CYBER RISKS Cyber Security, Privacy and the Regulatory environment

Upload: rickwaldman

Post on 02-Nov-2014


Page 2: Cyber Risks

What is cyber?

What does the term “cyber” mean? It refers to the use of computers, the internet, computer networks, and electronic information databases.

Page 3: Cyber Risks

What creates cyber/privacy risk?

• Internet connectivity
• E-commerce
• Business websites and internet advertising
• Customer forums and support/message boards
• Credit card processing/online payment
• Data storage, ISP, website design
• Providing media content
• Paper documents

Page 4: Cyber Risks

What is a data/privacy breach?

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.

Street values: $50/medical identity vs. $1/SSN*

*American Health Information Management Association

Page 5: Cyber Risks

What is 1st party and 3rd party?

The Cyber Risks to which an organization is exposed fall into two general categories, and insurance coverage is available for both:

1) Those losses suffered by an organization (1st Party Losses) – extortion, employee theft, system failure, etc.

2) An organization's liability to third parties (3rd Party Losses) – hacker theft of data, Intellectual Property Infringement, etc.

Page 6: Cyber Risks

Foundations of Cyber Risk

• Focus is on data about the person, not the person (e.g. traditional privacy torts)

• Information technology and the Internet magnify the risk

• Multi-jurisdictional exposure

• Data security v. data privacy

Page 7: Cyber Risks

Data Security Risks

Protection Risks (Information security): failure to implement adequate measures to protect private information from theft by others or disclosure to unauthorized persons

Failure to Warn Risks: failure to warn of actual or suspected unauthorized access to Personally Identifiable Information (PII) - e.g. breach notice laws

Page 8: Cyber Risks

Data Privacy Risks

Collection Risk: intrusively or secretly collecting PII without the consent of the individual

Disclosure and Mishandling Risk: mishandling of PII, disclosing PII in a fraudulent manner or providing PII to bad actors without consent

Choice/Consent Risks: failure to provide person with choice on how their PII is collected/handled, including failure to provide opt-in/opt-out

Notice Risks: failure to provide notice of PII handling practices or the provision of inadequate or fraudulent notice

Accuracy/Integrity Risks: disseminating inaccurate PII or failure to correct PII

Access Risks: failure to provide access to collected PII

Lack of Privacy Policy/Inadequate Privacy Policy

Page 9: Cyber Risks

Regulatory Environment

Florida Law (as of 9/6/2011): Fla. Stat. 817.5681 (7/1/2005)

• Triggering Event: unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of PI, unless investigation finds that misuse of PI has not occurred or is not reasonably likely to occur (retain documentation for 5 years)

• Civil or Criminal Penalties: Yes (gov’t agencies are exempt)

• Pre-breach measures required: No

• Timing of Notification: Without unreasonable delay, but no later than 45 days, unless investigation finds that misuse of PI has not occurred or is not reasonably likely to occur (must retain documentation for 5 years)

• Other parties to notify?: Consumer Reporting Agencies if notifying over 1,000 persons

Page 10: Cyber Risks

Regulatory Environment

Information Security Laws

Control Requirements:

• HIPAA
• FACTA ID Theft Red Flag Rules
• Data disposal laws (e.g. Colo. Rev. Stat. Ann. §6-1-713)
• Encryption laws (Mass. and Nevada)
• State “reasonable security” laws (e.g. Cal. AB 1950)
• Gramm-Leach-Bliley (GLB -- Financial Industry)
• Written Information Security Program (Mass.)
• International laws (EU Data Protection Directive)

Failure to Warn Laws:

• “Breach-Notice Laws” in about 46 States
• HITECH Act (within HIPAA): 2011 Annual Report to Congress Statistics

Page 11: Cyber Risks

The Value of Your Data

• Information and Intellectual Property are an organization’s most valuable asset today

• No longer a “Bricks & Mortar” world

• Impact of a data breach on an organization is huge: Financial, Business Distraction, Loss of Customers, Damage to Reputation

• The “Next Product” – becoming a standard product

Page 12: Cyber Risks

Other Coverage

The Cyber Risks to which a corporation is exposed fall into two general categories, and insurance coverage is available for both:

1) Those losses suffered by an Insured (1st Party Losses)

2) An Insured's liability to third parties (3rd Party Losses)

Standard Property, Liability or Crime policies will not traditionally cover damage to or loss of intangible assets (data and systems), so there exists a significant gap in coverage, both in terms of exposure and because of the ever greater dependency on technology to be able to do business.

Traditional property/casualty programs do not meet the need!

