Cyber Risks

CYBER RISKS Cyber Security, Privacy and the Regulatory environment

What is cyber?
What does the term “cyber” mean? Refers to the use of computers, internet, computer networks, and electronic information databases

What creates cyber/privacy risk?
internet connectivity
e-commerce
business websites and internet advertising
customer forums and support/message boards
credit card processing/online payment
data storage, ISP, website design
providing media content
paper documents

What is a data/privacy breach?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property.
Street values: $50/medical identity vs. $1/SSN*
*American Health Information management Association

What is 1 st party and 3 rd party?
The Cyber Risks to which an organization is exposed fall into two general categories and Insurance coverage is available for both :
1) Those losses suffered by an organization (1 st Party Losses)
– extortion, employee theft, system failure, etc.
2) An organization's liability to third parties (3 rd Party Losses)
– hacker theft of data, Intellectual Property Infringement,
etc.

Foundations of Cyber Risk
Focus is on data about the person not the person (e.g. traditional privacy torts)
Information technology and the Internet magnifies the risk
Multi-jurisdictional exposure
Data security v. data privacy

Data Security Risks
Protection Risks (Information security): failure to implement adequate measures to protect private information from theft by others or disclosure to unauthorized persons
Failure to Warn Risks : failure to warn of actual or suspected unauthorized access to Personal Identifiable Information (PII) - e.g. breach notice laws

Data Privacy Risks
Collection Risk : intrusively or secretly collecting PII without the consent of the individual
Disclosure and Mishandling Risk : mishandling of PII, disclosing PII in a fraudulent manner or providing PII to bad actors without consent
Choice/Consent Risks : failure to provide person with choice on how their PII is collected/handled, including failure to provide opt-in/opt-out
Notice Risks : failure to provide notice of PII handling practices or the provision of inadequate or fraudulent notice
Accuracy/Integrity Risks : disseminating inaccurate PII or failure to correct PII
Access Risks : failure to provide access to collected PII
Lack of Privacy Policy/Inadequate Privacy Policy

Regulatory Environment
Florida Law (as of 9/6/2011) Fla Stat. 817.5681(7/1/2005)
Triggering Event : unlawful & unauthorized acquisition of computerized data that materially compromises security, confidentiality or integrity of PI unless investigation finds misuse of PI has not occurred or will not reasonably likely occur (retain documentation for 5 years)
Civil or Criminal Penalties: Yes (gov’t agencies are exempt)
Pre-breach measures required : No
Timing of Notification : Without unreasonable delay, but no later than 45 days unless investigation finds misuse of PI has not occurred or will not reasonably likely will occur (must retain documentation for 5 years)
Other parties to notify? : Consumer Reporting Agencies if notifying over 1,000 persons

Regulatory Environment
Information Security Laws
Control Requirements :
HIPAA
FACTA ID Theft Red Flag Rules
Data disposal laws (e.g. Colo. Rev. Stat. Ann. §6-1-713)
Encryption laws (Mass and Nevada)
State “reasonable security” laws (e.g. Cal. AB 1950)
Gramm-Leach Bliley (GLB --Financial Industry)
Written Information Security Program (Mass)
International laws (EU Data Protection Directive)
Failure to Warn Laws:
“ Breach-Notice Laws” in about 46 States
HITech Act (within HIPAA): 2011 Annual Report to Congress Statistics

The Value of Your Data
Information and Intellectual Property are an organization’s most valuable asset today
No longer a “Bricks & Mortar” world
Impact of a data breach on an organization is huge
Financial
Business Distraction
Loss of Customers
Damage to Reputation
The “Next Product” – becoming a standard product

Other Coverage
The Cyber Risks to which a corporation is exposed fall into two general categories and insurance coverage is available for both:
1) Those losses suffered by an Insured(1st Party Losses)
2) An Insured's liability to third parties (3rd Party Losses)
Standard Property, Liability or Crime policies will not traditionally cover damage to or loss of intangible assets (data and systems) so there exists a significant gap in coverage, both in terms of exposure and because of the ever greater dependency on technology to be able to do business.
Traditional property/casualty programs do not meet the need !

