2014 Ironshore Crisis Management MASTER

Crisis Management Assistance
Crisis Management
Presented by
Jack Cloonan
Failing to Plan
is
Planning to Fail
IRONSHORE CRISIS
MANAGEMENT SEMINAR:
Facility Explosion
BREAKING NEWS
PANEL DISCUSSION
Stratton Horres – Panel Moderator
Christopher Kelly – Property: The Minute After
Dawn Krigstin – How to Handle An Environmental Crisis
Peter Duda – Managing Communication
Property:
The Minute After
Christopher Kelly, Vice President
Property Claims
Ironshore
PROPERTY:
THE MINUTE AFTER
Who
What
Where
Why
When
How?
© 2013 Wilson Elser. All rights reserved.
WHO:
• Do You Call?
– Employees - Facilities, Site Manager, Other sites, Accounting(?)
– Contractors - Demolition/Clean up, Construction, Engineer
– Broker, Insurer, Adjuster
– Local Authorities - FD, PD, Bldg. Dept.
• Is Project Lead?
– Risk Manager, Plant Manager, Facilities Dept., Other?
• Does the Claim Belong To?
– The Insured
WHAT:
• Is Damaged?
– Building, Premises, Property of Others, Equipment, Stock,
Operations
• Is Our Goal?
– Repair/Replace? “As Was” or Modified?
– Abandon/Exit?
• Resources are Needed?
– To keep business operating
– To satisfy authorities
– For Insurance Claim – inventory, asset register, workflows,
leases/contracts, involved parties.
WHERE:
• Are the resources?
• Can/Should Operations Resume?
WHY:
• To Satisfy Business Need?
• To Satisfy Authorities? Local, State, Federal
• To Satisfy Community?
• To Satisfy Insurance Company(ies)?
WHEN:
• Sequence of Actions?
• Five Minutes or More – ago.
HOW:
• Planning
– Pre Loss: Business Continuity Plan (BCP)
– Post Loss: Exercise/Adapt Plan
• Listening – To In-House Personnel, To Authorities, To
Adjustment Team, To Your Gut
• Communication – Cliché, but Key
ADJUSTMENT PROCESS
• Insurer Adjustment Team
– Adjuster
• Accountant
• Salvor
• Engineer
• Building Consultant
• Attorneys
– Subrogation
– Coverage
ADJUSTMENT PROCESS
• Reduce Loss – (NOT Coverage Oriented)
– Salvor
– Subrogation Counsel/Cause & Origin
• Evaluate Claim
– Adjuster
– Accountant
– Engineer
– Building consultant
– Coverage Counsel
• Evaluate Coverage
– Adjuster
– Coverage Counsel
ADJUSTMENT TEAM
VALUE ADD
• Assist Insured In Making Informed Decisions
• May Have Worthwhile Suggestions
• May Be Able to Refer Resources
• May Be Able to Interface With Authorities/Contractors
• Prompt Issuance of Payments (Partial/Final)
HARD FACTS
• It is the Insured’s Property, Business, Claim
• Adjustment Team Can Be Resource, But Does Not
“Authorize”
• Not All Business Decisions are Insured
KEYS TO SUCCESS
• PRE-LOSS
– Have A Plan
– Identify Resources
– Relationships
• POST LOSS
– Open Communication
• Documentation
• Verbal
• Relationships
OPPORTUNITIES
• Potential Positive Impacts
– Employees
– Customers
– Community
– Operations
How to Handle An
Environmental Crisis
Dawn Krigstin, Vice President
Ironshore Environmental Claims
ENVIRONMENTAL CLAIMS
SOURCES OF ENVIRONMENTAL CLAIMS
• The discovery of persistent contaminants in soil or groundwater;
• The accidental or sudden release of contaminants that persist in
soil, groundwater, the atmosphere or structures; or
• An individual’s long-term or acute exposure to contaminants that
may leave lasting injuries.
