Insurers Deny Coverage for Breach Notice Costs (and why companies should consider cyber insurance coverage and why brokers should offer it)
It was recently reported that an insurance carrier (Colorado Casualty Insurance Co.) denied coverage (and filed a lawsuit) for the $3.3 million in costs the University of Utah incurred to provide notice of a security breach involving the records of 1.7 million patients from the University’s hospitals. You can find a copy of Colorado Casualty's declaratory judgment action complaint here. The University also filed its own counter claim, cross-claim and third party claim. As discussed further below, the University's cross-claim is against Perpetual Storage (the service provider that allegedly lost the data) and its third party claim is against Perpetual Storage’s insurance broker (the broker that placed the insurance coverage with Colorado Casualty).
The parenthetical in the title of this blogpost may seem counter-intuitive, but this controversy and the pleadings that have been filed paint a picture of what can go wrong when proper cyber or technology errors and omissions coverage is not in place. It will be interesting to see how this case shakes out (and I make no predictions on what will happen because I lack the information needed to analyze the issue), but I guarantee that the players involved are probably wishing they had purchased explicit cyber or technology errors and omissions coverage (again, it appears that they may not have, but I don't have all the information to state that definitively). Instead, they will have to litigate with no guarantees of success (and large hurdles for the University). Ironically, the University may ultimately recover from insurance proceeds, but those proceeds may come from the insurer that provides errors and omissions coverage to Perpetual Storage's insurance broker.**
Background
The following background allegations were taken from the original complaint and the University's complaint.
It appears that Perpetual Storage contracted with the University to provide data storage services. In June 2008, back-up tapes containing personal information of 1.7 million patients were stolen from a Perpetual Storage employee’s car. 1.1 million of the records included social security numbers. This employee allegedly parked his car while working at a second job, and later in his driveway at home overnight. The tapes were allegedly taken in the middle of the night approximately 8 to 12 hours after they had been picked up.
In response to this incident, as of May 25, 2010 the University had incurred about $3.35 million in costs broken down as follows: $2,483,057 related to credit monitoring expenses (one year for each impacted individual whose social security number had been exposed); $646,149 related to printing and mailing costs for notice to each of the 1.7 million impacted individuals; $81,389 related to phone bank costs (to field more than 11,000 phone calls); and an additional $144,158 in miscellaneous costs. In addition, the University allegedly expended 6,232 personnel hours responding to and mitigating the security breach (and it seeks compensation for that lost time as well).
Colorado Casualty appears to have issued two insurance policies to Perpetual Storage, one described as a “commercial package policy” and the other a “commercial liability umbrella policy.” None of the pleadings mention Perpetual Storage or the University having purchased cyber coverage (i.e. data security or privacy coverage) or errors and omissions coverage.
Procedurally, there is a fair amount going on with this case, including a motion to dismiss by Perpetual Storage. Most relevant, however, is the University’s activity. It filed an answer and several claims against various players. First, it filed against Colorado Casualty and attempts to assert that coverage is available. It also filed against Perpetual Storage directly for its acts and errors, including allegations that Perpetual breached its contract with the University. Finally, it filed a claim against Perpetual Storage’s insurance broker, United Insurance Services, alleging that United failed to procure the insurance coverage needed by Perpetual.
Observations
This case is interesting for many reasons, some of them outlined below.
Do not rely on a commercial general liability policy or traditional property policy to get coverage for security or privacy breaches.
From experience, unless an endorsement was purchased, it would be unusual for a general commercial liability policy to provide first party coverage for breach notice costs (mailings, call center, credit monitoring) or professional liability coverage (coverage for liability due to an act, error or omission of a professional service provider like Perpetual). In fact, there are several cases that have found that commercial general liability policies and property policies do not cover certain data security and privacy risks. Of course, there may be arguments in favor of coverage under certain general commercial policies or property policies, but it may not be clear cut and it may require expensive litigation to obtain that coverage. It is also possible that these policies had endorsements providing more than the traditional coverage (and ultimately the specific wording is what will matter; for purposes of this blogpost I am assuming that the language is fairly similar to traditional policies I have worked with).
