/ /

Cyber/Data Breaches

Jerry Trupin

“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” Robert Mueller, former director of the FBI.1

Cyber/data breaches2 are big news. And it’s not just the Targets and Home Depots of the world. Firms large and small are targets. Some authorities say that small- er firms are desirable targets because they have less sophisticated (or non-existent) protection.

In 2013, the New York Attorney General’s office recorded more than 900 data security breaches. (The total number of breaches was undoubtedly greater. Nine hundred is the total of breaches that were reported to the AG’s office. There were many breaches for which reporting wasn’t required as New York law requires reporting only when 5,000 New York residents’ information has been lost or stolen. And there were undoubtedly some that were required to be reported, but weren’t.)

Particularly interesting was that hacking was not the only data security breach category to reach record highs; 2013 was also a record year for insider wrongdoing and inadvertent data disclosure events. Entities experiencing a data breach covered the entire spectrum of New York business. The list included firms in the retail services, financial services, health care, banking, insurance, professional services, educational, government agency, loan services, hospitality, technology, telecommunications, credit reporting, credit card, non- profit, and public utility sectors.3

Westchester-Fairfield-Hudson CPCU chapter presented a panel discussion of cyber and data risks on November 21st that was chock full of interesting information. A key point was that the inevitability of being hacked doesn’t mean you shouldn’t lock the door and put bars on the windows. Loss control is always the first place to start.

Requiring that all data be encrypted, including that stored on laptops, has jumped to the top of the loss prevention list. Laptops get lost or misplaced and are often stolen for the value of the hardware, not for the information stored on them. State laws require notice to those whose unencrypted PII (personally identifiable information)4 was stored on a misplaced or stolen computer as well as when it’s stolen by hacking.

The theft of a laptop belonging to a South Carolina college staff member contained the PII of 20,000 former and current students. Because the information was not encrypted, the college was required to notify all 20,000 even though there was no evidence that the thief had ever done anything with the files; the laptop was probably stolen for its value as hardware, not because it contained marketable data.5 Encryption creates a safe-harbor exemption from the notice requirement in most states.

Assembling the names and addresses of 20,000 students and sending letters to them is no small job, but it’s only the small part of the potential damages from a cyber/data breach. Some of the other possible costs include:

  • Finding and hiring a “breach coach” (someone, usually an attorney, who has experience in the steps to take to cope with a cyber/data breach).
  • Finding and hiring an expert to test the system and determine the extent and cause of the breach.
  • Providing credit monitoring to assuage affected individuals. Notification expense can be costly, especially if the firm decides to offer credit monitoring services to its affected customers. (An argument in favor of offering credit monitoring is that, on average, only 10 percent of those who receive the offer will accept, but everyone seems to appreciate the gesture even if they don’t accept.)
  • Setting up and staffing a call center to handle questions from those whose data has been lost.
  • Retaining a public relations/crisis management firm to lessen the dam- age to the firm’s reputation.
  • Responding to the credit card issuers’ demands for reimbursement of their cost to replace the cards, which can be as much as $8 per card. (When credit card numbers and pins are stolen, credit card issuers frequently distribute new cards.)

Most of these items can be covered by insurance. The first two alone are good reasons for small firms to purchase the insurance. Insurance companies that specialize in cyber/data breach insurance can immediately recommend qualified sources for these services.

Forty seven states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws requiring businesses to notify those whose information may have been breached.6 The law applies to any firm doing business in the state, not just business domiciled in the state.

The loss of information pertaining to state residents also triggers a requirement to notify authorities, generally the state attorney general, if the number of records exceeds a certain figure, frequently 500. In New York, the number is 5,000 and in New Jersey it is 1,000, but Connecticut seems to require notice even if only one resident’s information is compromised. To add to the tasks faced a firm whose records have been breached, New York requires that the breach be reported to three agencies: the NYS Attorney General, the NYS Office of Information Technology Services’ Enterprise Information Security Office, and the Department of State’s Division of Consumer Protection.

Experienced cyber/breach professionals recommend notifying attorneys general in the affected states as soon as possible when required by law. Delayed notice leads officials to think you have something to hide.

In addition to state cyber/data breach regulations, Federal rules apply in certain situations. HIPAA covered entities and their business associates must provide notification of the breach to affected individuals, the Secretary of the Department of Health and Human Services, and, in certain circumstances, to the media. HHS issued regulations called for by the Health Information Technology for Economic and Clinical Health (HITECH) Act requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals that their health information records are breached.7

What’s more, the Federal Trade Commission is getting active in the cyber/data breach area. In April 2014, a Federal court held that the FTC could take action against Wyndham hotels for failure to protect customers’ PII.8

In addition to encrypting all data, firms that accept credit cards should become PCI (Payment Card Industry) compliant; most already are.

