Under Lock And Key


Risk transfer solutions to limit liability for security and privacy data breaches

Published in: Technology, Business

  1. Financial Services Group, Canadian Advisory 2009. Under lock and key: risk transfer solutions to limit liability for security and privacy data breaches

Data security increasingly at risk

There isn’t a day that goes by without news of a privacy breach in some part of the world. In fact, a whole cottage industry has evolved, whereby hundreds of websites regularly monitor data security breaches. Canada has not been immune to the privacy breach phenomenon, as evidenced by the fact that such breaches have more than doubled in this country since 2008, according to a June 2008 survey conducted by CA Canada. Most recently, the Heartland Payment Systems breach has affected over 140 banks and credit unions, including many from Canada. Companies and government agencies that have experienced privacy breaches over the past two years include Canada Post, Bell Canada, Passport Canada, The Canadian Imperial Bank of Commerce, Air Canada, The Canadian Bar Association, DaimlerChrysler Financial Services Canada Inc., Club Monaco, and of course Winners/HomeSense.

Current privacy regulations

Private-sector Canadian companies that deal with customer information must abide by the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) or equivalent provincial legislation. In accordance with these statutes, businesses must ensure that safeguards are implemented to protect personal information against loss or theft, as well as unauthorized use, distribution and disclosure. The public sector and governments are regulated by the Privacy Act, and there are a number of other statutes that deal specifically with the treatment of personal information by health care providers.

Enforcement of regulations

Provincial and federal privacy commissioners, who oversee the application of privacy legislation, have the right to conduct investigations of alleged violations of privacy laws, which can be quite costly as well as embarrassing. They also have the right to refer non-compliance to the courts, which have wide powers to award damages for privacy breaches.

Additional legislation

Industry Canada has tabled a proposal that will amend PIPEDA to provide for a national mandatory breach notification law, and there are amendments in the works for many existing statutes, setting out data management standards and spelling out the consequences of fraudulent procurement of personal information.

For more information please contact:

  • National: Brad Lorimer, Senior Vice President, National Director, 416.868.2479, brad.lorimer@aon.ca
  • National: David A. Griffiths, Senior Vice President, National Consulting Director, 416.868.5554, david.griffiths@aon.ca
  • Ontario: Mark LeSaevage, Vice President, 416.868.5795, mark.lesaevage@aon.ca
  • Québec: Bernard Dupré, Vice President, 514.840.7783, bernard.dupre@aon.ca
  • Prairies: Kathleen Cook, Prairie Region FSG Leader, 403.267.7878, kathleen.cook@aon.ca
  • B.C.: Paul Lively, Senior Vice President, 604.443.3353, paul.lively@aon.ca

www.aon.com
  2. Under lock and key: risk transfer solutions to limit liability for security and privacy data breaches

Risks to data security

Businesses are under increasing pressure to put data online in order to serve clients. This has resulted in a worldwide technology and communications infrastructure that is vulnerable to both internal and external risks.

With that in mind, companies should take a detailed look at their data security risk management practices and strategies as they pertain to sensitive, confidential or proprietary personal identifiable information from customers, business partners, prospects or employees in the following areas:

  • collection
  • aggregation
  • processing
  • use
  • transfer
  • storage
  • distribution
  • destruction

It is safe to say that most companies engage in some or all of these activities, and thus are at risk for liability stemming from data security and privacy breaches.

Lawsuits and third-party liability

It should come as no surprise that most of the litigious activity involving data security breaches is initiated out of the United States; however, Canadians are catching on quickly. Class action lawsuits were brought against Winners and HomeSense in almost every Canadian province for damages arising out of the TJX security breach. The costs in connection with the potential liability to third parties for privacy and data breaches due to corporate negligence are a growing concern.

First-party losses

Even if a security breach does not result in a lawsuit or regulatory investigation, the first-party costs associated with internal investigations, public and investor damage control, discounted services and lost employee productivity can be crippling. Ponemon Institute research indicates that the cost of a data breach is now over $200 per compromised customer record.

Preparing for increased regulation and enforcement

It is clear that the public is pushing for greater liability for those responsible for security and privacy breaches. As a result, entities that deal with personal, identifiable information should prepare themselves for the prospect of increased regulation and enforcement by government, as well as enforcement through private sector lawsuits.

It is very important for these entities to review and audit their existing insurance policies to determine what, if any, coverage they have for first and third party claims arising out of security and privacy breaches.

Risk transfer solutions

Commercial general liability policies may appear to provide some coverage for third-party losses; however, U.S. courts have recently ruled that data is not considered tangible property under certain CGL policies and, as a result, have excluded coverage.

Professional liability policies may cover a number of security and privacy breach exposures faced by insureds while rendering professional services to their clients/customers, but may not respond to claims for breaches that arise outside of that arena.

Fidelity, employment related practices, data processing, computer fraud, advertising and kidnap and ransom policies are generally not intended to cover privacy and data breaches, and there are significant coverage gaps in each.

Privacy and data loss liability coverage

A number of insurance carriers have developed specific privacy and data loss liability coverage products that provide coverage for businesses when data in their care and control is compromised.

For the fullest coverage, it is important to determine whether these policies will respond to claims from employees, customers and corporate clients, as well as from the insured itself for damages, defense costs, administrative expenses, notification costs, crisis expenses and credit monitoring expenses.

Conclusion

In determining the most appropriate risk transfer solutions for companies seeking to limit their liability for security and privacy data breaches, it is highly recommended that advice be procured from an experienced insurance professional. Only then can a decision be made as to whether an alteration and/or endorsement to an existing insurance product, or the placement of a specialized stand-alone policy is most appropriate from a coverage and cost perspective.

Brian Rosenbaum LL.B
Aon Financial Services Group
Director, Legal and Research Practice

This publication contains general information only and is intended to provide an overview of legal, liability and insurance issues. The information is not intended to constitute legal or other professional advice.