Cyber & Privacy Liability for Health Care Industry (SlideShare, 13 slides)
USI Insurance Services


Cyber and Privacy Liability
for Healthcare Providers




USI Management and Professional Services
Cyber and Privacy Exposures Are Significant Sources of
Liability Claims Against Healthcare Providers

Cyber Liability: 1st and 3rd Party risks associated with on-line activities - Internet, Network and Data Assets

Privacy Liability: Liability arising out of misuse or improper disclosure of Personal Data (Social Security Number or Credit Card)

Confidential                                             1
Cyber & Privacy Claims are Not Covered under
Traditional Insurance Policies

The Insurance Gap

Errors & Omissions
• Typically excludes a security breach
• Typically tied to/requires an act of negligence to trigger coverage

General Liability
• Excludes damage to and corruption of electronic data
• Covers only “tangible” property
• Personal & advertising liability does not cover violations/misuse of private information

Property Insurance
• Coverage is specific to physical loss or damage to tangible property (named)
• Courts have consistently held that data is not tangible property

Crime Insurance
• Covers loss due to employee theft of money, securities or other property
• Property must be tangible and have intrinsic value
• No coverage for confidential information

Providers Increasingly Challenged to Manage Expanding
Regulations with Limited Budgets and Resources

State Breach Laws: 46 states have enacted legislation requiring security breach notification involving personal information – with no “overarching” Federal law, state statutes control.

Health Insurance Portability and Accountability Act (HIPAA): Applies to health care businesses and any employer that provides health care benefits

Payment Card Industry Data Security Standard (PCI DSS): Worldwide security standard created to prevent credit card fraud

Federal Trade Commission (FTC): 2012-13 most active enforcer; new role similar to the EEOC of the last three years

Fair and Accurate Credit Transactions Act (FACTA): Disposal Rule, passed in 2003, created standards to help reduce identity theft and allows consumers to obtain a free annual credit report

Hi Tech: Applies to certain healthcare facilities and is an expansive amendment to HIPAA

Healthcare Industry Number One Target For Criminal
Organizations Looking for Personal Information

• Health records commonly include date of birth, social security number, credit card number and address
• Healthcare breaches increased 32% in 2011 over 2010
• Providers increasingly utilize hospital, pharmacy, payor and network computer systems to transmit patient information electronically
• Lack of employee training in data security and privacy in healthcare
• Lax office procedures related to confidential patient information
• Increased Cyber and Privacy Liability regulatory challenges:
  • HIPAA Act (Federal)
  • HI-TECH (Federal) & PPACA
  • State laws (e.g., California Confidentiality of Medical Info)

Average Cost of Data Breach in 2011: $5.5 million*

Health system accidentally posts medical records of thousands of patients on Internet. Class action suit filed seeks $10 million in damages. OCR notification costs $1+ million with total costs at $20+ million.

May 2012: two physician clinics settled for $100,000 with HHS and OCR regarding HIPAA violations; investigation triggered by public calendar posting of patient appointments.

Small MA hospital settled with State Attorney General for $750,000 on HIPAA violations; hospital shipped three boxes of unencrypted data to third party to be erased; only two boxes arrived at facility.

June 2012: CT Medical Board fined a doctor $20,000 for unauthorized download of patient data.

May 2012: Receptionist at psychological institution found liable for $2 million in ID theft and fraud; ordered to pay approximately $360,000 in restitution. Fines against institution under discussion.

Information no longer resides exclusively on servers: Data has gone mobile, limiting the effectiveness of firewalls and other controls at even the most advanced firms!

*Ponemon Institute and Symantec

Privacy and Cyber Liability for Healthcare Providers – Increased and Unique Risks

Healthcare Holds or Transmits More Personal Data than
Any Other U.S. Business Segment

• HIPAA virtually unenforced from 2005 to 2010. Starting with the passage of the Hi-Tech Act, the Dept. of Health and Human Services has stepped up enforcement actions through the Office of Civil Rights (OCR).
• Plaintiff Attorney fees have increased as complexity and potential awards have increased. A patchwork of both State and Federal statutes provide multiple actionable causes and there is no sign of abatement.
• Beginning September 2012, with rules expanding in January of 2013, TX HB300 expands HIPAA requirements to businesses of all shapes and sizes in Texas, exponentially increasing statutory exposure.

Bottom Line: Healthcare businesses must begin evaluating their cyber and privacy liability exposures and consider insurance coverage solutions!

Almost 50% of Losses Come From Fraud and Hacking

Share of losses by breach type (bar chart; Source: http://datalossdb.org):

Hack                30%
FraudSe             17%
StolenLaptop         9%
Web                  8%
Disposal_Document    6%
StolenDocument       4%
Unknown              4%
StolenComputer       3%
SnailMail            3%
Email                3%
LostDrive            2%
LostDocument         2%
Virus                2%
StolenDrive          2%
LostMedia            1%
LostMedia            0%
LostTape             0%
LostMobile           0%
DisposalComputer     0%
StolenMobile         0%
MissingLaptop        0%
StolenMedia          0%
MissingMedia         0%
LostLaptop           0%
StolenTape           0%

The USI SOLUTION

EXPERIENCE
• Coverage is modular – it is essential to know which coverage fits a specific risk
• Policy language varies from carrier to carrier, no two policies are the same.

