Know the Odds: The Cost of a Data Breach in 2017

Source: Security Intelligence: Larry Ponemon & Wendi Whitmore

We’ve all heard that when it comes to experiencing a data breach, the question is not if it will happen, but when. You may be wondering about the actual odds of it happening to your organization.

Think about it this way: The chances of being struck by lightning this year are 1 in 960,000. When it comes to experiencing a data breach, according to the Ponemon Institute’s “2017 Cost of Data Breach Study: Global Overview,” the odds are as high as 1 in 4. Therefore, organizations must understand the probability of being attacked, how it affects them and, even more importantly, which factors can reduce or increase the impact and cost of a data breach.

Rapid Response Drives Down the Cost of a Data Breach

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 12th annual “Cost of Data Breach Study” is out. The findings revealed that the average total cost of a data breach is $3.62 million in 2017, a decrease of 10 percent over last year. Additionally, the global average cost per record for this year’s report is $141, which represents a decrease of 11.4 percent over last year.

Despite the reduction in cost, the average size of a data breach increased by 1.8 percent to 24,089 records. The factors that influence the cost of a data breach vary by country and by the IT initiatives underway.

The good news is that organizations can take measures to minimize cost and impact. The 2017 “Cost of Data Breach Study” found that having access to an internal or outsourced incident response team has been the top cost-reducing factor for three years running. An incident response team typically accelerates the time frame in which security events can be contained, which is a significant factor in reducing the overall cost of a breach.

The IBM X-Force Incident Response and Intelligence Services (IRIS) team specializes in providing incident response planning, program development, remediation and threat intelligence to clients in over 133 countries. The team has experience responding to and helping to contain many of the largest data breaches in the world.

Five Steps to Accelerate Your Incident Response

Listed below are five additional tips to help accelerate your organization’s response to a breach.

  1. Speed to respond is critical. The more quickly you can identify what’s happened, what the attacker has access to, and how to contain and remove that access, the more successful you will be.
  2. Set up retainers in advance. In the event of a breach, an experienced team of incident response experts can help you quickly identify and contain the attack, and minimize costly delays.
  3. Access the data needed to answer investigative questions. Be prepared to provide responders with logs and tools to help them understand what happened. For example, what did the attackers access and what did they copy or remove from your environment?
  4. Mitigate the attacker’s access quickly. Plan with the IT staff in advance to understand how to be effective and efficient in a crisis. Consider the following:
    1. How to execute an enterprisewide password reset quickly;
    2. How to reset your service accounts; and
    3. How many of your service accounts have domain administrator credentials.
  5. Establish an internal communications plan. If you have to shut down parts of your environment or reset thousands of users’ passwords, your employees will have a lot of questions, and the resulting speculation can have critical ramifications, so it’s important to document a plan to ensure that your employees understand what they can and cannot share publicly.

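As an added example (not from the article or from IBM), one way to answer the third question in step 4 ahead of a crisis is to inventory which service accounts sit in Domain Admins; it assumes the RSAT ActiveDirectory module and read access to the domain, and the output path is a placeholder:

```powershell
# Added example: list service accounts that hold Domain Admins membership
# so the incident response plan can name them before a reset is needed.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Treat any user account carrying a ServicePrincipalName as a service account;
# adjust the filter if your organisation uses a naming convention instead.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, Enabled

# Group and standalone managed service accounts are separate object types,
# so they must be collected separately.
$managed = Get-ADServiceAccount -Filter * `
    -Properties ServicePrincipalName, PasswordLastSet, Enabled

$serviceAccounts = @($spnUsers) + @($managed)

# Resolve Domain Admins membership recursively so nested groups count too.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName

$privilegedServiceAccounts = $serviceAccounts |
    Where-Object { $domainAdmins -contains $_.DistinguishedName } |
    Select-Object SamAccountName, ObjectClass, Enabled, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ';' } }

# The count answers "how many"; the table is the reset list for the runbook.
"Service accounts with Domain Admins membership: $(@($privilegedServiceAccounts).Count)"
$privilegedServiceAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize

# Placeholder path: keep the export with the incident response plan.
$privilegedServiceAccounts |
    Export-Csv -Path '.\privileged-service-accounts.csv' -NoTypeInformation
```

Accounts whose PasswordLastSet is oldest are the ones most likely to break dependent services during an emergency reset, so they deserve a documented reset procedure first.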
Insurance a second line of defence against cyberattack losses

DAVID ISRAELSON | The Globe and Mail

Even if small or medium-sized businesses do everything to protect themselves against hackers, they may want to consider a second line of defence – cyberliability insurance.

It’s relatively new, but it’s a growing area for insurance companies. And with the advent of worldwide threats such as the recent WannaCry ransomware virus, it is suddenly a more urgent consideration than ever.

“We haven’t had a lot of requests so far, but it’s a huge field,” says Mark Lipman, president of Consolidated Insurance Brokers Ltd. in Toronto.

By the end of last year, the worldwide market for cyberinsurance was about $3-billion (U.S.), according to a report from Allied Market Research of Portland.

The market is expected to grow year over year by 28 per cent and reach $14-billion in gross premiums by 2022, Allied’s report says.

Mr. Lipman says that, to date, the SMBs his brokerage deals with tend to add on a small amount of cyber-related coverage to their standard commercial policies.

“It’s usually around $25,000 in coverage – which costs an extra $100 on a $1,000 commercial policy,” he says.

Mr. Lipman adds that his firm recommends that SMBs boost their coverage, because of the ever-growing risk of cyberattacks. “We put it [a recommendation] in all the letters we send, either to take coverage or to increase it.”

While this may sound like a self-serving sales pitch by insurers, trends and statistics suggest that the threat of attacks on SMBs is not only real, but also growing fast.

“Cybersecurity insurance is becoming a must-have for most businesses. There is simply no way for an organization to be completely protected from a breach,” says Rohit Sethi, chief security officer for Security Compass, a Toronto-headquartered firm that provides tech-based protection for corporate data.

“This is especially true for SMBs who rarely have security teams on staff and can scarcely afford many leading-edge security solutions. Insurance helps mitigate the financial impact to any company, but every business should treat it as an additional safeguard,” he says.

Small businesses appear to be growing targets for phishers, spear-phishers and cyber-ransomers. A report by security firm Symantec noted in 2014 that attackers targeted small businesses 34 per cent of the time – an increase from 11 per cent just three years before.

Lawyer Lisa Lifshitz, a partner at Toronto firm Torkin Manes LLP, says it has been estimated that criminals launch 3.5 new digital threats against SMBs every second.

Writing in Canadian Lawyer magazine, she said that, “29 per cent of all small businesses have experienced a computer-based attack that affected their reputations, involved the theft of business information, resulted in the loss of customers or experienced network and data centre downtime.”

While any SMB can be a cybercriminal’s target and suffer damage, the risk goes up if the business’s data is ultrasensitive. Since 2014, LawPro, the mandatory insurance program covering Ontario-based lawyers, includes coverage for up to $250,000 for cybercrime.

This coverage is “modest” for firms whose data can easily be compromised in, say, a $1-million residential real-estate deal. “We say modest because, like the fraud risks the profession has faced over the years, there is no way to predict the total possible exposure,” LawPro says.

Lawyers (and others) should always look to what’s covered and what’s not covered in their cyberpolicies, says Addison Cameron-Huff, a Toronto-based tech lawyer. “The interesting part of every policy is the exclusions,” he says.

Indeed, LawPro cautions its lawyer policy holders to “remember that any losses from cybercrime that are not connected with the provision of legal services will not be covered … [such as] damage to equipment or software, business interruption and reputational harm.”

Lawyers, and any other SMBs, can buy coverage that either pays out more or includes more possible types of losses. But it’s buyer beware, Ms. Lifshitz warns.

“Every insurance company deals with coverage differently. There are always going to be carve-outs” for situations that insurers won’t cover, she says.

Speaking in an interview, Ms. Lifshitz adds that insurance companies will do their own due diligence of SMBs before offering coverage. It’s the equivalent of having an inspector come to your house to see whether you have railings and fire alarms before you get home coverage.

If a smaller entity hasn’t taken the steps to become cyberinsurance ready, they’re not going to get coverage, she says.

The Insurance Bureau of Canada has published a checklist for businesses looking for cyberinsurance. These businesses should ask themselves:

– How many records with personal information does your company keep?

– How much sensitive commercial information do you keep?

– What security do you have in place that might reduce your insurance premium?

– Do you need to encrypt all your laptops, phones and tablets?

– Do any third parties you deal with have unencrypted media?

– Would you be able to make a claim on the policy you choose even if you haven’t discovered a breach for several months or years?

Five Pitfalls Of Cybersecurity Insurance: Lessons From The United States

Article by Ruth Promislow and Ethan Schiff

Given the increasing threat of cyberattacks and the corresponding costs, businesses are increasingly considering cybersecurity insurance. But insurance is only as effective as the scope of the coverage. Though Canadian courts have not yet interpreted insurance policies in the cybersecurity context, American cases highlight five noteworthy pitfalls.

  1. Coverage Denied Because the Insured Did Not Comply with Underlying Obligations

Just as health coverage may be contingent upon the insured maintaining a healthy lifestyle, cybersecurity insurance may be contingent upon the insured meeting certain technical standards. In Columbia Casualty Co v Cottage Health System, the insurer denied coverage and alleged that the insured failed to comply with required “procedures and risk controls”, which imposed an obligation to “follow minimum required practices”.

  2. Coverage Denied Because the Incorrect Party Was Injured

In P.F. Chang’s v Federal Insurance Co, the insured (P.F. Chang’s) made a claim on its insurance due to a data breach resulting in stolen records belonging to its customers. P.F. Chang’s did not suffer an injury. The court concluded that the relevant insurance policy did not cover P.F. Chang’s because the policy required that the claimant suffer an injury. The policy at issue was marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.”

  3. Coverage Denied Because the Incorrect Party Caused the Injury

In Zurich American Insurance Co v Sony Corp of America et al., Sony made a claim on its insurance for defence and indemnification due to losses resulting from a data breach by criminal hackers. The policy provided coverage for “oral or written publication in any manner of the material that violates a person’s right of privacy.” The court held, however, that the policy only provided coverage if Sony published the material itself. Since the hackers published the material, Zurich had no obligation to indemnify Sony.

  4. Coverage Denied Because the Cyber Activity Was Merely Incidental

Cybersecurity insurance may only provide coverage if the loss clearly results from cyber activity. In Apache Corp v Great American Insurance Company, the insured became the victim of fraud after an employee wrongly concluded that a known vendor’s telephone and email request to transfer money was authentic. The request turned out to be fraudulent and the insured reimbursed the vendor. The insured made a claim under its insurance, which covered “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer…”. The court held that the circumstances were not covered because the loss did not result directly from the computer use, which was “merely incidental”.

  5. Coverage Denied Because the Litigation Was Outside the Scope of Covered Claims

Insurance may provide coverage for certain claims to the exclusion of others. In Travelers Property Casualty Company of America v Federal Recovery Services Inc, the insured made a claim based on costs incurred for litigation resulting from a tort claim for intentional misuse of its data storage activities. The insurer denied the claim because the policy only provided coverage if the loss was caused by “any error, omission or negligent act.” The court held that the lawsuit against the insured for “knowledge, willfulness, and malice” was outside the scope of the coverage.

Conclusion

The United States case law highlights the importance of understanding your company’s risks and vulnerabilities in order to define the precise scope of cybersecurity insurance required. A risk and vulnerability assessment is a critical component to establishing an overall cybersecurity plan that will mitigate risk and corresponding damages.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Swiss Re: Cyber insurance market escalating rapidly

Swiss Re:

  • The potential costs of cyber-attacks are escalating rapidly; cyber security and resilience are a growing concern for firms
  • A dedicated cyber insurance market is developing fast, but the scale of cover is still relatively modest
  • Product & process innovations, and Big Data and smart analytics, will help foster improved cyber insurance solutions
  • Governments can play an important role in boosting cyber resilience
  • This is the first report published by the Swiss Re Institute, which officially launches today

Cyber risk is a growing concern for businesses, with recent attacks demonstrating that the costs of a cyber breach can escalate well beyond managing the fallout of lost or corrupted data. Swiss Re’s latest sigma report “Cyber: getting to grips with a complex risk”, says businesses need to do much more to integrate cyber security into their risk management programmes. Initiatives to boost cyber resilience are underway. A dedicated cyber insurance market is developing rapidly, but so far the scope of cover is modest relative to potential exposure. Product and process innovation and also advanced analytics will help foster improved cyber insurance solutions and extend both the boundaries of insurability and reach of cover. Ultimately, some cyber risks, especially those related to extreme catastrophic loss events, may be uninsurable. For such risks, there may be a case for a government-sponsored back-stop.

In its Sigma report titled “Cyber: Getting to grips with a complex risk,” Swiss Re said, “the costs of a cyber breach can escalate well beyond managing the fallout of lost or corrupted data.”

Recent high-profile cyber-attacks increasingly demonstrate that the costs of a cyber security breach extend beyond managing the fallout of lost or corrupted data. Firms must now factor in the potential damage to their reputation, physical and intellectual property, and also disruption to business operations. The increasing scope and magnitude of potential costs associated with cyber-incidents reflect the ever-evolving cyber risk landscape, which in turn is being shaped by three main dynamics:

– the growing speed and scope of digital transformation;

– the widening sources of vulnerability from hyper-connectivity, with the rapid spread of, for example, internet-enabled devices and cloud computing;

– and the growing sophistication of hackers alert to the potential economic gains from successful cyber-attacks.

Despite increased awareness of the dangers, firms are generally ill-prepared to cope with cyber risks. Relatively few firms have integrated cyber security into their mainstream risk management. Regulation could be a catalyst for change with legislation coming into force in many jurisdictions requiring firms to build enhanced data protection safeguards. As a result, “firms – large and small – need to invest more in cyber security architecture to develop robust pre-and post-loss risk management capabilities,” says Swiss Re Chief Economist Kurt Karl.

While a dedicated cyber insurance market is developing rapidly, the scope of its cover is modest relative to potential exposure, the report pointed out.

“Product and process innovation and also advanced analytics will help foster improved cyber insurance solutions and extend both the boundaries of insurability and reach of cover.”

Nevertheless, some cyber risks, especially related to extreme catastrophic loss events, might be uninsurable, Swiss Re said.

Given this, the reinsurer argued for a government-sponsored backstop similar to the state support for protection against catastrophic terrorism risks.

“More broadly, governments have an important role in promoting cyber resilience, including measures to improve cyber information capture and diffusion, and setting laws and regulations about how cyberspace is used and protected. By reshaping incentives and increasing awareness of cyber threats, governments can further nudge the private sector into developing improved market-led solutions,” the report said.

The sigma report is published under the “Swiss Re Institute” banner. The Swiss Re Institute was formally launched on Wednesday with the intention of providing high-quality research and outreach capabilities under one roof.

Thinking of your target’s acquisition: is your cybersecurity risk assessment sufficient?

In 2015, we saw several significant cybersecurity breaches in the industry. Some of them were extensively covered by the media, while others remained less known to the general public. Recently, the online dating website Ashley Madison was hacked and the identities of millions of users were revealed around the world. Even more recently, we learned that over 500 million Yahoo user accounts had been hacked in 2014, and this news came out shortly after the acquisition of Yahoo by telecom giant Verizon. Can these attacks jeopardize your upcoming transaction? They absolutely can. As a matter of fact, Verizon asked for a $1 billion discount off its initial offer of $4.8 billion to acquire Yahoo and just recently said that it has a reasonable basis to believe that the massive data breach of email accounts represents a material impact that could allow Verizon to withdraw from the deal. The burden now seems to be on Yahoo to demonstrate the full impact of the breach.

These attacks raise an important question: are companies aware of the importance of conducting thorough cybersecurity due diligence in their M&A transactions? Here are a few tips that could be helpful when it comes to assessing the cybersecurity risk of a targeted company:

  1. Do not wait until the end of your due diligence. Start assessing the risk at the earliest stage of the due diligence process. It is important to ask the target what its most important and useful IT systems are and the most common risk associated with them. Are they covered by complete and extensive IT policies? Are they regularly updated and evaluated by IT experts? Those are examples of questions that need to be asked while conducting your IT due diligence.
  2. Know exactly which systems are the most important to consider. Since cybersecurity due diligence can be very expensive for the buyer, it is important to identify which systems or technologies are most at risk of being subject to a cyber-attack. By tailoring your risk assessment, you control the cost while making sure to investigate the systems whose compromise would most endanger the success of your transaction.
  3. Do not engage in any cybersecurity risk assessment if your company does not have internal IT experts or extensive knowledge in this area. Estimating the cost of a potential cybersecurity problem within the target’s systems is no easy task. Not only is it important to discover such problems, but it is also very important to be able to evaluate how such a problem could negatively impact the transaction and what the best way to fix it is, before engaging in further discussions or negotiations. If your company does not have the internal team to proceed with the cybersecurity due diligence, you should consider retaining the services of external IT specialists.
  4. Consider the importance of obtaining cyber insurance. Since cyber-attacks can be highly expensive for a company, the importance of cyber insurance (not only in the specific context of an M&A transaction) is rising for many companies throughout the market. According to an IBM survey conducted in 2016, the average cost of a data breach reached $6.03 million this year, which represents a 12.5% increase compared to 2015. The software-maker McAfee estimated that the total cost of cybercrime in the global economy can reach up to US$575 billion per year. The costs are high and most of the time very difficult to estimate so that is why companies should consider having cyber insurance in order to protect themselves from such costs and uncertainty. Cyber insurance policies can cover a wide range of risks from network security liability to regulatory defense and penalties and network extortion.

For more, please see our previous posts on how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction and the ways regulatory bodies have begun managing these risks.

Source:

Norton Rose Fulbright’s lawyers in Canada cover the full range of areas involved in deal-making. Our Deal Law Wire blog is about sharing our insights with you. From corporate law to cross-border, antitrust/competition, intellectual property, employment and labour and pension matters and more, our lawyers offer a Canadian and truly global perspective that few practices in the world can rival.

Canada: Cyberbullying And The Implications For Insurers

Article by Michael Blinick and Leona Kung (Student-at-Law)

There can be no doubt that cyberbullying is a new and disturbing development that significantly impacts society these days. In a 2009 General Social Survey, Statistics Canada reported that 7% of adult internet users were cyberbullied.1 It has resulted in various high profile suicides involving teens and has contributed to some of the most horrific events of recent years. 2 A troubling variation of the commonly understood scope of cyberbullying is the sharing online of private and highly intimate videos of a sexual nature that were never intended to be shared publicly, colloquially referred to as ‘revenge porn’. Not surprisingly, this new form of bullying raises new societal issues, including new potential exposure for insurers.

Doe 464533 v. N.D.3 and the new tort of Public Disclosure of Private Facts

On January 21, 2016, the Ontario Superior Court released the decision in Doe 464533 v. N.D. representing the first Canadian decision recognizing the new cause of action of “public disclosure of private facts”, an invasion of privacy tort.

In this case, the defendant posted an intimate video of the plaintiff on a pornographic website without her knowledge or consent. The plaintiff had sent the video to the defendant, who was her on-again-off-again boyfriend, on the understanding that it was private. When confronted by the plaintiff, the defendant admitted to posting the video and subsequently removed it from the website. Despite the removal, the plaintiff claimed to have suffered mental injuries as a result of the defendant’s actions and sought compensation for same.

Justice Stinson found that the defendant’s actions caused significant psychological and emotional harm to the plaintiff and awarded her compensatory general damages, aggravated damages and punitive damages totaling $100,000. 4 Although the video was removed, Justice Stinson recognized that there was no way to know how many times it was viewed or downloaded or copied elsewhere. In making his decision, Justice Stinson recognized the current role of technology in perpetuating the invasion of privacy.

The Honourable Justice Stinson cited American legal scholar William L. Prosser, who described the tort of public disclosure of private facts in his article “Privacy”. 5 Justice Stinson essentially adopted the elements of the cause of action enumerated by Professor Prosser, namely: 1) the disclosure of the private facts must be a public disclosure, not a private one; 2) the facts disclosed to be public must be private facts and not public ones; and 3) the matter publicized or the act of the publication would be a) highly offensive to a reasonable person, and b) is not of legitimate concern to the public. 6

Potential Impact of the Decision for Insurers

With this decision, the court took a step towards responding to the increased awareness of the rise of social media and cyberbullying. At the same time, the recognition of this new privacy tort as a cause of action impacts certain insurers and gives rise to a new potential area of exposure. As demonstrated, victims of cyberbullying may now file civil actions against the perpetrator alleging the public disclosure of private facts where private facts, videos, pictures or other private information are shared. If the perpetrator is a child or dependent, then the plaintiff may also commence a claim against the parents of the cyberbully for negligent supervision where they failed to control their child or dependent and failed to prevent the harm caused. Such a negligence claim against the parents has been held to be a distinct claim from the intentional tort claim against the child7 and not derivative of the child’s intentional acts in certain circumstances. 8

If the parents are named in the action, then their homeowners or tenant insurance policy insurer may have to respond. As homeowner’s insurance policies generally include both property coverages and liability coverages, including personal liability coverage for the insured’s personal activities worldwide, insurers could have a separate duty to defend. 9 As the duty to defend is triggered by the true nature of the claims alleged in the pleadings, 10 it is not relevant, at the initial stage of the inquiry, whether the parents will be proven to be negligent.

It is true that the personal liability coverage from a homeowners’ policy may very likely contain an exclusion clause against providing coverage for an insured’s intentional or criminal acts, thereby excluding coverage for the child’s intentional cyberbullying, or cyber public disclosure of private acts. However, the exclusion clause may not necessarily exclude coverage for claims of negligence or claims of failure to act or supervise, as against the parents.

For example, in Durham District, a negligence claim was advanced against the parents for failing to properly supervise and discipline their son, who had set fire to the contents of his high school’s plastic recycling bin. In this case, the Ontario Court of Appeal interpreted the exclusionary clause in the homeowner’s insurance policy narrowly and construed the ambiguity against the insurer-drafter to hold that negligence claims were not excluded by the clause. Therefore, the insurer had a duty to defend the parents against the negligent supervision claim against them, while the claim against the child’s intentional act was excluded from coverage.

This contrasts with the decision in Unifund Assurance Co. v. E.(D.),11 a recent decision from the Court of Appeal that involved a negligence claim against the parents of a minor for their failure to investigate and take reasonable care to prevent the bullying that their daughter participated in against another minor at their school. As the parents’ homeowner’s policy specifically and unambiguously excluded the “failure of any person insured to take steps to prevent… psychological or emotional abuse” 12, the Court of Appeal held that the negligent supervision claim against the parents was separately and specifically excluded from coverage.

Therefore, absent a specific exclusion clause, a homeowner’s insurance policy may have to respond to negligent supervision claims against the parents where there is a cause of action against their child for the public disclosure of private acts. In Doe 464533, had the plaintiff instituted proceedings against the defendant’s parents for their failure to exercise reasonable supervision at the time of the posting of the video, then their homeowner’s policy insurer may very well have had to defend the parents’ claims even if the child’s intentional acts were excluded from coverage. In light of this, it may be prudent for insurers to reexamine the exclusions clauses in their homeowner’s policy to address the potential for these claims against the parents given the realities of the world that we currently live in and the potential for an increase in the number of claims that insurers could be asked to respond to.

Footnotes

1. Perreault, S, Statistics Canada, Self-reported Internet Victimization in Canada, 2009, (15 September 2011) online:

2.See e.g. CBC News, “B.C. girl’s suicide foreshadowed by video”, (11 October 2012) online: CBC News ; and “Cyber-bullying-linked suicides rising, study says”, (20 October 2012) online: CBC News.

3.Doe 464533 v. N.D, 2016 ONSC 541.

4.Note that this was the amount claimed by the Plaintiff.

5.William L. Prosser, “Privacy”, 48 Cal. L. Rev. (1960).

6.For further details on the decision, see previous McCague Borlack article “New Privacy Tort Recognized in Ontario: Jane Doe 464533 v. X” published in February 2016

7.Durham District School Board v Grodesky, 2012 ONCA 270 at para 14; and Godonoaga (Litigation Guardian of) v Khatambakhsh (Guardian of) (2000), 49 OR (3d) 22 (Ont. C.A.) at para 20.

8.See Durham District, supra note 5.

9.See Godonoaga, supra note 4.

10. Non-Marine Underwriters, Lloyd’s of London v Scalera, [2000] 1 SCR 551.

11. 2015 ONCA 423.

12. Ibid. at para 24.
