PRODUCT HIGHLIGHTS CYBER SECURITY LIABILITY Benefits of this Program Philadelphia Insurance Companies Cyber Security Liability program provides both First and Third Party coverage for numerous classes of business. Through eight (8) Insuring Agreements, a wide range of cyber liability exposures are addressed. Benefits Available on an admitted basis in most states via Philadelphia Indemnity Insurance Company (PIIC) paper, rated A++ by A.M. Best Policy limits up to $5,000,000 available Targeted classes of business include private or publicly traded companies, non-profit social service organizations, nursing homes, physician s practices, clinics, home health agencies, technology consultants, and many more Not a market for financial institutions, credit card processors, online gaming, for-profit entities over $250 million in annual sales Enterprise product solution providing both First and Third party coverages, including: 1. First Party Protection, wtih Loss of Digital Assets coverage, Non-Physical Business Interruption, Extra Expense, Cyber Extortion, Cyber Terrorism, and Security Event Costs 2. Third Party Protection with Network Security and Privacy Liability, Employee Privacy Liability, and Electronic Media Liability Coverages Coverage for damages to third parties caused by a breach of network security Coverage for loss resulting from administrative or operational mistakes - extends to acts of the employee, business process outsourcing (BPO) or outsourced IT provider Breach of Privacy coverage - includes damages resulting from alleged violations of HIPAA, state and federal privacy protection laws and regulations Coverage for expenses resulting from a breach of consumer protection laws such as the Fair Credit Reporting Act (FCRA), the California Consumer Credit Reporting Agencies Act (CCCRAA) and the European Union (EU) Data Protection Act Customer Notification Expenses Coverage (via sub-limit) - reimburses for costs to notify and provide 12 months of credit monitoring Coverage for acts of a rogue employee causing intentional damage to the insured s computer network Public Relations Expenses coverage available to repair insured s reputation as a result of a data breach Customer Notification Expenses include legal expenses, credit monitoring expenses, postage and advertising costs Privacy Breach definition extends to acts of the insured and acts of a service provider acting on behalf of the insured Most favorable venue wording for punitive or exemplary damages Definition of claim includes demand for monetary and non-monetary damages or request to toll applicable statutes of limitations Cyber Extortion reimbursement costs for a range of perils including a credible threat to introduce malicious code, pharm and phish customer systems or to corrupt, damage or destroy the Insured s computer system Electronic Media peril broadly defined to include infringement of domain name, copyright, trade name, slogan, service mark on internet or intranet site Interruption expenses include additional costs associated with rented/leased equipment, use of third party services, additional staff expenses or labor costs directly resulting from a covered Loss of Digital Assets claim Personally Identifiable Information (PII) broadly defined to include an individual s name in combination with social security number, driver s license number, account number, credit or debit card or any non-personal information as defined in any privacy regulation Knowledge provision includes President, Executive Officer, Chairman, Chief Information Officer, Chief Technology Officer, Risk Manager or General Counsel Crisis Management Enhancement Endorsement $25,000 limit for crisis management emergency response expenses incurred because of an incident giving rise to a crisis Documents Required for Proposal Completed, signed, and dated PHLY Cyber Security Liability application (a quotation can be provided from an acceptable and properly completed competitor application) Brochure and advertising material Latest annual audited financial statement Additional information may be required, depending on class of business and degree of computer security controls Service Clients are serviced by both our Home Office staff as well as our Regional Offices located throughout the country continues on next page...
