Posted January 15th, 2013 by Greg Fliszar
About: Greg Fliszar is a member of Cozen O'Connor's Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.
On January 2, 2013, the Department of Health and Human Services (“HHS”) announced that it had entered into a Resolution Agreement with Hospice of North Idaho (“HONI”) to settle alleged HIPAA violations resulting from the theft of an unencrypted laptop computer containing the electronic personal health information of 441 patients. This is the first HHS settlement involving the breach of protected health information (“PHI”) involving fewer than 500 individuals.
After being notified by HONI of the stolen laptop, the HHS Office for Civil Rights (“OCR”) conducted an investigation and concluded the following:
- HONI did not conduct an accurate and thorough risk analysis as required by the HIPAA Security Rule, especially with respect to an evaluation of the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted by portable devices.
- HONI did not have in place policies or procedures to address the security of PHI stored or transmitted in portable electronic devices.
In entering into the Resolution Agreement, HONI agreed to pay $50,000 and enter into a two-year corrective action plan with HHS. A copy of the Resolution Agreement can be found at: http://www.hhs.gov.privacy/hipaa/enforcement/examples/honi-agreement.pdf.
Although this case is unique in that it is the first settlement by HHS of a data breach involving fewer than 500 individuals, the facts that gave rise to the action by HHS are all too familiar. The breach resulted from the theft of an unencrypted laptop and HHS was troubled by the provider’s alleged lack of a risk analysis and appropriate policies and procedures to protect PHI stored in or transmitted by portable electronic devices. In this era of increased HIPAA enforcement, covered entities and business associates must remain vigilant in their HIPAA compliance efforts. This includes, without limitation, (i) conducting thorough risk assessments, (ii) developing and updating robust HIPAA policies and procedures, and (iii) conducting ongoing HIPAA training and awareness programs with all staff. In essence, affected entities must create what OCR has often referred to as a “culture of compliance.” Moreover, emphasis should be placed on the use and safeguards of portable electronic devices, which, as in this case, are frequently at the center of a data breach.
Posted December 20th, 2012 by Amanda Lorenz
Regular Cyberinquirer readers may recall the following holiday poem by Amanda Lorenz. Like the Yule Log, we here at Cyberinquirer Central have decided to republish Amanda’s poem on an annual basis at holiday time, barring extenuating circumstances. Hope you agree that it remains fresh and timely. In any event, enjoy! And happy holiday season from your friends at Cyberinquirer.

Twas the month before Christmas and all through the house,
All the children were networking with the click of a mouse.
Cyber thieves were nestled all snug in their chairs,
Waiting for shoppers to unknowingly share.
As I shopped for him and he shopped for me,
The thieves stole our money and our financial history.
We did not even realize that this information was taken,
And we thought the denial of our credit card was mistaken.
Using Phishing or SMiShing and hacking the links,
Our private information was retrieved in a blink.
Perhaps we should have shopped on a network that was secure,
Or at least checked our credit reports monthly to be sure,
That thieves were not using our names and our faces
To purchase plane tickets to tropical places.
So to all of the shoppers who like to avoid the crowd,
Protect your info this season and make CyberInquirer proud!


Happy Holidays from CyberInquirer!
Posted October 29th, 2012 by Greg Fliszar
Since the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules became effective in April 2003, there has been minimal enforcement activity by the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”). However, this has changed dramatically over the last two years, as evidenced by some recent high-profile and high-penalty enforcement actions taken by OCR. In addition to being concerned about OCR investigations, covered entities and business associates must also be on the alert for enforcement actions by state Attorneys General, potential class action lawsuits, and OCR’s HIPAA audit program. Even though many in the health care industry are sitting in a holding pattern waiting for the HIPAA/Health Information Technology for Economic and Clinical Health (“HITECH”) Act final rules, covered entities and business associates should thus be as vigilant as ever, if not more so, in their HIPAA compliance efforts.
