"IS THIS YOUR FIRM'S IDEA OF DATA PRIVACY COVERAGE?"
Disclaimer
This presentation is advisory in nature and necessarily general in content.
No liability is assumed by reason of the information provided.
Whether or not or to what extent a particular loss is covered depends on the
facts and circumstances of the loss and the terms and conditions of the policy
as issued.
Please carefully review any policy and all endorsements delivered for the
precise coverage terms.
Introduction
Foundation for Privacy Fears
• Privacy is a right
• Private information has value
• Technology has created new issues concerning breaches of privacy
• Privacy breaches can have a material impact on a company’s reputation
• Courts, legislatures and regulatory agencies are engaged in addressing privacy issues
• Highly publicized security breaches are in the news
Introduction
What are Data Theft and Privacy/Security Breaches?
• An organization’s unauthorized or unintentional exposure,
disclosure, or loss of sensitive personal information.
Risks and Recent Developments
Increase in Numbers of Incidents
Industry Issues
- FTC estimates nearly 10 million victims per year
- Many victims don’t know or don’t report
- Fastest growing white-collar crime in America
- Average 175 hours and $1,500 to resolve per individual
- Tremendous media exposure
Common Types of Fraud
- Current credit – credit card, debit card, phone card
- Use of name and social security number:
  - Establish new credit
  - Commit other criminal activity
Sources of Data Breach
49% lost laptop or other device (USB flash drives…)
16% third party outsourcer/vendor
9% malicious insider
9% paper records
7% lost electronic backup
5% hackers, crackers, social engineers, “phishers”
4% malicious code
2% unknown
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC, 2007
Risks and Recent Developments
Increase in Numbers of Incidents
Data Breaches – Growing In Numbers!
Between January 2005 and February 6, 2009, 252,308,777 records containing “sensitive personal information” have been involved in security breaches!
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches (posted April 20, 2005; updated February 9, 2009), www.privacyrights.org
Risks and Recent Developments
Prominent Examples
Recent high-profile data security breaches illustrate the nature of the risk
• Heartland Payment Systems, Inc. (100 million customer credit cards/debit cards) 2008 (This had a companion D&O suit)
• Hannaford Brothers (4.2 million credit cards/debit cards) 2008
• Certegy Check Services (4.2 million customers) 2002-2007
• TJX (94 million records) 2006-2007
• Choicepoint (150,000 records) 2005
• Bank of America (1.2 million federal employees) 2005
• DSW (100,000 customers) 2005
• Lexis/Nexis (32,000 records) 2005
Sources: Computerworld, Boston Globe, Tampabay.com, ZDNet and 11Alive.com
Risks and Recent Developments
Applicable Laws
California Security Breach Information Act (2003). Since passage, 47 states and territories have passed similar laws (http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm)
The essence of these laws is the requirement that companies storing personal information must promptly notify persons whose information has been accessed by an unauthorized person
In addition to the costs of notification, these laws create potential civil liability if proper and timely notification of a data security breach is not given
Some states require notification to specific law enforcement and consumer credit reporting agencies
Risks and Recent Developments
Applicable Laws
Gramm-Leach-Bliley Act
Requires “financial institutions” to ensure the security and confidentiality of private financial information (includes all businesses that are “significantly engaged” in providing financial products or services)
HIPAA – Health Insurance Portability and Accountability Act
Regulations for use and disclosure of Protected Health Information, which is any information about health status, provision of health care, or payment for health care that can be linked to an individual
Covered entities are any health care related businesses that store or transmit health care data in a way regulated by HIPAA
The Security Rule of HIPAA deals specifically with Electronic Protected Health Information (EPHI).
Risks and Recent Developments
Applicable Laws
Fair Credit Reporting Act (FCRA)
Enacted to promote efficiency in the country’s banking system and to protect consumer privacy. See TRW, Inc. v. Andrews, 534 U.S. 19, 23 (2001)
Imposed obligations on three types of entities:
• Credit reporting agencies,
• Users of credit reports, and
• Furnishers of information to credit reporting agencies
Risks and Recent Developments
Applicable Laws
Fair and Accurate Credit Transactions Act (FACTA)
Amendment to FCRA
Key provisions focused on reducing exposure to identity theft and assisting consumers with credit problems
Requires truncation of credit card and social security numbers
Credit and Debit Card Receipt Clarification Act, June 3, 2008
Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions
Risks and Recent Developments
Applicable Laws
Red Flag Rule
Amendment to FCRA
Financial institutions and creditors must establish a written program to “detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts”
Creditors must develop a “Program” formalizing the steps they intend to take to prevent identity theft by May 1, 2009
Consequences for non-compliance: statutory and actual damages; attorneys’ fees; punitive damages; possible class actions
Risks and Recent Developments
Hypothetical Scenario #1
• Former employee of a financial institution provides an accomplice with access to the financial institution’s secure network.
  - Data includes sensitive personal information about the company’s customers and employees
  - Thief also gains access to the financial institution’s external website
• 2 weeks later, company receives ransom note from thief
• 2 weeks later, thief hacks into company’s system, causing company’s website to be down for 2 days with no ability to conduct online transactions
• Media learns of issue – widespread media attention results in cancellation and re-issuance of all client plastic cards; potentially affected members must be notified and provided with credit monitoring
• Various government agencies begin investigations
Risks and Recent Developments
Hypothetical Scenario #2
• Employee innocently opens an email supposedly from the company’s IT department
  - Email has malicious code embedded to surreptitiously control the employee’s computer
  - Outside hacker uses employee’s computer to launch additional attacks on the company’s backend network
