0 Marsh Issues in Risk Management: Privacy and Data Breach Risk Review & Discussion John McLaughlin, Marsh USA.

Presentation transcript:

2 Marsh Agenda
 The Legal Landscape
 The Art of Breach Crisis Management
  – Breach statistics
  – Breach Response Methodology
 Risk Transfer
  – Risk Overview
  – Coverage Overview
  – The Potential Cost of a Data Breach
  – Marsh Approach
  – The Insurance Underwriting Process

3 Marsh Regulatory Landscape
 Increasing regulatory scrutiny
  – FTC & State AG enforcement
 Regulations - Compliance - Audit
  – State notification laws (45 + D.C.)
  – HIPAA (Health Insurance Portability & Accountability)
     HITECH Act
  – FACTA (Fair and Accurate Credit Transactions)
  – FCRA (Fair Credit Reporting)
  – GLBA (Gramm-Leach-Bliley)
  – FTCA (Federal Trade Commission – SAFE WEB)
  – PCI Compliance
  – Plastic Card Act (MN)

The Art of Breach Crisis Management

5 Marsh 2009 How Data is Lost (General): Inside Perpetrator (Accidental and Malicious Intent)

6 Marsh 2009 How Data is Lost (General): Inside vs. Outside the Organization

7 Marsh 2009: Number of Reported Breaches by Industry

8 Marsh 2009: Number of Reported Affected Individuals by Industry

9 Marsh Data Breach Statistics: Data Loss by Type

10 Marsh Breaches: By the numbers…. Cost of a breach record
VICTIM COSTS: Notification; Call Center; Identity Monitoring (credit/non-credit); Identity Restoration
DIRECT COSTS: Discovery/Data Forensics; Loss of Employee Productivity
INDIRECT COSTS: Restitution; Additional Security and Audit Requirements; Lawsuits; Regulatory Fines
OPPORTUNITY COSTS: Loss of Consumer Confidence; Loss of Funding
$14.00 $10.00 $40.00 $
Cost per record: $204 (2009) © Ponemon Institute

11 Marsh Best Practices: Breach Crisis Management
 Retain outside counsel who specializes in Privacy Law and Breach Crisis Management
 Notify Correctly vs. Quickly
  – Defuse anger and emotion among constituents
  – Provide a remedy with the notification
  – Identify an accurate breach universe to minimize public exposure to the event
  – Unique constituents
 Leverage an Outside Call Center
 Retain a Reputational Risk Advisor who specializes in Breach Crisis Management
 Investigate – Investigate – Investigate
  – Have outside counsel retain any data forensics investigation
  – Potentially minimize public exposure to the event
 Leverage a Breach Service Provider to conduct Recovery
  – Pre-Existing ID Theft Victims
  – More thorough recovery and restoration

Risk Transfer

Risk Overview

14 Marsh Threat Environment
 Social Media/Networking
 Lost or stolen laptops, computers or other computer storage devices
 Backup tapes lost in transit because they were not sent either electronically or with a human escort
 Hackers breaking into systems
 Employees stealing information or allowing access to information
 Information bought by a fake business
 Poor business practices – for example, sending postcards with Social Security numbers on them
 Internal security failures
 Viruses, Trojan Horses and computer security loopholes
 Information tossed into dumpsters – improper disposal of information

15 Marsh What’s At Risk
 Financial data - tax receipts, account information (credit and non-credit), financial reports including revenue and debt data
 Health information - medical and insurance records
 Personal identifiers - Social Security numbers, patient ID numbers, Tax ID numbers
 Research data/Intellectual property
 REPUTATION!

16 Marsh What Are the Exposures?
 Legal liability to others for computer security & privacy breaches
 Failure to safeguard data
  – Identity theft
     Financial
     Medical
     Employee records
 Plaintiff actions
  – Loss mitigation strategy
  – Credit monitoring
 Card re-issuance liability
 Vendors, service providers & partners errors

17 Marsh Risk Identification
Potential Risk Event | Likelihood | Potential Impact
Website copyright/trademark infringement claims | low |
Legal liability to others for computer security breaches (non-privacy) | low - medium | medium
Legal liability to others for privacy breaches | high |
Privacy breach notification costs & credit monitoring | high | medium
Privacy regulatory action defense and fines | low | medium
Costs to repair damage to your information assets | low | medium
Loss of revenue due to a failure of security or computer attack | medium (overall), high (eCommerce) | medium (overall), high (eCommerce)
Loss of revenue due to a failure of security at a dependent technology provider | low | medium
Cyber Extortion Threat | low | medium

Available Coverage Overview

19 Marsh Risks and Coverage (Traditional Policies vs. Cyber & Privacy Policy)
Risk | Cyber & Privacy Policy coverage
Legal liability to others for privacy breaches | Privacy Liability: harm suffered by others due to the disclosure of confidential information
Legal liability to others for computer security breaches | Network Security Liability: harm suffered by others from a failure of your network security
Loss or damage to data/information | Property Loss: the value of data stolen, destroyed, or corrupted by a computer attack
Loss of revenue due to a computer attack | Loss of Revenue: business income that is interrupted by a computer attack
Extra expense to recover/respond to a computer attack | Cyber Extortion: the cost of investigation and the extortion demand
Loss or damage to reputation | Identity Theft: expenses resulting from identity theft
Privacy Notification Requirements | Cost to comply with privacy breach notification statutes
Regulatory Actions | Legal defense for regulatory actions

