CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

Privacy Breaches & Insurance: A Year in Review and What Lies Ahead in 2013

Posted in Coverage, Cyber Breach, Insurance, Year in Review

CYBER AND PRIVACY BREACHES: A YEAR IN REVIEW AND WHAT LIES AHEAD FOR 2013

Join us on December 4, 2012 from 10:00 – 11:00 C.S.T. for “Cyber and Privacy Breaches: A Year in Review and What Lies Ahead for 2013,” the final 2012 session of our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

You can register here for the December 4, 2012 webinar.


Back to School: Are Schools Making the Grade in Cyber Security? Our Webinar Series Continues on September 6

Posted in Cyber Breach, Education, Insurance, Privacy, Webinar

Join us on September 6, 2012 at 10:00 C.S.T. for “Back to School: Are Schools Making the Grade in Cyber Security,” the fifth webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our September 6 webinar addresses cyber and privacy risks for schools, as well as the insurance issues presented by these risks.

You can register here for the September 6 webinar.

We look forward to seeing you in cyber space on the 6th!

State Attorney General HIPAA Training Now Available to Anyone

Posted in Attorney General Action, Health Records Privacy, Healthcare, HIPPA, HITECH

The Office for Civil Rights (OCR) has made its state attorney general HIPAA enforcement training material available to anyone.  “Although developed for state AGs, the training materials provide a great deal of information about the content and enforcement of the HIPAA Rules that may be of interest to a broader audience,” OCR said on its website.  As a result, the materials are useful to anyone involved in HIPAA privacy and security compliance.

The training materials include videos and slides from the in-person training sessions for state attorneys general conducted in 2011.

Training Topics Available Include:

  • General introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • Roles and responsibilities of state attorneys general under HIPAA and the HITECH Act
  • Resources for state attorneys general in pursuing alleged HIPAA violations
  • HIPAA enforcement support and results

Business Insurance’s Judy Greenwald quotes Celeste King

Posted in Federal Legislation, Uncategorized

Celeste King was recently quoted by Business Insurance’s Judy Greenwald in her article “Federal cyber legislation could simplify state laws.”  The article addresses the need for federal legislation in addition to pitfalls of various state legislation.  You can read the article here.

Pulling the Plug: Cyber Risks and the Energy & Utilities Industries — Our Cyber & Privacy Webinar Series Continues May 22

Posted in Energy, Insurance, Privacy, Utilities, Webinar

Join us on May 22, 2012 at 10:00 C.S.T. for “Pulling the Plug: Cyber Risks and the Energy & Utilities Industries,” the fourth webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our May 22 webinar addresses cyber and privacy risks for the energy and utilities industries, as well as the insurance issues presented by these risks.

You can register here for the May 22 webinar.

We look forward to seeing you in cyber space on May 22nd!

Behind the Curtain: Just whose risks are being insured?

Posted in Business Practices, Coverage, Cyber Breach, Data Breach, Insurance, Reinsurance

In today’s challenging economy, it is hard to turn away new business, whether from a client who provides a law firm with steady work, or a broker who contracts for investment services or a health care organization that contracts with a nursing registry.  But what happens when the new client demands that as part of the deal, the vendor undertake security measures, including indemnification for cyber breaches?  In some of these transactions, the vendor accepts the consequences not only for its own breaches but also for the breached data of another.

Business contracts that include the use of PII may require the following from vendors:

  • written information security program;
  • requirements for notifying the business partner of breaches;
  • restrictions to the vendor’s network on a need-to-know basis;
  • data encryption, password, user ID and biometric requirements;
  • annual review of technical vulnerabilities;
  • data destruction policies.

The contract may also require the vendor to indemnify the business partner for claims, damages, costs and attorney fees arising from allegations that a privacy breach was caused by the vendor or even a third-party to whom the vendor gave PII.

To some businesses faced with these contractual burdens the answer is privacy insurance.  If the vendor is alleged to have breached a security contract or otherwise contributed to a breach, then it wants to shift costs of those consequences to the insurer.

But do all insurers realize that extending cyber coverage to one company may mean assuming the obligations of another?  To avoid any such unwelcome surprises, the insurance application should ask about these other contractual arrangements, the underwriting guidelines should contemplate them, and above all, the brokers and underwriters should review these contractual terms so they understand the scope of the risks.  Although this could involve a substantial number of hours, time spent on the front end of the process can save money on the back end.

Ponemon and Symantec Release 2011 Cost of Data Breach Study

Posted in Business Practices, Cyber Breach, Cyber Costs, Data Breach, Uncategorized

The Ponemon Institute and Symantec Corporation have released the seventh annual U.S. Cost of Data Breach Study, along with data breach studies for the United Kingdom, Germany, France and Italy (Australia and India aren’t yet posted to the Symantec site).  Here are some of the findings (please note that these are averages and each country had varying numbers of organizations included):

United States:

  • The cost of data breaches in the U.S. declined for the first time in seven years (organizational costs decreased from $7.2 million to $5.5 million and the cost per record has decreased from $214 to $194).
  • Customers are remaining loyal after breach.
  • Breaches were caused by negligence (39%), IT or business process failure (24%), and malicious or criminal attack (37%).
  • Business costs declined from $4.54 million to $3.01 million.
  • A CISO reduced breach costs by an average of $80 per record.  Outside consultants saved an additional $41 per record.
  • Notification costs increased probably due in part to increased laws and regulations.