CYBER SECURITY LIABILITY - continued Carrier These coverages are underwritten by Philadelphia Insurance Companies, rated A++ (Superior) by A.M. Best. Nationally recognized as a member of Ward s Top 50. Forbes Magazine has recognized PHLY as one of the 400 Best Big Companies in America Payment Terms Interest-free installments available for accounts that generate at least $2,000 in premium For more information about our products and services, please visit our website at
Focus on the things that Matter, We ll Handle the Risk! Benefits of this Program Philadelphia Insurance Companies Cyber Security Liability program provides both First and Third Party coverage for numerous classes of business. Through eight (8) Insuring Agreements, a wide range of cyber liability exposures are addressed. Benefits Available on an admitted basis in most states via Philadelphia Indemnity Insurance Company (PIIC) paper, rated A++ by A.M. Best Policy limits up to $5,000,000 available Targeted classes of business include private or publicly traded companies, non-profit social service organizations, nursing homes, physician s practices, clinics, home health agencies, technology consultants, and many more Not a market for financial institutions, credit card processors, online gaming, for-profit entities over $250 million in annual sales Enterprise product solution providing both First and Third party coverages, including: 1. First Party Protection, with Loss of Digital Assets coverage, Non-Physical Business Interruption, Extra Expense, Cyber Extortion, Cyber Terrorism, and Security Event Costs 2. Third Party Protection with Network Security and Privacy Liability, Employee Privacy Liability, and Electronic Media Liability Coverages Coverage for damages to third parties caused by a breach of network security Coverage for loss resulting from administrative or operational mistakes extends to acts of the employee, business process outsourcing (BPO) or outsourced IT provider Breach of Privacy coverage includes damages resulting from alleged violations of HIPAA, state and federal privacy protection laws and regulations Coverage for expenses resulting from a breach of consumer protection laws such as the Fair Credit Reporting Act (FCRA), the California Consumer Credit Reporting Agencies Act (CCCRAA) and the European Union (EU) Data Protection Act Customer Notification Expenses Coverage (via sub-limit) reimburses for costs to notify and provide 12 months of credit monitoring Coverage for acts of a rogue employee causing intentional damage to the insured s computer network Public Relations Expenses coverage available to repair insured s reputation as a result of a data breach Customer Notification Expenses include legal expenses, credit monitoring expenses, postage and advertising costs Privacy Breach definition extends to acts of the insured and acts of a service provider acting on behalf of the insured Most favorable venue wording for punitive or exemplary damages Definition of claim includes demand for monetary and non-monetary damages or request to toll applicable statutes of limitations Cyber Extortion reimbursement costs for a range of perils including a credible threat to introduce malicious code, pharm and phish customer systems or to corrupt, damage or destroy the insured s computer system Electronic Media peril broadly defined to include infringement of domain name, copyright, trade name, slogan, service mark on internet or intranet site Interruption expenses include additional costs associated with rented/leased equipment, use of third party services, additional staff expenses or labor costs directly resulting from a covered Loss of Digital Assets claim Personally Identifiable Information (PII) broadly defined to include an individual s name in combination with social security number, driver s license number, account number, credit or debit card or any non-personal information as defined in any privacy regulation Knowledge provision includes President, Executive Officer, Chairman, Chief Information Officer, Chief Technology Officer, Risk Manager or General Counsel Crisis Management Enhancement Endorsement $25,000 limit for crisis management emergency response expenses incurred because of an incident giving rise to a crisis Documents Required for Proposal Completed, signed, and dated PHLY Cyber Security Liability application (a quotation can be provided from an acceptable and properly completed competitor application) Brochure and advertising material Latest annual audited financial statement Additional information may be required, depending on class of business and degree of computer security controls Company Profile In operation since 1962, Philadelphia Insurance Companies designs, markets, and underwrites Commercial Property/Casualty, Personal Lines, and Professional Liability insurance products incorporating value added coverages and services for select markets. Nationally recognized as a premier niche underwriter, the Company has field offices strategically located nationwide to provide local service to our agents and policyholders. The Company has three underwriting divisions: Commercial Lines Management & Professional Liability Personal Lines Philadelphia Insurance Companies provides competitively priced policies, local service relationships, and differentiated coverage features designed to provide a win-win relationship with our customers. A.M. Best Rating The Company s two insurance subsidiaries are pooled for risk assumption and accumulated surplus. A.M. Best Company has assigned the insurance subsidiaries an A++ (Superior) rating. Standard & Poor s Assigned A+ for counterpart credit and financial strength. Ward s Nationally recognized as a member of Ward s Top 50 Benchmark group of Property/Casualty insurance companies for outstanding achievement in the areas of financial strength, claims performance, and consistently favorable underwriting results. Forbes Magazine Forbes Magazine has recognized Philadelphia Insurance Companies as one of the 400 Best Big Companies in America. Philadelphia Insurance Companies is the marketing name for the insurance company subsidiaries of the Philadelphia Consolidated Holding Corp., a Member of the Tokio Marine Group. Your insurance policy, and not the information contained in this document, forms the contract between you and your insurance company. If there is a discrepancy or conflict between the information contained herein and your policy, your policy takes precedence. All coverages are not available in all states due to state insurance regulations. Certain coverage(s) may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds and insureds are therefore not protected by such funds. 2007-2012 Philadelphia Insurance Companies, All Rights Reserved.
