In assessing the risks related to cybersecurity, insurers have closely examined the technology put in place by insureds to safeguard data or other private information. This is not surprising because discussion of privacy and data security tends to focus on sophisticated hackers in other countries that have the latest technology at their disposal. While professional hackers, hacktivists and terrorists undoubtedly pose an enormous threat, we have recently seen an uptick in the number of data security stories involving employees. At present, it appears an insured’s technology is only as good as the training provided to an insured’s employees.
Just last week, we reported on employees of the St. Louis Cardinals hacking into the network of the Houston Astros. Even if the Cardinals organization had no knowledge of the hacking, the allegations against its employees do not put the Cardinals in the best light.
On June 12, 2015, there were reports that employees of Cuesta College in San Luis Obispo, California, were notified of a database breach in which employee names, addresses and Social Security numbers were sent to a private email account. After the breach was investigated, the main suspect was an employee of the College who accessed the College’s network while she was at her home on medical leave. By June 18, 2015, the employee, Lacey Fowler, was charged with a felony count of improperly accessing computer data. Fowler was a Human Resources Manager at the College.
In another unfortunate example, Crain’s New York reported that the Montefiore Health System in New York was informed by law enforcement on May 15, 2015 that it had a breach of the private information of more than 10,000 of its patients. The breach, which occurred between January 2013 and June 2013, appears to have been committed by a former assistant clerk. The Manhattan D.A. who is prosecuting the case against the former employee said: “we’ve seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers.” The investigation showed the employee was selling private patient records for as little as $3 per record. The article states that “Montefiore has a reputation among hospitals for its significant investment in technology and analytics.”
Obviously, the fact that the employee in the Montefiore case was willing to jeopardize his job for $3 per record demonstrates the potential threat created by employees regardless of the hospital’s technology.
Consequently, when providing insurance coverage for data security, an insurer’s investigation should go beyond merely looking at the technology the applicant has in place. Further, we have seen this focus on the insured’s technology in Columbia Cas. Co. v. Cottage Health Sys., where an insurer has taken the position that the insured misrepresented its technology in the application for cyber insurance. While the most advanced technology is important, a substantial factor in the integrity of an insured’s security is the training and monitoring provided to an insured’s employees.