News stories abound of sensitive information that was lost, stolen, or otherwise compromised. Subsequent stories follow of the dreadful effects these incidents have had on the responsible organizations as well as the affected individuals. As mobile and compact as our data has become, it’s easy to understand why we are seeing frequent and large data breaches. It’s convenient to store thousands of records on a keychain thumb drive, but if this data falls into the wrong hands, there’s no telling what a thief might do with it.
Our Claims Experience
At Physicians Insurance, we’ve seen it. With the relatively new data compromise endorsement provided on most of our professional liability policies, our insureds have begun reporting claims. The number-one cause of loss in our experience—and this matches the national trends—is simple negligence. Examples include missing CDs or other portable devices, and stolen laptops that have been left unattended.
Another area of top concern, according to a recent Ponemon study*, is a system glitch, such as a computer virus or an error caused by software or an operator, which inadvertently leaks data or allows for easy access to the data. The third most common way that breaches can occur, according to the study, are through malicious or criminal attacks.
Increasing Regulation
Many states have enacted laws to protect individuals from identity theft and to hold organizations accountable for privacy violations. Federal regulations hold health care entities to additional rules, namely HIPAA. The latest enforcement rule, known as the HITECH Act, extends certain provisions of HIPAA (Health Insurance Portability and Accountability Act of 1996) to third parties, such as EMR (electronic medical records) vendors and mandates patient notification in the event of a data breach. It also calls for increased criminal and monetary penalties and a recently implemented HIPAA audit pilot program. Health and Human Services posts case examples on its Web site, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html, involving incidences of data breaches, and in some cases, the resulting penalties and resolutions between HHS and the responsible organizations.
The Need for Cyber Liability Insurance
If you don’t have the data compromise endorsement on your professional liability policy with Physicians Insurance, you should consider it as a bare minimum protection. For about $150 annual premium, it gives your practice $50,000 coverage for the cost of responding to many types of accidental data compromises. Coverage includes: 1) the cost of legal and forensic services to determine the extent of a data breach (up to $5,000 of services); 2) the cost of notifying affected individuals; and 3) the cost of services, such as credit monitoring and identity restoration, to support the affected individuals in the event of a data breach.
This coverage is just the tip of the iceberg. You can purchase a more comprehensive cyber liability policy through Physicians Insurance Agency. Cyber liability policies can include additional features besides those offered by the data compromise endorsement, such as third-party liability coverage for claims alleging financial loss due to a network security or privacy breach. Other coverage includes network asset protection to recover and replace damaged, erased, or corrupted data; cyber extortion coverage in the event that a ransom demand threatens the identities entrusted to you; and fines and penalties associated with HIPAA and the HITECH Act (to the extent insurable by law).
If you would like more information or if you are interested in purchasing coverage, contact your account executive or me at (206) 343-7300 or 1-800-962-1399.
* Larry Ponemon, “Five Countries: Cost of Data Breach,” April 19, 2010, accessed on August 29, 2012.