Data Breach Insurance

Roberta D. Anderson, [email protected], @RobertaEsq

Cyber Security Issues in the Healthcare Industry

PBI 21st Annual Health Law Institute
Pennsylvania Convention Center, March 13, 2015

AGENDA

• Practical Risk and Exposure
• Legal and Regulatory Framework
• Trends
• What to Do Before and After a Breach
• Potential Coverage Under “Legacy” Policies
  • Potential Coverage
  • Limitations of “Legacy” Insurance Policies
• Cutting Edge “Cyber” Products
  • Types of Coverage
  • Avoid the Traps!
  • How to Enhance “Off-the-Shelf” Cyber Insurance Forms Through Negotiation
• Audience Q&A

PRACTICAL RISK AND EXPOSURE

• Malicious attacks: Advanced Persistent Threats, social engineering, viruses, worms, Trojans, DDoS attacks
• Data breach
• Software vulnerability (Heartbleed)
• Unauthorized access (spyware)
• Inadequate security and system glitches
• Employee mobility and disgruntled employees
• Lost or stolen mobile and other portable devices
• Vendors/outsourcing (the function but not the risk) & the “cloud”
• Human error
• The Internet of Things/Medical Devices

Source: Ponemon Institute 2014 Cost of Data Breach Study – Global

PRACTICAL RISK AND EXPOSURE

Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014)

• Breach Notification Costs/Identity Monitoring
• Computer Forensics/PR Consulting
• Loss of Customers/Revenue
• Damaged Reputation/Brand
• Regulatory Actions/Fines/Penalties/Consumer Redress
• Lawsuits & Defense Costs
• Loss of “Crown Jewels”
• Business Interruption & Supply Chain Disruption
• Drop in Stock Price/Loss of Market Share
• Potential D&O Suits (Target)

PRACTICAL RISK AND EXPOSURE

• “[T]he average total cost of a data breach for the companies participating in this research increased 15 percent to $3.5 million”
• “The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.”
• “However, German and US organizations on average experienced much higher costs at $195 and $201, respectively.”
• “These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million)”
• “[W]e do not include data breaches of more than approximately 100,000 compromised records in our analysis.”

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)

LEGAL AND REGULATORY FRAMEWORK

• Federal Cybersecurity/Data Privacy Laws
  • Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Fair Credit Reporting Act/The Fair and Accurate Credit Transactions Act
  • Federal Trade Commission Act
• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes
  • 47 states, D.C., & U.S. territories breach notification laws
  • State Security Standards (MA, CA, CT, RI, OR, MD, NV)
• SEC Cybersecurity Guidance
• NIST Cybersecurity Framework

FEDERAL PRIVACY LAWS

• HIPAA
  “A covered entity or business associate must, in accordance with §164.306 [“Security standards: General rules”] … [i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart….” (45 C.F.R. §164.316(a).)

• HITECH
  “A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information … shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.” (42 U.S.C. §17932.)

FEDERAL PRIVACY LAWS

• Industry-specific, e.g. HIPAA / HITECH

HHS OCR AND HIPAA/HITECH

• Privacy Rule
• Security Rule
• Breach Notification Rule

FEDERAL PRIVACY LAWS

• Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act
  • “It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.” (15 U.S.C. §1681.)
  • Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft. (16 CFR § 681.1.)

FEDERAL PRIVACY LAWS

• Federal Trade Commission Act
  Section 5 empowers the FTC to “prevent . . . unfair or deceptive acts or practices in or affecting commerce”:
  The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. § 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. § 227(b) ], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce. (15 U.S.C.A. § 45(a)(2).)

STATE PRIVACY LAWS/CONSUMER PROTECTION LAWS

SEC CYBERSECURITY GUIDANCE

• “[A]ppropriate disclosures may include”:
  • “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
  • “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
  • “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
  • “Risks related to cyber incidents that may remain undetected for an extended period”; and
  • “Description of relevant insurance coverage.”