Other recommended loss prevention steps are:

  • Install and maintain firewalls
  • Use anti-virus software
  • Don’t use vendor-supplied system for passwords or other security measures
  • Restrict access to data on a “need to know” basis
  • Assign unique user IDs to everyone with system access
  • Restrict physical access to servers
  • Track and monitor who is accessing data
  • Regularly test security systems and processes

Let your clients know that these are important protections. It’s a good way to open a discussion of cyber/data breach insurance.

What does Cyber/Data Breach Insurance Cover?

Data breach insurance is similar in many ways to standard insurance cover- ages like homeowners or BOP policies; it combines first and third party coverages.

The usual first-party coverages include:

  • Repair or replace damaged or corrupted equipment and records
  • Customer notification expenses and credit protection services
  • Business income and extra expenses due to damage to intangible property Business income loss due to destruction of tangible property is handled by standard property coverage. However, those coverages exclude or severely limit coverage for business income and extra expense resulting from loss or damage of intangible property like cyber and data. Most cyber/data breach policies can provide business income coverage. The coverage mirrors standard business income coverage. For example, if hackers corrupt an on-line retailer’s computer system, the business income loss will be similar to one that might occur if a fire damaged its premises. The insurance will also provide extra expense coverage to get the insured ?up and running again.
  • Cyber Extortion Payments ?While they don’t send a message with words cut out of a magazine demanding a ransom payment to restore your files, cyber extortion is a booming industry! In the past month both a consultant I work with and a client were victims. In both cases the story was the same: booting their computers brought up a message that all files were locked and demanding a ransom to unlock them. Payment was demanded in bitcoins—bitcoin is a software-based online payment system which the US Treasury has called a decentralized virtual currency. It’s attractive for legitimate uses as the transaction costs are much less than the 2-3% charged by credit card companies. It’s even more attractive for criminal use because there’s no central authority, making the transactions very difficult to trace.9

The outcome was different in the two cases. Our client’s IT people were able to restore all vital files. My consultant associate was not as fortunate. He was unable to get his files restored. He’s struggling to recreate vital records (and no, he didn’t have insurance).

Cyber extortion coverage, like kidnap and ransom insurance, will pay for a skilled negotiator to deal with the “kidnappers” and will reimburse the insured for any ransom paid with the insurer’s consent. Incidentally, in both cases that I heard about, the victims were advised not to pay the ransom. IT people generally feel that making a payment will not generate any response other than, possibly, a demand for more payments. Responding to someone who has already been hacked increases the chance that the hacker will be identified.

Third Party exposures include:

  • Claims based on acts, errors, or omissions that result in or follow a cyber/data breach
  • Fines or penalties assessed in a data privacy regulatory proceeding
  • Invasion of the right to privacy
  • Breach of contract and violation of consumer fraud act
  • Regulatory actions including fines and penalties

In addition, the policies usually provide coverage for claims based on trans- mitting viruses, denial of service attacks, etc. that corrupt the recipient’s computer system.

There’s no standard cyber/data policy form. Not every insurer offers every coverage and not every insured needs all of them. One insurer offers the following coverages:

  • Multimedia liability
  • Security and Privacy liability
  • Privacy Regulatory Defense and Penalties
  • Privacy Breach Response Costs, Notification Expenses, Breach Support and Credit Monitoring
  • Reputation repair assistance
  • Network Asset Protection
  • Cyber Extortion
  • Cyber Terrorism

You have to compare the policy forms to find one that’s cost-effective. Some authorities recommend working with an intermediary who specializes in cyber/data insurance.

Policies can sometimes be tweaked to broaden cover. Some areas to check suggested by the panelists at the CPCU seminar include:

  • Be sure that the virus definition is broad enough to provide broad coverage for hacking.
  • If possible, broaden the definition of customer information to include confidential information and trade secrets.
  • Look for coverage for regulatory matters (e.g., FTC).
  • Be sure that the liability section pro- vides coverage for fines and penalties including penalties called for under PCI compliance agreements.

Cyber/data coverage insurance premiums are on track to exceed $2 billion for 2014; twice the premium volume written just last year. This is an area that calls for your involvement.