CHARACTERISTICS OF AN ENVIRONMENTAL CLAIM
• Influence of regulatory agencies on claim resolution
• Uncertainty as to cause of damage or injury
• Disputable effectiveness of any particular cleanup strategy
• Immediate response/action is usually required
WHICH COMPANIES HAVE ENVIRONMENTAL EXPOSURES?
ENVIRONMENTAL CLAIMS
– All claims are fact specific and fact intensive
– Environmental claims are complicated
– Many parties are usually involved
- Regulatory agencies
- Claimants
- Insureds
- Brokers
- Multiple potentially responsible parties with various contributions
to the loss
- Multiple carriers (based on policy years, coverages)
– To complicate matters, it is often difficult to determine the cause of
an environmental claim as well as the effectiveness of a particular
cleanup strategy.
IDENTIFY PLAYERS
• Which carriers?
– Professional liability
– Property
– Environmental
– Tank Policies
• Which Parties?
– Maintenance issue?
– Suppliers (defective product?)
• Contact Information?
– Broker
– Carrier
– Crisis hotlines
– Insured
– Claims Managers
MANAGING
EXPECTATIONS
TEAM = Insured & Adjuster & Broker
• What is the process?
• What is expected?
• Contractors? Consultants? Expectations and strategies can be
established early
• Identify additional information needed and determine who is best to
provide
• Makes process more personable, sets tone
• Dilutes contentiousness or distrust
• Allows for informal discussion about application of policy terms
• Broker can help better explain policy and process to the insured
• Team can focus on resolution, fair compensation or satisfaction of the
applicable regulatory requirements
CONSIDERATIONS
(AKA: DAMAGE CONTROL)
• Attorneys
• Statements
• Pictures
• Accident Recreationists
• “Boots-on-Ground” Adjusters
• Environmental Consultants
• Air Quality Monitoring/Tracking
• Public Relations
NEED PR?
YES!
PREPARE!!!
• Pre-crisis planning
– Press releases with fill-in-the-blanks
– Meet your claims team
– Build relationships with local fire
stations/attorneys/etc.
– Have contract in place with ER companies
• Terms and rates can be addressed when cooler
heads prevail.
– Know who to call
– Manage internal processes
– Ask questions to help understand the post-claim stages,
timelines and strategies
Managing Communication
is Critical
Peter K. Duda - Communications Specialist
Executive Vice President and
co-head of the global crisis
and issues practice
Weber Shandwick
• Crisis requires prompt, incremental response
• With social media, transparency and speed are even more paramount
• Pre-define (or quickly define) roles and responsibilities of employees and advisors
Local issues can quickly become national news
West Fertilizer Company Explosion, West, Texas (2013)
Freedom Industries Chemical Spill, Charleston, West Virginia (2014)
ExxonMobil Pegasus Pipeline Release, Mayflower, Arkansas (2013)
ConEd Gas Explosion, New York, New York (2014)
• Catastrophic business impact
• Loss of enterprise value
• Government investigations
• Civil and criminal litigation
• Media attention
• Long-term community impact, distrust
COMMUNICATIONS RESPONSE:
How Not to Do It
COMMUNICATIONS RESPONSE:
Respond Rapidly When the Crisis Strikes
• Prompt, incremental response
• Rapid engagement of a pre-prepared crisis communications plan
• Instant activation of 24/7 crisis management war room with team members from key
practices: operations, management, legal, communications, sales and influencer experts
• Pre-define (or quickly define) roles and responsibilities of employees and advisors
• Rapid response through digital and traditional media
• Activate necessary dark sites/pages; remove content when necessary/appropriate
• Pre-and-post SEO, including optimizing keyword search, promoted tweets and ads
• Close coordination with authorities
• Round-the-clock monitoring
• Establish secure flow of information, leak-proof security protocols
• Clear mechanisms for notifications and alerts
• Ongoing media coverage reports, social media impact analysis
• Consistent messaging across all documents
RECOVERY:
Restoring the Company’s Reputation
• Post-crisis analysis to help determine best practices moving forward
• Ongoing social media monitoring to maintain an ear to the ground
for potential issue spotting
• Use social media to continue outreach with key opinion leaders
• Keep internal community informed – let them know how they helped
drive the process
• Communicate the post-crisis corporate story and plan for operational
success and brand recovery by leveraging strong media relations
Kristin McMahon
James Gannon
Rhonda Barnat
Frank Milliken
Ricki E. Roer - Moderator
IRONSHORE CRISIS
MANAGEMENT SEMINAR:
Employer Liability for Workplace Violence
Employee Misconduct
• Foradori v. Harris, 523 F.3d 477, 481-482 (5th Cir. 2008)
Michael Foradori, a customer at a restaurant, was confronted by Al Cannon,
an older teenage restaurant employee, who was off-duty but dressed in his
restaurant uniform. Cannon was angry because he thought Foradori had
been hitting on his girlfriend. The manager on duty witnessed the beginning
of the altercation and ordered both to go outside, but did nothing else to
defuse the escalating confrontation.