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”

Alion Science and Technology Corp. S-1 filing (March 2014)

SEC CYBERSECURITY GUIDANCE

“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses”

Target Form 10-K (March 2014)

SEC CYBERSECURITY GUIDANCE

“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities . . . . In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014

SEC CYBERSECURITY GUIDANCE

NIST CYBERSECURITY FRAMEWORK

• NIST Cybersecurity Framework—provides a common taxonomy and mechanism for organizations to:
  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.
• The Framework is voluntary (for now)

NIST CYBERSECURITY FRAMEWORK

NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/

Figure text: 85% of security budgets currently go here. According to Gartner: By 2020, 75% of security budgets will go towards detection and response.

NIST CYBERSECURITY FRAMEWORK

PCI DSS

“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”

TRENDS

TRENDS—OCR RESOLUTION AGREEMENTS

• Providence Health & Services ($100K)
• CVS Pharmacy ($2.25M)
• Rite-Aid ($1M)
• Management Services Organization of Washington ($35K)
• Cignet ($4.3M)
• Massachusetts General Hospital ($1M)
• UCLA Health Services ($865K)
• Blue Cross Blue Shield of Tennessee ($1.5M)
• Idaho State University ($400K)
• Shasta Regional Medical Center ($275K)
• WellPoint ($1.7M)
• Affinity Health Plan ($1.2M)
• Adult & Pediatric Dermatology, P.C. ($150K)
• Skagit County, WA ($215K)
• Alaska Medicaid ($1.7M)
• Phoenix Cardiac Surgery, P.C. ($100K)
• Massachusetts Eye and Ear Infirmary ($1.5M)
• Hospice of North Idaho ($50K)

TRENDS—ENFORCEMENT HOT BUTTONS

• Risk assessments
• Encryption
• Business Associate Agreements/Vendor Agreements
• Documentation of breaches
• Policies and procedures
• Notice and Consent
• EU US Safe Harbor

TRENDS—ARTICLE III STANDING—CLAPPER

TRENDS—ARTICLE III STANDING—GALARIA

TRENDS—ARTICLE III STANDING—NEIMAN MARCUS

TRENDS—ARTICLE III STANDING—SONY

TRENDS—ARTICLE III STANDING—MICHAELS STORES

TRENDS—ARTICLE III STANDING—ADOBE

TRENDS—SHAREHOLDER LITIGATION—TARGET

TRENDS—SHAREHOLDER LITIGATION—WYNDHAM

TRENDS—REGULATORY ACTION—WYNDHAM

TRENDS—FTC REGULATORY ACTION—WYNDHAM

TRENDS—SEC—“THE NEW SHERIFF”

TRENDS—FCC

AN INTERNATIONAL ISSUE

Slide text: Only 20 percent of IT professionals frequently communicate with executive management about potential cyberattacks?

Speech bubbles: “HELP”; “FTC, SEC, FINRA, oh my. And now FCC”; “What do our disclosures say?”; “Byte me.”; “Do we have an incident response plan in place?”; “What’s PCI DSS?”; “Is our breach response plan up to date and effective?”; “Is it 5 o’clock yet?”; “Do we have insurance to cover this?”; “What’s the deal with our vendors?”

BEFORE AND AFTER A BREACH

WHAT TO DO BEFORE AN INCIDENT?

• Pro-active management of cyber risks at the C-Suite level
• Assessment of key risks impacting the business and identifying critical information assets
• A graded cybersecurity assessment
• Regular internal training on information management and IT security
• Have an incident response plan in place before a cybersecurity incident
• Pay attention to vendor contracts
• Address and mitigate risk through insurance

Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014)

WHAT TO DO BEFORE AN INCIDENT?

WHAT TO DO AFTER AN INCIDENT?

• Look (hopefully) to the incident response plan
• Notification of a security breach must be given to all or some of:
  • Potentially impacted individuals
  • State AGs / Regulators
• “Breach coach” counsel should:
  • Advise on who, when, and how to notify
  • Engage pre-vetted forensics professionals and other crisis management responders (e.g., credit monitoring, public relations)

WHAT TO DO AFTER AN INCIDENT?

