CyberRisk: What we know and what we don't know

Size: px

Start display at page:

Download "CyberRisk: What we know and what we don't know"

Junior Rich
5 years ago
Views:

1 CyberRisk: What we know and what we don't know JOHN MULLEN, ESQ., LEWIS BRISBOIS BISGAARD & SMITH LLP ADAM COTTINI, ARTHUR J GALLAGHER MARCH 16, ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

2 Agenda March 16, 2016 Cyber Breach Activity Emerging & Future Trends Internet of Things (IoT) & Artificial Intelligence How does Cyber Insurance Apply to the Future? 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS 2

3 Cyber Breach Activity 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

The Usual Suspects DATA INTENSIVE INDUSTRIES Healthcare Higher Education Retail Public Entities Financial Institutions Events leading to breaches of Personally Identifiable Information

4 The Usual Suspects DATA INTENSIVE INDUSTRIES Healthcare Higher Education Retail Public Entities Financial Institutions Events leading to breaches of Personally Identifiable Information Employee misplaces a laptop / mobile device Phishing attacks Inadvertent website posting Programming errors Malicious employee actions Hackers ALL OF THE ABOVE MAY BE CAUSED BY A VENDOR 4

Attack on a Car Cyber events that may cause bodily injury (BI)

5 The Unique Cyber attack a Medical Device Cyber Attack on Power Plant Cyber Attack on Manufacturing Facility Cyber Attack on a Dam Cyber Attack on a Car Cyber events that may cause bodily injury (BI) and/or property damage (PD) Yet the cyber liability policy excludes BI/PD 5

6 Cyber Threats Malicious Attacks Ransomware Hackers in network, Malware and viruses, Phishing scams, Physical theft of hardware and paper, denial of service Rogue employees UNSOPHISTICATED ACTORS Employees Negligence related to use and storage of data, failure to follow or learn POLICIES AND PROCEDURES, loss of portable devices, mis-mailing of paper, unencrypted s to the wrong recipients, web use violation, UNAPPROVED DEVICES, abuse of access. Vendor Any of the above can occur to a business associates with whom data is shared/system access granted 6

7 Types of Data at Stake PHI - Protected Health Information Information created or received by a covered entity or business associate relating to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of health care to an individual, that identifies or can be used to identify individual PII Personally Identifiable Information i.e., Social Security number, driver s license number, bank account information, credit card information, online/financial account username and password, medical information, health insurance information, and address and password in CA, FL and PR. PCI Payment Card Information Cardholder data 7

8 Emerging & Future Trends 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

9 New State Regulations New or Effective in 2015 Connecticut (90 day deadline and credit monitoring) California (notice to DPH within 15 days. 1 year of credit monitoring. User name and pw = PII) New Jersey (some health insurers must encrypt) North Dakota (regulator notice if over 250) Montana (medical info and TIN) Utah (student data) Nevada (medical info and user name and pw) Washington (paper, regulator, 45 days) Wyoming (user name and pw, medical info, TIN) Oregon (regulator notice if over 250) Rhode Island (paper, regulator notice if over 500, 45 days) States with Unwritten Rules Pennsylvania (AG requests notice if incident affects PA residents, though no statutory requirement) California (DHCS interprets California data breach statute to cover paper breaches, and expects CA legislature to update statute soon to clearly cover paper breaches) Indiana (anything over 30 days is unreasonable delay ) Connecticut (demanding 2 years of credit monitoring) (90 days probably unreasonable delay ) North Carolina (routinely inquires as to timeline of events) 9

10 New Federal Activity NEW HIPAA/ HITECH OCR unofficially mandates automatic investigation if over 500 affected Covered Entities and their Business Associates subject to rules FTC Approx. 50 privacy investigations since 2002, and dozens of fines ($22.5 million - Google 2012) Actively enforcing health care vendor rules (breach reporting for non-hipaa entities) FCC (Regulates communications networks) First ever data breach fine (July, 2015)($10 million-terracom and YourTel America- 300,000 records) IMPORTANT July 7, State AGs write to Congress, urging U.S. to preserve state authority over data breaches SEC (More aggressive cyber role expected) FERPA (Federal funding can be, but never has been, cut off following violation) SOX (Requires security controls, and auditors require disclosure if such controls are inadequate) GLB (Privacy Rule suggests notification; Safeguards Rule suggests written security plan) FACTA (Red Flags Rule requires procedures to detect and prevent identity theft) 10