Typical Agreements/Capabilities
Third party liabilities:
Technology E&O
Employee Privacy
Intellectual Property(electronic media)
Network/Privacy Liability
Denial of Service
Transmission of malicious code
First party losses:
Unauthorized access
Cyber extortion and cyber terrorism
Unauthorized use
Loss of digital assets
Business interruption(non CGL)
Security event costs

First Party Causes of Loss – May Include
Accidental Damage or Destruction
Physical damage of data – no longer machine-readable
Failure of power supply that is under your direct control
Administrative or Operational Mistakes
Entry or modification of your data
Computer Crime and Computer Attacks
Malicious code introduction; unauthorized access; unauthorized use; denial of service attack

Non-Physical Business Interruption
Extra expenses incurred to avoid or minimize suspension of business
Lost profits (net income)
Fixed operating expenses incurred during the period of restoration
Costs related to outside consultants and service providers

Network Security and Privacy Liability
Damages and claim expenses arising from an alleged breach of security or privacy breach
3 rd party suits involving Damages
Typically includes errors or omissions by outside service providers for whom you are legally liable

Cyber Extortion Threat
Extortion expenses and extortion monies resulting directly from a credible threat during the policy period
Typically includes requirement to involve law enforcement, FBI (every reasonable attempt to consult with) prior to payment of extortion monies

Electronic Media Liability
Publishing liability for content on your internet or intranet site
Defamation, libel, slander
Invasion of privacy
Plagiarism, misappropriation
Copyright or domain name infringement
Excludes any patent infringement

A Cyber Event Occurs: Now what?

Cyber/Privacy Insurance
Family Planning Council of Philadelphia: April 9th. Employee stole a computer storage device (flash drive kept in another employee’s desk) containing the personal and medical records of about 70,000 patients. No indication that the missing patient data had been inappropriately used.
Gucci: April 6th. Network engineer who was terminated by the company used his expertise and insider access to delete documents, emails and shut down Gucci’s server in excess of 24 hours.
New York Yankees : April 28th. Employee mistakenly sends email that contained a spreadsheet attachment with the personal information of 17,000 season ticket holders to other season ticket holders.

Family Planning Council of Philadelphia: April 9th. Employee stole a computer storage device (flash drive kept in another employee’s desk) containing the personal and medical records of about 70,000 patients. No indication that the missing patient data had been inappropriately used.
Needs relating to this event:
- Investigation/Forensics (Network security team?)
- Defense and coverage counsel expenses
- Determine compliance with all relevant state and federal privacy laws
- Notification and credit monitoring where necessary
- Public Relations
- Possible recovery of data
- Monitoring of data/investigation assistance
- Financial impact

Gucci: April 6th. Network engineer who was terminated by the company used his expertise and insider access to delete documents, emails and shut down Gucci’s server in excess of 24 hours.
Needs relating to this cyber event:
- Investigation/Forensics (Network security team)
- Determine compliance with all relevant state and federal
privacy laws
- Public Relations
- Recovery/correction of data
- business interruption costs (cut email access to entire
country)

New York Yankees : April 28th. Employee mistakenly sends email that contained a spreadsheet attachment with the personal information (specifically the names, addresses, phone numbers and e-mail addresses, seat numbers) of ‘several hundred’* season ticket holders to other season ticket holders.
Needs relating to this cyber event:
- Investigation/Forensics (network security team?)
- Determine compliance with all relevant state and federal
privacy laws
- Public Relations

Professionals Involved in Handling a Cyber Claim
- Breach Notice and defense Counsel(privacy attorneys).
- Computer Forensics Companies.
- Breach Investigation.
- Public Relations Firms.
- Credit Monitoring Firms.
- Breach Notification & Call Center
- data breach incident response planning;
- address list management;
- direct mail capability-prep, print and mail;
- call center;
- returned mail management

Top 10 Trends for 2011
More small scale data breaches in news
“ low-tech” theft will increase
Lost devices will continue to dominate
Data minimization will increasingly be seen as essential
Increased exchange and collaboration will increase risk
More social networking policies implemented
Data encryption = golden ticket
Business associates
Privacy awareness training
Overarching federal law?
*Kroll Fraud Solutions, Top Ten Data Trends for 2011

Cyber Risks

by RickWaldman

Accessibility

Upload Details

Usage Rights

1 Embed 23

Statistics

Cyber Risks Presentation Transcript