• Hacker gains widespread access to company’s various databases, including plastic cards
• Hacker emails company President with customer database containing personal confidential information and demands $500,000, or else will publish a link to this information.
Risks and Recent Developments
Scenarios 1 and 2 result in various potential losses
First Party Losses
• Loss of Private Data
  - Notification/credit monitoring costs
  - Cost to change account numbers
  - Publicity costs
• Business income loss
• Data restoration expenses
• Cyber Extortion
  - Ransom payments
  - Other expenses
Third Party Losses
• Customer Suits
  - Customer alleging invasion of privacy
  - Customers or other third parties alleging financial loss
• Other Suits
  - Regulatory actions/fines or penalties
Risks and Recent Developments
Costs / Claims / Losses
First Party Losses
• Cost of $197 per record compromised, consisting of:
  - $128 lost business (lost customers/reduced orders)
  - $46 ex-post response (PR costs, credit monitoring)
  - $15 notification
  - $9 detection & escalation
Source: Ponemon Institute, LLC – “2007 Annual Study: Cost of a Data Breach”
Risks and Recent Developments
Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?)
• Failure to implement and maintain reasonable security procedures (currently, actual harm and damages are hard to prove)
• Negligence (based upon regulatory/industry standards)
• Unfair, deceptive and unlawful business practices
• Invasion of the customer’s right to privacy
• Breach of fiduciary duty
• Breach of contract
• Fraud / Misrepresentation
• Multiple Class Action filings increasing
• New legal theories yet to come in pleadings
Risks and Recent Developments
Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?) cont.
• Loss of wages due to time taken to prove “identity theft” to MasterCard or Visa
• Expense of legal and other resources necessary to prove “identity theft” to MasterCard and Visa
• Loss of business advantage due to effect of fraudulent charges on FICO scores
• Damages claimed under applicable state privacy legislation
Where is the Insurance Coverage?
Comprehensive General Liability (CGL)?
Computer/Commercial Crime Form?
Directors and Officers Liability?
Professional Liability Policy?
Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)?
CGL: Covers liability for “Property Damage” to a third party
“Property Damage” = “physical injury to tangible property” as well as “loss of use of tangible property that is not physically injured”.
Open question: whether electronic data is covered as “physical damage to tangible property” or “loss of use of tangible property”.
Coverage B: Personal and Advertising Injury Liability
Oral or written publication, in any manner, of material that violates a person’s right to privacy.
Is the “loss” of data in electronic form on a database “oral or written publication of material”?
Lack of Coverage in Traditional Policies
Comprehensive General Liability (CGL)? (cont.)
Professional Services exclusion (present on most General Liability policies) will apply if you are a financial institution:
“Financial Professional Services. We won’t cover injury or damage or medical expenses that result from the performance of or failure to perform any financial professional service.”
Breach of Contract exclusion (present on most General Liability policies):
“Breach of Contract. We won’t cover personal injury or advertising injury that results from the failure of any protected person to do what is required by a contract or agreement…”
Lack of Coverage in Traditional Policies
Crime?
Surety Association Computer Crime and ISO Commercial Crime policies generally exclude:
• Loss directly or indirectly from theft of confidential information
• Indirect or consequential loss of any nature
• Potential income, including but not limited to interest/dividends
Specific Financial Institution Crime Policies can include:
• E-theft loss of money or securities as a result of fraudulent electronic communications from a third party, theft of confidential customer information
• Extortion, Business Income
• No 1st party losses
• Typically written with high deductible
Lack of Coverage in Traditional Policies
Directors & Officers Liability (D&O)?
D&O:
• Possible source of coverage for third party suits
• Possible source of coverage for regulatory suits
• No First Party coverage
• Exclusions for invasion of privacy or violation of any right of privacy may preclude coverage for the Corporate Entity, or for both the Corporate Entity and all Individual Insureds
Lack of Coverage in Traditional Policies
Errors & Omissions Liability (E&O)?
E&O:
• For wrongful acts committed solely in the conduct of the Insured’s “Professional Services”
• Policies may include coverage for negligence in failing to maintain confidentiality/security of customers’ information, invasion of privacy, unauthorized access/unauthorized use, introduction of malicious code
Insurance Coverage Options
First Party
Overview – covers direct first party losses that an insured may incur in connection with an incident.
A. Data recovery expenses (costs to recover data)
B. Business interruption expenses – covers business income loss and certain extra expenses the insured incurs during the “Period of Recovery of Services” due to the actual impairment or denial of operations resulting directly from fraudulent access or transmission
  • Sometimes available by endorsement
  • Sublimits can apply
Insurance Coverage Options
First Party (cont.)
C. Privacy Notification Expenses – means the reasonable and necessary cost of notifying those persons who may be directly affected by the misappropriation of a record
  • Costs relating to changing their account numbers, other identification numbers and security codes; and
  • Costs of providing them, for a stipulated period of time and with the prior approval of the company, with credit monitoring or other similar services that may help protect them against fraudulent use of the record
Insurance Coverage Options
First Party (cont.)
D. Pre-claim forensic costs to investigate a security breach
  • Example: “Claim Expenses” means all other legal costs and expenses resulting from the investigation…of a circumstance that might lead to a claim with the prior written consent of the underwriters
  • Example: “Loss” does not include any amount incurred by an insured in the defense or investigation of any action, proceeding, demand or request that is not then a claim, even if such matter subsequently gives rise to a claim
E. Crisis Management expenses
  • Sublimits may apply
