"IS THIS YOUR FIRM’S IDEA OF DATA PRIVACY COVERAGE?"
Disclaimer
This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided.
Whether, and to what extent, a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued.
Please carefully review any policy and all endorsements delivered for the precise coverage terms.
Introduction
Foundation for Privacy Fears
• Privacy is a right
• Private information has value
• Technology has created new issues concerning breaches of privacy
• Privacy breaches can have a material impact on a company’s reputation
• Courts, legislatures and regulatory agencies are engaged in addressing privacy issues
• Highly publicized security breaches are in the news
Introduction
What are Data Theft and Privacy/Security Breaches?
• An organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information.
Risks and Recent Developments
Increase in Numbers of Incidents
Industry Issues
- FTC estimates nearly 10 million victims per year
- Many victims don’t know or don’t report
- Fastest growing white collar crime in America
- Average 175 hours and $1,500 to resolve per individual
- Tremendous media exposure
Common Types of Fraud
- Current credit – credit card, debit card, phone card
- Use of name and social security number:
  - Establish new credit
  - Commit other criminal activity
Sources of Data Breach
49% lost laptop or other device (USB flash drives…)
16% third party outsourcer/vendor
9% malicious insider
9% paper records
7% lost electronic backup
5% hackers, crackers, social engineers, “phishers”
4% malicious code
2% unknown
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC, 2007
Risks and Recent Developments
Increase in Numbers of Incidents
Data Breaches – Growing In Numbers!
Between January 2005 and February 6, 2009 –
252,308,777 records containing “sensitive personal information”
have been involved in security breaches!
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, posted April 20, 2005, updated February 9, 2009, www.privacyrights.org
Risks and Recent Developments
Prominent Examples
Recent high-profile data security breaches illustrate the nature of the risk
• Heartland Payment Systems, Inc. (100 million customer credit cards/debit cards) 2008 (This had a companion D&O suit)
• Hannaford Brothers (4.2 million credit cards/debit cards) 2008
• Certegy Check Services (4.2 million customers) 2002-2007
• TJX (94 million records) 2006-2007
• Choicepoint (150,000 records) 2005
• Bank of America (1.2 million federal employees) 2005
• DSW (100,000 customers) 2005
• Lexis/Nexis (32,000 records) 2005
Sources: Computerworld, Boston Globe, Tampabay.com, ZDNet and 11Alive.com
Risks and Recent Developments
Applicable Laws
California Security Breach Information Act (2003). Since passage, 47 states and territories have passed similar laws (http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm)
Essence of these laws is the requirement that companies storing personal information must promptly notify persons whose information has been accessed by an unauthorized person
In addition to costs of notification, these laws create potential civil liability if proper and timely notification of a data security breach is not given
Some states require notification to specific law enforcement and consumer credit reporting agencies
Risks and Recent Developments
Applicable Laws
Gramm-Leach-Bliley
Requires “financial institutions” to ensure the security and confidentiality of private financial information (includes all businesses that are “significantly engaged” in providing financial products or services)
HIPAA – Health Insurance Portability and Accountability Act
Regulations for use and disclosure of Protected Health Information, which is any information about health status, provision of health care, or payment for health care that can be linked to an individual
Covered entities are any health care related businesses that store or transmit health care data in a way regulated by HIPAA
The Security Rule of HIPAA deals specifically with Electronic Protected Health Information (EPHI).
