Page 1

In partnership with

Page 2

John F. Mullen is the Managing Partner of the Philadelphia Regional Office and Chair of the US Data Privacy and Network Security Group with Lewis Brisbois Bisgaard & Smith.

David Lewison is the National Co-Practice Leader for the Financial Services Practice of AmWINS Brokerage Group, an insurance wholesaler with more than 90 offices in 16 …

Page 3

Scared Straight: Don’t Let Your Cyber Liabilities Take You Off Course

Part I: Case Studies and Horror Stories
Part 2: Loss Trends and Insurance

Presented by: David Lewison (AmWINS Brokerage) and John Mullen (Lewis Brisbois)

Page 4

What Can Go Wrong?

• Breach examples from John Mullen
  – California focused
  – Hospitals
  – Doctor Groups
  – Regulatory Investigations
• Fines, Penalties, Disruption of business
  – Talking Points:
    • What happened?
    • How did the health system/doctor group respond?
    • What actions did the regulators take?
    • What did the plaintiffs want?
    • How did insurance help?
    • What was your worst case scenario?
    • How has it turned out to date?

Page 5

Cyberliability Exposure and Coverage Webinar

Part 2: Loss Trends and Insurance

Presented by: David Lewison

Page 6

Loss Trends and Insurance

Topics to be covered:
1. Data breach trends
2. Data breach expenses and claims
3. Definitions
4. Laws
5. Available insurance
6. Insurance that doesn’t apply
7. Gaps in some insurance policies
8. Questions to consider

Page 7

2013 Data Breach Info

http://datalossdb.org

Page 8

http://www.privacytrustgroup.com/12Identitytheftstatis.htm

Losses To Consumers as a Result of Identity Theft

Average losses per victim of identity theft approach $10,000 per victim per attack. (FraudInvest/JavlinBBB)

Victims spend, on average, $4,000 recovering from a single incident of ID theft. (FTC/FraudInvest)

Victims spend 175 to 600 hours over months or years to recover. (FTC/IDTResource)

A more recent study indicated that most victims spend closer to 600 hours recovering, 300% more time than indicated in previous studies. (IDTResource)

Employees rarely take all of their recovery time out of personal time. Many victims take time at work, negatively affecting their work productivity. (FactExpert)

$3.8 billion total is lost from consumer spending annually, seriously affecting our economy. (FTC)

• An average identity theft victim loses $10,000 and spends another $4,000 to recover from the identity theft.

Page 9

Identity Theft Adds Up

Source: Federal Trade Commission (February 2014): Consumer Sentinel Network Data Book

• Multiply the $14,000 in average individual losses from the previous slide times the roughly 290,000 cases in 2013 and you get approximately $4.1 Billion in potential damages.  This is before including pain, suffering, legal fees and other demands from the victims.

Page 10

Regulatory Exposures

• Require firms that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information
• Many require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies
• Timing requirements vary
• Some states allow a private right of action for violations

State level breach notice: 47 states (plus Puerto Rico, Washington D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI.

Page 11

Evolving Exposures

VERMONT
• Notice to affected individuals within 45 days of breach discovery
• Notice to VT AG within 14 days of breach discovery or affected individual notice (whichever is sooner)

KENTUCKY
• Became 47th state with breach notification law in April 2014

NEVADA
• Data collectors doing business in NV to comply with PCI-DSS

MASSACHUSETTS
• “Written information security plan” for businesses storing MA resident personal information

CALIFORNIA
• Email address and PW = PII
• Strict health information protection
• Notice to Department of Public Health and affected individuals within 5 business days of learning of breach.
• Non-compliance subject to $500 per day/per violation up to $250,000

Page 12

Regulatory Exposures

HITECH Act
• Extends HIPAA to “business associates” of HIPAA covered entities
• First national breach notification requirement: > 500 affected, notify HHS; < 500, report at year end
• Permits state Attorneys General to enforce HIPAA

Final Rule is now law of the land:
• Privacy and Security Rules now apply to Business Associates;
• Impermissible disclosure is now presumed to be a breach;
• Business Associates now directly liable to HHS

Page 13

HIPAA Enforcement Examples

• Parkview Health System, Inc.
  – Parkview Health System was to return 5,000-8,000 patient records to a doctor.
  – Parkview employees knew the doctor wasn’t home and dropped off 71 boxes at the doctor’s house, leaving them “unattended and accessible to unauthorized persons on the driveway of the physician’s home.” No allegations of theft/access.
  – Doctor filed complaint with OCR, alleging violation of HIPAA Privacy Rule
  – Parkview hit with $800,000 fine on June 23, 2014

