Transcript aci-na.org

Cyber Attacks and Privacy
Claims: Litigation, Insurance and
Crisis Management
Rick Bortnick | Scott Godes |
Art Boyle | Mark Greisiger
#3013053
Richard J. Bortnick
Cozen O’Connor
1900 Market Street
Philadelphia, PA 19103
Tel.: (215) 665-7251
[email protected]
cyberinquirer.com
twitter.com/cyberinquirer
linkedin.com/pub/richard-j-bortnick/1/690/143
About the Firm
Cozen O’Connor, founded in 1970, delivers legal services on an integrated and global basis with
575 attorneys in 22 cities and two continents. Their lawyers counsel clients on their most
sophisticated legal matters in all areas of corporate and regulatory law as well as litigation.
Scott N. Godes
Dickstein Shapiro LLP
1825 I Street, NW
Washington, DC 20006
Tel.: (202) 420-3369
[email protected]
corporateinsuranceblog.com
twitter.com/insurancecvg
linkedin.com/in/scottgodes
About the Firm
Dickstein Shapiro LLP, founded in 1953, is internationally recognized for its work with clients,
from start-ups to Fortune 500 corporations. Dickstein Shapiro is U.S. News & World Report’s “Law
Firm of the Year” for Insurance Law for 2011-2012.
Art Boyle
Vice President – Enterprise Risk Management
Radian Group, Inc.
1601 Market Street
Philadelphia, PA 19103
Tel.: (215) 231-1364
[email protected]
http://www.linkedin.com/pub/art-boyle/7/96a/257
About the Firm
Radian, which is headquartered in Philadelphia, connects lenders, homebuyers, investors and loan servicers using a suite of private mortgage insurance and related risk management products and services. The company helps promote and preserve the tradition of homeownership while protecting lenders from default-related losses on residential first mortgages. It also facilitates the sale of low-downpayment mortgages in the secondary market. Radian Group Inc. is traded on the New York Stock Exchange under the symbol RDN.
Mark Greisiger
President
NetDiligence®
Corporate Headquarters
Philadelphia, PA
Tel.: (610) 525-6383
[email protected]
http://www.linkedin.com/pub/mark-greisiger/3/b05/475
About the Firm
NetDiligence® is a cyber risk management company. For the past 12 years NetDiligence has been offering cyber risk assessment services to risk managers. NetDiligence supports the loss control needs of many US and UK insurers that offer cyber risk coverage (aka ‘privacy insurance’). Mr. Greisiger is a frequently published contributor to various insurance & risk management publications on similar topics. (Write me to receive our monthly cyber risk newsletter.)
Notable Cyber Risks and Events – Global Payments
• 3rd Party?
• 1st Party?
How real? No One Is Immune
…Sampling of live events
Company                                  Year   Number Affected
Sony                                     2011   100,000,000
Educational Credit Management            2010   3,300,000
Citigroup                                2010   600,000
Heartland Payment Systems                2009   130,000,000
Hannaford Brothers Co                    2008   4,200,000
TJX Companies Inc.                       2007   94,000,000
HM Customs and Revenue                   2007   25,000,000
Fidelity National Information Services   2007   8,500,000
TD Ameritrade                            2007   6,300,000
U.S. Department of Veterans Affairs      2006   26,500,000
Visa, CardSystems, Mastercard, AMEX      2005   40,000,000

Date     Companies
Jan-11   Pentagon Federal Credit Union
Dec-11   Sovereign Bank
Nov-11   AARP
Oct-11   CitiBank
Oct-11   State Farm Insurance
Oct-11   Farmers Insurance
Sep-11   Morgan Keegan & Company
Sep-11   JP Morgan Chase Bank
Aug-11   Aon Consulting
Aug-11   Wachovia Bank
Aug-11   MetLife
Jun-11   Anthem Blue Cross, Wellpoint
Feb-11   Equifax
Feb-11   Ceridian
Sep-11   Bernard Madoff Investors
Aug-11   American Express
Apr-11   Federal Reserve Bank of New York
Jan-11   Heartland Payment Systems
Sep-11   State Farm Insurance
Aug-11   Countrywide
Jun-11   United Healthcare
Notable Recent Cases - Defense
• Katz v. Pershing, LLC
– “The innovations and problems of the electronic age have
created new challenges for the courts. But venerable
principles of our jurisprudence can guide us on this frontier.
This case is illustrative: the plaintiff has asserted a litany of
novel harms under freshly inked laws, but the irreducible
minimum requirements of pleading and Article III doom her
case.”
• Paul v. Providence Health System-Oregon
– “plaintiffs failed to state a legally sufficient claim for
negligence or under the UTPA.”
Notable Recent Cases - Plaintiffs
• Anderson v. Hannaford Bros.
– “two forms of mitigation damages . . . are cognizable under Maine law
and we reverse . . . dismissal of the plaintiffs’ negligence and implied
contract claims as to those damages”
• Claridge v. RockYou, Inc.
– “breach of his PII has caused him to lose some ascertainable but
unidentified ‘value’ and/or property right inherent in the PII.”
– “Online gaming firm will pay $250,000, submit to independent audits for
20 years after exposing data on 30 million users” (ComputerWorld.com)
• Krottner v. Starbucks Corp.
– increased risk of identity theft constitutes an injury-in-fact
Types of First-Party Loss
• Hardware or Software Malfunction
• Data Corruption
• Denial of Service Attack
• Extortion
• Forensics
Types of Third-Party Claims and Liabilities
• Copyright/Trademark Infringement
• Data Privacy Breach
• Internet Media Liability (e.g., Defamation)
• Unauthorized Access/Unauthorized Use (e.g., Third
Party Data Corruption, Denial of Service Attack)
• Statutory Liability (Federal and State Privacy Laws)
What is a “Privacy Breach”?
• Violation of posted Privacy Policy
• Violation of State or Federal Law
• Involves PII, non-public data, or paper records
• Unencrypted Data
• Holds potential for identity theft
• May occur in:
– Systems (server farms)
– Facilities (dumpsters)
– Stolen laptops or mobile devices
What are the Causes of Loss?
(Per Ponemon Institute)
• 35% lost laptop
• 21% third party/outsource
• 19% electronic backup
• 9% paper records
• 9% malicious insider
• 7% hacker
Who are the Breach Perpetrators?
• Employees
– Intentional
– Unintentional
• Unknown Third Parties
– Hackers
– Crackers
– Hacktivists
• Business Partners
Typical Allegations In a Privacy Breach
(Class Action) Lawsuit
• Failure to protect customer information/privacy
• Reduction in value of claimants’ PII
• Failure to notify/timely notification
• Cost to reissue payment cards/open new accounts
• Cost of fraudulent purchases
• Consumer Redress: credit monitoring/identity theft
insurance
• Regulatory Actions: fines and penalties
Identity Theft Victims
• 11.6 million adults in 2011 (increase of 13% over
2010)
• Total amount of fraud = $37 billion
• 1 in 10 consumers already victimized
• Source: Javelin Research
Costs of a Data Breach
• 2011 average total cost per incident (among
surveyed companies) = $5.5 million to $7.2 million,
depending on whose study you read
• 2011 per record cost (among surveyed companies) =
~$194.00, depending on the cause and impact
• Sources: Ponemon Institute and NetDiligence survey
Federal and State Laws
• SEC Guidelines, published October 13, 2011
• Federal and state laws require businesses to
maintain adequate data security and destroy data
with Personal Identifiable Information
or Personal Health Information
• Notification statutes require disclosure in certain
circumstances where Personal Identifiable
Information or Personal Health Information has been
obtained by an unauthorized third party
What Is Personal Identifiable
Information?
• Generally defined as including any combination of
the following:
Name; address; telephone number; electronic mail
address; fingerprints; photographs or computerized
images; a password; an official state or government-issued
driver’s license or identification card number; a
government passport number; biometric data; an
employer, student, or military identification number; date
of birth; medical information; financial information; tax
information; disability information; and zip codes
(depending on the state).
SEC CF Disclosure Guidance: Topic No. 2:
CYBERSECURITY
“appropriate disclosures may include: . . .
Description of relevant insurance coverage.”
SEC CF Disclosure Guidance: Topic No. 2:
CYBERSECURITY
Risk Factors
– Tailor to company’s individual facts and circumstances;
avoid “boilerplate” disclosures.
– Disclosures that may be appropriate include:
• The company’s business or operations that give rise to
cybersecurity risk;
• Outsourced functions that have material cybersecurity risks,
including how the company addresses those risks;
• Cyber incidents that the company has experienced, including costs
and consequences;
• Cyber risks that may remain undetected; and
• Relevant insurance held by the company.
Examples of Federal Statutes
Protecting a Person’s Privacy
• Gramm-Leach-Bliley Act
• Driver Privacy Protection Act
• Health Insurance Portability and Accountability Act
• Electronic Communications Privacy Act of 1986
States With Breach Notification Laws
Alaska
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
District of Columbia
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
Iowa
Kansas
Louisiana
Maine
Maryland
Massachusetts
Michigan
Mississippi
Missouri
Minnesota
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New York
North Carolina
North Dakota
Ohio
Oklahoma
Oregon
Pennsylvania
Puerto Rico
Rhode Island
South Carolina
Tennessee
Texas
Utah
Vermont
Virginia
Washington
West Virginia
Wisconsin
Wyoming
Typical Requirements of
State Breach Notification Laws
• Generally require written notification to affected
individual in the event of a security breach
• Each state varies in:
– the definition of what constitutes a breach
– the definition of Personal Identifiable Information (only a
few states include Personal Health Information)
– whether a risk of harm standard applies
– content requirements for notice
– authorities that must be notified
– available penalties and private rights of action
States With No Breach Notification Law
• Alabama
• Kentucky
– HB 581 introduced on March 2, 2010
• New Mexico
• South Dakota
Cost of a Data Breach
Cost per record: $214 (2010) (up $10 from 2009)

DIRECT COSTS ($73.00 per record)
  Notification
  Call Center
  Identity Monitoring (credit/non-credit)
  Identity Restoration
  Discovery / Data Forensics
  Loss of Employee Productivity

INDIRECT COSTS ($141.00 per record)
  Restitution
  Additional Security and Audit Requirements
  Lawsuits
  Regulatory Fines
  Loss of Consumer Confidence
  Loss of Funding

© Ponemon Institute 2011
NetDiligence® Cyber Risk Claims Study
Insurers paid out losses.
Highlights of Findings
• Collected from insurers data on actual data/privacy breach claims based on the following criteria
  – The victimized organization had some form of cyber or privacy liability coverage
  – A legitimate claim was filed
• Analyze data in terms of types of events and their associated costs
• 117 data breach claim events were submitted for our study
• Data at Risk
  – PII is the most frequently exposed data (37% of breaches), followed by PHI (21% of breaches)
  – Credit card information accounts for a whopping 88% of records exposed
• Cause of Loss
  – Hackers are the most frequent cause of loss (32%), followed by rogue employees/contractors (19%)
• Sectors at Risk
  – Healthcare is the sector most frequently breached (24%), followed by Financial Services (22%)
Highlights of Findings
Costs (at-a-glance)
– Average cost* per breach was $2.4 million
– Average cost* per record was $5.00
– Legal (Defense & Settlement) represents the largest
portion of costs incurred
• Average Cost of Defense: $500K
• Average Cost of Settlement: $1 million
– Crisis services costs (forensics, notice & credit monitoring)
avg $800k (combined) per event
[Chart: % of Breaches by Data Type]
[Chart: % of Breaches by Cause of Loss]
[Chart: Average Cost per Breach (hundred thousands)]
Typical First-Party Coverages
• Digital Asset Expenses
• Business Interruption Income Loss and Dependent
Business Interruption Income Loss Coverage
• Network Extortion Threat and Reward Payments
Coverage
Typical Third-Party Coverages
• Network Security Liability Coverage
• Privacy Liability Coverage
• Media Liability Coverage
• Technology Liability Coverage
• Miscellaneous Professional Liability Coverage
Personal and Advertising Injury Coverage
• Cyber privacy claims may implicate personal and advertising injury coverage
  – Right to Privacy
  – Defamation
  – Scope of Publication
  – Social Media
  – Copyright and Trademark Issues
Other Insurance and Overlapping Coverage
• Liability coverage may overlap and converge with other insurance products
  – Part A of CGL Policies
  – Part B of CGL Policies
  – Pure Cyber and Technology Policies
  – Professional Liability Policies
  – Crime and Fidelity Policies
  – Directors and Officers Liability Policies
  – First-Party Property Policies
  – Business Interruption Policies
  – EPLI Policies
  – Kidnap, Ransom, Extortion Policies
Other Insurance and Overlapping Coverage
• Scope of Duty to Defend
• Allocation of Defense Costs
• Damages Covered under Each Form
• Implications of “Other Insurance” Clauses
• Scope of Duty to Pay under Pure Indemnity Policies
Common Weak Spots
• PROBLEM 1) IDS or ‘Intrusion Detection Software’ (bad guy alert system)
  – Studies show that 70% of actual breach events are NOT detected by the victim company, but by 3rd parties (and many more go undetected completely).
  – FTC and plaintiff lawyers often cite ‘failure to detect’
  – Vast data: a company’s IDS can log millions of events against its network each month
  – False positives: 70%
• PROBLEM 2) Patch Mgmt - Challenges:
  – All systems need constant care (patching) to keep bad guys out.
  – Complexity of networking environments
  – Lack of time: Gartner Group estimates that “IT Managers spend an average of 2 hours per day managing patches.”
• PROBLEM 3) Encryption (of private data)
  – Problem spans all sizes & sectors.
  – ITRC (Identity Theft Resource Center): only 2.4% of all breaches had ‘encryption’
  – Issues: budgets, complexities and partner systems
  – Key soft spots: Data ‘at rest’ for databases & laptops (to a lesser extent)
  – Benefits: safe harbor (usually)
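The IDS "vast data / 70% false positives" problem above is, in practice, a triage problem: raw sensor events have to be collapsed into a short list of findings a small team can act on, and known-benign sources have to be tuned out so that the real "failure to detect" does not hide under noise. The script below is an added illustration of that aggregation step and is not code from the presentation or from NetDiligence; the pipe-delimited alert format, the sample alert lines and the tuned-out list are all constructed for the example.

```python
"""Alert-triage sketch for the IDS 'vast data / false positives' weak spot.

Added illustration, not code from the presentation. The alert format, the
sample events and the tuning list are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of IDS alert lines (not from any real sensor), in the
# hypothetical format: timestamp|priority|signature|src_ip|dst_ip
# Priority 1 is most severe, 3 least severe.
RAW_ALERTS = """\
2011-10-03T08:00:01|3|ICMP PING NMAP|10.0.0.5|10.0.1.20
2011-10-03T08:00:02|3|ICMP PING NMAP|10.0.0.5|10.0.1.21
2011-10-03T08:00:03|3|ICMP PING NMAP|10.0.0.5|10.0.1.22
2011-10-03T08:01:10|2|WEB-MISC robots.txt access|203.0.113.9|10.0.1.80
2011-10-03T08:01:11|2|WEB-MISC robots.txt access|203.0.113.9|10.0.1.80
2011-10-03T08:05:00|1|SQL injection attempt in URI|198.51.100.7|10.0.1.80
2011-10-03T08:05:03|1|SQL injection attempt in URI|198.51.100.7|10.0.1.80
2011-10-03T08:05:07|1|SQL injection attempt in URI|198.51.100.7|10.0.1.80
2011-10-03T08:05:09|1|SQL injection attempt in URI|198.51.100.7|10.0.1.80
2011-10-03T08:09:00|1|Outbound connection to known botnet C2|10.0.1.33|192.0.2.44
2011-10-03T08:12:00|3|SNMP public community string|10.0.0.2|10.0.1.1
"""

# (signature, source) pairs the analysts have reviewed and classed as benign
# in this environment. Constructed list: an authorised internal scanner and
# a monitoring server. Tuning by pair rather than by signature alone keeps
# the same signature alerting when it comes from anywhere else.
TUNED_OUT = {
    ("ICMP PING NMAP", "10.0.0.5"),
    ("SNMP public community string", "10.0.0.2"),
}


@dataclass
class Finding:
    signature: str
    src_ip: str
    count: int      # number of raw events collapsed into this finding
    priority: int   # most severe priority seen in the group


def parse_alerts(text):
    """Parse pipe-delimited alert lines into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, prio, sig, src, dst = parts
        alerts.append({"ts": ts, "priority": int(prio), "sig": sig,
                       "src": src, "dst": dst})
    return alerts


def triage(alerts, tuned_out=TUNED_OUT):
    """Collapse raw events into one finding per (signature, source), drop
    tuned-out pairs, and order by priority then volume.

    Returns (findings, stats) where stats records how much of the raw
    volume was suppressed, which is the number a risk manager should track
    when asking whether the tuning has gone too far.
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sig"], a["src"])].append(a)

    findings, suppressed = [], 0
    for (sig, src), events in groups.items():
        if (sig, src) in tuned_out:
            suppressed += len(events)
            continue
        findings.append(Finding(sig, src, len(events),
                                min(e["priority"] for e in events)))
    findings.sort(key=lambda f: (f.priority, -f.count))

    stats = {
        "raw_events": len(alerts),
        "suppressed": suppressed,
        "findings": len(findings),
        "suppressed_ratio": round(suppressed / len(alerts), 2) if alerts else 0.0,
    }
    return findings, stats


if __name__ == "__main__":
    findings, stats = triage(parse_alerts(RAW_ALERTS))
    print(stats)
    for f in findings:
        print(f"P{f.priority} x{f.count:<3} {f.signature} from {f.src_ip}")
```

On the constructed input, eleven raw events become three findings, with the two priority-1 items (the repeated injection attempts and the single outbound C2 connection) at the top of the list. The single C2 event is the one worth noticing: volume-based dashboards bury one-off events, which is exactly how a compromise stays undetected until a third party reports it.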
Strategies for Risk Managers
• Plan for the loss
  – CFO must understand that data / network security is NEVER 100%. It’s really not if but when.
  – 4 Legs of Traditional Risk Mgmt:
    • Eliminate: e.g., patch known exploits, encrypt laptops, etc.
    • Mitigate: e.g., dedicated security staff; policies; IDS/IPS; etc.
    • Accept: e.g., partner SLAs, capabilities (trusting their assurances)
    • Cede: residual risk via privacy risk insurance
• Wide-Angle Assess Safeguard Controls Surrounding:
  – People: they seem to ‘get it’… proper security budget and vigilant about their job!
  – Processes/Policies: enterprise ISO 27002, HITECH ready; employee education/training; change management processes, breach response plan, etc.
  – Technology: proven IDS/IPS capabilities, DLP solutions, hardened & patched servers (tested), full encryption of PII.
Are you at risk? Ask your team:
• Has your firm ever experienced a data breach or system attack event?
  Some studies show 80-100% of execs admitted to a recent breach incident.
• Does your organization collect, store or transact any personal, financial or health data?
• Do you outsource any part of computer network operations to a third-party service provider?
  Your security is only as good as their practices, and you are still responsible to your customers.
• Do you use outside contractors to manage your data or network in any way?
  The contractor, service provider or business partner is often the responsible party for data breach events.
Are you at risk? Ask your team:
• Do you partner with entities, and does this alliance involve the sharing or handling of their data (or your data), or do your systems connect/touch their systems?
  You may be liable for a future breach of their network, and/or business partners often require cyber risk insurance as part of their requirements.
• Does your posted Privacy Policy actually align with your internal data management practices?
  If not, you may be facing a deceptive trade practice allegation.
• Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?
  Doing nothing is a plaintiff lawyer’s dream. It is vital for the Risk Mgr to know if your practices are reasonable, in line with peers and the many regulations.