GSBA Risk Management Services, GASBO Meeting: Cyber-Risk for School Districts, November 7, 2013


TRANSCRIPT

Page 3: Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

• Your budgets are tight and will remain tight for the foreseeable future
• Never had a claim involving a breach, at least you don't think you have had one
• Your IT folks assure you the District's firewalls are sound and present no risk of penetration
• I think we already have coverage somewhere else
• New coverage being pushed by carriers but really no losses out there
• I do not want to be the first one to buy the coverage
• It is not on our radar screen; we will look at this next year
• We have immunity from this type of loss

Page 4: Agenda for Today

• Why Cyber-Risk was developed and what it protects
• Your obligations under the law
• Examine each reason why you should not buy Cyber-Risk Coverage
• Outline the GSBA RMF evolving solution
• Answer any questions

Page 5: Why was Cyber-Risk Developed?

• To protect your electronic assets in the new Technological Revolution
• No different than protecting buildings and other assets, except that exposure to a loss is growing faster than you are building buildings

Page 6: Cyber-Risk Protection: Privacy & Computer Security Protection

Privacy & Data Breach

Coverage has many names in the industry, but the basic risk is the same:

1. School district "mishandles" personal data, resulting in regulatory requirements to notify the individuals affected by the "breach" and to monitor the impact on them for some period of time; or

2. School district is hacked and the information is stolen, resulting in the same regulatory requirements to notify and monitor the individuals affected by the "breach", plus any potential liability resulting from the hackers stealing the data

Page 7: What is Protected?

Personally Identifiable Information (PII): the combination of a person's first name (or initial) and last name plus one or more of the following:

• Social Security Number
• Driver's License Number
• State ID Number
• Account Number
• Credit or Debit Card Number
• Account Passwords, PINs or other access codes

Page 8: Threats to a School District

Internal Threats:
• Rogue employee who was fired and wants to "hurt" the School District
• "Idealist" who wants to "change" School District policies by disrupting normal operations
• Accidental or careless staff who lose the data, either in paper format or electronically via a lost laptop

External Threats:
• Outside vendor or business associate with access to School District data who steals personal data
• Organized crime, both foreign and domestic
• Hackers or "Hacktivists" who do it "to change the world"

Page 9: Threats to a School District

Technology:
• Viruses, SQL injection, etc.
• Structural vulnerability of your network
• Employee use of social media / networking "opening the door" for hackers to enter your network
• Remote teaching putting strain on the security of your internal network firewalls
• Phishing

"Old School":
• Dumpster diving for discarded papers that are not shredded
• Loss or theft of a laptop with personal data on it

Page 10: Threats to a School District

Regulatory/Legal:
• 47 states now have breach notification laws
  o Georgia is one of the 47 states. Its law applies to any entity, government or private, that has a breach, and requires it to notify the people affected by the breach (Georgia Personal Identity Protection Act of 2007)
• Many breaches do not develop into identity theft, but the notification and tracking requirement is very expensive for the School District
• School nurses especially have to be careful with HIPAA information
• At the present time, it is unclear how immunity would apply if the District were sued by a third party injured by a breach

Page 11: Georgia Personal Identity Protection Act of 2007

• O.C.G.A. 10-1-910 through 10-1-912
• Amended to include public universities and other state and local agencies
• A breach is the unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality or integrity of PII
• Can also apply if the compromised information is sufficient to perform or attempt identity theft

Page 12: What would you do if…?

Labor employee inadvertently e-mails personal info of more than 4,000 customers
By Mike Morris, The Atlanta Journal-Constitution

State officials are scrambling to minimize the potential harm to more than 4,000 customers of the Georgia Department of Labor whose personal information was accidentally e-mailed to about 1,000 people.

“A document containing confidential information, including names and social security numbers, for 4,457 customers of the Cobb-Cherokee Career Center has inadvertently been e-mailed to approximately 1,000 people, primarily in Cobb and Cherokee counties,” the Labor department told AM750 and 95.5FM News/Talk WSB in a statement. “The e-mail occurred because of an employee error.”

The statement goes on to say that the department has notified recipients of the erroneous e-mail “and instructed them to immediately delete the file attached to the e-mail without opening it.”

The department also said in the statement that it will provide free credit monitoring services to all of the people affected.

