This document summarizes cyber and privacy liability insurance coverage options for healthcare providers. It outlines key exposures including liability from data breaches involving personal information. Traditional insurance policies often exclude these risks. The document then describes available 1st party coverage for losses directly suffered by an organization, such as data restoration expenses. It also outlines 3rd party coverage for losses suffered by patients, including notification costs, credit monitoring, and privacy liability coverage for failures to protect private data. Additional specialized coverages are mentioned. Contact information is provided to learn more.
iStart feature: Protect and serve - how safe is your personal data? (Hayden McCall)
The revelations of the Heartbleed vulnerability in April and the recent implementation of Australia’s new privacy regime in March have put data breaches firmly back in the limelight. Clare Coulson finds out more...
Massachusetts New Data Security Laws Presentation (billanetworks)
Secure Your Data. It's now the Law.
Massachusetts has issued new regulations that will soon go into effect mandating that “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” comply with strict requirements for safeguarding and disposing of personal information.
Don't miss this opportunity to understand how 201 CMR 17.00 et seq. will affect your business.
If your company accepts credit cards or stores any customer information, you need to attend this important seminar to understand what will now be required of your company under Massachusetts law. Our experts will detail the regulations and how they impact Massachusetts-based companies. We will discuss the compliance structure as well as outline the steps you will need to take to be in compliance with these new regulations.
WARNING
Failure to comply with the new law exposes a company to substantial monetary penalties. Attorney advertising. Prior results do not guarantee a similar outcome.
http://events.anetworks.net
Personally Identifiable Information Protection (PECB)
“If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business. Each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.” These words were spoken two weeks ago by the American president Barack Obama, who urged Congress to pass a series of cybersecurity and privacy laws that will further protect the data privacy of customers and of children in schools. Once again the topic of data privacy and regulation has become a newspaper headline.
Texas Privacy Laws - Tough New Changes (Jim Brashear)
Overview of principal Texas privacy laws and amendments that became effective September 1, 2012. Some say the new Texas law is tougher than federal HIPAA laws.
Business Fraud and Cybersecurity Best Practices in the Office or While Worki... (ArielMcCurdy)
As the nation and the world adapted to the coronavirus pandemic, businesses became accustomed to employees working from home. Even as the states reopened from the mandated “lockdown”, many companies and employees alike found advantages to working remotely. Today, we live in a world where the hybrid of in-office work and remote work from home is the “new” normal. Home computers and other remote locations are more vulnerable than ever to cyber-attacks. Organizations need to build people-centric cybersecurity strategies to protect against business email compromise and email account compromise. Links to risky websites are increasingly being transmitted through corporate email. The speaker will discuss some of the newest trends in cyberattacks, which are continually evolving and growing. Ransomware can hit in seconds. Credit card use is higher than ever, and some cyber-crime groups exist to target payment card information. This program has been designed to offer real-life examples and practical steps which may be taken to thwart business fraud and cyber-crime.
Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
FBI And Cyber Crime | Crime Stoppers International (Scott Mills)
Crime Stoppers International 32nd Training Conference Presentation October 25, 2011 by Cyber Crime FBI Unit Chief David Wallace in Montego Bay, Jamaica
Does your organization take credit card information? Do you store personal information on your staff, clients or donors? Raffa can help you avoid the pitfalls and penalties that can come from storing these privacy-related items in unsecured ways.
PCI DSS, the Payment Card Industry Data Security Standard is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This applies to essentially any merchant that has a Merchant ID (MID).
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. This includes anyone who provides treatment, payment and operations in healthcare, and anyone with access to patient information and provides support in treatment, payment or operations.
Come learn the basics of these industry regulations, including:
-Who it applies to
-Requirements for compliance
-Penalties for noncompliance
If you missed the webinar Marianne Halvorsen of http://Halvorsenonrisk.com gave on March 25th, 2013, please take a look at the slide presentation that accompanied the webinar. In it you will learn the different types of risks to your company, the costs when an event happens, and how you can protect yourself in the event of a cyber breach.
Consumers rely on businesses to keep their personal information safe. Too few of those businesses are actively protecting that data. Here’s what’s gone wrong, and how businesses should be responding. Full blog here: http://bit.ly/1Jtzym5
Cybersecurity Risks of 3rd Party Cloud-Apps in 2022 Whitepaper by Protected H... (Protected Harbor)
Cybersecurity Risks in Third-Party Cloud Apps (2022) is a comprehensive whitepaper that examines the evolving threat landscape surrounding third-party cloud applications. Delve into the intricate web of security concerns and mitigation strategies to safeguard your organization's sensitive data from potential breaches and unauthorized access. Explore the dynamic challenges posed by third-party cloud apps in 2022 and equip your business with actionable insights to fortify its digital ecosystem against emerging cybersecurity threats.
