Your Obligations To Keep Information Private

Legal Framework

Many professionals including lawyers, doctors, retail establishments , accountants and more have some obligations with regard to protecting client information. This includes doctors and lawyers who are under the HIPAA[1] Security Rule is a national standards for the security of electronic protected health information. A minority of states[2]—including Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland, and Nevada—have also enacted laws requiring businesses to maintain data security standards to protect state residents’ personal information from being compromised. During the past decade, Congress [3] has enacted a number of laws governing data security in certain specific contexts, including:

  • the Fair Credit Reporting Act (“FCRA”), which imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies;
  • the Children’s Online Privacy Protection Act (“COPPA”), which requires covered website operators to maintain reasonable procedures to protect the personal information of children;
  • the Health Insurance Portability and Accountability Act (“HIPAA”), which requires health care providers to maintain security standards for protected health information;
  • the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthens penalties for HIPAA violations and extends HIPAA violation liability to “business associates” to whom protected health information is disclosed (e.g., third-party administrators, accounting firms providing services to health care providers);

Mitigating Risk: Cyber Insurance is Not Enough

Several companies rely on Cyber Insurance to minimize their risk as company. While cyber insurance helps offer an extra layer of defense in a company’s robust cyber security program, it is not a substitute for managing the company’s cyber risk[4].

Companies hence require to take steps in-order to reduce exposure. This is why most insurers do not provide a one cost fits all. Instead[5] what they review current safeguards and then quote a price. Some of the requirements insurers pose are:

  • Back up your data at least once a week and store it in an offsite location
  • Antivirus and firewalls in place and that are regularly updated
  • Enforce policies concerning when internal and external communication should be encrypted
  • Personally identifiable information (PII) or personal health information (PHI stored on laptop computers and portable media (flash drives, back-up tapes) protected by encryption
  • Have a privacy policy
  • Types of Sensitive Information Held on servers: Social Security Numbers, Credit Card Information, Personal Health Information (PHI), Bank Account Information, Employee Information and Third Party Corporate Data

Underwriters within insurance companies look at the following[6] to calculate premiums for Cyber Liability Insurance i.e. companies can reduce their premiums by implementing these protocols, which is an opportunity for internet security companies:

  • Set standards and processes for proper data management
  • Encrypt or use other protective measures to safeguard personal information
  • Decide what type of personal data to maintain, how to store and for how long
  • Require a strong password to protect all PC’s and mobile devices that access company system
  • Protect each individual PC with automatic updates of operating system and applications from centrally updated and monitored anti-virus, anti-spyware and anti-spam software
  • Implement a secure email system
  • Limit employee use of the internet and email to company purposes and eliminate all connections to personal sites
  • Obtain secure website capability – firewall that includes anti-virus, anti-spyware, and anti-spam services along with content filtering and intrusion prevention, detection and real-time reporting
  • Know the procedures for working with third party vendors – banks, shredding services, hardware disposal, or outsourced efficiencies such as credit card processing
  • Have a backup system that regularly retrieves data from the company server and stores it off site
  • Involve employees in creating a cyber security focused culture and periodically review procedures to evaluate and update practices
  • Develop a crisis response plan
    • What to do in the event of a data breach
    • What to do in the event of a disaster that affects data storage
    • Train all employees and periodically review procedures to evaluate and update practices

Companies like FireEye Inc can help small-medium businesses[7] to reduce their cyber insurance premiums. Recently FireEye Inc and Lockton Insurance[8] have announced a product called Advanced Risk Assessment Services for Insurance Industry to help their clients understand risk. FireEye Inc retails[9] it’s service at $8,000 plus some subscriptions/maintenance fee.

Coverage

Within the industry the term cyber liability insurance cover is often used to describe a range of covers – in very much the same way that the word cyber is used to describe a broad range of information security related tools, processes and services. Detailed summary of insurance covers of each company is available in the excel sheet: insurance for small companies and startups v2.xlsx. Generally, most cyber liability insurance cover:

  • Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
  • Multimedia/Media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
  • Extortion liability cover. Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion.
  • Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.

Cost for Businesses if Hacked

In 2011, the average cost to business owners per record compromised was $194[10], almost $200 per record. At that rate a lost laptop, cyber liability attack, rogue employee hack or data breach to a company storing 5,000 records could mean up to $1,000,000 in legal, reporting & remediation expenses, or more. Insureon recommends[11] that small businesses should revisit their exposure and their state data breach laws. Florida, for example, just passed a law that fines up to $500,000 for data breaches.

In addition if companies data is compromised they are obliged to notify clients, repair damage, and perhaps perform forensics to determine what data was taken. To compute the potential losses companies can use this calculator[12]:

data-breach-calculator

Cost of Cyber Insurance

Cyber insurance policy premiums are not one size fits all, as premiums are factored on a company’s industry, services, data risks and exposures, computer and network security, privacy policies and procedures and annual gross revenue. The cheapest premium (cost to company) of a policy, for a medium size company was $700[13]. Typical cyber insurance costs[14] for various industries are:

Fiber Optics Communications Provider
Revenue: $35 million
Limit: $10 million
Premium: $47,000

Pharmacy Benefits Management Company
Revenue: $4 billion
Limit: $5 million
Premium: $84,000

Industry: Healthcare
Revenue: $25 million
Limit: $1 million
Premium: $12,900

Industry: Healthcare, Social Worker
Revenue: $120,000
Limit: $1 million
Premium: $859

