RIMS PERK
Memphis Chapter
Sedgwick Conference Center
August 21, 2014, 3:00 pm to 4:30 pm
What Every Risk Manager Needs to Know About Data Security
Disclaimer
The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice or risk management advice. The views discussed are for educational purposes only and are provided only for use during this session.
1033791v1 © 2014 Anderson Kill P.C. All Rights Reserved.
Your Speakers
Joshua Gold, Esq. (212) 278-1886 [email protected]
Darin J. McMullen, Esq. (267) 216-2708 [email protected]
WHO IS VULNERABLE?
EVERYONE!
Target
Neiman Marcus
Yahoo!
WHO IS VULNERABLE?
2013 Data Breaches¹
Business – 33.9%
Medical/Healthcare – 43.1%
Educational – 9.0%
Government/Military – 10.3%
Banking/Credit/Financial – 3.7%
____________
¹ 2013 Data Breach Category Summary, Identity Theft Resource Center, January 1, 2014. http://www.idtheftcenter.org/images/breach/2013/BreachStatsReportSummary2013.pdf
WHAT ARE THE CAUSES?
Negligence – 35%
Malicious or Criminal Attack – 37%
System Error – 29%²
____________
² 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2013. http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf
WHAT IS THE COST?
Information Loss – 44%
Business Disruption – 30%
Revenue Loss – 19%
Equipment Damages – 5%
Other Miscellaneous Costs – 2%³
____________
³ 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.
WHAT’S THE REAL COST?
Average Resolution Time: 24 days
Average Cost: $5.4 Million⁴
____________
⁴ 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, June 2013. http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach
WHY DATA SECURITY MATTERS SO MUCH TO REGULATORS
Identity Theft Tops FTC Consumer Complaints in 2013
For the 14th year in a row, identity theft topped the list of complaints to the FTC
More complaints than over debt collection, banks and other lenders
THIRD-PARTY DATA MANAGEMENT & RISKS
Cloud is the Trend
Cost Savings
Data Security Risks
Lack of Control
Can delegate the data management but not the responsibility
What are the risks? Amazon/Sony Breach
BEST PRACTICES
SEC Guidance
FFIEC Guidance
Due Diligence on Vendors
Negotiate Strong Terms in Vendor/Cloud Contracts
Risk Transfer: Indemnity/Insurance
Security Assessment of Vendor: Tricky in a Multi-Tenant Cloud Platform
Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders
RISK MANAGEMENT
Notice of Incident (even if your data is not disclosed)
Cooperation with regulatory authorities and law enforcement
Periodic audit rights
Notification costs responsibility
Costs of computer forensic experts
Use of sub-contractors
Cloud Services Termination: How does hosted data get disposed of? / Who pays?
Representations and Warranties about firm protecting data
SECURITY & INSURANCE
Encryption – Automatic red flag for AGs/FTC if data disclosed and not encrypted
Contractual Indemnity/Hold Harmless
Mandate insurance purchase by vendor
Require additional insured status
DEALING WITH A SECURITY BREACH
Data Breach Team and Plan needs to be in place
Compliance with State Notice
Make sure your insurance provides cover where cloud used
Notice all potentially applicable insurance
Identify the Exposure
Hackers
Rogue Employees
Independent Contractors
Human Error
Social Media
Mobile Devices
Cloud Computing
A Changing Regulatory Environment
POLICIES COVERING LOSS
Take Inventory of Policies: GL, D&O, E&O, Crime, All Risk Property, Cyber Policies
1st Party, 3rd Party, Hybrid
Coverage Issues
COVERAGE UNDER CGL?
IP Exposure
Data Loss
Business Interruption
Third Party Losses
Privacy
WHEN CONVENTIONAL IS NOT ENOUGH
CYBER POLICIES!
CURRENTLY AVAILABLE CYBER INSURANCE
Privacy Injury Liability
Privacy Regulatory Proceedings and PCI Fines
Network and Content Liability
Crisis Management Fund
Network Loss or Damage
Business Interruption
Electronic Theft
Network Extortion
The Insurance Policy
Exposure Category: Description

Network Security Liability: Promises liability coverage if an Insured's Computer System fails to prevent a Security Breach or a Privacy Breach
Privacy Liability: Promises liability coverage if an Insured fails to protect electronic or non-electronic information in their care, custody and control
Media Liability: Promises coverage for Intellectual Property and Personal Injury perils that result from an error or omission in content (coverage for Patents and Trade Secrets is generally not provided)
Regulatory Liability: Promises coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws
Breach Response / Crisis Management:
    Notification / Legal Expense: 1st Party expenses to comply with Privacy Law notification requirements; in many instances goodwill notification; Legal Advisory
    Credit Monitoring Expense: 1st Party expenses to provide up to 12 months credit monitoring
    Forensic Investigations: 1st Party expenses to investigate a system intrusion into an Insured Computer System
    Public Relations: 1st Party expenses to hire a Public Relations firm
Data Recovery: 1st Party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security
Business Interruption: 1st Party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security
Cyber Extortion: Payments made to a party threatening to attack an Insured's Computer System in order to avert a cyber attack
Technology Services/Products & Professional Errors & Omissions Liability: Technology Products & Services and Miscellaneous E&O can be added to a policy when applicable
RISK MANAGEMENT CONSIDERATIONS
Virus Coverage or Exclusions
Virus Defined in a Manner that Might Affect Hacker Coverage
“Confidential” Information vs. Trade Secrets vs. Customer Information
Coverage for Regulatory Matters (e.g., FTC)
RISK MANAGEMENT CONSIDERATIONS
Data Security Efforts and Policyholder Protective Measures
Coverage for Network Computers Only? What about Laptops?
Insured Property / Locations / Premises: Where are Servers / Computers Housed?
TIME SENSITIVE PROVISIONS
Fear of Reporting Claims?
Timely Notice
Proofs of Loss
Suit Limitation Clauses
LITIGATION ISSUES
Not a Ton of Precedent
What Exists is Not Uniform
Careful What Gets Disclosed During Discovery:
– E.g., Sensitive Data, Customer Information, Network Security Blueprints
QUESTIONS?
Thank You
Joshua Gold, Esq. (212) 278-1886 [email protected]
Darin J. McMullen, Esq. (267) 216-2708 [email protected]