Consumer Response Options To The Equifax Security Breach

Equifax, one of the three major consumer credit reporting agencies, was the victim of a criminal cyber-attack this summer that potentially impacted 145.5 million people in the United States. Hackers gained access to company data that contains highly sensitive information, including social security numbers, driver’s license numbers, addresses, birth dates, credit card information, and more. Although there have been other cyber-security breaches in recent years, this attack is particularly concerning for many consumers due to the ultra-sensitive nature of the information. Additionally, the information that Equifax maintains in its databases is much more extensive than the information that was exposed in previous publicized security breaches.

For those who assume they are not impacted by the breach because they have never personally used Equifax, think again. Any individual who has requested a credit report or uses credit could potentially be affected. Equifax handles the data of 820 million consumers and works with more than 91 million companies around the world. Although Equifax has promised to notify those potentially affected by e-mail, Equifax suggests visiting the Equifax website to check for a potential impact. Equifax is also offering consumers the opportunity to enroll in one year of free credit monitoring and identity theft protection offered through TrustedID (an Equifax product). For those consumers who receive an affirmative potential impact result, enrolling in one year of free credit monitoring is one way to monitor whether a thief is attempting to use their social security number for credit purposes. Enrolling in TrustedID does not take away consumers’ rights to take legal action against Equifax. Consumers must make an independent decision as to whether they should follow Equifax’s advice.

Some consumers may have considered freezing their credit. While this is a viable option for preventing thieves from opening any lines of credit under their stolen social security numbers, consumers considering this option should also weigh the difficulties associated with later lifting and re-freezing their credit. Other options consumers have for protecting themselves after the Equifax breach include resetting passwords, setting fraud alerts with the credit reporting agencies, and vigilantly monitoring bank and credit card statements.

Don’t Make Your Cyber Insurance Coverage Illusory – Address Cyber Security Practices Before Purchasing Coverage

The risks of purchasing cyber insurance coverage before a business addresses its existing cyber security practices have just been made painfully clear by a recent case filed by an insurer in California. Columbia Casualty, a unit of Chicago-based CNA, is seeking a judicial ruling that it is not obligated to pay a $4.125 million class action settlement paid by California-based Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, arising out of a data breach at the hospital.

According to the complaint: (1) the insurer issued a cyber insurance claims-made policy to the hospital effective from October 1, 2013, to October 1, 2014; (2) the hospital subsequently suffered a data breach involving over 32,500 confidential medical records between October 8, 2013, and December 2, 2013; (3) a class action lawsuit was filed against the hospital on or about January 27, 2014, with a $4.125 million settlement receiving preliminary court approval on or about December 24, 2014; and (4) the insurer agreed to fund the settlement, subject to a complete reservation of rights.

In its complaint, the insurer has asserted that a “failure to follow minimum required practices” exclusion precluded coverage on the alleged ground that the hospital did not follow its own description of its data security system in the insurance application. In the complaint, the insurer also asserted that the hospital’s failure to follow the data security protocols detailed in its application constituted a misrepresentation, and that all coverage was forfeited as a result of the alleged misrepresentation. As a result, the insurer has requested reimbursement of defense and settlement payments.

This case highlights the need for a policyholder to be diligent from the first day it reviews and completes an application for cyber insurance, to make sure it understands the requirements for coverage. Stakeholders in information technology, treasury, finance, legal and risk management should all be involved in any review of a cyber insurance application to ensure that appropriate coverage language is in place. In addition, after cyber coverage is purchased, a policyholder must be vigilant in implementing the cyber security practices it described in its application, and must create a record sufficient to prove that it has complied with policy requirements. At the end of the day, money spent on cyber insurance coverage is well spent only if covered losses are ultimately paid by the insurer.

If you have questions or would like to discuss cyber insurance coverage for your business, please contact a member of the McGrath North Privacy and Data Security team.

