
2010 Professional Risk Symposium: EPL, E&O and Fiduciary Chicago, IL ~ March 18 & 19, 2010 Data Breach: Red Flag Rule, HITECH Act & Litigation Update


Page 1: 2010 Professional Risk Symposium: EPL, E&O and Fiduciary Chicago, IL ~ March 18 & 19, 2010 Data Breach: Red Flag Rule, HITECH Act & Litigation Update


Page 2

Data Breach: Red Flag Rule, HITECH Act & Litigation Update

Moderator:

Lori S. Nugent, Esq., Partner, Wilson Elser

Panelists:

Nancy Lyons Callahan, CPCU, CIPP, Consultant

Michael Carr, Vice President, Navigators Pro

Manny Cho, Senior Vice President, Program Management, Aon Affinity Business Insurance Solutions

K Royal, JD, CIPP, Privacy & Security Officer, Assistant Vice President, Concentra

Page 3

The Rising Tide of Cyber Crime: The Problem, Solutions and Practical Tips

• Overview of Data Breaches

• Government Efforts to Fight Cyber Crime

• Cyber Liability Trends

Page 4

Overview of Data Breaches: How Big is the Cyber Crime Problem?

The Breach Leader: Healthcare, Banking, or Other Business?

Page 5

The Breach Leader: Business

Records Breached in 2009, based on Identity Theft Resource Center® (“ITRC”) data at http://www.idtheftcenter.org/artman2/uploads/ITRC_Breach_Stats_Report_20100106_1.pdf

• Business 58.9%

• Government/Military 35.7%

• Medical/Healthcare 5.1%

• Educational 0.4%

• Banking/Credit/Financial 0.1%

Page 6

Frequent Types of Data Breaches

• Office Break In

• Laptop/USB Drive Mislaid or Stolen

• Paper Document Lost or Thrown Away

• Mailing Error

• Misdirected Fax

Page 7

Severe Types of Data Breaches

• SQL Injection Attacks

• Botnets

• Social Engineering

• P2P Networks

• Employee/Former Employee/Vendor

Page 8

Government Efforts to Fight Cyber Crime with New Laws and Regulations

• State Laws and Trends

• Key Federal Laws, Regulations and Practical Ways to Comply

• Cyber Liability Litigation Trends

Page 9

Government Efforts to Fight Cyber Crime with New Laws and Regulations

• State Laws and Trends: 45 States with Breach Notification Laws

• Texas

• Nevada

• Massachusetts

• Attorney General/Other Agency Notification

Page 10

Government Efforts to Fight Cyber Crime with New Laws and Regulations

• Key Federal Laws, Regulations and Practical Ways to Comply

• Red Flags Rule

• HITECH Act

• Federal DATA Bill

Page 11

Government Efforts to Fight Cyber Crime with New Laws and Regulations

• Red Flags Rule: Detect, Prevent and Mitigate Identity Theft. Applies to:

• Financial Institutions

• Creditors: Regularly accept deferred payment

• Covered Accounts: Permit multiple payments/transactions; At risk for identity theft

Page 12

Government Efforts to Fight Cyber Crime with New Laws and Regulations

• Red Flags Rule - Covered Accounts? Does the operation offer or maintain accounts for personal, family or household purposes that involve or are designed to permit multiple payments or transactions?

• Does the operation have accounts at risk for identity theft, or at risk for the company from a financial, operational, compliance, reputation or litigation risk standpoint?

Page 13

Government Efforts to Fight Cyber Crime with New Laws and Regulations

• Red Flags Rule: Even if outside of the Red Flags Rule, consider:

• Negligence Exposure/Hindsight Bias

• Reputational Risk

Page 14

Government Efforts to Fight Cyber Crime with New Laws and Regulations

Red Flags Rule: Practical Steps

1) Identify PII

2) Specify security in place

3) Detect “red flags” indicating potential theft

4) Specify responses to “red flags”

5) Train employees on “red flags” and responses

6) Update “red flags” at least annually

7) Written plan approved by Board of Directors

Page 15

Government Efforts to Fight Cyber Crime with New Laws and Regulations

HITECH Act Covers:

• Healthcare Providers

• Insurers

• Clearinghouses

• Business Associates

Page 16

Government Efforts to Fight Cyber Crime with New Laws and Regulations

HITECH Act applies to handling Protected Health Information (“PHI”), including personal information about patient health, as well as other protected information such as name, Social Security number, address and insurance account numbers.

