e-Government Information Privacy and Security Risk & Insurance STRIMA Portland, Maine September 10, 2007


Page 1: E-Government Information Privacy and Security Risk & Insurance STRIMA Portland, Maine September 10, 2007

e-Government

Information Privacy and Security

Risk & Insurance

STRIMA

Portland, Maine, September 10, 2007

Page 2

e-Government Creates New Exposures

Paradigm shift from physical assets to information assets and resources

Electronic document management

e-Discovery

e-Commerce

Efficiency through online card payments and filing

Electronic funds transfer

Digital connectivity to citizens, businesses, suppliers and other government entities

Mobile workforce and outsourcing

Remote access to network

Wireless solutions

Interactive multimedia

Electronic publishing / content distribution

Network control of critical infrastructure and information

Page 3

Information Assets and Resources

Electronic Document Management

Employee

Student / juvenile

Bid data

Police

Public works

Medical / health dept.

Motor vehicle

GIS data

Critical Infrastructure Assurance data

EZ Pass

eDiscovery / litigation

Financial transactions

Economic development zones

eCommerce / Electronic Kiosks

Credit card or banking information from online payments

Dues / licenses

Tickets

Property taxes

EZ Pass

Electronic funds transfer

Network Controlled Resources

Wireless networks

Computing power / storage

Dams and water systems

Airports

Power grid

Access to school and library computers / Internet access

EZ Pass

Emergency response

Page 4

What keeps you up at night?

Jan. 13, 2007 – North Carolina Dept. of Revenue: laptop theft with 30,000 taxpayer records including SSN.

Feb. 9, 2007 – East Carolina University: programming error exposed PII on 65,000 students, including SSNs and credit card numbers, on the University’s Web site.

March 30, 2007 – Los Angeles County Child Support Services: three laptops containing personal information on 243,000 cases were stolen, some including SSNs but many without names.

April 10, 2007 – Georgia Dept. of Community Health: computer disk containing personal information on 2,900,000 individuals including SSNs went missing from Affiliated Computer Services, a private vendor contracted to handle health care claims for the state.

June 15, 2007 – State of Ohio: backup computer storage device stolen from a state intern’s car exposing names and SSNs of 500,000 state workers.

July 17, 2007 – Louisiana Board of Regents: records of 80,000 students and staff including names and SSNs exposed on Intranet site for as much as 2 years.

TJX: Hackers stole millions of credit card numbers over the course of 6 months from an internal (non-internet) credit card processing server. 20+ class actions, 10+ governmental investigations. Loss projected to be over $200M.

Page 5

Expanding Privacy & Breach Disclosure laws

California Consumer Data Protection Act (previously called SB 1386; effective 7/1/2003; “reasonable belief” of intrusion) requires any business storing confidential personal information about California residents in electronic form to contact residents upon discovering or suspecting a security breach to computer systems.

37 other states have followed with similar laws and Congress is reviewing federal legislation.

HIPAA – Electronic Medical Information Security Rules.

Merchant Liability for Security Breaches – May 21, 2007, Minnesota enacted the Plastic Card Security Act. Law enables financial institutions to file lawsuits to recover costs associated with a merchant security breach that exposes payment card data. CA, MA, IL, CA and TX are considering similar laws. Now there is a direct path to merchant liability for expenses such as cost to reissue card – estimated at $20 to $50 per card.

Page 6

Network Security/Privacy Risks

Several key risks include:

Unauthorized Access or Use

At the heart of many of these exposures is unauthorized network access:

• From employees, vendors or outside hackers

• From a stolen/hacked user name and password, phishing incident or inappropriate acts of an authorized user

• From a virus, Trojan horse or other form of malicious code

• As the result of a lost or stolen PDA, laptop, Blackberry or other mobile device

Disclosure of Personal Information or Confidential Business Data

Identity Theft and fraud. Regulated information can include personal, financial, and medical data. Electronic theft of confidential data can wreak havoc on operations.

Malicious Code

The rising incidence of malicious code – viruses, worms, Trojan horses – is causing network damage and crippling denial-of-service attacks. Web site disruptions can result in large losses for banks, insurers and investment firms as so many customers rely on the web for their transactions.

