Emerging Legal Trends in
Cyber Insurance
October 2011


René Siemens
John Nicholson




Pillsbury Winthrop Shaw Pittman LLP
Are You at Risk for a Data Breach or Other
Cyber-Related Losses?
     Does your product have an intensely loyal consumer fan base? (Sony)
     Is your organization (or any senior executive) visibly politically active on any
     controversial issue? (Koch Industries attacked in response to Wisc. protests)
     Does your organization outsource the processing/collection/storage of
     personal information to a third party?
     Does your organization outsource any IT functions with access to personal
     information?
     Does your organization ship backup tapes/drives from operational facilities to
     a backup/storage provider? (SAIC/Tricare)
     Does your organization process/collect/store personal information about your
     customers? (SSN, credit card, address, financial information, medical
     information …) (Betfair)
     Does your organization process/collect/store personal information about your
     employees? (SSN, driver’s license #, address, insurance information, bank
     account information, credit card …)


2 | Trends in Cyberinsurance
The Current Legal Landscape

     Privacy / Data Security Compliance Obligations (for now)
            US Federal
                GLBA
                HIPAA / HITECH
                Red Flags Rules
                FTC
            US State privacy/consumer protection laws (e.g., Massachusetts)
            Canada, EU and many other countries
            Other - PCI DSS
     US Data Breach Notification Laws (for now)
            46 states + DC, Puerto Rico and others
                Current trend is addition of medical information
            HIPAA / HITECH Act
            Other regulations




The Evolving Legal Landscape

     US
            Personal Data Privacy and Security Act of 2011 (S. 1151) (Sen. Leahy)
            Personal Data Protection and Breach Accountability Act of 2011 (S. 1535) (Sen. Blumenthal)
            Data Breach Notification Act (S. 1408) (Sen. Feinstein)
            Among others
     Canada - Sept. 29, update to PIPEDA proposed in Bill C-12 to expand
     existing privacy law to include data breach notification requirements
            "It seems to me that it's time to begin imposing fines--significant, attention-getting fines--on
            companies when poor privacy and security practices lead to breaches,"
               - Jennifer Stoddart, Canadian Privacy Commissioner (May 2011)
     EU - mid-November, EC to publish revised Data Protection Directive which
     will include:
            Mandatory data breach disclosure law covering public and private sectors
            Binding Safe Processor Rules (BSPR) requiring cloud service providers (CSPs) in the EU to be
            certified by the EU and making them legally liable for data breaches occurring at CSP data
            centers




What Does Cyber-Liability Insurance Cover?


     Third-Party:
            Data security breaches
            Privacy breaches
            Content liability (libel, infringement, etc.)

     First-Party:
            Loss of data
            Revenue loss due to interruption of data systems
            “E-vandalism,” “e-extortion”




Third-Party Cyber Coverage: What’s Included?


     Crisis Management Expenses
            Notification costs
            Credit monitoring services
            Public relations consultants
            Forensic investigation
            Pursuit of indemnity rights
            Regulatory compliance costs
     Claim Expenses
            Costs of defending against lawsuits
            Judgments and settlements
     Regulatory Response Costs
            Costs of responding to regulatory investigations
            Settlement costs



First-Party Cyber Coverage: What’s Included?


     Costs of restoring, recreating or re-collecting:
            Lost data
            Stolen data
            Damaged data
     Revenue lost due to interruption of your operations due to, e.g.,
            Hacking
            Virus transmission
            Other security failures




Cyber Insurance Market Trends

      [Chart: Total Premiums Underwritten, by year (2005, 2008, 2009, 2010); vertical axis 0 to 800]
             Source: The Betterly Report
      Premiums ≈ $15,000 to $35,000 per $1,000,000 of limits, depending on
      retention and level of covers
             Source: Aon: Cyber Insurance Options Oct. 3, 2011

      Soft market: Premiums declined an average of 8.5% during the first half
      of 2011
             Source: Marsh Insights: Benchmarking Trends July 2011

      Large corporations were early adopters
      Most growth is among middle market companies


Who Is Buying Cyber Insurance?




