PRIVACY RISK MANAGEMENT AND INSURANCE
Or September 2012

"CYBER" INSURANCE TIMELINE
(Timeline figure, 1996 to 2010, with three parallel tracks; the event sequence on each track is preserved below, the exact year positions are not.)
- Insurance History: Cyber Insurance Introduced; Notice Costs Covered; Broad Privacy Ins.; Vendor Coverage; Corp Confidential Info; PCI Fines & Penalties; Reg. Fines & Penalties
- Regulatory/Industry History: HIPAA (1996); GLB; SB1386; PCI; HITECH
- Claims/Losses History: CardSystems; TJX; Heartland

NETWORK SECURITY / DATA RISK
What data do you collect?
- Personally Identifiable Info. (PII)
- Protected Health Info. (PHI)
- Credit Card Numbers
Where is it? How well is it protected? How long do you keep it?
What is a breach?
- Unauthorized disclosure
- Unauthorized acquisition
- Data compromised

WHAT IS DIFFERENT TODAY?
Familiar mediums
- SQL injection; man-in-the-middle; spear phishing; malware & spyware; denial of service attacks; web site defacing
New culprits
- Loosely formed groups of people who are very good at hacking and work together to do so (e.g., Anonymous, LulzSec)
- State actors (China, Iran)
New information targeted
- Corporate data and trade secrets; inside information; embarrassing information; corporate weaknesses
New victims
- Data security consultants
- Utilities / infrastructure
- Government contractors
New motives
- Political, ideological, personal, war/terrorism, revenge
- "Hacktivism"

CAUSE OF A DATA BREACH
(Chart; source © Kroll 2010. Chart data not recoverable from this page.)

ORGANIZATIONAL PRIVACY RISKS
Customer/Personal Data
- Credit card
- Medical
- SSNs/Gov't IDs
- Student transcripts
- HR/Payroll
- Loyalty programs
- Motor vehicle
- Insurance claims
- Financial transactions
- Financial records
- Contracts
Corporate Data
- Customer lists
- Price lists
- Bid data
- Confidential 3rd party information (NDA)
- eDiscovery / litigation
- Merger/Acquisition targets / plans
- Financial records
- Marketing / advertising plans
- Contracts
- New product development plans / release dates
- Security policy and assessments
- Network architecture
- Emergency response / Disaster recovery plans
- Restructuring / RIF plans
- Reporters' notes
- Reporters' confidential sources
- Scripts and other content in draft or development
- Critical Infrastructure Assurance data
- Patent applications

WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII)?
Generally defined as including any combination of the following: name; address; telephone number; electronic mail address; fingerprints; photographs or computerized images; a password; an official state or government-issued driver's license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; date of birth; medical information; financial information; tax information; and disability information.

COST OF A DATA BREACH
Cost per record: $214 (2010), up $10 from 2009, split into $73.00 direct and $141.00 indirect costs (© Ponemon Institute 2011).
DIRECT COSTS ($73.00 per record)
- Notification
- Call Center
- Identity Monitoring (credit/non-credit)
- Identity Restoration
- Discovery / Data Forensics
- Loss of Employee Productivity
INDIRECT COSTS ($141.00 per record)
- Restitution
- Additional Security and Audit Requirements
- Lawsuits
- Regulatory Fines
- Loss of Consumer Confidence
- Loss of Funding

NOTIFICATION LAWS
It all started in California. California led the way (Civil Code Section 1798.81.5(b)):
"A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."
46 other states have data security laws:
- Most mandate "reasonable" data security measures and proper data disposal
- Others are more specific:
  - Connecticut, Michigan, New Mexico, Texas (SSN policies)
  - Nevada (encryption for external electronic communications)
  - Minnesota (Minn. Stat. 365E.64: card magnetic stripe data)
  - Massachusetts regulations

PRIVACY RISK MANAGEMENT
Ask your Privacy/IT professionals:
- Incident Response Plan (tested?)
- Vendor Contracts / Insurance Requirements
- Privacy Risk Assessment (sources, vulnerabilities, processes, perils)
Check existing insurance:
- Gap Analysis (GL, Prop, E&O, Crime, K&R)
- New coverage terms must integrate with Response Plans and with Traditional Policies

