
Walking the Data Security Tightrope: What’s Below?


Presentation Transcript


  1. Walking the Data Security Tightrope: What’s Below?

  2. Walking the Data Security Tightrope: What’s Below?
     MODERATOR:
     • Theodore J. Kobus, III, Esq., Chair, Technology, Media and Intellectual Property Practice Group, Marshall Dennehey Warner Coleman & Goggin
     PANELISTS:
     • Shena Crowe, Infragard Coordinator, Federal Bureau of Investigation
     • Nicholas Economidis, ARM, Underwriter, Beazley USA
     • Thomas C. Katona, President, Managing Member, Apogee Insurance Group
     • Leslie Lamb, Global Risk and Insurance Manager, Cisco Systems, Inc.
     • Adam Sills, Underwriter, Darwin Professional Underwriters, Inc.

  3. Overview
     • Types of Data Security Breaches/Threats/Vulnerabilities
     • Costs of Handling Data Security Claims
     • Insurance Coverage
     • Emerging Issues
     • Q&A

  4. Types of Data Security Breaches
     • A study by Kroll found the following types of breaches over a 5-year period:
       • 4.8% Disposal of documents/computers
       • 1.8% eMail
       • 20.8% Hacking
       • 22.4% Lost/missing/stolen laptops
       • 15.3% via the Web

  5. The Threat Environment
     • Lost or stolen laptops, computers
     • Backup tapes lost in transit
     • Hackers
     • Employees stealing information
     • Information brought in by a fake business

  6. Vulnerabilities
     • Poor business practices
     • Internal security failures
     • Viruses, trojan horses
     • Info tossed into dumpsters

  7. Business owners have a false sense of security about data breaches. A Zogby study recently showed:
     • Zogby study of 1,500 businesses
     • Data breaches are not the highest priority
     • Customer data should be protected
     • Breaches will harm a company
     • No plan or protections in place

  8. Costs of Handling Data Security Incidents
     • Risk Management Top Priorities
       • Protecting our brand
       • Protecting our customers
       • Improving our products

  9. Costs of Handling Data Security Incidents
     • Risk Management Top Focus Areas
       • Security awareness
       • Diversified business management
       • Extranet/partner management
       • Identity and access management
       • Infrastructure intelligence and reporting
       • Web application infrastructure protection

  10. Costs of Handling Data Security Incidents
      • Ponemon Institute estimate = $6.3M/breach
        • $4.1M ($128/record) is lost business
        • $2.2M ($69/record) is made up of:
          • Defense costs (incl. attorney fees)
          • Crisis Management/media/PR
          • Credit monitoring & Call Center support
          • Internal & Regulatory Investigation costs
      • Equates to $197 per lost customer record

  11. Costs of Handling Data Security Incidents
      • Notification Costs:
        • $1 to $2 per individual
      • Credit Monitoring:
        • $10 to $20 per person per year
        • 15% to 20% acceptance rate (higher for employees)

  12. Costs of Handling Data Security Incidents
      Sample Breach Notice

      URGENT ALERT

      Dear ____________________:

      At COMPANY, we take your privacy very seriously. That is why we are very sorry to have to report to you that _______________________________________. The theft occurred on __________. We have no reason to believe that the thieves gained access to the password-protected information on the laptop, let alone of any fraudulent or other misuse of your information by the thieves or anyone else, but want you to be aware immediately of this event. Meanwhile we are engaged in a thorough review of this incident to determine how we can better protect your information.

      There are some actions you can take to help protect yourself against misuse of your personal information, in the event that it is ever compromised. You can go to www.annualcreditreport.com and get a copy of your credit report. This service has now been made available across the United States at no charge to you. You may also wish to call the toll-free number of any of the three major credit bureaus and place a fraud alert on your credit report. As soon as any one credit bureau receives your fraud alert it will notify the other two. The credit bureaus are:

      • Equifax Credit Information Services, Inc.
        (888) 766-0008
        P.O. Box 740241
        Atlanta, GA 30374
        www.equifax.com
      • Experian
        (888) 397-3742
        www.experian.com
      • TransUnion
        (800) 680-7289
        Fraud Victim Assistance Division
        P.O. Box 2000
        Chester, PA 19022
        www.transunion.com

      The websites for all three credit reporting agencies have additional helpful information on how to protect your information. If you have any questions, please call _____ at ______.

      Very truly yours,

  13. Costs of Handling Data Security Incidents
      • Defense Costs:
        • Class action suits boost costs!
          • Hannaford
          • Bank of New York Mellon Corp.
          • Tri-West Healthcare
        • Electronic discovery

  14. Costs of Handling Data Security Incidents
      • Settlements or Judgments
        • Tri-West Healthcare (9th Circuit)
        • Certegy Check Services
          • $4 million; plus monitoring
        • Wells Fargo: $6.7 million

  15. Insurance Coverage
      • Traditionally not covered
        • Commercial General Liability
          • No bodily injury or property damage
          • No publication for “invasion of privacy”
        • Other types of insurance
          • Personal Injury/privacy exclusions
          • Professional Liability: “special intellectual ability” vs. “ordinary business activities”

  16. Insurance Coverage
      • Security & Privacy Insurance:
        • Liability: defense costs and damages
        • Notification costs
        • Credit monitoring expenses
        • 1st-party losses
      • Limits available:
        • Primary: up to $25 million
        • Excess: up to $150+ million
      • Sub-Limits often apply for Notification/Credit Monitoring

  17. Emerging Issues
      • Understanding & keeping pace with threats:
        • New threats such as “brandjacking”
        • Phishing is on the rise
      • Impact of compliance on global companies
      • Risk/benefit of litigation/prosecution
      • Increased cost of prevention

  18. Q & A

  19. Many Thanks to
      • Theodore J. Kobus III, Esq.
      • Shena Crowe
      • Nicholas Economidis, ARM
      • Thomas C. Katona
      • Leslie Lamb
      • Adam Sills