  • See consent / procedural requirements
Insurance Coverage Options
Third Party Privacy
Overview – covers sums the insured is legally obligated to pay to third parties as damages and claims expenses as a result of a privacy breach or breach of privacy regulations.
A. Regulatory Coverage
  • See scope of definitions of “claim”
  • Some policies may only cover regulatory defense costs
B. Regulatory Civil Penalties
  • HIPAA, Gramm-Leach-Bliley Act, state privacy protection laws and privacy provisions of FCRA impose civil penalties
  • Check definition of “loss” or “damages” for exclusions
  • Example: Damages includes a penalty or sanction imposed by a federal, state or local regulatory body against you as a result of a privacy breach or the breach of a privacy regulation by you or by a person, including an independent contractor, for which you are legally responsible
Insurance Coverage Options
Third Party Privacy (cont.)
C. Personal Injury Coverage
  • See wording of exception to personal injury exclusion for scope
  • Are claims for emotional distress, mental anguish included?
D. Privacy Breach Coverage (non-regulatory)
  • Common law breach of privacy or confidentiality
Insurance Coverage Options
Network Security
Overview – Covers sums that insured is legally obligated to pay as damages and claims expenses arising out of computer attacks caused by failures of security, including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability.
A. Unauthorized access (hacker attack) to the insured’s computer systems
B. Unauthorized use of insured’s and insured’s customers’ computer systems by an authorized person or third party
C. Independent contractor – Vendor coverage (acts of outside vendors)
  • Example: Coverage for “your wrongful acts”, where “your” does not include independent contractors
  • Example: Coverage for wrongful acts by any insured, where insured includes independent contractors who are natural persons and are acting within written scope on behalf of the named insured
Insurance Coverage Options
Network Security (cont.)
D. Denial of service attack (third parties cannot access insured’s website)
E. Transmission of computer virus
Insurance Coverage Options
Internet / Media Liability (optional coverage)
• Electronic content coverage: Information disseminated on website, including extension for Copyright / Trademark
  Example: Coverage for injury sustained by a third party because of the actual or alleged infringement of a trademark name, copyright, the name of a title or the title of an artistic or literary work from information on website
• Personal Injury
• Advertising Injury (of company’s own products but only in electronic format)
Insurance Coverage Options
Cyber Extortion
• Expenses incurred in responding to an extortion demand
• Extortion payment (not all forms cover)
• Policies have prior consent provisions
Insurance Coverage Pitfalls
Watch The Exclusions!
A. Some policies exclude coverage for “claims” related to the insured’s failure to maintain or upgrade their security
  • Example: No coverage arising out of or resulting from the failure of computer systems or data assets to be protected by computer security equal to or superior to that disclosed in response to specific questions in the application
B. Some policies exclude coverage for “claims” alleging fraudulent or malicious acts by employees
  • Example: “Privacy Peril” does not include any intentional, fraudulent, criminal or malicious act, error or omission if committed by any employee if any elected or appointed officer possessed any knowledge of the act
Insurance Coverage Pitfalls
Watch The Exclusions!
C. Some policies exclude certain operations of the insured, or may not cover various types of computer or peripheral devices
  • Example: No coverage for theft of data via laptops unless whole-disk encryption or equivalent grade encryption is used
D. Some policies will not cover actions of independent contractors working on behalf of the Insured
Key coverage to look for in Policies
Privacy Breach Coverage
• Coverage includes Employee Personal Information
• Regulatory defense
• Regulatory civil monetary penalties and fines?
• Breach of privacy regulations/laws?
Key coverage to look for in Policies
Network Security Coverage
• Unauthorized Access
• Unauthorized use (rogue employee)
• Denial of service attacks on systems of third parties
• Transmission of malicious code/virus to third parties
• Identity theft/theft of data
• Inability of authorized third party to access insured’s computer systems
• Damage, destruction, deletion, tampering or alteration to electronic data of third parties
• Data in any form other than electronic (loss of paper records, e.g., dumpster diving)
• Data definition extended to private, proprietary confidential corporate information
• Theft of laptops (laptops do not have to be encrypted)
Key coverage to look for in policies
Extortion Coverage
• Expenses only
• Ransom payments
Crisis Management Expenses
• Public relations expenses
• Notification expenses
• Credit monitoring costs
• Forensic systems investigations
• Crisis management expenses limited only to breach of privacy
or breach of privacy regulations
Key coverage to look for in policies
First Party Data Protection or E-Vandalism Expenses
• Costs or expenses vary by form (generally incurred to restore,
remediate, or replace damaged, deleted, destroyed or
inaccessible data)
First Party Network Business Interruption
• Extra expenses during restoration
• Business income loss
Independent Contractors
• Insured protected if I.C.’s commit wrongful act
• Coverage extended to I.C.’s
Risks That Could Impact Client Companies
Rate each Potential Risk Event for Likelihood (Low / Med / High) and Potential Impact (Low / Med / High):
• Costs to repair damage to your information assets
• Privacy regulatory action defense and fines
• Privacy breach notification costs & credit monitoring
• Legal liability to others for privacy breaches
• Damage to 3rd party information assets
• Website copyright/trademark infringement claims
Risks That Could Impact Client Companies (cont.)
Rate each Potential Risk Event for Likelihood (Low / Med / High) and Potential Impact (Low / Med / High):
• Wrongful acts by independent contractors
• Need to engage crisis management firm if an incident occurs
• Regulated Industry? Identify any unique risks / regulations
• Cyber Extortion threat
• Loss of revenue due to a failure of security at a dependent technology provider
• Loss of revenue due to a failure of security or computer attack
Contact:
Cliff Rudolph
crudolph@psfinc.com
425.709.3705

