2010 Professional Risk Symposium: EPL, E&O and Fiduciary
Chicago, IL ~ March 18 & 19, 2010

Data Breach: Red Flag Rule, HITECH Act & Litigation Update
Moderator:
Lori S. Nugent, Esq., Partner, Wilson Elser
Panelists:
Nancy Lyons Callahan, CPCU, CIPP, Consultant
Michael Carr, Vice President, Navigators Pro
Manny Cho, Senior Vice President, Program Management, Aon Affinity Business Insurance Solutions
K Royal, JD, CIPP, Privacy & Security Officer, Assistant Vice President, Concentra
The Rising Tide of Cyber Crime: The Problem, Solutions and Practical Tips
• Overview of Data Breaches
• Government Efforts to Fight Cyber Crime
• Cyber Liability Trends
Overview of Data Breaches: How Big is the Cyber Crime Problem?
The Breach Leader: Healthcare, Banking, or Other Business?
The Breach Leader: Business
Records Breached in 2009, by sector (based on Identity Theft Resource Center® ("ITRC") data at http://www.idtheftcenter.org/artman2/uploads/ITRC_Breach_Stats_Report_20100106_1.pdf):
Business                    58.9%
Government/Military         35.7%
Medical/Healthcare           5.1%
Educational                  0.4%
Banking/Credit/Financial     0.1%
Frequent Types of Data Breaches
• Office Break In
• Laptop/USB Drive Mislaid or Stolen
• Paper Document Lost or Thrown Away
• Mailing Error
• MisFax
Severe Types of Data Breaches
• SQL Injection Attacks
• Botnets
• Social Engineering
• P2P Networks
• Employee/Former Employee/Vendor
Government Efforts to Fight Cyber Crime with New Laws and Regulations
• State Laws and Trends
• Key Federal Laws, Regulations and Practical Ways to Comply
• Cyber Liability Litigation Trends
• State Laws and Trends
  45 states with breach notification laws
  Notable state laws: Texas, Nevada, Massachusetts
  Attorney General / other agency notification requirements
• Key Federal Laws, Regulations and Practical Ways to Comply
  Red Flags Rule
  HITECH Act
  Federal DATA Bill
• Red Flags Rule: Detect, Prevent and Mitigate Identity Theft
  Applies to:
  Financial Institutions
  Creditors: businesses that regularly accept deferred payment
  Covered Accounts: accounts that permit multiple payments/transactions, or that are at risk for identity theft
• Red Flags Rule: Covered Accounts?
  Does the operation offer or maintain accounts for personal, family or household purposes that involve, or are designed to permit, multiple payments or transactions?
  Does the operation have any other accounts that pose a reasonably foreseeable risk of identity theft to customers or to the company, viewed from a financial, operational, compliance, reputation or litigation risk standpoint?
• Red Flags Rule: even if the operation falls outside the Red Flags Rule, consider:
  Negligence exposure / hindsight bias
  Reputational risk
Red Flags Rule: Practical Steps
1) Identify PII
2) Specify the security in place
3) Detect "red flags" indicating potential theft
4) Specify responses to "red flags"
5) Train employees on "red flags" and responses
6) Update "red flags" at least annually
7) Written plan approved by the Board of Directors
HITECH Act Covers: Healthcare Providers; Insurers; Clearinghouses; Business Associates
HITECH Act applies to the handling of Protected Health Information ("PHI"), including personal information about patient health as well as other protected information such as name, Social Security number, address and insurance account numbers.
Bottom Line Impact: civil penalties of up to $50,000 per violation, capped at $1,500,000 per year for identical violations, plus other remedies; potential criminal penalties for involved employees. Example: the Connecticut Attorney General's enforcement action against Health Net.