The moral of this story is that there is insurance out there, provided by many carriers (and more and more are providing it), that is specifically intended to provide coverage for information security and privacy breaches and technology professional liability. This insurance is specifically designed to provide coverage for damages and defense costs arising out of a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Moreover, coverage now exists for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring. Having purchased coverage for this specific purpose, companies can have a much higher level of certainty that the type of data breach described in this case will be covered.
Insure your own company directly.
The University in this case does not appear to have its own cyber insurance coverage (if they did, I am assuming they would have tendered their expenses to their own carrier and this controversy would most likely not exist). Instead they are making the difficult argument that they should be the beneficiaries of insurance purchased by their service provider. All of this could have been avoided if the University had purchased a cyber policy directly insuring the University.
Most cyber insurance companies provide coverage for “breach notice costs,” including mailing costs, credit monitoring and call center expenses. In addition, most cyber policies provide coverage if the security breach happens to one of the insured’s service providers. That coverage would have addressed the vast majority of the expenses incurred by the University (most cyber policies, however, probably would not provide any coverage for the personnel hours expended internally to address the breach). The moral of this story is if you are an organization that handles a lot of personal information (or other sensitive information), regardless of how secure you think you are (and by now everybody knows that there is no such thing as perfect security; breaches are a matter of when and how bad at this point), you should seriously consider cyber insurance in your risk management mix.
Brokers beware.
It looks as if the University is exercising all its options to try to get reimbursed for the expenses it incurred to address this security breach – it even sued Perpetual Storage’s insurance broker. However, considering there is no direct contract between the University and that broker it may be difficult to recover. Rather, Perpetual Storage is likely in a better position to sue its own broker for breach of contract and/or negligence.
Nonetheless, there is also a moral here for brokers. Here is the reality in 2010: most companies of all shapes, sizes and wealth profiles use information technology and handle sensitive information including personal information and credit card numbers. That means they face potential direct losses due to a data breach (the biggest risk being having to provide notice under breach notice laws and provide credit monitoring/call centers). It also means that most organizations face potential lawsuits and liability arising out of data security and privacy breaches (e.g. consumer lawsuits, employee lawsuits, lawsuits by banks if credit cards are lost, and regulatory actions).
As such, brokers should be aware of the data security and privacy risk their clients face and understand where and how that risk might be covered. Where appropriate, brokers should approach the market to obtain cyber insurance for their customers. Unfortunately, cyber policies (due to their technological nature) are often very complex, and brokers dealing with general liability insurance may not have the training or expertise to understand where cyber insurance fits in and how it provides coverage. This problem needs to be overcome or we will see a lot more lawsuits against brokers after security breaches.
Last point to make: assuming the University does not have its own policy, I am wondering whether (or when) the University will decide to name its own insurance broker as a defendant. I suppose it will depend on whether that broker raised the issue of cyber insurance, and whether the University turned it down or was unable to obtain coverage.
Conclusion
The bottom line is that practically every company in our modern economy has information security and privacy risk. There is no way to completely eliminate it (and it is not cost-effective in most cases to even try). That leaves residual risk that can either be internalized (like the University did) or transferred. Companies that want to transfer that risk would be well-served to get peace of mind and relative predictability by purchasing a cyber policy actually designed to address the risk. Relying on a general liability or property policy to provide the coverage is no longer a wise choice (if it ever was). Of course, this does not mean that cyber insurance is the proper decision for every company; cost is always a factor. Nonetheless, with dozens of carriers now offering the coverage on some level, competition is fierce both on price and coverage scope, so now is the right time to explore the market.
Final note: many of my observations and much of my analysis above are based on assumptions I am making concerning the nature of the policy and the facts of this case. Depending on what is in that policy, and what really happened in this matter, some of my predictions could be off or not applicable. If the policies are filed in court, we will revisit this matter and dig a little deeper.
**DISCLOSURE: I have several cyber insurance company clients and have assisted with drafting some of the top-selling forms in the marketplace; independent of those relationships, however, I am a huge proponent of risk transfer when it comes to security, privacy and technology risk, and believe that no data security and privacy risk management process is complete without considering cyber insurance.
