New Developments in Cyber Security & Data Breaches San Diego, California May 2014

Transcription

1 New Developments in Cyber Security & Data Breaches San Diego, California May 2014 Sharon Lyon John Mullen NetDiligence Lewis Brisbois Bisgaard & Smith Claire Lee Reiss NLC-RISC

2 John F. Mullen, Sr. John F. Mullen Sr. is the Managing Partner of the Philadelphia regional office and Chair of the US Data Privacy & Network Security Group at Lewis Brisbois Bisgaard & Smith law offices. Mr. Mullen concentrates his practice on first- and third- party privacy and data security matters, and serves as a data breach coach/advisor. Mr. Mullen is well-versed in the complex state, federal, and international rules and laws governing data collection and storage practices and breach response obligations. Mr. Mullen has been on the forefront of developing the cyber market in the insurance industry, and continues to assist insurers, brokers, risks managers, underwriters, product specialists and professional claims personnel navigate this rapidly-developing territory.

3 NETWORK SECURITY/DATA RISK DATA CREATES DUTIES What data do you collect, and why? Where is it? How well is it protected? Who can access it? When do you purge it? How do you purge it?

4 WHY THE CONCERN? Malicious Threats Still Prevalent: Stealth Hackers, Malware, Extortionist; Rogue contractors; Disgruntled IT Staffer Non-Malicious (more often): Staff mistakes (lost laptop) Marketing Mishap: innocent customer data leaks Vendor leak Network Operation & Sharing Trends: Points of failure are multiplied due to trends of outsourcing computing needs (CLOUD) Massive dependencies & data-sharing between organizations Where is YOUR data? A data breach: it s not a matter of if but when

5 ARE YOU AT RISK? ASK YOUR TEAM: Has your firm ever experienced a data breach or system attack event? Does your organization collect, store or transact any personal, financial or health data? Do you outsource any part of computer network operations to a third-party service provider? Do you allow outside contractors to manage your data or network in any way? Do you partner with entities and does this alliance involve the sharing or handling of data? Does your posted Privacy Policy align with your actual data management practices? Has your organization had a recent cyber risk assessment of security/ privacy practices to ensure that they are reasonable and prudent and measure up with your peers? Your security is only as good as their practices and you are still responsible to your customers The contractor is often the responsible party for data breach events You may be liable for a future breach of your business partners If not you may be facing a deceptive trade practice allegation Doing nothing is a plaintiff lawyer s dream.

6 REGULATORY EXPOSURES State level breach notice: 47 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI. Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies Timing requirements vary Some states allow private right of action for violations

7 EVOLVING EXPOSURES VERMONT Notice to affected individuals within 45 days of breach discovery Notice to VT AG within 14 days of breach discovery or affected individual notice (whichever is sooner) KENTUCKY Became 47 th state with breach notification law in April 2014 TEXAS Notice to affected individuals pursuant to law of individual s state of residence or, if none, then pursuant to TX MASSACHUSETTS Written information security plan for businesses storing MA resident personal information NEVADA Data collectors doing business in NV to comply with PCI-DSS CALIFORNIA address and PW = pii Strict health information protection

8 REGULATORY EXPOSURES HITECH Act Extends HIPAA to business associates of HIPAA covered entities First national breach notification requirement > 500 HHS < 500 year end Permits state Attorneys General to enforce HIPAA Final Rule is now law of the land: Privacy and Security Rules now apply to Business Associates; Impermissible disclosure is now presumed to be a breach; Business Associates now directly liable to HHS

9 ANATOMY OF A BREACH RESPONSE Freedom of Information Open access to public records can lead to inadvertent access to personally identifiable information Colorado municipality posts all permitting, licensing and land use applications online, accidently exposing thousands of SS#s and bank account information. New York municipality posts EMT employee benefits information exposing employees and their families PII. The usual suspects Credit card information breaches (online or at municipality) Lost HR department laptops

10 ANATOMY OF A BREACH RESPONSE BREACH DISCOVERY EXPERTS Breach coach Forensics Public relations INVESTIGATION internal/forensic/criminal How did it happen When did it happen Is it still happening Who did it happen to What was accessed/acquired Encrypted/protected NOTICE OBLIGATIONS State Federal Other (i.e., PCI, FDIC, Insurance Regulators) NOTICE METHODS Written Electronic Substitute Media DEADLINES Can be from 48 hours to without unreasonable delay INQUIRIES State regulators (i.e. AG, PD) Federal regulators (i.e. OCR) Federal agencies (i.e. SEC, FTC) Consumer reporting agencies LITIGATION Subrogation Class action

11 REGULATOR/COMPLIANCE COST BREACH COSTS Forensics vendor Notification vendor Call centers PR vendor ID theft insurance Credit monitoring ID restoration Attorney oversight PLANNING AND DATA MANAGEMENT Breach planning (Mass.) ID Theft monitoring (red flags) PCI DSS (Nevada and merchants) HIPAA

