
2010 PLUS International Conference – To Notify or Not to Notify – That is the Question.



Slide 2: To Notify, or Not to Notify: That is the Question
MODERATOR: Toby Merrill, Vice President, ACE USA
PANEL:
- Beth D. Diamond, Esq., Claims Manager, Beazley Group
- John F. Mullen, Esq., Partner, Nelson, Levine, de Luca & Horst, LLC
- K Royal, JD, CIPP, Privacy & Security Officer, Assistant Vice President, Regulatory Affairs, Concentra Inc.
- Tom Srail, Senior Vice President, Technology, Willis
- Benjamin Stephan, CISSP, CISA, EnCE, QSA, PA-QSA, Director of Incident Management, FishNet Security

Slide 3: Overview
- Brief Introduction
- Privacy and Network Security Liability
- Privacy Regulations
- To Notify or Not to Notify
- Q&A

Slide 4: Privacy Insurance Market (section divider)

Slide 5: Privacy Insurance Marketplace
Evolution of the coverage:
- Origins focused on network security
- Evolution to "sensitive data" and "unintentional error"
Market growth:
- Standalone market estimated at $600M GWP (gross written premium)*
- 1 in 3 purchase coverage and 1 in 4 plan to in the next 18 months*
Drivers and barriers:
- (-) Price in a sluggish economy
- (+) Policies that include data breach services
- (+/-) Product knowledge
* 2010 Betterley Cyber Risk and Privacy Market Survey

Slide 6: Ponemon Institute Studies
- Average total cost per incident of $6.75M in 2009 ($6.6M, $6.3M and $4.8M in 2008, 2007 and 2006)
- Cost to resolve ranged from $750,000 to $31,000,000
- Number of records ranged from 5,000 to 101,000
- 42% of breaches occurred due to external causes
[Chart: Breach Cost per Record, by sector: Avg., HC, FI, CP, Retail]
[Chart: Cost of a Lost Laptop: Avg., HC, Pharma]

Slide 7: Ponemon Institute Studies (cont'd)
- Average cost of $204 per record in 2009 ($202, $197 and $182 in 2008, 2007 and 2006)
- Direct costs $69; indirect costs $135
- Cost breakdown: defense 27%; consulting 24%; contact 22%; forensics 16%; services 6%
- By cause: malicious attack $215; human negligence $154; IT glitch $166
- 1st party $194; 3rd-party vendor $217
- First timer $228; second offender $198
- With CISO $157; without CISO $236
- With consultant $170; without consultant $231
- 1 month: $196

Slide 8: Privacy/Cyber Insurance Marketplace
Pricing:
- Aggressive competition
- Typically flat to slight decrease on renewals
New/revitalized markets:
- Updated forms
- Blending with other policies (Managed Care, Misc. E&O)
Capacity:
- Stable primary limits ($10M-$20M typical)
- Increased excess participation available
- $200M+ total available for most large risks

Slide 9: Privacy/Cyber Insurance Marketplace: Current Coverage Enhancements
- Options for privacy expense outside of the liability limits
- New express coverage (ID theft restoration expense)
- Larger (full+) limits
- Regulator and/or PCI fines/penalties: larger limits available

Slide 10: Privacy/Cyber Insurance Marketplace: Current Coverage Enhancements (cont'd)
- Excess "drop down" for privacy expenses and fines/penalties
- Pre-arranged/recommended vendors
- First-party coverage: administrative error triggers; lower BI (business interruption) waiting periods

Slide 11: Privacy Insurance Market: Panel Discussion (section divider)

Slide 12: Privacy Regulations: Overview (section divider)

Slide 13: What is Notification?
Statutory: in the event of a security breach, most federal and state laws require notification to:
- Customers
- Government agencies
- Attorneys General
- Law enforcement (not necessarily required, but may be prudent)
- Credit reporting agencies (CRAs)
Voluntary: notification that is not required by law, but which a company chooses to make to its customers and others for reasons of goodwill, etc.

Slide 14: Purpose of Notification
- To enable individuals to mitigate the risk of identity theft or fraud when a breach occurs
- To enable the authorities to exercise their regulatory oversight functions
- To motivate organizations to implement more effective security measures to protect sensitive information

Slide 15: General Notification Requirements
Federal and state laws have unique requirements for:
- the format of the notification,
- the time frame within which to notify, and
- the content of the notification letter.
In many cases, failure to notify pursuant to a particular notification law may lead to fines and penalties.

Slide 16: State Notification Requirements
State laws generally require written notification to the individual in the event of a breach of security. However, each state varies in:
- the definition of what constitutes a breach
- the definition of personal information (only a few include PHI)
- inclusion of a "risk of harm" standard
- content requirements for the notice
- authorities that must be notified
- available penalties and private right of action

Slide 17: State Data Breach Laws
- 2003: California Senate Bill 1386 (CA SB 1386)
- 2005: 10 additional states
- 2006: 19 additional states
- 2007: 9 additional states
- 2008: 7 additional states
- 2009: 1 additional state
- 2010: 1 additional state
Privacy/identity theft legislation in 46 states (+ D.C.)
States with no data breach legislation:
- Alabama, Kentucky (passed but not yet enacted)
- New Mexico, South Dakota (no data breach law)

Slide 18: California Notification Requirements
Notice must be in "plain language" and must include at a minimum:
- Name and contact information of the reporting agency
- Types of personal information involved
- When the breach happened
- Whether notification was delayed due to a law enforcement investigation
- General description of the breach
- Estimated number of persons affected
- Toll-free telephone numbers and addresses of the major credit reporting agencies (if the breach exposed a bank account/credit card number, SSN, or driver's license/ID card number)

Slide 19: California Notification Requirements (cont'd)
- Other discretionary data may be included (e.g., information about what the agency has done to protect affected individuals, advice on how individuals can protect themselves, etc.)
- Notice may be given in writing or electronically.
- Substitute notice is permitted if the cost of providing written notice would exceed $250,000, the affected class to be notified exceeds 500,000 residents, or there is insufficient contact information to provide notice.

