Presented by: Paul J. Miola, CPCU, ARM Executive Director October, 2013

2  Goes by various names – “Information Security Insurance”, “Network Security Insurance”, “Privacy Insurance”, “Data Breach Insurance”, “Network Breach Insurance”, “Technology Solutions”, “Cyber Liability”, “Breach Response Insurance”…

3  General Liability Insurance doesn’t respond to cyber claims  Typical CGL policy defines “property damage” as “physical injury to tangible property, including all resulting loss of use of that property.  Some CGL policy forms specifically exclude electronic data from their definition of “property damage.” In such policies, “electronic data” is generally defined as the “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software.”  Data, web pages and computer systems do not constitute tangible property because they are not capable of being touched, held or sensed by the human mind. 3

4  In the event of a data breach:  Notify Employees  Notify members of public  Notify regulators State/Multi State Federal Additional efforts Who has to do this?

5 Responsibility lies with the offending entity

6  Not just insurance coverage  Claims for damages by third parties  A variety of services  Designed to prevent claims  Respond on your behalf  Deal with regulators  Make sure you comply Handle Public Relations Takes the burden off of you

7  Cyber claims are infrequent but they do occur  Big name companies are targets but you represent low hanging fruit  Lack of formal security and “Privacy Policies”  What if it happens to you?  Will you know what to do?

8  If you pass along a virus or other type of malware, even unknowingly, especially if another entity's customer information is then compromised.

9  If an employee gains unauthorized access to another entity's information or if confidential information is disclosed or misused.

10  If an employee knowingly or unwittingly slanders another entity in a blog, , or in a social media or forum post, or infringes on copyrighted material.

11  If you do not follow federal or state regulations controlling notification of members of the public/employees whose personal data has been compromised.

12  Breach occurs when an unauthorized 3rd party accesses your network or the network becomes infected with a virus or a denial of service attack.

13  Data can be stolen that can help criminals access PII*.  PII is a legal concept, not a technical concept.  PII can be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts.stalksteal the identity  PII has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII.information technologyInternetinternet securitynetwork securitybrowser security *Personally Identifiable Information

14 And who pays for it?

15 Ghost Busters?

16 Immediately dial the XL Data Breach Hotline This is EXTREMELY IMPORTANT! Keep the number handy!

17 Nelson, Levine, deLuca, & Hamilton They will guide you.

18 Or contact Qual-Lynx.

19 Data Recovery ◦ Expenses required to replace, recreate, restore or repair the Insured’s network or information residing on the network to substantially the form in which it existed immediately prior to a breach.

20 Cyber Extortion  Coverage provided to reimburse an Insured the amounts paid to avert a credible threat to commit or continue a network attack against the insured or to disclose personally identifiable information

21 Data Breach Response Costs PCI-DSS Response Reimburse the Insured for the costs incurred following a breach of private information. Typically costs are provided on a sub-limited basis. Reimburse the Insured for the costs in incurs to respond to a PCI-DSS incident. Forensics costs Public relations costs Legal Mandatory notification costs Voluntary notification costs Credit monitoring Call center Breach coach costs Independent forensic investigation conducted by a Payment Card Industry Forensic Investigator (PFI); Attorney fees fines and penalties owed by the Insured under the terms of a Merchant Services Agreement Fees..

22 Data Breach Response Costs PCI-DSS Response Reimburse the Insured for the costs in incurs following a breach of private information. Typically costs are provided on a sublimited basis. Reimburse the Insured for the costs incurred to respond to a PCI-DSS incident. Forensics costs Public relations costs Legal Mandatory notification costs Voluntary notification costs Credit monitoring Call center Breach coach costs Independent forensic investigation conducted by a Payment Card Industry Forensic Investigator (PFI); Attorney fees fines and penalties owed by the Insured under the terms of a Merchant Services Agreement Fees..

23 Data Breach Response Costs PCI-DSS Response Reimburse the Insured for the costs incurred following a breach of private information. Typically costs are provided on a sub-limited basis. Reimburse the Insured for the costs incurred to respond to a PCI-DSS incident. Forensics costs Public relations costs Legal Mandatory notification costs Voluntary notification costs Credit monitoring Call center Breach coach costs Independent forensic investigation conducted by a Payment Card Industry Forensic Investigator (PFI); Attorney fees fines and penalties owed by the Insured under the terms of a Merchant Services Agreement Fees.

24 Network Security LiabilityPrivacy Liability Failure by the Insured to prevent a network breach which results in: 1.the inability of an authorized user to gain access to the network; 2.the alteration, addition to, copying, destruction, deletion, disclosure, damage or removal of any data residing on the network; 3.a denial of service attack against Internet sites or computers; 4.the transmission of a computer virus from the network to third- party networks or Internet sites; Coverage for claim arising from third parties for allegations of: 1.violation of privacy torts, law and regulations (GLB, HIPAA, COPPA) 2.theft, loss, unauthorized disclosure of personally identifiable information private information 3.alterations, corruption, destruction, deletion or damage to private information Includes both online and off-line data.

25 Network Security LiabilityPrivacy Liability Failure by the Insured to prevent a network breach which results in: 1.the inability of an authorized user to gain access to the network; 2.the alteration, addition to, copying, destruction, deletion, disclosure, damage or removal of any data residing on the network; 3.a denial of service attack against Internet sites or computers; 4.the transmission of a computer virus from the network to third- party networks or Internet sites; Coverage for claim arising from third parties for allegations of: 1.violation of privacy torts, law and regulations (GLB, HIPAA, COPPA) 2.theft, loss, unauthorized disclosure of personally identifiable information private information 3.alterations, corruption, destruction, deletion or damage to private information Includes both online and off-line data.

26 Network Security LiabilityPrivacy Liability Failure by the Insured to prevent a network breach which results in: 1.the inability of an authorized user to gain access to the network; 2.the alteration, addition to, copying, destruction, deletion, disclosure, damage or removal of any data residing on the network; 3.a denial of service attack against Internet sites or computers; 4.the transmission of a computer virus from the network to third- party networks or Internet sites; Coverage for claim arising from third parties for allegations of: 1.violation of privacy torts, law and regulations (GLB, HIPAA, COPPA) 2.theft, loss, unauthorized disclosure of personally identifiable information private information 3.alterations, corruption, destruction, deletion or damage to private information Includes both online and off-line data

27 Defense  Provides defense costs resulting from a regulatory investigation or proceeding. Typical enforcement comes from the FTC or AGs.  FTC can charge defendants with violating of Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.  As of May 1, 2011, the FTC has brought 32 legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information.

28  Covers the content the Insured disseminates through various means including social media for a defined list of covered perils.  Intellectual property infringement  Defamation  Other personal injury torts

29 Third Party Coverage :  Media Liability, Network Security and Privacy Liability  $1,000,000 per claim  $3,000,000 annual aggregate  $10,000 deductible each claim  Regulatory Fines and Penalties sub limit of $500,000  Retroactive date January 1, 2013

30 First Party Coverage:  Notification Costs, Extortion Threat, Crisis Management and Business Interruption  $500,000 per claim limit  $3,000,000 annual aggregate  $10,000 deductible each claim

31  Data Breach Hotline o o Service Provided by Nelson, Levin, deLuca & Horst  eRisk Hub ◦ Go to ◦ Complete Registration Form ◦ Access Code – ◦ Once Registered your have immediate access to the portal with User ID & password created during registration

32

33

34

35 Much More

Jim Prendergast Partner Nelson Levine de Luca & Hamilton After The Break… Cyber Liability Risk Management