In the restaurant parking lot, Cannon continued to verbally challenge
Foradori. At this point, another restaurant employee, Garious Harris, a
football player over six feet tall and weighing nearly 250 pounds, sprinted
toward Foradori from behind and struck him with his fist in the back of his
neck. Harris was running at full speed when he delivered the blow,
described as a “hard punch” with a “balled-up fist.” Foradori was knocked
unconscious, causing him to fall head first to the concrete surface below.
Foradori suffered a broken neck and severed spine and was diagnosed with
permanent quadriplegia.
Question:
What liability does the Restaurant have over the off-duty conduct of
its employees?
Was the manager’s instruction to take the altercation outside
sufficient to sever liability?
What premise liability does the restaurant have?
Answer:
The jury found that the restaurant operator's negligent failures
to regulate, train, supervise, and control its off-duty employees
on its premises were proximate causes of Foradori’s injuries.
The jury returned a verdict in favor of Foradori, awarding him
approximately $10 million for past, present, and future physical
pain and suffering, mental anguish, and the loss of enjoyment
in life. This figure consisted of $1,581,884.41 for reasonable
and necessary medical expenses already incurred; $8 million
for the present value of the reasonable and necessary medical
expenses reasonably likely to be incurred in the future; and
$1,300,000 for the present value of loss of future earnings or
earning capacity resulting from his disability.
Employee Misconduct
• Doe v. Saint Francis Hosp. and Medical Center 309 Conn. 146-150,
934 (Conn.Super. July 16, 2013)
Beginning in 1964, and continuing for decades, George E. Reardon, a
physician, purported to conduct a “child growth study” on the premises of
his employer, Saint Francis Hospital and Medical Center (“the Hospital”).
The Hospital had hired Dr. Reardon in 1964 as a physician specializing in
endocrinology. Immediately upon assuming that position, Dr. Reardon
began conducting a child growth study out of his office on the Hospital's
fourth floor. The study was approved by the Hospital's research committee
and was funded by the Saint Francis Hospital Association. The ostensible
purpose of the study was to measure the growth rates of normal children to
assist in the treatment of children with abnormally low rates of growth. In
fact, Dr. Reardon was a pedophile who used the so-called study as a ruse
to sexually exploit hundreds of unsuspecting children. Tim Doe was one of
those children.
Doe sues the Hospital alleging:
1) that the Hospital had negligently failed to supervise Dr. Reardon's
activities in connection with the study, and
2) that the Hospital had breached the special duty of care that it owes
to children in its custody.
Question:
What liability does the Hospital have over Dr. Reardon’s conduct?
Answer:
Following a trial, the jury found for the plaintiff on both claims and
awarded plaintiff $2,750,000.
