The government is continuing to ask for more help from the private sector to defend against cyber attacks. The National Infrastructure Advisory Council (NIAC) recently published a report discussing current cyber threats and urging private companies and executives to join forces with the government to better address those threats. The report proposes “public-private and company-to-company information sharing of cyber threats at network speed,” among other things discussed here.
On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.
In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).
OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
In its tenth OCR Cyber Awareness Newsletter of the year (Newsletter), the Office for Civil Rights (OCR) reminded HIPAA-covered entities and business associates of the importance of selecting an appropriate authentication method to protect electronic protected health information (ePHI). Authentication is the process used to “verify whether someone or something is who or what it purports to be and keeps unauthorized people or programs from gaining access to information.” The Newsletter notes that the health care sector has been a significant target of cybercrime and that some incidents result from weak authentication methods.
Authentication methods can consist of one or more factors and are often described as: (1) something you know, such as a password; (2) something you are, such as a fingerprint; or (3) something you have, such as a mobile device or smart card. Single-factor authentication requires only one of these factors. Multifactor authentication requires two or more of them (for example, a password prompt followed by an additional prompt sent to a mobile device).
On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses” (the Guide).
The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. For each lesson, the FTC discusses a specific settlement that illustrates it. The 10 lessons are:
- Start with security;
- Control access to data sensibly;
- Require secure passwords and authentication;
- Store sensitive personal information securely and protect it during transmission;
- Segment networks and monitor anyone trying to get in and out of them;
- Secure remote network access;
- Apply sound security practices when developing new products that collect personal information;
- Ensure that service providers implement reasonable security measures;
- Implement procedures to help ensure that security practices are current and address vulnerabilities; and
- Secure paper, physical media and devices that contain personal information.
The FTC also offers an online tutorial titled “Protecting Personal Information.”
We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.
Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of insurance coverage for data breaches, court decisions about whether insureds can force their insurance companies to cover costs for data breaches under the broad language of CGLs have been mixed, and little appellate-level authority exists.
On May 18, 2015, the Connecticut Supreme Court unanimously affirmed a state appellate court decision that an IBM contractor was not insured under its CGL for the $6 million in losses it suffered as the result of a data breach of personal identifying information (PII) for over 500,000 IBM employees. The contractor lost computer backup tapes containing the employees’ PII in transit when the tapes fell off a truck onto the side of the road. After the tapes fell out of the truck, an unknown party took them. There was no evidence that anyone ever accessed the data on the tapes or that the loss of the tapes caused injury to any IBM employee. Nevertheless, IBM took steps to protect its employees from potential identity theft, providing a year of credit monitoring services to the affected employees. IBM sought to recover the more than $6 million in costs it incurred for the identity protection services from the contractor, and negotiated a settlement with the contractor for that amount.
The contractor filed a claim under its CGL policy for the $6 million in costs it had reimbursed to IBM. The insurer refused to pay. In subsequent litigation with the contractor, the insurer made two main arguments. First, it argued that it only had the duty to defend against a “suit,” and that the negotiations between the contractor and IBM were not a “suit.” Second, the insurer argued that the loss of the tapes was not an “injury” covered by the policy.
The Connecticut Supreme Court adopted both of the insurer’s arguments, and the decision highlights two key areas for any company considering whether it needs additional insurance coverage for data breaches: what constitutes an “injury” under a CGL, and when an insurer is required to reimburse a company for costs associated with an injury. First, the court held that the loss of the computer tapes was not a “personal injury” under the CGL, because there had been no “publication” of the information stored on the tapes. In other words, because there was no evidence that anyone accessed or used the stolen PII, the court found that the data breach did not constitute a “personal injury” under the policy—even though the contractor spent millions of dollars reimbursing IBM for costs associated with the data breach.
Second, the court found that the CGL policy only required the insurer to reimburse costs stemming from a lawsuit or “other dispute resolution proceeding.” The contractor’s voluntary negotiations with IBM to reimburse it for the cost of data protection services were not a “suit” or “other dispute resolution proceeding” under the policy. Thus, the court reasoned that the insurer was not obligated to cover the contractor’s costs under the CGL policy.
Despite the recent decision from the Connecticut Supreme Court, some companies have been able to obtain compensation from their insurers even without appellate-level precedent in their favor. Sony recently settled with its insurers in a dispute over whether the insurers would cover data-breach losses under Sony’s CGL. Sony had sought insurance coverage when it was sued by customers after hackers stole confidential data of millions of Sony PlayStation users. Its insurance claim was based on policy language covering costs for “personal advertising injury,” which the policy defined specifically as “oral or written publication in any manner of the material that violates a person’s right to privacy.” The insurers refused to provide coverage, arguing that under the policy and case-law precedent, an insurer would only be obligated to provide coverage if the insured party caused the data to be published. Because third-party hackers, not Sony, stole the data (and arguably “published” it), the insurers claimed they had no duty to provide coverage.
A New York trial court judge ruled from the bench in favor of the insurance companies, concluding that the policy language only covered injuries stemming from publication of data by the insured, not by a third party such as a hacker. Sony appealed the decision, but prior to a decision from the appellate court, the parties settled for undisclosed terms. The settlement seems to suggest that the insurers were not convinced the appellate court would uphold the trial court’s decision.
While some companies have been successful in obtaining coverage for data-breach liability under their CGL, there are no guarantees. As these cases illustrate, insurers may not willingly provide such coverage under CGLs, requiring companies to engage in expensive legal battles with their insurers about coverage while they are simultaneously defending themselves in litigation arising directly from data breaches. As companies continue to experience major—and costly—data breaches at an increased rate, it is imperative for companies to understand exactly what their CGL insurance policy will cover and to consider obtaining a cyber-specific insurance policy to specifically address data breaches and other cyberattack risks.