Cyber Insurance: A Valuable Tool In The Cyber Security Readiness Toolbox

Cyber security breaches impose significant costs on affected businesses that can materially affect their finances and reputation. Such costs include expenses related to various federal and state law breach notification requirements, as well as significant civil liability and regulatory fines. Now more than ever, stakeholders in businesses that handle a significant amount of personal identifying information, or hold key trade secrets, must educate themselves about the threat of a potential cyber security breach, as well as the tools available to help mitigate that threat.

Any response to this potential threat should include a review of the degree to which the risks of a cyber security breach are covered by the various insurance policies held in a business’ insurance portfolio. Such a review should address whether all operational, legal and regulatory risks have been identified; whether everyone who needs to be covered, whether inside or outside the business, is covered (for example, cloud providers and various other vendors and third-party service providers); whether policy language creates unintended exclusions or gaps in coverage; and whether all first-party and third-party costs associated with such a breach are addressed. First-party coverage addresses theft and fraud, forensic investigation costs, business interruption, extortion, and computer data loss and restoration, while third-party coverage addresses litigation and regulatory expenses, notification costs, crisis management and public relations costs, credit monitoring, privacy liability and media liability.

We encourage businesses to carefully review with their respective insurance and legal advisors the terms of their existing insurance coverage to help gauge their readiness to respond to a cyber security breach. If you have questions about your organization’s cyber security insurance coverage, or that of your vendors and third-party service providers, contact a member of the McGrath North Privacy and Data Security Group.

New Sheriff In Town: FTC Enters The Fray As A Federal Enforcer Of Healthcare Data Breaches

Over the last several years, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has significantly increased its HIPAA healthcare data breach enforcement posture, resulting in aggregate fines exceeding $10 million since June 2013. In addition to these increased enforcement efforts, the Federal Trade Commission (“FTC”) has now entered the fray as an additional federal enforcer of healthcare data breaches.

In August 2013, the FTC filed an administrative complaint against LabMD, a Georgia cancer detection services laboratory, for failing to provide reasonable and appropriate security for protected health information (“PHI”) on its computer networks, resulting in a breach affecting over 9,000 consumers’ billing information. The FTC claimed that this alleged security failure and consumer harm represented an unfair act or practice under Section 5 of the FTC Act. In the course of rejecting LabMD’s motion to dismiss, the FTC asserted its jurisdiction by stating that nothing in HIPAA indicated an intent of Congress to restrict the FTC’s authority over alleged unfair data security practices such as those at issue in the LabMD case, and that nothing in HIPAA or HHS’ rules negated the FTC’s authority to enforce the FTC Act. On May 12, 2014, a federal district court dismissed LabMD’s motion for a preliminary injunction to stop the FTC’s administrative proceeding. Regardless of the outcome of the FTC administrative proceeding, businesses should take note that on January 28, 2014, LabMD announced it would be winding down its operations, citing the debilitating effects of the FTC’s investigative practices and litigation.

Businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules now need to be concerned with more than the OCR and state Attorneys General, who are given direct enforcement power under HIPAA, because the FTC has now clearly asserted itself as an additional regulator of healthcare data breaches. Businesses should remain diligent in their HIPAA compliance efforts, as a breach of PHI may result in multiple enforcement actions. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.

Cyber-Risk: It’s Not Just An IT Issue, It’s A Board Issue

On June 10, 2014, U.S. Securities and Exchange Commissioner Luis A. Aguilar spoke at the New York Stock Exchange “Cyber Risks and the Boardroom” Conference. With the high number of recent successful cyber-attacks, Commissioner Aguilar suggests that cyber-risk must be considered a part of a board’s overall risk oversight. It is the board’s responsibility to ensure the adequacy of the company’s cybersecurity measures. Aguilar cites suggestions for how this can be done, including boards reviewing annual budgets for privacy and IT security programs, assigning roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks. Aguilar encourages companies to conduct regular risk assessments and cites the recently released Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (“NIST”) as the likely standard for best practices in assessing a company’s cybersecurity risks. In short, boards need to become educated on cybersecurity risks and be proactive in trying to minimize those risks.

Commissioner Aguilar’s speech can be found at: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946