Weitere ähnliche Inhalte

Was ist angesagt?

Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data PrivacyWilmerHale
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsResearch on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsYogeshIJTSRD
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacyimehreenx
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal informationUc Man
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer PrivacyAshish Jain
 
Eight principles of consumer data privacy
Eight principles of consumer data privacyEight principles of consumer data privacy
Eight principles of consumer data privacySolix Technologies, Inc
 
Data protection regulation
Data protection regulationData protection regulation
Data protection regulationGreg Ezeilo
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Jan Carroza
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
Privacy issues in data analytics
Privacy issues in data analyticsPrivacy issues in data analytics
Privacy issues in data analyticsshekharkanodia
 
Preparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must KnowPreparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must KnowIntegrate
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionUlf Mattsson
 
Data protection ppt
Data protection pptData protection ppt
Data protection pptgrahamwell
 

Was ist angesagt? (19)

Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data Privacy
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsResearch on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform Operators
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
Privacy & Data Protection in the Digital World
Privacy & Data Protection in the Digital WorldPrivacy & Data Protection in the Digital World
Privacy & Data Protection in the Digital World
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacy
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal information
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer Privacy
 
Overview Data Privacy Bill India
Overview Data Privacy Bill IndiaOverview Data Privacy Bill India
Overview Data Privacy Bill India
 
Eight principles of consumer data privacy
Eight principles of consumer data privacyEight principles of consumer data privacy
Eight principles of consumer data privacy
 
Data protection regulation
Data protection regulationData protection regulation
Data protection regulation
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
Privacy issues in data analytics
Privacy issues in data analyticsPrivacy issues in data analytics
Privacy issues in data analytics
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacy
 
Preparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must KnowPreparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must Know
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protection
 
