Cyber / Privacy

Shared by: linqing
Posted: 10/19/2011
Language: English
Pages: 41
What is Cyber/Privacy Coverage?

Cyber Liability addresses the first- and third-party risks associated with e-business, the Internet, networks and informational assets.

History of Cyber Development

• 1936 - First freely programmable computer.

• 1951 - First commercial computer. It is able to pick presidential winners.

• 1954 - The first successful high-level programming language.

• 1957 - The development of what we now call the Internet started when the Soviet Union launched Sputnik 1, the first satellite.

• 1958 - The integrated circuit or "computer chip" is invented.

• 1974/1975 - The first consumer computers are available.

• 1982 - The Internet makes great advances as the spread of internetworking between computers begins to form into the idea of a global network (the Internet).

• 1990 - The World Wide Web (WWW) is born.

The Virus

History of the Virus

1971 - The Creeper Virus: Creeper was an experimental self-replicating program. Creeper gained access via the ARPANET (Internet predecessor) and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed.

1981 - First virus created that can spread via a floppy disk.

1990s - Viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets.

How Does a Computer Become Infected?

1. Websites
2. E-mails
3. Music/video downloads
4. Corrupt program downloads
5. Messenger service

Who Really Needs This Coverage?

• Business owners who are concerned with their client/employee information being compromised.

• Business owners who are aware of the risks associated with computer hackers, viruses and other damaging computer programs.

• Business owners who are concerned about copyright/trademark infringement.

• Business owners who understand it is important to uphold/preserve their professional reputation should an incident occur.

If You Answer "Yes"... You Have An Exposure!

• Do you keep electronic records of your clients' names, addresses, phone numbers, social security numbers, credit card numbers and/or other sensitive information?

• Do you keep PAPER records of your clients' names, addresses, phone numbers, social security numbers, credit card numbers and/or other sensitive information?

• Do you operate a website?

• Do you accept credit card payments?

• Do you have any employees or coworkers that could possibly compromise sensitive customer information? Or any employees that might do something illegal to try and make some easy money?

• Do you or your employees use laptops, Blackberries or other portable devices that store client information?

• Do you use a computer?

If you answered "Yes", you have an exposure!! And so do your clients!

What Can I Expect from a Cyber/Privacy Policy?

• Coverage from third-party claims.

• First-party coverage!

• Media liability
  • Personal injury coverage
  • Copyright/trademark infringement

• Business interruption expense.

• Cyber extortion: Cyber extortion is a form of online criminal activity in which the Web site, e-mail server, or computer infrastructure of an enterprise is subjected repeatedly to denial of service attacks or other attacks by malicious hackers, who then demand money in return for promising to stop the attacks.

Privacy Includes:

• Unauthorized access, physical taking, mysterious disappearance, release, disclosing and distributing personal and corporate information.

• Data on both electronic and paper records.

• Breach caused by rogue employees.

• Failure to maintain security, including civil fines and penalties.

Covered Expenses

• Forensic costs - Determining how the breach occurred.

• Notification costs - This can include the postage, printing, drafting costs, call center costs and advertisements.
  *Some estimates average this cost at $30 per person notified.

• Credit protection - Credit monitoring services, credit freezes and fraud alerts.

• Public relations/crisis management - To maintain the reputation of the business.

Key Questions

• What are the annual revenues?

• What are the business activities?

• Type of sensitive information processed/stored: social security numbers, bank account details, protected health information, credit card numbers.

• Are you compliant with PCI?

• Do you have unencrypted mobile devices?

• Number of records stored?

• Claims?

Claims

Data Breach Led to Multi-Million Dollar ATM Heists:

A nationwide ATM heist late last year netted thieves $9 million in cash in one day, according to published reports. The coordinated attack stemmed from a computer intrusion at payment processor RBS WorldPay.

Atlanta-based RBS WorldPay announced on Dec. 23 that hackers had broken into its database and made off with personal and financial data on 1.5 million customers of its payroll cards business. Some companies use payroll cards in lieu of paychecks by depositing employee salaries or hourly wages directly into payroll card accounts, which can then be used as debit cards at ATMs. RBS said that thieves also might have accessed Social Security numbers of 1.1 million customers.

Source: Washington Post

Claims

On January 17, 2007, TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods, and other retail stores, reported an unauthorized intrusion into its computer systems potentially exposing credit and debit card account information on customers. TJX initially identified 45.7 million credit and debit cards that had been compromised. That number, however, grew to over 94 million affected accounts.

In the TJX data breach, costs amounted to $256 million for the victim company.

Source: Data Breaches: What the Underground World of "Carding" Reveals, by Kimberly Kiefer Peretti

Claims

Google announced breach: Feb 2010

Intruders gained access by sending a tailored attack to one or a few targeted individuals. These attacks appeared to come from a trusted source, leading the target to fall for the trap and click a link or file.

Once the malware was downloaded and installed, it opened a back door that allowed the attacker to gain complete control over the compromised system. The attacker was able to identify high-value targets and start to siphon off valuable data from the company.

What is at Stake?

