Successfully reported this slideshow.

Data Privacy


Published on

Data Privacy Liability and Insurance

  • Be the first to comment

  • Be the first to like this

Data Privacy

  1. 1. 1 2 3 "IS THIS YOUR FIRMS IDEA OF DATA PRIVACY COVERAGE?" 4 Disclaimer This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued. Please carefully review any policy and all endorsements delivered for the precise coverage terms.
  2. 2. 2 5 Introduction Foundation for Privacy FearsFoundation for Privacy Fears •• Privacy is a rightPrivacy is a right •• Private information has valuePrivate information has value •• Technology has created new issues concerning breaches of privacyTechnology has created new issues concerning breaches of privacy •• Privacy breaches can have a material impact on a company’sPrivacy breaches can have a material impact on a company’s reputationreputation •• Courts, legislatures and regulatory agencies are engaged inCourts, legislatures and regulatory agencies are engaged in addressing privacy issuesaddressing privacy issues •• Highly publicized security breaches are in the newsHighly publicized security breaches are in the news 6 Introduction What are Data Theft and Privacy/Security Breaches? • An organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information. 7 Industry Issues - FTC estimates nearly 10 million victims per year - Many victims don’t know or don’t report - Fastest growing white collar crime in America - Average 175 hours and $1,500 to resolve per individual - Tremendous media exposure Common Types of Fraud - Current credit – credit card, debit card, phone card - Use of name and social security number: - Establish new credit - Commit other criminal activity Risks and Recent Developments Increase in Numbers of Incidents
  3. 3. 3 8 Sources of Data BreachSources of Data Breach 49% lost laptop or other device (USB flash drives…) 16% third party outsourcer/vendor 9% malicious insider 9% paper records 7% lost electronic backup 5% hackers, crackers, social engineers, “phishers” 4% malicious code 2% unknown Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC, 2007 9 Data Breaches – Growing In Numbers! Between January 2005 and February 6, 2009 – 252,308,777 records containing “sensitive personal information” have been involved in security breaches! Source: Privacy Rights Clearinghouse A Chronology of Data Breaches Posted April 20, 2005 Updated February 9, 2009 Risks and Recent Developments Increase in Numbers of Incidents 10 Recent high-profile data security breaches illustrate the nature of the risk • Heartland Payment Systems, Inc. (100 million customer credit cards/debit cards) 2008 (This had a companion D&O suit) • Hannaford Brothers (4.2 million credit cards/debit cards) 2008 • Certegy Check Services (4.2 million customers) 2002-2007 • TJX (94 million records) 2006-2007 • Choicepoint (150,000 records) 2005 • Bank of America (1.2 million federal employees) 2005 • DSW (100,000 customers) 2005 • Lexis/Nexis (32,000 records) 2005 Sources: Computerworld, Boston Globe,, ZDNet and Risks and Recent Developments Prominent Examples
  4. 4. 4 11 California Security Breach Information Act (2003). Since passage, 47 states and territories have passed similar laws ( Essence of these laws is requirement that companies storing personal information must promptly notify persons whose information has been accessed by an unauthorized person In addition to costs of notification, these laws create potential civil liability if proper and timely notification of a data security breach is not given Some states require notification to specific law enforcement and consumer credit reporting agencies Risks and Recent Developments Applicable Laws 12 Graham Leach Bliley Requires “financial institutions” to ensure the security and confidentiality of private financial information (includes all businesses that are “significantly engaged” in providing financial products or services HIPPA – Health Insurance Portability and Accountability Act Regulations for use and disclosure of Protected Health Information which is any information about health status, provision of health care, or payment for health care that can be linked to an individual Covered entities are any health care related businesses that store or transmit health care data in a way regulated by HIPAA The Security Rule of HIPAA deals specifically with Electronic Protected Health Information (EPHI). Risks and Recent Developments Applicable Laws 13 Fair Credit Reporting Act (FCRA) Enacted to promote efficiency in the country’s banking system and to protect consumer privacy. See TRW, Inc. v. Andrews, 534 U.S. 19, 23 (2001) Imposed obligations on three types of entities: • Credit reporting agencies, • Users of credit reports, and • Furnishers of information to credit reporting agencies Risks and Recent Developments Applicable Laws