Data protection ppt
Data protection pptData protection ppt
Data protection ppt
 

Ähnlich wie Data Privacy

CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15E Andrew Keeney
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarDon Grauel
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 
Cyber-Security: A Shared Responsibility -- November 2013
Cyber-Security: A Shared Responsibility -- November 2013Cyber-Security: A Shared Responsibility -- November 2013
Cyber-Security: A Shared Responsibility -- November 2013Amy Purcell
 
Protecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksProtecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksThis account is closed
 
Legal vectors - Survey of Law, Regulation and Technology Risk
Legal vectors - Survey of Law, Regulation and Technology RiskLegal vectors - Survey of Law, Regulation and Technology Risk
Legal vectors - Survey of Law, Regulation and Technology RiskWilliam Gamble
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionJoe Nathans
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Chris Hails
 
CYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSCYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSScott Suhy
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceFinancial Poise
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Protecting Client Data 11.09.11
Protecting Client Data 11.09.11Protecting Client Data 11.09.11
Protecting Client Data 11.09.11pdewitte
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...SafeNet
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachJim Brashear
 

Ähnlich wie Data Privacy (20)

The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber Insurance
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15
 
Cybersecurity Workshop
Cybersecurity Workshop Cybersecurity Workshop

Data Privacy

Slide 3
"IS THIS YOUR FIRM'S IDEA OF DATA PRIVACY COVERAGE?"

Slide 4. Disclaimer
This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not, or to what extent, a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued. Please carefully review any policy and all endorsements delivered for the precise coverage terms.

Slide 5. Introduction: Foundation for Privacy Fears
• Privacy is a right
• Private information has value
• Technology has created new issues concerning breaches of privacy
• Privacy breaches can have a material impact on a company's reputation
• Courts, legislatures and regulatory agencies are engaged in addressing privacy issues
• Highly publicized security breaches are in the news

Slide 6. Introduction: What are Data Theft and Privacy/Security Breaches?
• An organization's unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information.

Slide 7. Risks and Recent Developments: Increase in Numbers of Incidents
Industry Issues
- FTC estimates nearly 10 million victims per year
- Many victims don't know or don't report
- Fastest growing white collar crime in America
- Average 175 hours and $1,500 to resolve per individual
- Tremendous media exposure
Common Types of Fraud
- Current credit: credit card, debit card, phone card
- Use of name and social security number:
  - Establish new credit
  - Commit other criminal activity

Slide 8. Risks and Recent Developments: Increase in Numbers of Incidents
Sources of Data Breach
- 49% lost laptop or other device (USB flash drives, ...)
- 16% third party outsourcer/vendor
- 9% malicious insider
- 9% paper records
- 7% lost electronic backup
- 5% hackers, crackers, social engineers, "phishers"
- 4% malicious code
- 2% unknown
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC, 2007

Slide 9. Risks and Recent Developments: Increase in Numbers of Incidents
Data Breaches – Growing in Numbers!
Between January 2005 and February 6, 2009, 252,308,777 records containing "sensitive personal information" have been involved in security breaches!
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, posted April 20, 2005, updated February 9, 2009, www.privacyrights.org

Slide 10. Risks and Recent Developments: Prominent Examples
Recent high-profile data security breaches illustrate the nature of the risk
• Heartland Payment Systems, Inc. (100 million customer credit cards/debit cards) 2008 (this had a companion D&O suit)
• Hannaford Brothers (4.2 million credit cards/debit cards) 2008
• Certegy Check Services (4.2 million customers) 2002-2007
• TJX (94 million records) 2006-2007
• Choicepoint (150,000 records) 2005
• Bank of America (1.2 million federal employees) 2005
• DSW (100,000 customers) 2005
• Lexis/Nexis (32,000 records) 2005
Sources: Computerworld, Boston Globe, Tampabay.com, ZDNet and 11Alive.com

Slide 11. Risks and Recent Developments: Applicable Laws
California Security Breach Information Act (2003). Since its passage, 47 states and territories have passed similar laws (http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm).
The essence of these laws is the requirement that companies storing personal information must promptly notify persons whose information has been accessed by an unauthorized person.
In addition to the costs of notification, these laws create potential civil liability if proper and timely notification of a data security breach is not given.
Some states require notification to specific law enforcement and consumer credit reporting agencies.

Slide 12. Risks and Recent Developments: Applicable Laws
Gramm-Leach-Bliley
Requires "financial institutions" to ensure the security and confidentiality of private financial information (includes all businesses that are "significantly engaged" in providing financial products or services).
HIPAA – Health Insurance Portability and Accountability Act
Regulations for use and disclosure of Protected Health Information, which is any information about health status, provision of health care, or payment for health care that can be linked to an individual.
Covered entities are any health care related businesses that store or transmit health care data in a way regulated by HIPAA.
The Security Rule of HIPAA deals specifically with Electronic Protected Health Information (EPHI).

