Cyber risk related to information security is growing. A potentially huge exposure for transportation companies is the personal data of their current and prospective drivers.
2. HOUSEKEEPING
• Slide deck will be posted on hni.com
• Q&A at the end, but feel free to ask questions throughout
• Tweet @HNIRisk or use the hashtag #hniu to win some HNI swag!
4. WHO'S ON THE LINE
MODERATOR: Andrea Tarrell
Director of Marketing
HNI
atarrell@hni.com
SUBJECT MATTER EXPERT: Kevin Zinter
Senior Vice President
AmWINS
Kevin.Zinter@amwins.com
5. Outline Summary
• Review of exposures
• Review of Wisconsin and state laws, and other Federal Laws
• Explanation of Insuring Agreements
• Brokering Challenges
• Stats
• Underwriting Questions
• Sample Transportation Industry claims / incidents
• Risk Management Services
• Why AmWINS
6. Cyber/Privacy Exposures facing the Transportation Industry
• Collection of sensitive personal information
• Exchanging information with vendors, providers, outsourced firms, etc.
• Use of network to provide services to others
• Holding confidential business information (your own or third parties')
• Outsourcing services to third parties – e.g. logistics firms, freight brokers, data processing, billing and collections, etc.
• Disseminating information and media online
7. Federal Laws
• Consumer notification of potential loss of data is required in 47 states, Puerto Rico, and DC.
• Personally identifiable information (PII) and protected health information (PHI) are currently governed by a patchwork of federal and state laws:
  – The Family Educational Rights Privacy Act (FERPA)
  – HIPAA
  – Children's Online Privacy Protection Act
  – Gramm Leach Bliley Act (GLBA)
  – Fair Credit Reporting Act
  – Sarbanes-Oxley (SOX)
  – Federal Privacy Act
  – HITECH Act
  – Red Flags Rule
  – President Obama's Cybersecurity Executive Order, among others.
8. Wisconsin Notification Requirements
Security Breach Definition
When an Entity whose principal place of business is located in WI, or an Entity that maintains or licenses PI in WI, knows that PI in the Entity's possession has been acquired by a person whom the Entity has not authorized to acquire the PI; or, in the case of an Entity whose principal place of business is not located in WI, when it knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI.
9. Wisconsin Notification Requirements
Notification Obligation
Any Entity to which the statute applies shall make reasonable efforts to notify each subject of the PI.
An Entity is not required to provide notice of the acquisition of PI if the acquisition does not create a material risk of identity theft or fraud to the subject of the PI, or if the PI was acquired in good faith by an employee or agent of the Entity and is used for a lawful purpose of the Entity.
An Entity shall provide the notice within a reasonable time, not to exceed 45 days after the Entity learns of the acquisition of PI. A determination as to reasonableness shall include consideration of the number of notices that an Entity must provide and the methods of communication available to the Entity.
10. Wisconsin Notification Requirements
Penalties
No penalties defined or outlined.
Considerations
• Wisconsin does not require an automatic offer of free credit monitoring to breached individuals.
• Wisconsin does not require entities to notify the state Attorney General or any other governmental agencies, but it does require notice to all consumer reporting agencies and credit bureaus if more than 1,000 residents are to be notified.
• Additional notification obligations apply depending on the state where the consumer (affected individual) is located.
http://www.beazley.com/business_lines/technology_media__business/data_breach_map.aspx
11. What is the difference between 1st Party Risk and 3rd Party Risk in a Cyber Liability Policy?
1st Party Risks
Direct loss incurred by our insured because of "injury" to electronic data or systems resulting from acts of others:
• Costs of fixing the problem
• Expenses to protect customers (including notification and credit monitoring costs)
• Other expenses to mitigate loss (including PR and publicity costs)
• Theft of data & intangible property
• Loss of future income
• Cyber extortion
3rd Party Risks
Liability for financial losses or costs sustained by others resulting from internet or other electronic activities:
• Defense expenses
• Damages resulting from customer suits and suits from others for personal/content injury, intellectual property claims, professional services, and injury from a security or privacy breach, or Regulatory fines/penalties.
12. Basic Insuring Agreements Found in Most Forms
1. Privacy/Security Liability
Third party claims alleging failure to protect an individual's PII, whether through a network & information security failure, unauthorized access & unauthorized use, etc.
13. Basic Insuring Agreements Found in Most Forms
2. Notification Costs
The hot button sublimit, and the main premium driver within a Cyber Liability policy. When private/confidential information is lost, this insuring agreement covers the cost to notify those individuals/victims that their private information was lost or stolen. 47/50 states have laws outlining the requirements to notify, usually within a short period of time. Credit Monitoring is also often included within the Notification limit. Some forms will include Credit Repair/Remediation Services – the actual cost to repair a victim's credit history if their information was used fraudulently.
