Cyber Attacks and Privacy Claims: Litigation, Insurance and
Crisis Management
Rick Bortnick | Scott Godes | Art Boyle | Mark Greisiger
About the Firm
Cozen O’Connor, founded in 1970, delivers legal services on an integrated and global basis with 575 attorneys in 22 cities and two continents. Their lawyers counsel clients on their most sophisticated legal matters in all areas of corporate and regulatory law as well as litigation.
Richard J. Bortnick, Cozen O’Connor, 1900 Market Street, Philadelphia, PA 19103. Tel.: (215) [email protected]
cyberinquirer.com | twitter.com/cyberinquirer | linkedin.com/pub/richard-j-bortnick/1/690/143
About the Firm
Dickstein Shapiro LLP, founded in 1953, is internationally recognized for its work with clients, from start-ups to Fortune 500 corporations. Dickstein Shapiro is U.S. News & World Report’s “Law Firm of the Year” for Insurance Law for 2011-2012.
Scott N. Godes, Dickstein Shapiro LLP, 1825 I Street, NW, Washington, DC 20006. Tel.: (202) [email protected]
corporateinsuranceblog.com | twitter.com/insurancecvg | linkedin.com/in/scottgodes
About the Firm
Radian, which is headquartered in Philadelphia, connects lenders, homebuyers, investors and loan servicers using a suite of private mortgage insurance and related risk management products and services. The company helps promote and preserve the tradition of homeownership while protecting lenders from default-related losses on residential first mortgages. It also facilitates the sale of low-downpayment mortgages in the secondary market. Radian Group Inc. is traded on the New York Stock Exchange under the symbol RDN.
Art Boyle, Vice President – Enterprise Risk Management, Radian Group, Inc., 1601 Market Street, Philadelphia, PA 19103. Tel.: (215) [email protected]
http://www.linkedin.com/pub/art-boyle/7/96a/257
About the Firm
NetDiligence® is a Cyber Risk Management company. For the past 12 years NetDiligence has been offering cyber risk assessment services to Risk Mgrs. NetDiligence supports the loss control needs of many US and UK insurers that offer cyber risk coverage (aka ‘privacy insurance’). Mr. Greisiger is a frequently published contributor for various insurance & risk management publications on similar topics. (Write me to receive our monthly cyber risk newsletter.)
Mark Greisiger, President, NetDiligence®, Corporate Headquarters, Philadelphia, PA. Tel.: (610) [email protected]
http://www.linkedin.com/pub/mark-greisiger/3/b05/475
Notable Cyber Risks and Events – Global Payments
3rd Party?
1st Party?
How real? No One Is Immune
Date    Company
Jan-11 Pentagon Federal Credit Union
Dec-11 Sovereign Bank
Nov-11 AARP
Oct-11 CitiBank
Oct-11 State Farm Insurance
Oct-11 Farmers Insurance
Sep-11 Morgan Keegan & Company
Sep-11 JP Morgan Chase Bank
Aug-11 Aon Consulting
Aug-11 Wachovia Bank
Aug-11 MetLife
Jun-11 Anthem Blue Cross, Wellpoint
Feb-11 Equifax
Feb-11 Ceridian
Sep-11 Bernard Madoff Investors
Aug-11 American Express
Apr-11 Federal Reserve Bank of New York
Jan-11 Heartland Payment Systems
Sep-11 State Farm Insurance
Aug-11 Countrywide
Jun-11 United Healthcare
Year    Number Affected    Companies
2011 100,000,000 Sony
2010 3,300,000 Educational Credit Management
2010 600,000 Citigroup
2009 130,000,000 Heartland Payment Systems
2008 4,200,000 Hannaford Brothers Co
2007 94,000,000 TJX Companies Inc.
2007 25,000,000 HM Customs and Revenue
2007 8,500,000 Fidelity National Information Services
2007 6,300,000 TD Ameritrade
2006 26,500,000 U.S. Department of Veterans Affairs
2005 40,000,000 Visa, CardSystems, Mastercard, AMEX
…Sampling of live events
Notable Recent Cases - Defense
• Katz v. Pershing, LLC – “The innovations and problems of the electronic age have created new challenges for the courts. But venerable principles of our jurisprudence can guide us on this frontier. This case is illustrative: the plaintiff has asserted a litany of novel harms under freshly inked laws, but the irreducible minimum requirements of pleading and Article III doom her case.”
• Paul v. Providence Health System-Oregon – “plaintiffs failed to state a legally sufficient claim for negligence or under the UTPA.”
Notable Recent Cases - Plaintiffs
• Anderson v. Hannaford Bros. – “two forms of mitigation damages . . . are cognizable under Maine law and we reverse . . . dismissal of the plaintiffs’ negligence and implied contract claims as to those damages”
• Claridge v. RockYou, Inc.
– “breach of his PII has caused him to lose some ascertainable but unidentified ‘value’ and/or property right inherent in the PII.”
