
OneBeacon offers products and risk management services to help insureds protect data and private

Protection for client's personal information

By Phil Zinkewicz


In 1983, a mildly entertaining film titled “War Games” starred Matthew Broderick, Dabney Coleman and Ally Sheedy. The film, still shown today on television cable networks, is about a teen-aged computer whiz kid (Broderick) who accidentally taps into a government early warning system and nearly starts World War III. Back in 1983, the film was considered a bit contrived, probably because Broderick was made to be a genius and all the adults in the film were a bit moronic. Also, the average moviegoer would never take seriously computer breaches that could create such havoc.

But this is 2010, and we all know better. In today’s world of computer systems and programs of infinite complexity, almost anything can happen and the results can be dramatic.

One of the most infamous incidents of computer breach was first revealed in January 2007 when TJX Companies announced that it was the victim of an unauthorized computer systems intrusion. It had discovered in mid-December of the previous year that its computer systems were compromised and that customer data was stolen. The hackers accessed a system that stores data on credit card, debit card, check and merchandise return transactions.

In addition to credit card numbers, personal information such as Social Security numbers and driver’s license numbers from 451,000 customers was downloaded by the intruders. The breach was possible due to a non-secure wireless network in one of the stores.

By the end of March 2007, the number of affected customers had reached 45.7 million, and this had prompted credit card bureaus to seek legislation requiring retailers to be responsible for compromised customer information saved in their systems.

The intrusion was kept confidential as requested by law enforcement. TJX said, at the time, that it was working with defense contractor General Dynamics, IBM and Deloitte to upgrade computer security.

Eleven men have been charged in the theft, and one, Damon Patrick Toey, has pleaded guilty to numerous charges related to the breach. One man, Jonathan James, professed his innocence and later committed suicide. The alleged ringleader, Albert Gonzalez, was indicted in August 2009 for attacking Heartland Payment Systems in which 130 million records were compromised—possibly the largest retail store attack in U.S. history.

Not exactly World War III, but certainly the stuff of which films are made.

According to a new study by Ponemon Institute, employees routinely engage in activities that put sensitive data at risk: downloading data onto unsecured mobile devices (61%), sharing passwords (47%), losing data-bearing devices (43%), and turning off their mobile devices’ security tools (21%). And, reflective of the blurring of the lines between personal and professional lives, they are using Web-based personal e-mail in the office (52%), downloading Internet software onto an employer’s devices (53%), and engaging in online social networking while in the workplace (31%). With the exception of social networking, measured for the first time in 2009, each of these risky behaviors represents an increase compared to 2008 results.

As serious as this risky behavior is in the retail and credit card industries, it is even more so in the health care industry. For example, Connecticut’s Attorney General Richard Blumenthal is investigating Blue Cross Blue Shield’s loss of confidential information, including tax identification and Social Security numbers for 800,000 health care providers nationwide.

The attorney general is also seeking additional identity theft protection for affected doctors, therapists and other professionals, according to a statement from the attorney general’s office issued late last year. “We are vigorously investigating this appalling data loss, needlessly exposing more than 18,000 Connecticut doctors and professionals to devastating identity theft,” Blumenthal said in a statement. “Failing to promptly notify [a] provider of the breach is inexcusable and a possible violation of state law. Waiting two months left providers severely at risk, needlessly and irresponsibly exposing them to financial mayhem,” he said.

In February 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health (HITECH) Act, which includes new privacy requirements that experts have called “the biggest change to the health care privacy and security environment since the original HIPAA privacy rule.”

All of these developments have, of course, attracted the attention of the insurance industry, recognizing there are new exposures that need to be addressed.

New products

One of the most recent new products to hit the market comes from OneBeacon Professional Insurance (OBPI), a member of OneBeacon Insurance Group. OneBeacon Professional Insurance recently announced a new Network Security and Privacy Liability product, targeted to all classes of business that store personal information—including multimedia companies, retail firms and health care organizations.

“With the prevalence of company security breaches and ever-changing privacy regulations, there is a heightened concern around the safety of personal information,” says David Molitano, OneBeacon Professional Insurance’s vice president of technology, miscellaneous E&O and media liability. “Our goal is to help our insureds with their need to protect data and private information by offering tailored insurance solutions and forward-thinking risk management services.”

On the health care industry end, OBPI’s client list includes hospitals of any size, physician groups, managed care organizations, long term care facilities and health care facilities. “Every year, there are more and more attempts on the part of intruders to hack into organizations’ private information,” says Molitano. “For some people, hacking into a health organization’s information data is just done for the glory. It’s another medal they can show to the hacking community. But, for many, such intrusions are a high-stakes game, where the financial rewards can be great.”

Susan Angelo, senior vice president, managed care division leader of OBPI, says: “Health care organizations sometimes collect more information than banks do. Hackers sell that information and buyers can use it to have expensive procedures (not just specifically surgery) on another person’s insurance card.”

OBPI’s Network Security and Privacy Liability insurance includes coverage options such as network security liability, privacy liability, first-party business interruption and Web site media occurrence liability coverage, all available to clients through one standard policy form.

Says Molitano: “For qualified accounts, OneBeacon Professional Insurance will offer limits up to $10 million, and both primary and excess policy coverages are available. Specialized protection and features include coverage for certain Web site media offenses, innocent insured protection, worldwide coverage, breach notification costs coverage, regulatory claim coverage, extortion threat coverage, and more.

“Our solution is designed for businesses holding private information, including health care organizations and medical facilities that must comply with strict rules regarding information security and protecting against theft of private information,” he says.

Molitano and Angelo say that, on the risk management side, OBPI is holding Webinars that provide information on network security and privacy. “Our first Webinar was held on February 24 for our own insureds. It was a sort of a Freshman 101 class, an introduction to the issues,” they say. “Other Webinars will follow. We are also working with brokers and speaking to their groups.”

 
 
 