     Source: Marsh Insights: Benchmarking Trends July 2011


Who Is Issuing It?




Are Issuers Paying Claims?

     Yes, but statistical information is hard to come by
     Areas of potential friction:
            Adequacy of limits, size of retentions
            Consent and panel provisions
            Coverage of vendors’ errors and omissions
            Loss vs. theft of data
            “One size fits all” crisis management expense coverage
            Hidden traps
            Interplay with vendor indemnity agreements
            “Other insurance” provisions
            Inadequacy of defense coverage
     Cyber policies are highly manuscripted: prevent disputes by
     negotiating clear policy language!


Ten Tips For Buying Cyber Insurance

#1 – Make sure your limits and sub-limits are adequate
   • Average remediation cost is $7.2 million per data breach event
   • Average remediation cost is $214 per record
         Source: Symantec Corp. and Ponemon Institute: Global Cost of a Data Breach (2010)
   • Warning! Many policies impose inadequate limits on “crisis management
     expenses” and “regulatory action” expenses




Ten Tips For Buying Cyber Insurance


#2 – Watch out for “panel” and “consent” provisions
   • Policies often provide that you must use the insurance company’s
     pre-approved forensic consultants, defense counsel, etc.
   • Make sure that yours are pre-approved!
   • Forensic, notification and defense costs are often covered only if you
     obtain the insurer’s “prior consent”
   • Make sure you get it – and obtain policy language confirming that
     post-tender costs will be covered or at least that the insurer’s consent
     “shall not be unreasonably withheld”




Ten Tips For Buying Cyber Insurance


#3 – Make sure you are covered for your vendors’ errors
  and omissions
     Example:
      ● Bad
                  “The Insurer shall pay all Loss that an Insured incurs as a result of
                  your actual or alleged breach of duty to maintain security of
                  confidentiality Confidential Information”
       ● Good
                  “The Insurer shall pay all Loss that an Insured incurs as a result of
                  any alleged failure to protect Confidential Information in the care,
                  custody and control of the Insured or a third party to which an
                  Insured has provided Confidential Information”




Ten Tips For Buying Cyber Insurance


#4 – Make sure you are covered for loss of data, not just
  theft or unauthorized access
     Example:
       ● Bad
            “A covered breach shall include the unauthorized acquisition,
            access, use, or disclosure of confidential information”
       ● Good
           “A covered breach shall include the unauthorized acquisition,
           access, use, disclosure or loss of confidential information”




Ten Tips For Buying Cyber Insurance

#5 – If you handle data for others, make sure your liability to them is covered
   Example:
    ● Bad
            “The Insurer will not make any payment for any claim alleging or
            arising from … your performance of services under a contract
            with your client”
    ● Better
            “The Insurer will not pay for Claims arising out of breach of contract;
            provided, however, that this exclusion shall not apply to
            liabilities that the Insured would have in the absence of contract,
            or arising out of breach of a confidentiality agreement or a
            professional services agreement for the handling of confidential
            information”
       ● Best
                  “The Insurer will pay on behalf of the Insured all Damages and Claim
                  Expense which the Insured becomes legally obligated to pay because
                  of liability imposed by law or Assumed Under Contract”

Ten Tips For Buying Cyber Insurance


#6 – Avoid “one size fits all” coverage
     Example:
       ●    Bank suffers loss of thousands of customer credit card numbers
       ●    Insurance policy covers cost of providing notice and credit monitoring
       ●    Bank would rather just cancel and re-issue the cards


     Lesson: When procuring insurance, negotiate for the coverage you
     will need




Ten Tips For Buying Cyber Insurance


#7 – Beware of hidden traps
     Example:
      ● Bad
                  “The Insurer shall pay Crisis Management Expenses incurred by an
                  Insured arising out of a Claim”
      ● Good
                  “The Insurer shall pay Crisis Management Expenses incurred by an
                  Insured in response to an actual or alleged security breach”