Employee Misconduct
• Ten Broeck Dupont, Inc. v. Brooks, 283 S.W.3d 705 (Ky. 2009)
Ten Broeck is a psychiatric hospital located in Louisville, Kentucky where
Artemecia Brooks was voluntarily admitted as an in-patient. Prior to Brooks’
admission to Ten Broeck, a local police detective received information from
an employee that a sexual predator was employed at the facility. This
information was received during an investigation of a patient-on-patient
rape. The police officer informed Ten Broeck's Human Resources Director
that he had received a tip that an employee had lured and sexually attacked
patients, and the police detective provided the Human Resources Director
with a description of the individual. The Human Resources Director did not
believe that any employees fit the description and did not conduct an
investigation. During Brooks’ hospitalization, an orderly named Feotis
Gilbert forced Brooks to have sexual intercourse. The police detective’s
description of the sexual predator matched many of Gilbert’s characteristics.
Question:
What liability does the Hospital have over Gilbert’s conduct?
What duty did Ten Broeck have:
1) to protect its patients from criminal misconduct of employees, and
2) to investigate the tip Human Resources received from the police
detective?
Answer:
Following a trial, the jury found for the plaintiff and awarded
$161,000 for pain and suffering, $130,000 for future pain and
suffering, and $1,800,000 in punitive damages based on Ten
Broeck’s failure to undertake any investigation.
Premise Liability
• McBeth v TNS Mills, Inc., 458 SE2d 52 (SC App 1995)
Alice McBeth worked the evening shift at TNS Mills. At the end of her shift,
McBeth walked to her car in the fenced-in company parking lot and
encountered Juanita McCravy. McCravy was not a TNS Mills employee and
her presence in the employee parking lot was unauthorized. McCravy was
the girlfriend of another TNS Mills employee, Craig Miller; McCravy was
prohibited by TNS Mills from being anywhere on the premises due to prior
incidents of domestic disturbances between McCravy and Miller which had
occurred at the worksite.
McCravy confronted McBeth about McBeth's relationship with Miller and,
when McBeth admitted that the two had a romantic relationship, McCravy
hit and stabbed her. McBeth died of her wounds.
Question:
Did TNS Mills owe McBeth a duty to provide adequate security
measures in the company parking lot from third party criminal acts?
Did TNS Mills have a duty to protect McBeth from McCravy
specifically, due to the company’s knowledge of her prior aggressive
behavior towards TNS Mills employees?
Answer:
The court held that there is a duty to anticipate and guard others
from the criminal acts of third parties if a special relationship such as
employer-employee exists between the parties. An employer can be
held liable if it knows or should have known that the criminal acts of
third parties could cause harm to employees, and it failed to
reasonably protect employees.
Premise Liability
• Aidroos v. Vance Uniformed Protection Services, Inc. 386 Ill.App.3d
167 (Ill.App. 1 Dist. 2008)
Willie Baker was terminated for theft by his former employer, Navistar
International Transportation Corp. Pursuant to company policy, Baker was
no longer allowed to be on company premises because he was a
terminated employee. Prior to his termination, Baker had never exhibited
any violent proclivities.
At about 9:45 a.m. one morning, Baker parked in Navistar's visitors' parking
lot and entered an unlocked door of a gate guardhouse station, carrying
weapons concealed in a golf bag. Although the buildings were supposed to
be locked, Baker was able to open the door and enter one of the buildings.
Inside, Baker randomly shot building occupants, killing four and wounding
others before killing himself.
Question:
What was Navistar’s duty in securing the premises against third
party criminal acts?
Can the families of the employee victims sue Navistar based on a
theory of negligent maintenance of the workplace?
Answer:
The Court granted summary judgment in favor of the employer
because the Court found that there was no duty to protect
employees from criminal acts of third parties. A critical element of
the Court’s analysis focused on whether the criminal acts of third
parties are “foreseeable,” and in this case, where the former
employee had no history of violence, there was no duty to protect
employees from Baker’s unanticipated criminal activity. The Court
noted that there is a duty to protect employees, when an employee
is in imminent danger and this is known to the employer.
Co-Worker Violence
• Medlen v. Estate of Meyers, 476 F.Supp.2d 797, 799-809 (N.D.Ohio 2007)
One day, a disgruntled employee, Myles Meyers, entered the
DaimlerChrysler Toledo North Assembly Plant with a concealed shotgun,
which he used to kill and wound several coworkers in a mass shooting.
