Companies Should Not Rely on Traditional Insurance Policies to Cover Data Breach Investigation, Notification or Liability Costs

by Leonardo M. Tamburello

According to the Ponemon Institute’s 2013 Cost of Data Breach Study, the average total organizational cost of a data breach is over $5.4 million.  These costs include:

  • forensic investigation to determine what happened;
  • loss mitigation to minimize damages;
  • breach notification to government agencies and affected individuals;
  • defense costs associated with subsequent State and/or Federal regulatory investigations;
  • settlement/resolution costs resulting from government investigation, including the costs associated with multi-year integrity programs, call centers, incident response teams, and credit monitoring services;
  • civil litigation defense and settlement or trial costs;
  • public outreach and image/brand rehabilitation efforts;
  • revised internal policies, procedures and employee retraining.

In 2013, the Insurance Services Office (ISO) added a new data breach claim exclusion for “[a]ny access to or disclosure of any person’s or organization’s confidential or personal information.”

Considering similar exclusion language, in April 2014, the Eleventh Circuit Court of Appeals denied coverage under a standard commercial general liability (CGL) policy in a case where Interline Brands, Inc. was sued for sending “junk faxes” in violation of the Telephone Consumer Protection Act.  See Interline Brands v. Chartis Specialty Insurance, Co., — F.3d —, 2014 WL 1424432 (11th Cir. 2014).  It is likely that this court would view a data breach exclusion like that recently proposed by ISO in the same manner.  This opens the door for other jurisdictions to do the same.

As data breaches will continue to occur even at the best-prepared entities, costs will continue to escalate.  This is particularly true in the healthcare sector, where the Office for Civil Rights (OCR) on May 7, 2014 announced a $4.8 million settlement with two major metropolitan health care organizations for potential HIPAA violations related to the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.  In addition, OCR’s investigation found that neither entity had made efforts prior to the breach to ensure that the server containing the ePHI was secure and that it had appropriate software protections in place.  OCR also determined that neither entity had conducted an accurate and thorough risk analysis identifying all systems that accessed the ePHI.  As a result, neither entity had developed an adequate risk management plan addressing the potential threats and hazards to the security of ePHI.  One entity also failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

This settlement comes in the wake of two earlier data breach settlements, both involving stolen laptops, that together totaled over $1.9 million.

Particularly in light of the broadened reach of regulatory authorities under HITECH and ONC’s warnings of increased compliance and enforcement actions in 2014, it is imperative for companies that handle PHI, ePHI and other forms of protected information to purchase technology or data breach insurance, with sufficient limits, that specifically covers them in the event of a security incident or an actual breach.  That policy deserves the same careful reading of its exclusions and sublimits as the CGL policy it supplements.  It would be foolish to assume that a “standard” CGL policy will provide any coverage.  Such assumptions create the unnecessary risk that coverage will be denied when a claim is submitted, and nobody should wait until that moment to learn that their carrier will not provide a defense or liability coverage.