How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised


ACE USA Podcast
Released June 24, 2010

How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised

Moderator: Richard Tallo, Senior Vice President, ACE North America Marketing & Communications, ACE USA

Panelists:
Toby Merrill, Vice President, ACE Professional Risk, ACE USA
John Mullen, Attorney, Nelson, Levine, DeLuca & Horst
Mark Greisiger, President, NetDiligence

Hello, I'm Richard Tallo, of North America Communications, at the Philadelphia headquarters of the ACE Group of Companies. Welcome back to the second of two podcasts ACE has produced to discuss how companies can learn how to prepare for, and deal with, data breaches. In our first broadcast ("Preparing for the Inevitable Data Breach: What to do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised"), we discussed the steps that organizations and their risk managers need to take in order to put together an effective crisis response plan.

To briefly recap, these steps were: Naming a specific senior manager to take charge following a breach; Identifying computer forensic specialists before the event, to determine what has been compromised in a manner that preserves the chain of custody and other stakeholders; Structuring proper service provider contracts; Pre-negotiating notification, call center and credit monitoring services; and Looking into privacy liability insurance.

Today, we'll move beyond crisis management planning and look at how companies can respond following the breach of sensitive consumer or employee information. Once again, I'm joined by: Toby Merrill, National Privacy Product Manager for ACE USA; John Mullen, a partner with the law firm of Nelson, Levine, DeLuca & Horst; and finally, Mark Greisiger, President of NetDiligence, a data privacy and security firm.

I'd like to start today's discussion by asking Toby how he would handle the following scenario: It's Monday morning at 10 a.m., and a major credit card company has just alerted you that they noticed a suspicious pattern of charges they suspect was caused by a serious breach at their company. Can you tell us what should occur in the first hour after that phone call?

Well, Rich, hopefully management has already put in place an incident response plan in advance of the breach, outlining who inside and outside of the organization needs to be involved and what steps need to be taken. In either case, the company needs to first assemble a crisis response team to determine exactly what happened and begin delegating responsibilities. At the very least, the first action items need to include: Engaging a forensics team to determine the extent of the breach, including the number of records affected and the type of information that has been exposed. Assessing the severity of the breach as early as possible to determine the best course of action. For example, a breach of 10 or 20 credit cards should be classified very differently than a breach of a few thousand social security numbers.

What are action steps for the next phase?

Engaging a legal firm to counsel senior management on the organization's legal obligations around a number of issues, such as state notification requirements and litigation holds. Spending a few thousand dollars on legal counsel up front can potentially save the organization millions in defense costs on the back end. Then, depending on the severity of the breach, the organization should bring in crisis management consultants to review the situation and to advise on the best means of communication with the public, should it be required or recommended.

Thanks, Toby. Mark, why are computer forensics so critically important at this stage?

First, it is critically important that you get a snapshot of the security breach event. You will need to determine what internal computer servers have been impacted by this event, when and where the attack occurred, and what prudent controls were in place at the time of the incident.

Next, you are going to need to identify the individuals who could have potentially been affected by this event. Computer server logs should be reviewed to verify important information, such as: How the company's servers were accessed as well as when and how often this illegal access occurred; Whether the culprit actually accessed the customer's information and employee data; What type of data was accessed and when; and Where the victims physically resided to determine the proper course for notification.

Another key point is, depending on the applicable state notification laws, a company may not be legally required to notify customers or employees whose sensitive information has been compromised. Many companies that have not properly examined the nature of a breach before disclosing have found that they may have disclosed a little bit too soon. This past year, I worked with several clients that experienced a real life data breach event impacting their customer data. And in many of these instances, they found they did not have a duty to notify because either the data impacted was limited, for example, no public identifiable information was impacted, such as a combined name with social security number, or the data was encrypted and thus the laws of Safe Harbor may apply.

Thanks, Mark. John, can you discuss the key ingredients of an effective media message? And, how should the news that sensitive consumer data has been compromised be communicated to both affected customers and the public?

Rich, ideally a simple, clear, company statement by a senior executive should include key facts of the incident that are known at that time, what is being done to address the breach, in what timeframe, and it should conclude with confirming that appropriate steps are being taken actively. It's always best to tell your story up front, stressing open communication within the organization and making yourself available for participation in news stories as appropriate, taking care to work with trusted media sources.

