Managing Cyber Risks: Threats, Risk Management & Insurance Principles
Brian J. Courtney, RPLU, AAI
The Safegard Group, Inc., 100 Granite Drive, Suite 205, Media, PA 19063
610.892.7688, [email protected]


Page 1: Managing Cyber Risks: Threats, Risk Management & Insurance Principles

Brian J. Courtney, RPLU, AAI
The Safegard Group, Inc.
100 Granite Drive, Suite 205, Media, PA 19063
[email protected]

Page 2: Legal Disclaimer

This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued.

The precise coverage afforded is subject to the terms and conditions of the policies as issued.

Page 3: Brian J. Courtney, RPLU, AAI

Brian Courtney joined The Safegard Group, Inc. in April 2005 and serves as a Producer and the Healthcare Practice Leader for the company. He is primarily responsible for the direction of client services to the healthcare industry. Brian began his career at the height of the medical malpractice crisis. Working with a large regional insurance broker, Brian served with the healthcare practice leader, helping hospital systems and physician groups obtain medical malpractice coverage. Prior to joining The Safegard Group, Brian joined a large national insurance brokerage firm where he gained considerable experience in healthcare risk management serving the needs of large physician groups, long-term care facilities, home healthcare providers, and allied health professional organizations.

Brian has completed the Registered Professional Liability Underwriter (RPLU) program, which was developed by the Professional Liability Underwriting Society as a specialized curriculum completely dedicated to professional liability risk management. Professionals who wish to obtain the RPLU designation are required to complete a rigorous 13-course curriculum comprising eight core courses and five specialization courses. Brian chose to specialize in the following areas:

• Advanced Healthcare Professional Liability
• Cyber Risk
• Employment Practices Liability
• Directors & Officers Liability
• Crime

As the designation suggests, RPLU professionals are recognized as having the highest level of professional liability expertise to help their clients manage their risk and protect their assets. Currently, Brian is helping many of his clients with Cyber Risk Management initiatives, such as Risk Assessments, Data Breach Incident Response Planning, Contractual Risk Transfer, Insurance Protection and a host of other related services.

Brian lives in Downingtown, Pennsylvania with his wife Erin and three kids, Aidan, Carter & Chase. He is active in the community, volunteering his time with the Lionville Youth Soccer Association and Brandywine Health Foundation. He is also an avid fitness/thrill seeker, recently competing in the Spartan Races, which were voted the 2012 Best Obstacle Course Race by Outside magazine.

Page 4: Brian Courtney – Expert in Risk Management and Loss Prevention???

Page 5

Big believer that you should avoid risk

AT ALL COSTS

Page 6: True or False

Large corporations are typically the targets for hackers.

FALSE. A joint study by the U.S. Secret Service and Verizon Communications’ forensics analysis unit paints a frightening picture: 482 of the 761 data breaches the unit investigated in 2010 (63%) occurred at companies with 100 or fewer employees.

73% of small-to-medium-sized companies experienced a cyber attack in 2010, and 30% of those attacks were extremely effective, according to Symantec, a software security developer.

Page 7: True or False

Small businesses (fewer than 100 employees) are required to abide by data breach laws.

TRUE

From the Federal Trade Commission website: “For many companies, collecting sensitive consumer and employee information is an essential part of doing business. It’s your legal responsibility to take steps to properly secure or dispose of it. Financial data, personal information from kids, and material derived from credit reports may raise additional compliance considerations. In addition, you may have legal responsibilities to victims of identity theft, regardless of the size of your company or your line of work.”

Page 8: True or False

Certain industries have to worry about Cyber Security risks.

FALSE

While I would agree that certain industries are more at risk than others, every industry holds sensitive data in some form or another. Also, there is more to Cyber risk than just a data breach. Therefore, all industries have Cyber Security risks.

Page 9: What Are Cyber Risks?

• Violation of privacy policies
• Transmission of viruses to other systems
• Programming errors
• Theft, corruption, or destruction of data or computer systems
• Hacking
• Abuse of access to networks by employees
• Copyright or trademark infringement
• Denial of Service attacks

Source: Professional Liability Underwriting Society, www.plusweb.org

Page 10: What Activities Create Cyber Risk?

• Data storage on networks
• Credit card processing
• Online payment processing (other than credit cards)
• Internet connectivity
• E-commerce
• Business websites and Internet advertising
• Customer forums and support (help) message boards
• Internet Service Providers
• Website Design
• Development of hardware and software
• Providing content or media
• Consulting
• Providing technical services, equipment and support

Source: Professional Liability Underwriting Society, www.plusweb.org

Page 11: Who Regulates the Cyber World?

• Federal Trade Commission (FTC)
• Federal Bureau of Investigation (FBI)
• Fair and Accurate Credit Transaction Act (FACTA)
• Gramm-Leach-Bliley Services Modernization Act
• Health Insurance Portability & Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Sarbanes-Oxley Act (SOX)
• State Privacy Breach Legislation

Source: Professional Liability Underwriting Society, www.plusweb.org

Page 12: Cyber Laws

• Copyright Law – Digital Millennium Copyright Act
• Trademark Law – Lanham Act
• Defamation
• Privacy – HIPAA/HITECH, GLBA, State Laws

Source: Professional Liability Underwriting Society, www.plusweb.org

Page 13: The Risks Today

• Privacy Risk
• Websites
• IP Infringement & Libel

Page 14: Cyber Exposures – First Party Risks

• Data Storage
• Business Interruptions
• Fraud & Theft
• Extortion
• Crisis Management

Source: Professional Liability Underwriting Society, www.plusweb.org

Page 15: Cyber Exposures – Third Party Risks

Intellectual Property
• Copyright
• Trademarks
• Trade secrets
• Patents

Privacy & Customer Data
• Security Breaches
• Liability
• Phishing & Pharming

Professional E&O
• Internet provider
• Application service provider
• Web hosting
• Network equipment
• Programmers
• Website Designers
• Data warehouses
• Consultants

Source: Professional Liability Underwriting Society, www.plusweb.org

Page 16: Personally Identifiable Information (PII)

Definition: As used in information security, PII refers to information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.

First or last name in combination with:
– Social Security number
– Driver’s license number
– Financial account number
– Credit, debit, or payment card

Page 17: Protected Health Information (PHI)

As defined by HIPAA:

“any information, whether oral or recorded in any form or medium” that

• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, and

• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

Page 18: What Is a Data Breach?

Unauthorized access to protected information

– Hacking
– Rogue Employees
– Negligence
– Rogue Vendors

Page 19: The Value of Stolen Data

Source: Symantec Corporation, “Report on the Underground Economy, July ’07 – June ’08”

Page 20: Data Breach Example

Date Made Public: February 12, 2011
Name (Location): Cincinnati Children’s Hospital
Number of Records: 60,000
Type of Breach: Mobile Device

An employee’s newly-issued, unencrypted laptop was stolen out of a car. Although the covered entity had a policy of encrypting its computers, an investigation revealed that new computers are not encrypted before they are given to employees. The laptop contained the protected health information (PHI) of approximately 60,000 individuals. The PHI stored on the laptop included names, medical record numbers, and services received at the covered entity. Following the breach, the covered entity notified its clients by letter of the incident, placed notice on various websites and in The Cincinnati Enquirer, and established a new internal procedure whereby all new computers would be encrypted before they are given to employees.

Source: Department of Health & Human Services, www.HHS.gov

Page 21: Data Breach Cost Calculation

Forensic Investigation: $32,200
Security Remediation: $112,200
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $160,998
Customer Notification: $60,998
Call Center: $4,575
Credit Monitoring: $152,500
ID Fraud Remediation: $60,998
Public Relations Service: $20,000
HHS Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $76,248

TOTAL: $1,940,712

Source: eRiskHUB, www.eriskhub.com

Page 22: Another Data Breach Example

Date Made Public: May 16, 2008
Name (Location): Chester County School District
Number of Records: 55,000
Type of Breach: Stationary Device

A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people was accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.

Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org

Page 23: Data Breach Cost Calculation

Forensic Investigation: $75,000
Security Remediation: $155,000
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $0
Customer Notification: $55,000
Call Center: $4,125
Credit Monitoring: $137,500
ID Fraud Remediation: $55,000
Public Relations Service: $20,000
FTC Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $0

TOTAL: $1,761,625

Source: eRiskHUB, www.eriskhub.com

Page 24: One More – Manufacturing???

Date Made Public: February 13, 2012
Name (Location): Combined Systems
Number of Records: Unknown
Type of Breach: Hacking

A hacker or hackers accessed the Combined Systems website and shut it down. The hackers claim to have struck in honor of the anniversary of the February 14, 2011 Bahrain uprising and to have wiped out the company's web servers. Administrator logins, customer data, and emails were posted online.

Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org

Page 25: 2011 Data Breaches by Industry

Financial Services: 8%
Retail: 15%
Education: 11%
Government: 14%
Medical: 34%
Non-Profit: 3%
Other: 16%

Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org

Page 26: 2011 Data Breaches by Type

Unintended Disclosure: 14%
Hacking or Malware: 24%
Payment Card Fraud: 2%
Insider: 16%
Physical Loss: 14%
Portable Device: 20%
Stationary Device: 9%

Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, www.privacyrights.org

Page 28: State Statutes

Currently, 47 other states have enacted some type of security breach notification legislation, including:

Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Maine, Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, Washington and Wyoming.

Some states have state laws that require breaches to be reported to a centralized database, including:

Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).

Other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests, including:

California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. For details, see the Open Security Foundation Datalossdb website: www.datalossdb.org

Page 29: Massachusetts General Law 93H

“Every person that owns, licenses, stores or maintains personal information about a resident of the commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.”

Massachusetts – Effective March 1, 2010
• Requires encryption of confidential data when it is on a mobile device
• Includes additional, robust security requirements for holders of personal information of Massachusetts residents

Page 30: Pennsylvania State Law 73 P.S. § 2303 – Notification of a Breach

(a) General rule. – An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and un-redacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Except as provided in section 4 [FN1] or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.

(b) Encrypted information. – An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.

(c) Vendor notification. – A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.

Page 31: Pennsylvania State Law 73 P.S. § 2305 – Notification of Consumer Reporting Agencies

When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the timing, distribution and number of notices.
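The notice triggers in the two Pennsylvania sections quoted above (73 P.S. § 2303(a) to (c) and § 2305) are the kind of rule an incident response plan has to apply once the facts of a breach are established. The Python below is an added example written for this page, not code from the presentation or from any statute. The Incident record, its field names, the count_pa_residents helper and the sample incidents are constructed assumptions, and the logic covers only what the quoted text states (the encryption carve-out and its exceptions, the vendor duty, and the 1,000-notice threshold for consumer reporting agencies), not other states' laws or the section 4 law-enforcement delay.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Incident:
    """Facts a responder establishes before the notice decision.
    Hypothetical record layout, constructed for this example."""
    unencrypted_pi_accessed: bool           # unencrypted/un-redacted PI accessed and acquired
    encrypted_data_decrypted: bool = False  # encrypted data obtained in unencrypted form
    encryption_compromised: bool = False    # the encryption itself was defeated
    key_holder_involved: bool = False       # a person with access to the key was involved
    acting_as_vendor: bool = False          # data held on behalf of another entity
    scope_determined: bool = True           # breach scoped and data system integrity restored
    mailing_states: list[str] = field(default_factory=list)  # one entry per affected record


def count_pa_residents(mailing_states: list[str]) -> int:
    """2303(a): residency may be determined from the principal mailing
    address held in the breached data, so count records with a PA address."""
    return sum(1 for s in mailing_states if s.strip().upper() == "PA")


def residents_must_be_notified(inc: Incident) -> bool:
    """2303(a) triggers on unencrypted data; 2303(b) extends the duty to
    encrypted data that was decrypted, whose encryption was broken, or
    where a key holder was involved."""
    if inc.unencrypted_pi_accessed:
        return True
    return inc.encrypted_data_decrypted or inc.encryption_compromised or inc.key_holder_involved


def required_notices(inc: Incident) -> list[str]:
    """Return the notice obligations the quoted sections impose, in order."""
    notices: list[str] = []
    if inc.acting_as_vendor:
        # 2303(c): the vendor notifies the owning entity, which then makes
        # the remaining determinations under the act.
        notices.append("vendor: notify the entity that owns the data (2303(c))")
        return notices
    if not residents_must_be_notified(inc):
        return notices
    affected = count_pa_residents(inc.mailing_states)
    if affected == 0:
        return notices  # no Pennsylvania residents in the breached data
    if inc.scope_determined:
        notices.append(f"notify {affected} PA residents without unreasonable delay (2303(a))")
    else:
        # 2303(a) allows the time needed to determine scope and restore integrity.
        notices.append(f"notify {affected} PA residents once scope is determined (2303(a))")
    if affected > 1000:
        # 2305: more than 1,000 notices at one time also requires notifying the
        # nationwide consumer reporting agencies of timing, distribution and number.
        notices.append("notify nationwide consumer reporting agencies (2305)")
    return notices


# Constructed sample incidents (not real cases); 'mailing_states' holds the
# state of each affected record's principal mailing address.
SAMPLE_INCIDENTS = {
    # Stolen laptop whose disk was never encrypted: 1,200 PA and 300 NJ records.
    "unencrypted_laptop": Incident(unencrypted_pi_accessed=True,
                                   mailing_states=["PA"] * 1200 + ["NJ"] * 300),
    # Stolen laptop with full-disk encryption and no key exposure: no trigger.
    "encrypted_laptop": Incident(unencrypted_pi_accessed=False,
                                 mailing_states=["PA"] * 5000),
    # Encrypted backup copied by an employee who held the decryption key.
    "key_holder": Incident(unencrypted_pi_accessed=False, key_holder_involved=True,
                           mailing_states=["PA"] * 200),
    # Hosting vendor breached: its duty under 2303(c) runs to the data owner.
    "vendor": Incident(unencrypted_pi_accessed=True, acting_as_vendor=True,
                       mailing_states=["PA"] * 50),
}


def decide_all() -> dict[str, list[str]]:
    """Apply the decision to every sample incident."""
    return {name: required_notices(inc) for name, inc in SAMPLE_INCIDENTS.items()}


if __name__ == "__main__":
    for name, notices in decide_all().items():
        print(f"{name}: {notices or ['no notice required under the quoted sections']}")
```

The point of the encrypted_laptop and key_holder pair is the one the Cincinnati Children's example on page 20 makes in reverse: encryption only removes the notice duty when the key stays out of reach, which is why the record tracks key access separately from whether the disk was encrypted.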

Page 32: Delaware Law § 12B-102 – Notification of a Breach

(a) An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information about a resident of Delaware shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Delaware resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Delaware resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.

(c) Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

Page 33: Delaware Law § 12B-103 – Compliance Procedures

(a) Under this chapter, an individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system.

(b) Under this chapter, an individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs.

Page 34: The “Perfect Storm”

First Party

Loss of Private Data
• Notification Costs
• Publicity Costs
• Crisis Management Expenses

Business Continuity Expense
• Extra Expenses to continue operations
• Business Income loss

Cyber Extortion
• Ransom Payment
• Other Expenses

Third Party

Client Suits – Privacy
• Suits from clients alleging negligence in protecting information and other causes of action

Client Suits – Denial of Service
• Suits from clients alleging negligence in protecting the network against denial of service

Page 35: Breach Related Expenses

Notification
• Crafting letter or other notification
• Printing or design
• Mailing or other transmission

Public Relations
• Advertising & Press Releases

Call Center Operations

Other Services for Affected Persons
• Credit Monitoring

Forensics
• Cost of Forensic Examination
• Cost to Remediate Discovered Vulnerabilities

Legal Expenses for Outside Attorney
• Legal Response to Claims or Suits
• Payment of Judgments or Settlements

Page 36: Trends in Data Breach Costs

In a U.S.-based study of 49 companies in 14 different industries, the number of breached records per incident ranged from 4,500 to 98,000.

• The organizational cost has declined from $7.2M to $5.5M
• Cost per record has declined from $214 to $194
• Lost business due to a breach averages $3.01M
• Detection and escalation costs declined from $460K to $433K
• Cost to notify victims increased from $510K to $560K
• First timers on average spent $37 more per record; too-quick/non-planners on average spent $33 more per record
• A CISO can reduce cost per record by $80; an outside consultant can reduce cost per record by $41

Source: 2011 Ponemon Institute Benchmark Study

Page 37: Cyber Risk Insurance Policies

Page 38: Traditional Insurance Coverage?

ISO Commercial Property? – Electronic Data Extension only addresses loss or damage to data which has been destroyed or corrupted by a covered cause of loss.

Commercial Crime Form? – No coverage due to the Definition of “Other Property” and the Exclusion of “Indirect Loss”.

General Liability Policy? – Addresses only physical injury to persons or tangible property, as well as the Insured’s publication of material that violates a person’s right to privacy.

Professional Liability Policy? – May be limited by the description of “Professional Services” or by Exclusions for “Invasion of Privacy”.

Page 39: Common First Party “Gaps”

Exposures:
• Unauthorized Record Access
• Cyber Fraud
• Denial of Service
• Cyber Extortion
• Cyber Vandalism

Traditional policies:
• ISO Property Policy
• Surety Assoc. Computer Crime
• Surety Assoc. Crime Policy
• Extortion & Kidnap Ransom Policy

Page 40: Only Cyber Risk Covers:

• Notification Expenses – When required by law or on a voluntary basis?
• Credit Monitoring Expenses – For a stipulated period of time and/or under specified circumstances?
• Crisis Management Expenses – Including expenses related to legal analysis, as well as public relations?

Page 41: What Information Assets Are Covered?

Privacy Risk
• Personally Identifiable Information (PII) – Customers, Employees, Others?
• Protected Health Information (PHI)

Business Property:
• Customer Lists (non-PII)
• Financial Information
• Marketing & Operational Information

Trade Secrets

Page 42: Cyber Policy Addresses

• Access to information other than over the Internet
• Access to information by an employee
• Access to information residing on an “outsourced” system – anywhere
• Access to information in “non-electronic” form
• Negligent release of information
  – Employees
  – Outsourcers

Page 43: Conclusion

Avoid It
• Employee Training
• Operational Guidelines
• Customer Awareness

Assess & Mitigate It
• Penetration Testing
• Robust Patch Management
• Ongoing Security Assessments

Insure It
• Cyber Insurance Policy & Crime Insurance

Page 44: QUESTIONS???