CYBER RISKS
Cyber Security, Privacy and the Regulatory environment
What is cyber?
The term "cyber" refers to the use of computers, the internet, computer networks, and electronic information databases.
What creates cyber/privacy risk?
• Internet connectivity
• E-commerce
• Business websites and internet advertising
• Customer forums and support/message boards
• Credit card processing/online payment
• Data storage, ISP, website design
• Providing media content
• Paper documents
What is a data/privacy breach?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual not authorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), corporate trade secrets or intellectual property.
Street values: $50 per medical identity vs. $1 per SSN*
*American Health Information Management Association
What is 1st party and 3rd party?
The cyber risks to which an organization is exposed fall into two general categories, and insurance coverage is available for both:
1) Losses suffered by the organization itself (1st party losses): extortion, employee theft, system failure, etc.
2) The organization's liability to third parties (3rd party losses): hacker theft of data, intellectual property infringement, etc.
Foundations of Cyber Risk
• Focus is on data about the person, not the person (cf. traditional privacy torts)
• Information technology and the Internet magnify the risk
• Multi-jurisdictional exposure
• Data security vs. data privacy
Data Security Risks
• Protection Risks (information security): failure to implement adequate measures to protect private information from theft by others or disclosure to unauthorized persons
• Failure to Warn Risks: failure to warn of actual or suspected unauthorized access to personally identifiable information (PII), e.g. under breach notice laws
Data Privacy Risks
• Collection Risk: intrusively or secretly collecting PII without the consent of the individual
• Disclosure and Mishandling Risk: mishandling of PII, disclosing PII in a fraudulent manner, or providing PII to bad actors without consent
• Choice/Consent Risks: failure to give the person a choice in how their PII is collected and handled, including failure to provide opt-in/opt-out
• Notice Risks: failure to provide notice of PII handling practices, or provision of inadequate or fraudulent notice
• Accuracy/Integrity Risks: disseminating inaccurate PII or failing to correct PII
• Access Risks: failure to provide access to collected PII
• Lack of a privacy policy / inadequate privacy policy
Regulatory Environment: Florida Law (as of 9/6/2011)
Fla. Stat. § 817.5681 (effective 7/1/2005)
• Triggering event: unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information (PI), unless an investigation finds that misuse of the PI has not occurred or is not reasonably likely to occur (documentation of that finding must be retained for 5 years)
• Civil or criminal penalties: yes (government agencies are exempt)
• Pre-breach measures required: no
• Timing of notification: without unreasonable delay, but no later than 45 days, unless an investigation finds that misuse of the PI has not occurred or is not reasonably likely to occur (documentation must be retained for 5 years)
• Other parties to notify: consumer reporting agencies, if more than 1,000 persons are being notified
Regulatory Environment: Information Security Laws
Control requirements:
• HIPAA
• FACTA Identity Theft Red Flag Rules
• Data disposal laws (e.g. Colo. Rev. Stat. Ann. § 6-1-713)
• Encryption laws (Massachusetts and Nevada)
• State "reasonable security" laws (e.g. Cal. AB 1950)
• Gramm-Leach-Bliley Act (GLB, financial industry)
• Written Information Security Program requirement (Massachusetts)
• International laws (EU Data Protection Directive)
Failure to warn laws:
• "Breach notice laws" in about 46 states
• HITECH Act (amending HIPAA): see the 2011 Annual Report to Congress statistics
The Value of Your Data
• Information and intellectual property are an organization's most valuable assets today
• No longer a "bricks and mortar" world
• The impact of a data breach on an organization is huge: financial loss, business distraction, loss of customers, damage to reputation
• The "next product" is becoming a standard product
Other Coverage
The cyber risks to which a corporation is exposed fall into two general categories, and insurance coverage is available for both:
1) Losses suffered by an Insured (1st party losses)
2) An Insured's liability to third parties (3rd party losses)
Standard property, liability or crime policies will not traditionally cover damage to or loss of intangible assets (data and systems), so there is a significant gap in coverage, both in terms of exposure and because of the ever greater dependency on technology to be able to do business.
Traditional property/casualty programs do not meet the need!