Page 14

HIPAA Enforcement Examples

• N.Y. Presbyterian (NYP) and Columbia University (CU)
  – NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities.
  – A physician employed by CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
  – The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.
  – NYP and CU hit with $4.8 million fine/settlement May 8, 2014

Page 15

Anatomy of a Breach Response

BREACH DISCOVERY

EXPERTS: Breach coach; Forensics; Public relations

INVESTIGATION (internal/forensic/criminal): How did it happen? When did it happen? Is it still happening? Who did it happen to? What was accessed/acquired? Was it encrypted/protected?

NOTICE OBLIGATIONS: State; Federal; Other (e.g., PCI, FDIC, Insurance Regulators)

NOTICE METHODS: Written; Electronic; Substitute; Media

DEADLINES: Can be from 48 hours to “without unreasonable delay”

INQUIRIES: State regulators (e.g., AG, PD); Federal regulators (e.g., OCR); Federal agencies (e.g., SEC, FTC); Consumer reporting agencies

LITIGATION: Subrogation; Class action

Page 16

Regulatory / Compliance Cost

BREACH COSTS
• Forensics vendor
• Notification vendor
• Call centers
• PR vendor
• ID theft insurance
• Credit monitoring
• ID restoration
• Attorney oversight

PLANNING AND DATA MANAGEMENT
• Breach planning (Mass.)
• ID Theft monitoring (red flags)
• PCI DSS (Nevada and merchants)
• HIPAA

Page 17

Litigation Trends

SINGLE PLAINTIFF
• Identity theft
• Privacy

GOVERNMENT ACTION
• Attorney General (Goldthwait, South Shore, Accretive, Health Net)
• FTC (ChoicePoint, American United Mortgage)
• HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS)

BANKS
• Cost of replacing credit cards
• Reimbursement of fraudulent charges
• Business interruption

CLASS ACTION
• Failure to protect data
• Failure to properly notify
• Failure to mitigate
• NO VERDICTS . . . YET

Page 18

Defense Eroding

Stollenwerk v. Tri West – assert actual identity theft

Krottner v. Starbucks Corp. – increased risk of identity theft constitutes an injury-in-fact

Anderson v. Hannaford – alleged fraud in population and money spent in mitigation efforts sufficient (instead of time/effort)

AvMed – class action settlement approved where no proof of actual fraud or monetary loss

----------------------------------------------------------------------------------------------------------

ITERA (Identity Theft Enforcement and Restitution Act) – pay an amount equal to the value of the time reasonably spent

In re Hannaford Bros. Data Security Breach Litigation – does time equal money? No. But if there is fraud, credit monitoring damages may be due.

ChoicePoint Data Breach Settlement – FTC paid for “time they may have spent monitoring their credit or taking other steps in response”

Page 19

Possible Means of Disclosure

– Lost or stolen laptops, computers, or other computer storage devices

– Backup tapes lost in transit

– Lost paper records

– Hackers

– Employee theft

– Poor business practices

– Internal security failures

– Viruses, Trojan Horses, and computer security loopholes

– Improper disposition of information

Page 20

Data Loss Expenses

Statistics from the Ponemon Institute 2013 Cost of Breach Study:
• Average total cost per reporting company: $5.4 million
• Average per-record cost of a data breach: $136
  (Expect about $37 per record for notification and credit monitoring)

Per Capita Costs of a Breach by Industry Classification

  Healthcare   $233
  Financial    $215
  Hospitality  $114
  Services     $134
  Pharma       $207
  Average      $194

Page 21

Data Loss Expense Estimator

Graph of Average Cost

Page 22

Claims Examples

• Claims Scenario #1: 24,000 patient records compromised at a mid-sized hospital. State regulatory requirements were triggered. The hospital was required to notify every patient of the breach via Certified Mail.
  – Damages: $240,000
  – Defense Costs: $42,500
  – TOTAL AMOUNT PAID: $282,500

• Claims Scenario #2: A pharmacy sold a computer to a private individual that still contained prescription records including the names, addresses, social security numbers and medication lists of pharmacy customers. State law regulations required certified notification to all of the affected parties. Two lawsuits were filed: 1) Plaintiff alleged damages due to job loss as a result of the disclosure; 2) Plaintiff alleged her identity was stolen and sued to recover the costs of correction and emotional distress. A HIPAA investigation was triggered.
  – TOTAL AMOUNT PAID IN EXCESS OF: $410,000

