TRANSCRIPT
This material is presented for informational purposes only and is not intended to constitute legal advice. © Reed Smith LLP 2011.
DATA SECURITY AND PRIVACY INSURANCE RECOVERY:
A SAFETY NET FOR THE NET
ALL INDUSTRY DAY
“PUTTING IT ALL TOGETHER”
GREATER KANSAS CITY CHAPTER
NOVEMBER 11, 2011
J. Andrew Moss
Insurance Recovery Group
Chicago, Illinois
Today’s Discussion:
Data Security Risks
What Laws and Rules Apply?
Insurance Options and Solutions
Risk Management
Questions and Answers
What Do Companies Want (Need) to Protect?
Private customer data
Website user data
Employee information
Confidential business information
Intellectual property
Reputation
The ability to do business
How Data and Security Breaches Occur
Technology failure (firewall or server compromised)
Intentional criminal action by outsider (hacker, laptop theft, tablet or smartphone hacking/theft/cloning)
Employee misconduct (data/financial embezzlement, unauthorized disclosures, curiosity, retaliation)
Human error (lost laptop/smartphone/tablet, misdirected fax or email, improper configuration of computer security systems, improper trash disposal)
Vendor error (misdirected packages and mail)
Acts of God (papers blowing from site of disaster)
Some Data Breaches Reported in 2011:
Law firm lost portable hard drive containing information about case including 161 patients suing doctor; data included names, addresses, Social Security Numbers, DoB, and insurance information.
Veterans’ paper records removed improperly from Florida VA hospital; included names and SSNs. Information was used to open debit accounts, and possibly involved in credit card scams. Perpetrators caught with paper records in motel room.
Personal credit rating information of 420,000 vehicle loan customers of Hyundai Capital plus 13,000 security passwords acquired by hackers.
Personal and protected health information of 93,500 patients of Hartford Hospital on lost hard drive.
Source: http://www.databreachwatch.org/data-breach-alerts
Some Representative Cases:
TJX - $107,000,000 reserve fund for theft of credit card numbers in hacking attack
Countrywide – theft of Social Security Numbers by rogue employee resulted in 40+ class actions and regulatory actions, $6,500,000 in reimbursement
Blue Cross/Blue Shield of Tennessee -- $7,000,000 in insured loss for theft of computer hard drives containing personal information
Massachusetts General Hospital --$1,000,000 for losing patient records
Citigroup – unauthorized access to customer information in 1% of its North American credit card accounts
TD Ameritrade: agreement to pay $2,500,000 to $6,500,000 to computer breach victims who received SPAM
Theft or Loss of Confidential Information
Science Applications International Corp. (SAIC):
military contractor that transports the data for the U.S. military’s health care provider, Tricare
Computer tapes stolen from SAIC employee’s car containing highly sensitive information on approximately 5 million beneficiaries (servicemen, veterans, civil service and their families) in 10 states, including lab test results
Multiple class actions filed against SAIC, other contractors and agencies of the U.S. government
$4.9 billion in damages alleged
Tricare ordered SAIC to offer 1 year of free credit monitoring to the approximately 5 million beneficiaries potentially affected by the breach
Note that the stolen tapes would require sophisticated equipment to decode, so the risk of further disclosure may be small
Loss of Confidential Customer Information
Health Net: Health Net was sued by Connecticut AG for failing to secure medical records and not promptly notifying consumers of a massive security breach. A portable disk drive containing millions of pages of claims information and medical records for 1.5 million members disappeared from a Health Net office in May 2009.
In July 2010, Health Net settled for $250,000 (in addition to the $7,000,000 it had already spent) and promised to:
Implement a “corrective action plan.”
Pay $500,000 more to Connecticut if the personal information is actually accessed.
Provide 2 years of free credit monitoring services, $1 million in identity theft insurance and enrollment in fraud resolution services for 2 years, if needed.
Provide extra protection against cases of identity theft occurring between May 2009 and the date the credit monitoring service program takes effect.
Unwitting Loss of Confidential Customer Information
Stanford Hospital:
The New York Times reported on September 8, 2011 that private medical data for nearly 20,000 emergency room patients at Stanford Hospital (affiliated with Stanford University) was exposed to public view for a year due to the negligence of a billing contractor and unknowing conduct of a job applicant
Contractor (a sole practitioner) sent a spreadsheet containing the information to a job applicant, who unwittingly posted it online on a career tutoring website
Lawsuit seeking $20,000,000 in damages filed against hospital and several contractors in California court in Los Angeles.
