What cyber claims have we seen lately?


Here are a few:


#1 – Stolen Employee Laptop

A regional life insurance company moved to new offices. During the move, several laptops, computers and printers were stolen. One of the laptops contained personal information, including the social security numbers of over 36,000 clients. Forensic investigation expenses, legal fees, and notification expenses totaled over $200,000.


#2 – Fraudulent Wire Transfers

The accounting department at an electronics manufacturing company discovered a series of unusual wire transfer requests during a quarterly audit. After further investigation, it was determined that the e-mail accounts of several executives had been compromised, and, as a result, several wire transfer requests had been sent to the accounting department by hackers using “spoofed” email accounts. Over $600,000 in funds had been transferred to unknown bank accounts in four countries. Some of the funds stolen in the fraudulent wire transfers were reimbursed by the bank. Cyber crime insurance covered the amount not reimbursed by the bank.


#3 – Cyber Extortion

An employee at a law firm opened a link in an email that appeared to be sent by another employee of the firm, but was actually sent by a hacker. The link delivered ‘CryptoLocker’ ransomware that, when opened, immediately began to encrypt all files on the employee’s computer, including the firm’s finance and payroll files. The infection was discovered when the employee tried to access a file and an alert appeared on the screen, stating that all files had been encrypted and could only be unlocked if a ‘ransom’ was paid in Bitcoin. An IT expert was retained by the firm’s cyber insurance company to investigate the threat. The IT expert determined that the threat was credible and advised the firm to pay the ransom to recover the files and avoid further exposure and/or loss. Cyber insurance paid for the ransom payment, IT costs and legal expenses, which totaled approximately $10,000.

October, 2017

What cyber claims are we seeing?


Here’s a sampling:


#1 – Stolen Employee Laptop

The laptop belonging to an employee of a medical research institute was stolen. The laptop, containing the electronic protected health information (ePHI) of approximately 296,000 patients and research participants, was not encrypted. The ePHI included names, dates of birth, addresses, social security numbers, diagnoses, and laboratory results. Given the nature of the information stored on the laptop and the fact that the laptop was not encrypted, the incident was determined to be a reportable breach under HIPAA. The institute reported the incident to the Department of Health and Human Services (DHHS) and the Office for Civil Rights (OCR). After a full investigation, the OCR concluded that the institute’s security policy did not comply with the HIPAA Security Rule in that it was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the institute. The OCR imposed civil fines and penalties against the institute. Counsel was ultimately successful in helping the insured achieve a settlement with the OCR which reduced the fines and penalties and included a corrective action plan. Cyber insurance covered the legal expenses incurred in responding to the OCR’s investigation and the OCR settlement. Total expenses: $1,600,000.


#2 – Exposure of Credit Card Data

A security breach of a retail chain’s card reader system resulted in the exposure of the credit card data of over 2,000 cardholders. An investigation of the security breach determined that customers’ credit card data had been ‘skimmed’ off the compromised system by criminals to be sold on the black market, and that the store had failed to maintain the data security controls required under the Payment Card Industry Data Security Standard (PCI DSS). The acquiring bank imposed fines and assessments in the amount of $380,000 against the store for failing to comply with PCI DSS. Cyber insurance covered the PCI DSS fines and assessments.


#3 – Social Engineering

A large hotel chain suffered a data breach due to a form of social engineering called “pretexting”, in which an individual tricks another party into divulging confidential information. In this case, the hacker posed as an employee in the hotel chain’s corporate IT department and convinced two other employees to enter their employee IDs and passwords into a fake, or “phishing”, website. The hacker used the employees’ credentials to access the personally identifiable information (“PII”) of hotel guests. The breach exposed the names, home addresses, email addresses, phone numbers, driver’s license numbers, license plate numbers, credit card numbers and telephone numbers of thousands of customers. The Federal Trade Commission (FTC) investigated and found that a lack of technical safeguards, such as multi-factor authentication, contributed to the theft of customer information. The FTC also found that the hotel chain failed to report the data breach to federal authorities, as required by law. At the conclusion of its investigation, the FTC ordered the company to pay $595,000 in civil penalties. Cyber liability insurance would cover the civil penalties, as well as any costs associated with defending the hotel chain in the investigation.

September, 2017