Does Your "Cyber" or "Data Breach" Insurance Cover What You Think It Does?

As companies struggle with the risks and exposures related to data breaches, insurance can be an important part of an overall risk management strategy – so long as it is the right insurance.

Insurance carriers are offering products that purport to address this type of risk. Such insurance can be particularly important to businesses, such as some HIPAA “business associates,” for which the handling of personal information or protected health information is their lifeblood. However, as ongoing litigation in a Utah federal district court makes clear, it is critical for businesses to be cautious and thorough when assessing insurance coverage, if only to avoid litigation about the scope of the coverage.

Court filings show that Perpetual Storage, a data storage company, had purchased certain insurance coverage through Colorado Casualty Insurance. One of Perpetual’s clients, University of Utah Hospitals and Clinics, stores significant amounts of its data with Perpetual, including personal information and protected health information. The University experienced a data breach on June 1, 2008, when storage disks were stolen from the car of a Perpetual employee who had picked up the disks from the University. The University claims the breach affected 1.7 million people. Claims expenses totaling approximately $3,354,753 were incurred in the course of responding to the breach. The specific costs alleged are $2,483,057 for credit monitoring expenses, $646,149 in printing and mailing costs, $81,389 in phone bank costs, and $144,158 in additional miscellaneous costs.

Naturally, the University is looking to Perpetual to reimburse it for these costs. In turn, Perpetual is looking to its insurance carrier, Colorado Casualty, to back it up. The insurer, however, has denied coverage. Colorado Casualty seems to be asserting that the claims do not constitute certain “bodily damages” or “property damages” as those terms are defined in the applicable policy. The insurer also claims that a number of policy exclusions support its decision to deny coverage.

At the same time, the University is seeking in its lawsuit to bring its insurance broker and adviser into the litigation, alleging they were "careless, negligent, and made various negligent misrepresentations about Perpetual's insurance coverage from Colorado Casualty."

A ruling in favor of Colorado Casualty likely would make it more difficult to seek reimbursement under commercial liability policies in connection with data breaches. Such a ruling also should be a wake-up call to businesses relying on their current commercial liability policies to deal with data breach issues.

The moral of the story for businesses: review your coverage with your insurance brokers or other insurance advisers to ensure appropriate coverage.

"Cyber-Insurance" - Pushing Businesses to Protect Against the Next Data Breach?

It’s been around for a while, but could new products in the “cyber-insurance” market help companies focus on this emerging threat known as “information risk”?

The National Journal reports that for many companies, online security is not a priority. Tom Risen’s article cites a Verizon study conducted between 2004 and 2008 that determined:

75 percent of breaches were not discovered by the victimized organization, and that 87 percent could have been prevented with reasonable online protection.

Mr. Risen reports that historically cyber-insurance covered “hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” However, with the explosion of data breaches over the last 10 years or so, new, broader policies have emerged, covering costs related to responding to a data breach, such as sending notices, providing credit monitoring services, engaging legal counsel, employing a call center, and defense of claims by affected individuals and federal and state officials. Some companies in this space include Beazley, Chartis, Travelers, Chubb and others.

It may be, as Robert Parisi of Marsh suggested to Mr. Risen, that federal legislation might encourage more awareness of these issues, something we raised as well. Certainly, we are beginning to see greater attention to these issues as businesses focus on the Massachusetts data security/identity theft regulations, which become effective March 1, 2010.

Whatever the driving force, businesses need to drill down on their data security needs and address their information risk. Preventive measures – in the form of a written information security program – are certainly necessary and appropriate. But they may not be enough. As anyone who drives knows, for example, it is not enough to drive carefully and wear a seat belt. Insurance can play a critical role in addressing risks that even the best safeguards can’t. For this reason, cyber-insurance should be considered as a part of any business’s comprehensive approach to information risk.