Date post: | 15-Jan-2017 |
www.hubinternational.com
The Role of Insurance in Managing Cyber Risk

The Evolution of “Cyber Risk”
Late 1990s: Viruses, Network Failures & “Y2K”
Mid 2000s: Large scale hacks – payment cards & identity theft
• Increased regulation of privacy matters
2008: Theft of intellectual property & trade secrets; cyber espionage
2011: “Hacktivism” and politically motivated attacks
2014: State Sponsored attacks; “Internet of Things”; & National Security Concerns
State Regulations – New or Effective in 2015
• Connecticut (90 day deadline and credit monitoring)
• California (notice to DPH within 15 days; 1 year of credit monitoring; user name and password = PII)
• New Jersey (some health insurers must encrypt)
• North Dakota (regulator notice if over 250)
• Montana (medical info and TIN)
• Utah (student data)
• Nevada (medical info and user name and password)
• Washington (paper, regulator, 45 days)
• Wyoming (user name and password, medical info, TIN)
• Oregon (regulator notice if over 250)
• Rhode Island (paper, regulator notice if over 500, 45 days)
States with Unwritten Rules
• Pennsylvania (AG requests notice if incident affects PA residents, though no statutory requirement)
• California (DHCS interprets California data breach statute to cover paper breaches, and expects CA legislature to update statute soon to clearly cover paper breaches)
• Indiana (anything over 30 days is “unreasonable delay”)
• Connecticut (2 years of credit monitoring) (90 days probably “unreasonable delay”)
• North Carolina (routinely inquires as to timeline of events)
Federal Regulations and Requirements
New
HIPAA/HITECH (Protect and safeguard PHI)
– OCR unofficially mandates automatic investigation if over 500 affected
– Covered Entities and their Business Associates subject to rules
FTC (Regulates unfair or deceptive acts and practices) (security must be reasonable and in accordance with entity’s own policies)
– Approx. 50 privacy investigations since 2002, and dozens of fines ($22.5 million – Google 2012)
– Actively enforcing health care vendor rules (breach reporting for non-HIPAA entities)
FCC (Regulates communications networks) (Telecom carriers must take precautions to secure customer data)
– First ever data breach fine (October 2014) ($10 million – TerraCom and YourTel America)
Important
July 7, 2015 – 47 State AGs write to Congress, urging U.S. to preserve state authority over data breaches
SEC (More aggressive cyber role expected) (required to disclose significant corporate events; apply adequate safeguards)
FERPA (Protect privacy of student records; federal funding can be, but never has been, cut off following violation)
SOX (Requires security controls, and auditors require disclosure if such controls are inadequate)
GLB (Privacy Rule suggests notification; Safeguards Rule suggests written security plan)
FACTA (Red Flags Rule requires procedures to detect and prevent identity theft)
Regulatory Enforcement (Current Examples)
HHS/OCR
– Cancer Care Group ($750,000 settlement, August 31, 2015)
• OCR found widespread non-compliance, and lack of policies, after laptop bag with unencrypted media exposed records of 55,000 patients
– State-Run Community Mental Health Facility ($150,000 settlement, Dec. 2014)
• Organization failed to patch systems and continued to run outdated, unsupported software, resulting in exposure of 2,743 medical records
FCC
– $25 million fine against AT&T for unauthorized disclosure of information (April 2015)
State
– Indiana – Assurance of Voluntary Compliance (AVC) (multiple fines ranging from $4,000 to $20,000)
– Zappos ($106,000 fine assessed by 9 states)
– TD Bank – 260,000 affected ($850,000 nine state fine plus $650,000 Mass. fine in December 2014)
International Privacy Laws
EU Data Protection Directive:
Regulatory framework relating to processing, transfer, and use of personal information
Jurisdiction reaches outside the EU
Breach notification requirements to Supervisory Authorities and affected individuals
• Notice to the Supervisory Authorities required within 72 hours and notice to affected individuals without undue delay
European regulators will be able to fine companies who do not comply with the EU rules up to 2% of their global annual turnover.
EU Safe Harbor rule invalidated.
