Data Breach: Understanding the Risk and Managing a Crisis
Transcription
November 2010

Data Breach: Understanding the Risk and Managing a Crisis Seminar
Presented by: Marsh Canada Limited
Presented in cooperation with: Kroll Ontrack, Kroll Fraud Solutions, Gowling Lafleur Henderson LLP
Toronto - November 9, 2010
Montréal - November 10, 2010
Leadership, Knowledge, Solutions…Worldwide.

Speakers
• Lisa R. Lifshitz, Partner, Gowling Lafleur Henderson LLP (Toronto only)
• Danielle Waldman, Associate, Gowling Lafleur Henderson LLP (Montreal only)
• Theodore Theisen, Managing Consultant, Kroll Ontrack
• Alex Ricardo, Zone Leader, Kroll Fraud Solutions
• Robert Parisi, Senior Vice President, Marsh USA Inc.

Lisa R. Lifshitz, Partner, Toronto
Year of call: 1995 Ontario
Education: McGill University, LLB and BCL; Carleton University, BA High Hons. and MA in Soviet and Eastern European Studies
t 416-369-4632  f 416-369-7250  [email protected]

Lisa R. Lifshitz is a partner in Gowlings' Toronto office, practising in the areas of information technology and business law. A member of the Firm's Technology Industry Practice Group, Lisa specializes in preparing and negotiating technology licences and agreements, including software licences, reseller, distribution, development, system acquisition, maintenance and support agreements, joint venture agreements, outsourcing agreements, confidentiality and professional services agreements. Lisa has extensive experience in preparing and negotiating Internet- and e-commerce-related contracts, including agreements for website development and maintenance, online retail, cloud computing, web hosting, and website terms and conditions. Lisa advises on technology law matters for a diverse client base, from emerging companies to large institutions.
She provides technology-related advice on financings and acquisitions, including export control and open source advice on cross-border deals. Lisa is also the founder and co-chair of the Firm's national Privacy & Information Management Practice Group. As a member of the Firm's Life Sciences Industry Group, Lisa also advises pharmaceutical companies in the areas of product licensing (including drugs and medical devices) and has extensive experience negotiating services agreements, supply agreements, distribution/reseller agreements, funding and promotion agreements, quality assurance agreements, clinical trial agreements and transition agreements. Lisa also has extensive experience in the procurement of technology for health care providers and in assisting pharmaceutical companies in government tenders.

Lisa is currently the vice chair, subcommittees, of the Cyberspace Law Committee of the Business Law Section of the American Bar Association and is the past chair of the subcommittee on Membership and Public Relations of the Cyberspace Law Committee. Lisa is a former director of the Information Technology Law Association (ITechLaw), director and treasurer of the Canadian IT Law Association (IT.Can), Canada's leading technology law organization, and is the past chair of the International Technology and Electronic Commerce Section of the Ontario Bar Association. She is also the past chair of IT.Can's ad hoc committee on e-commerce and is past chair, vice chair and treasurer of the Toronto Computer Lawyers Group.

Community involvement: Lisa currently sits on the board of the McGill Alumni Association of Toronto. She is the past president of the board of directors for the Children's Aid Society of Toronto and has also served on the board of directors of eHealth Ontario and the Ontario Society for the Prevention of Cruelty to Animals.

Articles, papers & presentations: Lisa has authored numerous articles for such publications as Business Law Today, Internet and E-Commerce Law in Canada, e-Commerce Law Report, DataGuidance and the BNA International World Data Protection Report. She has spoken on technology law issues for the American Bar Association, IT.Can, the Ontario Bar Association, the Law Society of Upper Canada, Insight, Lexpert, ITechLaw, Federated Press and the Canadian Institute.

Recognitions: Listed in Chambers Global Guide 2010 in Information Technology; repeatedly recommended, Computer & IT Law, Canadian Legal Lexpert Directory, 2005-2010; selected as leading lawyer in Internet & e-Commerce by 2010 Who's Who Legal.

Related services: Technology; Privacy & Information Management; Corporate Finance, Securities & Public M&A; Energy; Financial Regulatory Law; Financial Services; Infrastructure; Life Sciences.

Danielle Waldman, Associate, Toronto
Year of call: 2006 Ontario
Education: University of Western Ontario, LLB; York University, BA Hons. in Economics & Business, specializing in Financial Analysis
t 416-369-6182  f 416-862-7661  [email protected]

Danielle Waldman is an associate in Gowlings' Toronto office, practising in the area of business law with a specialization in technology, energy and infrastructure. Danielle's energy and infrastructure practice focuses on mergers and acquisitions, wind power projects, solar projects, corporate matters including structuring, financing and governance, and commercial and regulatory matters in the energy and infrastructure sectors. Danielle has also advised various international solar and wind developers with respect to entering the Canadian marketplace. Danielle's technology practice includes preparing and negotiating software license and maintenance and support agreements, website development agreements and other Internet-related agreements for various clients, including those in the energy and infrastructure sectors.
She also advises clients with respect to privacy law matters, online consumer protection issues and financings of both early- and mid-stage technology companies.

Articles, papers & presentations: Danielle has authored and co-authored publications for the American Bar Association, the Consumer Finance Quarterly Law Report, the Ontario Bar Association Entertainment, Media and Communications Newsletter and various Gowlings newsletters.

Memberships: Canadian Bar Association; Ontario Bar Association; Law Society of Upper Canada.

Related services: Advertising, Marketing and Regulatory Affairs; Copyright Law; Corporate Finance, Securities & Public M&A; Energy; Infrastructure; Intellectual Property; Technology.

Theodore J. Theisen, MCSE, MCP+I
Managing Consultant, Secure Information Services and Computer Forensics Consulting, Kroll Ontrack
1242 Bridgewater Drive, West Chester, PA 19380
610 431 1405  Mobile 646 306 8754  [email protected]

Theodore Theisen is a managing consultant for Kroll Ontrack's Secure Information Services and Computer Forensics Consulting group. In this capacity, Mr. Theisen provides investigative expertise, analytical assistance and digital forensic support to contribute to client success. He holds broad experience in information technology and investigations involving high-technology elements, such as cyber-counterintelligence, cyber-counterterrorism, criminal computer intrusions, intellectual property rights violations and Internet fraud, bolstering his ability to respond to and solve critical client issues.

Mr. Theisen previously served as a Special Agent for the Federal Bureau of Investigation in Minnesota and Delaware. He was one of the first Special Agents assigned to the Minnesota Cyber Crime Task Force, and was instrumental in pioneering sophisticated investigative techniques for cyber investigations. During his tenure in Delaware, Mr. Theisen collaborated with the United States Attorney's Office in the District of Delaware to conduct cyber investigations. He further assisted the Delaware State Police with the implementation of the Delaware Child Predator Task Force and conducted forensic examinations of digital evidence to ascertain facts associated with cyber investigations. In both Minnesota and Delaware, Mr. Theisen conducted investigations involving the theft of trade secrets, violations of copyrights, software piracy, and other elements of intellectual property rights violations. Further, he worked closely with international Legal Attachés and collaborated with other United States government agencies regarding the pursuit of international elements of his investigations.

Prior to his work as a Special Agent, Mr. Theisen worked for a large online brokerage as a systems engineer, where he gained extensive information technology experience on multiple platforms. Mr. Theisen received his B.S. in Biology from the University of Nebraska in Omaha, Nebraska.

Certifications and Awards
■ Microsoft Certified Systems Engineer (MCSE)
■ Microsoft Certified Professional Plus Internet (MCP+I)
■ Exemplary Service Award, Federal Bureau of Investigation, for achievements at the National Joint Terrorism Task Force, 2006
■ Dedicated Service Award, Federal Bureau of Investigation, for contributions to the Terrorist Screening Operations Unit, 2008
■ United States Attorney Award, United States Attorney's Office, District of Delaware, for contributions to Project Safe Childhood/Internet Crimes Against Children, 2010
Complete curriculum vitae available upon request.
www.krollontrack.com Copyright © 2010 Kroll Ontrack Inc. All Rights Reserved.

Fraud Solutions – Data Breach Services Team
Alex Ricardo, CIPP, Zone Leader
+1 212 833 3354 office  +1 646 934 4100 mobile  [email protected]
1166 Avenue of the Americas, New York, NY 10036, United States

Alex Ricardo serves the Data Breach Services Team of Kroll's Fraud Solutions practice as the Zone Leader for the Northeast and Southeast portions of the US as well as Canada, nationwide. Alex is based in New York City, focusing on solutions for Breach Preparedness, Breach Response and Identity Theft Protection. He brings to Kroll a fourteen-year background of service to Fortune 500 corporations and government agencies, addressing information leakage prevention, data/e-discovery, messaging encryption, and internal threat management. His extensive experience with technology and content security as well as regulatory mandates provides Kroll clients with a broad-spectrum perspective from which to address their needs for sensitive data defense, response, and recovery solutions.

Prior to joining Kroll, Alex worked with Tablus (acquired by RSA/EMC), a leading provider of enterprise solutions designed to safeguard sensitive corporate data whether at rest, in motion, or in use. Before that, his sales engineering efforts at Tumbleweed Communications (acquired by Axway – Sopra Group), CipherTrust (acquired by Secure Computing – McAfee), and PostX (acquired by IronPort - Cisco) focused on Internet communications security and content management for regulatory compliance. Alex's background in the software industry combined with his extensive knowledge of security threats and mitigation best practices assures his clients of a comprehensive problem-solving approach.

Alex is a Certified Information Privacy Professional (CIPP), a credential issued by the International Association of Privacy Professionals (IAPP). This credential demonstrates Alex's breadth of knowledge of privacy principles, general privacy law and information security best practices throughout the United States and around the globe.

Professional Experience
International Business Development. Alex's expertise has been solicited to aid agencies of the United States, including the Federal Bureau of Investigation (FBI), Department of Labor (DOL), Internal Revenue Service (IRS), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC); as well as the governments of Hong Kong (Hong Kong Post, Office of the Government Chief Information Officer) and Australia (Australian Tax Office (ATO), Australian Government Information Management Office (AGIMO), Department of Justice, Australian Foreign Affairs and Trade Office, Reserve Bank of Australia and Health eSignature Authority).
Service Consultant. Alex worked on PosteCS®, a web-based secure document delivery and e-messaging solution jointly commissioned by the US Postal Service, Canada Post Corporation and La Poste of France. PosteCS helps businesses communicate privately over the Internet. His responsibilities with this engagement led him to work closely with the national posts of other countries, including Germany, Portugal, and Singapore.
Speaker and Facilitator. Alex has been an invited speaker at conferences nationwide, including: New York City Bar Association (www.nycbar.org), Healthcare Financial Management Association (www.hfma.org), American Society for Healthcare Risk Management (www.ashrm.org), Professional Liability Underwriting Society (www.plusweb.org), Midwest Higher Education Compact (www.mhec.org), College and University Professional Associations (www.cupa.org), University Risk Management & Insurance Association (www.urmia.org), Financial Executives International (www.financialexecutives.org), SecureWorld (www.secureworldexpo.com), Angelbeat (www.angelbeat.com) and various seminars sponsored by Marsh (www.mmc.com) as well as network security firms such as FlatEarth networking (www.flatearth.net). On behalf of the office of the Consulate General of the United States – Hong Kong and Macau (www.hongkong.usconsulate.gov) he facilitated a security summit of Hong Kong-based IT executives of US corporations to discuss information loss attacks, identity theft and data leakage prevention.

Education: Stevens Institute of Technology, B.E., Materials and Polymer Engineering, 1992; Stevens Institute of Technology, Technology Management Graduate Program.

Professional Affiliations: Certified Information Privacy Professional (CIPP), International Association of Privacy Professionals (IAPP) (www.privacyassociation.org); Fellow, Council on Litigation Management (www.litmgmt.org); InfraGard – New York Chapter (www.infragard.org); Anti-Phishing Working Group (www.antiphishing.org); LinkedIn (www.linkedin.com/in/alexricardo).

Professional Biography: Robert Parisi, Jr., Senior Vice President, Marsh
Current Responsibilities: Robert Parisi is a senior vice president and Technology, Network Risk & Telecommunications specialist in Marsh's New York City headquarters. His current responsibilities include advising clients on issues related to technology, privacy, and cyber-related risks as well as negotiating with the carriers on terms and conditions.
Experience: Prior to joining Marsh, Robert was the senior vice president and Chief Underwriting Officer (CUO) of eBusiness Risk Solutions at AIG. Robert joined AIG in 1998 as legal counsel for its Professional Liability group and held several executive and legal positions, including CUO for Professional Liability and Technology. While at AIG, Robert oversaw the creation and drafting of underwriting guidelines and policies for all lines of Professional Liability. In addition to working with AIG, Robert has also been in private practice, principally as legal counsel to various Lloyd's of London syndicates. While at Marsh, Robert has worked extensively with healthcare clients, in particular several BC/BS affiliates and numerous hospitals, assisting them in analysis of their risk as well as in the placement of coverage for cyber and privacy risks.

Education: JD from Fordham University School of Law; BA in Economics from Fordham College.

Affiliations:
• Spoken at various business, technology, legal, and insurance forums throughout the world
• Written on issues affecting professional liability, privacy, technology and telecommunications, media, intellectual property, computer security, and insurance
• Admitted to practice in New York and the U.S. District Courts for the Eastern and Southern Districts of New York
• Honored by Business Insurance magazine (2002) as one of the Rising Stars of Insurance
• In 2009, honored by Risk & Insurance magazine as a Power Broker

Data Breach Notification in Canada: Your Legal Obligations
Lisa R. Lifshitz and Danielle Waldman, Gowling Lafleur Henderson LLP, Toronto

Data Breach Notification in Canada: Overview
• Privacy framework
  – Private Sector
  – Health Sector
  – Public Sector (which will not be discussed in this presentation)
• Privacy breach notification in Canada
  – Existing Law
  – Pending Legal Amendments

Privacy Framework
Q: How is privacy in the private sector regulated in Canada?
A: Canadian businesses and private sector organizations are subject to federal or provincial privacy protection legislation governing both customer and (with some exceptions) employee information.

Federal: Personal Information Protection and Electronic Documents Act ("PIPEDA")
• PIPEDA, a federal statute, regulates the collection, use and disclosure of personal information by federal works, undertakings and businesses, including personal information about their employees.
• PIPEDA applies to federally regulated private sector organizations.
• PIPEDA also applies to all personal information that flows across provincial or national borders in the course of commercial transactions involving organizations subject to PIPEDA or to substantially similar legislation.
• Largely does not apply in provinces that have substantially similar privacy legislation, namely Alberta, British Columbia and Quebec.

Privacy Framework: Provincial
• British Columbia, Alberta and Quebec have their own privacy legislation that regulates the private sector.
  – British Columbia: Personal Information Protection Act
  – Alberta: Personal Information Protection Act
  – Quebec: An Act Respecting the Protection of Personal Information in the Private Sector
• In all the other provinces and territories, PIPEDA applies to the collection, use and disclosure of personal information by the private sector.

Privacy Framework
Q: How is privacy in the health sector regulated in Canada?
• Saskatchewan, Manitoba, Alberta and Ontario have each passed legislation to deal specifically with personal health information held by public and private sector health care providers and other health care organizations.
  – Saskatchewan: Health Information Protection Act
  – Manitoba: Personal Health Information Act
  – Alberta: Health Information Act
  – Ontario: Personal Health Information Protection Act
• New Brunswick recently enacted the Personal Health Information Privacy and Access Act, which came into force on September 1, 2010.
Privacy Breach Notification in Canada
Private Sector
  – Alberta
  – British Columbia
  – PIPEDA
Health Sector
  – Ontario
  – New Brunswick
  – Newfoundland and Labrador

Privacy Breach Notification
What is a privacy breach?
• A privacy breach occurs when there is "unauthorized access to or collection, use or disclosure of personal information."
• Common privacy breaches happen when personal information of customers, patients, clients or employees is lost, stolen, or mistakenly disclosed.
• E.g. a computer containing private information is stolen or hacked.

Privacy Breach Notification – Alberta
Alberta Personal Information Protection Act ("PIPA")
• First Canadian jurisdiction to require mandatory privacy breach notification by private sector organizations.
• In force May 1, 2010.
• Private sector organizations are required under the mandatory privacy breach notification provisions to notify the Privacy Commissioner if personal information under their control is accessed, lost or disclosed without authorization.
• Failure to notify the Commissioner of a breach is an offence.
• Organizations can face a fine of up to $100,000 under section 59(2)(b).

Privacy Breach Notification – Alberta
When must the Commissioner be notified?
• Threshold for notification: "real risk of significant harm".
• "Significant harm" means "a material harm; it has non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one's professional or personal reputation". (PIPA Information Sheet 11)
• "Real risk" means "a reasonable degree of likelihood that the harm could result"; it must be more than "merely speculative" and not simply "hypothetical or theoretical". (PIPA Information Sheet 11)
• Once the threshold is met, the security breach must be reported to the Commissioner without unreasonable delay.

Privacy Breach Notification – Alberta
Who must notify the Commissioner?
• The organization with control of the personal information.
• "Control" of personal information is broadly defined and is not limited to information in an organization's physical possession.
• E.g. if an organization contracts with another business and the contractor suffers a security breach, the principal organization remains responsible for ensuring the Commissioner is notified if the harm threshold is met. (PIPA Information Sheet 11)

Privacy Breach Notification – Alberta
What are the contents of the notice to the Commissioner? (section 19 of the PIPA Regulations)
• A description of the circumstances of the loss or unauthorized access or disclosure;
• The date on which, or time period during which, the loss or unauthorized access or disclosure occurred;
• A description of the personal information involved in the loss or unauthorized access or disclosure;
• An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
• An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
• A description of any steps the organization has taken to reduce the risk of harm to individuals;
• A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
• The name of and contact information for a person who can answer, on behalf of the organization, the Commissioner's questions about the loss or unauthorized access or disclosure.

Privacy Breach Notification – Alberta
Alberta PIPA
• When notified, the Commissioner will review the information provided and determine whether affected individuals need to be notified (see section 37.1).
• The Commissioner can direct the organization to notify individuals in the form and manner set out in the PIPA Regulations (see section 19.1 of the PIPA Regulations).
• The purpose of notification to individuals is to allow the individual to take steps to reduce his or her risk of harm, or the extent of the harm, where possible.
Privacy Breach Notification – BC
British Columbia Personal Information Protection Act ("PIPA")
• April 2008 Final Report of the Special Committee to Review PIPA.
• The Committee recommended a requirement to notify in carefully defined and controlled circumstances (e.g., loss of confidential medical records).
• The breadth of any enacted notification provision remains to be seen.

Privacy Breach Notification – PIPEDA
Federal legislation - PIPEDA
• The current framework for privacy breach notification in the private sector outside of Alberta is PIPEDA.
• Voluntary security breach notification.
• Guidelines from the Federal Privacy Commissioner.
• Anticipation that breach notification may become mandatory (Bill C-29).

Privacy Breach Notification – PIPEDA
Federal legislation – PIPEDA
• Applies to personal information that is collected, used or disclosed by all federal works, undertakings and businesses.
• Includes personal information about employees.
• Also applies to personal data that flows across provincial or national borders in the course of commercial transactions involving organizations subject to PIPEDA or substantially similar legislation.

Privacy Breach Notification – PIPEDA
• Currently, under PIPEDA, data breach response is subject to voluntary guidelines created by the Privacy Commissioner's Office in August 2007 entitled "Key Steps for Organizations in Responding to Privacy Breaches".
• The Commissioner also developed an associated Checklist to assist organizations in ensuring they have dealt with all relevant considerations of the breach.
• Four key steps to consider when responding to a breach:
  1. Breach containment and preliminary assessment;
  2. Evaluation of the risks associated with the breach;
  3. Notification; and
  4. Prevention.

Privacy Breach Notification – PIPEDA
1. Breach Containment and Preliminary Assessment
• Take immediate common-sense steps to limit the data breach.
• Immediately contain the breach.
• Determine who should be made aware of the incident internally and potentially externally.
• If the breach appears to involve theft or criminal activity, notify the police.

Privacy Breach Notification – PIPEDA
2. Evaluation of the Risks Associated with the Breach
• What personal information was involved?
• What was the cause and extent of the breach?
• What individuals were affected by the breach?
• What is the foreseeable harm that could result from the breach?

Privacy Breach Notification – PIPEDA
3. Notification
• Notification is an "important mitigation strategy".
• In determining whether to notify, companies should consider:
  – Legal and contractual obligations.
  – Risk of harm to the individual.
  – Reasonable risk of identity theft or fraud?
  – Risk of physical harm.
  – Risk of humiliation or damage to reputation.
  – Ability of the individual to avoid or mitigate possible harm.

Privacy Breach Notification – PIPEDA
When/How/Who Should Notify
• As soon as reasonably possible.
• Preferred method: direct notification (e.g. phone, letter or email).
• The organization with the direct relationship with the individual should notify.
Content of Notification:
  – Information about the incident and its timing.
  – Description of the information involved.
  – General account of the organization's steps to control/reduce harm.
  – The organization's available assistance.
  – Contact information for questions.
  – If applicable, whether the Privacy Commissioner has been notified.

Privacy Breach Notification – PIPEDA
4. Prevention
• Investigate the breach with a view to developing a prevention plan depending on the nature/type of breach (i.e. isolated or systemic):
  – Possible security audit of physical and technical security.
  – Review of policies and procedures, including any changes to reflect lessons learned.
  – Review of employee training practices.
  – Review of service delivery partners.
Privacy Breach Notification – PIPEDA
Penalties & Enforcement
• No penalty under PIPEDA for actual failure to follow the guidelines (problematic!).
• However, the Federal Privacy Commissioner has the power to investigate the underlying breach.
• Section 14 allows a complainant, after receiving the Commissioner's report, to apply to the Federal Court for a hearing of the complaint.
• Available remedies include an order to correct practices, an order to publish notice of the action taken or proposed to correct practices, and damages.

Privacy Breach Notification – PIPEDA
Bill C-29: Making Notification Mandatory
• The federal government tabled Bill C-29 to amend PIPEDA (passed first reading May 25, 2010).
• Bill C-29 proposes mandatory breach notification provisions similar to those legislated in Alberta, imposing data breach reporting and notification duties on organizations.
• Bill C-29 would impose duties to:
  1) report "material" breaches of security safeguards to the Commissioner;
  2) notify individuals of a breach when it is "reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual"; and
  3) notify other organizations if they might reduce the risk of harm or mitigate the harm from the breach.

Privacy Breach Notification – PIPEDA
Bill C-29
• "Materiality" is assessed in relation to the sensitivity of the information at risk, the number of persons affected and whether the breach was an isolated incident or a systemic problem.
• "Real risk" is based on the sensitivity of the information and the probability that the personal information will be misused.
• "Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
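The two thresholds set out above (Alberta PIPA's "real risk of significant harm" and Bill C-29's "materiality", which turns on sensitivity, number of individuals, and isolated versus systemic) are the kind of rule an incident-response team codifies so that every incident is assessed the same way and the notice to the Commissioner is assembled from the same record. The following is an added example written for this page, not code from the seminar, the presenters or any regulator: the sensitivity and exposure weights, the Incident fields, the headcount threshold, and both sample incidents are assumptions for illustration. Treating properly encrypted data as creating no real risk is likewise an assumption, modelled on the encrypted-device exemption the deck discusses for the health-sector statutes. It follows the PIPA point that control, not physical possession, decides who must notify, so a contractor's breach is still the principal's report.

```python
"""Breach triage encoding the thresholds described above (Alberta PIPA "real risk
of significant harm", Bill C-29 "materiality") and the section 19 notice fields.
Added example, not from the seminar; weights, fields and sample incidents are assumptions."""
from dataclasses import dataclass, field, replace
from datetime import date

# Assumed tiers: how readily misuse of the data causes the harms the deck lists.
DATA_SENSITIVITY = {"contact": 1, "credentials": 2, "financial": 3, "government_id": 3, "health": 3}
# Assumed likelihood of misuse given how the data left the organization's control.
EXPOSURE_LIKELIHOOD = {"lost": 1, "accessed": 2, "exfiltrated": 3}
REAL_RISK_THRESHOLD = 3   # assumed: sensitivity x likelihood at/above this is "more than speculative"
MATERIAL_HEADCOUNT = 100  # assumed: affected-individual count that is material on its own

@dataclass
class Incident:
    ref: str
    occurred: date          # date (or start) of the loss, access or disclosure
    description: str
    data_types: list        # keys of DATA_SENSITIVITY
    individuals: int
    exposure: str           # key of EXPOSURE_LIKELIHOOD
    encrypted: bool         # strong encryption, keys not exposed with the data
    systemic: bool          # recurring process failure rather than an isolated event
    controller: str         # organization with control of the information
    custodian: str          # organization that physically held it (may be a contractor)
    mitigations: list = field(default_factory=list)
    contact: str = ""

def max_sensitivity(inc):
    return max(DATA_SENSITIVITY[t] for t in inc.data_types)

def real_risk_of_significant_harm(inc):
    """PIPA threshold: a reasonable likelihood of non-trivial harm, not a hypothetical one.
    Encrypted data is assumed unreadable to whoever holds it, so misuse stays speculative."""
    if inc.encrypted:
        return False
    return max_sensitivity(inc) * EXPOSURE_LIKELIHOOD[inc.exposure] >= REAL_RISK_THRESHOLD

def material_breach(inc):
    """Bill C-29 materiality: sensitivity, number of individuals, isolated vs. systemic."""
    return max_sensitivity(inc) >= 3 or inc.individuals >= MATERIAL_HEADCOUNT or inc.systemic

def commissioner_notice(inc, real_risk):
    """The fields section 19 of the Alberta PIPA Regulations requires in the notice."""
    return {
        "circumstances": inc.description,
        "date_or_period": inc.occurred.isoformat(),
        "personal_information": sorted(inc.data_types),
        "risk_assessment": ("real" if real_risk else "no real") + " risk of significant harm",
        "individuals_at_real_risk": inc.individuals if real_risk else 0,
        "steps_to_reduce_harm": list(inc.mitigations),
        "steps_to_notify_individuals": "direct notification" if real_risk else "none required",
        "contact": inc.contact,
    }

def triage(inc):
    """Reporting to the Commissioner uses the stricter of the two tests (real risk under
    PIPA or materiality under Bill C-29); notifying individuals turns on real risk alone."""
    real_risk = real_risk_of_significant_harm(inc)
    return {
        "responsible_org": inc.controller,   # control, not possession, decides who notifies
        "report_to_commissioner": real_risk or material_breach(inc),
        "notify_individuals": real_risk,
        "notice": commissioner_notice(inc, real_risk),
    }

# Constructed sample incidents for the example (not real cases).
LOST_ENCRYPTED_LAPTOP = Incident(
    ref="INC-1", occurred=date(2010, 11, 1),
    description="Clinic laptop left in a taxi; full-disk encryption, key held by IT",
    data_types=["health", "contact"], individuals=2400, exposure="lost",
    encrypted=True, systemic=False, controller="Clinic", custodian="Clinic",
    mitigations=["remote wipe issued"], contact="privacy@clinic.example")
# Same loss without encryption: the edge case the encrypted-device exemption turns on.
LOST_PLAINTEXT_LAPTOP = replace(LOST_ENCRYPTED_LAPTOP, ref="INC-1b", encrypted=False)
CONTRACTOR_SIN_LEAK = Incident(
    ref="INC-2", occurred=date(2010, 10, 20),
    description="Payroll contractor's server compromised; SIN file copied out",
    data_types=["government_id", "financial", "contact"], individuals=1200,
    exposure="exfiltrated", encrypted=False, systemic=True,
    controller="Employer", custodian="PayrollCo",
    mitigations=["contractor credentials rotated", "credit monitoring offered"],
    contact="privacy@employer.example")
```

Run `triage()` on each sample: the encrypted laptop is still reported to the Commissioner on materiality (health data, 2,400 people) but no individuals are notified; the identical laptop without encryption crosses the real-risk line; and the contractor's exfiltrated SIN file is the employer's report to make, with all 1,200 individuals counted in the notice. The scores are deliberately crude so that the policy, not the arithmetic, is what reviewers argue about.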
Privacy Breach Notification – PIPEDA
• Organizations would be required to give notification "as soon as feasible" after confirming the breach and concluding that notification is required.
• Notice must provide sufficient information to allow the individual to understand the significance of the breach to them and to take possible steps to mitigate the harm.
• Note that unlike Alberta's amendments to PIPA, the amendments do not give the Commissioner the power to order notification to individuals even if a material breach has been reported. This is left to the discretion of the organization.

Privacy Breach Notification – Health Sector
Personal health information legislation
  – Ontario
  – New Brunswick
  – Newfoundland and Labrador

Privacy Breach Notification – Ontario
Ontario Personal Health Information Protection Act ("PHIPA")
• PHIPA requires "health information custodians" (e.g., hospitals, physicians, laboratories) to notify affected individuals in circumstances where the privacy of their personal health information has been compromised.
• Notification required in every case of breach.
• Commissioner: when a laptop or mobile computing device is lost or stolen, the statutory obligation to notify will not apply if the personal health information was properly encrypted. (Section 12(2), PHIPA)

Privacy Breach Notification – New Brunswick
New Brunswick Personal Health Information Privacy and Access Act ("PHIPAA")
• Came into force on September 1, 2010.
• Custodians are required to notify, at the first reasonable opportunity, the individual to whom the information relates and the Privacy Commissioner.
• Notification is not required where it is reasonably believed the breach will not lead to identification of the patient or other adverse impact.
• If the information was appropriately encrypted, notification is likely not required.

Privacy Breach Notification – Newfoundland
Newfoundland and Labrador Personal Health Information Act ("PHIA")
• Not yet fully in force.
• Notify individual(s) and the Commissioner at the first reasonable opportunity after a breach where the custodian reasonably believes there has been a "material breach" (as defined in the regulations).
• Notification not required where the custodian reasonably believes the breach will not have an adverse impact on the individual.
• Full proclamation anticipated December 2010.

Recommendations/Conclusion
Organizations should:
• Incorporate into their privacy breach protocol a step requiring reporting to the Privacy Commissioner of any serious breach;
• Ensure employees are aware of, and in compliance with, policies and practices regarding breach notification;
• Develop a comprehensive security program to protect the confidentiality, integrity and availability of all information, not just personal information;
• Develop data classification standards that identify personal information;
• Conduct a risk assessment of all personal information and ensure proper security controls are in place to protect it; and
• Be proactive and start revising and developing policies for handling security breaches.
Mandatory notification is likely the way of the future.

Questions or Comments? Thank you!
Lisa R. Lifshitz 416.369.4632 [email protected]
Danielle Waldman 416.862.6182 [email protected]
montréal ottawa toronto hamilton waterloo region calgary vancouver moscow london

The Art of Breach Crisis Management
Alex Ricardo, CIPP
www.KrollFraudSolutions.com

Will you become a statistic?
• McMaster eBusiness Research Centre (MeRC) reports that in 2008, 23% of Canadians had been victimized, up from 17% in 2006.
• Fastest growing white-collar crime in Canada ($2B) and the world; recently surpassed drugs as the highest-grossing crime in the world.
• 2009 Rotman-TELUS joint study: annual losses from breaches have increased from $423,469 to $834,149. Up in all categories.
• Individual identity theft issues can take up to 175 hours and $1,500 to resolve.
• Tremendous media exposure and growing class-action litigation.
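The recommendation above to develop data classification standards that identify personal information is only useful if something actually applies the standard to the data, so that when a file spills you can say whether it held contact details or Social Insurance Numbers. The following classifier is an added example written for this page, not code from the seminar or any regulator: the patterns, the two tier names, and the sample records are assumptions, and the patterns should be tuned against your own data before you rely on them. Both Canadian SINs and payment card numbers carry a Luhn check digit, which is what keeps a ticket number or a date from being reported as a SIN; card numbers are matched first and masked so that a 16-digit card is not also counted as a 9-digit SIN buried inside it.

```python
"""Personal-information classifier for the data classification recommendation above.
Added example, not from the seminar or any regulator: the patterns, tier names and
sample records are assumptions; tune the patterns against your own data before trusting them."""
import re

def luhn_ok(digits):
    """Luhn check digit, used by both Canadian SINs and payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Candidate patterns (assumed). Luhn filtering removes most 9- and 16-digit false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")       # Canadian Social Insurance Number
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
POSTAL_RE = re.compile(r"\b[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z] ?\d[ABCEGHJ-NPRSTV-Z]\d\b", re.I)

SENSITIVE = {"sin", "card"}            # misuse leads straight to identity theft or financial loss
PERSONAL = {"email", "postal_code"}    # identifies a person but is less damaging on its own

def digits_only(s):
    return re.sub(r"\D", "", s)

def find_pii(text):
    """Map of PII kind -> matched strings. Card numbers are found first and masked so a
    16-digit card cannot also be mistaken for a 9-digit SIN inside it."""
    found = {}
    cards = [m.group() for m in CARD_RE.finditer(text) if luhn_ok(digits_only(m.group()))]
    masked = text
    for c in cards:
        masked = masked.replace(c, "#" * len(c))
    sins = [m.group() for m in SIN_RE.finditer(masked) if luhn_ok(digits_only(m.group()))]
    for kind, hits in (("card", cards), ("sin", sins),
                       ("email", EMAIL_RE.findall(masked)),
                       ("postal_code", POSTAL_RE.findall(masked))):
        if hits:
            found[kind] = hits
    return found

def classify(text):
    """Highest tier present in the record: 'sensitive', 'personal' or 'none'."""
    kinds = set(find_pii(text))
    if kinds & SENSITIVE:
        return "sensitive"
    if kinds & PERSONAL:
        return "personal"
    return "none"

def scan_records(records):
    """Tier counts for a batch: the starting point for the number of individuals a notice must cover."""
    counts = {"sensitive": 0, "personal": 0, "none": 0}
    for r in records:
        counts[classify(r)] += 1
    return counts

# Constructed sample records (not real data; the SIN is the commonly cited Luhn-valid test value).
SAMPLE_RECORDS = [
    "Order 7781 shipped to j.doe@example.com, Toronto ON M5H 3R3",
    "Payroll: SIN 046 454 286, start date 2010-11-09",
    "Card on file 4111 1111 1111 1111, exp 12/12",
    "Ticket 123 456 789 closed after maintenance window",   # fails Luhn, so not a SIN
    "Maintenance window Tuesday 02:00",
]
```

Calling `scan_records(SAMPLE_RECORDS)` gives two sensitive records, one personal and two with nothing to report; the ticket number in the fourth record matches the SIN shape but fails the check digit and is correctly ignored. In a real deployment the tier map would be extended with whatever the classification standard names (health numbers, credentials, financial account numbers) and run over the actual exports, not over strings in a script.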
Identity Theft Crime by Age in 2009 (chart)
Age groups 1-29, 30-39, 40-49 and 50+; shares shown: 31%, 22%, 28%, 19%.

2009 How Data is Lost (General): Inside Perpetrator (Accidental and Malicious Intent) (chart) Source: www.DataLossDB.org

2009 How Data is Lost (General): Inside vs. Outside the Organization (chart) Source: www.DataLossDB.org

Data Breach Statistics: Data Loss by Type (chart) Source: www.DataLossDB.org

How can Identity Theft affect your financial security and healthcare?
Money and time are at risk
• The thoroughness of the recovery depends on the restoration method:
  – “20 Step Guides” – self-restoration
  – “Fraud Specialist” – usually in-house trained staff or paralegals
  – Certified Investigator-conducted restoration
Identity Theft affects beyond credit
• Criminal activity/record
• Collector harassment
• Higher insurance rates/premiums
• Difficulty in securing or obtaining employment
• Damaged driving record
• Healthcare/Welfare issues
• Canada Revenue Agency (CRA) issues
The average identity theft takes 175 hours and $1,500 to resolve by a lay-person. (FTC Survey)

Breaches: By the numbers…
Cost of a breach record – cost per record: $204 USD (2009)
• VICTIM COSTS ($10.00): Notification; Call Center; Identity Monitoring (credit/non-credit); Identity Restoration
• DIRECT COSTS ($14.00): Discovery/Data Forensics; Loss of Employee Productivity
• INDIRECT COSTS ($40.00): Restitution; Additional Security and Audit Requirements; Lawsuits; Regulatory Fines
• OPPORTUNITY COSTS ($140.00): Loss of Consumer Confidence; Loss of Funding
© Ponemon Institute

Breaches: By the numbers…
Consumer Confidence Survey (© Javelin Strategy & Research)
• 80% – I monitor the details of my accounts more often
• 60% – It did not change my relationship
• 55% – I trust that company or institution less with my personal information
• 37% – I use their services less, but maintain a relationship
• 33% – I closed my accounts
• 31% – I am more confident in my relationship with that company or institution
• 30% – I would never purchase products from them again
• 29% – I stopped donating money or sponsoring the institution
• 29% – I would never maintain a relationship with the institution in the future
• 23% – I switched providers (medical, insurance or banking)
• 18% – I use their products or services more often
• 16% – I have opened more accounts

Case Studies on ID Theft
• Heartland
• TJX (Winners – Home Sense)
• Alberta Health Services – Healthcare Identity Fraud
• Passport Canada
• Chrysler Financial Canada
• Toronto Hydro
• Western, Ryerson, Memorial & Centennial College
• Employment Fraud
• Broken Business Practices
• Email sent to wrong person (send all)
• University Job Fair – Higher Education
• Methamphetamines, Gangs and Organized Crime – Identities are a currency
• Fraud Rings – Websites (Shadow Crew) and Chatrooms

Post Breach Investigation and Documentation
Has the breach been contained?
• Isolate the affected system to prevent further exposure
Have you engaged expert outside counsel?
• Data Forensics
• Legal Counsel
• Breach Crisis Management Services
• Reputational Risk Advisory
Have you considered using a third-party forensics team?
• Credible third party assessment
• Reliable chain of custody
• Backups of all pertinent system logs
• Attorney-client privilege

The Forensics Front
Theodore “Ted” Theisen

Prepare/Prevent: A Holistic Approach
• Data Mapping & Inventory
• Table Top Exercises
• Data Accessibility Assessment
• Data Security Assessment and Strategy
• Vulnerability Testing
• Credit Monitoring
• Network Monitoring
• Records Retention Consulting
• Data Preservation and Collection
• Compliance and Global Data Privacy
• Incident Response Strategy
• Data Archiving
• Incident Response

Respond/Remediate: A Holistic Approach
• Incident Response
• Data Preservation and Collection
• Breach Scope Determination
• Information Security Consulting
• Network and Forensic Data Analysis
• Breach Investigation
• Business Investigation Services
• Custodian Interviews
• Breach Notification
• Breach Contact Call Center Support
• Identity Theft Investigation and Restoration
• Credit Report and Non-Credit Searches
• Expert Testimony
• Continuous Credit Monitoring
• Information Technology Remediation

Kroll Case Study #1 – Situation

Kroll Case Study #1
Kroll was critical to the investigation and breach remediation and notification process.
Information Security/Breach Assessment
– Gathered facts from numerous sources to determine scope of breach
– Responded and located backup tapes of stolen data
Data Review Services, Computer Forensics, Data Recovery and Information Security Consulting
– Rebuilt server environment based on backup tapes, with assistance of Data Recovery and Computer Forensics teams
– Exhaustive inventory of all data included on the drives, including reviewing data for consumers’ personal information
– Information Security Assessment and Penetration Test (on-going)
Enhanced Identity Theft Consultation and Restoration Services
– Member notifications (approximately ½ million notifications delivered)
– Identity theft restoration

Kroll Case Study #1 – Solution Continued
Kroll Infrastructure
– One isolated network and two video servers
– 210 computers
– Five review rooms with tables/desks and chairs
Data
– Audio
  ▪ Received 3,167,619 audio files
  ▪ Reviewed 1,206,239 audio files (after searching/filtering)
– Video
  ▪ Received & reviewed 160,110 video files
People
– 420 reviewers (a total of 89,700 labor hours)
Timing
– 7.5 weeks of review
– Approx. two weeks of initial planning and final production
– Two shifts, Monday – Saturday (6:30am – 4:30am)

Thank You
Theodore J Theisen, Managing Consultant, Kroll Ontrack
1242 Bridgewater Drive, West Chester, PA 19380
Office: 610.431.1405 Mobile: 646.306.8754 Email: [email protected]
For More Information: www.KrollOntrack.com

Post Breach Crisis Management
Have you carefully considered …
• With whom you will communicate?
• What you will communicate?
• How you will communicate?
• When you will communicate?
Constituents: Customers; Board of Directors; Privacy Commissioners; Shareholders; Auditors; Financial Analysts; Employees; Law Enforcement; Management; Media; Consumer Reporting Agencies; Payment Card Providers; Provincial Governments

Notification Timing
When should my notifications be released?
• Has the breach been contained?
• Has a reasonable investigation been concluded?
• Some Provinces require notification in a timely manner
• Are you comfortable with knowing enough about the event?
• Are you being transparent and truly helping the victims?
• Have you considered the timing of notification to the Privacy Commissioners’ offices?

Responding to Questions and Answering Calls – “The Call Center”
• Deliver remedy with notification
• Avoid deluge of calls
• Remove frustration from victims
Who will the victims call?
• Availability
• Language barriers
• Knowledge of event
• Knowledge of identity theft concerns
  – Non-credit related fraud: Employment fraud, Cheque, Healthcare, Utility and Insurance
  – Ability to investigate and provide an affidavit for liability
  – Pre-existing conditions: Incorrect information in credit report; Unrelated rejection for credit; Insurance fraud

Providing Protection to Victims
What services will you make available?
• Protection against credit and non-credit fraud
• Investigative services for non-credit fraud
• Handling of inconsistent cross-bureau data
• Insurance
How will the services you provide help victims of ID Theft?
• Government issued ID fraud, healthcare fraud, insurance fraud, check fraud, employment fraud, utility fraud (80% of fraud)
• Investigators
• DIY kits
How will you handle the deceased, minors and expatriates?
• Unique notification
• Credit services not an option

Best Practices – Breach Preparedness and Prevention
• Maintain a Cyber Risk Transfer Instrument
• Have a Proper Background Screening Program for new hires and vendors.
• Pre-Arrange a Breach Service Provider, Outside Counsel and Reputational Risk Advisor
  – All specializing in Privacy Law and Breach Crisis Management
• Provide “Certification” through e-Learning to employee base on safeguarding data
• Develop an Incident Response Plan
  – Internal Staff, Outside Counsel, Reputational Risk Advisor, Breach Service Provider
• Conduct annual Risk Assessments and Tabletop Exercises.
• Hold an internal “Privacy Summit” to identify vulnerabilities
  – Risk, Compliance and Privacy, HR, Legal, IT, C-level representation (CFO), Physical Security / Facilities
• Keep General Counsel’s office current on the various federal and provincial disclosure laws and updates

Best Practices – Breach Crisis Management
• Retain an outside counsel who specializes in Privacy Law and Breach Crisis Management
• Notify Correctly vs. Quickly
  – Defuse anger and emotion among constituents
  – Provide remedy with notification
  – Identify an accurate breach universe to minimize public exposure to the event
  – Unique constituents
• Leverage an Outside Call Center
• Retain a Reputational Risk Advisor who specializes in Breach Crisis Management
• Investigate – Investigate – Investigate
  – Have outside counsel retain any data forensics investigation
  – Potentially minimize public exposure to event
• Leverage a Breach Service Provider to conduct Recovery
  – Pre-Existing ID Theft Victims
  – More thorough recovery and restoration

Kroll Breach Response Services
Enrollment and Notification Services
– Enrollment of constituents from a breach universe
– Construction, compliance review, print & delivery fulfillment of notifications
– Address Verification Services
Solution Support Center
– Fully Canadian-based and fully bilingual call center specially trained for ID Theft Issues
– Triage Center: General ID Theft questions, issues or concerns
– Credit Specialists for credit-related matters on your credit report or credit monitoring service
– Certified Investigators for fraud consultation and restoration matters
Identity Monitoring Services
– Assistance in ordering 2 bureau credit reports
– Real-time 1 Bureau Credit Monitoring and Alerts (optional, requires independent agreement with Equifax Canada)
– Non-Credit Monitoring Services
– Monitoring Services for Minors
Fraud Consultation
– Use of Kroll’s Certified Investigators for consultation on a potential fraud matter.
Identity Restoration
– Use of Kroll’s Certified Investigators for restoration services on behalf of the victim.
– Remove the burden of restoration from the victim with an assigned Certified Investigator
– Assure a more thorough recovery by leveraging a credentialed Certified Investigator

Thank You
Alex Ricardo, CIPP, Zone Leader – Eastern US and Canada, Nationwide, Kroll Fraud Solutions
1166 Avenue of the Americas, New York, NY 10036
Office: 212.833.3354 Cell: 646.934.4100 (24/7) Email: [email protected]
For More Information: www.KrollFraudSolutions.com

Issues in Risk Management: Privacy and Data Breach – Understanding the Risk and Managing a Crisis
Robert Parisi, Senior Vice President, Marsh USA Inc.

Risk Overview
What are the risks?
Privacy, computer, and network security are not just Internet issues. Any entity that transacts business using:
– a computer network; or
– confidential information
is at risk.
3000 B.C. – Chinese merchants disperse shipments so as to minimize the risk of total loss.
“Essentially, data loss is no longer a question of what if? The only question is when?” And how severe.

What are the risks? Part II
• Legal liability to others for computer security breaches
• Legal liability to others for privacy breaches
• Regulatory actions and scrutiny
• Loss or damage to data / information
• Loss of revenue due to a computer attack
• Extra expense to recover / respond to a computer attack
• Loss or damage to reputation
• Cyber-extortion
• Cyber-terrorism

Threat Environment
• Social Media/Networking
• Technology:
  – Hackers, viruses, etc.
• Internal:
  – Structural vulnerability
  – Rogue employees
  – Careless staff
• Old School:
  – Laptop theft
• External:
  – Dumpster diving
  – Organized crime: Foreign; Domestic
  – Hackers
  – Phishing
• Regulatory
Risk Identification (Potential Risk Event – Likelihood / Potential Impact)
• Legal liability to others for privacy breaches – High / High
• Privacy breach notification costs and credit monitoring – High / Medium
• Privacy regulatory action defense and fines – Low / Medium
• Costs to repair damage to your information assets – Low / Medium
• Loss of revenue due to a failure of security or computer attack – Medium (overall), High (e-commerce) / Medium (overall), High (e-commerce)
• Loss of revenue due to a failure of security at a dependent technology provider – Low / Medium
• Cyber-extortion threat – Low / Medium
• Website copyright / trademark infringement claims; Legal liability to others for computer security breaches (non-privacy) – ratings for these two rows as extracted: Low, Low, Low - Medium, Medium

Coverage Overview
What are the gaps in traditional policies?
Traditional insurance was written for a world that no longer exists. Attempting to fit all of the risks a business faces today into a traditional policy is like putting a round peg into a square hole.
– Errors and Omissions (E&O): Even a broadly worded E&O policy is still tied to “professional services” and often further tied to a requirement that there be an act of negligence.
– Commercial General Liability (CGL): Covers only bodily injury and tangible property. The Advertising Injury / Personal Injury (AI/PI) section has potential exclusions/limitations in the area of web advertising.
– Property: Courts have consistently held that data isn’t “property”; the “direct physical loss” requirement is not satisfied.
– Crime: Requires intent and only covers money, securities, and tangible property.
– Kidnap and Ransom (K&R): No coverage without amendment for “cyber-extortion.”

Security and Privacy Insurance Policy – Coverage Overview
Note: All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies.
Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk.
Legend: Not covered / Covered / See notes / Dependent upon specifics of claims, may not be covered
Policies compared: Property; General Liability; Traditional Fidelity Bond; Computer Crime; E&O; Special Risk; Broad Privacy and Cyber Policy (the per-policy coverage marks were not captured; the Broad Privacy and Cyber Policy coverage part is given for each peril below).
Privacy and Cyber Perils:
• Destruction, corruption, or theft of your electronic information assets/data due to failure of computer or network security – Information asset protection
• Theft of your computer systems resources – Information asset protection
• Business interruption due to a material interruption in an element of your computer system due to failure of computer or network security (including extra expense and forensic expenses) – Network Business Interruption
• Business interruption due to your service provider suffering an outage as a result of a failure of its computer or network security – Network Business Interruption (sub-limited or expanded based upon risk profile)
• Indemnification of your notification costs, including credit monitoring services – Privacy Liability (sub-limited)
• Defense of regulatory action due to a breach of privacy regulation – Privacy Liability (sub-limited)
• Coverage for fines and penalties due to a breach of privacy regulation – Privacy Liability
• Threats or extortion relating to release of confidential information or breach of computer security – Cyber Extortion
• Liability resulting from disclosure of electronic information and electronic information assets – Network Operations Security
• Liability from disclosure of confidential commercial and/or personal information (i.e. breach of privacy) – Privacy Liability
• Liability for economic harm suffered by others from a failure of your computer or network security (including written policies and procedures designed to prevent such occurrences) – Network Operations Security
Coverage Overview
• Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
• Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody, or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
• Crisis Management and Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for a forensic investigation or for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations.

Coverage Overview (continued)
• Cyber Extortion: Ransom or investigative expenses associated with a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured; introduce malicious code into your computer system; corrupt, damage, or destroy your computer system; or restrict or hinder access to your computer system.
• Network Business Interruption: Reimbursement of your loss of income and / or extra expense resulting from an interruption or suspension of computer systems due to a failure of network security to prevent a security breach. Includes sub-limited coverage for dependent business interruption.
• Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (i.e.
software applications) that are corrupted or destroyed by a computer attack.

Privacy Liability – Why is it different from cyber liability?
Breach of Privacy:
– Disclosure of confidential information: Personal; Commercial
– Cause doesn’t matter: Negligence; Intentional acts; Computers; Vendors; Dumpsters; Phishing; Employees
Damages / Covered Loss:
– Legal liability
– Defense and claims expenses
– Regulatory defense costs
– Vicarious liability when control of information is outsourced
Crisis Coverage:
– Credit remediation, credit monitoring, and ID theft investigation
– Forensic expenses
– Cover for crisis and public relations expenses
– Cover for notification costs

Benchmarking and Risk Modeling
Privacy Event Modeling: Potential Value of a Privacy Event Based Upon Number of Records Compromised
Number of Records Compromised: 100,000 / 250,000 / 500,000 / 1,000,000
• Privacy Notification Costs: $400,000 / $1,000,000 / $2,000,000 / $4,000,000
• Call Center Costs: $100,000 / $250,000 / $500,000 / $1,000,000
• Credit Monitoring Cost: $1,000,000 / $2,500,000 / $5,000,000 / $10,000,000
• Identity Theft Repair: $500,000 / $1,250,000 / $2,500,000 / $5,000,000
• Total Estimated Expenses**: $2,000,000 / $5,000,000 / $10,000,000 / $20,000,000
Assumptions:
– Notification costs – $4 per record
– Call center costs – $5 per call (20 percent expected participation)
– Credit monitoring – $50 per record (20 percent expected participation)
– Identity theft repair – $500 per record (5 percent of those monitored experience theft)
**Regulatory Actions: Since a regulatory action usually precedes the civil action, substantial legal and forensic expense can be incurred even for events where no one is actually harmed or even at risk of harm.
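The modelling slide above gives four cost lines and their assumptions but not the rate they collapse to. The following is an added example, not Marsh's tooling: it implements the slide's components with its stated participation rates, reproduces the table, derives the all-in cost per record, and lets the assumptions be varied for a sensitivity check. The class and function names are mine.

```python
"""Privacy-event cost model following the Marsh benchmarking slide.

Added example, not Marsh's own tooling. Default assumptions are the slide's:
notification $4/record; call center $5/call at 20% participation; credit
monitoring $50/record at 20% participation; identity theft repair $500 per
victim, with 5% of those monitored experiencing theft.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CostAssumptions:
    notification_per_record: float = 4.0
    call_cost: float = 5.0
    call_participation: float = 0.20
    monitoring_per_record: float = 50.0
    monitoring_participation: float = 0.20
    repair_per_victim: float = 500.0
    theft_rate_among_monitored: float = 0.05


# Record-count tiers shown on the slide.
SLIDE_TIERS = (100_000, 250_000, 500_000, 1_000_000)


def per_record_cost(a: CostAssumptions = CostAssumptions()) -> float:
    """Expected all-in cost per compromised record.

    Every component on the slide scales with the record count, so the model
    collapses to one rate: 4 + 5*0.2 + 50*0.2 + 500*0.2*0.05 = $20 per record
    under the slide's assumptions.
    """
    return (a.notification_per_record
            + a.call_cost * a.call_participation
            + a.monitoring_per_record * a.monitoring_participation
            + a.repair_per_victim * a.monitoring_participation
            * a.theft_rate_among_monitored)


def estimate_privacy_event(records: int, a: CostAssumptions = CostAssumptions()) -> dict:
    """Break an event of `records` compromised records into the slide's four lines.

    Participant counts are rounded to whole people before multiplying, so the
    dollar figures are integers and match the slide's table exactly.
    """
    if records < 0:
        raise ValueError("record count cannot be negative")
    callers = round(records * a.call_participation)
    monitored = round(records * a.monitoring_participation)
    victims = round(monitored * a.theft_rate_among_monitored)
    costs = {
        "notification": round(records * a.notification_per_record),
        "call_center": round(callers * a.call_cost),
        "credit_monitoring": round(monitored * a.monitoring_per_record),
        "identity_theft_repair": round(victims * a.repair_per_victim),
    }
    costs["total"] = sum(costs.values())
    return costs


def cost_table(tiers=SLIDE_TIERS, a: CostAssumptions = CostAssumptions()) -> dict:
    """Reproduce the slide's table as {records: {component: dollars}}."""
    return {n: estimate_privacy_event(n, a) for n in tiers}


def records_within_budget(budget: float, a: CostAssumptions = CostAssumptions()) -> int:
    """Largest breach (in records) whose modelled expense stays within `budget`.

    Useful when reading a sub-limit, such as the sub-limited notification cover
    mentioned in the coverage matrix, against the size of breach it would absorb.
    """
    return int(budget // per_record_cost(a))


if __name__ == "__main__":
    for n, row in cost_table().items():
        print(f"{n:>9,} records: " + ", ".join(f"{k}=${v:,}" for k, v in row.items()))
    # Sensitivity check: what if 40% of affected people take up credit monitoring?
    heavier = CostAssumptions(monitoring_participation=0.40)
    print(f"per-record cost at 40% monitoring uptake: ${per_record_cost(heavier):,.2f}")
```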
Recent Paid Claims
• Employee of mortgage lender sold applicant information to third parties: Amount paid by insurer for notices and claim: $15,000,000 (excess layers also impacted)
• Employee of credit union who sold information to outsiders: Amount paid by insurer for liability claim and first party loss: $1,800,000
• Third party hacker stole credit card information: Amount paid by insurer for liability claim: $5,000,000 (Note that this was the primary policy limit. Claim eroded excess limits as well.)
• Third party hacker stole passwords and used passwords to gain access to personal information: Amount paid by insurer for liability claim (class action): $8,000,000+
• Employee sold customer data to others: Amount paid by insurer for liability claim: $9.1M
• Employee stole and sold information to identity theft ring: Amount paid by insurer for notice and liability claim: $2.6M
• Unauthorized access to database resulting from stolen passwords: $4.5M
• Insured's employees released proprietary information of the claimant to third parties: $715K
Source: various carriers
Actual Paid Claims (con’t)
• Employee misappropriated confidential information from a competitor: Amount paid by insurer for liability claim: $200,000
• Rogue employee at medical provider stole and sold over 40,000 patient records containing Personally Identifiable Information: Amount paid by insurer for notification costs: $675,000
• Insured lost tapes containing medical insurance information and social security numbers (SSNs): Amount paid by insurer for call center services and credit monitoring costs: $400,000 + other pending costs
• Rogue employee stole and sold customer data of over 3,000,000 customers to others: Amount paid by insurer for liability claim and notification / credit monitoring: $7.1M
• Hotel network was hacked, gaining access to personally identifiable information: Amount paid by insurer for notification costs, forensic investigation, crisis management, and credit monitoring: $420,000 + other pending costs
• Insured accidentally published non-public student information on their Web site: Amount paid by insurer for notification and credit monitoring costs: $100,000+
• Employee of a college accidentally emailed personal information of over 20,000 students: Amount paid by insurer for notification and call center costs: $38,000
Source: Chartis

The Marsh Approach – MMC Privacy Solution
• Placement of coverage is the last step in the process
• Insurance is never a valid alternative to good risk management
• Similarly, relying upon technology as some mythical “silver bullet” that will defend against all risks is to turn a blind eye to major risks facing every commercial entity
• Marsh’s approach to the privacy and cyber risks combines elements of:
  – Assessment;
  – Remediation;
  – Prevention;
  – Education; and
  – Risk transfer.
MMC Privacy Solution: Assessment
– Specialized privacy and information security assessment to assist you in evaluating internal policies and procedures related to human, physical, and network security, privacy, and breach preparedness.
– Risk Mapping: Once the privacy and information security assessment has been completed, Marsh works with you to identify your potential exposure to a breach. This includes a scorecard, a gap analysis of your breach response policies and procedures, and a risk map identifying and evaluating both the severity and probability of key privacy and information security risks.
– Benchmarking and Modeling: Going beyond simply matching you against what your peers do, Marsh will add a layer of benchmarking that details the costs and expenses associated with likely risk scenarios, including an analysis of a catastrophic privacy and information security event.
– Coverage Gap Analysis: Marsh reviews your in-force insurance policies to determine what coverage may be available to respond to claims and losses in the event of a computer attack, breach of privacy, or loss of confidential information.

The Underwriting Process
Underwriting Process for E-Business Insurance
• Quote process: Application
• Security self-assessment:
  – Security ISO 27001/2
• Approach to underwriting is different by insurer
• Principal primary markets:
  – CNA
  – ACE
  – AXIS
  – CHUBB
  – Beazley
  – Hiscox
  – Chartis
  – KILN
• Market capacity: over $400 million

Thank You
Robert Parisi, Senior Vice President, FINPRO National Practice Leader for Tech/Telecom E&O and Network Risk, Marsh
1166 Avenue of the Americas, New York, NY 10036
Office: 212.345.5924 Email: [email protected]
For More Information: www.marsh.com
Legal Notice
The information contained herein is based on sources we believe reliable, but we did not verify nor do we guarantee its accuracy. It should be understood to be general risk management and insurance information only. Marsh makes no representations or warranties, expressed or implied, concerning the financial condition, solvency, or application of policy wordings of insurers or reinsurers nor does Marsh make any representations or warranty that coverages may be placed on terms acceptable to you. The information contained in this presentation provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation, and should not be relied upon as such. Statements concerning tax and/or legal matters should be understood to be general observations based solely on our experience as risk consultants and insurance brokers and should not be relied upon as tax and/or legal advice, which we are not authorized to provide. Insureds should consult their own qualified insurance, tax and/or legal advisors regarding specific risk management and insurance coverage issues. Marsh assumes no responsibility for any loss or damage sustained in reliance of this presentation.
Marsh is part of the family of MMC companies, including Guy Carpenter, Mercer, and the Oliver Wyman Group (including Lippincott and NERA Economic Consulting). The materials, data and/or methodologies used in this presentation are proprietary to Marsh. This document or any portion of the information it contains may not be copied or reproduced in any form without the permission of Marsh Canada Limited, except that clients of any of the companies of MMC need not obtain such permission when using this report for their internal purposes, so long as this page is included with all such copies or reproductions.
Copyright 2010 Marsh Inc. All rights reserved.