– “Online gaming firm will pay $250,000, submit to independent audits for 20 years after exposing data on 30 million users” (ComputerWorld.com)
• Krottner v. Starbucks Corp. – increased risk of identity theft constitutes an injury-in-fact
Types of First-Party Loss
• Hardware or Software Malfunction
• Data Corruption
• Denial of Service Attack
• Extortion
• Forensics
Types of Third-Party Claims and Liabilities
• Copyright/Trademark Infringement
• Data Privacy Breach
• Internet Media Liability (e.g., Defamation)
• Unauthorized Access/Unauthorized Use (e.g., Third Party Data Corruption, Denial of Service Attack)
• Statutory Liability (Federal and State Privacy Laws)
What is a “Privacy Breach”?
• Violation of posted Privacy Policy
• Violation of State or Federal Law
• Involves PII, non-public data, or paper records
• Unencrypted Data
• Holds potential for identity theft
• May occur in:
– Systems (server farms)
– Facilities (dumpsters)
– Stolen laptops or mobile devices
What are the Causes of Loss? (Per Ponemon Institute)
• 35% lost laptop
• 21% third party/outsource
• 19% electronic backup
• 9% paper records
• 9% malicious insider
• 7% hacker
Who are the Breach Perpetrators?
• Employees
– Intentional
– Unintentional
• Unknown Third Parties
– Hackers
– Crackers
– Hacktivists
• Business Partners
Typical Allegations In a Privacy Breach (Class Action) Lawsuit
• Failure to protect customer information/privacy
• Reduction in value of claimants’ PII
• Failure to notify/timely notification
• Cost to reissue payment cards/open new accounts
• Cost of fraudulent purchases
• Consumer Redress: credit monitoring/identity theft insurance
• Regulatory Actions: fines and penalties
Identity Theft Victims
• 11.6 million adults in 2011 (increase of 13% over 2010)
• Total amount of fraud = $37 billion
• 1 in 10 consumers already victimized
• Source: Javelin Research
Costs of a Data Breach
• 2011 average total cost per incident (among surveyed companies) = $5.5 million to $7.2 million, depending on whose study you read
• 2011 per record cost (among surveyed companies) = ~$194.00, depending on the cause and impact
• Sources: Ponemon Institute and NetDiligence survey
Federal and State Laws
• SEC Guidelines, published October 13, 2011
• Federal and state laws require businesses to maintain adequate data security and to destroy data containing Personal Identifiable Information or Personal Health Information
• Notification statutes require disclosure in certain circumstances where Personal Identifiable Information or Personal Health Information has been obtained by an unauthorized third party
What Is Personal Identifiable Information?
• Generally defined as including any combination of the following:
Name; address; telephone number; electronic mail address; fingerprints; photographs or computerized images; a password; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; date of birth; medical information; financial information; tax information; disability information; and zip codes (depending on the state).
SEC CF Disclosure Guidance: Topic No. 2: CYBERSECURITY
“appropriate disclosures may include: . . . Description of relevant insurance coverage.”
SEC CF Disclosure Guidance: Topic No. 2: CYBERSECURITY
Risk Factors
– Tailor to company’s individual facts and circumstances; avoid “boilerplate” disclosures.
– Disclosures that may be appropriate include:
• The company’s business or operations that give rise to cybersecurity risk;
• Outsourced functions that have material cybersecurity risks, including how the company addresses those risks;
• Cyber incidents that the company has experienced, including costs and consequences;
• Cyber risks that may remain undetected; and
• Relevant insurance held by the company.
Examples of Federal Statutes Protecting a Person’s Privacy
• Gramm-Leach-Bliley Act
• Driver Privacy Protection Act
• Health Insurance Portability and Accountability Act
• Electronic Communications Privacy Act of 1986
States With Breach Notification Laws
Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming
Typical Requirements of State Breach Notification Laws
• Generally require written notification to affected individual in the event of a security breach
• Each state varies in:
– the definition of what constitutes a breach
– the definition of Personal Identifiable Information (only a few states include Personal Health Information)
– whether a risk of harm standard applies
– content requirements for notice
– authorities that must be notified
– available penalties and private rights of action
States With No Breach Notification Law
• Alabama
• Kentucky – HB 581 introduced on March 2, 2010
• New Mexico
• South Dakota
Cost of a Data Breach
DIRECT COSTS: Notification; Call Center; Identity Monitoring (credit/non-credit); Identity Restoration; Discovery / Data Forensics; Loss of Employee Productivity
INDIRECT COSTS: Restitution; Additional Security and Audit Requirements; Lawsuits; Regulatory Fines; Loss of Consumer Confidence; Loss of Funding
[Chart: direct vs. indirect cost components; bar values $73.00 and $141.00]
Cost per record: $214 (2010) (up $10 from 2009)
© Ponemon Institute 2011
NetDiligence® Cyber Risk Claims Study
Highlights of Findings (losses actually paid out by insurers)
• Collected from insurers data on actual data/privacy breach claims based on the following criteria:
– The victimized organization had some form of cyber or privacy liability coverage
– A legitimate claim was filed
• Analyzed data in terms of types of events and their associated costs
• 117 data breach claim events were submitted for our study
