*This is the fifth post in a five-part series on cyber insurance, culminating in a webinar entitled “Insurance Coverage for Privacy and Data Breaches, Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern.*
A question we often hear from CEOs, CFOs, and Directors of businesses and of public and private institutions is “What terms and conditions should I consider when buying cyber insurance?” We have compiled a list of some of the most important ones. More nuanced industry- and organization-specific terms and conditions should be discussed with your broker and your insurance coverage attorney.
1. Crisis Services
Crisis services cover the costs of a computer forensic investigation to determine the cause and scope of a data breach, obtaining legal guidance, notifying affected individuals, providing them credit monitoring, and running media or public relations campaigns. According to Net Diligence’s 2014 Cyber Claims Study, almost half of the total amount insurers paid out for data breaches went to crisis management services. The Ponemon Institute’s 2014 Cost of Data Breach Study: United States also reported unusually high customer churn following news of a data breach. Your organization will want professional assistance to communicate to your customers, regulators, business partners, and vendors that you are taking appropriate and reasonable steps to protect your customers with respect to the data that was lost, and that you will take reasonable steps to safeguard your customers’ data going forward. Check whether the policy lets you choose the forensic firm and breach counsel or restricts you to the insurer’s panel, since the vendors you engage in the first days of an incident set the course of the response.
2. Regulatory Defense (including fines and penalties)
Regulatory agencies such as the Federal Trade Commission and the Department of Health & Human Services actively investigate data breaches within their jurisdiction. The HHS Office for Civil Rights publishes examples of the corrective actions, penalties, and fines it has imposed for HIPAA violations, including the $4.8 million in HIPAA settlements that followed the data breaches at New York-Presbyterian Hospital and Columbia University. This is especially important to keep in mind if your organization is a healthcare provider (a HIPAA covered entity) responsible for its patients’ information, or sponsors a self-funded health plan (a separate type of HIPAA covered entity), in which case your organization is ultimately responsible for the security of the plan participants’ data. Many policies carry a sublimit for regulatory defense. You may think you have a $10 million policy, only to find that regulatory defense is sublimited to $500,000, which may leave you woefully underinsured. Also confirm that fines and penalties themselves are covered, not only defense costs, and note that policies typically pay them only “where insurable by applicable law.” Net Diligence reported that the average healthcare sector payout in 2014 was $1.3 million, with a median regulatory defense payout of a little over $1 million and a mean regulatory settlement cost of $937,500.
3. Prior Acts Coverage / Retroactive Date
Prior acts coverage protects against claims made during the policy period that arise from acts occurring before the policy began. The “retroactive date” is the earliest date on which an act can occur and still be covered; anything earlier is excluded, and the date is negotiable. Although Verizon’s 2015 Data Breach Investigations Report noted that the gap between compromise and discovery is the smallest it has recorded (discovery within days or less 45% of the time), data breaches still often take many months to detect. Here is a common example. On January 1, 2015, a vendor releases a patch for a security vulnerability in software your company runs. An attacker finds that your company never installed the patch, exploits the vulnerability to get into your network, installs a program that quietly collects your data, and then applies the patch himself to reduce the chance that the intrusion will be noticed. You apply for cyber insurance soon thereafter. Just after the 2015 Christmas holiday shopping season, the attackers send your data out, at which point you detect the intrusion. Your insurer then notifies you that it is denying the claim because the acts that caused it occurred before coverage began. This is why you want the broadest prior acts coverage possible, with the earliest retroactive date you can negotiate. You may also want to negotiate an extended reporting period, which lets you report a claim after the policy expires for an incident that began during the policy period, since a subsequent insurer may argue that the breach did not occur during its own policy period.
4. Network Business Interruption Coverage
This covers certain losses incurred while your network is interrupted as a result of a data breach. It is especially important if your organization engages in e-commerce. How badly would your organization be damaged, in terms of lost net profits, if your network were down for several days while law enforcement and your computer forensics consultants investigated the cause of a breach? Check the policy’s waiting period (the number of hours of outage before coverage begins to apply) and whether the trigger includes downtime caused by your own investigation and containment, not only the outage the attack itself causes.
5. Contingent Business Interruption Coverage (resulting from the acts or omissions of third parties)
Many organizations rely on third parties to process data. For example, many healthcare providers rely on third-party billing companies and clearinghouses to process payments, making those vendors “Business Associates” under HIPAA. Similarly, self-funded health plans frequently contract with third-party Business Associates for claims management and other plan administration functions. If a Business Associate suffers a data breach affecting your patients’ (or enrollees’) data, your organization may bear the ultimate responsibility for the breach. Accordingly, you will want coverage to offset this potential loss. You may also want to negotiate, in your contract with the third party, that it pays your self-insured retention or deductible when the loss results from its own acts or omissions.
6. Defense Option / Reimbursement of Costs
Some cyber insurance policies require the insurer to hire the consultants and attorneys who defend your organization, while others agree to reimburse reasonable and necessary costs you incur. Using your own consultants and attorneys makes sense if they already know your systems and your business, so you are not paying for them to come up to speed on your organization. Decide which path you want before you bind the policy, and check whether the policy requires the insurer’s consent to your choice of counsel or consultants.
7. Costs of Restoring and Recreating Data
The cost to restore or recreate data that has been taken or damaged can be extensive. Your organization will need to weigh the cost of this coverage against its need, and should check whether the coverage pays only to restore data from existing backups or also to recreate data for which no usable backup exists, and whether it is sublimited.
8. Extortion Coverage
As reported in our last blog post, criminals continue to run phishing scams in which a user clicks on a link that installs ransomware, which encrypts the laptop or other computer and demands payment for the key. One infected machine can often spread the infection to others on the network. You will want to negotiate extortion coverage that pays to restore the data, not merely the ransom demand itself.
We look forward to your participation in our webinar entitled “Insurance Coverage for Data Breaches: Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern.
The author, Bill Wagner, JD, CPCU, CIPP/US, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and on Electronic Document Retention and Production. He also serves as a Steering Committee Member of DRI’s Government Enforcement and Corporate Compliance Committee.