Cyber and Social Media Risks: What Board Members Should Know

Spence Hoole, Janice Chaffin, Tonia Klausner, Lauri Floresca

Posted on 18-Oct-2014


Summit D&O Conference, Panel I - Cyber Risks in the Digital Age. Keywords: cyber liability, risk management, virus, DoS attacks, Chaffin, Hoole, Floresca, Klausner

Page 1: Panel I - Cyber Risks in the Digital Age

Cyber and Social Media Risks: What Board Members Should Know

Spence Hoole

Janice Chaffin

Tonia Klausner

Lauri Floresca

Page 2

Overview

Why Cyber Risk and not D&O Insurance?

Increases in Security and Data Breaches

Privacy Issues and Cyber Attacks

Why should a Director care?

What every Director should know and do

Understanding Privacy Laws in the US

Legal Exposures from Cyber Activity

Social Media Risks

Cyber Liability – a Board-Level Issue

Cyber Liability Insurance

Goals and Takeaways

Role of Directors & Officers: Practical Implementation

Q&A

Page 3

Why Cyber Risk and Not D&O at Summit?

■ Evolution of changes in exposure to loss . . . brick-and-mortar risk shifting to network and cyber risks

■ A growing trend – frequency and severity of data breaches

  ■ 2010: largest collection of lost data on record

  ■ In 2009, over 220M personal records were breached (Social Security numbers, medical information, credit card databases)

  ■ Compared to only 35M personal records exposed in 2008

Sources: Databreaches.net; Ponemon Institute LLC

■ Board's responsibility in overseeing all organizational risks, including network / cyber risks

■ Cyber Risk insurance for “all” companies is the new, new thing

  ■ This is not your father’s Property and Liability Insurance Program

Page 4

Privacy Issues and Cyber Attacks

Janice Chaffin

Group President

Consumer Business Unit

Symantec

Page 5

» BUSINESSES

» GOVERNMENTS

» INDIVIDUALS

Page 6

Stuxnet: Thousands Of Industrial Control Centers Infiltrated

Page 7

“SPEAR PHISHING” FOR COMPANY DATA

Page 8

Why a director should care

Protecting:

Intellectual Property

Brand

Stock Price

Customer Confidence

Page 9

THE QUESTION IS NOT WILL YOU BE ATTACKED? THE QUESTION IS WHEN?

Page 10

WHAT EVERY DIRECTOR SHOULD KNOW

Who is responsible for Cyber Security?

Has a cyber risk assessment been done?

Is there a breach response plan in place?

Page 11

Who is responsible for Cyber Security?

Who does he/she report to?

Does he/she have the authority and resources to succeed?

Is there an IT Security policy in place?

Are employees actively engaged?

Is there a regular cadence for updating the Board?

Page 12

Has a cyber risk assessment been done?

Page 13

What is the breach response plan?

This plan should include clear steps for:

Containing the breach and handling forensics

Contacting your security software vendor

Engaging with law enforcement

Disclosing the breach

Managing public relations

Conducting post-mortem analysis

Page 14

Use personal best practices online

Take stock of your online profile

Never open links from strangers

Use strong passwords and change them often

Be conservative about what you share

Closely monitor security settings on social networks

Use approved web services only for company content

Page 15

Summary

Threats are growing in number and sophistication

It’s only a matter of time before your company will be attacked

The stakes are high – be informed and act now

Don’t make yourself a target

Page 16

Additional resources

• Estimate Your Risk Exposure: Ponemon Institute Data Breach Risk Calculator – http://databreachcalculator.com

• Security Policy Templates and Resources: CSO Magazine – http://www.csoonline.com/article/486324/security-tools-templates-policies

• Real-time Reports on Data Loss by Data Breach Type: DataLossDB – http://datalossdb.org

• The FTC’s Guide to Dealing With A Data Breach: http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html

• FBI eScams and Threat Warnings: http://www.fbi.gov/scams-safety/e-scams

• Symantec State of Spam and Phishing Report: http://www.symantec.com/business/theme.jsp?themeid=state_of_spam

• Symantec Stuxnet Site: http://www.symantec.com/stuxnet

[email protected]

Page 17

Privacy Law

Tonia Klausner

Partner

Wilson Sonsini Goodrich & Rosati

Page 18

Privacy Law in the U.S.

Technology has driven the growth of privacy law

Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information

Many of these laws respond to particular issues or concerns

Result: sectoral approach (industry silos), overlaid with cross-industry requirements

Contrast with omnibus approach in other regions (e.g., EU)

Page 19

Some U.S. Privacy Laws

Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule)

Telephone Consumer Protection Act (TCPA)

Junk Fax Prevention Act

CAN-SPAM

US/EU Safe Harbor

Video Privacy Protection Act

Electronic Communications Privacy Act (ECPA)

Fair Credit Reporting Act (FCRA) + FACTA

GLB

CPNI

FERPA

HIPAA

COPPA

SOX

FTC Section 5

States: Spyware; Social Security #s; Data Security; Breach Notification; Data Disposal; Point of Sale Data Collection; ID Theft Legislation; Security Freezes; Shine the Light; Credit Card Security

Page 20

U.S. Privacy Law Enforcement

Page 21

Data Breach

Containment: response team; accurate records of all events; preservation of evidence; newly enacted safeguards to prevent recurrence

