Failure to Encrypt Data Still Poses Major Threat

The information gathered as a result of California’s enhanced data breach law was released by the state attorney general’s office on July 1.  The report states there were 131 data breaches reported to the attorney general’s office in 2012 and those breaches exposed the personal information of 2.5 Million residents of California.  Additional findings:

Cloud Computing Exposures: LJ’s List of What to Watch Out For

As previously discussed, using the cloud can create a variety of new risks and considerations for companies. Here’s a fresh list of items to watch out for based on the following cloud scenario. Note: negligent error or omission is still the greatest exposure a company can face from a professional liability insurance perspective.  Using the cloud only increases this exposure because the cloud is outside the company’s control. 

Scenario

A company decides to use the cloud for its infrastructure, service, storage and phone service.  The cloud provider stores the company’s data overseas. 

Exposures

1.  Transmission of data to servers outside the United States may cause the company to be an exporter under the EAR. This could be a new exposure if the company is not otherwise considered an exporter.  An unintentional violation of the EAR may result in an administrative penalty ranging from $11,000 to $120,000 per violation.

Final Rule Removes Harm Standard

The Final Rule for HIPAA Privacy, Security and Enforcement Rules is scheduled to be effective on March 26 of this year.  One of the many changes applicable to the privacy and security rules is a change regarding the breach notification requirement for unsecured protected health data of individuals.  The Final Rule requires a risk assessment, and sets out guidelines for it, in order to avoid notifying of affected individuals of a breach.  Notification of a breach can now only be avoided if the risk assessment shows there is very little chance that the protected health info has been compromised.  Previously, if it was determined that the breach posed no significant risk of harm to the individual, then notification was not mandatory.

Survey Shows Small Businesses Lack Security Procedures

Symantec and The National Cyber Security Alliance studied the security habits and beliefs of small businesses across the U.S. in a September of 2012 survey.  For the survey, a small business is defined one with less than 250 employees.  The results seem to indicate small businesses do feel secure even though they appear to lack security policies and practices.  Here’s a sampling of the survey results:

Employee Devices Used at Work Create Security Exposure

In its article, How IT is failing to teach users about BYOD security threats and some solutions, CiteWorld reports on a survey of the mobile device habits of 400 workers in a variety of industries and jobs. Specifically, the survey analyzes the security on the employee device used for work.  Some survey results:

*Nearly half of those surveyed reported their company IT department had not discussed device security with them.

*Over half of those surveyed said their company did not have a formal security policy for devices or were unsure if there was a policy.

*About 75 percent reported their company did not have the ability to remotely wipe data from their device or they did not know whether or not the company could wipe their device.

Cost of Data Breach Decreases

According to the 2011 Cost of Data Breach Study:  United States, the cost per lost record for a data breach has declined for the first time in the past seven years.  In 2010, it was $214.  In 2011, it was $194.  A key contributor to the cost decrease, according to the study, is the hiring of a Chief Information Security Officer or the use of an outside consultant to assist with response to a data breach.   In a continuing signal to how common the data breach has become, the study reports more company clients are remaining loyal to the company when it suffers a breach.  The report also identifies the central causes of the data breach.  These include company employees or insiders who are negligent and criminal attacks.   Read more about the study or review the 2010 study conclusions.

Update for Worst Courtrooms

The 2011/2012 Judicial Hellholes report from the American Tort Reform Foundation identifies Philadelphia at the top of the list, followed by California, West Virginia and South Florida.  Two counties in Illinois, Madison and St Clair, round out the top five.  The top four do not appear to have changed from the 2010/2011 report but there has been some shifting around for fifth place.  Cook County IL, the previous holder of fifth place, has been moved all of the way off the rankings to the watch list.   The report reasons the lack of civil justice reform keeps it on the watch list but since it experienced a relatively low-key year, it was allowed to fall from fifth place.  Of note, Madison County IL was previously on the watch list but moved clear up to a fifth place ranking due in part to the large number of asbestos related cases. 

Survey Suggests Most Companies Do Not Buy Network Privacy/Security Policies

Insurance Journal recently reported on a survey by Towers Watson indicating that the majority  of companies do not buy cyber insurance.   The report, 2012 Risk and Finance Manager Survey, shows over  7o percent of those surveyed are not buying network security /privacy liability policies.  According to the survey, this number has not changed significantly from the previous year and when coverage is purchased, lower limits are procured, with about 40% of the buyers opting for limits of 1 to 5 million. 