• Data at Risk
– PII is the most frequently exposed data (37% of breaches), followed by PHI (21% of breaches)
– Credit card information accounts for a whopping 88% of records exposed
• Cause of Loss
– Hackers are the most frequent cause of loss (32%), followed by rogue employees/contractors (19%)
• Sectors at Risk
– Healthcare is the sector most frequently breached (24%), followed by Financial Services (22%)
Highlights of Findings
Costs (at-a-glance)
– Average cost* per breach was $2.4 million
– Average cost* per record was $5.00
– Legal (Defense & Settlement) represents the largest portion of costs incurred
• Average Cost of Defense $500K
• Average Cost of Settlement $1 million
– Crisis services costs (forensics, notice & credit monitoring) avg $800k (combined) per event
[Chart: % of Breaches by Data Type – segments 37%, 21%, 21%, 16%, 5%]
[Chart: % of Breaches by Cause of Loss – segments 19%, 19%, 32%, 8%, 15%, 7%]
[Chart: Average Cost per Breach (Hundred Thousands)]
Typical First-Party Coverages
• Digital Asset Expenses
• Business Interruption Income Loss and Dependent Business Interruption Income Loss Coverage
• Network Extortion Threat and Reward Payments Coverage
Typical Third-Party Coverages
• Network Security Liability Coverage
• Privacy Liability Coverage
• Media Liability Coverage
• Technology Liability Coverage
• Miscellaneous Professional Liability Coverage
Personal and Advertising Injury Coverage
• Cyber privacy claims may implicate personal and advertising injury coverage
– Right to Privacy
– Defamation
– Scope of Publication
– Social Media
– Copyright and Trademark Issues
Other Insurance and Overlapping Coverage
• Liability coverage may overlap and converge with other insurance products
– Part A of CGL Policies
– Part B of CGL Policies
– Pure Cyber and Technology Policies
– Professional Liability Policies
– Crime and Fidelity Policies
– Directors and Officers Liability Policies
– First-Party Property Policies
– Business Interruption Policies
– EPLI Policies
– Kidnap, Ransom, Extortion Policies
Other Insurance and Overlapping Coverage
• Scope of Duty to Defend
• Allocation of Defense Costs
• Damages Covered under Each Form
• Implications of “Other Insurance” Clauses
• Scope of Duty to Pay under Pure Indemnity Policies
Common Weak Spots
• PROBLEM 1) IDS or ‘Intrusion Detection Software’ (bad guy alert system)
– Studies show that 70% of actual breach events are NOT detected by the victim company but by third parties (and many more go undetected completely).
– FTC and plaintiff lawyers often cite ‘failure to detect’
– Vast data: a company’s IDS can log millions of events against its network each month
– False positives: 70%
• PROBLEM 2) Patch Management – Challenges:
– All systems need constant care (patching) to keep bad guys out.
– Complexity of networking environments
– Lack of time: Gartner Group estimates that “IT Managers spend an average of 2 hours per day managing patches.”
• PROBLEM 3) Encryption (of private data)
– Problem spans all sizes & sectors.
– ITRC (Identity Theft Resource Center): only 2.4% of all breaches had ‘encryption’
– Issues: budgets, complexities and partner systems
– Key soft spots: data ‘at rest’ in databases and, to a lesser extent, laptops
– Benefits: safe harbor (usually)
• Plan for the loss
– CFO must understand that data / network security is NEVER 100%. It’s really not if but when.
– 4 Legs of Traditional Risk Mgmt:
• Eliminate: e.g., patch known exploits, encrypt laptops, etc.
• Mitigate: e.g., dedicated security staff; policies; IDS/IPS; etc.
• Accept: e.g., partner SLAs, capabilities (trusting their assurances)
• Cede: residual risk via privacy risk insurance
Wide-Angle Assess Safeguard Controls Surrounding:
– People: they seem to ‘get it’… proper security budget and vigilant about their job!
– Processes/Policies: enterprise ISO 27002, HITECH ready; employee education/training; change management processes, breach response plan etc.
– Technology: proven IDS/IPS capabilities, DLP solutions, hardened & patched servers (tested), full encryption of PII.
Strategies for Risk Managers
Are you at risk? Ask your team:
• Has your firm ever experienced a data breach or system attack event? Some studies show 80-100% of execs admitted to a recent breach incident
• Does your organization collect, store or transact any personal, or financial or health data?
• Do you outsource any part of computer network operations to a third-party service provider?
Your security is only as good as their practices and you are still responsible to your customers
• Do you use outside contractors to manage your data or network in any way?
The contractor, SP, Biz partner is often the responsible party for data breach events
Are you at risk? Ask your team:
• Do you partner with entities and does this alliance involve the sharing or handling of their data (or your data) or do your systems connect/touch their systems?
You may be liable for a future breach of their network and/or business partners often require cyber risk insurance as part of their requirements
• Does your posted Privacy Policy actually align with your internal data management practices?
If not you may be facing a deceptive trade practice allegation
• Has your organization had a recent cyber risk assessment of security/ privacy practices to ensure that they are reasonable and prudent and measure up with your peers?
Doing nothing is a plaintiff lawyer’s dream. It is vital for the Risk Mgr to know whether your practices are reasonable and in line with your peers and the many regulations.