Category Archives: Risk Management

HITECH Public Data Breaches: Majority Caused by Theft

Last month, the Health Information Trust Alliance published an analysis of the 108 breaches reported to HHS from Sept. 23, 2009 (when reporting first started under the HITECH Act) to mid-July. This review illustrates the major impact of theft on healthcare providers. Of the 108 reported breaches, 68 were the result of theft. Indeed, the only type of breach experienced by every healthcare industry sector was theft. The most common thefts involved laptops and removable data drives and devices. The majority of the data found on these devices remains unencrypted. This lack of encryption is significant given that, as with the breach notification laws in most states, there is a notification safe harbor under the HITECH Act implementation regulations whenever the stolen data is encrypted.

This review of HHS reported breaches highlights what risk managers have likely known for some time now, namely that it is important to better train employees regarding the use and maintenance of laptops and memory devices. Although not nearly as “top of mind” as better training, risk managers are now coming to understand the value of deploying system-wide encryption solutions. There is obviously much less likelihood of a breach turning into a major financial incident when no notification is required. In other words, whether the added expense of encryption — both financial and time-driven — is worth it to a healthcare provider gets answered each day there is another publicly noticed breach.

Aon Disclosure Impacts 22,000 Retirees

According to a story published today in the News Journal, Aon Consulting is mailing letters to approximately 22,000 State of Delaware retirees after it inadvertently posted Social Security numbers, gender information and dates of birth in a Request for Proposal (RFP) the company prepared for the State. The RFP information was posted by Aon to the procurement section of the Delaware website for five days before it was discovered and removed. This is not the first data breach for Aon Consulting. In May 2008, an Aon laptop containing the names and Social Security numbers of 57,160 people related to a Verizon engagement was stolen from a New York City restaurant. The laptop was never recovered.

Moreover, it is not the first time a global broker has compromised client data. On May 9, 2006, a Marsh subsidiary lost a personal computer containing records of more than a half million New Yorkers. The lost data included Social Security numbers and dates of birth. And, in 2008, Willis lost a data tape in India that contained data belonging to numerous clients who, in turn, had to report to their own clients.

These events are a stark reminder that no one is 100% immune — even those who are in the risk management business are vulnerable to a data breach. Indeed, Marsh, Aon and Willis are the three largest brokers in the world and have built over the years very sophisticated risk management practices to assist clients in addressing their exposures. Accordingly, the message here is not to think any less of these brokers but rather to recognize the magnitude of the challenges faced by all firms when managing data risk. In other words, if a breach can hit these folks, it can hit just about anyone.

BigLaw Warning: Law Firms Face Increasing Risks When Handling Personal Information

In a pair of articles sent out by CNA to its law firm insureds, two large law firms showcase (by way of their privacy and risk management departments) the rising data loss exposures faced by all law firms. An article written by seasoned privacy attorneys from Hunton & Williams provides “an overview of key privacy and information security issues impacting the practice of law.” And, in an article written by Ann Ostrander, the Senior Director of Loss Prevention at Kirkland & Ellis, we learn how Kirkland addresses part of its data confidentiality problem by deploying a sophisticated web-based solution.

Ms. Ostrander provides some good common sense advice when she writes:

With new rules, new precedents and new information technologies continuing to complicate and inflate the ways in which information is created and communicated, the risk of unexpected incidents, breaches or gaps is increasing. Thankfully, educational resources, technology and services exist which can enable organizations to enhance their capabilities and reduce risk. As more firms adopt more rigorous approaches to managing confidentiality and compliance, they’re creating stricter de-facto standards and expectations for the legal industry as a whole. In this context, every firm should carefully consider the state of confidentiality management in their environment, as this is an issue whose profile will only continue to grow.

Because the Hunton attorneys are very process driven in their approach, they advocate that law firms build out new security processes such as those found in a vendor management program. As with Ms. Ostrander, however, Hunton’s privacy group ends by providing a baseline of what every law firm should be doing:

For law firms, it is difficult to overemphasize the importance of (i) understanding how the firm collects, uses and otherwise processes personal information, (ii) thoroughly analyzing the firm’s relevant legal obligations, and (iii) implementing a comprehensive privacy and information management strategy to address these obligations.

