Cyber Insurance in an Evolving Liability Landscape: Informed, Strategic Expectations
Monday, February 29, 2016, 2:00pm to 3:00pm




Kimberly B. Holmes, Esq., RPLU
VP, Product Development, Chief Underwriting Office
OneBeacon Insurance Group
kholmes@onebeacon.com

Conflict of Interest
Kimberly B. Holmes, Esq., RPLU has no real or apparent conflicts of interest to report.

About the Speaker
Kimberly B. Holmes, Esq., RPLU, Vice President, Product Development, Chief Underwriting Office, OneBeacon Insurance Group

Ms. Holmes is responsible for Product Development across all management and professional liability product lines for OneBeacon Insurance Group, as well as for providing cyber liability technical guidance and oversight across all industry segments on behalf of the company's Chief Underwriting Office. Ms. Holmes has been a frequent speaker at health care and cyber liability industry events for more than 10 years and has authored materials on health care, health care reform and health care cyber liability for various industry publications and professional liability organizations. Kim served as Deputy Worldwide Product Manager for Chubb's Health Care management liability practice for almost 10 years, in addition to developing and executing strategy and guidance as Chubb's Health Care Cyber Product Manager, helping Chubb to secure in 2012 the American Hospital Association's exclusive endorsement as cyber insurance carrier to the health care industry. Ms. Holmes is a member of the American Bar Association's Health Law section and is admitted to the Connecticut state, federal and Maine state bars.

Session Description & Learning Objectives
PHI breaches and criminal hacking in the health care industry rose dramatically in 2015, mandating that organizations have a tailored, solid cyber insurance program in place before and after a breach. With heightened OCR scrutiny and audits coming in 2016, documenting your organization's privacy and security best practices and procedures has never been more critical. Making assumptions about what types of insurance should protect your organization in the wake of a data breach can be risky, and so is not watching your business associates closely.

Learning Objectives:
- Evaluate cyber insurance options and how different coverages are designed for different exposures stemming from a malicious service disruption or other form of data breach event
- Explain the pitfalls of making assumptions regarding what various (non-cyber) insurance products may or may not address in the wake of a health care cyber/data privacy breach event
- Describe evolving cyber liability trends in the health care industry
- Assess how to mitigate your organization's liability (under federal and state law) before a malicious hacking or other data breach occurs
- Summarize the benefits of well-planned and executed business associate agreements while evaluating how and why it is critical to monitor these relationships on an ongoing basis

Today's Cyber Insurance Landscape:

Challenges for the Cyber Insurance Industry Today:
- Lack of sound actuarial data
- Disproportionate disclosure vs. breach frequency
- Decision makers often not convinced insurance is needed
- Evolving litigation and claims landscape

Evaluating Cyber Insurance Options: What Coverage Covers What?

Types of Cyber Insurance Coverage Available
Third Party Liability:
- Cyber Liability (standard insuring clause)
First Party Costs:
- Privacy Notification Expenses
- Crisis Management Expenses (PR, forensic, legal, reward)
- E-Business Interruption Expenses
- E-Theft Loss
- E-Communication Loss
- E-Threat Expenses (extortion)
- E-Vandalism Expenses

Evaluating Cyber Insurance Options: Knowing Your Organization's Needs

Types of Cyber Insurance Coverage Available
Dedicated cyber liability products:
- Standalone (monoline) products
- Portfolio & package products
- Network Security coverage
- Privacy coverage
- 1st Party Costs coverage
- 3rd Party Liability coverage

Types of Cyber Insurance Coverage Available
Sub-limits on traditional non-cyber products:
- D&O (Directors & Officers Liability) coverage
- E&O (Errors & Omissions Liability) coverage
- Professional Liability coverage
  - Hospital Professional Liability
  - Physician Professional Liability
  - Miscellaneous Professional Liability
- GL/P&C coverage

BEWARE Assuming Other Insurance Will Fully Respond to your Breach

Pitfalls in Assuming Other Insurance Will Fully Respond to Your Breach
- Wrongful Act definitions may trigger, but only for 3rd party liability (defense/settlement) exposures
- No 1st Party coverage (notification mandated under HIPAA for PHI breaches)
- Other policy exclusions may apply to limit coverage:
  - Bodily Injury exclusion
  - Internet exclusion
  - Computer systems exclusion
  - Acts of foreign government exclusion
  - Intentional acts exclusion

Evolving Cyber Liability Trends in the Health Care Industry

Recent Market/Claim Developments:*
Hacking frequency in the health care industry significantly on the rise in 2015:
- Texas Health and Human Services (2 million individuals; Nov. 2015)
- Excellus BC/BS (10 million individuals; Sept. 2015)
- UCLA Health System (4.5 million individuals; July 2015)
- Office of Personnel Management (21.5 million individuals; June 2015)
- Premera (11 million individuals; March 2015)
- Anthem (80 million individuals; Feb. 2015)
*http://www.privacyrights.org/data-breach/new

