Ullico | Data Breaches
Ullico Bulletin

Protect Your Organization (and Yourself) From Data Breaches

By Justin Patten, Director of Underwriting


Data breaches are incidents in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. This data includes:

Personal Identifiable Information (PII)

  • Social Security Numbers
  • Dates of Birth
  • Addresses
  • Bank Account Information
  • Health Care Information

Other information that can be breached:

  • Credit/Debit Card Numbers
  • Emails, Password, and User Names

More and more high-profile data breaches are making the news, including stolen personal information from pension funds and union members.

In our industry, we have seen these recent claims:

  • Ransomware – a hacker steals a union's IP address and demands payment for retrieval
  • Physical Theft – a robber steals a trustee's laptop from his car while he's dining in a restaurant
  • Phishing – after a fund administrator clicks a link on a fraudulent email, a health & welfare fund experiences unauthorized access to its computer system that results in the acquisition of personal health information belonging to participants and their dependents
  • Wire Transfer Email Fraud – an administrative assistant responds to a fake invoice that appears to come from his superior at the union

Trustees aren't always protected, even when funds employ a top notch third party administrator ("TPA"). The Department of Labor's Advisory Council on Employee Welfare and Pension Benefit Plans says that TPAs do "not have a comprehensive and consistent regulatory framework to guide their data security programs." Even with a framework in place, TPAs' cyber policies oftentimes do not extend to their clients' exposures, as trustees may think. We have even seen administrator service agreements that pass liability on to funds in these instances. At the end of the day, unions and benefit funds want to protect their members and participants as completely as possible.

By taking the right precautions, you can manage risks and make sure you're protected from liability when a breach occurs.

Consider these sobering statistics*:

  • The number of data breaches increased at least 40 percent in 2016. A majority of these breaches involved the exposure of Social Security numbers.
  • A third of these breaches were caused by human error. For example, a union accidentally printed social security numbers in the address labels of marketing brochures sent to members.

The Role of Cyber Insurance

Cyber insurance is an affordable risk management tool to protect entities from exposures due to data breaches and cybercrimes. Trustees sometimes assume they're already protected by their Fiduciary Liability or another type of insurance, but that's not always the case. Even if the state of domicile has more lenient cyber security laws, they might still have obligations to consider. For instance, if retirees move out of state, breached entities must comply with retirees' new resident states as well. Also, federal laws may apply, such as HIPAA and FERPA, depending on the type of compromised information.

Union leaders and trustees should also be concerned with damage to the organizations' reputations. If a breach occurs, the last thing they should have to worry about is finding partners to coordinate public relations efforts. Some cyber insurance providers can handle the logistics of notification through pre-negotiated partnerships with privacy counsel and incident response vendors. Should a breach occur, they'll work on your behalf to handle public relations. This ensures you get the most protection for your dollar and quick response time.

Some cyber insurance policies also include additional risk management tools, including telephone hotlines to report claims and credit monitoring services to help mitigate future liability after a breach occurs.

Are You Covered?

The right cyber insurance helps transfer risk while complementing other liability policies, but not all insurance contracts are the same. An insurance broker can help determine your risk exposure and what coverage you need. Common coverages include:

  • Privacy liability: Losses arising from failure to protect sensitive personal or health information in electronic or hard copy format
  • Breach notifications: Data breach counsel and a network of experts providing crisis management services including legal, computer forensics, regulatory and individual notification guidance, call center, credit monitoring and identity restoration services
  • Media liability: Coverage for claims related to multimedia activities such as defamation, libel, plagiarism, or copyright infringement
  • System damage and business interruption: Restore, re-collect, and replace data
  • Regulatory proceedings: Coverage for civil regulatory actions, expenses related to information requests, compensatory awards, and regulatory penalties and fines to the extent permitted by law
  • Threats and extortions: Monies paid by policyholder following threat
  • PCI fines: Fines and penalties from non-compliance with Payment Card Industry Data Security Standards

Information on cyber insurance from Ullico Casualty Group Inc. is available at: ullico.com/casualty

Brokers and representatives from unions, benefit funds, and joint apprenticeship training committees may submit a short form on the cyber page to obtain a no-cost indication for this valuable coverage.

Justin Patten

Justin Patten
Director of Underwriting
Ullico Casualty Group, LLC

Justin Patten manages a book of Professional Liability business and supervises a team of Underwriters. He also works on coverage language and oversees implementations of system modifications. Previously, Patten worked for Strayer University as a Specialist in the Student Financial Services department. Patten graduated from University of Maryland College Park with a Bachelor of Arts in Economics.

How to Lower the Risk of Cybertheft

  • Limit employee access to sensitive information
  • Require employees to separate business email from personal email
  • Conduct regular audits
  • Use antivirus software
  • Insert firewalls, pop up blockers
  • Uninstall any unnecessary software
  • Maintain backup information (run daily at a minimum)
  • Check security settings
  • Use secure connections
  • Use Encryption
  • Setup a multi-factor authentication for participants to access records
  • Require participants to create strong passwords and require they change it regularly

Tips for Individual Users

  • Don't use public wi-fi services, work computers, or public computers to check your accounts
  • Be cautious when using unfamiliar ATM machines and credit card scanners
  • Use caution before clicking on links or opening attachments
  • Do not reply to emails or inbound phone calls that ask for account or personal information
  • Monitor your account statement, checking balances, transaction activity – every month!
  • Create strong passwords, security questions and change your password frequently
  • Don't share passwords with anyone
  • Check your credit report regularly

*ITRC http://www.idtheftcenter.org/2016databreaches.html

Advisory Council on Employee Welfare and Pension Benefit Plans, "Cyber Security Considerations for Benefit Plans."

© 2021 Ullico

FaceBook Twitter LinkedIn YouTube Flickr

Site Map  |  Contact Us  |  Legal & Privacy
www.ullico.com    jrpwww.ullico.com    6759    This site is best viewed in Chrome, Firefox, Safari or IE11 (with Compatability Turned Off)