EXPERTISE
• Dedicated team of Network Security & Privacy experts
• Experience in the policy features critical to Health Care Providers

MARKET LEVERAGE
• Access to the leading network of insurance carriers
• Ability to creatively tailor coverages to meet the needs of each unique client

1st Party Coverage
Losses Your Company Suffers Directly

Cyber Extortion: Covers costs to investigate, negotiate and settle if credibly threatened or if an extortion demand is received. Wording is essential, as distinction between extortion/terrorism/act of war, etc. is developing.

Data Asset/Data Restoration: Covers data restoration expenses after a covered data breach; this does NOT mean cost of new software/hardware, but restoration to pre-loss condition.

Business Interruption: Covers costs and expenses resulting from a shut down of operations due to a covered data breach; not always included in standard coverage. The “waiting period” for coverage is typically 24 hours. However, this should be discussed, as some organizations (high tech, online services, etc.) require a shorter trigger.

Crisis Management: Covers cost to hire a public relations firm to protect brand image and reputation following a breach.

3rd Party Coverage
Losses Suffered By Your Patients or Clients

Media or Content Liability: Covers insured’s economic liability when hackers / unauthorized users access Insured’s systems to inflict damage on others. Covers unauthorized access, unauthorized use and denial of service attacks, etc.

Privacy Liability Coverage and Breach Response: Covers defense and damages related to allegations of insured’s failure to protect private or confidential patient data, whether in electronic or paper forms; defense and settlement costs. Coverage may include the following, subject to sub-limits or per-record basis:
• Notification Expenses
• Credit Monitoring
• Event Management
• Governmental Regulatory Claims

Additional 3rd Party Coverage

Intellectual Property: Responds to loss arising from infringement of trademark, copyright and other protected sources – typically a SEPARATE POLICY is required to provide more expansive coverage for patent portfolios

Media or Content Liability: Responds to advertising injury for losses arising from display of material online and advertising,

Interested in Learning More?

Toni L Ferrari
Commercial Insurance Executive, Healthcare Practice
Mid-Atlantic Region
Phone: 757 640 5466
Mobile: 757-406-5229
toni.ferrari@usi.biz