United Kingdom:

  • The cost per record increased from £71 to £79.  However, organizational costs decreased from £1.9 million to £1.75 million.
  • Customers are remaining loyal after breach.
  • Breaches were caused by negligence (36%), IT or business process failure (33%), and malicious or criminal attack (31%).
  • Business costs declined from £910,000 to £780,000.
  • A CISO reduced breach costs by an average of £18 per record.  Outside consultants saved an additional £11 per record.
  • Notification costs decreased slightly from £170,000 to £140,000, probably due in part to greater efficiency in notification.

Germany:

  • The cost per record increased from €138 to €146.  Organizational costs increased from €3.38 million to €3.4 million.
  • Customers are remaining loyal after breach.
  • Breaches were caused by negligence (38%), IT or business process failure (19%), and malicious or criminal attack (42%).
  • Business costs declined from €1.5 million to €1.33 million.
  • A CISO reduced breach costs by an average of €76 per record.  Outside consultants saved an additional €16 per record.
  • Notification costs increased slightly from €220,000 to €230,000.

France:

  • The cost per record increased from €98 to €122.  Total organizational costs increased 16% from €2.2 million to €2.55 million.
  • Customers often abandoned organizations after a breach.
  • Breaches were caused by negligence (30%), IT or business process failure (26%), and malicious or criminal attack (43%).
  • Business costs increased from €688,779 to €782,749.
  • A CISO reduced breach costs by an average of €63 per record.  Outside consultants saved an additional €4 per record.
  • Detection and escalation costs increased from €580,000 to €750,000.
  • Notification costs increased slightly from €111,000 to €112,000.

Italy:

  • For this first year report, organizations spent an average of €78 per record.  The average organizational cost for 2011 is €1,387,798.
  • Customers often abandoned organizations after a breach.
  • Breaches were caused by negligence (39%), IT or business process failure (33%), and malicious or criminal attack (28%).
  • Business costs were on average €474,793.
  • Organizations that notified victims of the data breach within 30 days saved an average of €29 per record.  A CISO reduced breach costs by an average of €23 per record.
  • Average cost to notify victims was €57,500.

Overall it seems that organizations across the world have recognized the danger of data breaches and have begun to take the steps necessary to mitigate costs.  Although it wasn’t included in the studies, it would be interesting to know what percentage of the costs above are being covered by insurance.

The Web is Round: Reinsuring Cyber Risks

Posted in Uncategorized, Webinar

Join us on January 31, 2012 at 10:00 C.S.T. for “The Web is Round: Reinsuring Cyber Risks,” the third webinar in our Webinar Series on Cyber and Privacy Breaches and their Insurance Impact.

Our third webinar (PDF) on January 31 addresses reinsurance and cyber/privacy risks.

For those interested in joining us on January 31 for the presentation you can register here.

Our continuing series topics will address cyber risks for the Retail and Financial Services industries, and Professional Liability.

We look forward to seeing you in cyber space on the 31st!

Healthcare Organizations still “under the weather” according to Ponemon’s Second Annual Study on Patient Privacy and Data Security

Posted in Cyber Breach, Damages, Data Breach, Federal Legislation, Health Records Privacy, Healthcare, HIPPA, HITECH, physician, Uncategorized

Although Ponemon’s Second Annual Benchmark Study on Patient Privacy and Data Security has shown some improvement for healthcare organizations, the overall message is still bleak.  The second annual report examines changes from the past year that may have affected privacy and data protection in healthcare organizations.  It also looks at how well healthcare organizations are able to comply with the notification requirements mandated by HITECH and HIPAA.  According to the report, the top three causes of a data breach are: lost or stolen devices, third-party errors and accidental employee actions.

Below are some of the concerns in this year’s findings followed by some positive results that will hopefully continue to improve in the next report.

Concerns:

  • Data breaches are costing on average $2,243,700 (almost $200,000 more than in 2010’s study).
  • The frequency of data breaches has increased 32% from 2010.
  • 96% of healthcare providers have had at least one data breach in the last two years (many are due to employee or third-party error).
  • 81% of organizations use mobile devices to handle PHI, but 49% do nothing to protect the devices.
  • The number of cases of identity theft resulting from data breaches has increased from 26% to 29%.
  • 90% of healthcare organizations acknowledge that breaches cause harm to patients, but only 65% offer protective services.
  • The number of lost or stolen records per breach increased from 1,769 to 2,575.

Positive Results:

  • More healthcare organizations are complying with HITECH and other federal regulations.
  • Organizations are creating more policies, procedures and security controls to deal with breaches instead of just handling them on a case-by-case basis.
  • More breaches are being discovered by employees.
  • The number of data breaches discovered by patients dropped from 41% to 35%.
  • 58% of respondents believe that administrative personnel understand the importance of protecting patient data.
  • There has been a 6% increase in the number of respondents who believe their organization has policies that will prevent or quickly detect unauthorized patient data access.

It is obvious from the news that the number of data breaches continues to rise.  Healthcare organizations are being affected by cutbacks, and while additional technology could help to alleviate some breaches, it won’t solve the problem.  Money might even be better spent on educating employees and third parties who handle patient information and making sure they protect it.

Click here to obtain your own copy of the report.