To Notify or Not to Notify: That is the Question

MODERATOR: Toby Merrill, Vice President, ACE USA
PANEL:
• Beth D. Diamond, Esq., Claims Manager, Beazley Group
• John F. Mullen, Esq., Partner, Nelson, Levine, de Luca & Horst, LLC
• K Royal, JD, CIPP, Privacy & Security Officer, Assistant Vice President, Regulatory Affairs, Concentra Inc.
• Tom Srail, Senior Vice President, Technology, Willis
• Benjamin Stephan, CISSP, CISA, EnCE, QSA, PA-QSA, Director of Incident Management, FishNet Security
Overview
• Brief Introduction
• Privacy and Network Security Liability
• Privacy Regulations
• To Notify or Not to Notify
• Q&A
Privacy Insurance Market
Privacy Insurance Marketplace
• Evolution of the Coverage
  • Origins focused on network security
  • Evolution to "sensitive data" and "unintentional error"
• Market Growth
  • Standalone market estimated at $600M GWP (gross written premium)*
  • 1 in 3 purchase coverage and 1 in 4 plan to in the next 18 months*
• Drivers and Barriers
  • (-) Price in a sluggish economy
  • (+) Policies that include data breach services
  • (+/-) Product knowledge
*2010 Betterley Cyber Risk and Privacy Market Survey
Ponemon Institute Studies
• Average total cost per incident of $6.75M ($6.6M, $6.3M and $4.8M in 2008, 2007 and 2006)
• Cost to resolve ranged from $750,000 to $31,000,000
• Number of records ranged from 5,000 to 101,000
• 42% of breaches occurred due to external causes
[Charts: Breach Cost per Record; Cost of a Lost Laptop; sector averages labelled Avg., HC, FI, CP, Retail, HC, Pharma]
Ponemon Institute Studies (cont'd)
• Average cost of $204 per record ($202, $197 and $182 in 2008, 2007 and 2006)
  • Direct $69; Indirect $135
  • By cost component: Defense 27%; Consulting 24%; Contact 22%; Forensics 16%; Services 6%
• Per-record cost by cause: Malicious $215; Human Negligence $154; IT Glitch $166
• 1st Party $194; 3rd Party Vendor $217
• First Timer $228; Second Offender $198
• With CISO $157; Without CISO $236
• With consultant $170; Without consultant $231
• < 1 month to notify $219; > 1 month $196
Privacy/Cyber Insurance Marketplace
• Pricing
  • Aggressive competition
  • Typically flat to slight decrease on renewals
  • New/revitalized markets
  • Updated forms
  • Blending with other policies (Managed Care, Misc. E&O)
• Capacity
  • Stable primary limits ($10M-$20M typical)
  • Increased excess participation available
  • $200M+ total available for most large risks
Privacy/Cyber Insurance Marketplace
• Current Coverage Enhancements
  • Privacy Expense
    • Options outside of liability limits
    • New express coverage (ID theft restoration expense)
    • Larger (full+) limits
  • Regulator and/or PCI Fines/Penalties: larger limits available
Privacy/Cyber Insurance Marketplace
• Current Coverage Enhancements (cont'd)
  • Excess "drop down" for:
    • Privacy Expenses
    • Fines/Penalties
  • Pre-arranged/recommended vendors
  • First-Party Coverage
    • Administrative error triggers
    • Lower BI (business interruption) waiting periods
Privacy Insurance Market: Panel Discussion
Privacy Regulations: Overview
What is Notification?
• Statutory – In the event of a security breach, most federal and state laws require notification to:
  • Customers
  • Government Agencies
  • Attorneys General
  • Law Enforcement (not necessarily required, but may be prudent)
  • Credit Reporting Agencies (CRAs)
• Voluntary – When notification is not required by law, but for reasons of goodwill, etc., a company would prefer to notify its customers, etc.
Purpose of Notification
• To enable individuals to mitigate the risk of identity theft or fraud when a breach occurs
• To enable the authorities to exercise their regulatory oversight functions
• To motivate organizations to implement more effective security measures to protect sensitive information
General Notification Requirements
• Federal and state laws have unique requirements for:
  • format of notification
  • time frame within which to notify, and
  • content of the notification letter
• In many cases, failure to notify pursuant to a particular notification law may lead to fines and penalties
State Notification Requirements
• Generally require written notification to the individual in the event of a breach of security
• However, each state varies in:
  • the definition of what constitutes a breach
  • the definition of personal information (only a few include PHI)
  • inclusion of a "risk of harm" standard
  • content requirements for notice
  • authorities that must be notified
  • available penalties and private right of action
State Data Breach Laws
• 2003 – California Senate Bill 1386 (CA SB 1386)
• 2005 – 10 additional states
• 2006 – 19 additional states
• 2007 – 9 additional states
• 2008 – 7 additional states
• 2009 – 1 additional state
• 2010 – 1 additional state
• Privacy/identity theft legislation in 46 states (+ D.C.)
