Cyber and Data Breach Losses, - PowerPoint Presentation

calandra-battersby
calandra-battersby . @calandra-battersby
Follow
437 views
Uploaded On 2017-11-13

Cyber and Data Breach Losses, - PPT Presentation

Recent US Court Decisions Risk Management and Investigations Jean M Lawler and Jean M Daly Murchison amp Cumming LLP Los Angeles CA wwwmurchisonlawcom Cyber and Data Breach Losses in the US ID: 605243

coverage data court breach data coverage breach court cyber information 2015 policy 2014 records federal travelers holding medical 2016

Share:

Link:

Embed:

Download Presentation from below link

Download Presentation The PPT/PDF document "Cyber and Data Breach Losses," is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Slide1

Cyber and Data Breach Losses, Recent U.S. Court Decisions, Risk Management and Investigations

Jean M. Lawler and Jean M. Daly

Murchison & Cumming, LLP

Los Angeles, CA

www.murchisonlaw.com

Slide2

Cyber and Data Breach Losses in the US - Quantifying Costs & Vulnerable Industries

Slide3

Cyber Risks = Privacy, Security, Safety

Infiltration and Attack on Computer Systems for Unauthorized or Criminal Purposes

Terrorism

Damage to Computers, Data, Software

Data Breach in the Traditional Sense

The release of secure information to an unsecure or non-trustworthy environment.

A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, or used by unauthorized individuals.

Slide4

Reported Financial Impact of Data Breaches

TJ Maxx (2007) $162m

Heartland Payment Systems (2007) $140m

Epsilon (2011) $100m-$4 billion

Sony PlayStation (2011) $171m

Vet. Admin. (2013) Up to $500m

Hannaford Bros. (2013) $252m

Target (2013) $250m (to date)

Home Depot (2014) $56m (to date)

Anthem (2014) $100m (to date)

Sony (2014) $100m

Slide5

Reported Average Breach Costs

Data Breach – average cost in 2015 increased 23% over 2014, to $3.79 million.

Cost Paid per Lost or Stolen Record – average cost in 2015 was $154, up from $145 in 2014.

Slide6

2013 Target Breach - by the Numbers

1,800 stores breached

40 million cards stolen

70 million personal information records stolen

90 lawsuits

46% Loss in Profits

$100 Million in security upgrades

Slide7

2015 Ashley Madison – By the Numbers

30 million names & personal info released

At least 3 suicides, destruction of careers, extortion, blackmail and divorce

Five class action lawsuits filed in US and one in Canada; each seeking $500m+ in damages

Customers reported to be located in all US zip codes except three:

Nikolai, Alaska, pop. 94 (2010);

Perryville Alaska, pop. 113 (2010) – only 10 households with internet;

Polvadera, New Mexico, pop. 269 (2010) – can't get internet reception in area

Slide8

Vulnerable Industries

The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has reported that in the year ending September 30, 2015, there were 295 cyber incidents, including 97 reported attacks against the critical manufacturing sector: primary metals, machinery, and electrical and transportation equipment.

Slide9

Vulnerable Industries – Law Firms

At special risk due to the client information they maintain – potential use for insider trading and other criminal activity.

March 26, 2016 – WSJ report details the risks; 2016 – FBI issues alert to law firms.

March 30, 2016 – American Lawyer article re attacks on law firms, including Cravath. "Panama Papers".

May 5, 2016 – Law360 reports that class action plaintiff firms announce they are gearing up to bring malpractice suits v. law firms re exposure of client information/failure to properly secure it.

Slide10

Vulnerable Industries - Healthcare

Since 2010, at least 158 medical providers, insurers and hospitals have been hacked, including patient records, insulin pumps, heart monitors, x-ray communications systems and other medical devices.

July 2014, Community Health Systems (second largest for-profit hospital system in U.S.) - 4.5 million patient records stolen.

July 2015, 4.5 million patient records hacked from UCLA Health System.

2016, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 ransom in bitcoin.

Slide11

Vulnerable Industries - Hospitality

Key Areas of Vulnerability for Hotels:

Daily Operations – use of credit cards

Theft by Employees

Public Wi-Fi Access

General Computer Network Systems

February 2014 – Las Vegas Sands Casino attacked by Iranian hackers who brought the operation to a standstill by shutting down PCs, servers and wiping hard drives clean. (Reportedly in retaliation for CEO comments about Iranian govt.)

2015 data breaches at Las Vegas Hard Rock Hotel

Slide12

Vulnerable Industries - Universities

In 2014, 30 university data breaches via hacking and malware. Five reported to have been larger than the Sony hack:

University of Maryland: 300,000+ student and faculty records, including DOBs/SSNs

North Dakota University: 300,000+ names, SSNs

Butler University: 200,000+ DOBs, driver licenses, SSNs, and bank accounts

Indiana University: 146,000+ SSNs

Arkansas State University: 50,000+ SSNs

Other Schools: UC Santa Barbara, Iowa State, Johns Hopkins, Penn State, Auburn, UC Irvine, etc.

