NEFEC - Cyber Liability MICHAEL GUZMAN, ARM ARTHUR J. GALLAGHER & CO.

Upload: moses-bell

Post on 26-Dec-2015


NEFEC - Cyber Liability

MICHAEL GUZMAN, ARM

ARTHUR J. GALLAGHER & CO.


2 © 2013 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™

What are we talking about today?

1. Cyber Risk Overview

2. Regulatory Landscape

3. Trends and Developments

4. Cyber Liability Coverage

5. Breach Examples

Today’s Agenda


Cyber Risk Overview

Economic Damages

1. Notification Costs

2. Forensic Costs

3. Data Recovery Costs

4. Business Interruption

5. Legal Expenses

6. Lawsuits

7. Reputational Damage (Non-Economic)

What is Cyber Risk

The Potential of Economic and Non-Economic Losses arising out of the use of Information Technology Systems


Cyber Risk Overview

Cyber Risk

1. Breach of Personal Protected Information (PPI) / Hacker

2. Lost or Stolen Laptop/ Smartphone/ Tablets

3. Employee Negligence/ Human Error/ Rogue Employee

4. Thumb drives / Flash drives

5. Servers and Cloud Storage

6. Dropbox

7. Paper Files

8. Copy Machines

Potential Exposures


Cyber Risk Overview

School Districts Exposures

• Student/ Alumni Records

• Enrollment

• Social Security Numbers

• Employee Records

• Employee Benefits

• Credit Card Numbers

Cyber Risk for Public Entities


• When a breach occurs, there are many Federal/State and regulatory laws to consider:

– 47 out of 50 State Laws (Varies from State to State)

– Health Insurance Portability & Accountability Act (HIPAA)

– FTC 114: Red Flag Rule

– Payment Card Industry (PCI) Data Security Standards

Regulatory Landscape

Complex, Changing, and Challenging


• Gov. Rick Scott signed a bill dramatically changing the State of Florida’s data security breach laws.

• The Florida Information Protection Act of 2014 changes the requirements after a data breach and the definition of personal protected information.

• These changes give Florida the broadest and most encompassing breach laws in the nation.

Regulatory Landscape

Florida Information Protection Act of 2014


Regulatory Landscape

FL Definition of Personal Information

1. Social Security Number

2. Driver’s License # or FL ID Card #

3. Credit or Debit Card Number

4. Health Insurance Policy or Subscriber #

5. Medical History

6. Financial Information

7. Online User Name or Email Address in combination with their password

8. Online User Names or Email Address in combination with their security question and answer

FL Notification Requirement Changes

1. Provide notification of breach to affected individuals within 30 days.

2. Notice must be provided to the Florida Department of Legal Affairs for any breach affecting 500 or more individuals.

3. Must provide the Florida Attorney General with a copy of an incident or forensic report along with a copy of the company’s data breach policies and procedures.

Florida Information Protection Act of 2014 Summary


Regulatory Landscape

• 1st Party Coverage not covered under Sovereign Immunity

– Notification Cost, Regulatory Fees, Expenses, etc.

• 3rd Party coverage has yet to be tested in court

• Sovereign Immunity varies from State to State

• 1st Party Coverage (Not Covered by Sovereign Immunity)

– Crisis Management (Notification cost, Credit Monitoring, etc.)

– Data Recovery

– Business Interruption

– Cyber Extortion

• 3rd Party Coverage (Possibly covered by Sovereign Immunity)

– Network & Security Liability

– Privacy Liability

– Media Liability

– Regulatory Liability

Sovereign Immunity and Tort Caps


Trends and Developments

• Number of data security incidents in 2013 by victim industry and organization size

• Public Entities account for 74.84%

High Frequency Industries

| Industry | Total | Small | Large | Unknown | % of Total |
|---|---|---|---|---|---|
| Public | 47,479 | 26 | 47,074 | 379 | 74.84% |
| Unknown | 12,324 | 5,498 | 4 | 6,822 | 19.43% |
| Information | 1,132 | 16 | 27 | 1,089 | 1.78% |
| Finance | 856 | 43 | 189 | 624 | 1.35% |
| Retail | 467 | 36 | 11 | 420 | 0.74% |
| Professional | 360 | 26 | 10 | 324 | 0.57% |
| Manufacturing | 251 | 7 | 33 | 211 | 0.40% |
| Accommodation | 212 | 115 | 34 | 63 | 0.33% |
| Utilities | 166 | 2 | 3 | 161 | 0.26% |
| Education | 33 | 2 | 10 | 21 | 0.05% |
| Transportation | 27 | 3 | 7 | 17 | 0.04% |
| Other | 27 | 13 | - | 14 | 0.04% |
| Healthcare | 26 | 6 | 1 | 19 | 0.04% |
| Entertainment | 20 | 8 | 1 | 11 | 0.03% |
| Administrative | 16 | 8 | 7 | 1 | 0.03% |
| Mining | 11 | - | 8 | 3 | 0.02% |
| Management | 10 | 1 | 3 | 6 | 0.02% |
| Real Estate | 8 | 4 | - | 4 | 0.01% |
| Agriculture | 4 | - | 3 | 1 | 0.01% |
| Construction | 4 | 2 | - | 2 | 0.01% |
| Trade | 4 | 3 | - | 1 | 0.01% |
| Total | 63,437 | 5,819 | 47,425 | 10,193 | 100.00% |

Small = organizations with less than 1,000 employees.

Large = organizations with 1,000+ employees.