11 Regulatory Enforcement (Current Examples) HHS/OCR Cancer Care Group ($750,000 settlement, August 31, 2015) OCR found widespread non-compliance, and lack of policies, after laptop bag with unencrypted media exposed records of 55,000 patients State-Run Community Mental Health Facility ($150,000 settlement, Dec. 2014) Organization failed to patch systems and continued to run outdated, unsupported software resulting in exposure of 2,743 medical records FCC $25 million fine against ATT for unauthorized disclosure of information (April ,000 records) State Indiana Assurance of Voluntary Compliance (AVC)(multiple fines ranging from $4,000 to $20,000) TD Bank 260,000 affected ($850,000 nine state fine plus $650,000 Mass. fine in December 2014) 11

12 Private Litigation Robins v. Spokeo (U.S. Supreme Ct.) (Pending) Allegation that Spokeo posted false information. Privacy (not breach) case - implications for cyber. Supreme Court to decide whether violation of statute that allows automatic statutory damages, without any actual damages (as Plaintiffs allege FCRA does), confers standing even if no other harm alleged (Circuit Court said yes). Could open data breach class action floodgates in states whose statutes allow for automatic statutory damages. Neiman Marcus (July 2015) Actual fraud (reimbursed) and threat of imminent future harm confer standing. Seventh Circuit joins minority of Circuits (along with First, Ninth - but some post-clapper District Courts hold otherwise -, Eleventh, and a District Court in the Eighth) as data breach class friendly. The Third Circuit, and District Courts in the Second, Fourth, Fifth, Sixth, Tenth and D.C. Circuits are less favorable for Plaintiffs. 12

13 Private Litigation CGL Coverage Zurich v. Sony (NY State, 2014): PII stolen by hackers not publication under personal and advertising liability coverage in CGL policy (Zurich and Sony settled in May 2015). Cyber Coverage Columbia Casualty (CNA) v. Cottage Health System (C.D. Cal., May 2015) CNA sought to avoid coverage because Cottage failed to follow minimum required practices and for misrepresentation of security controls in application. Case dismissed (without prejudice) for failure to first engage in alternative dispute resolution as required in policy. Target Banking litigation banks won class certification in September (U.S.D.C. Minn.) October 23, District Court holds forensic investigation protected from discovery by attorney-client and work product privileges. December 2, 2015 settlement with MasterCard for $39.4 million, August 18, 2015 settlement with Visa for $67 million, and $10 million settlement with consumers (an objector appealed Court approval of the settlement on Dec. 10). 13

14 Internet of Things (IoT) & Artificial Intelligence (AI) An estimated 7B Mobile Devices Worldwide Your everyday life connected Home Transportation Health Does Convenience outweigh the Risk???? 14

15 How does Cyber Insurance Apply to the Future? 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

16 Available Coverages Today Exposure Category Description Network Security Liability Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach or a Privacy Breach Privacy Liability Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care custody and control Regulatory Liability PCI Assessments Legal Expenses Forensic Investigations Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws Coverage for contractual assessments, fines and penalties owed under the terms of a Merchant Services Agreement due to non-compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and as the result of a data breach 1st Party legal expenses to review and determine responsibilities under Privacy Breach Law 1st Party expenses to investigate a system intrusion into an Insured Computer System Breach Response Notification Expense Credit /ID Monitoring 1st Party expenses to comply with Privacy Law notification requirements 1st Party expenses to provide up to 12 months credit monitoring Media Liability Cyber Extortion Data Recovery Public Relations 1st Party expenses to hire a Public Relations firm Covers the Insured for Intellectual Property and Personal Injury perils the result from dissemination of content (coverage for Patent and Trade Secrets are generally not provided) Payments made to a party threatening to attack an Insured's Computer System in order to avert a cyber attack 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security Business Interruption 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security Errors & Omissions (E&O) Technology E&O / Miscellaneous E&O coverage for wrongful acts committed by or on behalf of the insured 16

17 Policies Covering Loss General Liability Directors & Officers Errors & Omissions Crime Insurance All Risk Property Cyber Policies (1st Party, 3rd Party, Hybrid Coverage) 17

18 What can be done? Proactive Risk Management Steps Empowered Senior Executive Talk to your IT Security folks. Gain an appreciation of the many challenges Not many Firms can say: how many records they have; what type of data is being collected, stored, shared, protected; where does all this data reside; when is it purged? Assess & test your own staff and operations Incident response plan Document your due care measures (training and enforcement) Insurance Red Flags, data security and breach response plans affirmative duties Service level agreements Repeat 18

19 Closing Thoughts Many organizations WILL suffer a breach event in the near term. AND many have already sustained a breach but they failed to identify it 19

20 Adam Cottini Thank You Adam Cottini Managing Director, Cyber Liability Practice Arthur J. Gallagher & Co BSD17\26685A 2014 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

We re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber

We re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber Protection Data Creates Duties What data do you access, and