Network Security and Privacy Liability: How to Prepare for a Cyber Breach


Wells Fargo Insurance Services Risk Series Seminar presents: Network Security and Privacy Liability: How to Prepare for a Cyber Breach
July 18, 2012

Panelists:
- Melissa Krasnow, Dorsey & Whitney
- Anne De Vries, Digital Risk Managers (a division of Wells Fargo Special Risks, Inc.)
- Ryan Wakeham, NetSPI
- Mario Paez (Moderator), Wells Fargo Insurance Services Professional Risk Group

This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.

Agenda
- Network Security and Privacy Risk Overview: What Are the Threats?
  - Data Breach Facts & Figures
  - Data Security and Privacy Threats
  - Costs if Threats Are Realized
- Network Security and Privacy Risk Legal Discussion
  - Legislation is driving exposure!
  - Expanding laws: which should be carefully considered?
- Network Security and Privacy Risk Management
  - Outsourcing Risk and Vendor Management
  - Data Breach Preparation and Response
- Digital Risk Management: Insurance Coverage Issues

Some High Profile Breaches
- Radisson Hotels announced unauthorized access to company computer systems, resulting in access to the personal information of an unknown number of guests.
- Vermont ski area Okemo reported a data breach; data from more than 46,000 credit/debit transactions was compromised.
- Hannaford Bros: the supermarket chain reported a breach of its computer system exposing 4.2 million credit and debit card numbers, with over 1,800 cases of resulting fraud already reported.
- Pfizer revealed its third data breach in three months, this time affecting the personal information of an estimated 34,000 people.
- Disney Movie Club: an employee of a company that processes DMC transactions was caught trying to sell customer credit card information.
- Fidelity National Information Services admitted that personal information on 2.3 million people had been illegally removed from its database. The breach occurred at Certegy Check Services.
- Neiman Marcus: a stolen computer held personal data on nearly 160,000 employees.
- TJX: an unauthorized intruder gained access to 46 million customers' information.
- Starbucks Corp. lost laptops holding private information on 60,000 employees.

Some Data Breach Facts & Figures
The 2011 Cost of Data Breach Study by Symantec and The Ponemon Institute revealed the following:
- The average cost per breached record was $194, with roughly 1/3 of this cost being direct expenses and the rest indirect costs (customer churn / productivity).
- The average total cost of a breach for the companies included in the study was $5.5 million.
- Malicious attacks (from outside) and negligent insiders remain the top 2 causes of data breach.
- 41% of data breaches were caused by a third party vendor; this includes protected data in the hands of outsourcers, cloud providers and business partners.
- 39% of companies had data breaches that involved lost or stolen devices, such as laptops, tablets, smart phones and USB drives that contained confidential and sensitive information.
- Only 22% of organizations surveyed indicated that this was their first security breach.
- 37% engaged consultants to assist with their data breach response and remediation.

Most Prevalent Threats Relating to Data Security and Privacy
- Unauthorized access/use of information or networks: from outsiders (hackers), from insiders (rogue employees), or from unknown sources
- Viruses, worms or other malware
- Hardware theft/loss (laptops, PDAs, storage media)
- Disruption of network traffic (DDoS attacks)
- HUMAN ERROR
- Increasing use of social media

Why Is This a Problem?
- The Internet is an open network
- Many companies have a transactional website; also, many web-facing applications are poorly coded
- Businesses collect and store private customer data
  - More data collected and stored than is needed
  - Stored for too long or improperly stored
- Business servers (websites) are often very porous and need constant care (hardening & patching)
- Tools that help hackers are readily available and shared on the Internet at no cost to malicious attackers
- Bad guys rely on the prevalence of human error:
  - Poor passwords
  - Unchanged default settings
  - Lack of a tested back-up process
  - Poor patch management
  - Inadequate use of encryption
  - Failure to properly dispose of paper records

Data Security and Privacy Events: Impacts and Costs
Tangible costs of a data breach:
- Lost revenue: impact on availability of breached networks, or lost business linked directly to customers fleeing to a safer environment (competitors).
- Lost productivity: costs for lost employee or contractor time and productivity diverted from other usual tasks.
- Crisis management costs: public relations expenses, consumer breach notification, credit/identity monitoring expenses, forensics.
- Defense and other legal costs for ensuing third party claims and regulatory action, including fines and penalties.
- Total cost of data breach: $194 per record*

*Source: Ponemon Institute, LLC 2011 Annual Study: Cost of a Data Breach

Data Security and Privacy Events: Impacts and Costs
Intangible costs of a data breach:
- Damage to brand / reputation / customer trust
- Abnormal customer churn rate: impact on growth from inability to retain customers or difficulty in acquiring new customers.
  - Average customer churn rate following a data breach was 3.2%.*
  - In a related survey of over 9,000 consumers who had received breach notifications, 60% said that they had terminated or had considered terminating their relationship with the company.
- Loss of competitive edge

*Source: Ponemon Institute, LLC 2011 Annual Study: Cost of a Data Breach

Data Security and Privacy Events: Impacts and Costs
Third party claims arising from a network event:
- Failure to protect customer information/privacy
- Failure to notify / untimely notification
- Cost to cancel or reissue payment cards / open new accounts (financial institutions)
- Costs of fraudulent purchases
- Consumer redress: credit and identity monitoring / restoration
- Regulatory actions: defense as well as fines and penalties

State breach notification laws
- Most states, including Minnesota, have breach notification laws
- They cover personal information, meaning a name plus any of:
  - social security number
  - driver's license number
  - financial account information (e.g., credit card, bank account, etc.)
  - in some cases, health information
- 2012 amendments to state breach notification laws (e.g., California, Connecticut, Illinois, Texas, Vermont)
- Calls for a national breach notification law

Enforcement of state breach notification laws varies
- State attorney general enforcement in Minnesota
- Private right of action in California
- Administrative fines in Florida

Massachusetts privacy regulation
- Covers any entity (regardless of whether it is in Massachusetts) with access to Massachusetts resident personal information
- A written information security program (WISP) must be implemented:
  - encryption of personal information transmitted wirelessly and stored on portable devices
  - a third party service provider to an entity must, by contract provision, implement and maintain appropriate security measures for personal information

Massachusetts privacy regulation (continued)
- Documentation of actions taken in response to an incident involving a breach, and mandatory post-incident review to make changes in business practices for protection
- Reporting a breach to the Massachusetts attorney general (which is required under the Massachusetts breach notification law) could trigger an investigation of the reporting entity, including a requirement that the entity submit its WISP for review
- Massachusetts attorney general privacy enforcement actions

State social security number laws
- Could be implicated in a breach involving social security numbers

Federal HIPAA / HITECH Act breach notification
- Applies to covered entities and business associates
- Covered entity means (i) a health plan, (ii) a health care clearinghouse or (iii) a health care provider
- Business associate means a person that (i) on behalf of a covered entity, performs an activity involving use or disclosure of individually identifiable health information, or (ii) provides legal, actuarial, accounting, consulting, management, administrative, accreditation or financial services for the covered entity involving the disclosure of individually identifiable health information from the covered entity to the person

Federal HIPAA / HITECH Act breach notification (continued)
- Protected health information means individually identifiable health information relating to health care treatment, a health condition or payment for the provision of health care
- Covered entity notification: to each individual; to the U.S. Department of Health and Human Services (if the breach involves more than 500 individuals); and to a prominent media outlet (if the breach involves more than 500 residents of a state or jurisdiction)
- Business associate notification: to the covered entity
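The state-law definition of personal information (a name plus one of the listed identifiers) and the HIPAA/HITECH thresholds above are the two tests a response team applies first when sizing a breach. The triage script below is an added example, not part of the Dorsey & Whitney deck; the record layout, the sample data and the `health_counts_states` parameter (which states treat health information as personal information is left as a configuration assumption, since the slides only say "in some cases") are constructed for illustration.

```python
"""Breach notification triage using the definitions stated in the slides.

Added example, not from the original deck.  Two rules are encoded:
  * State breach notification laws: "personal information" is a name plus
    any of SSN, driver's license number, financial account information and,
    in some states (assumed here, configurable), health information.
  * HIPAA/HITECH: a covered entity notifies each individual; notifies HHS
    when more than 500 individuals are involved; and notifies a prominent
    media outlet for each state/jurisdiction with more than 500 residents.
The ExposedRecord layout and build_sample() data are constructed.
"""
from collections import Counter
from dataclasses import dataclass

HHS_INDIVIDUALS_THRESHOLD = 500   # "more than 500 individuals"
MEDIA_RESIDENTS_THRESHOLD = 500   # "more than 500 residents of a state"


@dataclass(frozen=True)
class ExposedRecord:
    name: str
    state: str                     # two-letter state of residence
    ssn: bool = False
    drivers_license: bool = False
    financial_account: bool = False
    health_info: bool = False


def is_personal_information(rec: ExposedRecord, health_counts: bool = False) -> bool:
    """State-law test: a name plus at least one covered identifier."""
    if not rec.name:
        return False
    covered = [rec.ssn, rec.drivers_license, rec.financial_account]
    if health_counts:
        covered.append(rec.health_info)
    return any(covered)


def state_notification(records, health_counts_states=()) -> dict:
    """Map each state to the number of residents who must be notified."""
    counts = Counter()
    for rec in records:
        if is_personal_information(rec, rec.state in health_counts_states):
            counts[rec.state] += 1
    return dict(counts)


def hipaa_notification(records) -> dict:
    """Apply the HIPAA/HITECH notification tiers to records holding PHI."""
    phi = [rec for rec in records if rec.health_info]
    residents_by_state = Counter(rec.state for rec in phi)
    return {
        "individuals": len(phi),                       # each one is notified
        "notify_hhs": len(phi) > HHS_INDIVIDUALS_THRESHOLD,
        "media_notice_states": sorted(
            st for st, n in residents_by_state.items()
            if n > MEDIA_RESIDENTS_THRESHOLD),
    }


def build_sample():
    """Constructed breach population (not real data)."""
    recs = [ExposedRecord(f"mn-patient-{i}", "MN", health_info=True) for i in range(520)]
    recs += [ExposedRecord(f"ca-customer-{i}", "CA", financial_account=True) for i in range(300)]
    recs += [ExposedRecord(f"tx-patient-{i}", "TX", health_info=True) for i in range(10)]
    recs += [ExposedRecord(f"contact-{i}", "MN") for i in range(5)]   # name only: not PI
    return recs


if __name__ == "__main__":
    sample = build_sample()
    print("state notification counts:", state_notification(sample, {"TX"}))
    print("HIPAA tiers:", hipaa_notification(sample))
```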

Enforcement of the federal HIPAA / HITECH Act
- U.S. Department of Health and Human Services enforcement
- Civil penalties
- Criminal penalties
- State attorneys general also can bring civil actions
- No private right of action

International Privacy Laws
- Countries throughout the world continue to adopt privacy laws
- Information crosses country borders
- Data breaches can be global
- Canada: Alberta Personal Information Protection Act security breach notification

PCI DSS: Payment Card Industry Data Security Standard
- A security standard that requires all merchants to enforce critical protective measures:
  - security management policies and procedures
  - network architecture
  - software design
- Helps organizations proactively protect customer account data
- Developed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
- Now governed by the independent PCI Council

Outsourcing: Benefits vs. Risks
Benefits:
- Companies can achieve growth and tremendous cost savings by outsourcing business practices (i.e. call centers, payroll, credit card processing) or technology
- Companies can hand the management of technology to another party
Risks:
- The company must ensure that the outsourcer complies with all applicable laws
- Transferring control of company processes, IT functions and DATA reduces the ability to control or monitor the services and security
- Agreements must require the outsourcer to implement changes in laws and maintain adequate security, privacy and confidentiality of customer information
- Although your outsourcer is maintaining the information on your behalf, you as the data owner are responsible for breach notification and other liabilities

The Security Issues of Outsourcing
- Specific regulatory requirements for third party contracts (i.e. GLBA, HIPAA, PCI DSS)
- Agreement on security policies and procedures
- The need for regular compliance audits or third party certification; monitoring and enforcement to ensure that the service provider is meeting contractual obligations
- Disaster recovery, business continuity and incident response plans
- Issues related to off-shoring: multi-jurisdictional risk and transborder data flow
- Allocation of risk and insurance

Outsourcing: Benefits vs. Risks: Making a Move to the CLOUD
Many companies, especially smaller ones, are transitioning from upfront IT investment to sleeker, more affordable hosted systems. But with this new business model comes new risks.
Cloud benefits:
- Reduced upfront IT costs
- Reduced maintenance and staffing
- Ability to scale systems up or down on demand
- Access to data from anywhere with an Internet connection
Cloud risks:
- Lack of control: reliance on faith that information is protected. One-sided contracts.
- Data movement/availability issues: inability to recover all data in the event of an outage. Also international law considerations.
- Data aggregation: cloud providers become targets for hackers. Move from anonymity to headliner.

Who is Behind Data Breaches?
- 98% stemmed from external agents (+6%)
- 4% implicated internal employees (-13%)
- <1% committed by business partners (no change)
- 58% of all data theft tied to activist groups
How do Breaches Occur?
- 81% utilized some form of hacking (+31%)
- 69% incorporated malware (+20%)
- 10% involved physical attacks (-19%)
- 7% employed social tactics (-4%)
- 5% resulted from privilege misuse (-12%)
Source: Verizon's 2012 Data Breach Investigations Report

What Commonalities Exist?
- 79% of victims were targets of opportunity (-4%)
- 96% of attacks were not highly difficult (+4%)
- 94% of all data compromised involved servers (+18%)
- 85% of breaches took weeks or more to discover (+6%)
- 92% of incidents were discovered by a third party (+6%)
- 97% of breaches were avoidable through simple or intermediate controls (+1%)
- 96% of victims subject to PCI DSS had not achieved compliance (+7%)
Source: Verizon's 2012 Data Breach Investigations Report

Industry Groups Represented by % of Breaches
[chart; values not recoverable from the transcription]
Source: Verizon's 2012 Data Breach Investigations Report

Industry Groups Represented by % of Breaches: Larger Organizations
[chart; values not recoverable from the transcription]
Source: Verizon's 2012 Data Breach Investigations Report

Threat Agents Over Time by % of Breaches
[chart; values not recoverable from the transcription]
Source: Verizon's 2012 Data Breach Investigations Report

Motive of External Agents by % of Breaches
[chart; values not recoverable from the transcription]
Source: Verizon's 2012 Data Breach Investigations Report

Threat Action Categories Over Time by % of Breaches (and % of Records)
[chart; category labels and most values not recoverable from the transcription]
Source: Verizon's 2012 Data Breach Investigations Report

Hacking Methods by % of Breaches
[chart; values not recoverable from the transcription]
Source: Verizon's 2012 Data Breach Investigations Report

Role of Organization Size on Variety of Data Compromised
[chart; percentages not recoverable from the transcription; data varieties shown:]
- Trade secrets
- Sensitive organizational data
- System information
- Personal information
- Bank account numbers/data
- Classified information
- Medical records
- Copyrighted/trademarked material
- Authentication credentials
- Payment card numbers/data
Source: Verizon's 2012 Data Breach Investigations Report

What are the biggest risks?
- Flaws in custom web application code
  - Ubiquitous
  - Attackers can circumvent controls to access data in the application or access the backend systems
- Lack of security processes / standards
  - Weak configurations allow for easier exploitation (e.g., password guessing)
- Weak security awareness training
  - Social engineering targets the end user
  - People are always one of the weakest links

Where should efforts be focused?
Smaller organizations:
- Change default credentials
- Implement a regular patching process
- Ensure that only necessary services are allowed through your firewall
- If you rely on third parties for the above, make sure they've done them
Larger organizations:
- Eliminate unnecessary data, systems, etc.
- Implement secure development processes
- Engage in periodic assessments to identify weaknesses and then remediate
- Monitor your environment (log and audit)
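"Only necessary services are allowed through your firewall" is the one item on that list that can be checked mechanically, whether you run the firewall or a third party does. The audit below is an added example, not code from the presenters; it parses rules in `iptables-save` format (the rule set and the allowlist of needed services are constructed for the example, and only the IPv4 INPUT chain is considered) and reports every accepted service the business has not declared necessary, plus a missing default DROP policy.

```python
"""Audit an iptables INPUT chain against an allowlist of necessary services.

Added example, not part of the original deck.  Input is iptables-save text;
SAMPLE_RULES and NEEDED_SERVICES below are constructed for the example.
Only the IPv4 INPUT chain is examined.
"""
import re
from dataclasses import dataclass
from typing import Optional

INPUT_RULE_RE = re.compile(r"^-A INPUT\b(?P<args>.*)$")
OPTION_RE = {
    "proto": re.compile(r"(?:^|\s)-p\s+(\S+)"),
    "dport": re.compile(r"--dport\s+(\d+)"),
    "source": re.compile(r"(?:^|\s)-s\s+(\S+)"),
    "target": re.compile(r"(?:^|\s)-j\s+(\S+)"),
    "iface": re.compile(r"(?:^|\s)-i\s+(\S+)"),
    "state": re.compile(r"--state\s+(\S+)"),
}


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None when the rule does not match on a port
    source: str             # "any" or the CIDR given with -s
    target: str             # ACCEPT, DROP, REJECT, ...


def parse_input_chain(text: str):
    """Return (INPUT default policy, [Rule, ...]) from iptables-save output."""
    policy = None
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        m = INPUT_RULE_RE.match(line)
        if not m:
            continue
        args = m.group("args")

        def opt(name, default=None):
            hit = OPTION_RE[name].search(args)
            return hit.group(1) if hit else default

        # Loopback and return-traffic rules do not expose a service.
        if opt("iface") == "lo" or opt("state"):
            continue
        dport = opt("dport")
        rules.append(Rule(proto=opt("proto", "any"),
                          dport=int(dport) if dport else None,
                          source=opt("source", "any"),
                          target=opt("target", "?")))
    return policy, rules


def audit(text: str, needed: set) -> list:
    """needed: set of (proto, port) tuples the business actually requires."""
    policy, rules = parse_input_chain(text)
    findings = []
    if policy != "DROP":
        findings.append(f"INPUT default policy is {policy}, expected DROP")
    for r in rules:
        if r.target != "ACCEPT":
            continue
        scope = "from anywhere" if r.source == "any" else f"from {r.source}"
        if r.dport is None:
            findings.append(f"catch-all ACCEPT (proto {r.proto}) {scope}")
        elif (r.proto, r.dport) not in needed:
            findings.append(f"unnecessary service {r.proto}/{r.dport} accepted {scope}")
    return findings


# Constructed rule set: telnet, SNMP and an internal-only RDP rule are exposed.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
COMMIT
"""
NEEDED_SERVICES = {("tcp", 22), ("tcp", 443)}   # constructed allowlist

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, NEEDED_SERVICES):
        print("FINDING:", finding)
```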

Strategies for Risk Managers
Network security and privacy risk management:
- People: vigilant employees, board-level commitment to security and privacy issues, a network security and privacy team in place and active
- Processes:
  - Network asset policies in place: network security, privacy, document retention and acceptable use policies
  - Legal vetting process for contracts and compliance
  - Incident response and business continuity plans
- Technology: basic network security controls that meet industry standards, including monitoring/log review, DMZ zones, firewalls, intrusion detection systems, anti-virus/spam/spyware software (updated daily), VPN/remote access authentication, vulnerability scans, backup, hot-site, etc.
- Vendor contract requirements: definitions, warranties/duties, monitoring and enforcement, incident response/reporting, indemnification/insurance requirements
- Insurance

Basic Questions Regarding Data Risk
- How does the organization identify critical or sensitive information assets and risks to those assets?
- Is the frequency and scope of the risk evaluation and compliance audits sufficient to take evolving threats into account?
- Are risks to critical or sensitive information assets managed in a similar fashion to other key business risks?
- What is the structure, activities, and decision-making process relating to network / data risk management?
- What are the due diligence and financial responsibility (insurance) requirements for other companies that connect to your network or provide outsourced services?

Review information and documentation and determine applicable laws
- Personally identifiable information: what is it, where is it, and in which form?
- Which company policies and procedures and agreements have provisions relating to privacy and confidentiality?
- Determine which laws apply and what the requirements are (e.g., policies and procedures and agreements)
- Sometimes, policies and procedures are advisable, though not required by law
- Which federal, state and other laws apply?

Be prepared
- Prepare policies and procedures and ensure they are consistent and integrated with company policies and procedures
- Devise a roadmap of what to do in the event of a possible breach
- Consider handling of investigations
- How should a company respond internally and externally to media, employees and others about breach circumstances and status?

SEC guidance on cybersecurity and cyber incident disclosure
Securities and Exchange Commission (SEC) guidance about public company disclosure of cybersecurity risks and cyber incidents:
- not a rule, regulation or statement of the SEC
- no disclosure requirement specifically refers to cybersecurity risks and cyber incidents
- certain disclosure obligations may require discussion of cybersecurity risks and cyber incidents

SEC guidance on cybersecurity and cyber incident disclosure (continued)
- Risk factors (if among the most significant factors that make an investment in the company speculative or risky), for example:
  - aspects of the company's business that give rise to material cybersecurity risks, and the potential costs and consequences
  - description of material cyber incidents experienced by the company, and the costs and other consequences

SEC guidance on cybersecurity and cyber incident disclosure (continued)
- Management's discussion and analysis of financial condition and results of operations
- Description of business (if it materially affects its products, services, relationships with customers or suppliers, or competitive conditions)
- Legal proceedings (where the company is a party to a material pending legal proceeding that involves a cyber incident)
- Disclosure controls and procedures (where the incident poses a risk to the company's ability to record, process, summarize and report information required to be disclosed in SEC filings)
- Financial statement disclosure

Privacy developments
- Federal Trade Commission final privacy report
- Obama administration consumer privacy framework
- Federal HIPAA / HITECH Act rule modifications
- Cybersecurity legislation
- Federal and state enforcement actions

Data Breach Preparation Checklist
- How is the incident reported and documented?
- Do you know who you are going to call?
  - Internal response team
  - External response team
  - Breach Counsel / Coach: first call
- Process for determining compliance requirements
  - Understanding of specific laws
  - When / how to engage law enforcement
  - Timeline obligations
- Breach Quarterback
- External breach response team in place?
  - Breach Counsel / Coach
  - Forensic investigator
  - Notification letters / call center
  - Credit / identity monitoring
  - Consumer fraud protection: reporting agencies, banks

Network & Privacy Risk Management Summary
- Network & privacy risk should be part of an enterprise-wide risk management strategy which includes employee training and network security related policies and procedures
- Strive for more/better communication between the IT department, risk management and other senior-level management
- Evaluate business activities and operations that are performed electronically or that involve sensitive information (PII / PHI)
- Evaluate the financial impact should these activities or operations be negatively impacted by a network-related event
- Determine the best approach to mitigating digital risks: loss control (assessments / technology), contract language, risk retention and/or transfer to an insurance product

Issues With Traditional Insurance
- Bodily injury / property damage triggers: direct physical loss or damage
  - Data is not tangible property
- Do not address theft or disclosure of third party information
- Intentional acts exclusions
- Do not address breach response / crisis management costs
- Contingent / service provider risks (from external hosting, etc.)
- Crime policies require intent to cause harm; they only cover money, securities and tangible property
- Territory restrictions

Network and Privacy Risk Policies: Property and Business Income Loss
- Property (data asset coverage)
  - Direct financial loss arising out of the damage, destruction, corruption or theft of electronic data due to a network security event
  - Data restoration coverage typically includes the cost to restore, replace or recreate the data
- Business income / extra expense
  - Coverage for loss of earnings (online and offline)
  - Extra expense covers the actual costs incurred to minimize the suspension of business and continue operations until normal network operations are restored

Network & Privacy Risk Policies: Crisis Management
- Public relations expenses: coverage provided for the actual and necessary costs you incur to plan and execute a public relations campaign in order to protect or restore your professional reputation following a security breach
- Consumer notification expenses: coverage provided for the actual and necessary costs you incur to notify consumers if their personal identity information was compromised, as required by law
- Credit / identity monitoring / restoration: coverage provided for the actual and necessary costs you incur to provide credit or identity monitoring and restoration services. Not typically required by law but generally offered in conjunction with the notification.
- Investigative / forensic expenses: coverage provided for the necessary expenses incurred to investigate a network security incident for the purposes of preventing or mitigating resulting damage, making a determination of coverage and preserving critical forensic evidence

Network and Privacy Risk Policies: Additional Coverage
- Cyber extortion
  - Involves a threat made against an insured to damage their computer system (i.e. by introducing a virus) or to divulge, disseminate or utilize their electronic information assets without authorization
  - Coverage includes necessary expenses to investigate and settle the threat, including payment of extortion monies
- Regulatory claim expenses
  - Covers the defense (and in some cases fines and penalties) of regulatory actions by governmental agencies against the insured for alleged violations of privacy regulations/laws

Network and Privacy Risk Policies: Network Security and Privacy Liability
- Provides for damages and defense expenses arising out of a covered claim due to a network security or privacy event
- Includes downstream liability of the insured for transmission of a computer virus or their participation in promulgating an attack against a third party
- Includes coverage for the insured's liability for:
  - Damage to, theft of or destruction of data
  - Prevention or hindrance of access to the insured network for those otherwise authorized to access it

Network and Privacy Risk Policies: Digital Content and IP Infringement Liability
- Provides coverage for electronic infringement of copyright, trademark, service mark, trade name, trade dress, title, slogan, etc.
- Defamation or other tort related to the disparagement of, or harm to the reputation or character of, any person or organization.
- Misappropriation, plagiarism, or unauthorized use of ideas, material, titles, literary or artistic formats, or style, or performances in connection with advertising.

Who is buying Network Security & Privacy Insurance?
- Financial institutions: banks, insurers, investment, other financial services
- Technology: service providers; combining E&O / cyber
- Healthcare: MCOs, TPAs, hospitals, physicians, insurers
- Retail/Hospitality: PII / privacy the key issue
- Manufacturing/Wholesale/Distribution: supply chain management
- Public entities: availability and privacy are the key issues
- Universities: liability to alumni/endowment
- Media/Telecom: combining E&O and cyber
How much does it cost?
- 3rd party liability only: $1,000-$25,000 per million of (liability) limit (depending on size)
- Adding 1st party coverage adds approximately 10-20% in premium.

Why You Must Take Action
- Network security & privacy risks represent significant civil liability and regulatory exposures, as well as exposures arising from direct losses to data and network assets.
- Reputation loss is a significant danger to your business.
- New privacy laws are increasing your need to be pro-active and are causing security breaches to be made more public, leading to significant direct costs and liability claims (class action suits).
- GL, Property, Crime and E&O continue to come up short on coverage. ISO GL 2001 & 2004 are explicit about data being intangible property; 2004 excludes damage to electronic data.
- Network Security & Privacy Insurance has broadened considerably due to maturity in the marketplace: privacy, programming E&O, short waiting periods on business interruption, breach counsel / notification / credit monitoring / forensic costs, regulatory expense including fines / penalties.
- DATA BREACHES ARE INEVITABLE, and losses are being paid by underwriters.

Questions?

Anne De Vries
Managing Director, Digital Risk Managers (a division of Wells Fargo Special Risks, Inc.)
P: (503) 968-5777
anne.devries@drisk.com
www.drisk.com

Melissa J. Krasnow
Partner, Dorsey & Whitney LLP
P: (612) 492-6106
krasnow.melissa@dorsey.com
http://www.dorsey.com/krasnow_melissa/

Ryan Wakeham
Director of Assessment Services, NetSPI
P: (612) 455-6977
Ryan.Wakeham@netspi.com
www.netspi.com

Mario Paez
Vice President, Professional Risk Group, Wells Fargo Insurance Services
P: (952) 826-9738
Mario.Paez@wellsfargo.com
wfis.wellsfargo.com