Managing Cyber Risks
Threats, Risk Management & Insurance Principles
Brian J. Courtney, RPLU, AAI
The Safegard Group, Inc.
100 Granite Drive, Suite 205
Media, PA 19063
Legal Disclaimer
This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued.
The precise coverage afforded is subject to the terms and conditions of the policies as issued.
Brian J. Courtney, RPLU, AAI
Brian Courtney joined The Safegard Group, Inc. in April 2005 and serves as a Producer and the Healthcare Practice Leader for the company. He is primarily responsible for the direction of client services to the healthcare industry. Brian began his career at the height of the medical malpractice crisis. Working with a large regional insurance broker, Brian served with the healthcare practice leader helping hospital systems and physician groups obtain medical malpractice coverage. Prior to joining The Safegard Group, Brian worked at a large national insurance brokerage firm where he gained considerable experience in healthcare risk management serving the needs of large physician groups, long-term care facilities, home healthcare providers, and allied health professional organizations. Brian has completed the Registered Professional Liability Underwriter (RPLU) program, which was developed by the Professional Liability Underwriting Society as a specialized curriculum completely dedicated to professional liability risk management. Professionals who wish to obtain the RPLU designation are required to complete a rigorous 13-course curriculum consisting of eight core courses and five specialization courses. Brian chose to specialize in the following areas:
• Advanced Healthcare Professional Liability
• Cyber Risk
• Employment Practices Liability
• Directors & Officers Liability
• Crime
As the designation suggests, RPLU professionals are recognized as having the highest level of professional liability expertise to help their clients manage their risk and protect their assets. Currently, Brian is helping many of his clients with Cyber Risk Management initiatives, such as Risk Assessments, Data Breach Incident Response Planning, Contractual Risk Transfer, Insurance Protection and a host of other related services. Brian lives in Downingtown, Pennsylvania with his wife Erin and three kids, Aidan, Carter & Chase.
He is active in the community volunteering his time with the Lionville Youth Soccer Association and Brandywine Health Foundation. He is also an avid fitness/thrill seeker recently competing in the Spartan Races, which was voted the 2012 Best Obstacle Course Race by Outside magazine.
Brian Courtney
Expert in Risk Management and Loss Prevention???
Big believer that you should avoid risk
AT ALL COSTS
True or False
Large corporations are typically the targets for hackers
FALSE
A joint study by the U.S. Secret Service and Verizon Communications’ forensics analysis unit paints a frightening picture: 482 of the 761 data breaches the unit investigated in 2010 (63%) occurred at companies with 100 or fewer employees.
73% of small-to-medium-sized companies experienced a cyber attack in 2010, and 30% of those attacks were extremely effective, according to Symantec, a security software developer.
True or False
Small businesses (fewer than 100 employees) are required to abide by data breach laws
TRUE
From the Federal Trade Commission website:
For many companies, collecting sensitive consumer and employee information is an essential part of doing business. It’s your legal responsibility to take steps to properly secure or dispose of it. Financial data, personal information from kids, and material derived from credit reports may raise additional compliance considerations. In addition, you may have legal responsibilities to victims of identity theft, regardless of the size of your company or your line of work.
True or False
Certain industries have to worry about Cyber Security risks
FALSE
While I would agree that certain industries are more at risk than others, every industry holds sensitive data in some form or another. Also there is more to Cyber risk than just a data breach. Therefore, all industries have Cyber Security risks.
What Are Cyber Risks?
• Violation of privacy policies
• Transmission of viruses to other systems
• Programming errors
• Theft, corruption, or destruction of data or computer systems
• Hacking
• Abuse of access to networks by employees
• Copyright or trademark infringement
• Denial of Service attacks
Source: Professional Liability Underwriting Society, www.plusweb.org
What Activities Create Cyber Risk?
• Data storage on networks
• Credit card processing
• Online payment processing (other than CCs)
• Internet connectivity
• E-commerce
• Business websites and Internet advertising
• Customer forums and support (help) message boards
• Internet Service Providers
• Website Design
• Development of hardware and software
• Providing content or media
• Consulting
• Providing technical services, equipment and support
Source: Professional Liability Underwriting Society, www.plusweb.org
Who Regulates the Cyber World?