Thanks, John. Are there other best practices to consider when communicating to key audiences?

Yes, they include the following: Keeping to the basic facts of the breach and not overstating the facts; Showing empathy and concern for the affected individuals; Reassuring key audiences and stakeholders that the response to the privacy breach is being handled properly and that assistance is being offered to those affected; and Finally, accepting responsibility for the incident while taking care not to admit negligence.

That's important. Thanks, John. Mark, is it always necessary to provide credit monitoring services to affected customers?

Rich, it depends on the situation. A lost laptop with encrypted data is much different than a hacking attack where compromised information is being used for real identity theft purposes. The most important issue is determining the type of data that has been lost. If the data compromised is medical data or credit card information, then credit monitoring services may only provide limited assistance for the customers that were affected. However, if customers' social security numbers have been compromised, which is the holy grail of data, then credit monitoring services will be an appropriate response.

Another consideration is whether there is any concrete evidence of actual fraud. A laptop that went missing for two days and was returned by a trustworthy citizen may not warrant the additional costs of credit monitoring. It is important to note that there are currently no state notification laws on the books requiring that credit monitoring be offered. This is not a mandatory offering. However, research has demonstrated that individuals who are offered free or subsidized services may perceive the company more positively and are less likely to participate in a class action lawsuit. But credit monitoring services can be expensive, which is a key reason why pre-planning is so important.

Thanks, Mark. Would you share some best practices for offering credit monitoring services?

First, a prudent step is to offer those customers whose data has been compromised a free credit check, such as from the ftc.gov site. If a free service is not available, rates should be negotiated in advance of a data security breach event and the company should talk to a number of different providers before making a final selection. A company should also try to find the most economical way to manage its costs. In many cases, choosing a provider that charges for redemptions only and not on every offer made is a better value since we only see between 10 and 25 percent of offers redeemed. And finally, if a third-party service provider was responsible for the breach you may be able to seek indemnity.

Toby, we've spent time focusing on best practices for companies. Can you share lessons learned from companies that have experienced data breaches?

Of course. The three biggest mistakes I have seen companies make after a breach are really related to a lack of preparation: First, without a crisis response plan in place, the company is forced to make rash decisions due to a lack of direction and leadership. A company responding to a breach should consider its culture and reputation, and how it is perceived by its customers. Senior management needs to agree on this prior to developing an appropriate response. Another common mistake I've seen is when companies have not taken the time to properly screen forensic, legal, and public relations as well as notification vendors prior to the breach. Not doing this may often result in a company making hasty decisions and hiring inexperienced firms or grossly overpaying for these services. The third mistake I have seen companies make is the tendency to over-notify, as Mark mentioned earlier. In some instances there have been a number of notifications that could have been significantly reduced, and in some cases, eliminated entirely had management taken the time to hire a qualified attorney who knows the intricacies of the various privacy regulations.

Toby, are there any instances where a company may choose to notify even after they've determined they are not legally obligated to do so?

Absolutely. There are three major areas where this has been the case: First, many organizations' reputations are built on their open culture environment, such as universities. The organizations may risk more by hiding the incident than any pending litigation might bring. Second, there are a number of foreign jurisdictions, such as Canada, that have yet to pass notification legislation. [Note: Alberta has become the first province to add a data breach notification requirement into its legislation. The new measures were added into its Personal Information Protection Act (PIPA) on May 1, 2010 and are now law]. And many of the notification laws are very limited in the type of information that triggers the obligation to notify. For example, a breach of a customer's address may not trigger a notification requirement but could be used by a hacker to obtain more sensitive information. In each of these instances, the organization's decision to notify could mitigate its liability from class action considerably.

Thanks, Toby. John, can you talk about the actual financial damages suffered in the real cases that you have been involved with?

Of course. Incidents of data loss can be very costly for companies, especially those organizations that fail to take their legal duties seriously up front. Prior to any lawsuit being filed, there are expenses that can include notification to affected customers, call centers, and service offerings to reduce damage to the customer or employee base, litigation expense and e-discovery costs. If a customer files a lawsuit, costs will escalate.

