Cyber liability insurance and risk management program
Published in: Economy & Finance, Business


1. Cyber Liability / Data Breach Protection
   The Policy with Risk Management Services

2. Do you know?
   • When did the new federal HIPAA/HITECH final rule become law? March 26, 2013
   • When is the law enforceable? Sept. 23, 2013
   "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates." Leon Rodriguez, Director of the Office for Civil Rights

3. What is new in the federal law?
   • Business Associates / Business Associate Agreements
   • Notice Requirements (Federal & your State)
   • Penalty Structure: $100 to $50,000 per violation; maximum $1,500,000 for all violations of an identical provision per year

4. Examples of Legal Requirements
   • Federal Laws
     – Health information (HIPAA/HITECH)
     – Financial information (Gramm-Leach-Bliley Act)
     – Education information (FERPA)
     – Information of children under 13 (COPPA)
     – Sensitive employee information (GINA, FMLA)
   • State Laws
     – Breach notification in 46 states
     – Disclosure of SSNs
     – Processing of medical information
     – Destruction/disposal
     – "Reasonable measures" to safeguard personal information

5. State Laws
   46 of 50 states plus the District of Columbia, Puerto Rico & the Virgin Islands have data breach laws related to Personal Information (PI); many cover subsets of data that may be contained within medical records, i.e. Personal Health Information (PHI).
   States w/o laws: Alabama, Kentucky, New Mexico, and South Dakota
   • Usually protects data of residents of the state from certain types of disclosure
   • CEs (covered entities) and BAs (business associates) must be aware of these laws in the event of a breach
   • Differing requirements regarding who must be notified (State Attorney General, law enforcement, media outlets, the individual), the timing of such notice, and the manner of the notice

6. OCR / State Attorney General Investigations
   Hospice of North Idaho
   • 12/31/12: Theft of unencrypted laptop with ePHI of 41 patients
   • First HIPAA breach settlement involving fewer than 500 patients
   • $50,000 payment
   Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan (Indiana)
   • 8/09/11: Hacking/IT incident of 506
   Massachusetts Mutual Life Insurance Company, MassMutual Financial Group
   • 6/5/13: The 401(k) retirement plan information of certain clients was inadvertently exposed when a MassMutual account manager sent an email on May 8: names, Social Security numbers, investment elections, and account balances

7. Attorneys General Beginning to Use HIPAA Enforcement Authority
   Accretive Health, Inc. sued by Minnesota AG
   • Suit followed breach of 23,000 patients' PHI
   • AG used a combination of HIPAA and state law to close Accretive down in MN for a two-year period
   • 7/31/12: $2.5M fine
   South Shore Hospital sued by Massachusetts AG
   • Suit followed breach of 800,000 patients' PHI on unencrypted back-up tapes lost during shipment
   • 5/24/12: $750,000 fine

8. Research
   Brown & Brown-Tampa Programs Division's research to find the best product to meet your clients' needs yielded the Beazley Breach Response Select. Beazley Breach Response was involved in 6 of 9 major breaches in the United States last year, sending out 9.6 million notices. Excellent coverage, including risk management services.

9. Policy Highlights
   If a breach occurs, one call to report it & Beazley takes over...
   • Privacy Liability
   • Privacy Notification Expense
   • Regulatory Liability – HIPAA/HITECH Fines & Penalties
   • Network Security Liability
   • Media/Website Liability
   • Public Relations and Crisis Management Expense
   • Credit Monitoring Expense
   • Legal and Forensic Expense
   • Theft Resolution Services
   • Cyber Extortion Loss
   • Data Protection Loss
   • Business Interruption Coverage

10. Coverage Limits
   • Information Security & Privacy Liability: $1,000,000*
   • Regulatory Defense & Penalties: $100,000*
   • Website Media Content Liability: $100,000*
   • Payment Card Industry (PCI) Fines and Costs: $50,000
   * Higher limits available upon request

11. Coverage Limits Continued
   • Privacy Breach Response Services*
     – Notification to Individual Clients: 25,000 individuals
     – Credit Monitoring: 3 credit bureaus for 12 months
     – Identity Theft Resolution: up to 5,000 cases
     – Foreign Notification: $50,000
   * Breach Response Services are OUTSIDE of the Limits of Liability
   • First Party Coverage
     – Cyber Extortion: Included
     – Data Protection Loss: Included
     – Forensic Expense: $50,000**
     – Business Interruption Loss: Included
   ** Higher limits available upon request

12. Scope of Services (1)
   Step-by-Step Procedures to Lower Risk
   • Understand the scope of "personal information" ("PI")
   • Determine where PI is stored
   • Collect/retain the minimum amount of PI required for business needs
   • Destroy PI when no longer needed
   • Risk assessment guidance
   • Develop and implement an Incident Response Plan
   On-line Compliance Materials
   • Federal and state compliance materials
   • Summaries of federal and state laws
   • Sample policies & procedures
   • Continuing updates and electronic notification of significant changes

13. Scope of Services (2)
   Periodic Newsletter & "Privacy Posts"
   • Sent by email
   • Significant changes in federal and state laws/regulations
   • Breach and data security news
   • Links to related on-line information
   Privacy Posts for events requiring immediate attention
   Phone/E-mail Support
   Consultants & attorneys answer questions, including:
   • Health care & HIPAA compliance issues
   • Data breach prevention issues
   • Data security best practices
   • Computer forensic issues

14. Scope of Services (3)
   Training Modules
   • On-line training material – specific, to-the-point
   • Awareness bulletins & posters
   • Webinars – for privacy compliance and IT staff
   Handling Data Breaches
   Guidance provided to:
   • Respond to a data breach

15. Questions???
   Thank you & we look forward to quoting for you soon!!!
   Martha Oddo 813-222-4133
   Urvish Patel 813-222-4358