In this third and final part of a special series, IBA looks at two must-have features that brokers and agents should demand in a modern cyber policy.
Privacy Regulatory Defense and Penalties
This crucial component of a cyber policy provides coverage for regulatory fines and penalties and/or regulatory compensatory awards incurred in privacy regulatory proceedings brought by federal, state, or local governmental agencies.
To illustrate the importance of privacy regulatory defense, Jeremy Barnett, senior vice president of marketing at NAS Insurance Services, gives the example of a large hotel chain that suffered a data breach in 2015 due to “pretexting”. Pretexting is a form of social engineering which involves an individual tricking another party into divulging confidential information.
“In this case, the hacker posed as an employee in the hotel chain’s corporate IT department and convinced two other employees to enter their employee IDs and passwords into a fake, or ‘phishing’, website,” Barnett says.
“The hacker used the employees’ security credentials to access the personally identifiable information (“PII”) of hotel guests. The breach exposed the names, home addresses, email addresses, phone numbers, drivers’ license numbers, license plate numbers, credit card numbers and telephone numbers of thousands of customers.”
In the ensuing investigation, the Federal Trade Commission (FTC) found that a lack of technical safeguards contributed to the theft of customer information. The FTC also reported that the hotel chain failed to report the data breach to federal authorities, as they are required to do so by law.
“At the conclusion of its investigation, the FTC ordered the company to pay $595,000 in civil penalties,” Barnett says. “Cyber liability insurance would cover the civil penalties, as well as any costs associated with defending the hotel chain in the investigation.”
The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures that was created to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
Barnett gives the example of another hotel chain that reported that the payment systems in three of its locations had been infected with malware.
“Forensic investigations following the breach concluded that the hotel chain’s point-of-sale terminals at the three locations had been compromised resulting in the theft of sensitive cardholder data when payment cards were swiped through the card reader,” Barnett says.
“Assessments were levied against the hotel chain by credit card companies for failure to maintain proper security controls as required by the Payment Card Industry Data Security Standard.”