Businesses at Risk: Protecting Your Valuable Data (Part 3)
Editor's Note: This article is the third in a series that highlights some of the substantial risks associated with the loss of sensitive data and summarizes ways you can protect your organization from such risks.
In our March 2010 article, we provided an overview of the risks associated with maintaining the confidentiality of sensitive data and other valuable information (such as personal health information and financial data), and included some examples of companies that sustained significant losses when the confidentiality of their data was breached. In our April 2010 article, we addressed two legislative attempts designed to protect confidential data and information from unauthorized disclosure: the HITECH Act and the Red Flags Rule. (We remind our readers that the Red Flags Rule goes into effect on June 1, 2010. Please contact your attorney if you have any questions about implementing your Red Flags program.)
This month, we discuss two other approaches to managing privacy and data security risks: contracts and insurance.
Contractual Approaches to Protecting Data
When individuals provide personally identifiable information and other sensitive data to a health care provider or payor, financial institution, airline, retailer or other organization, it is likely that the recipient will subsequently provide the data to a third-party service provider that could allow the data to be lost, destroyed or disclosed to an unauthorized entity. These types of incidents can have serious consequences for the receiving organization, including a requirement to bear the significant costs of recovering the data and notifying affected customers, as well as potential liability under applicable data protection and privacy laws.
There are a variety of contractual protections that an organization can put in place to manage these risks. One set of protections relates to the service provider's compliance with applicable laws. At a minimum, a contract that involves the transfer of sensitive data to a service provider should require the service provider to comply with all applicable privacy and data protection laws, as well as any specific legislation applicable to the data that is being processed, stored or redistributed by the receiving organization and provided to the service provider. A one-size-fits-all clause is never advisable. Accordingly, such a provision should define "laws" in the broadest possible terms and should be tailored to ensure that it meets the specific data protection and privacy needs of your organization and your customers. In addition, any standards that technically are not "laws" throughout the country, but that the receiving organization requires its service providers to adhere to, should be spelled out. For example, an airline, retailer or hotel chain may desire all of its third-party service providers to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), which is currently a legal requirement in only three states.
Periodic audits are one way to monitor whether a service provider has appropriately implemented the required safeguards. A common approach is to have a service provider undergo an annual, independent audit of its data security controls for each facility where your company data is stored. You might also require a service provider to provide a Statement on Auditing Standards No. 70 (SAS 70) Type II report, which addresses the adequacy of a service provider's controls, including whether the controls were suitably designed to protect your organization and its data.
Contractual protections can also be used to require service providers to develop and maintain procedures to reconstruct data that is destroyed, lost or corrupted. For example, a service provider should be required to take appropriate measures to resolve any issues identified in an audit report delivered under the contract. Similarly, a service provider should have an obligation to notify you of any security breach involving release of company data in order to allow your company to comply with its data breach notification obligations under applicable law. Other protections in this category include requiring a service provider to pay for the costs of correcting any destruction of your company data and, more broadly, to indemnify you from claims by the individuals who provided that data if the service provider fails to comply with its contractual obligations relating to the security and privacy of the data.
Finally, service providers should be required to maintain appropriate insurance, which names the receiving organization as an additional insured. The next section discusses insurance in a bit more depth.
Insurance and Data Protection
Insurance presents another opportunity for companies to manage their privacy and data security risks, which fall into two general categories: first-party and third-party losses.
First-party losses refer to a company's own losses from a breach of data security. Examples include the costs associated with the loss of private data, such as notification and credit-monitoring costs; costs to change account numbers; costs to manage negative publicity; loss to business income (such as canceled contracts and lost new business); and data restoration expenses. First-party losses may also include the costs of dealing with hackers who try to extort money out of the company.
Third-party losses encompass the money a company must pay to others whose privacy was compromised. Examples include defense costs, judgments and settlements arising out of lawsuits brought by customers and employees. Such lawsuits might allege, for example, invasion of privacy, damages arising out of identity theft and expenses for lost work time. Additionally, lawsuits may be brought by banks, retail stores and other third parties. There are also costs associated with defending against lawsuits or investigations brought by regulatory agencies.
Although these are obvious business risks, it is prudent to question whether they will actually be covered by the types of insurance that businesses traditionally carry, including commercial general liability (CGL); property; commercial crime or employee dishonesty; directors and officers liability (D&O); and professional liability or errors and omissions (E&O).