Slide 13. Risks and Recent Developments: Applicable Laws
Fair Credit Reporting Act (FCRA)
Enacted to promote efficiency in the country's banking system and to protect consumer privacy. See TRW, Inc. v. Andrews, 534 U.S. 19, 23 (2001).
Imposed obligations on three types of entities:
• Credit reporting agencies,
• Users of credit reports, and
• Furnishers of information to credit reporting agencies

Slide 14. Risks and Recent Developments: Applicable Laws
Fair and Accurate Credit Transaction Act (FACTA)
Amendment to FCRA
Key provisions focused on reducing exposure to identity theft and assisting consumers with credit problems
Requires truncation of credit card and social security numbers
Credit and Debit Card Receipt Clarification Act, June 3, 2008
Consequences for non-compliance: statutory and actual damages; attorneys' fees; punitive damages; possible class actions

Slide 15. Risks and Recent Developments: Applicable Laws
Red Flag Rule
Amendment to FCRA
Financial institutions and creditors must establish a written program to "detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts"
Creditors must develop a "Program" formalizing the steps they intend to take to prevent identity theft by May 1, 2009
Consequences for non-compliance: statutory and actual damages; attorneys' fees; punitive damages; possible class actions

Slide 16. Risks and Recent Developments: Hypothetical Scenario #1
• A former employee of a financial institution provides an accomplice with access to the financial institution's secure network. The data includes sensitive personal information about the company's customers and employees. The thief also gains access to the financial institution's external website.
• 2 weeks later, the company receives a ransom note from the thief.
• 2 weeks later, the thief hacks into the company's system, causing the company's website to be down for 2 days with no ability to conduct online transactions.
• Media learns of the issue; widespread media attention results in cancellation and re-issuance of all client plastic cards, and potentially affected members must be notified and provided with credit monitoring.
• Various government agencies begin investigations.

Slide 17. Risks and Recent Developments: Hypothetical Scenario #2
• An employee innocently opens an email supposedly from the company's IT department. The email has malicious code embedded to surreptitiously control the employee's computer. An outside hacker uses the employee's computer to launch additional attacks on the company's backend network.
• The hacker gains widespread access to the company's various databases, including plastic cards.
• The hacker emails the company President with the customer database, containing personal confidential information, and demands $500,000 or will publish an email link to this information.

Slide 18. Risks and Recent Developments: Scenarios 1 and 2 result in various potential losses
First Party Losses
- Loss of Private Data: notification/credit monitoring costs; cost to change account numbers; publicity costs; business income loss; data restoration expenses
- Cyber Extortion: ransom payments; other expenses
Third Party Losses
- Customer Suits: customers alleging invasion of privacy; customers or other third parties alleging financial loss
- Other Suits: regulatory actions/fines or penalties

Slide 19. Risks and Recent Developments: Costs / Claims / Losses
First Party Losses
• Cost of $197 per record compromised, consisting of:
  • $128 lost business (lost customers/reduced orders)
  • $46 ex-post response (PR costs, credit monitoring)
  • $15 notification
  • $9 detection & escalation
Source: Ponemon Institute, LLC, "2007 Annual Study: Cost of a Data Breach"

Slide 20. Risks and Recent Developments: Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?)
• Failure to implement and maintain reasonable security procedures (currently, actual harm and damages are hard to prove)
• Negligence (based upon regulatory/industry standards)
• Unfair, deceptive and unlawful business practices
• Invasion of the customer's right to privacy
• Breach of fiduciary duty
• Breach of contract
• Fraud / Misrepresentation
• Multiple Class Action filings increasing
• New legal theories yet to come in pleadings

Slide 21. Risks and Recent Developments: Costs / Claims / Losses
Third Party Losses (What might be pled if a suit is filed?) (cont.)
• Loss of wages due to time taken to prove "identity theft" to MasterCard or Visa
• Expense of legal and other resources necessary to prove "identity theft" to MasterCard and Visa
• Loss of business advantage due to the effect of fraudulent charges on FICO scores
• Damages claimed under applicable state privacy legislation

Slide 22. Where is the Insurance Coverage?
Comprehensive General Liability (CGL)?
Computer/Commercial Crime Form?
Directors and Officers Liability?
Professional Liability Policy?

