Role of Insurance In Managing A Cyber Risk

Date post: 15-Jan-2017
Page 1: Role of Insurance In Managing A Cyber Risk

www.hubinternational.com

The Role of Insurance in Managing Cyber Risk

Page 2

The Evolution of “Cyber Risk”

Late 1990s: Viruses, Network Failures & “Y2K”

Mid 2000s: Large scale hacks – payment cards & identity theft

• Increased regulation of privacy matters

2008: Theft of intellectual property & trade secrets; cyber espionage

2011: “Hacktivism” and politically motivated attacks

2014: State Sponsored attacks; “Internet of Things”; & National Security Concerns

Page 3

State Regulations

New or Effective in 2015

• Connecticut (90 day deadline and credit monitoring)

• California (notice to DPH within 15 days; 1 year of credit monitoring; user name and pw = PII)

• New Jersey (some health insurers must encrypt)

• North Dakota (regulator notice if over 250)

• Montana (medical info and TIN)

• Utah (student data)

• Nevada (medical info and user name and pw)

• Washington (paper, regulator, 45 days)

• Wyoming (user name and pw, medical info, TIN)

• Oregon (regulator notice if over 250)

• Rhode Island (paper, regulator notice if over 500, 45 days)

States with Unwritten Rules

• Pennsylvania (AG requests notice if incident affects PA residents, though no statutory requirement)

• California (DHCS interprets California data breach statute to cover paper breaches, and expects CA legislature to update statute soon to clearly cover paper breaches)

• Indiana (anything over 30 days is “unreasonable delay”)

• Connecticut (2 years of credit monitoring; 90 days probably “unreasonable delay”)

• North Carolina (routinely inquires as to timeline of events)

Page 4

Federal Regulations and Requirements

New

HIPAA/HITECH (Protect and safeguard PHI)

– OCR unofficially mandates automatic investigation if over 500 affected

– Covered Entities and their Business Associates subject to rules

FTC (Regulates unfair or deceptive acts and practices) (security must be reasonable and in accordance with entity’s own policies)

– Approx. 50 privacy investigations since 2002, and dozens of fines ($22.5 million - Google 2012)

– Actively enforcing health care vendor rules (breach reporting for non-HIPAA entities)

FCC (Regulates communications networks) (TeleCom carriers must take precautions to secure customer data)

– First ever data breach fine (October 2014) ($10 million - TerraCom and YourTel America)

Important

July 7, 2015 - 47 State AGs write to Congress, urging U.S. to preserve state authority over data breaches

SEC (More aggressive cyber role expected) (required to disclose significant corporate events; apply adequate safeguards)

FERPA (Protect privacy of student records; federal funding can be, but never has been, cut off following violation)

SOX (Requires security controls, and auditors require disclosure if such controls are inadequate)

GLB (Privacy Rule suggests notification; Safeguards Rule suggests written security plan)

FACTA (Red Flags Rule requires procedures to detect and prevent identity theft)

Page 5

Regulatory Enforcement (Current Examples)

HHS/OCR

– Cancer Care Group ($750,000 settlement, August 31, 2015)

• OCR found widespread non-compliance, and lack of policies, after a laptop bag with unencrypted media exposed records of 55,000 patients

– State-Run Community Mental Health Facility ($150,000 settlement, Dec. 2014)

• Organization failed to patch systems and continued to run outdated, unsupported software, resulting in exposure of 2,743 medical records

FCC

– $25 million fine against AT&T for unauthorized disclosure of information (April 2015)

State

– Indiana – Assurance of Voluntary Compliance (AVC) (multiple fines ranging from $4,000 to $20,000)

– Zappos ($106,000 fine assessed by 9 states)

– TD Bank – 260,000 affected ($850,000 nine state fine plus $650,000 Mass. fine in December 2014)

Page 6

International Privacy Laws

EU Data Protection Directive:

Regulatory framework relating to processing, transfer, and use of personal information

Jurisdiction reaches outside the EU

Breach notification requirements to Supervisory Authorities and affected individuals

• Notice to the Supervisory Authorities required within 72 hours and notice to affected individuals without undue delay

European regulators will be able to fine companies who do not comply with the EU rules up to 2% of their global annual turnover.

EU Safe Harbor rule invalidated.

