
WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY

RIMS Rocky Mountain Chapter Meeting, Thursday, July 25, 2013, 11:30 am – 12:30 pm. Presenter: Joshua Gold, Esq., (212) 278-1886, jgold@andersonkill.com.


Presentation Transcript


  1. WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY. RIMS Rocky Mountain Chapter Meeting, Thursday, July 25, 2013, 11:30 am – 12:30 pm

  2. Presenter: Joshua Gold, Esq., (212) 278-1886, jgold@andersonkill.com

  3. Disclaimer The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.

  4. WHO IS VULNERABLE? EVERYONE!

  5. WHO IS VULNERABLE? 2012 Data Breaches [1]
     • Business – 36.9%
     • Medical/Healthcare – 34.6%
     • Educational – 13.6%
     • Government/Military – 11.2%
     • Banking/Credit/Financial – 3.8%
     [1] Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr

  6. WHAT IS THE EXPOSURE? [2]
     • Government/Military – 7.7 million records (44.4%)
     • Business – 4.6 million (26.7%)
     • Education – 2.3 million (13.3%)
     • Medical/Healthcare – 2.2 million (12.9%)
     • Banking/Credit/Financial – 470k (2.7%)
     [2] Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr

  7. WHAT ARE THE CAUSES? [3]
     • Negligence – 39%
     • Malicious or Criminal Attack – 37%
     • System Error – 24%
     [3] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.

  8. WHAT IS THE COST? [4]
     • Information Loss – 44%
     • Business Disruption – 30%
     • Revenue Loss – 19%
     • Equipment Damages – 5%
     • Other Miscellaneous Costs – 2%
     [4] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.

  9. WHAT’S THE REAL COST? [5]
     • Average Resolution Time: 24 days
     • Average Cost: $5.5 Million
     [5] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.

  10. THIRD-PARTY DATA MANAGEMENT & RISKS.
     • Cloud is the Trend
     • Cost Savings
     • Data Security Risks
     • Lack of Control
     • Can delegate the data management but not the responsibility
     • What are the risks? Amazon/Sony Breach

  11. BEST PRACTICES.
     • SEC Guidance
     • FFIEC Guidance
     • Due Diligence on Vendors
     • Negotiate Strong Terms in Vendor/Cloud Contracts
     • Risk Transfer: Indemnity/Insurance
     • Security Assessment of Vendor: Tricky in a Multi-Tenant Cloud Platform
     • Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders

  12. RISK MANAGEMENT.
     • Notice of Incident (even if your data is not disclosed)
     • Cooperation with regulatory authorities and law enforcement
     • Periodic audit rights
     • Notification costs responsibility
     • Costs of computer forensic experts
     • Use of sub-contractors
     • Cloud Services Termination: How does hosted data get disposed of? / Who pays?
     • Representations and Warranties about firm protecting data

  13. SECURITY & INSURANCE.
     • Encryption
     • Automatic red flag for AGs/FTC if data disclosed and not encrypted
     • Contractual Indemnity/Hold Harmless
     • Mandate insurance purchase by vendor
     • Require additional insured status

  14. DEALING WITH A SECURITY BREACH.
     • Data Breach Team and Plan needs to be in place
     • Compliance with State Notice
     • Make sure your insurance provides cover where cloud used
     • Notice all potentially applicable insurance

  15. POLICIES COVERING LOSS.
     • Take Inventory of Policies
     • GL, D&O, E&O, Crime, All Risk Property, Cyber Policies
     • 1st Party, 3rd Party, Hybrid Coverage Issues

  16. COVERAGE UNDER CGL?
     • IP Exposure
     • Data Loss
     • Business Interruption
     • Third Party Losses
     • Privacy

  17. WHEN CGL IS NOT ENOUGH. CYBER POLICIES!

  18. CURRENTLY AVAILABLE CYBER INSURANCE.
     • Privacy Injury Liability
     • Privacy Regulatory Proceedings and PCI Fines
     • Network and Content Liability
     • Crisis Management Fund
     • Network Loss or Damage
     • Business Interruption
     • Electronic Theft
     • Network Extortion

  19. RISK MANAGEMENT CONSIDERATIONS
     • Virus Coverage or Exclusions
     • Virus Defined in a Manner that Might Affect Hacker Coverage
     • “Confidential” Information vs. Trade Secrets vs. Customer Information
     • Coverage for Regulatory Matters (e.g., FTC)

  20. RISK MANAGEMENT CONSIDERATIONS
     • Data Security Efforts and Policyholder Protective Measures
     • Coverage for Network Computers Only? What about Laptops?
     • Insured Property / Locations / Premises
     • Where are Servers / Computers Housed?

  21. TIME SENSITIVE PROVISIONS.
     • Fear of Reporting Claims?
     • Timely Notice
     • Proofs of Loss
     • Suit Limitation Clauses

  22. LITIGATION ISSUES.
     • Not a Ton of Precedent
     • What Exists is Not Uniform
     • Careful What Gets Disclosed During Discovery: e.g., Sensitive Data, Customer Information, Network Security Blueprints

  23. ONE LAST THOUGHT. Side note for clients at risk due to a reduction in coverage:
     • Duty of Insurer to advise of reduction in coverage at renewal
     • Duty of Broker to inform client of reduction in coverage

  24. QUESTIONS?

  25. Thank You. Joshua Gold, Esq., (212) 278-1886, jgold@andersonkill.com