Posted August 23rd, 2012 by Francois Lesieur
For those captivated by recent events in astronomy, parallels can be drawn between the recent landing of NASA’s rover Curiosity on planet Mars and the public discourse on data security in Canada. With the distinction that one is effectively equipped with the right budget and tools to achieve its actual objective, both have come a very long way, both have managed to blaze through layers of clouds, both seek to secure ingredients essential to life, and both are now aimlessly wandering about uncharted territories.
A decisive factor in Barack Obama’s 2008 political campaign was the extensive use of individual, thin-sliced consumer data to send highly tailored messages to gain political support. Within 13 years, Google has become the most valuable brand in the world through the aggregation of vast amounts of data, including search data and data held in Gmail accounts. This information is then used to create an advertising cruise missile, which is much more efficient than the old method of pattern bombing.
Posted August 18th, 2012 by Andrea Cortland
About: Andrea Cortland joined Cozen O’Connor’s Philadelphia office in September 2009 as an Associate in the Global Insurance Group. Prior to joining the firm, she participated in the Cozen O’Connor Summer Associate Program.
Andrea earned her law degree, magna cum laude, from the University of Miami School of Law, where she was Symposium Editor of the University of Miami Inter-American Law Review, a member of the Moot Court board, and a Dean's Fellow in the Academic Achievement Program. She organized a symposium entitled "Righting Wrongs? The Inter-American System of Human Rights after 50 Years," in celebration of the 30th anniversary of the Inter-American Court of Human Rights, the 40th anniversary of the American Convention on Human Rights, and the 50th anniversary of the creation of the Inter-American Commission on Human Rights. The symposium discussed the roles the court and commission have played in furtherance of human rights throughout the Americas and addressed current areas of concern. Andrea also wrote a comment note, "United States v. Burns: Canada's Extraterritorial Extension of Canadian Law and Creation of a Canadian 'Safe Haven' in Capital Extradition Cases," which was published in Volume 40 of the University of Miami Inter-American Law Review in Fall 2008.
Andrea earned her undergraduate degree, summa cum laude, from the Rutgers College Honors Program of Rutgers University.
New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.
Connecticut
At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.
Posted July 31st, 2012 by Francois Lesieur
Recent unauthorized access to British Columbia Institute of Technology’s computer network, which contained personal medical information of approximately 12,680 individuals, is yet another reminder of risks of exposure to data breaches. That none of the data on BCIT’s computer network was compromised or misused is reflective of a low-profile non-hacker intrusion, and of the ease with which computer networks can be infiltrated. Indeed, a sophisticated hacker would know better than to leave massive amounts of data, rightly labeled by some as the “oil” of the 21st century, uncompromised. More curious than uncompromised data, however, is BCIT’s notification in the absence of an actual data breach, and mandatory breach notification provisions under B.C. privacy law.
Posted July 21st, 2012 by Richard Bortnick
A quick Google search will reveal hundreds of thousands of hits for the term cyberstalking. Indeed, as of today, there are over 900,000 posts where the word is used. Perhaps not surprisingly, many of the listings involve teen cyberbullying and child protection issues. There are also large numbers of celebrities who are cyberstalked or otherwise harassed. Beyond juveniles and celebrities, the most frequently stalked demographic is 18- to 32-year-old females, a cohort to which some of our own bloggers (and co-publishers) belong. Curiously, reports indicate that more and more women are also the cyberstalkers, not just the victims. Anecdotal stories suggest many of these women are married but unhappy with their lives.
Posted June 14th, 2012 by Richard Bortnick
The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).
Rick
It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, their development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.
At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.
Posted December 25th, 2011 by Gregg Rapoport
We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.
The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.
Rick Bortnick
As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.
To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.
Posted December 16th, 2011 by Rick Welsh
About: Rick has been a Lead London Market cyber underwriter since 2000 with underwriting and broking experience in Asia Pacific, Australasia and Europe.
The following article, written by renowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.
Rick Bortnick
Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.
The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’, issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range of $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.
Posted December 10th, 2011 by John Doernberg
About: John Doernberg is a Vice President at William Gallagher Associates in Boston and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston.
As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!
Rick Bortnick
Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.
The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.
Posted November 12th, 2011 by Richard Bortnick
In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.
And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not out of the clear. And, things may be getting worse as the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).