Cyber & Privacy Liability for Health Care Industry

  • 1. USI Insurance Services Cyber and Privacy Liability for Healthcare Providers USI Management and Professional Services
  • 2. Cyber and Privacy Exposures Are Significant Sources of Liability Claims Against Healthcare Providers Cyber Liability: Privacy Liability: Liability arising out of 1st and 3rd Party risks misuse or improper associated with on-line disclosure of Personal Data - activities - Internet, Social Security Number Network and Data Assets or Credit Card) Confidential 1
  • 3. Cyber & Privacy Claims are Not Covered under Traditional Insurance Policies The Insurance Gap Errors & General Property Crime Omissions Liability Insurance Insurance • Typically excludes a • Excludes damage • Coverage is specific • Covers loss due to security breach to and corruption of to physical employee theft of • Typically tied electronic data loss or damage to money, securities or to/requires an act of • Covers only tangible property other property negligence to “tangible” property (named) • Property must be trigger coverage • Personal & • Courts have tangible and have advertising liability consistently held intrinsic value does not cover that data is not • No coverage for violations/misuse of tangible property confidential private information information Confidential 2
  • 4. Providers Increasingly Challenged to Manage Expanding Regulations with Limited Budgets and Resources State Breach Laws: 46 states have enacted legislation requiring security breach notification involving personal information – with no “overarching” Federal law, state statutes control. Health Insurance Portability and Accountability Act (HIPAA): Applies to health care businesses and any employer that provides health care benefits Payment Card Industry Data Security Standard (PCI DSS): Worldwide security standard created to prevent credit card fraud Federal Trade Commission (FTC): 2012-13 most active enforcer; new role similar to the EEOC of the last three years Health Insurance Portability Credit TransactionsAct (HIPAA): Applies to healthpassed in Fair and Accurate and Accountability Act (FACTA): Disposal Rule, care businesses and any employer that provides health care benefits identity theft and allows consumers to 2003, created standards to help reduce obtain a free annual credit report Hi Tech: Applies to certain healthcare facilities and is an expansive amendment to HIPAA Confidential 3
  • 5. Healthcare Industry Number One Target For Criminal Organizations Looking for Personal Information  Health records commonly include date of birth, social security number, credit card number and address  Healthcare breaches increased 32% in 2011 over 2010  Providers increasingly utilize hospital, pharmacy, payor and network computer systems to transmit patient information electronically  Lack of employee training in data security and privacy in healthcare  Lax office procedures related to confidential patient information  Increased Cyber and Privacy Liability regulatory challenges:  HIPAA Act (Federal)  HI-TECH (Federal) & PPACA  State laws (e.g., California Confidentiality of Medical Info) Confidential 4
• 6. Average Cost of Data Breach in 2011: $5.5 million*
  Health system accidentally posts medical records of thousands of patients on Internet. Class action suit filed seeks $10 million in damages. OCR notification costs $1+ million with total costs at $20+ million.
  May 2012: two physician clinics settled for $100,000 with HHS and OCR regarding HIPAA violations; investigation triggered by public calendar posting of patient appointments.
  Small MA hospital settled with State Attorney General for $750,000 on HIPAA violations; hospital shipped three boxes of unencrypted data to third party to be erased; only two boxes arrived at facility.
  June 2012: CT Medical Board fined a doctor $20,000 for unauthorized download of patient data.
  May 2012: Receptionist at psychological institution found liable for $2 million in ID theft and fraud; ordered to pay approximately $360,000 in restitution. Fines against institution under discussion.
  Information no longer resides exclusively on servers: Data has gone mobile, limiting the effectiveness of firewalls and other controls at even the most advanced firms!
  *Ponemon Institute and Symantec
• 7. Privacy and Cyber Liability for Healthcare Providers – Increased and Unique Risks
  Healthcare Holds or Transmits More Personal Data than Any Other U.S. Business Segment
   HIPAA virtually unenforced from 2005 to 2010. Starting with the passage of the Hi-Tech Act, the Dept. of Health and Human Services has stepped up enforcement actions through the Office of Civil Rights (OCR).
   Plaintiff Attorney fees have increased as complexity and potential awards have increased. A patchwork of both State and Federal statutes provides multiple actionable causes, and there is no sign of abatement.
   Beginning September 2012, with rules expanding in January of 2013, TX HB300 expands HIPAA requirements to businesses of all shapes and sizes in Texas, exponentially increasing statutory exposure.
  Bottom Line: Healthcare businesses must begin evaluating their cyber and privacy liability exposures and consider insurance coverage solutions!
• 8. Almost 50% of Losses Come From Fraud and Hacking
  Incidents by breach type (chart data):
    Hack: 30%
    FraudSe: 17%
    StolenLaptop: 9%
    Web: 8%
    Disposal_Document: 6%
    StolenDocument: 4%
    Unknown: 4%
    StolenComputer: 3%
    SnailMail: 3%
    Email: 3%
    LostDrive: 2%
    LostDocument: 2%
    Virus: 2%
    StolenDrive: 2%
    LostMedia: 1%
    LostMedia: 0%
    LostTape: 0%
    LostMobile: 0%
    DisposalComputer: 0%
    StolenMobile: 0%
    MissingLaptop: 0%
    StolenMedia: 0%
    MissingMedia: 0%
    LostLaptop: 0%
    StolenTape: 0%
  Source: http://datalossdb.org
• 9. The USI SOLUTION
  MARKET EXPERIENCE
    • Coverage is modular – it is essential to know which coverage fits a specific risk
    • Policy language varies from carrier to carrier, no two policies are the same.
  EXPERTISE
    • Dedicated team of Network Security & Privacy experts
    • Experience in the policy features critical to Health Care Providers
  LEVERAGE
    • Access to the leading network of insurance carriers
    • Ability to creatively tailor coverages to meet the needs of each unique client
• 10. 1st Party Coverage – Losses Your Company Suffers Directly
  Cyber Extortion: Covers costs to investigate, negotiate and settle if credibly threatened or if an extortion demand is received. Wording is essential, as the distinction between extortion/terrorism/act of war, etc. is still developing.
  Data Asset/Data Restoration: Covers data restoration expenses after a covered data breach; this does NOT mean the cost of new software/hardware, but restoration to pre-loss condition.
  Business Interruption: Covers costs and expenses resulting from a shutdown of operations due to a covered data breach; not always included in standard coverage. The “waiting period” for coverage is typically 24 hours. However, this should be discussed, as some organizations (high tech, online services, etc.) require a shorter trigger.
  Crisis Management: Covers cost to hire a public relations firm to protect brand image and reputation following a breach.
• 11. 3rd Party Coverage – Losses Suffered By Your Patients or Clients
  Covers insured’s economic liability when hackers / unauthorized users access Insured’s systems to inflict damage on others. Covers unauthorized access, unauthorized use and denial of service attacks, etc.
  Privacy Liability Coverage and Breach Response: Covers defense and damages related to allegations of insured’s failure to protect private or confidential patient data, whether in electronic or paper forms; defense and settlement costs. Coverage may include the following, subject to sub-limits or per-record basis:
    Notification Expenses
    Credit Monitoring
    Event Management
    Governmental Regulatory Claims
  Media or Content Liability
• 12. Additional 3rd Party Coverage
  Intellectual Property: Responds to loss arising from infringement of trademark, copyright and other protected sources – typically a SEPARATE POLICY is required to provide more expansive coverage for patent portfolios
  Media or Content Liability: Responds to advertising injury for losses arising from display of material online and advertising,
• 13. Interested in Learning More?
  Toni L Ferrari
  Commercial Insurance Executive, Healthcare Practice
  Mid-Atlantic Region
  Phone: 757 640 5466
  Mobile: 757-406-5229
  toni.ferrari@usi.biz