Ten Tips For Buying Cyber Insurance


#8 – Harmonize cyber insurance with your indemnity
  agreements
     ● Bad
                  “The Insurer’s liability applies only to amounts in excess of the policy’s
                  Self-Insured Retention. Such Retention Amount shall be borne by
                  the Insured’s uninsured and at their own risk”
     ● Good
                  “The Insurer’s liability applies only to amounts in excess of the policy’s
                  Self-Insured Retention. Such Retention Amount may be paid
                  either by the Insured, or by the Insured’s other insurance or
                  indemnified by third parties”




Ten Tips For Buying Cyber Insurance


#9 – Harmonize cyber insurance with your other insurance
   • Review your agreements with vendors
         Make sure your vendors are required to have adequate insurance
         Ask to be added as an additional insured on their policies
         Make sure your policy’s “other insurance” clause specifies that their policy will
         apply first
   • Example:
         “This Policy shall be primary, unless the Insured is also covered for the loss under the
         insurance of a third party, in which case this insurance shall apply excess of amounts
         actually paid by that other insurance”




Ten Tips For Buying Cyber Insurance

#10 – Negotiate favorable defense provisions
   • “Pay defense costs on behalf of” vs. “duty to defend”
         Will you control your own defense?
   • At least negotiate the right to choose your own counsel if the policy has a
     “panel” provision
   • Negotiate specific deadlines for payment by the insurer (e.g., within 30 days
     of invoicing)
   • If rates are an issue, negotiate them up front!




Preparing for/Responding to an Incident

1. Know what information you collect. Conduct an audit to identify what
   you have and what you really need. Determine whether you can
   encrypt what you must have. Securely dispose of information when it
   is no longer required:
       You can’t lose what you don’t have!
2. Create an incident response team including: IT, HR, Legal,
   CEO/CIO/CFO, Media relations
3. Develop an incident response plan BEFORE you have an incident
            Plan for different scenarios (DDoS, insider breach, hacking attack, etc.)
            Know which third parties you plan to contact – computer security forensics,
            external legal, law enforcement, crisis communications
            Conduct practice exercises
4. Acquire insurance based on risks and potential losses


What If You Don’t Have Cyber Insurance?


    Insurance industry and brokers assert that there is no
    coverage under conventional insurance, but many courts
    disagree.
    Therefore, tender to all of your other insurers!




 Loss type                    General     Property   Errors &     Crime      Cyber
                              Liability              Omissions
 Data security breach         POSSIBLE    POSSIBLE   POSSIBLE     POSSIBLE   COVERAGE
 Privacy breach               POSSIBLE    POSSIBLE   POSSIBLE     POSSIBLE   COVERAGE
 Media liability              POSSIBLE    NONE       POSSIBLE     NONE       COVERAGE
 Professional services        NONE        NONE       POSSIBLE     NONE       COVERAGE
 Virus transmission           POSSIBLE    POSSIBLE   POSSIBLE     POSSIBLE   COVERAGE
 Damage to data               POSSIBLE    POSSIBLE   POSSIBLE     POSSIBLE   COVERAGE
 Breach notification          POSSIBLE    NONE       POSSIBLE     POSSIBLE   COVERAGE
 Regulatory investigation     POSSIBLE    NONE       POSSIBLE     POSSIBLE   COVERAGE
 Extortion                    POSSIBLE    NONE       NONE         NONE       COVERAGE
 Virus/hacker attack          POSSIBLE    POSSIBLE   POSSIBLE     POSSIBLE   COVERAGE
 Denial of service attack     POSSIBLE    POSSIBLE   POSSIBLE     POSSIBLE   COVERAGE
 Business interruption loss   NONE        POSSIBLE   POSSIBLE     NONE       COVERAGE




