CyberSecurity


CyberSecurity by Chubb®

Insurance for Privacy Breaches

Presented by

Chubb Insurance Company of Canada

June 2011

Chubb Specialty Insurance – ©2011

Presenters

Matthew Davies

Canadian Manager – Professional & Media Liability, Chubb Specialty Insurance – Canadian Zone

Kate Kristie

Underwriter – Chubb Pro and Executive Protection, Chubb Specialty Insurance – Toronto Branch

DISCLAIMER

The views, information and content expressed herein are those of the author and do not necessarily represent the views of any of the insurers of The Chubb Group of Insurance Companies. Chubb did not participate in and takes no position on the nature, quality or accuracy of such content. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel…


DISCLAIMER continued

In fact, as far as Chubb is concerned, we don’t even admit to employing Matthew Davies. The fact that Matthew Davies gets a pay cheque from Chubb 26 times a year or gets his expenses paid by us for appearing before you today is purely coincidental. Nothing to do with Chubb, never heard of the dude.

As for Kate, well….


Agenda

– Exposures faced by Insureds
– Privacy Law in Canada and Abroad
– Insurance Coverage
– CyberSecurity by Chubb
– Target Classes of Business
– Underwriting Requirements


EXTRA, EXTRA – READ ALL ABOUT IT!


Privacy Breaches Incur Real Costs

A 2009 survey of more than 600 Canadian IT security professionals by TELUS and the Rotman School of Management at U of T found that on average (1):
– IT security breaches – including viruses, intellectual property theft and abuse by employees – cost reporting organizations $834,149 in 2009, almost double the amount reported in 2008
– IT security breaches soared to 11.3 per reporting organization in 2009, compared to 3 each in 2008
– In 2008, ~17% of reporting organizations had “insider breaches” compared to 36% in 2009
(1) Globe & Mail 29 Sep 2009


Privacy Breaches Incur Real Expenses

A 2009 global survey of 133 organizations in 18 industry sectors shows the following comparison (2):

Country         Avg Cost per Record    Avg Cost of a Breach
Australia       USD $114               USD $1.83 mln
France          USD $119               USD $2.53 mln
Germany         USD $177               USD $3.44 mln
UK              USD $98                USD $2.57 mln
US              USD $214 (+)           USD $7.20 mln (+)
Avg of Above    USD $142               USD $3.43 mln

(2) 2009 Ponemon Institute / PGP Corporation Global Study; (+) Updated – March 2011

Cyber Crime

(3) and (4)

– Prior to May 2011, Canada had usually ranked twelfth or thirteenth in the cyber crime landscape
– Now, the top five countries found to be hosting servers engaged in cyber crime are the U.S., Canada, Egypt, Germany and the U.K.
– Tens of thousands of servers in Canada host “phishing” expeditions
– In 2010, the United States Secret Service arrested more than 1,200 suspects for cybercrime violations. These investigations involved over $500 million in actual fraud loss and prevented approximately $7 billion in additional losses.

(3) ITWorldCanada.com as at 5 May 2011 (4) Verizon Data Breach Study Investigations Report April 2011 page 7


The Threat

(4)

According to IBM:
– More than 4.7 trillion security events in 2010 (or about 150,000 every second)
– 8,000 new vulnerabilities that did not exist in 2009
– 44% of web application vulnerabilities had no corresponding patch by the end of 2010 to protect users
– 14% of Fortune 500 sites have many severe client-facing JavaScript issues that infect users with malware and viruses, hijack web sessions and spoof web content
– “Phishing attacks” – when a hacker masquerades as a trustworthy source, such as a bank, in order to steal sensitive user data – have been replaced by a more sophisticated, targeted version known as “spear phishing”
(4) IBM Security Solutions X-Force 2010 Trend and Risk Report, March 2011


Causes of Breach

(5)

(5) Ponemon Institute “Five Countries Cost of Data Breach” April 2010


Operation PODIUM – Vancouver 2010

Wanna hear a war story? Let me tell you about Op RACCOON

The Cost of a Lost Laptop

(6)

The average value of a lost laptop is $49,246, based on 7 cost factors:
1. Replacement: hardware, software & allocated corporate overhead
2. Detection & Escalation: employee time spent trying to recover the laptop and reporting the incident
3. Forensics & Investigation: hours of IT employee time to do analysis of what data has been exposed
4. Data Breach: per Record cost to notify
5. Lost IP: un-encrypted data and an estimate of its value to a competitor
6. Lost Productivity: downtime for the employee
7. Legal, Regulatory and Consulting Costs
(6) Ponemon Institute, “The Cost of a Lost Laptop”, Apr 2009


