Privacy Insurance. Avoiding the HMO Experience. cyber. More Differences. By Toby Merrill

Transcription

1 Privacy Insurance Avoiding the HMO Experience By Toby Merrill Privacy, as it relates to an individual s personally identifiable information, such as Social Security numbers, credit card and healthcare data, has become a cause célèbre of federal and state regulators. Increases in the scope of privacy laws continue to fuel a rise in publicly reported corporate data breach incidents. A company that suffers a significant data breach not only confronts the possibility of great financial loss, it may also suffer irreversible reputational damage fueling a need for privacy insurance. Data breach incidents typically arise from the theft or loss of customers and employees personally identifiable information, either in an organization s care and custody or in the custody of its third-party affiliates, vendors or business partners. For the past 15 years, insurance carriers have marketed privacy insurance (also called network security or insurance) to cover the financial losses arising from a data breach. In addition to this risk transfer is a hidden treasure in some privacy policies access to expert advice and services. Not all privacy insurance products are created equal, however. While most policies and endorsements address both first-party and third-party exposures, there are often wide differences in coverage terms, conditions, exclusions and financial limits. More Differences Many policies, for instance, may highlight large limits of insurance coverage for statutory notification to the affected parties of a breach and the monitoring of their credit, but fail to provide adequate financial limits or choice among the vendors providing assistance in the aftermath of a data breach. 47 June 2012 ADVISEN.COM

2 If the carrier requires prior written consent before incurring costs to remediate a data breach event, then the buyer experience is similar to that for someone participating in an HMO. The services of computer forensic specialists, law firms and public relations firms are essential to ferret out the facts, verify the cause and extent of the damage, determine the organization s legal duty to notify and, through public relations, manage the organization s reputation, as well as any affected individuals sentiments towards it. Buyers need to carefully weigh the limitations of each covered expense in the policy. While the provision of victim notification and credit-monitoring services is vital for many organizations, it might not be relevant to a healthcare company that experiences a large breach of medical records. The rationale is that credit monitoring provides alerts when someone tries to open up a line of credit, such as a bank loan or credit card, which would require a Social security number, name, address, or other personally identifiable information. However, if someone steals an individual s medical information, they can perform medical identity theft (purport to be another for medical services, insurance fraud, or prescription drugs). Credit monitoring does not detect this type of theft and therefore, will not alert you of this activity. Another important coverage consideration is whether or not the carrier requires prior written consent before incurring costs to remediate a data breach event. If the policy does have this requirement, the buyer experience would be similar to someone participating in a health management organization (HMO), where the primary care physician serves as a gatekeeper to the covered services. In both cases, failure to obtain prior written approval may result in a denial of coverage. While coverage may seem comprehensive when analyzing the affirmative grants of a policy, it is important to review the coverage exclusions in full detail, given the possibility of significant limitations. Take, for instance, exclusions for losses arising out of non-encrypted data. Encryption technology is a great tool to protect data, but even well-managed organizations that can afford the cost and time for software maintenance rarely achieve 100 percent implementation due to human error. If 99 of 100 employee laptops are properly encrypted, there is always the risk that the one that isn t encrypted will be lost or stolen. In this age of BYOD bring-yourown-device excluding encryption from coverage is unacceptable. Another interesting parallel with an HMO is that some privacy policies require the use of a dedicated service provider, leaving the buyer with either 48 June 2012 ADVISEN.COM

3 One-size-fits-all may be appropriate for some baseball hats not privacy insurance. no choice or very limited choice as to which providers will handle the data breach response. In other words, the policy stipulates which law firm, credit-monitoring firm, PR firm, and so on, has been explicitly selected for the respective service by the carrier. This absence of choice and control may seem acceptable when making the purchasing decision, but in the context of a data breach could mean the difference between a well-managed response with minimal financial impact and favorable customer interactions, and significant legal expenses with potentially long-lasting reputational damage. (See page 41, Six-Figure Savings Possible On Breach Costs, for another perspective.) Unfortunately, many first-time buyers of privacy insurance are unaware of these and other important distinctions from one privacy policy to the next. Consequently, they may be losing out on valuable coverage and advice from experts who can help reduce the threat of a data breach, minimize its impact on the bottom line, and protect the organization s most valuable asset its reputation. More Than Just Insurance Unlike other types of insurance, privacy insurance is more than mere risk transfer it combines insurance protection with expert resources to help policyholders prevent a data breach, provide immediate assistance in the event of a breach, and develop a strong defense against possible, ensuing regulatory or legal actions. Insurance carriers that have provided privacy insurance since its infancy possess a plethora of -related claims data, providing rare insight into company data and network vulnerabilities, which in turn shed light on optimum risk mitigation tactics. Consequently, such specialized insurers typically provide risk management programs in addition to a risk-transfer mechanism. These programs include loss mitigation portals, network security assessments and access to a data breach coach or team to assist policyholders in the event of a data breach. For midsize and smaller companies lacking sophisticated security risk management, the programs often serve as a de facto Chief Information Security Officer. 49 June 2012 ADVISEN.COM

