Network Security and Privacy

Today’s web-based technology and extensive public and private
computer networks afford the State of Oregon (Oregon) and your
residents, students, employees, and others more speed and
convenience in delivering your services and business functions than
ever before. However, the benefits of technology are also fraught with
new and complex risks. These include computer security breaches,
information theft, extortion and business interruption due to viruses,
worms, malicious code or hacker attacks, and identity theft losses
through security breaches and phishing techniques.

Have you considered?

• How Oregon's services (e.g. transportation, education, law enforcement) would be affected if you were targeted in an attack that corrupted data, forcing you to bring down your network or a critical application?
• The liability risk associated with online access should a hacker gain unauthorized access to your confidential information (university endowment, DMV info such as SSNs, healthcare info) to perpetrate identity theft?
• The risk associated with disgruntled employees or service providers and their authorized access to your systems?
• The liability risk associated with distributing a denial of service attack out to your alliances and vendors?
• The cost to notify and the liability risk associated with state Security Breach Notification laws?

The insurance industry has responded to these developments by offering a range of products that protect against these perils. Understanding these products, what they cover and when they are appropriate is yet another layer of complexity in the management of cyber risks for Oregon. To begin with, Oregon should consider its exposure to several key network security and privacy risks.

Unauthorized Access or Use

At the heart of many of these exposures is unauthorized network access or use:
• From employees, vendors, students or outside hackers
• From a stolen/hacked user name and password, phishing incident or inappropriate acts of an authorized user
• From a virus, Trojan horse or other form of malicious code
• From a lost or stolen PDA, laptop, Blackberry or other mobile device

Malicious Code
The rising incidence of malicious code – viruses, worms, Trojan
horses – is causing network damage and crippling denial-of-service
attacks. Network or application disruptions can result in large losses
for educational institutions as you rely more and more on e-learning.

Theft of Proprietary and Competitive Data

Electronic theft of confidential data can wreak havoc on Oregon's educational institutions. Consider the research data that sits on a server at your universities.

Reliance on Network Operations

Network outages may result in the temporary shutdown of one of Oregon's critical operations. If critical business and operational functions are outsourced to vendors, day-to-day control over operations may be lost despite contractual agreements.

Downstream Liability
There can be a liability risk to third parties – vendors, university alumni,
research business partners, airlines – for passing on malicious code or
facilitating an attack via your network.

Changing Laws and Regulations

Insurance companies aren't the only ones responding to the rise of e-risks. Legislators have further raised network security to a strategic business concern and continue to impact financial institutions.

• Gramm-Leach-Bliley Act (GLBA) requires compliance for security and privacy of consumer financial data.
• Oregon Senate Bill 583 -- On July 12, 2007, Oregon's Governor Theodore Kulongoski signed the Oregon Consumer Identity Theft Protection Act (S.B. 583), a comprehensive data security law that creates two significant obligations for Oregon businesses (and companies that do business in Oregon). First, businesses must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information. This likely will require taking steps such as performing a risk assessment, preparing written policies and training employees. Second, businesses must notify state residents of data breaches involving their computerized personal information. The law took effect on October 1, 2007.
• Compliance with the HIPAA security regulations went into effect April 20, 2005. All health plans, health care clearinghouses, hospitals, clinics, and providers who transmit any health information in electronic form must now comply with the Electronic Protected Health Information regulations. You need to ensure the integrity and confidentiality of individually identifiable health information and protect against any anticipated unauthorized access from insiders as well as outsiders (hackers) so as to prevent theft, misuse or destruction of Electronically Protected Health Information.

Network Security / Privacy Claims & Incidents – Large Losses

Incident: Class action involving an insured who allowed third parties to obtain login IDs and passwords to sensitive personal data within its control. Loss: $5,000,000

Incident: Class action involving a credit card processing company that allowed a breach of network security to expose significant credit card data to data thieves. Loss: $5,000,000

Incident: Employee stole personal data and sold it to a gang of cyber-thieves who were able to use the data for fraud and identity theft. Loss: $2,100,000

Incident: Retailer breach allowed credit card data to be obtained. Loss: $16,000,000+

Incident: Retailer had data stolen from a database for 108 of the chain's 175 stores. Loss: $6,500,000 to $9,500,000

Incident: Retailer had credit card data compromised on as many as 180,000 customers who held private-label branded credit cards. Loss: $1,600,000

Incident: Restaurant allowed credit card data to be accessed due to a network security breach. Loss: $725,000

