Data Breach Insurance

Transcription

1 Cyber Security Issues in the Healthcare Industry PBI 21st Annual Health Law Institute Pennsylvania Convention Center March 13, 2015 Roberta D. AGENDA Practical Risk and Exposure Legal And Regulatory Framework Trends What To Do Before And After A Breach Potential Coverage Under Legacy Policies Potential Coverage Limitations Of Legacy Insurance Policies Cutting Edge Cyber Products Types Of Coverage Avoid The Traps! How To Enhance Off-The-Shelf Cyber Insurance Forms Through Negotiation Audience Q&A 1 PRACTICAL RISK AND EXPOSURE 2 1

2 PRACTICAL RISK AND EXPOSURE Malicious attacks Advanced Persistent Threats Social engineering Viruses, Worms, Trojans DDoS attacks Data breach Software vulnerability (HeartBleed) Unauthorized access (spyware) Inadequate security and system glitches Employee mobility and disgruntled employees Lost or stolen mobile and other portable devices Vendors/outsourcing (the function but not the risk) & the cloud Human error The Internet of Things/ Medical Devices PRACTICAL RISK AND EXPOSURE Source: Ponemon Institute 2014 Cost of Data Breach Study Global 2

3 Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) 6 Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) 7 PRACTICAL RISK AND EXPOSURE Breach Notification Costs/Identity Monitoring Computer Forensics/PR Consulting Loss of Customers/Revenue Damaged Reputation/Brand Regulatory Actions/Fines/Penalties/Consumer Redress Lawsuits & Defense Costs Loss of Crown Jewels Business Interruption & Supply Chain Disruption Drop in Stock Price/Loss of Market Share Potential D&O Suits (Target) 8 3

4 PRACTICAL RISK AND EXPOSURE [T]he average total cost of a data breach for the companies participating in this research increased 15 percent to $3.5 million The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year s study. However, German and US organizations on average experienced much higher costs at $195 and $201, respectively. These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million) [W]e do not include data breaches of more than approximately 100,000 compromised records in our analysis

5 [T]here are only two types of companies: those that have been hacked and those those that will that be. will And be. even they are converging into one category: companies that have been hacked and will be hacked again. Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference San Francisco, CA (Mar. 1, 2012) 12 LEGAL AND REGULATORY FRAMEWORK 13 LEGAL AND REGULATORY FRAMEWORK Federal Cybersecurity/Data Privacy Laws Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH) Fair Credit Reporting Act/The Fair and Accurate Credit Transactions Act Federal Trade Commission Act State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes 47 states, D.C., & U.S. territories breach notification laws State Security Standards (MA, CA, CT, RI, OR, MD, NV) SEC Cybersecurity Guidance NIST Cybersecurity Framework 14 Industry Standards, e.g., PCI DSS 5

6 FEDERAL PRIVACY LAWS HIPAA A covered entity or business associate must, in accordance with [ Security standards: General rules ] [i]implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart. (45 C.F.R (a).) HITECH A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result 15 of such breach. (42 U.S.C ) FEDERAL PRIVACY LAWS Industry-specific, e.g. HIPAA / HITECH v v 16 HHS OCR AND HIPAA/HITECH Privacy Rule Security Rule Breach Notification Rule 17 6

7 FEDERAL PRIVACY LAWS Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter. (15 U.S.C ) Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft (16 CFR ) 18 FEDERAL PRIVACY LAWS Federal Trade Commission Act Section 5 empowers the FTC to prevent... unfair or deceptive acts or practices in or affecting commerce : The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. 227(b) ], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce. (15 U.S.C.A. 45(a)(2).) 19 STATE PRIVACY LAWS/CONSUMER PROTECTION LAWS 20 7

8 SEC CYBERSECURITY GUIDANCE [A]ppropriate disclosures may include : Discussion of aspects of the registrant s business or operations that give rise to material cybersecurity risks and the potential costs and consequences ; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks ; Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences ; Risks related to cyber incidents that may remain undetected for an extended period ; and Description of relevant insurance coverage. 21 Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, SEC CYBERSECURITY GUIDANCE We note your disclosure that an unauthorized party was able to gain access to your computer network in a prior fiscal year. So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage. Alion Science and Technology Corp. S-1 filing (March 2014) 22 SEC CYBERSECURITY GUIDANCE We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the certain other coverage that may reduce your exposure to Data Breach losses Target Form 10-K (March 2014) 23 8

