Cyber Insurance

Yes, Mutual Insurance Company, you need it!

Presented by: Jamie Orye, JD, RPLU, Beazley Group

Pennsylvania Association of Mutual Insurance Companies Annual Spring Conference, March 12, 2015


The term “cyber insurance” has a variety of different meanings depending on who is using it and how they are applying it.

Cyber insurance policy forms and coverages differ significantly from carrier to carrier.

Cyber insurance and coverages are constantly evolving and changing.

First, a few notes …

What is Cyber Insurance?

Technology Errors and Omissions Coverage

“Cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Nevertheless, tech E&O insurance policies do contain a number of the same insuring agreements as cyber and privacy policies.”

-- International Risk Management Institute (IRMI)

Let’s Start with What It’s Not

Covered under a Commercial General Liability policy

As of May 1, 2014, the Insurance Services Office introduced “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-related Liability – with Limited Bodily Injury Exception”.

Let’s Start with What It’s Not

Insurance “designed to [respond to and] mitigate losses from a variety of cyber incidents, including data breaches, business interruption and network damage.”

-- US Department of Homeland Security

So … What is it?

What Coverages are Typically in a Cyber Insurance Policy?

Breach Response Services (1st party)

Information Security & Privacy Liability (3rd party)

Regulatory Defense & Penalties Coverage (3rd party)

Business Interruption Coverage (1st party)

Data Restoration Coverage (1st party)

Cyber Extortion Coverage (1st party)

Media Liability (3rd party)

Components of a Cyber Insurance Policy

Legal Analysis: costs associated with hiring specialized attorneys to determine your responsibilities and duties under applicable data breach and privacy statutes

Computer Forensics: costs associated with hiring specialized computer forensics firms to determine the existence and extent of a data breach

Notification: costs to print and mail letters to affected individuals

Breach Response Services

Credit Monitoring: costs of offering 12 or 24 months of credit monitoring with one or all three of the national credit bureaus

Call Center: costs of setting up a call center that affected individuals receiving the notice can call with questions or for additional information

Crisis Management/Public Relations: costs associated with hiring a specialized crisis management firm to assist in the mitigation of any adverse publicity resulting from the data breach

Breach Response Services

Typical Costs

Computer Forensics $500 - $600 per hour

Pre-Claim Legal Fees $500 - $600 per hour

Notification Costs $1-$2 per affected individual

Credit Monitoring $20-$30 per affected individual

15%-25% acceptance rate

Call Center $4,000 - $5,000 setup costs plus per minute charge for each phone call received. For dedicated support, add $50-$60 per hour per person.

Claim / Regulatory Defense $600 - $700 per hour

Liability Varies

Average Cost of a Data Breach in the US

$5.4M per breach / $188 per record*

*The 2013 Cost of Data Breach: Global Analysis by the Ponemon Institute

Liability (and defense) resulting from harm suffered by third-parties due to a data breach

Examples:

◦ Costs incurred by an affected individual in dealing with identity theft and fraud resulting from the breach of their private information

◦ Costs incurred by a business for which you handle private information in dealing with their own notification requirements resulting from the breach of that private information

Information Security & Privacy Liability

October 2012: Nationwide Mutual Insurance discovered a data breach which impacted the “name, Social Security number, driver's license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer” of approximately 1.1M Americans. FBI and various Attorneys General including North Carolina’s are notified. Affected individuals are notified.*

February 2014: Federal judge in Kansas dismisses two proposed class actions due to no evidence of actual harm.**

Liability Illustration: Nationwide

* http://www.zdnet.com/article/nationwide-mutual-hack-affected-1-1-million-americans/

** http://www.law360.com/articles/508534/nationwide-mutual-defeats-data-breach-class-actions

Costs associated with defending a claim brought by a regulatory/law enforcement entity or agency pursuant to federal or state data breach regulations and any resulting penalties assessed.

Office of Civil Rights (OCR): tasked with enforcement of HIPAA & HITECH statutes

State Attorneys General: may bring regulatory enforcement actions under state data breach laws or unfair trade practices/consumer protection laws

Regulatory Defense & Penalties

An insured’s loss of income and extra expense costs resulting from a data breach or computer network security event.

Sony Corporation: cyber attack took down entire system for two days and left them operating on reduced systems for several weeks.

Business Interruption

Costs to recreate deleted, destroyed, corrupted or altered data resulting from a data breach.

Restoring data from backup tapes

Manually entering data from paper files if no backup tape is available

Data Restoration

Payment made to terminate the threat to breach your computer network security in order to:

◦ Destroy data

◦ Prevent access to computer systems

◦ Introduce a virus to your computer system or a third party’s computer system

◦ Interrupt or suspend the functioning of your computer system

Cyber Extortion

Coverage for liability arising out of content created or used by you. May be limited to online content only.

◦ Defamation, libel, slander

◦ Plagiarism, misappropriation of ideas

◦ Copyright and trademark infringement

Media Liability

What’s Truly Important to Have (or Not Have) in Your Policy?

Adequate limits

Separate limit of coverage for first party breach response coverage

Coverage for your vendors’ breaches involving your information

Coverage for a suspected incident

Modified Intentional Acts Exclusion / Rogue Employee Coverage

The “Haves”

February 2013: Mass Mutual Life Insurance Company notifies a number of its customers (more than 500 in California; 37 in Maryland) of a data breach resulting when a third-party service provider, Convey Compliance Solutions, inadvertently mailed 1099 tax forms to incorrect addresses.

Two years of credit monitoring was offered to all affected individuals.*

Illustration: Coverage for Your Vendors’ Breaches

*Privacy Rights Clearinghouse; CA & MD Office of Attorney General Websites

Unencrypted Data Exclusion

Safeguard exclusion

Coverage that only extends to personally identifiable information

Failure to follow your own privacy policy exclusion

The “Have Nots”

Traditional insurance policies (commercial general liability, property, workers compensation) do not provide cyber coverage.

Policy forms and coverage differ significantly from carrier to carrier

Carrier and breach response vendor(s) experience is an important factor to consider when purchasing a policy

Conclusion

Questions?