Cyber and Social Media Risks: What Board Members Should Know
Presenters: Spence Hoole, Janice Chaffin, Tonia Klausner, Lauri Floresca
Overview
• Why Cyber Risk and not D&O Insurance?
  • Increases in Data Breaches
  • Cyber Liability – a Board Level Issue
  • Cyber Liability Insurance
• Goals and Takeaways
• Role of Directors & Officers
• Practical Implementation
• Q&A
• Legal Exposures from Cyber Activity
• Security and Social Media Risks
• Privacy Issues and Cyber Attacks
  • Why should a Director care?
  • What every Director should know and do
• Understanding Privacy Laws in the US
Why Cyber Risk and Not D&O at Summit?
■ Evolution of changes in exposure to loss . . . brick and mortar risk shifting to network and cyber risks
■ A growing trend – frequency and severity of data breaches
  ■ 2010: largest collection of lost data on record
  ■ In 2009, over $220M personal records were breached (Social Security numbers, medical information, credit card databases)
  ■ Compared to only $35M personal records exposed in 2008
  Source: Databreaches.net / Source: Ponemon Institute LLC
■ Boards’ responsibility in overseeing all organizational risks, including network / cyber risks
■ Cyber Risk insurance for “all” companies is the new, new thing
  ■ This is not your father’s Property and Liability Insurance Program
Privacy Issues and Cyber Attacks
Janice Chaffin, Group President, Consumer Business Unit, Symantec
Why a director should care: protecting Stock Price, Customer Confidence, Intellectual Property, and Brand
THE QUESTION IS NOT WILL YOU BE ATTACKED? THE QUESTION IS WHEN?
WHAT EVERY DIRECTOR SHOULD KNOW
• Who is responsible for Cyber Security?
• Has a cyber risk assessment been done?
• Is there a breach response plan in place?
Who is responsible for Cyber Security?
• Who does he/she report to?
• Does he/she have the authority and resources to succeed?
• Is there an IT Security policy in place?
• Are employees actively engaged?
• Is there a regular cadence for updating the Board?
Has a cyber risk assessment been done?
[Figure: security capability assessment heat map, arranged in three tiers. “Strategic” (e.g., Security Strategy, Executive Sponsorship, Security Organization, Security Metrics, Legal & Regulatory Compliance, IT Risk Management, Security Policy and Procedures, Contingency / Disaster Planning); “Operational” (e.g., Threat Awareness & Handling, Vulnerability Management, Audit Function, Business Continuity, Logging, Monitoring & Reporting, Incident Handling & Response, Configuration Management, Secure Development Cycle, Backup, Recovery & Archiving, Identity Management, Asset Management, Patch Management); “Tactical” (e.g., Host Hardening, Secure Design & Coding, Intrusion Detection & Prevention, Malicious Code Protection, Application Security, Network Encryption, Authentication & Authorisation, Data & Systems Segmentation, Perimeter Security, Storage Security). Rating legend: Exceeds goals / No gaps / Minor gaps / Moderate gaps / Serious gaps / Not applicable.]
What is the breach response plan?
This plan should include clear steps for:
• Containing the breach and handling forensics
• Contacting your security software vendor
• Engaging with law enforcement
• Disclosing the breach
• Managing public relations
• Conducting post-mortem analysis
Use personal best practices online
• Take stock of your online profile
• Never open links from strangers
• Use strong passwords and change them often
• Be conservative about what you share
• Closely monitor security settings on social networks
• Use approved web services only for company content
Summary
• Threats are growing in number and sophistication
• It’s only a matter of time before your company will be attacked
• The stakes are high: be informed and act now
• Don’t make yourself a target
Additional resources
• Estimate Your Risk Exposure: Ponemon Institute Data Breach Risk Calculator http://databreachcalculator.com
• Security Policy Templates and Resources: CSO Magazine http://www.csoonline.com/article/486324/security-tools-templates-policies
• Real-time Reports on Data Loss by Data Breach Type: DB Data Loss http://datalossdb.org
• The FTC’s Guide to Dealing With A Data Breach: http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
• FBI eScams and Threat Warnings: http://www.fbi.gov/scams-safety/e-scams
• Symantec State of Spam and Phishing Report: http://www.symantec.com/business/theme.jsp?themeid=state_of_spam
• Symantec Stuxnet Site: http://www.symantec.com/stuxnet
Contact: Janice_Chaffin@Symantec.com
Privacy Law in the U.S.
