Contributors: Lisa W. Clark, Esq. JD’89 and Rachel Neufeld, Esq.
Healthcare entities are particularly vulnerable to cyberattacks given the value of healthcare data: if your credit card is hacked, you can get a new one, but health records are permanent. Consequently, sophisticated hackers are increasingly targeting healthcare providers and their vendors. The Anthem Blue Cross breach affected as many as 80 million consumers. Several hospitals were the targets of ransom attacks that threatened to shut down their electronic health records systems if ransoms were not paid (and some did pay). The FBI is reaching out to healthcare providers, IT vendors, and others to work collaboratively on real or threatened breaches. In a time when data breaches and hacks are daily news, and the average total cost paid by an organization as a result of a data breach has reached $6.5 million, it is even more important for every company to take the steps it can to prevent such breaches and hacks. Obtaining specialized cyberinsurance, in addition to general insurance, is such a step and can provide relief in an area where technology changes so fast that security protocols working one day are obsolete the next.
It is becoming clearer that general commercial liability policies and general errors and omissions policies for healthcare entities (and other businesses) may not provide coverage for cyber incidents. Courts have given inconsistent rulings when addressing this issue.
Of the four main cases on this issue, one case settled outside of court; one case held that the insurance company did have a duty to defend because there had been publication of the data (two patients’ medical records were available on Google because of inadequate firewalls); one case held that the insurance company did not have a duty to defend because there was no publication of the data (computer tapes fell out of a truck and were taken from the side of the road, but no evidence anyone accessed the information on the tapes); and the fourth case involved a “data-held-for-ransom” set of facts that was ultimately determined to not be covered under the company’s errors and omissions policy.
This inconsistent case law offers at best a “maybe” level of protection for healthcare entities that only have general policies. In addition, the insurance industry is pushing hard to foreclose coverage for data security breaches by including broad cyber exclusions in such general policies. Thus, companies should look at specialized cyberinsurance policies to fill in coverage gaps and provide them with more certainty.
But cyberinsurance policies are not all one and the same. Each company’s cyber risk is different, and a cyberinsurance policy should be tailored to those risks. It is important to involve the risk management, information technology, and legal departments to assess cyber risks, analyze a particular cyberinsurance policy, and complete the application. Companies should be careful in their application not to overstate their current security practices, because application statements are often incorporated as conditions, and coverage might be denied if your security practice in real life does not match up with what was previously stated. For example, stating that you have “reasonable security practices” may be accurate at the time the policy is purchased, but coverage may be denied later when that security practice is no longer “reasonable” as technology develops or becomes obsolete.
Companies tend to trip up because cyberinsurance policies are new and there are not yet any clear industry standards or ways to determine what a “good” cyberinsurance policy is. These policies are all over the map from cheap to expensive, and vary widely in what is covered. Here are some important points to consider when selecting your cyberinsurance policy:
- Know the limits and sublimits in the policy. Some elements of a data breach response can be much more expensive than others (e.g., call centers), so be aware of what the limits are so you are not surprised by sublimits. Also, some policies may not cover government fines, such as fines under HIPAA.
- Pay attention to definitions. Data security and privacy is a developing area, and every state has its own set of laws and requirements that may not match up with the definitions in the policy. For example, the definition of “personal information” as it relates to a data breach varies by state, and you don’t want to be limited in coverage if the breach happens in a state where the definition is different from that of your policy. As another example, some cyber policies condition business interruption coverage on “network disruption,” but business interruptions may happen without the network itself being harmed (e.g., extra expense, lost business, slowdowns), and you don’t want to be limited in this way either.
- Try for an early retroactive date. Some cyber policies restrict coverage to breaches or losses that happen after a certain date, which is typically the date the policy is signed. However, the nature of data breaches is that they often go undetected for months or even years, so it is in your best interest to negotiate for an earlier retroactive date.
- Expand the geographic reach. It’s typically the nature of a data breach or a cyber attack that it is not limited by traditional geographic boundaries. Make sure your policy does not limit you to a particular geographic area.
- Choose the scope of coverage you need. Make sure you know what your policy covers. Some important coverages include:
- Coverage for the costs to notify those affected by a cyber incident. Such notification is required by law in almost every state.
- Business interruption coverage, for lost income and related costs where a company is unable to conduct business due to a cyber incident or data loss.
- Forensic services coverage, for investigating the cyber incident, assessing the impact of the incident, and stopping an attack.
- Coverage for credit monitoring services to customers affected by the cyber incident, and for public relations after the cyber incident.
- Coverage for physical damage to computer systems or loss/destruction of data, including costs to restore data and replace or upgrade a computer system that was breached.
- Liability coverage for costs associated with civil lawsuits, judgments, settlements, regulatory actions or penalties resulting from a cyber incident.
Cyberinsurance is not a cure-all for the problems resulting from a data breach. It shouldn’t be the only thing a company has to protect against data breaches, but rather should be part of a cyber incident protection repertoire that also includes creating an appropriate incident response plan, using extensive encryption, involving your company’s business continuity management and board, defining CISO leadership, and properly training employees.