*Information Source Credit to the Verizon 2013 Data Breach Investigation Report


Trends and Developments

• Ponemon Institute, LLC conducted a study on the cost of a data breach.

Cost of a Data Breach

[Figure: Cost Per Record Breakout* (axis: Cost Per Breach, $0 to $200). Data labels: $38, $50, $40, $60. Legend: Legal Guidance/ Breach Coach; Credit Monitoring; Forensics; Notification/ Call Center.]

*Cost can vary depending on vendor.


Trends and Developments

• Where is the data really stored?

• How is the data protected?

• Who owns the data?

• Who is responsible for the data during a breach?

• Are you the only organization using this cloud?

What about the Cloud?


Trends and Developments

Top 5 Leading Causes of Cyber Claims

1. Lost employee laptop or other computing devices

2. Malicious acts by a rogue employee or ex-employee

3. Improperly disposed sensitive information

4. Media campaign gone wrong

5. Subcontractor error or omission (including breaches on those subcontracting vendors that are holding your data)

Claims Triggers

Most Common Policy Triggers

• Lost or Stolen Device: 25%

• Network Security Attack: 21%

• Human Error: 15%

• Employee Theft: 15%

• Privacy Policy: 10%

• Paper: 7%

• Other: 7%


Trends and Developments

Network Security Attacks

• Negligence: 35%

• Malicious or Criminal Acts: 36%

• System Failure: 29%


Cyber Liability Coverage

First & Third Party

Cyber Liability

First Party Coverage

• Crisis Management

• Notification Expense

• Credit Monitoring

• Forensic Investigations

• Public Relations

• Data Recovery

• Business Interruption

• Cyber Extortion

Third Party Coverage

• Network & Security Liability

• Privacy Liability

• Media Liability

• Regulatory Liability


Crisis Management

– Notification Cost

– Credit monitoring

– Call center to handle inquiries

– Identity fraud expense reimbursement

– Public relations services to mitigate negative publicity

– Forensic costs incurred to determine the scope of the network failure and determine whose information was breached

– Breach Coach and Legal Assistance to handle the event and determine which regulatory bodies need to be notified

Cyber Liability Coverage

1st Party Coverage


Cyber Liability Coverage

Carrier Vendor Benefits

• Breach Coach

• Forensic Investigator

• Credit Monitoring Vendor

• Notification & Call Centers

• Public Relations Firm

• Legal Assistant

Approved Vendor Panel

Pre-Negotiated Rates

1st Party Coverage


• Breach of approximately 5,000 records with two years of credit monitoring

Cyber Liability Coverage

Negotiated Vendor Rates

| Service | Standard Vendor Cost* | Carrier Negotiated Vendor Cost* | Savings |
|---|---|---|---|
| Legal Assistance with Notification Letters | $24,190 | $10,000 | -59% |
| Print/Mail Letters | $63,551 | $56,341 | -11% |
| Call Center Services | $118,642 | $66,852 | -44% |
| Credit Monitoring | $683,996 | $317,297 | -54% |
| Total | $890,379 | $450,490 | -49% |

*Cost can vary depending on vendor.


• Data Recovery

Expenses incurred to restore data lost from an unauthorized access or virus to an information system

• Business Interruption

Loss of income and extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack

• Cyber Extortion

Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on computer system, or disclose electronic data/information

Cyber Liability Coverage

1st Party Coverage


• Network & Security Liability

Liability coverage for failing to prevent a Security Breach or a Privacy Breach

• Privacy Liability

Liability coverage for failing to protect personal information (electronic or non-electronic) in their care, custody and control

• Media Liability

Intellectual Property and Personal Injury liability from an error or omission in content (website, electronic publishing, etc.)

• Regulatory Liability

Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws

Cyber Liability Coverage

3rd Party Coverage


Cyber Liability Coverage

Vendor shall obtain at its own expense and evidence via Certificate(s) of Insurance the following insurance requirements before commencement of any awarded work and throughout the duration of the Agreement:

1. Network Security / Privacy Liability with breach response coverage

2. $1M Minimum Liability/ Aggregate Limit

– Breach response sublimits of at least 50% of the liability limit

– Inclusive of defense costs

3. Technology E&O / Technology Products E&O: (If Applicable)

– $1M Minimum Aggregate Limit

– Inclusive of defense costs

4. School District must be named as an additional insured under policies.

5. Claims-made policies must be in place for a period of at least 12 months after the agreement completion/ termination date.

6. Addition of the appropriate endorsement deleting the “Insured vs. Insured” exclusion. This is to protect the School District for wrongful acts by the Vendor.

7. All insurance carrier(s) must carry an A.M. Best rating of A- VI or better.

Vendor Recommended Requirements


• FL County School District - #200

– SSN of 200 students who paid tuition for education programs was compromised. Affected students were offered one-year credit monitoring.

• Florida University - #47,000

– The information of 47,000 teachers and students was publicly accessible for 14 days after a data transfer at the University. The information was from teachers participating in state prep programs.

• Florida Community College - #3,300

– Federal investigators informed the Community College that a hacker gained access to their main computer system. The personal information of students who applied for financial aid may have been accessed. It appears that an insider hacked into the computer system. Hacked 2011 financial aid records were misused to file fraudulent tax refunds.

Breach Examples

Florida Public Entity Breaches


Gallagher Cyber Risk Group

Educate, Inform, and Assist


Michael Guzman, ARM

Arthur J. Gallagher Risk Management Services, Inc.

200 South Orange Avenue | Suite 1350

Orlando | FL | 32801