• Don’t panic. Follow the plan.
• Mobilize first-response team
• Immediately call breach coach counsel
• Forensics
  • Investigate, isolate, contain, and secure systems / data
  • Preserve evidence
  • Document everything
• PR
• Consider contacting law enforcement
• Start thinking notification

WHAT TO DO AFTER AN INCIDENT?

1. Record the date and time of discovery and time when response efforts begin.
2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
3. Investigate, while preserving evidence.
4. Stem additional data loss.
5. Document everything known about the breach.
6. Interview those involved in discovering the breach and anyone else who may know about it.
7. Consider notifying law enforcement after consulting with legal counsel.
8. Revisit state and federal regulations governing your industry and the type of data lost.
9. Determine all persons/entities that need to be notified, i.e. customers, employees, the media.
10. Ensure all notifications occur within any mandated timeframes.

Don’t Panic. Follow the plan.

WHAT TO DO AFTER AN INCIDENT?

Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014)

POTENTIAL COVERAGE UNDER “LEGACY” POLICIES

POTENTIAL COVERAGE

• Directors’ and Officers’ (D&O)
• Errors and Omissions (E&O)/Professional Liability
• Employment Practices Liability (EPL)
• Fiduciary Liability
• Crime
  Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• Property
• Commercial General Liability (CGL)

POTENTIAL COVERAGE

• Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”
• “Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”

What is a “Person’s Right of Privacy”?

What is a “Publication”?

Does the Insured Have to “Do” Anything Affirmative And Intentional to Get Coverage?

LIMITATIONS OF “LEGACY” POLICIES

LIMITATIONS OF “LEGACY” INSURANCE POLICIES

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

LIMITATIONS OF “LEGACY” INSURANCE POLICIES

• Zurich American Insurance Co. v. Sony Corp. of America et al.

CUTTING EDGE “CYBER” PRODUCTS

• Privacy And Network Security
  Provides Coverage for Liability (Defense and Indemnity) Arising Out of Data Breaches, Transmission of Malicious Code, Denial of Third-Party Access to the Insured’s Network, and Other Network Security Threats
• Regulatory Liability
  Provides Coverage for Liability (Defense and Indemnity) Arising Out of Administrative or Regulatory Investigations, Proceedings, Fines and Penalties
• Crisis Management
  Provides Coverage for Forensics Experts, Notification, Call Centers, ID Theft Monitoring, PR and Other Crisis Management Activities
• Media Liability

CUTTING EDGE “CYBER” PRODUCTS

• Network Interruption And Extra Expense (and CBI)
  Provides Coverage for Lost Business Income and Extra Expense Caused By Malicious Code, DDoS Attacks, Unauthorized Access to, or Theft of, Information, and Other Network Security Threats
• Digital Asset Coverage
  Provides Coverage for Damage To or Theft of the Insured’s Own Systems and Data
• Cyber Extortion
  Provides Coverage for Losses Resulting From Extortion, e.g., Payment of an Extortionist’s Demand to Prevent a Cybersecurity Incident
• Emerging Markets

REMEMBER THE SNOWFLAKE

TRAP EXAMPLE

AVOIDING THE TRAPS

REMEMBERING THE SNOWFLAKE

TIPS FOR A SUCCESSFUL PLACEMENT

■ Embrace a Team Approach
■ Understand the Risk Profile
■ Review Existing “Legacy” Coverages
■ Purchase Specialty “Cyber” Coverage as Needed
■ Remember the “Cyber” Misnomer
■ Spotlight the “Cloud”
■ Consider the Amount of Coverage
■ Pay attention to the Retroactive Date and ERP
■ Look at Defense and Settlement Provisions
■ Engage Coverage Counsel

AVOIDING THE TRAPS

BEWARE THE FINE PRINT

“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”

Roberta D. Anderson, Partner, K&L Gates LLP (March 13, 2015)

AUDIENCE Q&A

Roberta Anderson, Partner, K&L Gates LLP, (412) 355-6222, [email protected], Twitter: @RobertaEsq, LinkedIn: robertaandersonesq, Insurance Thought Leadership