14. Basic Insuring Agreements Found in Most Forms
3. Crisis Management & Forensic Expenses
Costs of hiring an outside PR / consulting firm to handle media inquiries, restore the insured's brand image in the media, assist with the drafting of notification letters to breached individuals, and provide expert strategies/solutions for the exact claim scenario. Forensic Expenses covers the costs for an outside expert to help determine the scope of the breach, what was exposed, and possibly eradicate the intrusion.
15. Basic Insuring Agreements Found in Most Forms
4. Regulatory Defense & Penalties
The costs to handle inquiries & investigations, and the possible resulting fines/penalties levied against the insured by a regulatory or governmental body. An increasing number of regulations exist related to the protection of confidential data, and all signs point towards increased enforcement (FTC, State Attorneys General, etc.).
16. Basic Insuring Agreements Found in Most Forms
5. Extortion/Threat Expenses
Covers expenses incurred if the insured is contacted by an individual threatening to hack or shut down the system, which might include a demand for payment.
17. Basic Insuring Agreements Found in Most Forms
6. Business Interruption
Interruptions in business due to breaches of a company's network (e.g. a denial of service attack).
18. Basic Insuring Agreements Found in Most Forms
7. Media/Content
Covers libel, slander, and other forms of disparagement with respect to display of material, as well as copyright infringement. A well written Media insuring agreement will also respond to Social Media exposures, such as disparaging statements made via a company's official Twitter/Facebook page which may result in a suit brought by a 3rd party vendor/partner or an offended individual.
19. Basic Insuring Agreements Found in Most Forms
8. Hacker Damage
Covers the cost to repair/replace/restore damaged or destroyed data the insured had in their possession, to the state it was in previously, as a result of a hack/incident.
20. Basic Insuring Agreements Found in Most Forms
9. PCI Fines/Penalties
Covers violations of the Payment Card Industry Data Security Standard, as levied against the insured. Generally brought as a fine or penalty, and cited as a violation of a PCI Standard as defined under Payment Card Company Rules. PCI governs the safeguarding of sensitive payment card information by merchants.
21. Brokering Challenges: Why It's Not Covered Elsewhere
• General Liability covers bodily injury and property damage, not stolen identities.
• Property Insurance does not consider data as property.
• E&O policies cover services performed for others for a fee. The primary intent of an E&O policy is covering a mistake/error/omission in the course of an individual's professional service. While there is limited invasion of privacy coverage in an E&O form, the intent is only to cover errors in the course of professional services. You won't get notification expense coverage or credit monitoring services coverage on an E&O policy, which are your primary 1st party sublimits.
22. Brokering Challenges: Why It's Not Covered Elsewhere [Cont'd]
• Directors & Officers Coverage does not cover the key 1st party expenses that are provided on a Cyber form. D&O is primarily for the directors' & officers' fiduciary duty in running the company, and will not extend coverage for 1st party expenses associated with a breach situation.
• Media Liability policies only cover content for libel, slander and copyright, and don't fully respond to the interrelated nature of a breach incident that turns into a Media claim.
• Crime Insurance covers employee theft of money, securities and property. A data record can be stolen, but you may not see a financial loss for many years. In the absence of the privacy/security policy, there wouldn't be coverage for the notification and credit monitoring, which are your primary 1st party sublimits. There can be some overlap though, at least for financial institutions, and some carriers are now offering a combo Cyber-Crime policy.
23. Brokering Challenges: Non-Standard Policy Language
Carriers use different language, and it can be difficult to decipher. Just a few examples from various carriers:
COVERAGE TYPE          | AIG                            | CHUBB                                                         | TRAVELERS
Security               | Security & Privacy Liability   | Cyber Liability                                               | Network and Information Security Liability
Privacy                | Security & Privacy Liability   | Cyber Liability                                               | Network and Information Security Liability
Media/Content          | Media Content Insurance        | Content Injury and Reputational Injury                        | Communications and Media Liability
Regulatory             | Regulatory Action              | Regulatory Defense                                            | Regulatory Defense
Business Interruption  | Network Interruption           | E-Business Interruption                                       | Business Interruption
Breach Response Costs  | Event Management               | Privacy Notification Expenses and Crisis Management Expenses  | Crisis Management Event Expenses and Security Breach Remediation and Notification Expenses
Extortion/Threat       | Cyber/Extortion                | E-Threat Expenses                                             | E-Commerce Extortion
24. Brokering Challenges: Exclusions to Watch For
• Losses arising out of unencrypted portable devices
• Notice of Claim Timing – are you required to report a claim within a certain number of days of the event/incident?