Although diminishing billable hours may tear into a firm’s ability to implement the firm-wide technology initiatives found at BigLaw firms such as Kirkland, the rewards found in adequately addressing data loss exposures will pay long-term dividends for a law firm of any size. As chronicled in the Hunton article, there are many regulatory landmines on the horizon. It may be hard for a client to justify staying with its law firm after the firm is hit with a public rebuke regarding its data security – especially when there are so many other competitors in the water.

Moreover, all law firms can, and should, be known as stalwarts of “future” data privacy best practices – and not just of what is considered a current best practice. In fact, it can be argued that the smaller the law firm, the easier it is to run such an office. Although attorney-client privileged material is already sacrosanct within all law firms, as counsel to banks, retailers, healthcare providers, and other users of sensitive data, law firms should live and breathe data protection on behalf of their clients. There is a financial silver lining to any upgrade expense given that new implementations immediately become marketing fodder for rainmakers. In other words, just as some clients point to their use of sophisticated data management procedures when marketing their services, so should law firms when marketing their own services.

NJ Appellate Division Rules Shareholders Can Inspect Board Minutes

An August 17, 2010 New Jersey decision may be negative for businesses in New Jersey despite what on the surface is a win for a large corporation. In Cain v. Merck & Co., Inc., the New Jersey Appellate Division addressed whether the New Jersey Business Corporation Act entitles shareholders to inspect the minutes of the board of directors and the minutes of executive committees, and if so, the breadth of that right of inspection. According to the court, resolution of these questions:

centers on the proper construction of N.J.S.A. 14A:5-28(4) of the Act. In pertinent part, that statute allows shareholders, upon proof of a “proper purpose,” to examine “the books and records of account, minutes, and record of shareholders of a corporation.” N.J.S.A. 14A:5-28(4).

In what appears to be a case of first impression in New Jersey, the Appellate Division concluded that the qualified right of inspection under the statute extends to the minutes of the board of directors and the executive committee – and not just to the minutes of the shareholder meeting. The court, however, limited this right of inspection to only those portions of the board minutes that address the shareholders’ “proper purpose.” In other words, shareholders are “not entitled to examine the minutes in order to explore unsubstantiated allegations of general mismanagement.”

It is not clear whether Merck will appeal given that it, in effect, won its alternative argument, namely that the review should be limited to discussions related to a study conducted by Merck rather than a broader review that on its face does not have such a “proper purpose.” According to a Merck spokesman, “we’re evaluating our next steps.”

If left as binding authority, this decision may have huge ramifications for large and public businesses in New Jersey. As it stands, the decision extends the reach of the statute – which appears on its face to be limited to shareholder meetings – to the much more deliberative board meetings of a corporation. It gives litigants a new tool and may cause directors to be more restrained when providing advice, given that their decision-making process may now be opened up to a much greater extent. Moreover, this potentially increases the liability of directors and officers, so there may be an increase in claims – with a resulting increase in D&O insurance premiums. Although the lower court did recognize that the minutes should be redacted for privileged material, now that the door is open, future judges will have free rein to decide what is deemed “a proper purpose” or privileged material. In other words, there is no guarantee a future judge won’t allow the fishing expedition rejected by the Appellate Division in this case.

Network World: Do You Need Network Security and Privacy Insurance?

Two recent articles have come up with differing viewpoints regarding the merits of buying network security and privacy (NSAP) insurance. On the one hand, an article in Network World has taken the position that it is almost foolish not to have NSAP insurance given the potential damages, increasing threats and the inability to safeguard against all such threats. The author reasons: “Just because you have fire extinguishers and sprinklers in your business doesn’t mean you don’t also buy fire insurance – the potential risk is too high. It’s time many companies considered security insurance too.”

An article in the Monitor titled College Officials Wary of ‘Cyber Insurance’ for Private Data suggests that purchasing NSAP insurance should actually be avoided given it does nothing to solve the ultimate problem, namely safeguarding data. Specifically, representatives from the University of Texas-Pan American and South Texas College said they were confident in their information security systems and saw little value in NSAP policies — despite the fact “higher education institutions across the nation have purchased [NSAP insurance] to offset large expenses following a data breach.” According to Bob Lim, UTPA vice president of information technology, “Rather than spending money at the back end, use your resources to prevent (risk). There’s better use in working to fight intrusion than being scared of it.”

