– To Notify or Not to Notify – That is the Question
DESCRIPTION
To Notify or Not to Notify – That is the Question. MODERATOR: Toby Merrill, Vice President, ACE USA. PANEL: Beth D. Diamond, Esq., Claims Manager, Beazley Group; John F. Mullen, Esq., Partner, Nelson, Levine, de Luca & Horst, LLC.
TRANSCRIPT
2010 PLUS International Conference
– To Notify or Not to Notify – That is the Question
To Notify, or Not to Notify: That is the Question
MODERATOR:
• Toby Merrill, Vice President, ACE USA
PANEL:
• Beth D. Diamond, Esq., Claims Manager, Beazley Group
• John F. Mullen, Esq., Partner, Nelson, Levine, de Luca & Horst, LLC
• K Royal, JD, CIPP, Privacy & Security Officer, Assistant Vice President, Regulatory Affairs, Concentra Inc.
• Tom Srail, Senior Vice President, Technology, Willis
• Benjamin Stephan, CISSP, CISA, EnCE, QSA, PA-QSA, Director of Incident Management, FishNet Security
Overview
• Brief Introduction
• Privacy and Network Security Liability
• Privacy Regulations
• To Notify or Not to Notify
• Q&A
To Notify or Not to Notify: Privacy Insurance Market
Privacy Insurance Marketplace
• Evolution of the Coverage
  Origins focused on network security
  Evolution to ‘sensitive data’ and ‘unintentional error’
• Market Growth
  Standalone market estimated at $600M GWP*
  1 in 3 purchase coverage and 1 in 4 plan to in the next 18 months*
• Drivers and Barriers
  - Price in a sluggish economy
  + Policies that include data breach services
  +/- Product knowledge
*2010 Betterley Cyber Risk and Privacy Market Survey
Ponemon Institute Studies
• Average total cost per incident of $6.75M (vs. $6.6M, $6.3M and $4.8M in 2008, 2007 and 2006)
  Cost to resolve ranged from $750,000 to $31,000,000
  Number of records ranged from 5,000 to 101,000
• 42% of breaches occurred due to external causes
[Chart: Breach Cost per Record – Avg., HC, FI, CP, Retail]
[Chart: Cost of a Lost Laptop – Avg., HC, Pharma]
Ponemon Institute Studies (cont’d)
• Average cost of $204 per record (vs. $202, $197 and $182 in 2008, 2007 and 2006)
  Direct $69; Indirect $135
  Defense 27%; Consulting 24%; Contact 22%; Forensics 16%; Services 6%
  Malicious $215; Human Negligence $154; IT Glitch $166
  1st Party $194; 3rd Party Vendor $217
  First Timer $228; Second Offender $198
  With CISO $157; Without CISO $236
  With consultant $170; Without consultant $231
  < 1 month to notify $219; > 1 month $196
Privacy/Cyber Insurance Marketplace
• Pricing
  Aggressive competition
  Typically flat to slight decrease on renewals
• New/revitalized Markets
  Updated forms
  Blending with other policies (Managed Care, Misc E&O)
• Capacity
  Stable primary limits ($10M-$20M typical)
  Increased excess participation available
  $200M+ total available for most large risks
Privacy/Cyber Insurance Marketplace
• Current Coverage Enhancements
  Privacy Expense
    • Outside of Liability Limits options
    • New express coverage (ID Theft restoration expense)
    • Larger (Full+) Limits
  Regulator and/or PCI Fines/Penalties - larger limits available
Privacy/Cyber Insurance Marketplace
• Current Coverage Enhancements (cont’d)
  Excess “Drop Down”
    • Privacy Expenses
    • Fines/Penalties
  Pre-arranged/recommended Vendors
  First-Party Coverage
    • Administrative Error Triggers
    • Lower BI waiting periods
Privacy Insurance Market: Panel Discussion
Privacy Regulations: Overview
What is Notification?
• Statutory – In the event of a security breach, most federal and state laws require notification to:
  Customers
  Government Agencies
  Attorneys General
  Law Enforcement
  (not necessarily required, but may be prudent)
  Credit Reporting Agencies (CRAs)
• Voluntary – When notification is not required by law, but for reasons of goodwill, etc., a company would prefer to notify its customers, etc.
Purpose of Notification
• To enable individuals to mitigate the risk of identity theft or fraud when a breach occurs
• To enable the authorities to exercise their regulatory oversight functions
• To motivate organizations to implement more effective security measures to protect sensitive information
General Notification Requirements
• Federal and state laws have unique requirements for:
  format of notification,
  time frame within which to notify, and
  content of the notification letter
• In many cases, failure to notify pursuant to a particular notification law may lead to fines and penalties
State Notification Requirements
• Generally require written notification to the individual in the event of a breach of security
• However, each state varies in:
  the definition of what constitutes a breach
  the definition of personal information (only a few include PHI)
  inclusion of a “risk of harm” standard
  content requirements for notice
  authorities that must be notified
  available penalties and private right of action
State Data Breach Laws
2003 – California Senate Bill 1386 (CA SB 1386)
2005 – 10 additional states
2006 – 19 additional states
2007 – 9 additional states
2008 – 7 additional states
2009 – 1 additional state
2010 – 1 additional state
Privacy/identity theft legislation in 46 states (+D.C.)
