I. Key Federal and State Legal Requirements and Guidance. A. Insurance Company Disaster Planning Disaster Preparedness and Response


CLIENT MEMORANDUM

IN THE WAKE OF STORM SANDY, INSURANCE COMPANIES SHOULD ENSURE THAT THEIR BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS COMPLY WITH LEGAL REQUIREMENTS AND BEST PRACTICES

How do insurance companies prepare for the risks presented to their own business operations by natural disasters such as Storm Sandy?

In the immediate aftermath of Storm Sandy, insurers' disaster response to policyholders and regulators is an immediate priority. Also important to insurers, however, is an assessment of the risks presented to their own business operations by such natural disasters. This client memorandum focuses on the following key aspect of insurers' disaster risk assessment and recovery efforts: the protection of data, information technology, business records and private medical and financial information. More specifically, set forth herein is: (1) a summary of significant statutory and regulatory frameworks that relate directly or indirectly to insurance company disaster recovery planning; and (2) a practical assessment of data protection and recovery best practices that insurance companies should consider implementing to minimize risk and maximize compliance.

I. Key Federal and State Legal Requirements and Guidance

A. Insurance Company Disaster Planning

Disaster Preparedness and Response

New York-licensed insurers are expected to prepare for, and respond to, disasters as set forth in various circular letters issued by the New York Department of Financial Services (the "NYDFS" or the "Department").[1] Such disaster preparedness standards incorporate a Business Continuity Plan Questionnaire ("BCPQ") "to assure the [NYDFS] that each [insurer] has taken steps to put in place a Business Continuity Plan that would reasonably ensure that the recovery of critical business processes could take place in the event of a disaster."[2] The BCPQ also ensures that the business continuity plan has been tested, is kept in a secure off-site location, and addresses all significant business activities, including financial functions, telecommunications services, data processing, and network services.[3]

Similarly, the Florida Office of Insurance Regulation (the "FLOIR") has issued guidance to ensure insurance company preparedness for the hurricane season.[4] Such guidance addresses disaster recovery plans to ensure company facilities are operational post-storm, which include reviewing functions such as backup power, backup telephone systems or call centers, backup staffing, technology issues, system access, and contract resources for services restoration.[5]

B. Risk & Solvency Assessment

Insurers' business continuity and disaster plans are subject to regulatory examination as part of the risk-focused financial condition examination process. For examinations beginning in 2010, state insurance regulators have applied a revised risk-focused examination approach to better incorporate prospective risk assessment related to insurer solvency and focus on management's ability to identify, assess and manage the insurer's business risks. The NAIC Financial Condition Examiners Handbook provides that the person responsible for maintaining, updating and testing the insurer's business continuity and disaster recovery plans should be identified and interviewed, and that the insurer's Chief Risk Officer should be interviewed regarding the company's plan for operating in crisis/disaster business continuity. Confirmation that an insurer's disaster recovery plan has been tested is an additional element of the examiner's risk-focused examination.

It is also noteworthy that the NAIC recently adopted the Risk Management and Own Risk and Solvency Assessment Model Act ("ORSA Model Act"), and has proposed an Own Risk and Solvency Assessment ("ORSA") Guidance Manual. Although the ORSA Model Act and ORSA Guidance Manual are not prescriptive, if adopted by the states, they would require covered insurers to assess, monitor, document and report on business operations risks.

C. The Sarbanes-Oxley Act Of 2002: Business Continuity For Publicly Traded Companies

The Sarbanes-Oxley Act of 2002 ("SOX") does not directly address disaster recovery planning; however, it does cover business continuity planning with respect to an organization's operations in the event of a disaster, including maintaining operations in order to prepare timely, accurate financial statements. Compliance with Section 404 of SOX requires organizations to design and establish controls and infrastructure with the aim of protecting and preserving business records from loss, destruction, or unauthorized alteration. This would include: (1) the establishment of a control environment; (2) risk assessment; (3) the implementation of control activities; (4) the creation of effective communications and information flows; and (5) monitoring.[6]

