2015 PIAA Corporate Counsel Workshop, October 22-23, 2015: Considerations in Cyber Liability Coverage



Slide 1: Title slide
Considerations in Cyber Liability Coverage
Presenters: Chris Reese, Vice President, Director of Underwriting; Connie Rivas, Assistant Vice President, Contracts and Legal Services

Slide 2: Overview
- Introduction
- In the News
- Regulatory Oversight
- Current Data on Breaches
- Review of Best Practices
- Current Security and Privacy Measures
- Summary of Cyber Insurance Coverage

Slide 3: A Data Breach Is Not a Disaster. Mishandling It Is.

Slide 4: Introduction: Complexity of Cyber Threats Has Grown Dramatically
- US businesses face increasingly sophisticated threats that outstrip traditional defenses
- The economics of cybersecurity favor the attackers
- Reputational harm is significant
- Competing pressures within organizations:
  - Deploy IT resources to risk mitigation
  - Deploy IT resources to advance the business technologies required to service customers and compete

Slide 5: What Is a Breach?
- A breach is defined as an event in which an individual's name plus Social Security Number (SSN), driver's license number, medical record, or financial record/credit/debit card number is potentially put at risk
- Paper or electronic
- Potential security threats:
  - Compromises the integrity, security or confidentiality of information
  - Circumstances where a data breach may have happened or could happen in the future (e.g. a lost flash drive containing PII)

Slide 6: In the News
In 2013 and 2014, the Identity Theft Resource Center (ITRC) documented nearly 1,400 data breaches in the US (www.idtheftcenter.org), including:
- Target: 110,000,000 records compromised
- Anthem: 78,800,000 records compromised (source: USA Today, April 14, 2015, www.usatoday.com/news)
- Home Depot: 56,000,000 records compromised
- Excellus Blue Cross Blue Shield: 10,000,000 records compromised (source: Privacy Rights Clearinghouse, http://www.privacyrights.org)
- IRS: 1,400,000 records compromised
- Saint Joseph Health System: 405,000 records compromised
- University of Maryland: 309,079 records compromised

Slide 7: In the News (cont.)
In 2013 and 2014, the Identity Theft Resource Center (ITRC) documented nearly 1,400 data breaches in the US (www.idtheftcenter.org), including:
- Touchstone Medical Imaging (TN): 307,528 records compromised
- Sutherland Healthcare Solutions: 168,500 records compromised
- Indiana University: 146,000 records compromised
- Orthopedic Specialty Institute (AL) / Iron Mountain: 49,714 records compromised
- Office of Nisar Quraishi (NY): 20,000 records compromised
- Office of Dennis Flynn, M.D. (IL): 13,646 records compromised

Slide 8: Regulatory Oversight: Privacy and Cyber
- Gramm-Leach-Bliley Act: federal law passed in 1999
- Oversight of insurance companies is delegated to state insurance authorities to enforce
- If a state insurance authority fails to adopt regulations, the state is not eligible to override federal oversight
- The NAIC (National Association of Insurance Commissioners) published a model law for individual states to adopt. States took the following actions:
  - Adopted the model law in a substantially similar manner
  - Related state activity: have not adopted the current model but have an earlier version of the model or legislation derived from other sources
  - No current activity: includes states that have repealed legislation or never adopted legislation
Source: National Association of Insurance Commissioners, 2015, http://www.naic.org

Slide 9: Regulatory Oversight: Privacy and Cyber
The NAIC (National Association of Insurance Commissioners) has adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance:
- State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insureds is protected from cybersecurity risks
- Confidential and/or personally identifiable financial information should be appropriately safeguarded
- State insurance regulators have a responsibility to protect information inside/outside of an insurance department or at the NAIC
- Cybersecurity regulatory guidance for insureds must be flexible, scalable, proactive, and consistent with nationally recognized efforts such as the NIST framework
- Regulatory guidance must be risk based and must consider the resources of the insurer, with the caveat of a minimum set of cybersecurity standards
- State insurance regulators should provide appropriate regulatory oversight, which includes but is not limited to conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity
Source: National Association of Insurance Commissioners, 2015, http://www.naic.org

Slide 10: Regulatory Oversight: Privacy and Cyber (continued)
NAIC Principles for Effective Cybersecurity Insurance Regulatory Guidance (continued):
- Planning for incident response is an essential component of an effective cybersecurity program
- Insurers should take appropriate steps to ensure that third parties and service providers have controls in place to protect PII
- Cybersecurity risks should be incorporated into and be part of an enterprise risk management process; this transcends the IT department
- IT internal audit findings that present a material risk to an insurer should be reviewed with the board of directors or an appropriate committee thereof
- It is essential to use an information sharing and analysis organization (ISAO) to share information and stay informed of emerging threats, as well as physical threat intelligence sharing
- Periodic and timely training, paired with an assessment, for employees regarding cybersecurity issues is essential
Source: National Association of Insurance Commissioners, 2015, http://www.naic.org

Slide 11: Regulatory Oversight: Privacy and Cyber (continued)
NIST (National Institute of Standards and Technology):
- Federal government framework for standards; a benchmark
- Standards, methodologies, procedures and processes that align policy, business and technology issues to address cyber risks
Source: National Association of Insurance Commissioners, 2015, http://www.naic.org

Slide 12: NAIC Cybersecurity Bill of Rights
Presented for Court July 2015; final version, not yet approved.

Slide 13: Cybersecurity Bill of Rights
As an insurance consumer, you generally have the right to:
1. Know what type of personally identifiable information is being collected and how long that personally identifiable information is kept by an insurer.
2. Expect that an insurer is adequately protecting the personally identifiable information from disclosure to unauthorized persons.
3. Receive notice from an insurer if your personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person and could result in identity theft or fraud to you.
4. Receive notice from an insurer, insurance producer, or other state regulated entity in the event of a data breach.

Slide 14: Cybersecurity Bill of Rights (continued)
5. Receive notification from health insurers regarding a data breach of protected health information that is held by a health plan, under federal HIPAA laws.
6. Receive from an insurer information on any relevant payment card/bank account number breach, if the breach involves the payment card/bank account numbers.
7. Receive notice from an insurer in the event of a data breach of its security system maintained by a third-party service provider that has been contracted to maintain, store, or process personally identifiable information in electronic or paper form.
8. Receive a general description of the actions taken by the insurer to restore the security and confidentiality of the personally identifiable information involved in a data breach.
9. Receive a minimum of two years of identity theft protection from the insurer, insurance producer, or other state regulated entity in the event of a data breach.

Slide 15: Cybersecurity Bill of Rights (continued)
10. Receive a summary of the rights of victims of identity theft prepared under the Fair Credit Reporting Act (http://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0111-fair-credit-reporting-act.pdf) in the event of a data breach that involves personally identifiable information. Your rights under the Fair Credit Reporting Act include:
- The right to ask the three nationwide consumer reporting agencies to place fraud alerts in your file to let potential creditors and others know that you may be a victim of identity theft.
  - An initial fraud alert remains in your file for at least 90 days.
  - An extended fraud alert remains in your file for seven years.
- The right to obtain free copies of your credit report.
  - An initial fraud alert entitles you to a copy of all information in your file from each of the three nationwide consumer reporting agencies: Equifax, Experian, and TransUnion.

Slide 16: Cybersecurity Bill of Rights (continued)
11. Request all three nationwide consumer reporting agencies to place a security freeze on your credit report (http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs). A security freeze will limit the consumer reporting agency from releasing your credit report or any information from your credit report without your authorization.
12. Receive an insurer's, insurance producer's, or other regulated entity's privacy policy regarding the data they collect on you. The regulated entity should provide a clear and conspicuous notice to you that accurately reflects its privacy policies and practices on an annual basis.
Note: Your specific data rights are based on and subject to state and federal law. For more details regarding protections in your state, contact your state insurance department. The contact information can be found on the NAIC's web page, http://www.naic.org/state_web_map.htm.

Slide 17: Number of Breaches Is on the Rise
- The Identity Theft Resource Center (ITRC) documented 783 U.S. data breaches in 2014, representing a 27.5% increase over the number of breaches reported in 2013*
- Hacking incidents represented the leading cause of data breach incidents, accounting for 29% of the breaches tracked by the ITRC
- This was followed, for the second year in a row, by breaches involving a subcontractor/third party at 15.1%
* http://www.idtheftcenter.org/itrc-surveys-studies/2014databreaches.html

Slide 18: 2014 Cyber Claims Study
- PII was the most frequently exposed data (41% of breaches), followed by PHI (21%) and PCI (19%)
- Hackers were the most frequent cause of loss (30%), followed by staff mistakes (14%)
- Healthcare was the sector most frequently breached (23%), followed closely by financial services (22%)
- Small revenue ($300M-$2B), micro revenue ($50M-$300M) and nano revenue (<$50M) companies experienced the most incidents (25%, 24% and 23% respectively)
Source: NetDiligence 2014 Cyber Claims Study, http://www.netdiligence.com/netdiligence_2014cyberclaimsstudy.pdf

Slide 19: 2014 Cyber Claims Study
- Third parties accounted for 20% of the claims submitted
- There was insider involvement in 32% of the claims submitted
- The median number of records lost was 3,500; the average number of records lost was 2.4 million
- Non-zero claim payouts in this year's study ranged from $600 to almost $6.5 million; typical claims, however, ranged from $30,000 to $400,000
Source: NetDiligence 2014 Cyber Claims Study, http://www.netdiligence.com/netdiligence_2014cyberclaimsstudy.pdf

Slide 20: 2014 Cyber Claims Study
- Median claim payout was $144,000; average claim payout was $733,109 (healthcare sector: $1.3 million)
- Median per-record cost was $19.84; average per-record cost was $956.21
- Median cost for crisis services (forensics, notification, legal guidance and miscellaneous other) was $110,594; average cost for crisis services was $366,484
- Median cost for legal defense was $283,300; average cost for legal defense was $698,797
- Median cost for legal settlement was $150,000; average cost for legal settlement was $558,520
Source: NetDiligence 2014 Cyber Claims Study, http://www.netdiligence.com/netdiligence_2014cyberclaimsstudy.pdf

Slide 21: MISSION: CRITICAL
- Highly valuable information to cyber criminals
(Figure: Cyber Threat Map)

Slide 22: Economic Motivation
- An estimated 95% of attacks are economically motivated
- Attempting to steal data:
  - Corporate trade secrets, client lists
  - Personal information on insureds (name/address/SSN/banking info)
  - Employee records
  - Insurance company financial assets (cyber crime)

Slide 23: Advanced Persistent Threats (High-End Attacks)
- Ultra-sophisticated teams of cyber criminals
- Deploy increasingly targeted malware in multi-staged stealth attacks
- Goal: penetrate all of the perimeter defense systems
- Intruders look at multiple avenues to exploit all layers of security vulnerabilities until they reach their goal
- Cyber security field consensus: criminals are ahead of the corporations that need to defend themselves

Slide 24: Vulnerability Is Not Limited to External Threats (Low-End Attacks)
- Employees: poorly trained, not following required protocols, disgruntled
- Subcontractors and independent contractors
- BYOD (bring your own device)
- Any party that the company connects to electronically creates a vulnerability: vendor and partner management

Slide 25: Balance Risk Management and Use of New Technology
- Mobile technology, cloud computing and smart devices need appropriate risk management to minimize risk

Slide 26: Four Basic Security Controls
- Restricting user installation of applications ("whitelisting")
- Ensuring that the operating system is patched with current updates
- Ensuring software applications have current updates
- Restricting administrative privileges
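As an added illustration, not part of the presentation, the following script turns the four controls above into checks a security team can run over its own asset inventory and roll up into a per-control gap count. The inventory format, field names, sample hosts and the 30-day patch-age thresholds are assumptions chosen for the example.

```python
"""Audit a host inventory against four basic security controls:
application allowlisting, OS patching, application patching, and
restricted administrative privileges.

Constructed example: the inventory schema, thresholds and sample hosts
are assumptions, not data from the presentation or any real product.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy thresholds: a patch older than this counts as "not current".
MAX_OS_PATCH_AGE_DAYS = 30
MAX_APP_PATCH_AGE_DAYS = 30
# Roles permitted to hold local administrative rights (assumption).
ADMIN_ROLES = {"it_admin"}

CONTROLS = ("application allowlisting", "OS patching",
            "application patching", "administrative privileges")


@dataclass
class Account:
    user: str
    role: str
    is_admin: bool


@dataclass
class Host:
    name: str
    allowlisting_enforced: bool
    os_last_patched: date
    apps_last_patched: dict          # application name -> date of last update
    accounts: list = field(default_factory=list)


def evaluate_host(host: Host, today: date) -> list:
    """Return the names of the controls this host fails (empty list = all pass)."""
    failures = []
    if not host.allowlisting_enforced:
        failures.append("application allowlisting")
    if (today - host.os_last_patched).days > MAX_OS_PATCH_AGE_DAYS:
        failures.append("OS patching")
    # Any single stale application is enough to fail the control.
    if any((today - patched).days > MAX_APP_PATCH_AGE_DAYS
           for patched in host.apps_last_patched.values()):
        failures.append("application patching")
    # Admin rights held by anyone outside an admin role breaks least privilege.
    if any(a.is_admin and a.role not in ADMIN_ROLES for a in host.accounts):
        failures.append("administrative privileges")
    return failures


def summarize(hosts, today: date) -> dict:
    """Count, per control, how many hosts fail it."""
    counts = {c: 0 for c in CONTROLS}
    for h in hosts:
        for f in evaluate_host(h, today):
            counts[f] += 1
    return counts


# Constructed sample inventory, dated to the workshop.
TODAY = date(2015, 10, 22)
INVENTORY = [
    Host("claims-ws-01", True, date(2015, 10, 10),
         {"browser": date(2015, 10, 12), "pdf-reader": date(2015, 9, 1)},
         [Account("jdoe", "adjuster", False), Account("itops", "it_admin", True)]),
    Host("uw-ws-07", False, date(2015, 7, 15),
         {"browser": date(2015, 10, 1)},
         [Account("asmith", "underwriter", True)]),
    Host("legal-lt-03", True, date(2015, 10, 20),
         {"browser": date(2015, 10, 20), "office": date(2015, 10, 15)},
         [Account("crivas", "counsel", False)]),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h.name, evaluate_host(h, TODAY) or "all four controls pass")
    print(summarize(INVENTORY, TODAY))
```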

Slide 27: 5 Steps Corporate Boards Should Consider to Enhance Oversight of Corporate Risks
1. Cyber security is an enterprise-wide risk management issue, not just IT
2. Directors are responsible for understanding the legal risks of cyber security
3. Boards should be adequately informed of cyber security risk / risk management: the entire board, not just the audit committee
4. Directors and management work together to have an adequate enterprise-wide risk management plan/budget
5. Board/management discussions include identification of risk and agreement regarding avoidance, mitigation, acceptance and transfer, including plans for each
Source: Cyber Risk Oversight, Director's Handbook Series, 2014. NACD (National Association of Corporate Directors), https://www.nacdonline.org/resources/article.cfm?itemnumber=10688

Slide 28: Boards Should Be Adequately Informed of Cyber Security Risks / Risk Management
- Schedule educational sessions
- Participate in company privacy training
- Consider whether the company should have a cyber and/or IT expert serve on the board
- Regular reporting to the board by company management on cyber risk, security and incidents; quarterly
Source: Cyber Risk Oversight, Director's Handbook Series, 2014. NACD, https://www.nacdonline.org/resources/article.cfm?itemnumber=10688

Slide 29: Compliance Basics
- Assign ultimate privacy and data security responsibility to one person
- Prepare for data security incidents (additional resources provided)
- Determine where personal information is stored (additional resources provided)
- Conduct a risk assessment

Slide 30: Compliance Basics (continued)
- Mitigate against identified risks
- Control your vendors and business partners
- Implement a continuous workforce training and awareness program
- Review and update procedures

Slide 31: Manage Breach
- Responding to an incident
- Immediate response
- Breach notification requirements
- Report data breach

Slide 32: A Simplified View: Data Breach Insurance Response
- Evaluation of the data breach:
  - Discovery of a data breach
  - Forensic investigation and legal review
- Managing the short-term crisis:
  - Notification and credit monitoring
  - Public relations
- Handling the long-term consequences:
  - Class action lawsuits
  - Regulatory fines, penalties, and consumer redress
  - Reputational damage
  - Income loss

Slide 33: Costs of a Data Breach
"Our results show that the cost to respond to a data breach is usually between $10 and $30 per record for breach response services that include some legal expenses, patient notification letters, call center support, and credit monitoring services. (Keep in mind this number is an average. Costs can exceed $30 a record in some cases. IT costs, legal fees, and government fines are additional costs.)"

Slide 34: Coverage Considerations
- Balance sheet protection: consider when setting the limits of insurance
- Resource allocation: competing IT demands; insurance = risk transfer
- Risk tolerance level: "sleep at night"

Slide 35: Available Insurance Coverage
- Multimedia Liability: coverage for third-party claims alleging copyright/trademark infringement, libel/slander, advertising, plagiarism, and personal injury. Covers both online and offline media.
- Security & Privacy Liability: coverage for third-party claims alleging liability resulting from a security or privacy breach, including the failure to safeguard online or offline information, or the failure to prevent virus attacks, denial of service attacks or the transmission of malicious code.

Slide 36: Available Insurance Coverage (continued)
- Privacy Regulatory Defense & Penalties: coverage for defense costs and fines/penalties incurred in defending against regulatory investigations of privacy or security breaches.
- Privacy Breach Response Costs, Customer Notification Expenses and Customer Support and Credit Monitoring Expenses: coverage includes all reasonable legal, public relations, advertising, IT forensic, call center, credit monitoring and postage expenses incurred by the insured in response to a privacy breach.

Slide 37: Available Insurance Coverage (continued)
- BrandGuard: coverage for lost revenue directly resulting from an adverse media report and/or notification to customers of a security or privacy breach.
- Network Asset Protection: coverage for amounts incurred to recover and/or replace data that is compromised, damaged, lost, erased or corrupted due to accidental damage or destruction of electronic media or computer hardware, administrative or operational mistakes in the handling of electronic data, or computer crime/attacks. Coverage also extends to business income loss and interruption expenses incurred as a result of a total or partial interruption of the insured's computer system directly caused by any of the above events.

Slide 38: Available Insurance Coverage (continued)
- Cyber Extortion: covers extortion expenses incurred, and extortion monies paid, as a direct result of a credible cyber extortion threat.
- Cyber Terrorism: coverage for income loss and business interruption expenses directly resulting from a total or partial interruption, degradation in service or failure of the insured's computer system due to a cyber terrorism attack.

Slide 39: Possible Uninsured Exposures
- Intentional violation of law damages
- Prior act exposures: check the retroactive date
- Wear/tear/gradual deterioration
- Representations made regarding maintaining a certain level of cyber security
- Damage to data resulting from a natural event (may not be covered by property insurance either)
- Loss resulting from power outages
- Use of programs that are unlicensed or not operational

Slide 40: Coverage Features (New)
- Cyber Crime
- PCI Coverage
- Cyber Terrorism
- Voluntary Notification Cost
- Pre-Breach Cost

Slide 41: Fair Use Disclaimer
FAIR USE DISCLAIMER: The following presentation contains copyrighted materials the use of which has not always been specifically authorized by the copyright owner. We are making the information available for education, news reporting, research, teaching and discussion purposes and to advance awareness and understanding of issues relating to personally identifiable information and associated risks. We believe this constitutes fair use of any such copyrighted material as provided for under the Fair Use exemptions of Title 17 U.S.C. Section 107 of the U.S. Copyright Law. Further use is prohibited. If you wish to use copyrighted material from this presentation for purposes of your own that go beyond fair use, you must obtain permission from the copyright owner.

Slide 42: Copyrighted Materials List
- Pages 6 & 7, Identity Theft Resource Center Data Breach. Source: Identity Theft Resource Center (ITRC), www.idtheftcenter.org
- Page 6, Anthem Breach. Source: USA Today, April 14, 2015, www.usatoday.com/news
- Page 6, Excellus Blue Cross Blue Shield. Source: Privacy Rights Clearinghouse, www.privacyrights.org
- Pages 8-11, Regulatory Oversight: Privacy and Cyber. Source: National Association of Insurance Commissioners, www.naic.org
- Pages 12-16, Cybersecurity Bill of Rights. Source: National Association of Insurance Commissioners, www.naic.org/state_web_map.htm
- Page 17, ITRC Data Breaches. Source: Identity Theft Resource Center (ITRC), www.idtheftcenter.org/itrc-surveys-studies/2014databreaches.html
- Pages 18-20, 2014 Cyber Claims Study. Source: NetDiligence, www.netdiligence.com/netdiligence_2014cyberclaimsstudy.pdf
- Page 21, $50 Million Class Action Lawsuit Against Long Island Health System. Source: Modern Healthcare, Feb. 2013, www.modernhealthcare.com/article/20130212/news/302129848
- Page 21, $400,000 Penalty in HIPAA Case. Source: Government Information Security, May 2013, www.databreachtoday.com/400000-penalty-in-hipaa-case-a-5782
- Page 21, Three laptops stolen from New York podiatry office. Source: Sims and Associates Podiatry, Important Security and Protection Notification, April 2014, www.scmagazine.com/three-laptops-stolen-from-new-york-podiatry-office-6475-atrisk/article/343644/
- Page 28, 5 Steps Corporate Boards Should Consider to Enhance Oversight of Corporate Risks. Source: Cyber Risk Oversight, Director's Handbook Series, 2014. NACD (National Association of Corporate Directors), www.nacdonline.org/resources/article.cfm?itemnumber=10688
- Page 29, Boards Should Be Adequately Informed of Cyber Security Risks / Risk Management. Source: Cyber Risk Oversight, Director's Handbook Series, 2014. NACD (National Association of Corporate Directors), www.nacdonline.org/resources/article.cfm?itemnumber=10688

Slide 43: NAS Insurance: Thank You
Chris Reese, Vice President, Director of Underwriting
Connie Rivas, Assistant Vice President, Contracts and Legal Services
www.nasinsurance.com