6th Annual Advanced Forum on

Cyber & Data Risk Insurance

Thursday, September 27 to Friday, September 28, 2012
New York Marriott Downtown, New York, NY

Day One | Thursday, September 27, 2012

9:30 Main Conference Registration and Coffee Served

10:00 Co-Chairs’ Welcoming Remarks


Darren A. Bowie
Chief Privacy Officer and Associate General Counsel
American International Group, Inc.

Kirstin Simonson, CPCU, ARM, AU, ASLI
Underwriting Director — Global Technology
The Travelers Companies, Inc.

10:05 The Current State of the Market: New Exposures, Coverage Options, Claims Trends, Pricing and Selling, and What Policyholders Should Now Be Looking for in a Policy

Oliver Brew
Vice President, Specialty Casualty
Liberty International Underwriters

Jenny Bradford, J.D.
Vice President Financial Products
Regions Financial Corporation

Meredith Schnur
Senior Vice President, Professional Risk Group
Distributed Insurance Brokerage, Wells Fargo Insurance

Moderator:
Nick Economidis
Underwriter, Specialty Lines
Beazley Group

New Exposures & Coverage Options

• How has the market evolved and grown?
• What are the new coverage options and exposures?
• Encryption, removable storage, & other tech solutions
• Effective management in claims process, handling, and notification
• What are the costs associated with breach?
• Change in adapter rates in retail, financial, and healthcare

What Policyholders Are and Should Be Looking For in a Cyber Policy

• What liability and first-party coverages are desirable?
• Identifying and understanding pitfalls in coverage
• Reasons companies have or have not bought coverage
• How standards are evolving in response to new technology threats
• Consumer redress: when is it covered and when not?
• Filling in the coverage gap: Understanding the disconnect in what is purchased and what is actually covered

Key Considerations for Cyber Liability Coverage

• Understanding the products and their varieties in the market
• What is the effect of expanded risk on insurance coverage?
• Whether a cyber liability product should be stand alone or better built as an existing product or as an endorsement

Pricing, Selling and Marketing Cyber Risk Policies

• Pricing of network security and privacy policies
• Examining the competitive marketplace and how various types of coverage are formulated
• Where do brokers see the coverage going and what are the most significant issues that need to be addressed?
• Tailoring the product to accommodate a buyer’s needs: privacy issues; media exposures; and security breaches
• How various types of coverage are formulated and priced
• Marketing and selling coverage

11:05 The Latest Federal Regulatory Developments and Enforcement Actions and Their Impact on Coverage and Litigation

Alain Sheer
Senior Attorney, Division of Privacy and Identity Protection
Federal Trade Commission

Austin P. Berglas
Assistant Inspector, Inspection Division
Federal Bureau of Investigation

Debra Hampson
Assistant Vice President and Assistant General Counsel
The Hartford — Corporate Privacy Office

Dawn Morgenstern, CHPC
Privacy Official and Financial Privacy Officer
Walgreens Privacy Office

Darren A. Bowie
Chief Privacy Officer and Associate General Counsel
American International Group, Inc.

Moderator:
Richard Bortnick
Member
Cozen O’Connor

Changing Regulatory Landscape and Its Implication for Coverage


• Clarifying uncertainty of current regulations
• Analysis of U.S. Government’s Comprehensive National Cybersecurity Initiatives
• What should carriers and brokers be doing to ensure compliance with new laws and regulations?
• Responding to gov. agency/law enforcement request for data
• Communication between private companies and government
• Cyber crime trends: what the FBI is seeing and strategies to prevent and better understand cyber crime

Emerging Trends in FTC Enforcement and Litigation

• Recent FTC investigations, enforcement actions, and settlements stemming from data privacy breaches
• Under what circumstances will courts award money judgments for financial breaches

Examining the Impact of the SEC Guidance

• Disclosure to shareholders on annual reports
• What happens when publicly traded companies fail to properly disclose a breach?
– Assessing whether there is a connection to breach and value of stock decreasing
• Adhering to SEC guidance
– Protecting the company’s brand or presence in the market by reporting the breach in the annual report
– Assessing the company’s vulnerability to shareholder action
• How does the SEC guidance affect coverage?