Meyers had worked at DaimlerChrysler for twenty-two years. His
disciplinary record included written warnings for attendance violations and
discipline for not ringing in his own time card. That record showed no
instances of violence in the workplace. The record did indicate, however,
that Meyers had had temperamental “outbursts” and on occasion been “out
of control.” The record also indicated that prior to the shootings Meyers
stated he was “going to get” the coworkers that he later shot.
Question:
What liability does the Plant have over Meyers’ conduct?
What duty did the Plant have:
1) to protect its employees from criminal misconduct of other
employees, and
2) to protect the employees that Meyers specifically threatened?
Does Workers’ Compensation preclude recovery by the injured
employees (or their estates)?
Answer:
In Ohio, as in the majority of states, an employer who negligently injures an
employee in the workplace cannot be sued by the employee for such
negligence where Workers’ Compensation insurance provides recovery.
The statute immunizes employers from negligence claims arising from
workplace injuries where the injured employee receives workers’
compensation benefits.
However, an injured employee can circumvent the exclusivity of Workers’
Compensation by establishing that the injury did not occur within the scope
of employment and that 1) the employer knew about the dangerous
“process, procedure, instrumentality or condition” in the workplace; 2) the
employer knew and was “substantially certain” that, if subjected to this
danger in the workplace, the employee would be harmed; and 3) with the
aforesaid knowledge and certainty, the employer required the employee to
remain in the dangerous situation.
In this case, although the Court found that the Plant knew Meyers
had a history of verbal outbursts, there were insufficient indications
that Meyers would act violently toward his co-workers so as to
impute the requisite knowledge about the risk of harm he posed to
his coworkers.
Based on this finding, the victims’ estates were precluded from
pursuing negligence claims against the Plant, and were restricted to
proceeding under Workers’ Compensation insurance for recovery.
Co-Worker Violence
• Colas v. Watermain, 295 A.D.2d 775, 776-777 (3d Dept. 2002)
Alisha Bermudez was employed as a secretary and had been
romantically involved with a coworker, Robert Giles. One day Giles,
who was not scheduled to work that day, appeared at the
employer's workplace and spoke briefly with Bermudez before
holding her hostage and, ultimately, killing her.
Bermudez’s mother subsequently filed an amended claim for
workers' compensation death benefits on behalf of Bermudez’s
three minor children.
Question:
Can Bermudez’s Estate successfully claim workers’ compensation
benefits?
If Workers' Compensation benefits are not available, can the Estate
seek damages from the Employer on alternate theories of liability?
Answer:
In general, workers' compensation benefits apply to workplace
injuries that arise out of the course of employment. Because
Bermudez’s death resulted from a personal relationship conducted
exclusively outside of work with an individual who coincidentally was
a coworker, her estate was denied death benefits under the
Workers' Compensation laws because her death did not arise out of
the course of her employment. When Workers' Compensation does
not apply, employees may seek to establish liability under “common
law” theories of negligence.
Crisis Management Assistance
Terrorism
Presented by
Jack Cloonan
The Scenario
Terrorists attack a
shopping mall
Two groups of terrorists storm
shopping centre. Shoppers flee
in panic or hide in shops and
store rooms
Hundreds of
shoppers and
workers escape, but
others are left
trapped
Security forces arrive 30
minutes later. A fire fight
starts
Fighters are cornered in
shopping centre supermarket
overnight
Army and Special forces launch assault.