Information Security Clauses and Certifications - Part 1
Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment.
What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?
With heightened liability and compliance risks associated with handling protected categories of data, it is becoming more common to see contractual requirements holding vendors accountable for information security or requiring them to conform to a specified information security standard. Formerly, certification requirements were largely confined to contracts procuring data processing services for government agencies, financial services firms, and healthcare providers. Now, such provisions are appearing in a wide variety of outsourcing, cloud computing, software as a service (SaaS), infrastructure as a service (IaaS), and consulting contracts where the vendor will be processing or storing Social Security Numbers (SSNs), payment card or bank account details, medical information, or virtually any personal data from Europe, Canada, or other jurisdictions with more comprehensive data protection laws.
Often, the contract requires a self-certification of conformance with a particular set of information security safeguards and control procedures, such as the Payment Card Industry Data Security Standard (PCI DSS) for credit and debit card data, ISO 27001/27002 (formerly ISO 17799), or the US government’s NIST 800 series of Federal Information Processing Standards (FIPS). But many contracts go beyond representations, warranties, or conditions concerning information security and require the vendor to submit a third-party expert assessment or audit of the vendor’s security practices.
Security audits can be costly and time-consuming, and an audit requirement may or may not be reasonable given the type and amount of data at issue. On the other hand, a neglected or casually performed self-assessment can result in contract termination, denial of insurance claims, or the shifting of liability following a security breach incident.
How well do lawyers drafting or vetting contracts know what their clients need, or what they are committing to, when it comes to the clauses or annexes detailing the parties’ information security obligations? Despite the sometimes mind-numbing acronyms and technical content, lawyers and business managers need to have a basic understanding of what is entailed with the more common forms of information security clauses and certifications. This will also help them determine which are the most useful and appropriate standards, representations, and certifications for a particular services contract.
Common Information Security Clauses
Confidentiality and nondisclosure provisions typically include a definition of “Confidential Information” accompanied by nondisclosure obligations. The definition usually amounts to “proprietary,” nonpublic information that could be legally protected as trade secrets or confidential commercial information. Sometimes the definition specifically includes “personal information” shared between the parties, such as customer and employee data or marketing lists, which may be both proprietary and protected by privacy laws. Typically, the clause obliges the parties to protect each other’s Confidential Information in the same manner that they customarily protect their own Confidential Information (“the same care and discretion” is a common formulation).
A simple, reciprocal confidentiality obligation works well where the parties have similar interests and capabilities in information protection. However, if one of the parties is relatively inexperienced or lacks sufficient resources or motivation, it may not be satisfactory to rely on such a provision without naming (or attaching) any special security requirements that apply to some of the data, or referring contractually to a widely accepted security standard.
Personal Information Security Clauses
Many contracts involving the sharing of protected categories of nonpublic personal information now also include a Personal Information or Personal Data provision. This is typically designed to help ensure compliance with any applicable privacy laws or standards, such as the federal HIPAA and HITECH acts governing medical data in the US, state personal information security and breach notice laws, and data protection legislation outside the US. The clause will often require the parties to implement “reasonable and appropriate” security measures to protect either defined categories of personal data or, more broadly, any personally identified or identifiable information (“PII”) furnished in connection with contract fulfillment.
The clause may refer generally to compliance with “any applicable laws and standards,” but it is prudent to add a specific reference to any particular information security regimes that are known to apply, such as PCI DSS (payment cards), HIPAA and HITECH (medical records), GLBA (financial accounts), FCRA (consumer reports), national laws based on the EU Data Protection Directive, or the Massachusetts personal information security requirements contained in Massachusetts M.G.L. c. 93H and 201 CMR §§ 17.00-17.05. This helps ensure that the parties understand the operational security requirements and avoids disputes about precisely what was required of the vendor.