12:25 Networking Luncheon for Speakers & Delegates

1:25 The View from the States: Emerging State Regulatory and Enforcement Activities and the Growing Authority of the State AG Offices


Susan E. Voss
Commissioner
Iowa Insurance Division

Lyman C. Taylor, III
Section Chief, Consumer Mediation and Identity Theft Unit
Office of the Indiana Attorney General

Travis LeBlanc
Special Assistant Attorney General
California Department of Justice

Barbara Anthony
Office of the Undersecretary, Commonwealth of Massachusetts
Office of Consumer Affairs and Business Regulation

Moderator:
Scott N. Godes
Counsel
Dickstein Shapiro LLP

• Recent state Attorney General actions involving notification under state breach notification laws

• Balancing state breach notification requirements with responsibilities arising under other federal and state laws
• Notification guidelines: how soon a company is required to inform customers of a data breach
• Effectively communicating with State Attorneys General and other interested regulators
• Coordinating the timing and content of notification to law enforcement, customers, credit bureaus etc…
• Handling multi-state investigations and enforcement actions when a breach spans multiple states
• How to work with state AGs without sacrificing your position
• Civil or criminal penalties for failure to disclose, or for security/privacy failures discovered as a result of disclosing
• Private right of action: whether this option exists; are plaintiffs succeeding in this area?
• What kinds of breaches, if any, are companies exempt from reporting
• Using cyber risk insurance most effectively to assist with related cost
• Lessons learned from: recent fines for lost/breached patient healthcare records; state action against business associates under HITECH

CLOUD COMPUTING AND ITS IMPACT ON CYBER LIABILITY POLICIES

2:40 A Focus on Third Party Vendors: Due Diligence on Selection and Credentialing Vendors, Implementing Effective Protocols to Access the Cloud, and Minimizing the Effects of Business Interruption When Data Is Lost/Stolen

Joshua M. Ladeau
Sr. Underwriter
Allied World Assurance Company

Lara Kehoe Hoffman
Privacy and Data Security Counsel
Autodesk, Inc.

George R. Schalick, Jr. RPLU
Assistant Vice President
Philadelphia Insurance Companies

• Due diligence on third party vendors and making sure vendors treat your data properly
• Examining security concerns and heightened risk when data is lost, stolen, and/or damaged
• Steps a business can take to secure the process to access the cloud
• Outsourcing data storage to third party vendors
• Drafting key terms in the contract with the third party vendor
• What happens when third party vendor loses data? Who has protection?
• Managing data stored with multiple third party vendors
• Business interruption when the third party vendor loses data
• Localizing risk and examining how your data is collected and stored in centralized locations

3:20 Afternoon Break

3:30 Negotiating and Drafting Specialized Cyber Risk Provisions and Policies to Cover Data Loss Arising from Cloud Computing

Jim Charron, CPCU
Practice Leader — Technology
Zurich NA

Laura Johnson
Vice President
Euclid Managers, LLC

Laurie A. Kamaiko
Partner
Edwards Wildman Palmer LLP

Kirstin Simonson, CPCU, ARM, AU, ASLI
Underwriting Director — Global Technology
The Travelers Companies, Inc.

• Ins-and-outs of negotiating, drafting and managing claims for this highly specialized coverage
• Identify and address problematic areas and map out coverage issues
• How do you cover risk when data is stored at a third party site?
– Coverage for risk of lost income, corrupted data and increased expenses
– Cyber vs traditional property perils
– The role of an enterprise risk management program in cyber security
• Cyber liability policies with multiple vendors in the cloud industry
– What/Who is covered in the event of breach?
– Where does the liability start and stop?
• How does cloud computing affect claims handling?
– What factors do carriers consider in assessing loss exposures presented by a claim against a provider or a user?
– Understanding the relationship between the client and the third party vendor
• Indemnification issues and the associated costs
• Determining the risk associated with transmitting or storing data in a foreign location with a third party vendor
– Impact of potential territorial disputes on what is covered/not covered
– Privacy regulations
– Terrorism, social unrest
– Weather
– Export regulations

• What is causing the data breach and how do the cyber policies apply?
• Examining specialized cyber liability products to cover data loss
• Minimizing risk on cloud computing by carefully protecting data

4:25 Litigation Round Up: Using Recent Cases and Class Actions to Assess What Breaches & Resulting Claims Are Worth