Page 13: Cyber Risks

Typical Agreements/Capabilities

Third party liabilities:

• Technology E&O
• Employee Privacy
• Intellectual Property (electronic media)
• Network/Privacy Liability
• Denial of Service
• Transmission of malicious code

First party losses:

• Unauthorized access
• Cyber extortion and cyber terrorism
• Unauthorized use
• Loss of digital assets
• Business interruption (non CGL)
• Security event costs

Page 14: Cyber Risks

First Party Causes of Loss – May Include

• Accidental Damage or Destruction: physical damage of data – no longer machine-readable; failure of power supply that is under your direct control

• Administrative or Operational Mistakes: entry or modification of your data

• Computer Crime and Computer Attacks: malicious code introduction; unauthorized access; unauthorized use; denial of service attack

Page 15: Cyber Risks

Non-Physical Business Interruption

• Extra expenses incurred to avoid or minimize suspension of business

• Lost profits (net income)

• Fixed operating expenses incurred during the period of restoration

• Costs related to outside consultants and service providers

Page 16: Cyber Risks

Network Security and Privacy Liability

• Damages and claim expenses arising from an alleged breach of security or privacy breach

• 3rd party suits involving Damages

• Typically includes errors or omissions by outside service providers for whom you are legally liable

Page 17: Cyber Risks

Cyber Extortion Threat

• Extortion expenses and extortion monies resulting directly from a credible threat during the policy period

• Typically includes a requirement to involve law enforcement (every reasonable attempt to consult with the FBI) prior to payment of extortion monies

Page 18: Cyber Risks

Electronic Media Liability

• Publishing liability for content on your internet or intranet site:

• Defamation, libel, slander
• Invasion of privacy
• Plagiarism, misappropriation
• Copyright or domain name infringement
• Excludes any patent infringement

Page 19: Cyber Risks

A Cyber Event Occurs: Now what?

Page 20: Cyber Risks

Cyber/Privacy Insurance

• Family Planning Council of Philadelphia: April 9th. Employee stole a computer storage device (flash drive kept in another employee’s desk) containing the personal and medical records of about 70,000 patients. No indication that the missing patient data had been inappropriately used.

• Gucci: April 6th. Network engineer who was terminated by the company used his expertise and insider access to delete documents, emails and shut down Gucci’s server in excess of 24 hours.

• New York Yankees: April 28th. Employee mistakenly sends email that contained a spreadsheet attachment with the personal information of 17,000 season ticket holders to other season ticket holders.

Page 21: Cyber Risks

Cyber/Privacy Insurance

• Family Planning Council of Philadelphia: April 9th. Employee stole a computer storage device (flash drive kept in another employee’s desk) containing the personal and medical records of about 70,000 patients. No indication that the missing patient data had been inappropriately used.

Needs relating to this event:

• Investigation/Forensics (Network security team?)
• Defense and coverage counsel expenses
• Determine compliance with all relevant state and federal privacy laws
• Notification and credit monitoring where necessary
• Public Relations
• Possible recovery of data
• Monitoring of data/investigation assistance
• Financial impact

Page 22: Cyber Risks

Cyber/Privacy Insurance

• Gucci: April 6th. Network engineer who was terminated by the company used his expertise and insider access to delete documents and emails and shut down Gucci’s server for in excess of 24 hours.

Needs relating to this cyber event:

• Investigation/Forensics (Network security team)
• Defense and coverage counsel expenses
• Determine compliance with all relevant state and federal privacy laws
• Notification and credit monitoring where necessary
• Public Relations
• Recovery/correction of data
• Business interruption costs (cut email access to entire country)

Page 23: Cyber Risks

Cyber/Privacy Insurance

• New York Yankees: April 28th. Employee mistakenly sends email that contained a spreadsheet attachment with the personal information (specifically the names, addresses, phone numbers, e-mail addresses and seat numbers) of ‘several hundred’* season ticket holders to other season ticket holders.

Needs relating to this cyber event:

• Investigation/Forensics (network security team?)
• Defense and coverage counsel expenses
• Determine compliance with all relevant state and federal privacy laws
• Notification and credit monitoring where necessary
• Public Relations

Page 24: Cyber Risks

Cyber/Privacy Insurance

Professionals Involved in Handling a Cyber Claim

• Breach Notice and Defense Counsel (privacy attorneys)
• Computer Forensics Companies
• Breach Investigation
• Public Relations Firms
• Credit Monitoring Firms

• Breach Notification & Call Center:
• data breach incident response planning;
• address list management;
• direct mail capability - prep, print and mail;
• call center;
• returned mail management

Page 25: Cyber Risks

Cyber/Privacy Insurance

Top 10 Trends for 2011*

• More small scale data breaches in news
• “Low-tech” theft will increase
• Lost devices will continue to dominate
• Data minimization will increasingly be seen as essential
• Increased exchange and collaboration will increase risk
• More social networking policies implemented
• Data encryption = golden ticket
• Business associates
• Privacy awareness training
• Overarching federal law?

*Kroll Fraud Solutions, Top Ten Data Trends for 2011