

Cyber Review, April 2015

Data Breach Incidents – A Risk Mitigation Snapshot: 2014 into 2015

Contributing Authors: Jessica Flinn, James Sheehan, William J. McDonough

If not already on the enterprise risk radar screen, cyber risks are quickly becoming a central issue for the C-suite and board members in a variety of industries. Today, mitigating cyber risk is a concern for a wide range of organizations. The scale and impact of breach incidents, coupled with the vulnerability of various organizations to such attacks, threaten businesses across all sectors. As cyber threats evolve, the network security and privacy liability insurance market tries to keep pace. Here, we will briefly consider how issues encountered in 2014 may influence market realities in 2015. For discussion purposes, we will treat data breaches as incidents in which an individual's social security number, driver's license number, medical record or financial record (e.g., account number, debit or credit card number) has been acquired either unlawfully or without authorization.

The Frequency and Severity of Breaches

Unfortunately, 2014 was a year in which U.S. data breaches reached record levels. It was also the year in which the number of U.S. data breach incidents surpassed 5,000, with more than an estimated 675 million records implicated.[1] It is also important to note that many data breach incidents go unreported, as organizations do not want to incur the expense of notifying affected individuals or suffer the reputational harm resulting from a release or breach.[2] On an industry basis, healthcare again topped the Identity Theft Resource Center's 2014 Breach List with 42.5 percent of the breaches identified in 2014. The general business sector ranked second with 33.0 percent of the data breach incidents, followed by the Government/Military sector at 11.7 percent, the Education sector at 7.3 percent and Banking/Credit/Financial at 5.5 percent.[3] Among the larger breaches: Sony had 47,000 records stolen; J.P. Morgan had 83 million records stolen (affecting 76 million households and 7 million small businesses); Home Depot had 100 million records stolen (implicating 56 million credit cards and 53 million email addresses); and the eBay breach is estimated to involve the email addresses, physical addresses and login credentials of up to 145 million users.[4]

[1] Identity Theft Resource Center (2015, January 12). Identity Theft Resource Center Breach Report Hits Record High in 2014. Retrieved February 16, 2015, from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
[2] Ibid., 1.
[3] Ibid., 2.
[4] Collins, K. (2014, December 12). A Quick Guide to the Worst Corporate Hack Attacks of 2014. Retrieved January 21, 2015, from http://www.bloomberg.com/graphics/2014-data-breaches/


According to Ponemon Institute's "2014 Cost of Data Breach Study: Global Analysis," U.S. companies rank first in cost per compromised record, at $201 per record (Figure 1), and have the largest number of exposed records per breach (Figure 2). The news for U.S. companies deteriorates further: the report detailed that the average total cost of a data breach increased 15% and the average per-record cost increased more than 9%.[5] The retail and healthcare sectors saw the largest increases in compromised systems, at 5% and 4%, respectively.[6]

Figure 1. The average per capita cost of data breach over two years (measured in US$)

[5] Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
[6] FireEye. (2015, January 1). Maginot Revisited: More Real-World Results from Real-World Tests. Retrieved January 21, 2015, from https://www2.fireeye.com/rs/fireye/images/rpt-maginot-revisited.pdf


Figure 2. The average number of breached records by country. Shown are the numbers of exposed or compromised records for organizations in the ten countries represented in the research. Organizations in the U.S., the Arabian region and India had the largest average number of records lost or stolen.

The Cost of Compromised Security to U.S. Companies

It is clear that the frequency and severity of data breach incidents caused U.S. companies considerable consternation in 2014 (see Figure 3 – 2014 Cyber Fast Facts). Of additional concern is the regulatory framework that allows multiple agencies to assess fines and penalties when data has been released. Increased participation by regulatory agencies necessarily results in increased costs attributed to a release. The Federal Communications Commission's (FCC) entry into the arena illustrates how a regulator's involvement can significantly increase the total cost of a release. Recently, the FCC proposed fines of $10 million against two companies for alleged data security breaches. The Office for Civil Rights (OCR) issued seven resolution agreements in 2014 as a result of HIPAA-related privacy issues, with fines ranging between $150,000 and $4.8 million. Such fines are in addition to those often levied by state attorneys general.


Figure 3. 2014 Cyber Fast Facts

New Tactics: It's Not All About Data Anymore

No longer are cyber intrusions limited to searches for personally identifiable information (PII) and protected health information (PHI). Several hacking incidents in 2014 demonstrated how incursions into a company's network can have direct repercussions on the operations of an organization, with worldwide implications. Take, for instance, the attack on Sony. Aside from stealing Sony's data, the hackers took actions that rendered the company's entire computer network and landline phones unusable. In a separate cyber intrusion, hackers gained access to a German iron plant's blast furnace and disrupted the plant's production capabilities. These incidents go beyond cyber extortion and illustrate how intrusions into a company's computer network can result in more than the soft expense associated with notification, data re-creation, remediation, etc. Hackers have now realized their ability to disrupt a business's delivery of its core services. This disruption has real-world, tangible consequences and manifests itself in loss of business and future opportunities.[7]

Card Issuers as Victims

In 2014 we witnessed the emergence of a new plaintiff class: credit and debit card issuers, who incur considerable expense in issuing replacement cards and refunding monies to customers as a result of a data breach. Take, for example, the Target case, in which the card issuers survived dismissal of their claims for out-of-pocket costs. Essentially, the court found that the card issuers furnished a plausible argument that Target was responsible for damages (i.e., the expense associated with the issuance of replacement cards) caused by the hackers' intrusion into Target's network. The court's finding was somewhat novel in that there was no contractual relationship between Target and the card issuers. Allegations of negligence, it seems, may carry the day for banks and card issuers looking to recoup their costs from businesses that suffered an attack.

