Cyber Insurance: Yes, you need it!

Pennsylvania Association of Mutual
Insurance Companies
Annual Spring Conference
March 12, 2015
Presented by:
Jamie Orye, JD, RPLU
Beazley Group



What is Cyber Insurance?
What Coverages are Typically in a Cyber
Insurance Policy?
What’s Truly Important to Have (or Not Have)
in YOUR policy?



The term “cyber insurance” has a variety of
different meanings depending on who is
using it and how they are applying it.
Cyber insurance policy forms and coverages
differ significantly from carrier to carrier.
Cyber insurance and coverages are constantly
evolving and changing.

Technology Errors and Omissions Coverage
“Cyber and privacy insurance is often confused with technology
errors and omissions (tech E&O) insurance. In contrast to cyber
and privacy insurance, tech E&O coverage is intended to protect
providers of technology products and services, such as
computer software and hardware manufacturers, website
designers, and firms that store corporate data on an off-site
basis. Nevertheless, tech E&O insurance policies do contain a
number of the same insuring agreements as cyber and privacy
policies.”
-- International Risk Management Institute (IRMI)

Covered under a Commercial General Liability
policy
As of May 1, 2014, the Insurance Services Office introduced
“Exclusion – Access or Disclosure of Confidential or Personal
Information and Data-related Liability – with Limited Bodily
Injury Exception”.

Insurance “designed to [respond to and ]
mitigate losses from a variety of cyber
incidents, including data breaches, business
interruption and network damage.”
-- US Department of Homeland Security

Breach Response Services (1st party)

Information Security & Privacy Liability (3rd party)

Regulatory Defense & Penalties Coverage (3rd party)

Business Interruption Coverage (1st party)

Data Restoration Coverage (1st party)

Cyber Extortion Coverage (1st party)

Media Liability (3rd party)

Legal Analysis: costs associated with hiring specialized
attorneys to determine your responsibilities and duties under
applicable data breach and privacy statutes

Computer Forensics: costs associated with hiring specialized
computer forensics firms to determine the existence and extent
of a data breach

Notification: costs to print and mail letters to affected
individuals

Credit Monitoring: costs of offering 12 or 24 months of credit
monitoring with one or all three of the national credit bureaus

Call Center: costs of setting up a call center that affected
individuals receiving the notice can call with questions or for
additional information

Crisis Management/Public Relations: costs associated with hiring
a specialized crisis management firm to assist in the mitigation
of any adverse publicity resulting from the data breach
Computer Forensics: $500 - $600 per hour
Pre-Claim Legal Fees: $500 - $600 per hour
Notification Costs: $1 - $2 per affected individual
Credit Monitoring: $20 - $30 per affected individual
(15% - 25% acceptance rate)
Call Center: $4,000 - $5,000 setup costs plus per-minute charge
for each phone call received. For dedicated support, add
$50 - $60 per hour per person.
Claim / Regulatory Defense: $600 - $700 per hour
Liability: Varies

Average Cost of a Data Breach in the US:
$5.4M per breach / $188 per record*
*The 2013 Cost of Data Breach: Global Analysis by the
Ponemon Institute

Liability (and defense) resulting from harm
suffered by third-parties due to a data breach

Examples:
◦ Costs incurred by an affected individual in dealing
with identity theft and fraud resulting from the
breach of their private information
◦ Costs incurred by a business for which you handle
private information in dealing with their own
notification requirements resulting from the breach
of that private information

October 2012: Nationwide Mutual Insurance discovered a data
breach that impacted the “name, Social Security number,
driver's license number and/or date of birth and possibly
marital status, gender, and occupation, and the name and address
of their employer” of approximately 1.1M Americans. FBI and
various Attorneys General, including North Carolina’s, were
notified. Affected individuals were notified.*

February 2014: Federal judge in Kansas dismisses two proposed
class actions due to no evidence of actual harm.**

* http://www.zdnet.com/article/nationwide-mutual-hackaffected-1-1-million-americans/
** http://www.law360.com/articles/508534/nationwide-mutualdefeats-data-breach-class-actions



Costs associated with defending a claim brought by a
regulatory/law enforcement entity or agency pursuant to
federal or state data breach regulations, and any resulting
penalties assessed.
Office of Civil Rights (OCR): tasked with
enforcement of HIPAA & HITECH statutes
State Attorneys General: may bring regulatory
enforcement actions under state data breach laws
or unfair trade practices/consumer protection
laws


An insured’s loss of income and extra
expense costs resulting from a data breach or
computer network security event.
Sony Corporation: cyber attack took down
entire system for two days and left them
operating on reduced systems for several
weeks.



Costs to recreate deleted, destroyed, corrupted or altered
data resulting from a data breach.
Restoring data from backup tapes
Manually entering data from paper files if no
backup tape is available

Payment made to terminate the threat to
breach your computer network security in
order to:
◦ Destroy data
◦ Prevent access to computer systems
◦ Introduce a virus to your computer system or a
third party’s computer system
◦ Interrupt or suspend the functioning of your
computer system

Coverage for liability arising out of content
created or used by you. May be limited to
online content only.
◦ Defamation, libel, slander
◦ Plagiarism, misappropriation of ideas
◦ Copyright and trademark infringement

Adequate limits

Separate limit of coverage for first party breach
response coverage

Coverage for your vendors’ breaches involving
your information

Coverage for a suspected incident

Modified Intentional Acts Exclusion / Rogue
Employee Coverage


February 2013:
Mass Mutual Life Insurance Company
notifies a number of its customers (more than 500 in
California; 37 in Maryland) of a data breach resulting when a
third-party service provider, Convey Compliance Solutions,
inadvertently mailed 1099 tax forms to incorrect addresses.
Two years of credit monitoring was offered to all affected
individuals.*
*Privacy Rights Clearinghouse; CA & MD Office of Attorney
General Websites

Unencrypted Data Exclusion

Safeguard exclusion


Coverage that only extends to personally
identifiable information
Failure to follow your own privacy policy
exclusion



Traditional insurance policies (commercial
general liability, property, workers
compensation) do not provide cyber
coverage.
Policy forms and coverage differ significantly
from carrier to carrier
Carrier and breach response vendor(s)
experience is an important factor to consider
when purchasing a policy