• Federal Trade Commission (FTC)
• Federal Bureau of Investigation (FBI)
• Fair and Accurate Credit Transaction Act (FACTA)
• Gramm-Leach-Bliley Financial Services Modernization Act
• Health Insurance Portability & Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Sarbanes-Oxley Act (SOX)
• State Privacy Breach Legislation
Source: Professional Liability Underwriting Society, www.plusweb.org
Cyber Laws
• Copyright Law – Digital Millennium Copyright Act
• Trademark Law – Lanham Act
• Defamation
• Privacy – HIPAA/HITECH, GLBA, State Laws
Source: Professional Liability Underwriting Society, www.plusweb.org
The Risks Today
Privacy Risk
Websites
IP Infringement & Libel
Cyber Exposures – First Party Risks
• Data Storage
• Business Interruptions
• Fraud & Theft
• Extortion
• Crisis Management
Source: Professional Liability Underwriting Society, www.plusweb.org
Cyber Exposures – Third Party Risks
Intellectual Property
• Copyright
• Trademarks
• Trade secrets
• Patents
Privacy & Customer Data
• Security Breaches
• Liability
• Phishing & Pharming
Professional E&O
• Internet provider
• App. service provider
• Web hosting
• Network equipment
• Programmers
• Website Designers
• Data warehouses
• Consultants
Source: Professional Liability Underwriting Society, www.plusweb.org
Personal Identifiable Information (PII)
Definition: As used in information security, PII refers to information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
First or last name in combination with:
– Social Security number
– Driver’s license number
– Financial account number
– Credit, debit, or payment card
Protected Health Information (PHI)
As defined by HIPAA:
“any information, whether oral or recorded in any form or medium” that
• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, and
• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
What Is a Data Breach?
Unauthorized access to protected information
– Hacking
– Rogue Employees
– Negligence
– Rogue Vendors
The Value of Stolen Data
Source: Symantec Corporation, “Report on the Underground Economy, July ’07 – June ’08”
Data Breach Example
Date Made Public: February 12, 2011
Name (Location): Cincinnati Children’s Hospital
Number of Records: 60,000
Type of Breach: Mobile Device
An employee’s newly-issued, unencrypted laptop was stolen out of a car. Although the covered entity had a policy of encrypting its computers, an investigation revealed that new computers are not encrypted before they are given to employees. The laptop contained the protected health information (PHI) of approximately 60,000 individuals. The PHI stored on the laptop included names, medical record numbers, and services received at the covered entity. Following the breach, the covered entity notified its clients by letter of the incident, placed notice on various websites and in The Cincinnati Enquirer, and established a new internal procedure whereby all new computers would be encrypted before they are given to employees.
Source: Department of Health & Human Services, www.HHS.gov
Data Breach Cost Calculation
Forensic Investigation: $32,200
Security Remediation: $112,200
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $160,998
Customer Notification: $60,998
Call Center: $4,575
Credit Monitoring: $152,500
ID Fraud Remediation: $60,998
Public Relations Service: $20,000
HHS Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $76,248
TOTAL: $1,940,712
Source: eRiskHUB, www.eriskhub.com
Another Data Breach Example
Date Made Public: May 16, 2008
Name (Location): Chester County School District
Number of Records: 55,000
Type of Breach: Stationary Device
A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people was accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org
Data Breach Cost Calculation
Forensic Investigation: $75,000
Security Remediation: $155,000
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $0
Customer Notification: $55,000
Call Center: $4,125
Credit Monitoring: $137,500
ID Fraud Remediation: $55,000
Public Relations Service: $20,000
FTC Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $0
TOTAL: $1,761,625
Source: eRiskHUB, www.eriskhub.com
One More – Manufacturing???
Date Made Public: February 13, 2012
Name (Location): Combined Systems
Number of Records: Unknown
Type of Breach: Hacking
A hacker or hackers accessed the Combined Systems website and shut it down. The hackers claim to have struck in honor of the anniversary of the February 14, 2011 Bahrain uprising and to have wiped out the company's web servers. Administrator logins, customer data, and emails were posted online.
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org
2011 Data Breaches by Industry
Financial Services: 8%
Retail: 15%
Education: 11%
Government: 14%
Medical: 34%
Non-Profit: 3%
Other: 16%
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org
2011 Data Breaches by Type
Unintended Disclosure: 14%
Hacking or Malware: 24%
Payment Card Fraud: 2%
Insider: 16%
Physical Loss: 14%
Portable Device: 20%
Stationary Device: 9%
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org
State Statutes
Currently, 47 other states have enacted some type of security breach notification legislation, including:
Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Maine, Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, Washington and Wyoming.
Some states have laws that require breaches to be reported to a centralized database, including:
Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).
Other states have some level of breach notification that has been made publicly available, primarily through Freedom of Information requests, including:
California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. For details, see the Open Security Foundation Datalossdb website: www.datalossdb.org
Massachusetts General Law 93H
“Every person that owns, licenses, stores or maintains personal information about a resident of the commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.”