Privacy Policies Required for Mobile Apps

The California Attorney General’s Office recently announced a new privacy agreement with major mobile app platforms.  The announcement notes the already existing California Online Privacy Protection Act does apply to mobile applications.  So, mobile apps in use by California residents are required to include a privacy policy if personally identifiable information is collected.  The penalty imposed on app developers and app platforms for non-compliance is reported to be up to $500,000 per use of the offending app. The Attorney General’s announcement suggests privacy policies are not typical to mobile apps, with stats indicating that just five percent of all mobile applications include a privacy policy.  Of course having a privacy policy does not ensure data will remain private.  It could; however, help eliminate surprises like the ones reported recently regarding private info use in a Twitter app and in Apple iOS applications

Data Breach Study

As previously discussed, the cost per lost record for a data breach is $214 (according to a 2010 Ponenom Institute study).  Now, Experian Data Breach Resolution and Ponenom Institute have released results of their study on the  Aftermath of a Data Breach.  This study polled more than 500 IT professionals about one key data breach at their companies.  Highlights of some of the results:

-Half of the breaches were caused, where cause could be identified, by insiders (primarily negligent but 16 percent were reported as being caused by malicious insiders).

-60 percent of respondents indicated data lost or stolen was not encrypted.

-Over 60 percent of respondents said their companies did not offer credit monitoring services following the data breach.

-Respondents felt the best course of action to minimize the negative impact of the breach included hiring legal counsel, evaluating the harm to victims and hiring forensic experts.

Based on these highlights, insurance options that provide for forensic expert expenses and do not exclude breaches when arising from unencrypted data could be some of the more attractive coverage options for buyers.  Read more coverage considerations for privacy/security exposures.

Reading the Fine Print

We’ve discussed Terms of Service agreements in the past but a recent article in Smart Money magazine highlights some of the difficulties these and other fine print type agreements impose on the user.  Just a few interesting statistics from the article:

—The number of words in software licenses contracts has increased by 40 percent in the past 7 years.

—Transparency Labs (which is starting a web-based service designed to translate America’s largest corporate contracts into easier to understand text for free) estimates the cost of info not readily seen inside disclosures costs each household in the U.S. at least $2,000 a year.

—In a study related to research  conducted by John Marshall Law School and DePaul University regarding if the fine print is actually read prior to agreeing to it, over 90 percent of participants signed a contract saying they would do push-ups on demand and give other participants electric shocks.

While the article does not touch on fine print used in the professional liability insurance world, it certainly must exist.  In fact, we have some at the bottom of this blog. 

Security Threat Predictions for 2012

It’s that time of year again when predictions are made for top security threats for the upcoming year.  CNet offers up 5 key threats including malicious Android apps, utility hacking, hacktivism, e-voting security issues and increasing privacy exposures due to over-sharing of personal info via social networks.  As noted by Network World, Gartner also includes hacking as an increasing exposure in its IT predictions for 2012.  Specifically, it suggests hackers will generate new attack methods that along with new software vulnerabilities could generate a 10 percent growth in the financial impact of cybercrimes each year until 2016.  According to ZDNet, the 2012 threat predictions from McAfee also include mention of hacking and mobile phones.  Further, McAfee suggests other devices may be targeted such as GPS tracking and medical devices.  While spam may not have appeared at the top of the prediction lists for the last couple of years, McAfee does mention the possibility of spam increasing in 2012.  To review previous predictions, use the links below.

Security Threat Predictions for 2011

Security Threat Predictions for 2010

The Corporate Security Policy Reaches Out to Personal Phones

There is an interesting exchange on Eric Goldman’s Technology and Marketing Law Blog re corporate policies requiring employees to submit to their mobile phones being wiped in the event the phone is lost or stolen or the employee is suspected of compromising trade secrets.  The intriguing part of the policy is that it applies to personal phones used for company purposes, such as checking company email.  We have discussed the use of corporate and personal devices in the past in relation to what a company can control; however, this discussion raises more questions about what companies are allowed to do or even should do in relation to an employee’s personal phone. 

