Recent Australia privacy incidents compared to rest of world Insurance Response

Transcription

1 Recent Australia privacy incidents compared to rest of world Insurance Response Prior to 2015, we observed an increasing number of insurance carriers from Australia, the U.S., and Lloyd s of London attracted by the allure of new premiums i and increased profits from a new line of business cyber insurance and they jumped in with both feet to compete on both price and coverage for new placements and existing programs. In the wake of recent highprofile network security and privacy breach incidents however, we have found that many carriers are re-evaluating their appetite. Carriers have been seen to be adding cyber insurance exclusions and declining to consider certain sizes and types of business. We recommend that lawyers should take a fresh look at their evolving cyber exposures and solutions to be sure they can weather a storm if a data breach occurs with one of their clients. ii In particular, business lawyers should consider advising their clients of the following key takeaways about data protection and cyber losses and insurance coverage: Key Takeaways Australia s Privacy Act of 1988, even after the 2014 amendments, does not apply to the collection and use of personal information by private citizens, nor does it guarantee overarching privacy protection for the individual. Companies need to consider alternate and multiple ways of protecting themselves in the event of a data breach, including ensuring they take out cyber-loss insurance coverage, as appropriate. Recent trends in cyber losses and insurance coverage suggest that organizations compare potential cyber exposures with those of traditional tangible property. iii Lawyers need to prepare their clients for the legal aftermath which may include consumer litigation, declaratory actions by insurers and crippling first party costs, such as forensics investigations, remediation and business interruption. Significant cyber losses have transformed cyber in to a Board issue. iv A comprehensive breach response road map may not only assist mitigate the adverse effects of third party legal costs and first party expenses, it can also help satisfy Board of Directors fiduciary duties under the Corporations Act 2001.

2 Australia Privacy Law: No Mandatory Breach Notification (Yet) The 12 March 2014 reforms to the Privacy Act 1988 (the Act) saw a slew of changes introduced, which consolidated the existing National Privacy Principles (NPPs) and Information Privacy Principles (IPPs) into a new set of Australian Privacy Principles (APPs). The new APPs significantly increased the powers of the Privacy Commissioner, as well as updating and amending the existing rights and obligations set out in the Act. Additional bills have been introduced, which would have required serious data breaches be notified, however the new bills have not yet passed for one reason or another. Notwithstanding this, we believe that lawyers should be alive to these potential developments and work with their clients to help mitigate the effects of privacy and security liabilities. Cyber Trends According to publicly available information v, network security and privacy incidents include the following material impacts. vi Date Breach Reported Entity Loss Estimate Records Impact (millions) Jun 2014 NYC Taxi & Limousine Commission Not Known 173M Oct 2013 Adobe Systems, Inc. Not Known 152M May 2014 ebay, Inc. Not Known 145M Jan 2009 Heartland Payments Systems $143M 130M Dec 2013 Target Brands, Inc. $200M 110M Jan 2007 TJX Companies Inc. $256M 94M Jun 2011 Sony $280M 77M Aug 2014 J.P. Morgan Not Known 76M

3 Sep 2014 Home Depot $62M 56M Mar 2012 Global Payments $125M 7M The losses are not limited to retailers and the incidents are not limited to the United States. The following network privacy and security incidents have occurred in Australia in the past few years: On the 21 February 2014, the Department of Immigration and Border Protection (DIBP) posted a database on its website which accidently contained the personal information of 10,000 asylum seekers. The Australian Information Commissioner (AIC) subsequently opened up an own motion investigation which found the DIBP had breached the Privacy Act vii Over a four month period from September 2012, a Global ID card solutions provider stored personal information of Maritime Security Identity Card holders on a publicly accessible server without appropriate security controls viii. In 2013, an Australian online dating site was hacked and had 42 million records exposed including names, addresses and unencrypted passwords ix. In May 2013, the personal information of over 15,000 Telstra customers was discovered to be publicly accessible through a Google search x. In April 2014, a security vulnerability in an Australian travel company s ticketing system meant that by typing in any series of digits into the web address used by passengers to download their own e-ticket would likely show another travellers name, itinerary and other personal information. xi In 2012, a number of financial services related websites were hit with a distributed denial-of-service attacks forcing them to shut down for a period of time xii. On November , the Australian Government launched a website Australian Cybercrime Online Reporting Network (ACORN) which allows people to report cybercrime incidents to law enforcement agencies for consideration and possible investigation xiii. Distribution and supply chain disruption, manufacturing downtime, cyberattacks on energy grids and defects in customer relationship management software could impact most entities across the globe. For example, MtGox, a Japanese Bitcoin exchange, faced 150,000 attacks per second prior to its $475 million breach earlier this year. Last year s hacks of two India-based payment processors of Bank of Muscat in Oman and RakBank in United Arab Emirates resulted in $45 million illegally withdrawn from A.T.M. s. The Korea Credit Bureau breach in January

