"IS THIS YOUR FIRM'S IDEA OF DATA PRIVACY COVERAGE?"

Disclaimer

This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided.

Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued.

Please carefully review any policy and all endorsements delivered for the precise coverage terms.

Introduction

Foundation for Privacy Fears

• Privacy is a right

• Private information has value

• Technology has created new issues concerning breaches of privacy

• Privacy breaches can have a material impact on a company’s reputation

• Courts, legislatures and regulatory agencies are engaged in addressing privacy issues

• Highly publicized security breaches are in the news

Introduction

What are Data Theft and Privacy/Security Breaches?

• An organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information.

Risks and Recent Developments
Increase in Numbers of Incidents

Industry Issues

- FTC estimates nearly 10 million victims per year
- Many victims don’t know or don’t report
- Fastest growing white collar crime in America
- Average 175 hours and $1,500 to resolve per individual
- Tremendous media exposure

Common Types of Fraud

- Current credit – credit card, debit card, phone card
- Use of name and social security number:
  - Establish new credit
  - Commit other criminal activity

Sources of Data Breach

49% lost laptop or other device (USB flash drives…)
16% third party outsourcer/vendor
9% malicious insider
9% paper records
7% lost electronic backup
5% hackers, crackers, social engineers, “phishers”
4% malicious code
2% unknown

Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC, 2007

Risks and Recent Developments
Increase in Numbers of Incidents

Data Breaches – Growing In Numbers!

Between January 2005 and February 6, 2009, 252,308,777 records containing “sensitive personal information” have been involved in security breaches!

Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, posted April 20, 2005, updated February 9, 2009, www.privacyrights.org

Risks and Recent Developments
Prominent Examples

Recent high-profile data security breaches illustrate the nature of the risk

• Heartland Payment Systems, Inc. (100 million customer credit cards/debit cards) 2008 (This had a companion D&O suit)

• Hannaford Brothers (4.2 million credit cards/debit cards) 2008

• Certegy Check Services (4.2 million customers) 2002-2007

• TJX (94 million records) 2006-2007

• Choicepoint (150,000 records) 2005

• Bank of America (1.2 million federal employees) 2005

• DSW (100,000 customers) 2005

• Lexis/Nexis (32,000 records) 2005

Sources: Computerworld, Boston Globe, Tampabay.com, ZDNet and 11Alive.com

Risks and Recent Developments
Applicable Laws

California Security Breach Information Act (2003). Since passage, 47 states and territories have passed similar laws (http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm)

The essence of these laws is the requirement that companies storing personal information must promptly notify persons whose information has been accessed by an unauthorized person

In addition to the costs of notification, these laws create potential civil liability if proper and timely notification of a data security breach is not given

Some states require notification to specific law enforcement and consumer credit reporting agencies

Risks and Recent Developments
Applicable Laws

Gramm-Leach-Bliley

Requires “financial institutions” to ensure the security and confidentiality of private financial information (includes all businesses that are “significantly engaged” in providing financial products or services)

HIPAA – Health Insurance Portability and Accountability Act

Regulations for use and disclosure of Protected Health Information, which is any information about health status, provision of health care, or payment for health care that can be linked to an individual

Covered entities are any health care related businesses that store or transmit health care data in a way regulated by HIPAA

The Security Rule of HIPAA deals specifically with Electronic Protected Health Information (EPHI).

Risks and Recent Developments
Applicable Laws

Fair Credit Reporting Act (FCRA)

Enacted to promote efficiency in the country’s banking system and to protect consumer privacy. See TRW, Inc. v. Andrews, 534 U.S. 19, 23 (2001)

Imposed obligations on three types of entities:

• Credit reporting agencies,

• Users of credit reports, and

• Furnishers of information to credit reporting agencies

Risks and Recent Developments
Applicable Laws

Fair And Accurate Credit Transaction Act (FACTA)

Amendment to FCRA

Key provisions focused on reducing exposure to identity theft and assisting consumers with credit problems

Requires truncation of credit card and social security numbers

Credit and Debit Card Receipt Clarification Act, June 3, 2008

Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions

Risks and Recent Developments
Applicable Laws

Red Flag Rule

Amendment to FCRA

Financial institutions and creditors must establish a written program to “detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts”

Creditors must develop a “Program” formalizing the steps they intend to take to prevent identity theft by May 1, 2009

Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions

Risks and Recent Developments
Hypothetical Scenario #1

• Former employee of a financial institution provides an accomplice with access to the financial institution’s secure network.
  Data includes sensitive personal information about the company’s customers and employees.
  Thief also gains access to the financial institution’s external website.