Bottom Line Impact: Up to $50,000/violation; $1,500.00/year + other remedies

Potential criminal penalties for involved employees

Connecticut Enforcement Against Health Net

Page 17

Government Efforts to Fight Cyber Crime with New Laws and Regulations

HITECH Act’s Stringent Notification:

• 60 day notification requirement

• New guidelines for letter content and address verification

• Maintain and report log of breaches to HHS

• Breaches of 500 or more records require posting to “prominent media outlets” and immediate notification to HHS

Page 18

Government Efforts to Fight Cyber Crime with New Laws and Regulations

• Federal Data Accountability and Trust Act (DATA): Pending federal legislation to create consistent customer data breach notification

• Focus on "data brokers"

• Requires customers to be notified of breach and provided with quarterly credit reports at no charge

Page 19

Government Efforts to Fight Cyber Crime with New Laws and Regulations

Federal DATA Act (cont’d)

Types of data leaks that require notice:

• Social Security Numbers (SSNs)

• Credit card or debit card information

• Financial account numbers

• State identification

• Driver's license numbers

Status: http://thomas.loc.gov, using House bill number H.R.2221

Page 20

Government Efforts to Fight Cyber Crime with New Laws and Regulations

Real World Compliance: What Works

• Red Flags Document/Training

• Coordination: IT, Legal, Human Resources, Operations handling PII or PHI

• Commercial Reasonableness/Hindsight Bias

Page 21

Cyber Litigation Trends

Privacy/Security Breaches

• Avoiding Spoliation

• Jurisdiction

• Motions to Dismiss

• Class Certification and Settlement

Technology Errors & Omissions

• Vendor Contracts

Cyber Media Liability

• Social Media

• Email Publishing

Page 22

Cost of a Data Breach: Example

Tangible Costs

• Legal Fees $100,000

• Customer Notification $10,000

• Public Relations $20,000

• Credit Monitoring $50,000

• Customer Demands (Reimbursement) $300,000

• Forensic Investigation $25,000

Total $505,000

Insurable Costs $505,000 (Less any applicable Deductible)

Page 23

Cost of a Data Breach: Example

Intangible Costs

• Loss of Customer Goodwill/Trust

• Loss of Future Revenues Due to Reputation Damage

• Employee Downtime

Page 24

RM Security Breach Management

Pre-Breach Response Planning

• Identify Stakeholders

• Establish Analysis and Communication Protocols

• Evaluate Vendor Needs

• Remediation and Recovery Procedures

• Human Resource Involvement

• Testing (DRP)

Incident Analysis

• Breach Containment

• Damage Determination

• Legal Analysis

• Communication

Incident Disclosure

• Analyze Requirements (State and Fed Considerations)

• Consider All Notification Methods

• Third Party Vendors for Notification and PR(?)

• Roll Out Notifications Over Time

Loss Mitigation

• Insurance Remedies

• Credit Monitoring

• Public Relations

• Customer Retention Plans

• Implementation of IT Upgrades

Communication & Remediation

• Public Relations

• Ongoing Marketing Efforts

• IT as part of the Ongoing Solution

• HR Involvement TBD

Page 25

Cyber Liability Marketplace

• Evolution of Cyber Insurance

• Who is in the Hot Seat?

• Risk Management and Underwriting Considerations

Page 26

Evolution of Cyber Insurance

February 24, 2010, ACI Insurance Regulation Conference

Past: Internet and e-commerce

Present: Identity Theft and Privacy Regulations

Future: Social Media, Cloud Computing, Expanded BI, Additional Regulation

Page 27

Who is in the Cyber Hot Seat?

• Directors and Officers

• Accountants

• Insurance Brokers

• Lawyers

Page 28

Risk Management and Underwriting Considerations

• Large Operations

• Smaller Operations

• Cloud Computing and Emerging Technology

• Media Savvy for Everyone

Page 29

Risk Management and Underwriting Considerations

• Target of Choice or Opportunity?

• Security Answers from Facebook

• Basic Issues:

• Employee awareness/limited to business

• Password security—Administrator too!

• Patch management

• Avoid using/keeping PII and PHI absent need

• Paper records

• Adopt defenses to known attack methods

• Coverage gaps in traditional policies

• Media: Does coverage follow you where you publish?

Page 30

Risk Management and Underwriting Considerations

Large Risk Underwriting Considerations

• Risk Selection - mix of industries, primary vs. excess

• Limits Management - aggregate, sub limits

• Risk Analysis - complex insureds, evolving risk management practices

• Pricing - more claims experience, new exposures

• Coverage - expanding, customized

• Competition - new entrants, shifting appetites, additional services

Page 31

Questions?