Global Cyber Risk An international insurance perspective

Transcription

1 Global Cyber Risk An international insurance perspective 19 November 2014

2 Our International Cyber Risk Panel Hans Allnutt London, UK Jose Luis Arce Fernández Mexico City Noreen Howard Dublin, Ireland Rhiannon Davies Associate London Camilla De La Torre, Bogota, Colombia Guillermo Amunátegui Santiago, Chile Marcia Barbosa de Oliveira JBO Advocacia São Paulo, Brazil Mark Anderson Auckland, NZ Ben Nicholson Singapore

3 UK Insurable Cyber Risks Data Protection/Privacy Business Interruption Property Damage Hans Allnutt London, UK Data Security/Privacy Laws Data Protection Act 1998, forthcoming draft EU DP Regulation No legal obligation to notify data breaches (for most companies) but voluntary notifications increasing and highlighting first party legal and forensic costs of regulatory compliance. Fines up to 500k under DPA 1998, unlimited FCA fines Common law recognition of compensation for breaches of DPA (e.g 2,500 compensation awards).

4 UK Claims Examples Data Breaches (Betfair, Racing Post, Morrisons) Hans Allnutt London, UK IT Outages (RBS/Natwest 2013, CHAPS Payment System 2014) Insurance Market Many Insurers entering the market. Data Breach insurance gaining traction, business interruption easily understood, but questions remain over existing coverages. Underwriting challenges (claims made vs occurrence, aggregation for reinsurers)

5 Ireland What is Cyber? Technological risks Data breaches Both? Noreen Howard Dublin, Ireland Data Protection Acts European home of household names Google, Facebook, LinkedIn and most recently Amazon International implications of Irish DPC s actions

6 Ireland Enforcement DPA Noreen Howard Dublin, Ireland The Commissioner s role is to ensure that those who keep personal data comply with the provisions of the Acts. Registration Commissioner s powers include:- Service of legal notices to compel assistance Compelling a data controller to implement one or more provisions of the Acts Investigating complaints or carrying out investigations proactively

7 Ireland Enforcement (continued): DPA Noreen Howard Dublin, Ireland Authorise officers to enter premises: to inspect the type of personal information kept, how it is processed & the security measures in place. Full cooperation must be given to such officers. A data controller found guilty of an offence under the Acts:- Fines of up to 3,000 on summary conviction and 100,000 on conviction on indictment; May be ordered to delete all or part of the database; Data controllers name published in the annual report.

8 Ireland Breach notification DPC (Regulator) Noreen Howard Dublin, Ireland Personal Data Security Breach Code of Practice: Immediately consider informing those affected Notify organisations that may be able to assist, e.g. Garda Data processors to report incidents to controllers as soon as possible DPC must be notified as soon as Data Controller is aware unless: incident reported without delay to the affected data subject(s); and, breach affects <100 data subjects and no sensitive/financial data. Initial contact to DPC made within 2 working days of becoming aware of the incident, which can be via , fax or telephone DPC will then decide if a detailed report and/or subsequent investigation is necessary.

9 Ireland Breach notification DPC (Regulator) Noreen Howard Dublin, Ireland DPC specifies timeframe in which to provide a detailed report on: amount and nature of the personal data that has been compromised; action being taken to secure and / or recover the compromised personal data; action being taken to inform those affected by the incident or reasons for the decision not to do so; action being taken to limit damage or distress to those affected; chronology of events leading up to the incident; and measures being taken to prevent future incidents.

10 Ireland Breach notification Data Subject Noreen Howard Dublin, Ireland Personal Data Security Breach Code of Practice Data subject centric Data at risk of unauthorised disclosure, loss, destruction or alteration Exemption where data unintelligble Treated as mandatory but does not have force of law Other approved Codes include: Garda Siochana (police); Injuries Board; Department of Education; Revenue Commissioners

11 Ireland Summary Noreen Howard Dublin, Ireland Breaches Irish Cyber Insurance Market Challenges Next steps

12 European Comparison UK Law EU Directive 95/46/EC - Data Protection Act 1998 Enforcement through Information Commissioner s Office ( ICO ) Rhiannon Davies Associate London Breach notification laws: Voluntary ICO guidance states if a large number of people are affected and/or particularly sensitive personal data the ICO and in certain cases data subjects should be informed; Compulsory for internet service providers Enforcement Level: Medium Power to fine up to 500,000 Highest Fine: 325,000

13 European Comparison France Law Rhiannon Davies Associate London EU Directive - Law No which amended former law of 1978 Enforcement - Commission Nationale Informatique et Libertes ( CNIL ) Breach notification laws: Voluntary No obligation to notify data subject or CNIL, but CNIL has power to investigate infringements and impose fines Compulsory for internet service providers Enforcement Level: High Fines: <EUR150,000 first violation. <EUR300,000 if second violation within 5 years. Legal entities, 5% of turnover if <EUR300,000), criminal fine <EUR300,000 (EUR1.5 million for a corporate entity), 5 years' imprisonment. Highest Fine: Google 150,000

