Overview of Identity Theft, Data Breaches and Cyber/Privacy Liability Insurance, October 6, 2009
TRANSCRIPT
Overview of Identity Theft, Data Breaches
and Cyber/Privacy Liability Insurance
Michelle Lafferty – Corporate Counsel, Specialty Claims Counsel, Executive Risk Practice
• Hylant Group
• Cleveland Office
Agenda
• Examples & Statistics – Data Breach
• Examples & Statistics – Cyber attack
• Legislative Environment
• Insurance Coverage
• Policy Gap Analysis
• Insurers
Who is this man?!?
Data Breach Examples
Historical Large Losses
• America Online: 30 Million
• US Dept. of Veterans Affairs: 26.5 Million
• Citigroup: 30 Million
• TJX: 94 Million (double the original estimate)
  ♦ Required to provide three years of credit monitoring and three years of victim assistance as part of their class action settlement
  ♦ Criminals had access to the TJX system for 17 months
  ♦ TJX loss is estimated to be over $1.35 billion (source: Forrester Research)
Data Breach Examples
Last 12 Months
• Countrywide Financial: 2 Million (customers)
• Hannaford Bros.: 1.5 Million (customers)
• Fallon Community Health Plan: 30,000 (patients)
• Harvard Law School: 21,000 (clients)
• Barclays Bank: 17,000 (customers)
• National Guard Bureau: 131,000 (soldiers)
• Naval Hospital Pensacola: 38,000 (pharmacy customers)
• Network Solutions: 573,000 (credit card holders)
Data Breach Examples
Heartland Payment Systems
• 6th largest credit-card payment processor in the country
• 100 million card transactions each month, 250,000 businesses
• May – November, 2008 spyware installed
• Unencrypted credit card data – 250 million records
• Magnetic strip data & names
• More than 220 banks affected
• Defense: No PII breached – 3 class action lawsuits anyway
• $12.6MM expenses to date
Data Breach Examples
More than 150 million Americans have had their information put at risk in the last 2 years.
www.privacyrights.org
Personal Data Statistics
Summary of Ponemon Institute, LLC’s 2006 Annual Study: Cost of a Data Breach:
• Total Average Cost:
  • $182 per lost record
  • $4.8 million per breach
  • Range of $226,000 to $22 million per breach
• Lost productivity costs averaged $30 per lost record
• Customer opportunity costs averaged $98 per lost record (turnover of existing customers and increased difficulty acquiring new customers)
• Direct incremental costs averaged $54 per lost record (unbudgeted spending for legal counsel, notification letters, discounted product offers, etc.)
Personal Data Statistics
• 23 million U.S. adults have received notification of a breach from companies
• 60% of respondents terminated or considered terminating their relationship with the company
• 14% were not concerned
• Almost 30% of reported breaches originated with external partners, consultants, outsourcers, or contractors
• More than 90% of all breaches were in digital form (laptops, electronic backups, and hacked or attacked systems)
• 47 states have passed some version of a database notification law
Cyber Attack Examples
• Express Scripts (cyber extortion)
• TD Waterhouse (unauthorized access)
• YouTube (web site content)
• Care First of Maryland (web site content)
• Authorize.net (denial of service attack)
• Six Apart, Ltd. (denial of service attack)
• Paine Weber (malicious code)
Cyber Statistics (2008 Computer Security Survey Report)
• 43% of companies surveyed experienced Cyber Security incidents in 2008
• 27% of the companies surveyed experienced targeted attacks
• Companies that experienced incidents reported the following types:
  • Virus (50%)
  • Insider Abuse (44%)
  • Laptop theft/compromise (42%)
  • Unauthorized access (29%)
  • Bots (internet/web robots) (20%)
  • Computer related financial fraud (12%)
  • DNS compromised (domain name system) (8%)
• Over $500 per employee is spent by U.S. companies on IT Security
• The average direct financial loss reported was $289,000
Legislative Environment
• State Notification Laws
• HIPAA
• Gramm-Leach-Bliley
• FTC Red Flag Rules
FACTA Red Flag Rules
Red Flag Rules recently became effective in January 2008 and compliance is required by November 1, 2009. Under these rules, covered accounts, creditors and businesses:
• Must develop and implement a written privacy and security program
• Must obtain approval of the initial written program from either its Board of Directors or an appropriate committee of the board of directors
• Small businesses are not exempt
• A covered entity cannot escape its obligation to comply by outsourcing
• Businesses must exercise appropriate and effective oversight of service providers.
• Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft
Insurance – First Party Liability
Business Interruption
• Lost income realized as a result of a hacker attack or a virus
• Extra expense
• Dependent business interruption
Crisis Expenses
• Public relations expenses
• Notification expenses
• Regulatory defense
• Credit-monitoring and other services to customers
Digital Asset Coverage
• Cost to restore or recollect data lost or stolen
Extortion & Criminal Reward Fund
• Extortion monies paid and the cost of a cyber investigator
• Reward for information leading to arrest of hacker, cyber criminal
Insurance – Third Party Coverage
• Network Security Liability
  • Protection for claims brought by third parties for the following:
    • Theft of personally identifiable data
    • Denial of service attack
    • Virus transmitted to the third party
• Electronic Media Liability/Internet Liability
  • Protection for claims brought by third parties alleging invasion of privacy, libel, defamation, copyright, title or trademark infringement with regard to information posted on an Insured’s website
• Privacy Extension
  • Protection from claims arising out of theft or compromise of personally identifiable data regardless of method
Policy Gap Analysis
• General Liability Insurance - Coverage for bodily injury or property damage
  - Intentional acts are excluded
  - Intangible property is excluded
• Property Insurance - Coverage for loss of tangible property caused by a covered peril
  - Computer viruses are excluded
  - Intangible property is excluded
  - Business interruption coverage only applies if there has been a direct physical loss
• Crime Insurance - Coverage for theft of money, securities or other property
  - No coverage for theft of information, trade secrets and other types of confidential information
• Directors & Officers Liability Insurance - Coverage for claims alleging acts, errors and/or omissions committed by directors or officers of a company in such capacity
• Technology Errors & Omissions Liability Policy - Coverage for claims resulting from an Insured’s rendering or failure to render professional services to others for a fee
Policy Gap Analysis
Cyber Peril | Property/EDP | General Liability | Crime | K&R | E&O | D&O | Corporate ID Theft | Full Cyber Risk
• Physical Loss 1 2
• Mechanical Breakdown 1
• Loss of revenue/extra expense due to computer attack
• Loss of revenue/extra expenses due to computer attack on dependent business
• Loss of, damage to corporate data/information
• Theft of corporate data/information
• Cyber threats or extortion
• Liability to others for computer security breaches 3 4 5 6
• Information technology services errors and omissions
• Copyright/trademark infringement 7 8
• Content and advertising injury/offense 9 8
• Legal liability to others for privacy breaches 10 6
• Identity Theft of personal data (including employee, customer)
• Identity Theft expenses (crisis management, notification, credit monitoring)
Cyber Risk Insurers
• AIG
• Arch
• Beazley
• Chubb
• C.N.A.
• Darwin
• Hartford
• Hiscox U.S.
• Lloyd’s of London (AGM Syndicate)
Property | Casualty | Employee Benefits | Medical Risk | Personal | Captives | Environmental
Executive Risk | Claims Advocacy | Risk Control | International | Wealth Management
HYLANT GROUP
EXECUTIVE RISK PRACTICE hylantexecutiverisk.com