Case Study – Sony PSN Attack

     Sony PS3 user posts code to “jailbreak” Sony PSN consoles and Sony sues
     user in US federal court
     April 4 – Members of Anonymous launch attack on Sony
     April 20 – Sony takes PSN and Qriocity networks offline
     April 26 – Sony announces that 77 million names, addresses, email
     addresses, birthdates, PlayStation Network/Qriocity passwords and logins,
     handle/PSN online ID, profile data, purchase history and possibly credit cards
     obtained
     April 27 – Sony shares fall 2%
     April 28 – Sony shares fall 4.5%; 1st class action lawsuit filed
     May 2 – Sony Online Entertainment attacked; 24.6 million customer dates of
     birth, email addresses and phone numbers, including 12,700 non-U.S. credit
     or debit card numbers and expiration dates and about 10,700 direct debit
     records including bank account number breached



Case Study – Sony PSN Attack (cont)

     May 14 – Sony brings PSN/Qriocity back online; offline for a total of 24 days
     May 23 – Sony estimates that PSN breach and restoration cost $171M
     At least 58 class action lawsuits filed against Sony
     Numerous additional attacks from other hacking groups target various Sony
     companies and online properties
     July 20 – Zurich Insurance files suit seeking a declaration that various
     Zurich policies do not provide coverage for hacking claims
     Zurich issued:
            Primary CGL policy to Sony Online Computer Entertainment America LLC (“SCEA”)
            Excess liability policy to Sony Corp. of America; policy attaches above a lead umbrella policy
            issued by National Union
            Primary CGL policy to SCEA for its Canadian operations
     Zurich policies provide coverage for “bodily injury,” “property damage” and
     “personal and advertising injury” arising out of an “occurrence.”
     Zurich argues Sony claims do not allege any such injury or damage and
     therefore Zurich does not owe a defense or indemnification to Sony under any
     of its policies


Questions & Answers


                            René Siemens
                            Partner
                            Pillsbury Winthrop Shaw Pittman LLP
                            +1 213.488.7277
                            reynold.siemens@pillsburylaw.com


                            John Nicholson
                            Counsel
                            Pillsbury Winthrop Shaw Pittman LLP
                            +1 202.663.8269
                            john.nicholson@pillsburylaw.com





Más contenido relacionado

La actualidad más candente

HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
data brackets
 
HIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare Cloud
Hostway|HOSTING
 

La actualidad más candente (20)

MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurance
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response Checklist
 
Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1
 
The importance of hipaa compliance and training
The importance of hipaa compliance and trainingThe importance of hipaa compliance and training
The importance of hipaa compliance and training
 
Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines
 
HIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare Cloud
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA Compliance
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
Comp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesComp8 unit6a lecture_slides
Comp8 unit6a lecture_slides
 
HIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An OverviewHIPAA Compliant Cloud Computing, An Overview
HIPAA Compliant Cloud Computing, An Overview
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
 
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
 

Similar a Cyberinsurance 111006

Cyber for Beginners v2
Cyber for Beginners v2Cyber for Beginners v2
Cyber for Beginners v2
Kenny Boddye
 
Legal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and UsersLegal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and Users
MMMTechLaw
 
20 Questions to ask your Cyber Carrier - Wis Banker 12-2015
20 Questions to ask your Cyber Carrier - Wis Banker 12-201520 Questions to ask your Cyber Carrier - Wis Banker 12-2015
20 Questions to ask your Cyber Carrier - Wis Banker 12-2015
Jeff Otteson
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to know
Nathan Desfontaines
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 

Similar a Cyberinsurance 111006 (20)

Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
 
Intermountain CFO Summit - Managing Financial Risks
Intermountain CFO Summit - Managing Financial RisksIntermountain CFO Summit - Managing Financial Risks
Intermountain CFO Summit - Managing Financial Risks
 
Cyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryCyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation Industry
 
Cyber for Beginners v2
Cyber for Beginners v2Cyber for Beginners v2
Cyber for Beginners v2
 
Debunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsuranceDebunking Myths for Cyber-Insurance
Debunking Myths for Cyber-Insurance
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability Risk
 
Cyber risk insurance
Cyber risk insuranceCyber risk insurance
Cyber risk insurance
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
 
Legal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and UsersLegal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and Users
 
Infocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar PresentationInfocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar Presentation
 
Legal Issues Impacting Data Center Owners, Operators & Users
Legal Issues Impacting Data Center Owners, Operators & UsersLegal Issues Impacting Data Center Owners, Operators & Users
Legal Issues Impacting Data Center Owners, Operators & Users
 
The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber Insurance
 
20 Questions to ask your Cyber Carrier - Wis Banker 12-2015
20 Questions to ask your Cyber Carrier - Wis Banker 12-201520 Questions to ask your Cyber Carrier - Wis Banker 12-2015
20 Questions to ask your Cyber Carrier - Wis Banker 12-2015
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to know
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!
 
The Changing Landscape of Cyber Liability
The Changing Landscape of Cyber LiabilityThe Changing Landscape of Cyber Liability
The Changing Landscape of Cyber Liability
 
Vendor Contracts & Cyber Risks
Vendor Contracts & Cyber RisksVendor Contracts & Cyber Risks
Vendor Contracts & Cyber Risks
 
Webcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportWebcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats Report
 