VENDOR CONTRACTUAL REQUIREMENTS
IT/Software Companies
- Request Tech E&O, plus Privacy/Network Coverage
- Some Tech E&O policies have security/privacy exclusions
- A breach could occur without a "wrongful act" being committed
Business Services (Payroll, Auditors, Counsel)
- Request appropriate E&O coverage
- Request Privacy/Network coverage
Credit Card Processors/Acquiring Banks
- Request Privacy/Network Coverage (gaps in Bond or Professional Liability coverage)
Other vendors that transport, touch, or interact with your systems or sensitive information
- Request Privacy/Network coverage

TRADITIONAL INSURANCE GAPS
- Theft or disclosure of third party information (GL)
- Security and privacy: "Intentional Act" exclusions (GL)
- Data is not "tangible property" (GL, Prop, Crime)
- Bodily Injury & Property Damage triggers (GL)
- Value of data if corrupted, destroyed, or disclosed (Prop, GL)
- Contingent risks (from external hosting, etc.)
- Commercial Crime policies require intent and only cover money, securities and tangible property
- Territorial restrictions
- Sublimit or long waiting period applicable to any virus coverage available (Prop)

PRIVACY & NETWORK COVERAGES
Liability Coverage
- Privacy Liability
- Network Security Liability
- Media, IP and Content Liability
- Technology Services Liability (if required)
Direct (Loss Mitigation) Coverage
- Data Breach Expenses: public relations expenses, consumer notification and credit monitoring service costs (sub-limit)
- Forensics/Investigations
Direct (First Party) Coverage
- Revenue Loss
- Data Reconstruction
- Extortion Costs

BEST PRACTICES
- Maintain a Risk Transfer Instrument
- Have a proper Background Screening Program for new hires and vendors
- Pre-arrange a Breach Service Provider, Outside Counsel and Reputational Risk Advisor, all specializing in Privacy Law and Breach Crisis Management
- Provide "Certification" through e-Learning to the employee base on safeguarding data (the #1 preventative initiative being adopted by CISOs and CPOs in 2010, as per the Ponemon 2011 Study)
- Develop an Incident Response Plan (required on several federal and state fronts: HITECH, MA201, et al.) covering Internal Staff, Outside Counsel, Reputational Risk Advisor and Breach Service Provider
- Conduct annual Risk Assessments and Tabletop Exercises
- Hold an internal "Privacy Summit" to identify vulnerabilities, with Risk, Compliance and Privacy, HR, Legal, IT, C-level representation (CFO), and Physical Security / Facilities: "Technology, Processes and People"
- Keep General Counsel's office current on state disclosure laws, federal regulations, foreign requirements and updates

MANAGING A DATA BREACH
What information was involved?
- Personally Identifiable Info. (PII)
- Protected Health Info. (PHI)
- Credit Card Numbers
Was the information computerized, and on what type of media?
Was the information encrypted?
Is there a "reasonable" belief that personal information was accessed or acquired by an unauthorized person?

POSSIBLE STAKEHOLDERS
- Affected individuals
- Board of Directors / Senior Management
- Law Enforcement
- State and Federal Regulators
- Financial Markets
- Payment Card Issuers
- Employees
- Shareholders
- Auditors
- The General Public

CONSEQUENCES OF A DATA BREACH
- Forensic Investigations
- Notification: $1/individual
- Credit monitoring costs: $15-$50+ per individual
- Call Centers, Fraud Alerts, Database Scanning, Restoration Services
- Civil penalties and fines
- Class Action suits
- Legal defense costs: civil, regulatory and possibly criminal defense; Data Privacy counsel can cost $700 per hour, and a major data breach will cost millions in legal costs
- Business Interruption Costs / Data Damage?

FOR MORE INFORMATION
Contact: Karl Pedersen
FINEX North America
Privacy, Network Security, Media & Intellectual Property National Team
(213) 550 9806
karl.pedersen@willis.com