Dentists are at Risk – Cyber / Privacy

Thomas J. Sheehan Insurance recently presented to The Savannah Dental Society regarding Cyber and Privacy Liability. Here is a copy of the document used to guide the discussion. Dental Society Document

Here is a complete list of every question needed to provide you with a Cyber and Privacy Liability Quote:

  1. What is the gross revenue for your practice?
  2. Does your practice, or an outsourced firm, back up your data and systems at least once a week, and store these backups in an offsite location?
  3. Does your practice have antivirus and firewalls in place, and are these regularly updated (at least quarterly)?
  4. Are you aware of, or do you have grounds to suspect, any circumstances which might give rise to a claim?
  5. Within the last 5 years, has your company suffered any system intrusions, tampering, virus or malicious code attacks, loss of data, loss of portable media, hacking incidents, extortion attempts, or data theft, resulting in a claim in excess of $25,000 that would be covered by this insurance?
  6. Does your practice have dual control when transferring funds in excess of $25,000 to external parties?
  7. Does your practice provide training for staff members who transact funds in excess of $25,000 externally?
  8. Have there been any losses for a Cyber Deception Event in the past year in excess of $10,000?

Coverages that are available on Cyber and Privacy Liability policies include:

Privacy Liability:

Defense and indemnity from 3rd party claims

Regulatory:

Fines and penalties from state and federal agencies, including HIPAA.

Security Breach Response:

IT forensics, lawyers, notifications, PR firm, credit monitoring, call centers, etc. This is the coverage that notifies your clients of a breach, secures your network, and notifies the attorney general.

Security Liability:

Suits and costs that arise from the distribution of malicious code.

Media Liability:

This coverage applies to your website and print material: copyrighted material, libel, slander, and the case where someone hacks your site and adds malicious information.

Extortion:

This is for when a bad guy demands funds either to stop a disruption of your network or to refrain from causing one. Example #1 – your network is locked and they demand funds in exchange for the password to unlock it. Example #2 – the bad guy tells you they will launch a DDoS attack (distributed denial of service attack) if you do not pay in bitcoin. (A DDoS attack floods your network with traffic until it goes down.)

Business Interruption / Data Restoration:

Your network has been damaged and is down for an extended period of time. Business interruption coverage recoups the funds you would have earned during the time you were down. Data restoration coverage pays to restore data that was damaged or deleted during a breach.

PCI Assessments (Payment Card Industry):

PCI fines and assessments apply if your practice is not in compliance with the PCI rules for accepting cards, or if there is a breach of card information.

Cyber Deception:

Reimbursement for funds released on the basis of deceptive instructions, such as a wire transfer sent to a fraudulent bank account. Example – your bookkeeper receives an email that looks like it is coming from you. The email requests that an invoice be paid and provides a wire transfer number. Your bookkeeper releases the funds, and only afterwards is the email discovered to be fraudulent.