Slide 23. Lack of Coverage in Traditional Policies: Comprehensive General Liability (CGL)?
CGL: covers liability for "Property Damage" to a third party.
"Property Damage" = "physical injury to tangible property" as well as "loss of use of tangible property that is not physically injured".
Open question: whether electronic data is covered as "physical damage to tangible property" or "loss of use of tangible property".
Coverage B: Personal and Advertising Injury Liability
Oral and written publication, in any manner, of material that violates a person's right to privacy.
Is the "loss" of data in electronic form on a database "oral or written publication of material"?

Slide 24. Lack of Coverage in Traditional Policies: Comprehensive General Liability (CGL)? (cont.)
Professional Services exclusion (present on most General Liability policies) will apply if you are a financial institution:
"Financial Professional Services. We won't cover injury or damage or medical expenses that results from the performance of or failure to perform any financial professional service."
Breach of Contract exclusion (present on most General Liability policies):
"Breach of Contract. We won't cover personal injury or advertising injury that results from the failure of any protected person to do what is required by a contract or agreement..."

Slide 25. Lack of Coverage in Traditional Policies: Crime?
Surety Association Computer Crime and ISO Commercial Crime policies generally exclude:
• Loss directly or indirectly from theft of confidential information
• Indirect or consequential loss of any nature
• Potential income, including but not limited to interest/dividends
Specific Financial Institution Crime Policies can include:
• E-theft: loss of money or securities as a result of fraudulent electronic communications from a third party; theft of confidential customer information
• Extortion, Business Income
• No 1st party losses
• Typically written with a high deductible

Slide 26. Lack of Coverage in Traditional Policies: Directors & Officers Liability (D&O)?
D&O:
• Possible source of coverage for third party suits
• Possible source of coverage for regulatory suits
• No First Party coverage
• Exclusions for invasion of privacy or violation of any right of privacy may preclude coverage for the Corporate Entity, or for both the Corporate Entity and all Individual Insureds

Slide 27. Lack of Coverage in Traditional Policies: Errors & Omissions Liability (E&O)?
E&O:
• For wrongful acts committed solely in the conduct of the Insured's "Professional Services"
• Policies may include coverage for negligence in failing to maintain confidentiality/security of customers' information, invasion of privacy, unauthorized access/unauthorized use, introduction of malicious code

Slide 28. Insurance Coverage Options: First Party
Overview – covers direct first party losses that an insured may incur in connection with an incident.
A. Data recovery expenses (costs to recover data)
B. Business interruption expenses – covers business income loss and certain extra expenses the insured incurs during the "Period of Recovery of Services" due to the actual impairment or denial of operations resulting directly from fraudulent access or transmission
• Sometimes available by endorsement
• Sublimits can apply

Slide 29. Insurance Coverage Options: First Party (cont.)
C. Privacy Notification Expenses – means the reasonable and necessary cost of notifying those persons who may be directly affected by the misappropriation of a record
• Costs relating to changing their account numbers, other identification numbers and security codes; and
• Costs of providing them, for a stipulated period of time and with the prior approval of the company, with credit monitoring or other similar services that may help protect them against fraudulent use of the record

Slide 30. Insurance Coverage Options: First Party (cont.)
D. Pre-claim forensic costs to investigate a security breach
• Example: "Claim Expenses" means all other legal costs and expenses resulting from the investigation ... of a circumstance that might lead to a claim, with the prior written consent of the underwriters
• Example: "Loss" does not include any amount incurred by an insured in the defense or investigation of any action, proceeding, demand or request that is not then a claim, even if such matter subsequently gives rise to a claim
E. Crisis Management expenses
• Sublimits may apply
• See consent / procedural requirements

Slide 31. Insurance Coverage Options: Third Party Privacy
Overview – covers sums the insured is legally obligated to pay to third parties as damages and claims expenses as a result of a privacy breach or breach of privacy regulations.
A. Regulatory Coverage
• See scope of definitions of "claim"
• Some policies may only cover regulatory defense costs
B. Regulatory Civil Penalties
• HIPAA, Gramm-Leach-Bliley Act, state privacy protection laws and privacy provisions of FCRA impose civil penalties
• Check the definition of "loss" or "damages" for exclusions
• Example: Damages includes a penalty or sanction imposed by a federal, state or local regulatory body against you as a result of a privacy breach or the breach of a privacy regulation by you or a person, including an independent contractor, for which you are legally responsible

Slide 32. Insurance Coverage Options: Third Party Privacy (cont.)
C. Personal Injury Coverage
• See wording of the exception to the personal injury exclusion for scope
• Are claims for emotional distress, mental anguish included?
D. Privacy Breach Coverage (non-regulatory)
• Common law breach of privacy or confidentiality

