Privacy
Today’s web-based technology and extensive public and private
computer networks afford the State of Oregon (Oregon) and your
residents, students, employees, and others more speed and
convenience in delivering your services and business functions than
ever before. However, the benefits of technology are also fraught with
new and complex risks. These include computer security breaches,
information theft, extortion and business interruption due to viruses,
worms, malicious code or hacker attacks, and identity theft losses
through security breaches and phishing techniques.
Downstream Liability
There can be a liability risk to third parties – vendors, university alumni,
research business partners, airlines – for passing on malicious code or
facilitating an attack via your network.
businesses must notify state residents of data breaches involving their
computerized personal information. The law took effect on October 1, 2007.
Compliance with the HIPAA security regulations went into effect April
20, 2005. All health plans, health care clearinghouses, hospitals,
clinics, and providers who transmit any health information in electronic
form must now comply with the Electronic Protected Health
Information (ePHI) regulations. You need to ensure the integrity and
confidentiality of individually identifiable health information and protect
against any anticipated unauthorized access from insiders as well as
outsiders (hackers) so as to prevent theft, misuse or destruction of
Electronic Protected Health Information.
Example losses (incident -- loss amount):
Retailer had data stolen from a database for 108 of the chain's 175 stores -- $6,500,000 to $9,500,000
Retailer had credit card data compromised on as many as 180,000 customers who held private-label branded credit cards -- $1,600,000
Restaurant allowed credit card data to be accessed due to a network security breach -- $725,000
Information collector/broker disclosed sensitive and personal information on over a hundred thousand Americans -- Policy Limit Loss ($15,000,000 reserved)
Financial institution had a security-related Network Business Interruption Loss -- $25,000,000+
Credit card processor infected by a virus-like computer script which exposed millions of credit card holder details -- Policy Limit Loss ($15,000,000 reserved)
Online marketplace suffered a security breach -- Policy Limit Loss ($25,000,000 reserved)
Lawsuit related to the alleged unlawful use of electronic driver’s license information; case is still pending class certification -- $700,000+ to date
Computer virus infects insured’s computer system, attaching to software installed on insured’s product; only discovered after the “infected” product is shipped -- $14,000,000
Disgruntled employee continuously corrupts data in a system used to improve his company’s product already on the market; corruption causes delays, cost overruns, and other problems -- $50,000,000+
Organized crime group obtains customer information and product serial numbers from a company’s computer systems that handle replacement shipments for defective products, then inputs fraudulent information causing replacement products to be shipped to locations where they are collected by the crime group and sold on the black market -- $10,000,000+
Most insurance policies have the following gaps. We can review Oregon’s
primary P&C policies (Property, CGL, Crime, and Professional Liability) to
provide more specific detail on your coverage and recommendations on
how to further mitigate the risk.
Property:
Usually requires physical damage to a tangible asset to trigger coverage.
Data is not considered tangible property in most policies. Also, computer
viruses and hacker attacks seldom damage your systems “physically.”
Also, most property policies include computer virus exclusions, or provide
for small sub-limits of coverage.
General Liability:
Physical damage or bodily injury trigger is not activated in a network
security breach. Advertising Injury and Personal Injury coverage can be
difficult to trigger as a result of intentional and/or criminal acts, like breach
of confidential data due to a hacker or computer virus.
Crime:
Covers theft of money and securities, but often does not cover the theft of
data, information, and account numbers (including credit card data).
Professional Liability/E&O:
Intentional acts are usually excluded. Often, an event such as a security
breach can not only harm your client, but also your client’s customers.
Many E&O policies do not respond to these types of security
breach/disclosure of sensitive data events.
Cyber Risk Insurance
Cyber Risk insurance provides both first- and third-party protection for risks
incurred by Oregon’s Internet and network operations.
What kinds of perils can be included?
Implantation or spread of a Computer Virus
Security breaches such as unauthorized access and unauthorized use
Content Infringement (website copyright, trademark, domain names)
Cyber Extortion
Breach of Privacy / Identity Theft (electronic and non-electronic)
Denial of Service outages
Destruction, modification, or disclosure of electronic data
Loss of Business Income due to a network security breach
Information theft
Fraud (including theft of customer funds or credit card/account numbers)
Theft of computer system resources
Covered acts caused by Service Providers
Negligent release of confidential information
Expenses associated with breach of security notification requirements
Infringement of copyright, title, slogan, trademark, trade name/dress,
service marks or names.
Dependent Business Income Loss -- Earnings loss and/or expenses loss you
expect to sustain as a result of, and during, an e-Communications disruption
sustained by a third party on which you depend for the services to support your e-
Business Communications.
Restoration Costs -- The actual & necessary expenses you expect to incur to
replace, restore, or recreate your e-Business information assets to the level or
condition at which they existed prior to the loss.
Public Relations Expenses -- The actual & necessary expense fees & costs you
expect to pay to an approved public relations consultant for planning & executing
your public relations campaign in order to protect or restore your professional
reputation in response to media coverage of any: e-Communications disruption,
network interruption or qualifying cause. Up to $1,000,000 for costs associated
with notifying consumers of the potential breach of their personal identifiable
information (i.e. Identity Theft; Ca. Consumer Data Protection law as well as other
security breach laws).
your direct control, or to divulge, disseminate or utilize your e Business
information assets without authorization.
Optional Service:
How do you identify and assess Oregon’s Information Risks?
Willis can perform an Information Risk Assessment to assist you in your analysis
of your information and network risks, the risk mitigation tools you have in place, and the
insurance currently in place to transfer risk. After reviewing your security, policies
and procedures, and your current insurance program, we can determine whether
your current insurance programs are sufficient to mitigate such risk or whether
additional enhancements or products should be considered.
Integrity – the impact to the business if the wrong information is used to make decisions
Availability – the impact if critical information is not available for use when needed
Business Continuity
Downtime
Physical events and non-physical events (e.g. fire, administrative / programming error, hacker, DDoS)
Threat Identification - Willis will conduct on-site interviews and/or small work-group sessions with key management team members and technology
administrators to uncover potential threat agents that may impact the
confidentiality, integrity and availability of the organization’s information. We will
leverage resources provided by industry and federal agencies to determine the
risk from natural, human, environmental and technical threats.
Insurance Policy Gap Analysis - Willis will assess your existing insurance
policies in terms of coverage terms, limitations, retentions and other conditions of
coverage, particularly the Property, General Liability, Crime, and Errors &
Omissions policies. Details regarding historical claims or suits related to the
organization’s information and technology infrastructure are also reviewed.