D. HIPAA: Protected Health Information

The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and its implementing regulations (collectively, "HIPAA"), impose various obligations regarding disaster recovery plans on insurance companies that qualify as "covered entities" or "business associates" within the meaning of the law.[7] As an overarching matter, HIPAA-covered insurers must "establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain [EPHI]." The provisions of HIPAA's implementing regulations covering business continuity and disaster recovery planning are established as part of the HIPAA Security Rule[8] and are located at 45 C.F.R (Administrative Safeguards), 45 C.F.R (Physical Safeguards), and 45 C.F.R (Technical Safeguards). As identified in the following list, some of the provisions established under HIPAA regulations are "Required" ("R"), whereas others are "Addressable" ("A").[9] These provisions include:

(1) a data backup plan (R);[10]
(2) a disaster recovery plan (R);[11]
(3) an emergency mode operation plan (R);[12]
(4) an emergency access procedure (R);[13]
(5) contingency operations procedures (A);[14]
(6) an applications and data criticality analysis (A);[15] and
(7) testing and revision procedures (A).[16]

Specifications 1 and 2 above require a HIPAA-covered insurer to create procedures to back up and be able to restore exact copies of EPHI if lost. Specifications 3-5 cover procedures for the continuation of critical business processes to protect the security of and maintain access to EPHI during an emergency. Specification 6 covers access to the insurer's facilities in support of the activities covered in the prior specifications, and specification 7 covers the need to ensure that all of the procedures herein are reviewed and revised on a timely basis.

It is important that HIPAA-covered insurers understand that the provisions cited above are not waived or suspended in the event of a federally declared emergency or disaster.[17] Although the Secretary of the Department of Health & Human Services may suspend certain provisions of the HIPAA Privacy Rule in the event of a federally declared emergency or disaster,[18] the provisions that may be suspended have no bearing on those cited above, which appear in the Security Rule. Although the federal government may exercise discretion when enforcing HIPAA, insurers should not be lulled into a false sense of security; a failure to comply with HIPAA's emergency and disaster requirements cannot be explained away by the occurrence of an emergency or disaster.

E. The Gramm-Leach-Bliley Act: Nonpublic Personal Information

Pursuant to Title V of the Gramm-Leach-Bliley Act (the "GLBA"), 15 U.S.C. 6801, et seq., financial institutions, including insurers, must protect the security and confidentiality of customers' nonpublic personal information. GLBA requires that each state insurance agency establish appropriate standards for financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards "(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."[19] In New York, for example, Regulation 173 requires that "each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information."[20] Although not explicit, the protections required for such nonpublic personal information would reasonably relate to disaster preparedness and recovery.

II. Best Practices

The complex priorities of assessing, monitoring, and planning for risks in order to maintain business operations while protecting confidential policyholder information present unique challenges to the insurance industry. Highlights of significant considerations and best practices in this regard are set forth below. We note that a given insurer may be subject to one or more of the laws discussed above, and thus some of the practices below may also be legal requirements; this is particularly true for HIPAA-covered insurers. Please consider discussing your business continuity / disaster recovery plan with counsel to ensure compliance with such requirements.

A. Key First Steps

The first step any insurer should take in the business continuity planning process is to analyze its vulnerabilities. To do so, an insurer should conduct: (1) a business impact analysis; and (2) a risk analysis. The business impact analysis is the process through which the insurer must determine which systems and data should be viewed as critical and which should be viewed as noncritical. The risk analysis is the process through which the insurer considers the potential circumstances that could constitute a disaster, i.e., a threat to the critical systems and data identified in the business impact analysis. Both steps naturally involve a cost/benefit analysis, but an insurer must take care to go beyond a consideration of operational losses and take into account legal costs for failure to comply with various federal, state, and local laws and regulations that mandate specific procedures and redundancies depending on the regulatory structure covering the insurer.

1. Business Impact Analysis / Data Classification Policy

The business impact analysis is the first study an insurer must conduct as part of its business continuity planning. Most insurers are already aware of which systems and data are critical from an operational and a profit-making perspective, but this analysis must take into account any legal requirements to which a given insurer is subject. Certain regulatory structures have explicit requirements that state in detail which systems and data are critical. For example, insurers covered by HIPAA are subject to regulations that classify data (e.g., as EPHI) and mandate specific requirements in the event of an emergency.[21] On the other hand, other laws may not be as explicit. For example, as noted above, while SOX does not have a specific disaster recovery requirement, the statute does generally speak to business continuity planning with respect to an organization's operations in the event of a disaster, including maintaining operations in order to continue to prepare timely and accurate financial statements.

