Cyber Risk and Construction - Karl Pedersen

Download Report

Transcript Cyber Risk and Construction - Karl Pedersen 

PRIVACY RISK
MANAGEMENT AND
INSURANCE
Or
September 2012
“CYBER” INSURANCE TIMELINE
Cyber
Insurance
Introduced
Notice
Costs
Covered
Broad Privacy Ins.
Vendor Coverage
Corp Confidential Info
PCI Fines
& Penalties
Reg. Fines
&Penalties
1996
HIPAA
1998
2000
GLB
2002
2004
SB1386
PCI
Card
Systems
Insurance History
Regulatory/Industry History
Claims/Losses History
2006
2008
2010
HITECH
TJX
Heartland
NETWORK SECURITY / DATA RISK
What Data do you collect?
- Personally Identifiable Info. (PII)
- Protected Health Info. (PHI)
- Credit Card Numbers
Where is it?
How well is it protected?
How long do you keep it?
What is a Breach?
- Unauthorized disclosure
- Unauthorized acquisition
- Data compromised
WHAT IS DIFFERENT TODAY?
Familiar mediums
- SQL injections; man-in the-middle; spear phishing; malware & spyware;
denial of service attacks; web site defacing
New culprits
- Loosely formed groups of people who are very good at hacking and work
together to do so (e.g., Anonymous, Lulzsec)
- State actors (China, Iran)
New information targeted
- Corporate data and trade secrets; inside information; embarrassing
information; corporate weaknesses
New victims
- Data Security consultants
- Utilities / infrastructure
- Government contractors
New motives
- Political, ideological, personal, war/terrorism, revenge
- “Hacktivism”
CAUSE OF A DATA BREACH
© Kroll 2010
ORGANIZATIONAL
PRIVACY RISKS
Customer/Personal Data
 Credit card
 Medical
 SSNs/Gov’t IDs
 Student transcripts
 HR/Payroll
 Loyalty programs
 Motor vehicle
 Insurance claims
 Financial transactions
 Financial records
 Contracts
Corporate Data



