• 2 weeks later, company receives ransom note from thief

• 2 weeks later, thief hacks into company’s system causing company’s website to be down for 2 days with no ability to conduct online transactions

• Media learns of issue – widespread media attention results in cancellation and re-issuance of all client plastic cards; potentially affected members must be notified and provided with credit monitoring

• Various government agencies begin investigations

Risks and Recent Developments
Hypothetical Scenario #2

• Employee innocently opens an email supposedly from the company’s IT department.
  Email has malicious code embedded to surreptitiously control the employee’s computer.
  Outside hacker uses the employee’s computer to launch additional attacks on the company’s backend network.

• Hacker gains widespread access to company’s various databases including plastic cards

• Hacker emails company President with the customer database, containing personal confidential information, and demands $500,000 or will publish an email link to this information.

Risks and Recent Developments

Scenarios 1 and 2 result in various potential losses

First Party Losses

• Loss of Private Data
  - Notification/credit monitoring costs
  - Cost to change account numbers
  - Publicity costs
  - Business income loss
  - Data restoration expenses

• Cyber Extortion
  - Ransom payments
  - Other expenses

Third Party Losses

• Customer Suits
  - Customers alleging invasion of privacy
  - Customers or other third parties alleging financial loss

• Other Suits
  - Regulatory actions/fines or penalties

Risks and Recent Developments
Costs / Claims / Losses

First Party Losses

• Cost of $197 / record compromised, consisting of:
  • $128 lost business (lost customers/reduced orders)
  • $46 ex-post response (PR costs, credit monitoring)
  • $15 notification
  • $9 detection & escalation

Source: Ponemon Institute, LLC – “2007 Annual Study: Cost of a Data Breach”

Risks and Recent Developments
Costs / Claims / Losses

Third Party Losses (What might be pled if a suit is filed?)

• Failure to implement and maintain reasonable security procedures (Currently, actual harm and damages are hard to prove)

• Negligence (based upon regulatory/industry standards)

• Unfair, deceptive and unlawful business practices

• Invasion of the customer’s right to privacy

• Breach of fiduciary duty

• Breach of contract

• Fraud / Misrepresentation

• Multiple Class Action filings increasing

• New legal theories yet to come in pleadings

Risks and Recent Developments
Costs / Claims / Losses

Third Party Losses (What might be pled if a suit is filed?) cont.

• Loss of wages due to time taken to prove “identity theft” to MasterCard or Visa

• Expense of legal and other resources necessary to prove “identity theft” to MasterCard and Visa

• Loss of business advantage due to effect of fraudulent charges on FICO scores

• Damages claimed under applicable state privacy legislation

Where is the Insurance Coverage?

Comprehensive General Liability (CGL)?

Computer/Commercial Crime Form?

Directors and Officers Liability?

Professional Liability Policy?

Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)?

CGL: Covers liability for “Property Damage” to a third party. “Property Damage” = “physical injury to tangible property” as well as “loss of use of tangible property that is not physically injured”.

Issue: whether electronic data is covered as “physical damage to tangible property” or “loss of use of tangible property”.

Coverage B: Personal and Advertising Injury Liability

Oral and written publication, in any manner, of material that violates a person’s right to privacy.

Is the “loss” of data in electronic form on a database “oral or written publication of material”?

Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)? (cont.)

Professional Services exclusion (present on most General Liability policies) will apply if you are a financial institution: “Financial Professional Services. We won’t cover injury or damage or medical expenses that results from the performance of or failure to perform any financial professional service.”

Breach of Contract exclusion (present on most General Liability policies): “Breach of Contract. We won’t cover personal injury or advertising injury that results from the failure of any protected person to do what is required by a contract or agreement…”

Lack of Coverage in Traditional Policies
Crime?

