Data Breach Incidents

Transcription

1 Data Breach Incidents A Risk Mitigation Snapshot: 2014 into 2015 Contributing Authors: Jessica Flinn, James Sheehan, William J. McDonough If not already on the enterprise risk radar screen, cyber risks are quickly becoming a central issue for the C-suite and board members in a variety of industries. Today, mitigating cyber risk is a concern for a wide range of organizations. The scale and impact of breach incidents, coupled with the vulnerability of various organizations to such attacks, threaten businesses across all sectors. As cyber threats evolve, the network security and privacy liability insurance market tries to keep pace. Here, we will briefly consider how issues encountered in 2014 may influence market realities in For discussion purposes, we will treat data breaches as incidents in which an individual s social security number, driver s license number, medical record or financial record (e.g., account number, credit or credit card number) has been acquired either unlawfully or without authorization. The Frequency and Severity of Breaches Unfortunately, 2014 was a year in which we witnessed U.S. data breaches reach record levels. It was also the year when U.S. data breach incidents surpassed 5,000 with more than an estimated 675 million records implicated. 1 It is also important to note that many data breach incidents go unreported as organizations do not want to incur the expense of notifying affected individuals or suffer the reputational harm resulting from a release or breach. 2 On an industry basis, healthcare again topped the Identity Theft Resource Centers 2014 Breach List with 42.5 percent of the breaches identified in The general business sector ranked second with 33.0 percent of the data breach incidents, followed by the Government/Military sector at 11.7 percent, the Education sector at 7.3 percent and Banking/Credit/Financial at 5.5 percent. 3 Among the larger breaches: Sony had 47,000 records stolen; J.P. Morgan had 83 million records stolen (affecting 76 million households and 7 million small businesses); Home Depot had 100 million records stolen (implicating 56 million credit cards and 53 million addresses); and the ebay breach is estimated to involve the addresses, physical addresses and login credentials of up to 145 million users. 4 1 Identity Theft Resource Center (2015, January 12). Identity Theft Resource Center Breach Report Hits record High in Retrieved February 16, 2015, from 2 Ibid., 1. 3 Ibid., 2. 4 Collins, K. (2014, December 12). A Quick Guide to the Worst Corporate Hack Attacks of Retrieved January 21, 2015, from Data Breach Incidents A Risk Mitigation Snapshot April

2 According to Ponemon Institute s 2014 Cost of Data Breach Study: Global Analysis, U.S. companies rank first in the cost per compromised record of $201 per record (Figure 1) and have the largest number of exposed records per breach (Figure 2). The news for U.S. companies deteriorates further as the report detailed the average total cost of a data breach increased 15% and the average per record cost increased more than 9%. 5 The retail and healthcare sectors saw the largest increases in compromised systems at 5% and 4%, respectively. 6 Figure 1. The average per capita cost of data breach over two years (Measured in US$) 5 Ponemon Institute. (2014, May 1) Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf 6 Maginot Revisited: More Real-World Results from Real-World Tests. (2015, January 1). Retrieved January 21, 2015, from Data Breach Incidents A Risk Mitigation Snapshot April

3 Figure 2. The average number of breached records by country Shown below are the number of exposed or compromised records for organizations in the ten countries represented in this research. Organizations in the U.S., the Arabian region and India had the largest average number of records lost or stolen. The Cost of Compromised Security to U.S. Companies It is clear that the frequency and severity of data breach incidents have caused U.S. companies considerable consternation in 2014 (see Figure Cyber Fast Facts). Of additional concern is the regulatory framework that allows multiple agencies to assess fines and penalties when data has been released. Increased participation by regulatory agencies necessarily results in increased costs attributed to a release. The Federal Communications Commission s (FCC) entry into the arena illustrates how a regulators involvement can significantly increase the total cost of a release. Recently, the FCC proposed fines of $10 million to two companies for alleged data security breaches. The Office for Civil Rights (OCR) issued seven resolution agreements in 2014 as a result of HIPAA related privacy issues. The fines ranged between $150,000 and $4.8 million. Such fines are in addition to those often levied by state attorneys general. Data Breach Incidents A Risk Mitigation Snapshot April

4 Figure Cyber Fast Facts New Tactics It s Not All About Data Anymore No longer are cyber intrusions limited to searches for personally identifiable information and protected health information (PHI). There were several hacking incidents in 2014 that demonstrated how incursions into a company s network could have direct repercussions in the operations of an organization with worldwide implications. Take, for instance, the attack on Sony. Aside from Sony s data, the hackers took actions that rendered the company s entire computer network and landline phones unusable. In a separate cyber intrusion, hackers gained access to a German iron plant s blast furnace, and disrupted the plant s production capabilities. These incidents go beyond cyber extortion and illustrate how intrusions into a company s computer network can result in more than the soft expense associated with notification, data re-creation, remediation, etc. Hackers have now realized their ability to disrupt a businesses delivery of its core services. This disruption has real world tangible consequences and manifests itself in loss of business and future opportunities. 7 Card Issuers as Victims In 2014 we witnessed the emergence of a new plaintiff s class. The class consists of credit and debit card issuers who incur considerable expense in issuing replacement cards and refunding monies to customers as a result of a data breach. Take, for example, the Target case wherein the card issuers survived dismissal of their claims for out-of-pocket costs. Essentially, the court found that the card issuers furnished a plausible argument that Target was responsible for damages (i.e., the expense associated with the issuance of replacement cards) caused by the 7 King, R. (2014, December 18). Cyberattack on German Iron Plant Causes 'Widespread Damage' Retrieved January 21, 2015, from Data Breach Incidents A Risk Mitigation Snapshot April

