Transcript Cyber Liability Overview - Virginia Economic Development

Privacy & Cyber Risks
Virginia Leaders in Export & Trade
October 28, 2011
Matthew McDavid
Vice President
Agenda
Understanding Identity Theft
Battling Breaches & Protecting Privacy
• Industry issues
• Threat Environment
• Fraud facts (myth busting)
• Cost of a Data Breach
• The target
• Available Coverage Overview
• The thief
• Your Risk Identification
• Case studies
• Favorable Case Decisions
• Investigating an event
• Insurer Paid Claims Examples
• Managing an event
• Best practices
MARSH
July 17, 2015
1
Section 1
Understanding Identity Theft
The Art of Managing a Crisis
Identity Theft & Fraud
• Industry Issues
– FTC Estimates nearly 10 Million victims per year
– Many victims don’t know or don’t report
– Fastest growing white collar crime in America
– Average 175 hours and $1,500 to resolve
– Tremendous media exposure
• Common Types of Fraud
– Current Credit – Credit Card, Debit Card, Phone Card
– Identity Fraud using:
- Your name and SS# to:
- Establish new credit
- Commit other criminal activity
• ID Theft goes far deeper than your credit!
MARSH
July 17, 2015
3
Fraud Facts
• Other forms of Fraud
– Driver’s License
– Health Benefits
– Insurance Fraud
– Rental Housing
– Utilities
– Government Benefits
– W-2 Fraud
MARSH
July 17, 2015
4
The Target
• Absolutely everyone with identifying information
– Average consumer is most common victim
– If you have:
- A Social Security number
- Credit worthiness is a bonus
– Few consumers become victims because of their
internet use
• Common Identity Thief’s MO (Volume, not Value)
– Gain access to large numbers of potential victims
– Keep a low profile
– Victimize average consumers over long periods
– Sell or Trade Identities
MARSH
July 17, 2015
5
The Thief
• Shadow Crew
– E-bay-like environment for buying/selling identities
• Job Fairs
– Improper vetting of employers
Identities are a currency
• Methamphetamines and Gangs
– Boxes of physical papers of identities
– Hospitals, Auto Dealerships
• Fraud Rings
– Collaborative hiring
• W2 Fraud and Arizona
– #1 ID Theft circumstance
– #1 State for ID Theft
• Broken Business Practices
– Your employees
– Human factors are at hand
MARSH
July 17, 2015
6
Case Studies
• Internal Fraud (40 cases last year)
• Laptops – Laptops - Laptops
• Healthcare Provider loses 20 years worth of data
• HR Employee takes work home over the weekend
• Foreign National takes money and identities
• Healthcare Provider believes it loses data on 275,000
patients
• Employee receives email and sends it to personal
email, then forwards again
• Company instructs victims to “Freeze their Credit”
MARSH
July 17, 2015
7
Your Risk
• What is your breach universe?
– What do you think the most likely cause is of an event?
– Hacking
– Extortion
– Policies and procedures
– Internal fraud
– Disgruntled employee
MARSH
July 17, 2015
8
Identifying an Event
• Do you have an investigative procedure?
• Validate what information was lost, regardless of
media
– Laptop, CD, thumb drive, I-Pod, PDA, back
ups, paper files, third party, rogue employee
– External counsel
– Forensics investigator
– General investigations
– PR & Communications
MARSH
July 17, 2015
9
Managing the Event
• How do you notify victims of the event?
– Mail? Email (E-sign act)? Publicly?
• What is your deliverable to the victims?
– You can’t just say “We breached your data and here is
a list of things you can do to protect yourself”
• Notify correctly vs. quickly
– What should you say?
