Cyber/Privacy Insurance
Information Exposures
• Credit Card Information
• Personally Identifiable Information
– Social Security Numbers
– Drivers License Numbers
– Banking Information
– Employment Information
– Insurance Information
• Personal Health Information
• Business Information – Ever sign confidentiality agreements or non-disclosure agreements? Hold a private company’s financials?
Likely Causes of Loss
• Lost/stolen portable computers or media…Blackberry/iPhone
• Lost/stolen back up tapes.
• Improper disposal
– Paper records
– Computer Equipment (fax machines)
• Computer Hacking
• Employee Misuse
• Rogue Employee
– According to the 2004 CSI/FBI computer crime and security survey, inside jobs represent 80% of reported security incidents.
• Vendor Negligence – big issue - Target
• Negligent Release
Value of Stolen Data: Symantec Corp Report on the Underground Economy ’07-’08

Rank for Sale | Rank Requested | Goods and Services            | % for Sale | % Requested | Range of Prices
1             | 1              | Bank account credentials      | 18%        | 14%         | $10 - $1,000
2             | 2              | Credit card #’s with CVV2 #’s | 16%        | 13%         | $.50 - $12
3             | 5              | Credit cards                  | 13%        | 8%          | $.10 - $25
4             | 6              | E-mail addresses              | 6%         | 7%          | $.30 - $40
5             | 14             | E-mail passwords              | 6%         | 2%          | $4 - $30
6             | 3              | Full identities               | 5%         | 9%          | $.90 - $25
After Breach. What to do?
• First off, was there actually a breach? Notifying when no notification is required is hugely expensive.
• What happened, and what data, hardware, and software were affected? – Computer forensics firm
• What regulations apply and how do we comply? – Privacy attorneys
– Along these lines, is affected data for residents of other states? Those states’ notification laws apply too.
• How do we restore trust / make it right with our customers? – Public relations, credit monitoring, ID theft counseling
Current Developments
• High profile data breaches: Target, Neiman Marcus, Sony, RSA, Citibank,
Lockheed Martin, Google
• Cloud Computing
• Texas Medical Records Privacy Act (2012) – broader in scope than HIPAA,
as it applies to health care providers, health plans, and any other entities,
individuals, businesses, or organizations that obtain, store, or possess PHI
• HIPAA provides that if a state law grants more privacy protection to a
patient, state law applies
• PCI Standards/Compliance – Started in 2006
• Cyber/Privacy Insurance Market Growth: Approx $800M premium in
2010, which is about double 2007 (Betterley Report)
• Down Economy means Crime goes up…Why wouldn’t Cyber Crime go
up?
– In 2009, more than 222M records were compromised in 469 reported
incidents (per Identity Theft Resource Center)
Current Developments –
Target & Neiman Marcus
• Hackers becoming more sophisticated – robbers are always ahead of the
cops
• One unanswered question from the Target and Neiman Marcus breaches
is how internal or external attackers managed to steal so much data
while avoiding detection. But people with knowledge of the Target
investigation told Reuters that the attackers' toolkit reportedly included
memory-parsing malware known as RAM scrapers. The malware can be
used to infect point-of-sale (POS) systems -- a fancy name for retailers'
digital cash registers -- and then intercept sensitive information such as
credit card numbers and magnetic-stripe data. While the data resides in
memory it remains in plaintext -- and thus easy to intercept -- even if it
later gets encrypted for storage or transmission.
• Visa reportedly published two security alerts last year -- in April and
August -- warning retailers about a rise in RAM-scraping attacks. But one
source told Reuters that the RAM scraping tools used by attackers were
more sophisticated than what's been seen before, meaning that even if
Target or any other retailer had bolstered its security defenses in the wake
of the Visa warning, they may have been unable to stop the new
malware.
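The RAM-scraper mechanism described above, as an added example that is not part of the original deck and not the code of any real malware: a Python scan that does what a POS memory scraper does, namely regex-match ISO 7813 Track 1 / Track 2 formatted strings in a memory buffer and keep only hits whose PAN passes the Luhn check. The memory image it scans is constructed here from the standard test PANs 4111111111111111 and 5555555555554444 (no real process memory is read). Pointed at a memory dump of a real POS process, the same function tells a defender whether plaintext track data is sitting in RAM, which is exactly the window the Target attackers exploited.

```python
"""Added example (not from the deck): how a POS RAM scraper finds card data in
memory, and how a defender can use the same logic to scan a memory dump.

Magnetic-stripe data sits in plaintext in the POS process's memory between the
card swipe and encryption, so the malware regex-scans memory for Track 1 /
Track 2 formatted strings and keeps the hits whose PAN passes the Luhn check.
SAMPLE_MEMORY below is CONSTRUCTED and uses well-known test PANs.
"""
import re

# Track 2 (ISO 7813): ;PAN=YYMM<service code><discretionary>?  (PAN 13-19 digits)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 (ISO 7813): %B<PAN>^<NAME>^YYMM<service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters regex hits that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(mem: bytes) -> list[dict]:
    """Return every Luhn-valid Track 1/Track 2 record found in a memory buffer.

    This is the core of a RAM scraper; run over a memory dump of a POS
    process it doubles as a detector for plaintext card data in RAM.
    """
    hits = []
    for m in TRACK2_RE.finditer(mem):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan,
                         "expiry": m.group(2).decode() + "/" + m.group(3).decode(),
                         "offset": m.start()})
    for m in TRACK1_RE.finditer(mem):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan,
                         "name": m.group(2).decode().strip(),
                         "expiry": m.group(3).decode() + "/" + m.group(4).decode(),
                         "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def mask(pan: str) -> str:
    """PCI-style masking (first 6 / last 4) for anything you log or report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed memory image: junk bytes, a Track 2 record, a Track 1 record, and
# a Track 2 record whose PAN fails Luhn (a regex-only scraper would keep it).
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP\x00\x00"
    b";4111111111111111=2512101123456789?"           # Track 2, test PAN, Luhn-valid
    b"\x00\xff\xff"
    b"%B5555555555554444^DOE/JANE^2601101000000000?"  # Track 1, test PAN, Luhn-valid
    b"\x00\x00"
    b";4111111111111112=2512101000000000?"           # Track 2, fails Luhn -> dropped
    b"\x00"
)

if __name__ == "__main__":
    for hit in scrape_tracks(SAMPLE_MEMORY):
        print(f"track{hit['track']} @0x{hit['offset']:04x} "
              f"PAN={mask(hit['pan'])} exp={hit['expiry']}")
```

The masking helper is there because anything this scan finds is cardholder data; a detector that logs full PANs creates the exposure it was meant to detect. The Luhn filter is what separates a usable scraper (or detector) from a noisy one: any 13 to 19 digit run between the track delimiters matches the regex, but only about one in ten of them is a valid PAN.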
Current Developments
• SMALL BUSINESS IS THE TARGET:
– 2013 Symantec: Internet Security Threat Report :Targeted attacks on
businesses with fewer than 250 employees are growing. Small businesses
are now the target of 31 percent of all attacks, a threefold increase from
2011. While small businesses may feel they are immune to targeted
attacks, cybercriminals are enticed by these organizations’ bank
account information, customer data, intellectual property and the
knowledge that they often lack adequate security practices and
infrastructure.
– Among the key findings of Symantec’s 2010 SMB Protection Survey, small
businesses:
• sustained an average loss of $188,000 per breach,
• comprised 73 percent of total cyber crime targets/victims,
• lost confidential data in 42 percent of all breaches, and
• suffered direct financial losses in 40 percent of all breaches.
– In 2010, the U.S. Secret Service and Verizon Communications Inc.'s
forensic analysis unit, which investigates attacks, responded to a
combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%,
were at companies with 100 employees or fewer. Visa Inc. estimates
about 95% of the credit-card data breaches it discovers are on its
smallest business customers.
– A 2010 survey by the National Retail Federation and First Data Corp. of
small- and medium-size retailers in the U.S. found that 64% believed their
businesses weren't vulnerable to card data theft and only 49% had
assessed their security safeguards.
Healthcare – Recent Data Privacy
Developments
• Federal Law: American Recovery and Reinvestment Act of 2009 (aka
the Stimulus Bill) – HITECH Act.
– Government spending $25.9B to promote and expand health
information technology
– Goal is to create a nationwide network of electronic health records
• The U.S. Department of Health and Human Services Office for Civil Rights
(OCR) has beefed up staff and oversight. (UCLA Healthcare Systems
had to pay $865K for celebrity patient disclosures – it failed to restrict
employee access to records.)
• Contrasts with lax enforcement for the past 15 years.
• Under HITECH, "business associates," or third parties such as a billing
company or cloud provider, now must follow the HIPAA privacy laws by
protecting patient information and reporting data breaches.
HITECH Act (cont’d)
• What changes for a “business associate”?
– They are subject to civil and criminal penalties (not just contractual
claims by the covered entity).
– Must comply with administrative, physical, and technical safeguards
and documentation requirements under the HIPAA security rule.
– Two-way policing: The business associate and the covered entity must
report known violations.
• Janitor in a hospital sees a doctor’s office throwing away sensitive medical
records – obligated to report
– Notification: A business associate must notify the covered entity of any
breach. (Vendors of personal health records that fall outside HIPAA report
to the FTC under its Health Breach Notification Rule, and a violation is
treated as an unfair or deceptive act.)
– Covered entities: Must notify individuals within 60 days…If over 500
identities, they must notify “prominent media outlets” in the area as
well as the Department of Health and Human Services.
Cloud Computing
• IT purchasers realize the enormous potential for reduced
hardware and software costs. The cloud is becoming more
popular.
Issues/Thoughts:
- Large risk of data loss and business interruption when moving
data and applications from hardware based system to the
cloud.
- Access from any PC anywhere makes it more difficult for a
cloud computing provider to verify that the user is who the user
says they are via password.
- Cloud providers typically are not responsible for the data if there
is a breach. Liability is typically pushed back on the insured via
contract with the provider. Think Amazon and the massive
amounts of data they host in the cloud.
- Will the cyber marketplace pick up contingent business income
if the cloud service is unavailable? Remains to be seen.
Coverage Elsewhere?
• General Liability
– BI/PD – definition of property is typically limited to “tangible”
items
– Exclusion g. to coverage A of the ISO CGL form excludes
coverage for damages “arising out of the loss of, loss of use,
damage to, corruption of, inability to access, or inability to
manipulate electronic data (we have seen endorsements
broadening coverage by adding an exception to the exclusion
for damages because of “bodily injury”)
• Crime
– Almost all policies are limited to money and securities
Cyber Insurance
• 1st-Party - Direct loss due to “injury” to electronic data or
systems resulting from acts of others – no need for anyone to
come after you for money
– Breach response, extortion, restoration costs, business
income
• 3rd-Party - Liability for financial losses or costs sustained by others
resulting from Internet or other electronic activities
– Network liability, electronic media liability, regulatory defense
costs, privacy liability
Breach Response
• Usually triggered by unauthorized access, introduction of
malicious code, accidental or unauthorized release of private
information, and denial of service attacks.
• Pays forensic investigation expenses, cost of advertisements,
notification expenses, credit monitoring services, cost of a
public relations consultant.
Why Breach Response Coverage is
Important:
• Easily the most likely coverage to be triggered
• Per Mark Greisinger,President of NetDiligence, a leading
cybersecurity assurances company.
www.NetDiligence.com
– Cyber-crime attorney: $700/hr
– Investigation/Computer Forensics Fees: $300 - $700/hour (find
out what happened, how to prevent/stop it, type of data
breached, etc.) – pre-negotiated rates make a huge difference
– Notification costs: mailing a notice letter to customers costs as much as
$14/customer.
– Credit Monitoring: $10-$12/year per person.
– Public Relations Firm: $10,000/month or $400/hour.
• Side note – Mark Greisinger developed the eRisk Hub that
comes with probably 90% of cyber policies sold
Why Breach Response Coverage is
Important:
• Texas Security Breach Notification Law
The law requires written or electronic notice directly to the
affected residents, except that if the cost of direct notification
exceeds $250,000, the number of people to be notified
exceeds 500,000, or the data controller does not have complete
contact information, then the law allows for notification by
publication.
The law provides for a civil penalty of up to $1 million, plus the
amount of reasonable expenses incurred in obtaining the civil
penalty. The Texas attorney general or the prosecuting attorney
in the county in which a violation occurred can bring suit to
recover the civil penalty (payable to the state). This penalty
would be in addition to any other available remedy, which could
include damages suffered by the resident.
More Perspective…
Just Notification Costs
• If it is estimated that it costs $200 per identity…
– A men’s clothing store that does 5 sales a day would end
up paying $365K for the data breach of a year’s worth of
customers (5 sales × 365 days = 1,825 customers × $200).
– An MRI clinic that does 10 scans a day Monday through
Friday would pay $520K for all of the patients seen in one
year (10 scans × 260 weekdays = 2,600 patients × $200).
Extortion
• Usually triggered by a threat to bring down a network (introduce
“malicious code”), divulge digital records without authorization,
or deny a company’s service to third parties (typically a retailer
that depends on customer traffic/sales on their website.)
• Pays investigation costs, costs for a negotiator, and “ransom.”
• Can be sublimited, but not always.
• Coverage used to not be that big of a deal, but a recent rise in
claims (especially in Europe) has increased the importance.
– Cryptolocker bigger in Europe
Extortion - Example
• Hackers demand $10 million to return patient records stolen
from Virginia state site.
The Washington Post reports, "Hackers last week broke into a
Virginia state website used by pharmacists to track prescription
drug abuse." After deleting records "on more than eight million
patients," they "replaced the site's homepage with a ransom
note demanding $10 million for the return of the records." The
event marks "the second major extortion attack related to the
theft of healthcare data in the past year. In October 2008,
Express Scripts, one of the nation's largest processors of
pharmacy prescriptions, disclosed that extortionists were
threatening to disclose personal and medical information on
millions of Americans if the company failed to meet payment
demands."
Restoration Costs
• Usually triggered by unauthorized access, introduction of
malicious code, accidental or unauthorized release of private
information, and denial of service attacks.
• Pays for Restoration of Data within computer system. If the data
cannot be restored or recreated, policy will pay the cost to
reach that determination.
• Can be directly related to extortion coverage.
Business Interruption
• Intent has to be malicious and direct. Will not be triggered if
power goes out, servers fail, etc.
• Pays normal gross margins for the time period in which the
network was disabled.
• Time Period Deductible (i.e. 10 hours)
• Direct – Loss of Sales.
• Indirect – Lose ability to Manage Inventory. Example:
WaWa stores
***Some markets playing around with customer
attrition/reputational damage products.
Network Liability
• Often confused with privacy coverage. Not so.
• Triggered by unauthorized access/use, computer virus, denial
of service attack, denial of access, mistake in administration of
network.
• Pays third party damages for inability to access a website (e.g.
a customer of a supplier), transmission of a virus to a third party
from the insured’s computer system, or use of the insured’s network to
launch a denial of service attack on a third party.
Electronic Media Liability
• Personal Injury for Insured’s Network Communications.
Think of insured’s website as a newspaper.
• Libel, slander, product disparagement; violation of right of
privacy; misappropriation and plagiarism; infringement of
copyright, trademark, etc.
Electronic Media Coverage –
May be Worthless
• Recent ISO CGL PI/AI coverage should pick it up…except:
j. Insureds In Media And Internet Type Businesses
"Personal and advertising injury" committed by an insured whose business is:
(1) Advertising, broadcasting, publishing or telecasting;
(2) Designing or determining content of web-sites for others; or
(3) An Internet search, access, content or service provider.
However, this exclusion does not apply to Paragraphs 14.a., b. and c. of
"personal and advertising injury" under the Definitions Section.
For the purposes of this exclusion, the placing of frames, borders or links, or
advertising, for you or others anywhere on the Internet, is not by itself,
considered the business of advertising, broadcasting, publishing or telecasting.
k. Electronic Chatrooms Or Bulletin Boards
"Personal and advertising injury" arising out of an electronic chatroom or
bulletin board the insured hosts, owns, or over which the insured exercises
control.
***A note on Chatrooms. The website owner is usually not responsible for “user”
content. If they screen “users” beforehand, the law assigns a higher standard.
Regulatory Defense Costs/Fines and
Penalties
• Covers the defense of regulatory actions by governmental
agencies against the insured for alleged violations of privacy
regulations/laws.
• Attorneys general are becoming more and more aggressive in
enforcing regulations
• AGs have historically been understaffed and cannot handle
enforcement, so some have engaged 3rd party law firms to
investigate random companies and make sure they are
compliant with state laws
• AGs like to use high profile breaches to springboard their
political careers into the spotlight
– The CT, NY, SD, and MA AGs have already indicated they will file suit
against Target due to the recent breach
Privacy Liability
• Usually triggered by misappropriation, theft or unauthorized
access. (Failure to secure data or errors and omissions in
handling data.)
• Data covered: Personal Information, Non-public data
(usually corporate information).
• *****Want all data covered, not just electronic data.
(Improperly disposed of or secured paper records.)
• Claims from individuals are rare but seen on the healthcare side
– class actions a bigger worry.
• National Institute of Standards and Technology (part of Dept of
Commerce) has issued cyber standards. They are informal and
voluntary, but…
– Gives plaintiff attorneys ammunition when it comes to class actions
– Seen as informal government regulations
– There is no negligence standard for safeguarding PII, but the NIST standards are
expected to be used heavily to create one for those entrusted with PII
Why Don’t Insureds Buy?
• Firewalls are up to date/everything is encrypted – robbers are
always ahead of the cops.
• Cost – historically cost has been high. Carriers now have a
better grasp of exposures and have more premium across
their books, so pricing is significantly less than what it was just a
few years ago.
• The application is too long – we can provide a standalone quote with full
limits with nothing more than a company name, revenues,
and an address. We will always turn around a quote in 24 hours,
but usually it’s flipped in less than an hour.
• Any other objections you hear?
Who Needs the Coverage (the most)?
• Who deals with confidential data?
– Healthcare
– Government
– Financial Institutions
– Schools/Universities
– Online Merchants
– Churches/Philanthropic Organizations
What can your clients do to
prevent/mitigate cyber losses?
• Policies
– Privacy Policies
– Information Security Policies
– Computer Usage Policies
• Employee Training
• Technical Security Controls
– Access Controls: Firewalls, passwords, etc.
– Anti-virus
• Physical Security Controls
• Incident Response Plan
• The eRisk Hub is very useful for insureds
Conclusion
• Not a matter of “if” but “when” – almost nothing you can
do to prevent an attack
• Small business is a huge target – fewer controls and
resources to prevent/handle an attack
• 1st party coverage is huge – don’t just “tack on cyber” to a
Chubb, Hartford, etc. policy
– An E&O policy will typically sublimit 1st party cover to a trivially small amount