
Don’t Make Your Cyber Insurance Coverage Illusory – Address Cyber Security Practices Before Purchasing Coverage

The risks of purchasing cyber insurance coverage before a business addresses its existing cyber security practices have just been made painfully clear by a recent case filed by an insurer in California.  Columbia Casualty, a unit of Chicago-based CNA, is seeking a judicial ruling that it is not obligated to pay a $4.125 million class action settlement paid by California-based Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, arising out of a data breach at the hospital.

According to the complaint: (1) the insurer issued a cyber insurance claims made policy to the hospital effective from October 1, 2013, to October 1, 2014; (2) the hospital subsequently suffered a data breach involving over 32,500 confidential medical records between October 8, 2013, and December 2, 2013; (3) a class action lawsuit was filed against the hospital on or about January 27, 2014, with a $4.125 million settlement receiving preliminary court approval on or about December 24, 2014; and (4) the insurer agreed to fund the settlement, subject to a complete reservation of rights.  Click here to review the complaint.

In its complaint, the insurer has asserted that a “failure to follow minimum required practices” exclusion precluded coverage on the alleged ground that the hospital did not follow its own description of its data security system in the insurance application. In the complaint, the insurer also asserted that the hospital’s failure to follow the data security protocols detailed in its application constituted a misrepresentation, and that all coverage was forfeited as a result of the alleged misrepresentation. As a result, the insurer has requested reimbursement of defense and settlement payments.

This case highlights the need for a policyholder to be diligent from the first day it reviews and completes an application for cyber insurance to make sure it understands the requirements for coverage. Stakeholders in information technology, treasury, finance, legal and risk management should all be involved in any review of a cyber insurance application to ensure that appropriate coverage language is in place.  In addition, after cyber coverage is purchased, a policyholder must be vigilant in implementing its cyber security practices, and create a record sufficient to prove that it has complied with policy requirements.  At the end of the day, money spent on cyber insurance coverage is well spent only if covered losses are ultimately paid by the insurer.

If you have questions or would like to discuss cyber insurance coverage for your business, please contact a member of the McGrath North Privacy and Data Security team.


The Anthem Breach – Assessing Employer Notification Requirements

On February 13, 2015, Anthem, Inc. (Anthem) announced that on January 29, 2015, it discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information relating to consumers who were or are currently covered by Anthem or other independent Blue Cross and Blue Shield plans that work with Anthem.  Anthem stated that it believed the suspicious activity may have occurred over the course of several weeks beginning in early December, 2014.  Anthem has reported that the information accessed may have included individual names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information, including income data.  For more information concerning the breach, click here to access the website created by Anthem to update employers about the breach.

Anthem is one of the largest health benefits companies in the United States. Through its affiliated health plans, Anthem companies deliver health benefit solutions through a portfolio of integrated health care plans and related services, along with a range of specialty products such as life and disability insurance benefits, dental, vision, behavioral health benefit services, as well as long term care insurance and flexible spending accounts.  Headquartered in Indianapolis, Indiana, Anthem, Inc. is an independent licensee of the Blue Cross and Blue Shield Association serving members in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin; and specialty plan members in other states.

Employers who have Anthem plans or use Anthem as a third party administrator (TPA) for their health plans should review their plan documents to understand what rights and obligations the parties have in the event of a data security breach.

Federal And State Breach Notification Requirements.  With respect to federal and state breach notification requirements, if protected health information was involved in the attack, the attack was most likely a breach under HIPAA and subject to the HIPAA breach notification reporting rules.  Given the nature of the information involved in the attack, most clients of Anthem will likely treat the attack as a breach under HIPAA and follow HIPAA’s breach notification reporting rules. In addition, forty-seven states have separate breach notification reporting statutes that may be triggered when certain sensitive information (such as Social Security numbers) is breached.  Since the rules vary from state to state, an affected employer will need to determine which State breach notification reporting statutes apply.

What Affected Employers Should Do Now.  While Anthem’s investigation continues, affected employers should consider taking steps now to ensure required breach reporting requirements are met.

  • Obligation To Provide HIPAA Breach Notification.  Breach notification obligations under HIPAA may depend on whether an employer’s health plan is fully insured or self-funded; and, if self-funded, whether Anthem has contractual obligations under its business associate agreement (Agreement) with an affected employer to provide the required notification.  If a plan is fully insured, Anthem will likely be obligated to provide the notification.  If a plan is self-funded, Anthem may also be obligated to provide the notification pursuant to its Agreement with the employer. Affected employers should review their Agreement with Anthem to make this determination.
  • Obligation To Provide State Breach Notification.  Under many State breach notification reporting statutes, the party that lost the data is the one responsible for issuing notification of the breach.  A review by an affected employer of the applicable State breach notification reporting statutes will be required to determine its obligation to report the Anthem breach to its employees.  An affected employer should also consider confirming with the respective State Attorney General that following the HIPAA breach notification reporting requirements will satisfy that State’s breach notification reporting requirements.
  • Communication With Employees.  Affected employers should urge employees affected by the Anthem breach to be extra vigilant for “phishing” schemes – targeted emails with embedded links that might seek to gain access to additional information – and any other suspicious written or verbal communications.  Employees should also be encouraged to immediately change their passwords to all sensitive accounts and should monitor credit card and other financial accounts to guard against unusual activity.  In addition, in its communications with its employees regarding the Anthem breach, an affected employer should note that any information regarding the Anthem breach has been provided by Anthem (where applicable), and that the employer is not making any representations about the breach or surrounding facts.
  • Review Anthem Mitigation Efforts.  An affected employer should confirm with Anthem the steps currently being taken to protect the employer’s employees and other affected individuals.  The affected employer will want to review any agreements with Anthem to determine whether the victim protection, client indemnification, and paid notification being proposed by Anthem are consistent with Anthem’s obligations under such agreements.

Cyber Insurance: A Valuable Tool In The Cyber Security Readiness Toolbox

Cyber security breaches impose significant costs on affected businesses that can materially affect their finances and reputation. Such costs include expenses related to various federal and state law breach notification requirements, as well as significant civil liability and regulatory fines. Now more than ever, stakeholders in businesses that handle a significant amount of personal identifying information, or hold key trade secrets, must educate themselves about the threat of a potential cyber security breach, as well as the tools available to help mitigate that threat.

Any response to this potential threat should include a review of the degree to which the risks of a cyber security breach are covered by the various insurance policies held in a business’ insurance portfolio. Such a review should address whether all operational, legal and regulatory risks have been identified; whether everyone who needs to be, whether inside or outside the business, is covered (for example, cloud providers and various other vendors and third-party service providers); whether policy language creates unintended exclusions or gaps in coverage; and whether all first party and third party costs associated with such a breach are addressed. First party coverage addresses theft and fraud, forensic investigation costs, business interruption, extortion and computer data loss and restoration, while third party coverage addresses litigation and regulatory expenses, notification costs, crisis management and public relations costs, credit monitoring, privacy liability and media liability.

We encourage businesses to carefully review with their respective insurance and legal advisors the terms of their existing insurance coverage to help gauge their readiness to respond to a cyber security breach. If you have questions about your organization’s cyber security insurance coverage, or that of your vendors and third-party service providers, contact a member of the McGrath North Privacy and Data Security Group.