Cyberinsurance 111006

  • 1. Emerging Legal Trends in Cyber Insurance October 2011 René Siemens John Nicholson Pillsbury Winthrop Shaw Pittman LLP
  • 2. Are You at Risk for a Data Breach or Other Cyber-Related Losses? Does your product have an intensely loyal consumer fan base? (Sony) Is your organization (or any senior executive) visibly politically active on any controversial issue? (Koch Industries attacked in response to Wisc. protests) Does your organization outsource the processing/collection/storage of personal information to a third party? Does your organization outsource any IT functions with access to personal information? Does your organization ship backup tapes/drives from operational facilities to a backup/storage provider? (SAIC/Tricare) Does your organization process/collect/store personal information about your customers? (SSN, credit card, address, financial information, medical information …) (Betfair) Does your organization process/collect/store personal information about your employees? (SSN, drivers license #, address, insurance information, bank account information, credit card …) 2 | Trends in Cyberinsurance
  • 3. The Current Legal Landscape Privacy / Data Security Compliance Obligations (for now) US Federal GLBA HIPAA / HITECH Red Flags Rules FTC US State privacy/consumer protection laws (e.g., Massachusetts) Canada, EU and many other countries Other - PCI DSS US Data Breach Notification Laws (for now) 46 states + DC, Puerto Rico and others Current trend is addition of medical information HIPAA / HITECH Act Other regulations 3 | Trends in Cyberinsurance
  • 4. The Evolving Legal Landscape US Personal Data Privacy and Security Act of 2011 (S.1151) (Sen. Leahy) Personal Data Protection and Breach Accountability Act of 2011 (S. 1535) (Sen. Blumenthal) Data Breach Notification Act (S. 1408) (Sen. Feinstein) Among others Canada - Sept. 29, update to PIPEDA proposed in Bill C-12 to expand existing privacy law to include data breach notification requirements "It seems to me that it's time to begin imposing fines--significant, attention-getting fines--on companies when poor privacy and security practices lead to breaches," - Jennifer Stoddart, Canadian Privacy Commissioner (May 2011) EU - mid-November, EC to publish revised Data Protection Directive which will include: Mandatory data breach disclosure law covering public and private sectors Binding Safe Processor Rules (BSPR) requiring cloud service providers (CSPs) in the EU to be certified by the EU and making them legally liable for data breaches occurring at CSP data centers 4 | Trends in Cyberinsurance
  • 5. What Does Cyber-Liability Insurance Cover? Third-Party: Data security breaches Privacy breaches Content liability (libel, infringement, etc.) First-Party: Loss of data Revenue loss due to interruption of data systems “E-vandalism,” “e-extortion” 5 | Trends in Cyberinsurance
  • 6. Third-Party Cyber Coverage: What’s Included? Crisis Management Expenses Notification costs Credit monitoring services Public relations consultants Forensic investigation Pursuit of indemnity rights Regulatory compliance costs Claim Expenses Costs of defending against lawsuits Judgments and settlements Regulatory Response Costs Costs of responding to regulatory investigations Settlement costs 6 | Trends in Cyberinsurance
  • 7. First-Party Cyber Coverage: What’s Included? Costs of restoring, recreating or re-collecting: Lost data Stolen data Damaged data Revenue lost due to interruption of your operations due to, e.g., Hacking Virus transmission Other security failures 7 | Trends in Cyberinsurance
  • 8. Cyber Insurance Market Trends 800 600 400 Total Premiums Underwritten 200 Source: The Betterly Report 0 2005 2008 2009 2010 Premiums ≈ $15,000 to $35,000 per $1,000,000 of limits, depending on retention and level of covers Source: Aon: Cyber Insurance Options Oct. 3, 2011 Soft market: Premiums declined an average of 8.5% during the first half of 2011 Source: Marsh Insights: Benchmarking Trends July 2011 Large corporations were early adopters Most growth is among middle market companies 8 | Trends in Cyberinsurance
  • 9. Who Is Buying Cyber Insurance? Source: Marsh Insights: Benchmarking Trends July 2011 9 | Trends in Cyberinsurance
  • 10. Who Is Issuing It? 10 | Trends in Cyberinsurance
  • 11. Are Issuers Paying Claims? Yes, but statistical information is hard to come by Areas of potential friction: Adequacy of limits, size of retentions Consent and panel provisions Coverage of vendors’ errors and omissions Loss vs. theft of data “One size fits all” crisis management expense coverage Hidden traps Interplay with vendor indemnity agreements “Other insurance” provisions Inadequacy of defense coverage Cyber policies are highly manuscripted: prevent disputes by negotiating clear policy language! 11 | Trends in Cyberinsurance
  • 12. Ten Tips For Buying Cyber Insurance #1 – Make sure your limits and sub-limits are adequate • Average remediation cost is $7.2 million per data breach event • Average remediation cost is $214 per record Source: Symantec Corp. and Ponemon Institute: Global Cost of a Data Breach (2010) • Warning! Many policies impose inadequate limits on “crisis management expenses” and “regulatory action” expenses 12 | Trends in Cyberinsurance
  • 13. Ten Tips For Buying Cyber Insurance #2 – Watch out for “panel” and “consent” provisions • Policies often provide that you must use the insurance company’s pre- approved forensic consultants, defense counsel, etc. • Make sure that yours are pre-approved! • Forensic, notification and defense costs are often covered only if you obtain the insurer’s “prior consent” • Make sure you get it – and obtain policy language confirming that post- tender costs will be covered or at least that the insurer’s consent “shall not be unreasonably withheld” 13 | Trends in Cyberinsurance
• 14. Ten Tips For Buying Cyber Insurance
     #3 – Make sure you are covered for your vendors’ errors and omissions
     Example:
     ● Bad: “The Insurer shall pay all Loss that an Insured incurs as a result of your actual or alleged breach of duty to maintain security of confidentiality Confidential Information”
     ● Good: “The Insurer shall pay all Loss that an Insured incurs as a result of any alleged failure to protect Confidential Information in the care, custody and control of the Insured or a third party to which an Insured has provided Confidential Information”

14 | Trends in Cyberinsurance
• 15. Ten Tips For Buying Cyber Insurance
     #4 – Make sure you are covered for loss of data, not just theft or unauthorized access
     Example:
     ● Bad: “A covered breach shall include the unauthorized acquisition, access, use, or disclosure of confidential information”
     ● Good: “A covered breach shall include the unauthorized acquisition, access, use, disclosure or loss of confidential information”