Ronald Raether
Partner
Faruki Ireland & Cox PLL

Carl E. Metzger, Esq.
Partner
Goodwin Procter LLP

Robert Parisi, Jr.
Senior Vice President, National Practice Leader
Tech/Telecom E&O and Network Risk, Marsh FINPRO

Lori Nugent
Co-Chair, Data Security & Privacy Practice
Wilson Elser Moskowitz Edelman & Dicker LLP

The Shape of Litigation

• Why am I being sued? Publicity, industry and data type, other factors that lead to lawsuits and government investigations: Bank and credit card cases; Healthcare; Retailers
• Not all claims are alike: Examining Plaintiff’s theories and the laws they rely on
– ABCs of a claim — UDTPA, CDA, SCA, FCRA and other statutes and common law claims
– Claims arising from minimum standards clauses in policies
– Claims relating to service providers, payment processors, and application/point-of-sale system providers
• Class actions vs. Individual claims: how companies may be found liable for a data breach that may trigger class action
• What else do they want? Damages and other relief sought by plaintiffs

Recent Litigation Trends

• No harm, no foul: Determining whether Plaintiff suffered a cognizable injury
– What kinds of tangible harm is legally compensable?
– Dismissing cases on speculative damages
– Plaintiff’s attorneys pleading around damage issue by arguing plaintiffs must worry about reputation, change in credit card numbers, SS#, and are entitled to credit and monitoring services
– Difficulty of proving causation
• Government instituted actions and the benefits to private litigants
• So why settle? Lessons from the latest litigation and settlements
– Addressing quantifiable damage and the economic loss doctrine

What Claims Are Really Worth

• The true cost of resolution: settlements, damages & remediation
• Business interference, public relations issues and other factors
• Litigation and consulting costs: how do they factor in and how can they be minimized?
• Lessons learned from future product development and underwriting
• Responding to entities seeking defense and indemnification

5:20 Healthcare Highlights: HIPAA, HHS, HITECH, EMR, OCR Enforcements, Initiatives, and Investigations in the Cyber & Data Risk Insurance Context


John F. Mullen
Partner
Nelson Levine de Luca & Horst, LLC

Kimberly B. Holmes
Assistant VP, Health Care, CSI Deputy Product Manager
Chubb Specialty Insurance

EMR, HIPAA

• Impact of HIPAA pushing healthcare entities to EMR
• Problems associated with EMR and lack of electronic security
• Aggregated exposure when patient’s file exposed
• Training healthcare entities to use EMR and implementing proper controls and procedures
• Impact of state attorneys general bringing actions under federal law
• Understanding goals in using EMR

HIPAA, HHS

• Protecting and encrypting health records until 2014
• HHS imposing fines for violating regulation
• Reporting lost information to HIPAA or HHS

HITECH


• How HITECH is expanding its reach to business associates
• Moving data across several parties and exposing PHI to hackers/criminals

OCR

• Enforcing HITECH as part of federal regulatory enforcement
• Bringing action for failing to protect healthcare information

Class Action Claims

• Defense of class action claims
• Countering and minimizing the effects of the Plaintiff’s bar when they track and monitor websites that report data breaches within healthcare facilities
• How do you respond to damage mitigation requests?
• Reporting data breaches to HHS

6:00 Conference Adjourns


Day Two | Friday, September 28, 2012

7:30 Continental Breakfast

8:00 Privacy Liability Exposures and Liability for Overseas Data Breaches: The EU Data Protection Directive, Risk Assessment, and Harmonizing International Regulations With Domestic Standards for Multinational Companies

Lori Bailey
Global Head of Professional Liability
Zurich General Insurance

Allen Cross
Cyber Risk Management Consultant & Producer
INSUREtrust

Dan Trueman
Underwriting
ANV

• Changes in international legislation/regulations and how to comply, and harmonize them with domestic notification standards
• How could a company’s e-business activities harm innocent users?
• Special concerns regarding compliance and liability for companies with overseas breaches
• How to resolve differences when dealing with multinationals
• Rights under international data protection laws
• Analysis of EU Data Protection Directive
– Member states passing additional requirements and notifying individuals, which triggers a whole host of different requirements
– Achieving IT standards to comply with the EU Directive

8:55 Reasonable and Prudent Breach Control Measures, Standards and Safeguards: Preventing Breach, Implementing Effective Breach Protocols, and Examining Procedures to Mitigate Damages If a Breach Does Occur

Jake Kouns
Director, Cyber Security and Technology Risks Underwriting
Markel Corporation

Asim Khan
Counsel
Samsung Electronics America

Katie Timm
Counsel, Corporate Privacy Office
The Hartford

Russell Schrader
Chief Privacy Officer, Associate General Counsel
Global Enterprise Risk, Visa Inc.

