Data Security/Privacy (Cyber) 101
Northern Ohio Association for Financial Professionals
2015 Idea Exchange Seminar, Executive Risk
Monday, September 21, 2015

Nicholas J. Milanich, Vice President, Hylant Executive Risk
Phone (216) 674-2413
nick.milanich@hylant.com
hylantexecutiverisk.com

AGENDA
• The Risk
  – Cyber attacks
  – Recent data breach examples
  – Loss statistics
  – Legislative environment
  – Emerging risks
• The Insurance
  – 3rd party coverage
  – 1st party coverage
  – Coverage examples

CYBER ATTACKS
• Microsoft Xbox, Sony PlayStation (denial of service)
• US State Department (cyber vandalism)
• US weather satellite system (NOAA)
• Sony Pictures (corporate information)
• VeriSign (internet security company)
• TD Waterhouse (unauthorized access)
• YouTube (website content)
• CareFirst of Maryland (website content)
• Authorize.net (denial of service attack)
• Six Apart, Ltd. (denial of service attack)
• PaineWebber (malicious code)

RECENT DATA BREACH EXAMPLES
• Federal government: Office of Personnel Management (OPM)
  – PII of up to 20 million individuals: names, addresses, dates of birth, Social Security numbers
  – Contractor (KeyPoint) credentials compromised; malware exploited a vulnerability before a patch was available (zero-day)
• Anthem
  – Information on 80 million current and former members
  – Data was unencrypted; an employee's password was compromised; attributed to a state-sponsored actor
  – Mostly PII: names, addresses, Social Security numbers, medical ID numbers, birth dates, salaries, email addresses
  – Self-insured health plans may have their own notice obligations
• Home Depot
  – 56 million payment card numbers
  – Targeted attack on payment terminals
  – Estimated costs announced so far: $62 million, with a $27 million insurance recovery
  – 44 lawsuits consolidated into two: consumer and financial institution
• Target
  – 110 million records: roughly 40 million payment card numbers plus 70 million customer records
  – Malware on point-of-sale (POS) systems
  – $236 million in direct data breach costs, about half of it for software upgrades; $90 million insurance recovery

HISTORICAL LARGE DATA BREACH EXAMPLES
• Heartland Payment Systems
  – 6th largest payment-card processor in the country: 100 million card transactions a month for 250,000 businesses
  – Malware installed on the network from May to November 2008
  – Unencrypted card data: 250 million records (magnetic-stripe data and names)
  – More than 220 banks affected
• Hannaford Brothers (grocery chain)
  – 4.2 million credit/debit card numbers
  – 1,800 cases of identity theft
  – 26 lawsuits
• TJX (TJ Maxx)
  – 94 million individuals
  – Criminals had access for 17 months
  – 3 years of credit monitoring and victim assistance
  – Follow-on D&O and other litigation
  – Total estimated cost over $1.3 billion

CYBER EXTORTION
• Avid Life Media / Ashley Madison (8/15): credit card information, names, addresses, email addresses; the attackers demanded that the site be taken down, plus an undisclosed sum of money
• Nokia (7/14): operating system source code; "several million euros"
• Domino's (6/14): customer data in Europe; $40,000 demand
• Express Scripts (2/12): PHI; demand unknown

LOSS STATISTICS – FREQUENCY
Summary from Risk Based Security, Inc., 2014
Number of breaches
• 3,014 in 2014, up 33%
• 2,261 in 2013
Number of records exposed
• 1.1 billion in 2014, up 34%
• 823 million in 2013
How records were exposed
• Outside (hackers): 76%
• Inside, accidental: 9.5%
• Inside, malicious: 6%
• Inside, unknown: 4.5%
• Unknown: 4%

[Two charts from the Risk Based Security 2014 summary: "Type of Information Exposed in Breach" and "Breaches by Industry" (categories Business, Governmental, Education, Medical, Other). Only scattered axis ticks and bar labels (53%, 16%, 12%, 10%, 9%) survived extraction; they cannot be matched to categories here.]

LOSS STATISTICS – COST
Summary of Ponemon Institute's 2014 Annual Cost of a Data Breach Report
• Average total cost and average per-record cost increased modestly, to $5.8 million and $201 respectively
• Direct costs are estimated at $66 per record (notification letters, credit monitoring, forensic IT, etc.)

Cost per record by industry class:
  Average                  $201
  Education                $294
  Retail                   $105
  Healthcare               $359
  Financial institutions   $206

Summary of NetDiligence 2014 Cyber Claims Study
• Insurance company database of actual claims, 2011 through 2013
• Average total cost per claim was $733,109
• Only 12% of claims resulted in follow-on litigation, only 5% in regulatory action, and only 3% in PCI fines/penalties

Average cost by cost type, among claims that incurred it:
  Forensics                  $119,278
  Notification               $175,147
  Legal guidance             $117,613
  Public relations             $4,513
  Legal defense              $698,797
  Legal settlement           $558,520
  Regulatory defense       $1,041,906
  Regulatory settlement      $937,500
  PCI fines/penalties      $2,328,667

Possible additional costs associated with a data breach
• Defense costs and settlements from follow-on litigation
• Regulatory enforcement (HHS/OCR, FTC, FCC, state attorneys general)
• Private plaintiffs (common-law privacy, breach of contract, emotional distress allegations)
• HIPAA civil penalties ($100 to $50,000 per violation depending on culpability tier, $1.5 million annual cap per provision)
• FACTA damages ($1,000 to $2,500 per employee, plus punitive damages and attorney fees)
• PCI compliance fines/penalties

LEGISLATIVE ENVIRONMENT
• Federal statutes
  – Gramm-Leach-Bliley, HIPAA, GINA, FACTA
  – Computer Fraud and Abuse Act, Stored Communications Act, Electronic Communications Privacy Act
  – Personal Data Notification and Protection Act (Obama administration proposal, pending): 30-day notification; likely to pre-empt the state notification laws below
• State notification laws (47 states plus D.C., Puerto Rico, and the Virgin Islands)
  – Massachusetts: requires a written information security program with minimum standards
  – California: zip codes are treated as personal information
• Ohio: ORC 1349.19
  – Computerized data only
  – Encryption safe harbor: notification is not required if the data was encrypted and the key was not compromised
  – Notification as soon as possible, and no later than 45 days
  – Civil penalties of up to $1,000 per day, escalating after 60 days ($5,000/day) and after 90 days ($10,000/day)
• Common-law allegations
  – Invasion of privacy
  – Negligence
  – Breach of implied contract
  – Right of publicity
• ORC Chapter 2744, Ohio political-subdivision immunity
  – Very little case law on immunity and data breaches
  – Expect to incur data breach expenses regardless: notification, credit monitoring, forensic IT, etc.
  – Contractual obligations: PCI DSS
  – Federal statutes: HIPAA, HITECH, FACTA

EMERGING ISSUES
• NIST Cybersecurity Framework to become the de facto standard?
• Supply chain data risk
• Chip and PIN (EMV): retail merchants
• "Internet of Things": open source, manufacturing
• Article III standing
• "Do not track" cases
• Persistent identifiers (user IDs, device identifiers, IP addresses)
• Terms of service
• Legal developments in cloud computing and BYOD

BASIC BEST PRACTICES
• Inventory your data
  – What kind? How much? Where is it? Who has access? How is it protected?
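The data inventory item above ("What kind? How much? Where is it? Who has access?") is the one best practice that can be partly automated. The script below is an added illustration written for this page; it is not part of the seminar material and not a Hylant or Travelers tool. It walks a directory tree, counts likely US Social Security numbers and Luhn-valid payment card numbers in each file, and records the file owner and whether anyone besides the owner can read it. The sample files, their contents, and the regular expressions are constructed for the example; a real inventory would add more data classes (PHI, account numbers), cover databases and cloud stores, and record whether the volume is encrypted, since encryption is what the Ohio safe harbor and the "unencrypted laptop" policy exclusions in this deck turn on.

```python
"""PII inventory scanner (added example, not from the seminar deck).

Walks a directory tree and reports, per file, how many likely US Social
Security numbers and Luhn-valid payment card numbers it contains, who owns
it, and whether anyone besides the owner can read it.  The sample tree
built in demo() is constructed for illustration only.
"""
import os
import re
import stat
import tempfile
from collections import Counter

# SSN in 3-2-4 form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check-digit validation of a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count SSNs and Luhn-valid card numbers (PANs) in a block of text."""
    found = Counter()
    found["ssn"] = len(SSN_RE.findall(text))
    found["pan"] = sum(
        1 for m in PAN_RE.finditer(text)
        if luhn_ok(re.sub(r"[ -]", "", m.group(0)))
    )
    return found


def inventory(root: str) -> list:
    """Return one record per file under *root* that contains PII, sorted by path."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    counts = classify_text(fh.read())
            except OSError:
                continue                     # skip files we cannot read
            if counts["ssn"] == 0 and counts["pan"] == 0:
                continue
            st = os.stat(path)
            records.append({
                "path": path,
                "ssn": counts["ssn"],
                "pan": counts["pan"],
                "owner_uid": st.st_uid,
                # "Who has access?": group or world read bit set on the file
                "shared": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return sorted(records, key=lambda r: r["path"])


def demo() -> list:
    """Build a constructed sample tree, scan it, and return the records."""
    samples = {
        "hr/payroll.csv": "name,ssn,salary\nA. Smith,123-45-6789,52000\n"
                          "B. Jones,234-56-7890,61000\n",
        "sales/orders.txt": "order 1001 card 4111 1111 1111 1111 approved\n"
                            "order 1002 card 4111-1111-1111-1112 declined\n",
        "docs/readme.txt": "Nothing sensitive here. Call 216-555-0100.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        os.chmod(os.path.join(tmp, "hr", "payroll.csv"), 0o600)    # owner only
        os.chmod(os.path.join(tmp, "sales", "orders.txt"), 0o644)  # group/world readable
        return inventory(tmp)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['path']}: ssn={rec['ssn']} pan={rec['pan']} "
              f"owner_uid={rec['owner_uid']} shared={rec['shared']}")
```

Run directly, it reports two files: the payroll file with two SSNs (owner-only), and the orders file with one valid card number and world-readable permissions; the declined card number fails the Luhn check and the phone number in the readme matches neither pattern. In practice you would point inventory() at file shares and home directories, and the "shared" flag is the first answer to "who has access".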
• Evaluate contracts with outside service providers, especially third-party IT, payment processors, and data storage or data processing vendors
• Consider requiring certificates of insurance for both professional E&O and Data Security/Privacy (Cyber) coverage
• Continuous third-party security and vulnerability assessments of your organization
• Establish an incident response plan and team, with experienced outside vendors
• Test your incident response plan
• Insurance is a "safety net", not a substitute for internal and external safeguards

John Menefee, CyberRisk Underwriting Manager, Travelers
Phone (216) 643-2429
jmenefee@travelers.com
travelers.com

NETWORK/PRIVACY INSURANCE
Coverage triggers
• Virus transmission
• Failure to provide access
• Unauthorized access to or use of data
• Failure to notify
• Website/social media liability
Covered data
• Insured's systems
• Data in transit
• Non-electronic data
• Data residing on others' systems
• Employees' data
• Corporate data

NETWORK/PRIVACY INSURANCE – FIRST PARTY COSTS
Notification and crisis management expenses
• Breach coach
• Legal costs to determine which breach laws apply
• Computer forensics
• Notification documents (preparing and sending)
• Call center for incoming and outgoing communications
• Payment card chargebacks
• Other fees to comply with the requirements of breach laws
• Public relations expenses to respond to negative publicity and restore brand reputation
• ID fraud policies / credit monitoring for affected individuals

NETWORK/PRIVACY INSURANCE – FIRST PARTY COSTS (continued)
• Crime
  – Computer fraud
  – Funds transfer fraud
  – Telecommunications theft (outgoing long-distance phone calls)
• Cyber extortion
  – Threat to release information, damage data or systems, introduce a virus, or restrict access to system resources
• Fines/penalties
  – PCI contract penalties
  – Regulatory fines/penalties
• Network business income / extra expense
  – Business interruption due to a network event, typically some form of denial of service
  – Dependent business interruption (very limited market)

LIMITATIONS TO WATCH FOR
Specific exclusions to watch for:
• "Reckless disregard"
• Unencrypted laptops / mobile devices
• Violating your own policies and procedures
• Failure to keep IT security up to date
• Known viruses / malicious software
• Coverage limited to electronic data only

COVERAGE EXAMPLES
• Employee mistake
• Unauthorized access
• Lost laptop

Disclaimer: these examples are generic.
• CGL, E&O, and Cyber insurance forms differ greatly between companies.
• The examples explore general coverage "intent" to illustrate differences that may exist between the various coverages.
• Individual claim circumstances and complaint wording can trigger or limit coverage in a variety of ways.

Scenario 1 – Employee Mistake
What happened: your employee accidentally or deliberately publishes private customer information on your company's website or by e-mail. Your customer sues.
Coverage:
• Look for coverage under the personal injury section of the CGL (publication of material that violates a right of privacy). Check whether your CGL excludes or limits this grant when the publication occurs in electronic form.
• Look to a dedicated Cyber Liability policy.

Scenario 2 – Customer / Employee Information
What happened: a hacker gains unauthorized access to your network and steals personally identifiable information of employees and customers.
Coverage:
• Look for coverage in a Cyber Insurance policy.

Scenario 3 – Lost Laptop
What happened: an employee's laptop containing customer information is lost or stolen during travel.
Coverage:
• The cost to replace the stolen hardware may be covered under a property policy, but the additional costs of an information breach typically will not be.
• May find coverage under a Cyber Liability policy.
• Check policy wording for limitations on whether the laptop needs to be part of the "communications network."
• Check policy wording for limitations regarding encryption of data.

Thank you!