  5. 5. 5 14 Fair And Accurate Credit Transaction Act (FACTA) Amendment to FCRA Key provisions focused on reducing exposure to identity theft and assisting consumer with credit problems Requires truncation of credit card and social security numbers Credit and Debit Card Receipt Clarification Act, June 3, 2008 Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions Risks and Recent Developments Applicable Laws 15 Red Flag Rule Amendment to FCRA Financial institutions and creditors must establish a written program to “detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts” Creditors must develop “Program” formalizing steps they intend to take to prevent identity theft by May 1, 2009 Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions Risks and Recent Developments Applicable Laws 16 Risks and Recent Developments Hypothetical Scenario #1 • Former employee of a financial institution provides accomplice with access to financial institutions secure network. Data includes sensitive personal information about company’s customers and employees Thief also gains access to financial institutions external website • 2 weeks later, company receives ransom note from thief • 2 weeks later, thief hacks into company’s system causing company’s website to be down for 2 days with no ability to conduct online transactions • Media learns of issue – widespread media attention results in cancellation and re-issuance of all client plastic cards, potential effected members must be notified and provided with credit monitoring • Various government agencies begin investigations
  6. 6. 6 17 Risks and Recent Developments Hypothetical Scenario #2 • Employee innocently opens an email supposedly from the company’s IT department Email has a malicious code embedded to surreptitiously control the employee’s computer Outside hacker uses employee’s computer to launch additional attacks on the company’s backend network • Hacker gains widespread access to company’s various databases including plastic cards • Hacker emails company President with customer database, containing personal confidential information and demands $500,000 or will publish an email link with this information. 18 Risks and Recent Developments Scenarios 1 and 2 result in various potential losses First Party Losses Loss of Private Data Notification/credit monitoring costs Cost to change account numbers Publicity costs Business income loss Data restoration expenses Cyber Extortion Ransom payments Other expenses Third Party Losses Customer Suits Customer alleging invasion of privacy Customers or other third parties alleging financial loss Other Suits Regulatory actions/fines or penalties 19 First Party Losses • Cost of $197 / record compromised, consists of: • $128 lost business (lost customers/reduced orders) • $46 ex-post response (PR costs, credit monitoring) • $15 notification • $9 detection & escalation Source: Ponemon Institute, LLC – “2007 Annual Study: Cost of a Data Breach” Risks and Recent Developments Costs / Claims / Losses
  7. 7. 7 20 Third Party Losses (What might be pled if a suit is filed?) • Failure to implement and maintain reasonable security procedures (Currently, actual harm and damages are hard to prove) • Negligence (based upon regulatory/industry standards) • Unfair, deceptive and unlawful business practices • Invasion of the customer’s right to privacy • Breach of fiduciary duty • Breach of contract • Fraud / Misrepresentation • Multiple Class Action filings increasing • New legal theories yet to come in pleadings Risks and Recent Developments Costs / Claims / Losses 21 Third Party Losses (What might be pled if a suit is filed?) cont. • Loss of wages due to time taken to prove “identity theft” to MasterCard or Visa • Expense of legal and other resources necessary to prove “identity theft” to MasterCard and Visa • Loss of business advantage due to effect of fraudulent charges on FICO scores • Damages claimed under applicable state privacy legislation Risks and Recent Developments Costs / Claims / Losses 22 Where is the Insurance Coverage? Comprehensive General Liability (CGL)? Computer/Commercial Crime Form? Directors and Officers Liability? Professional Liability Policy?
  8. 8. 8 23 CGL: Covers liability for “Property Damage” to a third party “Property Damage” = “physical injury to tangible property” as well as “loss of use of tangible property that is not physically injured”. Whether electronic data is covered as “physical damage to tangible property” or “loss of use of tangible property”. Coverage B: Personal and Advertising Injury Liability Oral and written publication, in any matter, of material that violates a person’s right to privacy. Is the “loss” of data in electronic form on a data base “oral or written publication of material”? Lack of Coverage in Traditional Policies Comprehensive General Liability (CGL)? 