Network Security and Privacy Liability - Four Reasons Why You need This Cove... (CBIZ, Inc.)
The average cost for each lost or stolen record containing sensitive and confidential information increased from $201 to $217.[1] Any business that uses technology or collects confidential information (social security information, medical records, credit card numbers, account numbers, passwords or any “non public personal” information) needs to review their potential exposures.
Advanced PII / PI data discovery and data protection (Ulf Mattsson)
We will discuss using Advanced PII/PI Discovery to Find & Inventory All Personal Data at an Enterprise Scale.
Learn about new machine learning & identity intelligence technology.
You will learn how to:
• Identify all PII across structured, unstructured, cloud & Big Data.
• Inventory PII by data subject & residency for GDPR.
• Measure data re-identifiability for pseudonymization.
• Uncover dark or uncatalogued data.
• Fix data quality, visualize PII data relationships
• Apply data protection to discovered sensitive data.
The Best Online Security Service for:
CIM – Central Management
Log Monitoring
Intrusion Detection Systems
Firewall Monitoring System
Host based IDSs
Vulnerability Scanning
Evidence Retention
CIM Intelligence
A must-see for all!
This white paper discusses the various cyber threats targeting healthcare organizations and the challenges security professionals face in securing access to protected health information.
Crossing the streams: How security professionals can leverage the NZ Privacy ... (Chris Hails)
Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and the intangibility of protection.
Changing hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
Future of privacy - Insights from Discussions Building on an Initial Perspect... (Future Agenda)
The initial perspective on the Future of Privacy kicked off the Future Agenda 2.0 global discussions taking place through 2015. This summary builds on the initial view and is updated as we progress the futureagenda2.0 programme. www.futureagenda.org
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf (Protected Harbor)
Protected Harbor's 2022 Legal Services Data Breach Trend Report is a comprehensive analysis of the evolving cybersecurity landscape in the legal industry. This report offers valuable insights into emerging trends, challenges, and opportunities that legal professionals and firms may encounter in the year ahead. Through in-depth research and expert analysis, it sheds light on the impact of technological advancements, changing regulations, and client expectations on legal services. Stay ahead of the curve with this indispensable guide to the future of legal services.
Getting the social side of pervasive computing right
Cyber & Privacy Liability for Health Care Industry
1. USI Insurance Services
Cyber and Privacy Liability
for Healthcare Providers
USI Management and Professional Services
2. Cyber and Privacy Exposures Are Significant Sources of Liability Claims Against Healthcare Providers
Cyber Liability: 1st and 3rd party risks associated with on-line activities - Internet, Network and Data Assets
Privacy Liability: Liability arising out of misuse or improper disclosure of Personal Data (Social Security Number or Credit Card)
Confidential 1
3. Cyber & Privacy Claims are Not Covered under Traditional Insurance Policies
The Insurance Gap
Errors & Omissions
• Typically excludes a security breach
• Typically tied to/requires an act of negligence to trigger coverage
General Liability
• Excludes damage to and corruption of electronic data
• Covers only “tangible” property
• Personal & advertising liability does not cover violations/misuse of private information
Property Insurance
• Coverage is specific to physical loss or damage to tangible property (named)
• Courts have consistently held that data is not tangible property
Crime Insurance
• Covers loss due to employee theft of money, securities or other property
• Property must be tangible and have intrinsic value
• No coverage for confidential information
4. Providers Increasingly Challenged to Manage Expanding Regulations with Limited Budgets and Resources
State Breach Laws: 46 states have enacted legislation requiring security breach notification involving personal information – with no “overarching” Federal law, state statutes control.
Health Insurance Portability and Accountability Act (HIPAA): Applies to health care businesses and any employer that provides health care benefits
Payment Card Industry Data Security Standard (PCI DSS): Worldwide security standard created to prevent credit card fraud
Federal Trade Commission (FTC): 2012-13 most active enforcer; new role similar to the EEOC of the last three years
Fair and Accurate Credit Transactions Act (FACTA): Disposal Rule, passed in 2003, created standards to help reduce identity theft and allows consumers to obtain a free annual credit report
Hi Tech: Applies to certain healthcare facilities and is an expansive amendment to HIPAA
5. Healthcare Industry Number One Target For Criminal Organizations Looking for Personal Information
Health records commonly include date of birth, social security number, credit card number and address
Healthcare breaches increased 32% in 2011 over 2010
Providers increasingly utilize hospital, pharmacy, payor and network computer systems to transmit patient information electronically
Lack of employee training in data security and privacy in healthcare
Lax office procedures related to confidential patient information
Increased Cyber and Privacy Liability regulatory challenges:
HIPAA Act (Federal)
HI-TECH (Federal) & PPACA
State laws (e.g., California Confidentiality of Medical Info)
6. Average Cost of Data Breach in 2011: $5.5 million*
Health system accidentally posts medical records of thousands of patients on Internet. Class action suit filed seeks $10 million in damages. OCR notification costs $1+ million with total costs at $20+ million.
