
Page 1: March 23-24, 2015 Doing Business Abroad...Digital Agenda 2014-2017. New rules came into force on December 17, 2014 where operators of critical infrastructures must implement a specific

#ACIRisk

ACI’s 10th National Forum on Cyber Data Risk Insurance

Doing Business Abroad: Conflicting Security and Compliance Obligations in and Across Varying Jurisdictions, Trends in International Claims for Cyber Attacks and Breaches, and Market Conditions and Cyber Insurance Product Availability Outside of the U.S.

March 23-24, 2015

• Marcello Antonucci, Esq., Claims Manager, Technology, Media & Business, Beazley Group
• Matthew McCabe, Senior Vice President, Network Security & Data Privacy, Marsh FINPRO
• Norma M. Krayem, Global Co-Chair, Data Protection Cybersecurity, Squire Patton Boggs (US) LLP

Tweeting about this conference?

Page 2

Wait, I’m a US company, why do I need to worry about global cyber and privacy liability?

• Information knows no bounds
• Data migration issues
• People move too
• Doing business abroad
• Ok then, what’s going on in the rest of the world?

Page 3

Globalization and Trends in Cybersecurity and Data Privacy

• Global cybersecurity threats mean risks across all borders
• Post-Snowden concerns have continued to grow, not lessen
• Geopolitical risks have resulted in global alliances and splits
• Respected global entities rank cyber attacks among the top global risks:
  • Ranked among top emerging and technological risks - The World Economic Forum (2015)
  • Ranked among top 3 threats worldwide - Lloyd’s of London’s Global Risk Index (2013 edition)

Page 4

Overview: Global Changes in Cybersecurity and Data Privacy Issues

• U.S. debate moves both cyber and privacy approaches forward:
  • Moving to address key sectors that are not currently regulated for cybersecurity
  • Executive Branch agencies ramping up oversight of the insurance sector on cyber preparedness and regulatory exams
  • Liability protections being debated for increased sharing of cyber threat indicators, private-to-private and private-to-government
  • Move towards an enhanced data privacy regime, with federal preemption over the existing state patchwork of laws
• EU move towards a more “U.S.”-like approach on cybersecurity:
  • Commission focusing on the NIST Cyber Framework as a baseline
  • Move towards similar threat analysis and information sharing
  • Current EU privacy laws being reviewed in the wake of awareness of the overlap of cybersecurity and privacy regimes
  • Cyber insurance looked at as an “incentive” for critical infrastructure sectors

Page 5

EU Proposed Cybersecurity Approach

European Union: Network & Information Security Directive pending before EU Parliament:

• Proposed in 2009 together with the EU-wide cybersecurity strategy “An Open, Safe and Secure Cyberspace”
• Targets operators of critical infrastructure, Internet enablers and public administrations, which are required to assess risk and adopt appropriate measures
• Legislation still being debated, with the EU Council (Member State Ministers) deciding on a common approach
• Main points of contention:
  • strict regulation versus guiding principles;
  • inclusion/exclusion of particular services (e.g. cloud) or sectors (e.g. information technology)
• Expected to be finalised in 2015

Page 6

Member States Approach to Cybersecurity

• Germany: New cybersecurity law unveiled in August 2014 as part of the Digital Agenda 2014-2017. New rules came into force on December 17, 2014 under which operators of critical infrastructures must implement a specific standard of technical measures.
• UK: UK Cyber Essentials launched in 2014: a set of standards designed to provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. Also announced formal adoption of the U.S. NIST Framework.
• France: Network and Information Security Agency (ANSSI) Strategy for information systems defense and security. Created new Cyber Defense General Officer.
  • In 2013, adopted new standards and incident reporting procedures for operators of critical infrastructure, inserting new provisions into the Defense and Penal Codes

Page 7

EU Draft Data Protection Regulation

A highly controversial effort that proposes sweeping changes to the existing EU data protection landscape (1995 Data Protection Directive). The European Parliament has agreed a text, but it remains in a process of review and negotiation with the Commission and Council of Ministers.

Agreement on some provisions was reached (December 2014), but many issues are still being debated.

Industry is pushing to move away from a “one size fits all” approach towards a more risk-based Regulation built on broad principles that can be adapted to the context of the data processing and the data controller’s business. Some of the changes include:

• Only “high risk” data breaches now need to be notified to local data protection authorities and victims (e.g. financial loss, discrimination, damage to reputation etc.)