Related provisions that may appear in this clause or separately include those relating to indemnification in the event of a security breach or abuse of personal information, insurance to cover such events, notice obligations in the event of a suspected breach of security, and a duty to cooperate in the investigation and resolution of security incidents involving protected personal information. Depending on the sensitivity of their consumer, employee, or government relations, some customers insist on a provision that allows them, or their designated experts, to control the investigation and any notifications to affected individuals or to law enforcement or regulatory bodies, even if the vendor is responsible for some or all of the related costs. Occasionally, the personal information clause will expressly deny any intent to create third-party beneficiary rights for the individuals who are the subjects of the data. This is not possible, however, in the case of European personal data transferred abroad under EU-approved standard contract clauses, as mentioned below.
The personal information clause may also include reference to a specified information security standard and possibly to a required third-party certification. The more common forms of these will be discussed in the next posts in this series.
Clearly, the personal information provisions of the contract can involve substantial risks and costs. The vendor should be careful to understand the requirements and not commit to more than it can perform (or afford). The Customer needs to exercise due diligence in ascertaining that the vendor has the technical and financial capability to perform as required, since the customer may be held accountable in any event by courts, regulators, and the public.
Transborder Personal Data Transfer Agreements
Personal data from the European Union, European Economic Area (the EU plus Norway, Iceland, and Liechtenstein), and other jurisdictions (such as Switzerland and Russia) with laws based on the EU Data Protection Directive are usually covered as well by a transborder data transfer clause. This may refer to the receiving party’s obligations as a data “controller” under laws based on the EU Directive, including obligations to provide notice and access and to secure the data with appropriate “technical and organizational” measures proportionate to the privacy risks inherent in handling the data at issue. If the receiving party is a mere “processor” under EU law, it is mandatory for the contract to include an “Article 17” clause (usually under the heading “Personal Data” or “Data Protection”) to the effect that (a) the processor will handle the data only according to instructions from the data controller and (b) the processor will employ “technical and organizational” security measures equivalent to those required of controllers. (Note that Article 17 clauses are required in contracts between controllers and processors even if the personal data remain in the EU / EEA.)
Whether a party receiving European personal data outside the EU / EEA is a controller or a processor, it must have a legal basis for receiving the data. The data may be received in any of the handful of countries deemed by the EU to afford an “adequate” level of protection, such as Switzerland and Canada (to the extent that the data are protected by the Canadian federal PIPEDA act). Data from EU / EEA countries, Switzerland, and Israel may also be received lawfully in the United States by a company that participates in the International Safe Harbor program. Otherwise, the transfer of such data must be covered by informed consent or another of the accepted “derogations” under Article 26 of the EU Directive. The most common of these are EU-approved standard contract clauses (or “model contracts”) and, more recently, nationally approved binding corporate rules (BCRs).
The EU standard contract clauses typically appear in a separate document or annex, with mandatory terms and a description of the data transfers according to EU requirements. There are only a few approved options in the terms themselves, but the descriptive annex must be carefully drafted to cover all of the contemplated data categories, uses, and recipients. The current sets of EU-approved standard contract clauses do not require a detailed description of security measures, but they do require reference to any special measures that must be taken to safeguard “sensitive” data. (In the EU context, sensitive data refers to information concerning race or ethnicity, health or sex life, religious beliefs, political or trade union activity, and, depending on the country, criminal history, national ID numbers, civil judgments, and any other categories of data deemed especially risky under national law or regulations). In some countries, such as France and the Netherlands, the data transfer agreement and descriptive annex must be submitted for review by a national data protection authority (DPA). DPAs have been known in some instances to request more information about the security measures to be employed (such as encryption), particularly where sensitive data are involved, and they may require that these be included in the data transfer agreement. This information is not made public, however, lest it compromise the security measures.
Several other jurisdictions with comprehensive data protection laws (such as Argentina, Australia, Canada, Dubai, Israel, and Japan) require “reasonable” or “appropriate” security measures proportionate to the risks; they also require or recommend contractual safeguards when transferring personal data to the US, India, and other jurisdictions lacking similar data privacy laws. So far, these countries have not specified security standards or detailed requirements that must be reflected in the data transfer agreement.
***
In the following posts in this series, we will look at the more common information security standards and certifications that may be included in service contracts.