Many companies assume that if they hire professionals to manage their website, there is no need to buy their own Cyber policy. That assumption is incorrect. Multiple federal and state laws define who is responsible for notifying the persons affected by a breach, and those responsibilities usually fall not on the IT service provider but on its customer, the company that owns the data. We frequently see contractual wording that assigns responsibility to another party, but many statutes impose liability that cannot be shifted by contract alone. Statutory liability around HIPAA-protected information has expanded recently: a vendor that creates, receives, stores or transmits protected health information on behalf of a healthcare entity is now a Business Associate under HIPAA and is directly liable for statutory violations, which extends exposure to the trading partners of healthcare entities. Many companies outside the health sector hold HIPAA-protected information, and other categories of information are protected by other laws.
Customers and trading partners keep pushing broader indemnification wording into contracts. A contract with your trading partner or IT provider may not relieve you of your own legal obligations, but it may give you subrogation opportunities: once you (or your insurer) have paid, the party that contractually accepted responsibility can be pursued for recovery. Naturally, you should draft your contracts with the most favorable wording from your perspective.
What about the reverse situation, where you are the party promising indemnification? Without your own policy, you may be unable to fund that promise. Cloud provider contracts are notorious for shifting liability to the client; it is unusual to find any indemnity running in the client's favor.
What about when your company is the vendor? Large corporations increasingly shift liability for safeguarding information onto their vendors. You might be responsible not only for the expenses of your own breach but, under your contracts, for the notification expenses of your clients' breaches as well.
Early technology policies responded only where the insured was found legally liable for negligence. Today it is common for customer contracts simply to state that the vendor will assume the costs of notification, and the better Cyber policies mirror that contractual language by covering obligations assumed by contract. This treatment of contractual liability is unusual among professional policies: most other professional liability policies exclude liability assumed under contract.
You may find your company exposed in several areas:
Your own vendors may use contractual wording that shifts responsibility for a breach back to you.
Your customer contracts may obligate you to fund your customers' notification expenses.
The last area of exposure may be your own insurance carrier. Some Cyber policies contain exclusions that limit coverage. If you are found to be out of compliance with the carrier's minimum required security practices, the carrier may deny the claim or, if it has already paid, sue to recoup its claim payments.
In May 2015, Columbia Casualty Company filed a lawsuit asking a court to declare that its cyber policy did not cover a privacy class action against its insured, Cottage Health System, and to order the insured to reimburse what the carrier had paid. According to the complaint, Cottage Health System or its vendor allowed unauthorized access to about 32,500 patients' medical records. The carrier had already paid $4.125 million to settle the class action that followed the breach. The policy's exclusion for failure to follow minimum required practices eliminated coverage if the insured failed to implement the security controls it had represented it maintained, and the carrier alleged that the insured had not done so. The practical lesson is that the answers given on a cyber insurance application, and the security practices the policy requires, are conditions of coverage rather than paperwork.
Policies vary tremendously, and exclusions can often be negotiated out of a policy. It is critical that each policy be reviewed carefully for its strengths and shortcomings, and that each insured be evaluated against its own risk profile. No one policy fits all. We can help you determine the best policy for your needs.
Call the Specialist! Debbie Klisch, 719-329-4441, debbie [at] scicteam [dot] com