Surety Association Computer Crime and ISO Commercial Crime policies generally exclude:

• Loss directly or indirectly from theft of confidential information

• Indirect or consequential loss of any nature

• Potential income, including but not limited to interest/dividends

Specific Financial Institution Crime Policies can include:

• E-theft loss of money or securities as a result of fraudulent electronic communications from a third party, theft of confidential customer information

• Extortion, Business Income

• No 1st party losses

• Typically written with high deductible

Lack of Coverage in Traditional Policies
Directors & Officers Liability (D&O)?

D&O:

• Possible source of coverage for third party suits

• Possible source of coverage for regulatory suits

• No First Party coverage

• Exclusions for invasion of privacy or violation of any right of privacy may preclude coverage for the Corporate Entity, or both the Corporate Entity and all Individual Insureds

Lack of Coverage in Traditional Policies
Errors & Omissions Liability (E&O)?

E&O:

• For wrongful acts committed solely in the conduct of the Insured’s “Professional Services”

• Policies may include coverage for negligence in failing to maintain confidentiality/security of customers’ information, invasion of privacy, unauthorized access/unauthorized use, introduction of malicious code

Insurance Coverage Options
First Party

Overview – covers direct first party losses that an insured may incur in connection with an incident.

A. Data recovery expenses (costs to recover data)

B. Business interruption expenses – covers business income loss and certain extra expenses the insured incurs during the “Period of Recovery of Services” due to the actual impairment or denial of operations resulting directly from fraudulent access or transmission

• Sometimes available by endorsement

• Sublimits can apply

Insurance Coverage Options
First Party (cont.)

C. Privacy Notification Expenses – means the reasonable and necessary cost of notifying those persons who may be directly affected by the misappropriation of a record

• Costs relating to changing their account numbers, other identification numbers and security codes; and

• Costs of providing them, for a stipulated period of time and with the prior approval of the company, with credit monitoring or other similar services that may help protect them against fraudulent use of the record

Insurance Coverage Options
First Party (cont.)

D. Pre-claim forensic costs to investigate a security breach

• Example: “Claim Expenses” means all other legal costs and expenses resulting from the investigation…of a circumstance that might lead to a claim with the prior written consent of the underwriters

• Example: “Loss” does not include any amount incurred by an insured in the defense or investigation of any action, proceeding, demand or request that is not then a claim, even if such matter subsequently gives rise to a claim

E. Crisis Management expenses

• Sublimits may apply

• See consent / procedural requirements

Insurance Coverage Options
Third Party Privacy

Overview – covers sums the insured is legally obligated to pay to third parties as damages and claims expenses as a result of a privacy breach or breach of privacy regulations.

A. Regulatory Coverage

• See scope of definitions of “claim”

• Some policies may only cover regulatory defense costs

B. Regulatory Civil Penalties

• HIPAA, Gramm-Leach-Bliley Act, state privacy protection laws and privacy provisions of FCRA impose civil penalties

• Check definition of “loss” or “damages” for exclusions

• Example: Damages includes a penalty or sanction imposed by a federal, state or local regulatory body against you as a result of a privacy breach or the breach of a privacy regulation by you as a person including an independent contractor, for which you are legally responsible

Insurance Coverage Options
Third Party Privacy (cont.)

C. Personal Injury Coverage

• See wording of exception to personal injury exclusion for scope

• Are claims for emotional distress, mental anguish included?

D. Privacy Breach Coverage (non-regulatory)

• Common law breach of privacy or confidentiality

Insurance Coverage Options
Network Security

Overview – Covers sums that the insured is legally obligated to pay as damages and claims expenses arising out of computer attacks caused by failures of security, including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability.

A. Unauthorized access (hacker attack) of the insured’s computer systems

B. Unauthorized use of the insured’s and the insured’s customers’ computer systems by an authorized person or third party

C. Independent contractor - Vendor coverage (acts of outside vendors)

• Example: Coverage for “your wrongful acts”, where “your” does not include independent contractors

• Example: Coverage for wrongful acts by any insured, where insured includes independent contractors who are natural persons and are acting within written scope on behalf of the named insured

Insurance Coverage Options
Network Security (cont.)