HITECH Act's Stringent Notification Requirements:
• Notification no later than 60 days after discovery of the breach
• New guidelines for letter content and address verification
• Maintain a log of breaches and report it to HHS
• Breaches of 500 or more records require notice to "prominent media outlets" and immediate notification to HHS
• Federal Data Accountability and Trust Act (DATA Act): pending federal legislation to create a consistent customer data breach notification standard
  Focus on "data brokers"
  Requires customers to be notified of a breach and provided with quarterly credit reports at no charge
  Types of data leaks that require notice:
  • Social Security Numbers (SSNs)
  • Credit card or debit card information
  • Financial account numbers
  • State identification
  • Driver's license numbers
  Status: http://thomas.loc.gov, using House bill number H.R. 2221
Real World Compliance: What Works
• Red Flags document and training
• Coordination among IT, Legal, Human Resources and Operations handling PII or PHI
• Commercial reasonableness / hindsight bias
Cyber Litigation Trends
Privacy/Security Breaches
• Avoiding Spoliation
• Jurisdiction
• Motions to Dismiss
• Class Certification and Settlement
Technology Errors & Omissions
• Vendor Contracts
Cyber Media Liability
• Social Media
• Email Publishing
Cost of a Data Breach: Example
Tangible Costs
Legal Fees                          $100,000
Customer Notification                 10,000
Public Relations                      20,000
Credit Monitoring                     50,000
Customer Demands (Reimbursement)     300,000
Forensic Investigation                25,000
Total                               $505,000
Insurable Costs                     $505,000 (less any applicable deductible)
Cost of a Data Breach: Example
Intangible Costs
• Loss of Customer Goodwill/Trust
• Loss of Future Revenues Due to Reputation Damage
• Employee Downtime
RM: Security Breach Management
Pre-Breach Response Planning
• Identify Stakeholders
• Establish Analysis and Communication Protocols
• Evaluate Vendor Needs
• Remediation and Recovery Procedures
• Human Resource Involvement
• Testing (DRP)
Incident Analysis
• Breach Containment
• Damage Determination
• Legal Analysis
• Communication
Incident Disclosure
• Analyze Requirements (State and Federal Considerations)
• Consider All Notification Methods
• Third-Party Vendors for Notification and PR (?)
• Roll Out Notifications Over Time
Loss Mitigation
• Insurance Remedies
• Credit Monitoring
• Public Relations
• Customer Retention Plans
• Implementation of IT Upgrades
Communication & Remediation
• Public Relations
• Ongoing Marketing Efforts
• IT as Part of the Ongoing Solution
• HR Involvement TBD
Cyber Liability Marketplace
• Evolution of Cyber Insurance
• Who is in the Hot Seat?
• Risk Management and Underwriting Considerations
Evolution of Cyber Insurance
(ACI Insurance Regulation Conference, February 24, 2010)
Past: Internet and e-commerce
Present: Identity Theft and Privacy Regulations
Future: Social Media, Cloud Computing, Expanded BI (business interruption), Additional Regulation
Who is in the Cyber Hot Seat?
• Directors and Officers
• Accountants
• Insurance Brokers
• Lawyers
Risk Management and Underwriting Considerations
• Large Operations
• Smaller Operations
• Cloud Computing and Emerging Technology
• Media Savvy for Everyone
Risk Management and Underwriting Considerations
• Target of Choice or Opportunity?
• Security Question Answers Available from Facebook
• Basic Issues
  Employee awareness; limit use to business purposes
  Password security (administrators too!)
  Patch management
  Avoid using or keeping PII and PHI absent a need
  Paper records
  Adopt defenses to known attack methods
  Coverage gaps in traditional policies
• Media: Does coverage follow you where you publish?
Risk Management and Underwriting Considerations
Large Risk Underwriting Considerations
• Risk Selection: mix of industries, primary vs. excess
• Limits Management: aggregate, sub-limits
• Risk Analysis: complex insureds, evolving risk management practices
• Pricing: more claims experience, new exposures
• Coverage: expanding, customized
• Competition: new entrants, shifting appetites, additional services
Questions?