Kimberly B. Holmes, Esq., RPLU VP, Product Development, Chief … · 2016-02-24 · About the...

Page 1

Cyber Insurance in an Evolving Liability Landscape: Informed, Strategic Expectations

Monday, February 29, 2016 2:00pm – 3:00pm

Kimberly B. Holmes, Esq., RPLU VP, Product Development, Chief Underwriting Office

OneBeacon Insurance Group [email protected]

Page 2

Conflict of Interest

Kimberly B. Holmes, Esq., RPLU

Has no real or apparent conflicts of interest to report.

Page 3

About the Speaker

Kimberly B. Holmes, Esq., RPLU

Vice President, Product Development

Chief Underwriting Office, OneBeacon Insurance Group

Ms. Holmes is responsible for Product Development across all management and professional liability product lines for OneBeacon Insurance Group as well as for providing cyber liability technical guidance and oversight across all industry segments on behalf of the company’s Chief Underwriting Office. Ms. Holmes has been a frequent speaker at health care and cyber liability industry events for more than 10 years and has authored materials on health care, health care reform and health care cyber liability for various industry publications and professional liability organizations. Kim served as Deputy Worldwide Product Manager for Chubb’s Health Care management liability practice for almost 10 years, in addition to developing and executing strategy and guidance as Chubb’s Health Care Cyber Product Manager, helping Chubb to secure in 2012 the American Hospital Association’s exclusive endorsement as cyber insurance carrier to the health care industry. Ms. Holmes is a member of the American Bar Association’s Health Law section and is admitted to the Connecticut state, federal and Maine state bars.

Page 4

Session Description & Learning Objectives

PHI breaches and criminal hacking in the health care industry rose dramatically in 2015 – mandating that organizations have a tailored, solid cyber insurance program in place before and after a breach. With heightened OCR scrutiny and audits coming in 2016, documenting your organization’s privacy and security best practices and procedures has never been more critical. Making assumptions about what types of insurance should protect your organization in the wake of a data breach can be risky, and so is not watching your business associates closely.

Learning Objectives:

Evaluate cyber insurance options and how different coverages are designed for different exposures stemming from a malicious service disruption or other form of data breach event

Explain the pitfalls of making assumptions regarding what various (non-cyber) insurance products may/may not address in the wake of a health care cyber/data privacy breach event

Describe evolving cyber liability trends in the health care industry

Assess how to mitigate your organization’s liability (under federal and state law) before a malicious hacking or other data breach occurs

Summarize the benefits of well-planned and executed business associate agreements while evaluating how and why it is critical to monitor these relationships on an ongoing basis

Page 5

Today’s Cyber Insurance Landscape:

Page 6

Challenges for Cyber Insurance Industry Today:

Lack of Sound Actuarial Data

Disproportionate Disclosure vs. Breach Frequency

Decision Makers Often Not Convinced Insurance is Needed

Evolving Litigation Claims Landscape

Page 7

Evaluating Cyber Insurance Options: What Coverage Covers What?

Page 8

Types of Cyber Insurance Coverage Available

Third Party Liability:

Cyber Liability (Standard Insuring Clause)

First Party Costs:

Privacy Notification Expenses

Crisis Management Expenses (PR, Forensic, Legal, Reward)

E-Business Interruption Expenses

E-Theft Loss

E-Communication Loss

E-Threat Expenses (Extortion)

E-Vandalism Expenses

Page 9

Evaluating Cyber Insurance Options: Knowing Your Organization’s Needs

Page 10

Types of Cyber Insurance Coverage Available

Dedicated cyber liability products:

Standalone (monoline) products

Portfolio & Package products

Network Security coverage

Privacy coverage

1st Party Costs coverage

3rd Party Liability coverage

Page 11

Types of Cyber Insurance Coverage Available

Sub-limits on traditional “non-cyber” products:

D&O (Director & Officer Liability) coverage

E&O (Errors & Omissions Liability) coverage

Professional Liability coverage

Hospital Professional Liability

Physician Professional Liability

Miscellaneous Professional Liability

GL/P&C coverage

Page 12

BEWARE Assuming “Other” Insurance Will Fully Respond to your Breach

Page 13

Pitfalls in Assuming “Other” Insurance will fully respond to your Breach

“Wrongful Act” definitions may trigger, but only for 3rd party liability (defense/settlement) exposures

No 1st Party coverage (Notification mandated under HIPAA for PHI breaches)

Other policy exclusions may apply to limit coverage

Bodily Injury exclusion

Internet exclusion

Computer systems exclusion

Acts of foreign government exclusion

Intentional acts exclusion

Page 14

Evolving Cyber Liability Trends in the Health Care Industry

Page 15

Recent Market/Claim Developments:*

Hacking frequency in health care industry significantly on the rise in 2015:

Texas Health and Human Services (2 million individuals; Nov., 2015)

Excellus BC/BS (10 million individuals; Sept., 2015)

UCLA Health System (4.5 million individuals; July, 2015)

Office of Personnel Management (21.5 million individuals; June, 2015)

