#ACIRisk
ACI’s 10th National Forum on Cyber Data Risk Insurance
Doing Business Abroad: Conflicting Security and Compliance Obligations in
and Across Varying Jurisdictions, Trends in International Claims for Cyber Attacks and
Breaches, and Market Conditions and Cyber Insurance Product Availability Outside of the U.S.
Marcello Antonucci, Esq.
Claims Manager
Technology, Media & Business
Beazley Group
Matthew McCabe
Senior Vice President,
Network Security & Data Privacy
Marsh FINPRO
March 23-24, 2015
Norma M. Krayem
Global Co-Chair,
Data Protection Cybersecurity
Squire Patton Boggs (US) LLP
• Information knows no bounds
• Data migration issues
• People move too
• Doing business abroad
• Ok then, what’s going on in the rest of the world?
Wait, I’m a US company, why do I need to worry about global cyber and privacy liability?
Globalization and Trends in Cybersecurity and Data Privacy
• Global cybersecurity threats mean risks across all borders
• Post-Snowden concerns have continued to grow, not lessen
• Geopolitical risks have resulted in global alliances and splits
• Respected global entities rank cyber attacks among the top global risks:
  • Ranked among top emerging and technological risks – The World Economic Forum (2015)
  • Ranked among top 3 threats worldwide – Lloyd’s of London’s Global Risk Index (2013 edition)
Overview: Global Changes in Cybersecurity and Data Privacy issues
• U.S. debate moves both cyber and privacy approaches forward:
  • Moving to address key sectors that are not currently regulated for cybersecurity
  • Executive Branch agencies ramping up oversight of the insurance sector on cyber preparedness and regulatory exams
  • Liability protections being debated for increased sharing of cyber threat indicators, private-to-private and private-to-government
  • Move towards an enhanced data privacy regime, with federal preemption over the existing state patchwork of laws
• EU move towards a more “U.S.”-like approach on cybersecurity:
  • Commission focusing on the NIST Cyber Framework as a baseline
  • Move towards similar threat analysis and information sharing
  • Current EU privacy laws being reviewed in the wake of awareness of the overlap between cybersecurity and privacy regimes
  • Cyber insurance looked at as an “incentive” for critical infrastructure sectors
EU Proposed Cybersecurity Approach
European Union: Network & Information Security Directive pending before EU Parliament:
• Proposed in 2009 together with EU-wide cybersecurity strategy “An Open, Safe and Secure Cyberspace”
• Targets operators of critical infrastructure, Internet enablers, public administrations – required to assess risk and adopt appropriate measures
• Legislation still being debated and EU Council (Member State Ministers) deciding on common approach
• Main points of contention:
• strict regulation versus guiding principles;
• inclusion/exclusion of particular services e.g. cloud or sectors e.g. information technology
• Expected to be finalised in 2015
Member States Approach to Cybersecurity
• Germany: New Cybersecurity Law unveiled in August 2014 – part of the Digital Agenda 2014-2017. New rules came into force on December 17, 2014, under which operators of critical infrastructures must implement a specific standard of technical measures.
• UK: UK Cyber Essentials launched in 2014: a set of standards designed to provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. Also announced formal adoption of the U.S. NIST Framework.
• France: Network and Information Security Agency (ANSSI) Strategy for information systems defense and security. Created a new Cyber Defense General Officer.
  • In 2013, adopted new standards and incident reporting procedures for operators of critical infrastructure, inserting new provisions into the Defense and Penal Codes
EU Draft Data Protection Regulation
Highly controversial effort proposes sweeping changes to the existing EU data protection landscape (1995 Data Protection Directive). The European Parliament has agreed on a text, but it remains in a process of review and negotiation with the Commission and the Council of Ministers.
Agreement on some provisions was reached (December 2014), but many issues are still being debated:
Industry is pushing to move away from a “one size fits all” approach towards a more risk-based Regulation built on broad principles that can be adapted to the context of the data processing and the data controller’s business. Some of the changes include:
• Only “high risk” data breaches now need to be notified to local data protection authorities and victims (e.g. financial loss, discrimination, damage to reputation etc.)
