Managing Cyber Risks
Threats, Risk Management & Insurance Principles

Brian J. Courtney, RPLU, AAI
The Safegard Group, Inc.
100 Granite Drive, Suite 205
Media, PA 19063
610.892.7688
[email protected]

Legal Disclaimer
This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not, or to what extent, a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued. The precise coverage afforded is subject to the terms and conditions of the policies as issued.

Brian J. Courtney, RPLU, AAI
Brian Courtney joined The Safegard Group, Inc. in April 2005 and serves as a Producer and the Healthcare Practice Leader for the company. He is primarily responsible for the direction of client services to the healthcare industry. Brian began his career at the height of the medical malpractice crisis. Working with a large regional insurance broker, Brian served with the healthcare practice leader, helping hospital systems and physician groups obtain medical malpractice coverage. Prior to joining The Safegard Group, Brian worked at a large national insurance brokerage firm, where he gained considerable experience in healthcare risk management serving the needs of large physician groups, long-term care facilities, home healthcare providers, and allied health professional organizations. Brian has completed the Registered Professional Liability Underwriter (RPLU) program, which was developed by the Professional Liability Underwriting Society as a specialized curriculum completely dedicated to professional liability risk management. Professionals who wish to obtain the RPLU designation are required to complete a rigorous 13-course curriculum comprised of eight core courses and five specialization courses.
Brian chose to specialize in the following areas:
• Advanced Healthcare Professional Liability
• Cyber Risk
• Employment Practices Liability
• Directors & Officers Liability
• Crime
As the designation suggests, RPLU professionals are recognized as having the highest level of professional liability expertise to help their clients manage their risk and protect their assets. Currently, Brian is helping many of his clients with Cyber Risk Management initiatives, such as Risk Assessments, Data Breach Incident Response Planning, Contractual Risk Transfer, Insurance Protection and a host of other related services.
Brian lives in Downingtown, Pennsylvania with his wife Erin and three kids, Aidan, Carter & Chase. He is active in the community, volunteering his time with the Lionville Youth Soccer Association and Brandywine Health Foundation. He is also an avid fitness/thrill seeker, recently competing in the Spartan Races, which were voted the 2012 Best Obstacle Course Race by Outside magazine.

Brian Courtney
Expert in Risk Management and Loss Prevention???
Big believer that you should avoid risk AT ALL COSTS

True or False
Large corporations are typically the targets for hackers.
FALSE
A joint study by the U.S. Secret Service and Verizon Communications’ forensics analysis unit paints a frightening picture. 482 of the 761 data breaches the unit investigated in 2010 (63%) occurred at companies with 100 or fewer employees. 73 percent of small-to-middle-sized companies experienced a cyber attack in 2010, and 30% of those attacks were extremely effective, according to Symantec, a software security developer.

True or False
Small businesses (fewer than 100 employees) are required to abide by data breach laws.
TRUE
From the Federal Trade Commission website: For many companies, collecting sensitive consumer and employee information is an essential part of doing business. It’s your legal responsibility to take steps to properly secure or dispose of it.
Financial data, personal information from kids, and material derived from credit reports may raise additional compliance considerations. In addition, you may have legal responsibilities to victims of identity theft, regardless of the size of your company or your line of work.

True or False
Only certain industries have to worry about Cyber Security risks.
FALSE
While I would agree that certain industries are more at risk than others, every industry holds sensitive data in some form or another. Also, there is more to Cyber risk than just a data breach. Therefore, all industries have Cyber Security risks.

What Are Cyber Risks?
• Violation of privacy policies
• Transmission of viruses to other systems
• Programming errors
• Theft, corruption, or destruction of data or computer systems
• Hacking
• Abuse of access to networks by employees
• Copyright or trademark infringement
• Denial of Service attacks
Source: Professional Liability Underwriting Society www.plusweb.org

What Activities Create Cyber Risk?
• Data storage on networks
• Credit card processing
• Online payment processing (other than credit cards)
• Internet connectivity
• E-commerce
• Business websites and Internet advertising
• Customer forums and support (help) message boards
• Internet Service Providers
• Website design
• Development of hardware and software
• Providing content or media
• Consulting
• Providing technical services, equipment and support
Source: Professional Liability Underwriting Society www.plusweb.org

Who Regulates the Cyber World?
• Federal Trade Commission (FTC)
• Federal Bureau of Investigation (FBI)
• Fair and Accurate Credit Transactions Act (FACTA)
• Gramm-Leach-Bliley Financial Services Modernization Act
• Health Insurance Portability & Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Sarbanes-Oxley Act (SOX)
• State Privacy Breach Legislation
Source: Professional Liability Underwriting Society www.plusweb.org