Large Data Security Breaches of the past Decade

– Heartland (7) – Malicious breach of 130mln debit and credit card records from Dec 07 through Oct 08. Exposure at $30 a card = $4bln.
– TJX Companies – Malicious breach of over 100mln cards from Dec 02 to Jan 07. Exposure estimated to be $1bln. Settled with VISA in Nov 07 for $40.9mln, with MasterCard in May 08 for $24mln and various state actions in Jun 09 and Sep 09 for over $10mln.
– Google and 20 other multinationals – Announced in Jan 10 that hackers in China breached e-mail accounts
– Epsilon – April 2011: If you haven’t heard about this one, just Google “Epsilon Breach” and 2mln articles later…
– Four Bay Street Law Firms – April 2011
– Sony – May 2011: Need I say anything else?
– Etc, etc, etc – we just can’t keep up…
(7) Advisen Apr 10


Social Media

Web 2.0 – interactive, dynamic, users become creators of the message through posts, collaboration, sharing and re-use of content
– Blogs and Micro-Blogs: Twitter
– File-Sharing: YouTube
– Collaborative sites: Wikipedia, Wikileaks, Ancestry, Quirky
– Social Networking: Facebook, MySpace, LinkedIn
– Aggregation sites: Digg, Stumbleupon
– Virtual Worlds: Second Life


Social Media Exposures

– Brand protection
  – User Names
  – User and Domain Name Squatting
  – Trademarks
– Virtual worlds – Contracts, E-commerce, Consumer Protection, Privacy, Intellectual Property, Taxation, Family Law
– Vicarious Liability
  – Outsourcing
  – Employment Practices
  – Client confidentiality
  – IT and Corporate Governance


Privacy Law in Canada and Abroad


Notification Laws for a Privacy Breach

– The US has led the way in implementing breach notification laws, mandating that organisations inform those individuals potentially affected by such a breach (notification laws now in place in 40 states and counting)
– Many jurisdictions such as the European Union and Australia have tabled Bills or passed Acts legislating mandatory data breach disclosure
– Other jurisdictions such as Canada and Japan have instituted voluntary guidelines. In Canada, the federal government released a proposed model in June 2008 to impose mandatory notification


Privacy Legislation in General

– Depending on the jurisdiction in which a privacy breach occurs, there could be any number of requirements that should be met and/or must be met
– Even if an Insured is only domiciled in Canada, they are subject to the privacy legislation, jurisprudence and remedies elsewhere if a plaintiff’s private information is breached in another jurisdiction
– Every jurisdiction has its own approach to the standard of care and obligations to report when private information in your care, custody or control may have been or actually has been breached


Privacy Legislation - Canadian Perspective

FEDERAL LEGISLATION
– Personal Information Protection and Electronic Documents Act (PIPEDA)
– Privacy Act – applies to government institutions

PROVINCIAL LEGISLATION
– BC: Personal Information Protection Act (PIPA)
– Alberta: Personal Information Protection Act (PIPA)
– Quebec: An Act Respecting the Protection of Personal Information in the Private Sector (QPPIPS)
– Saskatchewan: Health Information Protection Act (HIPA)
– Manitoba: Personal Health Information Act (PHIA)
– Ontario: Personal Health Information Protection Act (PHIPA)
– Other Provinces / Territories rely on PIPEDA


Bill 54 - Alberta

– Alberta is leading the pack in obligations to notify customers of a breach of their privacy
– Bill 54, the Personal Information Protection Amendment Act, 2009, amends PIPA; it received Royal Assent on November 26, 2009 and was proclaimed into force effective May 1, 2010
– Requirement to notify the Privacy Commissioner (and individuals, where the Commissioner requires it) about security breaches that place personal information at risk, and to inform individuals when services involving personal information are occurring outside of Canada


Insurance Coverage


Exposures that Brokers need to explain to their clients

– Insured has a fiduciary duty to protect third party private information that they hold
  – Does the Insured hold, share, host or transmit client information?
  – Theft of personal identification information (including employee information)?
  – Breach of records that include private facts?
  – Unauthorized access of a customer’s proprietary information entrusted to the Insured?
– Obligations to notify third parties of a security breach and monitor their credit records to mitigate loss
– Cyber Threats, Extortion or Attacks against an Insured shutting down its Systems
– Content published on an Insured’s website or in e-mail
  – Defamation
  – Infringement of a third party’s intellectual property


