Significant Exposures

  • Storing social security numbers, driver license numbers, bank account numbers – whether for clients or employees; 

  • Access to client health information;

  • In the process of going paperless or storing paper files; 

  • Providing online access for members; 

  • Selling, donating or recycling computers;

  • Investment Advisors; 

  • Posting pictures or information about members online; 

  • Relying on a computer network on a daily basis;

  • Allowing laptops to be removed from the premises; 

  • Maintaining a social networking page; 

  • Maintaining a blog.

   

Practical Applications

 

  • Third-Party Loss Resulting From a Security or Data Breach;

  • Direct First-Party Costs Resulting From a Breach;

  • Lost Income & Operating Expense Resulting From a Security or Data Breach;

  • Threats to Disclose Data / Attack a System to Extort Money;

  • Online Defamation & Copyright Trademark Infringement.

 

A multitude of coverage options assure YOU are able to promptly respond to and prevent future, more costly damages.

 

CYBER  

Liability Privacy Data Loss

 

Securing Privacy in an Unsecure World

________________________________

 

      

In a rapidly changing environment, CYBER Insurance Programs provide thorough insurance solutions to address cyber-security RISK.  By way of their available risk management tools, these programs help to prevent and safeguard against computer hacking, sensitive data breaches, employee error, as well as several other potentially pressing problems. 

    

From innovative loss prevention tools to educational items, available resources are capable of helping to prevent a cyber-security breach.  Plus, the services of a "cyber-breach resolution team" are an option, if a breach does occur, and means our insured entities receive sensible, responsive guidance along the way.

     

First-Party Coverage for Costs Associated with a Breach

    

  • IT Forensic costs – the costs to determine what information may have been breached or accessed improperly. This can be very costly to determine.

  • Notification Costs – the costs to notify individuals, businesses, regulators and to run a call center related to the notification.

  • Credit Protection Costs – the costs to provide credit monitoring services to the affected parties, which is often offered as part of the notification.

  • Crisis Management Costs – this covers the cost to hire a Public Relations firm to help protect your business reputation.

   

Third-Party Liability Related to a Breach

  

This section covers the costs to defend and indemnify or settle claims related to a breach of Personally Identifiable Information (PII) including credit card numbers, social security numbers, bank account information, as well as personal health information or sensitive corporate information.

 

   This can cover costs related to:

 

  •  breach of contract

  •  negligent protection of data

  •  network security breaches

  •  transmission of software viruses

  •  denial of service attacks

  •  regulatory actions related to a breach

  •  PCI fines and penalties

Cyber Claim Scenarios

    

Human Error

An employee of a private high school mistakenly distributed via e-mail the names, social security numbers, birthdates, and medical information of students and their parents, and faculty, creating a privacy breach. Overall, more than 750 individuals’ personal information was compromised.

 

Theft of Digital Assets

A regional retailer contracted with a third-party service provider. A burglar stole two of the service provider's laptops containing the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer – not the service provider – was required to notify affected individuals. Total expenses incurred for notification and crisis management to customers were nearly $5,000,000.

 

Unauthorized Access

An international computer hacking group gained access to the computerized check-out register system of a regional sporting goods store chain - stealing credit and debit card information of some 115,000+ customers, resulting in a flood of fraudulent purchases both inside and outside the country.

 

_____________________________________________________________

      

POINT OF INTEREST

"The Cost of Data Breach Incidents for Companies Located in the United States"*

 

     The total average cost for each lost or stolen record containing sensitive and confidential information is presently $221 per compromised record. Making up this total, $145 pertains to indirect costs, and $76 represents the direct costs. Indirect costs include the time employees spend on data breach notification efforts or investigations of the incident. Direct costs refer to what companies spend to minimize the consequences of a data breach and to assist victims. These costs include engaging forensic experts to help investigate the data breach, hiring a law firm, and offering victims identity protection services.