Risks and Recent Developments
Applicable Laws
Fair Credit Reporting Act (FCRA)
Enacted to promote efficiency in the country’s banking system and to protect consumer privacy. See TRW, Inc. v. Andrews, 534 U.S. 19, 23 (2001)
Imposed obligations on three types of entities:
• Credit reporting agencies,
• Users of credit reports, and
• Furnishers of information to credit reporting agencies
Risks and Recent Developments
Applicable Laws
Fair And Accurate Credit Transaction Act (FACTA)
Amendment to FCRA
Key provisions focused on reducing exposure to identity theft and assisting consumers with credit problems
Requires truncation of credit card and social security numbers
Credit and Debit Card Receipt Clarification Act, June 3, 2008
Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions
Risks and Recent Developments
Applicable Laws
Red Flag Rule
Amendment to FCRA
Financial institutions and creditors must establish a written program to “detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts”
Creditors must develop a “Program” formalizing steps they intend to take to prevent identity theft by May 1, 2009
Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions
Risks and Recent Developments
Hypothetical Scenario #1
• Former employee of a financial institution provides accomplice with access to the financial institution’s secure network
  - Data includes sensitive personal information about company’s customers and employees
  - Thief also gains access to the financial institution’s external website
• 2 weeks later, company receives ransom note from thief
• 2 weeks later, thief hacks into company’s system causing company’s website to be down for 2 days with no ability to conduct online transactions
• Media learns of issue – widespread media attention results in cancellation and re-issuance of all client plastic cards; potentially affected members must be notified and provided with credit monitoring
• Various government agencies begin investigations
Risks and Recent Developments
Hypothetical Scenario #2
• Employee innocently opens an email supposedly from the company’s IT department
  - Email has malicious code embedded to surreptitiously control the employee’s computer
  - Outside hacker uses employee’s computer to launch additional attacks on the company’s backend network
• Hacker gains widespread access to company’s various databases including plastic cards
• Hacker emails company President with customer database, containing personal confidential information, and demands $500,000 or will publish an email link with this information.
Risks and Recent Developments
Scenarios 1 and 2 result in various potential losses
First Party Losses
Loss of Private Data
• Notification/credit monitoring costs
• Cost to change account numbers
• Publicity costs
• Business income loss
• Data restoration expenses
Cyber Extortion
• Ransom payments
• Other expenses
Third Party Losses
Customer Suits
• Customers alleging invasion of privacy
• Customers or other third parties alleging financial loss
Other Suits
• Regulatory actions/fines or penalties
Risks and Recent Developments
Costs / Claims / Losses
First Party Losses
• Cost of $197 / record compromised, consists of:
  - $128 lost business (lost customers/reduced orders)
  - $46 ex-post response (PR costs, credit monitoring)
  - $15 notification
  - $9 detection & escalation
Source: Ponemon Institute, LLC – “2007 Annual Study: Cost of a Data Breach”
Risks and Recent Developments
Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?)
• Failure to implement and maintain reasonable security procedures (Currently, actual harm and damages are hard to prove)
• Negligence (based upon regulatory/industry standards)
• Unfair, deceptive and unlawful business practices
• Invasion of the customer’s right to privacy
• Breach of fiduciary duty
• Breach of contract
• Fraud / Misrepresentation
• Multiple Class Action filings increasing
• New legal theories yet to come in pleadings
Risks and Recent Developments
Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?) (cont.)
• Loss of wages due to time taken to prove “identity theft” to MasterCard or Visa
• Expense of legal and other resources necessary to prove “identity theft” to MasterCard and Visa
• Loss of business advantage due to effect of fraudulent charges on FICO scores
• Damages claimed under applicable state privacy legislation
Where is the Insurance Coverage?
Comprehensive General Liability (CGL)?
Computer/Commercial Crime Form?
Directors and Officers Liability?
Professional Liability Policy?
Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)?
CGL: Covers liability for “Property Damage” to a third party
“Property Damage” = “physical injury to tangible property” as well as “loss of use of tangible property that is not physically injured”.
Open question: whether electronic data is covered as “physical damage to tangible property” or “loss of use of tangible property”.
Coverage B: Personal and Advertising Injury Liability
Oral or written publication, in any manner, of material that violates a person’s right to privacy.
Is the “loss” of data in electronic form on a database “oral or written publication of material”?
Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)? (cont.)
Professional Services exclusion (present on most General Liability policies) will apply if you are a financial institution:
“Financial Professional Services. We won’t cover injury or damage or medical expenses that results from the performance of or failure to perform any financial professional service.”
Breach of Contract exclusion (present on most General Liability policies):
“Breach of Contract. We won’t cover personal injury or advertising injury that results from the failure of any protected person to do what is required by a contract or agreement…”
Lack of Coverage in Traditional Policies
Crime?