15 Terrorists and between 10 and 15
hostages
Batasang Pambansa Bombing
Remembrance Day Bombing
LO AIRPORT MASSACRE
Riyadh Compound bombing
2007 Ankara Bombing
2002 Bali Bombings
2007 Tourist Attack Yemen
2003 Red Square Bombing
April 2005 Cairo Attack
2013 Woolwich attack
2004 Al Khobar Massacre
1995 Paris Metro Bombing
Oklahoma city bombing
Muna Hotel Attack
2008 Danish embassy Bombing
1998 OMAGH BOMBING
1991 Vic Bombing Spain
1973 PAN AM FLIGHT 110
1993 World Trade Centre Attack
Impact of Terrorism
• Damage to Property
• Loss of Life
• Business Interruption
• Duty of Care
• Law Suits
Case Studies of Civil Liability of the
Land Owner and Security Provider for
a Mass Shooting Incident
Aurora
• Traynom v. Cinemark USA Inc., 2013 U.S. Dist. LEXIS 54981
(USDC-Col. 2013)
• Colorado Premise Security Act pre-empts Common Law Tort
principles
• The injured and deceased plaintiffs are found to be “Invitees” as
defined by the statute
• Landowner must use reasonable care to protect patrons against
only those dangers of which the landowner actually knew or which
the landowner should have known
Aurora (Continued)
• Defendants Motion to Dismiss on the Pleadings granted, but the
Judge says it’s a “close call”
• Factors in favor of Dismissal on the Pleadings:
– the unforeseeability of the danger of a person such as James Holmes
committing a mass killing
• Factors against Dismissal on the Pleadings:
– Some prior incidents of violence at the subject location
– The back door used by Holmes was propped open and went undetected
– Security did not stop the film or turn on the lights
– Delays cited in calling the police
– The size of the exits and the need for people to leave quickly in an
emergency
Columbine
• Castaldo v. Stone, 192 F.Supp.2d 1124 (USDC-Col.
2001)
• Suit brought against sheriff, school district, and individual
teachers and supervisors
• Claims of fault were not about the subject event
• Claims of fault concerned multiple previous events,
which plaintiffs allege put sheriff and schools on notice
Columbine (Continued)
• The Court Grants Motion on Pleadings to Dismiss
• Factors against Dismissal:
– School and sheriffs knew of many prior acts of vandalism and
threats by Harris and Klebold
– School aware of violent videos and written homework
submission produced by shooter
– School aware of specific violent threats to school by shooters on
web postings
– “In loco parentis” status of the school
Columbine (Continued)
• Factors in Favor of Dismissal:
– Qualified governmental immunity
– No deliberate indifference
– No proximate causation under Colorado Law despite
awareness by the school defendants of warning signs
of potential violent behavior
– Harris and Klebold were the sole proximate cause
Premise Where Mass Violence
is Foreseeable
• Seron v. Malagaliati 1998 Mass. Sup. LEXIS 46
• Abortion clinic in Massachusetts
• Shooter kills one and injures another
• Injured security guard sues land owner
• Motion for Summary Judgment denied
– This is the type of facility where the potential for armed violence
is foreseeable
– Question of Fact as to the adequacy of security despite presence
of an unarmed guard
Contracts and Post Orders
Key Issues to Avoid in Security Industry Contracts and Post
Orders
• “warranty of service”
• “third-party beneficiary status”
• “guarantor of safety”
• “crime prevention”
• “security consultant”
No Warranty of Service
• Land owners use market forces to attempt transfer
liability to security providers
• Litigation typically includes cross claims or
third party claims against security service providers
• Claims are framed in terms of a guaranteed result
• NEVER WARRANTY A RESULT
Third Party Beneficiaries
• New York and Majority Rule is:
– Third parties, such as tenants or patrons, cannot
bring their own action against a security provider
unless the contract expressly provides for such a
benefit
– Bernal v. Pinkerton’s Inc., 52 A.D.2d 760, 382
N.Y.S.2d 769 (1st Dept. 1976)
Insurance and Risk Transfer
• Landowners also use market forces to transfer risk to the
security service provider
• Majority and New York rule is that an entity cannot be
forced to indemnify another for that other entity’s sole
negligence
• This can be modified to the extent that the landowner
requires to be named as an additional insured on the
security service provider’s policy
• Indemnity provisions must be unequivocal
Data Privacy Risk
April 09, 2014
Panelists
Kurtis E. Suhs
Vice President
Ironshore, Professional Risk
Kurtis.Suhs@Ironshore.com
(404) 845-7549
Jane Devron
Executive Vice President
Reputation Partners, LLC
Jane@ReputationPartners.com
(312) 222-9886
Daniel Hecht,
Assistant Vice President
Ironshore, Claims
Daniel.Hecht@Ironshore.com
(646) 826-4869
Melissa K. Ventrone
Attorney at Law
Wilson Elser Moskowitz Edelman & Dicker, LLP
Melissa.Ventrone@WilsonElser.com
(312) 821-6105
Question
If you could only do one thing in preparation
for a breach, what would it be?