Lisa J. Sotto
Partner
Hunton & Williams LLP

Effective Cyber Risk Assessment and Remediation

• Implementing surveys, protocols, and asking the right questions
• Going through a remediation checklist
• Evaluating and changing the protocol
– Maintaining the plan and keeping it updated
• Investigating an incident and incident response plans

Mitigating Damages Once a Breach Does Occur

• What procedures should be in place immediately following a breach?
• How your forensics work with law enforcement
• Having examiners and ethical hackers with a specific set of skills look at the breach, what information was compromised, and whether the recourse is civil or criminal

Corporate Governance

• How the client should be managing risk
• Who is responsible for providing the information or expanding the lines of communication?
• Creating a risk committee to find ways to obtain the right stakeholders
• Ensuring IT talks to compliance and everyone is on the same page
• Understanding the scope, nature, and technical aspect of data breach
• What is the role of the CIO?

9:55 Morning Break

A FOCUS ON ONLINE RISK, EXPOSURE, AND DATA BREACH

10:05 Evaluating Risks as a Result of the Latest Cyber Threats: Social/Interactive Media, and Mobile Workforces


Michael Dockery, CISSP CISA, CISO
AVP Information Security Office
Cincinnati Insurance Companies

Orrie Dinstein
Chief Privacy Leader and Senior Counsel — IT & IP
GE Capital

Jon Neiditz
Partner
Nelson Mullins Riley & Scarborough LLP

Larry Collins
Vice President E-Solutions
Zurich Services Corporation

Leigh McMullan
Vice President — Management and Professional Services Division
(MAPS) Crum & Forster Insurance Company

Social Media

• Identifying potential opportunities and pitfalls
• Assessing the risks to employers when employees post comments about employer on social media sites, and the NLRB views on the matter
• Internal “social business” strategies: changes in communications, workflows and cyber-risks
• Addressing the gap in the GL form that excludes interactive media coverage
– Modifying the GL policy to include coverage for posts on LinkedIn, Twitter, Facebook, Blogs
– Modifying the E&O coverage
– Modifying coverage on advertiser’s liability extension, e-media extension
• Dealing with the E&O issue when the client/company sues the agent/broker for coverage they assumed existed but did not exist
– Areas of fault in policy language, drafting, or broker’s inability to recognize it
• How does interactive media coverage affect risk managers?
• Addressing privacy concerns when employers ask employees for their Facebook password
– Addressing concerns with social media investigation services
– Hiring consultants/risk managers to investigate

Mobile Workforce


• Examining the risks and rewards of a “bring your own device” policy in the workplace – how this “consumerization of IT” including the development of “shadow IT” and personal clouds impacts the traditional IT role and increases cyber-risks
• Dealing with off-site employees utilizing remote access points, including their mobile devices or other resources that lack sufficient security controls

11:05 Responding to Stepped up Regulation and Enforcement of Online Tracking, Data Collection, and Issues Related to Digital Identity

Brad Bolin
Senior Corporate Counsel
Best Buy Legal

Michael T. Spadea
Director
Promontory Financial Group, LLC

Brian L. Hengesbaugh
Partner
Baker & McKenzie LLP

Online Tracking and the Regulatory Initiatives

• Addressing statutes that prohibit online tracking
• How the FTC and the Attorneys General have taken a proactive role in ensuring companies protect the privacy rights of citizens
– Addressing federal legislation and FTC guidance on privacy rights and how the states are responding
– Guidance on uniform breach notification requirements
– Who is responsible after the data is breached?
– States that require the company to notify the victim who resides in the state of the breach
• The expanding definition of what is “protected information”
• How company self-regulation can help protect the security of consumers at the same time
• What is the FTC guideline on GeoLocation and privacy including mobile devices, tracking, and downloading applications?