Surety Association Computer Crime and ISO Commercial Crime policies generally exclude:
• Loss directly or indirectly from theft of confidential information
• Indirect or consequential loss of any nature
• Potential income, including but not limited to interest/dividends
Specific Financial Institution Crime Policies can include:
• E-theft: loss of money or securities as a result of fraudulent electronic communications from a third party, theft of confidential customer information
• Extortion, Business Income
• No 1st party losses
• Typically written with high deductible
Lack of Coverage in Traditional Policies
Directors & Officers Liability (D&O)?
D&O:
• Possible source of coverage for third party suits
• Possible source of coverage for regulatory suits
• No First Party coverage
• Exclusions for invasion of privacy or violation of any right of privacy may preclude coverage for the Corporate Entity, or for both the Corporate Entity and all Individual Insureds
Lack of Coverage in Traditional Policies
Errors & Omissions Liability (E&O)?
E&O:
• For wrongful acts committed solely in the conduct of the Insured’s “Professional Services”
• Policies may include coverage for negligence in failing to maintain confidentiality/security of customers’ information, invasion of privacy, unauthorized access/unauthorized use, introduction of malicious code
Insurance Coverage Options
First Party
Overview – covers direct first party losses that an insured may incur in connection with an incident.
A. Data recovery expenses (costs to recover data)
B. Business interruption expenses – covers business income loss and certain extra expenses the insured incurs during the “Period of Recovery of Services” due to the actual impairment or denial of operations resulting directly from fraudulent access or transmission
• Sometimes available by endorsement
• Sublimits can apply
Insurance Coverage Options
First Party (cont.)
C. Privacy Notification Expenses – means the reasonable and necessary cost of notifying those persons who may be directly affected by the misappropriation of a record
• Costs relating to changing their account numbers, other identification numbers and security codes; and
• Costs of providing them, for a stipulated period of time and with the prior approval of the company, with credit monitoring or other similar services that may help protect them against fraudulent use of the record
Insurance Coverage Options
First Party (cont.)
D. Pre-claim forensic costs to investigate a security breach
• Example: “Claim Expenses” means all other legal costs and expenses resulting from the investigation…of a circumstance that might lead to a claim with the prior written consent of the underwriters
• Example: “Loss” does not include any amount incurred by an insured in the defense or investigation of any action, proceeding, demand or request that is not then a claim, even if such matter subsequently gives rise to a claim
E. Crisis Management expenses
• Sublimits may apply
• See consent / procedural requirements
Insurance Coverage Options
Third Party Privacy
Overview – covers sums the insured is legally obligated to pay to third parties as damages and claims expenses as a result of a privacy breach or breach of privacy regulations.
A. Regulatory Coverage
• See scope of definitions of “claim”
• Some policies may only cover regulatory defense costs
B. Regulatory Civil Penalties
• HIPAA, Gramm-Leach-Bliley Act, state privacy protection laws and privacy provisions of FCRA impose civil penalties
• Check definition of “loss” or “damages” for exclusions
• Example: Damages includes a penalty or sanction imposed by a federal, state or local regulatory body against you as a result of a privacy breach or the breach of a privacy regulation by you as a person, including an independent contractor, for which you are legally responsible
Insurance Coverage Options
Third Party Privacy (cont.)
C. Personal Injury Coverage
• See wording of exception to personal injury exclusion for scope
• Are claims for emotional distress, mental anguish included?
D. Privacy Breach Coverage (non-regulatory)
• Common law breach of privacy or confidentiality
Insurance Coverage Options
Network Security
Overview – Covers sums that the insured is legally obligated to pay as damages and claims expenses arising out of computer attacks caused by failures of security, including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability.
A. Unauthorized access (hacker attack) to the insured’s computer systems
B. Unauthorized use of the insured’s and the insured’s customers’ computer systems by an authorized person or third party
C. Independent contractor – Vendor coverage (acts of outside vendors)
• Example: Coverage for “your wrongful acts”, where “your” does not include independent contractors
• Example: Coverage for wrongful acts by any insured, where insured includes independent contractors who are natural persons and are acting within the written scope on behalf of the named insured
Insurance Coverage Options
Network Security (cont.)