Industry: Education
Revenue: $25 million
Limit: $1 million
Premium: $6,000

Industry: Financial
Revenue: $100 million
Limit: $1 million
Premium: $37,000

Industry: Retail
Revenue: $50 million
Limit: $1 million
Premium: $26,000

Industry: E-commerce
Revenue: $50 million
Limit: $1 million
Premium: $37,000

Restaurant
Revenue: $50 million
Limit: $1 million
Premium: $10,000

Industry: Manufacturing
Revenue: $100 million
Limit: $10 million
Premium: $50,000

Healthcare IT Provider
Revenue: $1.2 million
Limit: $5 million
Premium: $15,900

Healthcare SaaS Provider (startup)
Revenue: $1.5 million
Limit: $5 million
Premium: $30,420

Electronic Health Records (EHR) Provider
Revenue: $5 million
Limit: $1 million
Premium: $8010

Data Hosting Provider (startup)
Revenue: $200K
Limit: $1 million
Premium: $2750

Healthcare IT Consultant
Revenue: $150k
Limit: $1 million
Premium: $3298

Clinical Data Analysis Research Software (startup)
Revenue: $20,000
Limit: $2 million
Premium: $4900

e-Waste Company
Revenue: $1.5 million
Limit: $2 million
Premium: $3564

Psychologists Office
Revenue: $1 million
Limit: $1 million
Premium: $1600

Doctors Office
Revenue: $700,000
Limit: $500,000
Premium: $649

Online Retailer
Revenue: $500,000
Limit: $1 million
Premium: $1100

Professional Consulting Services
Revenue: $400,000
Limit: $1 million
Premium: $1200

Doctors Office
Revenue: $1.7 million
Limit: $1 million
Premium: $1800

SaaS Provider
Revenue: $3 million
Limit: $2 million
Premium: $6000

Fast Food
Revenue: $15 million
Limit: $1 million
Premium: $9000

Hospital
Revenue: $170 million
Limit: $5 million
Premium: $42,000

Data Storage Center
Revenue: $15 million
Limit: $20 million
Premium: $120,000

 

HIPAA and the American Bar Association

Background

The HIPAA Security Rule establishes national standards to protect individuals’ electronic health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.[44].

Notable examples of HIPAA breach settlements:

  • New York-Presbyterian Hospital and Columbia University Medical Centre disclosed 6800 patient information to Google resulting in $4.8 million settlement[45].
  • WellPoint Inc. agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of HIPAA[46]
  • Alaska Department of Health and Human Services agreed to pay the U.S. Department of Health and Human Services’ $1.7 million to settle potential violations of HIPPA.[47]

Widespread Protests

Keeping the settlements and requirements both the American Hospital Association and the American Medical Association called for immediate withdrawal[48] of the rule when it was first proposed in 1998, and in this case the HIAA joined with the provider lobbies to protest the rule, claiming that the insurance industry was already held to rigorous computer security standards under state law. Saying that sever breaches are still punishable by law:

server-breach-law-table

Other reason for protests:

  1. HIPAA is claimed by many as unnecessary as it requires the health care industry to begin treating medical records in the same way that the federal government treats national defence secrets—as a form of classified information.
  2. According to chairman of American Bar Association “Even the most sophisticated medical centres are unlikely to come close to meeting HIPAA’s security standards”.

Although, not everyone is against HIPAA and perhaps its here to stay:

According to Deven McGraw[49], director of the Health Privacy Project at the Centre for Democracy & Technology “As much as HIPAA has been criticised and kicked around, I am seeing other sectors looking to HIPAA as a model for privacy regulation, because it does a reasonably good job at balancing the needs of the healthcare industry with the rights and concerns of patients. As far as impact, HIPAA really has made a difference. Even where it didn’t change the law dramatically, the amount of awareness to health privacy and security it has brought—and the amount of compliance it has engendered—has been substantial.”

 

SOURCES:

 

[1] Source: http://www.hhs.gov/ocr/privacy/

[2] Source: http://www.lexology.com/library/detail.aspx?g=cc5c9a56-7a60-46ab-9cf4-f36cada0cafa

[3] Source: http://www.lexology.com/library/detail.aspx?g=cc5c9a56-7a60-46ab-9cf4-f36cada0cafa

[4] Source: http://databreachinsurancequote.com/wp-content/uploads/2015/01/CDRM_Bloomberg-BNA_World-Data-Protection-Report.pdf

[5] Source: http://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/

[6] Source: http://pbpinsurance.com/index.php/01/main/data-breaches-and-cyber-liability

[7] Source: https://www.fireeye.com/solutions/small-and-midsize-business.html

[8] Source: http://www.lockton.com/newsroom/post/fireeye-announces-advanced-risk-assessment-services-for-insurance-industry

[9] Source: http://community.spiceworks.com/topic/444856-has-anyone-used-fireeye-malware-protection-system

[10] Source: http://www.castlerockagency.com/cyber-liability-insurance.html

[11] Source: http://www.prnewswire.com/news-releases/insureon-fewer-small-businesses-buying-cyber-liability-insurance-since-targets-breach-268097651.html

[12] Source: http://www.hubinternational.com/data-breach-cost-calculator/

[13] Source: http://www.castlerockagency.com/cyber-liability-insurance.html

[14] Source: http://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/

 

[44] Source: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

[45] Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/jointbreach-agreement.html

[46] Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html

[47] Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html

[48] Source : http://content.healthaffairs.org/content/19/6/231.full.pdf

[49] Source: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_050150.hcsp?dDocName=bok1_050150