Post on 01-Jan-2016
Marsh
Issues in Risk Management: Privacy and Data Breach Risk Review & Discussion
John McLaughlin, Marsh USA
www.marsh.com
Agenda
The Legal Landscape
The Art of Breach Crisis Management
– Breach statistics
– Breach Response Methodology
Risk Transfer
– Risk Overview
– Coverage Overview
– The Potential Cost of a Data Breach
– Marsh Approach
– The Insurance Underwriting Process
Regulatory Landscape
Increasing regulatory scrutiny
– FTC & State AG enforcement
Regulations - Compliance - Audit
– State notification laws (45 + D.C.)
– HIPAA (Health Insurance Portability & Accountability)
– HITECH Act
– FACTA (Fair and Accurate Credit Transactions)
– FCRA (Fair Credit Reporting)
– GLBA (Gramm-Leach-Bliley)
– FTCA (Federal Trade Commission – SAFE WEB)
– PCI Compliance
– Plastic Card Act (MN)
The Art of Breach Crisis Management
2009 How Data is Lost (General): Inside Perpetrator (Accidental and Malicious Intent)
Source: http://datalossdb.org/
2009 How Data is Lost (General): Inside vs. Outside the Organization
Source: http://datalossdb.org/
2009: Number of Reported Breaches by Industry
Source: http://datalossdb.org/
2009: Number of Reported Affected Individuals by Industry
Source: http://datalossdb.org/
Data Breach Statistics: Data Loss by Type
Source: http://datalossdb.org/
Breaches: By the numbers… Cost of a breach record
VICTIM COSTS: Notification; Call Center; Identity Monitoring (credit/non-credit); Identity Restoration
DIRECT COSTS: Discovery/Data Forensics; Loss of Employee Productivity
INDIRECT COSTS: Restitution; Additional Security and Audit Requirements; Lawsuits; Regulatory Fines
OPPORTUNITY COSTS: Loss of Consumer Confidence; Loss of Funding
Per-record cost components shown in the chart: $14.00, $10.00, $40.00, $140.00 (these sum to the stated $204)
Cost per record: $204 (2009)
© Ponemon Institute
Best Practices: Breach Crisis Management
Retain an outside counsel who specializes in Privacy Law and Breach Crisis Management
Notify Correctly vs. Quickly
– Defuse anger and emotion among constituents
– Provide remedy with notification
– Identify an accurate breach universe to minimize public exposure to the event
– Unique constituents
Leverage an Outside Call Center
Retain a Reputational Risk Advisor who specializes in Breach Crisis Management
Investigate – Investigate – Investigate
– Have outside counsel retain any data forensics investigation
– Potentially minimize public exposure to the event
Leverage a Breach Service Provider to conduct Recovery
– Pre-Existing ID Theft Victims
– More thorough recovery and restoration
Risk Transfer
Risk Overview
Threat Environment
Social Media/Networking
Lost or stolen laptops, computers or other computer storage devices
Backup tapes lost in transit because they were not sent either electronically or with a human escort
Hackers breaking into systems
Employees stealing information or allowing access to information
Information bought by a fake business
Poor business practices – for example, sending postcards with Social Security numbers on them
Internal security failures
Viruses, Trojan Horses and computer security loopholes
Info tossed into dumpsters – improper disposal of information
What’s At Risk
Financial data - tax receipts, account information – (credit and non-credit), financial reports including revenue and debt data
Health information - medical and insurance records
Personal identifiers - Social Security numbers, patient ID numbers, Tax ID numbers
Research data/Intellectual property
REPUTATION!
What Are the Exposures?
Legal liability to others for computer security & privacy breaches
Failure to safeguard data
– Identity theft: financial, medical and employee records
Plaintiff actions
– Loss mitigation strategy
– Credit monitoring
Card re-issuance liability
Vendors, service providers & partners errors
Risk Identification
Potential Risk Event                                                            | Likelihood                           | Potential Impact
Website copyright/trademark infringement claims                                 | low                                  | low
Legal liability to others for computer security breaches (non-privacy)          | low - medium                         | medium
Legal liability to others for privacy breaches                                  | high                                 | high
Privacy breach notification costs & credit monitoring                           | high                                 | medium
Privacy regulatory action defense and fines                                     | low                                  | medium
Costs to repair damage to your information assets                               | low                                  | medium
Loss of revenue due to a failure of security or computer attack                 | medium (overall); high (eCommerce)   | medium (overall); high (eCommerce)
Loss of revenue due to a failure of security at a dependent technology provider | low                                  | medium
Cyber Extortion Threat                                                          | low                                  | medium
Available Coverage Overview
Risks and Coverage
Each risk is mapped against Traditional Policies and a Cyber & Privacy Policy; the traditional-policy markings were not preserved in this transcript, and the Cyber & Privacy Policy coverage for each risk is:
Risk                                                    | Cyber & Privacy Policy
Legal liability to others for privacy breaches          | Privacy Liability: harm suffered by others due to the disclosure of confidential information
Legal liability to others for computer security breaches | Network Security Liability: harm suffered by others from a failure of your network security
Loss or damage to data/information                      | Property Loss: the value of data stolen, destroyed, or corrupted by a computer attack
Loss of revenue due to a computer attack                | Loss of Revenue: business income that is interrupted by a computer attack
Extra expense to recover/respond to a computer attack   | Cyber Extortion: the cost of investigation and the extortion demand
Loss or damage to reputation                            | Identity Theft Expenses: expenses resulting from identity theft
Privacy Notification Requirements                       | Cost to comply with privacy breach notification statutes
Regulatory Actions                                      | Legal defense for regulatory actions
What Are the Gaps in Traditional Policies?