  

     Certain factors reduced the cost of data breach. Having an incident response plan and team in place, extensive use of encryption, employee training, BCM [business continuity management] involvement and extensive use of data loss prevention technologies are viewed as reducing the cost of data breach. Data breaches due to third party error, extensive migration to the cloud or rush to notify increased data breach costs. For example, an incident response team can decrease the average cost of data breach from $221 to $195.20 (decrease = $25.80). In contrast, third party breaches increased the average cost to $241.30 (increase = $20.30).

  

     In addition to this cost data, the [global] study puts the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.

   

*This research was sponsored by IBM and independently conducted by Ponemon Institute LLC, June 2016.

 

_____________________________________________________________

 

Cyber Coverage Today

   

Cyber coverage can mean different things to different people. Most commonly, cyber coverage is some combination of these 4 components:  1) Errors and omissions liability; 2) media liability; 3) network security; and 4) privacy. Coverage has evolved most significantly as it relates to network security and privacy.

 

Errors and Omissions (E&O).  E&O liability addresses claims arising from errors in the performance of your services.  This can include technology services - like software and consulting, or more traditional professional services like lawyers, doctors, architects, and engineers.

 

Media Liability.  These are advertising injury claims such as infringement of intellectual property, copyright and trademark infringement, and libel and slander.  Due to the Internet presence of a large number of businesses today, technology companies have seen this coverage evolve from their general liability insurance to being bundled into a media component, i.e. a separate cyber / media liability policy.  Coverage can be extended to offline content too.

 

Network Security.  A failure of network security can lead to many different exposures, including a consumer data breach, destruction of data, virus transmission, and cyber extortion.  The culprits might be looking to shut your network down so you can’t conduct business, either for financial or political gain.  Network security coverage can also apply if you’re holding trade secrets or patent applications for a client, and that information is accessed due to a failure of your security.

 

Privacy.  Privacy does not have to involve a network security failure.  It can be a breach of physical records, such as files tossed in a dumpster -- or human errors, such as a lost laptop -- and even sending a file full of customer account information to the wrong email address.  Companies have also faced liability from returning a photocopier with a hard drive containing unwiped customer tax records.  A privacy breach can also include an action like wrongful collection of information.

 

Network Security and Privacy Liability

 

What’s unique about privacy and network security protection is that both first-party COSTS and third-party LIABILITIES may be covered.  First-party coverage applies to the direct costs for responding to a privacy breach or security failure, and third-party coverage applies when people make claims against you, or regulators demand information from you.

 

Data breaches and network security failures happen.  In fact, Norton-Symantec has reported that some 107 million security events occurred this past year in the U.S. and 690 million globally. The likelihood that your business is next is no longer so far-fetched. Fortunately, cyber coverage has evolved from its early days as an E&O component for technology companies into an inclusive offering, with cover for both first-party and third-party costs.

    

  ______________________________________________________

  

Cyber Claim Scenarios - continued...

   

Stolen laptop of small health care business results in a $50,000 regulatory fine.  A laptop containing the protected health information of more than 715 patients was stolen out of an employee’s car.  As a result, the Office of Civil Rights (OCR) investigated and found the entity had not conducted a risk analysis to safeguard the information and did not have policies or procedures in place to address mobile device security as required by the HIPAA Security Rule. The OCR fined the healthcare business $50,000.

 

Printer’s error allows unauthorized access to sensitive information.  A printing company accidentally included a user name and password in a client’s brochure, which was posted on the client’s website.  The login information enabled access to the client’s customers’ medical records and other personal information, including names, Social Security numbers, addresses, driver’s license numbers and credit information.  The printer’s client engaged an outside forensics firm, notified the individuals and offered free credit monitoring.  The client then sought recovery of these costs from the printing vendor. 

 

Unencrypted laptop containing employee data stolen from business services firm.  A laptop belonging to a business services firm’s employee was stolen from his car.  The laptop contained unencrypted personal data of a client’s employees, including their names, Social Security numbers, and home addresses.  Failing to encrypt the data was a direct violation of the firm’s contract with their client.

    
