e-Government
Information Privacy and Security
Risk & Insurance
STRIMA
Portland, Maine
September 10, 2007
e-Government Creates New Exposures
Paradigm shift from physical assets to information assets and resources
Electronic document management
e-Discovery
e-Commerce
Efficiency through online card payments and filing
Electronic funds transfer
Digital connectivity to citizens, businesses, suppliers and other government entities
Mobile workforce and outsourcing
Remote access to network
Wireless solutions
Interactive multimedia
Electronic publishing / content distribution
Network control of critical infrastructure and information
Information Assets and Resources
Electronic Document Management
Employee
Student / juvenile
Bid data
Police
Public works
Medical / health dept.
Motor vehicle
GIS data
Critical Infrastructure
Assurance data
EZ Pass
eDiscovery / litigation
Financial transactions
Economic development zones
eCommerce / Electronic Kiosks
Credit card or banking information from online payments
Dues / licenses
Tickets
Property taxes
EZ Pass
Electronic funds transfer
Network Controlled Resources
Wireless networks
Computing power / storage
Dams and water systems
Airports
Power grid
Access to school and library computers / Internet access
EZ Pass
Emergency response
What keeps you up at night?
Jan. 13, 2007 – North Carolina Dept. of Revenue: laptop theft with 30,000 taxpayer
records including SSN.
Feb. 9, 2007 – East Carolina University: programming error exposed PII on 65,000
students including SSN and credit card numbers exposed on the University’s Web site.
March 30, 2007 – Los Angeles County Child Support Services: three laptops containing
personal information on 243,000 cases were stolen, some including SSNs, but
many without names.
April 10, 2007 – Georgia Dept. of Community Health: computer disk containing
personal information on 2,900,000 individuals including SSNs went missing from
Affiliated Computer Services, a private vendor contracted to handle health care claims
for the state.
June 15, 2007 – State of Ohio: backup computer storage device stolen from a state
intern’s car exposing names and SSNs of 500,000 state workers.
July 17, 2007 – Louisiana Board of Regents: records of 80,000 students and staff
including names and SSNs exposed on Intranet site for as much as 2 years.
TJX: hackers stole millions of credit card numbers over the course of 6 months from an
internal (non-internet) credit card processing server. 20+ class actions, 10+
governmental investigations. Loss projected to be over $200M.
Expanding Privacy & Breach Disclosure laws
California Consumer Data Protection Act (previously called SB 1386 – effective
7/1/2003 – “reasonable belief” of intrusion) requires any business storing
confidential personal information about California residents in electronic form
to contact residents upon discovering or suspecting a security breach to
computer systems.
37 other states have followed with similar laws and Congress is reviewing
federal legislation.
HIPAA – Electronic Medical Information Security Rules.
Merchant Liability for Security Breaches – May 21, 2007, Minnesota enacted the
Plastic Card Security Act. The law enables financial institutions to file lawsuits to
recover costs associated with a merchant security breach that exposes payment
card data. CA, MA, IL and TX are considering similar laws. Now there is a direct
path to merchant liability for expenses such as the cost to reissue a card –
estimated at $20 to $50 per card.
Network Security/Privacy Risks
Several key risks include:
Unauthorized Access or Use
At the heart of many of these exposures is unauthorized network access:
• From employees, vendors or outside hackers
• From a stolen/hacked user name and password, phishing incident or inappropriate acts of
an authorized user
• From a virus, Trojan horse or other form of malicious code
• As the result of a lost or stolen PDA, laptop, Blackberry or other mobile device
Disclosure of Personal Information or Confidential Business Data
Identity Theft and fraud
Regulated information can include personal, financial, and medical data
Electronic theft of confidential data can wreak havoc on operations.
Malicious Code
The rising incidence of malicious code – viruses, worms, Trojan horses – is causing network
damage and crippling denial-of-service attacks. Web site disruptions can result in large losses for
banks, insurers and investment firms as so many customers rely on the web for their
transactions.
