CYBER RISK Threats, Loss Control, Liability & Claims

Transcription

1 CYBER RISK Threats, Loss Control, Liability & Claims Mark Greisiger, NetDiligence Chris DiIenno, Esq., Nelson Levine

2 MARK GREISIGER NETDILIGENCE Mark Greisiger leads NetDiligence, a Cyber Risk Management company. For the decade NetDiligence has been offering unique cybersecurity e-risk assessment services to organizations of all sectors. Their services supports the data risk management & compliance needs for many businesses. NetDiligence supports the loss control needs of many US and UK insurers that offer network liability coverage (aka 'privacy insurance'). Mr. Greisiger is also to a frequently published contributor for various insurance & risk management publications on similar topics.

3 CHRIS DIIENNO NELSON LEVINE Chris focuses his practice on privacy and data security issues. He works with insureds and clients to respond to losses or unauthorized disclosures of personally identifiable or protected health information and compliance with applicable state, federal and foreign laws. Chris assists insureds and insurers with the preparation of legally compliant data security policies and practical breach response plans. He also assists insureds in the defense of matters involving single plaintiff, class action and regulatory proceedings, and in the pursuit of indemnification from third parties whose actions may have given rise to breach of privacy and data security matters. Prior to practicing law, Chris served as the president of a website development and marketing company and also held the positions of office manager and assistant secretary to the Board of Directors of a Pennsylvania municipal waste authority. These roles provided invaluable experience in addressing electronic and internet data issues, preparing mass communications and collaborating with decision makers on major public communication projects.

4 DATA BREACH TRENDS Number of Incidents Source: Risk Based Security, Inc. February 2013 Data Breach QuickView Report

5 NETWORK SECURITY/DATA RISK DATA CREATES DUTIES What data do you collect, and why? Where is it? How well is it protected? Who can access it? When do you purge it? How do you purge it?

6 TECHNICAL CONSIDERATIONS Mark Greisiger 7/26/2013 6

7 WHY THE CONCERN? Malicious Threats Still Prevalent: Stealth Hackers, Malware, Extortionist; Rogue contractors; Disgruntled IT Staffer Non-Malicious (more often): Staff mistakes (lost laptop) Marketing Mishap: innocent customer data leaks Vendor leak Network Operation & Sharing Trends: Points of failure are multiplied due to trends of outsourcing computing needs (CLOUD) Massive dependencies & data-sharing between organizations Where is YOUR data? A data breach: it s not a matter of if but when

8 Current Events (sampling)

9 WHY THE PROBLEM? THE INTERNET S OPEN NETWORK Many organizations will collect/ store/share VAST private data! More data often collected than needed Data often stored for too long (no records retention limits) Websites are very porous & need constant care (hardening & patching). IDS (detection) is very weak: no matter size many co s learn of breach too late or not at all! Bad buys still rely on the prevalence of human error Unchanged default settings Missing patches Wide open laptop Customer records improperly disposed Guessable access 95% of all network intrusions could be avoided by keeping systems up-todate (CERT)

10 COMMON WEAK SPOTS PROBLEM 1) IDS or Intrusion Detection Software (Bad guy alert system) Studies show that 70% of actual breach events are NOT detected by the victimcompany, but by 3 rd parties (and many more go undetected completely). FTC and plaintiff lawyers often cite failure to detect Vast Data: companies IDS can log millions events against their network each month False positives: 70% PROBLEM 2) Patch Management Challenges: All systems need constant care (patching) to keep bad guys out. Complexity of networking environments Lack of time: Gartner Group estimates that IT Managers spend an average of 2 hours per day managing patches. PROBLEM 3) Encryption (of private data) Problem spans all sizes & sectors. ITRC (Identity Theft Resource Center): Only 2.4% of all breaches had encryption Issues: Budgets, complexities and partner systems Key soft spots: Data at rest for database & laptops (lesser extent) Benefits: Safe harbor (usually)

11 STRATEGIES FOR RISK MANAGERS PLAN FOR THE LOSS CFO must understand that data / network security is NEVER 100%... 4 Legs of Traditional Risk Mgmt: Eliminate: e.g. patch known exploits, encrypt laptops etc Mitigate: e.g. dedicated security staff; policies; IDS/ IPS; etc Accept: e.g. partner SLAs, capabilities (trusting their assurances) Cede: residual risk via privacy risk insurance Wide-Angle Assess Safeguard Controls Surrounding: People: they seem to get it Proper security budget and vigilant about their job! Processes/ Policies: enterprise ISO27002, HITECH ready; employee education/ training; change management processes, breach response plan etc. Technology: proven IDS/IPS capabilities, DLP solutions, hardened & patched servers (tested), full encryption of PII.