Incident: Information collector/broker disclosed sensitive and personal information on over a hundred thousand Americans. Loss: Policy Limit Loss ($15,000,000 reserved)

Incident: Financial institution had a security-related Network Business Interruption Loss. Loss: $25,000,000+

Incident: Credit card processor infected by a virus-like computer script which exposed millions of credit card holder details. Loss: Policy Limit Loss ($15,000,000 reserved)

Incident: Online marketplace suffered a security breach. Loss: Policy Limit Loss ($25,000,000 reserved)

Incident: Lawsuit related to the alleged unlawful use of electronic driver's license information. Case is still pending class certification. Loss: $700,000+ to date

Incident: Computer virus infected insured's computer system, attaching to software installed on insured's product. Only discovered after the "infected" product was shipped. Loss: $14,000,000

Incident: Disgruntled employee continuously corrupted data in a system used to improve his company's product already on the market. Corruption caused delays, cost overruns, and other problems. Loss: $50,000,000+

Incident: Organized crime group obtained customer information and product serial numbers from a company's computer systems that handle replacement shipments for defective products. The group input fraudulent information causing replacement products to be shipped to locations where they were collected by the crime group and sold on the black market. Loss: $10,000,000+

Are You Protected?

Most insurance policies have the following gaps. We can review Oregon's primary P&C policies (Property, CGL, Crime, and Professional Liability) to provide more specific detail on your coverage and recommendations on how to further mitigate the risk.

Property:
Usually requires physical damage to a tangible asset to trigger coverage. Data is not considered tangible property in most policies, and computer viruses and hacker attacks seldom damage your systems "physically." In addition, most property policies include computer virus exclusions, or provide only small sub-limits of coverage.

General Liability:
Physical damage or bodily injury trigger is not activated in a network security breach. Advertising Injury and Personal Injury coverage can be difficult to trigger as a result of intentional and/or criminal acts, like breach of confidential data due to a hacker or computer virus.

Crime:
Covers theft of money and securities, but often does not cover the theft of data, information, and account numbers (including credit card data).

Professional Liability/E&O:
Intentional acts are usually excluded. Often, an event such as a security breach can not only harm your client, but also your client's customers. Many E&O policies do not respond to these types of security breach/disclosure of sensitive data events.

Cyber Risk Insurance

Cyber Risk insurance provides both first- and third-party protection for risks incurred by Oregon's Internet and network operations.

What kinds of perils can be included?
• Implantation or spread of a Computer Virus
• Security breaches such as unauthorized access and unauthorized use
• Content Infringement (website copyright, trademark, domain names)
• Cyber Extortion
• Breach of Privacy / Identity Theft (electronic and non-electronic)
• Denial of Service outages
• Destruction, modification, or disclosure of electronic data
• Loss of Business Income due to a network security breach
• Information theft
• Fraud (including theft of customer funds or credit card/account numbers)
• Theft of computer system resources
• Covered acts caused by Service Providers
• Negligent release of confidential information
• Expenses associated with breach of security notification requirements

Insurance policies are modular. An insurance program can be built to provide protection for the following:

Network Liability -- Liability arising from the interruption of your e-Business communications caused by damage to your computer programs or data that results from virus, hacking, a denial of service attack, a denial of access or a simple mistake by your authorized personnel in the administration of your computer system or handling of your e-Business information assets (administrative error). This also includes liability for transmission of a computer virus to a third party via a covered computer system or the failure to prevent the use of your computer system in a denial of service attack.

Electronic Media Liability -- Actual or alleged acts committed in the course of your e-Business communications, including in the course of providing access, publishing, hosting, collaboration and conducting e-commerce. e-Publishing Offenses include:

• Defamation, libel & slander, product disparagement and trade libel
• Violation of rights of privacy
• Misappropriation and plagiarism of advertising ideas or materials or literary or artistic formats or styles or performances
• Infringement of copyright, title, slogan, trademark, trade name/dress, service marks or names.

Business Income Loss -- Comprised of Earnings Loss and/or Expenses Loss as defined below.

a) Earnings Loss: Loss of gross margin you sustain due to an e-Communications disruption from a qualifying cause, which exceeds the waiting period stated in the declarations.
b) Expenses Loss: The additional expense that you expect to incur during the period of the e-Communications disruption that is over and above the cost that reasonably and necessarily would have been incurred to conduct your business had no e-Communications disruption occurred (not including restoration costs or investigative expenses as defined below).

Dependent Business Income Loss -- Earnings loss and/or expenses loss you
expect to sustain as a result of, and during, an e-Communications disruption
sustained by a third party on which you depend for the services to support your e-
Business Communications.

