

Number of slides: 46

Healthcare Information Data Security and Privacy
Trevor Weyland, Senior Vice President, Marsh FINPRO Healthcare Practice
Marsh—Leadership, Knowledge, Solutions…Worldwide.

The Data Threat Is Not Going Away
Privacy, computer and network security are not just internet issues. Any entity that transacts business using:
– a computer network; or
– confidential information
is at risk.
“Essentially, data loss is no longer a question of what if? The only question is when?”
Managing the Data Loss Crisis, by David Bartlett and Larry Smith, Risk Management Magazine, June 2008

Key Data
Healthcare information
Credit card information
Personally identifiable information
Corporate information of others
Own data

Plaintiffs
Individuals
Government
Affected businesses
Class actions alleging:
– Failure to protect patient information/data
– Failure to make correct and timely notification

The Costs
Investigate the breach
Crisis management
Determine statutory obligations
Provide written notification
Offer complimentary credit monitoring
Provide identity theft relief services
Regulatory actions and scrutiny
Costs to re-create data
Legal liability to others

This is the reality…

Healthcare Information Data Security and Privacy
Threat Environment
Legal Framework
Risk Management
Insurance Solutions
Marsh Approach

Threat Environment
Social Media/Networking
Technology:
– Hackers, viruses, etc.
Internal:
– Structural vulnerability
– Rogue employees
– Careless staff
Old school:
– Laptop theft
External:
– Dumpster diving
– Organized crime:
ú Foreign
ú Domestic
– Hackers
– Phishing
Regulatory

Data Loss by Type 2009: How Data Is Lost
– Theft 24%
– Hack 15%
– Fraud/Social Engineering 12%
– Improper Disposal 11%
– Web Exposure 9%
– Lost 9%
– Unknown 6%
– Email 5%
– Snail Mail 5%
– Virus 3%
Source: http://datalossdb.org/

SURVEY: Security at Work*
22. Does your employer have a formal policy for you to use the Internet at work?
– Yes 38%, No 19%, Not sure 44%
23. Have you had any training on how to keep your computer safe and secure?
– Yes 43%, No 55%, Not sure 3%
24. Do you ever bring your work laptop home and connect to your home network?
– Yes 24%, No 75%, Not sure 2%
25. Does your employer allow access from your home computer to the company systems, files or other types of data normally available to you at the office?
– Yes 29%, No 28%, Not sure 43%
*2010 Online Safety Study by National Cyber Security Alliance, Norton by Symantec & Zogby International (Oct 2010)

What is your breach universe?
What do you think the most likely cause of an event is?
– Hacking, extortion, policies & procedures, theft, internal fraud, disgruntled employee
Multiple locations:
– Admissions/scheduling
– Physicians, nurses, physician assistants
– Clinicians
– Pharmacists
– Health insurance providers
The data breach threat greatly increases due to the exchange: the entire health information exchange

Additional healthcare risk!
Third party due diligence is spotty
• 50% don’t require proof that third parties run background checks on employees
• 40% do not require proof that they conduct employee training
Trust more, expect more
• Healthcare organizations that have breached patient data have a 6% average churn rate, compared to retail’s average of 2%
Security system work-arounds
• When asked what was most likely to put patient info at risk, lack of attention to security policy by staff was most frequently cited (31%)
Source: 2010 Study with HIMSS Analytics

2010 U.S. Cost of a Data Breach Study
Ponemon Institute, sponsored by Symantec (3/8/2011)
• Data breach costs have continued to rise. The average organizational cost of a data breach increased to $7.2 million, up from $6.8 million in 2009. Data breaches in 2010 cost companies an average of $214 per compromised record, up $10 (5%).
• Malicious or criminal attacks are the most expensive and are on the rise. In this year’s study, 31% of all cases involved a malicious or criminal act, up 7% from 2009, and averaged $318 per record, up 43% from 2009.
• Negligence remains the most common threat. The number of breaches caused by negligence edged up one point to 41%.
• Companies are more vigilant about preventing system failures. System failure dropped nine points to 27% in 2010.