Canada

Digital Privacy Act – requires mandatory breach notification

Mexico, Costa Rica and Germany

Notice requirements

Jurisdictional issues

Page 7

Civil Litigation

Robins v. Spokeo (U.S. Supreme Ct.) (Pending)

– Allegation that Spokeo posted false information. Privacy (not breach) case - implications for cyber.

– Supreme Court to decide whether violation of a statute that allows automatic statutory damages, without any actual damages (as Plaintiffs allege FCRA does), confers standing even if no other harm is alleged (Circuit Court said yes).

– Could open data breach class action floodgates in states whose statutes allow for automatic statutory damages.

Neiman Marcus (July 2015)

– Actual fraud (reimbursed) and threat of “imminent” future harm confer standing.

– Seventh Circuit joins minority of Circuits (along with First, Ninth (though some post-Clapper District Courts hold otherwise), Eleventh, and a District Court in the Eighth) as data breach class friendly.

– The Third Circuit, and District Courts in the Second, Fourth, Fifth, Sixth, Tenth and D.C. Circuits, are less favorable for Plaintiffs.

Page 8

Civil Litigation

CGL Coverage – Zurich v. Sony (NY State, 2014): PII stolen by hackers not “publication” under personal and advertising liability coverage in CGL policy (Zurich and Sony settled in May 2015).

– Travelers v. P.F. Chang’s (D. Conn. 2014): Court closed pending results of class-action appeals, all of which were dismissed at trial stage.

Cyber Coverage – Columbia Casualty (CNA) v. Cottage Health System (C.D. Cal., May 2015)

– CNA sought to avoid coverage because Cottage failed to follow minimum required practices and for misrepresentation of security controls in application.

– Case dismissed (without prejudice) for failure to first engage in alternative dispute resolution as required in policy.

Target – Banking litigation – banks won class certification in September (U.S.D.C. Minn.)

– 10/23/15 - District Court holds forensic investigation protected from discovery by attorney-client and work product privileges.

Page 9

Best Practices Post Incident

Experience on Response Team

– Post data incident is not the time to learn the ins and outs of incident response

Use Counsel to Establish Privilege

– Counsel directs forensics, notice drafting, and other vendors so that, in the event of litigation or regulatory investigation, all documents and communications are not discoverable

– Guard Attorney-Client Privilege: do not share forensic reports, legal analysis and drafts with clients or third parties if not absolutely necessary

Do not use the terms “Breach”, “PII” or “PHI” lightly – these are statutorily defined legal terms, the use and admission of which have consequences

Page 10

Best Practices Post Incident

Do not rush to go public

– Tremendous desire to go public fast, but an inability to answer questions that will inevitably follow can be devastating

– If you notify 4 hours after discovery there will be people who charge you with delay, so “delay” is unavoidable.

Prepare for litigation

– Preserve all relevant documents

Covered Entities and Business Associates

– Should prepare for OCR investigations

Conduct risk assessment and implement data security improvements prior to being asked by a regulator

Page 11

Best Practices Post Incident

Incident Response Plan

Subcontractor/Service Provider Agreements

Technical Security (Firewalls, Anti-virus, Patching, Encryption)

HIPAA Compliance: Risk Assessment and Management, Training, Policies & Procedures

Insure

Page 12

Threat Sharing Initiatives

Cybersecurity Information Sharing Act

– Designed to facilitate Homeland Security, DOD, and DOJ “to share cybersecurity threat information with private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under threats.”

– Passed Senate on October 27, currently pending approval of House.

Executive Order

– Promoting Private Sector Cybersecurity Information Sharing – February 2015

– Encourages information sharing

Private

– Sharing within industry, via the blogosphere, via the news, etc.

Page 13

Cyber Risk Insurance

Page 14

Cyber Risk: Traditional Policies vs. Cyber Risk Policy

Columns (left to right): Property | General Liability | Crime | K&R | E&O | Cyber Risk

1st Party Privacy/Network Risks

Physical damage to data only: X X

Virus/Hacker damage to data only: X X X X

DOS (Denial of Service) Attack: X X X X

BI Loss from security event: X X X X

Extortion or Threat: X X X X

Employee Sabotage of data only: X X X

3rd Party Privacy/Network Risks

Theft/Disclosure of private information: X X X

Confidential Corporate information breach: X X X

Technology E&O: X X X X (Combinable)

Media Liability (electronic content): X X X

Privacy Breach expense/notification: X X X X X

Damage to 3rd Party’s data only: X X

Regulatory Privacy Defense/Fines: X X X X X

Virus/Malicious code transmission: X X X

Legend: X = Coverage Not Likely; [symbol] = Possible Coverage; [symbol] = Coverage Available

Page 15

Cyber Risk: Risk Transfer to Insurance

Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.

Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.

Electronic Media Content Liability: Coverage for personal injury, and trademark and copyright claims arising out of creation and dissemination of electronic content.

Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.

Page 16

Cyber Risk: Risk Transfer to Insurance

Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management/PR firm, privacy attorney and computer forensic investigator.

Network Extortion: Reimbursement for payment made under duress to prevent or terminate an extortion threat.

Network Business Interruption: Reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.

Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

Page 17

Bios

JOHN F. MULLEN, Partner, Philadelphia

Lewis Brisbois Bisgaard & Smith LLP Attorneys

John F. Mullen is the Managing Partner of the Philadelphia Regional Office and Chair of the US Data Privacy and Network Security Group with Lewis Brisbois Bisgaard & Smith. Mr. Mullen concentrates his practice on first- and third-party privacy and data security matters, and (with his team) serves as a data breach coach/legal counsel for entities coping with data privacy issues. Mr. Mullen is well-versed in the complex state, federal, and international rules and laws governing data collection, storage and security practices and breach response obligations. Mr. Mullen has been on the forefront of developing the cyber market in the insurance industry, and continues to assist insurers, brokers, risk managers, underwriters, product specialists and professional claims personnel in navigating this rapidly-developing territory.

Mr. Mullen holds a B.S. from Pennsylvania State University (1987) and a J.D. from Arizona State University, College of Law (1991).

Page 18

Bios

MICHELLE M. LOPILATO, Senior Vice President

Director of Cyber and Technology Solutions

HUB International New England

Michelle joined HUB International in August 2012 as a Professional and Specialty Lines Executive, bringing with her 12 years of focused experience with a particular expertise in Cyber Risk. As of December 2014, Michelle’s primary focus is building out HUB's Cyber and Technology practice. As the Director of Cyber and Technology Solutions, Michelle is responsible for advising clients and prospects on issues related to cyber, privacy and technology related risks, as well as negotiating with carriers on policy terms and conditions. In addition, Michelle is responsible for cyber/technology product development and production for the entire Eastern Region of HUB.

Michelle is well known for her subject matter expertise as it relates to financial and professional lines of liability insurance coverage, with a particular expertise in program design and the marketing and administration of complex Cyber Risk and Technology programs. In that role, she has been the client advisory and marketing specialist for some of the largest publicly and privately held risks in the New England region.

Michelle is a licensed Property & Casualty Producer and a member of the Professional Liability Underwriting Society (PLUS).

Page 19

Bios

John Farley, AIC, Vice President, Cyber Risk Management Services

HUB International Limited

John Farley is currently serving as a Vice President and Cyber Risk Practice Leader for HUB International’s Risk Services Division. John is based in New York City and brings 23 years of risk consulting experience to the firm. While working at HUB International, John has performed a variety of cyber risk consulting services for clients across many industries, including but not limited to healthcare, retail, financial services, manufacturing, higher education and information technology companies. He serves as a resource for pre-breach incident planning and post-data breach response in network security & privacy liability consulting.

When a breach occurs, John acts as a central coordinator between all parties involved - the client, insurance carriers, and any outsourced service provider hired, including IT forensics experts, privacy attorneys, public relations firms, call center operators and other breach response service providers. In this role he applies extensive knowledge in data breach response best practices and works diligently with clients to achieve optimal results in cost mitigation.

John holds a B.A. in English, with a Minor in Business Management, from Manhattan College and is also a certified and licensed Associate in Claims (AIC).

Page 20

Contact Information

John Mullen
Lewis Brisbois Bisgaard & Smith LLP Attorneys
[email protected] > 215-977-4056

Michelle Lopilato
HUB International New England
[email protected] > 978-661-6655

John Farley
HUB International Limited
[email protected] > 212-338-2150