14 European Comparison Germany Law: Rhiannon Davies Associate London Federal/State Data Protection Law Federal Data Protection Act ( BDSG : Bundesdatenschutzgesetz) which implements the EU Directive 95/46/EC Enforcement through protection authorities of the states Breach notification laws: Yes E.g if sensitive personal data or telecoms data, then notify regulator and data subjects Enforcement Level: High Power to fine: Up to EUR300,000 each offence for administrative offences. Criminal sanctions (maximum of to two years imprisonment or a fine). Highest Fine : Deutsche Bahn AG EUR 1,123,503.50

15 European Comparison Spain Law: Rhiannon Davies Associate London EU Directive 95/46/EC - Special Data Protection Act 1999 ( LOPD ), only a renewed version of former Data Protection Act, not a major change. Enforcement through Data Protection Commissioner s Office ( AEPD ) Breach notification laws: Partial Different from other countries, Spanish law sets out mandatory procedure for management of breaches but does not require notification of regulator or individuals. Enforcement Level: High Power to fine: <EUR 600,000 per adminstrative offence Highest Fine: Google EUR 900,000

16 Brazil Law of 23/04/2014 Internet Law Marcia Barbosa de Oliveira JBO Advocacia São Paulo, Brazil Principles: Protection of privacy and personal data Liability of agents for material and moral damages caused by data breaches Data cannot be given to third parties without express consent of the owner Consumer rules also apply

17 Brazil Law of 23/04/2014 Internet Law Marcia Barbosa de Oliveira JBO Advocacia São Paulo, Brazil Penalties: Formal warning to adopt corrective measures Fine of up to 10% of the revenue in the last business year Temporary suspension of activities Prohibition of activities Branches of foreign companies jointly responsible

18 Brazil Cyber Incidents in Brazil in large corporations: Marcia Barbosa de Oliveira JBO Advocacia São Paulo, Brazil 2012: 1957 (World average: 2.989) 2013: 4665 (World average: 3.741) Expenses with cyber incidents: increase of 18% Main causes for incidents: Hackers (41%) Employees Ex-employees Source: PwC

19 Brazil Insurance Marcia Barbosa de Oliveira JBO Advocacia São Paulo, Brazil Third party claims: data breach and defence costs Extensions: breach of intellectual property; moral damages; administrative claims First Party loss: notification cost and data breach monitoring; emergency costs; extortion; business interruption, crisis management.

20 Chile Criminal Data Protection Law, 1993 Guillermo Amunátegui Santiago, Chile Applies to natural persons and legal entities It is a criminal act to: Destroy data management systems (software or hardware); Obtain, use or handle data unduly or without authorization; Destroy, modify or damage data; Disclose or spread information.

21 Chile Civil Data Protection Law, 1999 Guillermo Amunátegui Santiago, Chile Applies to natural persons only Defines sensitive data such as: Physical or moral features; and Facts of private life (personal habits; racial origin; ideologies; religious and political thoughts; sexual life) It establishes pain and suffering damages and material damages (no fines). Courts will determine those penalties depending on the facts involved.

22 Chile Other privacy legislation Guillermo Amunátegui Santiago, Chile Employment Law Employers must keep all employees information confidential (for privacy and reputational reasons) Consumer Protection Law Security and surveillance systems must respect the dignity and consumers rights. Rules governing advertising and publicity send via s (e.g provide sender s name and an address to unsubscribe from marketing)

23 Chile Cyber Insurance Policies in Chile Guillermo Amunátegui Santiago, Chile There is only one valid insurance policy registered before the Chilean Insurance Authority that is currently available. The coverage given by this insurance policy includes an indemnity for third party claims due to a breach of personal data, corporate data, or data security. The policy tries to indemnify the costs associated with the protection of personal or corporate reputation. The policy will also cover the costs associated to investigate the cyber criminal s tracks.

24 Chile State of Cyber Insurance Market Guillermo Amunátegui Santiago, Chile Even though Chile is one of the most advanced LatAm countries in terms of technology, there is limited awareness of what might be covered by a cyber insurance policy. Currently, Chilean companies prefer to improve their technology systems instead of purchasing a cyber insurance policy. Chilean companies are afraid to admit cyber attacks because they want to protect their corporate reputation. Therefore, within Chilean market there are few examples of cyber claims/attacks and therefore limited understanding the risks and how insurers are covering those risks.