Goal is final text and adoption by end of 2015. Implementation likely in 2017.
Maximum fines of up to EUR 100 million or 5% of global turnover (whichever is higher) for non-compliance, and rights for victims to claim compensation, including for non-pecuniary loss.
Focus is on “a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.”
Notification of Data Breaches
Article 31: A change from “voluntary” to “compulsory.”
Where “severe or moral harm.”
Inform the Regulator first (without undue delay and, where feasible, within 72 hours).
Inform individuals where personal data or privacy are severely affected (e.g. identity theft/fraud), but not if the lost data was rendered unintelligible (i.e. encrypted).
EU (continued)
Right to be Forgotten: Deletion of personal data upon request, or when redundant.
Right to Compensation (Art. 77)
• For damage caused as a result of an unlawful processing operation or of an action incompatible with the Regulation. Case law is developing with respect to compensation awards for “distress” caused by breaches of the DPA. See Halliday v. Creation Consumer Finance [2013], Vidal-Hall v. Google [2014], AB v. MoJ [2014], CR19 v. Chief Constable of the Police Service of Northern Ireland [2014].
Class or Collective Actions: Spreading from the US to France, and maybe Germany next. How will this play out? If there is liability, there is a need for insurance.
Developing Privacy Rights in EU
New Global Privacy Changes on the Horizon
Canada: May amend the Personal Information Protection and Electronic Documents Act (PIPEDA) soon. Provincial lawmakers and regulators already active.
Australia: Regulators becoming more active. Waiting for upcoming elections to amend their Privacy Act.
Brazil: No general data protection law in Brazil. However, there are a number of specific laws that address various privacy and data protection issues. Along with Chile, an important barometer for South America on legal trends. Also starting debate on data localization laws.
India: Government collection of biometric data will be an interesting process to watch. Waiting for EU to amend their Information Technology Act.
Russia: New data “localization” laws became effective Sept. 2015. Personal data collected in Russia (including via the internet) must be stored in data centers in Russia. Russia can block internet sources which are used to process personal data in breach of the rules. The Russian subsidiary of any foreign company must set up local servers for all data.
China: Currently debating a similar data localization approach to Russia. New data protection and privacy standard about to take effect with very broad definition of
Singapore: Developing data protection law. Regulatory involvement. Recent breach. Could be a sign of things to come in Asia.
• It’s the same, and different.
• Internal planning, global coordination and practice, practice, practice!
• Talk about a patchwork of laws!
• Let’s get real: consumer expectations and a commercial standard.
• Regulators coming out of the woodwork. Prepare for the unexpected.
Global Data Breach Response: Sounds Complicated?
• Logistics are key
• International sophistication, local touch
• What are you offering? The issue of credit and identity monitoring
• Insurance solutions, service and partnership
Keys for Global Breach Response?
Interest in Cyber Insurance Continues to Climb
[Chart: percentages by industry for the years 2011, 2012, 2013 and 2014. Industries: All Industries; Communications, Media and Technology; Education; Financial Institutions; Health Care; Hospitality and Gaming; Power and Utilities; Retail and Wholesale.]
Global Coverage
Cyber policies explicitly provide that the territory for coverage is worldwide.
“This Insurance applies to Claims made, and acts, errors or omissions committed, or Loss occurring anywhere in the world.”
“This Policy applies to Wrongful Acts occurring, Claims made, Privacy Events occurring, and any other loss, cost, expense or damage claimed under any other Coverage, anywhere in the world, to the extent permitted by applicable law.”
“Where legally permissible, this policy shall apply to First Party Events and Third Party Events occurring, Claims made or Losses suffered anywhere in the world.”
Global Coverage (continued)
U.S. Cyber Premium
EU Cyber Premium
Other?