2. Risk Analysis / Determine Threats

Once insurers, through a business impact analysis, have determined which systems and data are critical, the insurers must next consider which possible threats exist to the security, confidentiality, integrity, and availability of that data, and whether those threats call for specific pre- or post-response actions. Naturally, this analysis will reflect the business judgments of a given insurer, as some threats are more likely than others, but insurers subject to various regulatory structures must take all reasonable threats into account. Any threat that could affect the regulated systems or data is a potential liability for the insurer, and all reasonable threats must therefore be considered and mitigated to the extent possible. In some cases, the regulatory structure will suggest certain risks. For example, HIPAA contains a nonexhaustive list that includes "fire, vandalism, system failure, and natural disaster."[22] Other authorities speak more broadly, such as the guidance put forth by the NYDFS, which requires insurers to plan for and protect against damages arising from natural and man-made disasters.[23] Companies should consider threats unique to their business model, location(s), and other particular attributes.

B. Security Controls (Physical, Electronic/Access Control)

Many types of disasters identified through the risk analysis will challenge an insurer's ability to maintain the security of critical systems and data. However, it would be imprudent to assume that noncompliance with any established sector-specific or other applicable regulatory or similar data and systems integrity obligations would be deemed acceptable simply because a disaster is underway or has occurred. Thus, an insurer must ensure that the appropriate data and systems security protocols are followed leading up to and maintained during a disaster to avoid exposing itself to legal liability. Insurers should evaluate possible mechanisms for ensuring the security of critical systems and data, including both physical and electronic access controls. Depending on the data at risk, this regulatory requirement or best practice relates to both the system(s) and data recovery/restoration process and the emergency access procedure discussed, infra. Further, as the insurer recovers from a disaster, it should, at a minimum, ensure that the confidentiality, integrity, and availability of systems and data are not compromised by a security breach. As part of this pre-disaster planning and risk analysis, insurers should consider whether their established, pre-disaster access controls should, and under what circumstances, be extended to other personnel (internal or external) in response to an emergency.[24]

C. Backup, Emergency Access, and Restoration Mechanisms

As part of the business impact and risk analyses, insurers should determine which systems and data are critical, i.e., those that cannot, as a legal or business imperative, be compromised as the result of a disaster. As part of this determination, insurers should employ loss prevention measures to ensure that effective backup and restoration mechanisms are in place to ensure the safety of the systems and data identified as critical from the threats identified as reasonable during the risk analysis phase.

1. Backup Procedures

The backup procedures an insurer should implement will vary based on operational needs and any legal requirements to which the entity is subject. The type of data backed up should at least include that which was determined to be critical under the business impact analysis, supra. For example, HIPAA-covered insurers are only explicitly required to "create and maintain retrievable exact copies of [EPHI]."[25] However, a HIPAA-covered insurer must take into account the nature of the EPHI it holds, including the frequency with which it changes, to ensure that backups are sufficiently regular so as to avoid running afoul of HIPAA's data integrity requirements.[26] As an example of a more general requirement, as part of an insurer's business continuity plan, the NYDFS asks insurers to ensure their "[business continuity] plan contain[s] a list of critical computer application programs, operating systems and data files."[27] Other statutes, such as SOX, may have additional backup requirements.

2. Emergency Access Procedures

During or in the aftermath of a disaster, but before a full restoration via backup, certain insurers will be required to maintain or immediately resume access to their critical systems and data as identified by the business impact analysis. To the extent required by any regulatory requirements to which the insurer is subject, insurers should ensure that they are able to do so. For example, HIPAA requires "procedures for obtaining necessary [EPHI] during an emergency."[28] This could potentially require the redundancy of critical systems that provide an alternate access path in the event that primary systems become unavailable due to a disaster or other emergency situation. Furthermore, it could require changes to access controls in the event that alternate personnel (e.g., internal IT technicians or other external IT forensics specialists) are needed to retrieve or otherwise ensure access to critical systems or data. Similarly, the NYDFS asks insurers whether, in drafting a business continuity plan, the insurer has "developed adequate manual processing procedures for use until the electronic data processing function can be restored."[29]

Insurers should carefully evaluate any such access changes made in the event of a disaster and implement procedures to ensure the confidentiality and integrity of critical systems and data. Although legal provisions may impose a requirement for ongoing access to the systems and data, any decision to relax documented security controls to facilitate such access should be directed and controlled by senior supervisory personnel. If such deviations from established security controls are deemed necessary to comply with law or business imperatives, supervision and monitoring would likely need to be heightened to maintain the confidentiality and integrity of the affected systems and data, both to ensure that no breaches occur during the disaster and to ensure that once the disaster is resolved, normal security controls are restored.