Should there be a lawsuit, legal cases tend to fall into three basic categories: First, the Federal Trade Commission, considered the most active government authority currently policing the data loss world, can elect to pursue statutory damages based on a fines per record type loss situation. These can be expensive to pay and even more expensive to defend against as anyone who has ever gone up against the government in a lawsuit knows it's very time consuming and very expensive. The second type of case is a suit related to financial institutions. Should a company lose significant amounts of data, particularly with credit card information, most banks, regardless of best practices, will replace those credit cards. However, there is a fee involved in credit card replacement -- it is how many dollars per credit card to replace it. And, with lost records often in the millions, the amount claimed by financial institutions to replace those cards will be substantial. The third type of lawsuit -- and by far the most expensive and problematic -- are those that are called class actions. These are brought in the guise of customer and employee lawsuits. Class actions are generally brought in federal court, and although the industry has been relatively successful in defending against them, fighting certification of classes, because they lack the requisite damages required under the law, the data breach context is tricky and that trend seems to be eroding in the courts.

Thanks, John. From our discussions, it's apparent that preparing a formal response plan is a necessity for a company. In the heat of a crisis, you don't want to be caught unprepared. As we've been discussing during this broadcast, an open and measured response can also help retain goodwill with customers and reduce the potential for legal liability down the road. I'd like to thank Toby, John and Mark for joining us today. On behalf of everyone at ACE, thanks for joining us.

NetDiligence is a cyber risk assessment services company. NetDiligence also offers a unique post data breach response service called service erisk Hub to fully support & assist clients with their inevitable data breach crisis incident. For the past decade NetDiligence has established itself as a leader for performing due diligence cyber risk assessments on behalf of majority of P&C insurers in US & UK that offer cyber liability coverage. Our clients also include well-known names in banking, brokerage, mortgage, insurance, clearinghouse, and other financial service sectors.

Nelson Levine DeLuca & Horst: With seven offices from New York to Denver, NLdH is devoted solely to helping build and protect the insurance industry's business practices and clients, providing comprehensive legal services in the areas of reinsurance, regulatory, complex litigation, class action, coverage, subrogation, bad faith consulting and insurance fraud. For more information, please visit the NLdH website at

ACE USA is the U.S.-based retail operating division of the ACE Group of Companies, headed by ACE Limited (NYSE: ACE), and is rated A+ (Superior) by A.M. Best Company and A+ (Strong) by Standard & Poor's. ACE USA, through its underwriting companies, provides insurance products and services throughout the U.S. Additional information on ACE USA and its products and services can be found at

The ACE Group of Companies provides insurance and reinsurance for a diverse group of clients around the world. Product highlights are summaries only; please see actual policy for terms and conditions. Products may not be available in all locations and remain subject to ACE Professional Risk's underwriting criteria.

The views expressed by Messrs. Merrill, Tallo, Mullen and Greisiger are their own and do not represent those of ACE USA, any of The ACE Group of Companies, Nelson Levine or NetDiligence. The material presented in this podcast is not intended to provide legal or other expert advice as to any of the subjects mentioned but is presented for general information only. You should consult knowledgeable legal counsel or other experts as to any legal or other questions they may have. Any references to insurance are also intended for general information only. For actual terms and conditions of any insurance, please refer to the policy. Coverage may not be available in all states.

Copyright 2010, the ACE Group. All rights reserved.


More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes

More information

Cyber Insurance Presentation

Cyber Insurance Presentation Cyber Insurance Presentation Presentation Outline Introduction General overview of Insurance About us Cyber loss statistics Cyber Insurance product coverage Loss examples Q & A About Us A- Rated reinsurance

More information

Need for Cyberliability Insurance Continues to Grow

Need for Cyberliability Insurance Continues to Grow Need for Cyberliability Insurance Continues to Grow 14 benefits magazine may 2015 MAGAZINE Reproduced with permission from Benefits Magazine, Volume 52, No. 5, May 2015, pages 14-19, published by the International

More information

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Jeremy Ong Divisional Vice-President Great American Insurance Company November 13, 2010 1 Agenda Overview of data breach statistics

More information

Discussion on Network Security & Privacy Liability Exposures and Insurance

Discussion on Network Security & Privacy Liability Exposures and Insurance Discussion on Network Security & Privacy Liability Exposures and Insurance Presented By: Kevin Violette Errors & Omissions Senior Broker, R.T. Specialty, LLC February, 25 2014 HFMA Washington-Alaska Chapter

