Tag Archives: breach

Where to Turn for Cyber Assistance?

Virtually every company owns, licenses or maintains personal information and other sensitive data. Until recently, companies were not legally required to implement cybersecurity policies, procedures or controls specifically designed to protect personal and other sensitive information, and some may even have chosen to forgo such measures because of the perceived implementation costs and operational complexity. However, recent expansions in a number of laws have changed this dynamic. Across the U.S., state regulations are being promulgated that require companies to implement and maintain a reasonable level of cybersecurity controls, and some of these laws provide for significant penalties in cases of non-compliance. As companies begin to take steps toward compliance with these regulations, one significant source of assistance is the cyber insurance market.

New Privacy and Cybersecurity Regulations

As of the writing of this article, at least 25 state laws impose obligations on their corporate citizens to have reasonable data and information security practices to protect sensitive data from unauthorized disclosure. Some laws go even further and prescribe specific standards that corporate citizens must follow to protect the privacy rights of those states’ residents.

Two of the most stringent regulations currently in effect are in New York and Massachusetts, while a third, which may very well be the most stringent regulation, becomes effective in California on Jan. 1, 2020.

New York state’s recently passed, “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, applies to businesses that maintain private information of New York residents, regardless of whether such entities actually conduct business within New York. SHIELD requires covered entities to implement “reasonable safeguards,” taking into account administrative, technical and physical safeguards such as training, risk assessments, regular testing of key controls and procedures and the disposal of private information within a reasonable time after it is no longer needed. Similar requirements exist in Massachusetts, Ohio, Oregon and Vermont.

SHIELD also allows for possible fines for violations of the notification requirements up to $250,000. Notably, the imposition of the “reasonable safeguards” requirements brings the new law closer to New York’s 2017 Department of Financial Services’ Cybersecurity Regulation, which prescribes holistic security measures applicable to a broad swath of financial services companies operating under New York’s banking, insurance and financial services laws.

In addition, many of New York’s small and medium-sized businesses in industries unaccustomed to the regulations applicable to the financial sector will now be required to address their security measures and implement controls, including risk assessments, to protect sensitive information and systems from unauthorized use or access.

Massachusetts’ current regulation, 201 CMR 17.00, et seq., establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The regulation applies to all persons who own or license personal information about a Massachusetts resident. 201 CMR 17.03 and 17.04 impose obligations on covered entities to implement prescribed safeguards, including (this is a small sample from the list set forth in the regulation):

  • A comprehensive, written information security program that contains administrative, technical and physical safeguards.
  • Designation of one or more employees to maintain the information security program.
  • Identification and assessment of reasonably foreseeable internal and external risks, and evaluation of the effectiveness of current safeguards for limiting such risks.
  • Continuing employee education and training.
  • Measures to oversee third-party service providers, including requiring such vendors by contract to implement and maintain appropriate security measures for personal information.
  • Password management and controls.

California’s much discussed California Consumer Privacy Act (CCPA; Assembly Bill 375; see oag.ca.gov/privacy/ccpa) becomes effective on Jan. 1, 2020. The CCPA is a significant expansion of privacy rights granted to consumers and shifts the burden of compliance regarding consent and the collection, use, storage and destruction of personal data to businesses. The CCPA’s expansive requirements placed on businesses relative to the collection and use of personal data bring California much closer in line with the privacy culture of the European Union and its GDPR.

While California, Massachusetts and New York have been at the forefront of imposing affirmative obligations on businesses requiring implementation of comprehensive cybersecurity policies and protocols, more than 25 states in total have laws that address data security practices of private-sector entities. Most of these data security laws require businesses that own, license or maintain personal information concerning a resident of that state (in several cases, including even entities who maintain such personal information but who are not doing business in the state) to implement and maintain “reasonable security procedures and practices,” taking into account the size and resources of the entity and the nature of the information it holds.

Accordingly, businesses with personal information in their systems – for example, unencrypted combinations of names with Social Security numbers, driver’s license numbers, account numbers, PINs, biometrics, etc. – are required, by law, to adopt, implement, maintain and regularly update their information security programs. The conjunction of new obligations imposed by states like Massachusetts and New York, with the expansion in privacy rights granted to California residents in the CCPA, leaves companies with little choice but to take cybersecurity and corporate privacy with the utmost seriousness and spend time and resources in advance of any type of occurrence.

