How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised




ACE USA Podcast
Released June 24, 2010

How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised

Moderator: Richard Tallo, Senior Vice President, ACE North America Marketing & Communications, ACE USA
Panelists: Toby Merrill, Vice President, ACE Professional Risk, ACE USA; John Mullen, Attorney, Nelson, Levine, DeLuca & Horst; Mark Greisiger, President, NetDiligence

Richard Tallo: Hello, I'm Richard Tallo, of North America Communications, at the Philadelphia headquarters of the ACE Group of Companies. Welcome back to the second of two podcasts ACE has produced to discuss how companies can learn how to prepare for, and deal with, data breaches. In our first broadcast ("Preparing for the Inevitable Data Breach: What to Do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised"), we discussed the steps that organizations and their risk managers need to take in order to put together an effective crisis response plan. To briefly recap, these steps were:

- Naming a specific senior manager to take charge following a breach;
- Identifying computer forensic specialists before the event, to determine what has been compromised in a manner that preserves the chain of custody and other stakeholders;
- Structuring proper service provider contracts;
- Pre-negotiating notification, call center and credit monitoring services; and
- Looking into privacy liability insurance.

Today, we'll move beyond crisis management planning and look at how companies can respond following the breach of sensitive consumer or employee information. Once again, I'm joined by: Toby Merrill, National Privacy Product Manager for ACE USA; John Mullen, a partner with the law firm of Nelson, Levine, DeLuca & Horst; and finally, Mark Greisiger, President of NetDiligence, a data privacy and security firm.

I'd like to start today's discussion by asking Toby how he would handle the following scenario: It's Monday morning at 10 a.m., and a major credit card company has just alerted you that they noticed a suspicious pattern of charges they suspect was caused by a serious breach at their company. Can you tell us what should occur in the first hour after that phone call?

Toby Merrill: Well, Rich, hopefully management has already put in place an incident response plan in advance of the breach, outlining who inside and outside of the organization needs to be involved and what steps need to be taken. In either case, the company needs to first assemble a crisis response team to determine exactly what happened and begin delegating responsibilities. At the very least, the first action items need to include:

- Engaging a forensics team to determine the extent of the breach, including the number of records affected and the type of information that has been exposed.
- Assessing the severity of the breach as early as possible to determine the best course of action. For example, a breach of 10 or 20 credit cards should be classified very differently than a breach of a few thousand social security numbers.

Richard Tallo: What are action steps for the next phase?

Toby Merrill: Engaging a legal firm to counsel senior management on the organization's legal obligations around a number of issues, such as state notification requirements and litigation holds. Spending a few thousand dollars on legal counsel up front can potentially save the organization millions in defense costs on the back end. Then, depending on the severity of the breach, the organization should bring in crisis management consultants to review the situation and to advise on the best means of communication with the public, should it be required or recommended.

Richard Tallo: Thanks, Toby. Mark, why are computer forensics so critically important at this stage?

Mark Greisiger: First, it is critically important that you get a snapshot of the security breach event. You will need to determine what internal computer servers have been impacted by this event, when and where the attack occurred, and what prudent controls were in place at the time of the incident.

Next, you are going to need to identify the individuals who could have potentially been affected by this event. Computer server logs should be reviewed to verify important information, such as:

- How the company's servers were accessed, as well as when and how often this illegal access occurred;
- Whether the culprit actually accessed the customer's information and employee data;
- What type of data was accessed and when; and
- Where the victims physically resided, to determine the proper course for notification.

Another key point is, depending on the applicable state notification laws, a company may not be legally required to notify customers or employees whose sensitive information has been compromised. Many companies that have not properly examined the nature of a breach before disclosing have found that they may have disclosed a little bit too soon. This past year, I worked with several clients that experienced a real-life data breach event impacting their customer data. And in many of these instances, they found they did not have a duty to notify because either the data impacted was limited (for example, no public identifiable information was impacted, such as a combined name with social security number) or the data was encrypted and thus the laws of Safe Harbor may apply.

Richard Tallo: Thanks, Mark. John, can you discuss the key ingredients of an effective media message? And how should the news that sensitive consumer data has been compromised be communicated to both affected customers and the public?