Slide13

Vulnerable Industries - Insurance

Companies reported to have been targeted for cyber losses in 2015 include:

Millers Mutual Group

Blue Cross/Blue Shield (various companies)

CEMEX Inc Health Plan

Partners Healthcare

Summit Health

St. Agnes Health Care

Slide14

New and Emerging Risks

Cyber attacks on Internet-connected devices. The most famous example is the use of the computer virus Stuxnet to weaken Iran's nuclear facilities.

The most recent example is the attack on a German steel mill.

Other attacks are in the "research stages", e.g. attacks focused on targeting connected vehicles.

Attacks on infrastructure and services - utilities, banking systems, governments, transportation

See Lloyds May 2015 “Business Blackout” Risk Assessment

Emerging risks losses will eclipse the massive cyber losses seen to date.

Slide15

Coverage Litigation for U.S. Cyber Losses – What are the U.S. Courts Saying?

Slide16

CGL Policy – 4th Cir. Federal Court 2016

Potential Coverage for Data Breach

Travelers Prop. Cas. Co. of Am. v. Portal Healthcare Solutions, LLC, US Court of Appeals for the 4th Circuit. 2016 U.S. App. LEXIS 6554, Unpublished Decision, April 11, 2016.

Facts: Portal's business was electronic safekeeping of medical records for hospitals, clinics, and other medical providers. Medical records of patients at Glen Falls, VA hospital were posted to the internet, so that they were publicly accessible. A putative class action lawsuit alleged that Portal had failed to secure its server, so that unauthorized users could access online medical records.

Holding:

Potential for Coverage and Duty to Defend under Coverage B.

Enumerated offense – electronic publication of material regarding a person's private life. This was a "publication" that invaded the patients' right of privacy.

Slide17

CGL Policy – Connecticut Supreme Court 2015

No Coverage for Data Breach

Recall Total Information Management v. Federal Insurance Co. (Conn. S. Ct. 2015) 115 A.3d 458. Connecticut Supreme Court, May 2015.

Note: This is the first state high court to rule on the availability of coverage for a data breach under a CGL policy.

Facts: A cart holding IBM computer tapes fell out of the back of a transportation contractor's van, onto the roadway, near a highway exit ramp. Approximately 130 tapes, which contained social security numbers, birth dates and contact information for past and present IBM employees, were recovered from the road.

Holding: No Coverage.

Coverage B – There was no "publication" of material that violated a person's right to privacy. There was no indication that anyone ever accessed the confidential information on the tapes.

Slide18

CGL Policy – NY State Court 2014

No Coverage for Data Breach

Zurich Am. Ins. Co. v. Sony Corp. (NY S. Ct., Feb. 2014, No. 651982/2011) 2014 NY Misc. LEXIS 5141

Facts: This involved the 2014 Sony PlayStation hack, where confidential information of millions of users was stolen from Sony's PlayStation Network. The question raised in the declaratory relief action was whether the accessing of data by attackers amounts to a publication by the insured. The hack was initiated and completed by an outside third party.

Holding: No Coverage

Coverage B – the release of the confidential data constituted a "publication" of material. However, the enumerated offense of oral or written publication of material that violates a person's right to privacy could not be triggered through the actions of third parties; the publicity or disclosure must be by the insured.

Slide19

CGL Policy – California Appellate 2009

No Coverage for Data Breach

Tom Joseph Santos v. Peerless Ins. Co. 2009 Cal. App. LEXIS 3415

Facts: Policyholder Santos was an officer and owner of a company that had been authorized to resell and provide services for Apple products. Apple claimed that Santos had breached the Apple computer network to access nonpublic information, which Santos admitted. Santos sought defense and coverage.

Holding: No Coverage.

Coverage A – no “occurrence”. Breach was intentional.

Coverage B – no “personal or advertising injury” because it was not alleged that Apple’s privacy rights had been violated.

Slide20

D&O Policy – California Federal Court 2009

No Coverage for Data Breach

Greenwich Ins. Co. v. Media Breakaway LLC 2009 U.S. Dist. LEXIS 63454 (C.D. Cal. 2009). US District Court, Central District of California.

Facts: Media Breakaway was an on-line marketing company that rewarded its contractors and affiliates for directing Internet traffic to its websites. The affiliates hacked into the social media website MySpace and misappropriated user logins and passwords.

Holding: No coverage.

Underlying claims were predicated on alleged intentional wrongful conduct.

Exclusion for Profit from Illegal Actions ("profit…to which such insured is not legally entitled").

