With the Increase in Data Breaches (and Their Cost), Cyber Insurance Is a Must
Although it has been available for a decade or so, the cyber liability market is still something of the “Wild West,” in the words of Stephen Raptis, a partner in the Washington, D.C., office of Manatt, Phelps & Phillips LLP.
Policy language is rarely standardized and premiums and coverage levels are all over the map. Recently, a California hospital system and a large liability insurer sued each other over the insurer’s refusal to pay the $4 million the system owes to settle a class action suit involving a data breach.
But Raptis doesn’t recommend going without cyber insurance. In fact, he says now is the time to get a policy. And he is not alone. To Jeff Brunken, a covered entity that forgoes a cyber liability policy is like a doctor practicing medicine “bare” without malpractice insurance — it’s just not smart.
Brunken is the CEO and president of the MGIS Companies Inc., a provider of specialty insurance products for physicians, although not cyber insurance (RPP 4/14, p. 7). He says too many physicians wrongly assume the small levels of coverage they can get through their malpractice or property and casualty insurance will be enough.
Brunken, Raptis and his colleague Susan White, a partner in the firm’s Los Angeles office, spoke to RPP about strategies covered entities (CEs) and their business associates (BAs) can use to avoid being victims of a cyber shootout in the insurance Wild West. Importantly, they agree that CEs must make sure their business partners — be they other CEs, BAs or subcontractors — have their own separate policies.
To begin, it’s probably useful to review the aforementioned case, which Brunken calls a “gut check” about what can go wrong.
According to the May 7 lawsuit that Columbia Casualty Company filed in U.S. District Court for the Central District of California against Cottage Health System, the trouble began when data for 32,500 patients “that were stored electronically on Cottage’s servers were disclosed to the public via the internet” for approximately three months, beginning Oct. 8, 2013.
At that point, Cottage, which has not yet filed its response in court, had a one-year, $10 million “claims-made liability policy” that had been in effect for a week. Called “NetProtect360,” the policy, which was to cover “Privacy Injury Claims and Privacy Regulation Proceedings,” had a $100,000 deductible.
Cottage had learned of the breach on Dec. 2, 2013, “from a third party.” According to Columbia’s suit, the class action complaint “alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (INSYNC), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
As has become routine, a class action suit — Kenneth Rice, et al. v. INSYNC, Cottage Health System, et al. — followed almost immediately, filed on Jan. 27, 2014, in California Superior Court. Nearly a year later the parties agreed to a $4.125 million settlement to be paid to approximately 51,000 individuals, “along with related expenses and attorneys’ fees.”
But Columbia balked at paying on behalf of Cottage, saying coverage was excluded under the policy if there was a “failure to follow minimum required practices.” Specifically, the policy defines this as “any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.”
Overall, Columbia claimed that the data breach “was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.”
Multiple Failures Were Alleged
Columbia’s suit reprints portions of Cottage’s application for the insurance, which included a “Risk Control Self Assessment.” Cottage answered “yes” to seven fairly simple questions, including:
“Do you check for security patches to your systems at least weekly and implement them within 30 days?”
“Do you replace factory default settings to ensure your information security systems are securely configured?”
“Whenever you entrust sensitive information to 3rd parties do you...require them to either have sufficient liquid assets or maintain enough insurance to cover their liability from a breach of privacy or confidentiality.”
However, Columbia asserted that Cottage failed to:
“Replace factory default settings to ensure that its information security systems were securely configured,”
“Regularly check and maintain security patches on its systems,”
“Regularly re-assess its information security exposure and enhance risk controls,”
“Have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers,” and
“Control and track all changes to its network to ensure it remains secure, among other things.”
Notably, INSYNC lacks “sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims” resulting from the breach, Columbia’s suit points out.
Don’t Give ‘Aspirational’ Answers
Brunken told RPP what “stands out” for him is that Cottage’s insurer “was willing to have their name in the headlines, declining a claim.” He considers that surprising, at a time when it would seem carriers want to attract business. But it shows that as more, and more costly, claims are coming in, insurers are taking steps to limit their payments.
The suit reinforces the sense that CEs must accurately respond to any questions a potential insurer asks. Any falsehoods may be detected and a policy cancelled, which Raptis calls “certainly one of the hazards” if “someone fills out an application in a way that is more aspirational than actual.”
Applications for policies may ask “yes” or “no” questions, as Cottage’s shows, but oftentimes they are more complicated. And they may become more so after this suit.
The underwriting process can be “pretty onerous,” Raptis says. “They will ask you to describe the systems you have in place to protect your electronic data, and that’s not always easy to boil down into a narrative form.” Some CEs and BAs may be so turned off by this that they decide not to purchase insurance at all, which he does not recommend.
IT staff at the covered entity often have difficulty accurately describing what they’re doing in a way that is clear to the insurer, especially if that firm is relatively new to health care and cyber insurance.
In recognition of this, some insurers are “trying to streamline the application process, and may even be willing to meet in person with representatives of the CE or BA to review security safeguards,” Raptis says. Or they might sit through a PowerPoint presentation, he adds.
Some CEs and BAs may also be reluctant to provide too much information about their safeguards for fear that it could be lost or fall into the wrong hands. But “the flip side is if you don’t provide enough detail you could find yourself out of coverage,” Raptis says.
CEs should ensure that BAs have their own cyber liability policies and require mutual indemnification. This is important given that “two-thirds of breaches are coming from third parties,” Brunken says.
Smaller CEs and BAs may take some convincing before they agree such policies are needed. They may be “lulled into a false sense of security” by thinking a standalone cyber insurance policy isn’t necessary, that coverage available through a malpractice or property insurance policy may cover them, Brunken says.
Those policies, which Brunken says would range from $50,000 to $100,000, would not quite cover 500 records. The most recent estimate of the cost of a data breach in the United States is $217 per record, based on the Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, which was released May 27 (see brief, p. 11).
The cyber insurance market “could dwindle” as claims increase, if suits like the one against Cottage proliferate and are successful, Brunken says. On the other hand, he hopes that the suit “will create more awareness among those applying” for such coverage.
The standalone policies “are really not expensive” and they are “important to have,” Brunken says. Not only do they limit the policy holder’s liability, but they may also provide additional benefits through “bundled services,” such as credit monitoring, breach notification and a “breach coach,” he adds.
Check the Fine Print
Until cases like Cottage’s are resolved and there begins to be consistent case law that helps settle what should be standard coverage, the watch phrase is “buyer beware,” the experts say.
The lack of standardization can actually be an advantage, says Raptis. Until there is a standard, it may be possible to “take some of the language that is vague and either negotiate it out, or make it more clear,” he says.
White, Raptis’ colleague, notes that CEs should review “what triggers the policy.” For example, some will not respond to a request for a claim until there is a lawsuit. This would not help, for example, if a breach hasn’t risen to that level. She recalls a situation where a firm had to contend with removal of malware that she said “was a parting gift” from a disgruntled employee. This kind of remediation can be expensive.
“Some will not cover paper documents” that are the source of a breach, White adds.
“Another thing to look out for is to what extent [the policy covers] business interruption,” such as repairs and “replacing data that are lost,” Raptis says. “Some cover that and some don’t.”
CEs and BAs must not fear pushing back when they think a cyber insurer hasn’t gone far enough — or goes too far, says White. One organization she advised ran into problems because the insurer “hired defense counsel and told [the organization] to accept them,” which the insurer had no authority to do under the policy.
© 2015 by Atlantic Information Services, Inc. All Rights Reserved.