What an HIE needs to know about insurance and cyber coverage Arturo Perez-Reyes Senior Vice President, Executive Liability Practice

Transcription

1 What an HIE needs to know about insurance and cyber coverage Arturo Perez-Reyes Senior Vice President, Executive Liability Practice 1

2 Key concepts History Phoenicians Lloyds Franklin Indemnity Insurance is not a speculative risk It depends on large numbers It produces a social good Contracts Policies are contracts of good faith They are contracts of adhesion Ambiguities favor insureds Regulation Controlled by states But a Federal responsibility 2

3 Insurance lines common to all firms General liability covers liabilities form bodily injury and property damage; advertising and personal injuries; and has sub-limits for medical expense Auto for non-owned and hired liabilities covers a firm in case it is named when an employee drives or rents; can cover property damage Workers compensation exclusive remedy for workplace injuries by employees Employers liability covers the same kind of claim brought by workers who refuse the statutory benefits Property covers first-party losses of tangible property caused by insured perils Business interruption covers loss of income or extra expense caused by same Umbrella raises the limits on several liability lines and can add extra coverage Excess raises the limits on one liability line 3

4 Lines common to many firms Directors and officers (aka Management liability) covers allegations of wrongful acts by officers and board members Employment-practices liability covers allegations of discrimination, harassment, or termination Fiduciary liability cover liabilities that stem from retirement plans like 401K Crime (aka Fidelity) covers embezzlement, unauthorized transfer, computer fraud, theft, or robbery E&O or professional liability covers wrongful acts when delivering services; often has privacy, media, interruption Privacy covers loss of private or confidential information (found in E&O forms) 4

5 Lines for specialized needs Cargo covers the movement of goods while in transit Trade-credit protects accounts receivable from non payment Political risk protects against expropriation or wars Kidnap and ransom protects and sequestration and hostage taking Pollution covers liabilities from discharge of toxins Product recall a first-party coverage that removes dangerous products Builders risk covers the property of all parties at building sites Warranties backs product or service promises made to consumers Bonds not insurance, but a type of credit instrument; backs contracts Travel Risk Management (TRM) 5

6 Key Vocabulary Limits: per claim vs in the aggregate Deductible vs self-insured retention Occurrence vs claims-made forms First-party vs third party coverage London vs US placements Sharing risk with layers vs quota share Packages vs monoline placements Blankets vs scheduled coverage Admitted vs non-admitted insurers Tails or extended-reporting periods Contract exclusions vs insured contracts Named insured vs additional insured Notice to additional insureds Not adding yourself to PL as an AI 6

7 Do traditional lines provide coverage? General Liability Excludes employee-related claims Excludes professional-service related claims Excludes IP infringement save in advertising Professional Liability Often excludes privacy, security, and media Does not cover costs of breach notifications, credit monitoring, and identity remediation Excludes regulatory defense, actions, fines, and penalties Courts have found that business and IT systems are not professional

8 Privacy policy triggers LIABILITY--The trigger for this coverage is a lawsuit alleging a breach of privacy or confidentiality, a tort alleging an information-security injury, or an infringement of multimedia. REGULATORY The trigger for this coverage is a governmental action by a privacy regulator. The policy pays defense as well as fines and awards. PRIVACY EXPENSES The trigger for this coverage is a potential breach of a privacy statute. It pays for forensic analysis as well as victim notification credit monitoring, and support services. OTHER EXPENSES The trigger are three: an extortion threat as well as a logical attack that destroys data or causes network-interruption that impacts profits. OTHER FINES The trigger is a written demand from a credit-card association for a monetary fine or penalty because of your noncompliance with PCI-DSS.

9 Loss scenarios INSURER ESTIMATES SCENARIO 1 SCENARIO 2 SCENARIO 2 ASSUMPTIONS individuals breached 100,000 1,000,000 10,000,000 Type of data PHI PHI PHI Monitoring years Brand recognition Yes Yes Yes LEGAL AND REGULATORY Defense and damages $300,000 $6,000,000 $60,000,000 Regulatory fines and penalties $1,500,000 $1,500,000 $1,500,000 PCI assessments and card re-issue $0 $0 $0 SUBTOTAL $1,800,000 $7,500,000 $61,500,000 BREACH RESPONSE Public relations $39,000 $156,000 $195,000 Notification $100,000 $800,000 $6,000,000 Credit monitoring $178,231 $1,782,312 $17,823,120 ID restoration $15,914 $159,135 $1,591,350 Call center $26,000 $206,000 $2,006,000 SUBTOTAL $359,145 $3,103,447 $27,615,470 INVESTIGATION Forensics $45,000 $270,000 $2,520,000 Legal guidance $25,000 $100,000 $300,000 SUBTOTAL $70,000 $370,000 $2,820,000 TOTAL COST $2,229,145 $10,973,447 $91,935,470 COST PER INDIVIDUAL $22.29 $10.97 $9.19