May 2012: two physician clinics settled for $100,000 with HHS and OCR regarding HIPAA violations; investigation triggered by public calendar posting of patient appointments.
Small MA hospital settled with State Attorney General for $750,000 on HIPAA violations; hospital shipped three boxes of unencrypted data to third party to be erased; only two boxes arrived at facility.
June 2012: CT Medical Board fined a doctor $20,000 for unauthorized download of patient data.
May 2012: Receptionist at psychological institution found liable for $2 million in ID theft and fraud; ordered to pay approximately $360,000 in restitution. Fines against institution under discussion.
Information no longer resides exclusively on servers: Data has gone mobile, limiting the effectiveness of firewalls and other controls at even the most advanced firms!
*Ponemon Institute and Symantec
7. Healthcare Holds or Transmits More Personal Data than Any Other U.S. Business Segment
Privacy and Cyber Liability for Healthcare Providers – Increased and Unique Risks
HIPAA virtually unenforced from 2005 to 2010. Starting with the passage of the Hi-Tech Act, the Dept. of Health and Human Services has stepped up enforcement actions through the Office of Civil Rights (OCR).
Plaintiff attorney fees have increased as complexity and potential awards have increased. A patchwork of both State and Federal statutes provides multiple actionable causes and there is no sign of abatement.
Beginning September 2012, with rules expanding in January of 2013, TX HB300 expands HIPAA requirements to businesses of all shapes and sizes in Texas, exponentially increasing statutory exposure.
Bottom Line: Healthcare businesses must begin evaluating their cyber and privacy liability exposures and consider insurance coverage solutions!
9. The USI SOLUTION
EXPERIENCE
• Coverage is modular – it is essential to know which coverage fits a specific risk
• Policy language varies from carrier to carrier; no two policies are the same.
EXPERTISE
• Dedicated team of Network Security & Privacy experts
• Experience in the policy features critical to Health Care Providers
MARKET LEVERAGE
• Access to the leading network of insurance carriers
• Ability to creatively tailor coverages to meet the needs of each unique client
10. 1st Party Coverage: Losses Your Company Suffers Directly
Cyber Extortion: Covers costs to investigate, negotiate and settle if credibly threatened or if an extortion demand is received. Wording is essential, as the distinction between extortion/terrorism/act of war, etc. is still developing.
Data Asset/Data Restoration: Covers data restoration expenses after a covered data breach; this does NOT mean the cost of new software/hardware, but restoration to pre-loss condition.
Business Interruption: Covers costs and expenses resulting from a shutdown of operations due to a covered data breach; not always included in standard coverage. The “waiting period” for coverage is typically 24 hours. However, this should be discussed, as some organizations (high tech, online services, etc.) require a shorter trigger.
Crisis Management: Covers the cost to hire a public relations firm to protect brand image and reputation following a breach.
11. 3rd Party Coverage: Losses Suffered By Your Patients or Clients
Covers insured’s economic liability when hackers / unauthorized users access Insured’s systems to inflict damage on others. Covers unauthorized access, unauthorized use and denial of service attacks, etc.
Privacy Liability Coverage and Breach Response: Covers defense and damages related to allegations of insured’s failure to protect private or confidential patient data, whether in electronic or paper forms; defense and settlement costs. Coverage may include the following, subject to sub-limits or a per-record basis:
Notification Expenses
Credit Monitoring
Event Management
Governmental Regulatory Claims
Media or Content Liability
12. Additional 3rd Party Coverage
Intellectual Property: Responds to loss arising from infringement of trademark, copyright and other protected sources – typically a SEPARATE POLICY is required to provide more expansive coverage for patent portfolios
Media or Content Liability: Responds to advertising injury for losses arising from display of material online and advertising,
13. Interested in Learning More?
Toni L Ferrari
Commercial Insurance Executive, Healthcare Practice
Mid-Atlantic Region
Phone: 757 640 5466
Mobile: 757-406-5229
toni.ferrari@usi.biz