Canada
Digital Privacy Act – requires mandatory breach notification
Mexico, Costa Rica and Germany
Notice requirements
Jurisdictional issues
Civil Litigation
Robins v. Spokeo (U.S. Supreme Ct.) (Pending)
– Allegation that Spokeo posted false information. Privacy (not breach) case – implications for cyber.
– Supreme Court to decide whether violation of a statute that allows automatic statutory damages, without any actual damages (as Plaintiffs allege FCRA does), confers standing even if no other harm is alleged (Circuit Court said yes).
– Could open data breach class action floodgates in states whose statutes allow for automatic statutory damages.
Neiman Marcus (July 2015)
– Actual fraud (reimbursed) and threat of “imminent” future harm confer standing.
– Seventh Circuit joins minority of Circuits (along with First, Ninth – but some post-Clapper District Courts hold otherwise –, Eleventh, and a District Court in the Eighth) as data breach class friendly.
– The Third Circuit, and District Courts in the Second, Fourth, Fifth, Sixth, Tenth and D.C. Circuits are less favorable for Plaintiffs.
Civil Litigation
CGL Coverage – Zurich v. Sony (NY State, 2014): PII stolen by hackers not “publication” under personal and advertising liability coverage in CGL policy (Zurich and Sony settled in May 2015).
– Travelers v. P.F. Chang’s (D. Conn. 2014): Court closed pending results of class-action appeals, all of which were dismissed at trial stage.
Cyber Coverage – Columbia Casualty (CNA) v. Cottage Health System (C.D. Cal., May 2015)
– CNA sought to avoid coverage because Cottage failed to follow minimum required practices and for misrepresentation of security controls in application.
– Case dismissed (without prejudice) for failure to first engage in alternative dispute resolution as required in policy.
Target – Banking litigation – banks won class certification in September (U.S.D.C. Minn.)
– 10/23/15 – District Court holds forensic investigation protected from discovery by attorney-client and work product privileges.
Best Practices Post Incident
Experience on Response Team
– Post data incident is not the time to learn the ins and outs of incident response
Use Counsel to Establish Privilege
– Counsel directs forensics, notice drafting, and other vendors so that, in the event of litigation or regulatory investigation, all documents and communications are not discoverable
– Guard Attorney-Client Privilege: do not share forensic reports, legal analysis and drafts with clients or third parties if not absolutely necessary
Do not use terms “Breach” or “PII” or “PHI” lightly – these are statutorily defined legal terms the use and admission of which have consequences
Best Practices Post Incident
Do not rush to go public
– Tremendous desire to go public fast, but an inability to answer questions that will inevitably follow can be devastating
– If you notify 4 hours after discovery there will be people who charge you with delay, so “delay” is unavoidable.
Prepare for litigation
– Preserve all relevant documents
Covered Entities and Business Associates
– Should prepare for OCR investigations
Conduct risk assessment and implement data security improvements prior to being asked by a regulator
Best Practices Post Incident
Incident Response Plan
Subcontractor/Service Provider Agreements
Technical Security (Firewalls, Anti-virus, Patching, Encryption)
HIPAA Compliance: Risk Assessment and Management, Training, Policies & Procedures
Insure
Threat Sharing Initiatives
Cybersecurity Information Sharing Act
– Designed to facilitate Homeland Security, DOD, and DOJ “to share cybersecurity threat information with private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under threats.”
– Passed Senate on October 27, currently pending approval of House.
Executive Order
– Promoting Private Sector Cybersecurity Information Sharing – February 2015
– Encourages information sharing
Private
– Sharing within industry, via the blogosphere, via the news, etc.