Uncharted Territory

– Cyberspace knows no boundaries – exposures are ahead of legislation / people’s knowledge levels
– Insurance industry dilemma – how do we track losses that have an internet nexus?
  – If we aren’t discretely tracking how new media losses are being paid, how can we measure the exposure?
  – Actuarially significant loss analysis
– Cyber related losses – publicly reported damages
– Privacy Breaches – hard costs don’t tell the whole story
– New insurance products – months to create, weeks to be out of date
– Supply of cyber products (in one form or another) is ahead of buyer demand


So many coverages, so much confusion…

– Media and Internet Liability (content)
– Professional Liability (service)
– Electronics E&O Liability (software and hardware sold or licensed to others)
– D&O Liability (management)
– Employment Practices Liability (employment)
– Fiduciary Liability (pension plan administration)
– Crime (fidelity and fraud)
– General Liability (premises, products and completed operations, personal and advertising injury torts)
– Kidnap & Ransom (extortion payments)
– Cyber (liability and first party cyber activities)

Cyber Coverage

Kate Kristie

Cyber Liability – Features to look for

– A stand-alone liability policy with optional multiple first party expense coverages with individual sub-limits and retentions
– Intended for Insureds that do transactions over the internet and/or store confidential customer information on their Systems
– Flexibility to allow tailoring for individual clients
– Claims made
– Pay on behalf for liability coverage
– First party expenses paid as incurred


Cyber Liability Coverage

Mandatory Liability Coverage
– Insuring Clause (A) Cyber Liability – Covers the Insured’s liabilities for “Injury” via: Conduit, Content, Disclosure, Impaired Access; or Reputational Injury
– Does the coverage distinguish who causes the Injury?


Cyber Liability Triggers

– Conduit Injury (B2B / B2C – System)
  – Customers’ systems are affected by a Cyber-attack launched against the Insured’s System
  – Example: Suit arises from a System security failure that causes a virus to be transmitted from the Insured to a third party’s System
– Content Injury (B2B / B2C – IP Named Peril)
  – Violation of a third party’s intellectual property rights via the Insured’s System
  – Example: The Insured displays a logo on its website that violates someone else’s trademark


Cyber Liability Triggers

– Disclosure Injury (B2C – Privacy)
  – Individuals are affected by the unauthorized access of their private information held on the Insured’s System
  – Example: Individual customers’ credit card data is stolen from the Insured’s System by a hacker
  – Coverage enhancements available by Endorsement
– Impaired Access Injury (B2B / B2C – Transactional Named Peril)
  – Customers suffer damages because they can’t access the Insured’s System to conduct a transaction
  – Example: A disgruntled employee Exceeds Authorized Access and Customers can’t transact business with the Insured in a timely fashion, resulting in the Customer suffering a financial loss


Cyber Liability Triggers

– Reputational Injury (B2B / B2C – Disparagement Named Peril)
  – Third party is disparaged or has their privacy violated due to the Insured’s Cyber Activities
  – Example: An employee makes a comment in a company e-mail that libels a customer


Cyber Liability Coverage – Optional Additional Insuring Clauses

– Insuring Clause (B) Privacy Notification Expense
  – Triggered by a Disclosure or Reputational Injury
  – Reasonable and necessary cost of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record
    – Changing their account numbers, identity numbers and security codes
    – Providing them with credit monitoring or similar services to protect them against fraudulent use of their Record for a stipulated period of time
  – Sub-limited up to 25% of Insuring Clause (A), Separate Retention


Cyber Liability Coverage – Optional Additional Insuring Clauses

– Insuring Clause (C)(1) Crisis Management
  – Expenses incurred by the Insured to obtain independent advice from outside counsel, forensic investigators or public relations consultants, or the cost to conduct advertising or public relations activities
  – Sub-limited up to 25% of Insuring Clause (A), Separate Retention
– Insuring Clause (C)(2) Reward Expense
  – Monies paid to an Informant that lead to the arrest and conviction of persons who caused a loss
  – Up to a flat Sub-limit of $50K with a $1K Retention