Which Laws and Rules Apply?
Federal:
– Financial data (Gramm-Leach-Bliley Act)
– Website data and “red flag” rules (FTC)
– Government data (Privacy Act)
– Children’s information (COPPA)
– Education information (FERPA)
– Medical information (HIPAA)
– Health Information Technology for Economic and Clinical Health Act (HITECH)
ú Increase in enforcement
ú Extended HIPAA obligations to Business Associates
ú Breach Notification Rule

Which Laws and Rules Apply?
State Laws:
– HITECH Act lets state attorneys general enforce the health data protection provisions of HIPAA
– Security Breach Notification statutes: http://www.ncsl.org/Default.aspx?TabId=13489
– “Proscriptive” statutes requiring encryption or other methods to secure data (at least 6 states, including CA, CT, MA, NY, NJ, NV)
Contractual:
– Standard purchase orders
– Payment Card Industry Data Security Standards
– Business Associate Agreements under HIPAA
– Outsourced data
International Law:
– EU Data Protection Directive and EU member country privacy laws are more strict than the US with respect to private consumer information.

HITECH’s Impact on HIPAA: Increase in Enforcement
Civil monetary penalties range from $100 to $50,000 per violation, with annual caps ranging from $25,000 to $1,500,000 for violations of the same requirement
Criminal penalties vary from $50,000 and/or 1 year imprisonment to $250,000 and/or 10 years
HHS to conduct mandatory “periodic audits” to ensure compliance with the new provisions
State Attorneys General: action in U.S. District Court on behalf of residents of the state who have been threatened or adversely affected by a HIPAA violation
– May collect fines/penalties as damages, as well as costs and attorneys’ fees
Whistleblowers coming soon
Breach Notification rules establish affirmative reporting duties and make penalties easier to assess

HITECH’s Impact on HIPAA: Extension of HIPAA to Business Associates
Prior to HITECH’s enactment, Business Associates (i.e., many vendors and independent contractors of health providers and health plans) were not directly liable for violations of the HIPAA Privacy and Security Rules. HITECH has extended the obligation to comply with the HIPAA Security Rule and much of the HIPAA Privacy Rule directly to Business Associates.

HITECH’s Impact on HIPAA: Breach Notification Rule
Incident must be a HIPAA violation
– Unauthorized use, access, or disclosure of PHI
“Poses a significant risk of financial, reputational, or other harm to the individual”
– Must perform a “facts and circumstances” risk assessment for each breach
PHI involved must be “unsecured”
– Information that is either not encrypted or not destroyed. All PHI in paper form is “unsecured”.
Not subject to an exception for inadvertent, harmless mistakes
– Unintentional access by an employee made in good faith, within scope of authority, and with no further impermissible use or disclosure
– Inadvertent disclosure between persons authorized to access PHI, so long as there is no further impermissible use or disclosure
– Disclosure to an unauthorized person, if there is a good faith belief that the person would not be able to retain the information

HITECH’s Impact on HIPAA: Breach Notification Rule
Notification must be made “without unreasonable delay” but no later than 60 calendar days after discovery
Notification to some or all of the following:
1. Individual whose PHI was the subject of the breach
ú when, what, efforts to investigate, steps to mitigate, contact for additional information
ú Company’s website if outdated contact info for 10+ individuals
2. HHS: http://transparency.cit.nih.gov/breach/index.cfm
ú immediately if 500+ individuals
ú log and report annually for < 500 people
3. Prominent media outlets
ú if breach involves 500 individuals who are residents of one state or jurisdiction

Attorney General and OCR Enforcement
January 13, 2010: State Attorney General filed suit against a managed care organization, which lost a portable external hard drive containing 7 years of data for 446,000 state residents.
– Demanded identity theft insurance, reimbursement for credit freezes, and credit monitoring for 2 years
– Sought $5,000 per violation, court costs and attorney fees
– On July 6, 2010, the entity agreed to pay $250,000 to resolve alleged violations. The amount would increase to $500,000 if it is later determined that data was misused and 250 or more individuals file claims of identity theft.
– “Corrective Action Plan” in which the entity is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.

