Your source for professional liability education and networking.
Press to Bankrupt Your Company: Cyber Liability for Small and Medium Business

Professional Liability Underwriting Society
Moderator: Jake Kouns, Director of Cyber Security and Technology Risks Underwriting, Markel
Panelists:
– Jason Bucher, Senior Underwriter of Professional Liability, Admiral
– Craig Dunn, VP - Financial Services Broker, AmWINS
– Kai Hecker, Campbell & Chadwick
– Rich Mather, Assistant Vice President, Errors and Omissions Claims, Allied World

Agenda
A. Case Example - Cyber Liability for Small to Medium Businesses
B. State of the Market
C. Legal Overview
D. Cyber Liability Coverage
E. Data Breaches and Claims
F. Predictions and Q&A

Case Example: Cyber Liability for Small to Medium Businesses

Case Details (redacted)
– A small company that reviewed medical records for workers' compensation and auto casualty insurance claims
– Records were transmitted from clients to the business via an electronic portal for the business to review
– The web portal was secure, with proper encryption
– A New Year's Eve break-in at the business's physical location resulted in electronic equipment being stolen, including backup tapes and storage devices
– Data was not encrypted while at rest; as such, the data is construed as lost and breached under HIPAA / HITECH and subject to notification requirements

Need More Info
What are some important pieces of additional information that we need to know to understand just how bad this could be?
– The number of records impacted: approximately 14,000
– Clarification on the type of data lost
– Clarification on encryption
– Legal understanding (customer states involved)
– No collectible or applicable insurance held

Case – Insurance Study
What types of widely available insurance products could have been their salvation?
– First Party Data Privacy Coverage: a $50,000 sub-limit may have been sufficient
– Third Party Data Privacy Coverage
– Technology E&O vs. Monoline Data Privacy coverage: either form would have assisted on the front end, but the third party liability cover may have demanded Tech E&O

Case – Insurance Study
What would be some of the concerns with the policy to ensure coverage was sufficient?
– Exclusions that need to be minded: Unencrypted Data, Failure to Update / Maintain Security, Failure to Meet / Exceed Security on App
– Definitions that need to be minded: definition of expenses included, definition of coverage triggers and data covered
– Conditions that need to be minded: notification requirements, vendor stipulations
– Limits / Sub-limits

Case Continues, and Thickens
What do you think happened to this company? What were the impacts?
– The cost to notify and mitigate the loss was greater than available cash on hand
– Pending liability from clients and individuals forced drastic action
– Chapter 7 bankruptcy was filed 69 days after the break-in!!

State of the Market
How is cyber liability really doing? Is it selling? Who is buying it? Where is it in the product life cycle?

State of the Market
Observations from the field have led to the following points for discussion:
– Awareness is widespread
– Market participation is growing
– Claims experience is building
– Product access and support need attention

Awareness is Widespread
Agents, brokers, and business owners are inundated with e-blasts, market announcements, claims examples…
– Details and nuances are often overlooked
– Marketing vs. Underwriting
– The trap of the term / phrase "Cyber": the concept of Privacy Liability is overlooked

Participation is Growing
– "Growing" is an understatement
– Multiple interpretations of the hazards faced lead to confusion
– Multiple offerings: Monoline, endorsements to other Professional lines, modules to other Casualty lines
– No market standard per se, but emerging trends and concepts

Experience is Building
– Carriers are starting to pay out
– Brokers have first-hand experience of what a Data Breach Response entails
– Emerging metrics and statistics on loss payments are assisting in building rate commonality
– Loss support service expenses are dropping

Legal Overview
– Practical steps to keep a company's cyber horses in the barn?
– What information must be protected?
– What is the current legal stance in Texas?
– Texas' new HIPAA companion law
– Massachusetts obligations and requirements
– Patco Construction Co. vs. People's United Bank

Cyber Liability: Who's coming after you?
– Individual Victims
– The State of Texas Attorney General
– Licensing Agency
– Other State AGs
– Federal Government
– Foreign Governments
– Shareholders / Partners
– Contract Parties / Data Owners

Cyber Liability
– 46 states & DC have notification laws; AL, KY, NM & SD do not.
– The Senate just killed uniform national rules
– HIPAA & banking notification requirements
– Canada & E.U. requirements

Cyber Liability: Texas
– Mandatory notification requirement
– Duty to protect Sensitive Personal Information: "A business shall implement and maintain reasonable procedures […] to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business…"
– Bonus: includes nonprofit athletic & sports associations

Cyber Liability: Who can sue you, and are you covered?
Plaintiffs: Individual Victims; The State of Texas Attorney General; Licensing Agency; Other State AGs; Federal Government; Foreign Governments; Shareholders / Partners; Contract Parties / Data Owners
"Covered?" column (in the order shown): Cyber Defense; Cyber ?; CGL/E&O ?; same; same*; Unlikely D&O; CGL

Which Laws are Applicable to Me?

Cyber Liability Coverage
New exposures? New coverage options? How can brokers, underwriters, and the client better work together?