States with no Data Breach Legislation:
• Alabama, Kentucky (passed but not yet enacted)
• New Mexico, South Dakota (no data breach law)
California Notification Requirements
• Must be in “plain language”
• Must include at a minimum:
  Name and contact info of the reporting agency
  Types of personal information involved
  When it happened
  If notification was delayed due to law enforcement investigations
  General description of the breach
  Estimated number of persons affected
  Toll-free telephone numbers and addresses of major credit reporting agencies (if the breach exposed a bank account/credit card number, SSN, or driver’s license/ID card number)
California Notification Requirements (cont’d)
• Other discretionary data may be included (e.g. information about what the agency has done to protect affected individuals, advice on how to protect oneself, etc.)
• Notice may be given in writing or electronically. Substitute notice is permitted if:
  the cost of providing written notice will exceed $250,000,
  the affected class to be notified exceeds 500,000 residents, or
  there is insufficient contact information to provide notice
What is Personal Information?
• State: An individual’s first name or first initial and last name in combination with any one or more of the following, when either the name or the data elements are not encrypted:
  • SSN
  • Driver’s license No. or CA ID Card No.
  • Account, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
• Up to ten other factors added in many states (e.g. biometric data in NE, IA and WI)
Massachusetts Requirements
• Notice must be given to: the Massachusetts AG; the Director of Consumer Affairs and Business Regulation; and affected Massachusetts residents
• Notice to the AG and the Director of Consumer Affairs and Business Regulation must include:
  the nature of the breach;
  the number of Massachusetts residents affected by such incident at the time of notification; and
  any steps the person or agency has taken or plans to take relating to the incident
Massachusetts Requirements (cont’d)
• Notice to affected Massachusetts residents must include:
  the resident’s right to obtain a police report
  how to request a security freeze on his/her credit report
• Notice to affected MA residents must not include:
  the nature of the breach; nor
  the number of Massachusetts residents affected by the breach
• Notice may be given in writing, by telephone or electronically. Substitute notice is permitted if:
  the cost of providing written notice will exceed $250,000,
  the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or
  there is insufficient contact information to provide notice
HITECH Notification Requirements
• Written notice via US mail to the individual or next of kin
• Substitute notice if there are 10 or more individuals for whom there is insufficient contact information
• If >500 residents of a state or jurisdiction are affected by the breach: notify prominent media outlets in that state or jurisdiction
• If >500 individuals in total are notified, the Secretary must be notified immediately (i.e. within the timeframe for notice to individuals)
• If <500 individuals, the Secretary may be notified in an annual report
HITECH Notice - Content Requirements
• Description of the event, including the date of the breach and the date of discovery, if known
• Description of the Protected Health Information (PHI) affected
• Steps individuals should take to protect themselves
• Description of what the entity is doing to investigate, mitigate harm to individuals and protect against further breaches
• Contact procedures for more information (toll-free number, an email address, website, or postal address)
• Must be written in clear, plain language
Potential Agencies to be Notified When a HITECH Breach Occurs
• State Attorneys General
• State regulators
  DOI
  Medicaid regulators
  Consumer Protection Offices
What is Personal Information?
• HIPAA: ANY “Unsecured” PHI = protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary
  Encryption and destruction of PHI are the only acceptable methods
Risk of Harm Standard
• HIPAA: Breach poses “[a] significant risk of financial, reputational, or other harm to the individual”
  Notification is only necessary if the breach poses a significant risk of harm
  Covered Entities & Business Associates must document their risk assessment to demonstrate that notification was not required
• State Law: NJ – disclosure not required if “misuse of the information is not reasonably possible”. CA and TX – no explicit “risk of harm” trigger
Privacy Regulations: Panel Discussions
To Notify or Not to Notify: Data Breach Scenarios
Scenario #1
• Minnesota retailer notified by Visa of potential hack
• Forensics determines 1.5M credit cards were likely compromised
• Roughly 1M of the records were encrypted
• Hackers were in the system for 14 months
• Cardholders reside in MN, ND, SD, IA, IL, WI
Scenario #2
• A trash company discovers the printed records of a SC community bank in a dumpster
• The information contains the loan applications of more than 10,000 residents in NC, SC & GA
Scenario #3
• A hospital in Massachusetts discovers that a desktop computer has been stolen
• Forensics determines 100,000 medical records were located on the desktop
• None of the records were encrypted
• Patients reside in MA, CT, RI, AZ and NH
Scenario #4
• A community college in New Mexico discovers that its alumni list was searchable on its website
• Visitors to the site would be able to obtain alumni grade point averages and job history if searched by name
• Forensics is unable to determine whether any searches had been made on alumni records
• Roughly 500,000 records were potentially compromised
• All alumni were New Mexico residents
• What if forensics later determines SSNs were involved? Some residents were from New York? Or both?
Scenario #5
• A technology hosting company discovers that hackers had accessed a number of servers
• Forensics determines that millions of records were located on these servers
• The records belong to more than a dozen financial institutions, hospitals and retailers
• Some of the data was encrypted
• Cardholders reside in more than 30 states
Key Takeaways and Predictions
Questions & Answers
Many Thanks To…
• Toby Merrill
• Beth Diamond
• John Mullen
• K Royal
• Tom Srail
• Benjamin Stephan