Cyber Liability Coverage – Optional Additional Insuring Clauses

– Insuring Clause (D) E-Business Interruption Expense and Extra Expense
  – Pays Business Income and Extra Expense loss incurred during the Period of Recovery due to actual impairment or denial of Operations resulting from Fraudulent Access or Transmission
  – Limits can match Insuring Clause (A), subject to a 24 hour waiting period and Separate Retention
  – Period of Recovery – until Operations are restored or 60 days after the Insured’s Services are restored


Cyber Liability Coverage – Optional Additional Insuring Clauses

Insuring Clauses E and F are restricted to Financial Institution Insureds only
– Insuring Clause (E) E-Theft Loss
  – Loss resulting from an Insured having given credence to a transaction based on false Data introduced into the Insured’s System
  – Limits can match Insuring Clause (A), Separate Retention
– Insuring Clause (F) E-Communication Loss
  – Loss resulting from a third party having relied upon a fraudulent Communication purporting to be made by an Insured (phishing) and for which the Insured is legally liable
  – Limits can match Insuring Clause (A), Separate Retention
– May be covered under a Crime Policy for non-FI Insureds


Cyber Liability Coverage – Optional Additional Insuring Clauses

– Insuring Clause (G) E-Threat Expenses
  – Funds or property surrendered by an Insured, plus reasonable fees incurred to negotiate an extortion threat, and loss of any extortion payment en route
  – Limits can match Insuring Clause (A), Separate Retention
– Insuring Clause (H) E-Vandalism Expenses
  – Cost of blank media and labour to reproduce Data or replace Media following any alteration, damage, deletion or destruction of the Insured’s Data
  – Sub-limited to 5%–10% of Insuring Clause (A), Separate Retention
Could a single incident trigger all Insuring Clauses?


Target Classes of Business and Underwriting Requirements


Green Classes

– Advertising
– Agriculture
– Consulting Firms
– Construction
– Mid-Sized Entertainment
– Mid-Sized Hospitality
– Mid-Sized Financial Institutions
– Human Resources
– Manufacturing
– Media
– Professional Services Firms
– Publishing
– Mid-Sized Retail
– Transportation
– Non-Technology Products


Yellow Classes

– Energy
– Large Entertainment
– Large Hospitality
– Large Financial Institutions
– Pension Plans
– Not For Profit
– Unions
Yellow Classes will tend to spend less on IT security or will have an elevated importance in the operation of critical infrastructure


Red Classes

Tough Classes
– Educational Institutions
– Hospitals
– Healthcare Providers
– Large Retailers (>$100mln)
– Municipalities
– Payroll Processing
– Utilities
No Go
– 100% Virtual Business
– Credit Card Providers
– Data Aggregators
– Gaming
– ISPs, Portals, Social Networking websites
– Start-ups
– Technology (Refer to TIS)
Red Classes will have the greatest exposure to the likelihood of Cyber-attack. The records they keep and the damage caused by a privacy loss are particularly sensitive


What do Underwriters need to know?

– Insurable interest
– Content
– Risk Management and Loss Control
– Transactions / e-commerce exposures
– Peripherals
– Privacy Breaches
– Threats and Extortion
– E-business interruption
– Underwriting influencers


Underwriting Requirements

– All Insureds require an Application
– Risk Matrix or Supplemental Questionnaire needed for:
  – Red Class – Regardless of Limits sought
  – Green Class and Yellow Class – Limits >$5mln
  – Healthcare Accounts


Chubb’s Appetite

– Green Classes – Minimum premium of $5,000 for the first $1mln (Insuring Clauses A, B and C only) or $6,500 for all Insuring Clauses
– Minimum Deductible – $25,000
– Capacity – $10mln Aggregate for Primary or Excess
– Rated on Revenue (For Financial Institutions – AUM)
– Minimum premium for Yellow and Red Class business will be determined on a case-by-case basis
– Target Insureds: Both existing and new clients to Chubb. We can quote this as a stand-alone product or as part of a bundled approach if other lines are being considered too


Trends Influencing Buying Decisions

– Open the newspaper – every day there is an example of a breach of privacy or an emerging concern about privacy
– Exposure and Insureds’ awareness of it are increasing – it may vary depending on where a Customer’s privacy is breached
– Legislation is continually evolving – Bill 54, Amendments to PIPEDA
– Operations in the US or a revenue stream from US Sales
– The Insured’s clients are adding contractual requirements for coverage to be carried by their service providers
– Overcoming the objection of “do you have any idea how much I spend a year on IT Security – why would I spend money on this insurance too?”


Questions?

CyberSecurity by Chubb®