Who Needs Cyber Insurance? A Review of Insurable Privacy Exposures Today
George N. Allport, Chubb Specialty Insurance
and Steven H. Anderson, XL Insurance

Antitrust Notice
• The Casualty Actuarial Society is committed to adhering strictly to the letter and spirit of the antitrust laws. Seminars conducted under the auspices of the CAS are designed solely to provide a forum for the expression of various points of view on topics described in the programs or agendas for such meetings.
• Under no circumstances shall CAS seminars be used as a means for competing companies or firms to reach any understanding – expressed or implied – that restricts competition or in any way impairs the ability of members to exercise independent business judgment regarding matters affecting competition.
• It is the responsibility of all seminar participants to be aware of antitrust regulations, to prevent any written or verbal discussions that appear to violate these laws, and to adhere in every respect to the CAS antitrust compliance policy.

Slide 2 Chubb & Son, a division of Federal Insurance Company

Legal Disclaimer
The views, information and content expressed herein are those of the authors and do not necessarily represent the views of any insurers of the Chubb Group of Insurance Companies or of XL Insurance. This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued. The precise coverage afforded is subject to the terms and conditions of the policies as issued. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel.
Caring Hands Hospital System, A Unit of CH Healthcare, Inc.
[Sample hospital website shown on the slide: "Caring Hands Tour", "The New ED", "Celebrates 'Teach Your Child to Cook Month'"]

"The Cyber ID Thief"
On a "black hat" website, Myra learns how to write a SQL Injection script that allows her to gain access to Caring Hands databases through their website. She is able to access and download over the Internet names, addresses and Social Security numbers of 11,500 CH patients. She then sells the information to mobsters in Eastern Europe. Caring Hands, in accordance with HIPAA, notifies their patients of the "breach".

Data Breaches – Growing In Number!
Between January 10th, 2005 and March 6th, 2011, 515,002,269 records containing "sensitive personal information" have been involved in security breaches!
Source: Privacy Rights Clearinghouse, A Chronology of Data Breaches, updated March 8th, 2011, www.privacyrights.org
Number of Data Breaches
[Bar chart: breaches per year, 2005 through 2010; vertical axis 0 to 600]
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches

Data Breaches By Industry (2007–2010)
[Pie chart]
• Health Care 21%
• Education 21%
• Government/Military 19%
• Financial Services 14%
• Retail/Merchant 10%
• Non-Profit 3%
• Other 12%
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches

Breaches By Cause (2007–2010)
[Pie chart]
• Portable Device 29%
• Unintended Disclosure 19%
• Hacking 17%
• Physical Loss 14%
• Insider 11%
• Stationary Device 6%
• Unknown 3%
• Payment Card Fraud 1%
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches
So, Why Does Caring Hands Care?

State Statutes
California was the first state to enact "security breach notification" legislation – July 1, 2003 [SB 1386]. Currently, 46 other states have enacted some type of security breach notification legislation, including:
• Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Maine, Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, Washington and Wyoming.

The Reach Of The Laws
"Personal Information" Examples
Illinois and the District of Columbia don't require that a security code be accessed along with a credit or debit card number. Oregon includes passport number or other United States issued identification number. California, along with Missouri, includes "medical information" and "health insurance information". Kansas and Maryland don't define "personal information".

Methods of Notification
• Written (i.e. first class mail);
• Electronic (i.e. email);
• Telephonic;
• Substitute;
• Email;
• Notice on Website; and
• Notice to, or in, Media.

HIPAA Update – 2009
• Requires notification within 60 days of a privacy breach involving an individual's HIPAA-covered personal health information.
• Requires business associates to meet most security requirements that previously applied only to covered entities.
• Authorizes state attorneys general to bring suit for HIPAA violations.
• Requires notification of the Department of Health & Human Services and the media in privacy breaches involving 500 or more individuals.
Gramm-Leach-Bliley Act
The Financial Services Modernization Act of 1999 requires that financial institutions:
• "ensure the security and confidentiality of customer records and information;
• protect against anticipated threats or hazards to the security or integrity of such records;
• and protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."
Generally criticized by privacy advocates because enforcement rests solely with Federal regulators and the individual has no private right of action.

Typical Breach Related Expenses
Forensics
• Legal Expenses for Outside Attorney
• Cost of Forensic Examination
• Cost To Remediate Discovered Vulnerabilities
Notification
• Legal review and assessment
• Crafting letter or other notification
• Printing or design
• Mailing or other transmission
• Call Center Operations
Public Relations
• Advertising & Press Releases
• Services for Affected Persons: Credit Monitoring

2009 Annual Study: Cost of a Data Breach – Costs By Activity
Source: Ponemon Institute, LLC, January 2010

Activity                            Percent   Dollar
Outbound Contact                        6%      $12
Public Relations/Communications         1%       $2
Inbound Contact                         5%      $10
Legal Services – Defense               14%      $29
Identity Protection Services            2%       $4
Investigation & Forensics               8%      $16
Audit & Consulting Services            12%      $24
Legal Services – Compliance             2%       $4
Free or Discounted Services             1%       $2
Lost Customer Business                 40%      $82
Customer Acquisition Cost               9%      $18
Total                                 100%     $203
"Notification" – Then "Litigation"
Legal
• Response to Claims or Suits
• Payment of Judgments or Settlements
Notification
• Crafting letter or other notification
• Printing or design
• Mailing or other transmission
• Call Center Operations
Public Relations
• Advertising & Press Releases
• Other Services for Affected Persons: Credit Monitoring
Forensics
• Legal Expenses for Outside Attorney
• Cost of Forensic Examination
• Cost To Remediate Discovered Vulnerabilities

Damages – An Obstacle For Persons
• Loss of wages due to time taken to prove "identity theft" to MasterCard and Visa;
• Expense of legal and other resources necessary to prove "identity theft" to MasterCard and Visa;
• Loss of business advantage due to effect of fraudulent charges on FICO scores;
• Fear, emotional distress, mental anguish.

Whose Fault Is It, Anyway?
Immediately following the discovery of their breach, Caring Hands retains Ace Investigators, a forensic investigator, to identify the cause of the breach. Ace quickly discovers that Health Care Designs, the company CH hired to design and build their website, did not employ standard security measures when coding the website. This made it easy for Myra to hack the site and access the patient data. Caring Hands brings a suit against HCD to recoup their notification costs.
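The scenario above turns on one coding defect: the website let visitor input alter the SQL sent to the patient database. The slides do not show Health Care Designs' code, so the following is an added example, not from the presentation or from any party it names. It builds a constructed in-memory SQLite table (three made-up patients, fake SSNs) and compares a lookup that pastes input into the query text with the hardened form that passes the input as a bound parameter, returning row counts so the difference is measurable. The function and table names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory stand-in for the patient database
# in the slide scenario. Names and SSNs are invented, not real records.
SAMPLE_PATIENTS = [
    (1, "Alice", "Adams", "123-45-6789"),
    (2, "Bob", "Baker", "987-65-4321"),
    (3, "Carol", "Chen", "555-55-5555"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, first TEXT, last TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name):
    """The pattern the slide describes as lacking standard security measures:
    visitor input is spliced into the SQL text, so the input can rewrite the
    WHERE clause and return rows the visitor was never meant to see."""
    sql = f"SELECT id, first, last, ssn FROM patients WHERE last = '{last_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    """Hardened form: a parameterized query. The driver sends the input as a
    bound value, never as SQL, so it can only ever match a literal last name."""
    sql = "SELECT id, first, last, ssn FROM patients WHERE last = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with an injection-shaped
    input, and return the row counts so the exposure is visible as a number."""
    conn = build_db()
    ordinary = "Baker"
    # Textbook tautology input: closes the string literal and appends OR '1'='1'.
    hostile = "x' OR '1'='1"
    results = {
        "vulnerable_ordinary": len(lookup_vulnerable(conn, ordinary)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_ordinary": len(lookup_safe(conn, ordinary)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

With the constructed table, the ordinary name returns one row from either function; the hostile input returns every patient row from the string-built query and nothing from the parameterized one. A code review of a vendor-built site, or a forensic review like the one Ace performs in the scenario, looks for exactly this distinction: any SQL assembled from request data with string formatting rather than bound parameters.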