Reliance on Network Operations
Network outages may result in the temporary shutdown of your critical applications/operations. If
critical business and operational functions are outsourced to vendors, day-to-day control over
operations may be lost despite contractual agreements.
Downstream Liability
There can be a liability risk to third parties – vendors, customers, business partners – for passing
on malicious code or facilitating an attack via your network.
Traditional Insurance Gaps
Property: usually requires physical damage to a tangible asset to trigger
coverage. Data is not considered tangible property in most policies. Also,
computer viruses and hacker attacks seldom damage your systems “physically.”
Also, most property policies include computer virus exclusions, or provide for
small sub-limits of coverage or long waiting periods.
General Liability: physical damage or bodily injury trigger is not activated in a
network security breach. Advertising Injury and Personal Injury coverage can be
difficult to trigger as a result of intentional and/or criminal acts, like breach of
confidential data due to a hacker or computer virus.
Commercial Crime: covers theft of money and securities, but does not cover
the theft of data, information, and account numbers (including credit card data).
Professional Liability/E&O: intentional acts are usually excluded. Often, an
event such as a security breach can not only harm your client, but also your
client’s customers. Many E&O policies do not respond to these types of security
breach/disclosure of sensitive data events.
Protecting Information
Confidentiality
Availability
Integrity
Basic Risk Questions
How does an organization identify critical or sensitive
information assets and risks to those assets?
Is the frequency and scope of your risk evaluation and
compliance audits sufficient to take evolving threats into
account?
Are risks to critical or sensitive information assets managed in
a similar fashion to other key business risks?
What is the structure, activities, and decision-making relating
to cyber risk management, including electronic fraud?
What are your due diligence and financial responsibility
(insurance) requirements for other companies that connect to
your network or provide technology services?
Contractual Solutions
Vendors providing: Hosting, Managed Security services,
Software, IT services & consulting, ISP/ASP, content
providers, companies connected to your networks/systems.
Insurance coverage requirements:
Errors & Omissions
Internet/Network Security Liability Coverage
Privacy Breach Coverage
Media Liability
Indemnification / Limitation of Liability
Insurance Solutions
Coverage for invasion, infringement or interference with
rights of privacy or publicity, including false light, public
disclosure of private facts, intrusion and commercial
appropriation of name, persona or likeness.
Coverage for damage to/disclosure of data, and the
resulting liabilities
Coverage which responds to wrongful acts in connection
with “internet media” in the conduct of the Insured’s
business
Coverage for any form of defamation (e.g. libel and/or
slander)
Coverage for infringement of intellectual property (e.g.
copyright and/or trademark infringement)
Network Security/Privacy
Insurance Coverages
Network Security Liability
Privacy Liability
Network Business Interruption and Asset Protection
Cyber Extortion
Electronic Media/Website Content Liability
Internet Professional Liability/Tech E&O
Theft of Data/Information (Cyber Crime)
Personal Identity Theft Expense Insurance/Services
Pre and post-breach
Crisis Management & Public Relations
Breach Notification and Credit Monitoring
Insurance Solutions
What kinds of perils can be included?
Breach of Privacy / Identity Theft (electronic and non-electronic)
Negligent release of confidential information
Security breaches such as unauthorized access and
unauthorized use
Content Infringement (website copyright, trademark, domain
names)
Cyber Extortion
Implantation or spread of a Computer Virus
Destruction, modification, or disclosure of electronic data
Loss of Business Income due to a network security breach
Information theft
Covered acts caused by Service Providers
Expenses associated with breach of security notification
requirements
Network Security Coverage
Network Security Liability -- Liability arising from the interruption of your e-Business
communications caused by damage to your computer programs or data that results from
virus, hacking, a denial of service attack, a denial of access or a simple mistake by
your authorized personnel in the administration of your computer system or handling of
your e-Business information assets (administrative error). This also includes liability
for transmission of a computer virus to a third party via a covered computer system or
the failure to prevent the use of your computer system in a denial of service attack.
Broad Privacy Liability -- Liability arising from the alleged breach/disclosure of
personal information or confidential corporate information.