D. Denial of service attack (third parties cannot access insured’s website)

E. Transmission of computer virus

Insurance Coverage Options
Internet / Media Liability (optional coverage)

• Electronic content coverage: Information disseminated on website including extension for Copyright / Trademark

  Example: Coverage for injury sustained by a third party because of the actual or alleged infringement of a trademark name, copyright, the name of a title or the title of an artistic or literary work from information on website

• Personal Injury

• Advertising Injury (of company’s own products but only in electronic format)

Insurance Coverage Options
Cyber Extortion

• Expenses incurred in responding to an extortion demand

• Extortion payment (not all forms cover)

• Policies have prior consent provisions

Insurance Coverage Pitfalls
Watch The Exclusions!

A. Some policies exclude coverage for “claims” related to the insured’s failure to maintain or upgrade their security

• Example: No coverage arising out of or resulting from the failure of computer systems or data assets to be protected by computer security equal to or superior to that disclosed in response to specific questions in the application

B. Some policies exclude coverage for “claims” alleging fraudulent or malicious acts by employees

• Example: “Privacy Peril” does not include any intentional, fraudulent, criminal or malicious act, error or omission if committed by any employee if any elected or appointed officer possessed any knowledge of the act

Insurance Coverage Pitfalls
Watch The Exclusions! (cont.)

C. Some policies exclude certain operations of the insured, or may not cover various types of computer or peripheral devices

• Example: No coverage for theft of data via laptops unless whole disk encryption or equivalent grade encryption is used

D. Some policies will not cover actions of independent contractors working on behalf of the Insured

Key coverage to look for in Policies
Privacy Breach Coverage

• Coverage includes Employee Personal Information

• Regulatory defense

• Regulatory civil monetary penalties and fines?

• Breach of privacy regulations/laws?

Key coverage to look for in Policies
Network Security Coverage

• Unauthorized Access

• Unauthorized use (rogue employee)

• Denial of service attacks on systems of third parties

• Transmission of malicious code/virus to third parties

• Identity theft/theft of data

• Inability of authorized third party to access insured’s computer systems

• Damage, destruction, deletion, tampering or alteration to electronic data of third parties

• Data in any form other than electronic (loss of paper records, e.g., dumpster diving)

• Data definition extended to private, proprietary confidential corporate information

• Theft of laptops (laptops do not have to be encrypted)

Key coverage to look for in policies
Extortion Coverage

• Expenses only

• Ransom payments

Crisis Management Expenses

• Public relations expenses

• Notification expenses

• Credit monitoring costs

• Forensic systems investigations

• Crisis management expenses limited only to breach of privacy or breach of privacy regulations

Key coverage to look for in policies
First Party Data Protection or E-Vandalism Expenses

• Costs or expenses vary by form (generally incurred to restore, remediate, or replace damaged, deleted, destroyed or inaccessible data)

First Party Network Business Interruption

• Extra expenses during restoration

• Business income loss

Independent Contractors

• Insured protected if I.C.’s commit wrongful act

• Coverage extended to I.C.’s

Risks That Could Impact Client Companies

Potential Risk Event                                                            | Likelihood (Low Med High) | Potential Impact (Low Med High)
--------------------------------------------------------------------------------|---------------------------|---------------------------------
Costs to repair damage to your information assets                               |                           |
Privacy regulatory action defense and fines                                     |                           |
Privacy breach notification costs & credit monitoring                           |                           |
Legal liability to others for privacy breaches                                  |                           |
Damage to 3rd party information assets                                          |                           |
Website copyright/trademark infringement claims                                 |                           |

Risks That Could Impact Client Companies (cont.)

Potential Risk Event                                                            | Likelihood (Low Med High) | Potential Impact (Low Med High)
--------------------------------------------------------------------------------|---------------------------|---------------------------------
Wrongful acts by independent contractors                                        |                           |
Need to engage crisis management firm if an incident occurs                     |                           |
Regulated Industry? Identify any unique risks / regulations                     |                           |
Cyber Extortion threat                                                          |                           |
Loss of revenue due to a failure of security at a dependent technology provider |                           |
Loss of revenue due to a failure of security or computer attack                 |                           |

Contact:

Cliff [email protected]

425.709.3705