Posted October 29th, 2011 by Richard Bortnick
It’s not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director of a company that does not “comply” with the DCF’s “recommendations.”
Posted October 25th, 2011 by Nicole Moody
Businesses that necessarily require their customers to disclose credit card and personal information, beware. Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for “mitigation damages” arising from alleged negligence and breach of contract were viable. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).
In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported.
Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards. Some financial institutions, which refrained from immediately canceling the credit card, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.
Posted October 9th, 2011 by Matthew Klebanoff
About: Matthew is an associate at Cozen O'Connor in the Global Insurance Group.
I. Overview
Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.
Posted October 2nd, 2011 by Richard Bortnick
I. Introduction
The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity. At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers.
75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011). Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.
Posted September 29th, 2011 by Richard Bortnick
Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…
At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.
Posted July 13th, 2011 by Vinny Sakore
The yellow fever outbreak of summer 1798 was the worst in Philadelphia’s history. Over 5,000 residents were infected, and nearly 1,300 died, causing even President Washington to flee. On the night of September 1st, 1798, the vault at Carpenter Hall was breached and the then-massive amount of $162,821 went missing. This first bank robbery in the United States, attributed as an “inside job”, ushered in an era of robberies that turned criminals into celebrities. Jesse James, Bonnie and Clyde, and John Dillinger have become legends. At present, the risk of yellow fever has been mitigated due to vaccines. The risk of bank vaults being physically robbed similarly has been reduced.
Posted June 30th, 2011 by Richard Bortnick
Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personally identifiable information, the problem has existed for decades.
Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers having to pay an average of $7.2 million to deal with and remedy the situation.
One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.
In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008).
Posted May 13th, 2011 by Nicole Moody
Faced with revitalizing a deteriorated economy, formulating a national budget, and the aftermath of Osama Bin Laden’s death, President Barack Obama has his hands full. Yet, in the midst of all the issues commanding the White House’s attention, the Obama Administration somehow has found time to address the threats to our nation’s cyber security.
According to Business Insurance, on Thursday, May 12, 2011, the Obama Administration proposed cyber security legislation to improve protection for individuals and the federal government’s computer and network systems. The proposed legislation would address national data breach reporting by creating simpler and standardized reporting requirements for the 47 states that contain such requirements. The proposal would also synchronize penalties for computer crimes with other crimes. Additionally, the government, through the Department of Homeland Security, would become directly involved in assisting the industry as well as state and local governments in policing and enforcing cyber security. The proposed legislation encourages the state and local governments to share information with the Department of Homeland Security about cyber threats or related incidents by providing them with immunity for doing so.
Posted May 6th, 2011 by Brian Petrilla
Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.
If anyone still harbors the notion that video games are simple distractions from the age of Pong, they haven’t seen the latest statistics. One of the most popular games released last year, “Call of Duty: Black Ops”, generated $650 million in the first five days of sales and exceeded $1 billion in record time. The achievement put the game in the company of Michael Jackson’s “Thriller” album and James Cameron’s movie “Titanic.” As a whole, the video game industry has been valued at over $100 billion. That massive size and scope make the impact of a cyber attack all the more devastating.
Posted April 25th, 2011 by Richard Bortnick
Following the publication of our original post on the implications of a cyber attack on investors’ securities portfolios (see here), we have been asked by scores of readers whether securities fraud litigation arising from cyber crime has ensued. Not surprisingly, the answer is “yes.”
Indeed, we have located at least two such cases, one a putative securities fraud class action against a payment processing company and the second an SEC initiated action against a private investor. The results may (or may not) surprise you, depending on your perspective of trial courts’ levels of judicial activism and willingness to render substantive decisions at early stages of litigation.