• Limitation of expenses paid out to within a certain number of days of the event
• Stacking of Retentions
• Failure, interruption, or outage of internet access service provided by the internet service provider that hosts the insured's website
• Failure / Requirement to update antivirus and maintain security levels referenced on the application
25. Brokering Challenges: Exclusions to Watch For
• Failure to continuously implement the procedures and risk controls identified in the application, whether orally or in writing
• Failure to follow, in whole or in part, the Minimum Required Practices as listed by Endorsement
• Failure to meet any service levels, performance standards, or metrics
• Failure to use best efforts to install commercially available software product updates and releases, or to apply software patches
• Inability to use or inadequate performance of software programs due to the expiration or withdrawal of technical support by the software vendor, or that are in development or otherwise not authorized for general commercial release
26. Brokering Challenges: Exclusions to Watch For (cont)
• Wear and tear, drop in performance, progressive deterioration, or aging of electronic equipment and other property or computer hardware being used by the insured
• Malfunction or defect of any hardware, component or equipment
• Involving wireless networks that are not under your control, or information exchanged over unsecured wireless networks
• Does Regulatory coverage include coverage for fines/penalties, or just the Defense?
• Does Media coverage cover all forms of Media, or just online Media?
31. Privacy: Costs of an Incident
$3.5m*
Average total cost per reporting company. Of that figure, Defense ($575k) and Settlement ($300k) continue to be a huge portion.
*NetDiligence June 2013 study
32. Privacy: Costs of an Incident
$737K Average cost for Crisis Services (forensics, notification, credit monitoring)
$50K The average PCI fine.
$150,000 The average Regulatory fine.
$3.94 Average per-record Notification Cost of a data breach. Per-record notification estimates range from $2-$400, depending on the sample size and claims studied. Other factors include vendors used in the Notification process, and whether defense costs, PR costs, and other expenses are lumped into the per-record estimates.
*NetDiligence June 2013 study
33. Privacy: Costs of an Incident
Breaches involving malware or spyware are 4.5x more costly than breaches involving unintended/accidental disclosure**
**Beazley Analysis Findings 2014
34. Questions to consider:
• Do you hold any personally confidential data of any employees, customers, clients, etc.? If so, how many individual records?
• Do you hold any corporate information or trade secrets for any of your clients?
• Are you aware of the notice requirements in each state if you lose control of that data?
• What steps would you take / who would you call if you lost those private records?
• Do you have a corporate-wide privacy policy?
• Do you have a disaster plan specific to data breaches?
• Are your records stored electronically? Paper? Are the records secure? Do you shred?
35. Questions to consider:
• Do any employees have access to private client records? Do you allow use of USB drives on computers with access to private data?
• Are any records ever handled by a third party?
• Are all of your laptops, mobile devices, and wireless connections encrypted?
• Are you confident your antivirus and firewall systems are 100% effective?
• How would your clients respond if you lost their private records? Do your contracts promise to do the notification if you lose their records – or will they do the notification process?
• If your network was damaged or disabled by a virus or hacker attack, would it be material to your revenues/income? Do you have a backup system? How long would it take you to recover?
36. Additional Underwriting Questions that go into quoting a risk:
Review of controls & protocols on portable devices:
• How many portable computers are in circulation and what % are encrypted?
• Are users able to store data to the hard drive?
• Is the actual data on the portable device encrypted?
• Is tracking software installed on portable devices?
• Have workstations been configured to prevent the storage of data to USB devices?
• Do you have backup tapes, and if so, are they stored offsite? How are they transported?
• Are the backup tapes encrypted?
• Do you issue company smart phones to employees? Are they encrypted?
• Do employees access confidential information on their smart phones?
• Is all data backed up on a daily basis?
• In the event of a breach, do your contracts put the requirement to do notification on the vendor who lost your information, or are you doing the notification?
37. The Biggest Breaches of All Time
Heartland Payment Systems – 134m records lost
Target – 110m records lost
eBay Inc. – 145m records lost
Adobe – 152m records lost
TJ Maxx – 94m records lost
Home Depot – 56m records lost
Epsilon – 60m records lost
RSA Security – 40m records lost
Stuxnet – Attack on Iran's nuclear power program
Department of Veterans Affairs – 26.5m records lost
Sony's PlayStation – 77m records lost
ESTsoft – 35m records lost
Gawker Media – 1.3m records lost
Google – Chinese govt infiltrated systems & stole intellectual property
VeriSign – Not disclosed
CardSystems – 40m records lost
AOL – 650k records lost
SC Dept of Revenue – 4m records lost
WikiLeaks – Ongoing…
Advocate Medical Group – 4m records lost
38. Trucking/Transportation Claims Examples
CorporateCarOnline
11/4/13 – Kirkwood, MO
Hackers stole and stored information online related to customers who used limousine and other ground transportation. The online information included plain text archives of credit card numbers, expiration dates, names, and addresses. Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.
