Managing Cyber Risks: Threats, Risk Management & Insurance Principles
Brian J. Courtney, RPLU, AAI
The Safegard Group, Inc., 100 Granite Drive, Suite 205, Media, PA
Legal Disclaimer
This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued. The precise coverage afforded is subject to the terms and conditions of the policies as issued.
Brian J. Courtney, RPLU, AAI
Brian Courtney joined The Safegard Group, Inc. in April 2005 and serves as a Producer and the Healthcare Practice Leader for the company. He is primarily responsible for the direction of client services to the healthcare industry. Brian began his career at the height of the medical malpractice crisis. Working with a large regional insurance broker, Brian served with the healthcare practice leader helping hospital systems and physician groups obtain medical malpractice coverage. Prior to joining The Safegard Group, Brian joined a large national insurance brokerage firm where he gained considerable experience in healthcare risk management serving the needs of large physician groups, long-term care facilities, home healthcare providers, and allied health professional organizations.
Brian has completed the Registered Professional Liability Underwriter (RPLU) program, which was developed by the Professional Liability Underwriting Society as a specialized curriculum completely dedicated to professional liability risk management. Professionals who wish to obtain the RPLU designation are required to complete a rigorous 13-course curriculum comprised of eight core courses and five specialization courses. Brian chose to specialize in the following areas:
– Advanced Healthcare Professional Liability
– Cyber Risk
– Employment Practices Liability
– Directors & Officers Liability
– Crime
As the designation suggests, RPLU professionals are recognized as having the highest level of professional liability expertise to help their clients manage their risk and protect their assets. Currently, Brian is helping many of his clients with Cyber Risk Management initiatives, such as Risk Assessments, Data Breach Incident Response Planning, Contractual Risk Transfer, Insurance Protection and a host of other related services.
Brian lives in Downingtown, Pennsylvania with his wife Erin and three kids, Aidan, Carter & Chase. He is active in the community, volunteering his time with the Lionville Youth Soccer Association and Brandywine Health Foundation. He is also an avid fitness/thrill seeker, recently competing in the Spartan Race, which was voted the 2012 Best Obstacle Course Race by Outside magazine.
Brian Courtney Expert in Risk Management and Loss Prevention???
Big believer that you should avoid risk AT ALL COSTS
True or False: Large corporations are typically the targets for hackers.
FALSE. A joint study by the U.S. Secret Service and Verizon Communications’ forensics analysis unit paints a frightening picture. 482 of the 761 data breaches the unit investigated in 2010—63%—occurred at companies with 100 or fewer employees. 73% of small-to-middle-sized companies experienced a cyber attack in 2010, and 30% of those attacks were extremely effective, according to Symantec, a software security developer.
True or False: Small businesses (less than 100 employees) are required to abide by data breach laws.
TRUE. From the Federal Trade Commission website: For many companies, collecting sensitive consumer and employee information is an essential part of doing business. It’s your legal responsibility to take steps to properly secure or dispose of it. Financial data, personal information from kids, and material derived from credit reports may raise additional compliance considerations. In addition, you may have legal responsibilities to victims of identity theft, regardless of the size of your company or your line of work.
True or False: Certain industries have to worry about Cyber Security risks.
FALSE. While I would agree that certain industries are more at risk than others, every industry holds sensitive data in some form or another. Also, there is more to Cyber risk than just a data breach. Therefore, all industries have Cyber Security risks.
What Are Cyber Risks?
– Violation of privacy policies
– Transmission of viruses to other systems
– Programming errors
– Theft, corruption, or destruction of data or computer systems
– Hacking
– Abuse of access to networks by employees
– Copyright or trademark infringement
– Denial of Service attacks
Source: Professional Liability Underwriting Society
What Activities Create Cyber Risk?
– Data storage on networks
– Credit card processing
– Online payment processing (other than CCs)
– Internet connectivity
– E-commerce
– Business websites and Internet advertising
– Customer forums and support (help) message boards
– Internet Service Providers
– Website Design
– Development of hardware and software
– Providing content or media
– Consulting
– Providing technical services, equipment and support
Source: Professional Liability Underwriting Society
Who Regulates the Cyber World?
– Federal Trade Commission (FTC)
– Federal Bureau of Investigation (FBI)
– Fair and Accurate Credit Transaction Act (FACTA)
– Gramm-Leach-Bliley Services Modernization Act
– Health Insurance Portability & Accountability Act (HIPAA)
– Health Information Technology for Economic and Clinical Health (HITECH)
– Sarbanes-Oxley Act (SOX)
– State Privacy Breach Legislation
Source: Professional Liability Underwriting Society
Cyber Laws
– Copyright Law – Digital Millennium Copyright Act
– Trademark Law – Lanham Act
– Defamation
– Privacy – HIPAA/HITECH, GLBA, State Laws
Source: Professional Liability Underwriting Society
The Risks Today
– Privacy Risk
– Websites
– IP Infringement & Libel
Cyber Exposures – First Party Risks
– Data Storage
– Business Interruptions
– Fraud & Theft
– Extortion
– Crisis Management
Source: Professional Liability Underwriting Society
Cyber Exposures – Third Party Risks
– Intellectual Property
  – Copyright
  – Trademarks
  – Trade secrets
  – Patents
– Privacy & Customer Data
  – Security Breaches Liability
  – Phishing & Pharming
– Professional E&O
  – Internet provider
  – App. service provider
  – Web hosting
  – Network equipment
  – Programmers
  – Website Designers
  – Data warehouses
  – Consultants
Source: Professional Liability Underwriting Society
Personal Identifiable Information (PII)
Definition: as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
First or last name in combination with:
– Social Security number
– Driver’s license number
– Financial account number
– Credit, debit, or payment card
Protected Health Information (PHI)
As defined by HIPAA, “any information, whether oral or recorded in any form or medium” that
– is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, and
– relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
What Is a Data Breach?
Unauthorized access to protected information:
– Hacking
– Rogue Employees
– Negligence
– Rogue Vendors
The Value of Stolen Data (chart not reproduced)
Source: Symantec Corporation, “Report on the Underground Economy”, July ’07 – June ’08
Data Breach Example
Date Made Public: February 12, 2011
Name (Location): Cincinnati Children’s Hospital
Number of Records: 60,000
Type of Breach: Mobile Device
An employee’s newly-issued, unencrypted laptop was stolen out of a car. Although the covered entity had a policy of encrypting its computers, an investigation revealed that new computers were not encrypted before they were given to employees. The laptop contained the protected health information (PHI) of approximately 60,000 individuals. The PHI stored on the laptop included names, medical record numbers, and services received at the covered entity. Following the breach, the covered entity notified its clients by letter of the incident, placed notice on various websites and in The Cincinnati Enquirer, and established a new internal procedure whereby all new computers would be encrypted before they are given to employees.
Source: Department of Health & Human Services
Data Breach Cost Calculation
Forensic Investigation: $32,200
Security Remediation: $112,200
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $160,998
Customer Notification: $60,998
Call Center: $4,575
Credit Monitoring: $152,500
ID Fraud Remediation: $60,998
Public Relations Service: $20,000
HHS Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $76,248
TOTAL: $1,940,712
Source: eRiskHUB
Another Data Breach Example
Date Made Public: May 16, 2008
Name (Location): Chester County School District
Number of Records: 55,000
Type of Breach: Stationary Device
A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people was accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches
Data Breach Cost Calculation
Forensic Investigation: $75,000
Security Remediation: $155,000
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $0
Customer Notification: $55,000
Call Center: $4,125
Credit Monitoring: $137,500
ID Fraud Remediation: $55,000
Public Relations Service: $20,000
FTC Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $0
TOTAL: $1,761,625
Source: eRiskHUB
One More – Manufacturing???
Date Made Public: February 13, 2012
Name (Location): Combined Systems
Number of Records: Unknown
Type of Breach: Hacking
A hacker or hackers accessed the Combined Systems website and shut it down. The hackers claim to have struck in honor of the anniversary of the February 14, 2011 Bahrain uprising and to have wiped out the company's web servers. Administrator logins, customer data, and s were posted online.
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches
2011 Data Breaches by Industry (chart not reproduced)
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches
2011 Data Breaches by Type (chart not reproduced)
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches
State Statutes
Currently, 47 other states have enacted some type of security breach notification legislation, including: Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Maine, Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, Washington and Wyoming.
Some states have laws that require breaches to be reported to a centralized database, including: Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).
Other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests, including: California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin.
For details, see the Open Security Foundation Datalossdb website:
Massachusetts General Law 93H
“Every person that owns, licenses, stores or maintains personal information about a resident of the commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.”
Massachusetts – Effective March 1, 2010
– Requires encryption of confidential data when it is on a mobile device
– Includes additional, robust security requirements for holders of personal information of Massachusetts residents
Pennsylvania State Law 73 P.S. § 2303 – Notification of a Breach
(a) General rule. – An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and un-redacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Except as provided in section 4 [FN1] or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.
(b) Encrypted information. – An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
(c) Vendor notification. – A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.
Pennsylvania State Law 73 P.S. § 2305 – Notification of Consumer Reporting Agencies
When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act (Public Law , 15 U.S.C. § 1681a), of the timing, distribution and number of notices.
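The PII definition and the two Pennsylvania sections quoted above reduce to a small decision procedure that an incident response lead walks through once forensics has established what was taken. The Python below is an added illustration, not code from the presentation or from The Safegard Group; its record layout, the field names (`first_name`, `ssn`, `state`, ...), the incident flags and the sample records are all constructed assumptions for the example.

```python
"""Breach-notification triage helper (added illustration, not part of the
original presentation).

It encodes, as plain predicates, three rules quoted on the slides:
  * the PII definition: a first or last name combined with a Social Security,
    driver's license, financial account, or payment card number;
  * 73 P.S. § 2303(a)/(b): notice is owed to Pennsylvania residents whose
    unencrypted and un-redacted personal information was accessed and
    acquired; encrypted information still triggers notice if it was acquired
    in the clear, the encryption itself was broken, or a key holder was involved;
  * 73 P.S. § 2305: notices to more than 1,000 persons at one time must also go
    to the nationwide consumer reporting agencies.
The record layout, field names and incident flags are constructed for this example.
"""
from dataclasses import dataclass

# Identifier fields that, combined with a first or last name, make a record PII
PII_IDENTIFIERS = ("ssn", "drivers_license", "financial_account", "payment_card")


def is_pii(record: dict) -> bool:
    """PII slide: a first or last name together with at least one identifier."""
    has_name = bool(record.get("first_name") or record.get("last_name"))
    has_identifier = any(record.get(key) for key in PII_IDENTIFIERS)
    return has_name and has_identifier


@dataclass
class Incident:
    """Facts established by the forensic investigation (constructed inputs)."""
    records: list                         # records accessed AND acquired
    data_encrypted: bool = False          # the data set was encrypted at rest
    acquired_in_clear: bool = False       # § 2303(b): acquired in unencrypted form
    encryption_compromised: bool = False  # § 2303(b): breach linked to a break of the encryption
    key_holder_involved: bool = False     # § 2303(b): a person with the key took part
    redacted: bool = False                # the personal information was redacted
    vendor_held: bool = False             # § 2303(c): data held by a vendor for another entity


def encryption_shields_data(incident: Incident) -> bool:
    """True when encryption excuses notice under § 2303: the data was encrypted
    and none of the three (b) conditions applies."""
    if not incident.data_encrypted:
        return False
    return not (incident.acquired_in_clear
                or incident.encryption_compromised
                or incident.key_holder_involved)


def pa_residents_requiring_notice(incident: Incident) -> list:
    """§ 2303(a): PA residents (principal mailing address in the data is PA)
    whose PII was acquired unencrypted and un-redacted."""
    if incident.redacted or encryption_shields_data(incident):
        return []
    return [r for r in incident.records if is_pii(r) and r.get("state") == "PA"]


def triage(incident: Incident) -> dict:
    """Summarise the duties the quoted sections impose for this incident."""
    affected = pa_residents_requiring_notice(incident)
    return {
        "notify_residents": bool(affected),
        "resident_count": len(affected),
        # § 2305: more than 1,000 notices at one time -> also notify nationwide CRAs
        "notify_consumer_reporting_agencies": len(affected) > 1000,
        # § 2303(c): a vendor notifies the data owner, who discharges the remaining duties
        "vendor_notifies_owner": incident.vendor_held,
    }


def make_records(n_pa_pii: int, n_other_state: int, n_name_only: int) -> list:
    """Constructed sample records with obviously fake identifiers."""
    recs = []
    for i in range(n_pa_pii):
        recs.append({"first_name": "Pat", "last_name": f"Resident{i}",
                     "ssn": f"000-00-{i:04d}", "state": "PA"})
    for i in range(n_other_state):
        recs.append({"first_name": "Pat", "last_name": f"Neighbor{i}",
                     "ssn": f"000-00-{i:04d}", "state": "NJ"})
    for i in range(n_name_only):  # name only: not PII under the slide's definition
        recs.append({"first_name": "Pat", "last_name": f"NameOnly{i}", "state": "PA"})
    return recs


if __name__ == "__main__":
    # Stolen unencrypted device holding 1,200 PA residents' PII: notice plus CRA notice
    laptop = Incident(records=make_records(1200, 50, 30))
    print("unencrypted laptop:", triage(laptop))
    # Same data, encrypted with the key untouched: no notice owed under § 2303
    encrypted = Incident(records=laptop.records, data_encrypted=True)
    print("encrypted laptop:", triage(encrypted))
    # Encrypted, but an insider with the key took part at a vendor: duty restored
    insider = Incident(records=make_records(900, 0, 0), data_encrypted=True,
                       key_holder_involved=True, vendor_held=True)
    print("insider at a vendor:", triage(insider))
```

The three scenarios in the `__main__` block mirror the slides' own examples: an unencrypted stolen device triggers both the resident notices and, because more than 1,000 persons are notified at once, the consumer reporting agency notice; the same data encrypted with the key untouched triggers nothing; and a key holder's involvement brings the duty back even though the data was encrypted.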
Delaware Law § 12B-102 – Notification of a Breach
(a) An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information about a resident of Delaware shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Delaware resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
(b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Delaware resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.
(c) Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.
Delaware Law § 12B-103 – Compliance Procedures
(a) Under this chapter, an individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter, is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system.
(b) Under this chapter, an individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs.
The “Perfect Storm”
First Party
– Loss of Private Data
  – Notification Costs
  – Publicity Costs
  – Crisis Management Expenses
– Business Continuity Expense
  – Extra Expenses to continue operations
  – Business Income loss
– Cyber Extortion
  – Ransom Payment
  – Other Expenses
Third Party
– Client Suits – Privacy: suits from clients alleging negligence in protecting information and other causes of action
– Client Suits – Denial of Service: suits from clients alleging negligence in protecting the network against denial of service
Breach Related Expenses
– Notification
  – Crafting letter or other notification
  – Printing or design
  – Mailing or other transmission
– Public Relations
  – Advertising & Press Releases
– Call Center Operations
– Other Services for Affected Persons: Credit Monitoring
– Forensics
  – Legal Expenses for Outside Attorney
  – Cost of Forensic Examination
  – Cost To Remediate Discovered Vulnerabilities
– Legal Response to Claims or Suits
– Payment of Judgments or Settlements
Trends in Data Breach Costs
Findings of a U.S.-based study of 49 companies in 14 different industries, in which the number of breached records per incident ranged from 4,500 to 98,000:
– The organizational cost has declined from $7.2M to $5.5M
– Cost per record has declined from $214 to $194
– Lost business due to a breach averages $3.01M
– Detection and escalation costs declined from $460K to $433K
– Cost to notify victims increased from $510K to $560K
– First timers on average spent $37 more per record; too-quick/non-planners on average spent $33 more per record
– A CISO can reduce cost per record by $80; an outside consultant can reduce cost per record by $
Source: Ponemon Institute Benchmark Study
Cyber Risk Insurance Policies
Traditional Insurance Coverage?
– ISO Commercial Property? The Electronic Data Extension only addresses loss or damage to data which has been destroyed or corrupted by a covered cause of loss.
– Commercial Crime Form? No coverage, due to the Definition of “Other Property” and the Exclusion of “Indirect Loss”.
– General Liability Policy? Addresses only physical injury to persons or tangible property, as well as the Insured’s publication of material that violates a person’s right to privacy.
– Professional Liability Policy? May be limited by the description of “Professional Services” or by Exclusions for “Invasion of Privacy”.
Common First Party “Gaps”
Exposures:
– Unauthorized Record Access
– Cyber Fraud
– Denial of Service
– Cyber Extortion
– Cyber Vandalism
Traditional policies considered:
– ISO Property Policy
– Surety Assoc. Computer Crime
– Surety Assoc. Crime Policy
– Extortion & Kidnap Ransom Policy
Only Cyber Risk Covers:
– Notification Expenses – when required by law or on a voluntary basis?
– Credit Monitoring Expenses – for a stipulated period of time and/or under specified circumstances?
– Crisis Management Expenses – including expenses related to legal analysis, as well as public relations?
What Information Assets Are Covered?
– Privacy Risk
  – Personal Identifiable Information (PII) – customers, employees, others?
  – Personal Health Information (PHI)
– Business Property
  – Customer Lists (non-PII)
  – Financial Information
  – Marketing & Operational Information
  – Trade Secrets
Cyber Policy Addresses
– Access to information other than over the Internet
– Access to information by an employee
– Access to information residing on an “outsourced” system – anywhere
– Access to information in “non-electronic” form
– Negligent release of information
  – Employees
  – Outsourcers
Conclusion
– Avoid It
  – Employee Training
  – Operational Guidelines
  – Customer Awareness
– Assess & Mitigate It
  – Penetration Testing
  – Robust Patch Management
  – Ongoing Security Assessments
– Insure It
  – Cyber Insurance Policy & Crime Insurance