Data security: A growing liability threat




Data security breaches occur with alarming frequency in today's technology-laden world. Even a comparatively moderate breach can cost a company millions of dollars in emergency response costs, lawsuit defense and settlements, and fines and penalties. Lawsuits may be filed by customers, business partners and shareholders, with plaintiffs joining together in class action suits to press their claims. The release of non-public personal information may violate data privacy laws and lead to investigations and enforcement actions by regulatory and law enforcement agencies. The damage to a company's reputation following a data security breach is hard to quantify and even harder to restore.

Consider the following recent example of a security breach of private data. Heartland Payment Systems, which provides bank card payment processing services (about 100 million transactions per month) to 250,000 merchants and businesses nationwide, was notified of suspicious activity by Visa and MasterCard. Apparently, when consumers used their debit cards, software had been capturing information about the transactions, including the cardholder name and card number, exposing tens of millions of debit cardholders to fraud. After being alerted to a possible security breach, Heartland found evidence of malicious software that compromised card data as it crossed the company's network. Notably, the first indication of the intrusion came from the card brands' fraud monitoring rather than from Heartland's own controls. This data security breach is alleged to have begun in 2007, but it was not discovered by the company until 2008 and not disclosed to the public until January 2009. Since the breach was disclosed, Heartland has been bombarded with lawsuits by consumers and credit card issuers. A securities class action suit filed by shareholders alleges that executives violated securities laws, made false and misleading statements regarding the breach and failed to disclose material adverse facts.
Through March 2009, Heartland had recorded $12.6 million in costs associated with the intrusion, including a fine assessed by MasterCard, as well as costs associated with remediating the intrusion and notifying customers. What is especially alarming for Heartland's directors and officers is what has happened to the company's share price since the security breach was reported in the New York Times on January 20, 2009. Before the article was published, shares in Heartland Payment Systems were trading at $15.44. The day the article was published, shares declined 8.16 percent to close at $14.18. Over the next two days the shares declined an additional 42.31 percent to close at $8.18 on January 22. On February 24, Heartland announced earnings that missed analysts' estimates for fiscal 2008 and the fourth quarter, and disclosed that it might incur losses from the recent security breach of its systems but could not estimate the amount of those losses. On that news, shares declined 30.12 percent to close at $5.34 on February 24. The class action alleges a decline of 80 percent ($21.84 per share) from a high of $27.19 on September 19, 2008.[1] Some of the decline in share price can be attributed to the tremendous turmoil in the financial markets in the fall of 2008. Exactly how much of the decline is attributable to the data security breach remains to be answered.

[1] As of the date of this paper, August 24, 2009, Heartland Payment Systems' share price closed at $12.50.

The outcome of the Heartland securities class action suit and the other lawsuits should be closely followed to see how liability is assessed and allocated for a massive security breach. The alleged hacker, Albert Gonzalez, who has been charged in the Heartland criminal case, also was charged and is awaiting trial for breaching TJX's data systems. Questions sure to be raised in this case include how the breach of data security could have gone undetected for so long and whether management used all available tools to prevent such a breach. Furthermore, management's response to the crisis, including how quickly and effectively consumers and business partners were notified and what steps were taken to mitigate further damage, undoubtedly will be an important consideration.

Heartland Payment Systems reportedly was compliant with the security requirements of the credit card industry, known as the Payment Card Industry Data Security Standard (PCI DSS). Whether compliance with standards provides a shield against liability, however, remains to be seen. Two points about the standard are worth keeping in mind. A PCI DSS assessment attests that controls were in place at a point in time; it is not evidence that those controls remained effective, or that the network was being monitored for intrusions, over the months the malicious software ran. And PCI DSS requires encryption of cardholder data in transit only across open, public networks, so card data moving unencrypted inside a processor's own network could be captured by malware without producing any assessment finding.

This is just one example of the many data security breaches occurring daily. In fact, since January 2005, according to privacyrights.org, more than 250 million records containing sensitive personal information have been involved in security breaches in the United States.

Data security and privacy regulations

The privacy and security of non-public personal data first became an issue of significant concern in the 1960s and 1970s. With the emergence of the internet, however, came unprecedented new possibilities for widespread loss and abuse of personal information. Around the world, data protection concerns have led to legislation affecting every company operating in the global marketplace. Until the late 1990s, legislative attempts to address these issues were based largely on sector-specific legislation and self-regulation. The introduction of sweeping European Union (EU) legislation in recent years, and the subsequent upsetting of the international status quo on the treatment of personal data, have altered standards of privacy and data protection. An understanding of the differences in regulation that exist between industries and countries, as well as the potential liabilities for the misuse or improper handling of personal information, is now essential for any company operating in the global online marketplace.

