Carriers Are Only as Secure as Their Weakest Link
What do you really know about the strengths and weakness of the cybersecurity measures taken by the subrogation counsel and recovery vendors you engage to assist with subrogation recoveries? This past April, Yahoo entered into a $117.5 million settlement in a proposed class action suit in San Jose, California, arising out of two major data breaches which occurred in 2016. Wendy’s similarly settled a claim in 2018, and on July 22, 2019, Equifax agreed to pay $425 million to those affected by a data breach which victimized the consumer credit reporting agency.
Cyber attackers have actively begun turning their sights on insurance companies and law firms. Trial lawyers go where the money is. Federal and state regulators are increasingly bringing enforcement actions against companies that suffer data breaches. Under the Federal Trade Commission Act, the FTC has asserted broad authority to initiate enforcement actions based on a company’s alleged failure to safeguard personal information and related deceptive practices. They are aggressively pursuing legal actions against companies and financial institutions that have violated consumers’ privacy rights, misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury. It is the sign of our times and there will be a price to pay for insurance companies who are not paying attention.
There was a time when insurance companies, third-party adjusting companies, and subrogation vendors all chose subrogation counsel solely based on their expertise and the subrogation results they could produce. Some choose the lowest bidder. Oh, how times have changed. Data breaches and privacy issues can lead to unplanned expenses, business disruptions, as well as regulatory enforcement actions, and even lawsuits. When one deals in medical and health information, safeguarding protected health information (PHI) and maintaining a high level of cybersecurity has climbed to the top of the list of concerns when choosing outside counsel.
Today’s digital and tech-controlled world is expanding at the speed of light and the issues of privacy, HIPAA compliance, and data security are rife with legal implications for the unwary insurance company or third-party adjusting firm. Companies have a legal duty to rise to meet the many challenges posed by a demanding modern digital marketplace, including protecting personal information, securing proprietary data, stopping cyberattacks, and managing electronic files. But they also have a practical obligation to do so; protecting themselves in the event of a breach. Even the most sophisticated insurance company spending hundreds of thousands of dollars on cybersecurity are only as secure as the weakest subrogation vendor or law firm they utilize. Today, it is as important to ascertain that a subrogation law firm is as secure and compliant as it is successful.
The business of law has learned a lesson from the rest of the business world: if you want to increase profits, keep overhead low. Over the years, the number of eager, young lawyers who have hung a shingle outside of their living room or cut corners in order to gain an edge and offer subrogation clients the lowest possible fee, present those same clients with a mounting risk that no client should ignore. The mere occurrence of a data breach can do significant damage to an insurance company’s or subrogation vendor’s reputation. Those who do not take adequate measures to ensure that data breaches involving medical records and other confidential information are not only gambling in the truest sense of the word, but their brand and their reputation hang in the balance.
Lawyers who use Microsoft Outlook as their case management software and who have not scored themselves and utilized third-party IT vendors to evaluate and secure their networks and systems expose their clients to unreasonable risks of breaches and other liability. They have a legal duty to minimize these risks and such duties are not only prudent in order to protect clients, but they are demanded ethically.
The recent trend is for cyberattack to target municipalities and law firms, but insurance companies are quickly becoming viewed as easy targets as well. Data breaches and cyber threats involving or targeting lawyers and law firms are becoming commonplace, and many law firms will simply pay ransom to get their business back up and running, encouraging even more attacks. But this doesn’t solve the breach. Law firms have an ethical duty and a major professional responsibility as custodians of highly sensitive information. Law firms are inviting targets for hackers. In one highly publicized incident, hackers infiltrated the computer networks at some of the country’s most well-known law firms, likely looking for confidential information to exploit through insider trading schemes. Nicole Hong & Robin Sidel, Hackers Breach Law Firms, Including Cravath and Weil Gotshal, WALL ST. J. (Mar. 29, 2016). The data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be. Formal Opinion 477R, ABA explains a lawyer’s ethical responsibility to use reasonable efforts when communicating client confidential information and PHI using the Internet. Sadly, even compliance with statutes such as state breach notification laws, HIPAA, or the Gramm-Leach-Bliley Act does not necessarily achieve compliance with lawyer ethics obligations.