[7] King, R. (2014, December 18). Cyberattack on German Iron Plant Causes 'Widespread Damage'. Retrieved January 21, 2015, from http://blogs.wsj.com/digits/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/?mod=ST1

Plaintiffs' Bar Moving the Ball

The Target breach has also led to inroads for consumer plaintiffs' pursuit of class action status. Previously, the plaintiffs' bar had difficulty surviving motions to dismiss due to an inability to satisfy the damages element of a negligence claim. Causes of action sounding in negligence require plaintiffs to allege actual or imminent injury. To date, the plaintiffs' bar has been unable to show that parties affected by a release of data have, on that basis alone, suffered damages or are at imminent risk of injury. However, the court in the Target case appears more receptive to this type of class action litigation at the motion-to-dismiss stage. Specifically, the court refused an individualized assessment of standing, instead concluding that the requirement was met because some plaintiffs alleged injuries of "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees."[8] This may significantly increase defense costs in the pre-class-certification stage, as additional resources will be deployed in the discovery phase. The Target court is not alone in moving the plaintiffs' bar closer to class certification. A recent California federal district court found that plaintiffs have standing to sue based on an increased risk of future harm due to the alleged release of their personally identifiable information. It should be noted that this ruling is contrary to the more accepted line of reasoning, which holds that an increased risk of identity theft does not satisfy the concrete or imminent injury requirement for standing.

What Lies Ahead

The era of the data breach is upon us and it is unlikely to recede. A new global standard for credit card security, commonly referred to as "chip and PIN" technology, may help insulate consumers from credit card fraud; however, hackers have turned their sights to the more lucrative fraud of identity theft. The misappropriation of an individual's identity, through the procurement of personally identifiable information or protected health information, allows the hacker to command a significantly higher per-record payment than credit card data alone.

Personal Data Notification & Protection Act

President Obama has proposed new legislation that would create a single country-wide data breach notification standard. The Act, as proposed, "clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard."[9] If passed, this Act will replace the current patchwork of notification requirements implemented by various governmental agencies and the individual states.

[8] In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (PAM/JJK) (D. Minn. Dec. 18, 2014).
[9] FACT SHEET: Safeguarding American Consumers & Families. (2015, January 12). Retrieved January 21, 2015, from http://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families


The Healthcare Industry Will Likely Retain First Place

It comes as no surprise that the healthcare industry will remain squarely in hackers' sights. The personal information contained in health records enables hackers to perpetrate a multitude of follow-up attacks and various types of fraud, including financial exploitation and identity fraud. The FBI has warned the healthcare industry that its attempts at cyber security remain woefully insufficient.[10] As noted, in 2014 healthcare organizations accounted for about 42 percent of all major data breaches reported, according to the Identity Theft Resource Center.[11] A Ponemon study estimates that the potential cost of healthcare industry breaches will reach $5.6 billion annually.[12] Not surprisingly, healthcare breaches are expected to increase as the industry continues its move towards electronic medical records and growing usage of mobile and wearable technologies (Figure 4).

Figure 4. Preparing for the Risks of Mobile and Wearable Technology[13]

[10] Weisman, S. (2014, December 20). Cyber predictions for 2015. Retrieved January 21, 2015, from http://www.usatoday.com/story/money/personalfinance/2014/12/20/cyber-hack-data-breach/20601043/
[11] 2014 Was Landmark Year for Health Data Breaches. (n.d.). Retrieved December 26, 2014, from http://www.healthdatamanagement.com/news/2014-Landmark-Year-for-Health-Data-Breaches-49505-1.html
[12] Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
[13] The Global State of Information Security Survey, 2015.

Figure 4 data: Mobile Technology Risk Prevention Initiatives – All Industries (percent of all respondents). The initiative labels and the values below were recovered from the chart in the order they appeared, and are paired in that order.

Mobile security strategy: 53.96
Mobile device management software: 46.94
Ban of user-owned devices: 35.13
Corporate email and calendar …: 38.89
Strong device authentication: 39.07
Device encryption: 39.72
Use of geo-location, geo-fencing …: 22.64
Internal app store: 24.47


Corporate IP and Trade Secrets Are Valuable

The Sony hack sent shivers through every R&D department in the digital universe. Hackers not only exposed personal information and embarrassing internal communications, but also Sony's valuable intellectual property in the form of scripts, profits and budget projections. The intellectual property and trade secrets cultivated by companies appear to be fair game for hackers interested in extortion.[14]

Figure 5 – How Breaches Occur[15]

Cause of breach (percent of incidents):
Misconfigured system: 42%
End user error: 31%
Undetermined: 15%
Vulnerable code: 6%
Targeted attack: 6%

Note: Although preventable errors are often to blame for security incidents, it was impossible to identify the culprit in nearly 20 percent of the cases reviewed in the IBM Annual Report.