D. Denial of service attack (third parties cannot access insured’s website)
E. Transmission of computer virus
Insurance Coverage Options
Internet / Media Liability (optional coverage)
• Electronic content coverage: Information disseminated on website, including extension for Copyright / Trademark
  Example: Coverage for injury sustained by a third party because of the actual or alleged infringement of a trademark name, copyright, the name of a title or the title of an artistic or literary work from information on website
• Personal Injury
• Advertising Injury (of company’s own products but only in electronic format)
Insurance Coverage Options
Cyber Extortion
• Expenses incurred in responding to an extortion demand
• Extortion payment (not all forms cover)
• Policies have prior consent provisions
Insurance Coverage Pitfalls
Watch The Exclusions!
A. Some policies exclude coverage for “claims” related to the insured’s failure to maintain or upgrade their security
• Example: No coverage arising out of or resulting from the failure of computer systems or data assets to be protected by computer security equal to or superior to that disclosed in response to specific questions in the application
B. Some policies exclude coverage for “claims” alleging fraudulent or malicious acts by employees
• Example: “Privacy Peril” does not include any intentional, fraudulent, criminal or malicious act, error or omission if committed by any employee if any elected or appointed officer possessed any knowledge of the act
Insurance Coverage Pitfalls
Watch The Exclusions! (cont.)
C. Some policies exclude certain operations of the insured, or may not cover various types of computer or peripheral devices
• Example: No coverage for theft of data via laptops unless whole-disk encryption or equivalent-grade encryption is used
D. Some policies will not cover actions of independent contractors working on behalf of the Insured
Key coverage to look for in Policies
Privacy Breach Coverage
• Coverage includes Employee Personal Information
• Regulatory defense
• Regulatory civil monetary penalties and fines?
• Breach of privacy regulations/laws?
Key coverage to look for in Policies
Network Security Coverage
• Unauthorized Access
• Unauthorized use (rogue employee)
• Denial of service attacks on systems of third parties
• Transmission of malicious code/virus to third parties
• Identity theft/theft of data
• Inability of authorized third party to access insured’s computer systems
• Damage, destruction, deletion, tampering or alteration to electronic data of third parties
• Data in any form other than electronic (loss of paper records, e.g., dumpster diving)
• Data definition extended to private, proprietary confidential corporate information
• Theft of laptops (laptops do not have to be encrypted)
Key coverage to look for in policies
Extortion Coverage
• Expenses only
• Ransom payments
Crisis Management Expenses
• Public relations expenses
• Notification expenses
• Credit monitoring costs
• Forensic systems investigations
• Crisis management expenses limited only to breach of privacy or breach of privacy regulations
Key coverage to look for in policies
First Party Data Protection or E-Vandalism Expenses
• Costs or expenses vary by form (generally incurred to restore, remediate, or replace damaged, deleted, destroyed or inaccessible data)
First Party Network Business Interruption
• Extra expenses during restoration
• Business income loss
Independent Contractors
• Insured protected if I.C.’s commit wrongful act
• Coverage extended to I.C.’s
Risks That Could Impact Client Companies
Potential Risk Event | Likelihood (Low Med High) | Potential Impact (Low Med High)
Costs to repair damage to your information assets | |
Privacy regulatory action defense and fines | |
Privacy breach notification costs & credit monitoring | |
Legal liability to others for privacy breaches | |
Damage to 3rd party information assets | |
Website copyright/trademark infringement claims | |
Risks That Could Impact Client Companies (cont.)
Potential Risk Event | Likelihood (Low Med High) | Potential Impact (Low Med High)
Wrongful acts by independent contractors | |
Need to engage crisis management firm if an incident occurs | |
Regulated Industry? Identify any unique risks / regulations | |
Cyber Extortion threat | |
Loss of revenue due to a failure of security at a dependent technology provider | |
Loss of revenue due to a failure of security or computer attack | |
Contact:
Cliff [email protected]
425.709.3705