Reliance on Network Operations

Network outages may result in the temporary shutdown of your critical applications/operations. If critical business and operational functions are outsourced to vendors, day-to-day control over operations may be lost despite contractual agreements.

Downstream Liability

There can be a liability risk to third parties – vendors, customers, business partners – for passing on malicious code or facilitating an attack via your network.

Page 7

Traditional Insurance Gaps

Property: usually requires physical damage to a tangible asset to trigger coverage. Data is not considered tangible property in most policies, and computer viruses and hacker attacks seldom damage your systems “physically.” In addition, most property policies include computer virus exclusions, or provide only small sub-limits of coverage or long waiting periods.

General Liability: physical damage or bodily injury trigger is not activated in a network security breach. Advertising Injury and Personal Injury coverage can be difficult to trigger as a result of intentional and/or criminal acts, like breach of confidential data due to a hacker or computer virus.

Commercial Crime: covers theft of money and securities, but does not cover the theft of data, information, and account numbers (including credit card data).

Professional Liability/E&O: intentional acts are usually excluded. Often, an event such as a security breach can not only harm your client, but also your client’s customers. Many E&O policies do not respond to these types of security breach/disclosure of sensitive data events.

Page 8

Protecting Information

Confidentiality

Availability

Integrity

Page 9

Basic Risk Questions

How does an organization identify critical or sensitive information assets and risks to those assets?

Is the frequency and scope of your risk evaluation and compliance audits sufficient to take evolving threats into account?

Are risks to critical or sensitive information assets managed in a similar fashion to other key business risks?

What are the structure, activities, and decision-making processes relating to cyber risk management, including electronic fraud?

What are your due diligence and financial responsibility (insurance) requirements for other companies that connect to your network or provide technology services?

Page 10

Contractual Solutions

Vendors providing: Hosting, Managed Security services, Software, IT services & consulting, ISP/ASP, content providers, companies connected to your networks/systems.

Insurance coverage requirements:

Errors & Omissions

Internet/Network Security Liability Coverage

Privacy Breach Coverage

Media Liability

Indemnification / Limitation of Liability

Page 11

Insurance Solutions

Coverage for invasion, infringement or interference with rights of privacy or publicity, including false light, public disclosure of private facts, intrusion and commercial appropriation of name, persona or likeness.

Coverage for damage to/disclosure of data, and the resulting liabilities

Coverage which responds to wrongful acts in connection with “internet media” in the conduct of the Insured’s business

Coverage for any form of defamation (e.g. libel and/or slander)

Coverage for infringement of intellectual property (e.g. copyright and/or trademark infringement)

Page 12

Network Security/Privacy Insurance Coverages

Network Security Liability

Privacy Liability

Network Business Interruption and Asset Protection

Cyber Extortion

Electronic Media/Website Content Liability

Internet Professional Liability/Tech E&O

Theft of Data/Information (Cyber Crime)

Personal Identity Theft Expense Insurance/Services (pre- and post-breach)

Crisis Management & Public Relations

Breach Notification and Credit Monitoring

Page 13

Insurance Solutions

What kinds of perils can be included?

Breach of Privacy / Identity Theft (electronic and non-electronic)

Negligent release of confidential information

Security breaches such as unauthorized access and unauthorized use

Content Infringement (website copyright, trademark, domain names)

Cyber Extortion

Implantation or spread of a Computer Virus

Destruction, modification, or disclosure of electronic data

Loss of Business Income due to a network security breach

Information theft

Covered acts caused by Service Providers

Expenses associated with breach of security notification requirements

Page 14

Network Security Coverage

Network Security Liability -- Liability arising from the interruption of your e-Business communications caused by damage to your computer programs or data that results from virus, hacking, a denial of service attack, a denial of access or a simple mistake by your authorized personnel in the administration of your computer system or handling of your e-Business information assets (administrative error). This also includes liability for transmission of a computer virus to a third party via a covered computer system or the failure to prevent the use of your computer system in a denial of service attack.

Broad Privacy Liability – Liability arising from the alleged breach/disclosure of personal information or confidential corporate information.