12 DUE DILIGENCE PROCESS Remote Cyber Risk Assessment (common to insurance industry) Step 1 Self-assessment: completed by client s IT security rep, this strives to gauge their industry security & privacy practices against a industry standard (ISO 27002) KEY CONCEPT Vigilance Layered safeguards Step 2 Phone call interview: Purpose is to flush out any red flag areas identified gather more details or to clarify a compensating control. Step 3 Document Review: verify key security policies e.g. enterprise security, privacy, BC/DR and 3rd party vendor assurances. Step 4 Network perimeter vulnerability scan test: ck SQL exploit in Web apps. See if internet facing servers are properly patched to deflect known exploits Step 5 Summary Report: These 4 tasks might be then pulled into composite report which strives to measure client s good faith practices to industry expected standards.

13 EXAMPLE SCREEN SHOT FROM NETDILIGENCE REPORT

14 ASSESSMENT VALUE Purpose: Showcase Risk management strengths Reaffirm reasonable safeguards Benchmark to Standards & Peers Good faith effort towards compliance with Regs Lessons learned from past loss/ incidents (are they now battle ready?) Cyber Risk Insurability Assessment Process should be collaborative Educate Risk Mgr or CFO about their own IT operations Wide-Angle: people/process & tech

15 CYBER RISK CLAIMS A review of industry losses paid out 2013 Study Mark Greisiger

16 HIGHLIGHTS OF FINDINGS PER BREACH COSTS Average cost $1.0 million (down from $3.7m in 2012) Note: Many ongoing claims in our sampling have not yet been paid. If we assume that, at a minimum, the SIR will be met, the average cost per incident is $3.5 million. Claim range $13K to $10.5 million Typical claim $25K to $400K PER RECORD COSTS Average cost per record $5.22 Average records lost 115K CRISIS SERVICES COSTS (forensics, legal counsel, notification & credit monitoring) Average cost of crisis services $364K LEGAL COSTS (defense & settlement) Average cost of defense $258K Average cost of settlement $88K Preliminary Findings 2013 Study

17 XL ERISK HUB Highly Specialized Cyber Risk Web Portal A comprehensive resource for: Prevention (pre-data breach) Recovery (post-breach)

18 XL ERISK HUB Incident Roadmap spells out the steps to take in the event of a breach and provides access to the XL Breach Coach News Center monitors breach events and trends Learning Center provides best-practices articles, white papers & on-demand webinars Risk Manager Tools help manage cyber risk more effectively erisk EXPERTS features qualified third-party providers of breach-related services HELPS ORGANIZATIONS PREVENT AND RESPOND TO PRIVACY VIOLATIONS AND DATA BREACHES

19

20

21 ARE YOU AT RISK? ASK YOUR TEAM: Has your firm ever experienced a data breach or system attack event? Does your organization collect, store or transact any personal, financial or health data? Do you outsource any part of computer network operations to a third-party service provider? Do you allow outside contractors to manage your data or network in any way? Do you partner with entities and does this alliance involve the sharing or handling of data? Does your posted Privacy Policy align with your actual data management practices? Has your organization had a recent cyber risk assessment of security/ privacy practices to ensure that they are reasonable and prudent and measure up with your peers? Studies show % of execs admitted to a recent breach incident Your security is only as good as their practices and you are still responsible to your customers The contractor is often the responsible party for data breach events You may be liable for a future breach of your business partners If not you may be facing a deceptive trade practice allegation Doing nothing is a plaintiff lawyers dream.

22 Legal Considerations: Chris DiIenno LEGAL CONSIDERATIONS Chris DiIenno 7/26/

23 REGULATORY EXPOSURES State level breach notice: 46 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI. Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies Notice due without unreasonable delay Some states allow private right of action for violations

24 REGULATORY EXPOSURES NEW JERSEY Any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security Requires notice to the Cyber Crimes Unit of the State Police (enforcement arm of the Attorney General) Notice to State Police must come before notice to any affected New Jersey residents (unique to NJ). Substitute notice allowed if cost exceeds $250,000 or number affected exceeds 500,000.

