Protecting laptop and desktop computers, servers and mobile devices containing information of patients, students and employees from threats of loss, hacking, or theft is an increasing operational, business and legal challenge for health care providers and institutions of higher education.
As both the number and cost of data breaches have risen, health care providers and higher education institutions should recognize that addressing these matters carries a permanent organizational cost. Proactive steps – including relatively simple steps such as data mapping, conducting data security assessments, establishing incident response teams, creating appropriate policies and practices, and performing employee training – can help decrease these costs in the long run and better prepare your organization for the occurrence of a data breach. This is not a problem that is going away, and the more an organization is able to do up front to prepare, the better the chance that it will be able to manage the financial and other costs of a data breach event.
Cyber liability insurance coverage is one strategy to manage risk associated with a data breach. In the context of claims arising from a data breach event, the majority of courts in the United States addressing this issue have held that such claims generally will not be covered under a standard general liability insurance policy.
Cyber liability insurance has become readily available. Current policies can provide a variety of coverages, including emergency response to identify and stop a breach; notification costs to comply with statutes or regulations (based on number of affected persons); and defense costs of regulatory investigations. Insurance coverage can vary widely in terms of what is covered in the event of a data breach, so it is important to ensure that any coverage obtained suits the risks and concerns of each individual organization.
For example, a breach may trigger not only notice to regulators but also a requirement to notify the persons whose information was breached and, in some instances, notice to all persons whose information is in the possession of the organization. Notification may require hiring consultants. Notification costs can be significant. If an organization has a properly structured cyber liability insurance policy, the policy may cover some or all of these costs. However, cyber liability policies vary. Some policies may only provide coverage for costs and fees incurred in relation to a regulatory investigation or civil lawsuit, and may not cover costs relating to items such as notification requirements or the response to and investigation of the actual data breach. An organization should assess its operations and procedures and the potential impacts and internal and external costs of a data breach event in order to properly structure insurance coverage.
As the incidence of data breaches becomes more widespread and costs increase, we expect that lenders will give heightened attention to evaluating the data security policies and procedures and the financial and operational wherewithal of their borrowers to prevent, manage and withstand breaches.
If you have any questions about the firm's Cybersecurity service offerings or the Insurance Coverage & Regulation Practice Area, please feel free to call or e-mail Nicholas DiCesare at 716-566-1524 or ndicesare@barclaydamon.com or Mark T. Whitford Jr. at 585-295-4449 or mwhitford@barclaydamon.com.