The Role of Cyber Insurers

It is clear now that instituting and managing cybersecurity protections are no longer merely options for companies in all industry sectors. One key resource for any business in developing and deploying a cybersecurity program is its cyber insurer.

In today’s environment, businesses of all sizes should purchase cyber insurance. Cyber insurance is designed to cover numerous risks associated with both privacy and technology. Moreover, cyber insurance is there to respond after an incident occurs.

Most traditional insurance policies do not cover measures like those contemplated by the various regulations. However, a few cyber insurers provide value-added risk control services along with free or reduced-cost access to cyber security vendors that can help an insured through this process. These services are available to the policyholder upon binding coverage with the insurer in advance of any actual cyber occurrence.

CNA, for example, recently launched a suite of cyber security services. CNA CyberPrep is a program of cyber risk services designed to aid cyber policyholders in cyber threat identification, mitigation and response.

  • Identifying cybersecurity posture is a critical beginning. Services include detailed analyses from a network of free or reduced-cost cybersecurity experts, reports that provide a snapshot of policyholder security posture and numerous recommendations for improvement.
  • Working in collaboration with their broker, CNA Risk Control, and Cyber Underwriting, policyholders execute the cybersecurity experts’ recommendations to mitigate their cyber risks and improve their cybersecurity posture.
  • CNA CyberPrep continues to benefit policyholders. In the event of a cyber breach, CNA’s panel of experienced incident response vendors provide guidance and strategies to help expedite recovery and minimize loss.

Offering these types of services is in the best interests of both insurers and policyholders, as an ounce of prevention is worth a pound of cure. Also, given the regulatory developments across the U.S., companies should, more than ever, take advantage of their cyber insurer’s ability to help facilitate this process.

Simply put, companies can no longer fail to implement cybersecurity policies, procedures and controls. Failure to comply with the state and federal laws and regulations can easily result in substantial fines and mandated corrective action. Some states also permit individuals to sue when failures result in loss of their personal information, potentially resulting in treble damages under unfair competition laws.

Given the staggering costs of non-compliance, businesses must implement appropriate cybersecurity policies and procedures, keep them current, train their employees and use the latest technical protections. When selecting your cyber insurer, look for one that can help supply the requisite resources for a comprehensive – and compliant – cybersecurity program.

Equifax Breach: The Implications

The massive data breach suffered by Equifax has both serious consequences for consumers and potentially profound long-term implications for commerce and the nascent cyber insurance industry.

In the three days since Equifax’s press release announcing the breach potentially exposing names, addresses, birthdates, Social Security numbers and other information for about 143 million U.S. consumers, both the federal Consumer Financial Protection Bureau and New York State Attorney General Eric Schneiderman have criticized the giant credit bureau’s response and, in particular, an “arbitration clause” that may severely curtail the legal rights of any consumers who take advantage of free credit monitoring offered by Equifax.

The arbitration clause is included in the terms of service for Equifax’s credit monitoring program and, as reported by the Washington Post, bars consumers from participating in class action law suits, requiring instead that all disputes be settled by “binding individual arbitration” and limiting consumers’ rights to discovery and appeal. Equifax has stated the arbitration clause won’t apply in this case, but some have warned that the company’s statement may not be legally binding. Consumer beware.

The harm to consumers may last a lifetime as people have the same birthdate from cradle to grave, most will have just one Social Security number and many will use but one name. Yet, Equifax is offering just one year of credit monitoring.

For now, it appears that Equifax is failing crisis response 101. Instead of impressing consumers, clients and public officials with its transparency and earnest desire to make things right, the company has attracted criticism that undermines efforts to limit damage to its reputation, rebuild trust and inspire confidence. The gold standard in crisis management remains Johnson & Johnson’s handling of the 1982 Tylenol tampering case that led to seven fatalities in Chicago. That is the playbook for business.

But the Equifax breach and its response raise several other critical issues. Most obviously, what should consumers be doing to protect themselves? (See “The Equifax Data Breach: What to Do” at the Federal Trade Commission’s website for a number of useful suggestions, including checking credit reports.)

