W.C. Unit Adjuster File Counts


CYBER LIABILITY
Is our current coverage adequate?
Purpose of Today’s Meeting
• Identify Cyber exposures
• Explore the need for coverage
• Determine coverage afforded by JIF/MEL
• Decide what actions, if any, need to be taken.
CYBER LIABILITY
• Members are using computers more to conduct municipal business
• Municipal websites
• Pay tax bills, dog licenses, sports registrations, etc.
• What do we cover?
– What do members expect?
WHAT IS CYBER LIABILITY?
Cyber Liability addresses the first- and third-party risks
associated with e-business, the Internet, networks and
informational assets. Cyber Liability Insurance coverage offers
cutting edge protection for exposures arising out of Internet
communications.
The concept of Cyber Liability takes into account first- and
third-party risks. The risk category includes privacy issues, the
infringement of intellectual property, virus transmission, or any
other serious trouble that may be passed from first to third
parties via the Web.
CURRENT COVERAGE
Past discussions have resulted in the opinion that our
Casualty Coverage Document and our Public Officials
Liability coverage will be responsive to “Cyber” claims.
Property damage means:
Physical injury to tangible property, including all resulting loss of use of that
property. All such loss of use shall be deemed to occur at the time of
the physical injury that caused it; or
Loss of use of tangible property that is not physically injured. All such loss
of use shall be deemed to occur at the time of the occurrence that
caused it.
CURRENT COVERAGE
Personal and Advertising Injury means injury, including consequential bodily
injury and mental anguish or mental suffering associated with or arising from
bodily injury or personal and advertising injury, arising out of one or more
of the following offenses:
1. False arrest, detention or imprisonment;
2. Malicious prosecution;
3. The wrongful eviction from, wrongful entry into, or invasion of the right of
private occupancy of a room, dwelling or premises that a person occupies,
committed by or on behalf of its owner, landlord or lessor;
4. Oral or written publication of material that slanders or libels a person or
organization or disparages a person’s or organization’s goods, products or
services;
5. Oral or written publication of material that violates a person’s right of
privacy;
6. The use of another’s advertising idea in your advertisement; or
7. Infringing upon another’s copyright, trade dress or slogan in your
advertisement.
What About First Party?
Electronic Data Processing Equipment and Media
This Policy is extended to insure against direct physical loss caused by:
(1) mechanical or machinery breakdown of data processing
equipment;
(2) electrical or magnetic injury or disturbance to data
processing equipment or data processing media, including
accidental erasure.
Electronic Data Processing Equipment is defined as the machine
components of the insured's electronic or electro-mechanical information
processing system and of the insured's electronic control system for
production operations.
Data Processing Media is defined as all forms of converted
information, including program and instruction vehicles, used in the
insured's electronic and electro-mechanical information processing
and production control operations.
Will We Cover Response Costs?
• Notification Costs
• Credit Monitoring Costs
• Forensic Investigations
• Call Center Support
• Identity Theft Education
• Public Relations
If “YES”, should we spell it out? Sub-limit coverage?
Will our reinsurers respond? Can our claims people handle?
Now is the time to address these issues, not after a large claim.
What does a Breach Cost?
Costs Of A Breach (1):
• Estimated avg. cost of a security/privacy breach is $197 per record.
• Average cost is $6.3M per breach.
• Avg. cost to defend a claim is 8% of the avg. cost/breach or $504,000.
• The total cost of a breach ranged from $225,000 to almost $35 million.
Therefore, defense costs ranged from $18,000 to $2,800,000.
Additional Costs Per Record (2):
• As high as $50 per record for Discovery and Notification
• As high as $30 per record for Credit Monitoring
• As high as $150 per record for Customer Attrition, cost to meet new
audit requirements, lost productivity
• As high as $115 per record for Consumer Redress imposed by the
regulators
(1) Source: 2007 Annual Study: U.S. Cost of a Data Breach – Understanding Financial Impact, Customer Turnover,
and Preventative Solutions – by The Ponemon Institute, PGP Corporation and Vontu, Inc.
(2) Source: Forrester Research
Sometimes Security & Procedures Fail
– Failure of your Network to prevent unauthorized
access or unauthorized use of your network
(hackers, rogue employees)
– Failure of Network to prevent malicious code
– Failure of your Network to prevent denial of
service attack
– Failure of your Network, your Privacy Policies,
and/or your Independent Contractors (Information
Holders) to safeguard private information
(electronic/non-electronic) in your care, custody,
or control
The most vigilant Network Security and Privacy Policies are Vulnerable
to Hackers, Rogue Employees, Social Engineering, and Human Error
Risk Management/Loss Control/Claims Management
CYBER LIABILITY
Compare to Boiler and Environmental Impairment
Loss control is a key component of the program
• Risk Assessment
• Regulatory Compliance
• Security Protocols
• Disaster Recovery Plan
• Website disclaimers
• IT Vendor Management
"The City of New York is committed to providing a secure information technology environment and to the
protection of private information collected from the public. People are part of that solution, and as a City
employee, your understanding and commitment to good security practices go a long way to bolster a secure
computing environment. Therefore, I invite you to participate in the second annual NYC Cyber-security
Summit, where we can explore ways to secure information used by the City as we provide municipal
services." Cyber Security Summit, Brooklyn Marriott, May 4, 2009
REGULATORY REQUIREMENTS
• HIPAA
• Sarbanes Oxley
• 40 State Privacy Laws
• Federal Privacy Laws
– Federal Trade Commission
• Fair And Accurate Transaction Act of 2003 (FACTA)
– Section 15 U.S.C. § 1681c(g) of FACTA limits the information that
can be printed on an electronically printed credit card receipt to the
last five digits of the credit card number, and specifically prohibits
printing a credit card’s expiration date on the receipt.
– Proper disposal of consumer report information required. “Consumer
information” under FACTA includes records that are consumer reports
and records that are derived from consumer reports
• FACTA Regulation 114
– The rules implementing section 114 require each financial institution
or creditor to develop and implement a written Identity Theft
Prevention Program (Program) to detect, prevent and mitigate identity
theft in connection with the opening of certain accounts or certain
existing accounts.
Reasons to Address Cyber Liability
• Privacy Breaches are on the rise
• Network threats and vulnerabilities are getting
dramatically worse
• Over 40 states have enacted Privacy Laws in response
to frequency of Privacy Breaches
• John Q Public demands prudent Risk Management that
protects his/her information
• Plaintiffs’ bar is becoming more active
• Additional safety net if security defenses and
procedures fail
• Rogue Employees, social engineering, hacker
sophistication, and human error
Virtually every Municipality now has their own website!
Is A Disclaimer On An Entity
Website Important?
• Potential to limit liability
• Discusses information the entity collects, holds,
uses, etc…
• Easily understood
• Outlines proactive communications and best
practices
Utilize the services of an attorney who can assist with
language of the statement.
None of the JIF member websites I checked have a disclaimer!
What’s Next?
This is a major exposure
Tell our members what is covered/not covered
Address member needs, or
Advise them to obtain outside coverage/guidance
Before it’s too late!
Why Wait Until Our First Major Claim?