CLAIM SCENARIOS CYBER SECURITY LIABILITY The average cost of a data breach is $204 per lost record, with more than half of such costs attributable to lost customers and the associated public relations expenses to rebuild an organization s reputation. 1 The below examples illustrate situations in which the costs incurred to remediate a data breach were significant. Unauthorized Access An international computer hacking group gained access electronically to the computerized cash registers of a restaurant chain and stole credit card information of 5,000 customers, starting a flood of fraudulent purchases around the world. Theft of Digital Assets A regional retailer contracted with a third party service provider. A burglar stole two laptops of the service provider containing the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer - not the service provider - was required to notify affected individuals. Total expenses incurred for notification and crisis management to customers was nearly $5,000,000. Privacy Breach An employee of a rehabilitation center improperly disposed of 4,000 client records in violation of the center s privacy policy. The records contained social security numbers, credit and debit card account numbers, names, addresses, telephone numbers as well as sensitive medical information. The center settled the claim with the state of Massachusetts and agreed to pay fines and penalties imposed by the state as well as extend $890,000 in customer redress funds for credit monitoring on behalf of the victims. Theft of Digital Assets A home healthcare organization had backup tapes, laptops and disks containing social security numbers, clinical and demographic information, and in a small number of cases, patient financial data that was stolen. In total, over 365,000 patient records were exposed. The organization settled with the state attorney general, providing patients with free credit monitoring, credit restoration to patients that were victims of identity fraud, and reimbursement to patients for direct losses that resulted from the data breach. The organization was also required to revamp its security policies, implement technical safeguards and conduct random compliance audits. Human Error A non-profit community action corporation printed two 1099 forms on one piece of paper. An employee was supposed to separate the forms and send each to its rightful owner. Instead, one person received both copies. The mistake sent tax forms and social security numbers to strangers. Approximately 50% of the landlords who work with the community action corporation received their forms in addition to the private information of the others. Cyber Extortion Threat A U.S. based information technology company contracted with an overseas software vendor. The contracted vendor left universal administrator defaults installed on the company s server and a Hacker for Hire was paid $20,000 to exploit such vulnerability. The hacker advised if the requested payment was not made he would post the records of millions of registered users on a blog available for all to see. The extortion expenses and extortion monies are expected to exceed $2,000,000. Human Error An employee of a private high school mistakenly distributed via e-mail the names, social security numbers, birthdates and medical information of students and faculty creating a privacy breach. Overall, 1,250 individuals information was compromised. Malicious Code A juvenile released a computer worm directing infected computers to launch a denial of service attack against a regional computer consulting & application outsourcing firm. The infection caused an 18 hour shutdown of the entity s computer systems. The computer consulting & application outsourcing firm incurred extensive costs and expenses to repair and restore their system as well as business interruption expenses which totaled approximately $875,000. 1Ponemon Institute, 4/2009 Global Cost of a Data Breach Study. For all your cyber security liability insurance needs, please visit our website at Ed. 021012
PHYSICIAN/DENTAL PRACTICES Why would my practice need cyber/privacy insurance? A large majority of doctors and dentists are not aware that their standard insurance coverages (Malpractice, GL, Property) typically don t provide proper coverage for cyber and privacy liability. Most also don t know that they (along with their practice) have an exposure to cyber and privacy risk, especially given the presence of personal health information that they and their vendors have access to and the laws that exist to protect this. Any medical practice that Obtains social security numbers, personal health information, drivers license numbers, bank account numbers of patients Is in the process of going paperless or stores paper files Provides online access for payment Has a website Given our expertise in underwriting small to mediumsized companies insurance We recently developed a cyber product that: Is modular. You are able to pick and choose appropriate coverage lines Is on PHLY s admitted A++ paper Provides industry leading coverage for both 1st party and 3rd party exposures We can help you understand. At any point, a cyber underwriter can help explain the coverage to you, and/or your agent Information needed for a Non-Binding Indication: PHLY Cyber Application (online adobe fill-able) or PHLY Indication Application Financial Threats to Your Practice: Costs to comply with federal and/or state required notification. Data breaches in 2010 cost their companies an average of $214/ record.