PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

Transcription

1 PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

2 The following claim scenarios are hypothetical and are offered solely to illustrate the types of situations that may result in claims. Although sorted by industry, ACE encourages policyholders to recognize that different types of breaches can impact all industries. Education Unauthorized Access to Network A student gained unauthorized access to a university s servers, which contained personal information of approximately 150,000 current students, faculty and alumni. The university retained legal counsel to assist in the breach response process and hired a forensics firm to determine the nature and scope of the breach. After considering its regulatory obligations, the university notified the impacted individuals and the appropriate regulators regarding the incident. The matter has not resulted in a third party claim or regulatory proceeding. $375,000 for forensics, legal fees, notification, and call center services Employee Misplaced Laptop An employee of a college misplaced her laptop, which contained the personal information of approximately 5,000 students. The college retained legal counsel, notified the impacted individuals, and offered credit monitoring services. The appropriate state regulators were also notified in accordance with applicable law. $75,000 in legal fees, notification, credit monitoring, and call center services Misplaced Hard Drives A school misplaced three hard drives containing the health information of approximately 4,000 students. The exposed information included names, dates of birth, social security numbers, medical and behavioral health services, treatment plans, and medications. The school retained counsel, notified the impacted students, and offered credit monitoring services. Approximately $35,000 in notification, credit monitoring, and legal fees Technology Unauthorized Access to Network A large technology company detected an unauthorized intrusion into its servers, which contained employee names, passwords and confidential documents. The company contained the breach and immediately hired a forensic investigation firm to determine the scope of the breach. The company also retained a law firm and a crisis management firm to assist in notifying its clients regarding the breach. $550,000 for forensics, legal fees, and crisis management costs Employee s Laptop Stolen A laptop was stolen from an employee s car. The insured, a technology company, notified the impacted individuals and offered credit monitoring services. $75,000 for notification, credit monitoring services, and legal fees to determine the insured s regulatory obligations Healthcare External Vendor Misplaced Laptops A large healthcare provider contracted with a national vendor to assist with an office relocation. During the course of the relocation, the provider discovered a discrepancy of several laptops that contained protected health information belonging to its members. The provider retained legal counsel to analyze its regulatory obligations as well as vendors to conduct forensics, to notify impacted individuals, and to offer credit monitoring services. Subsequently, the provider was the subject of a regulatory inquiry and was named as a defendant in a class action lawsuit. $7,000,000 for forensics, legal fees, notification, call center services, and credit monitoring $2,000,000 for legal fees related to the class action suit and responses to regulatory inquiries 2

3 Healthcare (cont d) Employee Lost Flash Drive An employee of an $800 million healthcare provider lost a flash drive containing the protected health information of approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various state regulators were also notified in accordance with applicable law. $110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured s regulatory obligations Employee Misplaced Flash Drive An employee of a healthcare provider inadvertently misplaced a flash drive that contained protected health information of approximately 300 patients. The provider retained counsel and notified the impacted individuals. $45,000 in legal fees and notification costs Hospital Bills Misplaced An employee of an insured in the healthcare industry reported that a box containing printouts of patient hospital bills and professional fee medical claim forms was missing from her office. The insured determined there was a possible risk of harm for approximately 20 patients, as their names, addresses, phone numbers, social security numbers, dates of birth, and diagnoses were printed on the claim forms. $7,500 for notification and credit monitoring expenses Former Employee Shared Client Information A former employee of the insured, a $500 million hospital system, stole confidential paper files from the former employer containing the personal information of approximately 750 patients. The insured notified the affected patients and reported the matter to the appropriate state regulators. Retail Website Breached Users of a $250 million online retailer s website began experiencing fraudulent credit card charges. The retailer s IT group contacted its web hosting company, which conducted a review of the data stored on the servers. Subsequently, a virus was found and removed. The breach resulted in a compromise of close to 1 million records and the fraudulent use of 50 credit cards. The retailer also incurred fines and penalties for not being Payment Card Industry (PCI) compliant. $750,000 for notification, call center services, and legal fees to determine the insured s regulatory obligations $500,000 in assessments for lack of PCI compliance Employee s Laptop Stolen An employee of a retailer left a laptop in his car, which was stolen. The laptop contained personal information of the retailer s employees. The retailer retained legal counsel and notified its employees of the incident. $15,000 for legal fees and notification costs Credit Card Information Stolen by Employee A $100 million retail company s employee improperly obtained the credit card information of a client and fraudulently used the information to make illegal purchases. The employee was caught and prosecuted. The client s attorney demanded that the insured provide credit monitoring services and compensate the client for her damages. $75,000 for the settlement amount and legal fees $50,000 for legal fees and notification costs $10,000 for legal fees to respond to regulatory inquiries 3

4 Services Private Information Disclosed Due to Printing Error A $50 million business services company conducted a mailing project for a customer and inadvertently mailed out approximately 60,000 envelopes bearing account numbers on the outside of the envelopes. $320,000 for notification and credit monitoring services Laptops Stolen from Office Five laptops were stolen from the office of a professional services company. The laptops contained personal information of approximately 35,000 customers, including names and social security numbers. The insured incurred notification and credit monitoring costs. $200,000 for notification, credit monitoring services, and legal fees Database Access Inadvertently Shared with Third Party A professional services company s online program, which contained client profiles that included credit card information and other personal information, allowed its clients to manage their accounts within the program. An employee inadvertently provided access to the entire system to a third party. An investigation suggested that approximately 20 client profiles were accessed by the third party during the relevant time period. The company retained a national vendor to investigate the security incident and to notify any affected individuals. $45,000 for forensics, notification costs, and legal fees Other Industries Personal Information Posted Online A local municipality inadvertently posted tax licensing applications on its website, resulting in the improper release of personal information. The insured conducted forensics, retained the services of both legal counsel and a public relations firm, and is in the process of notifying the impacted individuals and offering credit monitoring services. $150,000 to date for legal fees, notification, credit monitoring, and Public Relations services Laptop Stolen from Employee An employee of a travel services firm left a laptop in his car, which was then stolen. The laptop contained personal information. The insured engaged an attorney and a vendor to notify the affected individuals and to offer credit monitoring services. $20,000 in notification, credit monitoring, and legal fees Personal Information Posted Online Due to a software error, a non-profit organization s website, which allowed the payments of registration fees, disclosed the personal information of 25 members. The organization immediately shut down its website, retained legal counsel, notified the impacted individuals, and offered credit monitoring services. $10,000 for notification, credit monitoring, and legal fees 4

5 CONTACT US ACE Group 436 Walnut Street Philadelphia, PA The claim scenarios described here are hypothetical and are offered solely to illustrate the types of situations that may result in claims. These scenarios are not based on actual claims and should not be compared to an actual claim. The precise coverage afforded by any insurer is subject to the terms and conditions of the policies as issued. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law. Insurance is provided by ACE American Insurance Company, Philadelphia, Pennsylvania, or, in some states, other insurers within the ACE Group. The product information above is a summary only. The insurance policy actually issued contains the terms and conditions of the contract. All products may not be available in all states. Surplus lines insurance sold only through licensed surplus lines producers. Additional information can be found at ACE /13 5