Massachusetts – Effective March 1, 2010
• Requires encryption of confidential data when it is on a mobile device
• Includes additional, robust security requirements for holders of personal information of Massachusetts residents
Pennsylvania State Law 73 P.S. § 2303
Notification of a Breach
(a) General rule. – An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and un-redacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Except as provided in section 4 [FN1] or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.
(b) Encrypted information. – An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
(c) Vendor notification. – A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.
Pennsylvania State Law 73 P.S. § 2305
Notification of Consumer Reporting Agencies
When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the timing, distribution and number of notices.
Delaware Law § 12B-102
Notification of a Breach
(a) An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information about a resident of Delaware shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Delaware resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
(b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Delaware resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.
(c) Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.
Delaware Law § 12B-103
Compliance Procedures
(a) Under this chapter, an individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system.
(b) Under this chapter, an individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs.
The “Perfect Storm”
First Party
Loss of Private Data
• Notification Costs
• Publicity Costs
• Crisis Management Expenses
Business Continuity Expense
• Extra Expenses to continue operations
• Business Income loss
Cyber Extortion
• Ransom Payment
• Other Expenses
Third Party
Client Suits – Privacy
• Suits from clients alleging negligence in protecting information and other causes of action
Client Suits – Denial of Service
• Suits from clients alleging negligence in protecting the network against denial of service
Breach Related Expenses
Notification
• Crafting letter or other notification
• Printing or design
• Mailing or other transmission
Public Relations
• Advertising & Press Releases
Call Center Operations
Other Services for Affected Persons
• Credit Monitoring
Forensics
• Legal Expenses for Outside Attorney
• Cost of Forensic Examination
• Cost To Remediate Discovered Vulnerabilities
Legal Response to Claims or Suits
• Payment of Judgments or Settlements
Trends in Data Breach Costs
From a U.S.-based study of 49 companies in 14 different industries; the number of breached records per incident ranged from 4,500 to 98,000.
• The organizational cost has declined from $7.2M to $5.5M
• Cost per record has declined from $214 to $194
• Lost business due to a breach averages $3.01M
• Detection and escalation costs declined from $460K to $433K
• Cost to notify victims increased from $510K to $560K
• First timers on average spent $37 more per record; too-quick/non-planners on average spent $33 more per record
• A CISO can reduce cost per record by $80; an outside consultant can reduce cost per record by $41
Source: 2011 Ponemon Institute Benchmark Study
Cyber Risk Insurance Policies
Traditional Insurance Coverage?
ISO Commercial Property? – The Electronic Data Extension only addresses loss or damage to data which has been destroyed or corrupted by a covered cause of loss.
Commercial Crime Form? – No coverage due to the Definition of “Other Property” and the Exclusion of “Indirect Loss”.
General Liability Policy? – Addresses only physical injury to persons or tangible property, as well as the Insured’s publication of material that violates a person’s right to privacy.
Professional Liability Policy? – May be limited by the description of “Professional Services” or by Exclusions for “Invasion of Privacy”.
Common First Party “Gaps”
Exposures:
• Unauthorized Record Access
• Cyber Fraud
• Denial of Service
• Cyber Extortion
• Cyber Vandalism
Traditional policies:
• ISO Property Policy
• Surety Assoc. Computer Crime
• Surety Assoc. Crime Policy
• Extortion & Kidnap Ransom Policy
Only Cyber Risk Covers:
• Notification Expenses
– When required by law or on a voluntary basis?
• Credit Monitoring Expenses
– For a stipulated period of time and/or under specified circumstances?
• Crisis Management Expenses
– Including expenses related to legal analysis, as well as public relations?
What Information Assets Are Covered?
Privacy Risk:
• Personal Identifiable Information (PII)
– Customers, Employees, Others?
• Personal Health Information (PHI)
Business Property:
• Customer Lists (non-PII)
• Financial Information
• Marketing & Operational Information
• Trade Secrets
Cyber Policy Addresses
• Access to information other than over the Internet
• Access to information by an employee
• Access to information residing on an “outsourced” system – anywhere
• Access to information in “non-electronic” form
• Negligent release of information
– Employees
– Outsourcers
Conclusion
Avoid It:
• Employee Training
• Operational Guidelines
• Customer Awareness
Assess & Mitigate It:
• Penetration Testing
• Robust Patch Management
• Ongoing Security Assessments
Insure It:
• Cyber Insurance Policy & Crime Insurance
QUESTIONS???