Lawyers have an ethical obligation to use technology competently to safeguard confidential information against unauthorized access or loss, and to supervise and train lawyers and staff. Attorneys must employ reasonable efforts to score, monitor, and ensure that the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data are secure. It is vitally important that insurance companies ask the question that they dread asking and many law firms dread answering: “Is our data secure?”
At Matthiesen, Wickert & Lehrer, S.C. (MWL), we conduct constant cybersecurity training, test our employees, employ data security counseling (in-house and outside), and conduct regular data security audits. Each year, MWL utilizes a third-party IT company to evaluate our software and network to ensure we are not vulnerable to a data breach. We scored well last year, because of the steps we take to safeguard our system. Insurance companies must ask for the score results for their outside subrogation law firm vendors. Cheaper is not always better; and it is rarely secure.
Over the last several years, MWL has taken dramatic steps to increase and maintain cybersecurity. We conducted a time-consuming and expensive multi-phase security upgrade process, and our security posture is very good. Our network is protected by industry-standard firewalls to provide segmentation of public and private traffic. Traffic processed through the firewall is then managed by deep-packet inspection firewalls safeguarding internal systems. All logical access is managed centrally by local LDAP-based directory systems. Our management staff oversees network user configuration, user authorization, and user termination. Our Intrusion Detection System is built into the firewall and monitored accordingly. Cybersecurity specialists are brought in from our IT Provider. They follow our incident response plan and escalate in communication with network engineers and our internal management. The IT Provider performs phishing simulations, network audits, and risk assessments regularly. Our IT Provider has a cybersecurity specialist with SANS certifications who advises us on our software and network. Additionally, our IT Provider brought in a HIPAA compliance professional to work with us to ensure all HIPAA rules that pertain to our line of business are being followed. All staff are required to take HIPAA security training annually to protect ePHI and PII. This training is about ninety minutes on average, and they must score 80% or higher on an extensive test. As part of the test, a person posing as a vendor walked into the employee entrance and began making his way back to our secure server room. If he had been able to get in without being stopped, it would have reflected poorly on our scores. If your current subrogation law firm or vendor is not doing the same; you and your insured’s data, sensitive medical information and PHI is not secure.
As an insurance company with petabytes of sensitive data entrusted to you, due diligence and prudent risk management present ten questions you should ask your subrogation vendors and insist on complete and verified answers:
- How do you approach Cybersecurity Risk Management throughout your organization?
There are a lot of security policies, tools, and procedures that a company can implement. Every breach that has made the news recently involved companies who had security initiatives in place. Unfortunately, they were securing the wrong concerns. A robust risk management program must be driven from the executive level and require that risks are identified, safeguards are evaluated, and solutions are put in place to mitigate these risks. Everything starts here. The answer to this question should include a list of identified risks and key initiatives specifically designed to protect your data.
- What Cybersecurity Framework are you using to evaluate your organization?
Several frameworks provide listings of critical cybersecurity controls. Some frameworks focus on specific areas like financial data (PCI-DSS), some are designed for international work (ISO27001), and others can be customized (NIST CSF). A framework is essential to gauge how aligned an organization’s practices are with current best-practices. If there is a deviation from these frameworks, the law firm should be able to explain how their risk management approach has exempted them from that control.
The NIST Cybersecurity Framework (CSF) is recommended because it provides outcomes, maturity levels, and alignment with business and risk objectives.
- What access do you have to cybersecurity expertise and is cybersecurity given regular attention during board meetings?
The threat landscape is a moving target, always changing. Unfortunately, many firms approach cybersecurity as a one-and-done exercise. If your firm takes cybersecurity seriously, they will have regular access to qualified cybersecurity consultants who provide them with audits, penetration tests, training, and current climate updates. Does your legal team take cyber awareness seriously?
- Do you provide specialized cybersecurity training for your staff with a focus on protecting sensitive or regulated data and incorporating continuous reinforcement?