24 Lack of Coverage in Traditional Policies Comprehensive General Liability (CGL)? (cont.) Professional Services exclusion (present on most General Liability policies) will apply if you are a financial institution Financial Professional Services. We won’t cover injury or damage or medical expenses that results from the performance of or failure to perform any financial professional service. Breach of Contract exclusion (present on most General Liability policies) Breach of Contract. We won’t cover personal injury or advertising injury that results from the failure of any protected person to do what is required by a contract or agreement… 25 Surety Association Computer Crime and ISO Commercial Crime policies generally exclude: • Loss directly or indirectly from theft of confidential information • Indirect or consequential loss of any nature • Potential income, including but not limited to interest/dividends Specific Financial Institution Crime Policies can include: • E-theft loss of money or securities as a result of fraudulent electronic communications from a third party, theft of confidential customer information • Extortion, Business Income • No 1st party losses • Typically written with high deductible Lack of Coverage in Traditional Policies Crime?
  9. 9. 9 26 D&O: • Possible source of coverage for third party suits • Possible source of coverage for regulatory suits • No First Party coverage • Exclusions for invasion of privacy or violation of any right of privacy right may preclude coverage for the Corporate Entity, or both the Corporate Entity and all Individual Insureds Lack of Coverage in Traditional Policies Directors & Officers Liability (D&O)? 27 E&O: • For wrongful acts committed solely in the conduct of the Insured’s “Professional Services” • Policies for may include coverage for negligence in failing to maintain confidentiality/security of customers information, invasion of privacy, unauthorized access/unauthorized use, introduction of malicious code Lack of Coverage in Traditional Policies Errors & Omissions Liability (E&O)? 28 Overview – covers direct first party losses that an insured may incur in connection with an incident. A. Data recovery expenses (costs to recover data) B. Business interruption expenses – covers business income loss and certain extra expenses the insured incurs during the “Period of Recovery of Services” due to the actual impairment or denial of operations resulting directly from fraudulent access or transmission • Sometimes available by endorsement • Sublimits can apply Insurance Coverage Options First Party
  10. 10. 10 29 C. Privacy Notification Expenses – means the reasonable and necessary cost of notifying those persons who may be directly affected by the misappropriation of a record • Costs relating to changing their account numbers, other identification numbers and security codes; and • Costs of providing them, for a stipulated period of time and with the prior approval of the company, with credit monitoring or other similar services that may help protect them against fraudulent use of the record Insurance Coverage Options First Party (cont.) 30 D. Pre-claim forensic costs to investigate a security breach • Example: “Claim Expenses” means all other legal costs and expenses resulting from the investigation…of a circumstance that might lead to a claim with the prior written consent of the underwriters • Example: “Loss” does not include any amount incurred by an insured in the defense or investigation of any action, proceeding, demand or request that is not then a claim, even if such matter subsequently gives rise to a claim E. Crisis Management expenses • Sublimits may apply • See consent / procedural requirements Insurance Coverage Options First Party (cont.) 31 Overview – covers sums the insured is legally obligated to pay to third parties as damages and claims expenses as a result of privacy breach or breach of privacy regulations. A. Regulatory Coverage • See scope of definitions of “claim” • Some policies may only cover regulatory defense costs B. Regulatory Civil Penalties • HIPAA, Gramm-Leach-Bliley Act, state privacy protection laws and privacy provisions of FCRA impose civil penalties • Check definition of “loss” or “damages” for exclusions • Example: Damages includes a penalty or sanction imposed by a federal, state or local regulatory body against you as a result of a privacy breach or the breach of a privacy regulation by you as a person including an independent contractor, for which you are legally responsible Insurance Coverage Options Third Party Privacy
  11. 11. 11 32 C. Personal Injury Coverage • See wording of exception to personal injury exclusion for scope • Are claims for emotional distress, mental anguish included? D. Privacy Breach Coverage (non-regulatory) • Common law breach of privacy or confidentiality Insurance Coverage Options Third Party Privacy (cont.) 33 Overview – Covers sums that insured is legally obligated to pay as damages and claims expenses arising out of computer attacks caused by failures of security including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability. A. Unauthorized access (hacker attack) of the insured’s computer systems B. Unauthorized use of insured’s and insured’s customers computer systems by authorized person or third party C. Independent contractor - Vendor coverage (acts of outside vendors) • Example: Coverage for “your wrongful acts”, where “your” does not include independent contractors • Example: Coverage for wrongful acts by any insured, where insured includes independent contractors who are natural persons and are acting written scope on behalf of the named insured Insurance Coverage Options Network Security 34 D. Denial of service attack (third parties cannot access insured’s website) E. Transmission of computer virus Insurance Coverage Options Network Security (cont.)
