Kimberly B. Holmes, Esq., RPLU VP, Product Development, Chief … · 2016-02-24 · About the...
Cyber Insurance in an Evolving Liability Landscape: Informed, Strategic Expectations
Monday, February 29, 2016 2:00pm – 3:00pm
Kimberly B. Holmes, Esq., RPLU VP, Product Development, Chief Underwriting Office
OneBeacon Insurance Group [email protected]
Conflict of Interest
Kimberly B. Holmes, Esq., RPLU
Has no real or apparent conflicts of interest to report.
About the Speaker
Kimberly B. Holmes, Esq., RPLU
Vice President, Product Development
Chief Underwriting Office, OneBeacon Insurance Group
Ms. Holmes is responsible for Product Development across all management and professional liability product lines for OneBeacon Insurance Group as well as for providing cyber liability technical guidance and oversight across all industry segments on behalf of the company’s Chief Underwriting Office. Ms. Holmes has been a frequent speaker at health care and cyber liability industry events for more than 10 years and has authored materials on health care, health care reform and health care cyber liability for various industry publications and professional liability organizations. Kim served as Deputy Worldwide Product Manager for Chubb’s Health Care management liability practice for almost 10 years, in addition to developing and executing strategy and guidance as Chubb’s Health Care Cyber Product Manager, helping Chubb to secure in 2012 the American Hospital Association’s exclusive endorsement as cyber insurance carrier to the health care industry. Ms. Holmes is a member of the American Bar Association’s Health Law section and is admitted to the Connecticut state, federal and Maine state bars.
Session Description & Learning Objectives
PHI breaches and criminal hacking in the health care industry rose dramatically in 2015 – mandating that organizations have a tailored, solid cyber insurance program in place before and after a breach. With heightened OCR scrutiny and audits coming in 2016, documenting your organization’s privacy and security best practices and procedures has never been more critical. Making assumptions about what types of insurance should protect your organization in the wake of a data breach can be risky, and so is not watching your business associates closely.
Learning Objectives:
Evaluate cyber insurance options and how different coverages are designed for different exposures stemming from a malicious service disruption or other form of data breach event
Explain the pitfalls of making assumptions regarding what various (non-cyber) insurance products may/may not address in the wake of a health care cyber /data privacy breach event
Describe evolving cyber liability trends in the health care industry
Assess how to mitigate your organization’s liability (under federal and state law) before a malicious hacking or other data breach occurs
Summarize the benefits of well-planned and executed business associate agreements while evaluating how and why it is critical to monitor these relationships on an ongoing basis
Today’s Cyber Insurance Landscape:
Challenges for Cyber Insurance Industry Today:
Lack of Sound Actuarial Data
Disproportionate Disclosure vs. Breach Frequency
Decision Makers Often Not Convinced Insurance is Needed
Evolving Litigation Claims Landscape
Evaluating Cyber Insurance Options: What Coverage Covers What?
Types of Cyber Insurance Coverage Available
Third Party Liability:
Cyber Liability (Standard Insuring Clause)
First Party Costs:
Privacy Notification Expenses
Crisis Management Expenses (PR, Forensic, Legal, Reward)
E-Business Interruption Expenses
E-Theft Loss
E-Communication Loss
E-Threat Expenses (Extortion)
E-Vandalism Expenses
Evaluating Cyber Insurance Options: Knowing Your Organization’s Needs
Types of Cyber Insurance Coverage Available
Dedicated cyber liability products:
Standalone (monoline) products
Portfolio & Package products
Network Security coverage
Privacy coverage
1st Party Costs coverage
3rd Party Liability coverage
Types of Cyber Insurance Coverage Available
Sub-limits on traditional “non-cyber” products:
D&O (Director & Officer Liability) coverage
E&O (Errors & Omissions Liability) coverage
Professional Liability coverage
Hospital Professional Liability
Physician Professional Liability
Miscellaneous Professional Liability
GL/P&C coverage
BEWARE Assuming “Other” Insurance Will Fully Respond to your Breach
Pitfalls in Assuming “Other” Insurance will fully respond to your Breach
“Wrongful Act” definitions may trigger, but only for 3rd party liability (defense/settlement) exposures
No 1st Party coverage (Notification mandated under HIPAA for PHI breaches)
Other policy exclusions may apply to limit coverage
Bodily Injury exclusion
Internet exclusion
Computer systems exclusion
Acts of foreign government exclusion
Intentional acts exclusion
Evolving Cyber Liability Trends in the Health Care Industry
Recent Market/Claim Developments:*
Hacking frequency in health care industry significantly on the rise in 2015:
Texas Health and Human Services (2 million individuals; Nov., 2015)
Excellus BC/BS (10 million individuals; Sept., 2015)
UCLA Health System (4.5 million individuals, July, 2015)
Office of Personnel Management (21.5 million individuals; June, 2015)
Premera (11 million individuals; March, 2015)
Anthem (80 million individuals; Feb., 2015)
*http://www.privacyrights.org/data-breach/new
Recent Judicial Developments:
November, 2015: ALJ dismisses FTC action against LabMD
Impacts FTC ability to prosecute data breach actions under FTC Act
FTC failed to show LabMD’s conduct harmed or would harm consumers as required by the “unfairness” prong of the FTC Act (alleging data breaches are de facto “unfair trade/business practice”)
September, 2015: 7th Circuit declined to hear appeal on Neiman Marcus case; plaintiffs have standing to proceed without actual damages
Plaintiffs may proceed to sue for damages to prevent identity theft/fraud in wake of data breach even before actual identity theft/damages occur
Recent OCR Developments: (per Jocelyn Samuels, OCR Director, speaking at recent Healthcare Enforcement Compliance Institute, Wash. D.C.)