Common Privacy Breach Allegations
– Invasion of the customer's (or employee's) right to privacy
– Failure to implement and maintain reasonable security procedures
– Unfair, deceptive, and unlawful business practices
– Negligence
– Emotional distress
– Brought individually or as class actions

Classes with Privacy Exposure
– Auditor
– Bank / Financial Institution
– Data Storage / Destruction firms
– Debt collectors
– Drug Testing Agency
– Health Clubs
– Hospitals / Medical Group
– Hotel
– Insurance Agent / Broker
– Insurance Company
– Internet Kiosk operator
– Investment Advisor
– Lawyers
– Medical Billing Firm
– Mortgage Broker
– Pension Plan Administrators
– Pharmaceutical company with clinical trials
– Private Investigators
– Public Entities
– Real Estate Agent / Title Agent
– Retail store
– School
– Staffing Firm
– Travel Agent
– Web-based e-Commerce

Cyber Liability Insuring Agreements
– 1st Party Business Interruption: covers lost business income in the event a virus infection shuts you down.
– 1st Party Data Asset: covers your expenses to recover lost data.
– Cyber Extortion: covers expenses and ransom if a hacker threatens to shut you down. This insuring agreement often covers reward amounts offered to catch the extortionist.
– Network Security: covers your liability when hackers use your system to inflict damage on others.
– Privacy:
  – Notification Expenses: when data is lost, you must notify all potential victims within a short period of time, as required by state laws.
  – Credit Monitoring: policies will cover up to 1 year of credit monitoring services for those exposed. In some cases 2 years of monitoring will be available.
  – Credit Repair Services: 1 year of services to repair the credit of an actual identity theft victim.
  – Crisis Management: public relations expense coverage to protect your image.
  – Regulatory Defense and Expenses: many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage for regulatory proceedings and in some cases cover penalties where insurable.
– Electronic Media: covers website content liability (copyright, libel, slander, etc.)

Gaps in Current Cyber Forms
– Many Internet policy forms only cover web content, not identities.
– Many insurers will only offer $250,000 of notification and credit monitoring expense coverage, while others will offer up to the policy limit.
– A handful of insurers will insure regulatory civil fines and penalties where insurable. Others only provide defense.
– Pay attention to the sublimits offered. Every insurer offers something different.
– Some insurers have coinsurance provisions applicable to the expense coverage.
– Some policy forms only cover paper records if they were generated electronically.
– Some insurers are not covering employee records (insured vs. insured exclusions).
– Some insurers are not covering data breaches caused by employees of the insured (rogue employees).
– Some insurers will cover mental anguish and emotional distress arising from a privacy breach; others will exclude anything arising out of or related to bodily injury.
– Some insurers have exclusions applicable if the insured does not continuously upgrade or maintain the same level of security as was in place at the time coverage was bound.

Data Breaches and Claims
What are the data breach and claims trends? How should you manage third party vendors? Real examples & how insurance has responded

Data Breach Trends

Data Breaches and Claims
Third Party Liability Claims / Regulatory Agency Investigations:
– Liability based on allegations of direct harm: provable identity theft with traditional damages; claims from third parties who incurred response costs to a breach by the insured
– Liability theory based on harm avoidance / possibility of harm
– Liability theory based on statutory violations with no need for traditional damages

How to Manage Third Party Vendors
– First, understand how your policy treats breaches by vendors. This is particularly critical for coverage for first party expenses.
– Review your contracts with vendors regarding indemnity and security protocols for handling data.
– Confirm vendors have their own insurance coverage.
– It is critical that this happens before the ink dries.

Cyber Liability: what a breach costs
– Investigation, Mitigation, Regulatory Compliance, Legal Costs: 5,000 records at $194 per record = $970,000.00
– At $15k per case: $750,000.00
– Total: $1,720,000.00 + Settlements + Fines

Data Loss Expenses
Statistics from the Ponemon Institute 2011 Cost of Breach Study:
– Average total cost per reporting company: $5.5 million
– Average per-record cost of a data breach: $194 (expect about $60 per record for notification and credit monitoring)
Per Capita Costs of a Breach by Industry Classification:
– Healthcare: $240
– Financial: $247
– Hospitality: $116
– Services: $185
– Pharma: $276
– Average: $194
Cause of Data Breach:
– System glitch: 24%
– Negligence: 39%
– Cybercrime or hack: 37%

Claims Examples
Claims Scenario #1: 24,000 patient records were compromised at a mid-sized hospital. State regulatory requirements were triggered. The hospital was required to notify every patient of the breach via certified mail.
– Damages: $240,000
– Defense Costs: $42,500
– TOTAL AMOUNT PAID: $282,500
Claims Scenario #2: A pharmacy sold a computer to a private individual that still contained prescription records, including the names, addresses, social security numbers and medication lists of pharmacy customers. State law regulations required certified notification to all of the affected parties. Two lawsuits were filed: 1) the plaintiff alleged damages due to job loss as a result of the disclosure; 2) the plaintiff alleged her identity was stolen and sued to recover the costs of correction and emotional distress. A HIPAA investigation was triggered.
– TOTAL AMOUNT PAID IN EXCESS OF: $410,000

Identity Theft Adds Up
Source: Federal Trade Commission (February 2012), Consumer Sentinel Network Data Book: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2011.pdf
Multiply the $14,000 in average individual losses from the previous slide by the roughly 280,000 cases in 2011 and you get approximately $3.9 billion in potential damages. This is before including pain, suffering, legal fees and other demands from the victims.

Cyber Liability
Encrypt Data:
– Microsoft Encrypting File System
– Microsoft BitLocker
– TrueCrypt
Secure Paper
SuGAR mandatory: Super Geek Assistance Required

Predictions and Q&A

Contact Us
Moderator: Jake Kouns, Director of Cyber Security and Technology Risks Underwriting, Markel
Panelists:
– Jason Bucher, Senior Underwriter of Professional Liability, Admiral - JBucher@admiralins.com
– Craig Dunn, VP - Financial Services Broker, AmWINS
– Kai Hecker, Campbell & Chadwick
– Rich Mather, Assistant Vice President, Errors and Omissions Claims, Allied World