9 SEC Cybersecurity Guidance Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a companys cybersecurity measures needs to be a critical part of a board of director s risk oversight responsibilities.... In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril. 24 Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014 NIST CYBERSECURITY FRAMEWORK NIST Cybersecurity Framework provides a common taxonomy and mechanism for organizations to: Describe their current cybersecurity posture; Describe their target state for cybersecurity; Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; Assess progress toward the target state; Communicate among internal and external stakeholders about cybersecurity risk. The Framework is voluntary (for now) 25 NIST CYBERSECURITY FRAMEWORK 85% of security budgets currently go here According to Gartner: By 2020, 75% of security budgets will go towards detection and response NIST Unveils Cybersecurity Framework,

10 NIST CYBERSECURITY FRAMEWORK 27 PCI DSS PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. 28 TRENDS 29 10

11 30 TRENDS OCR RESOLUTION AGREEMENTS Providence Health & Services ($100K) CVS Pharmacy ($2.25M) Rite-Aid ($1M) Management Services Organization of Washington ($35K) Cignet ($4.3M) Massachusetts General Hospital ($1M) UCLA Health Services ($865K) Blue Cross Blue Shield of Tennessee ($1.5M) Idaho State University ($400K) Shasta Regional Medical Center ($275K) WellPoint ($1.7M) Affinity Health Plan ($1.2M) Adult & Pediatric Dermatology, P.C. ($150K) Skagit County, WA ($215K) Alaska Medicaid ($1.7M) Phoenix Cardiac Surgery, P.C. ($100K) Massachusetts Eye and Ear Infirmary ($1.5M) Hospice of North Idaho ($50K) 30 TRENDS ENFORCEMENT HOT BUTTONS Risk assessments Encryption Business Associate Agreements/Vendor Agreements Documentation of breaches Policies and procedures Notice and Consent EU US Safe Harbor 31 TRENDS ARTICLE III STANDING CLAPPER 32 11

12 TRENDS ARTICLE III STANDING GALARIA 33 TRENDS ARTICLE III STANDING NEIMAN MARCUS 34 TRENDS ARTICLE III STANDING SONY 35 12

13 TRENDS ARTICLE III STANDING MICHAELS STORES 36 TRENDS ARTICLE III STANDING ADOBE 37 TRENDS SHAREHOLDER LITIGATION TARGET 38 13

14 TRENDS SHAREHOLDER LITIGATION WYNDHAM 39 TRENDS REGULATORY ACTION WYNDHAM 40 TRENDS FTC REGULATORY ACTION WYNDHAM 41 14

15 TRENDS SEC THE NEW SHERIFF 42 TRENDS FCC 43 AN INTERNATIONAL ISSUE 44 15

16 Do we have insurance to cover this? What s the deal with our vendors? HELP Only 20 percent of IT professionals frequently communicate with executive management about potential cyberattacks? FTC, SEC, FINRA, oh My And now FCC Is it 5 o clock yet? What do our disclosures say? Byte me. Is our breach response plan up to date and effective? What s PCI DSS? Do we have an incident response plan in place? 45 BEFORE AND AFTER A BREACH 46 WHAT TO DO BEFORE AN INCIDENT? Pro-active management of cyber risks at the C-Suite level Assessment of key risks impacting the business and identifying critical information assets A graded cybersecurity assessment Regular internal training on information management and IT security Have an incident response plan in place before a cybersecurity incident Pay attention to vendor contracts Address and mitigate risk through insurance 47 16

17 WHAT TO DO BEFORE AN INCIDENT? v v v Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) 48 WHAT TO DO AFTER AN INCIDENT? Look (hopefully) to the incident response plan Notification of a security breach must be given to all or some of: Potentially impacted individuals State AGs / Regulators Breach coach counsel should: Advise on who, when, and how to notify Engage pre-vetted forensics professionals and other crisis management responders (e.g., credit monitoring, public relations) 49 WHAT TO DO AFTER AN INCIDENT? Don t panic. Follow the plan. Mobilize first-response team Immediately call breach coach counsel Forensics Investigate, isolate, contain, and secure systems / data Preserve evidence Document everything PR Consider contacting law enforcement Start thinking notification 50 17