The thrust of UTPA’s argument runs something like this:

We need to adequately protect sensitive data in order to safeguard our reputation. If we sustain a breach, there is something greater at stake than just the cost of the breach – it’s the hit to our reputation, which is very difficult to monetize. Accordingly, we are better served by spending our resources and money on prevention rather than on the back end for a solution that may not even properly cover us.

Ironically, this is the very same argument that large financial institutions made years ago when they opted not to buy NSAP insurance. They believed that their reputations were sacrosanct, so they needed to avoid a breach at all costs – buying the insurance was evidence a breach was even possible. If you asked around today, most of these institutions currently have NSAP insurance – with towers that well exceed $100 million. Why the change in position?

There are three factors that caused large financial institutions to change their collective tunes. First, because so many organizations have been hit with very public breaches, the reputational hit became less and less of a concern. After all, if everyone is being hit, the “before” is not as important as the “after”, i.e., how you treat your customers post-breach. And, that is the second reason why the insurance option became more attractive. NSAP insurance quickly funds and allocates resources after a breach – sort of like an experienced SWAT team entering the picture. Financial institutions started to realize the benefits of having risk professionals assist in the post-breach aftermath. Finally, the IT departments began to realize insurance was not an indictment of their capabilities but actually a way to fund the costs of a breach without touching their own IT budgets. In other words, rather than being opponents of the coverage, CTOs and CIOs became champions of it when they saw the direct benefits of obtaining the coverage.

All of this begs the question: are the financial institutions smarter, or are the folks from UTPA? When does NSAP insurance begin to make sense? As with most questions related to the purchase of insurance, it depends on your risk appetite, exposures, controls, and ability to financially withstand an incident. Taking such factors into consideration, it is clear that the answer will vary widely. It is suggested that management at least start the process of determining whether NSAP insurance makes sense – especially since the options are getting better by the day. Who knows. Maybe UTPA will ultimately change its position as more and more breaches of colleges and universities are reported.

Healthcare Industry Hit Hard with Data Breaches

According to the ID Theft Resource Center, 97 of the 341 organizations that sustained a significant data breach in the first half of 2010 were in the healthcare industry. By comparison, only 38 breaches were reported at banking and other financial institutions. As shown by the breach sustained by BCBS Tennessee, the direct costs for breaches can exceed $10 million. And, the repercussions for these breaches are not even limited to direct mitigation or liability expense. For example, the California Department of Health has fined five hospitals a total of $675,000 for repeatedly failing to provide adequate security for patient data.

Given the HITECH Act’s desire to increase usage of EHRs, healthcare providers are now scrambling to deploy new software systems that leave them quite vulnerable until fully tested. Moreover, the public may be losing patience with healthcare providers given more and more breaches are now being reported. This can only lead to an emboldened plaintiffs’ bar.

What’s a healthcare provider to do?

It can be argued that there is not much a healthcare provider can do to avoid a breach other than improve security and continue to train its staff. After all, how can you stop an employee from going around security protocols and stealing data? As for lost or stolen laptops, that will likely never abate — as illustrated by recent laptop thefts in Texas and Oregon. Having a robust vendor management program in place is helpful but can never fully prevent rogue contractors from losing or stealing data. In other words, the risk can be mitigated (somewhat) but never fully removed so long as healthcare data remains valuable, healthcare providers stay in the healthcare business (and not the data security business), and workers continue to make mistakes. There is a risk management approach, however, that should be seriously evaluated by every participant in the healthcare industry.

In the same manner that medical malpractice insurance is standard in the healthcare industry, network security and privacy insurance should be seriously considered as a risk transfer tool. Depending on the size, sophistication, and needs of an organization, the terms can be very affordable and flexible. For example, a hospital with $30 million in revenue can now obtain a comprehensive policy that will safeguard against a breach impacting 250,000 patients for under $15,000. The bad news is that most insurance professionals or brokers are unaware of the correct pricing or terms for such coverage. Accordingly, they rely on wholesale brokers who are inundated with submissions and have a tough time qualifying leads (given they do not interact directly with insureds) — which, in turn, prevents some organizations from getting the attention they deserve. Thankfully, there are risk professionals out there with the right background to help cash-strapped healthcare organizations obtain the right protection at the right price. At the very least, healthcare providers and plans should reach out to these risk professionals to obtain a “ballpark” quote.

Armed with a ballpark quote, organizations are at least able to determine whether it makes sense to pursue coverage. Getting a ballpark quote requires minimal effort. In order to obtain a ballpark quote, please simply provide your revenue. We will get back to you within several days with a ballpark insurance quote for network security and privacy insurance.