Electronic Media Liability -- Actual or alleged acts committed in the course of your e-Business communications, including in the course of providing access, publishing, hosting, collaboration and conducting e-commerce. e-Publishing Offenses include:

Defamation, libel & slander, product disparagement and trade libel

Violation of rights of privacy

Misappropriation and plagiarism of advertising ideas or materials or literary or artistic formats or styles or performances

Infringement of copyright, title, slogan, trademark, trade name/dress, service marks or names.

Page 15

Network Security Coverage

Business Income Loss -- Comprised of Earnings Loss and/or Expenses Loss as defined below.

Earnings Loss: Loss of gross margin you sustain due to an e-Communications disruption from a qualifying cause, which exceeds the waiting period stated in the declarations.

Expenses Loss: The additional expense that you expect to incur during the period of the e-Communications disruption that is over and above the cost that reasonably and necessarily would have been incurred to conduct your business had no e-Communications disruption occurred (Not including restoration costs or investigative expenses as defined below).

Dependent Business Income Loss -- Earnings loss and/or expenses loss you expect to sustain as a result of, and during, an e-Communications disruption sustained by a third party on which you depend for the services to support your e-Business Communications.

Extended Business Income Loss or Extended Dependent Business Income Loss -- The business income loss or dependent business income loss you sustain during the period of restoration following an e-Communications disruption.

Restoration Costs -- The actual & necessary expenses you expect to incur to replace, restore, or recreate your e-Business information assets to the level or condition at which they existed prior to the loss.

Page 16

Network Security Coverage

Public Relations Expenses -- The actual & necessary fees & costs you expect to pay to an approved public relations consultant for planning & executing your public relations campaign in order to protect or restore your professional reputation in response to media coverage of any e-Communications disruption, network interruption or qualifying cause. Up to $250,000 for costs associated with notifying consumers of the potential breach of their personally identifiable information (i.e. Identity Theft; Security Breach Consumer Notification Laws).

Investigative Expenses -- The actual, reasonable and necessary expenses you incur during the waiting period to respond to an e-Communications disruption or to the occurrence of any damage to, destruction of or loss of use of your e-Business information assets, so that you may prevent, minimize or mitigate any further damage to your e-Business information assets, minimize the duration of the e-Communications disruption, gather preliminary forensic evidence to be used in making a determination of coverage to be provided under this policy, and preserve critical evidence of any wrongdoing.

Extortion Threat(s) -- Amounts paid to terminate a threat to introduce unauthorized code into your computer system or a computer system that is under your direct control, or to divulge, disseminate or utilize your e-Business information assets without authorization.

Page 17

Who is Buying Network Security/Privacy Risk Insurance?

Financial institutions – banks, insurers, investment

Technology – Service providers – combining E&O and Cyber

Healthcare – MCOs, TPAs, Hospitals

Media/Telecom – combining E&O and Cyber

Retail – supply chain and privacy are key issues

Universities – liability to alumni/students key issue

Energy – system availability and privacy are key issues

Page 18

What is Different Today?

Information and network security risks represent significant civil liability and regulatory exposure, as well as direct losses to data and network assets.

The privacy risk is causing security breaches to be made public, leading to liability claims

Need for due diligence: gap analysis and risk assessment

GL, Property, and Crime continue to come up short on coverage. The ISO GL 2001 & 2004 forms are explicit that data is intangible property.

Network Security policies have broadened as the marketplace matured: Privacy, Programming E&O, a six-hour time element on Business Interruption, and Notification Expense coverage.

Large losses are being paid by underwriters

Loss maturity and competition are decreasing premiums

Page 19

Summary

Information & Network Security risks represent significant civil liability and regulatory exposure, as well as direct losses to data and network assets.

Understand how to identify, control, mitigate and transfer your cyber exposures -- it’s a high-level issue

Current insurance programs may be deficient; cyber products are being offered to address first party and third party risks

Insurers are wary of governments due to risk assessment challenges and history of security breaches

Assess your information security before approaching the insurance market to determine insurability

Some insurers see government as potential growth opportunity