The protection of personal information in the US

The United States has no single comprehensive privacy protection law. Rather, several laws address particular situations, such as healthcare data (HIPAA), financial data (the Gramm-Leach-Bliley Act), credit information (the Fair Credit Reporting Act), and information obtained from children (the Children's Online Privacy Protection Act). Another federal law that touches upon data privacy and security issues is the Electronic Communications Privacy Act, which principally addresses government surveillance but also includes provisions (the Stored Communications Act, Title II of ECPA) concerning access to private computerized messages by third parties without legitimate authorization. Yet another law is the Computer Fraud and Abuse Act, which prohibits accessing a computer without authorization to obtain certain types of information. The Computer Fraud and Abuse Act also prohibits knowingly accessing a computer with the intent to defraud and thereby obtaining anything of value.

As of August 2009, 45 states and the District of Columbia have enacted laws that require companies to notify consumers when there is a breach of security involving non-public personal information. There are currently no breach notification laws in Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. New regulations are emerging seemingly daily. As part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, recently enacted Red Flag Rules require creditors and financial institutions to implement programs to provide for the identification, detection and response to patterns, practices, or specific activities, known as "red flags," that could indicate identity theft. Each knowing violation of this law can result in a civil penalty of up to $2,500.

Data privacy laws are also becoming more onerous. Massachusetts is set to implement the strictest data protection rules in the country. This law will require notification of a security breach and provide for the implementation of security freezes. The law will also allow for triple damages, payment of defense costs and other costs. The rule, once set for implementation on January 1, 2010, has been pushed back to accommodate the concerns of small businesses. Finally, to demonstrate the spreading breadth of data privacy compliance, even the American Recovery and Reinvestment Act (ARRA) of 2009 (the Stimulus Act) mandates, through its HITECH Act provisions, additional data breach notification requirements for certain types of companies, including HIPAA covered entities, their business associates and vendors of personal health records.

The protection of personal information in the EU

The EU has taken a global leadership position in setting and enforcing standards for the protection of private data. The Data Protection Directive of 1995 (Directive 95/46/EC) and the more recent Directive on Privacy and Electronic Communications of 2002 (Directive 2002/58/EC) emphatically state that EU residents are entitled to a right to privacy. The 2002 Directive builds on the privacy protections contained in the 1995 Directive, which defines personal data as "any information relating to an identified or identifiable natural person," that is, one who "can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." In the US, medical and financial records are protected under separate legislation, while most other private information acquired online does not have legal protection. The EU centrally supervises the private sector's use of personal data. A proposed amendment to the Directive on Privacy and Electronic Communications would mandate security breach notification. European regulators remain vigilant about data security breaches. In July 2009, the UK's Financial Services Authority (FSA) fined three HSBC Holdings PLC firms a total of £3 million ($4.9 million) for failing to protect customers' confidential information, the highest fine ever imposed by the FSA for data security breaches.

Costs associated with data security breaches

Data security breaches can result in large losses from a number of sources. Companies need to consider the full range of costs associated with data security breaches, which can include:

- Costs of notice to consumers and government authorities, which can average $30 to $140 per notice to each consumer;
- Credit monitoring services;
- ID theft coverage;
- Defense costs and damages;
- Expenses to secure compromised networks and assess damages;
- Costs of compliance with government investigations; and
- Fines for violation of laws (e.g., HIPAA, GLBA, FCRA).

Loss of trust and other reputational damages can also have significant top-line and bottom-line impact. In extreme cases it can be ruinous. Lawsuits by customers, business partners and shareholders can result in tens of millions of dollars in settlements. For example, a well-publicized case involved the parent company of T.J. Maxx and Marshalls (TJX), in which payment card information belonging to at least 45.7 million customers was obtained by hackers. TJX has reached settlements with private plaintiffs as well as the FTC. TJX has reported that the cost of the breach may total as much as $256 million.

Coverage for data breaches under standard property and casualty insurance policies

Security breaches via hacking, phishing, pharming, unauthorized internal access and the inadvertent disclosure of non-public personal information are all circumstances that can lead to legal exposure. Potential causes of action resulting from data security breaches may include increased risk of identity theft, actual or attempted identity theft, violation of consumer protection statutes, negligence, breach of contract, breach of fiduciary duty and even fraud. A company's standard property and casualty insurance policies may provide some coverage in the event of a data security breach, but specialized cyberliability coverages may be worth exploring and evaluating. The following types of insurance policies may provide some coverage for data security breaches and resulting claims:

1. First-party property policies typically cover all risk of loss or damage to covered property. However:
   a. Some policies may have exclusions for certain causes of damage to systems; and
   b. The policy may need to be endorsed to cover computer equipment and electronic data.