*ponemon Institute Study Various regulatory proceedings (including fines and penalties) as a result of a privacy breach, including alleged HIPAA violations. Patients/affected individuals suing your organizations for damages as a result of a privacy breach or network intrusion Business interruption expenses as a result of your network or server going down due to a denial of service attack or similar action Intellectual property/privacy lawsuits. These include libel/slander arising out of content that is on your internet or intranet sites Destruction to your brand as a result of a privacy breach (lost patients) Claim Scenarios for physicians/dentists: A physicians assistant brings a laptop home to update patient records. While on her way home, she stops at the grocery store and her car is broken into and the laptop is stolen. Files on the laptop contained patient names, social security numbers, dates of birth, addresses, phone numbers, and medical condition information In an effort to go paperless, employees organized medical information (to be shredded) and non-medical information (to be thrown out.) The person responsible for discarding the information inadvertently switched the two types of information and the medical information was thrown into an unsecured dumpster without being shredded. Personal information and personal health information of patients is compromised and those affected join a class action suit against the practice A hacker gained unauthorized access to a surgery center s computer system. The practice s failed to timely notify its patients whose personal health information was contained on the computer system. The practice suffered fines and penalties for not adhering to HIPAA laws and regulations A practices computer network is down for 4 days as a result of a Trojan horse attack and are unable to access billing software, appointment scheduler or patient files, resulting in a need to hire experts to come in and correct the system and get it back to where it was functioning A practice has a website and posts testimonials from patients. As a result of the practice not obtaining proper authorization to use one of the patient s comments, they are sued for invasion of privacy
HEALTH AND FITNESS ORGANIZATIONS Why Would My Gym Or Studio Need Cyber Liability Coverage? A large majority of gym owners are not aware that their standard insurance coverages (Commercial GL, Property, D&O, Crime) typically don t provide proper coverage for cyber liability. Most fitness instructors, gym personnel and risk managers don t know that they (along with their gym) have an exposure to cyber risk and how that exposure can pose a significant financial threat to their companies. Any gym or fitness studio that Obtains social security numbers, drivers license numbers, bank account numbers of clients or employees Has access to member health information Provides online personal training Is in the process of going paperless or stores paper files Provides online access for members Posts pictures or information about members online Given our expertise in underwriting Commercial Package, D&O & EPLI for the fitness industry We recently developed a cyber product that: Is modular. You and your agent are able to pick and choose appropriate coverage lines Is on PHLY s A.M. Best rated A++. paper in most states Provides industry leading coverage for both 1st party and 3rd party exposures We can help you understand. At any point, a cyber underwriter can help explain the coverage to an agent or Insured Information Needed for a Non-Binding Indication for current or prospective PHLY School customers: Annual Revenues and number of employees Financial Threats to Your Company: Costs to comply with federal and/or state required notification. Per individual, the average cost per record is estimated at $203 Regulatory proceedings (including fines and penalties) as a result of a privacy breach. This includes HIPAA violations Employees (instructors, facilities crew) and/or groups of affected individuals (current or former members) suing for damages as a result of a privacy breach Denial of service attack on your network, causing your computer system to go down and business interruption expenses Intellectual property/privacy lawsuits. These include libel/slander arising out of content that is on your internet or intranet sites Claim Scenarios Member information was on a gym employee s laptop that was stolen from her office. Membership files on the laptop contained names, social security numbers, bank account numbers, dates of birth, addresses, phone numbers, medical condition information for all members for the past 3 years Third-party vendor that hosted a gym s website experienced a security incident. Members who had online bill-pay set up may have had their names, dates of birth and credit card information accessed Yoga Studio s computer network is down for 4 days as a result of a Trojan horse attack and are unable to accept any monthly member fees, resulting in a need to hire experts to come in and correct your system and get it back to where it was functioning In an effort to go paperless, cleaning crew at a gym discards employee files in an unsecured dumpster. Personal information of all employees is compromised and those affected join a class action suit against the gym A Fitness Club holding a golf tournament posts information regarding the event on their website. They are sued by a golf company for copyright infringement as the club did not obtain permission to use their logo
