We strongly encourage companies possessing or transmitting personally identifiable information (PII), protected health information (PHI), financial or other sensitive data, including trade secrets, to use encryption. Why? Because, if employed properly, it is both effective and legally defensible.

So what is encryption?

Encryption is a type of information security. It involves the coding and decoding of messages in order to protect private content from third parties. In its earliest form, encryption was essentially letter substitution (e.g., substituting the letter “a” for the letter “p” in a message). Today, encryption is much more complex than that. It usually involves the development of a shared secret key, the application of an encryption algorithm to your data to create a ciphertext, and, in many cases, the use of what is called a nonce (or initialization vector, “IV”), which is introduced into the data exchange to prevent repetitive sequences in the encrypted text (since such repetitions could allow the encryption to be broken).

The two basic forms of encryption are stream ciphers and block ciphers. Stream ciphers employ a single-use key: the historical “one time pad” and the once-trusty RC4 are examples of stream ciphers. This type of encryption is generally used for things like email, since the cipher can only be securely used one time. Block ciphers, in contrast, employ keys that can be reused across many messages. Two of the most common block ciphers used today are 3DES and AES, both of which are approved by NIST. See here and here. Block ciphers are used for things like SSL (i.e., Internet packet encryption), since the cipher is applied through an iterative process (a mode of operation) that allows the shared key to be used securely multiple times.
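To make the nonce/IV point concrete, here is an added Go example (not code from the original post) that uses only the Go standard library's AES implementation. It encrypts a constructed record containing a repeated 16-byte field, first with the raw block cipher and no IV, where the repetition shows through in the ciphertext, and then with AES-GCM under a fresh random nonce, where two encryptions of the same record differ and any altered byte is rejected on decryption. The key `demoKey` and the sample record are constructed for the example only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte key (AES-256) used only so the example is
// self-contained; real keys come from a CSPRNG or a key manager, never source code.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// SealRecord encrypts plaintext with AES-256-GCM under a fresh random 96-bit
// nonce and returns nonce || ciphertext || tag. A new nonce per message is what
// keeps two encryptions of the same data from producing the same ciphertext.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord. It fails closed: any change to the nonce,
// ciphertext or tag makes the authentication check fail and no plaintext is returned.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptBlocksNoIV applies the raw block cipher to each 16-byte block with no
// IV or nonce (ECB mode). It exists only to show the repetition problem.
func EncryptBlocksNoIV(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// HasRepeatedBlock reports whether any 16-byte block occurs twice in data; a
// "yes" on ciphertext means structure of the plaintext is leaking.
func HasRepeatedBlock(data []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		b := string(data[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	// Constructed record: the same 16-byte field repeated, as happens with
	// padded form fields or repeated identifiers in real data.
	record := []byte("SSN=000-00-0000;SSN=000-00-0000;")

	ecb, _ := EncryptBlocksNoIV(demoKey, record)
	fmt.Printf("no IV, repeated ciphertext block: %v\n", HasRepeatedBlock(ecb))

	a, _ := SealRecord(demoKey, record)
	b, _ := SealRecord(demoKey, record)
	fmt.Printf("GCM, two encryptions identical:   %v\n", string(a) == string(b))

	a[len(a)-1] ^= 0x01 // simulate a corrupted or altered byte in transit
	_, err := OpenRecord(demoKey, a)
	fmt.Printf("GCM, tampered message rejected:   %v\n", err != nil)
}
```

Run with `go run`; the first line prints `true` (the ECB ciphertext repeats), the second `false` (fresh nonces give different ciphertexts), and the third `true` (the altered message is rejected). GCM also authenticates the data, which is why the same primitive that hides repetition also detects tampering.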

That’s the encryption short tour. For a deeper dive, from an expert, go here.

Why should you use it?

You should use encryption because it gives you legal protection. Few laws specifically require encryption. HIPAA generally doesn’t. State statutes don’t. Nor does the Gramm-Leach-Bliley Act’s Safeguards Rule. Yet if you are not encrypting PII, PHI, or financial data, you are putting yourself at risk. Those laws expect you to take reasonable precautions. And using encryption, and using it properly, is a reasonable precaution when it comes to dealing with sensitive data. HIPAA, for example, provides that encryption should be used where “the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability” of the information; otherwise the entity must implement an “equivalent alternative measure if reasonable and appropriate” and document why encryption wasn’t the best choice.

Encryption also helps to avoid costly breaches. The HIPAA breach notification rule is only triggered if the PHI is “unsecured.” So if the data has been made “unusable, unreadable, or indecipherable to unauthorized individuals” – say, through encryption – then there is no reportable breach. And almost every state and territory breach notification statute follows this same approach. The thinking is that, since the data is encrypted, it is not feasible for someone to break the encryption to get to the underlying information, so the information is never really exposed. If, however, the incident involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud, then, under most statutes, there will be a breach, and notification will still be required.

The bottom line is that if you’re a company that handles sensitive data – including PII, PHI, financial data, trade secrets, etc. – you will want to use encryption as one line of your layered defense against cyberattacks, theft, and other information disclosure risks.

Despite a company’s best efforts, data security breaches happen. Now the federal government is making it a little easier for businesses to manage the aftermath of identity theft and mitigate damages. If your customers and/or employees are at risk of or have fallen victim to identity theft, you can now send them to www.IdentityTheft.gov.

The website is designed to help victims of identity theft manage the process of recovery.  For example, the website addresses what first steps to take, as well as provides resources like checklists of things a victim should and will want to do in order to limit the amount of damage.  There are even links to other websites, like the credit bureaus and the IRS, that will likely be helpful in navigating the recovery process.

Perhaps one of the website’s best and most helpful features is its dozen or so sample letters. These are letters a victim may need to send to a credit card company in order to dispute a charge (https://www.identitytheft.gov/sample-letters/dispute-credit-card-charges.html) or to one of the three credit bureaus in order to request that the bureau remove any fraudulent information (https://www.identitytheft.gov/sample-letters/identity-theft-credit-bureau.html).

If the personal information of your customers or employees has been compromised, do not hesitate to make this website part of your response plan. It could mean the difference between a chaotic experience that could lead to a loss and a smooth recovery process that could lead to a more favorable image of your business.

 

One reason why businesses don’t buy cyber insurance is that they don’t believe the insurance will pay benefits in the event of a loss. A recent lawsuit following a data breach, brought by a wholly-owned subsidiary of CNA Insurance against a large California hospital network, highlights the old adage “buyer beware.”

Could you imagine buying car liability insurance where you promised to continuously obey the rules of the road, so that if you were even partially at fault for an accident, there would be no coverage? Sounds illusory, doesn’t it?

Now imagine that you are the CFO of a large hospital network where an IT vendor, hired to store 32,500 patient records on a system accessible via the internet, made a mistake and left the data unencrypted for two months so that it was accessible to anyone surfing the internet.

You might initially find comfort in the fact that you bought a $10 million cyber insurance policy called “NetProtect360” from Columbia Casualty Company, a wholly-owned subsidiary of CNA. This particular cyber insurance policy provides coverage for Privacy Injury Claims and Privacy Regulatory Proceedings. But, after you turn the resulting class action lawsuit and notice of a California Department of Justice investigation (for HIPAA violations) over to your insurer in order to defend your company, and after the insurer agrees to pay the class action settlement ($4.125 million), you are stunned when the insurer turns around and sues your company in federal district court.

In the lawsuit, the insurer alleges that it does not owe a duty to defend or indemnify you in either case. Instead, you should be required to reimburse the insurer for the settlement funds and any and all attorney’s fees or related costs or expenses the insurer has paid or will pay as a result. The insurer says you should be obligated to pay it damages because you lied on your application and you failed to continuously follow the minimum required security practices you agreed to. This CFO’s nightmare is the lawsuit entitled Columbia Casualty Company v. Cottage Health System, Case No. 2:15-cv-3432, filed May 7, 2015 in the United States District Court for the Central District of California.

So what did the policy provide? This particular cyber insurance policy had several exclusions, including one for “Failure to Follow Minimum Required Practices.” That is, the policy states that the insurer has no obligation “to pay any loss based upon, directly or indirectly arising out of, or in any way involving any failure of an insured to continuously implement the procedures and risk controls identified in the insured’s application.”

Moreover, in the application, the policyholder had to represent and “warrant, as a condition precedent to coverage…, that it shall: follow the Minimum Required Practices … and maintain all risk controls.” In the application, the hospital network was asked the following questions, which it answered affirmatively. These answers constituted the minimum required practices:

  •  Do you check for security patches on your systems at least weekly and implement them within 30 days?
  •  Do you replace factory default settings to ensure your information security systems are securely configured?
  •  Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?
  •  Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?
  •  Whenever you entrust sensitive information to third parties, do you…
       a. contractually require all such third parties to protect your information with safeguards at least as good as your own,
       b. perform due diligence on each such third party to ensure that their safeguards for protecting sensitive information meet your standards (e.g., conduct security/privacy audits or review findings of independent security/privacy audits),
       c. audit all such third parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information,
       d. require them to have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality?

  •  Do you have a way to detect unauthorized access or attempts to access sensitive information?
  •  Do you control and track all changes to your network to ensure it remains secure?

Based upon the data breach and in light of the hospital network’s representations in the policy application, Columbia alleged it had no duty to defend or indemnify the policyholder because, among other things, the policyholder:

  •  failed to follow the minimum required practices, including failing to continuously implement the appropriate procedures and risk controls identified in the application and materials submitted with the application;
  •  failed to regularly check and maintain security patches;
  •  failed to regularly re-assess its information security exposure and enhance risk controls;
  •  failed to have a system in place to detect unauthorized access or attempts to access sensitive information on its servers; and
  •  failed to control and track all changes to its network to ensure it remained secure.

By analogy, anyone familiar with Verizon’s 2015 PCI Compliance Report knows that over the past decade, not a single company that suffered a data breach was fully compliant with the Payment Card Industry Data Security Standard (PCI-DSS) at the time of breach. So in 100% of the data breaches, the victim was not in compliance with what might be termed the minimum required practices. So what was the insurance intended to protect against, if not unintentional and accidental errors and omissions?

We’ll keep an eye on this case as it progresses to see whether the policyholder is eventually required to pay the insurer for the loss. In the meantime, we cannot stress enough the importance of working with your broker and coverage counsel to run tabletop exercises to see how an insurance policy might respond to a data breach before you choose one policy over another. It’s better to know how a policy might respond ahead of time so that you can determine whether the policy is worth the price or is just offering illusory coverage.

The author, Bill Wagner, JD, CPCU, CIPP/US, CIPP/G, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.

One way to protect your business from financial loss, reputational damage, and the expense of regulatory scrutiny in the event of a data breach is to require your vendors, with access to your customer and employee personally identifiable information, to carry cyber insurance.

Many businesses routinely require their vendors to promise to indemnify them from any loss or expense arising out of the vendor’s goods or services. They also routinely require their vendors to maintain certain types and amounts of insurance coverage, have their business named as an additional insured under the vendor’s insurance policies, and provide proof of the insurance coverage as conditions to their contracts.

But the types of losses, damages, and expenses that arise from a data breach are often not covered by the standard insurance policies listed in most vendor contracts. An instructive case for businesses on this issue is Recall Total Information Management, Inc. v. Federal Insurance Co., which was recently affirmed by the Connecticut Supreme Court.

In that case, IBM entered into a contract with Recall to transport and store various IBM electronic media. IBM also required Recall to indemnify it from any loss or expense arising out of Recall’s services. Later, Recall entered into a subcontract with Executive Logistics, Inc. for transportation services. Under the subcontract, Executive Logistics was required to maintain various insurance policies, including a $2 million commercial general liability policy and a $5 million umbrella liability policy, all naming Recall as an additional insured.

Unfortunately, during one of the transports, a cart containing 130 IBM computer tapes fell out of an Executive Logistics van as it was exiting a highway ramp. The tapes contained personally identifiable information, such as names, social security numbers, birth dates, and contact information, for some 500,000 past and present IBM employees. Some unknown person retrieved the tapes, but the tapes were never properly recovered. Luckily, the tapes were encrypted and required specialized equipment to read the data on them.

As you may know from our other blog posts, there is a patchwork of various state laws governing the types of notice that must be given to affected individuals, state attorneys general, and others in the event of a data breach. While some states do not require notification of a data breach to affected individuals where the information was encrypted, the encryption key remains safe, and the risk of disclosure is minuscule, other states require notification if there is simply any disclosure of personally identifiable information, regardless of whether it is encrypted.

IBM took a cautious approach following the data breach of its employees’ information. IBM spent $6.2 million in total to respond to the data breach. This included $2.5 million to notify the past and present employees of the breach, $600,000 to maintain a call center to answer their questions and concerns, and $3.1 million for credit monitoring services. IBM demanded that Recall indemnify it for these losses and expenses, which Recall paid. Recall then made a demand to Executive Logistics and the insurers for reimbursement.

To make a long story short, the insurers denied Recall’s claims on several grounds, including that there was no evidence that the personally identifiable information had been published, or was made known, to a third person. The Connecticut Court of Appeals and Supreme Court held that without evidence of a publication of private information, the policies’ coverage had not been triggered.

In hindsight, Recall should have required its subcontractor (Executive Logistics) to maintain cyber insurance. Cyber insurance policies, among other things, typically cover the cost of computer and data loss restoration, notification costs, credit monitoring, and liability to third parties arising from your failure to handle, manage, store, and control personally identifiable information belonging to others. Recall and Executive Logistics could also have tried to limit their liability by capping their indemnity obligations to the amount of the contract, their existing insurance policy limits, or in other ways.

But the valuable lesson is that anytime a vendor has access to your customer or employee personally identifiable information, you need to have a discussion about sharing or transferring the risk of loss if there is a data breach, including through the use of cyber insurance.

For more information about cyber insurance, check out our previous blog posts:

Cyber Insurance: What Terms and Conditions Should I Consider When Buying?
Cyber Insurance: How Do I Determine My Coverage Needs?
Cyber Insurance: What do Cyber Insurance Policies Cover and Cost?
Cyber Insurance: Why Can’t I Just Rely on My Agent for the Best Policy at the Lowest Cost?
Cyber Insurance: Do I Really Need It?

About the Author
Bill Wagner, JD, CPCU, CIPP/US, CIPP/G, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.

Taft Privacy and Data Security attorneys Matthew D. Lawless and Beth A. Bryan will share strategies on how to proactively address downsizing data at the ACC Southwest Ohio CLE program on May 14. The session, “Defensibly Downsizing Your Data: Using Records Retention and Deletion Best Practices to Reduce Your Litigation Costs and Data Security Risks,” will be held at the Taft Center in Cincinnati from 11:30 a.m. – 1:00 p.m. Taft Litigation group chair Russell S. Sayre will welcome the attendees.

Joining Lawless and Bryan as panelists are:

  • Robert Fowler, CIPP/US, Director, Professional Services, Jordan Lawrence
  • Kristen Safier, Counsel and Corporate Compliance Officer, Cincinnati Children’s Center
  • Megan Frient, Senior Counsel, Global Litigation & Dispute Resolution, Procter and Gamble

The session will cover:

  • Evaluating the legal and business issues caused by retaining too much information.
  • Best practices for developing a retention policy for all records and information.
  • Cleaning up the mess and developing an ongoing strategy for new data.
  • Overcoming the cultural challenges.
  • Selling sound information governance within your business organization.

For more information, ACC members may contact ACC Administrator Michelle Moeller at (513) 722-4942.

Taft partner Bruce J.L. Lowe will welcome attendees to the British-American Business Council (“BABC”) annual two-day session on May 13, to be held at the Thomson Reuters headquarters building in Times Square, New York City. The BABC brings members from all chapters on both sides of the Atlantic together once a year at its Annual Transatlantic Business Conference to share business insights and develop new business relationships through a high-level program of panel discussions and business networking. Lowe serves as the BABC Midwestern U.S. Regional Representative and concentrates his practice in business bankruptcy, creditor rights law and commercial litigation.

Taft Privacy and Data Security co-leader Diane D. Reynolds will participate on May 14 as a panelist on “Cyber Security and Litigation – The Latest Legal Practice Explosion,” which will address what transatlantic businesses must do to protect themselves, their work force, executives and boards from cyber security issues. Reynolds holds the Certified Information Privacy Professional/United States (“CIPP/US”) credential, the global standard in privacy certification, through the International Association of Privacy Professionals (“IAPP”) and is a member of Taft’s Business and Finance group.

The Department of Justice Cybersecurity Unit recently issued its “best practices” for cybersecurity incidents, while the SEC recently circulated a cybersecurity “guidance update.” These publications recommend that companies institute certain policies and procedures for cybersecurity based on each agency’s experience in the area.

The agencies’ suggestions are good ones. More importantly, like NIST’s Cybersecurity Framework, such recommendations may become de facto standards that regulators, courts, and juries look to when they assess whether your company’s conduct in securing data and responding to a data security incident is reasonable or not, negligent or not, or a violation of securities laws or not. So it’s worth paying attention.

Here’s what you need to know:

Department of Justice Cybersecurity Unit’s “Best Practices”

DOJ advises that you should:

  1. figure out what your most critical data is;
  2. have a plan for containing intrusions, mitigating the harm, and collecting and preserving information necessary to assess the nature and scope of the damage and source of the threat;
  3. have technology in place for off-site data back-up, intrusion detection, data loss prevention, traffic filtering or scrubbing, and real-time network monitoring; and
  4. engage qualified legal counsel before an incident occurs because “[a]n organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws.”

Securities and Exchange Commission’s “Cybersecurity Guidance”

SEC advises that you should:

  1. conduct periodic assessments of your data, threats and vulnerabilities, security controls and processes, the impact of incidents, and the effectiveness of management structures;
  2. create a strategy that is designed to prevent, detect and respond to cybersecurity threats; and
  3. implement the strategy through written policies and procedures and training.

Together, the DOJ and SEC guidance shows an increased legal and regulatory focus on cybersecurity. If you have not analyzed your data, assessed your risks, and instituted policies, procedures, training, and plans to secure that data and mitigate your risk, you should be doing so as soon as possible.

For more reading on implementing cybersecurity best practices, check out our previous blog posts:
Data Breach Security: The Five Best Questions Every Organization Should Answer
Anthem Lessons: Why You Need a Cyber Incident Response Plan for Data Breaches Now

Threat Intelligence – What You Should Be Doing

Threat intelligence is, very simply, a set of network defense techniques that leverage knowledge (i.e., intelligence and counter-intelligence) about adversaries so that organizations can build a superior information base, which decreases the chances of an attacker compromising their networks. Gartner more specifically defines it as “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to the menace or hazard.”

Reduced Effectiveness of Vulnerability Defense Tools
To date, the approach taken by most corporate IT departments has been to focus on the vulnerability aspects of the network with defense tools such as intrusion detection systems and anti-virus software, or on the implementation of an incident response plan/methodology that assumes a successful intrusion. However, the progression of a number of interconnected factors (i.e., the increasing amount of data available, the increasing capacity to store that data, and the increasing value of that data for creating synthetic identities, or simply for studying business processes or trade secrets), together with the development of shared techniques and knowledge among attackers, has greatly reduced the ability of these traditional methods to adequately “defend the perimeter.”

The 2015 Verizon Data Breach Report states that in 60% of cases, attackers are able to compromise an organization within minutes. This statistic would seem to liken intrusion detection systems and anti-virus software to a Maginot Line that gives organizations a false sense of security. The average time that adversaries are present on the network (“dwell time”) before their intrusion efforts are identified or their presence is recognized is 224 days, according to recent surveys. Well-armed adversaries achieve their objectives using advanced tools and techniques specifically designed to evade most established network defense processes.

Decreasing Successful Attacks by Leveraging Knowledge
Leveraging knowledge about these adversaries can help establish a state of information superiority that decreases the likelihood of a successful attack. This knowledge should include information that is:

  • Aggregated from reliable sources and correlated
  • Tailored to the environment
  • Evaluated and interpreted by experts
  • Accurate, timely and actionable

Threat intelligence is a critical component of an organization’s security program and can provide an organization with a global perspective on adversarial intrusion methodology, as opposed to a localized perspective of what is happening on its proprietary network.

The marquee breaches that have occurred recently (e.g., Anthem, Home Depot, Morgan Stanley, Target, LinkedIn, and Sony) have helped U.S. Fortune 1000 companies understand that data security must be taken seriously. Not only must companies invest in their data security, but they must proactively manage and protect it. Previously, large corporations generally considered hacking attacks and general security breaches as “Force Majeure” events, in that they were both unpredictable and unpreventable. Therefore, many of the Fortune 1000 purchased cyber insurance rather than increasing capital investment in data security technology. See Philip Lieberman’s insightful article.

However, with the rising regularity of data breaches and the consequential lawsuits, insurers are no longer covering these events as readily as they did in the recent past, since they are not in the business of making capital investments into their customers’ businesses.  This has forced the Fortune 1000 to begin making the necessary capital investments and to begin sharing information about their data breaches, not only with the government, but also with each other.  This trend towards proactive management and information sharing will only increase with the White House’s recent proposal of the Cyber Threat Sharing Act of 2015.

As the Fortune 1000 strengthen their collective defenses, the amount of “low hanging fruit” available to cyber criminals shrinks, forcing them to target small and medium-sized companies, which often have weak defenses. Currently 31% of hacks occur at companies with fewer than 250 employees. That percentage will increase as criminals shift their focus to what may be perceived as “softer” targets. Only 20% of small and medium-sized companies have formal written information security plans, and even those are often barely more than “check the box” plans. Complicating this picture for small and medium-sized companies: the plaintiffs’ bar, having cut its teeth on earlier data breach class action lawsuits against the Fortune 1000, is improving its techniques. Future lawsuits may not be dismissed as readily for lack of damages as more and more complaints shift from alleging “data breach” to alleging “identity theft.”

The takeaway is that small and medium sized companies need to better understand the risks associated with the personal information that they collect, use, share, and store, and they have to be proactive in securing it.  Start with a privacy impact assessment, put the right policies and technologies in place, train your employees, and have a response plan.  You do not want to be low hanging fruit.

*This is the fifth post in a five-part series on cyber insurance, culminating in a webinar entitled “Insurance Coverage for Privacy and Data Breaches, Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern. 

A question we often hear CEOs, CFOs, and Directors of businesses and public and private institutions ask is “What terms and conditions should I consider when buying cyber insurance?” We have compiled a list of some of the most important terms and conditions to consider. However, you should discuss more nuanced industry- and organization-specific terms and conditions with your broker and insurance coverage attorney.

1. Crisis Services
Crisis services include the costs for computer forensic investigations to determine the cause of the data breaches, obtaining legal guidance, notifying victims, providing credit monitoring to the victims, and promoting media or public relations campaigns. According to Net Diligence’s 2014 Cyber Claims Study, almost half of the total amount of insurance company payouts from data breaches was for crisis management services. The Ponemon Institute’s 2014 Cost of Data Breach Study: United States also reported unusually high churn rates following news of data breaches. Your organization will want professional assistance to communicate to your customers, regulators, business partners, and vendors that you are taking appropriate and reasonable steps to protect your customers with respect to any loss of data, and that you will take reasonable steps to try and safeguard your customers’ data going forward.

2. Regulatory Defense (including fines and penalties)
Regulatory agencies, such as the Federal Trade Commission and the Department of Health & Human Services, actively investigate data breaches within their jurisdictional powers. Examples of corrective actions, penalties, and fines imposed by the Office for Civil Rights on behalf of HHS for HIPAA violations can be found here, including news of the $4.8 million in HIPAA settlements following the data breaches at New York-Presbyterian Hospital and Columbia University. This is especially important to keep in mind if your organization is a healthcare provider (a HIPAA-covered entity) responsible for its patient information or has a self-funded health plan (a separate type of HIPAA “covered entity”) where your organization is ultimately responsible for the security of the plan participants’ data. Many policies have a sublimit for regulatory defense. You may think you have a $10 million policy, only to find out that you have a sublimit for regulatory defense of $500,000, which may leave you woefully underinsured. Net Diligence reported that the average healthcare sector payout in 2014 was $1.3 million, with the median regulatory defense payout being a little over $1 million and the mean regulatory settlement cost being $937,500.

3. Prior Acts Coverage / Retroactive Date
Prior acts coverage provides protection against prior acts that may lead to a claim during the policy period. The “retroactive date” is the date when your coverage begins, and can be subject to negotiation. Although Verizon’s 2015 Data Breach Investigations Report noted that the gap between a compromise and its discovery is at its smallest ever recorded (days or less 45% of the time), data breaches often take many months to detect. Here is a common example. On January 1, 2015, a particular program offers a patch to mitigate certain security vulnerabilities. A hacker finds that your company failed to install the patch and uses it as a means to enter your network, sets up a program to start filtering and collecting your data, and then installs the patch to prevent detection of the intrusion. You apply for cyber insurance soon thereafter. Just after the close of the 2015 Christmas holiday shopping season, the hacker sends your data out, at which point you detect the intrusion. Your insurer subsequently notifies you that it is denying coverage for the claim because of prior acts that occurred before coverage began. This is why you want the broadest “prior acts” coverage possible. You may also want to negotiate an extended reporting period, as a subsequent insurer may claim that the data breach events did not occur during its policy period.

4. Network Business Interruption Coverage
This covers certain losses while your network is interrupted as a result of a data breach. This is especially important if your organization engages in e-commerce. How badly would your organization be damaged in terms of lost net profits if your network was down for several days while law enforcement and your computer forensics consultants investigated the cause of a data breach?

5. Contingent Business Interruption Coverage (resulting from the acts or omissions of third parties)
Many organizations rely on third parties for processing data. For example, many healthcare providers rely on third-party billing companies and clearinghouses to process payments, making them “Business Associates” under HIPAA. Similarly, self-funded health plans frequently contract with third-party Business Associates for claims management and other plan administration functions. If the Business Associate suffers a data breach affecting your patients’ (or enrollees’) data, your organization may bear the ultimate responsibility for the breach. Accordingly, your organization will want coverage to offset this potential loss. Your organization may also want to consider negotiating the self-insured retention or deductible in case of a loss so that the third party is responsible for paying the deductible if the loss results from the third party’s acts or omissions.

6. Defense Option / Reimbursement of Costs
Some cyber insurance policies require the insurance company to hire consultants and attorneys to defend your organization, while others agree to reimburse reasonable and necessary costs. Using your own consultants and attorneys makes sense if they know your systems and are familiar with your business, so you won’t have to pay for them to come up to speed on your organization. You will want to consider which path you want to take.

7. Costs of Restoring and Recreating Data
The cost to restore or recreate data if taken or damaged can be extensive. Your organization will need to assess the cost of this coverage and its need.

8. Extortion Coverage
As reported in our last blog post, criminals continue to run phishing scams where a user clicks on a link that serves to encrypt a laptop or other computer. Oftentimes, one laptop or computer can infect others and you’ll want to negotiate this coverage to simply pay for the data to be restored.

We look forward to you participating in our webinar entitled “Insurance Coverage for Data Breaches: Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern.

The author, Bill Wagner, JD, CPCU, CIPP/US, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.