Page 23

Examples of Health Care Businesses with Privacy Exposure

• Ambulatory Services/Emergency
• Clinical Research Organizations
• Doctor/Dental Groups
• Drug Testing Agency
• Electronic Medical Record Storage Firms
• Health Clubs
• Hospitals
• Long-Term Care Facility
• Pharmaceutical Companies
• Medical Schools
• Medical Billing
• Medi Spas
• Radiology Center

Page 24

Cyberliability Insuring Agreements

• 1st Party Business Interruption – Covers lost business income in the event a virus infection shuts you down.
• 1st Party Data Asset – Covers your expenses to recover lost data.
• Cyberextortion – Covers expenses and ransom if a hacker threatens to shut you down. This insuring agreement often covers reward amounts offered to catch the extortionist.
• Network Security – Covers your liability when hackers use your system to inflict damage on others.
• Privacy
  – Notification Expenses – When data is lost, you must notify all potential victims within a short period of time as required by state laws.
  – Credit Monitoring – Policies will cover up to 1 year of credit monitoring services for those exposed. In some cases 2 years of monitoring will be available.
  – Credit Repair Services – 1 year of services to repair credit of an actual identity theft.
  – Crisis Management – Public Relations expense coverage to protect your image.
  – Regulatory Defense and expenses – Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage for regulatory proceedings and in some cases cover penalties where insurable.
• Electronic Media – Covers website content liability (copyright, libel, slander, etc.)

Page 25

Why Cyber Isn’t Covered on Other Policy Forms

• General Liability covers bodily injury and property damage, not stolen identities.
• Property Insurance does not consider data as property.
• Media Liability policies only cover content for libel, slander and copyright.
• E&O policies cover services for others for a fee. Some will cover invasion of privacy, but will only respond to actual damages. You won’t get notification expense coverage or credit monitoring services coverage on an E&O policy. Also, many businesses hold PII without being in a service industry that would be required to buy E&O.
• Intellectual Property Coverage (Patent/Copyright). These policies are designed to protect you from claims brought by competitors and other third parties. This coverage responds to theft of ideas, products or content, not identities, private records or money.
• Crime Insurance covers employee theft of money, securities and property. A data record can be stolen, but you may not see a financial loss for many years. For financial institutions some carriers are combining a crime policy with the security/privacy policy because there can be an overlap. The theft of funds through a network could hit both policies. If an employee is involved in the theft, you could trigger the crime policy as well as the liability portion of the privacy/security policy. In the absence of the privacy/security policy, there wouldn’t be coverage for the notification and credit monitoring.

Page 26

Coverage Gaps in Current Cyber Forms

• Many “Internet” policy forms only cover web content, not identities.
• Many insurers will only offer $250,000 of notification and credit monitoring expense coverage, while others will offer up to the policy limit.
• A handful of insurers will insure regulatory civil fines and penalties where insurable. Others only provide defense.
• Pay attention to the sublimits offered. Every insurer offers something different. Some insurers have coinsurance provisions applicable to the expense coverage.
• Some policy forms only cover paper records if generated electronically.
• Some insurers do not cover employee records (insured vs. insured exclusions).
• Some insurers do not cover data breaches caused by employees of the insured (rogue employees).
• Some insurers will cover mental anguish and emotional distress arising from a privacy breach; others will exclude anything arising out of or related to bodily injury.
• Some insurers have exclusions applicable if the insured does not continuously upgrade or maintain the same level of security as was in place at the time coverage was bound.

Page 27

Questions to Consider

• Do you hold any private data of clients, vendors, employees or others?
• Are you aware of the notice requirements in each state if you lose control of that data?
• What steps would you take/who would you call if you lost those private records?
• Do you have a corporate-wide privacy policy?
• Do you have a disaster plan specific to data breaches?
• Are your records stored electronically? Paper? Are the records secure? Do you shred?
• Do any employees have access to private client records? Do you allow use of USB drives on computers with access to private data?
• Are any records ever handled by a third party?
• Are all of your laptops and wireless connections encrypted?
• Are you confident your antivirus and firewall systems are 100% effective?
• Have any of your systems been programmed by non-employees?
• How would your clients respond if you lost their private records?
• If your network was damaged or disabled by a virus or hacker attack, would it be material to your revenues/income? Do you have a backup system? How long would it take you to recover?
• Are you prepared for a Department of Health and Human Services Compliance Audit?