Data Breach: Understanding the Risk and Managing a Crisis
Transcription
November 2010
Seminar
Presented by: Marsh Canada Limited
Presented in cooperation with:
• Kroll Ontrack
• Kroll Fraud Solutions
• Gowling Lafleur Henderson LLP
Toronto – November 9, 2010
Montréal – November 10, 2010
Leadership, Knowledge, Solutions…Worldwide.
Speakers
Data Breach: Understanding the Risk and Managing a Crisis Seminar
Lisa R. Lifshitz
Partner, Gowling Lafleur Henderson LLP
(Toronto only)
Danielle Waldman
Associate, Gowling Lafleur Henderson LLP
(Montreal only)
Theodore Theisen
Managing Consultant,
Kroll Ontrack
Alex Ricardo
Zone Leader,
Kroll Fraud Solutions
Robert Parisi
Senior Vice President,
Marsh USA Inc.
Lisa R. Lifshitz
Partner
Toronto
YEAR OF CALL
• 1995 Ontario
EDUCATION
• McGill University, LLB
and BCL
• Carleton University, BA
High Hons. and MA in
Soviet and Eastern
European Studies
t 416-369-4632
f 416-369-7250
[email protected]
Lisa R. Lifshitz is a partner in Gowlings' Toronto office, practising in the areas of
information technology and business law. A member of the Firm’s Technology
Industry Practice Group, Lisa specializes in preparing and negotiating technology
licences and agreements, including software licences, reseller, distribution,
development, system acquisition, maintenance and support agreements, joint
venture agreements, outsourcing agreements, confidentiality and professional
services agreements.
Lisa has extensive experience in preparing and negotiating Internet- and ecommerce-related contracts, including agreements for website development and
maintenance, online retail, cloud computing, web hosting, and website terms and
conditions. Lisa advises on technology law matters for a diverse client base, from
emerging companies to large institutions. She provides technology-related advice on
financings and acquisitions, including export control and open source advice on
cross-border deals. Lisa is also the founder and co-chair of the Firm's national
Privacy & Information Management Practice Group.
As a member of the Firm's Life Sciences Industry Group, Lisa also advises
pharmaceutical companies in the areas of product licensing (including drugs and
medical devices) and has extensive experience negotiating services agreements,
supply agreements, distribution/reseller agreements, funding and promotion
agreements, quality assurance agreements, clinical trial agreements and transition
agreements. Lisa also has extensive experience in the procurement of technology for
health care providers and in assisting pharmaceutical companies in government
tenders.
Lisa is currently the vice chair, subcommittees, of the Cyberspace Law Committee of
the Business Law Section of the American Bar Association and is the past-chair,
subcommittee on Membership and Public Relations of the Cyberspace Law
Committee. Lisa is a former director of the Information Technology Law Association
(ITechLaw), director and treasurer of the Canadian IT Law Association (IT.Can),
Canada's leading technology law organization and is the past chair of the
International Technology and Electronic Commerce Section of the Ontario Bar
Association. She is also the past-chair of the IT.Can’s ad hoc committee on ecommerce and is past-chair, vice chair and treasurer of the Toronto Computer
Lawyers Group.
COMMUNITY INVOLVEMENT
Lisa currently sits on the board of the McGill Alumni Association of Toronto. She is
the past president of the board of directors for the Children’s Aid Society of Toronto
and has also served on the board of directors of eHealth Ontario and the Ontario
Society for the Prevention of Cruelty to Animals.
ARTICLES, PAPERS & PRESENTATIONS
Lisa has authored numerous articles for such publications as Business Law Today,
Internet and E-Commerce Law in Canada, e-Commerce Law Report, DataGuidance
and the BNA International World Data Protection Report. She has spoken on
technology law issues for the American Bar Association, IT.Can, the Ontario Bar
Association, the Law Society of Upper Canada, Insight, Lexpert, ITechLaw,
Federated Press and the Canadian Institute.
RECOGNITIONS
Listed in Chambers Global Guide 2010 in Information Technology
Repeatedly recommended, Computer & IT Law, Canadian Legal Lexpert Directory,
2005-2010
Selected as leading lawyer in Internet & e-Commerce by 2010 Who's Who Legal
RELATED SERVICES
Technology
Privacy & Information Management
Corporate Finance, Securities & Public M&A
Energy
Financial Regulatory Law
Financial Services
Infrastructure
Life Sciences
Danielle Waldman
Associate
Toronto
YEAR OF CALL
• 2006 Ontario
EDUCATION
• University of Western Ontario, LLB
• York University, BA Hons. in Economics & Business, specializing in Financial Analysis
t 416-369-6182
f 416-862-7661
[email protected]
Danielle Waldman is an associate in Gowlings' Toronto office, practising in the area of business law with a specialization in technology, energy and infrastructure.
Danielle’s energy and infrastructure practice focuses on mergers and acquisitions, wind power projects, solar projects, corporate matters including structuring, financing and governance, and commercial and regulatory matters in the energy and infrastructure sectors. Danielle has also advised various international solar and wind developers with respect to entering the Canadian marketplace.
Danielle’s technology practice includes preparing and negotiating software license and maintenance and support agreements, website development agreements and other Internet-related agreements for various clients, including those in the energy and infrastructure sectors. She also advises clients with respect to privacy law matters, online consumer protection issues and financings of both early and mid-stage technology companies.
ARTICLES, PAPERS & PRESENTATIONS
Danielle has authored and co-authored publications for the American Bar
Association, the Consumer Finance Quarterly Law Report, the Ontario Bar
Association - Entertainment, Media and Communications Newsletter and various
Gowlings newsletters.
MEMBERSHIPS
Canadian Bar Association
Ontario Bar Association
Law Society of Upper Canada
RELATED SERVICES
Advertising, Marketing and Regulatory Affairs
Copyright Law
Corporate Finance, Securities & Public M&A
Energy
Infrastructure
Intellectual Property
Technology
Theodore J. Theisen, MCSE, MCP+I
Managing Consultant, Secure Information Services and Computer Forensics Consulting
Theodore Theisen is a managing consultant for Kroll Ontrack’s Secure Information Services and Computer Forensics Consulting group. In this capacity, Mr. Theisen provides investigative expertise, analytical assistance and digital forensic support to contribute to client success. He holds broad experience in information technology and investigations involving high technology elements, such as cyber-counterintelligence, cyber-counterterrorism, criminal computer intrusions, intellectual property rights violations and internet fraud, bolstering his ability to respond to and solve critical client issues.
Mr. Theisen previously served as a Special Agent for the Federal Bureau of Investigation in Minnesota and Delaware. He was one of the first Special Agents assigned to the Minnesota Cyber Crime Task Force, and was instrumental in pioneering sophisticated investigative techniques for cyber investigations. During his tenure in Delaware, Mr. Theisen collaborated with the United States Attorney’s Office in the District of Delaware to conduct cyber investigations. He further assisted the Delaware State Police with the implementation of the Delaware Child Predator Task Force and conducted forensic examinations of digital evidence to ascertain facts associated with cyber investigations.
In both Minnesota and Delaware, Mr. Theisen conducted investigations involving the theft of trade secrets, violations of copyrights, software piracy, and other elements of intellectual property rights violations. Further, he worked closely with international Legal Attaches and collaborated with other United States government agencies regarding the pursuit of international elements of his investigations.
Prior to his work as a Special Agent, Mr. Theisen worked for a large online brokerage as a systems engineer, where he gained extensive information technology experience on multiple platforms.
Mr. Theisen received his B.S. in Biology from the University of Nebraska in Omaha, Nebraska.
1242 Bridgewater Drive
West Chester, PA 19380
610 431 1405 Mobile 646 306 8754
[email protected]
www.krollontrack.com
Copyright © 2010 Kroll Ontrack Inc.
All Rights Reserved.
Fraud Solutions – Data Breach Services Team
Alex Ricardo
CIPP
Zone Leader
+1 212 833 3354 - office
+1 646 934 4100 - mobile
[email protected]
1166 Avenue of the Americas
New York, NY 10036
United States
Alex Ricardo serves the Data Breach Services Team of Kroll’s Fraud
Solutions practice as the Zone Leader for the Northeast, Southeast portions
of the US as well as Canada, nationwide. Alex is based in New York City
focusing on solutions for Breach Preparedness, Breach Response and
Identity Theft Protection. He brings to Kroll a fourteen-year background of
service to Fortune 500 corporations and government agencies, addressing
information leakage prevention, data/e-discovery, messaging encryption, and
internal threat management. His extensive experience with technology and
content security as well as regulatory mandates provides Kroll clients with a
broad spectrum perspective from which to address their needs for sensitive
data defense, response, and recovery solutions.
Prior to joining Kroll, Alex worked with Tablus (acquired by RSA/EMC), a
leading provider of enterprise solutions designed to safeguard sensitive
corporate data whether at rest, in motion, or in use. Before that, his sales
engineering efforts at Tumbleweed Communications (acquired by Axway –
Sopra Group), CipherTrust (acquired by Secure Computing – McAfee), and
PostX (acquired by IronPort - Cisco) focused on internet communications
security and content management for regulatory compliance.
Alex’s background in the software industry combined with his extensive
knowledge of security threats and mitigation best practices assures his clients
of a comprehensive problem-solving approach.
Alex is a Certified Information Privacy Professional (CIPP) which is a
credential issued by the International Association of Privacy Professionals
(IAPP). This credential demonstrates Alex’s breadth of knowledge on
privacy principles, general privacy law and information security best
practices throughout the United States and around the globe.
Fraud Solutions – Data Breach Services Team
Professional Experience
Alex Ricardo
• International Business Development. Alex’s expertise has been solicited to aid agencies of the United States, including the Federal Bureau of Investigation (FBI), Department of Labor (DOL), Internal Revenue Service (IRS), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC); as well as the governments of Hong Kong (Hong Kong Post, Office of the Government Chief Information Officer) and Australia (Australian Tax Office (ATO), Australian Government Information Management Office (AGIMO), Department of Justice, Australian Foreign Affairs and Trade Office, Reserve Bank of Australia and Health eSignature Authority).
• Service Consultant. Alex worked on PosteCS®, a web-based secure document delivery and e-messaging solution jointly commissioned by the US Postal Service, Canada Post Corporation and La Poste of France. PosteCS helps businesses communicate privately over the Internet. His responsibilities with this engagement led him to work closely with national posts of other countries, including Germany, Portugal, and Singapore.
• Speaker and Facilitator. Alex has been an invited speaker at conferences nationwide, including: New York City Bar Association (www.nycbar.org), Healthcare Financial Management Association (www.hfma.org), American Society for Healthcare Risk Management (www.ashrm.org), Professional Liability Underwriting Society (www.plusweb.org), Midwest Higher Education Compact (www.mhec.org), College and University Professional Associations (www.cupa.org), University Risk Management & Insurance Association (www.urmia.org), Financial Executives International (www.financialexecutives.org), SecureWorld (www.secureworldexpo.com), Angelbeat (www.angelbeat.com) and various seminars sponsored by Marsh (www.mmc.com) as well as network security firms such as FlatEarth networking (www.flatearth.net).
On behalf of the office of the Consulate General of the United States – Hong Kong and Macau (www.hongkong.usconsulate.gov) he facilitated a security summit of Hong Kong-based IT executives of US corporations to discuss information loss attacks, identity theft and data leakage prevention.
Education
Stevens Institute of Technology, B.E., Materials and Polymer Engineering - 1992
Stevens Institute of Technology, Technology Management Graduate Program
Professional Affiliations
Certified Information Privacy Professional (CIPP)
International Association of Privacy Professionals (IAPP) (www.privacyassociation.org)
Fellow, Council on Litigation Management (www.litmgmt.org)
InfraGard – New York Chapter (www.infragard.org)
Anti-Phishing Working Group (www.antiphishing.org)
LinkedIn (www.linkedin.com/in/alexricardo)
Certifications and Awards (Theodore J. Theisen)
■ Microsoft Certified Systems Engineer (MCSE)
■ Microsoft Certified Professional Plus Internet (MCP+I)
■ Exemplary Service Award, Federal Bureau of Investigation, for achievements at National Joint Terrorism Task Force, 2006
■ Dedicated Service Award, Federal Bureau of Investigation, for contributions to the Terrorist Screening Operations Unit, 2008
■ United States Attorney Award, United States Attorney’s Office, District of Delaware, for contributions to Project Safe Childhood/Internet Crimes Against Children, 2010
Complete curriculum vitae available upon request.
Professional Biography
Robert Parisi, Jr.
Senior Vice President
Current Responsibilities
Robert Parisi is a senior vice president and Technology, Network Risk & Telecommunications
specialist in Marsh’s New York City headquarters. His current responsibilities include advising
clients on issues related to technology, privacy, and cyber related risks as well as negotiating with
the carriers on terms and conditions.
Experience
Prior to joining Marsh, Robert was the senior vice president and Chief Underwriting Officer (CUO)
of eBusiness Risk Solutions at AIG. Robert joined AIG in 1998 as legal counsel for its
Professional Liability group and held several executive and legal positions, including CUO for
Professional Liability and Technology. While at AIG, Robert oversaw the creation and drafting of
underwriting guidelines and policies for all lines of Professional Liability. In addition to working
with AIG, Robert has also been in private practice, principally as legal counsel to various Lloyd’s
of London syndicates.
While at Marsh, Robert has worked extensively with healthcare clients, in particular several
BC/BS affiliates and numerous hospitals, assisting them in analysis of their risk as well as in the
placement of coverage for cyber and privacy risks.
Education
• JD from Fordham University School of Law
• BA in Economics from Fordham College
Affiliations
• Spoken at various business, technology, legal, and insurance forums throughout the world
• Written on issues affecting professional liability, privacy, technology and telecommunications, media, intellectual property, computer security, and insurance
• Admitted to practice in New York and the U.S. District Courts for the Eastern and Southern Districts of New York
• Honored by Business Insurance magazine (2002) as one of the Rising Stars of Insurance
• In 2009, honored by Risk & Insurance magazine as a Power Broker
Data Breach Notification in
Canada: Your Legal
Obligations
Lisa R. Lifshitz
Danielle Waldman
Gowling Lafleur Henderson LLP
Toronto
Data Breach Notification in Canada
Overview
• Privacy framework
– Private Sector
– Health Sector
– Public Sector (which will not be discussed in this
presentation)
• Privacy breach notification in Canada
– Existing Law
– Pending Legal Amendments
Privacy Framework
Q: How is privacy in the private sector regulated in Canada?
A: Canadian businesses and private sector organizations are
subject to federal or provincial privacy protection legislation
governing both customer and (with some exceptions)
employee information.
Federal: Personal Information Protection and Electronic
Documents Act (“PIPEDA”)
• PIPEDA, a federal statute, regulates the collection, use and disclosure of personal information by federal works, undertakings and businesses, including personal information about their employees.
• PIPEDA applies to federally-regulated private sector organizations.
• PIPEDA also applies to all personal information that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to PIPEDA or to substantially similar legislation.
• Largely does not apply in provinces that have substantially similar privacy legislation, namely Alberta, British Columbia and Quebec.
Privacy Framework
Provincial
• British Columbia, Alberta, and Quebec have their own
privacy legislation that regulates the private sector.
– British Columbia: Personal Information Protection Act
– Alberta: Personal Information Protection Act
– Quebec: An Act Respecting the Protection of Personal
Information in the Private Sector
• In all the other provinces and territories, PIPEDA applies
to the collection, use and disclosure of personal
information by the private sector.
Privacy Framework
How is privacy in the health sector regulated in
Canada?
• Saskatchewan, Manitoba, Alberta and Ontario have each
passed legislation to deal specifically with personal health
information by public and private sector health care
providers and other health care organizations.
– Saskatchewan: Health Information Protection Act
– Manitoba: Personal Health Information Act
– Alberta: Health Information Act
– Ontario: Personal Health Information Protection Act
• New Brunswick recently enacted the Personal Health
Information Privacy and Access Act that came into force
on September 1, 2010.
Privacy Breach Notification
Privacy Breach Notification in Canada
Private Sector
– Alberta
– British Columbia
– PIPEDA
Health Sector
– Ontario
– New Brunswick
– Newfoundland and Labrador
Privacy Breach Notification
What is a privacy breach?
• A privacy breach occurs when there is “unauthorized access to or collection, use or disclosure of personal information.”
• Common privacy breaches happen when personal
information of customers, patients, clients or employees is
lost, stolen, or mistakenly disclosed.
• E.g. a computer containing private information is stolen or
hacked.
Privacy Breach Notification – Alberta
Alberta Personal Information Protection Act (“PIPA”)
• First Canadian jurisdiction to require mandatory privacy breach
notification by private sector organizations.
• In force May 1, 2010.
• Private sector organizations are required under the mandatory privacy breach notification provisions to notify the Privacy Commissioner if personal information under their control is accessed, lost or disclosed without authorization.
• Failure to notify the Commissioner of a breach is an offence.
• Organizations can face a fine of up to $100,000 under section 59(2)(b).
Privacy Breach Notification – Alberta
When must the Commissioner be notified?
• Threshold of notification: “real risk of significant harm”
• “Significant harm” means “a material harm; it has non-trivial
consequences or effects. Examples may include possible financial
loss, identity theft, physical harm, humiliation or damage to one’s
professional or personal reputation”.
PIPA Information Sheet 11
• “Real risk” means “a reasonable degree of likelihood that the harm
could result”; must be more than “merely speculative” and not simply
“hypothetical or theoretical”.
PIPA Information Sheet 11
• Once the threshold is met the security breach must be reported to the
Commissioner without unreasonable delay.
Privacy Breach Notification – Alberta
Who must notify the Commissioner?
• Organization with control of the personal information.
• “Control” of personal information is broadly defined and is
not limited to information in an organization’s physical
possession.
• E.g. if an organization contracts with another business and the contractor suffers a security breach, the principal organization remains responsible for ensuring the Commissioner is notified if the harm threshold is met.
PIPA Information Sheet 11
Privacy Breach Notification – Alberta
What are the contents of notice to the Commissioner?
(section 19 of the PIPA Regulations)
• A description of the circumstances of the loss or unauthorized access or
disclosure;
• The date on which, or time period during which, the loss or unauthorized
access or disclosure occurred;
• A description of the personal information involved in the loss or
unauthorized access or disclosure;
• An assessment of the risk of harm to individuals as a result of the loss or
unauthorized access or disclosure;
• An estimate of the number of individuals to whom there is a real risk of
significant harm as a result of the loss or unauthorized access or
disclosure;
• A description of any steps the organization has taken to reduce the risk of harm to individuals;
• A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
• The name of and contact information for a person who can answer, on
behalf of the organization, the Commissioner’s questions about the loss
or unauthorized access or disclosure.
Privacy Breach Notification – Alberta
Alberta PIPA
• When notified, Commissioner will review the information
provided and determine whether affected individuals need
to be notified (see section 37.1).
• Commissioner can direct organization to notify individuals
in form and manner of PIPA regulations (see section 19.1
of the PIPA Regulations).
• Purpose of notification to individuals is to allow the
individual to take steps to reduce his/her risk of harm, or
the extent of the harm, where possible.
Privacy Breach Notification – BC
British Columbia Personal Information Protection Act
(“PIPA”)
• April 2008 Final Report of the Special Committee to
Review PIPA.
• Committee recommended requirement to notify in
carefully defined and controlled circumstances (e.g., loss
of confidential medical records).
• Breadth of any enacted notification provision remains to
be seen.
Privacy Breach Notification – PIPEDA
Federal legislation - PIPEDA
• Current framework for privacy breach notification in the
private sector outside of Alberta is PIPEDA.
• Voluntary security breach notification.
• Guidelines from Federal Privacy Commissioner.
• Anticipation that breach notification may become a
mandatory mechanism (Bill C-29).
Privacy Breach Notification – PIPEDA
Federal legislation – PIPEDA
• Applies to personal information that is collected, used or
disclosed by all:
• Federal Works
• Undertakings; and
• Businesses
• Includes personal information about employees.
• Also applies to personal data that flows across provincial
or national borders, in the course of commercial
transactions involving organizations subject to PIPEDA or
substantially similar legislation.
Privacy Breach Notification – PIPEDA
• Currently, under PIPEDA, data breach requirements are subject to certain voluntary guidelines created by the Privacy Commissioner’s Office in August 2007 entitled ‘Key Steps for Organizations in Responding to Privacy Breaches’.
• The Commissioner also developed an associated Checklist to assist organizations in ensuring they have dealt with all relevant considerations of the breach.
• Four key steps to consider when responding to a breach:
1. Breach containment and preliminary assessment;
2. Evaluation of the risks associated with the breach;
3. Notification; and
4. Prevention.
Privacy Breach Notification – PIPEDA
1. Breach Containment and Preliminary Assessment
• Take immediate common sense steps to limit the data breach.
• Immediately contain the breach.
• Determine who should be made aware of the incident internally and potentially externally.
• If it appears to involve theft/criminal activity, notify the police.
Privacy Breach Notification – PIPEDA
2. Evaluation of the Risks Associated with Breach
• What personal information was involved?
• What was the cause and extent of the breach?
• What individuals were affected by the breach?
• What is the foreseeable harm that could result from the breach?
Privacy Breach Notification – PIPEDA
3. Notification
• Notification is an “important mitigation strategy”.
• In determining whether to notify, companies should consider:
– Legal and contractual obligations.
– Risk of harm to the individual.
– Reasonable risk of identity theft or fraud?
– Risk of physical harm.
– Risk of humiliation or damage to reputation.
– Ability of the individual to avoid or mitigate possible harm.
Privacy Breach Notification – PIPEDA
When/How/Who Should Notify
• As soon as reasonably possible.
• Preferred method is direct notification (e.g. phone, letter or email).
• The organization with the direct relationship with the individual should notify.
Content of Notification:
• Information about the incident and its timing.
• Description of the information involved.
• General account of the organization’s steps to control/reduce harm.
• Organization’s available assistance.
• Contact information for questions.
• If applicable, indicate whether the Privacy Commissioner has been notified.
Privacy Breach Notification – PIPEDA
4. Prevention
• Investigate the breach with a view to developing a prevention plan depending on the nature/type of breach (i.e. isolated or systemic).
• Possible security audit of physical and technical security.
• Review of policies and procedures, including any changes to reflect lessons learned.
• Review of employee training practices.
• Review of service delivery partners.
Privacy Breach Notification – PIPEDA
Penalties & Enforcement
• No penalty under PIPEDA for actual failure to follow
guidelines (problematic!)
• However, Federal Privacy Commissioner has power to
investigate underlying breach.
• Section 14 allows a complainant, after receiving
Commissioner’s report to apply to Federal Court for a
hearing of the complaint.
• Available remedies include an order to correct practices,
publish notice of action taken/proposed to correct
practice, and damages.
Privacy Breach Notification – PIPEDA
Bill C-29: Making Notification Mandatory
• Federal government tabled Bill C-29 to amend PIPEDA (passed first reading May 25, 2010).
• Bill C-29 proposes mandatory breach notification provisions similar to those legislated in Alberta, imposing data breach reporting and notification duties on organizations.
• Bill C-29 would impose duties to:
1) report “material” breaches of security safeguards to the Commissioner;
2) notify individuals of a breach when it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”; and
3) notify other organizations if they might reduce the risk of harm or mitigate the harm from the breach.
Privacy Breach Notification – PIPEDA
Bill C-29
• “Materiality” assessed in relation to the sensitivity of the
information at risk, the number of persons affected and
whether or not breach was an isolated incident or
systemic problem.
• “Real risk” based on the sensitivity of the information and
the probability that the personal information will be
misused.
• “Significant harm” includes bodily harm, humiliation,
damage to reputation or relationships, loss of
employment, business or professional opportunities,
financial loss, identity theft, negative effects on the credit
record and damage to or loss of property.
Privacy Breach Notification - PIPEDA
• Organizations required to give notification “as soon as
feasible” after confirming the breach and concluding
notification is required.
• Notice must provide sufficient information to allow the
individual to understand the significance of the breach to
them and to take possible steps to mitigate harm.
• Note that unlike Alberta’s amendments to PIPA, the
amendments do not give the Commissioner the power to
order notification to individuals even if a material breach
has been reported. This is left to the discretion of the
organization.
Privacy Breach Notification – Health Sector
Personal health information legislation
– Ontario
– New Brunswick
– Newfoundland and Labrador
Privacy Breach Notification – Ontario
Ontario Personal Health Information Protection Act
(“PHIPA”)
• PHIPA requires ‘health information custodians’ (e.g.,
hospitals, physicians, laboratories) to notify affected
individuals in circumstances where the privacy of their
personal health information has been compromised.
• Notification required in every case of breach.
• Commissioner: when a laptop / mobile computing device is lost or stolen, the statutory obligation to notify will not apply if the personal health information was properly encrypted.
Section 12(2), PHIPA
Privacy Breach Notification – New Brunswick
New Brunswick Personal Health Information Privacy
and Access Act (“PHIPAA”)
• Came into force on September 1, 2010.
• Custodians required to notify at the first reasonable
opportunity the individual to whom the information relates
and the Privacy Commissioner.
• Notification is not required where it is reasonably believed the breach will not lead to identification of the patient or other adverse impact.
• If information appropriately encrypted, notification likely
not required.
Privacy Breach Notification – Newfoundland
Newfoundland and Labrador Personal Health
Information Act (“PHIA”)
• Not yet fully in force.
• Notify individual(s) and Commissioner at first reasonable
opportunity after breach where custodian reasonably
believes there has been a “material breach” (as defined in
the regulations).
• Notification not required where custodian reasonably
believes breach will not have an adverse impact on
individual.
• Full Proclamation anticipated December 2010.
Recommendations/Conclusion
Organizations should:
• Incorporate into their privacy breach protocol a step requiring reporting to
the Privacy Commissioner of any serious breach;
• Ensure employees are aware of, and in compliance with, policies and
practices regarding breach notification;
• Develop a comprehensive security program to protect the confidentiality,
integrity and availability of all information, not just personal;
• Develop data classification standards that identify personal information;
• Conduct a risk assessment of all personal information and ensure proper
security controls are in place to protect it; and
• Be proactive and start revising and developing policies for handling
security breaches.
Mandatory notification likely the way of the future.
Questions or Comments?
Thank you!
Lisa R. Lifshitz
416.369.4632
[email protected]
Danielle Waldman
416.862.6182
[email protected]
montréal · ottawa · toronto · hamilton · waterloo region · calgary · vancouver · moscow · london
The Art of Breach Crisis
Management
Alex Ricardo, CIPP
www.KrollFraudSolutions.com
Will you become a statistic?
 McMaster eBusiness Research Centre (MeRC) reports that in 2008, 23% of
Canadians have been victimized, up from 17% in 2006.
Fastest growing white collar crime in Canada ($2B) and the world, recently
surpassed drugs as highest grossing crime in the world.
 2009 Rotman-TELUS joint study, annual losses from breaches have increased
from $423,469 to $834,149. Up in all categories.
 Individual identity theft issues can take up to 175 hours and $1,500 to resolve.
Tremendous media exposure and growing class-action litigation.
[Chart: Identity Theft Crime by Age in 2009. Age groups: 1-29, 30-39, 40-49, 50+. Values shown: 31%, 22%, 28%, 19%.]
2009 How Data is Lost (General)
[Chart: Inside Perpetrator (Accidental and Malicious Intent). Source: www.DataLossDB.org]
2009 How Data is Lost (General)
[Chart: Inside vs. Outside the Organization. Source: www.DataLossDB.org]
Data Breach Statistics: Data Loss by Type
[Chart. Source: www.DataLossDB.org]
How can Identity Theft affect your financial security and healthcare?
 Money and time are at risk
 The risk of the thoroughness of the recovery can be based on restoration method
 “20 Step Guides” – self-restoration
 “Fraud Specialist” – usually in-house trained or paralegals
 Certified Investigator-conducted restoration
 Identity Theft affects beyond credit
 Criminal activity/record
 Collector harassment
 Higher insurance rates/premiums
 Difficulty in securing or obtaining employment
 Damaged driving record
 Healthcare/Welfare issues
 Canada Revenue Agency (CRA) issues
“The average identity theft takes 175 hours and $1,500 to resolve by a lay-person.” – FTC Survey
Breaches: By the numbers….
Cost of a breach record (© Ponemon Institute): $204 USD per record (2009), made up of:
– VICTIM COSTS – $10.00: Notification; Call Center; Identity Monitoring (credit/non-credit); Identity Restoration
– DIRECT COSTS – $14.00: Discovery/Data Forensics; Loss of Employee Productivity
– INDIRECT COSTS – $40.00: Restitution; Additional Security and Audit Requirements; Lawsuits; Regulatory Fines
– OPPORTUNITY COSTS – $140.00: Loss of Consumer Confidence; Loss of Funding
Breaches: By the numbers….
Consumer Confidence Survey (© Javelin Strategy & Research)
– 80% I monitor the details of my accounts more often
– 60% It did not change my relationship
– 55% I trust that company or institution less with my personal information
– 37% I use their services less, but maintain a relationship
– 33% I closed my accounts
– 31% I am more confident in my relationship with that company or institution
– 30% I would never purchase products from them again
– 29% I stopped donating money or sponsoring the institution
– 29% I would never maintain a relationship with the institution in the future
– 23% I switched providers (medical, insurance or banking)
– 18% I use their products or services more often
– 16% I have opened more accounts
Case Studies on ID Theft
• Heartland
• TJX (Winners – Home Sense)
• Alberta Health Services – Healthcare Identity Fraud
• Passport Canada
• Chrysler Financial Canada
• Toronto Hydro
• Western, Ryerson, Memorial & Centennial College
• Employment Fraud
• Broken Business Practices
• Email sent to wrong person (send all)
• University Job Fair – Higher Education
• Methamphetamines, Gangs and Organized Crime – identities are a currency
• Fraud Rings – Websites (Shadow Crew) and Chatrooms
Post Breach
Investigation and Documentation
 Has the breach been contained?
 Isolate the affected system to prevent further exposure
 Have you engaged expert outside counsel?
 Data Forensics
 Legal Counsel
 Breach Crisis Management Services
 Reputational Risk Advisory
 Have you considered using a third-party forensics team?
 Credible third party assessment
 Reliable Chain of Custody
 Backups of all pertinent system logs
 Attorney-client privilege
The Forensics Front
Theodore “Ted” Theisen
Prepare/Prevent: A Holistic Approach
– Data Mapping & Inventory
– Table Top Exercises
– Data Accessibility Assessment
– Data Security Assessment and Strategy
– Vulnerability Testing
– Credit Monitoring
– Network Monitoring
– Records Retention Consulting
– Data Preservation and Collection
– Compliance and Global Data Privacy
– Incident Response Strategy
– Data Archiving
– Incident Response
Respond/Remediate: A Holistic Approach
– Incident Response
– Data Preservation and Collection
– Breach Scope Determination
– Information Security Consulting
– Network and Forensic Data Analysis
– Breach Investigation
– Business Investigation Services
– Custodian Interviews
– Breach Notification
– Breach Contact Call Center Support
– Identity Theft Investigation and Restoration
– Credit Report and Non-Credit Searches
– Expert Testimony
– Continuous Credit Monitoring
– Information Technology Remediation
Kroll Case Study #1
Situation
Kroll Case Study #1
Kroll was critical to the investigation and breach remediation and notification
process.
 Information Security/Breach Assessment
– Gathered facts from numerous sources to determine scope of breach
– Responded and located backup tapes of stolen data
 Data Review Services, Computer Forensics, Data Recovery and Information Security Consulting
– Rebuilt server environment based on backup tapes, with assistance of Data Recovery and Computer Forensics teams
– Exhaustive inventory of all data included on the drives, including reviewing data for consumers’ personal information
– Information Security Assessment and Penetration Test (ongoing)
 Enhanced Identity Theft Consultation and Restoration Services
– Member notifications (approximately ½ million notifications delivered)
– Identity theft restoration
Kroll Case Study #1
Solution Continued
 Kroll Infrastructure
– One isolated network and two video servers
– 210 computers
– Five review rooms with tables/desks and chairs
 Data
– Audio
▪ Received 3,167,619 audio files
▪ Reviewed 1,206,239 audio files (after searching/filtering)
– Video
▪ Received & reviewed 160,110 video files
 People
– 420 reviewers (a total of 89,700 labor hours)
 Timing
– 7.5 weeks of review
– Approx. two weeks of initial planning and final production
– Two shifts, Monday – Saturday (6:30am – 4:30am)
Thank You
Theodore J Theisen
Managing Consultant
Kroll Ontrack
1242 Bridgewater Drive
West Chester, PA 19380
Office: 610.431.1405
Mobile: 646.306.8754
Email: [email protected]
For More Information:
www.KrollOntrack.com
Post Breach
Crisis Management
 Have you carefully considered …
– With whom you will communicate?
– What you will communicate?
– How you will communicate?
– When you will communicate?
Constituents: Customers; Board of Directors; Privacy Commissioners; Shareholders; Auditors; Financial Analysts; Employees; Law Enforcement; Management; Media; Consumer Reporting Agencies; Payment Card Providers; Provincial Governments.
Notification
Timing
When should my notifications be released?
– Has the breach been contained?
– Has a reasonable investigation been concluded?
– Some provinces require notification in a timely manner.
– Are you comfortable that you know enough about the event?
– Are you being transparent and truly helping the victims?
– Have you considered the timing of notification to the relevant Privacy Commissioners’ offices?
Responding to Questions and Answering Calls
“The Call Center”
– Deliver remedy with notification
– Avoid a deluge of calls
– Remove frustration from victims
Who will the victims call?
– Availability
– Language barriers
– Knowledge of the event
– Knowledge of identity theft concerns
▪ Non-credit related fraud: employment fraud, cheque, healthcare, utility and insurance
▪ Ability to investigate and provide an affidavit for liability
– Pre-existing conditions
▪ Incorrect information in credit report
▪ Unrelated rejection for credit
▪ Insurance fraud
Providing Protection to Victims
What services will you make available?
– Protection against credit and non-credit fraud
– Investigative services for non-credit fraud
– Handling of inconsistent cross-bureau data
– Insurance
How will the services you provide help victims of ID Theft?
– Government issued ID fraud, healthcare fraud, insurance fraud, check fraud, employment fraud, utility fraud (80% of fraud)
– Investigators
– DIY kits
How will you handle the deceased, minors and expatriates?
– Unique notification
– Credit services not an option
Best Practices
Breach Preparedness and Prevention
– Maintain a Cyber Risk Transfer Instrument
– Have a proper Background Screening Program for new hires and vendors
– Pre-arrange a Breach Service Provider, Outside Counsel and Reputational Risk Advisor
▪ All specializing in Privacy Law and Breach Crisis Management
– Provide “Certification” through e-Learning to the employee base on safeguarding data
– Develop an Incident Response Plan
▪ Internal Staff, Outside Counsel, Reputational Risk Advisor, Breach Service Provider
– Conduct annual Risk Assessments and Tabletop Exercises
– Hold an internal “Privacy Summit” to identify vulnerabilities
▪ Risk, Compliance and Privacy, HR, Legal, IT, C-level representation (CFO), Physical Security / Facilities
– Keep General Counsel’s office current on the various federal and provincial disclosure laws and updates
Best Practices
Breach Crisis Management
– Retain an outside counsel who specializes in Privacy Law and Breach Crisis Management
– Notify correctly vs. quickly
▪ Defuse anger and emotion among constituents
▪ Provide remedy with notification
▪ Identify an accurate breach universe to minimize public exposure to the event
▪ Unique constituents
– Leverage an Outside Call Center
– Retain a Reputational Risk Advisor who specializes in Breach Crisis Management
– Investigate – Investigate – Investigate
▪ Have outside counsel retain any data forensics investigation
▪ Potentially minimize public exposure to the event
– Leverage a Breach Service Provider to conduct Recovery
▪ Pre-existing ID Theft victims
▪ More thorough recovery and restoration
Kroll Breach Response Services
 Enrollment and Notification Services
– Enrollment of constituents from a breach universe
– Construction, compliance review, print & delivery fulfillment of notifications
– Address Verification Services
 Solution Support Center
– Fully Canadian-based and fully bilingual call center specially trained for ID Theft Issues
– Triage Center
▪ General ID Theft questions, issues or concerns
▪ Credit Specialists for credit-related matters on your credit report or credit monitoring service
▪ Certified Investigators for fraud consultation and restoration matters
 Identity Monitoring Services
– Assistance in ordering 2 bureau credit reports
– Real-time 1 Bureau Credit Monitoring and Alerts (optional, requires independent agreement with Equifax Canada)
– Non-Credit Monitoring Services
– Monitoring Services for Minors
 Fraud Consultation
– Use of Kroll’s Certified Investigators for consultation on a potential fraud matter.
 Identity Restoration
– Use of Kroll’s Certified Investigators for restoration services on behalf of the victim.
– Remove the burden of restoration from the victim with an assigned Certified Investigator
– Assure a more thorough recovery by leveraging a credentialed Certified Investigator
Thank You
Alex Ricardo, CIPP
Zone Leader – Eastern US and Canada, Nationwide
Kroll Fraud Solutions
1166 Avenue of the Americas
New York, NY 10036
Office: 212.833.3354
Cell: 646.934.4100 (24/7)
Email: [email protected]
For More Information:
www.KrollFraudSolutions.com
Issues in Risk Management:
Privacy and Data Breach
Understanding the Risk and Managing a Crisis
Robert Parisi
Senior Vice President
Marsh USA Inc.
Risk Overview
What are the risks?
 Privacy, computer, and network security are not just Internet issues.
 Any entity that transacts business using:
– a computer network; or
– confidential information is at risk.
 3000 B.C.
– Chinese merchants disperse shipments so as to minimize the risk
of total loss.
“Essentially, data loss is no longer a question of what if?
The only question is when?” And how severe.
What are the risks?
Part II
 Legal liability to others for computer security breaches
 Legal liability to others for privacy breaches
 Regulatory actions and scrutiny
 Loss or damage to data / information
 Loss of revenue due to a computer attack
 Extra expense to recover / respond to a computer attack
 Loss or damage to reputation
 Cyber-extortion
 Cyber-terrorism
Threat Environment
 Social Media/Networking
 Technology:
– Hackers, viruses, etc.
 Internal:
– Structural vulnerability
– Rogue employees
– Careless staff
 Old School:
– Laptop theft
 External:
– Dumpster diving
– Organized crime:
 Foreign
 Domestic
– Hackers
– Phishing
 Regulatory
Risk Identification
Potential Risk Event | Likelihood | Potential Impact
Legal liability to others for privacy breaches | High | High
Privacy breach notification costs and credit monitoring | High | Medium
Privacy regulatory action defense and fines | Low | Medium
Costs to repair damage to your information assets | Low | Medium
Loss of revenue due to a failure of security or computer attack | Medium (overall), High (e-commerce) | Medium (overall), High (e-commerce)
Loss of revenue due to a failure of security at a dependent technology provider | Low | Medium
Cyber-extortion threat | Low | Medium
Website copyright / trademark infringement claims | Low | Low - Medium
Legal liability to others for computer security breaches (non-privacy) | Low | Medium
(The cells of the last two rows are assigned in the order in which they appear in the transcription.)
Coverage Overview
What are the gaps in traditional policies?
Traditional insurance was written for a world that no longer exists.
Attempting to fit all of the risks a business faces today into a traditional
policy is like putting a round peg into a square hole.
– Errors and Omissions (E&O): Even a broadly worded E&O
policy is still tied to “professional services” and often further
tied to a requirement that there be an act of negligence.
– Commercial General Liability (CGL): Covers only bodily and
tangible property—Advertising Injury / Personal Injury (AI/PI)
section has potential exclusions/limitations in the area of
web advertising.
– Property: Courts have consistently held that data isn’t
“property”— “direct physical loss” requirement not satisfied.
– Crime: Requires intent and only covers money, securities, and
tangible property.
– Kidnap and Ransom (K&R): No coverage without amendment
for “cyber-extortion.”
Security and Privacy Insurance Policy Coverage Overview
Note: All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies.
Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk.
Legend: Covered; Not covered; See notes; Dependant upon specifics of claims, may not be covered.
Policies compared: Property; General Liability; Traditional Fidelity Bond; Computer Crime; E&O; Special Risk; Broad Privacy and Cyber Policy.
Privacy and Cyber Perils, with the part of a Broad Privacy and Cyber Policy that responds to each:
– Destruction, corruption, or theft of your electronic information assets/data due to failure of computer or network: Information asset protection
– Theft of your computer systems resources: Information asset protection
– Business interruption due to a material interruption in an element of your computer system due to failure of computer or network security (including extra expense and forensic expenses): Network Business Interruption
– Business interruption due to your service provider suffering an outage as a result of a failure of its computer or network security: Network Business Interruption (sub-limited or expanded based upon risk profile)
– Indemnification of your notification costs, including credit monitoring services: Privacy Liability (sub-limited)
– Defense of regulatory action due to a breach of privacy regulation: Privacy Liability (sub-limited)
– Coverage for fines and penalties due to a breach of privacy regulation: Privacy Liability
– Threats or extortion relating to release of confidential information or breach of computer security: Cyber Extortion
– Liability resulting from disclosure of electronic information and electronic information assets: Network Operations Security
– Liability from disclosure of confidential commercial and/or personal information (i.e. breach of privacy): Privacy Liability
– Liability for economic harm suffered by others from a failure of your computer or network security (including written policies and procedures designed to prevent such occurrences): Network Operations Security
Coverage Overview
Network Security Liability: Liability to a third party as a result of a failure of
your network security to protect against destruction, deletion, or corruption of a
third party’s electronic data, denial of service attacks against internet sites or
computers; or transmission of viruses to third party computers and systems.
Privacy Liability: Liability to a third party as a result of the disclosure of
confidential information collected or handled by you or under your care,
custody, or control. Includes coverage for your vicarious liability where a
vendor loses information you had entrusted to them in the normal course of
your business.
Crisis Management and Identity Theft Response Fund: Expenses to
comply with privacy regulations, such as communication to and credit
monitoring services for affected customers. This also includes expenses
incurred in retaining a crisis management firm for a forensic investigation or for
the purpose of protecting/restoring your reputation as a result of the actual or
alleged violation of privacy regulations.
Coverage Overview (continued)
Cyber Extortion: Ransom or investigative expenses associated with a threat
directed at you to release, divulge, disseminate, destroy, steal, or use the
confidential information taken from the insured, introduce malicious code into
your computer system; corrupt, damage, or destroy your computer system, or
restrict or hinder access to your computer system.
Network Business Interruption: Reimbursement of your loss of income and
/ or extra expense resulting from an interruption or suspension of computer
systems due to a failure of network security to prevent a security breach.
Includes sub-limited coverage for dependent business interruption.
Data Asset Protection: Recovery of costs and expenses you incur to restore,
recreate, or recollect your data and other intangible assets (i.e. software
applications) that are corrupted or destroyed by a computer attack.
Privacy Liability
Why is it different from cyber liability?
 Breach of Privacy:
– Disclosure of confidential information:
▪ Personal
▪ Commercial
– Cause doesn’t matter:
▪ Negligence
▪ Intentional acts
▪ Computers
▪ Vendors
▪ Dumpsters
▪ Phishing
▪ Employees
 Damages / Covered Loss:
– Legal liability
– Defense and claims expenses
– Regulatory defense costs
– Vicarious liability when control of information is outsourced
 Crisis Coverage:
– Credit remediation, credit monitoring, and ID theft investigation
– Forensic expenses
– Cover for crisis and public relations expenses
– Cover for notification costs
Benchmarking and Risk Modeling
Privacy Event Modeling: Potential Value of a Privacy Event Based Upon Number of Records Compromised
Number of Records Compromised | Privacy Notification Costs | Call Center Costs | Credit Monitoring Cost | Identity Theft Repair | Total Estimated Expenses**
100,000 | $400,000 | $100,000 | $1,000,000 | $500,000 | $2,000,000
250,000 | $1,000,000 | $250,000 | $2,500,000 | $1,250,000 | $5,000,000
500,000 | $2,000,000 | $500,000 | $5,000,000 | $2,500,000 | $10,000,000
1,000,000 | $4,000,000 | $1,000,000 | $10,000,000 | $5,000,000 | $20,000,000
Assumptions:
– Notification costs – $4 per record
– Call center costs – $5 per call (20 percent expected participation)
– Credit monitoring – $50 per record (20 percent expected participation)
– Identity theft repair – $500 per record (5 percent of those monitored experience theft)
Each row applies these assumptions to the record count; for 100,000 records: 100,000 × $4 = $400,000 notification, 20% × 100,000 × $5 = $100,000 call center, 20% × 100,000 × $50 = $1,000,000 credit monitoring, and 5% × 20,000 monitored × $500 = $500,000 identity theft repair.
**Regulatory Actions: Since a regulatory action usually precedes the civil action, substantial expense (legal and forensic) can be incurred even for events where no one is actually harmed or even at risk of harm.
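The Privacy Event Modeling table above is the one quantitative model in this deck. The following Python is an added example, not part of the Marsh presentation: it encodes the slide's four stated assumptions as defaults, reproduces the table's rows for any record count, and makes explicit the step that is easiest to get wrong, namely that the 5 percent theft rate applies to the monitored population (20 percent of records), not to all records. The `CostAssumptions` class and the function names are this example's own.

```python
"""Breach cost model reproducing the Privacy Event Modeling slide.

Added example (not from the slide deck). Defaults come from the slide's
stated assumptions; the class and function names are this example's own.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CostAssumptions:
    """Unit costs and participation rates; defaults are the slide's assumptions."""
    notification_per_record: float = 4.0      # notification costs: $4 per record
    call_center_per_call: float = 5.0         # call center: $5 per call ...
    call_participation: float = 0.20          # ... with 20 percent expected participation
    monitoring_per_record: float = 50.0       # credit monitoring: $50 per record ...
    monitoring_participation: float = 0.20    # ... with 20 percent expected participation
    repair_per_victim: float = 500.0          # identity theft repair: $500 per record ...
    theft_rate_among_monitored: float = 0.05  # ... for 5 percent of those monitored


def estimate_breach_costs(records: int, a: CostAssumptions = CostAssumptions()) -> dict:
    """Return the cost breakdown (in dollars, rounded to cents) for one breach size."""
    if records < 0:
        raise ValueError("record count must be non-negative")
    notification = records * a.notification_per_record
    callers = records * a.call_participation
    call_center = callers * a.call_center_per_call
    monitored = records * a.monitoring_participation
    monitoring = monitored * a.monitoring_per_record
    # The theft rate applies to the monitored population, not to all records:
    # 5% of 20% of the records, i.e. 1% of records, incur repair costs.
    victims = monitored * a.theft_rate_among_monitored
    repair = victims * a.repair_per_victim
    total = notification + call_center + monitoring + repair
    return {
        "records": records,
        "notification": round(notification, 2),
        "call_center": round(call_center, 2),
        "credit_monitoring": round(monitoring, 2),
        "identity_theft_repair": round(repair, 2),
        "total": round(total, 2),
    }


def cost_per_record(a: CostAssumptions = CostAssumptions()) -> float:
    """Blended cost per compromised record implied by the assumptions."""
    return estimate_breach_costs(1, a)["total"]


def scenario_table(record_counts=(100_000, 250_000, 500_000, 1_000_000),
                   a: CostAssumptions = CostAssumptions()) -> list:
    """One row per breach size, the four sizes on the slide by default."""
    return [estimate_breach_costs(n, a) for n in record_counts]


def format_table(rows: list) -> str:
    """Plain-text rendering of a scenario table (header plus one line per row)."""
    cols = ["records", "notification", "call_center", "credit_monitoring",
            "identity_theft_repair", "total"]
    lines = ["  ".join(f"{c:>22}" for c in cols)]
    for r in rows:
        lines.append("  ".join(f"{r[c]:>22,.0f}" for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(scenario_table()))
    print(f"\nimplied cost per record: ${cost_per_record():.2f}")
    # Sensitivity check: doubling both participation rates, unit costs unchanged.
    higher = replace(CostAssumptions(), call_participation=0.40,
                     monitoring_participation=0.40)
    print("\nwith 40 percent participation:")
    print(format_table(scenario_table(a=higher)))
```

Running the module prints the four slide scenarios, the implied blended cost per record, and a second table with both participation rates doubled, which shows how much of the estimate rides on the participation assumptions rather than on the unit costs.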
Recent Paid Claims
 Employee of mortgage lender sold applicant information to third parties:
 Amount paid by insurer for notices and claim: $15,000,000 (excess layers also impacted)
 Employee of credit union who sold information to outsiders:
 Amount paid by insurer for liability claim and first party loss: $1,800,000
 Third party hacker stole credit card information:
 Amount paid by insurer for liability claim: $5,000,000 (Note that this was the primary policy limit.
Claim eroded excess limits as well.)
 Third party hacker stole passwords and used passwords to gain access to personal information:
 Amount paid by insurer for liability claim (class action): $8,000,000+
 Employee sold customer data to others:
 Amount paid by insurer for liability claim: $9.1M
 Employee stole and sold information to identity theft ring:
 Amount paid by insurer for notice and liability claim: $2.6M
 Unauthorized access to database resulting from stolen passwords:
 $4.5M
 Insured's employees released proprietary information of the claimant to third parties:
 $715K
Source: various carriers
Marsh—Leadership, Knowledge, Solutions…Worldwide.
74
Actual Paid Claims (cont’d)
 Employee misappropriated confidential information from a competitor:
 Amount paid by insurer for liability claim: $200,000
 Rogue employee at medical provider stole and sold over 40,000 patient records containing
Personally Identifiable Information:
 Amount paid by insurer for notification costs: $675,000
 Insured lost tapes containing medical insurance information and social security numbers (SSNs):
 Amount paid by insurer for call center services and credit monitoring costs: $400,000 +
other pending costs
 Rogue employee stole and sold customer data of over 3,000,000 customers to others:
 Amount paid by insurer for liability claim and notification / credit monitoring: $7.1M
 Hotel network was hacked, gaining access to personally identifiable information:
 Amount paid by insurer for notification costs, forensic investigation, crisis management, and
credit monitoring: $420,000 +other pending costs
 Insured accidentally published non-public student information on their Web site:
 Amount paid by insurer for notification and credit monitoring costs: $100,000+
 Employee of a college accidentally emailed personal information of over 20,000 students:
 Amount paid by insurer for notification and call center costs: $38,000
Source: Chartis
Marsh—Leadership, Knowledge, Solutions…Worldwide.
75
8
The Marsh Approach
MMC Privacy Solution
 Placement of coverage is the last step in the process
 Insurance is never a valid alternative to good risk management
 Similarly, relying upon technology as some mythical “silver bullet” that
will defend against all risks is to turn a blind eye to major risks facing
every commercial entity
 Marsh’s approach to the privacy and cyber risks combines elements
of:
– Assessment;
– Remediation;
– Prevention;
– Education; and
– Risk transfer.
MMC Privacy Solution: Assessment
– Specialized privacy and information security assessment to assist you in
evaluating internal policies and procedures related to human, physical, and
network security, privacy, and breach preparedness.
– Risk Mapping: Once the privacy and information security assessment has
been completed, Marsh works with you to identify your potential exposure to
a breach—this includes a scorecard, a gap analysis of your breach response
policies and procedures, and a risk map identifying and evaluating both the
severity and probability of key privacy and information security risks.
– Benchmarking and Modeling: Going beyond simply matching you against
what your peers do, Marsh will add a layer of benchmarking that details the
costs and expenses associated with likely risk scenarios, including an
analysis of a catastrophic privacy and information security event.
– Coverage Gap Analysis: Marsh reviews your in-force insurance policies to
determine what coverage may be available to respond to claims and losses
in the event of computer attack, breach of privacy, or loss of confidential
information.
The Underwriting Process
Underwriting Process for E-Business Insurance
 Quote process:
 Application
 Security self-assessment:
– Security ISO 27001/2
 Approach to underwriting is different by insurer
 Principal primary markets:
– CNA
– ACE
– AXIS
– CHUBB
– Beazley
– Hiscox
– Chartis
– KILN
 Market capacity: over $400 million
Thank You
Robert Parisi
Senior Vice President, FINPRO
National Practice Leader for Tech/Telecom E&O and Network Risk
Marsh
Office: 212.345.5924
1166 Avenue of the Americas
New York, NY 10036
Email: [email protected]
For More Information:
www.marsh.com
Legal Notice
The information contained herein is based on sources we believe reliable, but we did not verify nor do
we guarantee its accuracy. It should be understood to be general risk management and insurance
information only. Marsh makes no representations or warranties, expressed or implied, concerning the
financial condition, solvency, or application of policy wordings of insurers or reinsurers nor does Marsh
make any representations or warranty that coverages may be placed on terms acceptable to you. The
information contained in this presentation provides only a general overview of subjects covered, is not
intended to be taken as advice regarding any individual situation, and should not be relied upon as such.
Statements concerning tax and/or legal matters should be understood to be general observations based
solely on our experience as risk consultants and insurance brokers and should not be relied upon as tax
and/or legal advice, which we are not authorized to provide. Insureds should consult their own qualified
insurance, tax and/or legal advisors regarding specific risk management and insurance coverage issues.
Marsh assumes no responsibility for any loss or damage sustained in reliance of this presentation.
Marsh is part of the family of MMC companies, including Guy Carpenter, Mercer, and the Oliver Wyman
Group (including Lippincott and NERA Economic Consulting).
The materials, data and/or methodologies used in this presentation are proprietary to Marsh. This
document or any portion of the information it contains may not be copied or reproduced in any form
without the permission of Marsh Canada Limited, except that clients of any of the companies of MMC
need not obtain such permission when using this report for their internal purposes, so long as this page
is included with all such copies or reproductions.
Copyright 2010 Marsh Inc. All rights reserved.