2. Third-party liability policies, such as Commercial General Liability (CGL) policies, provide coverage to a company when it is sued. Provisions in CGL policies may provide coverage for some types of lawsuits triggered by a data security breach. However:
   a. Some policies may exclude personal or advertising injury arising out of knowingly violating the rights of another, and/or personal or advertising injury arising out of publication of material that violates a person's right of privacy;
   b. Damage to personal property in the care, custody or control of the insured is usually excluded; and
   c. Some policies exclude coverage for electronic data.

3. Errors and Omissions (E&O) policies cover wrongful acts committed in the insured's performance of professional services. However:
   a. Whether there is coverage for data security breaches depends upon the policy's definition of the covered professional services.

4. Directors and Officers Liability (D&O) insurance provides coverage for directors and officers, and usually coverage for the entity, for wrongful acts committed in their capacity as directors and officers of the insured organization. However:
   a. Organization coverage may be limited to securities claims; and
   b. D&O policies typically contain exclusions for intentional acts and property damage.

Of all the standard property and casualty insurance coverages, D&O policies may be the most exposed to large claims arising from a data breach. As incidents of data security breaches rise, so does the impact, financial and reputational, to companies. Directors and officers are increasingly a target for lawsuits by shareholders looking to hold management responsible for losses incurred by a company and loss of shareholder value. Exposure for directors and officers may arise if they have not responded appropriately to prepare for, respond to, and finance the cost of a data security breach. Additionally, once a breach occurs, directors and officers may be targeted by shareholders if it is believed that the financial consequences of the breach were not fully disclosed in a timely manner. Relevant principally to public companies, the corporate governance rules of the Sarbanes-Oxley Act of 2002 require that company directors and officers evaluate and maintain an effective internal control environment. This responsibility may be interpreted as including regular evaluation of an organization's procedures for data security to ensure the company is protected against unauthorized breaches.

Cyberliability insurance: data breach coverage

As a backstop to data security technology, data breach insurance coverages have been introduced. Data breach coverage is still relatively new, and terms can vary materially from one carrier to another. However, policies have become both more comprehensive and more focused as insurers have come to better understand the risk landscape of cyberspace, as well as the specific business needs of their customers. Additionally, meaningful limits of liability are now available, which was not the case only a few years ago. Insurers offer property and theft (first-party) coverage and liability (third-party) coverage related to privacy and data security. Some insurers also offer crisis management benefits (including hiring a public relations team), customer notification expense coverage and risk management services. Data breach coverages also may be bundled with complementary cyberliability coverages for events such as unauthorized access to or use of an insured's computer system, alteration or destruction of electronic data, and denial of service attacks.

Conclusion

As the world becomes increasingly reliant on new technologies, utmost care must be taken to ensure that the private data entrusted to companies is protected. Almost every company maintains transaction and customer information on computers, and a great many companies transact at least a portion of their business electronically. Consequently, the vast majority of companies are exposed to electronic data security breaches. When non-public personal data is inadvertently released, a company faces civil litigation, regulatory inquiries, fines, penalties and even criminal investigation. It is imperative to consider the consequences of a data security breach before it happens and to prepare for the likely event that a company will be the victim of an unauthorized release of non-public personal information at some point in the near future.

The financial consequences of a data breach can be enormous, sometimes even devastating, but most companies have relied almost exclusively on technological solutions to manage the risk. The market for data security insurance is growing, with increasingly sophisticated products, higher policy limits and competitive pricing. Combined with a growing awareness at many companies that data security should not be exclusively an IT issue, these developments will eventually make cyberliability insurance products a standard part of data security risk management strategies.

This report was produced by Advisen Ltd. Advisen integrates business information and market data for the commercial insurance industry and maintains critical risk analytics and time-saving workflow tools for over 530 industry-leading firms. Advisen combines the industry's deepest data sets with proprietary analytics to offer unique insights into risk and insurance. For more information, visit http://www.advisen.com.

For more information, contact: Zurich, 1400 American Lane, Schaumburg, Illinois 60196-1056, 800 382 2150, www.zurichna.com

This fact sheet is intended as a general description of certain types of insurance and services available to qualified customers through the companies of Zurich in North America. It is not an insurance contract. The insurance policy is the contract that specifically and fully describes coverage. The description of the policy provisions gives a broad overview of coverages and does not revise or amend the policy. We make no guarantee of results and assume no liability in connection with the information, methods or suggestions contained in this fact sheet. Insurance coverages are underwritten by member companies of Zurich in North America, including Zurich American Insurance Company. Certain coverages are not available in all states. Some coverages may be written on a nonadmitted basis through surplus lines brokers. © 2009 Zurich American Insurance Company