CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

Pulling the Plug: Cyber Risks and the Energy & Utilities Industries — Our Cyber & Privacy Webinar Series Continues May 22

Posted in Energy, Insurance, Privacy, Utilities, Webinar

Join us on May 22, 2012 at 10:00 C.S.T. for “Pulling the Plug: Cyber Risks and the Energy & Utilities Industries,” the fourth webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our May 22 webinar addresses cyber and privacy risks for the energy and utilities industries, as well as the insurance issues presented by these risks.

You can register here for the May 22 webinar.

We look forward to seeing you in cyber space on May 22nd!

Behind the Curtain: Just whose risks are being insured?

Posted in Business Practices, Coverage, Cyber Breach, Data Breach, Insurance, Reinsurance

In today’s challenging economy, it is hard to turn away new business, whether from a client who provides a law firm with steady work, or a broker who contracts for investment services or a health care organization that contracts with a nursing registry.  But what happens when the new client demands that as part of the deal, the vendor undertake security measures, including indemnification for cyber breaches?  In some of these transactions, the vendor accepts the consequences not only for its own breaches but also for the breached data of another.

Business contracts that include the use of PII may require the following from vendors:

  • written information security program;
  • requirements for notifying the business partner of breaches;
  • restrictions to the vendor’s network on a need-to-know basis;
  • data encryption, password, user ID and biometric requirements;
  • annual review of technical vulnerabilities;
  • data destruction policies.

The contract may also require the vendor to indemnify the business partner for claims, damages, costs and attorney fees arising from allegations that a privacy breach was caused by the vendor or even a third-party to whom the vendor gave PII.

To some businesses faced with these contractual burdens, the answer is privacy insurance.  If the vendor is alleged to have breached a security contract or otherwise contributed to a breach, then it wants to shift the costs of those consequences to the insurer.

But do all insurers realize that extending cyber coverage to one company may mean assuming the obligations of another?  To avoid any such unwelcome surprises, the insurance application should ask about these other contractual arrangements, the underwriting guidelines should contemplate them, and above all, the brokers and underwriters should review these contractual terms so they understand the scope of the risks.  Although this could involve a substantial number of hours, time spent on the front end of the process can save money on the back end.

Ponemon and Symantec Release 2011 Cost of Data Breach Study

Posted in Business Practices, Cyber Breach, Cyber Costs, Data Breach, Uncategorized

The Ponemon Institute and Symantec Corporation have released the seventh annual U.S. Cost of Data Breach study, along with data breach studies for the United Kingdom, Germany, France and Italy (Australia and India aren’t yet posted to the Symantec site).  Here are some of the findings (please note that these are averages and each country had varying numbers of organizations included):

United States:

  • The cost of data breaches in the U.S. declined for the first time in seven years (organizational costs decreased from $7.2 million to $5.5 million and the cost per record has decreased from $214 to $194).
  • Customers are remaining loyal after breach.
  • Breaches were caused by negligence (39%), IT or business process failure (24%), and malicious or criminal attack (37%).
  • Business costs declined from $4.54 million to $3.01 million.
  • A CISO reduced breach costs by an average of $80 per record.  Outside consultants saved an additional $41 per record.
  • Notification costs increased, probably due in part to increased laws and regulations.

United Kingdom:

  • The cost per record increased from £71 to £79.  However, organizational costs decreased from £1.9 million to £1.75 million.
  • Customers are remaining loyal after breach.
  • Breaches were caused by negligence (36%), IT or business process failure (33%), and malicious or criminal attack (31%).
  • Business costs declined from £910,000 to £780,000.
  • A CISO reduced breach costs by an average of £18 per record.  Outside consultants saved an additional £11 per record.
  • Notification costs decreased slightly from £170,000 to £140,000, probably due in part to greater efficiency in notification.

Germany:

  • The cost per record increased from €138 to €146.  Organizational costs increased from €3.38 million to €3.4 million.
  • Customers are remaining loyal after breach.
  • Breaches were caused by negligence (38%), IT or business process failure (19%), and malicious or criminal attack (42%).
  • Business costs declined from €1.5 million to €1.33 million.
  • A CISO reduced breach costs by an average of €76 per record.  Outside consultants saved an additional €16 per record.
  • Notification costs increased slightly from €220,000 to €230,000.

