Liability Issues

NAID’s new Downstream Data Coverage promises more comprehensive liability coverage for the RIM industry than previously available.

A number of high-profile data breaches have made the news in recent years. In 2011 alone, the Privacy Rights Clearinghouse, San Diego, tracked 535 breaches involving 30.4 million sensitive records as of mid-December. Among the breached data were 101.6 million records, including 12 million unencrypted credit card numbers, from Sony customers when its PlayStation Network and Qriocity service were hacked. Also in the last year, a breach at Epsilon affected 250 million email addresses. Since 2005, according to the Privacy Rights Clearinghouse, 543 million records have been breached in the U.S.

“This is a conservative number,” Privacy Rights Clearinghouse Director Beth Givens says in a news release regarding the data breaches. “We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our chronology is only a sampling.”

All this talk of breaches can put records and information management (RIM) companies on edge, especially in light of the interim HITECH (Information Technology for Economic and Clinical Health) Act data breach notification final rule developed by the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). The regulations require health care providers and other HIPAA (Health Insurance Portability and Accountability Act) covered entities, and business associates of covered entities, to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary annually.

At the time the regulation was introduced in 2009, Robinsue Frohboese, then acting director and principal deputy director of OCR, said: “This new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care.”

These new regulations have increased the risk to providers of information destruction and records management services.
 

Up For Review
“Intensified HIPAA liabilities have certainly put service providers at higher risk, and they should be paying particular attention to how their policies protect them,” says Bob Johnson, CEO of the National Association for Information Destruction (NAID), based in Phoenix.

He adds, “For better or worse, professional liability insurance coverage will likely be one of the most significant vendor qualifications in the marketplace. Service providers with an understanding of the issue and with superior coverage will have the advantage.”

NAID has recently introduced Downstream Data Coverage (DDC), a professional liability insurance product that is designed to address the breach liability issues HITECH raises and the deficiencies that NAID members saw in existing liability insurance.

“Virtually all data-related service providers who obtained ‘off-the-shelf’ professional liability insurance are inadequately covered,” Johnson says. “These policies exclude coverage for many of the most vulnerable risks and they usually provide no coverage for data breach notification.”

Johnson adds that policies marketed to data-related service providers may not provide data breach coverage to the full limit of the policy or they may not extend to the client’s breach notification.

“Therefore, DDC simply and clearly states that it will pay any client data breach notification costs caused by the service provider and pay them to the full limit of the policy,” he says.

DDC differs from other professional liability policies in three ways, Johnson says. “First, the policy better protects the service provider and their customers by more accurately and clearly addressing the evolving risks. Second, coverage is limited to service providers who are NAID certified. And, third, it will be converted to a customer-owned, captive insurance program in three years.

“Over time, as data-related professional liability coverage becomes a market requisite, other policies will inevitably follow DDC’s lead,” he continues. “The one thing they cannot replicate, however, is the fact that DDC will be a member-owned, self-insurance program backed by NAID certification.”

DDC limits its coverage to professional liability for now, Johnson says.
 

Additional Benefits
While DDC was designed to address risks to service providers, Johnson says creating the policy in this way has resulted in better protection for clients of data-protection firms, as well.

In addition to data breach coverage, DDC is designed to offer a range of features to data-protection firms. “DDC eliminates the need for cybercoverage endorsement with language that provides coverage for damages resulting from unauthorized access to electronic media accepted for destruction to the full limit of the policy,” Johnson says.

“DDC is also the first to provide a default deductible of $5,000 for legal defense, even when the policy deductible is significantly higher,” he continues. “Therefore, policy holders can receive a premium based on a higher deductible while remaining protected by a lower deductible when defending themselves against potential false claims.”

DDC is limited to NAID certified companies as a loss-control measure, Johnson says. “One of the benefits of being a member-owned policy is the ability to set rates as low as possible. How low those rates can go is dependent upon the claims history of the group.” He adds, “By restricting the coverage to companies subject to NAID’s announced and unannounced audits, members will have access to far superior coverage at significantly lower rates.

“The alternative is to leave members at the mercy of the insurance companies,” he continues. “Further, with other programs, members will remain subject to rates based on the experience of the entire population of data-related service providers, many of which have a high claims history.”
 

First Things First
Johnson says the response to DDC has been in keeping with his expectations. “There has been a lot of interest, with only a few taking action.” He points out that the response was similar when NAID first introduced its certification program.

As of early January, six companies have acquired the DDC policy. “For most, it is the first time they have obtained such coverage,” Johnson says.

Colorado Document Security (CDS), Palisade, Colo., is among the companies that have purchased Downstream Data Coverage. CDS Vice President Scott Fasken, who is president-elect of NAID and a long-time member of the association, says he worked to help develop the coverage and was the first to purchase it.

Fasken says the cost of his DDC policy is similar to the cost of new tires for one of his company’s shred trucks. CDS landed a contract with a local casino because its liability coverage was a selling point with the casino’s chief financial officer, he adds. The first purge job CDS did for the casino paid for the coverage.

Fasken says his company’s clients have been “excited” to learn about the protection extended to them through DDC. “They are impressed we are adding to their risk management protection and not asking them for more money for it,” he says.

In addition to a new sales tool, Fasken says Downstream Data Coverage allows him to safeguard his business, family and future retirement in the case of a data breach because it does not have the exclusions, such as claims arising from intentional acts by employees or violations of federal regulations, that can be common in other business liability policies.

Johnson says NAID did not heavily promote DDC when it was first introduced to the industry. “Because professional liability coverage is a new issue (and new expense) for most NAID members, the plan was to give them a chance to learn about the issue before intensifying marketing efforts,” Johnson says.

Before DDC is converted to a member-owned captive insurance program, he says it needs to prove its viability. “Prior to that conversion, it is handled just like any other insurance product and requires the involvement of an appropriately licensed broker,” Johnson says.

That role is currently being filled by AIM (Association Insurance Management), based in Dallas. Johnson says the company was selected because of its “successful track record and their commitment to support the conversion to a captive.”

He adds, “In the future, NAID members may decide it is best for the association to bring the administration and distribution of the product in house. They may just as well decide to outsource that administration and distribution to AIM or to another third party. The point is that the members will decide through their elected officials.”


 

The author is editor of SDB and can be contacted at dtoto@gie.net.

February 2012