2010 U.S. Cost of a Data Breach Study (Ponemon Institute)
• Data breach incidents cost U.S. companies $204 per compromised customer record in 2009, compared to $202 in 2008
• The average total cost per incident increased to $6.75M, up from $6.65M in the previous year
• Malicious attacks were more costly and severe
• Negligent insider breaches have decreased due to awareness and training on protecting private information – 58% have expanded their use of encryption
• Third party organizations accounted for 42% of all breach cases – these remain the most costly due to additional investigation and consulting fees
• The most expensive case in the study cost nearly $31,000,000 to resolve, the least was $750,000
• The study was comprised of 45 breaches with a range of 5,000 to 101,000 compromised records
SURVEY: Data Security at Work*
22. Does your employer have a formal policy for you to use the Internet at work?
Yes 38% No 19% Not sure 44%
23. Have you had any training on how to keep your computer safe and secure?
Yes 43% No 55% Not sure 3%
24. Do you ever bring your work laptop home and connect to your home network?
Yes 24% No 75% Not sure 2%
25. Does your employer allow access from your home computer to the company systems files or other types of data normally available to you at the office?
Yes 29% No 28% Not sure 43%
*2010 Online Safety Study by National Cyber Security Alliance, Norton by Symantec & Zogby International (Oct 2010)
Performance Art?
‘Dead Drops’ is an anonymous, offline, peer to peer file-sharing network in public space. I am ‘injecting’ USB flash drives into walls, buildings and curbs accessible to anybody in public space. You are invited to go to these places (so far 5 in NYC) to drop or find files on a dead drop. Plug your laptop to a wall, house or pole to share your favorite files and data. Each dead drop contains a readme.txt file explaining the project. http://datenform.de/blog/dead-drops-preview/
What Laws and Rules May Apply? Federal:
Financial data (Gramm-Leach-Bliley Act)
Website data and “red flag” rules (FTC)
Government data (Privacy Act)
Children’s information (COPPA, FTC)
Educational information (FERPA)
Medical information (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Computer Fraud and Abuse Act (CFAA)
Driver’s Privacy Protection Act (DPPA)
Pending legislation (Personal Privacy and Security Act of 2011; Data Breach Notification Act; Personal Data Protection and Breach Accountability Act of 2011; all recently introduced)
What Laws and Rules May Apply? State Laws:
Security Breach Notification statutes (46 states plus DC, PR and VI) http://www.ncsl.org/Default.aspx?TabId=13489
HITECH Act lets state attorneys general enforce the health data protection provisions of HIPAA
“Proscriptive” statutes requiring encryption or other methods to secure data (at least 6 states, including CA, CT, MA, NY, NJ, NV)
Notification of State Attorneys’ General statutes (CA, TX)
Contractual:
Business Associate Agreements under HIPAA
Standard purchase orders
Payment Card Industry Data Security Standards
Outsourced data
What Laws and Rules Apply?
International Law: EU Data Protection Directive and EU member country privacy laws are more strict than the US with respect to private consumer information.
“Article 29 Working Party” – panel of European privacy commissioners from each EU member collaborate to issue opinions and resolutions on matters involving privacy and personal data protection.
Opinions of Article 29 Working Party: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm
What Do You Need to Consider When Faced With a Security Breach or Data Loss or Claim?
Are any insurers owed notice and/or cooperation?
Is notice owed to the persons whose information was or may have been compromised?
Which government authorities should be contacted?
Considerations When Faced With a Security Breach or Data Loss or Claim
Response Steps:
• Receive initial report and determine responsibilities
• Initial investigation
• Initial communications
• Investigation
• Determine nature and extent of the incident
• Containment, control, and correction
• Notifications: who, when, where, how, and what (and insurance)
• Conclude investigation and prepare incident report
• Retain report
Insurance Recovery Considerations in the Face of a Security Breach or Data Loss:
Timely notice of claim (claims made and reported?)
