What cyber claims are we seeing?
Here’s a sampling:
#1 – Stolen Employee Laptop
The laptop belonging to an employee of a medical research institute was stolen. The laptop, containing the electronic protected health information (ePHI) of approximately 296,000 patients and research participants, was not encrypted. The ePHI included names, dates of birth, addresses, social security numbers, diagnoses, and laboratory results. Given the nature of the information stored on the laptop and the fact that the laptop was not encrypted, the incident was determined to be a reportable breach under HIPAA. The institute reported the incident to the Department of Health and Human Services (DHHS) and the Office for Civil Rights (OCR). After a full investigation, the OCR concluded that the institute’s security policy did not comply with the HIPAA Security Rule in that it was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the institute. The OCR imposed civil fines and penalties against the institute. Counsel was ultimately successful in helping the insured achieve a settlement with the OCR which reduced the fines and penalties and included a corrective action plan. Cyber insurance covered the legal expenses incurred in responding to the OCR’s investigation and the OCR settlement.
Total Expenses: $1,600,000
#2 – Exposure of Credit Card Data
A security breach of a retail chain’s card reader system resulted in the exposure of credit card data of over 2,000 cardholders. An investigation of the security breach determined that customers’ credit card data had been “skimmed” off the compromised system by criminals to be sold on the black market, and that the store had failed to maintain the data security controls required under the Payment Card Industry Data Security Standard (PCI DSS). The acquiring bank imposed fines and assessments in the amount of $380,000 against the store for failing to comply with PCI DSS. Cyber insurance covered the PCI DSS fines and assessments.
#3 – Social Engineering
A large hotel chain suffered a data breach due to a form of social engineering called “pretexting”, in which an individual tricks another party into divulging confidential information. In this case, the hacker posed as an employee in the hotel chain’s corporate IT department and convinced two other employees to enter their employee IDs and passwords into a fake, or “phishing”, website. The hacker used the employees’ security credentials to access the personally identifiable information (“PII”) of hotel guests. The breach exposed the names, home addresses, email addresses, phone numbers, driver’s license numbers, license plate numbers, credit card numbers and telephone numbers of thousands of customers. The Federal Trade Commission (FTC) investigated and found that a lack of technical safeguards, such as multi-factor authentication, contributed to the theft of customer information. The FTC also found that the hotel chain had failed to report the data breach to federal authorities, as required by law. At the conclusion of its investigation, the FTC ordered the company to pay $595,000 in civil penalties. Cyber liability insurance would cover the civil penalties, as well as any costs associated with defending the hotel chain in the investigation.