Goal is final text and adoption by end of 2015. Implementation likely in 2017.

Page 8

EU (continued)

Maximum fines of up to EUR 100 million or 5% of global turnover (whichever is higher) for non-compliance, and rights for victims to claim compensation, including for non-pecuniary loss.

Focus is on “a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.”

Notification of Data Breaches

• Article 31: a change from “voluntary” to “compulsory.”
• Applies where there is “severe or moral harm.”
• Inform the Regulator first (without undue delay and, where feasible, within 72 hours).
• Inform individuals where personal data or privacy is severely affected (e.g. identity theft/fraud), but not if the lost data was rendered unintelligible (i.e. encrypted).

Page 9

Developing Privacy Rights in EU

Right to be Forgotten: deletion of personal data upon request, or when redundant.

Right to Compensation (Art. 77)

• For damage caused as a result of an unlawful processing operation or of an action incompatible with the Regulation. Case law is developing with respect to compensation awards for “distress” caused by breaches of the DPA. See Halliday v. Creation Consumer Finance [2013], Vidal-Hall v. Google [2014], AB v. MoJ [2014], CR19 v. Chief Constable of the Police Service of Northern Ireland [2014].

Class or Collective Actions: spreading from the US to France and maybe Germany next. How will this play out? If there is liability, there is a need for insurance.

Page 10

New Global Privacy Changes on the Horizon

Canada: May amend the Personal Information Protection and Electronic Documents Act (PIPEDA) soon. Provincial lawmakers and regulators already active.

Australia: Regulators becoming more active. Waiting for upcoming elections to amend their Privacy Act.

Brazil: No general data protection law in Brazil. However, there are a number of specific laws that address various privacy and data protection issues. Along with Chile, an important barometer for South America on legal trends. Also starting debate on data localization laws.

India: Government collection of biometric data will be an interesting process to watch. Waiting for EU to amend their Information Technology Act.

Russia: New data “localization” laws became effective Sept. 2015. Personal data collected in Russia (including via the internet) must be stored in data centers in Russia. Russia can block internet sources which are used to process personal data in breach of the rules. The Russian subsidiary of any foreign company must set up local servers for all data.

China: Currently debating a similar data localization approach to Russia. New data protection and privacy standard about to take effect with very broad definition of

Singapore: Developing data protection law. Regulatory involvement. Recent breach. Could be a sign of things to come in Asia.

Page 11

Global Data Breach Response: Sounds Complicated?

• It’s the same, and different.
• Internal planning, global coordination and practice, practice, practice!
• Talk about a patchwork of laws!
• Let’s get real: consumer expectations and a commercial standard.
• Regulators coming out of the woodwork. Prepare for the unexpected.

Page 12

Keys for Global Breach Response?

• Logistics are key
• International sophistication, local touch
• What are you offering? The issue of credit and identity monitoring
• Insurance solutions, service and partnership

Page 13

Interest in Cyber Insurance Continues to Climb

(Chart data recovered from the extracted labels. The four value series are matched to the years 2011-2014 on the basis of the chart legend and the rising trend in every row, so the year assignment is inferred rather than read directly from the chart.)

Industry                               2011   2012   2013   2014
All Industries                           7%    10%    13%    16%
Communications, Media and Technology     7%    10%    11%    12%
Education                               10%    19%    22%    32%
Financial Institutions                  10%    13%    17%    21%
Health Care                             32%    37%    45%    50%
Hospitality and Gaming                   4%     8%    16%    26%
Power and Utilities                      8%    10%    14%    21%
Retail and Wholesale                     8%    10%    13%    18%

Page 14

Global Coverage

Cyber policies explicitly provide that the territory for coverage is worldwide.

“This Insurance applies to Claims made, and acts, errors or omissions committed, or Loss occurring anywhere in the world.”

“This Policy applies to Wrongful Acts occurring, Claims made, Privacy Events occurring, and any other loss, cost, expense or damage claimed under any other Coverage, anywhere in the world, to the extent permitted by applicable law.”

“Where legally permissible, this policy shall apply to First Party Events and Third Party Events occurring, Claims made or Losses suffered anywhere in the world.”

Page 15

Global Coverage (continued)


U.S. Cyber Premium

EU Cyber Premium

Other?