25 Colombia Data Protection Regime Camilla De La Torre, Bogota, Colombia The current regime can be divided into three categories: Criminal laws protecting traditional rights when those wrongdoing is committed using technological means. Civil laws specially designed to protect data privacy when the data is held in databases. General liability regime applicable to all activities affecting data privacy (compensation of damages of any nature) In relation to data held in databases, the law requires the managers of such databases to notify the regulator when a violation or security infringement occurs

26 Colombia Data Protection Regime (contd.) Camilla De La Torre, Bogota, Colombia Fines may be up to USD$616,000 when entities collect and misuse data in their database (e.g. using it for different purposes beyond the users authorization). Damages caused by breach of data security would be subject to compensation in accordance with the general civil liability regulation where material and non-material damages ought to be indemnified.

27 Colombia State of Cyber Insurance Market Camilla De La Torre, Bogota, Colombia Cyber risk insurance is only at an initial stage of development in Colombia. Only one insurance company is offering cyber-risk insurance policies in Colombia but in 2015 two additional companies are intending to offer this. Main coverages offered by cyber policies: Liabilities for data Protection/Privacy Data recovery Restoration of public reputation Costs of notification of data breaches

28 Mexico State of Cyber Insurance Market Jose Luis Arce Fernández Mexico City Cyber Risk Insurance is really new Mexico. A few insurers offering policies, as a specific policy or as an endorsement. There are few (if any) claims under cyber risk insurance policies although it is becoming more common to see reports of fines against companies for breaching Mexican privacy laws - this may increase interest in cyber insurance policies

29 Mexico Mexican Data Protection Laws Jose Luis Arce Fernández Mexico City Based on global privacy and data protection frameworks, similar to other countries. However, idiosyncrasies in the Mexican Law must be considered. Notification Law requires data subjects to be notified of breaches if the breach significantly affects their economic or moral rights. No legal requirement to notify other entities of government agencies. Fines Up to $1.2m (double if sensitive data involved) for breaches of DP law Citibank, Pfizer, Office Depot have been fined since 2012

30 Mexico Mexican Data Protection Laws Jose Luis Arce Fernández Mexico City Liability Compensation may be payable to individuals for harm or damage to individuals property or rights due to a breach of the law by the data controller of its sub-contractors Non-domiciled companies Companies do not have to be domiciled to process Mexican personal data but they must comply with Mexican laws and can be fined. Data breaches There are no public sector data breaches in Mexico, only private sector breaches which have been heavily publicised in the media.

31 Mexico Points to note for Cyber Risk Insurers Jose Luis Arce Fernández Mexico City In principle, the offering and sale of insurance by foreign insurance companies in Mexico is prohibited. Insurance/reinsurance is written via a fronting arrangement. Increasing opportunities to write cyber insurance/reinsurance in Mexico in the near future, once more privacy breaches are known publicly. Only a few insurance companies are selling this kind of insurance in Mexico: either as an specific policy or as endorsement to Civil Liability Policies. Insured companies do not understand the risks they face and sometimes they think that they are covered by existing policies.

32 Singapore/Asia Ben Nicholson Singapore ASEAN introduction of new data protection / privacy rules in Malaysia, Singapore and Philippines. New rules not harmonised Cyber Policies not selling. Why? Recent Cybercrime / Cyber Risk Incidents Theft of personal details of 650 private clients from StanChart Singapore / Fuji Xerox (Dec 2013) Theft of personal details and credit card numbers of 20 million Koreans by a worker at the Korean Credit Bureau (Jan 2014)

33 Singapore/Asia Notable Enforcement / Civil Actions Ben Nicholson Singapore Korea SK Communications ordered to pay US$185 each to 2,737 class action claimants for losing IDs in hack of Facebookstyle service. Class action also filed in January 2014 in the KCB case. Singapore PDPC has handed out combined fines of GBP 52,000 for two incidents (22 data subjects) of breach of DNC Registry provisions. PDPC creates avenue for data subjects to sue data controllers in case of data breach.

34 New Zealand & Australia Insurable Cyber Risks Data Protection/Privacy Business Interruption Media Liabilities Fines and penalties Mark Anderson Auckland, New Zealand Data Security/Privacy Laws New Zealand - Privacy Act 1993 Australia Privacy Amendment (Enhancing Privacy Protection) Act 2012 No obligation to notify data breaches but Australia Privacy Amendment (privacy Alerts) Bills New Zealand Privacy Amendment Bill 2015 New Zealand fines up to NZD$25,000 Australia fines update AUD$1,100,000

35 New Zealand & Australia Claims Examples Data Breaches Governmental and Small Business Mark Anderson Auckland, New Zealand Cyber Extortion: Australian police investigate extortion of consumers caught with their pants down IT Outages: NZ Met Service Environmental hacktivism: Solid Energy Insurance Market New Zealand: 5-6 insurers in the market. Estimated NZD$2m GWP 2014 Australia: Similar providers. Slower initial uptake estimated AUD$7m GWP 2014 Australasia growing market for cyber and data protection insurance

36 Questions