Overview of Identity Theft, Data Breaches and Cyber/Privacy Liability Insurance October 6, 2009

Michelle Lafferty – Corporate Counsel, Specialty Claims Counsel, Executive Risk Practice

• Hylant Group

• Cleveland Office

Agenda

• Examples & Statistics – Data Breach

• Examples & Statistics - Cyber attack

• Legislative Environment

• Insurance Coverage

• Policy Gap Analysis

• Insurers

Who is this man?!?

Laptop anyone?

Data Breach Examples

Historical Large Losses

• America Online: 30 Million

• US Dept. of Veterans Affairs: 26.5 Million

• Citigroup: 30 Million

• TJX: 94 Million (double the original estimate)

  ♦ Required to provide three years of credit monitoring and three years of victim assistance as part of their class action settlement

  ♦ Criminals had access to the TJX system for 17 months

  ♦ TJX loss is estimated to be over $1.35 billion (source: Forrester Research)

Data Breach Examples

Last 12 Months

• Countrywide Financial: 2 Million (customers)

• Hannaford Bros.: 1.5 Million (customers)

• Fallon Community Health Plan: 30,000 (patients)

• Harvard Law School: 21,000 (clients)

• Barclays Bank: 17,000 (customers)

• National Guard Bureau: 131,000 (soldiers)

• Naval Hospital Pensacola: 38,000 (pharmacy customers)

• Network Solutions: 573,000 (credit card holders)

Data Breach Examples

Heartland Payment Systems

• 6th largest credit-card payment processor in the country

• 100 million card transactions each month, 250,000 businesses

• May – November, 2008 spyware installed

• Unencrypted credit card data – 250 million records

• Magnetic strip data & names

• More than 220 banks affected

• Defense: No PII breached – 3 class action lawsuits anyway

• $12.6MM expenses to date

Data Breach Examples

More than 150 million Americans have had their information put at risk in the last 2 years.

www.privacyrights.org

Personal Data Statistics

Summary of Ponemon Institute, LLC’s 2006 Annual Study: Cost of a Data Breach:

• Total Average Cost:

  • $182 per lost record

  • $4.8 million per breach

  • Range of $226,000 to $22 million per breach

• Lost productivity costs averaged $30 per lost record

• Customer opportunity costs averaged $98 per lost record (turnover of existing customers and increased difficulty acquiring new customers)

• Direct incremental costs averaged $54 per lost record (unbudgeted spending for legal counsel, notification letters, discounted product offers, etc.)

Personal Data Statistics

• 23 million U.S. adults have received notification of a breach from companies

• 60% of respondents terminated or considered terminating their relationship with the company

• 14% were not concerned

• Almost 30% of reported breaches originated with external partners, consultants, outsourcers, or contractors

• More than 90% of all breaches were in digital form (laptops, electronic backups, and hacked or attacked systems)

• 47 states have passed some version of a database notification law

Cyber Attack Examples

• Express Scripts (cyber extortion)

• TD Waterhouse (unauthorized access)

• YouTube (web site content)

• Care First of Maryland (web site content)

• Authorize.net (denial of service attack)

• Six Apart, Ltd. (denial of service attack)

• Paine Weber (malicious code)

Cyber Statistics (2008 Computer Security Survey Report)

• 43% of companies surveyed experienced cyber security incidents in 2008

• 27% of the companies surveyed experienced targeted attacks

• Companies that experienced incidents reported the following types:

  • Virus (50%)

  • Insider abuse (44%)

  • Laptop theft/compromise (42%)

  • Unauthorized access (29%)

  • Bots (internet/web robots) (20%)

  • Computer-related financial fraud (12%)

  • DNS (domain name system) compromised (8%)

• Over $500 per employee is spent by U.S. companies on IT Security

• The average direct financial loss reported was $289,000

Legislative Environment

• State Notification Laws

• HIPAA

• Gramm-Leach-Bliley

• FTC Red Flag Rules

FACTA Red Flag Rules

Red Flag Rules recently became effective in January 2008 and compliance is required by November 1, 2009. Under these rules, covered accounts, creditors and businesses:

• Must develop and implement a written privacy and security program

• Must obtain approval of the initial written program from either its Board of Directors or an appropriate committee of the board of directors

• Small businesses are not exempt

• A covered entity cannot escape its obligation to comply by outsourcing

• Businesses must exercise appropriate and effective oversight of service providers.

• Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft

Insurance – First Party Liability

Business Interruption

• Lost income realized as a result of a hacker attack or a virus

• Extra expense

• Dependent business interruption

Crisis Expenses

• Public relations expenses

• Notification expenses

• Regulatory defense

• Credit-monitoring and other services to customers

Digital Asset Coverage

• Cost to restore or recollect data lost or stolen

Extortion & Criminal Reward Fund

• Extortion monies paid and the cost of a cyber investigator

• Reward for information leading to arrest of hacker, cyber criminal

Insurance – Third Party Coverage

• Network Security Liability

  • Protection for claims brought by third parties for the following:

    • Theft of personally identifiable data

    • Denial of service attack

    • Virus transmitted to the third party

• Electronic Media Liability/Internet Liability

  • Protection for claims brought by third parties alleging invasion of privacy, libel, defamation, copyright, title or trademark infringement with regard to information posted on an Insured’s website

• Privacy Extension

  • Protection from claims arising out of theft or compromise of personally identifiable data regardless of method

Policy Gap Analysis

• General Liability Insurance - Coverage for bodily injury or property damage

  - Intentional acts are excluded

  - Intangible property is excluded

• Property Insurance - Coverage for loss of tangible property caused by a covered peril

  - Computer viruses are excluded

  - Intangible property is excluded

  - Business interruption coverage only applies if there has been a direct physical loss

• Crime Insurance - Coverage for theft of money, securities or other property

  - No coverage for theft of information, trade secrets and other types of confidential information

• Directors & Officers Liability Insurance - Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in such capacity

• Technology Errors & Omissions Liability Policy - Coverage for claims resulting from an Insured’s rendering or failure to render professional services to others for a fee

Policy Gap Analysis

Cyber Peril | Property/EDP | General Liability | Crime | K&R | E&O | D&O | Corporate ID Theft | Full Cyber Risk

Physical Loss 1 2

Mechanical Breakdown 1

Loss of revenue/extra expense due to computer attack

Loss of revenue/extra expenses due to computer attack on dependent business

Loss of, damage to corporate data/information

Theft of corporate data/information

Cyber threats or extortion

Liability to others for computer security breaches 3 4 5 6

Information technology services errors and omissions

Copyright/trademark infringement 7 8

Content and advertising injury/offense 9 8

Legal liability to others for privacy breaches 10 6

Identity Theft of personal data (including employee, customer)

Identity Theft expenses (crisis management, notification, credit monitoring)

Cyber Risk Insurers

• AIG

• Arch

• Beazley

• Chubb

• C.N.A.

• Darwin

• Hartford

• Hiscox U.S.

• Lloyd’s of London (AGM Syndicate)

Property | Casualty | Employee Benefits | Medical Risk | Personal | Captives | Environmental

Executive Risk | Claims Advocacy | Risk Control | International | Wealth Management

HYLANT GROUP

EXECUTIVE RISK PRACTICE hylantexecutiverisk.com