Policy Implications

The marketplace for cyber security and privacy liability insurance remains in its infancy and is struggling towards maturation. The standardization of coverage terms and claims handling is a distant dream. Policy terms and conditions differ from form to form, and market developments routinely result in mid-term revisions. Typically, policies contain a number of insuring clauses that speak to coverage for breach response costs and claims resulting from a cyber event. The forms may also provide coverage for extortion, network damage, public relations and crisis management, website media content and regulatory investigation costs arising out of a cyber event, as well as business interruption losses. Although these ancillary coverages are provided, the sub-limits placed on them likely leave many companies substantially exposed. Regulatory sub-limits placed on policies create a lack of meaningful coverage for many insureds, particularly in the financial services and healthcare industries. With more regulators taking interest in cyber issues and data breaches implicating multiple states' statutes, it is anticipated that regulatory fines will continue to expand. This will likely require insureds to pay a portion of regulatory fines out of pocket, particularly if more than one breach occurs in any given policy period. In other instances the cyber policy may not provide coverage at all. For example, as evidenced by the attacks on Sony and J.P. Morgan, companies are vulnerable to hacking by nation states, criminal organizations or terrorists. Many cyber policies have specific exclusions for acts of terrorism or acts of a nation state. Insureds will need to keep a careful eye on the breadth of any such exclusion in their cyber policies. Additionally, physical damage sustained by an insured as a result of a cyber-attack will likely be precluded from coverage. Property insurers have been making it increasingly clear that they do not intend to provide insurance for anything in the cyber realm. At this time, cyber insurance carriers have not shown an inclination to expand coverage for this type of exposure. However, to ensure robust coverage, the insurance market will need to adapt and create insuring clauses specifically geared towards addressing physical damage resulting from a cyber incident. Loss associated with an insured's own intellectual property creates another vacuum in coverage. Today's cyber policies may provide coverage for the intellectual property of others, but do not extend to first-party coverage of the insured's own intellectual property. For instance, the loss Sony experienced relating to stolen screenplays and other valuable internal intellectual property would not be covered under the typical cyber policy. Perhaps, with time, cyber insurers can be convinced to add such coverage.

[14] Troutman Sanders LLP. (2014, December 19). 5 Reasons Sony Pictures Will Be a Cybersecurity Inflection Point. Retrieved January 21, 2015, from http://www.informationintersection.com/2014/12/5-reasons-sony-pictures-will-be-a-cybersecurity-inflection-point/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-
[15] IBM Security Services Cyber Security Intelligence Index Report, 2014.

Concluding Thoughts

The cyber insurance market is in a constant state of flux. Carriers have been altering their policies to include loss prevention and risk mitigation tools, from breach response teams to risk analytics. As cyber incidents increase in frequency and severity, and evolve to keep pace with technological advances, the insurance industry will need to create new forms of cyber coverage to meet the needs of its clients. As we wait for the market to catch up, your insurance broker may be able to help with other suggestions to increase the breadth of coverage, for example by minimizing any state actor, contractual liability or bodily injury exclusions, expanding the definition of "computer network" and backdating the prior acts date as far as possible. Companies can also use collaboration to protect themselves. Information sharing platforms such as the Information Sharing and Analysis Centers (ISACs), industry associations, and government agencies are valuable risk-awareness tools. Sharing information should help companies improve their incident response through trusted collaboration, analysis and coordination, and should drive decision-making by policy makers on cybersecurity, incident response, and risk mitigation and financing for breaches.


About the Authors

Jessica Flinn is a vice president within Integro's Management Risk practice. She provides professional lines claims advocacy services, including detailed coverage analysis, contract interpretation, consultation and negotiation. She specializes in employment practices, directors & officers and errors & omissions coverages.

James Sheehan is a principal of Integro Insurance Brokers, resident in the firm's Boston office. An executive liability and professional liability insurance broker by background, he specializes in the placement of executive liability programs for healthcare organizations and private equity firms.

William McDonough is a managing principal within Integro's Healthcare practice. Bill counsels clients across America on healthcare alternative risk financing vehicles, captive best practices, and loss prevention. He speaks and writes regularly on patient safety, reporting systems, and strategic planning, among other topics, and is a Fellow with the American Society for Healthcare Risk Management (ASHRM).

About Integro

Integro is an insurance brokerage and risk management firm. Clients credit Integro's superior technical abilities and creative, collaborative work style for securing superior program results and pricing. The firm's acknowledged capabilities in brokerage, risk analytics and claims are rewriting industry standards for service and quality. Launched in 2005, Integro and its family of specialty insurance and reinsurance companies, some having served clients for more than 150 years, operate from offices in the United States, Canada, Bermuda and the United Kingdom. Its U.S. headquarters office is located at 1 State Street Plaza, 9th Floor, New York, NY 10004. 877.688.8701. www.integrogroup.com

© Integro Ltd. 2015