3. Restoration Procedures

Data restoration procedures will similarly vary based on operational needs and any regulatory requirements to which the insurer is subject. Some laws may contain explicit requirements. For example, HIPAA requires "procedures to restore any loss of [EPHI] data."[30] However, the question is broader than the mere restoration of data, as the data must be restored to an available system that is actually accessible. To that end, the insurer's risk analysis (see supra) should anticipate this need and be guided in this regard. If possible disasters include environmental ones such as storms that could have a severe region-wide impact, the entity should consider a restoration plan that involves more secure, off-site facilities outside a given region. For example, as part of an insurer's business continuity plan, the NYDFS asks whether an insurer has "an agreement in place to use a specific alternate site and computer hardware to restore data processing operations after a disaster occurs" and whether the site "[has] a backup generator in place in case of local power outages, a fire detection and suppression system and moisture sensors in place under the raised floor."[31] Moreover, the NYDFS asks whether an insurer's business continuity plan contains "a list of supplies that would be needed in the event of a disaster, together with names and phone numbers of the suppliers."[32] The NYDFS stresses the importance of an insurer "undertak[ing] steps in managing [its] supply chain" as part of its business continuity plan.[33] Similarly, the FLOIR suggests that insurers, when considering a disaster recovery plan to ensure company facilities are operational post-storm, address physical resources such as "office space, back-up power... back-up telephone system... technology issues, computers / laptops / printers / calculators, system access, server alternatives, [and] contract resources for services restoration[.]"[34]

D. Policy Distribution Mechanism / Documentation Plan

A disaster recovery plan is only effective if an insurer's employees are trained and aware of it. Moreover, certain laws require covered insurers to ensure that employees have ready access to the plan. For example, HIPAA requires mandated procedures to be in written (or electronic) form, and for that documentation to be available to those persons responsible for implementing the procedures.[35] When evaluating an insurer's business continuity plan, the NYDFS asks whether the insurer's business continuity plan "clearly describe[s] senior management roles and responsibilities associated with the declaration of an emergency and implementation of the business continuity and disaster recovery plans."[36] Moreover, the NYDFS looks to see whether an insurer's business continuity plan "clearly identif[ies] the general process by which the threat will be assessed and the specific individuals who are authorized to declare an emergency."[37] Therefore, it is important for insurers to carefully consider mechanisms for ensuring that their employees are sufficiently aware of and trained in the company's emergency procedures, such that they are able to adequately respond in the event of a disaster.

Access to emergency plans and policies is also critical. Thus, while an insurer may choose to provide electronic access to copies of (or updates to) its disaster recovery plan documents, the insurer should strongly consider regularly making hard copies of such plans/policies available to key personnel, as a loss of power or a system failure is a common type of disaster that would be identified in the risk analyses of nearly every company. For example, the NYDFS asks insurers whether copies of the "[business continuity] plan [are] kept in relevant off-site locations."[38]

E. Test and Review Process

Finally, one of the most important best practices to employ is the regular testing, review, and redrafting, where necessary, of the procedures discussed above and the documentation that results. As part of the business continuity planning process, the NYDFS asks insurers whether their business continuity plan "is current, based on a business impact analysis, [has] been tested [and whether that test has occurred in the last year]."[39] Moreover, the NYDFS asks insurers to review the plan to ensure that it "covers all significant business activities, including financial functions, telecommunication services, data processing, [and] networking services," and to ensure that "a restoration priority [has] been assigned to all significant business activities."[40] A regular review of the business impact analysis and risk analysis serves to ensure that all necessary systems and data designated as critical are examined regularly and tested to determine whether then-current procedures are sufficient and will work as planned. Too many companies neglect this important step and, following a disaster, find that their procedures did not function as planned, or worse yet, that backup, emergency access, or restoration of critical systems and data is not achievable. Such a failure can expose insurers to serious liability. Again, insurers should seek advice from counsel during each review stage of their business continuity plans to ensure that they account for the most current federal, state, and local laws, regulations, and guidance, as well as industry best practices.