Many companies are purchasing simple online security training. These programs often include an annual review and take less than an hour. But if these programs are going to transform the culture of the company, then you want to make sure they have these features. Training should include specialized sessions about protecting PHI data. We have all been to a seminar only to forget most of it within a week. You can evaluate a company’s concern for cybersecurity by their commitment to reinforcement training throughout the year. Ask for specifics.
- Do you have adequate anti-exploit protection in place for all endpoints?
Every computer that connects to your network is a threat portal. If a user browses to a malicious website, clicks on a phishing email, or inserts a compromised flash-drive, you can assume their computer is now compromised. And now an attacker can use this computer to steal credentials, phish other employees, and capture network data. It is essential that every device has filtering that recognizes known threats and malicious behaviors. The anti-malware protection installed can be evaluated based on 1) how thoroughly it scans the system, 2) how quickly it can react to a perceived threat, and 3) the ability to restore the system to a known good state.
- Is your network protected with content filtering, URL filtering, and a properly configured firewall with regular review?
While it is important to protect every computer, the rest of the network infrastructure must not be neglected. Like the walls of a castle, protecting the flow of traffic across the network helps in detecting intrusions, and provides another defense layer. All traffic entering and leaving the firewall should have the URL and content reviewed to identify malicious activity. A firewall should drop all traffic coming from the outside unless first initiated from authorized internal traffic or with a thoroughly vetted exception plan.
- Is your staff required to use end-to-end encryption when working remotely?
Legal staff will have a need to access sensitive data while in a courtroom, during interviews, or carrying out other activities that take them off-site. They will need to work through a network that is not managed by their cybersecurity team. Do they have a policy and plan that requires the encryption of data from the law firm’s system, across any other networks, onto the legal staff’s computer and back?
- What is your process for monitoring the reception, storage, and destruction of sensitive data?
Data that is unmanaged is data that will be compromised. There should be safe mechanisms in place to receive, store, and adequately destroy any sensitive data collected before, during, and after a legal proceeding. Data access should be logged and monitored.
- Do you have controls, encryption policies, and tracking for all removable media?
The standard policy should be to require data only to be stored in safe data storage within the company’s protected network. If an exception is needed, it should be explained, monitored, and encrypted throughout the process. Finally, there must be a safe way of destroying the data once it is returned.
- Have you performed a gap-analysis on your cybersecurity insurance?
During a breach response, cybersecurity insurance should provide funds to cover forensic analysis, recovery, and even litigation. But cybersecurity insurance is still growing up in the industry, and policies have not fully settled on coverage amounts or exclusions. As litigations are processed, it is becoming clear that many companies have gaps in their ability to draw upon funds when they are most needed. It is crucial that the company you are relying upon to protect your data has the means in place if required.
If you do not get satisfactory answers to these questions, you are at risk. Effectively combatting and safeguarding against data breaches and cybersecurity disasters is time-consuming and expensive, but it is the world we now live in. If your subrogation vendor or law firm is not willing or able to adequately answer the above questions, you should find one who is. Not only do slightly lower contingency fees not result in larger net subrogation recoveries (in fact, it is just the opposite), but even if they did, they would not be worth the risk of a major data breach that could damage your company’s reputation and hard-earned brand permanently.
MWL has all of the necessary security tools in place to protect the network, endpoints, and email. We can answer the above ten questions and your subrogation vendors should be able to also. These protections include signature-based malware detection, protection and removal, firewall with no open ports, VPN with aggressive pre-shared keys, host-based internet filtering, spam filters and RMM evaluated and automated patching of endpoints and servers. MWL is not cloud based. MWL utilizes internal servers for storing, accessing, processing and transmitting information. We utilize a secure and isolated colocation center for disaster recovery and business continuity. Cybersecurity at MWL is ongoing, proactive, and approved by management. Awareness and training are extensive and regular. MWL would be happy to provide security policies or an executive summary of our latest Cybersecurity Review, Network Penetration Test and Website Application Vulnerability Report.
We urge you to provide a copy of this article to your current subrogation vendor and ask them to answer the above questions, provide their latest scores, and provide a summary of the hardware, software, and procedures they have in place to protect and safeguard you. You should settle for nothing less.
No matter how hard they try and how much money they spend, insurance companies are only as secure as their weakest link: and that weak link is often their subrogation counsel.