
Wells Fargo Insurance Services USA, Inc.

©2012 Wells Fargo Bank, N.A. All rights reserved. Confidential.

Privacy and Network Security Liability in Higher Education

EASFAA Annual Meeting

Boston, MA May 8th, 2013

John Farley, Wells Fargo Insurance Services

Mark Greisiger, NetDiligence

John Mullen, Nelson, Levine, de Luca & Hamilton

Agenda

Recent data breach studies

Causes of data breaches

High risk industries

What is at risk for higher education

Legal and financial consequences

Recent higher education breaches

Data breach best practices

Vendor management

Insurance coverage

State laws

Federal laws


High Hazard Industry Classes

Schools, colleges, and universities

Healthcare

Financial institutions

Retail

eCommerce companies

Information and data services companies

Credit card processors

Public entities


Recent Cases

Ohio State University - December 2010

A hacker accessed a server that stored the names, Social Security numbers, dates of birth and addresses of 760,000 current and former faculty, students, applicants, and others affiliated with the university. It is estimated that it could cost the university $4 million.

University of Hawaii - 2009 through 2011

Five data breach events. In one of them, a faculty member inadvertently uploaded files containing the information to an unprotected server, exposing the names, academic performance, disabilities, and other information of more than 100,000 students, alumni, faculty and staff. The data was posted online for one year. A class action lawsuit was settled; it was the largest class action settlement ever in the state of Hawaii.


Data Breach Trends

(Chart: number of incidents by period; the plotted values are not recoverable from this extraction.)

Source: Risk Based Security, Inc., February 2013 Data Breach QuickView Report

Network Security / Data Risk

What data do you collect, and why?

Where is it? How well is it protected?

Who can access it?

When do you purge it? How do you purge it?

Data creates duties: to protect, preserve and defend.


Technical Considerations: Mark Greisiger

Why the Concern?

Malicious threats still prevalent:

• Stealth hackers, malware, extortionists; rogue contractors; disgruntled IT staffer

Non-malicious (more often):

• Staff mistakes (lost laptop)

• Marketing mishap: innocent customer data leaks

• Vendor leak

Network operation and sharing trends:

• Points of failure are multiplied by the trend of outsourcing computing needs (cloud)

• Massive dependencies and data sharing between organizations

Where is YOUR data?

A data breach: it’s not a matter of ‘if’ but ‘when’

Top Perils…That We Often See

Decentralized IT operations

Hacking (SQL injection)

Laptop loss with client data (very common)

Backup tape loss ("not my fault…it was the shipper")

Staff mistakes: data leaks via email, mailings or paper disposal

Vendor and business partner breaches (VERY COMMON!)

Why the Problem?

Universities collect, store and share VAST amounts of private data!

• More data is often collected than needed

• Data is often stored for too long (no records retention limits)

Websites are very porous and need constant care (hardening and patching).

IDS (detection) is very weak: no matter their size, many universities learn of a breach too late…or not at all!

Bad guys still rely on the prevalence of human error:

• unchanged default settings

• missing patches

• wide open laptop

• customer records (paper) improperly disposed

• guessable access

The Internet's open network

"95% of all network intrusions could be avoided by keeping systems up-to-date" (CERT)

Common Weak Spots

PROBLEM 1) IDS, or intrusion detection system (the "bad guy alert" system)

Studies show that 70% of actual breach events are NOT detected by the victim company but by third parties (and many more go undetected completely).

The FTC and plaintiff lawyers often cite "failure to detect".

Vast data: a company's IDS can log millions of events against its network each month.

False positives: 70%

PROBLEM 2) Patch management - challenges:

All systems need constant care (patching) to keep bad guys out.

Complexity of networking environments.

Lack of time: Gartner Group estimates that "IT managers spend an average of 2 hours per day managing patches".

PROBLEM 3) Encryption (of private data)

The problem spans all sizes and sectors.

ITRC (Identity Theft Resource Center): only 2.4% of all breaches had encryption.

Issues: budgets, complexities and partner systems.

Key soft spots: data "at rest" in databases and, to a lesser extent, on laptops.

Benefits: safe harbor (usually).
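The detection problem described under Problem 1 (breaches found by third parties, and alert volume swamped by false positives) in working code. This is an added example, not code from the deck or from NetDiligence: two detection rules run over a handful of constructed Apache-style access log lines. The log lines, paths and IP addresses are made up for the demonstration. The naive keyword rule fires on ordinary English in URLs ("credit union", "select committee"); the refined rule matches SQL grammar fragments in the decoded URL instead, keeps the reason for each hit, and aggregates hits per source address so an analyst sees one host with two hits rather than four undifferentiated alerts.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines standing in for a
# university web server; documentation-range IPs and hypothetical paths.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2013:10:01:12 -0400] "GET /students/profile.php?id=1024 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2013:10:01:15 -0400] "GET /students/profile.php?id=1024'%20OR%20'1'%3D'1 HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
198.51.100.23 - - [08/May/2013:10:02:01 -0400] "GET /library/search?q=credit+union+annual+report HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2013:10:02:40 -0400] "GET /students/profile.php?id=1024%20UNION%20SELECT%20ssn,dob%20FROM%20applicants-- HTTP/1.1" 200 131072 "-" "sqlmap/1.0"
198.51.100.23 - - [08/May/2013:10:03:11 -0400] "GET /news/?p=select-committee-report HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["decoded_url"] = unquote_plus(rec["url"])  # attackers URL-encode their payloads
    return rec

# Rule 1: keyword matching on the decoded request. Cheap, but it fires on
# ordinary English ("credit union", "select committee"): the false-positive problem.
NAIVE_KEYWORDS = ("union", "select", "'", "--")

def naive_alerts(log_text):
    """Line numbers (1-based) that the keyword rule would alert on."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec and any(k in rec["decoded_url"].lower() for k in NAIVE_KEYWORDS):
            hits.append(n)
    return hits

# Rule 2: match SQL grammar fragments rather than isolated words, and record
# the reason so an analyst can triage the alert instead of re-reading the log.
SQLI_PATTERNS = (
    (re.compile(r"'\s*(or|and)\s*'", re.I), "quote-or-quote tautology"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"\b(drop|delete|insert|update)\s+\w+.*--", re.I), "statement with comment terminator"),
)

def refined_alerts(log_text):
    """One alert dict per line whose decoded URL contains an SQL fragment."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for pat, reason in SQLI_PATTERNS:
            if pat.search(rec["decoded_url"]):
                hits.append({"line": n, "ip": rec["ip"], "reason": reason, "bytes": rec["bytes"]})
                break
    return hits

def sources_by_alert_count(alerts):
    """Aggregate alerts per source IP so a repeat offender stands out from noise."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    print("naive rule flags lines:", naive_alerts(SAMPLE_LOG))
    alerts = refined_alerts(SAMPLE_LOG)
    for a in alerts:
        print("line %(line)d %(ip)s %(reason)s (%(bytes)d bytes returned)" % a)
    print("per-source:", sources_by_alert_count(alerts))
```

The response sizes are carried through on purpose: the two real injections return 98 KB and 131 KB against 5 KB for the legitimate lookup of the same page, which is the kind of secondary signal (unusually large responses from a parameterised page) worth correlating once the keyword noise is gone.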

Case Example: University IT Operations - Environment

• No official "IT Security Manager". Often a limited security budget (compared to corporations).

• University networks tend to include vast PII/PHI (e.g. credit cards, health records, SSNs, birth dates, financial aid, college employee data, alumni and donor financial data, etc.).

• IT decentralization creates risk: independent "islands" of computing owned/managed by individual colleges/departments MAY or MAY NOT follow standards.

• Colleges of Medicine/Dentistry/etc. at top-tier universities tend to be better protected "islands" because of ePHI concerns.

• Public wireless networks are often in place throughout a university campus.

Strategies for Risk Managers

Plan for the loss

The CFO must understand that data/network security is NEVER 100%.

4 legs of traditional risk management:

• Eliminate: e.g. patch known exploits, encrypt laptops, etc.

• Mitigate: e.g. dedicated security staff; policies; IDS/IPS; etc.

• Accept: e.g. partner SLAs and capabilities (trusting their assurances)

• Cede: residual risk via privacy risk insurance

Wide-angle assessment of safeguard controls surrounding:

People: do they seem to "get it"? Proper security budget, and vigilant about their job!

Processes/policies: enterprise ISO 27002, HITECH ready; employee education/training; change management processes, breach response plan, etc.

Technology: proven IDS/IPS capabilities, DLP solutions, hardened and patched servers (tested), full encryption of PII.


Example Due Diligence Process for a University

Remote Cyber Risk Assessment (common in the insurance industry)

Step 1 - Self-assessment: completed by the client's IT security rep, this strives to gauge their security and privacy practices against an industry standard (ISO 27002).

Step 2 - Phone interview: the purpose is to flush out any "red flag" areas identified…gather more details or clarify a "compensating control".

Step 3 - Document review: verify key security policies, e.g. enterprise security, privacy, BC/DR and third-party vendor assurances.

Step 4 - Network perimeter vulnerability scan test: check for SQL injection exploits in web apps. See if internet-facing servers are properly patched to deflect 6,000+ known exploits.

Step 5 - Summary report: these four tasks might then be pulled into a composite report which strives to measure the client's good-faith practices against industry-expected standards.

Key concept: …vigilance and layered safeguards
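The "Hacking (SQL injection)" peril in the Top Perils list and the Step 4 scan for "SQL exploits in web apps" come down to one defect: user input concatenated into the SQL string. As an added example (not code from the deck, the presenters, or any university system), here is that defect beside its fix, run against a constructed in-memory SQLite table; the student-records schema and its rows are hypothetical. The tautology payload is the kind a perimeter scanner submits to each input parameter to see whether the application treats it as data or as SQL.

```python
import sqlite3

# Hypothetical student-records table built in memory for the demonstration;
# the schema and rows are constructed, not taken from any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, aid_amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?, ?)",
        [(1024, "A. Student", "000-00-1024", 5000),
         (1025, "B. Student", "000-00-1025", 7500),
         (1026, "C. Student", "000-00-1026", 0)],
    )
    return conn

def lookup_vulnerable(conn, student_id):
    """Builds the statement by string concatenation: whatever the caller passes
    becomes part of the SQL grammar, so a quote in the input ends the literal."""
    sql = "SELECT id, name, ssn FROM students WHERE id = '" + student_id + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, student_id):
    """Binds the input as a parameter: the driver treats it as a value, never as SQL."""
    return conn.execute(
        "SELECT id, name, ssn FROM students WHERE id = ?", (student_id,)
    ).fetchall()

def lookup_validated(conn, student_id):
    """Defence in depth: reject anything that is not an integer before it reaches
    the database, then still use a bound parameter."""
    if not student_id.isdigit():
        raise ValueError("student id must be numeric")
    return lookup_parameterized(conn, int(student_id))

# Classic tautology payload of the kind a perimeter scan submits to each input.
PAYLOAD = "1024' OR '1'='1"

def demo():
    """Row counts returned by each lookup for a normal id and for the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "1024")),
        "vulnerable_payload": len(lookup_vulnerable(conn, PAYLOAD)),
        "parameterized_normal": len(lookup_parameterized(conn, "1024")),
        "parameterized_payload": len(lookup_parameterized(conn, PAYLOAD)),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Running it prints one row for the normal lookup from both functions, the whole table (three rows, SSNs included) from the concatenated query under the payload, and zero rows from the bound query, which compares the literal string against the integer id and finds nothing. The validated wrapper rejects the payload before any SQL runs. A scanner that gets the same response for the normal and the payload input has found nothing; a response that grows or changes shape is exactly what Step 4 is looking for.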


Assessment Value

Example screenshot from a NetDiligence report (image not reproduced)

Purpose: showcase risk management strengths

Reaffirm "reasonable" safeguards

Benchmark to standards and peers

Good-faith effort towards compliance with regulations

Lessons learned from past losses/incidents (are they now battle ready?)

Cyber risk insurability assessment

The process should be collaborative

Educate the risk manager or CFO about their own IT operations

Wide-angle: people/process and technology


Cyber Risk Claims: a review of industry losses paid out (2012 study)

NetDiligence 2012 Cyber Claims Study - Highlights of Findings

Costs

– Average cost* per breach was $3.7 million ($2.4 million in 2011)

  • Total claim cases in study = 135

  • Claim range = $2K to $76 million

  • Claim cost mode = $25K to $200K (most typical claim)

– Average cost** per record was $3.94

– Legal (defense and settlement) represents the largest portion of costs incurred

  • Average cost of defense: $582K

  • Average cost of settlement: $2.1 million

– Crisis services costs (forensics, legal counsel, notification and credit monitoring) average about $983K per event

* Average calculated on all breaches in the sample that reported claims paid. ** Average calculated on breaches in the sample that reported BOTH number of records and payouts, less two large claims of 100 million records each.

Percentage of Breaches by Business Sector

(Pie chart; the sector labels and their percentages are not recoverable from this extraction.)

Third-Party Liability

(Chart; values not recoverable from this extraction.)

Crisis Service Costs (Breakout): range (R) and typical (T)

Forensics: R $350 - $1 million; T $10K - $225K

Notice: R $300 - $2.5 million; T $20K - $100K

Call center: R $0 - $1 million; T $5K - $40K

Credit monitoring: R $0 - $15 million; T $6K - $300K

Legal (Breach Coach® type): R $0 - $1 million; T $5K - $100K

Are you at risk? Ask your team:

Has your university ever experienced a data breach or system attack event? Some studies show 80-100% of execs admitted to a recent breach incident.

Does your organization collect, store or transact any personal, financial or health data?

Do you outsource any part of computer network operations to a third-party service provider? Your security is only as good as their practices, and you are still responsible to your customers.

Do you allow outside contractors to manage your data or network in any way? The contractor is often the responsible party for data breach events.

Do you partner with entities, and does this alliance involve the sharing or handling of their data? You may be liable for a future breach of your business partners.

Does your posted privacy policy align with your actual data management practices? If not, you may be facing a deceptive trade practice allegation.

Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up to your peers?

Doing nothing is a plaintiff lawyer's dream.


Legal Considerations: John Mullen

Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information

Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies

Some states allow private right of action for violations

Data-at-rest (disc level) encryption often a safe harbor

State level breach notice: 46 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI.

Regulatory Exposures

State Data Breach Notice Laws - Considerations

Access vs. acquisition (e.g., Connecticut vs. Delaware)

Risk of harm analysis (e.g., Massachusetts)

Individual notice requirements

– Timing

– Method (written notice vs. substitute notice)

– content

State regulator notice requirements

– Timing

– Method

– content

Consumer reporting agency notice requirements

– Timing

– content

VERMONT
- notice to affected individuals within 45 days of breach discovery
- notice to VT AG within 14 days of breach discovery or affected-individual notice (whichever is sooner)

CONNECTICUT
- Department licensees and registrants to notify the Department [Commissioner] as soon as an incident affecting Connecticut residents is discovered, but no later than 5 calendar days after
- notice to CT AG not later than the time when notice is provided to Connecticut residents

TEXAS
- notice to affected individuals pursuant to the law of the individual's state of residence or, if none, then pursuant to TX law

CALIFORNIA
- notice (electronic) to CA AG if more than 500 California residents affected
- HIPAA provisions augmented
- notice to the California Department of Health and affected individuals within 5 business days
- statutory damages/fines, private cause of action

MASSACHUSETTS
- "written information security plan" for businesses storing MA resident personal information

NEVADA
- data collectors doing business in NV to comply with PCI-DSS

Evolving Exposures

FACTA "Red Flags" Program

• Mandates that "creditors" create an Identity Theft Prevention Program.

• The program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft.

HITECH Act

• Extends HIPAA to "business associates" of HIPAA covered entities

• First national breach notification requirement: breaches affecting 500 or more individuals are reported to HHS without unreasonable delay; breaches affecting fewer than 500 are logged and reported to HHS annually after year end

• Permits state Attorneys General to enforce HIPAA

• ACOs (accountable care organizations) could make things more risky for healthcare sector clients with emerging e-record exchanges

Regulatory Exposures

FERPA

Prohibits federal funding of an educational institution that has a practice of disclosing educational records, or PII contained in educational records, without the consent of the parent (if the student is under 18) or the student (if 18 or older).

No legal requirement to provide notice of a breach, only to keep records of record disclosures and requests for disclosure.

– U.S. Department of Education recommended response

The educational institution must still comply with applicable state data breach notice laws.


Litigation Trends

Single plaintiff

– Identity theft

– Privacy

Government action

• Attorney General (Goldthwait, South Shore, Accretive, Health Net)

• FTC (ChoicePoint, American United Mortgage)

• HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS)

Banks

• Cost of replacing credit cards

• Reimbursement of fraudulent charges

• Business interruption


Class action

• Failure to protect data

• Failure to properly notify

• Failure to mitigate

• NO VERDICTS…YET

Defenses eroding

Stollenwerk v. Tri-West – plaintiff asserted actual identity theft

Krottner v. Starbucks Corp. – increased risk of identity theft constitutes an injury-in-fact

Anderson v. Hannaford – alleged fraud in the affected population and money spent on mitigation efforts held sufficient (instead of time/effort)

----------------------------------------------------------

ITERA (Identity Theft Enforcement and Restitution Act) – restitution may include an amount equal to the value of the time reasonably spent

In re Hannaford Bros. Data Security Breach Litigation – does time equal money? No. But if there is fraud, credit monitoring damages may be due.

ChoicePoint Data Breach Settlement – the FTC-administered redress fund paid consumers for "time they may have spent monitoring their credit or taking other steps in response"

Lawsuit Basics:

Duty + Breach + Causation + Damages

Law School 101

Multiple jurisdictions (MDL)

Plaintiffs' attorneys will find a representative plaintiff with actual identity theft (4.8% of the U.S. population will have ID theft regardless¹)

Krottner decision – future harm

Hannaford – money spent

Raise time as a measure of damages (ITERA, FTC, Hannaford)

FTC recognition of 20 years of damages²

¹ Better Business Bureau and Javelin Research report that for 2009, 11.1 million consumers (4.8 percent of the U.S. population) were victims of identity theft

² ChoicePoint settlement includes 20 years of system auditing

Tomorrow’s Class Action

Breach Costs

– Forensics vendor

– Notification vendor

– Call centers

– PR vendor

– ID theft insurance

– Credit monitoring

– ID restoration

– Attorney oversight

Planning and Data Management

– Breach planning (Mass.)

– ID Theft monitoring (Red Flags)

– PCI DSS (Nevada and merchants)

– HIPAA

Regulator/Compliance Costs

Litigation

– Breach guidance

– Investigation

– Notification

– e-discovery

– Litigation prep

– Contractual review

– Defense (MDL?)

Plaintiff Demands

– Fraud reimbursement

– Credit card replacement

– Credit monitoring/ repair/ insurance

– Civil fines/ penalties

– Statutory damages (CMIA)

– Time

Costs

Anatomy of a Breach Response

BREACH DISCOVERY

EXPERTS

-breach coach

-forensics

-public relations

INVESTIGATION — internal/forensic/criminal

-how did it happen

-when did it happen

-is it still happening

-Who did it happen to

-what was accessed/acquired

-encrypted/protected

NOTICE OBLIGATIONS

-state

-federal

-other (e.g., PCI, FDIC, OCC)

NOTICE METHODS

-written

-electronic

-substitute

-media

DEADLINES

-can be from 48 hours to “without unreasonable delay”

INQUIRIES

-state regulators (e.g. AG, PD)

-federal regulators (e.g. OCR)

-federal agencies (e.g. SEC, FTC)

-consumer reporting agencies

LITIGATION

-subrogation

-class action

Breach Response, continued…

Proactive Risk Manager Steps: what can be done

Empowered senior executive

Talk to your IT security folks. Gain an appreciation of the many challenges.

Not many firms can say how many records they have; what type of data is being collected, stored, shared, protected; where all this data resides; or when it is purged.

Assess and test your own staff and operations

Document your due care measures

Insurance

Red Flags, data security and breach response plans - affirmative duties

Easier said than done…

What can be covered under a network security and privacy policy?

Breach of security: your liability to third parties arising out of a failure of your network security that results in a computer attack. Such failure can be caused by unauthorized access or use, transmission of a computer virus or a denial-of-service attack.

Invasion of privacy: your liability arising from disclosure and release of confidential or personally identifiable information stored on your computer system caused by a failure of your network security.

Enterprise privacy: your liability arising from any breach of privacy, including violations of HIPAA, GLB or any state, federal or foreign privacy protection law (including regulatory defense expenses, notification expenses, credit monitoring, crisis management expenses).

Identity theft: your liability arising from theft of personal information of your employees, customers or clients.

What can be covered under a network security and privacy policy? (continued)

Cyber extortion: protection against threats or demands made against you involving your computer network.

Internet media: defamation, libel and slander/personal injury – liability arising out of the content disseminated on your Internet site; includes intellectual property infringement exposures.

Business interruption: business interruption losses sustained by you arising from the interruption or suspension of your computer network due to a failure of security (including extra expenses).

Data asset coverage: information asset protection for property losses involving data, computer systems and information assets arising from a computer attack.

Questions


John Farley provides advisory services to our clients and teams with our Professional Risk Group as a network security and data privacy breach consultant. John is based in our New York City office and brings 19 years of claims and risk consulting experience to Wells Fargo Insurance Services. John is our internal lead resource for pre- and post-breach services. His role is to apply his extensive knowledge of data breach response best practices and to work diligently with our clients to achieve optimal results in cost mitigation. When and if a breach occurs, John will act as the coordinator between all parties involved: our client, the carrier(s) and any outsourced service provider hired, including but not limited to forensic experts, privacy attorneys, public relations firms, call center operators and other similar breach response service providers. John also facilitates online access to the Wells Fargo Insurance Services e-Risk Hub. This online database serves clients' ongoing educational needs in the ever-changing network security and privacy risk environment. It offers real-time informational resources including the latest news articles, learning tools, an incident road map, breach calculators and a vendor directory.

John Farley [email protected] (212) 209-0227

Mark Greisiger leads NetDiligence®, a cyber risk management company. For the past decade NetDiligence has been offering unique cybersecurity e-risk assessment services to organizations of all sectors. Its services support the data risk management and compliance needs of many businesses. NetDiligence supports the loss control needs of many US and UK insurers that offer network liability coverage (aka "privacy insurance"). Mr. Greisiger is also a frequently published contributor to various insurance and risk management publications on similar topics.

Mark Greisiger [email protected] (610) 525-6383

John Mullen, Sr. leads the Privacy and Data Security Practice at Nelson Levine de Luca & Hamilton. His team of over a dozen attorneys focuses on the defense of information security and privacy matters, with particular emphasis on response to data loss events and suits. John serves as legal Breach Counsel, advising clients on issues related to IT forensics, customer and government notification and compliance, public relations, customer remedies, litigation hold/e-discovery requirements, and class action/multi-district litigation (MDL) issues. John frequently speaks to insurers, insureds, risk managers and brokers, has authored articles and presents via webinars and video broadcasts throughout the United States and the European Union. Mr. Mullen holds a B.S. from Pennsylvania State University (1987) and a J.D. from Arizona State University, College of Law (1991).

John F. Mullen, Sr. [email protected] 215-358-5154

CONTACT

John Farley, Vice President, Data Breach Consultant Wells Fargo Insurance Services USA, Inc. , New York, NY 10017 Phone: 212-209-0227 Email: [email protected]

MARK GREISIGER, Founder, NetDiligence, Philadelphia, PA Phone: (610) 525-6383 Email: [email protected]

JOHN MULLEN, Chair, Privacy and Data Security Team Nelson Levine de Luca & Hamilton, Blue Bell, PA 19422 Phone: 215-358-5154 Email: [email protected]