Impending launch of countrywide HIPAA Phase II audits, early 2016
“Compliance” (aka, ENFORCEMENT) is focus
“Desk” audits principally the focus
CEs AND BAs will both be subjects of audits
Audit protocols to be released prior to Phase II launch
OCR Major Concerns:
CE ongoing failures to address known issues and deficiencies
Lack of encryption
Lack of BAAs
Mitigating Your Organization’s Liability BEFORE a Breach Occurs
BEFORE the Breach happens…
ENCRYPT, ENCRYPT, ENCRYPT
DOCUMENT, DOCUMENT, DOCUMENT policies/procedures & training
DISSEMINATE & COMMUNICATE to entire organization
Conduct a thorough, organization-wide, risk analysis (yourself or with an outside vendor)
Document action plan to address findings/deficiencies
Identify resources that will be committed to address above findings/deficiencies
Confirm your Breach Response Team (internal points of contact, outside legal counsel, outside vendors, local/regional FBI and HHS office contacts)
Actually USE your Incident Response Plan (IRP) & Document Findings
Remember…
OCR is tired of reminding CEs to do “the basics”
Encryption, Risk Analysis, put BAAs in place
No need to ask for trouble - ADDRESS THESE FIRST
DOCUMENT what you’ve done/assessed/found/identified to fix or address; if it’s not written down, it never happened
OCR review/scrutiny will all be Monday morning quarterbacking of your efforts – have evidence you’ve really done what you say you’ve done
A coordinated response on the front end among all your Breach Response team members ensures a more seamless outcome on the back end
OCR has stated that it is not looking to put non-compliant organizations out of business, and will consider an organization’s resources when assessing fines/considering settlements
IRPs should be dynamic, active tools that you assess, update, reconfigure as needed – NOT a static document that sits on the shelf
Business Associate Agreements: Best Practices to Consider
Business Associate Agreements WHAT they should include:
Audit Rights for the Covered Entity (CE)
CE right to review BA contracts with subcontractors
CE right to inspect:
BA facilities, infrastructure, security systems
BA books and records
BA Responsibilities
Financial obligations
Indemnification obligations
Action obligations in the wake of a breach
Notification to affected individuals, media, HHS
Business Associate Agreements WHY they should include outlined rights and responsibilities… and be audited regularly:
You want to show OCR that you are aware of your ultimate liability (and responsibility) as a CE for a breach of your PHI on your BA’s watch – awareness & action on your part may mitigate your liability in OCR’s assessment after the fact
If you’ve negotiated the rights to inspect, audit, review: DO IT – you’ve set the floor now on your due diligence responsibility
If you find deficiencies upon audit, INSIST that your BA remediate them and document the exchange to evidence your best efforts to address the non-compliance
Having clear indemnification provisions (if possible) allows an insurance carrier to see an avenue of potential recovery should your policy be triggered by a breach event/claim
Notification costs can be extensive depending on the number of PHI records at issue; have “who’s paying for it” clearly spelled out in the BAA
Summary
Many different cyber insurance coverage options exist; identify your organization’s exposures, coverage needs, and customize terms accordingly to maximize the coverage your organization needs for the premium dollars spent
Depending on the size of your organization and number of PHI records, absorbing the bottom line cost of a data breach, uninsured, can be devastating. Do NOT assume that other “non-cyber” insurance products can substitute for a standalone cyber insurance product.
Hacking frequency is significantly increasing in the health care industry as it is widely known that health care lags behind other industry sectors in IT infrastructure while at the same time widespread sharing of electronic PHI is increasing astronomically
OCR’s planned launch of HIPAA Audits Phase II during 2016, focusing on desk audits and compliance, should underscore the need to document, document, document your organization’s ACTIVE cyber best practices BEFORE a breach event occurs
Business Associate Agreements (BAA) are a must to have in place to satisfy OCR audit review, but actively auditing your Business Associates routinely (as provided for in the BAA) shows the due diligence that may reduce your organization’s exposure after a breach
Questions?