1. Presented by: Jamie Orye, JD, RPLU Beazley Group Pennsylvania Association of Mutual Insurance Companies Annual Spring Conference March 12, 2015

2.  What is Cyber Insurance?  What Coverages are Typically in a Cyber Insurance Policy?  What’s Truly Important to Have (or Not Have) in YOUR policy?

3.  The term “cyber insurance” has a variety of different meanings depending on who is using it and how they are applying it.  Cyber insurance policy forms and coverages differ significantly from carrier to carrier.  Cyber insurance and coverages are constantly evolving and changing.

5.  Technology Errors and Omissions Coverage “Cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Nevertheless, tech E&O insurance policies do contain a number of the same insuring agreements as cyber and privacy policies. -- International Risk Management Institute (IRMI)

6.  Covered under a Commercial General Liability policy As of May 1, 2014, the Insurance Services Office introduced “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-related Liability – with Limited Bodily Injury Exception”.

7.  Insurance “designed to [respond to and ] mitigate losses from a variety of cyber incidents, including data breaches, business interruption and network damage.” -- US Department of Homeland Security

9.  Breach Response Services (1 st party)  Information Security & Privacy Liability (3 rd party)  Regulatory Defense & Penalties Coverage (3 rd party)  Business Interruption Coverage (1 st party)  Data Restoration Coverage (1 st party)  Cyber Extortion Coverage (1 st party)  Media Liability (3 rd party)

10.  Legal Analysis: costs associated with hiring specialized attorneys to determine your responsibilities and duties under applicable data breach and privacy statutes  Computer Forensics: costs associated hiring specialized computer forensics firms to determine the existence and extent of a data breach  Notification: costs to print and mail letters to affected individuals

11.  Credit Monitoring: costs of offering 12 or 24 months of credit monitoring with one or all three of the national credit bureaus  Call Center: costs of setting up a call center that affected individuals receiving the notice can call with questions or for additional information  Crisis Management/Public Relations: costs associated with hiring a specialized crisis management firm to assist in the mitigation of any adverse publicity resulting from the data breach

12. 12 Computer Forensics$500 - $600 per hour Pre-Claim Legal Fees$500 - $600 per hour Notification Costs$1-$2 per affected individual Credit Monitoring$20-$30 per affected individual 15%-25% acceptance rate Call Center$4,000 - $5,000 setup costs plus per minute charge for each phone call received. For dedicated support, add $50-$60 per hour per person. Claim / Regulatory Defense$600 - $700 per hour LiabilityVaries Average Cost of a Data Breach in the US$5.4M per breach / $188 per record* *The 2013 Cost of Data Breach: Global Analysis by the Ponemon Institute

13.  Liability (and defense) resulting from harm suffered by third-parties due to a data breach  Examples: ◦ Costs incurred by an affected individual in dealing with identity theft and fraud resulting from the breach of their private information ◦ Costs incurred by a business for which you handle private information in dealing with their own notification requirements resulting from the breach of that private information

14.  October 2012: Nationwide Mutual Insurance discovered a data breach in which impacted the “name, Social Security number, driver's license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer” of approximately 1.1M Americans. FBI and various Attorneys General including North Carolina’s are notified. Affected individuals are notified.*  February 2014: Federal judge in Kansas dismisses two proposed class actions due to no evidence of actual harm.** * http://www.zdnet.com/article/nationwide-mutual-hack- affected-1-1-million-americans/ http://www.zdnet.com/article/nationwide-mutual-hack- affected-1-1-million-americans/ ** http://www.law360.com/articles/508534/nationwide-mutual- defeats-data-breach-class-actionshttp://www.law360.com/articles/508534/nationwide-mutual- defeats-data-breach-class-actions

15.  Costs associated defending a claim brought by a regulatory/law enforcement entity or agency pursuant to federal or state data breach regulations and any resulting penalties assessed.  Office of Civil Rights (OCR): tasked with enforcement of HIPAA & HITECH statutes  State Attorneys General: may bring regulatory enforcement actions under state data breach laws or unfair trade practices/consumer protection laws

16.  An insured’s loss of income and extra expense costs resulting from a data breach or computer network security event.  Sony Corporation: cyber attack took down entire system for two days and left them operating on reduced systems for several weeks.

17.  Costs to recreate deleted, destroyed, corrupted or altered data due resulting from a data breach.  Restoring data from backup tapes  Manually entering data from paper files if no backup tape is available

18.  Payment made to terminate the threat to breach your computer network security in order to: ◦ Destroy data ◦ Prevent access to computer systems ◦ Introduce a virus to your computer system or a third party’s computer system ◦ Interrupt or suspend the functioning of your computer system

19.  Coverage for liability arising out of content created or used by you. May be limited to online content only. ◦ Defamation, libel, slander ◦ Plagiarism, misappropriation of ideas ◦ Copyright and trademark infringement

21.  Adequate limits  Separate limit of coverage for first party breach response coverage  Coverage for your vendors’ breaches involving your information  Coverage for a suspected incident  Modified Intentional Acts Exclusion / Rogue Employee Coverage

22.  February 2013: Mass Mutual Life Insurance Company notifies a number of its customers (more than 500 in California; 37 in Maryland) of a data breach resulting when a third-party service provider, Convey Compliance Solutions, inadvertently mailed 1099 tax forms to incorrect addresses.  Two years of credit monitoring was offered to all affected individuals.* *Privacy Rights Clearinghouse; CA & MD Office of Attorney General Websites

23.  Unencrypted Data Exclusion  Safeguard exclusion  Coverage that only extends to personally identifiable information  Failure to follow your own privacy policy exclusion

24.  Traditional insurance policies (commercial general liability, property, workers compensation) do not provide cyber coverage.  Policy forms and coverage differ significantly from carrier to carrier  Carrier and breach response vendor(s) experience is an important factor to consider when purchasing a policy

25. 25