John Mullen: Rich, ideally a simple, clear company statement by a senior executive should include the key facts of the incident that are known at that time, what is being done to address the breach, and in what timeframe, and it should conclude with confirming that appropriate steps are being taken actively. It's always best to tell your story up front, stressing open communication within the organization and making yourself available for participation in news stories as appropriate, taking care to work with trusted media sources.

Richard Tallo: Thanks, John. Are there other best practices to consider when communicating to key audiences?

John Mullen: Yes, they include the following:

- Keeping to the basic facts of the breach and not overstating the facts;
- Showing empathy and concern for the affected individuals;
- Reassuring key audiences and stakeholders that the response to the privacy breach is being handled properly and that assistance is being offered to those affected; and
- Finally, accepting responsibility for the incident while taking care not to admit negligence.

Richard Tallo: That's important. Thanks, John. Mark, is it always necessary to provide credit monitoring services to affected customers?

Mark Greisiger: Rich, it depends on the situation. A lost laptop with encrypted data is much different than a hacking attack where compromised information is being used for real identity theft purposes. The most important issue is determining the type of data that has been lost. If the data compromised is medical data or credit card information, then credit monitoring services may only provide limited assistance for the customers that were affected. However, if customers' social security numbers have been compromised, which is the holy grail of data, then credit monitoring services will be an appropriate response.

Another consideration is whether there is any concrete evidence of actual fraud. A laptop that went missing for two days and was returned by a trustworthy citizen may not warrant the additional costs of credit monitoring. It is important to note that there are currently no state notification laws on the books requiring that credit monitoring be offered. This is not a mandatory offering. However, research has demonstrated that individuals who are offered free or subsidized services may perceive the company more positively and are less likely to participate in a class action lawsuit. But credit monitoring services can be expensive, which is a key reason why pre-planning is so important.

Richard Tallo: Thanks, Mark. Would you share some best practices for offering credit monitoring services?

Mark Greisiger: First, a prudent step is to offer those customers whose data has been compromised a free credit check, such as from the ftc.gov site. If a free service is not available, rates should be negotiated in advance of a data security breach event, and the company should talk to a number of different providers before making a final selection. A company should also try to find the most economical way to manage its costs. In many cases, choosing a provider that charges for redemptions only, and not on every offer made, is a better value, since we only see between 10 and 25 percent of offers redeemed. And finally, if a third-party service provider was responsible for the breach, you may be able to seek indemnity.

Richard Tallo: Toby, we've spent time focusing on best practices for companies. Can you share lessons learned from companies that have experienced data breaches?

Toby Merrill: Of course. The three biggest mistakes I have seen companies make after a breach are really related to a lack of preparation.

First, without a crisis response plan in place, the company is forced to make rash decisions due to a lack of direction and leadership. A company responding to a breach should consider its culture and reputation, and how it is perceived by its customers. Senior management needs to agree on this prior to developing an appropriate response.

Another common mistake I've seen is when companies have not taken the time to properly screen forensic, legal, and public relations as well as notification vendors prior to the breach. Not doing this may often result in a company making hasty decisions and hiring inexperienced firms or grossly overpaying for these services.

The third mistake I have seen companies make is the tendency to over-notify, as Mark mentioned earlier. In some instances there have been a number of notifications that could have been significantly reduced, and in some cases eliminated entirely, had management taken the time to hire a qualified attorney who knows the intricacies of the various privacy regulations.

Richard Tallo: Toby, are there any instances where a company may choose to notify even after they've determined they are not legally obligated to do so?

Toby Merrill: Absolutely. There are three major areas where this has been the case. First, many organizations' reputations are built on their open culture environment, such as universities. The organizations may risk more by hiding the incident than any pending litigation might bring. Second, there are a number of foreign jurisdictions, such as Canada, that have yet to pass notification legislation. [Note: Alberta has become the first province to add a data breach notification requirement into its legislation. The new measures were added into its Personal Information Protection Act (PIPA) on May 1, 2010 and are now law.] And many of the notification laws are very limited in the type of information that triggers the obligation to notify. For example, a breach of a customer's e-mail address may not trigger a notification requirement but could be used by a hacker to obtain more sensitive information. In each of these instances, the organization's decision to notify could mitigate its liability from class action considerably.