15 | Trends in Cyberinsurance
• 16. Ten Tips For Buying Cyber Insurance
     #5 – If you handle data for others, make sure your liability to them is covered
     Example:
     ● Bad: “The Insurer will not make any payment for any claim alleging or arising from … your performance of services under a contract with your client”
     ● Better: “The Insurer will not pay for Claims arising out of breach of contract; provided, however, that this exclusion shall not apply to liabilities that the Insured would have in the absence of contract, or arising out of breach of a confidentiality agreement or a professional services agreement for the handling of confidential information”
     ● Best: “The Insurer will pay on behalf of the Insured all Damages and Claim Expense which the Insured becomes legally obligated to pay because of liability imposed by law or Assumed Under Contract”

16 | Trends in Cyberinsurance
• 17. Ten Tips For Buying Cyber Insurance
     #6 – Avoid “one size fits all” coverage
     Example:
     ● Bank suffers loss of thousands of customer credit card numbers
     ● Insurance policy covers cost of providing notice and credit monitoring
     ● Bank would rather just cancel and re-issue the cards
     Lesson: When procuring insurance, negotiate for the coverage you will need

17 | Trends in Cyberinsurance
• 18. Ten Tips For Buying Cyber Insurance
     #7 – Beware of hidden traps
     Example:
     ● Bad: “The Insurer shall pay Crisis Management Expenses incurred by an Insured arising out of a Claim”
     ● Good: “The Insurer shall pay Crisis Management Expenses incurred by an Insured in response to an actual or alleged security breach”

18 | Trends in Cyberinsurance
• 19. Ten Tips For Buying Cyber Insurance
     #8 – Harmonize cyber insurance with your indemnity agreements
     ● Bad: “The Insurer’s liability applies only to amounts in excess of the policy’s Self-Insured Retention. Such Retention Amount shall be borne by the Insured’s uninsured and at their own risk”
     ● Good: “The Insurer’s liability applies only to amounts in excess of the policy’s Self-Insured Retention. Such Retention Amount may be paid either by the Insured, or by the Insured’s other insurance or indemnified by third parties”

19 | Trends in Cyberinsurance
• 20. Ten Tips For Buying Cyber Insurance
     #9 – Harmonize cyber insurance with your other insurance
     • Review your agreements with vendors
            Make sure your vendors are required to have adequate insurance
            Ask to be added as an additional insured on their policies
            Make sure your policy’s “other insurance” clause specifies that their policy will apply first
     • Example: “This Policy shall be primary, unless the Insured is also covered for the loss under the insurance of a third party, in which case this insurance shall apply excess of amounts actually paid by that other insurance”

20 | Trends in Cyberinsurance
• 21. Ten Tips For Buying Cyber Insurance
     #10 – Negotiate favorable defense provisions
     • “Pay defense costs on behalf of” vs. “duty to defend”
            Will you control your own defense?
     • At least negotiate the right to choose your own counsel if the policy has a “panel” provision
     • Negotiate specific deadlines for payment by the insurer (e.g., within 30 days of invoicing)
     • If rates are an issue, negotiate them up front!

21 | Trends in Cyberinsurance
• 22. Preparing for/Responding to an Incident
     1. Know what information you collect.
            Conduct an audit to identify what you have and what you really need.
            Determine whether you can encrypt what you must have.
            Securely dispose of information when it is no longer required - You can’t lose what you don’t have!
     2. Create an incident response team including: IT, HR, Legal, CEO/CIO/CFO, Media relations
     3. Develop incident response plan BEFORE you have an incident
            Plan for different scenarios (DDOS, insider breach, hacking attack, etc.)
            Know which third parties you plan to contact – computer security forensics, external legal, law enforcement, crisis communications
            Conduct practice exercises
     4. Acquire insurance based on risks and potential losses

22 | Trends in Cyberinsurance
• 23. What If You Don’t Have Cyber Insurance?
     Insurance industry and brokers assert that there is no coverage under conventional insurance, but many courts disagree.
     Therefore, tender to all of your other insurers!

