Learn about the risks and privacy concerns associated with network data exposure and how insurance can help protect your business. Explore the costs, regulatory environment, and coverage types involved in data breach litigation.
Network Risk/Privacy Insurance Exposure and Coverage Issues
Network Risk and Data Exposures
• Networks and data essential to operations
• IT infrastructure interruption
• Data disclosure risk – account info; PII/PHI; customer/shareholder/employee/business partner data
• Data collection/use risk; credit cards
• Web presence
  – Online transactions
  – Web content/tools
• Advertising & Branding
  – Online advertising, product information, etc.
• Social Media
• Other online systems
  – Jobs/vendor/information management/employee data
• TRUST may be a big issue depending upon industry – FI and healthcare vs. retail; a breach can lead to severe reputational harm.
Aon Risk Solutions | Financial Services Group | Proprietary & Confidential
Data Breach Litigation & Costs
• The Heartland Payment Systems breach disclosed in January 2009 affected over 250,000 merchants and 500+ financial institutions. Fourteen lawsuits were filed against Heartland. $65 million Visa settlement rejected by attorneys.
• TJX reached a $40.9 million settlement agreement with banks that processed credit card transactions. This represented only a fraction of the $256 million+ cost of the breach.
• Hannaford data breach consumer suffering case accepted by Maine Supreme Court – Hannaford wins!
• TD Ameritrade settlement rejected by court because of insufficient remuneration to the class. Lawyers do well – consumers get little.
• They keep happening… Epsilon, Sony, Lockheed, Citi… the NY Yankees!
• Of the 78% of Fortune 1,000 U.S. entities that have reported a data breach*:
  – 80% of breaches: total insurable amount < $1,000,000
  – 15% of breaches: total insurable amount $1,000,000 – $20,000,000
  – 5% of breaches: total insurable amount > $20,000,000
*January 2011 Ponemon Institute Study
Cost Timeline of a Breach
• Recognize breach
• Forensics – determine extent of breach, number of records lost, type of information lost
• Review federal and state statutes and the actions necessary in breach response
• Notification, credit monitoring, credit restoration
• Potential regulatory fines and penalties incurred
• Vendor fines and penalties incurred
• Third party litigation and damages
Regulatory Environment
• 46 state breach disclosure laws in effect
• State AG & FTC actions more prevalent
• FINRA now active
• MN Plastic Card Security Act (WA now has a similar law)
• New federal laws
  – HITECH Act created the first federal law
  – HIPAA enforcement ramping up
  – CVS/Caremark fined $2.5M – many recent fines
  – FACTA “Red Flag” rule
• Mandatory compliance
  – GLBA, FCRA, FACTA, COPPA, etc.
• PCI standards being enforced more aggressively
• Implications:
  – Fines & penalties
  – Injunctions
  – Oversight/remediation requirements
  – Harm to reputation
  – Criminal indictments
  – Precursor to civil liability
Costs of a Breach
• Breaches of confidential information can lead to significant expenses and liability:
  – Post-breach expenses such as compliance with breach disclosure laws, forensics, public relations costs, and identity theft prevention services
  – Litigation from credit card issuing banks and consumers
  – Regulatory actions alleging violation of consumer protection and privacy laws
  – Fines, penalties and/or remediation expenses if PCI non-compliance is found, or from government regulators
• Recent breach events show:
  – Plaintiffs’ attorneys adopting new strategies
  – Significant implications for settlements/judgments
  – Financial institutions tired of holding the bag
  – Real incurred losses
  – Medical identity theft on the rise
  – Increased potential for regulatory penalties
• Minor costs per record – the size of the breach can lead to major costs:
  – $1 – cost to notify
  – $20–$30 – cost to monitor per year
  – $20–$35 – card re-issuance
  – $1k–$5k – damages sought per victim
• Significant damages/cost:
  – Fraud losses
  – Class action plaintiffs’ attorneys’ fees
  – Theft of confidential corporate information
• Average cost of a data breach in 2011*: $214 per record; $7,200,000 per incident
*January 2011 Ponemon Institute Study
Hypothetical Breach Scenario
Network Risk Coverage Types
• Computer Crime Policy – triggered by direct loss of the Insured
• First Party Network Security – for losses incurred by the Insured for network failures; similar to property coverage
• Third Party Network Security – for losses incurred arising from a breach of network security, including transmission of a virus and identity theft; can include professional services coverage
• Privacy Violations – loss and liability arising from a breach of privacy under defined privacy regulations, including GLB, HIPAA, and state privacy protection laws; includes Data Breach Costs coverage – for costs associated with a breach (notification, credit reports, credit monitoring) BEFORE actual damages to individuals have occurred
Always Look to the Claim
Sample Program
• Security and Privacy Policy: $10,000,000 primary aggregate limit (3rd party coverage)
  – Event Management sublimits: $3,000,000
  – Regulatory Defense Costs sublimit: $1,000,000
  – Sublimits are part of the full limit
• Excess limits: $10,000,000 or more
  – Excess Event Management sublimits: $3,000,000 (if needed)
  – Excess Regulatory Defense (if needed)
• Retention options of $100K to $10M
• Limits – $2M, $5M or $10M in primary; excess depends on size and industry.
• Retentions – revenue is the big driver here, but companies look at a variety of options. Higher retentions will have a material impact on pricing.
• Carriers – lots of carriers but a subset of leaders. Lots of excess capacity if needed.
• Estimated Pricing – dependent upon retention, industry class, revenue, claims history, terms.
What limits are appropriate?
• An art, not a science
• Losses are very fact specific – how many records, what kind of records, nature of the breach – all have a large impact on the overall cost
• Cost-per-record figures are scary and include lots of hypothetical costs that may or may not have occurred, that are difficult to measure accurately if they did occur, and that cannot be insured
• Most breaches are small – larger companies buy for the big one, not for the small ones
• Benchmarking is available but illustrates that companies make a wide range of decisions as to limits
• Factors to consider – industry class, revenue size, and number and types of records are metrics to consider.
Proper Coverage is Essential!
• Failure of Network Operations Security
• Failure to Protect/Wrongful Disclosure of Information
• Inclusion of Employees as Plaintiffs
• Defense/Indemnity associated with Regulatory Actions
• Vicarious Liability Coverage for Vendor Error
• Notification Costs/Crisis Management
• Regulatory Defense
• Electronic Content Liability
• Professional Services Liability
• Base policy forms vary and must be customized to ensure maximum possible coverage
Underwriting Submission & Meetings
• Risk management policies and loss history are critical.
• Revenue and industry class are key drivers of pricing.
First step: complete an Application and an IT Security Self-Assessment. The underwriters will then want to conduct a due diligence call with the Insured’s IT Security experts to discuss the information in the self-assessment. The underwriters will also require information from the Insured’s attorneys regarding contractual allocation of liability with respect to its IT security partners and vendors.
Questions/Contacts
Aon Financial Services Group – Professional Risk Solutions
Steve Bridges, 312-381-4493, Steve.Bridges@aon.com
Appendix – First Party Coverages
• Damage to Intangible Property – intangible property such as software and data, exposed to damage or theft by electronic means such as virus, unauthorized access or usage, as well as theft of computer system capacity
• Network Business Interruption – disruption of revenue streams by non-traditional means such as hacking, virus, or denial of service attacks
• Cyber-Extortion – loss arising from extortion threats regarding computer networks and intangible assets
• Cyber-Terrorism – loss and liability arising from cyber-terrorism events