Privacy Liability & Data Breach Management
Nikos Georgopoulos
1st Athens Privacy & Data Breach Management Conference
N.G. Privacy Liability Insurance Presentation to Athens 1st Privacy & Data Breach Management Conference, March 2014
Contents
- Information Age
- The Personal Data Stolen Market
- Data Breach Causes
- Data Breach Costs per record and country
- Greek Market Vs Global Market Security Incidents
- Directive On Network and Information Security
- Data Breach Reactive Management
- Risk Management Issues
- Privacy Liability and Data Breach Insurance Claims
- Target Case Study
- Top 5 List of Businesses Misconceptions
- The Data Breach Toolkit
- More Information
Information Age
The Market of Stolen Personal Information
Large and sophisticated black market with shockingly low prices for personal information (supply > demand):
- Credit card information (name, billing address, card number, CVV2 code, and expiration date) = $1.50 to $3.00 per file.
- Social security numbers = $1 to $6 per number, depending on availability of corresponding date of birth and/or mother's maiden name.
- Online banking log-in details = $50 to $1,000.
See RSA Anti-Fraud Command Center, RSA Online Fraud Report, August 2010: ww.rsa.com/solutions/consumer_authentication/intelreport/11068_online_fraud_report_0810.pdf
Data Breach Causes
The Average per Capita Cost of Data Breach
2013 Cost of Data Breach Study (global), Ponemon Institute Research Report
The Average per Capita Cost of Data Breach per Industry
2013 Cost of Data Breach Study (global), Ponemon Institute Research Report
Greek Market Vs Global Market Security Incidents
PWC Information Security Survey 2013
[Chart: share of companies by number of security incidents (None, 1 or 2, over 3, N/A) for Eurozone, China, Germany, Greece, Italy, Spain, UK]
Greek companies do not report Security Incidents
Directive On Network and Information Security
The Commission extends the obligation to report significant cyber incidents, beyond Internet and Telecommunications providers, to:
- Key Internet companies (e.g. large cloud providers, social networks, e-commerce platforms, search engines)
- Banking sector and stock exchange
- Energy (e.g. electricity and gas)
- Transport (operators of air, rail and maritime transport and logistics)
- Health
Obligation to notify Customers
Breach notification within 24 to 72 hours to the local regulator
Data protection officers for 250+ employee firms
Fine: up to 100m or 5% of global annual turnover
Data Breach Reactive Management
Data Breach Consequences
-21%: The average diminishing value of the brand as a direct result of such an incident would be 21%, according to the survey.
11.8 months: the average time it will take to restore an organization's reputation following such an incident.
Risk Management Issues: Privacy (Cyber) Risks
Risk Management Issues: Privacy (Cyber) Insurance
Insure Intangible Assets
http://www.youtube.com/watch?v=4cn5dwpkyla
Cyber Liability and Data Breach Insurance Claims 2012
Percentage of Breaches by Cause of Loss
- Hacker: 23%
- Lost Laptop / Devices: 19%
- Other: 17%
- Rogue Employees: 10%
- Theft: 9%
- Staff Mistake: 7%
- Third Party Contractors: 7%
- Malware / Virus: 5%
- Paper Records: 3%
NetDiligence Report 2012, Cyber Liability and Data Breach Insurance Claims
Cyber Liability and Data Breach Insurance Claims 2013
NetDiligence Report 2013, Cyber Liability and Data Breach Insurance Claims
Target Privacy (Cyber) Liability Insurance
- 100 Million Customers Had Info Stolen
- 17-year-old created malware used in Target breach
- Target has $100M of Cyber Insurance
- 6 insurance companies
- $10 million deductible
- $61 million data breach costs
- $17 million data breach costs reported due to data breach insurance
- Target Contractor is responsible for Data breach
http://www.privacyrisksadvisors.com/case-studies/
Target Data Breach Insurance
Data breach insurance covers the costs to:
- hire a computer forensics investigator to determine how the breach occurred and what data was exposed,
- hire a data privacy attorney to help navigate the various U.S. State (and international) data privacy laws,
- send notification letters to the affected customers,
- offer a one-year credit monitoring service to the customers affected as well as a dedicated call center to answer any customer questions,
- hire a public relations firm to help with the media,
- pay for customer damages due to identity theft as well as defense costs in the event there's a lawsuit due to their data breach, and
- pay for privacy regulatory defense and, where insurable by state law, regulatory fines and penalties.
http://www.privacyrisksadvisors.com/case-studies/
Top 5 List of Businesses Misconceptions
- Every Data Breach is covered by General Liability Policy
- Our Employees would never act maliciously and know how to protect our data
- Our Information is well-protected by our IT consultants
- The Cost to respond to a data breach is very low
- Most Data Breaches happen to Big Companies
The Data Breach Toolkit
www.privacyrisksadvisors.com
Cyber Risks Advisors
Nikos Georgopoulos
www.privacyrisksadvisors.com
Cyber Risks Advisors Linkedin Group
Mob. 6948 365033
Email: georgopoulosn@ath.forthnet.gr
Diversified Experience in Insurance, Asset Management and Banking
19 years' experience in Financial Sector
- 8 years in Insurance: Alternative Channels Sales Manager, Generali Hellas
- 5 years in Asset Management: Marketing Director, ALPHA TRUST Asset Management Company
- 5 years in Banking: XIOSBANK
Education
- ALBA Professional MBA
- BS Physics, University of Patras