HUMAN & SOCIAL SERVICE ORGANIZATIONS Why would my organization need Cyber Liability Coverage? A large majority of non-profit and social service executive directors, boards of directors and risk managers are not aware that their standard insurance coverages (Commercial GL, Property, D&O, crime) typically don t provide proper coverage for cyber liability. Most employees and IT professionals don t know that they (along with their organization) have an exposure to cyber risks and how that exposure can pose a significant financial threat to their institutions. Any Non-Profit or Social Service organization that Obtains social security numbers, drivers license numbers, bank account numbers of clients or employees Has access to patient medical records Is in the process of going paperless or keeps paper files onsite Provides online access to sensitive data Allows laptops or access to their network from a remote location Given our expertise in underwriting Commercial Package, D&O & EPLI for the social service industry and other non-profit institutions We recently developed a cyber product that Is modular. You and your agent are able to pick and choose the appropriate coverage lines Is on PHLY s admitted A++ paper in most states. Provides industry leading coverage for both 1st party and 3rd party exposures Helps you understand. At any point, a cyber underwriter can help explain the coverage to an agent or insured Information Needed for a Non-Binding Indication for current or prospective PHLY Customers: Annual revenues and number of employees. Financial Threats to Your Institution: Costs to comply with federal and/or state required notification. Per individual, the average cost per record is estimated at $203 Regulatory proceedings(including fines and penalties) as a result of a privacy breach. This includes HIPAA violations Employees (teachers, volunteers) and/or groups of affected individuals(alumni, current students, parents) suing for damages as a result of a privacy breach Denial of service attack on your network, causing computer system to go down and business interruption expenses Intellectual property/privacy lawsuits. These include libel/slander arising out of content that is on your internet or intranet sites Claim Scenarios for Non-Profit Organizations Client information was on a case manager s laptop that was stolen from her office. Files on the laptop contained patient names, social security numbers, dates of birth, addresses, phone numbers, medical condition information and case information Third-party vendor that hosted a foundation s website experienced a security incident. Customers who donated to the organization may have had their names, dates of birth and credit card information accessed Adult day care s computer network is down for 4 days as a result of a Trojan horse attack and are unable to provide any services as a result. There is a need to hire experts to correct their system and get it back to where it was functioning In an effort to go paperless, cleaning crew at a HIV awareness organization discards all employee files in an unsecured dumpster. Personal information of all employees is compromised and those affected join a class action suit against the non-profit Animal shelter holding a golf tournament posts information regarding the event on their website. As a result of the shelter not getting permission to use a golf company s logo, they are sued for copyright infringement
VETERINARIAN PRACTICES Why would my practice need Cyber Liability Coverage? A large majority of veterinarians are not aware that their standard insurance coverages (Malpractice, GL, Property, Crime) typically don t provide proper coverage for cyber and privacy liability. Most vets also don t know that they (along with their practice) have a significant exposure to cyber risk and how that same exposure can pose a significant financial threat to their practice(and them as individuals). Any veterinarian practice that Obtains social security numbers, drivers license numbers, bank account numbers of clients Has access to pet health information Uses an online appointment system Is in the process of going paperless or stores paper files Provides online access for payment Posts pictures or information about pets and/or parents online Given our expertise in underwriting low-premium business We recently developed a cyber product that: Is modular. You and your agent are able to pick and choose the appropriate coverage lines Is on PHLY s admitted A++ paper in most states Provides industry leading coverage for both 1st party and 3rd party exposures We can help you understand. At any point, a cyber underwriter can help explain the coverage to an agent or Insured Information Needed for a Non-Binding Indication for current or prospective PHLY customers: One page Cyber Indication sheet Financial Threats to Your Company: Costs to comply with federal and/or state required notification. Data breaches in 2010 cost their companies an average of $214/ record.*ponemon Institute Study Regulatory proceedings (including fines and penalties) as a result of a privacy breach. Pet owners suing your organizations for damages as a result of a network or security breach Denial of service attack on your network, causing your computer system to go down and business interruption expenses Intellectual property/privacy lawsuits. These include libel/slander arising out of content that is on your internet or intranet site Claim Scenarios for veterinarians: Patient health records were on an employee s laptop that was stolen from her office. Pet records on the laptop contained names, health records, addresses and diagnoses for all pets treated in the last 3 years. Third-party vendor that hosted a veterinarian s website experienced a security incident. Patient parents who had online bill-pay set up may have had their names, dates of birth and credit card information accessed. State notification is required. Veterinarian s computer network is down for 4 days as a result of a Trojan horse attack and are unable to accept any new appointments; resulting in a need to hire experts to come in and correct your system and get it back to where it was functioning In an effort to go paperless, cleaning crew discards employee files in an unsecured dumpster. Personal information of all employees is compromised and those affected join a class action suit against the practice. A Veterinarian holds a 5K walk to benefit a local animal shelter. They post information regarding the event on their website. They are sued by a dog food company for copyright infringement as the veterinarian did not obtain permission to use their logo