Slide 33. Insurance Coverage Options: Network Security
Overview – covers sums that the insured is legally obligated to pay as damages and claims expenses arising out of computer attacks caused by failures of security, including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability.
A. Unauthorized access (hacker attack) to the insured's computer systems
B. Unauthorized use of the insured's and the insured's customers' computer systems by an authorized person or third party
C. Independent contractor / Vendor coverage (acts of outside vendors)
• Example: Coverage for "your wrongful acts", where "your" does not include independent contractors
• Example: Coverage for wrongful acts by any insured, where insured includes independent contractors who are natural persons and are acting within written scope on behalf of the named insured

Slide 34. Insurance Coverage Options: Network Security (cont.)
D. Denial of service attack (third parties cannot access the insured's website)
E. Transmission of computer virus

Slide 35. Insurance Coverage Options: Internet / Media Liability (optional coverage)
• Electronic content coverage: information disseminated on a website, including extension for Copyright / Trademark. Example: Coverage for injury sustained by a third party because of the actual or alleged infringement of a trademark name, copyright, the name of a title or the title of an artistic or literary work from information on the website
• Personal Injury
• Advertising Injury (of the company's own products, but only in electronic format)

Slide 36. Insurance Coverage Options: Cyber Extortion
• Expenses incurred in responding to an extortion demand
• Extortion payment (not all forms cover)
• Policies have prior consent provisions

Slide 37. Insurance Coverage Pitfalls: Watch the Exclusions!
A. Some policies exclude coverage for "claims" related to the insured's failure to maintain or upgrade their security
• Example: No coverage arising out of or resulting from the failure of computer systems or data assets to be protected by computer security equal to or superior to that disclosed in response to specific questions in the application
B. Some policies exclude coverage for "claims" alleging fraudulent or malicious acts by employees
• Example: "Privacy Peril" does not include any intentional, fraudulent, criminal or malicious act, error or omission if committed by any employee if any elected or appointed officer possessed any knowledge of the act

Slide 38. Insurance Coverage Pitfalls: Watch the Exclusions!
C. Some policies exclude certain operations of the insured, or may not cover various types of computer or peripheral devices
• Example: No coverage for theft of data via laptops unless whole-disk encryption or equivalent-grade encryption is used
D. Some policies will not cover actions of independent contractors working on behalf of the Insured

Slide 39. Key coverage to look for in Policies: Privacy Breach Coverage
• Coverage includes Employee Personal Information
• Regulatory defense
• Regulatory civil monetary penalties and fines?
• Breach of privacy regulations/laws?

Slide 40. Key coverage to look for in Policies: Network Security Coverage
• Unauthorized Access
• Unauthorized use (rogue employee)
• Denial of service attacks on systems of third parties
• Transmission of malicious code/virus to third parties
• Identity theft/theft of data
• Inability of an authorized third party to access the insured's computer systems
• Damage, destruction, deletion, tampering or alteration to electronic data of third parties
• Data in any form other than electronic (loss of paper records, e.g., dumpster diving)
• Data definition extended to private, proprietary confidential corporate information
• Theft of laptops (laptops do not have to be encrypted)

Slide 41. Key coverage to look for in Policies
Extortion Coverage
• Expenses only
• Ransom payments
Crisis Management Expenses
• Public relations expenses
• Notification expenses
• Credit monitoring costs
• Forensic systems investigations
• Crisis management expenses limited only to breach of privacy or breach of privacy regulations

Slide 42. Key coverage to look for in Policies
First Party Data Protection or E-Vandalism Expenses
• Costs or expenses vary by form (generally incurred to restore, remediate, or replace damaged, deleted, destroyed or inaccessible data)
First Party Network Business Interruption
• Extra expenses during restoration
• Business income loss
Independent Contractors
• Insured protected if I.C.'s commit a wrongful act
• Coverage extended to I.C.'s

Slide 43. Risks That Could Impact Client Companies
Worksheet with columns: Potential Risk Event | Potential Impact (Low / Med / High) | Likelihood (Low / Med / High). No ratings appear in the slide text; the risk events listed are:
- Costs to repair damage to your information assets
- Privacy regulatory action defense and fines
- Privacy breach notification costs & credit monitoring
- Legal liability to others for privacy breaches
- Damage to 3rd party information assets
- Website copyright/trademark infringement claims

Slide 44. Risks That Could Impact Client Companies (cont.)
Same columns (Potential Risk Event | Potential Impact | Likelihood); risk events listed:
- Wrongful acts by independent contractors
- Need to engage a crisis management firm if an incident occurs
- Regulated industry? Identify any unique risks / regulations
- Cyber Extortion threat
- Loss of revenue due to a failure of security at a dependent technology provider
- Loss of revenue due to a failure of security or computer attack

Slide 45. Contact
Cliff Rudolph, crudolph@psfinc.com, 425.709.3705