Electronic Media Liability -- Actual or alleged acts committed in the course of your
e-Business communications, including in the course of providing access, publishing,
hosting, collaboration and conducting e-commerce. e-Publishing Offenses include:
• Defamation, libel & slander, product disparagement and trade libel
• Violation of rights of privacy
• Misappropriation and plagiarism of advertising ideas or materials or literary or artistic
formats or styles or performances
• Infringement of copyright, title, slogan, trademark, trade name/dress, service marks or
names.
Network Security Coverage
Business Income Loss -- Comprised of Earnings Loss and/or Expenses Loss as
defined below.
Earnings Loss: Loss of gross margin you sustain due to an e-Communications disruption
from a qualifying cause, which exceeds the waiting period stated in the declarations.
Expenses Loss: The additional expense that you expect to incur during the period of the
e-Communications disruption that is over and above the cost that reasonably and
necessarily would have been incurred to conduct your business had no e-Communications
disruption occurred (not including restoration costs or investigative expenses as
defined below).
Dependent Business Income Loss -- Earnings loss and/or expenses loss you expect to
sustain as a result of, and during, an e-Communications disruption sustained by a third
party on which you depend for the services to support your e-Business Communications.
Extended Business Income Loss or Extended Dependent Business Income
Loss -- The business income loss or dependent business income loss you sustain
during the period of restoration following an e-Communications disruption.
Restoration Costs -- The actual & necessary expenses you expect to incur to
replace, restore, or recreate your e-Business information assets to the level or
condition at which they existed prior to the loss.
Network Security Coverage
Public Relations Expenses -- The actual & necessary expense fees & costs you expect
to pay to an approved public relations consultant for planning & executing your public
relations campaign in order to protect or restore your professional reputation in
response to media coverage of any: e-Communications disruption, network interruption
or qualifying cause. Up to $250,000 for costs associated with notifying consumers of
the potential breach of their personally identifiable information (i.e. Identity Theft;
Security Breach Consumer Notification Laws).
Investigative Expenses -- The actual, reasonable and necessary expenses you incur
during the waiting period to respond to an e-Communications disruption or to the
occurrence of any damage to, destruction of or loss of use of your e-Business
information assets, so that you may prevent, minimize or mitigate any further damage
to your e-Business information assets, minimize the duration of the e-Communications
disruption and gather preliminary forensic evidence to be used in making a
determination of coverage to be provided under this policy and preserve critical
evidence of any wrongdoing.
Extortion Threat(s) -- Amounts paid to terminate a threat to introduce unauthorized code
into your computer system or a computer system that is under your direct control, or to
divulge, disseminate or utilize your e-Business information assets without authorization.
Who is Buying Network Security/Privacy Risk Insurance?
Financial institutions – banks, insurers, investment
Technology – Service providers – combining E&O and
Cyber
Healthcare – MCOs, TPAs, Hospitals
Media/Telecom – combining E&O and Cyber
Retail – supply chain and privacy are key issues
Universities – liability to alumni/students key issue
Energy – system availability and privacy are key issues
What is Different Today?
Information and network security risks represent significant civil
liability and regulatory exposure, as well as direct losses to data and
network assets.
The privacy risk is causing security breaches to be made public,
leading to liability claims
Need for due diligence: gap analysis and risk assessment
GL, Property, and Crime continue to come up short on coverage.
ISO GL 2001 & 2004 explicit about data being intangible property
Network Security policy broadened due to maturity in marketplace:
Privacy, Programming E&O, six-hour time element on Business
Interruption; Notification Expense coverage
Large losses are being paid by underwriters
Loss maturity and competition are decreasing premiums
Summary
Information & Network Security risks represent significant civil
liability and regulatory exposure, as well as direct losses to data
and network assets.
Understand how to identify, control, mitigate and transfer your
cyber exposures -- it’s a high level issue
Current insurance programs may be deficient; cyber products are
being offered to address first party and third party risks
Insurers are wary of governments due to risk assessment
challenges and history of security breaches
Assess your information security before approaching the
insurance market to determine insurability
Some insurers see government as potential growth opportunity