Extended Business Income Loss or Extended Dependent Business Income Loss -- The business income loss or dependent business income loss you sustain during the period of restoration following an e-Communications disruption.

Restoration Costs -- The actual & necessary expenses you expect to incur to
replace, restore, or recreate your e-Business information assets to the level or
condition at which they existed prior to the loss.

Public Relations Expenses -- The actual & necessary expense fees & costs you
expect to pay to an approved public relations consultant for planning & executing
your public relations campaign in order to protect or restore your professional
reputation in response to media coverage of any: e-Communications disruption,
network interruption or qualifying cause. Up to $1,000,000 for costs associated
with notifying consumers of the potential breach of their personal identifiable
information (i.e. Identity Theft; Ca. Consumer Data Protection law as well as other
security breach laws).

Investigative Expenses -- The actual, reasonable and necessary expenses you incur during the waiting period to respond to an e-Communications disruption or to the occurrence of any damage to, destruction of or loss of use of your e-Business information assets, so that you may prevent, minimize or mitigate any further damage to your e-Business information assets, minimize the duration of the e-Communications disruption and gather preliminary forensic evidence to be used in making a determination of coverage to be provided under this policy and preserve critical evidence of any wrongdoing.

Extortion Threat(s) -- Amounts paid to terminate a threat to introduce unauthorized code into your computer system or a computer system that is under your direct control, or to divulge, disseminate or utilize your e-Business information assets without authorization.

Where do you begin?

To start the process of choosing the right cyber protection, we suggest the following action plan.
• Review your technical and information security policy safeguards
• Examine your current insurance programs for coverage and potential gaps
• Review and strengthen, as appropriate, your contracts with service providers and vendors, specifically organizations providing data, IT or security services
• Analyze your risks and vulnerabilities and plan for funding losses.

Optional Service:
How do you identify and assess Oregon’s Information Risks?

Willis can perform an Information Risk Assessment to assist you in your analysis of your information and network risks, the risk mitigation tools you have in place, and the insurance currently in place to transfer risk. After reviewing your security, policies and procedures, and your current insurance program, we can determine whether your current insurance programs would be sufficient to mitigate such risk or whether additional enhancements or products should be considered.

The assessment is primarily concerned with:

Integrity – the impact to the business if the wrong information is used to make decisions
• Damage to data and business interruption costs to fix corrupted information caused by malicious code, viruses, sabotage, etc.
• Liability for failure to serve residents/customers due to corrupted information

Confidentiality – the impact to services and business if critical information gets into the wrong hands
• Liabilities due to breach of privacy or sensitive information
• Impact on reputation due to a publicized breach
• Attorney-client privilege

Availability – the impact if critical information is not available for use when needed
• Business Continuity
• Downtime
• Physical events and non-physical events (e.g. fire, administrative / programming error, hacker, DDoS)

Willis will conduct an Information Risk Assessment to identify potential threats, vulnerabilities and liabilities associated with your use of data and information technology. Our process will include reviewing and assessing security policies, system documentation, security architecture, network vulnerabilities, system development processes, third-party contracts, interfaces/access controls for vendors, training materials, marketing materials and the overall capabilities of the company's information security controls.

The approach of the assessment includes the following:

Information Asset Identification - Willis will conduct on-site interviews to assess and identify the resources and information that constitute the system. Interviews will be concentrated on identifying the critical business systems with key management, IT personnel and users.

Threat Identification - Willis will conduct on-site interviews and/or small work-
group sessions with key management team members and technology
administrators to uncover potential threat agents that may impact the
confidentiality, integrity and availability of the organization’s information. We will
leverage resources provided by industry and federal agencies to determine the
risk from natural, human, environmental and technical threats.

Vulnerability Identification - Willis will conduct or review technical assessments to detect vulnerabilities and to check how effective the controls are at preventing unauthorized access due to those vulnerabilities.

Control Analysis - An important step is considering controls and mitigation steps already in place to reduce risk. Analyzing and measuring the controls will cover many areas including, but not limited to:

• Asset Classification and Control

Willis will assess countermeasures currently implemented to manage the security of information in the organization.

Insurance Policy Gap Analysis - Willis will assess your existing insurance policies in terms of coverage terms, limitations, retentions and other conditions of coverage, particularly the Property, General Liability, Crime, and Errors & Omissions policies. Details regarding historical claims or suits related to the organization's information and technology infrastructure are also reviewed.