12 LITIGATION TRENDS SINGLE PLAINTIFF Identity theft Privacy GOVERNMENT ACTION Attorney General (Goldthwait, South Shore, Accretiv, Health Net) FTC (Choice Point, American United Mortgage) HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS) BANKS Cost of replacing credit cards Reimbursement of fraudulent charges Business interruption CLASS ACTION Failure to protect data Failure to properly notify Failure to mitigate NO VERDICTS... YET

13 DEFENSE ERODING Stollenwerk v. Tri West assert actual identity theft Krottner v. Starbucks Corp. increased risk of identity theft constitutes an injury-in-fact Anderson v. Hannaford alleged fraud in population and money spent in mitigation efforts sufficient (instead of time/effort) AvMed class action settlement approved where no proof of actual fraud or monetary loss ITERA (Identity Theft Enforcement and Restitution Act) pay an amount equal to the value of the time reasonably spent In re Hannaford Bros. Data Security Breach Litigation does time equal money? No. But if there is fraud, credit monitoring damages may be due. ChoicePoint Data Breach Settlement FTC paid for time they may have spent monitoring their credit or taking other steps in response

14 COSTS LITIGATION Breach guidance Investigation Notification e-discovery Litigation prep Contractual review Defense (MDL?) PLAINTIFF DEMANDS Fraud reimbursement Credit card replacement Credit monitoring/ repair/ insurance Civil fines/ penalties Statutory damages Time

15 WHAT CAN BE DONE? PROACTIVE STEPS Empowered Senior Executive Talk to your IT Security folks. Gain an appreciation of the many challenges Not many Firms can say: how many records they have; what type of data is being collected, stored, shared, protected; where does all this data reside; when is it purged? Assess & test your own staff and operations Document your due care measures Insurance Red Flags, data security and breach response plans affirmative duties

16 The Value of Pre-Planning Data Breach Response How NLC-RISC is Helping Members Address Cyber Risk Management Sharon Lyon on behalf of NetDiligence

17 About NetDiligence 13+ years supporting the cyber liability insurance industry. As a loss control service, we now directly support the vast majority of cyber liability insurance markets. We conduct hundreds of risk assessments per year on organizations of all sizes & sectors. We support majority of insurers and their insured clients with post data breach crisis support via erisk Hub Sampling of insurers that we support: ACE Aegis AIG Arch Argo Aspen Axis Barbican Beazley Brit Chubb Cuna Mutual Endurance Hiscox HSB Ironshore Kiln Liberty Markel National League of Cities One Beacon Philadelphia Principia QBE RLI Travelers USLI Vela XL Zurich

18 Example Breach Claims ABC City Cause: Malware Number of records affected: 2,126 Type of data lost: tax info CLAIM COST: Forensics: $200,000 Notice: $6,300 Credit: $0 Legal Guidance (crisis response): $109,000 Total Claim: $315,000 ($148 per record) XYZ Town Cause: Exposed paper files (by vendor) Number of records: 1200 Type of data lost: PII CLAIM COST: Forensics: $0 Notice: $20,000 Credit: $2,000 Legal Guidance (crisis response): $100,000 Total Claim: $122,000 ($102 per record)

19 How Does Pre-planning Help? By pre-planning the response to an inevitable breach event, which includes identifying experienced third-party vendors for specific post-breach services, your organization can: Reduce the cost to respond (crisis services) Shorten the response timeline

20 Claim Payouts for Crisis Services in thousands 1,200 1, K K 728K Average Cost K Median Cost K 195K 204K 102K (preliminary) Based on findings from annual NetDiligence Cyber Liability & Data Breach Insurance Claims study

21 Timeline of a Breach OCTOBER LOSS NOVEMBER MGMT AWARE INSURER & COACH FORENSICS FORENSICS NOTICE PREP 48 Days (used to take 60+ days) PR ISSUED & NOTICES SENT VICTIM INQUIRIES STATE AG

22 + + +YOU

23 + + +YOU A One-Stop-Shop for Data Breach Services Homepage gives you a place to speak directly to pool members Incident Roadmap spells out the steps to take in the event of a breach (including accessing Breach Coach ) Risk Manager Tools help manage cyber risk more effectively Vendors/Experts directory features qualified third-party providers of breach-related services News Center monitors breach events and trends Learning Center provides best-practices articles, white papers & ondemand webinars Search makes it easy to find specific information

24 Cyber Risk Management

25 Help for a Suspected Breach

26 Breach Coach

27 Tools and Calculators

28 Awareness

29 Education

30 Third-Party Assistance

31 Thank you! Mark Greisiger NetDiligence

32 Speaker Contact Information John Mullen Managing Partner, Philadelphia Regional Office Chair of the National Data Privacy and Network Security Practice Lewis Bisbois Bisgaard & Smith Sharon Lyon President Lion s Share Marketing Group slyon@lionsshare.com