5 hackers intrusion into Target s network. The court s finding was somewhat novel, in that, there did not exist a contractual relationship between Target and the card issuers. Allegations of negligence, it seems, may carry the day for banks and card issuers looking to recoup their costs from businesses who suffered an attack. Plaintiff s Bar Moving the Ball The Target breach has also led to inroads for consumer plaintiffs pursuit of class action status. Previously, the plaintiffs bar has had difficulty surviving motions to dismiss due to an inability to satisfy the damages element of a negligence claim. Causes of action sounded in negligence require plaintiffs to allege actual or imminent injury. To date, plaintiff s bar has been unable to show that parties affected by a release of data, on its own, have suffered damages or are in imminent risk of injury. However, the Court in the Target case appears more receptive to this type of class action litigation at the motion to dismiss stage of litigation. Specifically, the Court refused an individualized assessment of standing, instead concluding the requirement was met because some plaintiffs alleged injuries of unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees. 8 This may significantly increase defense costs in the preclass certification stage as additional resources will be deployed in the discovery phase. The Target court is not alone in moving the plaintiff s bar closer to class certification. A recent California federal district court found plaintiffs have standing to sue based on increased risk of future harm due to the alleged release of their personally identifiable information. It should be noted that this ruling is contrary to the more accepted line of reasoning, which finds that the increased risk of identity theft does not satisfy the concrete or imminent injury requirement for standing. What Lies Ahead The era of the data breach is upon us and it is unlikely to recede. A new global standard for credit card security, commonly referred to as chip and pin technology, may help insulate consumers from credit card fraud; however, hackers have turned their sights to the more lucrative fraud of identity theft. The misappropriation of an individual s identity, either by the procurement of personally identifiable information or protected health information, will allow the hacker to command a significantly higher per record payment then credit card data alone. Personal Data Notification & Protection Act President Obama has proposed new legislation that would create a single country-wide data breach notification standard. The Act, as proposed, clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. 9 If passed, this Act will replace the current patchwork of notification requirements implemented by various governmental agencies and the individual states. 8 In re Target Corp. Customer Data Security Breach Litig., MDL No (PAM/JJK) (D. Minn. Dec. 18, 2014). 9 FACT SHEET: Safeguarding American Consumers & Families. (2015, January 12). Retrieved January 21, 2015, from Data Breach Incidents A Risk Mitigation Snapshot April

6 The Healthcare Industry Will Likely Retain First Place It comes as no surprise that the healthcare industry will remain squarely in hackers sights. The personal information contained in health records will enable hackers to perpetrate a multitude of different follow-up attacks and various types of fraud, including financial exploitation and identity fraud. The FBI has warned the healthcare industry that its attempts at cyber security remain woefully insufficient. 10 As noted, in 2014 healthcare organizations accounted for about 42 percent of all major data breaches reported, according to the Identity Theft Resource Center. 11 A Ponemon study estimates that the potential cost of healthcare industry breaches will reach $5.6 billion annually. 12 Not surprisingly, it is expected that healthcare breaches will increase as we continue a move towards electronic medical records and growing usage of mobile and wearable technologies (Figure 4). Figure 4. Preparing for the Risks of Mobile and Wearable Technology 13 MOBILE TECHNOLOGY RISK PREVENTION INITIATIVES - ALL INDUSTRIES Percent of All Respondents INTERNAL APP STORE USE OF GEO-LOCATION, GEO-FENCING DEVICE ENCRYPTION STRONG DEVICE AUTHENTIFICATION CORPORATE AND CALENDAR BAN OF USER OWNED DEVICES MOBILE DEVICE MANAGEMENT SOFTWARE MOBILE SECURITY STRATEGY Weisman, S. (2014, December 20). Cyber predictions for Retrieved January 21, 2015, from Was Landmark Year for Health Data Breaches. (n.d.). Retrieved December 26, 2014, from 12 Ponemon Institute. (2014, May 1) Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf 13 The Global State of Information Security Survey, Data Breach Incidents A Risk Mitigation Snapshot April