Many of the customers contacted by WSB were upset by the erroneous e-mail, which also included ages, phone numbers and e-mails of those 4,457 people. …

Friday, September 6, 2013, Atlanta Journal-Constitution

Page 13: Data Breach: More Recent Examples

Boston Public Schools, MA: August 2013
• 21,054 student files (ID numbers, name, age and a photo); families were sent automated phone calls and letters
• A vendor that makes student ID cards lost a stick drive with the records

San Juan Unified School District, CA: May 2011
• 4,000 employees and former employees notified by letter
• Personal information was compromised when an employee inadvertently uploaded all the information from a stick drive to a church website

Paulding County Schools, GA
• Phishing loss that was covered, but it entailed notification costs which were not covered

Page 14: Cost of Breach

Ponemon Institute: 2013 Cost of a Data Breach Study
• Studied breaches in 277 companies in nine countries over ten months in 2012
• Average cost per record in the US: $188, second highest to Germany
• Significantly lower per record in:
  o Public Services: $81
  o Education: $111

If you had 4,457 records released, like the State of Georgia:
• On your own, based on the Education cost above, the projected cost is 4,457 records × $111 per record = $494,727
• Cost of insurance is a premium based on the size of the district, but it works out to about $1 for each current student in the District

Page 15: Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

Your budgets are tight and will remain tight for the foreseeable future
• They are tight and it will cost more money, but as you will see shortly, it is very affordable: approximately one loss every 15 years pays it back
• Will cover not only current PII records (students, employees and applicants) but also historical records retained by the District

Never had a claim involving a breach, at least you don't think you have had one
• Not a liability issue as much as an internal cost issue if you have a breach and need to comply with the law
• Buying the expertise on how to handle a breach, unlike the State of Georgia case

Your IT folks assure you the District's firewalls are sound and present no risk of penetration
• Not an IT / firewall issue; it is a mishandling issue

Page 16: Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

I think we already have coverage somewhere else
• Excluded under the GSBA RMF Coverage Agreement and ISO policy forms
• The intent is not to provide the coverage, but the forms are silent on some of the liability exposures
• Will be absolutely excluded as of 7/1/2014

New coverage being pushed by carriers but really no losses out there
• We've shown you some examples of actual losses
• Beazley has 2,500 policies and is expecting 800 breaches this year alone
• Few and far between, but when they happen, they could be very large and confusing for the District involved

Page 17: Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

I do not want to be the first one to buy the coverage
• You are not: 12-13 districts are already buying from the GSBA RMF solution

It is not on our radar screen; we will look at this next year
• Perfectly acceptable to prepare and budget for it
• Be aware that full clarifying exclusions go into effect on July 1, 2014
• The current proposals provided to all GSBA RMF members are effective until 12/31/2013; after that, new members will be re-evaluated as of July 1, 2014

We have immunity from this type of loss
• From a liability standpoint, probably; but from a first-party notification standpoint, you must comply with the law

Page 18: The GSBA Solution

• Conservative approach, but one based on making sure School Districts in Georgia have a competitive, broad coverage option to address this growing exposure
• RMF has worked with Beazley, a prominent carrier in the Cyber Insurance space, to initially offer a group-purchased option for each School District in RMF
• Over the next couple of years, RMF will assume some of the risk via the pool to make sure pricing remains stable and any underwriting profits accrue to the benefit of School Districts
• Beazley will issue policies and has the infrastructure to guide a Member through any type of breach and to help reduce the exposure of a breach

Page 19: The GSBA Solution

• The goal is to adopt the Beazley form into the RMF coverage document as of July 1, 2014, so that we have an affirmative grant of coverage in the coverage document
• For July 1, 2013, coverage purchased will be on a stand-alone basis with a policy issued by Beazley
• Quotes were provided in late June to all RMF Members
• Quotes are open to bind through 12/31/2013 on a pro-rata basis
• Even once the form is adopted into the RMF coverage document, and RMF assumes a layer of risk as it does now on the property and liability coverage lines, Beazley will provide the specialty claims and risk control services to the Members

Page 22: The GSBA Solution

• There are six coverage parts in the policy that has been negotiated with Beazley
• In keeping with the pool approach, there is some sharing of limits amongst all the Members in exchange for more competitive pricing for each Member

Overview of Program Structure:

Coverage Part 1.A. – Information Security and Privacy Liability
  o Liability to a third party as a result of a failure of your network security to protect against identified threats
  o Liability to a third party as a result of the disclosure of confidential information