Premera (11 million individuals; March, 2015)

Anthem (80 million individuals; Feb., 2015)

*http://www.privacyrights.org/data-breach/new

Page 16

Recent Judicial Developments:

November, 2015: ALJ dismisses FTC action against LabMD

Impacts FTC ability to prosecute data breach actions under FTC Act

FTC failed to show LabMD’s conduct harmed or would harm consumers as required by the “unfairness” prong of the FTC Act (alleging data breaches are de facto an “unfair trade/business practice”)

September, 2015: 7th Circuit declined to hear appeal on Neiman Marcus case; plaintiffs have standing to proceed without actual damages

Plaintiffs may proceed to sue for damages to prevent identity theft/fraud in wake of data breach even before actual identity theft/damages occur

Page 17

Recent OCR Developments: (per Jocelyn Samuels, OCR Director, speaking at recent Healthcare Enforcement Compliance Institute, Wash. D.C.)

Impending launch of countrywide HIPAA Phase II audits, early 2016

“Compliance” (aka, ENFORCEMENT) is focus

“Desk” audits principally the focus

CEs AND BAs will both be subjects of audits

Audit protocols to be released prior to Phase II launch

OCR Major Concerns:

CE ongoing failures to address known issues and deficiencies

Lack of encryption

Lack of BAAs

Page 18

Mitigating Your Organization’s Liability BEFORE a Breach Occurs

Page 19

BEFORE the Breach happens…

ENCRYPT, ENCRYPT, ENCRYPT

DOCUMENT, DOCUMENT, DOCUMENT policies/procedures & training

DISSEMINATE & COMMUNICATE to entire organization

Conduct a thorough, organization-wide, risk analysis (yourself or with an outside vendor)

Document action plan to address findings/deficiencies

Identify resources that will be committed to address above findings/deficiencies

Confirm your Breach Response Team (internal points of contact, outside legal counsel, outside vendors, local/regional FBI and HHS office contacts)

Actually USE your Incident Response Plan (IRP) & Document Findings

Page 20

Remember…

OCR is tired of reminding CEs to do “the basics”

Encryption, Risk Analysis, put BAAs in place

No need to ask for trouble - ADDRESS THESE FIRST

DOCUMENT what you’ve done/assessed/found/identified to fix or address; if it’s not written down, it never happened

OCR review/scrutiny will all be Monday morning quarterbacking of your efforts – have evidence you’ve really done what you say you’ve done

A coordinated response on the front end among all your Breach Response team members ensures a more seamless outcome on the back end

OCR has stated that it is not looking to put non-compliant organizations out of business, and will consider an organization’s resources when assessing fines/considering settlements

IRPs should be dynamic, active tools that you assess, update, reconfigure as needed – NOT a static document that sits on the shelf

Page 21

Business Associate Agreements: Best Practices to Consider

Page 22

Business Associate Agreements: WHAT they should include:

Audit Rights for the Covered Entity (CE)

CE right to review BA contracts with subcontractors

CE right to inspect:

BA facilities, infrastructure, security systems

BA books and records

BA Responsibilities

Financial obligations

Indemnification obligations

Action obligations in the wake of a breach

Notification to affected individuals, media, HHS

Page 23

Business Associate Agreements: WHY they should include outlined rights and responsibilities… and be audited regularly:

You want to show OCR that you are aware of your ultimate liability (and responsibility) as a CE for a breach of your PHI on your BA’s watch – awareness & action on your part may mitigate your liability in OCR’s assessment after the fact

If you’ve negotiated the rights to inspect, audit, review: DO IT – you’ve set the floor now on your due diligence responsibility

If you find deficiencies upon audit, INSIST that your BA remediate them and document the exchange to evidence your best efforts to address the non-compliance

Having clear indemnification provisions (if possible) allows an insurance carrier to see an avenue of potential recovery should your policy be triggered by a breach event/claim

Notification costs can be extensive depending on the number of PHI records at issue; have “who’s paying for it” clearly spelled out in the BAA

Page 24

Summary

Many different cyber insurance coverage options exist; identify your organization’s exposures, coverage needs, and customize terms accordingly to maximize the coverage your organization needs for the premium dollars spent

Depending on the size of your organization and number of PHI records, absorbing the bottom line cost of a data breach, uninsured, can be devastating. Do NOT assume that other “non-cyber” insurance products can substitute for a standalone cyber insurance product.

Hacking frequency is significantly increasing in the health care industry as it is widely known that health care lags behind other industry sectors in IT infrastructure while at the same time widespread sharing of electronic PHI is increasing astronomically

OCR’s planned launch of HIPAA Audits Phase II during 2016, focusing on desk audits and compliance, should underscore the need to document, document, document your organization’s ACTIVE cyber best practices BEFORE a breach event occurs

Business Associate Agreements (BAA) are a must to have in place to satisfy OCR audit review, but actively auditing your Business Associates routinely (as provided for in the BAA) shows the due diligence that may reduce your organization’s exposure after a breach

Page 25

Questions?

[email protected]