Overview
1. Disaster Planning Gone Wrong
2. Disaster Recovery and Protecting your Insurance Claim
3. Cyber Liability – NKOTB
What to Do Before the Loss
1. Know Who to Call
• Insurance Agent/Company
• Recovery and Restoration Companies
• Industrial Hygienist
2. Have Crisis and Claim Management Teams in Place
• Facilities/Construction
• Team Resources
• Finance
• Risk Management/Insurance
• Real Estate
3. Have a Segregated Insurance Recovery Account in Place to Track Expenses
4. Have a Panel Adjustor in Place if You Have a Layered Insurance Program
What to Do After the Loss
1. Stop/Mitigate the Damage (Duty to Do So)
2. Call your insurance agent/company as soon as possible (immediately).
3. Secure the Site
4. Implement Incident Command and Initiate Your Crisis and Claim Teams
5. Document Damages (Photos/Records)
6. Keep Everything (Insurer’s Right to Salvage)
7. Don’t forget about employee and customer safety
Settling the Claim
What to Claim
1. Property Damage
• Building
• Furniture, Fixtures and Equipment
• Inventory
2. Extra Expenses/Increased Cost of Working
• Overtime
• Expenses to Reduce Business Interruption
3. Business Interruption/Loss of Profits
4. Other Coverages
• Debris removal / Decontamination Costs / Demolition
• Expediting Costs / Professional Fees / Protection of Property
Target Corp. said that the huge data breach it suffered in late 2013 happened after an intruder stole a vendor’s user ID and password and used them to gain access to the company’s computer system.
What was stolen:
40 Million
Customer Credit and Debit Card Numbers, Security Code
Root Cause: Malware
Source: DataBreachToday.Com; StarTribune.com
February 2014: Hackers obtained the user IDs and passwords of “a small number” of employees. The hackers then accessed a database containing all user records and copied “a large part” of those credentials.
What was stolen:
145 Million
User Credentials
Root Cause: Cyber Attack
Source: New York Times
Home Depot, April 2014: Malware was installed on the cash register system across 2,200 stores. Home Depot said that criminals used a third-party vendor's user ID and password to enter the perimeter of its network.
What was stolen:
56 Million
Credit Card Information, Other Personal Data, Emails
Root Cause: Malware
Source: Associated Press
August 2014: Community Health Systems, which operates 203 hospitals across the United States, announced that hackers broke into its computers and stole data on 4.5 million patients.
What was stolen:
4.5 Million
Names, DOB, Addresses, Phone Numbers, SSN
Root Cause: Cyber Attack
Source: Modern Healthcare
February 2015: Anthem, the second-largest health insurer in the US. An attacker obtained the user IDs and passwords of five IT personnel. The data was exfiltrated using public external web storage.
What was stolen:
78.8 Million
Names, DOB, SSN, Addresses, Phone Numbers, Employment info
Root Cause: Phishing / Malware Keyboard Logger
Source: CNN Money, USA Today
Why Data is a Target...
What Stolen Data is Worth
• Social Security Number: $3.00
• Credit Card Info: $1.50
• Date of Birth: $3.00
• Medical Record Data: $50.00
What’s the Exposure
Average Cost of a Data Breach is $3 - 4MM or $150 to $180 for Every Lost or Stolen Record
What Does This Pay For:
• Audit and consulting services
• Legal services for defense and compliance
• Services to Victims / Identity Protection
1. Loss of Reputation / Lost Business / Lost Productivity
2. Only 51% of RIMS Members Buy Privacy/Cyber Liability Insurance
Root Causes of Data Breaches
• Human Error: 31%
• Malicious Attack: 44%
• System Glitch: 25%
Source: Ponemon Institute/Symantec
Federal & Statutory Requirements Following a Breach
1. There is no uniform federal law on data breaches.
• HIPAA Health Insurance Portability and Accountability Act
• HITECH established encryption and destruction protocols for PHI
• Gramm-Leach-Bliley Act (GLBA) for Financial Institutions
• The Payment Card Industry Data Security Standards (PCI-DSS)
• Office of Management and Budget (OMB) “Breach Notification Policy” For Federal Agencies
2. State security breach notification laws generally follow a similar framework:
• Delineating who must comply with the law;
• Defining the terms “personal information” and “breach of security”;
• Adopting requirements for notice;
• Creating penalties, enforcement authorities, and remedies.
3. Florida Statutes. 501.171, 282.0041, 282.318(2)(i)
Q&A
Jim Carter
Manager, Risk & Insurances Services
BayCare Health System, Inc.
2985 Drew St.
Clearwater, FL 33759
Tel. 727-754-9234
Email. [email protected]