• Technology has driven the growth of privacy law
• Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information
• Many of these laws respond to particular issues or concerns
• Result: sectoral approach (industry silos), overlaid with cross-industry requirements
• Contrast with omnibus approach in other regions (e.g., EU)
Some U.S. Privacy Laws
Federal (sectoral):
• Electronic Communications Privacy Act (ECPA)
• Fair Credit Reporting Act (FCRA) + FACTA
• GLB
• CPNI
• FERPA
• HIPAA
• COPPA
• SOX
• FTC Section 5
Federal (marketing and communications):
• Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule)
• Telephone Consumer Protection Act (TCPA)
• Junk Fax Prevention Act
• CAN-SPAM
• US/EU Safe Harbor
• Video Privacy Protection Act
States:
• Spyware
• Social Security #s
• Data Security
• Breach Notification
• Data Disposal
• Point of Sale Data Collection
• ID Theft Legislation
• Security Freezes
• Shine the Light
• Credit Card Security
Data Breach Containment
• Response team
• Accurate records of all events
• Preservation of evidence
• Newly enacted safeguards to prevent recurrence
• Notifications
  • Required: by statute; by contract
  • Other notifications
• Customer relations
  • Call center
  • Protection services
Data Breach Consequences
• Investigations: FTC, State AGs, HHS
• Fines
• Lawsuits
• Breach of Contracts; Loss of Rights/Revenues
• Commercial Reputation
Data Breach Pending Legislation
• Comprehensive notice requirements
• Preemption of patchwork of state statutes
• Possible private right of action
Social Media
• Social Networking – rapid growth online and on handhelds
  • Networks: MySpace, Facebook, LinkedIn, Google+, Twitter, Ning, Tagged, Orkut, hi5, Meetup, Badoo, Friendster
  • Devices: iPhone, Android, iPad, Galaxy, Xoom, Windows 7 Tablet
  • Group messaging: GroupMe, Disco, WeTxt
Legal Risks Beyond Breach
• Many Potentially Applicable Statutes
  • Computer Fraud and Abuse Act
  • ECPA
  • CAN-SPAM / Wireless CAN-SPAM
  • TCPA
  • COPPA
  • Video Privacy Protection Act
• Hot area for class action lawsuits
  • Social programs
  • Geolocation data collection and use
  • Texting programs
Online Advertising
• Collection of information about users’ activities online
  • Web pages visited
  • Searches conducted
  • Content viewed
• Advertisers’ Goal: present users with ads targeting users’ interests
[Figure: Digital Advertising Flow. Source: gridley & co. and gregstuart.com]
A New Perspective on Online Privacy
“Most of the online world is based on a simple, if unarticulated, agreement: consumers browse Web sites for free, and in return, they give up data – like their gender or income level – which the sites use to aim their advertisements. The head of the Bureau of Consumer Protection at the Federal Trade Commission, David C. Vladeck, says it is time for that to change.”
New York Times, August 5, 2009
Industry Created A Self-Regulatory Program
• Self-Regulatory Principles for Online Behavioral Advertising released July 2009
• Advertising Option Icon announced & registration begins October 4, 2010
• Consumer Choice page launched November 2010
• Coalition turns to enforcement, operational implementation, and educational planning
FTC Staff Report on Privacy, December 2010: Said Progress Not Fast Enough
Simplified Choice
• Consumers should have choice about both data collection and usage
• Choice mechanism should be offered at point consumers provide data
• “Do Not Track” proposed as simplified choice mechanism
• Choice not required for a narrow set of practices
  – Fulfillment
  – Internal operations
  – Fraud prevention
  – Legal compliance
  – First-party marketing
  – Contextual advertising
Behavioral Advertising Litigation Risks
• Lawsuits regarding cookies, flash cookies, super-cookies
• Unsettled law: ECPA, CFAA
• Multi-million dollar class-action settlements
Cyber Liability: a Board-Level Issue
Lauri Floresca, Partner, Woodruff-Sawyer & Co.
Cyber Liability: a Board-Level Issue
• Boards increasingly focused on cyber risk exposures
  • ERM Risk Oversight Rules adopted by SEC in 2009
  • Media attention on high profile breaches grows in 2011
  • SEC issues informal guidance on cyber risk disclosure in October 2011
• In a technology-driven world, most companies have some exposure to cyber liability.
  • Customer Records
  • Employee Records
• How to quantify? And how to remediate?
SEC Guidance: A Closer Look
• October 2011 SEC guidance suggests that listed companies should add disclosure on cyber liability to their risk factors based on:
  1. The “probability of cyber incidents occurring”
  2. The “quantitative and qualitative magnitude of those risks”
• Probability ≈ 100%
• Magnitude much more difficult to assess
• SEC also suggests that companies include a description of “relevant insurance coverage”
  • Not straightforward
  • Many different types of insurance policies address cyber liability exposures, and all of them have some coverage limitations
• SEC notes that relevant costs may include:
  • Remediation costs – insurable, sublimits often apply
  • Increased cyber security protection costs – not generally insurable
  • Lost revenues resulting from a cyber attack – insurable, significant limitations/waiting periods
  • Litigation – insurable
  • Reputational damage – specialized insurance products available, limited in scope
Contract Liability in the Cloud
• Growth in cloud computing and outsourced I/T function creates new challenges
  • I/T infrastructure may be improved by outsourcing to a reputable cloud vendor – but you lose some elements of control
  • Will the cloud vendor be a more attractive target for a serious hacker (criminal or “hacktivist”)?
• Compliance with data breach notification rests with the data owner – it does not matter if you outsource data processing or storage
• Contracts with vendors likely limit their liability – but can vary substantially
  • Often limited to 12 months of revenue paid to the cloud provider
  • Large cloud providers may offer no indemnity whatsoever under a standard contract, but are willing to negotiate for large customers
• Make sure that your cyber liability insurance extends coverage in the event your data is breached while under the control of a third party
• Negotiate with the vendor to maximize your chance of recovery if a breach is their fault
• Ask your vendor for confirmation of their coverage – for them, this falls under the traditional technology “E&O” coverage module