7 Corporate IP and Trade Secrets Are Valuable The Sony hack sent shivers through every R&D department in the digital universe. Hackers not only exposed personal information and embarrassing internal communications, but also Sony s valuable intellectual property in the form of scripts, profits and budget projections. The intellectual property and trade secrets cultivated by companies appears fair game for hackers interested in extortion. 14 Figure 5 How Breaches Occur 15 Vulnerable Code 6% CAUSE OF BREACH Targeted Attack 6% Undetermined 15% Misconfigured System 42% End User Error 31% Note: Although preventable errors are often to blame for security incidents, it was impossible to identify the culprit in nearly 20 percent of the cases reviewed in the IBM Annual Report. Policy Implications The marketplace for cyber security and privacy liability insurance remains in its infancy and is struggling towards maturation. The standardization of coverage terms and claims handling are a distant dream. Policy terms and conditions differ from form to form, and market developments routinely result in mid-term revisions. Typically, policies contain a number of insuring clauses that speak to coverage for breach response costs and claims resulting from a cyber event. The forms may also provide coverage for extortion, network damage, public relations and crisis management, website media content and regulatory investigation costs arising out of a cyber event, as well as business interruption losses. Although provided, the sub-limits placed on these ancillary coverages likely leave many companies substantially exposed. Regulatory sub-limits placed on policies create a lack of meaningful coverage for many insureds, particularly in 14 Troutman Sanders LLP. (2014, December 19). 5 Reasons Sony Pictures Will Be a Cybersecurity Inflection Point. Retrieved January 21, 2015, from point/?utm_source=mondaq&utm_medium=syndication&utm_campaign=view- 15 IBM Security Services Cyber Security Intelligence Index Report, 2014 Data Breach Incidents A Risk Mitigation Snapshot April

8 the financial services and healthcare industries. With more regulators taking interest in cyber issues and data breaches implicating multiple states statutes, it is anticipated that regulatory fines will continue to expand. This will likely require insureds to make payments out-of-pocket for a portion of the regulatory fines, particularly if more than one breach occurs in any given policy period. In other instances the cyber policy may not provide coverage at all. For example, as evidenced by attacks on Sony and J.P. Morgan, companies are vulnerable to hacking by nation states, criminal organizations or terrorists. Many cyber policies have specific exclusions for acts of terrorism or acts of a nation state. Insureds will need to keep a careful eye on the breadth of any such exclusion on their cyber policies. Additionally, physical damage sustained by an insured as a result of a cyber-attack will likely be precluded from coverage. Property insurers have been making it increasingly clear that they do not intend to provide insurance for anything in the cyber realm. At this time, cyber insurance carriers have not shown an inclination to expand coverage for this type of exposure. However, to ensure robust coverage, the insurance market will need to adapt and create insuring clauses specifically geared towards addressing physical damage resulting from a cyber incident. Loss associated with an insured s own intellectual property creates another vacuum in coverage. Today s cyber policies may provide coverage for the intellectual property of others, but do not extend to include first party coverage. For instance, the loss Sony experienced relating to stolen screenplays and other valuable internal intellectual property would not be covered under the typical cyber policy. Perhaps, with time, cyber insurers can be convinced to add such coverage. Concluding Thoughts The cyber insurance market is in a constant state of fluidity. Carriers have been altering their policies to include loss prevention and risk mitigation tools, from breach response teams to risk analytics. As cyber incidents increase in frequency and severity, and evolve to keep pace with technological advances, the insurance industry will need to create new forms of cyber coverage to meet the needs of their clients. As we wait for the market to catch-up, your insurance broker may be able to help with other suggestions to increase the breadth of coverage by, for example, minimizing any state actor, contractual liability or bodily injury exclusions, expanding the definition of computer network and backdating the prior acts date as far as possible. Companies can also use collaboration to protect themselves. Information sharing platforms such as the Information Sharing and Analysis Centers (ISACs), industry associations, and government agencies are valuable risk-awareness tools. Sharing information should help companies improve their incident response through trusted collaboration, analysis, coordination, and drive decision-making by policy makers on cybersecurity, incident response, and risk mitigation and financing for breaches. Data Breach Incidents A Risk Mitigation Snapshot April

9 About the Authors Jessica Flinn is a vice president within Integro s Management Risk practice. She provides professional lines claims advocacy services, including detailed coverage analysis, contract interpretation, consultation and negotiation. She specializes in employment practices, directors & officers and errors & omissions coverages. James Sheehan is a principal of Integro Insurance Brokers, resident in the firm s Boston office. An executive liability and professional liability insurance broker by background, he specializes in the placement of executive liability programs for healthcare organizations and private equity firms William McDonough is a managing principal within Integro s Healthcare practice. Bill counsels clients across America on healthcare alternative risk financing vehicles, captive best practices, and loss prevention. He speaks and writes regularly on patient safety, reporting systems, and strategic planning, among other topics, and is a Fellow with the American Society for Healthcare Risk Management (ASHRM). About Integro Integro is an insurance brokerage and risk management firm. Clients credit Integro s superior technical abilities and creative, collaborative work style for securing superior program results and pricing. The firm's acknowledged capabilities in brokerage, risk analytics and claims are rewriting industry standards for service and quality. Launched in 2005, Integro and its family of specialty insurance and reinsurance companies, some having served clients for more than 150 years, operate from offices in the United States, Canada, Bermuda and the United Kingdom. Its U.S. headquarter office is located at 1 State Street Plaza, 9th Floor, New York, NY Integro Ltd Data Breach Incidents A Risk Mitigation Snapshot April