• Call center (questions and answers)
• Credit reports and monitoring
• Insurance vs. Resolution
• Additional exposure
– Current victims
- Audience segments
MARSH
July 17, 2015
10
Best Practices for Breach Preparedness and Prevention
• Pre-Arrange a Breach Service Provider, External Counsel and Reputational Risk Advisor – all
specializing in Privacy Law and “Breach” Crisis Management
• Provide “Certification” through e-Learning to employee base on safeguarding data
• Develop an Incident Response Plan
– Internal Staff
– Outside Counsel
– Reputational Risk Advisor
– Breach Service Provider
• Conduct annual Risk Assessments and Tabletop Exercises
• Hold an internal “Privacy Summit” to identify vulnerabilities
– Risk
– Compliance and Privacy
– HR
– Legal
– IT
– C-level representation (CFO)
– Physical Security / Facilities
MARSH
July 17, 2015
11
Section 2
Battling Breaches & Protecting Privacy
Risk Review & Discussion
Threat Environment
• Lost or stolen laptops, computers or
other computer storage devices
Hacked Systems:
7%
Malicious Insider or
Malicious Code:
9%
• Hackers breaking into systems
• Employees stealing information or
allowing access to information
Lost Laptop or other
Device:
35%
Paper Records:
9%
• Internal security failures
• Viruses, Trojan Horses and computer
security loopholes
Electronic Backup:
19%
Third Party or
Outsourcer:
21%
• Info tossed into dumpsters- improper
disposition of information
• Web 2.0 Social Media/Cloud Computing
• FTC and State AG Regulatory Actions
Source: Ponemon Institute
MARSH
July 17, 2015
13
Privacy Event
Quantification
MARSH
July 17, 2015
14
2010 U.S. Cost of a Data Breach
Ponemon Institute
• Data breach incidents cost US companies $204 per compromised customer record
in 2009, compared to $202 in 2008
• The average total cost per incident increased to $6.75M, up from $6.65M in the
previous year
• The cost of a data breach as the result of malicious attacks were more costly and
severe
• Negligent insider breaches have decreased due to awareness and training on
protecting private information. 58% have expanded their use of encryption
• Third party organizations accounted for 42% of all breach cases. These remain the
most costly due to additional investigation and consulting fees
• The most expensive case in the study cost nearly $31,000,000 to resolve, the least
was $750,000
• The study was comprised of 45 breaches with a range of 5,000 to 101,000
compromised records
MARSH
July 17, 2015
15
Available Coverage Overview
• Network Security Liability: Liability to a 3rd party as a result of a failure of
company's network security to protect against destruction, deletion or corruption of
a 3rd party’s electronic data, denial of service attacks against Internet sites or
computers; or transmission of viruses to third party computers and systems.
• Privacy Liability: Liability to a 3rd party as a result of company's failure to properly
handle, manage, store or otherwise control personally identifiable information,
corporate information identified a confidential and protected under a nondisclosure
agreement and unintentional violation of privacy regulations.
• Regulatory: Defense expenses and civil fines or penalties paid to a governmental
entity in connection with an investigative demand or civil proceeding regarding
actual or alleged violation of privacy laws
• Identity Theft Response Fund: Expenses to comply with privacy regulations, such
as communication to and credit monitoring services for affected customers. This
also includes expenses incurred in retaining a public relations firm for the purpose
of protecting/restoring company's reputation as a result of the actual or alleged
violation of privacy regulations.
MARSH
July 17, 2015
16
Available Coverage Overview
• Network Business Interruption: reimbursement of the company's own
loss of income or extra expense resulting from an interruption or
suspension of its systems due to a failure of network security to prevent a
security breach.
• Data Asset Protection: recovery of the company's costs and expenses
incurred to restore, recreate or regain access to any software or electronic
data from back-ups or from originals or to gather, assemble and recreate
such software or electronic data from other sources to the level or condition
in which it existed immediately prior to its alteration, corruption, destruction,
deletion or damage.
• Cyber Extortion: ransom or investigative expenses associated a threat
directed at the company to release, divulge, disseminate, destroy, steal, or
use the confidential information taken from the Insured, introduce malicious
code into the company's computer system; corrupt, damage or destroy
company's computer system, or restrict or hinder access to the company's
computer system.
