Printed from BusinessInsurance.com

Risk managers face tangled mass of cyber security laws

Posted On: Oct. 2, 2015 12:00 AM CST

SAN FRANCISCO — Risk managers face 47 state laws on breach notification, while federal efforts to address cyber risks remain at a rudimentary level, law enforcement struggles to address the issue, and regulators become more actively involved.

The FBI's M. K. Palmore, who is San Francisco-based assistant special agent in charge, said in a keynote address at Business Insurance's cyber summit on Monday, “I wish we had moved faster and identified more talent for the fight” against hackers, who are outpacing the law enforcement legal system. The FBI “could not possibly open each cyber-related crime brought to its attention,” he said.

“The government is simply not in position to prevent the high number of cyber intrusion events we see. In fact, the private sector sees more collectively than government entities can see on an annual basis,” Mr. Palmore said.

With “collaboration and effective cooperation we can begin to put a dent into this issue,” and allow us to “operate in a relatively secure environment,” he said.

“We're behind the eight ball on the problem, and we continue to move as fast as we can, but we have difficulties” addressing the problem, and this extends to Congress “creating laws to help protect us.” There has certainly been progress, “but we're not there yet,” said Mr. Palmore.

At the congressional level, “there does seem to be some movement toward getting some sort of legislation for data sharing,” said Mark Humphreys, vice president of litigation and risk management for Santa Monica, California-based real estate development and investment firm Watt Cos., who spoke during a session at the conference on the legislative and regulatory landscape.

With respect to developing a blueprint on the issue, though, the “conversation is ongoing, but I would say it's really at a rudimentary phase,” said Catherine A. Mulligan, senior vice president of the management solutions group for specialty products with Zurich North America.

“You've got to start someplace, I think,” said Eric C. Cernak, Hartford, Connecticut-based vice president of the strategic products division and U.S. cyber and privacy risk practice leader for Munich Reinsurance Co. “The challenge is, there's a perception the federal government doesn't have a great track record securing their own data.”

Ms. Mulligan also warned that she “would exercise caution about pushing legislation for the sake of legislation.” There “can be bad things that can result from a cyber event that the insurance industry is still trying” to resolve, and it is not clear “what sort of legislation the federal government might come up with to mandate that,” she said.

Mr. Cernak said there is also “a lot of uncertainty right now” with respect to cyber risks and the Terrorism Risk Insurance Act. The industry is “waiting for more clarity” on this issue, he said.

Meanwhile, at the state level, nine states revised their statutes with respect to data breaches last year, said John Farley, New York-based vice president and practice leader of cyber risk management services at Hub International Ltd. Keeping up with all this activity “is a very difficult task,” he said.

There may be more regulatory activity. Mr. Cernak pointed to the ruling earlier this year by the 3rd U.S. Circuit Court of Appeals in Philadelphia involving Parsippany, New Jersey-based hotel chain Wyndham Worldwide Corp., which “enforced the idea that the (Federal Trade Commission) has the authority now” to police the issue (http://www.businessinsurance.com/article/20150824/NEWS06/150829941). The appellate ruling upheld an April 2014 lower court ruling allowing the case to go forward without ruling on the merits.

We are also “now starting to see consumer groups advocating for the (Federal Communications Commission's) jurisdiction to become broader” in this area, said Melissa K. Ventrone, partner with law firm Wilson Elser Moskowitz Edelman & Dicker L.L.P. in Chicago. “They have the jurisdiction to impose fines,” she said, adding that the FCC has a Cybersecurity and Communications Reliability Division.