More information

Cyber Liability. AlaHA Annual Meeting 2013

Cyber Liability. AlaHA Annual Meeting 2013 Cyber Liability AlaHA Annual Meeting 2013 Disclaimer We are not providing legal advise. This Presentation is a broad overview of health care cyber loss exposures, the process in the event of loss and coverages

More information

Nonprofit risk management

Nonprofit risk management Nonprofit risk management Mary Mancuso Nonprofit organizations face unique risk management challenges. They are often held to the same standards as for-profit organizations but do not have the same resources

More information

Data Breach Readiness

Data Breach Readiness Data Breach Readiness 877.983.9850 Partner@Intersections.com www.intersections.com Introduction Few events can damage a company s reputation more than losing the personal confidential information entrusted

More information

Cyber-insurance: Understanding Your Risks

Cyber-insurance: Understanding Your Risks Cyber-insurance: Understanding Your Risks Cyber-insurance represents a complete paradigm shift. The assessment of real risks becomes a critical part of the analysis. This article will seek to provide some

More information

Investment Advisors & Financial Professionals: Using your Insurance as a Marketing Tool. Presented by Lockton Affinity

Investment Advisors & Financial Professionals: Using your Insurance as a Marketing Tool. Presented by Lockton Affinity T Investment Advisors & Financial Professionals: Using your Insurance as a Marketing Tool Presented by Lockton Affinity PAGE INTRODUCTION... 3 INSURANCE AS A MARKETING TOOL... 3 TYPES OF INSURANCE PROTECTION...

More information

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Cyber Liability Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Today s Agenda What is Cyber Liability? What are the exposures? Reality of a

More information

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015 Cybersecurity: A Growing Concern for All Businesses RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015 RLI Design Professionals is a Registered Provider with The American

More information

DATA BREACH COVERAGE

DATA BREACH COVERAGE THIS ENDORSEMENT MODIFIES THE POLICY. PLEASE READ IT CAREFULLY. INTERLINE CL IL 01 17 12 11 DATA BREACH COVERAGE This endorsement provides additional coverage under the following: COMMERCIAL PROPERTY COVERAGE

More information

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer?

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information

More information

Cyber Liability. What School Districts Need to Know

Cyber Liability. What School Districts Need to Know Cyber Liability What School Districts Need to Know Data Breaches Growing In Number Between January 1, 2008 and April 4, 2012 314,216,842 reported records containing sensitive personal information have

More information

Corporate Incident Response. Why You Can t Afford to Ignore It

Corporate Incident Response. Why You Can t Afford to Ignore It Corporate Incident Response Why You Can t Afford to Ignore It Whether your company needs to comply with new legislation, defend against financial loss, protect its corporate reputation or a combination

More information

erisks Policyholder s Guide to Privacy & Security Breach Response Planning

erisks Policyholder s Guide to Privacy & Security Breach Response Planning erisks Policyholder s Guide to Privacy & Security Breach Response Planning Professional Indemnity Financial Institutions Directors & Officers Management Liability Medical Malpractice Media Liability Level

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks

Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks Hacks, breaches, stolen data, trade secrets hijacked, privacy violated, ransom demands made; how can you protect your data

More information

Privacy Liability & Data Breach Management Nikos Georgopoulos 1 st Athens Privacy & Data Breach Management Conference

Privacy Liability & Data Breach Management Nikos Georgopoulos 1 st Athens Privacy & Data Breach Management Conference Privacy Liability & Data Breach Management Nikos Georgopoulos 1 st Athens Privacy & Data Breach Management Conference N.G. Privacy Liability Insurance Presentation to Athens 1 st Privacy & Data Breach

More information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Thank you for joining us. We have a great many participants in today s call. Your phone is currently

More information

Considerations for Outsourcing Records Storage to the Cloud

Considerations for Outsourcing Records Storage to the Cloud Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage

More information

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ APIP - Cyber Liability Insurance Coverages, Limits, and FAQ The state of Washington purchases property insurance from Alliant Insurance Services through the Alliant Property Insurance Program (APIP). APIP

