Check out today’s article by Chris Mondics of the Philadelphia Inquirer. Mondics, citing yours truly and several other top professionals in the field, covers the increased attention being paid to cybercrime and the role of employee training as a preventative measure. Happy 4th!
On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy. Ouch. Let’s back up.
In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet. P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium. Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.
Really? Yes, really.
Those new, old-school Air Jordans are retro cool (and I have them). Those new cyberinsurance retroactive dates – eh.
I blogged about retroactive dates here. Reminder: an insurance policy retroactive date is the day prior to which otherwise covered occurrences are not covered. In the first policy placed with a particular carrier, this will usually be the policy’s inception date as well. In my prior post, I discussed the problem of data breaches that occur prior to the retroactive date, but which are not discovered (and litigated, regulated, remediated etc.) until after that date. Since many data breaches are not immediately discovered, this sequence could seriously impact coverage, particularly for new entrants to the market.
Here’s another twist. What about the alleged “wrongful act” that purportedly caused the breach (the “occurrence” if you want to get technical about it)? A plaintiff or regulator may contend that the “wrongful act” was the failure to implement particular security measures, and that may have occurred years before the breach. If the policy ties the retroactive date to not only the “occurrence,” but also the”wrongful act” that did or allegedly caused it, double whammy. And because the wrongful act could be at least alleged to have occurred at any time, this language could be placing coverage determinations in the hands of plaintiffs and regulators. Dangerous.
FYI, NBD is “internet slang” for “no big deal.” “Internet slang” is what my little brother uses in text messages.
Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission. The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute. In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies was coming to an end. There have therefore been a number of commentators suggesting that Travelers is a pendulum swing in the other direction, a sign that the viability of data breach coverage under CGL policies remains.
You probably are not. The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams. A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company. The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims and that the cost of these scams likely exceeds $2.3 billion over that span.
Now, remember when I told you that some of these fake e-mails scams were not being treated as covered occurrences? The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’ Without “unauthorized access,” coverage may be hard to come by. But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam. In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.
On April 28, 2016, Angie Singer Keating (CEO of IT security firm Reclamere), Renee Martin (a true HIPAA expert) and little old me will be presenting the first of a three-part series on data breach preparedness, response and mitigation for companies that maintain personal health information. It’s a breakfast series, so we’ll start early, with bagels and coffee (and something healthy I’m sure) at 7:30 AM and the presentation going from 8 AM – 9 AM.
To get the nitty-gritty details and RSVP, follow this link. Hope to see you there!
Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach. On February 5, 2016, hackers froze the hospital out of its electronic patient records. Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later. Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland. The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk. It is one, however, that a cyberinsurance can cover.
“Can.” Not necessarily “does.”
Policies have drawn a distinction between cyber extortion and other types of network security breaches. At the most general level, there seems to be little difference. It all starts with unauthorized access. A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records. Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.
Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax. There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers. Many think that this is a move in the right direction.
In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cyber security insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015. At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity Rule. In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount. Some see the question simply being posed as the writing on the wall – cyberinsurance will soon become mandatory for money managers.
What about everyone else?
Many (lucky) institutions lack historical data breach response cost information. They therefore struggle to select cyber policy limits. A popular approach is to multiply the total number of records maintained by an average “per-record” data breach cost, a figure increasingly identified by reputable studies. Sounds easy. Too easy. This approach has the comfort of feeling scientific, but it suffers from a serious flaw. There is wild inconsistency among thought leaders as to what’s “average.” Consider the following:
The Ponemon Institute’s 2015 Cost of Data Breach Study analyzed data breaches at 350 companies, with breaches implicating from 3,000 – 100,000 records. Ponemon concluded that the average per-record cost of a data breach was $217 (for non-health records).
The NetDiligence 2015 Cyber Claims Study considered actual claims information from insurance carriers concerning 160 data breaches, with breaches compromising from 1 to over 100 million records. It found that the average per-record cost of a data breach was nearly $1,000.
ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred. This is fraud. But is it “computer fraud”?
In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. Ct. App. June 25, 2015), it wasn’t. New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds. It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so. The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry of change causes (a) Property to be transferred, paid or delivered…”. The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system, as had occurred, but the unauthorized penetration of the system by a third party – i.e., a hacker. Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.
In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion. A “computer fraud” provision in a Crime Prevention Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions. The definition of “computer fraud” in this case, however, was the very language distinguished by the Universal American court as broader than the language there at issue: “We will pay for loss…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises… (a) to a person…outside the premises; or (b) to a place outside the premises.” The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.