* * * * * * * * * * * * * * *

If you have any questions regarding this new proposal, please contact Leah Campbell ( , lcampbell@willkie.com), Francis M. Buono ( , fbuono@willkie.com), McLean B. Sieverding ( , msieverding@willkie.com), Carissa M. Mann ( , cmann@willkie.com), Benjamin B. Williams ( , bbwilliams@willkie.com), or the Willkie attorney with whom you regularly work.

Willkie Farr & Gallagher LLP is headquartered at 787 Seventh Avenue, New York, NY. Our telephone number is (212) , and our facsimile number is (212) . Our website is located at .

NEW YORK WASHINGTON PARIS LONDON MILAN ROME FRANKFURT BRUSSELS, in alliance with Dickson Minto W.S., London and Edinburgh

December 11, 2012

Copyright 2012 Willkie Farr & Gallagher LLP. All Rights Reserved. This memorandum may not be reproduced or disseminated in any form without the express permission of Willkie Farr & Gallagher LLP.

This memorandum is provided for news and information purposes only and does not constitute legal advice or an invitation to an attorney-client relationship. While every effort has been made to ensure the accuracy of the information contained herein, Willkie Farr & Gallagher LLP does not guarantee such accuracy and cannot be held liable for any errors in or any reliance upon this information. Under New York's Code of Professional Responsibility, this material may constitute attorney advertising. Prior results do not guarantee a similar outcome.

Notes

[1] N.Y. Circ. Ltr (Apr. 9, 2012) (applicable to "authorized property/casualty insurers"); see also N.Y. Circ. Ltr (Apr. 12, 2012) (applicable to "authorized health insurers"); N.Y. Circ. Ltr (Apr. 12, 2012) (applicable to "authorized life insurers").
[2] N.Y. Circ. Ltr (Apr. 9, 2012).
[3] See NYDFS Business Continuity Planning Questionnaire.
[4] See, e.g., Fla. Info. Memo. OIR M (June 8, 2005).
[5] See id.
[6] See Committee of Sponsoring Organizations of the Treadway Commission, Internal Control Integrated Framework (Dec. 2011).
[7] Whether a given insurer's activities relating to health care or health information will result in regulation under HIPAA can be a complex question for which advice from counsel should be sought. Initially, HIPAA's requirements only applied to "covered entities" (essentially health plans, health care clearinghouses, and healthcare providers), in connection with their use of electronic protected health information ("EPHI"), which is defined as individually identifiable health information that is either transmitted by electronic media or maintained in electronic media. However, these requirements have recently been expanded to directly cover "business associates" as well, which are organizations that perform, or assist a covered entity in the performance of, a function or activity involving the use or disclosure of EPHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing. As the Department of Health and Human Services ("HHS") is in the process of finalizing further HIPAA rules, it is not currently enforcing these requirements against business associates, but state attorneys general have done so, and HHS will as well when it finalizes its rules.
[8] The Security Rule is located at 45 C.F.R Part 160 and Subparts A and C of Part 164.
[9] When an implementation specification is "required," a HIPAA-covered insurer must comply with the implementation specification as written. By contrast, when an implementation standard is "addressable," a HIPAA-covered insurer has somewhat more flexibility. As a threshold matter, an addressable implementation specification must be complied with if it is reasonable and appropriate for the insurer to do so. However, if a HIPAA-covered insurer, after a risk assessment and analysis, determines that complying with a particular implementation specification is not reasonable or appropriate, it must consider whether there is a reasonable and appropriate alternative that accomplishes the same purpose. If the HIPAA-covered insurer determines that there is no reasonable or appropriate alternative, it must document why it would not be reasonable and appropriate to implement the implementation specification. Thus, in general, HIPAA compliance requires an additional level of analysis and documentation by covered insurers.
[10] 45 C.F.R (a)(7)(ii)(A); see also 45 C.F.R (d)(2)(iv) (HIPAA-covered insurers must create a retrievable, exact copy of EPHI, when needed, before movement of equipment).
[11] 45 C.F.R (a)(7)(ii)(B).
[12] 45 C.F.R (a)(7)(ii)(C).
[13] 45 C.F.R (a)(2)(ii).
[14] 45 C.F.R (a)(2)(i).
[15] 45 C.F.R (a)(7)(ii)(E).
[16] 45 C.F.R (a)(7)(ii)(D).
[17] Office for Civil Rights, Health Information Privacy Frequently Asked Questions.
[18] Pursuant to 42 U.S.C. 1320b-5, the Secretary of HHS may waive certain provisions of the HIPAA Privacy Rule following a presidential declaration of an emergency or a disaster. The Secretary must, in turn, declare a public health emergency as well. Following such a joint declaration, the Secretary may waive the following provisions of the HIPAA Privacy Rule: (1) the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care (45 C.F.R (b)); (2) the requirement to honor a request to opt out of the facility directory (45 C.F.R (a)); (3) the requirement to distribute a notice of privacy practices (45 C.F.R ); (4) the patient's right to request privacy restrictions (45 C.F.R (a)); and (5) the patient's right to request confidential communications (45 C.F.R (b)). These waivers exceed those disclosures already permitted by law. See Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations, Sept. 2, 2005.
[19] 15 U.S.C. 6801(b).
[20] 11 N.Y.C.R.R ; see also N.Y. OGC Opinion No (Feb. 14, 2002).
[21] See 45 C.F.R (a)(7).
[22] 45 C.F.R (a)(7)(i).
[23] See N.Y. Circ. Ltr (Apr. 9, 2012) (applicable to all "authorized property/casualty insurers," among other entities); N.Y. Circ. Ltr (Apr. 12, 2012) (applicable to "authorized health insurers"); N.Y. Circ. Ltr (Apr. 12, 2012) (applicable to "authorized life insurers").
[24] See Emergency Access Procedure, infra.
[25] 45 C.F.R (a)(7)(ii)(A).
[26] See, e.g., 45 C.F.R (c).
[27] NYDFS Business Continuity Planning Questionnaire.
[28] 45 C.F.R (a)(2)(ii).
[29] NYDFS Business Continuity Planning Questionnaire.
[30] 45 C.F.R (a)(7)(ii)(B) (emphasis added).
[31] NYDFS Business Continuity Planning Questionnaire.
[34] Fla. Info. Memo. OIR M (June 8, 2005).
[35] 45 C.F.R (b).
[36] NYDFS Business Continuity Planning Questionnaire.