The economic loss for both the financial institutions issuing payment cards and the corporate entities from which cardholder account information is stolen is significant. Issuing financial institutions may experience three types of losses, including:

(1) costs associated with reissuing new payment cards;
(2) costs associated with monitoring open accounts for fraud (with or without reissue);
(3) fraud losses.

Merchants, data processors and other companies suffering from the breach, in turn, face significant losses in the form of lawsuits, credit card association fines, customer notification costs, stock price decline, lost business, and loss of existing customer confidence.

Source: Data Breaches: What the Underground World of "Carding" Reveals, by Kimberly Kiefer Peretti

What is at Stake? Cont.

Merchants and processors face class action lawsuits from both consumers and issuing financial institutions.

A recent study suggests that the total average cost to the victim of a data breach in 2007 was $197 per record (or, in the case of financial services companies, $239 per record). The total damages include costs associated with detecting the breach, reporting the breach, notifying customers, and lost business.

Business Owner Beware!

Methods of Identity Theft

Dumpster diving involves rummaging through garbage cans or trash bins to obtain copies of checks, credit card or bank statements, or other records that contain personally identifiable information such as name, address, and telephone number, and using this information to assume a person's identity.

Skimming involves the use of an electronic storage device by criminals to read and record the encoded data on the magnetic stripe on the back of a credit or debit card. Typical examples of such use involve rogue employees at restaurants that swipe a patron's card in the skimming device prior to swiping it through the restaurant's own card reader, or attaching the skimming device to an ATM.

Methods of Identity Theft Cont.

Phishing attacks involve the use of "spoofed" emails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.

Phishing attacks can also involve the use of technical schemes that plant malicious code, such as Trojans or keylogger spyware, onto an individual's computer without the individual's awareness and steal personal information directly.

Who is Behind the Crime?

Criminal Organizations

Shadowcrew

A criminal global organization with thousands of members that was dedicated to promoting and facilitating the electronic theft of personal identifying information, credit card and debit card fraud, and the production and sale of false identification documents. The organization operated and maintained the Internet website www.shadowcrew.com from 2002 until October 2004, when it was taken down by the U.S. Secret Service ("USSS") as the result of a year-long undercover investigation known as "Operation Firewall."

Shadowcrew members collectively trafficked in at least 1.5 million stolen credit card numbers that resulted in over $4 million in actual losses to credit card companies and financial institutions.

Source: Data Breaches: What the Underground World of "Carding" Reveals, by Kimberly Kiefer Peretti

Criminal Organizations

After the October 2004 takedown of the Shadowcrew website, several new forums were created, including for example the International Association for the Advancement of Criminal Activity (IAACA), which later became the Theft Services, CardersMarket, and CCpowersForum. By 2006, there were approximately a dozen other criminal organizations similar to Shadowcrew.

In 2007, two of the largest carding forums together had nearly 20,000 member accounts.

What is Your Personal Info Worth to Thieves?

In the first half of 2007, credit card information ranged from $0.50 to $5.00 per card, bank account information ranged from $30.00 to $400.00, and full identity information ranged from $10 to $150.

Your Info Cont.

There are several methods by which thieves obtain the stolen financial account information to resell on the carding forums. Most often, carders purchase the information in bulk from hackers who steal it from entities that hold large amounts of financial account information, including credit card service providers and data processors, financial institutions, merchants, restaurants and government agencies.

The compromise of such computer systems allows hackers to obtain large quantities of financial account information, often on millions of potential victims.

Corrective Actions

Recognizing the risk posed by weak security, the credit card associations developed a set of security standards, known as the Payment Card Industry Data Security Standards (PCI DSS), for merchants and third-party processors.

The PCI DSS, organized as a set of twelve requirements under six core principles, is designed to protect consumer payment account information. These core principles include:

(1) building and maintaining a secure network;
(2) protecting cardholder data;
(3) maintaining a vulnerability management program;
(4) implementing strong access control measures;
(5) regularly monitoring and testing networks; and
(6) maintaining an information security policy.

Law

In May 2007, Minnesota became the first state to enact legislation codifying Requirement 3 of the PCI DSS. The legislation was proposed in response to the data breach at TJX and several other retailers.

Effective August 1, 2007, the Plastic Card Security Act prohibits any person or entity conducting business in Minnesota that accepts an access device in connection with a transaction from retaining the card security code, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or, in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.

Source: Data Breaches: What the Underground World of "Carding" Reveals, by Kimberly Kiefer Peretti

Law

• Over 36 states have laws that require consumer notification in the event of a security breach.

• Several bills now before Congress include a national notification standard.

• The Red Flag rule was created by the Federal Trade Commission, along with other government agencies, to help prevent identity theft. This act was passed in January 2008. This rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. It applies to financial institutions and creditors.

Law

March 2010

Massachusetts implemented rules last month that any company that has personal information on a Mass. resident, regardless of whether the business is based in the state, must comply with the state's privacy rules in protecting that information.

This rule requires firms to develop a written policy and maintain proper information security practices for personal data in their activities and those of their third-party providers.

The Burden of Liability

Legislation shifts the financial liability of security breaches from the financial institution issuing the card to the merchant or entity from which the cardholder data was stolen. Furthermore, the legislation creates a private right of action for any individual cardholder injured by the breach.