The less obvious but perhaps more profound issues raised by the massive data breach at Equifax pertain to the future of commerce and cyber insurance. With the breach exposing several of the data elements typically used to verify people’s identities, one must wonder what will happen if businesses and financial institutions lose confidence in their ability to confirm we are who we say we are. Imagine a world in which merchants can no longer accept credit cards. Imagine a world in which banks and credit unions can no longer make loans. Imagine a world in which one can no longer bank or trade securities online. And, lest one succumb to the notion that advanced biometric security measures will save the day, understand that biometric data is stored in computer files that can be hacked just like birthdates, Social Security numbers and the like (well-designed systems keep biometric templates in hardware-protected storage on the user’s device rather than in a central database, which limits the blast radius of a single breach, but it does not change the underlying problem). Changing stolen user IDs and passwords is easy, but what is the fix when hackers steal retinal scans, fingerprints and the like? A password can be rotated; a fingerprint cannot.

The hope is of course that bright minds will find ways to protect us from criminal hackers and other nefarious parties who would do us harm, and yes — bright minds are already on the case. Witness in particular the rise of cyber insurance, and focus not on the compensation paid by cyber insurers in the wake of cyber incidents but rather on the underwriting done when cyber insurance policies are written and insurers’ work with clients to prevent and control losses. In many ways, this is emblematic of a larger movement in insurance and risk management from indemnification to loss prevention as the application of advanced analytics to big data enables intervention before losses occur. But while this might seem a new model, it is actually one that has been with us for quite a long time. People don’t buy boiler and machinery insurance because they want to be paid after boilers explode. Rather, people would prefer that boilers don’t blow up, and they want the benefit of the engineering and inspection services delivered during the underwriting process.

Nonetheless, there will be times when cyber losses occur, and cyber insurers will be called upon to respond. The Equifax breach provides a mere hint as to the coverage limits insureds may require and the amount of capacity, or capital, cyber insurers may need to cover the risk. Insurers that can figure out how to price and underwrite cyber risk have a tremendous opportunity to do well by doing good. One key will be successfully quantifying and managing aggregation risk (the accumulation of risk as a result of covering multiple insureds using the same or similar systems, etc.).

Cyber Attacks Shift to Small Businesses

Small- and mid-sized businesses (SMBs) are increasingly at risk for data breach class-action lawsuits that typically have targeted large corporations.

Large companies are learning to address cyber threats, and hackers are responding by setting their sights on SMBs. It is simply more productive and efficient to attack poorly protected companies that could take weeks or even months to notice they’ve been breached.

As the risk of exposure moves downstream, the associated class-action lawsuits surely will follow. Statistics from the Identity Theft Resource Center show that the number of data breaches reported in 2016 exceeded 2015 levels by 40%, a worrying trend for those in the small business sector that likely will bear a greater percentage of those breaches going forward. The data stores held by SMBs may be smaller, but they’re no less rich in value to hackers. They contain financial data, healthcare information and other tantalizing personal details.

Security falls short

Unfortunately, because SMBs often lag behind larger companies in the sophistication and scope of their defensive measures, they’re much more susceptible to litigation centered on charges of negligence or a lack of due diligence. Exposures in the SMB sector also could go undetected for long periods, leaving more records vulnerable and increasing the size of the victim pool that may be interested in suing.

Smaller firms’ responses to the risk of cyber attack and litigation depend largely on their industry. Even the smallest healthcare entities are typically well-adapted to address potential data breaches and cyber risks. Long-standing mandates such as HIPAA — as well as a robust, centralized breach-reporting mechanism — have made companies in the medical space a little paranoid about their heavily regulated environment.

Behind the curve

Other small business sectors aren’t as prepared for the risk of a breach. Outside healthcare, the professional services industry, including legal and accounting, is much less aware of where threats exist or how to mitigate them. Many small firms don’t understand their responsibilities regarding data privacy or how data breach notification laws apply to them. Without a good awareness of data privacy concerns, obligations and solutions, these businesses are easy targets for any hacker who happens upon them.

Litigation bills add up

Data-breach class-action lawsuits can result in million-dollar judgments, but devastating costs may be incurred even if a settlement never materializes. A breached small business still needs to defend itself against litigation, and that takes money. Between legal counsel, forensic investigations, data recovery and any other steps the company may be required to take, the company is likely to incur significant costs no matter which way the lawsuit goes.

Some SMBs are realizing they aren’t prepared for a cyber attack. The truly savvy ones are waking up to the prospect that, just as with the professional and employment liability insurance they already have, it would be wise to pursue coverage to defray defense and recovery costs around their cyber liabilities. With the specter of more breaches – and more class-action lawsuits – coming down the pipeline, SMBs must find a way to minimize the threat of exposures while also putting protective measures in place should they find themselves facing litigation.