Collecting Data

• Assessing the litigation efforts taken against organizations improperly collecting information on customers
• Addressing California zip code cases
• Providing proper notice and the ability to opt out if you collect information from customers
• Determining whether data collection is a violation of a person’s privacy

Online Business Advertising

• Collecting information based on online activity and using it to target advertisement
• Purchasing data from vendors
• Selling information collected by tracking consumers to data aggregators and then using the information to re-sell
• Increasing importance of mobile apps

Digital Identity

• Who will have access to digital identity and what are the legal ramifications?
• Managing online presence with numerous accounts
• What is the responsibility of companies to protect individuals?
– Assessing whether self-regulation in this industry is starting to show cracks
– Will the federal government step in once the breaches get bigger and bigger?

11:55 “Hacktivism” by Outside Agents: The Scope of the Problem and How to Prevent and Respond to Incidents and Compromised Records

Tim Stapleton, CIPP/US
Global Deputy Head of Professional Liability
Zurich General Insurance

Christopher Novak
Managing Principal
Verizon Business Investigative Response

Toby Merrill
Vice President
ACE Professional Risk, ACE USA

• Examining the brief history of internet activism and its impact on modern society
• Hacktivism — what is it, and how can it impact an organization?
• Who is targeted — common characteristics of victim organizations
• Identifying the common methods of attack used in hacktivism
• Examining website defacement
• Targeting emails, online banking, prepaid credit cards, online stores, etc. for fraudulent purposes
• What is the financial impact?

12:40 Networking Luncheon for Speakers and Delegates

1:40 How the Broker, Underwriter, and the Client Can Stay on the Same Page and Effectively Communicate and Address Issues, Concerns, and Requirements in the Cyber Liability Policy

Adam Sills
Vice President
Allied World National Assurance Company

David Molitano
Vice President, Content, Technology and Services Division Leader
OneBeacon Professional Insurance

Tyler O’Connor
Professional Liability Broker
CRC Insurance Services, Inc.

Nancy Edwards
Vice President and Chief Security Officer
State Auto Insurance Companies

Moderator:
Richard Betterley
President
Betterley Risk Consultants, Inc.

Brokers

• Selling coverage with adequate education, training
• Challenge of selling coverage in smaller space relative to other types of coverage
• Demonstrating exposures & requirements for clients and understanding how the product works from risk to risk
• Differentiating between cyber & data risk coverage v. technology coverage

Client

• Ensuring the client understands and appreciates that the system is subject to breach
• How can the client implement a dedicated IT compliance office and employee training to ensure security is effective
• Walking through with the client for a first party privacy event whether it is a data loss, hack of records, process notification, and/or getting involved with service providers
• What does the client do when they first speak to attorney and what will attorney say to the client?

Underwriters

• What exclusions do you foresee and what do we not already have?
• Understanding coverage is a moving target
• Assessing the claims now coming in that underwriters are arguing are not covered

2:35 Notification & Crisis Management Services Coverage Under a Cyber Policy

George N. Allport
Vice President & Financial Fidelity Product Manager,
Chubb Specialty Insurance

Mark Camillo
Vice President — Professional Liability
Chartis Insurance

Notification and Crisis management expenses are a fundamental coverage within Cyber policies. What any particular Insured may need may depend on the nature of their operations, the types of data they store and the level of services they want to offer to affected individuals. This session will review how modern Cyber policies are addressing current and evolving levels of service, including:
• The pros and cons of covering notification and crisis management expenses based on a per person basis versus a dollar limit
• Evaluating the reasoning behind the insurer’s response to a breach: cover the cost, split the cost from notifying affected parties, or combine costs
• The value versus the cost of providing credit or other “monitoring” services
• Strategies on take-up-rate vs. Improvements.

3:15 Selling and Pricing Cyber Liability Policies for Small Businesses

David Lewison
GST — Financial Services Practice Support Leader
AmWINS Brokerage Group

Eric Cernak
Vice President, Strategic Products Division
Hartford Steam Boiler Inspection & Insurance Co.

Kelly Geary
Sr. Vice President, Legal Counsel & Head of Claims
HCC Specialty

Tracie Grella
Global Head of Professional Liability
Chartis Insurance

• Examining data breach exposures for small businesses
• Minimizing risk of data breaches for small businesses
• Assessing the appropriate coverage for small business: mono-line coverage vs. endorsements to various commercial lines policies
• How the expenses associated with cost of breach motivate buyers to purchase products

4:00 Conference Ends — Workshop B Begins