Richard Tallo: Thanks, Toby. John, can you talk about the actual financial damages suffered in the real cases that you have been involved with?

John Mullen: Of course. Incidents of data loss can be very costly for companies, especially those organizations that fail to take their legal duties seriously up front. Prior to any lawsuit being filed, there are expenses that can include notification to affected customers, call centers, and service offerings to reduce damage to the customer or employee base, litigation expense and e-discovery costs. If a customer files a lawsuit, costs will escalate.

Should there be a lawsuit, legal cases tend to fall into three basic categories. First, the Federal Trade Commission, considered the most active government authority currently policing the data loss world, can elect to pursue statutory damages based on a fines-per-record type loss situation. These can be expensive to pay and even more expensive to defend against, as anyone who has ever gone up against the government in a lawsuit knows it's very time consuming and very expensive. The second type of case is a suit related to financial institutions. Should a company lose significant amounts of data, particularly with credit card information, most banks, regardless of best practices, will replace those credit cards. However, there is a fee involved in credit card replacement; it is how many dollars per credit card to replace it. And, with lost records often in the millions, the amount claimed by financial institutions to replace those cards will be substantial. The third type of lawsuit -- and by far the most expensive and problematic -- are those that are called class actions. These are brought in the guise of customer and employee lawsuits. Class actions are generally brought in federal court, and although the industry has been relatively successful in defending against them, fighting certification of classes because they lack the requisite damages required under the law, the data breach context is tricky and that trend seems to be eroding in the courts.

Richard Tallo: Thanks, John. From our discussions, it's apparent that preparing a formal response plan is a necessity for a company. In the heat of a crisis, you don't want to be caught unprepared. As we've been discussing during this broadcast, an open and measured response can also help retain goodwill with customers and reduce the potential for legal liability down the road. I'd like to thank Toby, John and Mark for joining us today. On behalf of everyone at ACE, thanks for joining us.
NetDiligence (www.netdiligence.com) is a cyber risk assessment services company. NetDiligence also offers a unique post data breach response service called erisk Hub (www.eriskhub.com) to fully support and assist clients with their inevitable data breach crisis incident. For the past decade NetDiligence has established itself as a leader in performing due diligence cyber risk assessments on behalf of the majority of P&C insurers in the US and UK that offer cyber liability coverage. Our clients also include well-known names in banking, brokerage, mortgage, insurance, clearinghouse, and other financial service sectors.

Nelson Levine deLuca & Horst: With seven offices from New York to Denver, NLdH is devoted solely to helping build and protect the insurance industry's business practices and clients, providing comprehensive legal services in the areas of reinsurance, regulatory, complex litigation, class action, coverage, subrogation, bad faith consulting and insurance fraud. For more information, please visit the NLdH website at http://www.nldhlaw.com/.

ACE USA is the U.S.-based retail operating division of the ACE Group of Companies, headed by ACE Limited (NYSE: ACE), and is rated A+ (Superior) by A.M. Best Company and A+ (Strong) by Standard & Poor's. ACE USA, through its underwriting companies, provides insurance products and services throughout the U.S. Additional information on ACE USA and its products and services can be found at www.aceusa.com. The ACE Group of Companies provides insurance and reinsurance for a diverse group of clients around the world. Product highlights are summaries only; please see the actual policy for terms and conditions. Products may not be available in all locations and remain subject to ACE Professional Risk's underwriting criteria. The views expressed by Messrs. Merrill, Tallo, Mullen and Greisiger are their own and do not represent those of ACE USA, any of the ACE Group of Companies, Nelson Levine or NetDiligence.

The material presented in this podcast is not intended to provide legal or other expert advice as to any of the subjects mentioned but is presented for general information only. You should consult knowledgeable legal counsel or other experts as to any legal or other questions you may have. Any references to insurance are also intended for general information only. For actual terms and conditions of any insurance, please refer to the policy. Coverage may not be available in all states. Copyright 2010, the ACE Group. All rights reserved.