4 2014 resulted in 20 million customers and 105 million files being compromised. The RBS Worldpay breach reportedly cost more than $85 million. In August 2014, 1.2 billion user names and passwords were compromised by a Russian crime ring. The below diagram xiv reflects the interdepencies between critical infrastructure and the reliance on information and communication technologies. Source: J. Peerenboom, R.Fisher and R.Whitfield Recovering from Disruptions of Interdependent Critical Infrastructures.

5 Companies in nearly all industries and of all sizes are adopting new technologies and utilizing information assets. Social media, mobile devices, cloud computing, third party outsourced Information technology vendors and big data analytics are supposed to increase sales, raise efficiency and decrease costs. However, we have found that such technology and information assets spout new exposure issues. Who is liable if a mobile application downloaded by an employee infects the company s computer network? What if the bad guys gain access to a large organization s computer network through a third party heating, ventilation and air conditioning vendor? Within this risk landscape, critical infrastructures, including public facilities, are also vulnerable to cyber attacks. With increasing levels of standardisation, complexity and connectivity, industrial control systems are at risk from attack by remote unauthorised access from anywhere in the world. For example, a Queensland Local Council experienced spillage from its sewage system into local parks and rivers when someone used a laptop and wireless network to hack into the water supply control system and opened the sluice gates. An important point to keep in mind is that new technologies and increased information assets create different exposures, but not necessarily worse risks. For instance, if ApplePay tokenization generates random numbers, which cannot be as easily utilized compared to the existing credit card magnetic stripe numbers, which can be skimmed and reused, then the new system may reduce exposures. If entities can prepare a comprehensive and accurate representation of their cyber risk management, there is greater possibility that diligent insurance carrier underwriters will offer wider coverage terms at lower premiums. In the aftermath of a network security and privacy incidents, companies are potentially exposed to the undesirable risks of facing a consumer class action, an insurer s denial of coverage under their insurance and/or shareholder actions against the Directors and Officers of the offending entity. To date, we have found that consumer class action litigation has not been very successful anywhere in the world. Most cases have ended up being dismissed for failure to state a claim because the consumers cannot prove actual damages. Consumers are generally not liable for fraudulent charges on their credit cards and the courts have held that speculative future damages are not compensable. Payment Card Industry Data Security Standard fines are another story, including more than $100 million in liability. Such PCI fines and penalties are collected by the card associations to offset the cost of the credit card issuing bank to cancel and reissue the compromised credit cards. The forensic, investigation, legal and remediation costs

6 to stop and fix a breach can be substantial and in many cases more than the defense and indemnity costs to defend litigation. When an entity provides notice to its property or general liability or crime insurance carrier after it suffers a cyber-breach, the insurance carrier can and (we find) often does deny the claim and files a declaratory judgment action in court against the very same entity (the insured) that paid insurance premiums. For example, on February 21, 2014, a New York court held that Zurich Insurance, which had filed a Declaratory Judgment action against its insured, Sony, was not liable to cover the massive Sony Playstation breach under a general liability policy: Zurich successfully argued that direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, are basic costs we would cover under our Security and Privacy Protection Policy. xv Then if a claim is filed, we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result. It s a Board Issue When the cyber loss numbers become material to an entity s financial statement, it is inevitable that cyber is becoming a board of director s issue. xvi Consider Australian organizations that are listed in the United States via American Depository Receipts. The U.S Securities and Exchange Commission got the ball rolling October 2011 when it issued guidelines regarding disclosure of cyber exposures. Additionally, The U.S. set forth the National Institute of Standards and Technology s Framework for Improving Critical Infrastructure in February Although the plaintiffs in high profile cases have not yet enjoyed success in shareholder litigation, the trend is to hold directors and officers responsible. Directors and officers must create a corporate culture that includes network security and privacy issues in enterprise risk management. It is not solely an IT issue it is an issue for the entire organization. In Australia, Directors should have particular regard to their duties of continuous disclosure and the duty of care and diligence under the Corporations Act. Monitoring and reviewing a company s risk management and data security policy would appear to be one of the steps that should be taken in discharging this duty. For organisations listed on the Australian Securities Exchange (ASX), there are additional obligations requiring them to notify the ASX of any information that a reasonable person would expect to have a material impact on its price or value.

