
Murn Meyrick & Jonathan Ashall

Murn Meyrick & Jonathan Ashall. ORIMS Professional Development Day Privacy & Network Security Liability. April 9, 2008. Agenda. Privacy legislation & framework Exposures Recent Examples Insurance Response Underwriting. The Path to Privacy Legislation…….


Presentation Transcript


  1. Murn Meyrick & Jonathan Ashall
  ORIMS Professional Development Day
  Privacy & Network Security Liability
  April 9, 2008

  2. Agenda
  • Privacy legislation & framework
  • Exposures
  • Recent Examples
  • Insurance Response
  • Underwriting

  3. The Path to Privacy Legislation……
  • Growth and importance of IT systems and technology through the 1980s and 1990s meant past legislation was outdated.
  • Data being collected, stored and transmitted in ways not contemplated when existing legislation was enacted.
  • Clear that new legislation was required to ensure its relevance to the modern world.
  • Realisation of this led to a raft of legislation being enacted the world over, including……

  4. Privacy Legislation Around the World
  • Europe – EU Data Protection Act, overseeing various laws at Member State level including UK Data Protection Act.
  • USA – Fair Credit Reporting Act (FCRA), Gramm Leach Bliley Act (GLB), Health Insurance Portability & Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA) and various State acts.
  • Australia – Commonwealth Privacy Act, amended by Privacy Amendment (Private Sector) Act.
  • Canada – Privacy Act and Personal Information Protection & Electronic Documents Act (PIPEDA)

  5. Common Themes…
  • All seek to address the collection, storage and use of “personal information” by both Government agencies and the private sector.
  • All seek to outline appropriate technical and organisational measures to protect such data.
  • “Personal Information” usually described as any data that can be used to identify a living person, with focus upon financial and healthcare related data.
  • All seek to outline the rights of individuals and potential sanctions for breaches of such legislation.

  6. Legislation Continuing to Evolve
  • Initial legislative efforts focused on the rights of individuals to know what information is being stored by an organisation and to gain access to it, but…..
  • Little or no right to know when such information has been tampered with or leaked illegitimately to a third party as a result of a security or administrative breach.
  • US has led the way in implementing breach notification laws, mandating that organisations inform those individuals potentially affected by such a breach (notification laws now in place in 40 states and counting).
  • Following recent well-publicised security breach events, pressure is being put on legislators in other jurisdictions to follow suit.

  7. Canadian Privacy Law: The Framework
  Public Sector:
  • Privacy Acts (federal & provincial)
  • Criminal Code
  • Charter of Rights
  • Common Law
  • Collective Agreements
  Private Sector:
  • PIPEDA
  • Quebec Legislation
  • BC, Alta, Ontario
  • Health Privacy Act
  • Sector specific rules/regs
  • Criminal Code
  • Common law
  • Collective Agreements

  8. The Exposures
  • Negligent or intentional disclosure of personal information – mistakes, rogue employee
  • Cyber Attacks – hackers, extortion, sabotage
  • Fraud & other criminal offences – new offences proposed November 2007
  • Network & website disruptions due to glitches or malicious code

  9. The Exposures continued
  • Electronic theft/loss of proprietary competitive business data
  • Conflicting laws
  • New exposures?

  10. Exposures

  11. The Aftermath: Losses associated with a breach
  • Third Party Liability
  • Compensation to clients or employees
  • Class actions
  • Third party subrogation costs
  • Contingent business interruption – downstream loss
  • Contractual obligations

  12. Losses continued
  • Regulatory/law enforcement
  • Complaint to Privacy Commissioner/Federal Court
  • Recommendations/orders to change practices, damages (including humiliation with no cap), fines/penalties (PIPEDA – $100k)
  • Audit by commissioner
  • Criminal Code sanctions
  • Defence Costs for all of above

  13. Losses continued
  Direct Damages to Insured:
  • Decline in revenue
  • Restoration/Reconstruction costs
  • Response Plan
  • Notification costs
  • Law enforcement authorities
  • Auditors
  • Changes to internal processes
  • Mitigation/Crisis management costs
  • Credit monitoring
  • Call centre & website
  • PR

  14. The Reality: Survey results
  • FusePoint Data Confidence Survey 2007:
  • 62% of executives felt a security breach would impact their brand
  • Only 37% have confidence their data is protected against attacks
  • 20% of companies do not use anti-virus software, 25% do not have a firewall
  • Symantec Corp. survey 2007:
  • 91% of IT organizations carry out “full scenario” testing of disaster recovery plans. Nearly 50% failed.
  • 23% of city dwellers have themselves, or know someone who has, fallen victim to fraud or identity theft
  • IDC Canada Survey 2007:
  • There is an “irrationally” high level of confidence among Canadian firms regarding their security measures

  15. Current Events: A Sample of Incidents Worldwide….
  USA
  • TJX – Intruder gained access to 47 million customers’ info. Settlements with banks ~$65M
  • Harvard – hacker attacks server, accessing up to 10,000 student accounts and posting some of the info on the web
  • Hannaford Bros grocery – over 4 million credit and debit card numbers stolen during the authorization process, leading to 1,800 cases of fraud
  UK
  • Inland Revenue lost unencrypted discs containing sensitive information of 25 million British citizens.
  • Nationwide Building Society – theft of laptop containing unencrypted details of 11 million savers. Led to notification letters being sent to all 11 million individuals potentially affected and a £980,000 fine being levied by the FSA for inadequate systems and controls to address information security risk.

  16. …and in Canada
  • TJX/Winners:
  • In Canada alone, thousands of cases of fraud reported on stolen cards. Lawsuits follow from banks, shareholders (pension funds), class action by customers, regulatory probes in US and Canada.
  • CIBC: Jan. 07
  • Loss of computer file in transit between offices with data on 470,000 customers. Regulatory investigation follows.
  • Club Monaco: Jan. 07
  • Sought help from police and forensic experts to investigate privacy breach of credit card processor
  • Canada Post: Dec. 07
  • Security breach – login records of scores of small businesses using shipping website available

  17. continued…
  • Passport Canada: Dec. 07
  • Security flaw allows access to passport applicants’ personal information
  • Air Canada: Nov. 07
  • AC flights in GTA grounded for hours after computer “glitch” between reservation system and airport locale
  • Canadian Bar Association:
  • Unauthorized access to online orders and credit card information
  • Bell Canada: Feb. 08
  • 3.3 million customers have their personal information stolen. Suspect arrested in Montreal, after which public disclosure was made.

  18. The Insurance Response
  Evolution of Privacy Liability:
  • Cyber Insurance
  • Multimedia insurance
  • Network liability
  • Privacy
  • Disaster recovery analysis

  19. Coverage under “traditional” policies
  • A hodgepodge of policies may historically respond, including:
  • Errors & Omissions, General Liability, Data, Property, Media, Crime/Fraud, Directors & Officers, Cyber
  • Traditional policy response dependent on cause, impact and claimant – not all-encompassing
  • In general limited to the Personal Injury aspect of privacy losses, usually covered under General Liability or Professional Liability policies
  • Even more specific Cyber Liability policies do not address the unique liabilities presented by the changing legislative environment.
  • As awareness grows of potential privacy related liabilities, it is more likely that exclusionary language will be added to traditional policies.

  20. Privacy Liability Coverage
  • Privacy breach
  • Crisis Management and Notification Expenses
  • Network Security breach

  21. Underwriting
  • Privacy Statement
  • Application
  • Audit
  • Meetings

  22. Questions?
