Articles Posted in News and Policy

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you.  The US/EU Data Privacy Shield self-certification process goes live on August 1, 2016.  There is lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program.  Do you want the high-level overview?  Of course you do.  Here is what Privacy Shield compliance will probably entail:

  1. Revise your privacy policy to comply with the new requirements/language.
  2. Select a third-party dispute mechanism to handle complaints from EU data subjects.

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high-level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company.  The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims and that the cost of these scams likely exceeds $2.3 billion over that span.


Now, remember when I told you that some of these fake e-mail scams were not being treated as covered occurrences?  The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’  Without “unauthorized access,” coverage may be hard to come by.  But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam.  In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.

On April 28, 2016, Angie Singer Keating (CEO of IT security firm Reclamere), Renee Martin (a true HIPAA expert) and little old me will be presenting the first of a three-part series on data breach preparedness, response and mitigation for companies that maintain personal health information.  It’s a breakfast series, so we’ll start early, with bagels and coffee (and something healthy I’m sure) at 7:30 AM and the presentation going from 8 AM – 9 AM.

To get the nitty-gritty details and RSVP, follow this link.  Hope to see you there!

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later.  Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland.  The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk.  It is one, however, that cyberinsurance can cover.

“Can.”  Not necessarily “does.”

Policies have drawn a distinction between cyber extortion and other types of network security breaches.  At the most general level, there seems to be little difference.  It all starts with unauthorized access.  A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records.  Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers.  Many think that this is a move in the right direction.

In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cyber security insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015.  At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity Rule.  In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount.  Some see the question simply being posed as the writing on the wall – cyberinsurance will soon become mandatory for money managers.

What about everyone else?

Hollywood Presbyterian Medical Center recently made headlines when cyber-extortionists prevented access to all electronic patient files for 10 days.  Reports of the hackers’ demands ranged from $3.4 million to 3.4 million bitcoin (over $1.4 billion).  In the end, a $17,000 ransom unlocked the files.  One has to wonder, however, what type of threat to patient well-being persisted during the intervening week and a half due to this historic disruption of a business charged with keeping us healthy, and, in some cases, alive.

A few days ago, the New York Times ran an article by Fred Kaplan about another Hollywood hack – the one in the 1983 film “War Games,” where Matthew Broderick hacked into the United States Military’s defense command system.  The article reports that President Ronald Reagan saw the movie, and it prompted him to pose a question to his highest-ranking advisors: “Could this really happen?”

After General John Vessey, Jr. reported back, “the problem is actually much worse than you think,” Reagan issued the first official U.S. policy statement on cybersecurity…in 1984.  Though Congress overrode the directive due to privacy concerns (30 years ago, they didn’t want the NSA spying on Americans…now…), research leading to the directive revealed that hacking was a known threat as far back as the 1960s.

I’m pleased to announce that Louis Guard, Counsel and Chief of Staff at Hobart and Smith Colleges, and I will be presenting at the University Risk Management and Insurance Association’s Western Regional Conference on February 17, 2016 in Denver, Colorado.  The presentation, “Cyber 2.0: What We’ve Learned So Far and What We Haven’t,” will discuss the need for cyberinsurance in the higher education industry, the critical elements of coverage and several specific, complex issues faced by schools in this context.  Whether your school is considering procuring cyberinsurance for the first time or is looking to identify key issues in the renewal process, we’ll give you concrete take-aways to facilitate a more informed and more up-to-date analysis.  Plus, we’re hilarious.  See you in Denver!

The Target data breach reportedly impacted over 100 million people.  The Anthem breach, approximately 80 million.  And the Ashley Madison hack made almost 40 million users nibble their nails while the world skimmed that now infamous “list.” But one of the most notable cyberinsurance developments of 2015 was the introduction of a policy designed to protect just one person.

The big retailers, financial institutions and healthcare organizations dominate the data breach headlines, but high-net-worth individuals have exposure to the same types of cyber security issues more typically associated with large corporations.  For obvious reasons, hackers have begun to turn their attention to the theft of high-net-worth individuals’ financial data and account information.  Hackers have also begun to cause considerable trouble by digging into high-profile individuals’ healthcare records, and by posing as these individuals on social media platforms.  And without IT departments protecting networks and responding to threats, the rich and the famous have become a fairly enticing target for cyber crime.

In 2015, Privilege Underwriters Reciprocal Exchange (PURE) introduced CyberSafe Solutions, a cyberinsurance policy for high-net-worth individuals.  The policy covers identity theft, unauthorized financial transactions and liability for cyber-related actions and damages.  With the policy, PURE also provides cybersecurity educational resources, a help line and a ten-point cyber risk assessment of the policyholder’s home network.  Through its partnership with Concentric Advisors, PURE is also offering a more in-depth home cyber security audit, a detailed analysis of policyholders’ web profiles to gauge type and scope of security exposure and “CyberShield,” a product that is basically an alarm system/emergency responder for your home network.  These risks are not likely covered by homeowner’s or any other insurance, and yet they are becoming among the most likely to manifest, particularly for individuals whose personal data is the most valuable.
