Page 1: Marsh Issues in Risk Management: Privacy and Data Breach Risk Review & Discussion

John McLaughlin, Marsh USA

Page 3: Agenda

- The Legal Landscape
- The Art of Breach Crisis Management
  - Breach statistics
  - Breach response methodology
- Risk Transfer
  - Risk overview
  - Coverage overview
  - The potential cost of a data breach
  - Marsh approach
  - The insurance underwriting process

Page 4: Regulatory Landscape

- Increasing regulatory scrutiny
  - FTC & State AG enforcement
- Regulations - Compliance - Audit
  - State notification laws (45 + D.C.)
  - HIPAA (Health Insurance Portability & Accountability)
  - HITECH Act
  - FACTA (Fair and Accurate Credit Transactions)
  - FCRA (Fair Credit Reporting)
  - GLBA (Gramm-Leach-Bliley)
  - FTCA (Federal Trade Commission – SAFE WEB)
  - PCI Compliance
  - Plastic Card Act (MN)

Page 5: The Art of Breach Crisis Management

Page 6: 2009 How Data is Lost (General): Inside Perpetrator (Accidental and Malicious Intent)

[Chart] Source: http://datalossdb.org/

Page 7: 2009 How Data is Lost (General): Inside vs. Outside the Organization

[Chart] Source: http://datalossdb.org/

Page 8: 2009: Number of Reported Breaches by Industry

[Chart] Source: http://datalossdb.org/

Page 9: 2009: Number of Reported Affected Individuals by Industry

[Chart] Source: http://datalossdb.org/

Page 10: Data Breach Statistics: Data Loss by Type

[Chart] Source: http://datalossdb.org/

Page 11: Breaches: By the numbers... Cost of a breach record

Cost per record: $204 (2009), broken down as follows (© Ponemon Institute):

- Victim costs (notification, call center, identity monitoring (credit/non-credit), identity restoration): $14.00
- Direct costs (discovery/data forensics, loss of employee productivity): $10.00
- Indirect costs (restitution, additional security and audit requirements, lawsuits, regulatory fines): $40.00
- Opportunity costs (loss of consumer confidence, loss of funding): $140.00

Page 12: Best Practices: Breach Crisis Management

- Retain outside counsel who specializes in Privacy Law and Breach Crisis Management
- Notify correctly vs. quickly
  - Defuse anger and emotion among constituents
  - Provide a remedy with the notification
  - Identify an accurate breach universe to minimize public exposure to the event
  - Unique constituents
- Leverage an outside call center
- Retain a Reputational Risk Advisor who specializes in Breach Crisis Management
- Investigate – Investigate – Investigate
  - Have outside counsel retain any data forensics investigation
  - Potentially minimize public exposure to the event
- Leverage a Breach Service Provider to conduct recovery
  - Pre-existing ID theft victims
  - More thorough recovery and restoration

Page 13: Risk Transfer

Page 14: Risk Overview

Page 15: Threat Environment

- Social media/networking
- Lost or stolen laptops, computers or other computer storage devices
- Backup tapes lost in transit because they were not sent either electronically or with a human escort
- Hackers breaking into systems
- Employees stealing information or allowing access to information
- Information bought by a fake business
- Poor business practices - for example, sending postcards with Social Security numbers on them
- Internal security failures
- Viruses, Trojan horses and computer security loopholes
- Information tossed into dumpsters - improper disposition of information

Page 16: What's At Risk

- Financial data - tax receipts, account information (credit and non-credit), financial reports including revenue and debt data
- Health information - medical and insurance records
- Personal identifiers - Social Security numbers, patient ID numbers, Tax ID numbers
- Research data/intellectual property
- REPUTATION!

Page 17: What Are the Exposures?

- Legal liability to others for computer security & privacy breaches
- Failure to safeguard data
  - Identity theft
  - Financial, medical and employee records
- Plaintiff actions
  - Loss mitigation strategy: credit monitoring
- Card re-issuance liability
- Errors by vendors, service providers & partners

Page 18: Risk Identification

Potential risk events, with likelihood and potential impact:

- Website copyright/trademark infringement claims: likelihood low; impact low
- Legal liability to others for computer security breaches (non-privacy): likelihood low - medium; impact medium
- Legal liability to others for privacy breaches: likelihood high; impact high
- Privacy breach notification costs & credit monitoring: likelihood high; impact medium
- Privacy regulatory action defense and fines: likelihood low; impact medium
- Costs to repair damage to your information assets: likelihood low; impact medium
- Loss of revenue due to a failure of security or computer attack: likelihood medium (overall), high (eCommerce); impact medium (overall), high (eCommerce)
- Loss of revenue due to a failure of security at a dependent technology provider: likelihood low; impact medium
- Cyber extortion threat: likelihood low; impact medium

Page 19: Available Coverage Overview

Page 20: Risks and Coverage

(Table columns: Risks; Coverage; Traditional Policies; Cyber & Privacy Policy. The markings in the two policy columns are not preserved in the transcript.)

- Risk: Legal liability to others for privacy breaches. Coverage: Privacy Liability - harm suffered by others due to the disclosure of confidential information.
- Risk: Legal liability to others for computer security breaches. Coverage: Network Security Liability - harm suffered by others from a failure of your network security.
- Risk: Loss or damage to data/information. Coverage: Property Loss - the value of data stolen, destroyed, or corrupted by a computer attack.
- Risk: Loss of revenue due to a computer attack. Coverage: Loss of Revenue - business income that is interrupted by a computer attack.
- Risk: Extra expense to recover/respond to a computer attack. Coverage: Cyber Extortion - the cost of investigation and the extortion demand.
- Risk: Loss or damage to reputation. Coverage: Identity Theft - expenses resulting from identity theft.
- Coverage: Privacy Notification Requirements - cost to comply with privacy breach notification statutes.
- Coverage: Regulatory Actions - legal defense for regulatory actions.