Cyber Crime Survey Results

Ponemon Institute has released its Second Annual Cost of Cyber Crime Study (sponsored by ArcSight, an HP Company).   The study surveyed 50 U.S. larger-sized companies, e.g. companies with more than 700 enterprise seats connected to networks/systems.

Summary results include:

*Median annual cost of cyber crime is nearly $6 million, which is an over 50 percent increase from last year’s study results.

*More than 1 successful cyber attack each week is commonplace.

*Cyber attacks are typically generated by malicious code, denial of service, device theft and web-based attacks.

California Enhances Data Breach Law

Companies doing business in California have until January 1, 2012 to begin complying with an enhanced data breach law that was signed by the Governor of California on August 31, 2011.  Of course California already has a data breach notification law—this new law just expands it.  The new law creates requirements for content in breach notification letters such as including a description of the incident, detailing the types of personal information exposed and offering contact info for credit reporting agencies in California.   In addition, companies are now also required to send the notification letter to the state attorney general’s office if the breach impacts 500 or more individuals in California.  Check out the Security section of our blog for more security-related news.

Targeted Attacks Affect Small and Mid-Sized Businesses

While security breaches at large companies, such as the recent incident at Sony, may grab more headlines, it appears the security risk facing small and mid-sized businesses should not be overlooked.  Symantec has released numbers concerning the number of targeted attacks (e.g. one malicious email targeted to one individual) experienced by businesses small and large.  Their results, from Symantec.cloud, indicate that from the start of 2010 to late July of this year, 40 percent of targeted attacks have been sent to businesses with less than 500 employees while less than 30 percent of the targeted attacks have been to companies with more than 5,000 employees.  Symantec also provides numbers by industry that suggest small and mid-sized businesses operating in the following sectors are at higher risk:  Mineral and Fuel, Non-Profit, Engineering, Marketing and Recreation.  Further, in a recent study commissioned by McAfee which surveyed 100 IT professionals at businesses with 500 or more employees, 26 percent of respondents reported targeted attacks to their data centers in the cloud as a serious concern.

Insuring Statutory Damages

The original intent of the statutory damage could be described as a way for a plaintiff to have some level of recovery after being wronged in situations where it is difficult to provide evidence of the amount of the injury.  Now, the extent of the current statutory damage’s reach appears to be broader than that, turning what was once perhaps designed as mere compensation to more of a penalty in amounts that can be difficult to qualify or manage for the defendant.  Jones Day offers a summary of the popular types of statutory damages and their effects in today’s litigation. In their article, they suggest “statutory damages now have a life of their own.” 

Are the threats of statutory damages insurable?  For the professional liability insurance world, it varies by the type of the statute and the services the policy is designed to cover.   Generally, look first at the definition of damages.  If you find an exclusion for punitive, exemplary or multiplied damages, then it raises some doubt about the coverage for statutory damages.  In addition, check for exclusions relating to the statutory damage statutes such as exclusions for violations of consumer protection laws. 

Privacy and Security Coverage: LJ’s Top 7 list of What to Watch Out For

Here’s a fresh list of provisions to carefully evaluate and watch for when considering first-party and third-party liability privacy and security coverage options.

1.  Exclusions for failure to maintain a specified level of security standard, e.g. PCI compliant.

2.  Exclusions for a programming error.

3.  Exclusions for failure to update software and/or  implement patches.

4.  No coverage for physical theft or loss of  paper files, back-up disks, laptops etc. containing personally identifiable information.

5. No coverage for privacy notification or crisis management expenses following a covered security breach if there is no legal requirement to notify.

6. Exclusions for employee failure to periodically update passwords.

7. Exclusions for data that is not encrypted.

This is third installment of the LJ’s List of What to Watch Out For.  Check out the Tech Professional Liability and the Third-party security lists.

Sony Security Breach and Coverage Considerations

There is much conversation about the cost of the security breach that Sony recently experienced.  While a breach of this magnitude is thankfully not the norm, it does provide an opportunity to consider the impact of security breaches and what can be done to protect against them.  In addition to insuring the professional liability or negligent errors and omissions exposure arising from a company’s failure to prevent the breach,  it does appear that several expenses from a breach can readily be insured.