Customer lists
Price lists
Bid data
Confidential 3rd party information (NDA)
eDiscovery / litigation
Merger/Acquisition targets / plans
Financial records
Marketing / advertising plans
Contracts
New product development plans / release dates
Security policy and assessments
Network architecture
Emergency response / Disaster recovery plans
Restructuring / RIF plans
Reporters notes
Reporter confidential sources
Scripts and other content in draft or
development
Critical Infrastructure Assurance data
Patent applications
WHAT IS PERSONAL IDENTFIABLE
INFORMATION (PII)?
Generally defined as including any combination of
the following:
Name; address; telephone number; electronic mail
address; fingerprints; photographs or computerized
images; a password; an official state or governmentissued driver's license or identification card number;
a government passport number; biometric data; an
employer, student, or military identification number;
date of birth; medical information; financial
information; tax information; and disability
information.
COST OF A DATA BREACH
Cost per record:
$214 (2010) (up $10 from 2009)
DIRECT COSTS
Notification
Call Center
Identity Monitoring (credit/non-credit)
Identity Restoration
Discovery / Data Forensics
Loss of Employee Productivity
INDIRECT COSTS
Restitution
Additional Security and Audit Requirements
Lawsuits
Regulatory Fines
Loss of Consumer Confidence
Loss of Funding
$73.00
$141.00
© Ponemon Institute
2011
NOTIFICATION LAWS
It all started in California…..
California led the way (Civil Code Section 1798.81.5(b))
 “A business that owns or licenses personal information about a
California resident shall implement and maintain reasonable
security procedures and practices appropriate to the nature of the
information, to protect the personal information from unauthorized
access, destruction, use, modification, or disclosure”
46 Other States Have Data Security Laws:
Most Mandate “Reasonable” data security measures and proper data
disposal
Others are More specific:
 Connecticut, Michigan, New Mexico, Texas (SSN Policies)
 Nevada (encryption for external electronic communications)
 Minnesota (Minn. Stat. 365E.64 - card magnetic stripe data)
 Massachusetts Regulations
PRIVACY RISK MANAGEMENT
Ask Your Privacy/IT professionals:
Incident Response Plan (tested?)
Vendor Contracts / Insurance Requirements
Privacy Risk Assessment (sources, vulnerabilities,
processes, perils)
Check Existing Insurance Gap Analysis (GL, Prop,
E&O, Crime, K&R)
New coverage terms must integrate
With Response Plans
With Traditional Policies
VENDOR CONTRACTUAL
REQUIREMENTS
 IT/Software Companies
 Request Tech E&O, plus Privacy/Network Coverage
 Some Tech E&O policies have security/privacy exclusions
 Breach could occur without “wrongful act” being
committed
 Business Services – Payroll, Auditors, Counsel
 Request appropriate E&O coverage
 Request Privacy/Network coverage
 Credit Card Processors/Acquiring Banks
 Request Privacy/Network Coverage (Gaps in Bond or
Professional Liability coverage)
 Other Vendors that transport, touch, interact with your
systems or sensitive information
 Request Privacy/Network coverage
TRADITIONAL INSURANCE
GAPS
 Theft or disclosure of third party information (GL)
 Security and privacy – “Intentional Act” exclusions (GL)
 Data is not “tangible property” (GL, Prop, Crime)
 Bodily Injury & Property Damage triggers (GL)
 Value of data if corrupted, destroyed, or disclosed (Prop, GL)
 Contingent risks (from external hosting, etc.)
 Commercial Crime policies require intent, only cover money,
securities and tangible property.
 Territorial restrictions
 Sublimit or long waiting period applicable to any virus
coverage available (Prop)
PRIVACY & NETWORK
COVERAGES
Liability Coverage
•Privacy Liability
•Network Security Liability
•Media, IP and Content Liability
•Technology Services Liability (if required)
Direct (Loss Mitigation) Coverage
•Data Breach Expenses:
 Public relations expenses, consumer notification and credit monitoring service
costs (sub-limit)
 Forensics/Investigations
Direct (First Party) Coverage
•Revenue Loss
•Data Reconstruction
•Extortion Costs
BEST PRACTICES
Maintain a Risk Transfer Instrument
Have a Proper Background Screening Program for new hires and vendors.
Pre-Arrange a Breach Service Provider, Outside Counsel and Reputational Risk
Advisor
All specializing in Privacy Law and Breach Crisis Management
Provide “Certification” through e-Learning to employee base on safeguarding
data
#1 preventative initiative being adopted by CISOs and CPOs in 2010 (as per
Ponemon 2011 Study)
Develop an Incident Response Plan (required on several federal and state fronts
– HTIECH, MA201, et al.)
Internal Staff, Outside Counsel, Reputational Risk Advisor, Breach Service Provider
Conduct annual Risk Assessments and Tabletop Exercises.
Hold an internal “Privacy Summit” to identify vulnerabilities
Risk, Compliance and Privacy, HR, Legal, IT, C-level representation (CFO), Physical
Security / Facilities – “Technology, Processes and People.”
Keep General Counsel’s office current to state disclosure laws, federal
regulations, foreign requirements and updates
MANAGING A DATA
BREACH
What information was involved?
- Personally Identifiable Info. (PII)
- Protected Health Info. (PHI)
- Credit Card Numbers
Was the information computerized/ what type of media?
Was the information encrypted?
Is there a “reasonable” belief that personal information was
accessed or acquired by an unauthorized person?
POSSIBLE STAKEHOLDERS
Affected individuals
Board of Directors/ Senior Management
Law Enforcement
State and Federal Regulators
Financial Markets
Payment Card Issuers
Employees
Shareholders
Auditors
The General Public
CONSEQUENCES OF A DATA
BREACH
 Forensic Investigations
 Notification: $1/individual
 Credit monitoring costs: $15-$50+ per individual
 Call Centers, Fraud Alerts, Database Scanning, Restoration
Services
 Civil penalties and fines
 Class Action suits
 Legal defence costs:
 Civil, regulatory and possibly criminal defense
 Data Privacy counsel can cost $700 per hour. A major data
breach will cost millions in legal costs
 Business Interruption Costs/Data Damage?
FOR MORE INFORMATION
Contact:
Karl Pedersen
FINEX North America
Privacy, Network Security, Media & Intellectual
Property National Team
(213) 550 9806
[email protected]