Typical Agreements/Capabilities
Third party liabilities: technology E&O; employee privacy; intellectual property (electronic media); network/privacy liability; denial of service; transmission of malicious code
First party losses: unauthorized access; cyber extortion and cyber terrorism; unauthorized use; loss of digital assets; business interruption (non-CGL); security event costs
First Party Causes of Loss – May Include
• Accidental damage or destruction: physical damage to data (no longer machine-readable); failure of a power supply that is under your direct control
• Administrative or operational mistakes: entry or modification of your data
• Computer crime and computer attacks: malicious code introduction; unauthorized access; unauthorized use; denial of service attack
Non-Physical Business Interruption
• Extra expenses incurred to avoid or minimize suspension of business
• Lost profits (net income)
• Fixed operating expenses incurred during the period of restoration
• Costs related to outside consultants and service providers
Network Security and Privacy Liability
• Damages and claim expenses arising from an alleged breach of security or privacy breach
• 3rd party suits involving damages
• Typically includes errors or omissions by outside service providers for whom you are legally liable
Cyber Extortion Threat
• Extortion expenses and extortion monies resulting directly from a credible threat made during the policy period
• Typically requires that law enforcement (the FBI) be involved, or at least that every reasonable attempt be made to consult with it, before any extortion monies are paid
Electronic Media Liability
• Publishing liability for content on your internet or intranet site: defamation, libel, slander; invasion of privacy; plagiarism, misappropriation; copyright or domain name infringement
• Excludes any patent infringement
A Cyber Event Occurs: Now what?
Cyber/Privacy Insurance
• Family Planning Council of Philadelphia, April 9th: an employee stole a computer storage device (a flash drive kept in another employee's desk) containing the personal and medical records of about 70,000 patients. No indication that the missing patient data had been inappropriately used.
• Gucci, April 6th: a network engineer who had been terminated by the company used his expertise and insider access to delete documents and emails and shut down Gucci's server for more than 24 hours.
• New York Yankees, April 28th: an employee mistakenly sent an email containing a spreadsheet attachment with the personal information of 17,000 season ticket holders to other season ticket holders.
Cyber/Privacy Insurance: Family Planning Council of Philadelphia (April 9th)
Needs relating to this event:
• Investigation/forensics (network security team?)
• Defense and coverage counsel expenses
• Determine compliance with all relevant state and federal privacy laws
• Notification and credit monitoring where necessary
• Public relations
• Possible recovery of data
• Monitoring of data / investigation assistance
• Financial impact
Cyber/Privacy Insurance: Gucci (April 6th)
Needs relating to this cyber event:
• Investigation/forensics (network security team)
• Defense and coverage counsel expenses
• Determine compliance with all relevant state and federal privacy laws
• Notification and credit monitoring where necessary
• Public relations
• Recovery/correction of data
• Business interruption costs (email access was cut for the entire country)
Cyber/Privacy Insurance: New York Yankees (April 28th)
An employee mistakenly sent an email containing a spreadsheet attachment with the personal information (specifically the names, addresses, phone numbers, e-mail addresses and seat numbers) of 'several hundred'* season ticket holders to other season ticket holders.
Needs relating to this cyber event:
• Investigation/forensics (network security team?)
• Defense and coverage counsel expenses
• Determine compliance with all relevant state and federal privacy laws
• Notification and credit monitoring where necessary
• Public relations
Cyber/Privacy Insurance: Professionals Involved in Handling a Cyber Claim
• Breach notice and defense counsel (privacy attorneys)
• Computer forensics companies
• Breach investigation
• Public relations firms
• Credit monitoring firms
• Breach notification and call center services: data breach incident response planning; address list management; direct mail capability (prep, print and mail); call center; returned mail management
Cyber/Privacy Insurance: Top 10 Trends for 2011*
• More small-scale data breaches in the news
• "Low-tech" theft will increase
• Lost devices will continue to dominate
• Data minimization will increasingly be seen as essential
• Increased exchange and collaboration will increase risk
• More social networking policies implemented
• Data encryption = golden ticket
• Business associates
• Privacy awareness training
• Overarching federal law?
*Kroll Fraud Solutions, Top Ten Data Trends for 2011