In re: Heartland Payment Systems, No. 09-1043 (D.N.J. Dec. 07, 2009) remains the paradigm for such litigation. To facilitate its payment processing services, Heartland Payment Systems (“Heartland”) stored millions of credit and debit card numbers on its internal computer network. In December 2007, hackers launched a Structured Query Language Attack (“SQL attack”) on Heartland’s payroll management system. To its credit, Heartland was able to successfully avert the attack before any personally identifiable information was stolen. At the same time, however, the company failed to detect malicious software (“malware”) which had been placed on the network by the SQL attack. The malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers. Heartland did not discover the breach until January 2009, at which time it notified government authorities and publicly disclosed the event. Over the course of the following month, Heartland’s stock price dropped over $15 per share. Perhaps not surprisingly, shareholder class actions ensued.
In their complaint, plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. Specifically, plaintiffs claimed that the defendants concealed the SQL attack and misrepresented the general state of Heartland’s data security. Plaintiffs further alleged that the defendants’ conduct was fraudulent because they were aware that Heartland’s network had been breached, yet they had not fully remedied the problem
Posted August 27th, 2010 by Nicole Moody
Google, Facebook, Twitter, Foursquare—millions of Americans, including myself, depend on these cyber sites as their gateway to information and communication in the outside world. What we may not realize, or choose to ignore for convenience’s sake, is that this gateway lies on a two-way street. The information that we seek using websites such as Google and what we communicate on Facebook and Twitter provide companies with vital data to better market their products to us. This use of information is referred to as “data mining.”
An example of data mining can be seen in the advertisements that pop up on the side of your Facebook home page. Such ads are often relevant to the information posted on your “Profile” page, such as advertisements promoting products from your college alma mater.
At the outset, data mining seems like a win-win situation for both the consumer and the seller—the consumer is marketed a product in which they are seemingly interested and the company has utilized its advertising budget in an informed, cost-effective manner. At the same time, however, the threat of an invasion of privacy is real and has the attention of members of Congress and federal officials, who are looking to create legislation regulating the way in which, and the extent to which, our personal information is shared with third parties.
Posted August 11th, 2010 by Richard Bortnick
On July 23, 2010, the United States Court of Appeals for the Eighth Circuit issued an important decision in Eyeblaster, Inc. v. Federal Ins. Co., 2010 U.S. App. LEXIS 15152, No. Civ. A. 08-3640, finding concurrent coverage under both a General Liability (“CGL”) insurance policy and a separate Information and Network Technology Errors and Omissions Liability (“E&O”) policy in circumstances where an online marketing company installed software on a consumer’s computer system, allegedly corrupting the computer’s software operating system.
Eyeblaster Inc. (“Eyeblaster”), the policyholder, is a company that creates, delivers and manages online interactive advertising. For the period December 5, 2006, to December 5, 2007, it was insured under two concurrent policies issued by Federal Insurance Company (“Federal”): (1) a CGL policy covering occurrences which cause damage to tangible property, and (2) an E&O policy which covered claims for financial loss caused by a wrongful act in connection with a product’s failure to perform its intended function or serve its intended purpose, resulting in damage to intangible property. As to the latter policy, intangible property included software, data and other electronic information. Both policies were “duty to defend” forms.
Posted August 9th, 2010 by Amanda Lorenz
Interviewing for your first job as a teenager is as exciting as it is intimidating. Thoughts of what to do with your first paycheck consume your mind as you rehearse your best “do-you-want-fries-with-that” smile. The interview proceeds flawlessly and you start to count the dollar signs as you await the job offer. But imagine your surprise when you are informed that you did not get the job because your background check revealed that you are over $75,000 in debt and five years behind in your child support payments for your eleven-year-old child…a terrifying thought considering you are only 16 years old.
Adults aren’t the only victims of identity theft. Child identity theft is an increasing and understated crime. A child’s Social Security Number (“SSN”) is the perfect target, as the theft typically goes undetected until years after the crime has taken place. Indeed, the crime might not be discovered until the rightful owner/victim uses his or her SSN for the first time years later. This revelation often occurs when the victim applies for his or her first job or financial aid before college.
The scheme works as follows: businesses are using various techniques to search the Internet for dormant SSNs. These numbers often belong to long-term inmates, dead people or children. Obtaining them is not as difficult as one may think, as SSNs are distributed systematically depending on age, geographical location and when the number is issued. Once it has been determined that no one is actively using the number to obtain credit, the numbers are offered for sale.