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

BEWARE: LEGAL PRIVILEGE RULES DIFFER BETWEEN THE U.S. AND THE EU

BEWARE: LEGAL PRIVILEGE RULES DIFFER BETWEEN THE U.S. AND THE EU CLIENT MEMORANDUM BEWARE: LEGAL RULES DIFFER BETWEEN THE U.S. AND THE EU I. Introduction Jurisdictions in the United States and Europe differ significantly in their approach to the privilege afforded to

More information

CLIENT MEMORANDUM CFTC AND SEC ADOPT DEFINITION OF SWAP AND SECURITY-BASED SWAP

CLIENT MEMORANDUM CFTC AND SEC ADOPT DEFINITION OF SWAP AND SECURITY-BASED SWAP CLIENT MEMORANDUM CFTC AND SEC ADOPT DEFINITION OF SWAP AND SECURITY-BASED SWAP The Commodity Futures Trading Commission and the Securities and Exchange Commission have issued joint final rules and interpretations

More information

LEGAL EFFECT OF ERRONEOUS FILING OF A UNIFORM COMMERCIAL CODE TERMINATION FINANCING STATEMENT

LEGAL EFFECT OF ERRONEOUS FILING OF A UNIFORM COMMERCIAL CODE TERMINATION FINANCING STATEMENT CLIENT MEMORANDUM LEGAL EFFECT OF ERRONEOUS FILING OF A UNIFORM COMMERCIAL CODE TERMINATION FINANCING STATEMENT Two cases, one recently decided and one pending, address the question of whether unauthorized

More information

SEC ADOPTS NEW RULE DESIGNED TO DETER PAY-TO-PLAY ACTIVITIES BY INVESTMENT ADVISERS

SEC ADOPTS NEW RULE DESIGNED TO DETER PAY-TO-PLAY ACTIVITIES BY INVESTMENT ADVISERS CLIENT MEMORANDUM SEC ADOPTS NEW RULE DESIGNED TO DETER PAY-TO-PLAY ACTIVITIES BY INVESTMENT ADVISERS In light of recent publicized occurrences in states such as New York, California, New Mexico and Connecticut