Slide 20: What is Personal Information?
State (California definition): an individual's first name or first initial and last name, in combination with any one or more of the following, when either the name or the data elements are not encrypted:
- SSN
- Driver's license number or CA ID card number
- Account, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account
Up to ten other data elements have been added in many states (e.g., biometric data in NE, IA and WI).
Because the definition turns on whether the name or the data elements were encrypted, the encryption status of the affected data (and whether the key was exposed with it) is the first fact forensics should establish; it decides whether a statutory "breach" has occurred at all.

Slide 21: Massachusetts Requirements
Notice must be given to:
- the Massachusetts Attorney General;
- the Director of Consumer Affairs and Business Regulation; and
- affected Massachusetts residents.
Notice to the AG and the Director of Consumer Affairs and Business Regulation must include:
- the nature of the breach;
- the number of Massachusetts residents affected by the incident at the time of notification; and
- any steps the person or agency has taken or plans to take relating to the incident.

Slide 22: Massachusetts Requirements (cont'd)
Notice to affected Massachusetts residents must include:
- the resident's right to obtain a police report; and
- how to request a security freeze on his or her credit report.
Notice to affected MA residents must not include:
- the nature of the breach; nor
- the number of Massachusetts residents affected by the breach.
Notice may be given in writing, by telephone or electronically. Substitute notice is permitted if the cost of providing written notice would exceed $250,000, the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or there is insufficient contact information to provide notice.

Slide 23: HITECH Notification Requirements
- Written notice via US mail to the individual or next of kin, without unreasonable delay and no later than 60 calendar days after discovery of the breach
- Substitute notice if there are 10 or more individuals for whom there is insufficient contact information
- If more than 500 residents of a state or jurisdiction are affected by the breach: notify prominent media outlets in that state or jurisdiction
- If 500 or more individuals in total are affected, the Secretary (of HHS) must be notified immediately (i.e., within the same timeframe as notice to individuals)
- If fewer than 500 individuals are affected, the Secretary may be notified in an annual log, due within 60 days after the end of the calendar year in which the breach was discovered

Slide 24: HITECH Notice: Content Requirements
- Description of the event, including the date of the breach and the date of discovery, if known
- Description of the Protected Health Information (PHI) affected
- Steps individuals should take to protect themselves
- Description of what the entity is doing to investigate, mitigate harm to individuals and protect against further breaches
- Contact procedures for more information (toll-free number, e-mail address, website, or postal address)
- Must be written in clear, plain language

Slide 25: Potential Agencies to be Notified When a HITECH Breach Occurs
- State Attorneys General
- State regulators: Department of Insurance (DOI), Medicaid regulators, consumer protection offices

Slide 26: What is Personal Information? (HIPAA)
- Any "unsecured" PHI: protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary
- Encryption and destruction of PHI are the only acceptable methods
Caveat for the encryption route: under the HHS guidance, PHI counts as secured only if the encryption is consistent with the NIST guidance it references (SP 800-111 for data at rest; SP 800-52, 800-77 or 800-113 for data in transit) and the decryption key has not itself been breached. The guidance expects keys to be stored on a separate device or location from the data they protect, so a stolen laptop carrying both the encrypted data and its key does not qualify for the safe harbor.

Slide 27: Risk of Harm Standard
HIPAA:
- A breach poses "[a] significant risk of financial, reputational, or other harm to the individual"
- Notification is only necessary if the breach poses a significant risk of harm
- Covered entities and business associates must document their risk assessment to demonstrate that notification was not required
State law:
- NJ: disclosure not required if "misuse of the information is not reasonably possible"
- CA and TX: no explicit "risk of harm" trigger

Slide 28: Privacy Regulations: Panel Discussion (section divider)

Slide 29: To Notify or Not to Notify: Data Breach Scenarios (section divider)

Slide 30: Scenario #1
- A Minnesota retailer is notified by Visa of a potential hack
- Forensics determines 1.5M credit cards were likely compromised
- Roughly 1M of the records were encrypted
- Hackers were in the system for 14 months
- Cardholders reside in MN, ND, SD, IA, IL and WI

Slide 31: Scenario #2
- A trash company discovers the printed records of a SC community bank in a dumpster
- The information contains the loan applications of more than 10,000 residents of NC, SC and GA

Slide 32: Scenario #3
- A hospital in Massachusetts discovers that a desktop computer has been stolen
- Forensics determines 100,000 medical records were located on the desktop
- None of the records were encrypted
- Patients reside in MA, CT, RI, AZ and NH

Slide 33: Scenario #4
- A community college in New Mexico discovers that its alumni list was searchable on its website
- Visitors to the site could obtain alumni grade point averages and job history by searching on a name
- Forensics is unable to determine whether any searches had been made on alumni records
- Roughly 500,000 records were potentially compromised
- All alumni were New Mexico residents
- What if forensics later determines SSNs were involved? Some residents were from New York? Or both?

Slide 34: Scenario #5
- A technology hosting company discovers that hackers had accessed a number of servers
- Forensics determines that millions of records were located on these servers
- The records belong to more than a dozen financial institutions, hospitals and retailers
- Some of the data was encrypted
- Cardholders reside in more than 30 states

Slide 35: Key Takeaways and Predictions (title only)

Slide 36: Questions & Answers

Slide 37: Many Thanks To...
- Toby Merrill
- Beth Diamond
- John Mullen
- K Royal
- Tom Srail
- Benjamin Stephan