MARSH
July 17, 2015
17
Coverage Overview with Examples
Coverage
Example
Limit of Liability
Retention
Security Liability
Hacking, virus transfer
Up to $150,000,000
$25,000 and up
Privacy Liability
Customer information
breach
Up to $150,000,000
$25,000 and up
Forensics
Investigation
Up to $10,000,000
Ranges from NIL and up
Privacy Breach Notification Costs
State privacy laws
require notification
Up to $10,000,000 or
2,000,000 records
Ranges from NIL and up
Loss mitigation coverage
Credit monitoring
Up to $10,000,000
Ranges from NIL and up
1st Party Data Protection
Rebuild your damaged
data from computer
attack
Up to $100,000,000
$25,000 and up
1st Party Network Bus. Int. (“NBI”)
Loss of revenue due to
computer attack
Up to $100,000,000
A combination of the greater of
$25,000 + or 8 to 12 hours
Defense Costs/Fines & Penalties for
Regulatory Actions
FTC or AG claims for
privacy breach
Up to $25,000,000
Ranges from NIL and up
MARSH
July 17, 2015
18
Risk Identification
Potential Risk Event
Likelihood
Potential
Impact
Website copyright/trademark infringement claims
Legal liability to others for computer security breaches
(non-privacy)
Legal liability to others for privacy breaches
Privacy breach notification costs & credit monitoring
Privacy regulatory action defense and fines
Costs to repair damage to your information assets
Loss of revenue due to a failure of security or computer
attack
Loss of revenue due to a failure of security at a dependent
technology provider
Cyber Extortion Threat
MARSH
July 17, 2015
19
Favorable Case Decisions
• In re: Hannaford Bros. Co. Customer Data Security Breach Litigation, (D. Me.,
May 12, 2009).
– 4,000,000 + records exposed
– Alleged failure to protect cardholder data and notify customers
– Judge Hornby ruled without any actual and substantial loss of money or property,
consumers could not seek damages
– Consumers with no fraudulent charges, or those that had them reversed, could
not seek damages under Maine law
• Ruiz v. Gap Inc. (N.D. Calif. 4/09)
– Theft of two laptop computers from Vangent Inc., a Gap vendor processing job
applications containing personal information, including social security numbers,
on roughly 750,000 Gap job applicants.
– Court ruled that the plaintiff's proof he was at "significant risk" of identity theft as
a result of a laptop containing unencrypted personal information was not a
sufficient damage to make out a viable negligence claim.
– Affirmed on appeal June 2010 - The district court did not err in granting summary
judgment on Ruiz's state law negligence claim. The elements of a negligence
cause of action under California law are (1) the existence of a duty to exercise
due care, (2) breach of that duty, (3) causation, and (4) damages.
MARSH
July 17, 2015
20
Insurer Paid Claims
• $20,000,000+ Hacking Incident: Payment card processor’s system was hacked compromising credit card
data. Insurer paid over $20,000,000 in legal defenses and crisis management related expenses.
• $16,000,000 FI Security Breach: Hackers broke into the insured’s system and inflated the balances of
100 issued payroll and prepaid debit cards to $250,000 per card. Counterfeit cards were used repeatedly in
over 300 ATM locations, located in 20 countries over a seven day period. Approximately $14,000,000 in
such transactions were ultimately processed. The insurer paid the $14,000,000 loss and $2,000,000 for
crisis management, notification costs, and public relations services.
• $15,000,000+ Rogue Employee: A rogue employee used a personal USB drive on the company computer
system to steal and sell the identities of over 4,000,000 customers and applicants. Proposed settlement
exceeds $15,000,000 and includes credit monitoring services, identity theft insurance, and attorney fees.
• $1,400,000+ Database Breach: Hackers broke into a credit card processor’s database and accessed
consumers’ personal data. This resulted in a class action lawsuit, which was filed against the insured
alleging that the insured improperly stored unencrypted customer data, and failed to maintain proper firewall
protection. Settled for $1,250,000 and paid over $160,000 in defense costs.
• $3,000,000+ Lost/Stolen Equipment: E-mail server and external hard drive containing personally
identifiable customer information was stolen while in the custody of an outside vendor. The information was
in the possession of the vendor to facilitate an investigatory request. An employee of the outside vendor has
been implicated. While no lawsuit was filed, the insurer paid out over $3,000,000 in crisis expenses for legal
advice, public relations, forensics, and notification costs.
MARSH
July 17, 2015
21
The information contained in this document is confidential, may be privileged, and is intended for the use of the individual or entity named above. If you are not the addressee, please do not
read, copy, forward, use, or store this document or any of the information contained herein.