18 WHAT TO DO AFTER AN INCIDENT? Don t Panic. 1. Record the date and time of discovery and time when response efforts begin 2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan. 3. Investigate, while preserving evidence 4. Stem additional data loss 5. Document everything known about the breach. Follow the plan. 6. Interview those involved in discovering the breach and anyone else who may know about it. 7. Consider notifying law enforcement after consulting with legal counsel 8. Revisit state and federal regulations governing your industry and the type of data lost. 9. Determine all persons/entities that need to be notified, i.e. customers, employees, the media, 10.Ensure all notifications occur within any mandated timeframes. 51 WHAT TO DO AFTER AN INCIDENT? v v Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014)

19 POTENTIAL COVERAGE UNDER LEGACY POLICIES 56 19

20 POTENTIAL COVERAGE Directors and Officers (D&O) Errors and Omissions (E&O)/Professional Liability Employment Practices Liability (EPL) Fiduciary Liability Crime Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy) Property Commercial General Liability (CGL) 57 POTENTIAL COVERAGE Coverage B Provides Coverage for Damages Because of Personal and Advertising Injury Personal and Advertising Injury : [o]ral or written publication, in any manner, of material that violates a person s right of privacy What is a Person s Right of Privacy? What is a Publication? Does the Insured Have to Do Anything Affirmative And Intentional to Get Coverage? 58 LIMITATIONS OF LEGACY POLICIES 59 20

21 LIMITATIONS OF LEGACY INSURANCE POLICIES 60 LIMITATIONS OF LEGACY INSURANCE POLICIES 61 LIMITATIONS OF LEGACY INSURANCE POLICIES ISO states that when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data

22 LIMITATIONS OF LEGACY INSURANCE POLICIES 63 LIMITATIONS OF LEGACY INSURANCE POLICIES 64 LIMITATIONS OF LEGACY INSURANCE POLICIES cv cv 65 22

23 LIMITATIONS OF LEGACY INSURANCE POLICIES Zurich American Insurance Co. v. Sony Corp. of America et al. 66 CUTTING EDGE CYBER PRODUCTS 67 CUTTING EDGE CYBER PRODUCTS Privacy And Network Security Provides Coverage for Liability (Defense and Indemnity) Arising Out of Data breaches, Transmission of Malicious Code, Denial of Third-Party Access to the Insured s Network, and Other Network Security Threats Regulatory Liability Provides Coverage for Liability (Defense and Indemnity) Arising Out of Administrative or Regulatory Investigations, Proceedings, Fines and Penalties Crisis Management Provides Coverage for Forensics Experts, Notification, Call Centers, ID Theft Monitoring, PR and Other Crisis Management Activities Media Liability 68 23

24 CUTTING EDGE CYBER PRODUCTS Network Interruption And Extra Expense (and CBI) Provides Coverage for Lost Business Income and Extra Expense Caused By Malicious Code, DDoS Attacks, Unauthorized Access to, or Theft of, Information, and Other Network Security Threats Digital Asset Coverage Provides Coverage for Damage To or Theft of the Insured s Own Systems and Data Cyber Extortion Provides Coverage for Losses Resulting From Extortion, e.g., Payment of an Extortionist s Demand to Prevent a Cybersecurity Incident Emerging Markets 69 REMEMBER THE SNOWFLAKE back klgates.com AVOID THE TRAPS klgates.com 24

25 72 TRAP EXAMPLE

26 TRAP EXAMPLE 75 TRAP EXAMPLE 76 AVOIDING THE TRAPS 77 26

27 AVOIDING THE TRAPS 78 TIPS FOR A SUCCESSFUL PLACEMENT REMEMBERING THE SNOWFLAKE AVOIDING THE TRAPS Embrace a Team Approach Understand the Risk Profile Review Existing Legacy Coverages Purchase Specialty Cyber Coverage as Needed Remember the Cyber Misnomer Spotlight the Cloud Consider the Amount of Coverage Pay attention to the Retroactive Date and ERP Look at Defense and Settlement Provisions Engage Coverage Counsel 80 27

28 BEWARE THE FINE PRINT 81 A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim. Roberta D. Anderson, Partner, K&L Gates LLP (March 13, 2015) 82 AUDIENCE Q&A 83 28

29 Roberta Anderson Partner KL Gates LLP (412) Linkedin: robertaandersonesq Insurance Thought Leadership 29