Cyber Laws
• Copyright Law – Digital Millennium Copyright Act
• Trademark Law – Lanham Act
• Defamation
• Privacy – HIPAA/HITECH, GLBA, State Laws
Source: Professional Liability Underwriting Society www.plusweb.org

The Risks Today
• Websites
• IP Infringement & Libel
• Privacy Risk

Cyber Exposures – First Party Risks
• Data Storage
• Business Interruptions
• Fraud & Theft
• Extortion
• Crisis Management
Source: Professional Liability Underwriting Society www.plusweb.org

Cyber Exposures – Third Party Risks
Intellectual Property
• Copyright
• Trademarks
• Trade secrets
• Patents
Privacy & Customer Data
• Security Breaches
• Liability
• Phishing & Pharming
Professional E&O
• Internet provider
• Application service provider
• Web hosting
• Network equipment
• Programmers
• Website designers
• Data warehouses
• Consultants
Source: Professional Liability Underwriting Society www.plusweb.org

Personal Identifiable Information (PII)
Definition: as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
First or Last name in combination with:
– Social Security number
– Driver’s license number
– Financial account number
– Credit, debit, or payment card number

Protected Health Information (PHI)
As defined by HIPAA, “any information, whether oral or recorded in any form or medium” that
• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, and
• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

What Is a Data Breach?
Unauthorized access to protected information
– Hacking
– Rogue Employees
– Negligence
– Rogue Vendors

The Value of Stolen Data
[Chart not reproduced in the extracted text.]
Source: Symantec Corporation, “Report on the Underground Economy,” July ’07 – June ’08

Data Breach Example
Date Made Public: February 12, 2011
Name (Location): Cincinnati Children’s Hospital
Number of Records: 60,000
Type of Breach: Mobile Device
An employee’s newly issued, unencrypted laptop was stolen out of a car. Although the covered entity had a policy of encrypting its computers, an investigation revealed that new computers were not encrypted before they were given to employees. The laptop contained the protected health information (PHI) of approximately 60,000 individuals. The PHI stored on the laptop included names, medical record numbers, and services received at the covered entity. Following the breach, the covered entity notified its clients by letter of the incident, placed notice on various websites and in The Cincinnati Enquirer, and established a new internal procedure whereby all new computers would be encrypted before they are given to employees.
Source: Department of Health & Human Services www.HHS.gov

Data Breach Cost Calculation
Forensic Investigation: $32,200
Security Remediation: $112,200
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $160,998
Customer Notification: $60,998
Call Center: $4,575
Credit Monitoring: $152,500
ID Fraud Remediation: $60,998
Public Relations Service: $20,000
HHS Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $76,248
TOTAL: $1,940,712
Source: eRiskHUB www.eriskhub.com

Another Data Breach Example
Date Made Public: May 16, 2008
Name (Location): Chester County School District
Number of Records: 55,000
Type of Breach: Stationary Device
A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people was accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches www.privacyrights.org

Data Breach Cost Calculation
Forensic Investigation: $75,000
Security Remediation: $155,000
Data Breach Law Legal Guidance: $10,000
eDiscovery Litigation: $0
Customer Notification: $55,000
Call Center: $4,125
Credit Monitoring: $137,500
ID Fraud Remediation: $55,000
Public Relations Service: $20,000
FTC Fines: $750,000
State AG Fines: $500,000
Legal Defense & Damages: $0
TOTAL: $1,761,625
Source: eRiskHUB www.eriskhub.com

One More – Manufacturing???
Date Made Public: February 13, 2012
Name (Location): Combined Systems
Number of Records: Unknown
Type of Breach: Hacking
A hacker or hackers accessed the Combined Systems website and shut it down. The hackers claim to have struck in honor of the anniversary of the February 14, 2011 Bahrain uprising and to have wiped out the company’s web servers. Administrator logins, customer data, and emails were posted online.
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches www.privacyrights.org

2011 Data Breaches by Industry
[Chart; values as labelled:]
Medical 34%
Other 16%
Retail 15%
Government 14%
Education 11%
Financial Services 8%
Non-Profit 3%
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches www.privacyrights.org

2011 Data Breaches by Type
[Bar chart; categories: Unintended Disclosure, Hacking or Malware, Payment Card Fraud, Insider, Physical Loss, Portable Device, Stationary Device. Bar values shown: 24%, 20%, 16%, 14%, 14%, 9%, 2%; the pairing of values with categories is not recoverable from the extracted text.]
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches www.privacyrights.org

State Statutes
Currently, 47 other states have enacted some type of security breach notification legislation, including: Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Maine, Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, Washington and Wyoming.
Some states have laws that require breaches to be reported to a centralized database, including: Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).
Other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests, including: California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin.
For details, see the Open Security Foundation DataLossDB website: www.datalossdb.org

Massachusetts General Law 93H
“Every person that owns, licenses, stores or maintains personal information about a resident of the commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.”

