Walking the Data Security Tightrope: What’s Below?

2008 International Conference: Golden Opportunities or Fool’s Gold? • November 5-7, 2008 • San Francisco


Page 1: Walking the Data Security Tightrope: What’s Below?

2008 International Conference

Golden Opportunities or Fool’s Gold? • November 5-7, 2008 • San Francisco

Walking the Data Security Tightrope: What’s Below?

Page 2: Walking the Data Security Tightrope: What’s Below?

MODERATOR:

Theodore J. Kobus, III, Esq., Chair, Technology, Media and Intellectual Property Practice Group, Marshall Dennehey Warner Coleman & Goggin

PANELISTS:

Shena Crowe, Infragard Coordinator, Federal Bureau of Investigation

Nicholas Economidis, ARM, Underwriter, Beazley USA

Thomas C. Katona, President, Managing Member, Apogee Insurance Group

Leslie Lamb, Global Risk and Insurance Manager, Cisco Systems, Inc.

Adam Sills, Underwriter, Darwin Professional Underwriters, Inc.


Page 3: Walking the Data Security Tightrope: What’s Below?

Overview

• Types of Data Security Breaches/Threats/ Vulnerabilities

• Costs of Handling Data Security Claims

• Insurance Coverage

• Emerging Issues

• Q&A

Page 4: Walking the Data Security Tightrope: What’s Below?

Types of Data Security Breaches

• A study by Kroll found the following types of breaches over a 5-year period:

– 4.8% Disposal of documents/computers

– 1.8% eMail

– 20.8% Hacking

– 22.4% Lost/missing/stolen laptops

– 15.3% via the Web

Page 5: Walking the Data Security Tightrope: What’s Below?

The Threat Environment

• Lost or stolen laptops, computers

• Backup tapes lost in transit

• Hackers

• Employees stealing information

• Information brought in by a fake business

Page 6: Walking the Data Security Tightrope: What’s Below?

Vulnerabilities

• Poor business practices

• Internal security failures

• Viruses, trojan horses

• Info tossed into dumpsters

Page 7: Walking the Data Security Tightrope: What’s Below?

Business owners have a false sense of security about data breaches

A recent Zogby study showed:

• Zogby study of 1,500 businesses

• Data breaches are not the highest priority

• Customer data should be protected

• Breaches will harm a company

• No plan or protections in place

Page 8: Walking the Data Security Tightrope: What’s Below?

Costs of Handling Data Security Incidents

• Risk Management

Top Priorities

– Protecting our brand

– Protecting our customers

– Improving our products

Page 9: Walking the Data Security Tightrope: What’s Below?

Costs of Handling Data Security Incidents

• Risk Management

Top Focus Areas

– Security awareness

– Diversified business management

– Extranet/partner management

– Identity and access management

– Infrastructure intelligence and reporting

– Web application infrastructure protection

Page 10: Walking the Data Security Tightrope: What’s Below?

Costs of Handling Data Security Incidents

• Ponemon Institute estimate = $6.3M/breach

– $4.1M ($128/record) is lost business

– $2.2M ($69/record) is made up of:

• Defense costs (incl. attorney fees)

• Crisis Management/media/PR

• Credit monitoring & Call Center support

• Internal & Regulatory Investigation costs

• Equates to $197 per lost customer record

Page 11: Walking the Data Security Tightrope: What’s Below?

Costs of Handling Data Security Incidents

• Notification Costs:

– $1 to $2 per individual

• Credit Monitoring:

– $10 to $20 per person per year

– 15% to 20% acceptance rate (higher for employees)

Page 12: Walking the Data Security Tightrope: What’s Below?

Costs of Handling Data Security Incidents

Sample Breach Notice

URGENT ALERT

Dear ____________________:

At COMPANY, we take your privacy very seriously. That is why we are very sorry to have to report to you that _______________________________________. The theft occurred on __________. We have no reason to believe that the thieves gained access to the password-protected information on the laptop, let alone of any fraudulent or other misuse of your information by the thieves or anyone else, but want you to be aware immediately of this event. Meanwhile we are engaged in a thorough review of this incident to determine how we can better protect your information.

There are some actions you can take to help protect yourself against misuse of your personal information, in the event that it is ever compromised. You can go to www.annualcreditreport.com and get a copy of your credit report. This service has now been made available across the United States at no charge to you.

You may also wish to call the toll-free number of any of the three major credit bureaus and place a fraud alert on your credit report. As soon as any one credit bureau receives your fraud alert it will notify the other two. The credit bureaus are:

Equifax Credit Information Services, Inc.
(888) 766-0008
P.O. Box 740241
Atlanta, GA 30374
www.equifax.com

Experian
(888) 397-3742
www.experian.com

TransUnion
(800) 680-7289
Fraud Victim Assistance Division
P.O. Box 2000
Chester, PA 19022
www.transunion.com

The websites for all three credit reporting agencies have additional helpful information on how to protect your information. If you have any questions, please call _____ at ______.

Very truly yours,

Page 13: Walking the Data Security Tightrope: What’s Below?

Costs of Handling Data Security Incidents

• Defense Costs:

– Class action suits boost costs!

• Hannaford

• Bank of New York Mellon Corp.

• Tri-West Healthcare

– Electronic discovery

Page 14: Walking the Data Security Tightrope: What’s Below?

Costs of Handling Data Security Incidents

• Settlements or Judgments

– Tri-West Healthcare (9th Circuit)

– Certegy Check Services

• $4 million; plus monitoring

• Wells Fargo: $6.7 million

Page 15: Walking the Data Security Tightrope: What’s Below?

Insurance Coverage

• Traditionally not covered

– Commercial General Liability

• No bodily injury or property damage

• No publication for “invasion of privacy”

– Other types of insurance

• Personal Injury/privacy exclusions

• Professional Liability: “special intellectual ability” vs. “ordinary business activities”

Page 16: Walking the Data Security Tightrope: What’s Below?

Insurance Coverage

• Security & Privacy Insurance:

– Liability: defense costs and damages

– Notification costs

– Credit monitoring expenses

– 1st-party losses

• Limits available:

– Primary: up to $25 million

– Excess: up to $150+ million

– Sub-Limits often apply for Notification/Credit Monitoring

Page 17: Walking the Data Security Tightrope: What’s Below?

Emerging Issues

• Understanding & keeping pace with threats:

– New threats such as “brandjacking”

– Phishing is on the rise

• Impact of compliance on global companies

• Risk/benefit of litigation/prosecution

• Increased cost of prevention

Page 18: Walking the Data Security Tightrope: What’s Below?

Q & A

Page 19: Walking the Data Security Tightrope: What’s Below?

Many Thanks to

• Theodore J. Kobus III, Esq.

• Shena Crowe

• Nicholas Economidis, ARM

• Thomas C. Katona

• Leslie Lamb

• Adam Sills