More information

Managing Cyber & Privacy Risks

Managing Cyber & Privacy Risks Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

www.bonddickinson.com Cyber Risks October 2014 2

www.bonddickinson.com Cyber Risks October 2014 2 www.bonddickinson.com Cyber Risks October 2014 2 Why this emerging sector matters Justin Tivey Legal Director T: +44(0)845 415 8128 E: justin.tivey The government estimates that the current cost of cyber-crime

More information

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET 2014 NSGA Management Conference John Webb Jr., CIC Emery & Webb, Inc. Inga Goddijn, CIPP/US Risk Based Security, Inc. Not just a big business problem

More information

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015 SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory

More information

Guidance on data security breach management

Guidance on data security breach management Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction

More information

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for? Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for? Authored by Neeraj Sahni and Tim Stapleton Neeraj Sahni is Director, Insurance Channel at Kroll Cyber Investigations

More information

Cyber and Privacy Breach Insurance

Cyber and Privacy Breach Insurance Aon Risk Solutions Financial Services Group Cyber and Privacy Breach Insurance A Risk Transfer Solution for a Growing Liability January 2015 Risk. Reinsurance. Human Resources. Introduction The frequency

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

Are Data Breaches a Real Concern? Protecting Your Sensitive Information. Phillips Auction House NY- 03/24/2015

Are Data Breaches a Real Concern? Protecting Your Sensitive Information. Phillips Auction House NY- 03/24/2015 Are Data Breaches a Real Concern? Protecting Your Sensitive Information Phillips Auction House NY- 03/24/2015 1 Agenda Current Data Breach Issues & Legal Implications Data Breach Case Study Risk Management

More information

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry DATA BREACH A FICTIONAL CASE STUDY THE FIRST SIGNS OF TROUBLE Friday, 5.20 pm :

More information

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

More information

The New Crisis Communication Challenge: Data Breach

The New Crisis Communication Challenge: Data Breach The New Crisis Communication Challenge: Data Breach By Lisa MacKenzie When a data breach occurs, how an organization responds and communicates to its customer, patients or stakeholders can be the difference

More information

HIPAA Compliance in the Event of a Data Breach

HIPAA Compliance in the Event of a Data Breach HIPAA Compliance in the Event of a Data Breach November 5, 2015 Lucie Huger Officer, Greensfelder, Hemker & Gale, P.C. Information is the New Oil! Hospitals are collecting and storing mass amounts of data

More information

Finding a Cure for Medical Identity Theft

Finding a Cure for Medical Identity Theft Finding a Cure for Medical Identity Theft A look at the rise of medical identity theft and what small healthcare organizations are doing to address threats October 2014 www.csid.com TABLE OF CONTENTS SUMMARY

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report

More information

Managing E-Risks in today s cyberspace: Growth of Cyber Liability Insurance

Managing E-Risks in today s cyberspace: Growth of Cyber Liability Insurance WHITEPAPER MARCH 2014 www.beroe-inc.com Managing E-Risks in today s cyberspace: Growth of Cyber Liability Insurance Abstract With cyber-attacks becoming increasingly sophisticated and frequent, and with

More information

Cybersecurity y Managing g the Risks

Cybersecurity y Managing g the Risks Cybersecurity y Managing g the Risks Presented by: Steven L. Caponi Jennifer Daniels Gregory F. Linsin 99 Cybersecurity The Risks Are Real Perpetrators are as varied as their goals Organized Crime: seeking

More information

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider 1 Cyber/Information Security Insurance Pros / Cons and Facts to Consider 2 Presenters Calvin Rhodes, Georgia Chief Information Officer Ron Baldwin, Montana Chief Information Officer Ted Kobus, Partner

More information

Anti-Money Laundering Program and Suspicious Activity Reporting Requirements For Insurance Companies. Frequently Asked Questions

Anti-Money Laundering Program and Suspicious Activity Reporting Requirements For Insurance Companies. Frequently Asked Questions Anti-Money Laundering Program and Suspicious Activity Reporting Requirements For Insurance Companies Frequently Asked Questions We are providing the following Frequently Asked Questions to assist insurance

More information

Procedure for Managing a Privacy Breach

Procedure for Managing a Privacy Breach Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access

More information