Download presentation
Presentation is loading. Please wait.
Published byPrimrose Ray Modified over 9 years ago
1
WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, 2013 11:30 am – 12:30 pm
2
2 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. Presenter: Joshua Gold, Esq. (212) 278-1886 jgold@andersonkill.com
3
3 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. Disclaimer The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.
4
4 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. WHO IS VULNERABLE? EVERYONE!
5
5 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. WHO IS VULNERABLE? 2012 Data Breaches. 1 Business – 36.9% Medical/Healthcare – 34.6% Educational – 13.6% Government/Military – 11.2% Banking/Credit/ Financial – 3.8% ____________ 1 Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr
6
6 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. WHAT IS THE EXPOSURE? Government/Military – 7.7 million records (44.4%) Business – 4.6 million (26.7%) Education – 2.3 million (13.3%) Medical/Healthcare – 2.2 million (12.9%) Banking/Credit/Financial – 470k (2.7%) 2 ________________ 2 Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr
7
7 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. Negligence – 39% Malicious or Criminal Attack – 37% System Error – 24% 3 ________________ 3 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012. WHAT ARE THE CAUSES?
8
8 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. Information Loss – 44% Business Disruption – 30% Revenue Loss – 19% Equipment Damages – 5% Other Miscellaneous Costs – 2% 4 ________________ 4 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012 WHAT IS THE COST?
9
9 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. Average Resolution Time: 24 days Average Cost: $5.5 Million 5 ________________ 5 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012 WHAT’S THE REAL COST?
10
10 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. THIRD-PARTY DATA MANAGEMENT & RISKS. Cloud is the Trend Cost Savings Data Security Risks Lack of Control Can delegate the data management but not the responsibility What are the risks; Amazon/Sony Breach
11
11 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. BEST PRACTICES. SEC Guidance FFIEC Guidance Due Diligence on Vendors Negotiate Strong Terms in Vendor/Cloud Contracts Risk Transfer Indemnity/Insurance Security Assessment of Vendor: Tricky in a Multi- Tenant Cloud Platform Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders
12
12 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. RISK MANAGEMENT. Notice of Incident (even if your data is not disclosed) Cooperation with regulation authorities and law enforcement Periodic audit rights Notification costs responsibility Costs of computer forensic experts Use of sub-contractors Cloud Services Termination: How does hosted data get disposed of? / Who pays? Representations and Warranties about firm protecting data
13
13 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. SECURITY & INSURANCE. Encryption –Automatic red flag for AGs/FTC if data disclosed and not encrypted Contractual Indemnity/Hold Harmless Mandate insurance purchase by vendor Require additional insured status
14
14 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. DEALING WITH A SECURITY BREACH. Data Breach Team and Plan needs to be in place Compliance with State Notice Make sure your insurance provides cover where cloud used Notice all potentially applicable insurance
15
15 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. POLICIES COVERING LOSS. Take Inventory of Policies GL, D&O, E&O, Crime, All Risk Property, Cyber Policies 1 st Party, 3 rd Party, Hybrid Coverage Issues
16
16 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. IP Exposure Data Loss Business Interruption Third Party Losses Privacy COVERAGE UNDER CGL?
17
17 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. CYBER POLICIES! WHEN CGL IS NOT ENOUGH.
18
18 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. CURRENTLY AVAILABLE CYBER INSURANCE. Privacy Injury Liability Privacy Regulatory Proceedings and PCI Fines Network and Content Liability Crisis Management Fund Network Loss or Damage Business Interruption Electronic Theft Network Extortion
19
19 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. Virus Coverage or Exclusions Virus Defined in a Manner that Might Affect Hacker Coverage “Confidential” Information vs. Trade Secrets vs. Customer Information Coverage for Regulatory Matters (e.g., FTC) RISK MANAGEMENT CONSIDERATIONS
20
20 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. RISK MANAGEMENT CONSIDERATIONS Data Security Efforts and Policyholder Protective Measures Coverage for Network Computers Only? What about Laptops? Insured Property / Locations / Premises Where are Servers / Computers Housed?
21
21 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. TIME SENSITIVE PROVISIONS. Fear of Reporting Claims? Timely Notice Proofs of Loss Suit Limitation Clauses
22
22 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. LITIGATION ISSUES. Not a Ton of Precedent What Exists is Not Uniform Careful What Gets Disclosed During Discovery: –E.g., Sensitive Data, Customer Information, Network Security Blueprints
23
23 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. ONE LAST THOUGHT. Side note for clients at risk due to a reduction in coverage: Duty of Insurer to advise of reduction in coverage at renewal Duty of Broker to inform client of reduction in coverage
24
24 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. QUESTIONS?
25
25 1016250v1 ©2013 Anderson Kill & Olick, P.C. All Rights Reserved. Thank You Joshua Gold, Esq. (212) 278-1886 jgold@andersonkill.com
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.