Hospital Data Continues to be at Serious Risk with Third-Party Vendors

According to the 2010 HIMSS Analytics Report: Security of Patient Data, even though providers continue to update their security infrastructure, patient data remains at serious risk. And, despite new statutory requirements for healthcare privacy and security, these critical gaps remain. The study’s conclusion is not that surprising given new healthcare breaches are being reported on a daily basis.

One improvement that can be immediately implemented with little cost outlay is the initiation of a vendor risk management program. Recent changes to how HHS views business associates and new data security laws in states such as Massachusetts now make it imperative that hospitals affirmatively manage the risks inherent in having third-party companies handle sensitive data. There are certainly enough incidents to justify the attention. For example, a company hired by South Shore Hospital to dispose of patient records simply outsourced the work to a second company. It was this second company – a company that did not directly contract with the hospital – that lost 800,000 patients’ files.

Lost or stolen laptops used by the contractors of business associates litter the data breach landscape. Incidents such as the one that impacted New Mexico’s Medicaid Salud! Plan are fairly common. The Plan members were hit with a breach arising not out of the direct negligence of DentaQuest, a company that processes claims and provides dental benefits for the Plan, but instead from the negligence of an employee of West Monroe Partners – a company hired by DentaQuest. A West Monroe employee had an unencrypted laptop with protected information in the trunk of a car when the vehicle was stolen. Although it may not always be convenient, most employees should know by now not to leave a laptop in a car – especially if it is unencrypted. It’s not easy, however, for a hospital to enforce a policy on a company it does not even know exists.

There are two basic risk management suggestions to be gleaned from these incidents. First, not only should the obvious indemnifications be negotiated in all business associate agreements, hospitals also need to require that business associates vet subcontractors to ensure they too have proper security controls in place. In fact, this is actually dictated by the recent statutory changes referenced above. Second, if a hospital purchases insurance to cover the costs of a breach, it should confirm that the insuring agreement broadly covers third-party incidents. Given that network security and privacy insurance remains a nascent market – albeit one that is now rapidly growing – not all insurance contracts are the same when it comes to how far the third-party coverage net reaches. NSAP insurance should also be included in every insurance clause requirement – with a provision requiring that subcontractors also procure the necessary minimum coverages.

Hospitals should never forget that their data security is only as strong as their weakest link – which given cost-cutting measures undertaken by business associates may sometimes be an unknown company with weak security controls.

NSAP Insurance Full Policy Limits Must Cover First Party Data Breach Costs

A recently disclosed $10 million data breach expense bill raises an issue that has been percolating through the network security and privacy (NSAP) insurance marketplace for several years now. The publicly disclosed expenses involve BlueCross BlueShield of Tennessee (BCBST).

According to BCBST, in October 2009, “57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a [BCBST] call center.” And, as of June 11, 2010, the total number of current and former BCBST members compromised is 998,936. Although there has been no documented incident of identity theft or credit fraud of BCBST members as a result of this theft, BCBST has incurred $10 million in costs to date. These expenses are driven by its retention of Kroll to investigate the theft (e.g., to determine which members were impacted), Equifax credit monitoring, LifeLock services, notification costs, and call center expense.

The key takeaway from incidents such as this one turns on the fact that there is no lawsuit to defend – and no NSAP liability policy trigger to set in motion. The only trigger is first-party driven, namely the internal expenses incurred to deal with a data breach incident.

As with most NSAP insurance buyers, the growing number of Blues who have actually purchased NSAP insurance have agreed to sub-limits on their first-party expenses that are usually a fraction of the full liability limit. This is unacceptable given victims such as BCBST are often forced to expend millions of dollars without seeing a single lawsuit or regulatory complaint. In fact, the goal of spending so much on the front end is to avoid litigation.

The good news is that there are a few NSAP insurers who are willing to offer full limits for first-party expenses incurred as a result of a data breach. These insurers should be evaluated when looking at NSAP insurance for the first time. And, upon renewal, if your current insurer does not provide the limits you need for the expenses you are most likely to incur, either have your current broker evaluate other insurers or turn to a new broker who can help locate better options.

