1. Privacy and Security Risks in a Digital Age Risk Management Strategies January 26, 2009 professional underwriters, inc .

3. Data Breach Focal Points Organizations continue to face mounting consequences with their lack of protection of private data. Unauthorized Disclosure or Breach of Your PII Personally Identifiable Information Credit Card or Bank Account Numbers Social Security Numbers Customer Records Protected Health Information Laptop Theft Backup Tape Theft Wireless Access Breach E-Commerce Breach Rogue Employees Data Leakage Hacks & Viruses Vendors/ Outsourcing

4. A Sectoral Approach… National Security Corporate IT Governance Health Care Payment Cards Consumer Protection Financial Services Infrastructure Protection Other Higher Education

6. …Which has Led to Compliance “Silos”

8. Managing Information Risks Avoid Mitigate Control Transfer Assume RISK

9. Response: A Unified Approach to Information Security Compliance Includes Insurance Coverage Addresses all of the legal requirements: Security, Privacy and Identity Theft Uses popular standards and compliance frameworks Risk Assumption, Mitigation and Control Risk Transfer Comprehensive Risk Management Program

19. FTC Security Enforcement Based on notice of privacy practices and official statements regarding how an organization safeguards sensitive information. (e.g., In re Guidance Software Inc. Deceptive Trade Practices Unfair Trade Practices Practices that "threaten data security“ are unfair practices. (e.g., In re BJ’s Wholesale Club ) GLBA Safeguards Violations of Safeguards Rule, (e.g., In re Superior Mortgage Corp. )

24. Unified Approach To Security      Security Awareness and Training      Contracts X X    Review/Evaluation      Contingency Planning      Security Incident Procedures      Management of Information Access      Workforce Security      Assigned Security Responsibility      Security Management Process Administrative Safeguards State FTCA PCI DSS NIST FIPS ISO 27002 Security Practices

25. Unified Approach to Security      Transmission Security      Person or Entity Authentication      Integrity Controls      Audit Controls      Access Control Technical Safeguards      Device and Media Controls      Workstation Use and Security      Facility Access Controls Physical Safeguards State FTCA PCI DSS NIST FIPS ISO 27002 Security Practice

26. Consider all of Your Security and Privacy Compliance Requirements SOX FTCA State International PCI DSS ISO FTCA (CO) COBIT COSO OECD AICPA PCI 1.2 Follow a UNIFIED APPROACH to Compliance

27. Part 2 Risk Transfer: A Valuable Tool for Risk Management Avoid Mitigate Control Transfer Assume RISK Transfer

28. Data Breach Focal Points Organizations continue to face mounting consequences with their lack of protection of private data. Unauthorized Disclosure or Breach of Your PII Personally Identifiable Information Credit Card or Bank Account Numbers Social Security Numbers Customer Records Protected Health Information Laptop Theft Backup Tape Theft Wireless Access Breach E-Commerce Breach Rogue Employees Data Leakage Hacks & Viruses Vendors/ Outsourcing

39. Thank You Adam Sills AVP, Technology Liability Underwriting (860)-284-1382 [email_address] M. Peter Adler Attorney at Law Direct: 202.220.1278 Direct Fax: 800.684.2749 [email_address] Hamilton Square 600 Fourteenth Street, N.W. Washington DC 20005-2004 202.220.1200 Fax: 202.220.1665 www.pepperlaw.com professional underwriters, inc