Cyber Risk Insurance
Cyber Risk – Traditional Policies vs. Cyber Risk Policy
Columns: Property | General Liability | Crime | K&R | E&O | Cyber Risk
1st Party Privacy/Network Risks
Physical damage to data only X X
Virus/Hacker damage to data only X X X X
DOS (Denial of Service) Attack X X X X
BI Loss from security event X X X X
Extortion or Threat X X X X
Employee Sabotage of data only X X X
3rd Party Privacy/Network Risks
Theft/Disclosure of private information X X X
Confidential Corporate information breach X X X
Technology E&O X X X X Combinable
Media Liability (electronic content) X X X
Privacy Breach expense/notification X X X X X
Damage to 3rd Party’s data only X X
Regulatory Privacy Defense/Fines X X X X X
Virus/Malicious code transmission X X X
Legend: X = Coverage Not Likely; Possible Coverage; Coverage Available
Cyber Risk – Risk Transfer to Insurance
Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data, denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
Electronic Media Content Liability: Coverage for personal injury, and trademark and copyright claims arising out of creation and dissemination of electronic content.
Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management/PR firm, privacy attorney and computer forensic investigator.
Network Extortion: Reimbursement for payment made under duress to prevent or terminate an extortion threat.
Network Business Interruption: Reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.
Bios
JOHN F. MULLEN, Partner, Philadelphia
Lewis Brisbois Bisgaard & Smith LLP Attorneys
John F. Mullen is the Managing Partner of the Philadelphia Regional Office and Chair of the US Data Privacy and Network Security Group with Lewis Brisbois Bisgaard & Smith. Mr. Mullen concentrates his practice on first- and third-party privacy and data security matters, and (with his team) serves as a data breach coach/legal counsel for entities coping with data privacy issues. Mr. Mullen is well-versed in the complex state, federal, and international rules and laws governing data collection, storage and security practices and breach response obligations. Mr. Mullen has been on the forefront of developing the cyber market in the insurance industry, and continues to assist insurers, brokers, risk managers, underwriters, product specialists and professional claims personnel in navigating this rapidly-developing territory.
Mr. Mullen holds a B.S. from Pennsylvania State University (1987) and a J.D. from Arizona State University, College of Law (1991).
MICHELLE M. LOPILATO, Senior Vice President
Director of Cyber and Technology Solutions
HUB International New England
Michelle joined HUB International in August 2012 as a Professional and Specialty Lines Executive, bringing with her 12 years of focused experience with a particular expertise in Cyber Risk. As of December 2014, Michelle’s primary focus is building out HUB's Cyber and Technology practice. As the Director of Cyber and Technology Solutions, Michelle is responsible for advising clients and prospects on issues related to cyber, privacy and technology related risks, as well as negotiating with carriers on policy terms and conditions. In addition, Michelle is responsible for cyber/technology product development and production for the entire Eastern Region of HUB.
Michelle is well known for her subject matter expertise as it relates to financial and professional lines of liability insurance coverage, with a particular expertise in program design and the marketing and administration of complex Cyber Risk and Technology programs. In that role, she has been the client advisory and marketing specialist for some of the largest publicly and privately held risks in the New England region.
Michelle is a licensed Property & Casualty Producer and a member of the Professional Liability Underwriting Society (PLUS).
John Farley, AIC, Vice President, Cyber Risk Management Services
HUB International Limited
John Farley is currently serving as a Vice President and Cyber Risk Practice Leader for HUB International’s Risk Services Division. John is based in New York City and brings 23 years of risk consulting experience to the firm. While working at HUB International John has performed a variety of cyber risk consulting services for clients across many industries, including but not limited to healthcare, retail, financial services, manufacturing, higher education and information technology companies. He serves as a resource for pre-breach incident planning and post-data breach response in network security & privacy liability consulting.
When a breach occurs John acts as a central coordinator between all parties involved – the client, insurance carriers, and any outsourced service provider hired, including IT forensics experts, privacy attorneys, public relations firms, call center operators and other breach response service providers. In this role he applies extensive knowledge in data breach response best practices and works diligently with clients to achieve optimal results in cost mitigation.
John holds a B.A., English, Minor in Business Management from Manhattan College and also is a Certified and licensed Associate in Claims (AIC).
Contact Information
John Mullen
Lewis Brisbois Bisgaard & Smith LLP Attorneys
[email protected] > 215-977-4056
Michelle Lopilato
HUB International New England
[email protected] > 978-661-6655
John Farley
HUB International Limited
[email protected] > 212-338-2150