Attorney General and OCR Enforcement
July 2010: National pharmacy agrees to pay OCR $1 million to settle a complaint involving improper disposal of prescriptions and pill bottles.
– Also agreed to a 3 year corrective action plan
– Signed a consent order with the FTC which will be in place for 20 years. The order requires external, independent assessments of its stores’ compliance.

Fines & Penalties
California Department of Public Health (“CDPH”): AB 211 & SB 541
– Community Hospital of San Bernardino, San Bernardino County: The hospital was assessed a $250,000 fine after the facility failed to prevent unauthorized access of 204 patients’ medical information by one employee.
– Rideout Memorial Hospital, Marysville, Yuba County: The hospital was assessed a $100,000 fine after the facility failed to prevent unauthorized access of 33 patients’ medical information by 17 employees.
– Enloe Medical Center, Chico, Butte County: The hospital was assessed a $130,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by seven employees.

Breach Example
July 17, 2010, Hospital: 800,000 records containing sensitive personal, health, and financial information were compromised when the hospital’s data management company lost backup tapes containing copies of the hospital’s most sensitive databases created between 2006 and early 2010. The files were slated for destruction prior to the loss. They contained the mother lode for potential identity thieves: names, addresses, phone numbers, dates of birth, Social Security numbers, patient health information, and even bank account data.

Marsh Data Breach Modeling

Information Risk is a Board Issue
Costs can be substantial
Reputational damage
D&O suits:
– Negligence
– Lack of oversight
– Should have known that data is valuable/costly
– Failure to buy appropriate insurance
The mega incidents:
– Sony
– Epsilon
– T J Maxx
– Heartland Payment Systems
– US Veterans Affairs

Information Risk is Cross-Functional…
What types of data are stored in the network?
Has a separate committee of directors been established to independently deal with security and privacy issues, and does it meet with IT on a regular basis?
Vendors: insurance requirements, indemnification obligations and limitations of liability.
Is there an internal Risk team (distinct from the audit team) that conducts a technology audit every quarter that includes security control testing?
Are significant deficiencies on the technology audit communicated to the Board, and is an appropriate budget allocated to mitigate risk based on severity?
Do you have an incident response plan or business continuity plan that includes data breach events?
Is the information security plan cross-functional? (e.g. Legal, Risk Management, Finance, IT, etc.)

Breach Crisis Management
Validate what data was lost
Retain outside counsel who specializes in Privacy Law and Breach Crisis Management
Notify:
– Correctly vs. quickly
– Defuse anger and emotion among constituents
– Provide remedy with notification
– Identify an accurate breach universe to minimize public exposure to the event
Leverage an outside call center
Retain a reputational risk advisor who specializes in breach crisis management
Investigate:
– Have outside counsel retain any data forensics investigation
– Potentially minimize public exposure to the event

Prevention Plans - Technological
Use laptop encryption and auto-lockouts.
Password-protect all access points to patient information.
Encrypt patient information when it is stored.
Encrypt patient information before transmitting the information.
Use anti-virus software that prevents spyware.

Prevention Plans - Policies
Conduct background checks on employees with access.
Train employees with regard to policy.
Have employees sign acknowledgment of training and review them for compliance.
Create a system for receiving information about deficiencies or breaches in security.
Ensure proper disposal of old records and equipment.
Choose an outside audit of programs and compliance.
Designate a responsible person.

Prevention Plans - Third Parties
Impose contractual obligations on all third parties that have access to information.
Request the third party’s security policies and procedures.
Ask for any independent certification of the third party’s security practices.
Request indemnification for breaches.