Consent to incur prudent or necessary expenses may be required:
• costs of crisis stage or legal compliance, such as breach notification letters, credit monitoring, call center, forensics (up to $30 or more per customer)
• defense expenses (private claims; governmental/regulatory claims)
Insurance Recovery Considerations in the Face of a Security Breach or Data Loss
Communications with insurers: presumably are not privileged
Law enforcement considerations, e.g., requests to maintain secrecy during investigation
Check Traditional Forms of Insurance for Coverage
Review Company Policies With a Data Privacy and Information Security Lens
Directors’ and Officers’ Liability (D&O)
Professional Liability/Media (E&O)
Comprehensive General Liability (CGL)
Property Damage/Business Interruption
Fidelity/Financial Institution Bond/Crime Policy
Fiduciary Liability
Employment Practices Liability (EPL)
Consider Newer Products:
“Cyberliability” Policies
Data Privacy and Security Policies – a number of new and revamped products on the market
Stand-alone policies
Endorsement and “package policies”
Consider Newer Products (con’t):
Policies are negotiable and should be compared and tailored where possible.
Check the financial health of all potential insurers.
Security and Data Privacy Insurance May Cover Liability Based On:
misappropriation of private information from the company or a third party
unintentional disclosure of private information that results in identity theft
failure to protect confidential information from disclosure or misappropriation
failure to disclose or notify victims of actual or potential identity theft
negligent transmission of viruses, worms, logic bombs or trojan horses
violations of federal, state, local or foreign laws or regulations governing privacy, including certain regulatory actions
Security and Data Privacy and Cyberliability Insurance Also May Cover:
Defense expenses, notice costs, claims administration
Business interruption loss for interruption to computer systems due to security failures (unauthorized access, malware or denial of service attacks)
Expenses for providing notice of security failures to consumers and/or hiring public relations professionals for the purpose of maintaining goodwill, reputation
Costs to restore or replace destroyed, disrupted, damaged or deleted electronic information
Extortion payments
Criminal rewards
Further Considerations for Security and Data Privacy and Cyberliability Insurance Coverage:
Insurer’s Right to Investigate?
Insurer’s Duty to Defend?
“Cookie cutter” response?
Security and Privacy Liability Coverage Overview:
Electronic Media Liability: display of electronic content on your websites.
Network Security Liability: destruction, deletion, or corruption of a 3rd party’s electronic data.
Privacy Liability: failure to properly handle, manage, store or otherwise control personally identifiable information.
Regulatory Actions: investigative demand or civil proceeding regarding actual or alleged violation of privacy laws.
Identity Theft Response Fund: communication to and credit monitoring services for affected individuals.
First Party Security and Privacy Coverages:
Network Business Interruption: loss of income or extra expense due to a failure of network security.
Data Asset Protection: costs and expenses incurred to restore, recreate, or regain access to any software or electronic data.
Cyber Extortion: ransom or investigative expenses associated with a threat directed at the company to release, divulge, disseminate, destroy, steal, or use the confidential information or damage the company's computer system.
Typical Exclusions:
violations of intellectual property rights
products liability, violations of guarantees or warranties, false advertising
violation of anti-spam, blast-fax and similar laws
misappropriation of trade secrets by or with the active assistance of current or former employees
misconduct of senior management
infrastructure failures, e.g., blackouts, unless caused by the negligence of the insured
inability to use, performance of, development of, expiration of or withdrawal of support of certain technology products or software
content created by third parties for posting and storage on the insured’s websites
Beware!
Inaccurate applications can void coverage
Severability will only take you so far
Review carefully (with counsel) before submitting applications to insurers
Trigger traps: retro dates; claims made and reported; interrelated wrongful acts and claims
Maximizing Potential Insurance Recovery
Gather and review all potentially relevant policies or indemnity agreements
Provide timely notice of breaches, claims or potential claims to all primary and excess insurers
Obtain consent to defense arrangements and advancement/reimbursement of defense expenses (may differ if insurer defends)
Adhere to cooperation obligations and respond to reasonable requests for information (caution: beware of privilege issues)
Respond to asserted coverage defenses
Obtain consent to settlement or payment of judgment
Resolve coverage disputes (check policy language first!)
Consider Lessons Learned for Purchase/Renewal
Terms, conditions, and exclusions may be negotiable
Insurance applications may be discoverable in litigation with third parties
As the distance between Retroactive Date and Inception Date lengthens, policies become more valuable
Stay up on trends and coverage options to remain at or above market standard
Other Options?
Risk Mitigation Through Technology: upfront, costly to do it right; back end, costly to do it wrong.
Consider going through privacy policy application process in order to educate yourself (and your board, senior management) on best practices that your company may not be practicing.
Any Questions?