CONSUMER PROTECTION LAWS
Pennsylvania: Breach of Personal Information Notification Act
“(a) General rule.--An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. … [T]he notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.” (73 P.S. § 2303(a).)
“The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation

SEC CYBERSECURITY GUIDANCE
“[A]ppropriate disclosures may include”:
- “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
- “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
- “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
- “Risks related to cyber incidents that may remain undetected for an extended period”; and
- “Description of relevant insurance coverage.”
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

NIST CYBERSECURITY FRAMEWORK
The NIST Cybersecurity Framework provides a common taxonomy and mechanism for organisations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
The Framework is voluntary (for now).

NIST CYBERSECURITY FRAMEWORK
- 85% of security budgets currently go here (the slide points at one area of its framework diagram, which is not reproduced)
- According to Gartner: by 2020, 75% of security budgets will go towards detection and response
NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/

PCI DSS
“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”

TRENDS (slide titles)
- Article III standing: Clapper
- Article III standing: Galaria
- Article III standing: Neiman Marcus
- Article III standing: Sony
- Article III standing: Michaels Stores
- Article III standing: Adobe
- Shareholder litigation: Target
- Shareholder litigation: Wyndham
- FTC regulatory action: Wyndham
- SEC: “the new sheriff”

Personal Data Breaches and Notifications – a UK perspective

LEGISLATIVE REQUIREMENTS
- Directive 95/46/EC transposed into UK law by the Data Protection Act 1998
- 7th principle: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (Part I, paragraph 7, Schedule 1 to the DPA)
- No prescriptive requirements, unless sector-specific regulation. No “one size fits all”, but three principles:
  1. Risk assessment: what is appropriate given the type of data?
  2. Regard to be had to the state of technology and implementation cost, compared to what harm might result from a breach.
  3. Reliability of employees.
- Vet your data processors: written contracts
- Guidance from the regulator (UK Information Commissioner’s Office): Encryption? Data storage vs. transmission. International Standard 27001 / Cyber Essentials Scheme. Anonymisation?
- Data Sharing Code of Practice
- Internal policies: IT / internet use / data retention and destruction / data security / training
- Processes and security protocols: staff vetting and access control
- Disposal (CESG approved?) / decommissioning
- Software updates (remedy vulnerabilities) / SQL injection (high risk)
- Authentication / hashing / salted hashing

DO WE NEED TO NOTIFY THE UK ICO?
- What sector are you in? PECR 2003: notification only compulsory for “publicly available electronic communication services” (the same across all of the EU), i.e. telecoms / ISPs; within 24 hours of breach detection.
- Everyone else: no legal requirement, but ICO guidance. Should notify if “serious”. Overriding consideration: potential harm to individuals. Notifying can mitigate fines, vs. the danger of over-notifying.
- Notify data subjects? Do they need to take steps to protect themselves?
- Contractual obligation to notify?
- Public sector bodies may have their own requirements: health service organisations – IG Toolkit Incident Reporting Tool.
- Financial institutions – FCA / FSMA. Police / insurers / professional bodies / bank or credit card companies.

UK ICO ENFORCEMENT
- Make assessments (reactive or proactive)
- Serving Information Notices / Special Information Notices
- Enforcement Notices
- Powers of entry, inspection, seizure of documents / equipment
- Fines of up to £500,000 for serious breaches: “contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it” (s.55A DPA)
- Selective enforcement / limited resources
- Individual has a direct right of action and right to compensation
- Criminal offences: failure to comply with an Information / Enforcement Notice (directors can also be prosecuted)
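The ICO guidance above flags SQL injection as a high-risk vulnerability; the gap between an injectable query and a safe one is small enough to show in full. The following is an added example written for this page, not code from the presentation or from any organisation it describes. The customers table, its sample rows (stand-in card numbers), the injection string and the function names are all constructed for the demonstration; only the standard-library sqlite3 module is used.

```python
"""Vulnerable vs. parameterised lookup against an in-memory SQLite table.

Added example. The schema, rows and function names are constructed for
illustration and are not taken from the presentation or any real system.
"""
import sqlite3

# Constructed sample data: three customers with stand-in (test) card numbers.
_SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def _fresh_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", _SAMPLE_ROWS)
    return conn


def lookup_card_vulnerable(username: str) -> list:
    """Builds the statement by string concatenation. Attacker-controlled text
    becomes part of the SQL grammar, so a quote in the input closes the
    literal and whatever follows is executed as SQL."""
    conn = _fresh_db()
    sql = ("SELECT username, card_number FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_card_parameterised(username: str) -> list:
    """Same query with a bound parameter. The driver sends the value separately
    from the statement text, so the input can never alter the query structure."""
    conn = _fresh_db()
    sql = "SELECT username, card_number FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the string literal and appends a tautology.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    print("vulnerable, honest input :", lookup_card_vulnerable("alice"))
    print("vulnerable, injected     :", lookup_card_vulnerable(INJECTION))
    print("parameterised, injected  :", lookup_card_parameterised(INJECTION))
```

Run as a script, the concatenated query returns every row for the injected input, because the resulting statement reads `WHERE username = 'x' OR '1'='1'`; the bound-parameter version treats the same text as an ordinary value, finds no such username and returns nothing. Bound parameters (or an ORM that uses them) are the fix; input filtering alone is not.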
ENFORCEMENT TRENDS
Leading video games provider (Jan 2013)
- Network platform subject to several DDoS (“distributed denial of service”) attacks
- Hacker accessed customer details and passwords (no cardholder information)
- 100 million customers thought to be affected
- Data controller didn’t keep up to date with technical developments
- Didn’t deal with system vulnerabilities even though an update was available
- Didn’t use cryptographic controls for passwords
- History of attacks, but still used the platform to hold vast amounts of personal data
- Didn’t react quickly enough
- Voluntarily reported (mitigating factor)
- £250,000 fine
- Internal cost to the data controller thought to be in the region of $171 million
Booking agent for travel services (Dec 2012)
- SQL injection attack allowed a hacker to access over 1 million card payment details (half of which were active)
- Data controller did no penetration tests / vulnerability scans and checks, on the basis that the webserver was not external-facing (but it could still be accessed over the internet by individuals with basic technical skills)
- No evidence of actual harm / fraud
- Voluntarily reported (mitigating factor)
- £150,000 fine

[Chart: April – March 2014 (figure not reproduced)]

FUTURE DEVELOPMENTS
- CESG (information security arm of GCHQ): 80% of known attacks defeated by basic security practices
- Nov 2011: Cyber Security Strategy produced; set the agenda for 2015. Set up the National Cyber Security Programme (NCSP) with £650 million funding for four years; falls under the supervision of the Cabinet Office. Published progress against objectives in Dec 2013; most recent progress published on 10 Sep 2014.
- September 2012: BIS issued guidance for companies
- 5 Jun 2014: new standard based on ISO 27000 (Cyber Essentials). Certification demonstrates that industry-minimum cyber security measures have been adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information-handling contracts to be Cyber Essentials certified.
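Two points above call for the same control: the ICO guidance lists “Authentication / hashing / salted hashing”, and the games-provider enforcement case was penalised in part for storing passwords without cryptographic controls. The block below is an added example written for this page, not code from the presentation or from the provider concerned. The stored-record format (algorithm$iterations$salt$digest), the iteration count, the function names and the sample passwords are my own choices; it uses only the standard library.

```python
"""Salted, iterated password hashing (PBKDF2-HMAC-SHA256) next to the weak
pattern it replaces. Added example; record format and names are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000   # work factor: raise until one hash costs ~100 ms on your servers
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'.
    A fresh random salt per password means equal passwords yield different
    records, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so response timing does not reveal how much matched.
    Malformed or foreign records are rejected rather than raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha1(password: str) -> str:
    """The weak pattern: one fast, unsalted hash. Equal passwords give equal
    values, so a leaked table exposes shared passwords and matches rainbow tables."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_password_groups(table: dict) -> list:
    """Given {username: stored_value}, return groups of users whose stored values
    are identical. Against unsalted hashes this reveals shared passwords from the
    leaked table alone; against salted records it finds nothing."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return sorted(users for users in by_value.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two of them share a password.
    accounts = {"ann": "winter2014", "ben": "winter2014", "cat": "correct horse"}
    weak = {u: unsalted_sha1(p) for u, p in accounts.items()}
    strong = {u: hash_password(p) for u, p in accounts.items()}
    print("shared passwords visible in unsalted table:", shared_password_groups(weak))
    print("shared passwords visible in salted table:  ", shared_password_groups(strong))
    print("verify ok:", verify_password("correct horse", strong["cat"]))
    print("verify bad:", verify_password("wrong", strong["cat"]))
```

The iteration count and salt travel with each record, so the work factor can be raised later and old records re-hashed at next login without a migration. A memory-hard function (scrypt, Argon2) is preferable where available; the structure of the record and the constant-time verification are the same.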
- CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents; it will act as the UK central contact point for international counterparts in this field, as will be required under the upcoming European Cyber-Security Directive.
- No UK-specific legislation on the horizon, but watch out for the European Data Protection Regulation and the Network and Information Security Directive.

Personal Data Breaches and Notifications – a German perspective

LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG). Sect. 9 / Annex to Sect. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular:
1. Access control: preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.
2. Disclosure control: ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency about which bodies data will be transferred to.
3. Input control: ensuring the possibility to trace alteration or deletion of data.
4. Job control: ensuring, in the case of commissioned data processing, compliance with the controller’s instructions.
5. Availability control: ensuring personal data is protected against accidental destruction or loss.

WHEN DO WE NEED TO NOTIFY THE DATA PROTECTION AUTHORITY (DPA) AND INFORM THE DATA SUBJECT?
General notification obligation to the DPA and the data subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG):
- Unlawful disclosure of special categories of personal data (e.g.
ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy)
- Threatening serious harm to the rights or legitimate interests of data subjects
Information to the DPA: without undue delay; nature of the disclosure and possible harmful consequences.
Information to the data subject: without undue delay, as soon as the data is secured and the criminal investigation is not endangered; nature of the disclosure; recommendations to minimise possible harm.

ENFORCEMENT BY THE DPAs IN GERMANY
German DPAs may (Sect. 38 BDSG):
- Monitor the implementation of the BDSG and other provisions on data protection matters, including the right to request information from processors and the right to enter property and premises for inspections
- Notify data subjects in case of violation and report to prosecution authorities
- Order measures to remedy violations (e.g. prohibiting data processing)
- Raise fines of up to EUR 300,000 in case of intentional or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)

ENFORCEMENT TRENDS
- There is still no common code of practice among DPAs, which leads to varying practices in different German states (“Länder”).
- In the past, German DPAs were not very strict in enforcing data protection laws by raising fines.
Example 1: Google Street View (2008–2010)
- Google provides panorama pictures for Street View
- While taking these pictures, surrounding WiFi data were scanned accidentally
- Competent DPA (Hamburg) raised a fine of EUR 145,000
Example 2: AOL server breakdown (2014)
- Server breakdown caused a leak of 500,000 user access data sets
- Stolen data was used for a spam-mail wave
- Provider did not notify the breach to the DPA but informed users
- Presumably no action by the competent DPA

NUMBERS AND TABLES
- No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared
- Statement of the Federal Commissioner for Data Protection: March 2011 – October 2013: 501 notifications in total
- Telecom sector: 2012: 27 notifications; 2013: 66 notifications

FUTURE DEVELOPMENTS
- Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector
- Legislative framework: draft version of a German regulation for IT security; draft EU Regulation

Personal Data Breaches and Notifications – a French perspective

LEGISLATIVE REQUIREMENTS
- Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978
- Directive 2009/136/EC (“ePrivacy”) implementing data breach requirements in August 2010
- “Breach of personal data”, the French definition and scope: any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure of or unauthorised access to personal data processed in the context of providing electronic communication services to the public.
- Data breach notifications are only required from telco operators and internet access providers, for any breach of personal data processed “by electronic communication service providers operating electronic communication networks with open public access.”

LEGISLATIVE REQUIREMENTS: Two categories of notifications
1.
To the French DPA
- Within 24 hours of effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data: notify at least the existence of the breach
- Within 72 hours of effective knowledge, through an electronic procedure, describe the breach in detail: categories of data breached; origin, specifics and duration of the breach; security measures and patches implemented; potential impact on the privacy of the “affected parties”; spontaneous information of the “affected parties”
2. To the “affected parties”
- If the breach is likely to compromise personal data security or the privacy of a subscriber or any other individual
- Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individual, and have been applied to the data affected by the breach
- Failing this, the French DPA may serve the service provider with a formal notice to inform the “affected parties” as well, after investigating the severity of the breach

LEGISLATIVE REQUIREMENTS: Recording of all breaches
Each provider of electronic communication services must keep, and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and remedial measures taken.

ANALYSIS PERFORMED BY THE FRENCH DPA
The DPA has up to two months to:
- Consider the potential impacts of the breach on data security and privacy protection;
- Estimate whether the security measures implemented before the breach were appropriate;
- Evaluate whether the information measures taken towards the “affected parties” were sufficient.

ENFORCEMENT
The DPA may:
- Require the company (telcos and ISPs) to inform “affected parties” or the general public.
- Apply an administrative fine of up to €150,000, after an adversarial public or closed procedure in which the company may be assisted by its counsel.
- Publish a description of the breach on its website, or on any appropriate medium at the company’s expense.
- Publish all or part of the ruling against the company on its website, or on any appropriate medium at the company’s expense.

ENFORCEMENT
As of now:
- 7 sanctions in 2013
- 16 between January and September 2014
- Fines between €20,000 and €150,000 (max.)
- The French DPA has systematically published its rulings regarding data breaches
Next year: a draft bill will be discussed starting January 2015, extending data breach notification requirements to any data controller or processor, in any sector (public or private), and providing for penalties of up to €1,000,000 or 2% of global annual turnover, whichever is higher.

New Draft EU Data Protection Regulation – Mandatory Data Breach Notification

INTRODUCTION
- Draft EU Data Protection Regulation COM(2012)0011 – C7-0025/2012 – 2012/0011(COD); draft version published by the Commission in 2012, adopted by the European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC
- What are the goals? Protection of individuals with regard to the processing of personal data; free movement of personal data; protection of the fundamental rights and freedoms of natural persons
- Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; cooperation and consistency; remedies, liability and sanctions

THE “DATA BREACH” REGULATION (EU) No 611/2013
- “Electronic communications service providers” must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves.
- The notification requirement targets internet service providers and telco operators. Email service providers are not impacted… yet.
The draft Regulation will extend data breach notification to any controller (expected in 2016).
Non-compliance with the notification requirement is subject to criminal sanctions.

MANDATORY NOTIFICATION OBLIGATION: DETAILS

Art. 31: Notification
Who has to notify? All controllers and processors.
To whom? Controllers notify the competent DPA; processors notify the controller.
Reason? A personal data breach.
When? Without undue delay and, where feasible, not later than 24 hours after having become aware of the breach.
What has to be notified? Nature and consequences of the breach, contact information, and measures to mitigate possible adverse effects.

Art. 32: Communication
Who has to communicate? All controllers.
To whom? The data subject.
Reason? The personal data breach is likely to adversely affect the protection of the personal data or the privacy of the data subject.
When? After notification to the DPA, without undue delay.
What has to be communicated? Nature of the breach and measures to mitigate the possible adverse effects.

ENFORCEMENT
The competent supervisory authority may sanction administrative offences.
The amount of the fine depends on the technical and organisational measures implemented and on the degree of cooperation with the supervisory authority.
Fines of up to EUR 100,000,000 or 5% of annual worldwide turnover, whichever is higher.

Maximising insurance coverage for cyber risks

AGENDA
What Do Cyber Policies Actually Cover? The Types of Risk Covered. What About the Risk Associated With Vendors/Outsourcing? What About Paper Records?
Can We Not Simply Rely On the Coverage Provided by Existing Policies? Potential Coverage. The Limitations of “Legacy” Policies.
Questions for Any Insured Thinking of Taking Out Cyber Cover.
What Happens in the Event of a Claim or Investigation Which Impacts the Policy?
Conclusion and Takeaways

WHAT DO CYBER POLICIES ACTUALLY COVER?

THE TYPES OF RISK COVERED
Privacy and Network Security: coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats.
Regulatory Liability: coverage for dealing with regulators and for liability arising out of administrative or regulatory investigations, proceedings, fines and penalties.
Crisis Management: coverage for forensics experts to determine the cause of the breach, notification of individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities.
Media Liability: coverage for liability (defense and indemnity) for claims alleging invasion of privacy, libel, slander, defamation, infringement of IP rights (not patents), and other web-based acts (e.g. improper deep-linking).

THE TYPES OF RISK COVERED (continued)
Network Interruption and Extra Expense (and CBI, contingent business interruption): covers lost business income and extra expense caused by malicious code, DDoS attacks, unauthorised access to or theft of information, and other security threats to networks (e.g. a website goes down and orders cannot be taken).
Information Asset Coverage: coverage for damage to or theft of the insured’s own systems and hardware; may also cover the cost of restoring or recreating stolen or corrupted data.
Extortion: coverage for losses resulting from extortion (payment of an extortionist’s demand to prevent a network loss or the carrying out of a threat).
Emerging market for first-party property damage coverage.
Emerging market for third-party bodily injury and property damage coverage.

THE TYPES OF RISK COVERED: A TARGET INCIDENT
Defense and indemnity for claims
Regulatory defense, fines and penalties
Crisis management

CAN WE NOT SIMPLY RELY ON THE COVERAGE PROVIDED BY EXISTING POLICIES?
POTENTIAL COVERAGE
Directors’ and Officers’ (D&O)
Errors and Omissions (E&O)/Professional Liability
Employment Practices Liability (EPL)
Fiduciary Liability
Crime: Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
Property?
Commercial General Liability (CGL)?

POTENTIAL COVERAGE: CGL Coverage B
Coverage B provides coverage for damages because of “personal and advertising injury”.
“Personal and advertising injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”.
What is a “person’s right of privacy”?
What is a “publication”?

LIMITATIONS OF “LEGACY” POLICIES

LIMITATIONS OF “LEGACY” POLICIES: SONY

STATE OF THE UK CYBER INSURANCE MARKET

THE CHANGING “TRADITIONAL CYBER” MARKET
Recognition of the need for a specialist market
First cyber policy: AIG, 1997
Emergence of Lloyd’s syndicates in the 2000s
Growth since 2008: 36 insurers writing US-domiciled business; 18 insurers/MGAs writing UK-domiciled business
More joining, but questions over capability
Move from a policy to a service proposition. But why? Attritional loss concern.

WHAT ARE UK COMPANIES CURRENTLY PURCHASING?
Data owners: retail, financial institutions
Network-dependent businesses: hospitality, retail
Those able to financially quantify a loss
“Toe in the water” v catastrophic cover
Confusion about what to buy: security/privacy, breach, cyber business interruption

QUESTIONS FROM INSUREDS THINKING OF TAKING OUT CYBER COVER: COMMON QUESTIONS
What disclosures are required in terms of IT and network security?
As such a new market, you cannot have had any claims?
Do the policies vary much in terms of coverage?
To what extent can we amend the policy wordings?
How much limit is available? / What limit should we purchase?

WHAT HAPPENS IN THE EVENT OF A CLAIM OR INVESTIGATION WHICH IMPACTS THE POLICY?

THE IMPORTANCE OF PROMPT NOTICE
Notification to insurers may seem a “low agenda” item in the event of a data breach or cyber attack, BUT most cyber policies impose time restrictions on the notification of claims or events to insurers.
These can vary from a specified time limit to “immediately” or “as soon as practicable”.
Compliance with notice provisions is essential to avoid potential denials of cover.

THE IMPORTANCE OF PROMPT NOTICE (continued)
Many cyber policies provide for notification of potential claims or circumstances.
This can prove beneficial to the insured, as it operates as an extension of cover and also avoids potential gaps in cover at renewal.
Crystal ball gazing: the test is a real risk of a claim or loss (not remote or fanciful).
Particular issues in the cyber context: discovery, awareness and communication.

CLAIMS CO-OPERATION
Cyber policies typically impose an express obligation on the insured not to (without the prior consent of the insurer):
incur defence costs;
settle any claim;
make any admissions of liability.
Another reason prompt notification is essential.
Many policies also impose an express duty to mitigate, which reinforces the need for a pro-active approach to cyber risk.

CONDUCT AND DEFENCE OF CLAIMS
Cyber policies typically provide for the insured to conduct, and to co-operate with the insurer in, the defence and management of any claim, investigation or event.
BUT many policies are silent as to the choice of law firm, or provide for the insurer’s own panel firms.
Consider reserving the right to appoint your own choice of firm, or agreeing suitable firms up front.
Selection of lawyers is an important issue in the cyber context: most claims require specialist legal counsel with particular experience in this area.

TAKE-AWAYS
More traditional policies are unlikely to provide sufficient cover for cyber risks.
Consider the need for specific cyber insurance.
Adopt a pro-active approach
both to mitigating risk and to assessing the adequacy of cover.
Identify suitable legal counsel at an early stage.
Avoid delays in notification, which can jeopardise insurance cover.

ANY QUESTIONS?