25 EVOLVING EXPOSURES VERMONT Notice to affected individuals within 45 days of breach discovery Notice to VT AG within 14 days of breach discovery or affected individual notice (whichever is sooner) CONNECTICUT Notice to CT AG not later than time when notice provided to Connecticut residents MASSACHUSETTS Written information security plan for businesses storing MA resident personal information NEVADA Data collectors doing business in NV to comply with PCI-DSS TEXAS Notice to affected individuals pursuant to law of individual s state of residence or, if none, then pursuant to TX

26 REGULATORY EXPOSURES HITECH ACT Extends HIPAA to business associates of HIPAA covered entities First national breach notification requirement > 500 HHS < 500 year end Permits state Attorneys General to enforce HIPAA

27 ANATOMY OF A BREACH RESPONSE FREEDOM OF INFORMATION Open access to public records can lead to inadvertent access to personally identifiable information Colorado municipality posts all permitting, licensing and land use applications online, accidently exposing thousands of SS#s and bank account information. New York municipality posts EMT employee benefits information exposing employees and their families PII. THE USUAL SUSPECTS Credit card information breaches (online or at municipality) Lost HR department laptops

28 ANATOMY OF A BREACH RESPONSE BREACH DISCOVERY EXPERTS Breach coach Forensics Public relations INVESTIGATION internal/forensic/criminal How did it happen When did it happen Is it still happening Who did it happen to What was accessed/acquired Encrypted/protected NOTICE OBLIGATIONS State Federal Other (i.e., PCI, FDIC, OCC) NOTICE METHODS Written Electronic Substitute Media DEADLINES Can be from 48 hours to without unreasonable delay INQUIRIES State regulators (i.e. AG, PD) Federal regulators (i.e. OCR) Federal agencies (i.e. SEC, FTC) Consumer reporting agencies LITIGATION Subrogation Class action

29 REGULATOR/COMPLIANCE COST BREACH COSTS Forensics vendor Notification vendor Call centers PR vendor ID theft insurance Credit monitoring ID restoration Attorney oversight PLANNING AND DATA MANAGEMENT Breach planning (Mass.) ID Theft monitoring (red flags) PCI DSS (Nevada and merchants) HIPAA

30 LITIGATION TRENDS SINGLE PLAINTIFF Identity theft Privacy GOVERNMENT ACTION Attorney General (Goldthwait, South Shore, Accretiv, Health Net) FTC (Choice Point, American United Mortgage) HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS) BANKS Cost of replacing credit cards Reimbursement of fraudulent charges Business interruption CLASS ACTION Failure to protect data Failure to properly notify Failure to mitigate NO VERDICTS... YET

31 DEFENSE ERODING Stollenwerk v. Tri West assert actual identity theft Krottner v. Starbucks Corp. increased risk of identity theft constitutes an injury-in-fact Anderson v. Hannaford alleged fraud in population and money spent in mitigation efforts sufficient (instead of time/effort) ITERA (Identity Theft Enforcement and Restitution Act) pay an amount equal to the value of the time reasonably spent In re Hannaford Bros. Data Security Breach Litigation does time equal money? No. But if there is fraud, credit monitoring damages may be due. ChoicePoint Data Breach Settlement FTC paid for time they may have spent monitoring their credit or taking other steps in response

32 COSTS LITIGATION Breach guidance Investigation Notification e-discovery Litigation prep Contractual review Defense (MDL?) PLAINTIFF DEMANDS Fraud reimbursement Credit card replacement Credit monitoring/ repair/ insurance Civil fines/ penalties Statutory damages (CMIA) Time

33 Empowered Senior Executive Talk to your IT Security folks. Gain an appreciation of the many challenges Not many Firms can say: how many records they have; what type of data is being collected, stored, shared, protected; where does all this data reside; when is it purged? Assess & test your own staff and operations Document your due care measures Insurance WHAT CAN BE DONE? PROACTIVE RISK MANAGER STEPS Red Flags, data security and breach response plans affirmative duties

34 CLOSING THOUGHTS MANY ORGANIZATIONS WILL SUFFER A DATA BREACH EVENT IN THE NEAR TERM. AND MANY HAVE ALREADY SUSTAINED BREACH BUT HAVE FAILED TO IDENTIFY IT

35 Thank you! Please contact me for our Claims Study report Mark Greisiger NetDiligence Chris DiIenno Nelson Levine de Luca & Hamilton