Page 23: The GSBA Solution

Overview of Program Structure:

Coverage Part 1.B. – Privacy Breach Response Services
  o Crisis management and identity theft response services and expense coverage, in order to comply with regulatory requirements
  o This also includes the expense of retaining a crisis management firm to perform a forensic investigation to protect or restore the School District's reputation as a result of a breach of privacy event
  o Based on the number of individuals to notify, not a limit of liability

Coverage Part 1.C. – Regulatory Defense and Penalties
  o Fines and penalties associated with the School District's violation of a Privacy Law related to an insured breach

Coverage Part 1.D. – Website Media Content Liability
  o Expansion, for Cyber exposures, of the coverage provided under the Personal Injury and School Leaders Liability coverage, but without some of the electronic-means limitations

Page 24: The GSBA Solution

Overview of Program Structure:

Coverage Part 1.E. – Crisis Management and Public Relations
  o To pay for the public relations and crisis management expenses associated with managing a breach that gets into the public eye via newspaper, radio or television, in order to rebuild the School District's reputation or to avoid undue damage in the reporting of the breach event

Coverage Part 1.F. – PCI Fines and Costs
  o Coverage for direct monetary fines and penalties owed by the School District under the terms of a Merchant Services Agreement, where the alleged breach was the result of non-compliance with the published PCI Data Security Standards

Page 25: The GSBA Solution

Limits of Liability to Members:

• Any-one-claim limit, combined from all sections except Privacy Breach Response Services, is $1,000,000
  o Subject to no more than $500,000 from Regulatory Defense and Penalties and $50,000 each from Crisis Management and PCI Fines and Costs
  o The overall RMF fund aggregate limits for all Members, from all coverage lines except Privacy Breach Response Services, are 10 times each of these limits ($10,000,000, $5,000,000 and $500,000 respectively)

• For Privacy Breach Response Services there is no limit of liability, as the coverage is based on the number of Notified Individuals
  o The RMF fund has an aggregate of 500,000 Notified Individuals, subject to sub-limits for the legal and forensic expense coverage part, which is limited to 250,000, and the foreign Notified Individuals extension, which is limited to 50,000
  o Overall RMF fund aggregate limits are again 10 times

Page 26: The GSBA Solution

Retention / Deductibles for Members:

• Any-one-claim retention, combined from all sections except Privacy Breach Response Services, is $25,000

• For Privacy Breach Response Services, the retention is broken into two parts:
  o All costs and services under the legal and forensic services, combined with the notification costs, would be $10,000 combined, subject to a sub-retention of no more than $5,000 in legal expenses
  o Under the Call Center Services and Credit Monitoring Program, the retention of any expenses is limited based on the size of the district:
    • Small Members (fewer than 1,000 FTEs) would be responsible for any breaches involving fewer than 25 individuals
    • Medium Members (more than 1,000 but fewer than 10,000 FTEs) would be responsible for any breaches involving fewer than 50 individuals
    • Large Members (more than 10,000 FTEs) would be responsible for any breaches involving fewer than 100 individuals

Page 27: The GSBA Solution

Premium Brackets:

• Premium is based on FTE (current student and staff combined)
• Includes coverage for alumni records even though the alumni count is not included in the FTE for premium determination

Here are the proposed pricing ranges based on Student Enrollment (the last column is unlabeled on the slide; its values total 12, matching the 12-13 districts already buying):

Student Enrollment   Premium Range         Count
30,000 plus          $29,638 to $31,453    0
20,000 to 29,999     $24,432 to $28,227    0
10,000 to 19,999     $13,903 to $21,683    0
5,000 to 9,999       $7,111 to $11,504     2
2,500 to 4,999       $4,392 to $6,658      3
1,000 to 2,499       $1,942 to $4,005      4
999 or less          $500 to $1,628        3

GWP To-Date: $45,467

Page 28: Conclusion

• The exposure is here to stay
• Computers and mobile devices that store personal information about your employees and your students are an integral part of your District
• Accidental loss of, or criminal appropriation of, that personal information will continue to happen whether you have good firewall protection or not
• Attacks are getting more frequent and more sophisticated
• Accidents are getting more frequent as we ask staff to do more in a day than ever before
• GSBA RMF and Beazley offer you broad coverage at a reasonable premium and a team ready to respond when necessary