A Brave New World of Cyber Security and Data Breach
Data Privacy
[Cartoon caption: “Is this your firm’s idea of data privacy coverage?”]
Disclaimer
This presentation is advisory in nature and necessarily general in content.
No liability is assumed by reason of the information provided.
Whether or not or to what extent a particular loss is covered depends on the
facts and circumstances of the loss and the terms and conditions of the policy
as issued.
Please carefully review any policy and all endorsements delivered for the
precise coverage terms.
Introduction
Foundation for Privacy Fears
• Privacy is a right
• Private information has value
• Technology has created new issues concerning breaches of privacy
• Privacy breaches can have a material impact on a company’s reputation
• Courts, legislatures and regulatory agencies are engaged in addressing privacy issues
• Highly publicized security breaches are in the news
Introduction
What are Data Theft and Privacy/Security Breaches?
• An organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information.
Risks and Recent Developments
Increase in Numbers of Incidents
Industry Issues
- FTC estimates nearly 10 million victims per year
- Many victims don’t know or don’t report
- Fastest growing white collar crime in America
- Average 175 hours and $1,500 to resolve per individual
- Tremendous media exposure
Common Types of Fraud
- Misuse of existing credit – credit card, debit card, phone card
- Use of name and Social Security number to:
- Establish new credit
- Commit other criminal activity
Sources of Data Breach
49% lost laptop or other device (USB flash drives, etc.)
16% third-party outsourcer/vendor
9% malicious insider
9% paper records
7% lost electronic backup
5% hackers, crackers, social engineers, “phishers”
4% malicious code
2% unknown
(figures as published; rounding brings the total to 101%)
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC, 2007
Risks and Recent Developments
Increase in Numbers of Incidents
Data Breaches – Growing In Numbers!
Between January 2005 and February 6, 2009, 252,308,777 records containing “sensitive personal information” were involved in security breaches.
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches (posted April 20, 2005; updated February 9, 2009), www.privacyrights.org
Risks and Recent Developments
Prominent Examples
Recent high-profile data security breaches illustrate the nature of the risk
• Heartland Payment Systems, Inc. (100 million credit/debit cards) 2008 (this breach also drew a companion D&O suit)
• Hannaford Brothers (4.2 million credit/debit cards) 2008
• Certegy Check Services (4.2 million customers) 2002-2007
• TJX (94 million records) 2006-2007
• ChoicePoint (150,000 records) 2005
• Bank of America (1.2 million federal employees) 2005
• DSW (100,000 customers) 2005
• LexisNexis (32,000 records) 2005
Record counts are as reported in the press at the time; several were later revised upward as investigations progressed.
Sources: Computerworld, Boston Globe, Tampabay.com, ZDNet and 11Alive.com
Risks and Recent Developments
Applicable Laws
California Security Breach Information Act (2003). Since its passage, 47 states and territories have passed similar laws
(http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm)
The essence of these laws is a requirement that companies storing personal information promptly notify the persons whose information has been acquired by an unauthorized person
In addition to the cost of notification, these laws create potential civil liability if proper and timely notification of a data security breach is not given
Some states also require notification of specific law enforcement agencies and of the consumer credit reporting agencies
Risks and Recent Developments
Applicable Laws
Gramm-Leach-Bliley Act (GLBA)
Requires “financial institutions” to ensure the security and confidentiality of private financial information (includes all businesses that are “significantly engaged” in providing financial products or services)
HIPAA – Health Insurance Portability and Accountability Act
Regulations for use and disclosure of Protected Health Information (PHI), which is any information about health status, provision of health care, or payment for health care that can be linked to an individual
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA-regulated transaction
The Security Rule of HIPAA deals specifically with Electronic Protected Health Information (ePHI).
Risks and Recent Developments
Applicable Laws
Fair Credit Reporting Act (FCRA)
Enacted to promote efficiency in the country’s banking system and to protect consumer privacy. See TRW, Inc. v. Andrews, 534 U.S. 19, 23 (2001)
Imposes obligations on three types of entities:
• Credit reporting agencies,
• Users of credit reports, and
• Furnishers of information to credit reporting agencies
Risks and Recent Developments
Applicable Laws
Fair and Accurate Credit Transactions Act (FACTA)
Amendment to FCRA
Key provisions focus on reducing exposure to identity theft and assisting consumers with credit problems
Requires truncation of card numbers on electronically printed receipts (no more than the last five digits, and no expiration date) and, on the consumer’s request, truncation of Social Security numbers in consumer report disclosures
Credit and Debit Card Receipt Clarification Act, June 3, 2008: clarified that, for receipts printed before that date, printing the expiration date on a receipt whose card number was otherwise properly truncated was not willful noncompliance
Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions
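The truncation requirement above is the one item on this slide a developer can test for directly. The following is an added example (not from the presentation or its author) showing both sides of it: a masking routine for printing card numbers, and an audit that scans printed receipt lines for a full PAN, more than five visible digits, or an expiration date. The receipt lines are constructed for the demonstration; the Luhn check is used to avoid flagging order numbers and timestamps that merely look like card numbers. The 4-digit default in truncate_pan is the common PCI DSS masking practice, which is stricter than FACTA’s 5-digit ceiling.

```python
import re

# Constructed receipt lines used only for this demonstration; not taken from any real merchant.
SAMPLE_RECEIPT_LINES = [
    "VISA 4111111111111111 EXP 12/09 TOTAL $42.10",      # full PAN and expiry printed
    "VISA ************1111 EXP 12/09 TOTAL $42.10",      # PAN truncated, but expiry printed
    "VISA ************1111 TOTAL $42.10",                # compliant (4 digits, no expiry)
    "MC   ***********11111 TOTAL $42.10",                # 5 visible digits is the FACTA maximum
    "SALE 02/09/2009 ORDER 123456789012345 TOTAL $1.00",  # a date and an order number, not a PAN
]

# A card-number-shaped token: 13-19 characters made of digits and mask characters.
PAN_TOKEN = re.compile(r"(?<![\w*])[\d*Xx]{13,19}(?![\w*])")
# MM/YY that is not embedded in a longer date such as 02/09/2009.
EXPIRY = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/\d{2}(?![\d/])")
FACTA_MAX_VISIBLE = 5


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out numbers that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, visible: int = 4) -> str:
    """Mask a PAN for printing. Keeps the last `visible` digits; FACTA allows at most 5."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    if visible > FACTA_MAX_VISIBLE:
        raise ValueError(f"FACTA permits at most the last {FACTA_MAX_VISIBLE} digits on a receipt")
    return "*" * (len(digits) - visible) + digits[-visible:]


def find_violations(line: str) -> list:
    """Return the FACTA truncation problems found in one printed receipt line."""
    problems = []
    for match in PAN_TOKEN.finditer(line):
        token = match.group()
        shown = sum(c.isdigit() for c in token)
        if shown == len(token):
            # an all-digit run counts as a card number only if the Luhn check passes
            if luhn_ok(token):
                problems.append(f"full card number printed ({shown} digits)")
        elif shown > FACTA_MAX_VISIBLE:
            problems.append(f"{shown} card-number digits visible (max {FACTA_MAX_VISIBLE})")
    if EXPIRY.search(line):
        problems.append("expiration date printed")
    return problems


def audit_receipt(lines) -> list:
    """Return (line, problems) for every non-compliant line so the print template can be fixed."""
    report = []
    for line in lines:
        problems = find_violations(line)
        if problems:
            report.append((line, problems))
    return report


if __name__ == "__main__":
    for line, problems in audit_receipt(SAMPLE_RECEIPT_LINES):
        print(f"{line!r}: {'; '.join(problems)}")
    print(truncate_pan("4111 1111 1111 1111"))
```

Run the audit against the text your point-of-sale template actually emits (including reprints and email receipts, which are often generated by a different code path than the printer). The expiry regex deliberately ignores full dates; if your receipts print the sale date as MM/YY, tighten it to the field the card expiry is written into.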
Risks and Recent Developments
Applicable Laws
Red Flags Rule
Regulation issued under FACTA’s amendments to FCRA
Financial institutions and creditors must establish a written program to “detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts”
Creditors must have a written “Program” formalizing the steps they intend to take to prevent identity theft in place by May 1, 2009
Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions
Risks and Recent Developments
Hypothetical Scenario #1
• A former employee of a financial institution gives an accomplice access to the institution’s secure network.
The data includes sensitive personal information about the company’s customers and employees
The thief also gains access to the financial institution’s external website
• Two weeks later, the company receives a ransom note from the thief
• Two weeks after that, the thief hacks into the company’s system, taking the company’s website down for two days with no ability to conduct online transactions
• The media learns of the issue; widespread media attention results in cancellation and re-issuance of all client payment cards, and potentially affected members must be notified and provided with credit monitoring
• Various government agencies begin investigations
Risks and Recent Developments
Hypothetical Scenario #2
• An employee innocently opens an email supposedly from the company’s IT department
The email carries embedded malicious code that surreptitiously takes control of the employee’s computer
An outside hacker uses the employee’s computer to launch additional attacks on the company’s back-end network
• The hacker gains widespread access to the company’s various databases, including payment card data
• The hacker emails the company President a copy of the customer database, containing personal confidential information, and demands $500,000, threatening otherwise to publish a link to the information
Risks and Recent Developments
Scenarios 1 and 2 result in various potential losses
First Party Losses
Loss of Private Data
- Notification/credit monitoring costs
- Cost to change account numbers
- Publicity costs
- Business income loss
- Data restoration expenses
Cyber Extortion
- Ransom payments
- Other expenses
Third Party Losses
Customer Suits
- Customers alleging invasion of privacy
- Customers or other third parties alleging financial loss
Other Suits
- Regulatory actions/fines or penalties
Risks and Recent Developments
Costs / Claims / Losses
First Party Losses
• Cost of $197 per record compromised, consisting of:
• $128 lost business (lost customers/reduced orders)
• $46 ex-post response (PR costs, credit monitoring)
• $15 notification
• $9 detection & escalation
(component figures as published, rounded)
Source: Ponemon Institute, LLC – “2007 Annual Study: Cost of a Data Breach”
Risks and Recent Developments
Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?)
• Failure to implement and maintain reasonable security procedures (currently, actual harm and damages are hard to prove)
• Negligence (based upon regulatory/industry standards)
• Unfair, deceptive and unlawful business practices
• Invasion of the customer’s right to privacy
• Breach of fiduciary duty
• Breach of contract
• Fraud / Misrepresentation
• Multiple class action filings increasing
• New legal theories yet to come in pleadings
Risks and Recent Developments
Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?) cont.
• Loss of wages due to time taken to prove “identity theft” to MasterCard or Visa
• Expense of legal and other resources necessary to prove “identity theft” to MasterCard and Visa
• Loss of business advantage due to the effect of fraudulent charges on FICO scores
• Damages claimed under applicable state privacy legislation
Where is the Insurance Coverage?
Comprehensive General Liability (CGL)?
Computer/Commercial Crime Form?
Directors and Officers Liability?
Professional Liability Policy?
Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)?
CGL: Covers liability for “Property Damage” to a third party
“Property Damage” = “physical injury to tangible property” as well as “loss of use of tangible property that is not physically injured”.
It is unsettled whether electronic data qualifies as “physical damage to tangible property” or “loss of use of tangible property”; current ISO CGL forms state expressly that electronic data is not tangible property.
Coverage B: Personal and Advertising Injury Liability
Oral and written publication, in any manner, of material that violates a person’s right to privacy.
Is the “loss” of data in electronic form from a database an “oral or written publication of material”?
Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)? (cont.)
Professional Services exclusion (present on most General Liability policies)
will apply if you are a financial institution
Financial Professional Services. We won’t cover injury or damage or
medical expenses that results from the performance of or failure to perform
any financial professional service.
Breach of Contract exclusion (present on most General Liability policies)
Breach of Contract. We won’t cover personal injury or advertising injury that
results from the failure of any protected person to do what is required by a
contract or agreement…
Lack of Coverage in Traditional Policies
Crime?
Surety Association Computer Crime and ISO Commercial Crime policies generally exclude:
• Loss resulting directly or indirectly from theft of confidential information
• Indirect or consequential loss of any nature
• Potential income, including but not limited to interest/dividends
Specific Financial Institution Crime Policies can include:
• E-theft: loss of money or securities as a result of fraudulent electronic communications from a third party, or theft of confidential customer information
• Extortion, Business Income
• No first party losses
• Typically written with a high deductible
Lack of Coverage in Traditional Policies
Directors & Officers Liability (D&O)?
D&O:
• Possible source of coverage for third party suits
• Possible source of coverage for regulatory suits
• No First Party coverage
• Exclusions for invasion of privacy or violation of any right of privacy may preclude coverage for the Corporate Entity, or for both the Corporate Entity and all Individual Insureds
Lack of Coverage in Traditional Policies
Errors & Omissions Liability (E&O)?
E&O:
• For wrongful acts committed solely in the conduct of the Insured’s “Professional Services”
• Policies may include coverage for negligence in failing to maintain the confidentiality/security of customer information, invasion of privacy, unauthorized access/unauthorized use, and introduction of malicious code
Insurance Coverage Options
First Party
Overview – covers direct first party losses that an insured may incur in connection with an incident.
A. Data recovery expenses (costs to recover data)
B. Business interruption expenses – covers business income loss and certain extra expenses the insured incurs during the “Period of Recovery of Services” due to the actual impairment or denial of operations resulting directly from fraudulent access or transmission
• Sometimes available by endorsement
• Sublimits can apply
Insurance Coverage Options
First Party (cont.)
C. Privacy Notification Expenses – means the reasonable and necessary cost of notifying those persons who may be directly affected by the misappropriation of a record
• Costs relating to changing their account numbers, other identification numbers and security codes; and
• Costs of providing them, for a stipulated period of time and with the prior approval of the company, with credit monitoring or other similar services that may help protect them against fraudulent use of the record
Insurance Coverage Options
First Party (cont.)
D. Pre-claim forensic costs to investigate a security breach
• Example (wording that picks up pre-claim investigation): “Claim Expenses” means all other legal costs and expenses resulting from the investigation…of a circumstance that might lead to a claim with the prior written consent of the underwriters
• Example (wording that excludes it): “Loss” does not include any amount incurred by an insured in the defense or investigation of any action, proceeding, demand or request that is not then a claim, even if such matter subsequently gives rise to a claim
E. Crisis Management expenses
• Sublimits may apply
• See consent / procedural requirements
Insurance Coverage Options
Third Party Privacy
Overview – covers sums the insured is legally obligated to pay to third parties as damages and claims expenses as a result of a privacy breach or breach of privacy regulations.
A. Regulatory Coverage
• See scope of definitions of “claim”
• Some policies may only cover regulatory defense costs
B. Regulatory Civil Penalties
• HIPAA, Gramm-Leach-Bliley Act, state privacy protection laws and privacy provisions of FCRA impose civil penalties
• Check definition of “loss” or “damages” for exclusions
• Example: Damages includes a penalty or sanction imposed by a federal, state or local regulatory body against you as a result of a privacy breach or the breach of a privacy regulation by you or by a person, including an independent contractor, for whom you are legally responsible
Insurance Coverage Options
Third Party Privacy (cont.)
C. Personal Injury Coverage
• See wording of the exception to the personal injury exclusion for scope
• Are claims for emotional distress and mental anguish included?
D. Privacy Breach Coverage (non-regulatory)
• Common law breach of privacy or confidentiality
Insurance Coverage Options
Network Security
Overview – Covers sums that the insured is legally obligated to pay as damages and claims expenses arising out of computer attacks caused by failures of security, including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability.
A. Unauthorized access (hacker attack) to the insured’s computer systems
B. Unauthorized use of the insured’s and the insured’s customers’ computer systems by an authorized person or a third party
C. Independent contractor - Vendor coverage (acts of outside vendors)
• Example (contractors excluded): Coverage for “your wrongful acts”, where “your” does not include independent contractors
• Example (contractors included): Coverage for wrongful acts by any insured, where insured includes independent contractors who are natural persons and are acting within the written scope of their engagement on behalf of the named insured
Insurance Coverage Options
Network Security (cont.)
D. Denial of service attack (third parties cannot access the insured’s website)
E. Transmission of a computer virus
Insurance Coverage Options
Internet / Media Liability (optional coverage)
• Electronic content coverage: information disseminated on the website, including an extension for copyright / trademark
Example: Coverage for injury sustained by a third party because of the actual or alleged infringement of a trademark name, copyright, the name of a title or the title of an artistic or literary work, arising from information on the website
• Personal Injury
• Advertising Injury (of the company’s own products, but only in electronic format)
Insurance Coverage Options
Cyber Extortion
• Expenses incurred in responding to an extortion demand
• Extortion payment (not all forms cover this)
• Policies have prior consent provisions
Insurance Coverage Pitfalls
Watch The Exclusions!
A. Some policies exclude coverage for “claims” related to the insured’s failure to maintain or upgrade their security
• Example: No coverage arising out of or resulting from the failure of computer systems or data assets to be protected by computer security equal to or superior to that disclosed in response to specific questions in the application
• Practical consequence: the security controls described in the application function as a warranty, so keep evidence that those controls remained in place throughout the policy period
B. Some policies exclude coverage for “claims” alleging fraudulent or malicious acts by employees
• Example: “Privacy Peril” does not include any intentional, fraudulent, criminal or malicious act, error or omission committed by any employee if any elected or appointed officer possessed any knowledge of the act
Insurance Coverage Pitfalls
Watch The Exclusions!
C. Some policies exclude certain operations of the insured, or may not cover various types of computer or peripheral devices
• Example: No coverage for theft of data via laptops unless whole-disk encryption, or encryption of an equivalent grade, is used
D. Some policies will not cover actions of independent contractors working on behalf of the Insured
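An exclusion like the laptop example above turns “is the disk encrypted?” into a question the insured must be able to answer with evidence for every device. The following is an added example (not from the presentation or its author) of one such check for Linux laptops: it parses the JSON that lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT prints and reports which mounted filesystems are not stacked on a dm-crypt layer. The three lsblk outputs are constructed for the demonstration, and the assumption that /boot and the EFI partition are legitimately unencrypted is a choice made here; everything else (including swap, which holds the hibernation image) must sit on an encrypted device for the machine to count as whole-disk encrypted.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output for three laptops; not captured from real hosts.
# Laptop A: LUKS container holding LVM with /, /home and swap; only /boot and the EFI partition are plain.
LAPTOP_LUKS = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
                {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]}]})
# Laptop B: no encryption anywhere.
LAPTOP_PLAIN = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}]}]})
# Laptop C: only /home is encrypted; / and swap are plain, so logs, caches and the hibernation image leak.
LAPTOP_HOME_ONLY = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "crypthome", "type": "crypt", "fstype": "ext4", "mountpoint": "/home"}]},
        {"name": "sda4", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}]}]})

# Mounts that are unencrypted by design on a typical LUKS layout (assumption made for this example).
BOOT_MOUNTS = {"/boot", "/boot/efi"}


def walk(devices, ancestors=()):
    """Yield (device, chain) for every node in the lsblk tree; chain includes the node itself."""
    for dev in devices:
        chain = ancestors + (dev,)
        yield dev, chain
        yield from walk(dev.get("children", []), chain)


def mount_encryption(lsblk_json: str) -> dict:
    """Map each mountpoint (swap shows as '[SWAP]') to whether a dm-crypt device sits beneath it."""
    tree = json.loads(lsblk_json)["blockdevices"]
    result = {}
    for dev, chain in walk(tree):
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            result[mountpoint] = any(node.get("type") == "crypt" for node in chain)
    return result


def unencrypted_mounts(lsblk_json: str) -> list:
    """Mounts that must be encrypted for a whole-disk claim but are not, sorted for stable reporting."""
    enc = mount_encryption(lsblk_json)
    return sorted(mp for mp, ok in enc.items() if not ok and mp not in BOOT_MOUNTS)


def has_full_disk_encryption(lsblk_json: str) -> bool:
    """True only if the root filesystem is present and nothing outside BOOT_MOUNTS is unencrypted."""
    enc = mount_encryption(lsblk_json)
    return "/" in enc and not unencrypted_mounts(lsblk_json)


if __name__ == "__main__":
    for label, output in (("A", LAPTOP_LUKS), ("B", LAPTOP_PLAIN), ("C", LAPTOP_HOME_ONLY)):
        verdict = "whole-disk encrypted" if has_full_disk_encryption(output) else "NOT whole-disk encrypted"
        print(f"laptop {label}: {verdict}; unencrypted: {unencrypted_mounts(output)}")
```

Laptop C is the case that matters for the exclusion: an “encrypted home directory” build is not whole-disk encryption, and an insurer reading the example exclusion literally could treat a lost laptop C as uncovered. Windows and macOS fleets need the equivalent evidence from manage-bde -status and fdesetup status respectively; whatever the platform, collect the result centrally and date it, since the question after a loss is whether the device was encrypted on the day it went missing.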
Key coverage to look for in Policies
Privacy Breach Coverage
• Coverage includes Employee Personal Information
• Regulatory defense
• Regulatory civil monetary penalties and fines?
• Breach of privacy regulations/laws?
Key coverage to look for in Policies
Network Security Coverage
• Unauthorized Access
• Unauthorized use (rogue employee)
• Denial of service attacks on systems of third parties
• Transmission of malicious code/virus to third parties
• Identity theft/theft of data
• Inability of an authorized third party to access the insured’s computer systems
• Damage, destruction, deletion, tampering or alteration of electronic data of third parties
• Data in any form other than electronic (loss of paper records, e.g., dumpster diving)
• Data definition extended to private, proprietary and confidential corporate information
• Theft of laptops (laptops do not have to be encrypted)
Key coverage to look for in policies
Extortion Coverage
• Expenses only
• Ransom payments
Crisis Management Expenses
• Public relations expenses
• Notification expenses
• Credit monitoring costs
• Forensic systems investigations
• Crisis management expenses limited only to breach of privacy or breach of privacy regulations
Key coverage to look for in policies
First Party Data Protection or E-Vandalism Expenses
• Costs or expenses vary by form (generally incurred to restore, remediate, or replace damaged, deleted, destroyed or inaccessible data)
First Party Network Business Interruption
• Extra expenses during restoration
• Business income loss
Independent Contractors
• Insured protected if I.C.’s commit a wrongful act
• Coverage extended to I.C.’s
Risks That Could Impact Client Companies
(Worksheet: rate each event’s likelihood and potential impact as Low / Med / High)

Potential Risk Event | Likelihood (Low Med High) | Potential Impact (Low Med High)
Costs to repair damage to your information assets | |
Privacy regulatory action defense and fines | |
Privacy breach notification costs & credit monitoring | |
Legal liability to others for privacy breaches | |
Damage to 3rd party information assets | |
Website copyright/trademark infringement claims | |
Risks That Could Impact Client Companies (cont.)

Potential Risk Event | Likelihood (Low Med High) | Potential Impact (Low Med High)
Wrongful acts by independent contractors | |
Need to engage a crisis management firm if an incident occurs | |
Regulated industry? Identify any unique risks / regulations | |
Cyber extortion threat | |
Loss of revenue due to a failure of security at a dependent technology provider | |
Loss of revenue due to a failure of security or computer attack | |
Contact:
Cliff Rudolph
crudolph@psfinc.com
425.709.3705