10 Sample HC structure $35,000,000 $30,000,000 $25,000,000 $20,000,000 $15,000,000 $10,000,000 $5,000,000 $0

11 Privacy and securtiy liability Covers lawsuits relating to breaches of privacy Covers employee suits Covers clients and customer suits Covers business-confidentiality suits Most forms cover confidentiality, but some not Some forms cover trade secrets, but some not Covers suits relating to information security attacks Your systems could end up hosting bot nets that make DOS attacks or host malware Your network could allow hackers to attack partners Covers suits caused by vendors breaching privacy and security Your value chain can drag you into suits

12 Electronic-media coverage Covers personal injuries via electronic media Libel Slander Disparagement Growing problem on social media SMS Twitter Facebook Google Plus Blogging Covers IP infringements via electronic media Copyright Trademark; trade dress (No patent or trade-secret infringement) Also growing problem Image infringement via websites, Flickr, Pinterest Plagiarism via and white papers Trademark violations via PowerPoint

13 Regulatory defense and fines Defense against regulators can take years TJX did not finish with investigations and fines for three years Federal regulators include FTC, HHS, OCR, and various banking regulators Europe is stricter; safe harbors are shrinking Fifty seven states have privacy reporting statutes; MA is severe California led and has 81different privacy laws Attorneys general have been active and can enforce HIPAA Several industry groups also fine; e.g. PCI penalties are common and expensive

14 Example: Federal privacy fines In 2014, New York-Presbyterian Hospital and Columbia University agreed to pay $4.8 million for breaching 6,800 individuals (5/14). Also HHS imposed a $150,000 fine for an unencrypted USB drive (1/14). In 2013, OCR issued 6 resolutions. Penalties ranged up to $1.7M for Wellpoint (7/13). Corrective actions range from 60 days to two years. In 2012, Google paid $22.5 million to settle FTC charges about tracking cookies (8/12). The MA Eye & Ear Infirmary agreed to pay $1.5 million for an unencrypted laptop (9/12) In 2011, MA General Hospital settled for $1 million and a 3-year corrective plan (2/11). Cignet Health paid a $4.3 million penalty for refusing patients access to medical records (2/11). UCLA Health System paid a $865,000 settlement and received a 3-year corrective plan for allowing unauthorized access to PHI. (7/11) February 26, 2015 Change footer 14

15 Example: 2013 fines in California All fines at

16 Breach-expense coverage Policy is triggered by breach of a statute Covers paper, phone, and electronic media Global in territory, because of Internet Policy forms vary Better forms have next to no sub limits Some forms provide dollars; others number of victims Some forms require permission; others not Forensic analysis Infosec assistance Crisis management PR and legal coaching Victim notification Mail and 24/7 phone Credit monitoring One year Identity remediation Only better forms pay

17 Interruption and extortion Interruption trigger is loss of revenue; calculation can be forensic or agreed value Pays net profits during the period of interruption Extortion trigger is a threat or demand Pays for security consultation Can pay the extortion demand Has a waiting period of hours that can be bought down Policy also pays extra expense during the period of interruption

18 ARTURO PEREZ-REYES Overview--Arturo Perez-Reyes has worked for 14 years as a risk consultant and broker for Marsh, Barney and Barney, and now Hub International. He helps companies identify, quantify, and insure liability and property risks from technology, services, value chains, intellectual property, privacy, security, and compliance. Technology and privacy insurance-- He has placed technology errors-and-omissions, professional liability, and privacy insurance for complex and large clients. He helped develop the first privacy policies and recently produced hybrid products that provide both insurance and information-security services domestically and in London. On E&O placements, he manuscripts coverage to adjust for exposures, gaps, and overlaps. He has placed coverage for industries such as retail, financial institutions, law firms, healthcare organizations, travel-hospitality, utilities, manufacturers, telecom, gambling, pharmaceutics, manufacturing, web-services, and technology. Enterprise risk management--he has also done enterprise-risk consulting for mid-cap to Fortune 50 companies. The studies have identified, quantified, and mitigated liabilities and losses from data losses, privacy violations, confidentiality torts, intellectual-property invalidation and litigation as well as from new technologies, emerging services, IT value chains, information sharing, and regulatory compliance. His clients have included Google, Yahoo, Intel, Sun, HP, Cisco, Adobe, Symantec, Verisign, Oracle, ESET, Epicor, Stanford, UCSF, UCB, Adventist Health, Erickson, IGT, CUNA Mutual, Bloomberg, etc. In addition, he has consulted in the UK, and EU on technology risk, service liabilities, business interruption, and professional liability. He has expertise in financial institutions, web services, software, telecos, retail, gaming, education, healthcare, and technology. He has presented nationally and internationally at industry