  12. 12. 12 35 • Electronic content coverage: Information disseminated on website including extension for Copyright / Trademark Example: Coverage for injury sustained by a third party because of the actual or alleged infringement of a trademark name, copyright, the name of a title or the title of an artistic or literary work from information on website • Personal Injury • Advertising Injury (of company’s own products but only in electronic format) Insurance Coverage Options Internet / Media Liability (optional coverage) 36 • Expenses incurred in responding to an extortion demand • Extortion payment (not all forms cover) • Policies have prior consent provisions Insurance Coverage Options Cyber Extortion 37 A. Some policies exclude coverage for “claims” related to the insured’s failure to maintain or upgrade their security • Example: No coverage arising out of or resulting from the failure of computer systems or data assets to the protected by computer security equal to or superior to that disclosed in response to specific questions in the application B. Some policies exclude coverage for “claims” alleging fraudulent or malicious acts by employees • Example: “Privacy Peril” does not include any intentional, fraudulent, criminal or malicious act, error or omission if committed by any employee if any elected or appointed officer possessed any knowledge of the act Insurance Coverage Pitfalls Watch The Exclusions!
  13. 13. 13 38 C. Some policies exclude certain operations of the insured, or may not cover various types of computer or peripheral devices • Example: No coverage for theft of data via laptops unless whole disc encryptions or equivalent grade encryption is used D. Some policies will not cover actions of independent contractors working on behalf of the Insured Insurance Coverage Pitfalls Watch The Exclusions! 39 Key coverage to look for in Policies Privacy Breach Coverage • Coverage includes Employee Personal Information • Regulatory defense • Regulatory civil monetary, penalties and fines? • Breach of privacy regulations/laws? 40 Key coverage to look for in Policies Network Security Coverage • Unauthorized Access • Unauthorized use (rogue employee) • Denial of service attacks of systems of third parties • Transmission of malicious code/virus to third parties • Identity theft/theft of data • Inability of authorized third party to access insured’s computer systems • Damage, destruction, deletion, tampering or alteration to electronic data of third parties • Data in any form other than electronic (loss of paper records i.e.., dumpster diving) • Data definition extended to private, proprietary confidential corporate information • Theft of laptops (laptops do not have to be encrypted)
  14. 14. 14 41 Key coverage to look for in policies Extortion Coverage • Expenses only • Ransom payments Crisis Management Expenses • Public relations expenses • Notification expenses • Credit monitoring costs • Forensic systems investigations • Crisis management expenses limited only to breach of privacy or breach of privacy regulations 42 Key coverage to look for in policies First Party Data Protection or E-Vandalism Expenses • Costs or expenses vary by form (generally incurred to restore, remediate, or replace damaged, deleted, destroyed or inaccessible data) First Party Network Business Interruption • Extra expenses during restoration • Business income loss Independent Contractors • Insured protected if I.C.’s commit wrongful act • Coverage extended to I.C.’s 43 Costs to repair damage to your information assets Privacy regulatory action defense and fines Privacy breach notification costs & credit monitoring Legal liability to others for privacy breaches Damage to 3rd party information assets Website copyright/trademark infringement claims Potential Impact (Low Med High) Likelihood (Low Med High)Potential Risk Event Risks That Could Impact Client Companies
  15. 15. 15 44 Wrongful acts by independent contractors Need to engage crisis management firm if an incident occurs Regulated Industry? Identify any unique risks / regulations Cyber Extortion threat Loss of revenue due to a failure of security at a dependent technology provider Loss of revenue due to a failure of security or computer attack Potential Impact (Low Med High) Likelihood (Low Med High)Potential Risk Event Risks That Could Impact Client Companies 45 Contact: Cliff Rudolph 425.709.3705