RELIGIOUS ORGANIZATIONS Why would my religious organization need Cyber or Privacy Coverage? A large majority of deacons, pastors and rabbis are not aware that their standard insurance coverages (Commercial GL, Property, D&O, crime) typically don t provide proper coverage for cyber liability. Most employees, volunteers and IT professionals don t know that they (along with their organization) have an exposure to cyber risks and don t understand how that exposure can pose a significant financial threat to their organizations. Any religious organization that Accepts online donations Maintains a social networking page Obtains credit card numbers, drivers license numbers, social security numbers or medical histories of its congregation Posts pictures or personal information on the church s website Provides streaming webcasts of their services Allows pastors to maintain a blog Given our expertise in underwriting Commercial Package, D&O & EPLI for Religious institutions and other non-profit organizations We recently developed a cyber product that Is modular. You and your agent are able to pick and choose the appropriate coverage lines Is on PHLY s admitted A++ paper in most states Provides industry leading coverage for both 1st party and 3rd party exposures Helps you understand. At any point in the process, a cyber underwriter can help explain the coverage to an agent or Insured Information Needed for a Non-Binding Indication for current or prospective PHLY customers: Annual revenues and number of employees Financial Threats to Your Institution: Defense costs for intellectual property lawsuits. These include libel/ slander arising out of content that is on your internet or intranet sites Costs to comply with federal and/or state required notification. Per individual, the average cost per record is estimated to be well over $200 Regulatory proceedings (including fines and penalties) as a result of a privacy breach Employees (pastors,office personnel or volunteers) and/or groups of affected individuals (members of your congregation, Sunday school students, parents) suing for damages as a result of a privacy breach Lost income as a result of your online donation service or network going down Claim Scenarios for Religious organizations Synagogue s website developer accidentally uploads personal information of congregation onto their external internet site. Information included social security numbers, addresses, and names. Synagogue is required to notify all affected individuals Pastor s blog on the church s website makes an offensive remark regarding a former congregation member. That former member takes note and files lawsuit for defamation/slander A religious hacktivist attacks the network of a nationwide religious institution because he disagreed with their politically charged blog. As a result, their entire computer network (email, website & congregation information) is down for 4 days Church is sued by songwriter for copyright infringement and royalties due when they post an audio file on their social media site. The suit alleges the content was released without the songwriter s permission Priest has laptop stolen from his car while at his nephew s softball game. Laptop contained names, credit card information & total amount of donations of all church donors. Church is required to notify all affected individuals
PRIVATE, ACADEMIC, VOCATIONAL AND CHARTER SCHOOLS Why Would My School Need Cyber Liability Coverage? A large majority of school principals, boards of directors and headmasters are not aware that their standard insurance coverage (Commercial GL, Property, D&O, Crime) typically doesn t provide proper coverage for cyber liability. Most principals, teachers and IT professionals don t know that they (and their organization) have an exposure to cyber risks and how those risks can pose a significant financial threat to their organizations. Any School that Obtains social security numbers, drivers license numbers, bank account numbers, medical histories of students Posts student pictures or personal information on the school s website. Provides online access to student grades or other sensitive data Sells, donates or recycles computers Allows laptops to be removed from the school premises. Given our expertise in underwriting Commercial Package, D&O & EPLI for Schools and other non-profit institutions We recently developed a cyber product that Is scalable. You and your agent are able to pick and choose appropriate coverages for your enitity On PHLY s admitted A++ paper in most states Provides industry leading coverage for both 1st party and 3rd party claims Information Needed for a Non-Binding Indication for current or prospective PHLY School customers: Annual revenues and number of employees Financial Threats to Your Institution: Costs to comply with federal and/or state required notification. Per individual, the average cost per record is estimated at $203 Regulatory proceedings (including fines and penalties) as a result of a privacy breach Employees (teachers, volunteers) and/or groups of affected individuals (alumni, current students, parents) suing for damages as a result of a privacy breach Denial of service attack on your network, causing computer system to go down and business interruption expenses Intellectual property/privacy lawsuits. These include libel/slander arising out of content that is on your internet or intranet sites Claim Scenarios School Athletic director has laptop stolen from her car. Laptop contained names, social security and health information for all athletic participants for that year Charter school network is down for 4 days as a result of a Trojan horse attack and are unable to hold any classes without their network School posts photos of students without their consent and the pictures are construed by their parents as inappropriate. Parents bring suit against the school as a result In an effort to go paperless, school janitors discard all employee files in an unsecured dumpster. Personal information of all employees is compromised and those affected join a class action suit against the school