Those new, old-school Air Jordans are retro cool (and I have them).  Those new cyberinsurance retroactive dates – eh.

I blogged about retroactive dates here.  Reminder: an insurance policy retroactive date is the day prior to which otherwise covered occurrences are not covered.  In the first policy placed with a particular carrier, this will usually be the policy’s inception date as well.  In my prior post, I discussed the problem of data breaches that occur prior to the retroactive date, but which are not discovered (and litigated, regulated, remediated etc.) until after that date.  Since many data breaches are not immediately discovered, this sequence could seriously impact coverage, particularly for new entrants to the market.

Here’s another twist.  What about the alleged “wrongful act” that purportedly caused the breach (the “occurrence” if you want to get technical about it)?  A plaintiff or regulator may contend that the “wrongful act” was the failure to implement particular security measures, and that may have occurred years before the breach.  If the policy ties the retroactive date not only to the “occurrence,” but also to the “wrongful act” that caused or allegedly caused it, double whammy.  And because the wrongful act could be alleged to have occurred at any time, this language could be placing coverage determinations in the hands of plaintiffs and regulators.  Dangerous.

FYI, NBD is “internet slang” for “no big deal.”  “Internet slang” is what my little brother uses in text messages.

Anyway.

Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission.  The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute.  In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies were coming to an end.  A number of commentators have therefore suggested that Travelers is a pendulum swing in the other direction, a sign that data breach coverage under CGL policies remains viable.

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company.  The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims and that the cost of these scams likely exceeds $2.3 billion over that span.

Whoa.

Now, remember when I told you that some of these fake e-mail scams were not being treated as covered occurrences?  The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’  Without “unauthorized access,” coverage may be hard to come by.  But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam.  In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.

On April 28, 2016, Angie Singer Keating (CEO of IT security firm Reclamere), Renee Martin (my colleague at Dilworth and a true HIPAA expert) and little old me will be presenting the first of a three-part series on data breach preparedness, response and mitigation for companies that maintain personal health information.  It’s a breakfast series, so we’ll start early, with bagels and coffee (and something healthy I’m sure) at 7:30 AM and the presentation going from 8 AM – 9 AM.  Location is Dilworth Paxson, 1500 Market Street, Suite 3500E, Philadelphia, PA.

To get the nitty-gritty details and RSVP, follow this link.  Hope to see you there!

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later.  Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland.  The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk.  It is one, however, that a cyberinsurance policy can cover.

“Can.”  Not necessarily “does.”

Policies have drawn a distinction between cyber extortion and other types of network security breaches.  At the most general level, there seems to be little difference.  It all starts with unauthorized access.  A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records.  Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers.  Many think that this is a move in the right direction.

In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cyber security insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015.  At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity Rule.  In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount.  Some see the question simply being posed as the writing on the wall – cyberinsurance will soon become mandatory for money managers.

What about everyone else?

Many (lucky) institutions lack historical data breach response cost information.  They therefore struggle to select cyber policy limits.  A popular approach is to multiply the total number of records maintained by an average “per-record” data breach cost, a figure increasingly identified by reputable studies.  Sounds easy.  Too easy.  This approach has the comfort of feeling scientific, but it suffers from a serious flaw.  There is wild inconsistency among thought leaders as to what’s “average.”  Consider the following:

The Ponemon Institute’s 2015 Cost of Data Breach Study analyzed data breaches at 350 companies, with breaches implicating from 3,000 – 100,000 records.  Ponemon concluded that the average per-record cost of a data breach was $217 (for non-health records).

The NetDiligence 2015 Cyber Claims Study considered actual claims information from insurance carriers concerning 160 data breaches, with breaches compromising from 1 to over 100 million records.  It found that the average per-record cost of a data breach was nearly $1,000.

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred.  This is fraud.  But is it “computer fraud”?

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. Ct. App. June 25, 2015), it wasn’t.  New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds.  It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so.  The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry or change causes (a) Property to be transferred, paid or delivered…”.  The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system, as had occurred, but the unauthorized penetration of the system by a third party – i.e., a hacker.  Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.

In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion.  A “computer fraud” provision in a Crime Prevention Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions.  The definition of “computer fraud” in this case, however, was the very language distinguished by the Universal American court as broader than the language there at issue: “We will pay for loss…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises… (a) to a person…outside the premises; or (b) to a place outside the premises.”  The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.

Hollywood Presbyterian Medical Center recently made headlines when cyber-extortionists prevented access to all electronic patient files for 10 days.  Reports of the hackers’ demands ranged from $3.4 million to 3.4 million bitcoin (over $1.4 billion).  In the end, a $17,000 ransom unlocked the files.  One has to wonder, however, what type of threat to patient well-being persisted during the intervening week and a half due to this historic disruption of a business charged with keeping us healthy, and, in some cases, alive.

A few days ago, the New York Times ran an article by Fred Kaplan about another Hollywood hack – the one in the 1983 film “War Games,” where Matthew Broderick hacked into the United States Military’s defense command system.  The article reports that President Ronald Reagan saw the movie, and it prompted him to pose a question to his highest-ranking advisors: “Could this really happen?”

After General John Vessey, Jr. reported back, “the problem is actually much worse than you think,” Reagan issued the first official U.S. policy statement on cybersecurity…in 1984.  Though Congress overrode the directive due to privacy concerns (30 years ago, they didn’t want the NSA spying on Americans…now…), research leading to the directive revealed that hacking was a known threat as far back as the 1960’s.

Health and Human Services’ (HHS) Office for Civil Rights recently issued a $239,000.00 HIPAA fine to Lincare, Inc.  I don’t know if the fine will be covered by cyberinsurance.  I don’t even know whether the company has cyberinsurance.

What I do know is that the fact pattern highlights a critical coverage issue for healthcare entities.  The Lincare breach did not involve electronic records.  An employee had stored physical records for 278 patients in his home.  When the employee moved, he left the records behind.  They were discovered by a third party who was – surprise – not authorized to access them.  Earlier this month, an administrative law judge affirmed the relatively hefty fine in light of the modest number of compromised records.

Had Lincare’s breach been of the electronic variety, a cyberinsurance policy with regulatory coverage would likely pick up the tab (dependent on policy language, of course).  The situation is more complicated when physical documents are involved.  There’s case law on how physical data breaches interact with other types of insurance, such as commercial general liability (CGL), but I’m not aware of any reported case determining whether a physical breach triggers cyberinsurance coverage (if you are, let me know).