Traditional insurance was written for a world that no longer exists. Attempting to fit all of the risks a business faces today into a traditional policy is like putting a round peg into a square hole.
Errors and Omissions (E&O): even a broadly worded E&O policy is still tied to “professional services” and often further tied to a requirement that there be an act of negligence
Commercial General Liability (CGL): covers only bodily and tangible property—Advertising Injury / Personal Injury (AI/PI) section has potential exclusions/limitations in the area of web advertising
Property: courts have consistently held that data isn’t “property”— “direct physical loss” requirement not satisfied
Crime: requires intent and only covers money, securities, and tangible property
Kidnap and Ransom (K&R): no coverage without amendment for “cyber-extortion”
Coverage Overview
Network security liability: liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data, denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems
Privacy liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
Crisis management and identity theft response fund: expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for a forensic investigation or for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations.
Coverage Overview (continued)
Cyber extortion: ransom or investigative expenses associated with a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured, introduce malicious code into your computer system; corrupt, damage, or destroy your computer system, or restrict or hinder access to your computer system.
Network business interruption: reimbursement of your loss of income and / or extra expense resulting from an interruption or suspension of computer systems due to a failure of network security to prevent a security breach. Includes sub-limited coverage for dependent business interruption.
Data asset protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.
Privacy Liability: Why is it different from cyber liability?
Breach of Privacy
– Disclosure of confidential information: personal, commercial
– Cause doesn’t matter: computers, vendors, dumpsters, phishing, employees
Damages/Covered Loss
– Legal liability
– Defense & Claims Expenses
– Regulatory defense costs
– Vicarious liability when control of information is outsourced
Crisis Coverage
– Credit remediation and credit monitoring
– Cover for PR expenses
– Cover for notification costs
Privacy Event - Quantification
Security/Privacy Insurance Market Trends
Insurance carriers are offering options that include coverage for “# of records that are compromised” as opposed to a dollar limit.
Insurance carriers are incorporating post-breach vendor panels within the coverage grants that allow insureds to access multiple vendors once a breach occurs.
Clients are experiencing increasing insurance requirements from their customers as well as from their partner arrangements.
The majority of current insurance carrier claims are related to the upfront mandatory expenses for notification and credit monitoring.
Looking Ahead
Privacy claims are at the forefront of insurers’ minds as they are starting to see potentially large losses for healthcare, retail, financial institutions and credit card processors.
Clients should expect underwriters to question not just the technology they employ but hiring practices, overall corporate policies related to the protection of data, as well as their due diligence in vetting vendors and independent contractors with whom they share information or rely upon for elements of critical infrastructure.
The Marsh Approach
MMC Privacy Solution
Placement of coverage is the last step in the process
Insurance is never a valid alternative to good risk management
Similarly, relying upon technology as some mythical “silver bullet” that will defend against all risks is to turn a blind eye to major risks facing every commercial entity
Marsh’s approach to privacy and cyber risks combines elements of:
– Assessment;
– Remediation;
– Prevention;
– Education; and
– Risk transfer.
Underwriting Process for Security & Privacy Insurance
Quote Process
– Application
– Security Self-Assessment
– Approach to underwriting varies by carrier
– Principal primary markets: ACE, Chartis, AXIS, Beazley, Chubb, CNA, Hiscox
– Market Capacity: 400M
Common Questions
How does this coverage align with our standard coverage?
Do the programs include coverage for fines and penalties?
Do the policies insure our organization if one of our vendors is the source of the breach?
If we have an event, can we use our own vendors? (Legal, IT, etc.)
Is employee data that is compromised included within the coverage grants?
Do the programs include coverage for both electronic and non-electronic forms of information?
How can Marsh help?
Marsh/FINPRO: the brokerage arm of MMC, helps companies evaluate and manage the risks associated with conducting their business in a networked world. Services include:
– Policy Drafting
– Placement
– Risk Profiling and Benchmarking
– Security & Risk Assessments
– Coverage Gap Analysis
Contact
John McLaughlin
Senior Vice President-FINPRO
Advisor for Tech/Telecom E&O and Network Risk
3560 Lenox Road
Atlanta, GA 30326
John.t.mclaughlin@marsh.com
404-995-3658
The information contained in this presentation provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisors regarding specific coverage issues.
Statements concerning legal matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with the client’s own qualified legal advisors in these areas.
Marsh is part of the family of MMC companies, including Kroll, Guy Carpenter, Mercer Human Resource Consulting (including Mercer Health & Benefits, Mercer HR Services, Mercer Investment Consulting, and Mercer Global Investments), and Mercer specialty consulting businesses (including Mercer Management Consulting, Mercer Oliver Wyman, Mercer Delta Organizational Consulting, NERA Economic Consulting, and Lippincott Mercer).
This document or any portion of the information it contains may not be copied or reproduced in any form without the permission of Marsh, Inc., except that clients of any of the companies of MMC—including Marsh, Kroll, Guy Carpenter and Mercer—need not obtain such permission when using this report for their internal purposes.
Copyright—2010 Marsh Inc. All rights reserved.