23 | Trends in Cyberinsurance
• 24. Potential coverage under conventional policies vs. cyber policies

                                 General Liability   Property   Errors & Omissions   Crime      Cyber
     Data security breach        POSSIBLE            POSSIBLE   POSSIBLE             POSSIBLE   COVERAGE
     Privacy breach              POSSIBLE            POSSIBLE   POSSIBLE             POSSIBLE   COVERAGE
     Media liability             POSSIBLE            NONE       POSSIBLE             NONE       COVERAGE
     Professional services       NONE                NONE       POSSIBLE             NONE       COVERAGE
     Virus transmission          POSSIBLE            POSSIBLE   POSSIBLE             POSSIBLE   COVERAGE
     Damage to data              POSSIBLE            POSSIBLE   POSSIBLE             POSSIBLE   COVERAGE
     Breach notification         POSSIBLE            NONE       POSSIBLE             POSSIBLE   COVERAGE
     Regulatory investigation    POSSIBLE            NONE       POSSIBLE             POSSIBLE   COVERAGE
     Extortion                   POSSIBLE            NONE       NONE                 NONE       COVERAGE
     Virus/hacker attack         POSSIBLE            POSSIBLE   POSSIBLE             POSSIBLE   COVERAGE
     Denial of service attack    POSSIBLE            POSSIBLE   POSSIBLE             POSSIBLE   COVERAGE
     Business interruption loss  NONE                POSSIBLE   POSSIBLE             NONE       COVERAGE

24 | Trends in Cyberinsurance
• 25. Case Study – Sony PSN Attack
     Sony PS3 user posts code to “jailbreak” Sony PSN consoles and Sony sues user in US federal court
     April 4 - Members of Anonymous launch attack on Sony
     April 20 – Sony takes PSN and Qriocity networks offline
     April 26 - Sony announces that 77 million names, addresses, email addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and possibly credit cards obtained
     April 27 – Sony shares fall 2%
     April 28 – Sony shares fall 4.5%; 1st class action lawsuit filed
     May 2 – Sony Online Entertainment attacked; 24.6 million customer dates of birth, email addresses and phone numbers, including 12,700 non-U.S. credit or debit card numbers and expiration dates and about 10,700 direct debit records including bank account number breached

25 | Trends in Cyberinsurance
• 26. Case Study – Sony PSN Attack (cont)
     May 14 – Sony brings PSN/Qriocity back online; Offline for a total of 24 days
     May 23 – Sony estimates that PSN breach and restoration cost $171M
     At least 58 class action lawsuits filed against Sony
     Numerous additional attacks from other hacking groups target various Sony companies and online properties.
     July 20 – Zurich Insurance filed suit seeking a declaration that various Zurich policies do not provide coverage for hacking claims
     Zurich issued:
            Primary CGL policy to Sony Online Computer Entertainment America LLC (“SCEA”)
            Excess liability policy to Sony Corp. of America. Policy attaches above a lead umbrella policy issued by National Union
            Primary CGL policy to SCEA for its Canadian operations
     Zurich policies provide coverage for “bodily injury,” “property damage” and “personal and advertising injury” arising out of an “occurrence.”
     Zurich argues Sony claims do not allege any such injury or damage and therefore Zurich does not owe a defense or indemnification to Sony under any of its policies

26 | Trends in Cyberinsurance
• 27. Questions & Answers
     René Siemens
     Partner
     Pillsbury Winthrop Shaw Pittman LLP
     +1 213.488.7277
     reynold.siemens@pillsburylaw.com

     John Nicholson
     Counsel
     Pillsbury Winthrop Shaw Pittman LLP
     +1 202.663.8269
     john.nicholson@pillsburylaw.com

27 | Trends in Cyberinsurance