Bis EO Cyber presentation

Insuring Data Breach Risk Errors and Omissions and Cyber Liability Insurance

Transcript of Bis EO Cyber presentation


From the Headlines

DATA BREACHES ARE VERY COSTLY

• In 2014, the cost of an average breach for an organization (2014 Ponemon study) increased to $5.9 million!

• In 2014 the average per-record cost of a data breach increased from $188 to $201.

Why Do You Need E&O?

• Your GL Policy specifically excludes data breaches

• Effective May 1, 2014 CG 21 06 05 14 — excludes coverage, under Coverages A and B, for injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.

Regulatory Demands

• HIPAA, FTC, GLB, and PCI DSS 3.0

▫ establishes responsibility for handling confidential information

• Property limitation of liability in UCC 7-204 does not apply to services

• Fines are just the tip of the iceberg

▫ Notification costs can be very high

▫ Lawsuits (example – patients sue covered entity who seeks to recover losses from you)

HUGE RISK

HUGE MISUNDERSTANDING

Critical Coverage Elements

• Privacy Wrongful Act

• Notification & Credit Monitoring Expenses

• Rogue Employee Protection

• Crisis Management/Public Relations Expenses

• Civil Fines & Penalties

• Extortion

• Bodily Injury

• Hammer Clause

• Limits/Sublimits

Critical Coverage Elements

• Available Claims Resources

Claims: Perpetual Storage 2008

• Breach Costs without a Breach

• ~1.5M Patient Billing Records Potentially Involved

• Notification & Credit Monitoring Costs

• Public Relations Costs

• Client Costs (Univ of Utah - estimated at $3.3M)

• Legal Costs

Claims: Recall 2007

• Vendor Outsourcing/General Liability Issues

• ~500k Employees Potentially Involved

• Notification & Credit Monitoring Costs

• Public Relations Costs

• Client Costs (IBM estimated at $6M)

• Legal Costs

Claims: GRM - 2010

• Encryption and/or Employee Error Issue?

• ~1.7M People Potentially Involved

• Notification & Credit Monitoring Costs

• Public Relations Costs

• Client Costs (NYC HHC estimated at >$350M)

• Legal Costs

Claims: Iron Mountain - 2006

• Employee Error Issue

• 17,000 People Potentially Involved

• Notification & Credit Monitoring Costs

• Public Relations Costs

• Client Costs (Long Island Railroad)

• Legal Costs

How would a breach be handled under a cyber policy purchased through BIS?

• Make sure you have a breach response plan that includes insurance response info

• Call data breach hotline

• Activate incident response plan or DR/BCP

• Confer with carrier’s breach response team

• File incident data sheet with response team

• Response team assists in drafting a breach notification letter

• Law enforcement, regulators, client & management approve letter

• Notification letter sent to impacted parties

• Assistance provided in media relations and credit bureau notification if needed.

• Response team handles calls from impacted individuals

• Continued assistance with client claims, fines and litigation

• *Note – this scenario assumes first-party and third-party coverage in the example provided.

Final thoughts: Ops mitigation

• Best mitigation strategy is to avoid risk exposure

▫ Require encryption wherever possible

▫ Train employees completely

▫ Ensure third-party vendors provide equal protection & contract assurance

• Invest in adequate policies and processes like those advocated by PRISM Privacy Plus

▫ Contact Brightstone Consulting for assistance in crafting an information security policy, conducting a risk assessment, or training employees.

For insurance assessment or E&O quote information please contact Brian Jungeberg at Brightstone Insurance

440.260.1002 - [email protected]

For assistance with Privacy Plus preparation, compliance-related issues or other operational mitigation contact Jim Booth at Brightstone Consulting

919.696.7754 - [email protected]