7 Traps and Escape Hatches We have found that there is little standardization among the more than 60 insurers that write cyber insurance. Policy limits vary from a $1,000 limit add-on to a small business owners policy to more than $100 million in limits for large financial institutions, retailers and technology providers. Some insurance carriers include cyber breach response services within the insurance purchase, such as breach response coaching, cyber attorneys, forensics experts, credit monitoring and remediation. There is no such thing as a typical program and the structure can vary tremendously. In Australia, some insurers insist on retroactive date inception policies meaning that preexisting vulnerabilities are not covered under the policy. This limitation appears out of sorts with research which highlights that the average time from initial breach to detection is 210 days. xvii When it comes to cyber insurance, one size does not fit all so organisations need to consider their internal risk exposures and whether the policy appropriately responds to their unique industry exposures

8 Reinsurance Potential Additional Cyber Limits London Bermuda Bermuda U.S. EU Lloyd s U.S. or Certain Lloyd s of London U.S. or Certain Lloyd s of London U.S. or Certain Lloyd s of London $100M Total Standalone Cyber program for entities with revenue > $1 B, although one layer program with $5 MM or $10 MM total limits with single carrier is still most common U.S. or Certain Lloyd s of London Retention More important than the retention, limits, and premium is the policy wording itself. Typical exclusions include patents and trade secrets, refunds owed by the breached entity and liquidated damages, known network security vulnerabilities and unencrypted devices. A prudent insured will focus first and foremost on coverage issues. Unfortunately, in many placements we have reviewed, policyholders fail to identify their exposures or prioritize their coverage requirements. As a result, many critical coverage issues are often not negotiated, such as the following: Choice of Counsel and choice of third party outsourced vendors Prior Acts Coverage Delete exclusions for lack of patch upgrades/unencrypted data/device

9 Incident caused by a third party vendor Allocation of coverage between necessary remediation costs and relative upgrades Extra costs incurred due to complying with a government order to take (or not take) certain actions to stop the incident A recent global data protection survey xviii concluded that data loss and downtime cost Australian organisations over US$55 billion in the last twelve months. The survey also highlighted the biggest challenges for data protection in Australia was from big data, mobile and the use of hybrid clouds. With 31% of all primary data located in cloud storage and 58% of businesses lacking a disaster recovery plan, globally, Australia ranked in the bottom two categories of data protection maturity. As organizations continue to embrace technology, the range of exposures is evolving. Risk management best practices dictate that entities should consider cyber exposures and solutions in their future plans. The recent and continuing rise of cyber risk to the top of the boardroom agenda is primarily in response to the greater focus given to the issue by policymakers, regulators, law enforcement agencies and the investment community. We have found that they have all come increasingly to a view that cyber risk poses a significant and growing threat to the general public and almost every type of private and public organisation. Eric Lowenstein Client Manager Aon Risk Solutions Eric.lowenstein@aon.com Phone: (02)

10 Kevin P. Kalinich, Esquire Global Practice Leader Cyber Insurance Aon plc 2015 Aon Risk Services Australia Pty Limited ABN AFSL No (Aon) This article is for general informational purposes only and is not intended to provide individualized business or legal advice. The information contained herein was compiled primarily from sources that Aon considers to be reliable; however, Aon does not warrant the accuracy or completeness of any information herein. Should you have any questions regarding how the subject matter may impact you, please contact your legal, financial or other appropriate advisor. i It is estimated that total cyber insurance premiums in Australia for 2014 are between AUD$6m - AUD$8m according to internal Aon Global Risk Insight Platform data. ii Aon Cyber Risk Diagnostic Tool: iii The Risk Manager s Role in Mitigating Cyber Risk: iv Cyber Risk: Are Boards the New Target? v Sony vi vii viii ix x xi xii xiii xiv rrisk_solutions_in_emea.html xv Zurich American Insurance Co. v. Sony Corp., Index. No /2011 (N.Y. Supr. Ct. Feb. 21, 2014), xvi Cyber Risk: Are Boards the New Target? xvii xviii