This article was originally posted on ThirdCertainty. It was written by Eduard Goodman.

How Bureaucracy Drives WC Costs

Workers’ compensation is one of the most highly regulated lines of insurance. Every form filed and every payment transaction is an opportunity for a penalty. Claims can stay open for 30 years or longer, leading to thousands of transactions on a single claim. Each state presents different sets of compliance rules for payers to follow. This bureaucracy is adding significant cost to the workers’ compensation system, but is it improving the delivery of benefits to injured workers?

Lack of Uniformity

Workers’ compensation is regulated at the state level, which means every state has its own set of laws and rules governing the delivery of indemnity and medical benefits to injured workers. This state-by-state variation also exists in the behind-the-scenes reporting of data. Most states now require some level of electronic data interchange (EDI) from the payers (carriers or self-insured employers). There is no common template between the states; therefore carriers must set up separate data feeds for each state. This is made even more complex when you factor in the multiple sources from which payers must gather this data for their EDI reporting. Data sources include employers, bill review and utilization review vendors. The data from all these vendors must be combined into a single data feed to the states. If states change the data reporting fields, each of the vendors in the chain must also make changes to their feeds.

Variation also exists in the forms that must be filed and notices that must be posted in the workplaces. This means that payers must constantly monitor and update the various state requirements to ensure they stay in full compliance with the regulations.

Unnecessary Burden

Much of the workers’ compensation compliance efforts focus on the collection of data, which is ultimately transmitted to the states. The states want this information to monitor the system and ensure it is operating correctly, but is all this data necessary? Some states provide significant analytical reports on their workers’ compensation systems, but many do little with the data that they collect. In a world concerned about cyber risk, collecting and transmitting claims data creates a significant risk of a breach. If the data is not being used by the states, the risk associated with collecting and transmitting it seems unnecessary.

Another complication is that there are multiple regulators involved in the system for oversight in each jurisdiction. Too often, this means payers have to provide the same information to multiple parties because information sent to the state Department of Insurance is not shared with the state Division of Workers’ Compensation and vice versa.

Some regulation is also outdated based on current technology. Certain states require the physical claims files to be handled within that state. However, with many payers now going paperless, there are no physical claims files to provide. Other states require checks to be issued from a bank within those states. Electronic banking makes this requirement obsolete.

How Is This Driving Costs?

All payers have a significant amount of staffing and other resources devoted to compliance efforts. From designing systems to gathering and entering data, this is a very labor-intensive process. There have not been any studies on the actual costs to the system from these compliance efforts, but they easily equate to millions of dollars each year.

States also impose penalties for a variety of things, including late filing of forms and late and improper payment of benefits. The EDI process makes it possible for these penalties to be automated, but that raises the question of the purpose of the penalties altogether. These penalties are issued on a strict liability basis: either the form was filed in a timely manner or it was not. A payer could be 99% compliant on one million records, but it would be automatically penalized for the 1% of records that were incorrect. In this scenario, are the penalties encouraging compliance, or are they simply a source of revenue for the state? A fairer system would acknowledge where compliance efforts are being made. Rather than penalize every payer for every error, reserve the penalties for those that fall below certain compliance thresholds (say, 80% or 90% compliance).

The laws themselves can be vague and open to interpretation, which leads to unnecessary litigation expenses. Terms such as “reasonable” and “usual and customary” are intentionally vague, and often states will not provide further definition of these terms.

How Can We Improve?

One of the goals of workers’ compensation regulations is to ensure that injured workers are paid benefits in a timely manner at the correct rate and that they have access to appropriate medical treatment. There was a time when payers had offices located in most states, with adjusters handling only that state. Now, with most payers utilizing multi-state adjusters, payers must be constantly training and educating their adjusters to ensure that they understand all of the nuances of the different states that they handle.

The ability to give input to regulators is also invaluable, and payers should seek opportunities to engage with organizations to create positive change. Groups such as the International Association of Industrial Accident Boards and Commissions (IAIABC) and the Southern Association of Workers’ Compensation Administrators (SAWCA) give workers’ compensation stakeholders the opportunity to interact with regulators on important issues and also to seek uniformity where it makes sense (EDI, for example).

There needs to be better transparency and communication between all parties in the rule-making process so that regulators have a better understanding of the impact these rules have on payers and the effort required to achieve compliance.

Developing standards in technology would be helpful for both the payers and the states. If your systems cannot effectively communicate with the other systems, you cannot be efficient. Upgrading technology across the industry, particularly on the regulatory side, has to become a priority.