Coverage Part A of the typical CGL policy covers amounts the insured becomes legally obligated to pay to third parties for their "property damage" or "bodily injury" due to an "occurrence" (usually defined as an "accident"). Coverage Part B covers "personal and advertising injury," which includes "oral and written publication...of material that violates a person's right to privacy." Courts have been reluctant to find that loss of or damage to "data" satisfies the CGL policy's definition of "property damage" to "tangible physical property." Similarly, because claims for emotional distress arising out of the loss of private, personal information rarely (if ever) allege physical bodily harm (another CGL policy requirement), courts have been equally reluctant to find coverage for such claims. Likewise, courts seem to be unwilling to hold that "loss" of electronic data is the equivalent of "oral or written publication of material." Accordingly, most standard CGL policies, absent a specialized endorsement, are not likely to respond to such claims.
The typical commercial property policy suffers from a similar problem. Because "data" usually does not satisfy the definition of "physical property," insurers argue that these policies do not cover first-party loss of data or private information. Some commercial property policies now come with a computer fraud endorsement, but coverage still may be quite limited.
Commercial crime or employee dishonesty policies cover losses resulting from various types of fraud committed upon the insured business, but typically exclude loss caused (directly or indirectly) by theft of confidential information; indirect or consequential loss of any kind; and "potential" or "future" income. Clearly, these are just the sort of losses for which a company would want coverage. While most financial institutions carry a policy commonly known as a financial institution bond that sometimes covers theft of confidential customer information, other types of companies do not typically purchase policies like this.
D&O insurance typically covers claims and suits brought by third parties alleging wrongful acts committed in the course of managing a business, as well as certain types of regulatory actions. They do not, however, cover first-party losses of any kind. Most D&O policies specifically exclude coverage for claims arising out of "invasion of privacy" and "violations of any right of privacy." Such exclusions represent common obstacles to coverage for data and privacy claims.
E&O insurance responds to claims arising out of wrongful acts allegedly committed by the company or its employees in the course of the insured's "professional services." Like D&O insurance, these policies do not respond to first-party losses of any kind.
Fortunately, the insurance industry has recognized the need to offer coverage for the risks associated with data security and privacy. Because the resulting policies are new, however, it is essential that companies assemble a team of experienced professionals—including an insurance broker, an attorney and an IT professional—to source and negotiate the right combination of terms and conditions.
Although every situation is different, below are some general guidelines regarding what to look for in such an insurance policy:
First-party coverage, which should include
- Extra expense and business income loss from denials of service
- Extortion-related losses and expenses
- Corruption or destruction of data
Third-party coverage, which should include
- Defense expenses
- Damages from settlements and judgments
- Notification expenses
- Crisis management expenses
Depending on your particular situation, it is important to ask certain questions, including whether the policy covers unauthorized access to (1) information residing on an "outsourced" system; (2) information in a non-electronic form; and (3) information breached or impaired by means other than over the Internet. You will want to make sure that all of your "information assets" are covered, such as personal identifiable information (including customers, employees and other at-risk constituents); personal health information; customer lists; financial information; marketing information; and trade secrets. Will the policy cover notification expenses, whether required by law or incurred voluntarily (with the insurer's approval)? Will the policy cover credit-monitoring expenses and, if so, what type and for how long? Will it cover the cost of hiring a crisis management consultant to limit the damage to your company's reputation?
Finally, it will be helpful to you and your insurance team to know as much about your company's data security situation as possible. At a minimum, you should be able to answer the following questions:
- What confidential information does your company possess (for example, credit card or other financial data; drivers license or other state identification numbers; social security numbers)?
- Where is that information stored?
- What firewall and other technical configurations does your company employ to maintain data security?
- What are your company's internal policies and procedures with respect to security, and how often are they audited or evaluated?
The Bottom Line
There are an increasing number of state and federal regulations mandating that companies pay more attention to data security. The risks of violating those rules are costly. Even without these new laws, a breach of data security is just plain expensive. Add to that the cost and aggravation of lawsuits, and the need for contractual and insurance protection becomes very clear.
What should smart companies do to navigate these complex and uncharted waters? Because this is a developing area in the law, assembling the right team of professionals will help you mitigate risk and could pay substantial dividends down the road.