Sample Tech Vendor insurance requirement language
Professional Liability Insurance with an aggregate limit of liability not less than XXX Million Dollars ($XX,000). Such insurance shall cover any and all errors, omissions or negligent acts in the delivery of PRODUCTS, SERVICES and/or LICENSED PROGRAMS under this AGREEMENT. Such errors and omissions insurance shall include coverage for claims and losses with respect to network risks (such as data breaches, unauthorized access/use, ID theft, invasion of privacy, damage/loss/theft of data, degradation, downtime, etc.) and intellectual property infringement, such as copyrights, trademarks, service marks and trade dress. The Professional Liability Insurance retroactive coverage date shall be no later than the EFFECTIVE DATE of this agreement. SUPPLIER shall maintain an extended reporting period providing that claims first made and reported to the insurance company within two (2) years after termination of the AGREEMENT will be deemed to have been made during the policy period.

What Are the Gaps in Traditional Policies?
Errors and Omissions
Commercial General Liability (CGL)
Property
Crime
Kidnap & Ransom

Cyber Coverage: A Brief History
2000 | 2011
Limited marketplace | Over 10 primary carriers
Stand alone option only | Ability to integrate with E&O
Painful underwriting | Streamlined
No coverage for internal acts | Contemplates all acts
Tied to a failure of your network security | Failure to safeguard information
Third party coverage trigger was a lawsuit | Loss of information is trigger

Cyber Coverage: A Brief History
2000 | 2011
No coverage for acts of vendors | Coverage extends to information holders
No coverage for statutory and loss mitigation coverage | Covered
No coverage for regulatory fines & penalties | Covered
No loss control services | Provided
Business interruption coverage trigger is a failure of network security | Coverage can extend to system failure

Which Costs does Security/Privacy Insurance Address?
Legal liability to others for computer security breaches
Legal liability to others for privacy breaches
Breach response costs
Regulatory actions
Loss or damage to own data / information
Loss of revenue due to a computer attack
Cyber-extortion
Cyber-terrorism

Actual Paid Claims
Wrongful disclosure of information by an employee of a credit union who sold information to outsiders.
ú Amount paid by insurer for liability claim and first party loss: $1,800,000.
Third party computer hacker stole credit card information.
ú Amount paid by insurer for liability claim: $5,000. (Note that this was the primary policy limit. The claim eroded excess limits as well.)
Third party computer hacker stole passwords by electronic means and used those passwords to gain access to personal information.
ú Amount paid by insurer for liability claim (class action): $8,000+.
Employee sold customer data to others.
ú Amount paid by insurer for liability claim: $9.1 M.
Employee stole and sold information to an identity theft ring.
ú Amount paid by insurer for notice and liability claim: $2.6 M.
Source: Chartis

Actual Paid Claims
Rogue employee at a medical provider stole and sold over 40,000 patient records containing Personally Identifiable Information.
ú Amount paid by insurer for notification costs: $675,000.
Insured lost tapes containing medical insurance information and SSNs.
ú Amount paid by insurer for call center services and credit monitoring costs: $400,000 + other pending costs.
Rogue employee stole and sold customer data of over 3,000 customers to others.
ú Amount paid by insurer for liability claim and notification / credit monitoring: $7.1 M.
Hotel network was hacked, gaining access to personally identifiable information.
ú Amount paid by insurer for notification costs, forensic investigation, crisis management, and credit monitoring: $420,000 + other pending costs.
Insured accidentally published non-public student information on their website.
ú Amount paid by insurer for notification and credit monitoring costs: $100,000+.
Source: Chartis

Typical Exclusions
Violations of certain types of intellectual property rights
Violation of anti-spam, blast-fax, collection practices and similar laws
Misappropriation of trade secrets by or with the active assistance of current or former senior employees
Infrastructure failure, unless caused by the negligence of the insured
Inability to use, performance, development, expiration, or withdrawal of support of certain technology products or software

Breach Notification Costs
Traditional:
– Sublimits
– Freedom to use vendors
Breach Response (Beazley and Chartis):
– Number of affected individuals
– Must use insurer’s panel of vendors for:
ú Forensic and investigation services
ú Legal advice
ú Notification
ú Credit monitoring
ú Call center services

