We're Under Cyberattack. Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin; Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber Protection


Data Creates Duties
- What data do you access, and why?
- Where is it?
- How well is it protected?
- Who can access it, and why?
- When do you purge it?
- How do you purge it?

Threats
- Malicious attack: hackers in the network, malware and viruses, phishing scams (including ransomware), physical theft of hardware and paper, rogue employees
- Employees: negligence in the use and storage of data, failure to follow or learn policies and procedures, loss of portable devices, mis-mailing of paper, unencrypted emails sent to the wrong recipients
- Business partners: any of the above can occur at a business partner with whom data is shared

Ever Changing Definitions
- Personally identifiable information (PII): e.g., Social Security number, driver's license number, bank account information, credit card information, online/financial account username and password, medical information, health insurance information, and email address and password
- Protected health information (PHI): information created or received by a covered entity or business associate relating to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, that identifies or can be used to identify the individual
- Payment card industry information (PCI): cardholder data
- Contracts

State Regulatory Exposures
- 48 states (plus Puerto Rico, Washington, D.C. and the Virgin Islands) require notice to residents after unauthorized access to personally identifiable information
- These statutes require companies to notify resident consumers of security breaches of unencrypted computerized personal information (in some states this includes health information)
- Many also require notification of the state attorney general, state consumer protection agencies and credit monitoring agencies
- Notice is due "without unreasonable delay", but some strict states set fixed deadlines (30/45/90 days)
- Some states are requesting an Assurance of Voluntary Compliance
- Some states allow a private right of action for violations

Unwritten Rules
- Pennsylvania: the AG likes to receive notice if an incident affects a significant number of PA residents, though there is no statutory requirement
- California: DHCS interprets the California data breach statute to cover paper breaches, and expects the CA legislature to update the statute soon to clearly cover paper breaches
- Indiana: anything over 30 days is "unreasonable delay"
- Connecticut: 2 years of credit monitoring; 90 days is probably "unreasonable delay"

Federal Regulations
- July 7, 2015: 47 state AGs write to Congress, urging the U.S. to preserve state authority over data breaches
- HIPAA/HITECH: OCR unofficially mandates an automatic investigation if over 500 individuals are affected; covered entities and their business associates are subject to the rules
- GLBA (financial institutions): the Privacy Rule suggests notification; the Safeguards Rule suggests a written security plan
- FERPA (students): federal funding can be, but never has been, cut off following a violation
- SOX (publicly traded companies): requires security controls, and auditors require disclosure if such controls are inadequate
- FACTA (reuse of credit information): the Red Flags Rule requires procedures to detect and prevent identity theft
- SEC: a more aggressive cyber role is expected
- FTC: approx. 50 privacy investigations since 2002, and dozens of fines ($22.5 million, Google, 2012); actively enforcing health care vendor rules (breach reporting for non-HIPAA entities)
- FCC (regulates communications networks): first ever data breach fine (October 2014) ($10 million, TerraCom and YourTel America)

Payment Card Industry (PCI)
- Payment Card Industry Security Standards Council (Visa, MasterCard, AmEx, Discover, JCB International)
- Requires merchants and service providers to abide by certain protocols to protect customers' credit card information
- Imposes "assessments" and "fines" on offending merchants and service providers (can be millions)
- Violations of PCI DSS have multiple consequences: impact on the standard of care, industry investigations, outside lawsuits
- A small minority of states have incorporated PCI DSS requirements into their data protection laws
- Privileged forensics vs. PFI (PCI Forensic Investigator)

Anatomy of a Breach Response
- Breach discovery
- Experts: breach coach, forensics, public relations
- Investigation (internal/forensic/criminal): How did it happen? When did it happen? Is it still happening? Who did it happen to? What was accessed/acquired? (What wasn't?)
- Notice obligations: state, federal, other (e.g. PCI); deadlines can be as short as 48 hours
- Notification process: written, electronic, substitute, to media
- Vendors: printing, mailing and call center; credit monitoring
- Inquiries: state regulators (e.g. AG, PD), federal regulators (e.g. OCR), federal agencies (e.g. SEC, FTC), consumer reporting agencies, potential plaintiffs
- Litigation: government entities, class action, indemnification

Data Breach Litigation
Federal jurisdictions that have found Article III standing in the absence of identity theft:
- Sixth Circuit: Galaria et al. v. Nationwide Mutual Insurance Company, No. 15-3387, 2016 WL 4728027 (6th Cir. September 12, 2016)
- Seventh Circuit: Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)
- Eighth Circuit: Kuhns v. Scottrade, Inc., No. 16-3426, No. 16-3542, 2017 WL 3584046 (8th Cir. Aug. 21, 2017) (dismissed on other grounds)
- Ninth Circuit: Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)

Data Breach Litigation Settlements
- In re Anthem Inc. Data Breach Litigation, 5:15-md-02617 (N.D. Cal.), pending court approval: settlement valued at $115 million to end litigation over the 2015 data breach affecting approximately 80 million individuals; the settlement includes an additional two years of credit monitoring for the individuals involved in the breach, or alternative cash compensation for those already enrolled with credit monitoring services; $15 million of the settlement is dedicated to paying certain out-of-pocket expenses class members incurred
- Remijas et al. v. The Neiman Marcus Group LLC, 1:14-cv-01735 (N.D. Ill.): $1.6 million settlement between Neiman Marcus and a class of customers whose credit card data was exposed in the 2013 data breach; approximately 370,385 cards were used during a three-month window in which card-scraping malware was operating on the company's computer system; customers who file a claim showing their card was used during the window will receive $100

Best Practices: Pre-Incident
- Empower senior executives
- Talk to your IT security folks; gain an appreciation of the many challenges and the risk landscape
- Not many firms can say how many records they have; what type of data is being collected, stored, shared and protected; where all this data resides; and when it is purged
- Assess and test your own staff and operations
- Prepare and test an incident response plan
- Document your due care measures (training and enforcement)
- Secure appropriate insurance
- Execute service level agreements; manage your vendors
- Repeat

Best Practices: Post-Incident
- Ensure experience on the response team: after a data incident is not the time to learn the ins and outs of incident response
- Establish an incident response team of decision-makers (if not established already), as things move too fast for typical bureaucracy
- Use counsel to establish privilege: counsel directs forensics, notice drafting and other vendors so that, in the event of litigation or regulatory investigation, documents and communications are not discoverable
- Guard attorney-client privilege: do not share forensic reports, legal analysis and drafts with clients or third parties if not absolutely necessary

Best Practices: Post-Incident (continued)
- Do not use the terms "breach", "PII" or "PHI" lightly: these are statutorily defined legal terms, the use and admission of which have consequences
- Do not rush to go public: there is a tremendous desire to go public fast, but an inability to answer the questions that will inevitably follow can be devastating
- If you notify 4 hours after discovery there will be people who charge you with delay, so "delay" is unavoidable
- Prepare for litigation and regulatory investigation: preserve all relevant documents
- Conduct a risk assessment and implement data security improvements before a regulator asks you to

Your Schinnerer Cyber Team
- Jason Bucher, Senior Cyber Underwriter, Phone: (913) 685-6166, jason.bucher@schinnerer.com
- Zach Atya, Cyber Assistant Account Executive, Phone: (301) 961-9893, Zacharia.Atya@schinnerer.com
- Mark Schulz, Cyber Underwriter, Phone: (860) 723-5663, Mark.Schulz@schinnerer.com