More information

IN RE MILLER: RECENT CASE HIGHLIGHTS THE DIFFICULTY OF PERFECTING SECURITY INTERESTS AGAINST INDIVIDUALS UNDER ARTICLE 9 OF THE UCC

IN RE MILLER: RECENT CASE HIGHLIGHTS THE DIFFICULTY OF PERFECTING SECURITY INTERESTS AGAINST INDIVIDUALS UNDER ARTICLE 9 OF THE UCC CLIENT MEMORANDUM IN RE MILLER: RECENT CASE HIGHLIGHTS THE DIFFICULTY OF PERFECTING SECURITY INTERESTS AGAINST INDIVIDUALS UNDER ARTICLE 9 OF THE UCC Perfecting a security interest against an individual

More information

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION CLIENT MEMORANDUM THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION The ICC Report analyzes the use of binding

More information

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority

More information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

CFTC AND SEC DEFINE MAJOR SWAP PARTICIPANT AND MAJOR SECURITY-BASED SWAP PARTICIPANT

CFTC AND SEC DEFINE MAJOR SWAP PARTICIPANT AND MAJOR SECURITY-BASED SWAP PARTICIPANT CLIENT MEMORANDUM CFTC AND SEC DEFINE MAJOR SWAP PARTICIPANT AND MAJOR SECURITY-BASED SWAP PARTICIPANT The Commodity Futures Trading Commission and the Securities and Exchange Commission have issued joint

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com Introduction Keystone White Paper: Regulations affecting IT This document describes specific sections of current U.S. regulations applicable to IT governance and data protection and maps those requirements

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

SEC ADOPTS RULES IMPLEMENTING DODD-FRANK INVESTMENT ADVISER EXEMPTIONS AND REGISTRATION REQUIREMENTS

SEC ADOPTS RULES IMPLEMENTING DODD-FRANK INVESTMENT ADVISER EXEMPTIONS AND REGISTRATION REQUIREMENTS CLIENT MEMORANDUM SEC ADOPTS RULES IMPLEMENTING DODD-FRANK INVESTMENT ADVISER EXEMPTIONS AND REGISTRATION REQUIREMENTS Last week the Securities and Exchange Commission ( SEC ) adopted a series of technical

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

SWAP DEALER AND SECURITY-BASED SWAP DEALER DEFINED

SWAP DEALER AND SECURITY-BASED SWAP DEALER DEFINED CLIENT MEMORANDUM SWAP DEALER AND SECURITY-BASED SWAP DEALER DEFINED The Securities and Exchange Commission and Commodity Futures Trading Commission jointly adopted final rules 1 under Title VII of the

More information

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

A s a covered entity or business associate, you have

A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

Treasury Department Proposes Anti-Money Laundering Regulations for Investment Advisers

Treasury Department Proposes Anti-Money Laundering Regulations for Investment Advisers CLIENT MEMORANDUM Treasury Department Proposes Anti-Money Laundering Regulations for Investment Advisers August 28, 2015 AUTHORS Benjamin J. Haskin Russell L. Smith Barbara Block On August 25, 2015, the

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

MASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2

MASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2 MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

FEDERAL CIRCUIT HOLDS THAT HEIGHTENED PLEADING REQUIREMENTS APPLY TO FALSE MARKING ACTIONS

FEDERAL CIRCUIT HOLDS THAT HEIGHTENED PLEADING REQUIREMENTS APPLY TO FALSE MARKING ACTIONS CLIENT MEMORANDUM FEDERAL CIRCUIT HOLDS THAT HEIGHTENED PLEADING REQUIREMENTS APPLY TO FALSE MARKING ACTIONS In a decision that will likely reduce the number of false marking cases, the Federal Circuit

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards

More information

SEC ADOPTS FINAL RULES ON DISCLOSURE REGARDING PORTFOLIO MANAGERS OF INVESTMENT COMPANIES

SEC ADOPTS FINAL RULES ON DISCLOSURE REGARDING PORTFOLIO MANAGERS OF INVESTMENT COMPANIES CLIENT MEMORANDUM SEC ADOPTS FINAL RULES ON DISCLOSURE REGARDING PORTFOLIO MANAGERS OF INVESTMENT COMPANIES The Securities and Exchange Commission (the SEC ), as part of its ongoing effort to improve the

