NetDil NLDH Marsh Del Val RIMS_v2
                    Cyber Risk – Assessing & Combating the Exposures

                         John F. Mullen, Esq.
                Mark Greisiger, President, NetDiligence
               Kate Maybee, Senior Vice President, Marsh

                                    Del Valley RIMS



NELSON LEVINE de LUCA & HORST
A Limited Liability Company
Attorneys At Law
www.nldhlaw.com
               Network Security / Data Risk

What data do you collect, and why?
      ۰ Personally Identifiable Info. (PII)
      ۰ Protected Health Info. (PHI)
      ۰ Credit Card Numbers

Where is it?
Who can access it?
How well is it protected?
When do you purge it?



               Network Security / Data Risk

Data creates duties.



                        To protect, preserve and defend.




               Network Security / Data Risk


What is a breach?
      ۰ Unauthorized disclosure
      ۰ Unauthorized use or access
      ۰ Data compromised


What is identity theft?
      ۰ Fraudulent use of someone
        else’s personal information
      ۰ Causes injury to property and
        person



                                 Private NPI

The Universe of Data
      ۰     Name, address, Driver’s License Number
      ۰     Social Security Number
      ۰     Credit Card Numbers
      ۰     Account Numbers
      ۰     User ID’s and Passwords




                                           Bulletin Board

Recent incidents (date, company):

Jan 11      Pentagon Federal Credit Union
Dec 10      Sovereign Bank
Nov 10      AARP
Oct 10      CitiBank
Oct 10      State Farm Insurance
Oct 10      Farmers Insurance
Sept 10     Morgan Keegan & Company
Sept 10     JP Morgan Chase Bank
Aug 10      Aon Consulting
Aug 10      Wachovia Bank
Aug 10      MetLife
Jun 10      Anthem Blue Cross, Wellpoint
Feb 10      Equifax
Feb 10      Ceridian
Sept 09     Bernard Madoff Investors
Aug 09      American Express
April 09    Federal Reserve Bank of New York
Jan 09      Heartland Payment Systems
Sept 08     State Farm Insurance

Largest breaches (year, number affected, companies):

Year    Number Affected    Companies
2010        470,000        Anthem Blue Cross
2010      3,300,000        Educational Credit Management
2010        600,000        Citigroup
2009    130,000,000        Heartland Payment Systems
2008      4,200,000        Hannaford Brothers Co
2007     94,000,000        TJX Companies Inc.
2007     25,000,000        HM Customs and Revenue
2007      8,500,000        Fidelity National Information Services
2007      6,300,000        TD Ameritrade
2006     26,500,000        U.S. Department of Veterans Affairs
2005     40,000,000        Visa, CardSystems, Mastercard, American Express




                                    Coverage

                Data: lost, stolen, destroyed

                              Data… not tangible property

     CGL, P&C, E&O, D&O, and PL policies don’t apply



                                     Are the risks real?
                                  Some anecdotal evidence
Verizon Security Consultants … 2010 Forensics Study
Some key findings
• 70% resulted from external bad actors (hackers, malware)
• 48% caused by insiders, and a large part of this (90%) was deliberate
• Surprisingly few ‘mistakes’ (errors) were attributed as the cause (3%)… in other studies they are often the majority cause
• 61% of data breaches discovered by 3rd parties, NOT by the company itself
• 96% of incidents were avoidable with simple controls
• Main attack pathway – web applications (54%)

Ponemon Institute.
•   85% of businesses incurred a data breach in the past year (up from 60% in the 2008 study)
•   $20k average cost to consumers who suffered ID/credit fraud as a result of a ‘medical data’ breach

CSI FBI Crime Study (2009)
•   Theft of PII/PHI: average cost per incident of $710k; financial fraud was $450k.




                              Top Perils… that we see

• Hacking (SQL injection)
• Laptop loss w/client data (very common)
• Backup tape loss (not my fault… it was the shipper)
• Staff mistakes: data leaks via email, mailings or paper disposal
• DDoS attacks (BI or extortion)
• Biz partner mishaps & breach




                                      PCI DSS Issues… still looming

     “No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach.”
     – Visa’s deputy chief risk officer Adrian Phillips

Commandments:
       ۰ Customer account # data should be encrypted in a database
       ۰ Do not store sensitive authentication (track) data after authorization (not even if it’s encrypted)
PCI Issues:
       ۰ It’s not perfect: it is based upon a sampling approach (i.e. you can’t visit/audit 500 stores) and focused on credit card data.
       ۰ PCI is constantly tweaking their standard (need FW at application layer to comply with DSS v 1.2)
       ۰ Many companies that WERE compliant (past v1.1) may no longer be with v1.2 & 2.0…
       ۰ Level 2 Merchants now are required to have ONSITE reviews
       ۰ V 2.0 may require a forensic search to find/map all PCI data
       ۰ Viewed now as a world standard by lawyers… thus more liability


                                     Common Weak Spots

•   PROBLEM 1) IDS or ‘Intrusion Detection Software’ (bad guy alert sys)
       • Studies show that 70% of actual breach events are NOT detected by the victim company, but by 3rd parties (and many more go undetected completely).
       • FTC and plaintiff lawyers often cite ‘failure to detect’
       • Vast data: a company’s IDS can log millions of events against its network each month
       • False positives: events that appear to be harmful, but are actually harmless. IDS can alert with more than 70% false positives.

•   PROBLEM 2) Patch Mgmt - Challenges:
       • All systems need constant care (patching) to keep bad guys out.
       • Complexity of networking environments: network professionals are responsible for a wide variety of hardware, operating systems and applications.
       • Lack of time: Gartner Group estimates that “IT Managers spend an average of 2 hours per day managing patches.”




PROBLEM # 3 - Encryption (of private data)

•       Problem spans all sizes & sectors.
•       ITRC (Identity Theft Resource Center): only 2.4% of all breaches had ‘encryption’
•       Issues: budgets, complexities and partner systems
•       Key soft spots: data ‘at rest’ for databases & laptops (to a lesser extent)
•       Benefits: safe harbor (usually)

PROBLEM # 4) missing Data Loss Prevention (DLP) solutions

    Purpose: protect & prevent mistakes (data leakage) or malicious incidents involving theft of or access to private customer data

    How: identify & restrict certain NPI data… via email monitoring/filter, or comprehensive monitoring of certain data-in-motion & data-at-rest

     DLP system should:
       - monitor all data paths… corporate email, webmail, blog, instant messenger, P2P application, internal web or FTP server etc.
       - discover, block & alert
       - offer virtually zero false positives.
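As an added example (not from the presentation or any vendor product), a minimal Python content filter of the kind the DLP bullets describe: it scans constructed sample messages for two NPI types from the "Universe of Data" slide (Social Security Numbers and credit card numbers), uses a Luhn check and SSA structural rules to keep false positives down, logs only redacted values, and blocks and alerts on confirmed NPI. The sample messages, regexes and the block/allow policy are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Candidate credit card number (PAN): 13-19 digits, optional space/dash separators,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSN in the usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; random digit runs that merely look like a PAN usually fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    kind: str      # "PAN" or "SSN"
    redacted: str  # what gets logged/alerted: never the full value


def scan_text(text: str) -> List[Finding]:
    """Return confirmed NPI findings; pattern hits that fail validation are dropped."""
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_structurally_valid(*m.groups()):
            findings.append(Finding("SSN", "***-**-" + m.group(3)))
    return findings


def decide(text: str) -> Tuple[str, List[Finding]]:
    """Assumed policy: any confirmed NPI in an outbound message -> block and alert; else allow."""
    findings = scan_text(text)
    return ("block" if findings else "allow"), findings


# Constructed sample outbound messages (not real data).
SAMPLE_MESSAGES: Dict[str, str] = {
    "msg-1": "Bob, card 4111-1111-1111-1111 is on file for the renewal.",     # Luhn-valid test PAN
    "msg-2": "Intake form: SSN 219-09-9999, please add to the claims file.",  # structurally valid SSN
    "msg-3": "Ticket 1234-5678-9012-3456 closed; ref 000-12-3456 attached.",  # PAN fails Luhn, SSN fails structure
    "msg-4": "Lunch at noon? Conference room 4.",
}


def run_samples() -> Dict[str, str]:
    """Verdict per sample message; msg-3 shows the two validation steps suppressing false positives."""
    return {mid: decide(text)[0] for mid, text in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for mid, text in SAMPLE_MESSAGES.items():
        verdict, findings = decide(text)
        print(mid, verdict, [(f.kind, f.redacted) for f in findings])
```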




                                     Strategies for Risk Managers
Plan for the loss

     CFO must understand that data / network security is NEVER 100%… it’s really not if but when.
     4 Legs of Traditional Risk Mgmt:
           Eliminate:       e.g. patch known exploits, encrypt laptops etc
           Mitigate:        e.g. dedicated security staff; policies; IDS/IPS; etc
           Accept:          e.g. partner SLAs, capabilities (trusting their assurances)
           Cede:            residual risk via privacy risk insurance

     Wide-Angle Assess Safeguard Controls Surrounding:
       • People: they seem to ‘get it’… proper security budget and vigilant about their job!
       • Processes/Policies: enterprise ISO27002, HITECH ready; employee education/training; change management processes, breach response plan etc.
       • Technology: proven IDS/IPS capabilities, DLP solutions, hardened & patched servers (tested), full encryption of PII.




         Where to begin? Wide-angle assessment

Self-Assess Key Areas of impact

• e-records management programs

• compliance (HITECH, GLBA, PCI, State Regs)

• disaster recovery planning

• privacy breaches (PR, communications, response)

• information security: ensuring the organization is investing in baseline or vital safeguards (encryption of laptops with ePHI etc.).

Lesson - not just IT's responsibility (CFO & Risk Mgr too)




                                        Example Process

Remote Cyber Risk Assessment (common to insurance industry)
Key concept: … vigilance & layered safeguards

• Step 1: Self-assessment: completed mostly by the client’s IT security rep, this strives to gauge their industry security & privacy practices against a known standard (ISO 27002). Other ‘privacy’ & media liability practices may be included here.

• Step 2: Phone call interview: purpose is to flush out any ‘red flag’ areas identified… gather more details or clarify a ‘compensating control’.

• Step 3: Document review: verify key security policies e.g. enterprise security, privacy, BC/DR and 3rd party vendor assurances. We also seek to peer review any recent security audit materials such as a PCI RoC.

• Step 4: Network perimeter vulnerability scan test: check for SQL exploits in web apps

• Step 5: Summary report: these 4 tasks might then be pulled into a composite report which strives to measure the client’s good faith practices against ISO adherence. Important here to mention strengths (good things found) along with weak spots and suggestions…




                                   Assessment Summary
Value of the Assessment Exercise for the RM

•   Purpose: Showcase Risk Mgmt Strengths
       – Reaffirm & document due care and a prudent information security program
       – Good faith effort towards compliance
       – Lessons learned from past loss/incidents (they should own up to these past losses)

•   Items to streamline an insurability assessment
       – Make the process collaborative
       – Educate: include Risk Mgr or CFO
       – Wide-Angle: address ‘non security’ network liability issues
       – Allow client to self-attest
             – Phone call interviews
             – Self-assessment
             – Peer review prior audits (PCI RoC alone may not be sufficient)

•   Proactive Things We Like
       – Assess & test
       – Inventory of assets: data, systems, applications
       – Privacy policy that actually conforms to practices
       – Employee training
       – Quarterly scan testing (know the hacker’s view)
       – Encrypt & detect
       – Review of your ASPs’ & partners’ own safeguards




                               Law School 101

Lawsuit Basics:

              Duty + Breach + Causation + Damages




                                Litigation Trends

Single Plaintiff
       ۰     Identity theft
       ۰     Privacy

Class Action
       ۰     Failure to protect data
       ۰     Failure to properly notify
       ۰     Failure to mitigate
       ۰     NO DAMAGES . . . YET

Government Action
       ۰     Attorney General (Health Net)
       ۰     FTC (Choice Point)

Banks
       ۰     Cost of replacing credit cards
       ۰     Reimbursement of fraudulent charges
       ۰     Business interruption




                                Defenses Eroding
Stollenwerk v. Tri West - plaintiffs with damages survived summary judgment
Krottner v. Starbucks Corp. - increased risk of identity theft constitutes an injury-in-fact (class plaintiffs survived summary judgment)
ITERA (Identity Theft Enforcement and Restitution Act) – pay an amount equal to the value of the time reasonably spent
In re Hannaford Bros. Data Security Breach Litigation - federal court asked state court: does time equal money?
ChoicePoint Data Breach Settlement - FTC paid for “time they may have spent monitoring their credit or taking other steps in response”; $18.17 x 14,000 = $254K




                                Defenses Eroding

Gail Slaughter v. Aon Consulting, Inc., et al.
      ۰ Social Security numbers and birth dates of 22,000 Delaware government retirees posted on a state website
      ۰ Suit filed September 2, 2010 alleges failure to properly safeguard personal information
      ۰ Class action status pending
      ۰ Plaintiff: “I feel aggrieved. It's something we're going to have to worry about for the rest of our lives.”



                         Tomorrow’s Class Action

۰ Plaintiffs’ attorneys will find a representative plaintiff with actual ID theft (4.8% of U.S. population will have ID theft regardless [1])
۰ Hannaford decision
۰ Raise ITERA as measure of damages
۰ FTC recognition of 20 years of damages [2]
۰ Krottner decision: recognition of standing to sue for future harm?

[1] Better Business Bureau and Javelin Research report that for 2009, 11.1 million consumers (4.8 percent of the U.S. population) were victims of identity theft
[2] ChoicePoint settlement includes 20 years of system auditing




                              Litigation Costs
  Attorney fees
           ●    Breach guidance
           ●    Investigation
           ●    Notification
           ●    e-discovery
           ●    Litigation prep
           ●    Contractual review
           ●    Defense (MDL?)

  Plaintiff Demands
           ●    Fraud reimbursement
           ●    Credit card replacement
           ●    Credit monitoring/ repair/ insurance
           ●    Civil fines/ penalties
           ●    Time


                              Exponential Demands

     Legal Liability? Minor damages for large groups = significant
     potential loss:

                    $ 200      ($100 time; $100 monitoring/ repair/ ins.)

                    x 10,000 (claimants)

                    x 20 years
                  _____________
                    $ 40 million




                                Defending the Lawsuit

Specialized considerations when defending a data breach
class action lawsuit
       ۰ MDL – national coordinating counsel
       ۰ Class certification discovery
       ۰ Joinder of all necessary and appropriate parties
           ● Evaluate cross and counterclaims

       ۰ eDiscovery: preservation, production and analysis of vast amount of
         data
       ۰ Experts for pre and post breach data handling issues




                                Regulations

Gramm–Leach–Bliley Act
Applies to Financial Institutions
۰ Must provide customers with Privacy Notice when each opens an
  account and annually thereafter
۰ Must provide customers with opt-out option related to data sharing
  with third parties (applies requirements of FCRA to financial
  institutions)
۰ requires financial institutions to develop a
  written information security plan




                               Notice Regulations

State level breach notice: 46 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI.

      ۰   Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information
      ۰   Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies
      ۰   Some states allow private right of action for violations
      ۰   Data-at-rest (disc level) encryption often a safe harbor




      Compliance & Notice Regulations
CONNECTICUT: Insurance Department Bulletin IC-25
– all licensees and registrants of the Department must notify the Department [Commissioner] of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five (5) calendar days after the incident
MASSACHUSETTS 201 CMR 17: Protection of Personal Info.
– All businesses that store Mass. residents’ personal information must develop a “written information security program” (WISP)

NEVADA
– Mandates that data collectors doing business in Nevada comply with
    Payment Card Industry Data Security Standards (PCI DSS)

CALIFORNIA
– Augments federal HIPAA provisions
– Breach requires notice to California Department of Health and
  affected individuals within 5 days
– State can fine institution up to $250,000 per violation
– Allows private right of action


                         Compliance Regulations

Fair And Accurate Transaction Act of 2003 (FACTA)
      ۰ Truncation: limits the information that can be printed on an electronically
        printed credit card receipt.


FACTA ‘Red Flags’ Program
      ۰ Mandates “creditors” create Identity Theft Prevention Program.
                ●    must include reasonable policies and procedures for detecting,
                     preventing, and mitigating identity theft

      ۰ Enforcement began December 31, 2010
      ۰ Definition of “creditor” causes concern




     Compliance & Notice Regulations

HITECH Act (amends HIPAA)
          ۰ HIPAA’s privacy rules apply to “covered entities.”
                   ●    Eg. health plans; health care clearinghouses (billing services, claims
                        handling); health care providers who electronically transmit any health
                        information in connection with transactions for which HHS has adopted
                        standards.


          ۰ HIPAA mandates various physical and technical safeguards.
                   ●    Privacy and Security Rules apply to passwords, access controls and
                        policies, certain uses of encryption, data back-up, and others.
                        (See 45 C.F.R. §§ 164.302 to 164.318).




     Compliance & Notice Regulations
HITECH Act
          ۰ Extends HIPAA to “business associates” of covered entities.
                   ●    Eg. claims processing or administration, data analysis, processing or
                        administration, utilization review, quality assurance, billing, benefit
                        management

          ۰ Permits State Attorneys General to bring civil actions in federal court.
                   ●    Recall Health Net Connecticut suit
          ۰ Civil monetary penalties range from $100 - $50K per violation and $25K -
            $1.5 mil within a calendar year.

          ۰ Mandates notice of breach to individual within 60 days, and to Sec. of
            HHS (immediately if over 500 individuals involved).

          ۰ Provides for mandatory audits by the Sec. of HHS to ensure data security
            policies and procedures are compliant, and implemented.


                         Key Regulations - Recall

ITERA: Identity Theft Enforcement and Restitution Act
      ۰ Identity theft offenders must
                “pay an amount equal to the value of the time reasonably
                spent by the victim in an attempt to remediate the intended or
                actual harm incurred by the victim from the offense.”
                18 U.S.C.A. § 3663(b)(6).




                Regulator/Compliance Costs
          Breach Costs
                    ●   Forensics vendor
                    ●   Notification vendor
                    ●   Call centers
                    ●   PR vendor
                    ●   ID theft insurance
                    ●   Credit monitoring
                    ●   ID restoration
                    ●   Attorney oversight

          Planning and Data Management
                    ●   Breach planning (Mass.)
                    ●   ID Theft monitoring (Red Flags)
                    ●   PCI DSS (Nevada and merchants)
                    ●   HIPAA



                              HealthNet - Case Study

•      May of 2009: Portable computer disk drive with 446,000 private
       records lost/stolen from HealthNet Connecticut.
•      January 2010: Connecticut Attorney General files suit against HealthNet
       alleging:
         ۰     Improper handling of the breach event
         ۰     Failure to timely notify affected individuals and AG’s office
         ۰     12 violations of HIPAA privacy and security rules
•      HealthNet will pay CT $250,000 in statutory damages and $500,000
       more if identity theft itself is established.
•      HealthNet incurred costs of over $7 Mil to forensically investigate,
       provide notification and credit monitoring…




                      Managing a Breach Event

Immediate Steps
      ۰ Stop intruder access

      ۰ Address vulnerability/scope

      ۰ Mitigate damages

      ۰ Use outside vendor to confirm
        efforts




                      Managing a Breach Event
Breach Response
      1. Fact Finding
                ●      What data accessed? (PII, PHI, Employees, Credit Cards…?)
                ●      How many individuals potentially affected?
                        o   Where are they – what states?
      2. Legal
                ●      Manage investigation; legal compliance; litigation hold and prep; contract
                       analysis
      3. Notification and Public Relations
                ●      Affected individuals; State Attorneys General, credit reporting agencies
                ●      Secretary of Health and Human Services (if HIPAA invoked)
                ●      Press conferences, news media, web and other notifications
                ●      Safe harbor provisions: Encrypted? Likelihood of ID theft? Alternate notice?
      4. Vendors
                ●      Forensic IT investigators; Credit monitoring, identity theft restoration, ID
                       insurance
                              ۰ Printing, mailing and call-center services



                                What can be done?

Proactive Risk Manager Steps
       ۰     Empowered senior executive
       ۰     Talk to your IT security folks. Gain an appreciation of the many challenges
       ۰     Not many companies can say how many records they have; what type of data is being collected, stored, shared, protected; where all this data resides; when it is purged
       ۰     Assess & test your own staff and operations
       ۰     Document your due care measures
       ۰     Insurance
       ۰     Red Flags and response plans/affirmative duties


                                                               Easier said than done…




                      Insurance Market Update
•      Significant capacity is driving insurer competition and premiums.

•      Increased claims activity- particularly on first party privacy losses.

•      Insurers continue to show a willingness to negotiate terms and conditions. Policies require
       significant customization. Terms and conditions still vary widely between insurers.

•      It is important to understand the claims handling experience of the insurers- many new
       entrants have not handled many claims before.

•      Underwriters are increasing their interest in practices and procedures surrounding
       information security taking underwriting beyond the realm of IT- questions surround
       information holders, contract management, disaster planning and incident response plans.

•      Insurers are integrating privacy event response services into their product offerings.

•      Continuing trend of expanding programs to be “all inclusive” addressing professional,
       technology, content, internet, security and privacy liability on a single program.

•      Increasing insurance requirements from their customers-these requirements are being
       expanded to include insurance for security/privacy liability.


                              Insurance Market
The market for this insurance coverage continues to expand with many recent entrants. Some
    of the insurers for this line include:
     -Ace                             -Liberty
     -Arch                            -CNA
     -Axis                            -Hiscox
     -Allied World                    -Lloyds
     -Chartis                         -Hartford
     -Chubb                           -RLI
     -Beazley                         -Zurich
Another significant consideration is to determine which vendors are allowed by each insurer.
    Some insurers take over these functions and some provide flexibility. These can include:
     ۰ Notification service
     ۰ Defense attorney
     ۰ Call center
     ۰ Credit monitoring
     ۰ Forensics


                          Insurance Coverage Parts

Coverage Part: Privacy Liability
  Description: Defense and liability for failure to keep information private or for failure of others that you have entrusted with information to keep it private (ex. pension actuary, credit card processor). Also includes liability for not properly notifying of a privacy breach. Coverage has expanded to include corporate information and non-computer-related information.
  Likely Claimants: Customers, employees
  Traditional Insurance Gaps:
    – General Liability: case law that data is not tangible property
    – E&O: employee claims not included
    – E&O: if any coverage, then covers medical information only, not third-party corporate information
    – E&O: exclusion for fines/penalties, includes redress fund

Coverage Part: Security Liability
  Description: Defense and liability for failure of systems to prevent spread of a virus or a denial of service to those that rely on systems, due to a failure in network security.
  Likely Claimants: Customers
  Traditional Insurance Gaps:
    – E&O: exclusions for system failures
    – E&O: definition of wrongful act does not extend to this


                                  Insurance Coverage Parts
Coverage Part: Media Liability
     Description: Defense and liability for libel, slander, disparagement, misappropriation of
       name or likeness, plagiarism, copyright infringement, and negligence in content to those
       that relied on the content.
     Likely Claimants: Authors, producers, publishers, competitors
     Traditional Insurance Gaps:
      ۰ General Liability: exclusions for all AI/PI claims arising out of professional services
      ۰ General Liability: exclusions for internet
      ۰ General Liability: clarification regarding “in the business of advertising”

Coverage Part: Technology/Miscellaneous Errors & Omissions
     Description: Defense and liability for negligent errors or omissions in performing
       technology and telecom services, or in the failure of technology products.
     Likely Claimants: Customers
     Traditional Insurance Gaps:
      ۰ E&O: exclusion for technology services
      ۰ E&O: wrongful acts limited to specific professional services



                                    Insurance Coverage Parts
Coverage Part: Notification Costs - Privacy
     Description: The following costs resulting from a privacy breach:
      -Computer forensics investigation expert
      -Costs to provide notifications (including attorney costs/call center)
      -Offer of fraud monitoring to those impacted
       Some insurers are moving to a per-person limit on this coverage.
     1st Party Costs
     Traditional Insurance Gaps:
      ۰ E&O/General Liability: liability coverage only

Coverage Part: Crisis Management Expenses
     Description: Costs of a public relations firm due to a privacy or security incident.
     1st Party Costs
     Traditional Insurance Gaps:
      ۰ E&O/General Liability: liability coverage only



                                   Insurance Coverage Parts
Coverage Part: Privacy Regulatory Defense Costs
     Description: Costs to defend an action by an Attorney General, the FTC, or another
       regulator due to a privacy breach.
     Likely Claimants: Attorney General, FTC
     Traditional Insurance Gaps:
      ۰ E&O: if any coverage, limited regulatory defense coverage; may be limited to anti-trust

Coverage Part: Cyber Extortion
     Description: Costs of consultants and extortion monies for threats related to interrupting
       systems and releasing private information.
     1st Party Costs
     Traditional Insurance Gaps:
      ۰ Kidnap & Ransom: excludes acts by employees, may exclude computer-related acts, excludes
        non-monetary demands

Coverage Part: Business Income/Extra Expense
     Description: Loss of income or extra expense due to system shutdown from a security
       failure. Waiting period applies. Coverage for destruction of data assets also available.
     1st Party Costs
     Traditional Insurance Gaps:
      ۰ Property: coverage limited to physical perils and tangible property
      ۰ Property: significant waiting period



                                Takeaways


         PREPARE $ (or budget $$$)

         ASSESS

         INSURE




                                Takeaways

When to pay…




        now…                      or later?




Cyber Risk: Assessing and Combating the Exposures
                                          Thank you
                                          John F. Mullen, Esq.
                                         jmullen@nldhlaw.com
                                             215.358.5154

                                 Mark Greisiger, President, NetDiligence
                                   mark.greisiger@netdiligence.com
                                             610.525.6383

                            Kate Maybee, Senior Vice President, Marsh
                                 catherine.maybee@marsh.com
                                         215.246.1225