Slide21

Cyber Policy – Utah Federal Court 2016

No Coverage Because No "E&O Wrongful Act"

Travelers v. Federal Recovery Services Inc. ____ F. Supp. 3d ____ (2016)

United States District Court, Utah, January 12, 2016

Facts: Travelers Property Casualty of America provided a cyber insurance policy to Salt Lake City-based Federal Recovery Services, a business that provides processing, storage, transmission and other handling of electronic data for its customers. Federal Recovery had refused to transfer some requested data until Global Fitness Holdings, with which it had a contract, met certain demands for compensation. Global sued, and Federal Recovery sought a defense from Travelers under the policy.

Holding: No Coverage.

The complaint alleged knowledge, willfulness, and malice, while the Cyber First Policy covered only errors, omissions, and negligent acts. An "errors and omissions wrongful act" did not include intentional activities or willful misconduct.

Slide22

Cyber Policy – Illinois Federal Court 2015

Data Breach Subrogation Action Settled

Travelers Cas. & Surety Co. v. Ignition Studio, Inc. (N.D. Ill., filed Jan. 21, 2015, No. 1:15-cv-00608) United States District Court, Northern District of Illinois.

Facts: Travelers sought to recover from a third party amounts it had paid for data breach notification obligations on behalf of its insured, Alpine Bank. Alpine had hired Ignition Studio, Inc. to design and service the bank’s website. Travelers alleged that Ignition negligently designed and maintained the website, allowing hackers to access the site through the server on which it was hosted. Alpine spent over $150,000 complying with its data breach notification obligations, for which it was reimbursed by Travelers. Travelers sued as Alpine Bank’s assignee and subrogee.

Holding: In April 2015, Travelers settled with the web design company according to a stipulation filed with the court.

Slide23

Cyber Policy – California Federal Court 2015

DRA re Coverage for Data Breach Dismissed

Columbia Cas. Co. v. Cottage Healthcare Sys. (C.D. Cal., July 17, 2015, No. 2:15-cv-03432) 2015 US Dist. LEXIS 93456, US District Court, Central District of California.

Facts: Columbia sought to recoup $4.125 million it had paid under a reservation of rights for settlement of a class action suit arising from the disclosure of electronic medical records. Columbia alleged that the insured or its third-party vendor stored medical records on a system that was fully accessible from the internet without having installed security measures to protect the information. Columbia claimed that an exclusion barring coverage for a data breach claim arising out of any failure of an insured to continuously implement the procedures and risk controls identified in the insured's application for insurance applied to preclude coverage.

Holding: Case was dismissed on procedural grounds.

Slide24

ISO RESPONDS – CGL Exclusions Effective May 1, 2014

CG 21 06 05 14 – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability, with Bodily Injury Exception

CG 21 07 05 14 – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited BI Exception not included

CG 21 08 05 14 – Exclusion – Access or Disclosure of Confidential or Personal Information (Coverage B only)

Slide25

Assess, Investigate, Manage and Respond to an Attack or Breach

Slide26

Risk Management

Assessment of the Risk

Type of insured and its vulnerability

Type of data on computer system

Infrastructure

Potential time-sensitive vulnerability to a breach or hack

Slide27

Understand the Cyber Attack Lifecycle

First Phase: Initial Reconnaissance (the attacker conducts research on the target)

Identify websites that may be vulnerable to web application vulnerabilities

Analyze target organization's current or projected business activities

Understand the target organization's internal organization and products

Researching conferences attended by employees

Browsing social media sites to more effectively identify and socially-engineer employees

Second Phase: Initial Compromise

Third Phase: Establish a Foothold into the system

Fourth Phase: Escalate Privileges (obtain greater access)

Fifth Phase: Internal Reconnaissance (explore the environment)

Sixth Phase: Move Laterally (move from system to system internally)

Seventh Phase: Maintain Presence

Eighth Phase: Complete Mission (acquisition of material/information)

Slide28

General Investigation Techniques

Discovery of Breach

Data Retrieval – IP addresses or Internet Service Providers (ISP)

Device based

Data Investigation – time stamps, images, text documents, GPS locations, encrypted data

Slide29

Law Enforcement Techniques

Utility of Digital Evidence

Receiving Digital Evidence

Preserving Digital Evidence

Recovering Digital Evidence (digital forensics)

Understanding Digital Evidence (experts)

Discovery of Breach

Stop the breach/recovery

Slide30

Working with Law Enforcement

Relationship and Interaction with Law Enforcement

Assess the situation

Conduct initial investigation

Identify possible evidence

Secure devices, preserve evidence and court orders

Potential prosecutions and insurance issues

Slide31

Concluding Comments and Observations

Thank you.

Slide32

Cyber and Data Breach Losses, Recent U.S. Court Decisions, Risk Management and Investigations

Jean M. Lawler and Jean M. Daly

Murchison & Cumming, LLP

Los Angeles, CA

www.murchisonlaw.com