Recent Judicial Developments:
- November 2015: ALJ dismisses FTC action against LabMD
  - Impacts FTC ability to prosecute data breach actions under the FTC Act
  - FTC failed to show LabMD's conduct harmed or would harm consumers, as required by the unfairness prong of the FTC Act (alleging data breaches are de facto "unfair" trade/business practices)
- September 2015: 7th Circuit declined to hear appeal on Neiman Marcus case; plaintiffs have standing to proceed without actual damages
  - Plaintiffs may proceed to sue for damages to prevent identity theft/fraud in the wake of a data breach even before actual identity theft/damages occur

Recent OCR Developments:
(per Jocelyn Samuels, OCR Director, speaking at the recent Healthcare Enforcement Compliance Institute, Washington, D.C.)
- Impending launch of countrywide HIPAA Phase II audits, early 2016
  - Compliance (aka ENFORCEMENT) is the focus
  - Desk audits principally the focus
  - CEs AND BAs will both be subjects of audits
  - Audit protocols to be released prior to Phase II launch
- OCR Major Concerns:
  - CE ongoing failures to address known issues and deficiencies
  - Lack of encryption
  - Lack of BAAs

Mitigating Your Organization's Liability BEFORE a Breach Occurs

BEFORE the Breach Happens
- ENCRYPT, ENCRYPT, ENCRYPT
- DOCUMENT, DOCUMENT, DOCUMENT policies/procedures & training
- DISSEMINATE & COMMUNICATE to the entire organization
- Conduct a thorough, organization-wide risk analysis (yourself or with an outside vendor)
- Document an action plan to address findings/deficiencies
- Identify resources that will be committed to address the above findings/deficiencies
- Confirm your Breach Response Team (internal points of contact, outside legal counsel, outside vendors, local/regional FBI and HHS office contacts)
- Actually USE your Incident Response Plan (IRP) & document findings

Remember
- OCR is tired of reminding CEs to do the basics: encryption, risk analysis, put BAAs in place. No need to ask for trouble; ADDRESS THESE FIRST
- DOCUMENT what you've done/assessed/found/identified to fix or address; if it's not written down, it never happened
- OCR review/scrutiny will all be Monday morning quarterbacking of your efforts; have evidence you've really done what you say you've done
- A coordinated response on the front end among all your Breach Response Team members ensures a more seamless outcome on the back end
- OCR has stated that it is not looking to put non-compliant organizations out of business, and will consider an organization's resources when assessing fines/considering settlements
- IRPs should be dynamic, active tools that you assess, update and reconfigure as needed, NOT a static document that sits on the shelf

Business Associate Agreements: Best Practices to Consider

Business Associate Agreements: WHAT they should include
- Audit rights for the Covered Entity (CE)
  - CE right to review BA contracts with subcontractors
  - CE right to inspect:
    - BA facilities, infrastructure, security systems
    - BA books and records
- BA responsibilities
  - Financial obligations
  - Indemnification obligations
  - Action obligations in the wake of a breach
    - Notification to affected individuals, media, HHS

Business Associate Agreements: WHY they should include outlined rights and responsibilities, and be audited regularly
- You want to show OCR that you are aware of your ultimate liability (and responsibility) as a CE for a breach of your PHI on your BA's watch; awareness and action on your part may mitigate your liability in OCR's assessment after the fact
- If you've negotiated the rights to inspect, audit and review: DO IT. You've now set the floor on your due diligence responsibility
- If you find deficiencies upon audit, INSIST that your BA remediate them and document the exchange to evidence your best efforts to address the noncompliance
- Having clear indemnification provisions (if possible) allows an insurance carrier to see an avenue of potential recovery should your policy be triggered by a breach event/claim
- Notification costs can be extensive depending on the number of PHI records at issue; have who's paying for it clearly spelled out in the BAA

Summary
- Many different cyber insurance coverage options exist; identify your organization's exposures and coverage needs, and customize terms accordingly to maximize the coverage your organization needs for the premium dollars spent
- Depending on the size of your organization and number of PHI records, absorbing the bottom-line cost of a data breach, uninsured, can be devastating. Do NOT assume that other non-cyber insurance products can substitute for a standalone cyber insurance product
- Hacking frequency is significantly increasing in the health care industry, as it is widely known that health care lags behind other industry sectors in IT infrastructure while at the same time widespread sharing of electronic PHI is increasing astronomically
- OCR's planned launch of HIPAA Audits Phase II during 2016, focusing on desk audits and compliance, should underscore the need to document, document, document your organization's ACTIVE cyber best practices BEFORE a breach event occurs
- Business Associate Agreements (BAAs) are a must to have in place to satisfy OCR audit review, but actively auditing your Business Associates routinely (as provided for in the BAA) shows the due diligence that may reduce your organization's exposure after a breach

Questions? kholmes@onebeacon.com