France:

  • The cost per record increased from €98 to €122.  Total organizational costs increased 16% from €2.2 million to €2.55 million.
  • Customers often abandoned organizations after a breach.
  • Breaches were caused by negligence (30%), IT or business process failure (26%), and malicious or criminal attack (43%).
  • Business costs increased from €688,779 to €782,749.
  • A CISO reduced breach costs by an average of €63 per record.  Outside consultants saved an additional €4 per record.
  • Detection and escalation costs increased from €580,000 to €750,000.
  • Notification costs increased slightly from €111,000 to €112,000.

Italy:

  • For this first year report, organizations spent an average of €78 per record.  The average organizational cost for 2011 is €1,387,798.
  • Customers often abandoned organizations after a breach.
  • Breaches were caused by negligence (39%), IT or business process failure (33%), and malicious or criminal attack (28%).
  • Business costs were on average €474,793.
  • Organizations that notified victims of the data breach within 30 days saved an average of €29 per record.  A CISO reduced breach costs by an average of €23 per record.
  • Average cost to notify victims was €57,500.

Overall it seems that organizations across the world have recognized the danger of data breaches and have begun to take the steps necessary to mitigate costs.  Although it wasn’t included in the studies, it would be interesting to know what percentage of the costs above are being covered by insurance.

The Web is Round: Reinsuring Cyber Risks

Posted in Uncategorized, Webinar

Join us on January 31, 2012 at 10:00 C.S.T. for “The Web is Round: Reinsuring Cyber Risks,” the third webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our third webinar (PDF) on January 31 addresses reinsurance and cyber/privacy risks.

For those interested in joining us on January 31 for the presentation you can register here.

Our continuing series topics will address cyber risks for the Retail and Financial Services industries, and Professional Liability.

We look forward to seeing you in cyber space on the 31st!

Healthcare Organizations still “under the weather” according to Ponemon’s Second Annual Study on Patient Privacy and Data Security

Posted in Cyber Breach, Damages, Data Breach, Federal Legislation, Health Records Privacy, Healthcare, HIPPA, HITECH, physician, Uncategorized

Although Ponemon’s Second Annual Benchmark Study on Patient Privacy and Data Security has shown some improvement for health organizations, the overall message is still bleak.  The second annual report examines changes from the past year that may have affected privacy and data protection in healthcare organizations.  It also looks at how well healthcare organizations are able to comply with the notification requirements mandated by HITECH and HIPAA.  According to the report, the top three causes of a data breach are: lost or stolen devices, third-party errors and accidental employee actions.

Below are some of the concerns in this year’s findings followed by some positive results that will hopefully continue to improve in the next report.

Concerns:

  • Data breaches are costing on average $2,243,700 (almost $200,000 more than in 2010’s study).
  • The frequency of data breaches has increased 32% from 2010.
  • 96% of healthcare providers have had at least one data breach in the last two years (many are due to employee or third-party error).
  • 81% of organizations use mobile devices to handle PHI, but 49% do nothing to protect the devices.
  • The number of cases of identity theft resulting from data breaches has increased from 26% to 29%.
  • 90% of healthcare organizations acknowledge that breaches cause harm to patients, but only 65% offer protective services.
  • The number of lost or stolen records per breach increased from 1,769 to 2,575.

Positive Results:

  • More healthcare organizations are complying with HITECH and other federal regulations.
  • Organizations are creating more policies, procedures and security controls to deal with breaches instead of handling them on a case-by-case basis.
  • More breaches are being discovered by employees.
  • The number of data breaches discovered by patients dropped from 41% to 35%.
  • 58% of respondents believe that administrative personnel understand the importance of protecting patient data.
  • There has been a 6% increase in the number of respondents who believe their organization has policies that will prevent or quickly detect unauthorized patient data access.

It is obvious from the news that the number of data breaches continues to rise.  Healthcare organizations are being affected by cutbacks, and while additional technology could help to alleviate some breaches, it won’t solve the problem.  Money might even be better spent on educating employees and third parties who handle patient information and making sure they protect it.

Click here to obtain your own copy of the report.

Need a Break Over the Thanksgiving Weekend? Test Your Cyber Knowledge With Cyber Word Find!