Massachusetts – Effective March 1, 2010
• Requires encryption of confidential data when it is on a mobile device
• Includes additional, robust security requirements for holders of personal information of Massachusetts residents

Pennsylvania State Law 73 P.S. § 2303 Notification of a Breach
(a) General rule. – An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and un-redacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Except as provided in section 4 or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.
(b) Encrypted information. – An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
(c) Vendor notification.
– A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.

Pennsylvania State Law 73 P.S. § 2305 Notification of Consumer Reporting Agencies
When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the timing, distribution and number of notices.

Delaware Law § 12B-102 Notification of a Breach
(a) An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information about a resident of Delaware shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Delaware resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
(b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Delaware resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.
(c) Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

Delaware Law § 12B-103 Compliance Procedures
(a) Under this chapter, an individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter, is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system.
(b) Under this chapter, an individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs.
The “Perfect Storm”
First Party
Loss of Private Data
• Notification Costs
• Publicity Costs
• Crisis Management Expenses
Business Continuity Expense
• Extra Expenses to continue operations
• Business Income loss
Cyber Extortion
• Ransom Payment
• Other Expenses
Third Party
Client Suits – Privacy
• Suits from clients alleging negligence in protecting information and other causes of action
Client Suits – Denial of Service
• Suits from clients alleging negligence in protecting the network against denial of service

Breach Related Expenses
Notification
• Crafting letter or other notification
• Printing or design
• Mailing or other transmission
Public Relations
• Advertising & Press Releases
• Call Center Operations
• Other Services for Affected Persons: Credit Monitoring
Forensics
• Cost of Forensic Examination
• Cost To Remediate Discovered Vulnerabilities
Legal
• Legal Expenses for Outside Attorney
• Response to Claims or Suits
• Payment of Judgments or Settlements

Trends in Data Breach Costs
From a U.S.-based study of 49 companies in 14 different industries; the number of breached records per incident ranged from 4,500 to 98,000.
• The organizational cost has declined from $7.2M to $5.5M
• Cost per record has declined from $214 to $194
• Lost business due to a breach averages $3.01M
• Detection and escalation costs declined from $460K to $433K
• Cost to notify victims increased from $510K to $560K
• First timers on average spent $37 more per record; too-quick/non-planners on average spent $33 more per record
• A CISO can reduce cost per record by $80; an outside consultant can reduce cost per record by $41
Source: 2011 Ponemon Institute Benchmark Study

Cyber Risk Insurance Policies
Traditional Insurance Coverage?
ISO Commercial Property? The Electronic Data Extension only addresses loss or damage to data which has been destroyed or corrupted by a covered cause of loss.
Commercial Crime Form? No coverage, due to the definition of “Other Property” and the exclusion of “Indirect Loss”.
General Liability Policy?
Addresses only physical injury to persons or tangible property, as well as the Insured’s publication of material that violates a person’s right to privacy.
Professional Liability Policy? May be limited by the description of “Professional Services” or by exclusions for “Invasion of Privacy”.

Common First Party “Gaps”
[Diagram mapping exposures to the traditional policies that may respond:]
Exposures: Cyber Vandalism, Denial of Service, Cyber Extortion, Cyber Fraud, Unauthorized Record Access
Policies: ISO Property Policy, Surety Assoc. Computer Crime, Surety Assoc. Crime Policy, Extortion & Kidnap Ransom Policy

Only Cyber Risk Covers:
• Notification Expenses – when required by law or on a voluntary basis?
• Credit Monitoring Expenses – for a stipulated period of time and/or under specified circumstances?
• Crisis Management Expenses – including expenses related to legal analysis, as well as public relations?

What Information Assets Are Covered?
Personal Identifiable Information (PII)
• Customers, Employees, Others?
Protected Health Information (PHI)
Business Property:
• Customer Lists (non-PII)
• Financial Information
• Marketing & Operational Information
Trade Secrets

Privacy Risk Cyber Policy Addresses
• Access to information other than over the Internet
• Access to information by an employee (Employees)
• Access to information residing on an “outsourced” system – anywhere (Outsourcers)
• Access to information in “non-electronic” form
• Negligent release of information

Conclusion
Avoid It
Assess & Mitigate It
• Employee Training
• Operational Guidelines
• Customer Awareness
• Penetration Testing
• Robust Patch Management
• Ongoing Security Assessments
Insure It
• Cyber Insurance Policy & Crime Insurance

QUESTIONS???