Cyber-insurance and Employee Data Breaches: Part 4


A large portion of the hundreds of data breaches and thousands of data security incidents that occur each year involve human resource related issues. This includes situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.

Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part of the series discusses whether your organization has (or should have) cyber-insurance to cover the risk of a regulatory investigation.

Only about 50% of companies have purchased insurance specifically designed to cover part, or all, of the costs of a data security breach (“cyber-insurance”). In order to understand why some companies choose to purchase cyber-insurance while others choose not to, you have to look at what cyber-insurance in general is designed to do, and whether a specific policy that your organization has (or is considering) truly mitigates risk for your organization.

Cyber-insurance policies differ dramatically in terms of what they cover, what they exclude, and the amount of retentions (i.e., the amount of money that the insured organization is responsible for paying before the policy provides reimbursement). If your organization has a cyber-insurance policy, you should review it carefully before a security incident occurs so that you understand the degree to which the policy protects (and does not protect) your organization from potential HR-incident related costs and liability.

The following checklist provides a guide to evaluating a cyber-insurance policy in connection with how it might apply to a regulatory investigation concerning how your company protected (or failed to protect) employee data. 

Regulatory Proceedings

  • Coverage: Does the policy cover regulatory proceedings that may result from a breach? If so, does the coverage extend to legal fees incurred in a regulatory investigation or regulatory proceeding? Does it also cover the fines or civil penalties that may be assessed as a result of a proceeding?
  • Exclusions: Does the policy exclude investigations brought by agencies that are likely to investigate your organization? For example, most employers are subject to the jurisdiction of the Federal Trade Commission and their state attorney general when it comes to how they protect their employees’ data. If your policy excludes such investigations, it may be of relatively little value. If you offer a self-funded health insurance plan, you should avoid any policy that excludes coverage for investigations brought by the Department of Health and Human Services.
  • Sub-limit: Is the sub-limit proportionate to the average cost of defending a regulatory investigation and/or the average cost of the fines assessed to other organizations in your industry?
  • Sub-Retention: Does the policy have a sub-retention (i.e., deductible) for the cost of a regulatory investigation? If so, is the sub-retention well below the average cost of regulatory penalties and fines? If legal fees incurred in a regulatory investigation are covered, is the sub-limit well below the legal fees that you would expect?


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
