Privacy Liability & Data Breach Management Nikos Georgopoulos December 2013 Cyber Risks Advisor

Transcription

1 Privacy Liability & Data Breach Management Nikos Georgopoulos December 2013 Cyber Risks Advisor Nikos Georgopoulos Privacy Liability & Data Breach Management December

2 Contents Information Age How does Data Breach occur The Market of Stolen Personal Information Directive On Network and Information Security (07/02/2013) Greek Market Vs Global Market Security Incidents Data Breach Risk Calculator Data Breach Reactive Management Data Breach LifeCycle Data Breach Insurance Covers Cyber Liability and Data Breach Insurance Claims Risk Management Issues Case Study : Sony - Zurich Top 5 List of Businesses Misconceptions Cyber Risks Advisors Linkedin Group More Information Nikos Georgopoulos Privacy Liability & Data Breach Management December

3 Information Age Nikos Georgopoulos Privacy Liability & Data Breach Management December

4 How Do Data Breaches Occur? Employee loses an unencrypted portable device (smartphones, laptop, thumb drive, backup tape) Property crimes (computers prime targets) Inside job (employee steals information) Stray faxes, s Phishing scams and increasingly, Spear-Phishing (social engineering) Malware / virus attacks (especially when working remotely on an unsecured network) Failure to purge/scrub computing devices scheduled for destruction Weaknesses in "Cloud" security Nikos Georgopoulos Privacy Liability & Data Breach Management December

5 The Market of Stolen Personal Information Large and sophisticated black market with shockingly low prices for personal information (supply > demand): Credit card information (name, billing address, card-number, CVV2 code, and expiration date) = $1.50 $3.00 per file. Social security numbers = $1 $6 per number, depending on availability of corresponding date of birth and/or mother's maiden name. Online banking log-in details = $50 $1,000. See, RSA Anti-Fraud Command Center, RSA Online Fraud Report, August 20010: ww.rsa.com/solutions/consumer_authentication/intelreport/11068_online_fraud_report_0810.pdf Nikos Georgopoulos Privacy Liability & Data Breach Management December

6 Data Breach Causes Nikos Georgopoulos Privacy Liability & Data Breach Management December

7 Critical Company Data Types Prioritized Maximum rank = 5 and Minimum rank = Cost of Data Breach Study global Ponemon Institute Research Report Nikos Georgopoulos Privacy Liability & Data Breach Management December

8 The Average per Capita Cost of Data Breach 2011 Cost of Data Breach Study global Ponemon Institute Research Report Nikos Georgopoulos Privacy Liability & Data Breach Management December

9 The Average Total Organizational Cost of Data Breach 2011 Cost of Data Breach Study global Ponemon Institute Research Report Nikos Georgopoulos Privacy Liability & Data Breach Management December

10 Greek Market Vs Global Market Security Incidents PWC Information Security Survey % 60% 50% 40% 30% 20% 10% 0% Eurozone China Germany Greece Italy Spain UK None 1or 2 over 3 N/A Greek companies do not report Security Incidents Nikos Georgopoulos Privacy Liability & Data Breach Management December

11 Directive On Network and Information Security (07/02/2013) The Commission extends the obligation to report significant cyber incidents except Internet and Telecommunications providers to: Key Internet companies (e.g. large cloud providers, social networks, e-commerce platforms, search engines). Banking sector and stock exchange Energy (e.g. electricity and gas) Transport (operators of air, rail and maritime transport and logistics) Health Obligation to notify Customers Breach notification within 24 to 72 hours to the local regulator Data protection officers for 250+ employee firms Fine: up to 1m or 2% of global annual turnover Nikos Georgopoulos Privacy Liability & Data Breach Management December

12 Data Breach Risk Calculator Nikos Georgopoulos Privacy Liability & Data Breach Management December

13 Data Breach Reactive Management Nikos Georgopoulos Privacy Liability & Data Breach Management December

14 Data Breach LifeCycle Nikos Georgopoulos Privacy Liability & Data Breach Management December

15 Data Breach Insurance Covers Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines. Multimedia/Media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement. Extortion liability cover. Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion. Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems. Nikos Georgopoulos Privacy Liability & Data Breach Management December

16 Cyber Liability and Data Breach Insurance Claims ( ) Crisis Services: 33% $ Legal damages: 63% $ Fines: 4% $ Average Claim Cost: $2,4mio Average Claim Cost per Record :$1,36 Defense Cost: $0,5mio Settlement Cost :$1mio Hackers: 32% Lost Laptops, usb, tablets, backup disks :33% Physical Files: 7% Credit Card Records : 75% 60% of Claims refers to: Financial Services, HealthCare, Retail NetDiligence Report 2011 Cyber Liability and Data Breach Insurance Claims Nikos Georgopoulos Privacy Liability & Data Breach Management December

17 Diminished Value of the Brand due to Data Breach -21% The average Diminishing Value of the Brand as a direct result of such an incident would be 21% according to the survey. Nikos Georgopoulos Privacy Liability & Data Breach Management December

18 11.8 months is the average time to restore an Organizations Reputation 11.8months is the average time it will take to restore an Organizations Reputation s following such an incident Nikos Georgopoulos Privacy Liability & Data Breach Management December

19 Risk Management Issues Cyber Risks Nikos Georgopoulos Privacy Liability & Data Breach Management December

20 Risk Management Issues Cyber Insurance Insure Intangible Assets Nikos Georgopoulos Privacy Liability & Data Breach Management December

21 Risk Management Issues Cyber Insurance as a part of Business Insurance Nikos Georgopoulos Privacy Liability & Data Breach Management December

22 Case Study : Sony - Zurich Sony s CGL Policy does not cover damages arising from Cyber Incidents Nikos Georgopoulos Privacy Liability & Data Breach Management December

23 Top 5 List of Businesses Misconceptions Every Data Breach is covered by General Liability Policy Our Employees would never act maliciously and know how to protect our data Our Information is well-protected by our IT consultants The Cost to respond to a data breach is very low. Most Data Breaches happen to Big Companies Nikos Georgopoulos Privacy Liability & Data Breach Management December

24 Cyber Risks Advisors Linkedin Group Nikos Georgopoulos Privacy Liability & Data Breach Management December

25 Nikos Georgopoulos Privacy Liability & Data Breach Management December

26 Contact Us Nikos Georgopoulos Cyber Risks Advisor Mob Diversified Experience in Insurance, Asset Management and Banking 18 years experience in Financial Sector 8 years in Insurance: Alternative Channels Sales Manager Generali Hellas 5 years in Asset Management: Marketing Director ALPHA TRUST Asset Management Company 5 years in Banking: XIOSBANK Εducation ALBA Professional MBA BS Physics University of Patras Nikos Georgopoulos Privacy Liability & Data Breach Management December