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

THE COMMONWEALTH OF MASSACHUSETTS

THE COMMONWEALTH OF MASSACHUSETTS THE COMMONWEALTH OF MASSACHUSETTS OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION DIVISION OF INSURANCE Report on the Comprehensive Market Conduct Examination of The Paul Revere Variable Annuity Insurance

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

Louisiana State University System

Louisiana State University System PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ), entered into and effective this day of,, is by and between ( Business Associate ) and Black, Gould & Associates, Inc.

More information

DEPARTMENT OF MENTAL HEALTH AND DEVELOPMENTAL DISABILITIES

DEPARTMENT OF MENTAL HEALTH AND DEVELOPMENTAL DISABILITIES DEPARTMENT OF MENTAL HEALTH AND DEVELOPMENTAL DISABILITIES POLICIES AND PROCEDURES Subject: ADMINISTRATION OF HIPAA Effective Date: 12/15/03 Review Date: 6/8/06 Revision Date: 11/21/06 (All legal citations

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is effective September 1, 2013 and made between Community Health Solutions of America, Inc., a Florida corporation ( CHS ) and ( Company ).

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

SEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT

SEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT CLIENT MEMORANDUM SEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT As noted in our previous client memoranda, the Sarbanes-Oxley Act of 2002 (the Act ) calls

More information

GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT

GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT This Agreement, made between Group Health Inc., having its principal office at 441 Ninth Avenue, New York, NY 10001 ("GHI"), and, having its principal

More information

CFTC PROPOSES SPECULATIVE POSITION LIMITS FOR REFERENCED ENERGY CONTRACTS

CFTC PROPOSES SPECULATIVE POSITION LIMITS FOR REFERENCED ENERGY CONTRACTS CLIENT MEMORANDUM CFTC PROPOSES SPECULATIVE POSITION LIMITS FOR REFERENCED ENERGY CONTRACTS The Commodity Futures Trading Commission has proposed Federal speculative position limits on certain natural

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

SUMMARY. 2. Covered information, which is the key term, is very broadly defined and includes the following with respect to an individual:

SUMMARY. 2. Covered information, which is the key term, is very broadly defined and includes the following with respect to an individual: CLIENT MEMORANDUM DRAFT FEDERAL PRIVACY BILL WOULD DRAMATICALLY AFFECT HOW A WIDE RANGE OF COMPANIES COLLECT, USE, AND DISCLOSE CERTAIN INFORMATION ABOUT INDIVIDUALS, BOTH ONLINE AND OFFLINE On May 4,

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information

Social Marketing & Liability

Social Marketing & Liability Social Marketing & Liability Fred E. Karlinsky, Esq. Co-Chair, Insurance Regulatory & Transactions Practice Shareholder, Greenberg Traurig Louisiana Insurers Conference Insurance Compliance Seminar August

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 Gramm Leach Bliley Act 15 U.S.C. 6801-6809 6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

BAC to the Basics: Business Associate Contracts Made Easy

BAC to the Basics: Business Associate Contracts Made Easy BAC to the Basics: Business Associate Contracts Made Easy Prepared by Jen C. Salyers BAC to the Basics: Business Associate Contracts Made Easy Table of Contents Page I. Approaches to Creating a Business

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the

This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the HIPAA Security rule: Contingency planning and evaluation.

More information

Healthcare Management Service Organization Accreditation Program (MSOAP)

Healthcare Management Service Organization Accreditation Program (MSOAP) ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

Preparing for the HIPAA Security Rule

Preparing for the HIPAA Security Rule A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL August, 2013 HIPAA SECURITY REGULATION COMPLIANCE DOCUMENTS For (Practice name) (Street Address) (City, State, ZIP) Adopted (Date) 2 INTRODUCTION The federal

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES 1 BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES This BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is entered into as of the date first written in the signature block below (the Effective Date

More information

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS This Business Associate Agreement (this Agreement ), is made as of the day of, 20 (the Effective Date ), by and between ( Business Associate ) and ( Covered Entity

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information