Data Breach and Senior Living Communities May 29, 2015


Today's Objectives:
1. Discuss Current Data Breach Trends & Issues
2. Understanding Why The Senior Living Industry May Be A Target
3. Data Breach Costs
4. Obligations and Responsibilities Imposed By State and Federal Government
5. Incident Risk Control Measures (Pre/Post)
6. Funding Data Breach Risk
7. Key Organizational Data Breach Questions

Current Data Breach Trends & Issues

2015 Verizon Data Breach Report

Data Breaches On The Rise

Over 37 million Healthcare & Nonprofit records breached from 1,202 data breaches made public since 2005.

Reported Healthcare & Nonprofit Data Breach Incidents
  2011: 218
  2012: 242 (+11%)
  2013: 284 (+17%)
  2014: 83 (incomplete data)
Source: Privacy Rights Clearinghouse, May 1, 2015

A survey of U.S. small businesses found that 55% of those responding have had a data breach, but only 33% notified individuals that their PII had been exposed. Source: 2013 Ponemon Institute Poll

Understanding Why The Senior Living Industry May Be A Target

Why The Senior Living Industry Is Exposed.

Breach Scenarios - Real Cases
1. Hacking
2. Stolen Laptop - January 1, 2013: Riderwood Village Senior Living had 5 laptops stolen (4 unencrypted); 8,507 records exposed
3. Lost USB
4. Breach Caused by Vendor
5. Stolen Briefcase - March 1, 2014: Briefcase with PHI stolen from an independent contractor's home, exposing 508 resident records
6. Document Disposal
7. Employee Error
8. Unauthorized Access

Data Breach Costs

Typical Breach Response Costs
  Legal: $300 - $600 per hour
  Forensics: $250 - $600 per hour
  Crisis Management: $150 per hour or legal rate
  Notification: $1 - $3 per letter
  Call Handling: $7 - $25 per call
  Credit & Fraud Monitoring: $8 - $75 per person
  Identity Theft Resolution: $400 per case

Helping Businesses Manage Risk

$188 per record: average cost of a U.S. data breach, of which 68% pertains to indirect costs.

Direct Costs: crisis management, public relations, print & mail notification letters, remediation services, legal & forensic services, lawsuits

Indirect Costs: customer churn, increased customer acquisition activities, damaged reputation, loss of goodwill, employee time & resources

Factors That Influence U.S. Data Breach Costs
  Incident response plan: decrease $34
  Quick notification to victims: increase $37
  Strong security posture: decrease $42
  Consultants engaged: decrease $13
Source: Ponemon Cost of Data Breach Study

Obligations and Responsibilities Imposed By State and Federal Government

What is Secured PHI?
- Electronic records encrypted to the HIPAA Security Rule encryption standard
- Hard copy records must be shredded
- Under HHS guidance, encrypted records are a safe harbor: unauthorized access to them does not require notice to HHS

Federal HIPAA / HITECH Highlights
- Requires notice of a breach of unsecured PHI within 60 days
- Notice must include a brief description of the event, the PHI involved and the steps to take to protect from future harm
- Must notify the media and HHS if more than 500 individuals are affected; report to HHS annually all breaches affecting fewer than 500: http://transparency.cit.nih.gov/breach/index.cfm
- Breach = unauthorized acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI and poses a significant risk of financial, reputational or other harm

FTC Rules Regarding Notice by Business Associates
- Applies to vendors of personal health records, Personal Health Record-related entities, third-party service providers and non-profits
- Requires FTC notice within 10 business days of discovery by a healthcare entity for more than 500 consumers; all others annually
- Vendors are responsible for notifying a healthcare entity without unreasonable delay, within 60 days of discovery
- Agreements with vendors must include a requirement for immediate notice of a data breach
- Unlike HITECH, all breaches require notice by the vendor, even if there is minimal risk of harm
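The safe harbor, HITECH and FTC rules above reduce to a small decision procedure an incident response team can run at breach discovery. The following Python is an added example, not part of the presentation, and encodes only the thresholds the slides state (encrypted PHI is safe-harbored; unsecured PHI needs individual notice within 60 days; more than 500 individuals triggers HHS and media notice, otherwise an annual HHS report; PHR vendors notify the healthcare entity within 60 days and the FTC within 10 business days when more than 500 consumers are affected). Two points are assumptions, not slide content: the HHS and media notices are given the same 60-day window as the individual notice, and the business-day counter skips weekends only, not federal holidays. The sample incidents at the bottom are constructed, loosely modelled on the real cases listed earlier in the deck.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Incident:
    discovered: date
    individuals_affected: int
    phi_encrypted: bool            # encrypted to the HIPAA Security Rule standard
    significant_risk_of_harm: bool # the harm standard as the slide defines "breach"
    entity_type: str               # "covered_entity" (HITECH) or "phr_vendor" (FTC rule)


def add_business_days(start, n):
    """Count n business days forward from start (assumption: weekends only, no holidays)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            n -= 1
    return d


def notification_obligations(inc):
    """Return a list of (recipient, deadline or None, reason) for the incident."""
    if inc.phi_encrypted:
        # HHS safe harbor: secured PHI, no breach notice required
        return [("none", None, "encrypted PHI is secured PHI: HHS safe harbor")]

    obligations = []
    if inc.entity_type == "covered_entity":
        if not inc.significant_risk_of_harm:
            return [("none", None, "no significant risk of harm: not a breach under the HITECH definition on the slide")]
        deadline = inc.discovered + timedelta(days=60)
        obligations.append(("affected individuals", deadline, "unsecured PHI: notice within 60 days"))
        if inc.individuals_affected > 500:
            # Assumption: same 60-day window as the individual notice
            obligations.append(("HHS", deadline, "more than 500 individuals affected"))
            obligations.append(("media", deadline, "more than 500 individuals affected"))
        else:
            obligations.append(("HHS", None, "fewer than 500: include in annual report to HHS"))
    elif inc.entity_type == "phr_vendor":
        # FTC rule: vendor notifies regardless of risk of harm
        obligations.append(("healthcare entity", inc.discovered + timedelta(days=60),
                            "vendor must notify without unreasonable delay, within 60 days"))
        if inc.individuals_affected > 500:
            obligations.append(("FTC", add_business_days(inc.discovered, 10),
                                "more than 500 consumers: FTC notice within 10 business days"))
        else:
            obligations.append(("FTC", None, "500 or fewer consumers: annual report to FTC"))
    else:
        raise ValueError("entity_type must be 'covered_entity' or 'phr_vendor'")
    return obligations


# Constructed sample incidents (not real case data)
SAMPLES = {
    "stolen unencrypted laptops": Incident(date(2015, 5, 29), 8507, False, True, "covered_entity"),
    "stolen encrypted laptop": Incident(date(2015, 5, 29), 8507, True, True, "covered_entity"),
    "vendor briefcase theft": Incident(date(2015, 5, 29), 508, False, False, "phr_vendor"),
    "small vendor exposure": Incident(date(2015, 5, 29), 4, False, False, "phr_vendor"),
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        print(name)
        for recipient, deadline, reason in notification_obligations(inc):
            print(f"  {recipient:20} {deadline or 'annual/none':12} {reason}")
```

Running it prints each sample's recipients and deadlines; the output is a starting checklist, and the incident response plan recommended later in the deck should hold the authoritative version of these thresholds.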

NJ Breach Law Highlights


Incident Risk Control Measures (Pre/Post)

Recommendations To Address HITECH, FTC and NJ Regulations
- Update document retention policies
- Modify contracts to require immediate notice and reimbursement for notification costs
- Create an incident response plan
- Staff training

Before A Breach Consider This: Not if. But when...
1. How many customers/employees does the business have and do they have a data retention policy?
2. What types of data are stored and who does it belong to?
3. Who has access to that data?
4. Is there a breach response plan in place?
5. In the event of a breach, what response services will be needed and how will expenses get covered?

Data Risk Calculator Results: for commercial policyholders to spot and fix data security gaps; reporting capabilities for clients (date, score, user name)

Data Security Tools

Data Risk Management Website: services supported via a co-branded, secure website; includes a Knowledge Center


Post Breach Response Considerations

Breach Counseling
- Determine if a privacy breach occurred
- Assess severity of the event
- Explain breach response requirements and best practices

Crisis Management
- Time-saving professional service to guide you in handling a breach
- Work closely with policyholder and claims to outline an action plan
- Public relations assistance to help restore your business reputation

Notification Assistance
- Drafting and review service for creating notification letters
- Support in drafting and delivering alternative forms of notification
- Assistance in discussions with 3rd parties that need to be notified

Remediation Planning
- Service recommendations to impacted individuals such as call handling, monitoring products, and identity theft resolution services

Evidentiary Support
- Documentation of steps taken and remediation services provided to manage the privacy breach
- Expert testimony witness if a claim goes to court

Potential Breach Response Services Needed (Complete Solution)

Data Breach Forensics*
- Identify cause and extent of breach
- Minimize impact
- Recommendations to prevent future exploitation

Print/Mail House*
- Letter preparation, printing, mailing, tracking, reporting

Call Handling*
- Toll-free number
- Dedicated fraud specialists
- Identify special handling needs
- Call center metrics

Remediation*
- Credit file reviews
- Place fraud alerts
- Victim resolution services
- Post-fraud follow-up
- Comprehensive case files

*Additional fee required

Breach Response Team: multidisciplinary backgrounds in Data Security, IT, Computer Forensics, Business Admin and Privacy Law

Funding Data Breach Risk

Privacy Breach Coverages

Privacy Breach Expense: legal, forensic investigations, crisis management, notification, call center support, credit monitoring, fraud remediation, PR assistance

3rd Party (Liability): defense costs, fines, penalties

First Party Coverages
- Business Interruption: BI incurred as the direct result of a cyber incident which causes system failure.
- Data Restoration: pays for the restoration of any data stored on the insured's computer system that is lost due to a cyber incident (in excess of normal operating costs).
- Cyber Extortion Payments: pays expense and/or loss incurred as the result of any cyber extortion threat against an insured.
- Crisis Management Expenses: pays crisis management and public relations expense incurred as the result of a cyber incident.

First Party Coverages (cont'd)
- Notification Expenses: pays expenses incurred by the Insured to notify customers whose sensitive personal information has been breached.
- Credit Monitoring Expenses: pays expenses incurred after a breach to provide credit monitoring to the third-party individuals impacted by the breach.
- Forensic Costs: pays costs incurred for a forensics firm to determine the cause, source and extent of a Network Attack, or to investigate, examine and analyze the Named Insured's Network to find the cause, source and extent of a Data Breach.

Third Party Coverage
- Privacy Liability Coverage: covers loss arising out of the organization's failure to protect sensitive personal or corporate information in any format, including liability arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.
- Regulatory Actions: pays legal costs, fines and penalties as a result of regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.

Key Questions:
- Who owns the data?
- Who is responsible for a loss of data stored in the cloud or with my Electronic Medical Record provider?
- Do insurance policies require me to encrypt data and install firewalls on my servers? What about cell phones, laptops, thumb drives?
- What if I outsource my data to a third-party IT vendor?
- Do I have to wait for an insurance company to approve my response to a breach, or can I just respond?
- Business Interruption: if a data breach prevents me from operating my business, how long will it take before I can get payment from my insurance policy?
- How does a retro date limit coverage under a data breach policy?

The Presenters
- Gary Uzelac, CPCU, Johnson Kendall Johnson, guzelac@jkj.com, 215.579.6420
- Gary Gilmore, Wiley Mission, gfgilmore@wileymission.org, 856.983.0411
- De Andre Salter, Professional Risk Solutions, deandre@prsbrokers.com, 908.834.8401 ext 22