Cyber Liability/Data Breach Protection: The Policy with Risk Management Services

Cyber liability insurance and risk management program


Page 1

Cyber Liability/Data Breach Protection

The Policy with Risk Management Services

Page 2

Do you know?

• When did the new federal HIPAA/HITECH final rule take effect? March 26, 2013

• When did compliance become mandatory (the enforcement date)? September 23, 2013

“These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR)

Page 3

What is new to the federal law?

• Business Associates and Business Associate Agreements

• Notice Requirements (federal and your state)

• Penalty Structure: $100 to $50,000 per violation, with a maximum of $1,500,000 per year for all violations of an identical provision

Page 4

Examples of Legal Requirements

• Federal laws
– Health information (HIPAA/HITECH)
– Financial information (Gramm-Leach-Bliley Act)
– Education information (FERPA)
– Information of children under 13 (COPPA)
– Sensitive employee information (GINA, FMLA)

• State laws
– Breach notification in 46 states
– Disclosure of SSNs
– Processing of medical information
– Destruction/disposal
– “Reasonable measures” to safeguard personal information

Page 5

State Laws

46 of 50 states plus the District of Columbia, Puerto Rico and the Virgin Islands have data breach laws covering Personal Information (PI); many also cover subsets of data that may be contained within medical records, i.e. Protected Health Information (PHI). States without such laws: Alabama, Kentucky, New Mexico, and South Dakota.

• Usually protect the data of residents of the state from certain types of disclosure

• Covered Entities (CEs) and Business Associates (BAs) must be aware of these laws in the event of a breach

• Requirements differ on who must be notified (State Attorney General, law enforcement, media outlets, the individual), the timing of such notice, and the manner of the notice

Page 6

OCR /State Attorney General Investigations

Hospice of North Idaho
• 12/31/12: Theft of an unencrypted laptop holding the ePHI of 41 patients
• First HIPAA breach settlement involving fewer than 500 patients
• $50,000 payment

Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan (Indiana)
• 8/09/11: Hacking/IT incident affecting 506 individuals

Massachusetts Mutual Life Insurance Company, MassMutual Financial Group
• 6/5/13: The 401(k) retirement plan information of certain clients was inadvertently exposed when a MassMutual account manager sent an email on May 8. Exposed data: names, Social Security numbers, investment elections, and account balances

Page 7

Attorneys General Beginning to Use HIPAA Enforcement Authority

Accretive Health, Inc. sued by Minnesota AG
• Suit followed a breach of 23,000 patients’ PHI
• AG used a combination of HIPAA and state law to close Accretive down in MN for a two-year period
• 7/31/12: $2.5M settlement

South Shore Hospital sued by Massachusetts AG
• Suit followed a breach of the PHI of 800,000 patients on unencrypted back-up tapes lost during shipment
• 5/24/12: $750,000 settlement

Page 8

Research

Brown & Brown-Tampa Programs Division’s research to find the best product to meet your clients’ needs yielded the Beazley Breach Response Select. Beazley Breach Response was involved in 6 of the 9 major breaches in the United States last year, sending out 9.6 million notices.

Excellent Coverage including Risk Management Services.

Page 9

Policy Highlights

If a breach occurs, one call reports it and Beazley takes over.

• Privacy Liability
• Privacy Notification Expense
• Regulatory Liability
– HIPAA/HITECH Fines & Penalties
• Network Security Liability
• Media/Website Liability
• Public Relations and Crisis Management Expense
• Credit Monitoring Expense
• Legal and Forensic Expense
• Theft Resolution Services
• Cyber Extortion Loss
• Data Protection Loss
• Business Interruption Coverage

Page 10

Coverage Limits

• Information Security & Privacy Liability $1,000,000*
• Regulatory Defense & Penalties $100,000*
• Website Media Content Liability $100,000*
• Payment Card Industry (PCI) fines and costs $50,000

* Higher limits available upon request

Page 11

Coverage Limits Continued

• Privacy Breach Response Services*
– Notification to individual clients: 25,000 individuals
– Credit monitoring: 3 credit bureaus for 12 months
– Identity theft resolution: up to 5,000 cases
– Foreign notification: $50,000

*Breach Response Services are OUTSIDE of the Limits of Liability

• First Party Coverage
– Cyber Extortion: included
– Data Protection Loss: included
– Forensic Expense: $50,000**
– Business Interruption Loss: included

** Higher limits available upon request

Page 12

Scope of Services (1)

Step-by-Step Procedures to Lower Risk
• Understand the scope of “personal information” (“PI”)
• Determine where PI is stored
• Collect/retain the minimum amount of PI required for business needs
• Destroy PI when no longer needed
• Risk assessment guidance
• Develop and implement an Incident Response Plan

On-line Compliance Materials
• Federal and state compliance materials
• Summaries of federal and state laws
• Sample policies & procedures
• Continuing updates and electronic notification of significant changes

Page 13

Scope of Services (2)

Periodic Newsletter & “Privacy Posts”
• Sent by email
• Significant changes in federal and state laws/regulations
• Breach and data security news
• Links to related on-line information
• Privacy Posts for events requiring immediate attention

Phone/E-mail Support
Consultants & attorneys answer questions, including:
• Health care & HIPAA compliance issues
• Data breach prevention issues
• Data security best practices
• Computer forensic issues

Page 14

Scope of Services (3)

Training Modules
• On-line training material
– Specific, to-the-point
• Awareness bulletins & posters
• Webinars
– for privacy compliance and IT staff

Handling Data Breaches
Guidance provided to:
• Respond to a data breach

Page 15

Questions?

Thank you, and we look forward to quoting for you soon!

Martha Oddo 813-222-4133 [email protected]
Patel 813-222-4358 [email protected]