4 While the provision of victim notification and credit-monitoring services is vital for many organizations, it might not be relevant to a healthcare company that experiences a large breach of medical records. Just like privacy insurance policies differ, so do each insurer s loss mitigation programs. A carrier s data breach team panel should be scrutinized in areas such as: Experience. The panel of vendors should be well established and be able to demonstrate extensive experience in handling data breaches. Quality. The firms on the panel should be well regarded in the industry. Choice. There should be an adequate number of vendors for the policyholder to choose from in each category. Services. The services offered by the vendors should not be limited in scope. For example, one insurer may only offer credit monitoring, while another may have additional services available, such as fraud consultation and identity theft restoration. Independence. Each of the data breach team vendors should be separate and distinct from the carrier. Any decision regarding the data breach response plan should be designed to be in the best interest of the policyholder, not the carrier. Legal Privilege. Communications with the carrier s data breach coach or team should be protected by legal privilege. More Or Less There are other potential areas of conflict that buyers should consider. For instance, a panel that comprises a data breach notification service provider charging significantly reduced rates should raise a red flag, as the firm may be hoping to up-sell more expensive credit monitoring services to the affected individuals. Rather than manage the insured s risk, the provider may be seeking to capitalize on additional business down the line. Another critical component of a loss mitigation program is flexibility the ability to choose different policy structures. As mentioned earlier, small companies typically lack the resources for a dedicated IT security staff or don t have the time and expertise to build a formal data breach response plan. In such cases, the company may rely on a privacy insurer s turnkey solution. Large companies with dedicated information security departments, on the other hand, typically will have robust data breach response plans, which may include a complete list of vendors. 50 June 2012 ADVISEN.COM

5 Each situation is different hence the need for the buyer and its broker to ensure the purchase of a privacy insurance policy that expressly suits the need. One-size-fits-all may be appropriate for some baseball hats not privacy insurance. Toby Merrill is Vice President, ACE Professional Risk, where he serves as the national product manager of ACE s network security, privacy, and technology products. Reach Toby at toby.merrill@acegroup.com. Finding the right combination of risk transfer and loss mitigation services is critical when choosing a privacy insurance policy and carrier. Consider filtering out carriers that impose restrictions or prior written approval and adhere to stringent vendor selection. If the carrier does offer a data breach team panel, be sure to ask whether use of the panel is a condition to coverage and ensure that coverage will still exist if the policyholder chooses a vendor that is out of network. Seek carriers offering different coverage options and the flexibility to design a privacy policy and loss mitigation program addressing the risk profile of your organization. As always, give deep consideration to the carriers underwriting and claims experience. When structuring sophisticated policy language and settling complex claims, experience counts. Buyers should seek underwriters that understand the nuances of privacy insurance and can present a range of appropriate, cost-effective approaches suiting the organization s needs. Buyers should also make sure the carrier s claims will be handled by experienced claims managers that specialize in handling privacy claims. Data breaches have become all-too-common today, their risk an ongoing concern for all risk managers. Obviously, it is critical that buyers of privacy insurance know what they re buying. In an environment in which no two policies are alike, the onus is on risk managers and their brokers to ensure a solution that presents a choice when it comes to selecting expert assistance. Just as you would want to maintain control in selecting the best physician for you and your family, you should also want the same choice when selecting vendors to handle the delicate, time-sensitive response to a data breach. Your organization s bottom line and reputation may depend on it. n 51 June 2012 ADVISEN.COM