9th Circuit: GL Policy Provides Patent Coverage

As reported by Wilson Elser, the Court of Appeals for the Ninth Circuit has ruled against a GL insurer looking to avoid picking up the tab for a patent suit. After being sued for patent infringement for its online “build your own” car feature, Hyundai sought GL coverage under the “advertising injury” clause – specifically alleging that the patent infringement suit triggered the “misappropriation of advertising ideas” coverage grant. Hyundai’s coverage suit was dismissed in the lower court and Hyundai appealed. In reversing the dismissal, the Ninth Circuit found that “the advertising itself constituted the (injurious) use of the patented method.”

Specifically, the Circuit Court reasoned:

The third-party patent infringement claims here alleged that Hyundai’s web-based advertisement violated the third party’s advertising-method patents. We hold that, in the context of the facts of this case, the third-party patent infringement claims constituted allegations of “misappropriation of advertising ideas” for purposes of the insurance policy.

Although the decision was decided on narrow grounds and the recent Bilski decision likely narrows the field of future online business method patents, the ruling remains a wakeup call to insurers who want nothing to do with patent suits.

Tech Vendors Need Strong Hybrid Mix of Legal and Risk Management Counsel to Avoid Fraud Lawsuits

A growing list of technology vendor settlements should be a wake-up call to tech vendors both large and small. For example, last month, HP resolved a legacy EDS lawsuit to the tune of $460 million. The facts of the case are not very complicated. A decade ago, British firm BSkyB retained EDS to provide a CRM system for BSkyB’s help centers. Two years later the contract was terminated and BSkyB completed the job using its own IT staff. It also filed an action against EDS for misrepresentation regarding its capabilities. Although the initial contract included a liability clause that capped damages, the clause was ultimately rendered invalid due to fraud.

This past May, SAP and Waste Management announced the settlement of a lawsuit involving a failed ERP implementation. Waste Management sued SAP for fraud in March 2008 over an allegedly failed waste and recycling revenue management system. Waste Management allegedly sustained direct damages of over $100 million. SAP responded in its original Answer that Waste Management didn’t “timely and accurately define its business requirements” nor provide “sufficient, knowledgeable, decision-empowered users and managers” to work on the project. Much of Waste Management’s allegations turned on representations made by salespersons who were allegedly only concerned about licensing software that would create larger year-end bonuses. According to its revised complaint, if a newer version had been used, “the multi-million dollar sales price for the software could not be immediately recognized as revenue under the accounting rules for revenue recognition,” and those salespeople involved in the deal would not receive bonuses. According to its quarterly earnings filing regarding the reported settlement, Waste Management received “a one-time cash payment” in accordance with the settlement. The terms of the settlement were not disclosed.

The price of a tech suit goes down steeply after fraud charges are dismissed. For example, a lawsuit brought by a county government went from $10 million in alleged damages to an eventual settlement of $575,000 given there were only breach of contract claims remaining after the fraud claims were earlier dismissed from the action. Another action brought by yet another county government may not go as well for the tech vendor (Deloitte Consulting) given the fraud claims remain front and center throughout the complaint filed on May 28, 2010.

Claims brought against tech vendors are not only for millions of dollars. Last year, Epicor was sued after a client spent $244,656.42 on an ERP implementation. Again, the complaint sounded in contract breach but included negligent misrepresentation as well as fraud claims. Here’s a list of similar suits.

Moreover, tech vendors can include those who sell products such as iPhones rather than license software. Earlier this month, Apple was hit with numerous suits seeking damages arising from the fact that the latest iPhone has significant reception issues depending on how the phone is held. Specifically, one suit accuses Apple of “general negligence, breach of warranty, deceptive trade practices, intentional misrepresentation, negligent misrepresentation, and fraud by concealment.”

For over twenty-five years, courts have allowed fraud claims to mingle with the negligence and breach of contract claims typically brought against technology vendors. It is so much easier to prove (as was done in the EDS suit) that someone lied when contracting than to show how a contracted-for systems implementation was not technically performing as promised. Moreover, if fraud is proven, it will not only vitiate the limitation of liability and exclusion of consequential damages found in nearly all tech agreements; punitive damages may also become available. In other words, a fraud claim is the magic bullet used by most plaintiffs to get around iron-clad contracts and the bar against awarding punitive damages in a contract dispute.

To best combat fraud claims, there are certain things that a tech vendor should do before, during and after a contract is negotiated.  For counsel on that front and for access to related risk management and contracting tools, please reach out.