Benchmarking: Limits and Retention
Program | Limit | Retention
Smallest | $1,000 | $50,000
Mean | $5,750,000 | $325,000
Median | $5,000 | $250,000
Largest | $15,000 | $1,000
Peer Group: 58 hospitals with revenues of greater than $500 M in annual revenue

Underwriting Process for E-Business Insurance
Quote process:
– Application
– Security self-assessment: ISO 27001/2
Approach to underwriting is different by insurer
Principal primary markets include:
– ACE
– CNA
– Catlin
– Philadelphia
– AXIS
– Chubb
– Allied World
– Travelers
– Beazley
– Hiscox
– Hartford
– Chartis
– KILN
– Zurich
Market capacity: over $400 million

Marsh Privacy Solution: Assessment
Placement of coverage is the last step in the process
Insurance is never a valid alternative to good risk management
Similarly, relying upon technology as some mythical “silver bullet” that will defend against all risks is to turn a blind eye to major risks facing every commercial entity
– Privacy and information security assessment
– Risk mapping
– Benchmarking
– Modeling
– Coverage gap analysis

The Data Threat Is Not Going Away
Risk management is at the heart of a cross-functional response
Get the Board engaged
Check/establish the breach response plan
Call on Legal, IT and HR
Review existing coverages and consider specific insurance
Questions?

Thank you
Trevor Weyland
Senior Vice President
Marsh FINPRO – Healthcare Practice
trevor.weyland@marsh.com
213 346 5855

Marsh’s Network, Cyber, Information Security, and Privacy Risk Group
Recognized experts with deep technical skills:
– Insurance industry thought leaders on cyber and privacy risk, having drafted and/or consulted in the creation of all forms in the marketplace
– Over two dozen professionals globally with experience in privacy and cyber risk
– Combined team experience in addition to several decades of broking experience: two decades of law firm practice, nearly 50 years of underwriting
Industry and product specialization:
– Marsh’s FINPRO team works with the industry practices to stay abreast of the unique concerns of specific industries
– Marsh has led the market in placement of complex privacy and cyber coverage for Communications, Media, Technology, Internet, Financial Institution, Higher Education, Retail, and Health Care industry clients
Strategic and transactional capabilities:
– Access to domestic and foreign insurers as well as specialty excess markets
– Coverage prioritization for all major insurers’ policies
– Deep bench strength in handling of accounts with brokers who have been placing these lines of coverage
– Risk profiling and information assessment tools and services
– Coverage gap analysis
– Benchmarking tools that are adapted to size, industry, and nature of the risk / client
Leading market relationships:
– Marsh’s practice leaders previously held management roles at most of the major insurers
– Marsh places more cyber and privacy with more markets than any other broker

Legal Disclaimer
This information is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Statements concerning tax, accounting and/or legal matters are general observations based solely on our experience as insurance brokers and risk consultants and should not be relied on as legal, tax or accounting advice. You should contact your legal, accounting, tax and other advisors regarding specific coverage and other issues. The information contained in this publication is based on sources we believe reliable but we make no representation or warranty as to its accuracy. All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Marsh makes no representations or warranties, expressed or implied, concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. The hypothetical case studies contained herein are for illustrative purposes only and should not be relied upon as governing any specific facts or circumstances. All policy terms, conditions, limits, and exclusions are subject to individual underwriting review and are subject to change. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. The hypothetical claims scenarios contained herein are for illustrative purposes only and should not be relied upon as governing any specific facts or circumstances. Actual claims are governed by the specific policy terms, conditions, limits, and exclusions and are subject to individual claims review by applicable insurer representatives.
This document or any portion of the information it contains may not be copied or reproduced in any form without the permission of Marsh Inc., except that clients of any of the companies of Marsh & McLennan Companies need not obtain such permission when using this report for their internal purposes so long as this page is included with all such copies or reproductions. Marsh is part of the family of Marsh & McLennan Companies, including Guy Carpenter, Mercer, and the Oliver Wyman Group (including Lippincott and NERA Economic Consulting). Copyright 2011 Marsh Inc. All rights reserved.