GSBA Risk Management Services GASBO Meeting Cyber-Risk for School Districts November 7, 2013.
GSBA Risk Management Services
GASBO Meeting
Cyber-Risk for School Districts
November 7, 2013
Reasons a Business Officer should NOT buy Cyber-Risk Insurance?
Your budgets are tight and will remain tight for the foreseeable future
Never had a claim involving a breach - at least you don’t think you have had one
Your IT folks assure you the District’s firewalls are sound and present no risk of penetration
I think we already have coverage somewhere else
New coverage being pushed by carriers but really no losses out there
I do not want to be the first one to buy the coverage
It is not on our radar screen – we will look at this next year
We have immunity from this type of loss
Agenda for Today
Why Cyber-Risk was developed and what does it protect
Your obligations under the law
Examine each reason why you should not buy Cyber-Risk Coverage
Outline the GSBA RMF evolving solution
Answer any questions
Why was Cyber-Risk Developed?
To protect your electronic assets in the new Cyber-Risk Protection Technological Revolution
No different than protecting buildings and other assets, except that the exposure to a loss is growing faster than you are building buildings
Cyber-Risk Protection: Privacy & Computer Security Protection
Privacy & Data Breach
Coverage has many names in the industry but basic risk is the same:
1. School district “mishandles” personal data, resulting in regulatory requirements to notify and monitor for some period of time the impact on those individuals affected by the “breach”; or
2. School district is hacked and the information is stolen, resulting in the same regulatory requirements to notify and monitor for some period of time the impact on those individuals affected by the “breach”, plus any potential liability resulting from the hackers stealing the data
What is Protected?
Personally Identifiable Information (PII): It is the combination of a person’s first name (or initial) and last name plus one or more of the following:
Social Security Number
Driver’s License Number
State ID Number
Account Number
Credit or Debit Card Number
Account Passwords or PINs or other access codes
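The definition above is a combination test, not a list of sensitive fields: a record only becomes notifiable PII when a name (first name or initial plus last name) appears together with at least one of the listed identifiers. The following Python is an added example, not part of the GSBA presentation, showing how a district might apply that test when scoping a breach, for instance to count how many individuals must be notified. The field names and the sample records are assumptions constructed for the example; matching real people across records is harder than the name-based de-duplication used here.

```python
# Added example (not from the GSBA/GASBO presentation): apply the slide's PII
# definition to a set of exposed records and count notifiable individuals.
# Field names and SAMPLE_RECORDS below are assumptions constructed for this example.

# Identifiers that, combined with a name, make a record PII per the slide.
IDENTIFIER_FIELDS = {
    "ssn": "Social Security Number",
    "drivers_license": "Driver's License Number",
    "state_id": "State ID Number",
    "account_number": "Account Number",
    "card_number": "Credit or Debit Card Number",
    "password": "Account Password",
    "pin": "PIN or other access code",
}


def _present(value) -> bool:
    """A field counts only if it holds something other than whitespace."""
    return bool(value) and bool(str(value).strip())


def has_name(record: dict) -> bool:
    """First name (a single initial is enough) AND last name must both be present."""
    return _present(record.get("first_name")) and _present(record.get("last_name"))


def present_identifiers(record: dict) -> list:
    """Sorted list of the identifier fields actually populated in this record."""
    return sorted(key for key in IDENTIFIER_FIELDS if _present(record.get(key)))


def is_pii(record: dict) -> bool:
    """PII = name combination plus at least one listed identifier."""
    return has_name(record) and bool(present_identifiers(record))


def scope_breach(records: list) -> dict:
    """Count PII records and de-duplicate them into notifiable individuals.

    De-duplication key is the normalised (first, last) name pair; this is an
    assumption for the example, real matching would use more than the name.
    """
    pii_records = [r for r in records if is_pii(r)]
    individuals = {
        (r["first_name"].strip().lower(), r["last_name"].strip().lower())
        for r in pii_records
    }
    return {
        "pii_records": len(pii_records),
        "non_pii_records": len(records) - len(pii_records),
        "notifiable_individuals": len(individuals),
    }


# Constructed sample data: a mis-sent spreadsheet with mixed content.
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"},            # PII
    {"first_name": "J.", "last_name": "Smith", "drivers_license": "X0000000"},   # initial + DL: PII
    {"first_name": "Bob", "last_name": "Jones", "phone": "555-0100",
     "email": "bob@example.invalid"},                                           # phone/email only: not PII
    {"first_name": "jane", "last_name": "DOE", "card_number": "4111111111111111"},  # same person as row 1
    {"first_name": "Ann", "last_name": "", "ssn": "000-00-0001"},                # no last name: not PII
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.get("first_name"), r.get("last_name"), "->",
              "PII" if is_pii(r) else "not PII", present_identifiers(r))
    print(scope_breach(SAMPLE_RECORDS))
```

The count of notifiable individuals, rather than raw rows, is the figure that matters for the notification duty and for the per-district retention thresholds described later in the deck.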
Threats to a School District
Internal Threats:
o Rogue employee who was fired and wants to “hurt” the School District
o “Idealist” who wants to “change” the School District policies by disrupting normal operations
o Accidental or careless staff who lose the data, either in paper format or electronically via a lost laptop
External Threats:
o Outside vendor or business associate with access to School District data who steals personal data sources
o Organized crime – both foreign and domestic
o Hackers or “Hacktivists” who do it “to change the world”
Threats to a School District
Technology:
o Viruses, SQL Injections, etc.
o Structural vulnerability to your network
o Employee use of Social Media / networking “opening the door” for hackers to enter your network
o Remote teaching putting strain on the security of your internal network firewalls
o Phishing
“Old School”:
o Dumpster diving for discarded papers that are not shredded
o Loss or theft of a laptop with personal data on it
Threats to a School District
Regulatory/Legal:
47 states now have breach notification laws
o Georgia is one of the 47 states and its law applies to any entity, government or private, that has a breach: the law requires that they notify the people affected by the breach – Georgia Personal Identity Protection Act of 2007
Many breaches do not develop into identity theft, but the notification and tracking requirement is very expensive to the School District
School nurses have to be especially careful with HIPAA information
At the present time, it is unclear how immunity would apply if the District were sued by a third party injured by a breach
Georgia Personal Identity Protection Act of 2007
O.C.G.A. 10-1-910 through 10-1-912
Amended to include public universities and other state and local agencies
Covers the unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality or integrity of PII
Can also apply if compromised information is sufficient to perform or attempt identity theft
What would you do if….?
Labor employee inadvertently e-mails personal info of more than 4,000 customers By Mike Morris
The Atlanta Journal-Constitution
State officials are scrambling to minimize the potential harm to more than 4,000 customers of the Georgia Department of Labor whose personal information was accidentally e-mailed to about 1,000 people.
“A document containing confidential information, including names and social security numbers, for 4,457 customers of the Cobb-Cherokee Career Center has inadvertently been e-mailed to approximately 1,000 people, primarily in Cobb and Cherokee counties,” the Labor department told AM750 and 95.5FM News/Talk WSB in a statement. “The e-mail occurred because of an employee error.”
The statement goes on to say that the department has notified recipients of the erroneous e-mail “and instructed them to immediately delete the file attached to the e-mail without opening it.”
The department also said in the statement that it will provide free credit monitoring services to all of the people affected.
Many of the customers contacted by WSB were upset by the erroneous e-mail, which also included ages, phone numbers and e-mails of those 4,457 people. …
Friday, September 6, 2013, Atlanta Journal-Constitution
Data Breach – More Recent Examples
Boston Public Schools, MA: August 2013
o 21,054 student files: ID numbers, name, age and a photo; sent families automated phone calls and letters
o A vendor that makes student ID cards lost a stick drive with the records
San Juan Unified School District, CA: May 2011
o 4,000 employees and former employees notified by letter
o Compromised personal information when an employee inadvertently uploaded all the information from a stick drive to a church website
Paulding County Schools, GA
o Phishing loss that was covered but entailed notification costs which were not covered
Cost of Breach
Ponemon Institute – 2013 Cost of a Data Breach Study
Studied breaches in 277 companies in nine countries over ten months in 2012
Average Cost per Record in US $188, second highest to Germany
Significantly lower per record in some sectors:
o Public Services: $81
o Education: $111
If you had 4,457 records released like the State of Georgia:
o On your own, based on the above cost projections, the cost is $494,727
o Cost of insurance is a premium based on size of district but works out to about $1 for each current student in the District
Reasons a Business Officer should NOT buy Cyber-Risk Insurance?
Your budgets are tight and will remain tight for the foreseeable future
o They are tight and it will cost more money but, as you will see shortly, very affordable – approximately one loss every 15 years payback
o Will cover not only current PII records (students, employees, & applicants) but will also cover historical records retained by the District
Never had a claim involving a breach - at least you don’t think you have had one
o Not a liability issue as much as an internal cost issue if you have a breach and need to comply with the law
o Buying the expertise on how to handle a breach, unlike the State of Georgia case
Your IT folks assure you the District’s firewalls are sound and present no risk of penetration
o Not an IT / Firewall issue – it is a mishandling issue
Reasons a Business Officer should NOT buy Cyber-Risk Insurance?
I think we already have coverage somewhere else
o Excluded under the GSBA RMF Coverage Agreement and ISO policy forms
o Intent is not to provide the coverage, but silent on some of the liability exposures
o Will be absolutely excluded as of 7/1/2014
New coverage being pushed by carriers but really no losses out there
o We’ve shown you some examples of actual losses
o Beazley has 2,500 policies and is expecting 800 breaches this year alone
o Few and far between, but when they happen they could be very large and confusing for the District involved
Reasons a Business Officer should NOT buy Cyber-Risk Insurance?
I do not want to be the first one to buy the coverage
o You are not – 12-13 districts are already buying from the GSBA RMF solution
It is not on our radar screen – we will look at this next year
o Perfectly acceptable to prepare and budget for it
o Be aware that full clarifying exclusions go into effect on July 1, 2014
o The current proposals provided to all GSBA RMF members are effective until 12/31/2013, and then new members will be re-evaluated as of July 1, 2014
We have immunity from this type of loss
o From a liability standpoint – probably; but from a first-party notification standpoint, you must comply with the law
The GSBA Solution
Conservative approach, but one based in making sure School Districts in Georgia have a competitive, broad coverage option to address this growing exposure
RMF has worked with Beazley, a prominent carrier in the Cyber Insurance space, to initially offer a group-purchased option for each School District in RMF
Over the next couple of years, RMF will assume some of the risk via the pool to make sure pricing remains stable and any underwriting profits accrue to the benefit of School Districts
Beazley will issue policies and has the infrastructure to guide a Member through any type of breach and how to help reduce the exposure of a breach
The GSBA Solution
The goal is to adopt the Beazley form into the RMF coverage document as of July 1st, 2014 so that we have an affirmative grant of coverage in the coverage document
For July 1st, 2013, coverage purchased will be on a stand-alone basis with a policy issued from Beazley
Quotes were provided in late June to all RMF Members
Quotes are open to bind through 12/31/2013 on a pro-rata basis
Even once the form is adopted into the RMF coverage document, and RMF assumes a layer of risk like it does now on the property and liability coverage lines, Beazley will provide the specialty claims and risk control services to the Members
The GSBA Solution
There are six coverage parts in the policy that has been negotiated with Beazley
In keeping with the pool approach, there is some sharing of limits amongst all the Members in exchange for more competitive pricing for each Member
Overview of Program Structure:
Coverage Part 1.A. – Information Security and Privacy Liability
o Liability to a third party as a result of a failure of your network security to protect against identified threats
o Liability to a third party as a result of the disclosure of confidential information
The GSBA Solution
Overview of Program Structure:
Coverage Part 1.B. – Privacy Breach Response Services
o Crisis Management and Identity Theft response services and expense coverage in order to comply with regulatory compliance issues
o This also includes the expense for retaining a crisis management firm to perform a forensic investigation to protect or restore the School District’s reputation as a result of a breach of privacy event
o Based on number of individuals to notify and not a limit of liability
Coverage Part 1.C. – Regulatory Defense and Penalties
o Fines and penalties associated with the School District’s violation of a Privacy Law related to an insured breach
Coverage Part 1.D. – Website Media Content Liability
o Expansion for Cyber exposures of the coverage provided under Personal Injury and School Leaders Liability coverage, but without some of the electronic means limitations
The GSBA Solution
Overview of Program Structure:
Coverage Part 1.E. – Crisis Management and Public Relations
o To pay for the Public Relations and Crisis Management expenses associated with the costs to manage a breach that gets into the public eye via newspaper, radio or television, in order to re-build the School District’s reputation or to avoid undue damage in the reporting of the breach event
Coverage Part 1.F. – PCI Fines and Costs
o Coverage for direct monetary fines and penalties owed by the School District under the terms of a Merchant Services Agreement, where the alleged breach was the result of non-compliance with the published PCI Data Security Standards
The GSBA Solution
Limits of Liability to Members:
Any one claim limit, combined from all sections except Privacy Breach Response Services, is $1,000,000
o Subject to no more than $500,000 from Regulatory Defense and Penalties and $50,000 each from Crisis Management and PCI Fines and Costs
o The overall RMF fund aggregate limits for all Members from all coverage lines except Privacy Breach Response Services is 10 times each of these limits ($10,000,000, $5,000,000, and $500,000 respectively)
For Privacy Breach Response Services, there is no limit of liability as the coverage is based on the number of Notified Individuals
o The RMF fund has an aggregate of 500,000 Notified Individuals, subject to sub-limits for the legal and forensic expense coverage part, which is limited to 250,000, and the foreign Notified Individuals extension, which is limited to 50,000
o Overall RMF fund aggregate limits are again 10 times
The GSBA Solution
Retention / Deductibles for Members:
Any one claim retention, combined from all sections except Privacy Breach Response Services, is $25,000
For Privacy Breach Response Services, the retention is broken into two parts:
o All costs and services under the legal and forensic services combined with the notification costs would be $10,000 combined, subject to a sub-retention of no more than $5,000 in legal expenses exposed
o Under the Call Center Services and Credit Monitoring Program, the retention of any expenses is limited based on the size of the district:
• Small Members, which are less than 1,000 FTEs, would be responsible for any breaches involving less than 25 individuals
• Medium Members, which are more than 1,000 FTEs but less than 10,000 FTEs, would be responsible for any breaches involving less than 50 individuals
• Large Members, which are those Members with more than 10,000 FTEs, would be responsible for any breaches involving less than 100 individuals
The GSBA Solution
Premium Brackets
Premium is based on FTE (current student and staff combined)
Includes coverage for alumni records even though alumni count is not included in the FTE for premium determination
Here are the proposed pricing ranges based on Student Enrollment (the last column is the count shown on the slide for each bracket):

Student Enrollment    Premium Range         Count
30,000 plus           $29,638 to $31,453    0
20,000 to 29,999      $24,432 to $28,227    0
10,000 to 19,999      $13,903 to $21,683    0
5,000 to 9,999        $7,111 to $11,504     2
2,500 to 4,999        $4,392 to $6,658      3
1,000 to 2,499        $1,942 to $4,005      4
999 or less           $500 to $1,628        3

GWP To-Date: $45,467
Conclusion
The exposure is here to stay
Computers and mobile devices that store personal information about your employees and your students are an integral part of your District
Accidental loss of, or criminal appropriation of, that personal information will continue to happen whether you have good firewall protection or not
Attacks are getting more frequent and more sophisticated
Accidents are getting more frequent as we ask staff to do more in a day than ever before
GSBA RMF and Beazley offer you broad coverage at a reasonable premium and a team ready to respond when necessary