Your source for professional liability education and networking.
Press <Enter> to Bankrupt Your Company
Cyber Liability for Small and Medium Business
Professional Liability Underwriting Society
Moderator: Jake Kouns, Director of Cyber Security and Technology Risks Underwriting, Markel
Panelists:
- Jason Bucher, Senior Underwriter of Professional Liability, Admiral
- Craig Dunn, VP - Financial Services Broker, AmWINS
- Kai Hecker, Campbell & Chadwick
- Rich Mather, Assistant Vice President, Errors and Omissions Claims, Allied World
Agenda
A. Case Example - Cyber Liability for Small to Medium Businesses
B. State of the Market
C. Legal Overview
D. Cyber Liability Coverage
E. Data Breaches and Claims
F. Predictions and Q&A
Case Example: Cyber Liability for Small to Medium Businesses
Case Details (redacted)
• A small company that reviewed medical records for workers compensation and auto casualty insurance claims
• Records were transmitted from clients to the business via an electronic portal for the business to review
• The web portal was secure, with proper encryption
• A New Year's Eve break-in at the business' physical location resulted in electronic equipment being stolen, including backup tapes and storage devices
• Data was not encrypted while 'At Rest'; as such, the data is construed as lost and breached under HIPAA / HITECH and subject to notification requirements
Need More Info
• What are some important pieces of additional information that we need to know to understand just how bad this could be?
– The number of records impacted amounts to approximately 14,000
– Clarification on the type of data lost
– Clarification on encryption
– Legal understanding (customer states involved)
– No collectible or applicable insurance held
Case – Insurance Study
• What types of widely available insurance products could have been their salvation?
– First Party Data Privacy Coverage
• A $50,000 sub-limit may have been sufficient
– Third Party Data Privacy Coverage
– Technology E&O vs. Monoline Data Privacy coverage
• Either form would have assisted on the front end, but the third party liability cover may have demanded Tech E&O
Case – Insurance Study
• What would be some of the concerns with the policy to ensure coverage was sufficient?
– Exclusions that need to be minded:
• Unencrypted Data, Failure to Update / Maintain Security, Failure to meet / exceed the security described on the application
– Definitions that need to be minded:
• Definition of Expenses included, Definition of coverage triggers and Data covered
– Conditions that need to be minded:
• Notification requirements, vendor stipulations
– Limits / Sub-limits
Case Continues, and Thickens
• What do you think happened to this company? What were the impacts?
– Cost to notify and mitigate the loss was greater than available cash on hand
– Pending liability from clients and individuals forced drastic action
– Chapter 7 Bankruptcy was filed 69 days after the break-in!!
State of the Market
How is cyber liability really doing? Is it selling? Who is buying it? Where is it in the product life cycle?
State of the Market
• Observations from the field have led to the following points for discussion:
– Awareness is widespread
– Market participation is growing
– Claims experience is building
– Product access and support needs attention
Awareness is Widespread
• Agents, brokers and business owners are inundated with e-blasts, market announcements, claims examples…
– Details and nuances often overlooked
– Marketing vs. Underwriting
– The 'trap' of the term / phrase Cyber
• Concept of Privacy Liability overlooked
Participation is Growing
• Growing is an understatement
• Multiple interpretations of the hazards faced lead to confusion
• Multiple offerings – Monoline, Endorsements to other Professional lines, Modules to other Casualty lines
• No 'Market Standard' per se – but emerging trends and concepts
Experience is Building
• Carriers are starting to pay out
• Brokers have first-hand experience of what a 'Data Breach Response' entails
• Emerging metrics and statistics on loss payments are assisting in building rate commonality
• Loss support service expenses are dropping
Legal Overview
Practical steps to keep a company's cyber horses in the barn?
What information must be protected?
What is the current legal stance in Texas?
Texas' new HIPAA companion law
Massachusetts' obligations and requirements
Patco Construction Co. vs People's United Bank
Cyber Liability
Who's coming after you?
• Individual Victims
• The State of Texas
– Attorney General
– Licensing Agency
• Other State AG's
• Federal Government
• Foreign Governments
• Shareholders / Partners
• Contract Parties / Data Owners
Cyber Liability
• 46 States & DC have notification laws; AL, KY, NM & SD do not. The Senate just killed uniform national rules.
• HIPAA & Banking notification requirements
• Canada & E.U. requirements
Cyber Liability
• Texas Mandatory Notification requirement
• Duty to Protect Sensitive Personal Information
"A business shall implement and maintain reasonable procedures […] to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business…"
• Bonus: Includes nonprofit athletic & sports associations
Cyber Liability
Who can sue you?
• Individual Victims
• The State of Texas
– Attorney General
– Licensing Agency
• Other State AG's
• Federal Government
• Foreign Governments
• Shareholders / Partners
• Contract Parties / Data Owners
Covered? (slide columns: Cyber ? / Defense ? / CGL/E&O ?; cell values: same, same*, Unlikely, D&O, CGL)
Which Laws are Applicable to me?
Cyber Liability Coverage
New Exposures? New Coverage Options? How can brokers, underwriters and the client better work together?
Common Privacy Breach Allegations
• Invasion of the customer’s (or employee’s) right to privacy
• Failure to implement and maintain reasonable security procedures
• Unfair, deceptive, and unlawful business practices
• Negligence
• Emotional distress
• Individually or as class actions
Classes with Privacy Exposure
• Auditor
• Bank/Financial Institution
• Data Storage/Destruction firms
• Debt collectors
• Drug Testing Agency
• Health Clubs
• Hospitals/Medical Group
• Hotel
• Insurance Agent/Broker
• Insurance Company
• Internet Kiosk operator
• Investment Advisor
• Lawyers
• Medical Billing Firm
• Mortgage Broker
• Pension Plan Administrators
• Pharmaceutical company with clinical trials
• Private Investigators
• Public Entities
• Real Estate Agent/Title Agent
• Retail store
• School
• Staffing Firm
• Travel Agent
• Web based e-Commerce
Cyber Liability Insuring Agreements
• 1st Party Business Interruption – Covers lost business income in the event a virus infection shuts you down.
• 1st Party Data Asset – Covers your expenses to recover lost data.
• Cyber Extortion – Covers expenses and ransom if a hacker threatens to shut you down. This insuring agreement often covers reward amounts offered to catch the extortionist.
• Network Security – Covers your liability when hackers use your system to inflict damage on others.
• Privacy
– Notification Expenses – when data is lost, you must notify all potential victims within a short period of time as required by state laws.
– Credit Monitoring – Policies will cover up to 1 year of credit monitoring services for those exposed. In some cases 2 years of monitoring will be available.
– Credit Repair Services – 1 year of services to repair the credit of an actual identity theft victim.
– Crisis Management – Public relations expense coverage to protect your image.
– Regulatory Defense and expenses – Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage for regulatory proceedings and in some cases cover penalties where insurable.
• Electronic Media – Covers website content liability (copyright, libel, slander, etc.)
Why Cyber Isn't Covered on Other Policy Forms
• General Liability covers bodily injury and property damage, not stolen identities.
• Property Insurance does not consider data as property.
• Media Liability policies only cover content for libel, slander and copyright.
• E&O policies cover services for others for a fee. Some will cover invasion of privacy, but will only respond to actual damages. You won't get notification expense coverage or credit monitoring services coverage on an E&O policy. Also, many businesses hold PII without being in a service industry that would be required to buy E&O.
• Intellectual Property Coverage (Patent/Copyright). These policies are designed to protect you from claims brought by competitors and other third parties. This coverage responds to theft of ideas, products or content, not identities, private records or money.
• Crime Insurance covers employee theft of money, securities and property. A data record can be stolen, but you may not see a financial loss for many years.
– For financial institutions some carriers are combining a crime policy with the security/privacy policy because there can be an overlap. The theft of funds through a network could hit both policies. If an employee is involved in the theft, you could trigger the crime policy as well as the liability portion of the privacy/security policy.
– In the absence of the privacy/security policy, there wouldn't be coverage for the notification and credit monitoring.
Gaps in Current Cyber Forms
• Many "Internet" policy forms only cover web content, not identities.
• Many insurers will only offer $250,000 of notification and credit monitoring expense coverage, while others will offer up to the policy limit.
• A handful of insurers will insure regulatory civil fines and penalties where insurable. Others only provide defense.
• Pay attention to the sublimits offered. Every insurer offers something different. Some insurers have coinsurance provisions applicable to the expense coverage.
• Some policy forms only cover paper records if generated electronically.
• Some insurers are not covering employee records (insured vs. insured exclusions).
• Some insurers are not covering data breaches caused by employees of the insured (rogue employees).
• Some insurers will cover mental anguish and emotional distress arising from a privacy breach; others will exclude anything arising out of or related to bodily injury.
• Some insurers have exclusions applicable if the insured does not continuously upgrade or maintain the same level of security as was in place at the time coverage was bound.
Data Breaches and Claims
What are the data breach and claims trends? How should you manage third party vendors? Real examples & how insurance has responded
Data Breach Trends
Data Breaches and Claims
• Third Party Liability Claims / Regulatory Agency Investigations:
– Liability based on allegations of direct harm
• Provable identity theft with traditional damages
• Claims from third parties who incurred response costs to a breach by the insured
– Liability theory based on harm avoidance / possibility of harm
– Liability theory based on statutory violations with no need for traditional damages
How to Manage Third Party Vendors
• First, understand how your policy treats breaches by vendors
• This is particularly critical for coverage for "first party" expenses.
• Review your contracts with vendors re indemnity and security protocols for handling data
• Confirm vendors have their own insurance coverage
• Critical that this happens before the "ink dries".
Cyber Liability
Breach cost build-up for 5000 records:
• Investigation, Mitigation, Regulatory Compliance: $194 per record = $970,000.00
• Legal Costs: $15k per case = $750,000.00
• Total: $1,720,000.00 + Settlements + Fines
Data Loss Expenses
Statistics from the Ponemon Institute 2011 Cost of Breach Study:
• Average total cost per reporting company: $5.5 million
• Average per-record cost of a data breach: $194 (expect about $60 per record for notification and credit monitoring)
Per Capita Costs of a Breach by Industry Classification
• Healthcare: $240
• Financial: $247
• Hospitality: $116
• Services: $185
• Pharma: $276
• Average: $194
Cause of Data Breach
• System glitch: 24%
• Negligence: 39%
• Cybercrime or Hack: 37%
Claims Examples
• Claims Scenario #1: 24,000 patient records compromised at a mid-sized hospital. State regulatory requirements were triggered. The hospital was required to notify every patient of the breach via Certified Mail.
– Damages: $240,000
– Defense Costs: $42,500
– TOTAL AMOUNT PAID: $282,500
• Claims Scenario #2: A pharmacy sold a computer to a private individual that still contained prescription records, including the names, addresses, social security numbers and medication lists of pharmacy customers. State law regulations required certified notification to all of the affected parties. Two lawsuits were filed: 1) Plaintiff alleged damages due to job loss as a result of the disclosure; 2) Plaintiff alleged her identity was stolen and sued to recover the costs of correction and emotional distress. A HIPAA investigation was triggered.
– TOTAL AMOUNT PAID IN EXCESS OF: $410,000
Identity Theft Adds Up
Source: Federal Trade Commission (February 2012): Consumer Sentinel Network Data Book: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2011.pdf
• Multiply the $14,000 in average individual losses from the previous slide times the roughly 280,000 cases in 2011 and you get approximately $3.9 Billion in potential damages. This is before including pain, suffering, legal fees and other demands from the victims.
Cyber Liability
• Encrypt Data: Microsoft Encrypting File System, Microsoft BitLocker, TrueCrypt
• Secure Paper
• SuGAR mandatory (Super Geek Assistance Required)
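The case example turned on one fact: the stolen drives and tapes held data that was not encrypted at rest, which converted a burglary into a reportable HIPAA / HITECH breach. The check below is an added example, not part of the PLUS deck or any panelist's material. It assumes a Windows host with the BitLocker PowerShell module (the real Get-BitLockerVolume cmdlet) and an elevated session, and reports every volume that is not both protection-On and fully encrypted, so the gap shows up before a theft does rather than after.

```powershell
# Added example (not from the PLUS deck). Assumes Windows with the BitLocker
# module providing Get-BitLockerVolume, run from an elevated PowerShell session.
function Get-UnprotectedVolume {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume exposes ProtectionStatus (On/Off), VolumeStatus
    # (FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...) and
    # EncryptionPercentage for each volume the OS can see.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            ProtectionStatus     = $_.ProtectionStatus
            VolumeStatus         = $_.VolumeStatus
            EncryptionPercentage = $_.EncryptionPercentage
            # "Protected at rest" only when protectors are active AND the
            # whole volume is encrypted; a volume mid-encryption, or one with
            # protection suspended (ProtectionStatus Off), is still exposed.
            AtRestProtected      = ($_.ProtectionStatus -eq 'On' -and
                                    $_.VolumeStatus -eq 'FullyEncrypted')
        }
    } | Where-Object { -not $_.AtRestProtected }
}

$gaps = Get-UnprotectedVolume
if ($gaps) {
    Write-Warning "Volumes without full at-rest protection (a stolen drive here is a reportable breach under the case example's reading of HIPAA / HITECH):"
    $gaps | Format-Table MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage -AutoSize
    exit 1   # non-zero so a scheduled run can flag the host
} else {
    Write-Output "All visible volumes report BitLocker protection On and FullyEncrypted."
    exit 0
}
```

Run it on each workstation and server that touches client records and keep the output with the insurance application, since "Failure to meet / exceed security on app" is one of the exclusions the deck says to mind. The script only sees volumes mounted on the host; the backup tapes and portable storage that walked out in the case example need the same question answered separately (tape-drive encryption, encrypted containers), and a "protection suspended" state or a volume still encrypting is reported as a gap on purpose.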
Predictions and Q&A
Contact Us
Moderator: Jake Kouns, Director of Cyber Security and Technology Risks Underwriting, Markel - [email protected]
Panelists:
- Jason Bucher, Senior Underwriter of Professional Liability, Admiral - [email protected]
- Craig Dunn, VP - Financial Services Broker, AmWINS - [email protected]
- Kai Hecker, Campbell & Chadwick - [email protected]
- Rich Mather, Assistant Vice President, Errors and Omissions Claims, Allied World - [email protected]