Insurance for Data Breaches in the Hospitality Industry

Transcription

1 The Academy of Hospitality Industry Attorneys The Pl Palmer House Hilton Chicago, IL April 25, 2014 Insurance for Data Breaches in the Hospitality Industry Presenters: David P. Bender, Jr. Michael J. Stoner (805)

2 Disclaimer The views expressed by the participants in this program are not those of the participants employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.

3 Presentation Agenda Cyber Risks Facing The Hospitality Industry What are the risks? What is the magnitude of exposure? Traditional Insurance Policies Cyber Policies What do they purport to cover? Where arethe pitfalls? How do I respond? Questions

4 Cyber Risks Cyber Risks include a broad range of risks arising out of your computer systems, cloud based computing systems, information technology systems, and virtual reality. Cyber Risks includes data breaches by hackers and rogue employees, data loss, cyber vandalism, accidental malware downloads, DDOS attacks, cyber extortion, business interruption. Cyber Risks change with ever evolving technologies, hacker tactics, and employee sophistication.

5 Classifying Cyber Risks First Party Losses Network Damage Loss of Data Business Interruption Customer Notification Credit Monitoring Public Relations Cyber Extortion Payments Third Party Liabilities Data/Privacy Breach Lawsuits Media Liability Lawsuits Regulatory Investigations By Government Regulators

6 Is The Hospitality Industry At Risk? Hospitality Industry and Food and Beverage Industry often rank among the most targeted industries for cyber attacks. That s where the credit card information is. Willie Sutton, the hacker A 2013 Study ranked the Food & Beverage Industry #2, and the Hospitality Industry #3, for the most compromised industries for cyber attacks. Approximately 33% of cyber attacks targeted these two industries.

7 What Makes A Hotel An Attractive Target For Hackers? Multiple swipes of the credit card at multiple locations increases hacker opportunity. Easy access of network through internet service provided to guests. Hackers can be onsite without raising suspicions. Large number of employees and vendors increases security risk. ik No dedicated population of customers. Centralized credit card processing systems used in the industry. Industry does not consider itself a target.

8 Who Is Responsible For A Data Breach? 41% of data breaches in the United States are caused by malicious or criminal attacks. 33% of data breaches in the United States are caused by the negligence of an employee or a contractor of the target. 29% of data breaches in the United States are caused by system glitches involving i IT and business process failures.

9 How Expensive Is A Data Breach? The average total organizational cost of a data breach in the United States was measured at $5,403,644. That figure is broken down as: $3,030,814 in lost business costs $1,412,548 in response costs $565,020 in notification costs $395,262 in detection and escalation cost

10 How Expensive Is A Data Breach Experts have identified seven factors which influence the cost consequence of a data breach. The factors include: Doyou have an incident management plan? What is your security posture at the time of the incident? Who is responsible for your enterprise data dt protection? ti How did the data breach occur? How quickly did you notify victims and regulators? Did the incident involve a lost or stolen device? Was a consultant engaged to remediate the data breach?

11 How Expensive Is A Data Breach? Criminal Attack $277 per record Employee Negligence $174 per record System Glitch $159 per record

12 Don t I Already Have Insurance? Comprehensive e egeneral e Liability policies cover oral or written publication in any manner of material that violates a person s right of privacy, but does that include hacking events? Netscape v. Federal Insurance Co. Zurich hamerican Insurance Co. v. Sony Corporation of America New exclusions coming for claims arising out of access to, or disclosure of, personal or confidential information.

13 Don t I Already Have Insurance? Commercial Property Insurance? D&O and E&O? Crime Coverage?

14 Summary of Cyber Exposures Network Security Liability Privacy Liability Media Liability Regulatory Liability Breach Response / Crisis Management Data Recovery Business Interruption Cyber Extortion Exposure Category Notification / Legal Expense Credit Monitoring Expense Forensic Investigations Public Relations Technology Services/Products & Professional Errors & Omission Liability Description Promises liability coverage if an Insured's Computer System fails to prevent a Security Breach or a Privacy Breach Promises liability coverage if an Insured fails to protect electronic or nonelectronic information in their care custody and control Promises coverage for Intellectual Property and Personal Injury perils the result from an error or omission in content (coverage for Patent and Trade Secrets are generally not provided) Promises coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws 1st Party expenses to comply with Privacy Law notification requirements ; In many instances goodwill notification; Legal Advisory 1st Party expenses to provide up to 12 months credit monitoring 1st Party expenses to investigate a system intrusion into an Insured Computer System 1st Party expenses to hire a Public Relations firm 1st party expenses to recover data damaged don an Insured dcomputer System as a result of a Failure of Security 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security Payments made to a party threatening to attack an Insured's Computer System in order to avert a cyber attack Technology Products & Services and Miscellaneous E&O can be added to a policy when applicable

15 Risk Considerations For Dt Data Breach hexposures Limits Deductible/Retention Sub Limits for Investigation and Response First Party or Third Party Losses Claims Made or Occurrence Policy Duty to Defend Cause of Data Breaches Point of Attack kfor Data Breaches Onsite or Offsite Limitations

16 What do I disclose? Potential Landmines: The Application Subsidiaries Supplier Relationships Record Volume Any matters likely to lead to a loss or a claim. Material misrepresentations can void coverage. Insurance companies argue that everything is material.

17 Who is an Insured? What is a Claim? What are Damages? Potential Landmines: Who is an Employee? The Definitions Who is a Hacker? What is a Data Breach?

18 Potential Landmines: The Exclusions Wild Virus Bodily Injury and Property Damage Mechanical Failure Contractual t lliability Acts of an Executive Patents/Trade Secrets Insured v. Insured Spam Unauthorized Data Collection Prior Notice

19 Potential Landmines: Timing Issues Choice of Law and Venue Proof of Loss Notice of Occurrence Notice of Claim No Prejudice Rule vs. Notice Prejudice Rule Contractual Limitations Periods

20 Potential Landmines: Coverage Litigation Issues Relatively New Area For Coverage Issues Dearth of Precedent Inconsistent Policy Language Between Cases Lack of Uniformity Discovery Disclosures Sensitive Data, Customer Information, Network Security Blueprints Privilege Issues

21 Questions?

22 Thank You Anderson Kill David P. Bender, Jr. Michael Stoner