Posts Tagged ‘data security insurance’

Wireless car hacking could lead to product liability disasters

Researchers at UC San Diego and the University of Washington demonstrated that a car’s electronics, including its brakes and locks, could be remotely taken over through the car’s Bluetooth wireless technology. The potential for Product Liability disasters might come through wrongdoing by criminals intent upon controlling an armored car or a delivery van carrying expensive electronics. It also might allow a disgruntled employee to attack a customer or a boss at a car dealership. Worse, of course, are the implications for terrorism. More information about the study is available in a New York Times article here.

Connect with Phil Edmundson on LinkedIn.

The importance of being prepared for a privacy breach

Thomas Edison said that genius is 1% inspiration and 99% perspiration. In the realm of privacy breach responses, the formula for genius might be expressed as 1% perspiration and 99% preparation. The contrasting responses of Hamilton Beach Brands and of Health Net to recent breaches demonstrate the importance of being prepared to act swiftly when the time comes.

Hamilton Beach

In early January 2011, Hamilton Beach discovered that some malicious code had been placed on the server processing its online ordering. The hacker code captured credit card data entered by would-be purchasers, before that data was encrypted and sent for processing. The credit card information was then automatically Read more…

When the government knocks, will your privacy insurance answer?

February 10, 2011 1 comment

Most experts predict that 2011 will bring a significant increase in regulatory proceedings and fines against companies that suffer privacy breaches. The mushrooming number of privacy-related laws at the federal, state, local and foreign levels provides fertile ground for investigations and enforcement actions. Potential regulatory protagonists may come from the federal Department of Health and Human Services, the FTC, the SEC, FINRA, State Attorneys General, the EU, or other sources.

The July 2010 settlement by Health Net of a HIPAA enforcement action by the Connecticut Attorney General provides a window to the potential near-term future. In settlement of an action resulting from its loss of a portable hard drive containing unencrypted patient records, Health Net paid a $250,000 fine, agreed to an additional contingent payment of up to $500,000, agreed to take several corrective steps – and spent more than $7,000,000 Read more…

WikiLeaks exposes further Internet business risks

December 21, 2010 Leave a comment

Recent attacks on commercial websites by supporters of WikiLeaks’ chief, Julian Assange, demonstrate a new level of complexity and risk on the internet. Large companies like MasterCard and PayPal as well as small companies are equally exposed to Distributed Denial of Service (DDoS) attacks that can shut down a website for its other customers. These attacks can come from internet crowds or mysterious governmental or government-sponsored entities.

DDoS attacks can lead to lost sales both during a shutdown and after. Customers may not come back quickly to a site that was not able to service their needs. Insurance coverage for these interruptions of business is not perfect, but it is improving. Major insurers for this coverage include Chartis, Chubb and various underwriters at Lloyd’s of London.

WikiLeaks scandal recharges debate over EMR and protecting healthcare secrets

December 13, 2010 1 comment

The issue of data security has become a hot topic in nearly every media and news outlet with the international embarrassment and diplomacy crisis brought on by WikiLeaks. As the media advocate for open secrets, the concerns over privacy and electronic data security have again become a high priority.  Nowhere is this generating more interest and concern than within the healthcare field.

“The embarrassing leak of a quarter-million State Department documents by WikiLeaks has recharged the debate over electronic medical records, raising concern that the government may not be capable of safeguarding Americans’ most intimate healthcare secrets when their records go digital,” was reported on Fox News last week. Read more…

Facebook privacy breach reveals important risk management and insurance issues

October 18, 2010 Leave a comment

The lead story in the Wall Street Journal today reports Facebook in Privacy Breach. The article describes how several of the applications available on Facebook transmit identifying information to Internet tracking and advertising companies. The breach affects millions of users. An especially resonant sentence in the article notes that “The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.”

A casual reader of the article might understandably think that the Facebook breach has little relevance to the risks that most companies confront in the collection and handling of confidential information. While it is true that most don’t have 500 million customers or embed third-party applications in their websites, several important aspects of Facebook’s seemingly sui generis situation can have analogues for almost all companies.

Some important questions raised by the Facebook matter could also arise for any other company that collects confidential personal information. Read more…

To notify, or not to notify – and would it be covered? Insurance coverage highlights from the South Shore Hospital privacy breach

Back in July, the South Shore Hospital announced that computer files containing personally identifiable information had been lost. The lost files were stored on back-up computer tapes that had been sent to a service provider for destruction, but the tapes never reached their destination. The hospital disclosed the loss of the data, notified federal and state authorities, and engaged forensic specialists to investigate the breach and assess the likelihood that confidential personal information was actually compromised.

The notification process and what they legally concluded is the subject of a new WGA White Paper in which we examine whether or not this would be covered by insurance. In the paper we examine the trigger for insurance coverage under privacy insurance policies and the nuance of this rapidly developing, but still very new area of insurance. Read more…

Tracking mobile cookies is now attracting lawsuits

September 21, 2010 Leave a comment

Earlier this week, the Wall Street Journal reported on a rash of new litigation filed in the U.S. District Court for the Central District of California against “cookies”, the ubiquitous markers of our electronic activity. The lawsuits claim that, despite earlier rulings that allow internet sites to place these small text files on users’ computers, newer versions of this technology result in online tracking that violates privacy and data security standards. The lawsuits, which seek class action status, accuse companies of violations of the Computer Fraud and Abuse Act and similar laws. The suits name Cable News Network (CNN), Travel Channel and other large media organizations as defendants. Read more…

Patient records discovered at dump – perfect example of hospital privacy dilemma

On August 13, 2010, the front page of The Boston Globe reported that four Massachusetts hospitals are investigating how the unshredded health records of thousands of patients ended up at a public dump. At least some of the records contain sensitive medical information and Social Security numbers. The situation highlights the difficulties that organizations – and healthcare organizations in particular – face in protecting confidential patient or other personal information when many different people have access to such information in the normal performance of their duties. Read more…

MA town mistakenly emails personally identifiable information

On August 4, 2010, it was reported that officials in the town of Hingham, Massachusetts would be notifying approximately 1,300 individuals whose names and Social Security Numbers were mistakenly sent to about 30 town officials. Hingham officials indicated that they were notifying the state attorney general’s office and the Office of Consumer Affairs and Business Regulation of the breach in accordance with Massachusetts law.

A town official had emailed a document containing the personally identifiable information to about 30 department heads. When the official was notified that the document contained confidential personal information, he recalled the email, which had been sent to accounts maintained on the town’s protected server. The official said that about half of the emails had been successfully retrieved and destroyed before the recipients had opened them and seen the personal information. Read more…