Posted in Uncategorized

Cyber jargon develops as fast as cyber technology.  Have fun with Cyber Word Find (PDF) to see how many words you can identify.  Stumped?  Click on our CyBIR Glossary tab for clues.  If you complete the puzzle, email it to cyber@wwmlawyers.com and receive a prize!

Best wishes for a Happy Thanksgiving from your friends at WWM.

UPDATE: Click here (PDF) for the solution to the puzzle.

“Say Ahhh…Cyber Risks and the Health Care Industry” Webinar Recording Available

Posted in Coverage, Health Records Privacy, Healthcare, HIPPA, Webinar

On November 15, we hosted “Say Ahhh…Cyber Risks and the Health Care Industry,” the second webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.  For those of you who could not join us on the 15th, you can access a recording of the webinar, the slides and the post-event Q&A.  Simply contact us at cyber@wwmlawyers.com for log-in instructions.  A recording of the first webinar in the series, “Cyber Data: If You Use It, Don’t Lose It: An Introduction to Cyber and Privacy Breaches and Their Insurance Impact,” is also available.

UPDATE: California Governor Signs Bill Exempting Gas Stations from Song-Beverly Zip Code Prohibition

Posted in Business Practices, Credit Card Transaction, Privacy Legislation, Retail

UPDATE (November 15, 2011):  On October 9, 2011, California Governor Edmund G. Brown, Jr. signed Assembly Bill 1219, exempting gas stations from the Song-Beverly/Pineda prohibition on collecting zip codes in certain instances.  The new law took effect immediately.

As we previously reported, Assembly Bill 1219 was initially intended to counteract the impact of the Pineda decision on retailers in California.  The Pineda decision prohibits retailers from requesting and recording zip codes from credit card customers.  The decision, which was retroactive, sparked a tidal wave of lawsuits against retailers under the Song-Beverly Credit Card Act of 1971.  However, the bill that was ultimately passed had been watered down significantly and now provides little relief as it only pertains to gas stations in limited settings.

* * *

UPDATE (August 29, 2011):  On August 25, 2011, the California Senate Judiciary Committee voted to pass Assembly Bill 1219, which will allow gas stations to collect zip codes from customers in certain instances.  Before doing so, however, the Committee amended the bill to include an urgency clause.  According to the amendment, the “immediate implementation of this statute will prevent potential disruption of gasoline station services throughout the state.”  If the bill is signed into law by the governor (or allowed to become law without a signature), the urgency clause will require that the bill take effect immediately.  In light of the Senate amendments, the bill will return to the Assembly for review.

* * *

The California legislature has once again watered down the bill that was proposed to counteract the Pineda decision, leaving little hope that retailers (or their insurers) will find any relief from the Pineda decision.

As we previously reported, shortly after the Pineda decision came down, California Assemblymember Henry T. Perea introduced Assembly Bill 1219, which would have allowed retailers to collect zip codes in certain instances — namely to prevent fraud and identity theft.  Before passing the bill to the Senate, the California Assembly amended the bill to limit it to transactions at motor fuel dispensers and payment islands with automated cashiers — Strike 1!

On June 22, 2011, Senator Noreen Evans, Chair of the Senate Judiciary Committee, recommended that the bill be scaled back even further.  The Pineda decision prompted the filing of more than 150 class action lawsuits.  As initially proposed, the bill was intended to clarify existing law and in doing so, would affect the pending litigation.  In her comments on the bill, Senator Evans expressed the Committee’s concern with bills that interfere with pending litigation.  According to Senator Evans, the Committee is concerned that such interference would: 1) result in a financial windfall to a private party; 2) prevent a court from deciding a case based on the laws in place at the time the cause of action accrued; or 3) allow the legislature to circumvent the judiciary.

Given these concerns, Senator Evans recommended that the bill be further amended to specifically state that it will only apply to actions filed on or after January 1, 2012 — Strike 2!

A hearing on the bill was scheduled for July 5, 2011.  The hearing, however, has been postponed by the Committee.

At this rate, it is hard to tell when (or if) this bill will ever be passed.  What is certain is that whatever version may ultimately be enacted will bear little resemblance to the bill initially proposed and will provide little, if any, assistance to retailers in California or their insurers.  Between the Pineda decision, the amendments to this bill and the Pineda-like suit recently filed in Massachusetts, 2011 is proving to be a tough year for retailers.

(Originally posted July 14, 2011)