MAIA F.A.C.T.S. Committee Information White Paper 10-14-11
o 3rd Party Insurance: Privacy (Data Breach), Security, Intellectual Property, Media Content
o Loss Control (Cyber Security)
o 16 Questions You Need to Ask

o Expenses to protect clients (including notification costs)
o Other expenses to mitigate loss (including publicity costs)
o Theft of data & intangible property
o Loss of your future income
o Cyber extortion
the customers for unauthorized charges made on their credit cards.
Security
Businesses that unknowingly spread a worm, virus, or other corrupting file via email to 3rd parties could face liability from those 3rd parties for revenue lost as a result of the virus overloading the 3rd parties' computer networks (denial of service).
posted a message on a bulletin board accusing another doctor of receiving kickbacks from a company trying to obtain a contract to provide pathology services to the university. The university doctor sued, and a jury awarded him $675,000.
a competitor's trademarked name on its website was sued by the competitor for trademark infringement and unfair competition.
Family Educational Rights and Privacy Act (FERPA)
HIPAA
Gramm-Leach-Bliley Act
HITECH beefed up HIPAA by requiring notification of potential private health information (PHI) breaches. It went into effect 2/17/09, but as of 9/23/09 HITECH now includes all "business associates." Business associates are persons or entities who perform services on behalf of a HIPAA-covered entity and in so doing access the PHI of the covered entity. Businesses have 60 days to report a breach once discovered. Breaches affecting over 500 persons require notice to the media! HITECH will be enforced by the Department of Health and Human Services (DHHS). DHHS will do annual audits and levy fines for non-compliance.
requires doctors' offices, hospitals and other providers (including business associates) to establish a written procedure to identify warning signs ("red flags") of identity theft.
Consumer Notification
o Is now required in 46 states, PR & DC
o Is based on the location of the consumer, not the business location
o Example: In New York, NY Business Law Section 899-aa requires notice of breach of security of all computerized personal information held by both public and private entities (Consumers Union 8/21/2007)

Credit monitoring & restoration are not typically required by state law, but may soon be imposed by judicial or regulatory decision, based on precedents being set by current settlements.
TJX class action for damages to ID theft victims as well as credit monitoring services: $40,800,000 settlement with VISA; $24,000,000 settlement with MasterCard.
Cyber Negligence
Plaintiffs are now challenging the standard of care on their Personally Identifiable Information (PII) and Personal Health Information (PHI). Example:
o One publicly-disclosed case involved San Diego-based Ligand Pharmaceuticals Inc...
o A lab assistant found a box with 38 former employees' personnel records
o The assistant then used the information to acquire 75 credit cards and $100,000 in merchandise, opened 20 cellular telephone accounts and rented three apartments!
o The assistant was subsequently convicted and imprisoned, but then 14 of the former employees filed suit, charging Ligand with negligence.
o A confidential "significant six-figure" settlement was approved by the court.

Personally Identifiable Information (PII)
o Any Credit Card Information
o Any Personal Financial Information
o All Social Security Numbers
o All Drivers License Numbers
o Any Banking Information
o Any Employment Information
o Any Insurance Information

Servers
Electronic Tape Backup
Laptops
USBs (flash drives)
Handheld Devices (iPads)
CDs/DVDs/floppy disks
Paper!
Insurance
Who sells it?
1. Chartis (AIG) (netAdvantage)
2. CNA (netProtect)
3. Beazley
4. Chubb
5. Evanston
6. Hiscox (affirmative Contractual Liability included)
7. Markel American
8. Philadelphia
9. + 9 other insurers to date

1. Business Interruption
2. Crisis Management Expense
3. Extortion/Threat Expenses
4. Privacy (Notification Expense of Data Breach) [if 3rd Party (Other-Than-The-Insured)]
5. Privacy Liability (Data Breach)
6. Security
7. Administrative & Regulatory Actions
8. Intellectual Property
9. Media/Content

3rd Party - Privacy Coverage
Regulatory Defense & Expenses: many new regulations exist related to the protection of confidential data. Insurance will provide defense cost coverage for regulatory proceedings and even penalties where insurable.
Credit Monitoring: policies may cover up to 1 year of credit monitoring services for those exposed. In some cases 2 years of monitoring may be available.
Credit Repair Services: policies may cover 1 year of services to repair the credit of an actual identity theft victim.

Privacy: Data Breach Example
Hackers broke into a Virginia web site used by pharmacists to track prescription drug abuse. The hackers made a copy of the records, deleted the original, then encrypted their copy. A ransom demand was then made for $10,000,000 in exchange for the password to the encrypted records. 8 million records were stolen and encrypted!
An online business processor inadvertently provided access to a non-authorized user. Confidential customer contact information was exposed to unauthorized users. A regulatory investigation for the data privacy incident led to a fine. Loss: Private suit for loss of/damage to data settled for $875,000. Defense expenses incurred were in excess of $275,000.
A bank employee's laptop containing sensitive client data went missing. Regulatory investigation is ongoing. Multiple lawsuits are pending by individuals whose data has been compromised. Loss: Total defense costs now exceed $700,000.
A pharmacy sold to an individual a computer that still contained prescription records, including the names, addresses, social security numbers and medication lists of pharmacy customers. State law required certified notification to all of the affected parties. Two lawsuits were filed: 1) Employee plaintiff alleged damages due to job loss as a result of the disclosure; 2) Client plaintiff alleged her identity was stolen and sued to recover the costs of correction and emotional distress. A HIPAA investigation was triggered. Loss in excess of $410,000.
Security Coverage
Covers:
o Third-party economic loss resulting from a network and information security failure (security breach)
o Unauthorized access & unauthorized use

Security: Statistics for 2008
o At least 43% of businesses have experienced some kind of cyber security incident.
o Annual reported losses from cyber security incidents in 2008 were $288,618 per business.
o Financial fraud was the most expensive type of incident, with an average reported cost of $463,100.
[Source: Computer Security Institute, CSI Computer Crime and Security Survey 2008.]

Security: Losses Breakdown
The percentage of incidents for each category has remained consistent from 2007 to 2008. Insider abuse, laptop & virus incidents are still the more common occurrences.
Privacy Policy
Information Security Policy
Computer Usage Policy
Incident Response Plan

Physical (Hardware) Security Controls: locks, portable equipment restrictions, theft controls

12. Have any of your systems been programmed by non-employees?
13. How would your clients respond if you lost their private records?
14. If your network was damaged or disabled by a virus or hacker attack, would it affect your income?
15. Do you have a backup system?
16. How long would it take you to recover?
Summary
Basically: Every business has an exposure to Cyber Risk! Every business needs Cyber Insurance!

Credits
o June Wysocki, AmWins, Grand Rapids, MI
o Jim Whetstone, Hiscox US, Chicago, IL
o Dark Reading (IWKBTnewsletters@techweb.com)
o National Underwriter
o Rough Notes
o American Agent & Broker
o IRMI
o Business Insurance