When the government knocks, will your privacy insurance answer?
Most experts predict that 2011 will bring a significant increase in regulatory proceedings and fines against companies that suffer privacy breaches. The mushrooming number of privacy-related laws at the federal, state, local and foreign levels provides fertile ground for investigations and enforcement actions. Potential regulators include the federal Department of Health and Human Services, the FTC, the SEC, FINRA, State Attorneys General, the EU, and others.
The July 2010 settlement by Health Net of a HIPAA enforcement action by the Connecticut Attorney General provides a window onto the potential near-term future. In settlement of an action resulting from its loss of a portable hard drive containing unencrypted patient records, Health Net paid a $250,000 fine, agreed to an additional contingent payment of up to $500,000, agreed to take several corrective steps – and spent more than $7,000,000 dealing with the breach.
With the likelihood of more frequent investigations and enforcement actions looming, companies may want to consider transferring some of the substantial financial risk to insurance policies. Unfortunately, it is not always easy to do so. Many of the most common privacy/information security policy forms have at least three or four separate provisions that can serve as the basis for coverage denials in many or all regulatory investigations or proceedings. Some of the provisions present obvious coverage problems, but others seem perfectly innocuous — until there is a claim. In order to maximize insurance coverage for these very costly situations, companies and their advisors need to scrutinize insurance policy terms, carefully consider the potential implications and scope of policy language, and negotiate properly tailored endorsements to clarify and correct ambiguous or unfavorable provisions.
Doing business in Massachusetts?
Companies holding personally identifiable information about Massachusetts residents have special reason for concern. Massachusetts’ three-pronged approach to data security imposes several obligations on companies that own or license personally identifiable information. One prong is Massachusetts’ “breach notice” law (MGL 93H), which is comparable to the breach notice laws passed in almost all other states at this point. A second prong is reflected in the Commonwealth’s law (MGL 93I) regulating the disposal of records containing personal information. The third prong consists of Massachusetts’ Data Security Regulations (201 CMR 17), which impose perhaps the nation’s most stringent “cradle to grave” data security obligations. These regulations apply to all entities that own or license specified personal information of Massachusetts residents – whether or not the entity is located in Massachusetts.
There has been much speculation about how Massachusetts’ data security regulations will be interpreted and enforced. A recent panel discussion provided some guidance. Representatives of the Massachusetts Attorney General’s Office and of the Office of Consumer Affairs and Business Regulation discussed their investigations into potential breaches of the data security regulations and their touchstones for determining whether to pursue enforcement actions against companies. A very useful blog post about the panel discussion has been written by Ellen Giblin of Littler Mendelson P.C.
A representative from the Massachusetts Attorney General’s office noted that the office has been receiving an average of three to four notices of breach each day. The AG’s office examines each situation. It will conduct a more detailed investigation if its review suggests that the breached entity may have violated the data security regulations. What factors spur the AG’s office to investigate further? The AG’s office has no fixed formula for determining when to undertake an extensive (and doubtless costly, to the target) investigation, but some ominous facts include the following:
- The company was aware of the breach but failed to notify affected individuals as required by the notification law.
- The company did not have a Written Information Security Program (WISP) in place, as the regulations require.
- If the company did have a WISP, the WISP was inadequate because the company was not properly diligent in assessing and addressing the risks of breach.
- The company did not exercise “reasonable” security as required by the regulations in storing or maintaining the compromised data.
- The company was deceptive or unfair in articulating the purpose for which the compromised data was collected in the first place.
- The company did not disclose to consumers that it was collecting private information from them.
- The company failed to disclose to consumers how it uses the personal information.
Even if a company is not sued by anyone whose personal information has been breached, it is manifestly clear that the company can expect to spend massive amounts of money on such items as forensics (determining the source and scope of the breach, as well as the specific information that was compromised), notices to the affected individuals, credit monitoring services, call centers, public relations advisors, and of course lawyers. Carefully negotiated insurance policies can cover much or all of this financial exposure.
Unfortunately, many privacy/data security insurance policies have three or even more separate and independent provisions that insurers can try to use as grounds for denying coverage for investigations or enforcement actions under the Massachusetts Data Security Regulations. Companies need to make sure that these potential tripwires are deactivated in order to secure the financial protection that well-negotiated insurance coverage can offer.
Connect with John Doernberg on LinkedIn.