Page 21: What Are the Gaps in Traditional Policies?

Traditional insurance was written for a world that no longer exists. Attempting to fit all of the risks a business faces today into a traditional policy is like putting a round peg into a square hole.

- Errors and Omissions (E&O): even a broadly worded E&O policy is still tied to “professional services” and often further tied to a requirement that there be an act of negligence
- Commercial General Liability (CGL): covers only bodily injury and tangible property damage; the Advertising Injury / Personal Injury (AI/PI) section has potential exclusions/limitations in the area of web advertising
- Property: courts have consistently held that data isn’t “property”, so the “direct physical loss” requirement is not satisfied
- Crime: requires intent and only covers money, securities, and tangible property
- Kidnap and Ransom (K&R): no coverage without amendment for “cyber-extortion”

Page 22: Coverage Overview

- Network security liability: liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
- Privacy liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
- Crisis management and identity theft response fund: expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for a forensic investigation or for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations.

Page 23: Coverage Overview (continued)

- Cyber extortion: ransom or investigative expenses associated with a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured; introduce malicious code into your computer system; corrupt, damage, or destroy your computer system; or restrict or hinder access to your computer system.
- Network business interruption: reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of network security to prevent a security breach. Includes sub-limited coverage for dependent business interruption.
- Data asset protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (e.g., software applications) that are corrupted or destroyed by a computer attack.

Page 24: Privacy Liability: Why is it different from cyber liability?

- Breach of Privacy
  - Disclosure of confidential information (personal, commercial)
  - Cause doesn’t matter: computers, vendors, dumpsters, phishing, employees
- Damages/Covered Loss
  - Legal liability
  - Defense & claims expenses
  - Regulatory defense costs
  - Vicarious liability when control of information is outsourced
- Crisis Coverage
  - Credit remediation and credit monitoring
  - Cover for PR expenses
  - Cover for notification costs

Page 25: Privacy Event - Quantification

Page 26: Security/Privacy Insurance Market Trends

- Insurance carriers are offering options that include coverage for “# of records that are compromised” as opposed to a dollar limit.
- Insurance carriers are incorporating post-breach vendor panels within the coverage grants that allow insureds to access multiple vendors once a breach occurs.
- Clients are experiencing increasing insurance requirements from their customers as well as from their partner arrangements.
- The majority of current insurance carrier claims are related to the upfront mandatory expenses for notification and credit monitoring.

Looking Ahead

- Privacy claims are at the forefront of insurers’ minds as they are starting to see potentially large losses for healthcare, retail, financial institutions and credit card processors.
- Clients should expect underwriters to question not just the technology they employ but also hiring practices, overall corporate policies related to the protection of data, and their due diligence in vetting vendors and independent contractors with whom they share information or on whom they rely for elements of critical infrastructure.

Page 27: The Marsh Approach

Page 28: MMC Privacy Solution

- Placement of coverage is the last step in the process
- Insurance is never a valid alternative to good risk management
- Similarly, relying upon technology as some mythical “silver bullet” that will defend against all risks is to turn a blind eye to major risks facing every commercial entity
- Marsh’s approach to privacy and cyber risks combines elements of:
  - Assessment;
  - Remediation;
  - Prevention;
  - Education; and
  - Risk transfer.

Page 29: Underwriting Process for Security & Privacy Insurance

- Quote process
  - Application
  - Security self-assessment
  - Approach to underwriting varies by carrier
  - Principal primary markets: ACE, Chartis, AXIS, Beazley, Chubb, CNA, Hiscox
  - Market capacity: 400M

Page 30: Common Questions

- How does this coverage align with our standard coverage?
- Do the programs include coverage for fines and penalties?
- Do the policies insure our organization if one of our vendors is the source of the breach?
- If we have an event, can we use our own vendors (legal, IT, etc.)?
- Is employee data that is compromised included within the coverage grants?
- Do the programs include coverage for both electronic and non-electronic forms of information?

Page 31: How can Marsh help?

Marsh/FINPRO, the brokerage arm of MMC, helps companies evaluate and manage the risks associated with conducting their business in a networked world. Services include:

- Policy drafting
- Placement
- Risk profiling and benchmarking
- Security & risk assessments
- Coverage gap analysis

Page 32: Contact

John McLaughlin

Senior Vice President-FINPRO

Advisor for Tech/Telecom E&O and Network Risk

3560 Lenox Road

Atlanta, GA 30326

[email protected]

404-995-3658

Page 33:

The information contained in this presentation provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisors regarding specific coverage issues.

Statements concerning legal matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with the client’s own qualified legal advisors in these areas.

Marsh is part of the family of MMC companies, including Kroll, Guy Carpenter, Mercer Human Resource Consulting (including Mercer Health & Benefits, Mercer HR Services, Mercer Investment Consulting, and Mercer Global Investments), and Mercer specialty consulting businesses (including Mercer Management Consulting, Mercer Oliver Wyman, Mercer Delta Organizational Consulting, NERA Economic Consulting, and Lippincott Mercer).

This document or any portion of the information it contains may not be copied or reproduced in any form without the permission of Marsh, Inc., except that clients of any of the companies of MMC—including Marsh, Kroll, Guy Carpenter and Mercer—need not obtain such permission when using this report for their internal purposes.

Copyright—2010 Marsh Inc. All rights reserved.