20 Marsh What Are the Gaps in Traditional Policies?
 Traditional insurance was written for a world that no longer exists.
 Attempting to fit all of the risks a business faces today into a traditional policy is like putting a round peg into a square hole.
 Errors and Omissions (E&O): even a broadly worded E&O policy is still tied to “professional services” and often further tied to a requirement that there be an act of negligence
 Commercial General Liability (CGL): covers only bodily injury and tangible property; the Advertising Injury / Personal Injury (AI/PI) section has potential exclusions/limitations in the area of web advertising
 Property: courts have consistently held that data isn’t “property”, so the “direct physical loss” requirement is not satisfied
 Crime: requires intent and only covers money, securities, and tangible property
 Kidnap and Ransom (K&R): no coverage without amendment for “cyber-extortion”

21 Marsh Coverage Overview
Network security liability: liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
Privacy liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
Crisis management and identity theft response fund: expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for a forensic investigation or for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations.

22 Marsh Coverage Overview (continued)
Cyber extortion: ransom or investigative expenses associated with a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured; introduce malicious code into your computer system; corrupt, damage, or destroy your computer system; or restrict or hinder access to your computer system.
Network business interruption: reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of network security to prevent a security breach. Includes sub-limited coverage for dependent business interruption.
Data asset protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

23 Marsh Privacy Liability: Why is it different from cyber liability?
 Breach of Privacy:
  – Disclosure of confidential information
     Personal
     Commercial
  – Cause doesn’t matter
     Computers
     Vendors
     Dumpsters
     Phishing
     Employees
 Damages/Covered Loss
  – Legal liability
  – Defense & Claims Expenses
  – Regulatory defense costs
  – Vicarious liability when control of information is outsourced
 Crisis Coverage
  – Credit remediation and credit monitoring
  – Cover for PR expenses
  – Cover for notification costs

24 Marsh Privacy Event - Quantification

25 Marsh Security/Privacy Insurance Market Trends
 Insurance carriers are offering options that include coverage for “# of records that are compromised” as opposed to a dollar limit
 Insurance carriers are incorporating post-breach vendor panels within the coverage grants that allow insureds to access multiple vendors once a breach occurs.
 Clients are experiencing increasing insurance requirements from their customers as well as from their partner arrangements.
 The majority of current insurance carrier claims are related to the upfront mandatory expenses for notification and credit monitoring.
Looking Ahead
 Privacy claims are at the forefront of insurers’ minds as they are starting to see potentially large losses for healthcare, retail, financial institutions and credit card processors.
 Clients should expect underwriters to question not just the technology they employ but also hiring practices, overall corporate policies related to the protection of data, and their due diligence in vetting vendors and independent contractors with whom they share information or on whom they rely for elements of critical infrastructure.

The Marsh Approach

27 Marsh MMC Privacy Solution
 Placement of coverage is the last step in the process
 Insurance is never a valid alternative to good risk management
 Similarly, relying upon technology as some mythical “silver bullet” that will defend against all risks is to turn a blind eye to major risks facing every commercial entity
 Marsh’s approach to the privacy and cyber risks combines elements of:
  – Assessment;
  – Remediation;
  – Prevention;
  – Education; and
  – Risk transfer.

28 Marsh Underwriting Process for Security & Privacy Insurance
 Quote Process
  – Application
  – Security Self-Assessment
  – Approach to underwriting varies by carrier
  – Principal primary markets
     ACE
     Chartis
     AXIS
     Beazley
     Chubb
     CNA
     Hiscox
  – Market Capacity: 400M

29 Marsh Common Questions
 How does this coverage align with our standard coverage?
 Do the programs include coverage for fines and penalties?
 Do the policies insure our organization if one of our vendors is the source of the breach?
 If we have an event, can we use our own vendors? (Legal, IT, etc.)
 Is employee data that is compromised included within the coverage grants?
 Do the programs include coverage for both electronic and non-electronic forms of information?

30 Marsh How can Marsh help?
Marsh/FINPRO, the brokerage arm of MMC, helps companies evaluate and manage the risks associated with conducting their business in a networked world. Services include:
 Policy Drafting
 Placement
 Risk Profiling and Benchmarking
 Security & Risk Assessments
 Coverage Gap Analysis

31 Marsh Contact John McLaughlin Senior Vice President-FINPRO Advisor for Tech/Telecom E&O and Network Risk 3560 Lenox Road Atlanta, GA

32 Marsh The information contained in this presentation provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisors regarding specific coverage issues. Statements concerning legal matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with the client’s own qualified legal advisors in these areas. Marsh is part of the family of MMC companies, including Kroll, Guy Carpenter, Mercer Human Resource Consulting (including Mercer Health & Benefits, Mercer HR Services, Mercer Investment Consulting, and Mercer Global Investments), and Mercer specialty consulting businesses (including Mercer Management Consulting, Mercer Oliver Wyman, Mercer Delta Organizational Consulting, NERA Economic Consulting, and Lippincott Mercer). This document or any portion of the information it contains may not be copied or reproduced in any form without the permission of Marsh, Inc., except that clients of any of the companies of MMC—including Marsh, Kroll, Guy Carpenter and Mercer—need not obtain such permission when using this report for their internal purposes. Copyright—2010 Marsh Inc. All rights reserved.