Records from this breach: 850,000
Source: www.Privacyrights.org
39. Trucking/Transportation Claims Examples
Yusen Logistics
10/25/13 – Secaucus, NJ
An unencrypted laptop was stolen from an employee's vehicle sometime around September 23. It contained a spreadsheet with payroll deduction information for former and current Yusen Logistics Americas employees. It contained names, Social Security numbers, addresses, and payroll benefit deduction amounts from the period of July 2013 to September 2013.
Records from this breach: unknown
Source: www.Privacyrights.org
40. Trucking/Transportation Claims Examples
US Department of Transportation
8/9/06 – Washington, DC
The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County, 42,800 persons in FL with FAA pilot certificates and 9,000 persons with FL driver's licenses. A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot.
Records from this breach: 132,470
Source: www.Privacyrights.org
41. Trucking/Transportation Claims Examples
Allied Waste
4/12/08 – Boston, MA
A strap on a garbage truck snapped and sent reams of intact financial reports over downtown Boston streets.
Records from this breach: unknown.
Source: www.Privacyrights.org
42. Trucking/Transportation Claims Examples
Laboratory Corporation of America
3/27/10 – Burlington, VT
Thousands of medical documents fell out of a truck bed while in transit. The scattered documents contained billing information and possibly medical records from 1993 or later.
Records from this breach: unknown
Source: www.Privacyrights.org
43. Trucking/Transportation Claims Examples
Federal Reserve Bank of Dallas
8/9/05 – Dallas, TX
A truck driver lost thousands of Federal Reserve Bank checks headed to Houston. It seems that the back door of the truck was not closed when the driver left the loading area. Paid and canceled checks with Social Security numbers, names, addresses and signatures were scattered on the highway between Dallas and Houston. Most of the checks were not recovered.
Records from this breach: unknown
Source: www.Privacyrights.org
44. Trucking/Transportation Claims Examples
Various Taxi Cab Companies in Chicago
3/13/14 – Chicago, IL
In an unprecedented move, First American Bank made a public announcement regarding fraudulent activity they were seeing on both credit and debit cards of their customers, specifically related to cab rides in the city of Chicago. The bank is urging both residents and tourists to avoid paying for their cab rides with either debit or credit cards.
The ongoing breach appears to be related to the card processing systems used by a significant number of taxis in the city of Chicago. The bank has reported the breach to MasterCard. They have also reached out to Banc of America Merchant Services and Bank of America, the payment processors for the affected payment systems within the affected taxi cab companies. First American Bank is urging that Banc of America Merchant Services and Bank of America discontinue payment processing for the taxi companies that have been targeted in this breach. So far, neither entity is commenting on the breach or appears to be halting the processing services.
Records from this breach: 500+
Source: www.Privacyrights.org
45. Trucking/Transportation Claims Examples
Various Trucking firms
October 2008
A group of Russian immigrants used their hacking skills to effectively run a trucking company that didn't exist. They would hack into a Department of Transportation website (Safersys.org) that listed licensed trucking firms to change the contact info (temporarily) on certain firms to their own address and phone number. Then, they would go to another online site that listed cargo in need of transportation. They'd pose as the firm whose contact info they'd replaced, get the deal, and then go find another trucking firm to actually deliver the cargo.
The cargo itself would get delivered, and the scammers would contact the original cargo owners to get paid. Then, the company that actually delivered the cargo would contact the company these scammers pretended to be working for, and discover that it had no clue what they were talking about. This scam was effective enough to net the scammers over a half-million dollars. The scammers were eventually arrested.
Source: www.Privacyrights.org
46. Trucking/Transportation Claims Examples
ZombieZero
July 2014
Logistics firms that purchase a handheld scanner used to track shipments as they are loaded and unloaded from ships, trucks, and airplanes are being warned the scanners may be infected with malware. The inventory scanners are made in China, and are allegedly being implanted with the malware purposely by the manufacturer, in an attempt to steal corporate data as well as the "manifests" – what's on the particular load and where it is going. This could in turn be used to re-route or steal the inventories/loads.
Source: www.Privacyrights.org
47. Cyber Summary
Security
Failure of network and information security
Privacy
Failure to protect private or confidential information
Media
Libel, slander, and other forms of disparagement with respect to display of material, or infringement of a copyright / trademark
Regulatory Coverage
Fines/penalties and defense costs incurred during an investigation from a governmental or regulatory agency
First Party Coverages
Privacy Notification & Credit Monitoring Expenses
Crisis Management / PR Expenses
Forensic Expenses
Extortion/Threat Expenses
PCI Fines & Penalties
Business Interruption
48. Risk Management is the Key
• eRiskHub – http://eriskhub.com/
• Beazley – www.nodatabreach.com – Q&A sections, incident examples, white papers on security "best practices", etc. Access to security professionals who only work with Beazley policyholders in answering questions and dealing with incidents.
• Expect the unexpected
• Need expertise and experience immediately
• Know what vendors and partners to call