Notifications: required by statute or by contract; other notifications

Customer relations: call center; protection services

Page 22

Data Breach: Consequences

Investigations: FTC, State AGs, HHS

Fines

Lawsuits

Breach Of Contracts; Loss of Rights/Revenues

Commercial Reputation

Page 23

Data Breach: Pending Legislation

Comprehensive notice requirements

Preemption of patchwork of state statutes

Possible private right of action

Page 24

Social Media

• Social Networking – rapid growth online and on handhelds

MySpace, Facebook, LinkedIn, Google+, Twitter, Ning, Tagged, Orkut, hi5, Meetup, Badoo, Friendster

iPhone, Android, iPad, Galaxy, Xoom, Windows 7 Tablet

GroupMe, Disco, WeTxt

Page 25

Legal Risks Beyond Breach

Many potentially applicable statutes: Computer Fraud and Abuse Act; ECPA; CAN-SPAM / Wireless CAN-SPAM; TCPA; COPPA; Video Privacy Protection Act

Hot area for class action lawsuits: social programs; geolocation data collection and use; texting programs

Page 26

Steps to Reduce Litigation Risks

Clear disclosure in terms of use or privacy policy

Conspicuous opt out or opt in at time user data is collected

Customer agreement to arbitrate dispute with class action waiver

Page 27

Online Advertising

Page 28

Online Advertising

Collection of information about users’ activities online: web pages visited, searches conducted, content viewed

Advertisers’ Goal: present users with ads targeting users’ interests

Page 29

Digital Advertising Flow (figure; source: Gridley & Co. and gregstuart.com)

Page 30

A New Perspective on Online Privacy

“Most of the online world is based on a simple, if unarticulated, agreement: consumers browse Web sites for free, and in return, they give up data – like their gender or income level – which the sites use to aim their advertisements. The head of the Bureau of Consumer Protection at the Federal Trade Commission, David C. Vladeck, says it is time for that to change.”

New York Times, August 5, 2009

Page 31

Industry Created A Self-Regulatory Program

Self-Regulatory Principles for Online Behavioral Advertising released July 2009

Advertising Option Icon announced & registration begins October 4, 2010

Consumer Choice page launched November 2010

Coalition turns to enforcement, operational implementation, and educational planning

Page 32

FTC Staff Report on Privacy December 2010 Said Progress Not Fast Enough

Simplified Choice

• Consumers should have choice about both data collection and usage

• Choice mechanism should be offered at point consumers provide data

• “Do Not Track” proposed as simplified choice mechanism

• Choice not required for a narrow set of practices: fulfillment; internal operations; fraud prevention; legal compliance; first-party marketing; contextual advertising

Page 33

Behavioral Advertising Litigation Risks

Lawsuits regarding cookies, flash cookies, super-cookies

Unsettled law: ECPA, CFAA

Multi-million dollar class-action settlements

Page 34

Tonia Klausner

[email protected]

+1 212.497.7706

Page 35

Cyber Liability a Board-Level Issue

Lauri Floresca

Partner

Woodruff-Sawyer & Co.

Page 36

Cyber Liability: a Board-Level Issue

Boards increasingly focused on cyber risk exposures

ERM Risk Oversight Rules adopted by SEC in 2009

Media attention on high profile breaches grows in 2011

SEC issues informal guidance on cyber risk disclosure in October 2011

In a technology-driven world, most companies have some exposure to cyber liability:

Customer Records

Employee Records

How to quantify? And how to remediate?

Page 37

Average Cost of Breach

Page 38

SEC Guidance: A Closer Look

October 2011 SEC guidance suggests that listed companies should add disclosure on cyber liability to their risk factors based on:

1. The “probability of cyber incidents occurring”

2. The “quantitative and qualitative magnitude of those risks”

Probability ≈ 100%

Magnitude much more difficult to assess

SEC also suggests that companies include a description of “relevant insurance coverage” – not straightforward

Many different types of insurance policies address cyber liability exposures, and all of them have some coverage limitations

SEC notes that relevant costs may include:

Remediation costs – insurable, sublimits often apply

Increased cyber security protection costs – not generally insurable

Lost revenues resulting from a cyber attack – insurable, significant limitations/waiting periods

Litigation – insurable

Reputational damage – specialized insurance products available, limited in scope

Page 39

Evolution of Cyber Liability Insurance

Page 40

Why you need Cyber Liability Insurance

Page 41

Identifying Your Cyber Liability

Page 42

Third-party v. First-party Coverage

Page 43

Contract Liability in the Cloud

Growth in cloud computing and outsourced I/T function creates new challenges

I/T infrastructure may be improved by outsourcing to a reputable cloud vendor – but you lose some elements of control

Will the cloud vendor be a more attractive target for a serious hacker (criminal or “hacktivist”)?

Compliance with data breach notification rests with the data owner – it does not matter if you outsource data processing or storage

Contracts with vendors likely limit their liability – but terms can vary substantially; often limited to 12 months of revenue paid to the cloud provider

Large cloud providers may offer no indemnity whatsoever under a standard contract, but are willing to negotiate for large customers

Make sure that your cyber liability insurance extends coverage in the event your data is breached while under the control of a third party

Negotiate with the vendor to maximize your chance of recovery if a breach is their fault

Ask your vendor for confirmation of their coverage – for them, this falls under the traditional technology “E&O” coverage module

Page 44

Q&A