Who are the victims?
• 37% of breaches affected financial organizations (+)
• 24% of breaches occurred in retail environments and
restaurants (-)
• 20% of network intrusions involved manufacturing,
transportation, and utilities (+)
• 20% of network intrusions hit information and
professional services firms (+)
• 38% of breaches impacted larger organizations (+)
• 27 different countries are represented
– A plus (+) sign indicates either a 10% or greater increase from
the previous year’s report
– A minus (-) sign indicates a 10% or greater decrease from the
previous year’s report
Source: Verizon 2013 Data Breach Investigations Report
Causes of Data Breaches
• Advanced Persistent Threats
– Internet Malware Infections
• Drive by downloads
• Email attachments
• File sharing
• Pirated software
• Spear Phishing
• DNS & Routing Mods
– Physical Malware Infections
• Infected USB memory sticks
• Infected CDs and DVDs
• Infected memory cards
• Infected applications
• Backdoored IT equipment
Causes of Data Breaches
• Advanced Persistent Threats
– External Exploitation
• Professional Hacking
• Mass vulnerability exploits
• Co-location Host Exploitation
• Cloud Provider Host Exploitation
• Supply Chain Partner Exploitation
• Rogue Wi-Fi penetration
• Human Error
Enterprise PrivaProtector 9.0 Coverage
Third Party Coverage
• Side A Excess D&O Liability Coverage
• Network Security Liability Coverage
• Privacy Liability Coverage
• Privacy Breach Expenses Coverage
• Regulatory Proceeding Coverage
• Internet Media Liability Coverage
First Party Coverage
• Digital Asset Loss Coverage
• Business Interruption Loss and Dependent Business Interruption Income
Loss Coverage
• Network Extortion Threat and Reward Payments Coverage
Highly Protected Information (HPI)
Enhancement
Benefits
• On-Call Chief Security Officer with 1 hour free telephone
consultation
• Data Breach Coach with 1 hour free telephone consultation
• Privacy Breach Expenses in addition to Policy Aggregate
• Notification for up to 10 million affected customers
• Access to Ironshore e-Risk Hub loss portal
https://www.eriskhub.com/ironshore.php
• Ability to qualify for the risk mitigation credit and achieve HPI
designation to reduce premium and/or Privacy Breach
Response SIR
Reputation: What’s at Stake?
• The Target Data Breach Is Becoming A Nightmare – 1/17/14
• 2 million Facebook, Gmail and Twitter passwords stolen in massive hack – 12/4/13
• Advocate Health Care sued following massive data breach – 9/6/13
• Facebook admits year-long data breach exposed 6 million users – 6/21/13
• Florida Hospital facing class-action suit for data breaches – 4/16/13
• Michaels Stores Sued After Reporting Possible Data Breach – 1/27/14
Data Breach:
Mitigating Reputational Risk
Response (after a breach):
• Urgency – Don’t sit on it; Notify thoughtfully but quickly
• Don’t Under-React -- Resist the desire to soften the blow or
underestimate the scope of the breach; Will come back to bite you
• Transparency – Acknowledge what you know, how you expect
people to be impacted and specifically how you plan to remedy
• Empathy – Prepare for a range of reactions (anger, fear,
frustration); Assuage fears and offer support (credit monitoring and
resolution services, etc.)
Data Breach:
Mitigating Reputational Risk
Planning (before a breach):
• Develop a Plan – Messages/materials drafted,
spokespeople identified and trained, dark site developed,
roles/responsibilities defined
• Invest in Reputation – Build trust and a bank of
goodwill
Questions