• States with no Data Breach Legislation:
  • Alabama, Kentucky (passed but not yet enacted)
  • New Mexico, South Dakota (no data breach law)
California Notification Requirements
• Must be in "plain language"
• Must include at a minimum:
  • Name and contact info of the reporting agency
  • Types of personal information involved
  • When it happened
  • Whether notification was delayed due to a law enforcement investigation
  • General description of the breach
  • Estimated number of persons affected
  • Toll-free telephone numbers and addresses of the major credit reporting agencies (if the breach exposed a bank account/credit card number, SSN, or driver's license/ID card number)
California Notification Requirements (cont'd)
• Other discretionary data may be included (e.g. information about what the agency has done to protect affected individuals, advice on how to protect oneself, etc.)
• Notice may be given in writing or electronically
• Substitute notice permitted if:
  • cost of providing written notice will exceed $250,000,
  • affected class to be notified exceeds 500,000 residents, or
  • insufficient contact information is available to provide notice
What is Personal Information?
• State: An individual's first name or first initial and last name in combination with any one or more of the following, when either the name or the data elements are not encrypted:
  • SSN
  • Driver's license No. or CA ID Card No.
  • Account, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
• Up to ten other factors added in many states (e.g. biometric data in NE, IA and WI)
Massachusetts Requirements
• Notice must be given to:
  • Massachusetts AG;
  • Director of Consumer Affairs and Business Regulation; and
  • affected Massachusetts residents
• Notice to the AG and the Director of Consumer Affairs and Business Regulation must include:
  • nature of the breach;
  • the number of Massachusetts residents affected by the incident at the time of notification; and
  • any steps the person or agency has taken or plans to take relating to the incident
Massachusetts Requirements (cont'd)
• Notice to affected Massachusetts residents must include:
  • the resident's right to obtain a police report
  • how to request a security freeze on his/her credit report
• Notice to affected MA residents must not include:
  • the nature of the breach; nor
  • the number of Massachusetts residents affected by the breach
• Notice may be given in writing, by telephone or electronically
• Substitute notice permitted if:
  • cost of providing written notice will exceed $250,000,
  • affected class of Massachusetts residents to be notified exceeds 500,000 residents, or
  • insufficient contact information is available to provide notice
HITECH Notification Requirements
• Written notice via US mail to the individual or next of kin
• Substitute notice if there are 10 or more individuals for whom there is insufficient contact information
• If more than 500 residents of a state or jurisdiction are affected by the breach: notify prominent media outlets in that state or jurisdiction
• If 500 or more individuals are notified, the Secretary of HHS must be notified immediately (i.e. within the same timeframe as notice to individuals)
• If fewer than 500 individuals are affected, the Secretary may be notified in an annual report
HITECH Notice: Content Requirements
• Description of the event, including the date of the breach and the date of discovery, if known
• Description of the Protected Health Information (PHI) affected
• Steps individuals should take to protect themselves
• Description of what the entity is doing to investigate, mitigate harm to individuals and protect against further breaches
• Contact procedures for more information (toll-free number, an email address, website, or postal address)
• Must be written in clear, plain language
Potential Agencies to be Notified When a HITECH Breach Occurs
• State Attorneys General
• State regulators
• DOI (Department of Insurance)
• Medicaid regulators
• Consumer Protection Offices
What is Personal Information? (HIPAA)
• HIPAA: ANY "unsecured" PHI = protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary
• Encryption and destruction of PHI are the only acceptable methods
Risk of Harm Standard
• HIPAA: Breach poses "[a] significant risk of financial, reputational, or other harm to the individual"
  • Notification is only necessary if the breach poses a significant risk of harm
  • Covered Entities and Business Associates must document their risk assessment to demonstrate that notification was not required
• State Law: NJ – disclosure not required if "misuse of the information is not reasonably possible"
  • CA and TX have no explicit "risk of harm" trigger
Privacy Regulations: Panel Discussion
To Notify or Not to Notify: Data Breach Scenarios
Scenario #1
• Minnesota retailer notified by Visa of a potential hack
• Forensics determines 1.5M credit cards were likely compromised
• Roughly 1M of the records were encrypted
• Hackers were in the system for 14 months
• Cardholders reside in MN, ND, SD, IA, IL, WI
Scenario #2
• A trash company discovers the printed records of a SC community bank in a dumpster
• The information contains the loan applications of more than 10,000 residents in NC, SC and GA
Scenario #3
• A hospital in Massachusetts discovers that a desktop computer has been stolen
• Forensics determines 100,000 medical records were located on the desktop
• None of the records were encrypted
• Patients reside in MA, CT, RI, AZ and NH
Scenario #4
• A community college in New Mexico discovers that its alumni list was searchable on its website
• Visitors to the site could obtain alumni grade point averages and job history by searching by name
• Forensics is unable to determine whether any searches had been made on alumni records
• Roughly 500,000 records were potentially compromised
• All alumni were New Mexico residents
• What if forensics later determines SSNs were involved? Or that some alumni were New York residents? Or both?
Scenario #5
• A technology hosting company discovers that hackers had accessed a number of servers
• Forensics determines that millions of records were located on these servers
• The records belong to more than a dozen financial institutions, hospitals and retailers
• Some of the data was encrypted
• Cardholders reside in more than 30 states
Key Takeaways and Predictions
Many Thanks To…
• Toby Merrill
• Beth Diamond
• John Mullen
• K Royal
• Tom Srail
• Benjamin Stephan