GSBA Risk Management Services


GSBA Risk Management Services GASBO Meeting

Cyber-Risk for School Districts November 7, 2013

Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

Your budgets are tight and will remain tight for the foreseeable future

Never had a claim involving a breach - at least you don’t think you have had one

Your IT folks assure you the District’s firewalls are sound and present no risk of penetration

I think we already have coverage somewhere else

New coverage being pushed by carriers but really no losses out there

I do not want to be the first one to buy the coverage

It is not on our radar screen – we will look at this next year

We have immunity from this type of loss

Agenda for Today

Why Cyber-Risk was developed and what does it protect

Your obligations under the law

Examine each reason why you should not buy Cyber Risk Coverage

Outline the GSBA RMF evolving solution

Answer any questions

Why was Cyber-Risk Developed?

To protect your electronic assets in the new Cyber-Risk Protection Technological Revolution

No different than protecting buildings and other assets, except that the exposure to a loss is growing faster than you are building buildings

Cyber-Risk Protection

Privacy & Computer Security Protection

Privacy & Data Breach

Coverage has many names in the industry but the basic risk is the same:

1. School district “mishandles” personal data, resulting in regulatory requirements to notify and monitor for some period of time the impact on those individuals affected by the “breach”; or

2. School district is hacked and the information is stolen, resulting in regulatory requirements to notify and monitor for some period of time the impact on those individuals affected by the “breach”, plus any potential liability resulting from the hackers stealing the data

What is Protected?

Personally Identifiable Information (PII): It is the combination of a person’s first name (or initial) and last name plus one or more of the following:

Social Security Number

Driver’s License Number

State ID Number

Account Number

Credit or Debit Card Number

Account Passwords or PINS or other access codes

Threats to a School District

Internal Threats:

Rogue employee who was fired and wants to “hurt” the School District

“Idealist” who wants to “change” the School District policies by disrupting normal operations

Accidental or careless staff who lose the data, either in paper format or electronically via a lost laptop

External Threats:

Outside vendor or business associate with access to School District data who steals personal data sources

Organized crime – both foreign and domestic

Hackers or “Hacktivists” who do it “to change the world”

Threats to a School District

Technology:

Viruses, SQL Injections, etc.

Structural vulnerability to your network

Employee use of Social Media / networking “opening the door” for hackers to enter your network

Remote teaching putting strain on the security of your internal network firewalls

Phishing

“Old School”:

Dumpster diving for discarded papers that are not shredded

Loss or theft of a laptop with personal data on it

Threats to a School District

Regulatory/Legal: 47 states now have breach notification laws

o Georgia is one of the 47 states; the Georgia Personal Identity Protection Act of 2007 applies to any entity, government or private, that has a breach and requires that it notify the people affected by the breach

Many breaches do not develop into identity theft, but the notification and tracking requirement is very expensive to the School District

School nurses have to be especially careful with HIPAA information

At the present time, it is unclear how immunity would apply if the District were sued by a third party injured by a breach

Georgia Personal Identity Protection Act of 2007 O.C.G.A. 10-1-910 through 10-1-912

Amended to include public universities and other state and local agencies

The unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality or integrity of PII.

Can also apply if compromised information is sufficient to perform or attempt identity theft

What would you do if….?

Labor employee inadvertently e-mails personal info of more than 4,000 customers

By Mike Morris

The Atlanta Journal-Constitution

State officials are scrambling to minimize the potential harm to more than 4,000 customers of the Georgia Department of Labor whose personal information was accidentally e-mailed to about 1,000 people. “A document containing confidential information, including names and social security numbers, for 4,457 customers of the Cobb-Cherokee Career Center has inadvertently been e-mailed to approximately 1,000 people, primarily in Cobb and Cherokee counties,” the Labor department told AM750 and 95.5FM News/Talk WSB in a statement. “The e-mail occurred because of an employee error.” The statement goes on to say that the department has notified recipients of the erroneous e-mail “and instructed them to immediately delete the file attached to the e-mail without opening it.” The department also said in the statement that it will provide free credit monitoring services to all of the people affected. Many of the customers contacted by WSB were upset by the erroneous e-mail, which also included ages, phone numbers and e-mails of those 4,457 people. ...

Friday September 6, 2013 Atlanta Journal-Constitution

Data Breach – More Recent Examples

Boston Public Schools, MA: August 2013

21,054 student files: ID numbers, name, age and a photo, sent families automated phone calls and letters

A vendor that makes student ID cards lost a stick drive with the records

San Juan Unified School District, CA: May 2011

4,000 employees and former employees notified by letter

Compromised personal information when employee inadvertently uploaded all the information from a stick drive to a church website

Paulding County Schools, GA

Phishing loss that was covered but entailed notification costs which were not covered

Cost of Breach

Ponemon Institute – 2013 Cost of a Data Breach Study

Studied breaches in 277 companies in nine countries over ten months in 2012

Average Cost per Record in US $188, second highest to Germany

Significantly lower per record for:

o Public Services: $81

o Education: $111

If you had 4,457 records released like the State of Georgia

On your own, based on the Education cost per record above, the cost is $494,727 (4,457 × $111)

Cost of insurance is a premium based on size of district but works out to about $1 for each current student in District
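As an added example that is not part of the presentation, the following Python script applies the PII definition given earlier (first name or initial plus last name, plus at least one listed identifier) to a spilled spreadsheet export, de-duplicates the individuals who would need notification, and costs the incident with the Education per-record figure quoted above; the CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io

# Identifier fields that, combined with a first name (or initial) and a last
# name, make a record PII under the definition quoted on this page.
PII_IDENTIFIER_FIELDS = (
    "ssn", "drivers_license", "state_id", "account_number",
    "card_number", "password_or_pin",
)

# Per-record breach cost figures quoted on this page (Ponemon 2013 study).
COST_PER_RECORD = {"us_average": 188, "public_services": 81, "education": 111}

def _field(row, name):
    """Return a stripped field value, treating a missing column or None as empty."""
    return (row.get(name) or "").strip()

def is_pii(row):
    """True when first name/initial + last name is paired with at least one identifier."""
    has_name = bool(_field(row, "first_name")) and bool(_field(row, "last_name"))
    has_identifier = any(_field(row, f) for f in PII_IDENTIFIER_FIELDS)
    return has_name and has_identifier

def triage_export(csv_text, sector="education"):
    """Scope a spilled CSV: PII rows, distinct individuals to notify, cost estimate."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pii_rows = [r for r in rows if is_pii(r)]
    # De-duplicate on normalised name + identifier values so a person who
    # appears twice in the export is notified (and costed) once.
    key_fields = ("first_name", "last_name") + PII_IDENTIFIER_FIELDS
    individuals = {tuple(_field(r, f).lower() for f in key_fields) for r in pii_rows}
    notified = len(individuals)
    return {
        "rows": len(rows),
        "pii_rows": len(pii_rows),
        "notified_individuals": notified,
        "estimated_cost_usd": notified * COST_PER_RECORD[sector],
    }

# Constructed sample export with fictitious values, mimicking a mis-sent attachment.
SAMPLE_CSV = """first_name,last_name,ssn,drivers_license,account_number,phone
Jane,Doe,123-45-6789,,,555-0100
J,Smith,,GA1234567,,
Bob,Jones,,,,555-0102
,Lee,987-65-4321,,,
Ann,Park,,,4111222233334444,
Jane,Doe,123-45-6789,,,555-0100
"""
```

Rows with a name but no identifier, or an identifier but no full name, are excluded, matching the definition; the State of Georgia incident figure reproduces as 4,457 × $111 = $494,727.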

Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

Your budgets are tight and will remain tight for the foreseeable future

They are tight and it will cost more money, but as you will see shortly it is very affordable – approximately one loss every 15 years pays back the premium

Will cover not only current PII records (students, employees, & applicants) but will also cover historical records retained by the District

Never had a claim involving a breach - at least you don’t think you have had one

Not a liability issue as much as an internal cost issue if you have a breach and need to comply with the law

You are buying the expertise on how to handle a breach, unlike the State of Georgia case

Your IT folks assure you the District’s firewalls are sound and present no risk of penetration

Not an IT / Firewall issue – it is a mishandling issue

Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

I think we already have coverage somewhere else

Excluded under the GSBA RMF Coverage Agreement and ISO policy forms

The intent is not to provide the coverage, but the forms are silent on some of the liability exposures

Will be absolutely excluded as of 7/1/2014

New coverage being pushed by carriers but really no losses out there

We’ve shown you some examples of actual losses

Beazley has 2,500 policies and is expecting 800 breaches this year alone

Losses are few and far between, but when they happen they could be very large and confusing for the District involved

Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

I do not want to be the first one to buy the coverage

You are not – there are already 12-13 districts buying from the GSBA RMF solution

It is not on our radar screen – we will look at this next year

Perfectly acceptable to prepare and budget for it

Be aware that full clarifying exclusions go into effect on July 1, 2014

The current proposals provided to all GSBA RMF members are effective till 12/31/2013, and then new members will be re-evaluated as of July 1, 2014

We have immunity from this type of loss

From a liability standpoint – probably, but from a first party notification standpoint you must comply with the law

The GSBA Solution

Conservative approach, but one based in making sure School Districts in Georgia have a competitive, broad coverage option to address this growing exposure

RMF has worked with Beazley, a prominent carrier in the Cyber Insurance space, to initially offer a group purchased option for each School District in RMF

Over the next couple of years, RMF will assume some of the risk via the pool to make sure pricing remains stable and any underwriting profits accrue to the benefit of School Districts

Beazley will issue policies and has the infrastructure to guide a Member through any type of breach and how to help reduce the exposure of a breach

The GSBA Solution

The goal is to adopt the Beazley form into the RMF coverage document as of July 1st, 2014 so that we have an affirmative grant of coverage in the coverage document

For July 1st, 2013, coverage purchased will be on a stand-alone basis with a policy issued from Beazley

Quotes were provided in late June to all RMF Members

Quotes are open to bind through 12/31/2013 on a pro-rata basis

Even once the form is adopted into the RMF coverage document, and RMF assumes a layer of risk like it does now on the property and liability coverage lines, Beazley will provide the specialty claims and risk control services to the Members

The GSBA Solution

There are six coverage parts in the policy that has been negotiated with Beazley

In keeping with the pool approach, there is some sharing of limits amongst all the Members in exchange for more competitive pricing for each Member

Overview of Program Structure:

Coverage Part 1.A. – Information Security and Privacy Liability

o Liability to a third party as a result of a failure of your network security to protect against identified threats

o Liability to a third party as a result of the disclosure of confidential information

The GSBA Solution

Overview of Program Structure:

Coverage Part 1.B. – Privacy Breach Response Services

o Crisis Management and Identity Theft response services and expense coverage in order to comply with regulatory compliance issues

o This also includes the expense for retaining a crisis management firm to perform a forensic investigation to protect or restore the School District’s reputation as a result of a breach of privacy event

o Based on the number of individuals to notify and not a limit of liability

Coverage Part 1.C. – Regulatory Defense and Penalties

o Fines and penalties associated with School District’s violation of a Privacy Law related to an insured breach

Coverage Part 1.D. – Website Media Content Liability

o Expansion for Cyber exposures of the coverage provided for under Personal Injury and School Leaders Liability coverage but without some of the electronic means limitations

The GSBA Solution

Overview of Program Structure:

Coverage Part 1.E. – Crisis Management and Public Relations

o To pay for the Public Relations and Crisis Management expenses associated with the costs to manage a breach that gets into the public eye via newspaper, radio, television in order to re-build the School District’s reputation or to avoid undue damage in the reporting of the breach event

Coverage Part 1.F. – PCI Fines and Costs

o Coverage for direct monetary fines and penalties owed by the School District under the terms of a Merchant Services Agreement, where the alleged breach resulted from non-compliance with the published PCI Data Security Standards

The GSBA Solution

Limits of Liability to Members:

Any one claim limit combined from all sections except Privacy Breach Response Services is $1,000,000

o Subject to no more than $500,000 from Regulatory Defense and Penalties and $50,000 each from Crisis Management and PCI Fines and Costs

o The overall RMF fund aggregate limits for all Members from all coverage lines except Privacy Breach Response Services are 10 times each of these limits ($10,000,000, $5,000,000, and $500,000 respectively)

For Privacy Breach Response Services, there is no limit of liability as the coverage is based on the number of Notified Individuals

o The RMF fund has an aggregate of 500,000 Notified Individuals, subject to sub-limits for the legal and forensic expense coverage part, which is limited to 250,000, and the foreign Notified Individuals extension, which is limited to 50,000

o Overall RMF fund aggregate limits are again 10 times

The GSBA Solution

Retention / Deductibles for Members:

Any one claim retention combined from all sections except Privacy Breach Response Services is $25,000

For Privacy Breach Response Services, the retention is broken into two parts:

o All costs and services under the legal and forensic services, combined with the notification costs, would be $10,000 combined, subject to a sub-retention of no more than $5,000 of legal expense exposure

o Under the Call Center Services and Credit Monitoring Program, the retention of any expenses is limited based on the size of the district:

Small Members, which are less than 1,000 FTE’s, would be responsible for any breaches involving less than 25 individuals

Medium Members, which are more than 1,000 FTE’s but less than 10,000 FTE’s, would be responsible for any breaches involving less than 50 individuals

Large Members, which are those Members with more than 10,000 FTE’s, would be responsible for any breaches involving less than 100 individuals

The GSBA Solution

Premium Brackets

Premium is based on FTE (current student and staff combined)

Includes coverage for alumni records even though alumni count is not included in the FTE for premium determination

Here are the proposed pricing ranges based on Student Enrollment:

Student Enrollment    Premium Range          Count
30,000 plus           $29,638 to $31,453     0
20,000 to 29,999      $24,432 to $28,227     0
10,000 to 19,999      $13,903 to $21,683     0
5,000 to 9,999        $7,111 to $11,504      2
2,500 to 4,999        $4,392 to $6,658       3
1,000 to 2,499        $1,942 to $4,005       4
999 or less           $500 to $1,628         3

GWP To-Date: $45,467

Conclusion

The exposure is here to stay

Computers and mobile devices that store personal information about your employees and your students are an integral part of your District

Accidental loss of, or criminal appropriation of, that personal information will continue to happen whether you have good firewall protection or not

Attacks are getting more frequent and more sophisticated

Accidents are getting more frequent as we ask staff to do more in a day than ever before

GSBA RMF and Beazley offer you broad coverage at a reasonable premium and a team ready to respond when necessary