Finally, we need to give any statutory reforms time to make an impact before changing them again because the constant change adds to confusion and drives costs. In the last 10 years, there have been more than 9,000 bills introduced in various jurisdictions related to workers’ compensation. Of those, about 1,000 have actually been turned into law. People expect that these reforms will produce the desired results immediately, when in reality these things often take time to reach their full impact.

These issues were discussed in depth during an “Out Front Ideas With Kimberly and Mark” webinar on Feb. 9, 2016. View the archived webinar at http://www.outfrontideas.com/archives/.

It’s Time for a Data Breach Warning Label

The breach at Home Depot is only the most recent in a torrent of high-profile data compromises. Data and identity-related crimes are at record levels. Consumers are in uncharted territory, which raises a question: Is it time to do for data breaches and cybersecurity what the nutritional label did for food? I believe we need a Breach Disclosure Box, and that it can be a powerful consumer information and education tool.

Once just a normal part of doing business, data breaches today can sap a company’s bottom line — and that’s the best-case scenario. At their worst, data breaches represent an extinction-level event. The real-world effects for consumers can be catastrophic. Because there is a patchwork of state and federal laws related to data security—some good, some bad, all indecipherable—and none that work together, it’s impossible to know just how safe your personally identifiable information is, and has been, at the places where you shop and with the companies and professional organizations where you do business.

Data security, identity-related consumer issues and privacy are all areas screaming for big-picture solutions. This is a situation in search of a paradigm shift—one that produces tools that enable consumers to make informed choices.

There is a precedent that could serve as a template. It was passed in 1988, though not implemented until 2000. You may recognize its name—it’s called the Schumer Box. This is the law that put the fine print of credit terms and conditions in your face—bigger, bolder and easier to understand. You see it all the time featured in those countless pleas for your credit business that land in your email and your mailbox.

The Schumer Box is simple. It requires that financial services companies provide certain information to the consumer when making a pitch for their business—information like long-term rates, the annual percentage rate for purchases and the cost of financing—and that the information be displayed in a standardized fashion. The Schumer Box is to credit cards what the nutritional label is to food.

A Concise Disclosure for Breaches

The Breach Disclosure Box that I am proposing would need to be simple, too. While I believe it is important to create a system that informs consumers about breaches, bear in mind that all breaches are not alike. There are breaches where the only piece of compromised information was a credit card number, which can be easily replaced and for which the consumer has zero liability. Then there are breaches involving Social Security numbers, detailed banking data or personal health information, which cannot be reissued. These are very different situations. But they all share one thing in common: Something about you is “out there” and can be used by a criminal to commit either a crime against you or in your name.

The “solution” — regardless of a breach’s severity — is the same. I place “solution” in scare quotes because it’s a misnomer to talk about solutions and identity-related crime in the same breath. There is no solution to the pandemic, only containment strategies and best practices.

The Breach Disclosure Box would be a crucial part of data-related best practices at the consumer level where it’s all about the 3 M’s: Minimizing your exposure, monitoring your public records and financial accounts and managing any damage that occurs from data compromises.

Best practices can mean the difference between having a bad day and being financially ruined (or worse), and knowledge of a company’s data security track record can help consumers be better-informed about the risks they’re taking – and ultimately to decide if the risk is worth it.

The Breach Disclosure Box would also be a catalyst for companies to step up their game on data security as well as design and implement a breach preparedness plan that promotes an urgent, transparent and empathetic response to any compromise of consumer and employee data.

While the following list of Breach Box disclosures could be longer or shorter, the basic idea of a Breach Disclosure Box is essential to consumer safety in this ever-changing and crafty world of data-related crime and data breaches. The box should list:

  • How many times has this company been breached within the past five years?
  • If there has been a breach, what kind(s) of information was exposed?
  • Does this company encrypt all consumer and employee data?
  • Does this company have a breach notification policy?
  • What did the company offer affected consumers?
  • What type(s) of information are customers obligated, or not obligated, to provide?
  • Best practices for avoiding victimization (The 3 M’s)

The contents of the Breach Disclosure Box would ultimately have to be framed by lawmakers and interested parties intent on limiting the amount of ink spilled (or bytes used) to comply with whatever the legislation looks like when it leaves committee; but this bipartisan issue goes way beyond blue state-red state politics. When it comes to data-related crime, we’re all in the same state—a state of emergency.