Five Misconceptions about Cyber Liability Exposures

Misconception #1
Cyber breaches are mostly a result of foreign offshore sophisticated hackers who are only targeting large retail and healthcare systems.

In reality, the most common types of breaches are:

  • Lost, stolen or missing electronic assets
  • Improper disposal of data
    • Paper documents not shredded
    • File cabinets with sensitive contents
    • Prescription bottles
    • X-Ray images
    • Electronic assets including computers, smart phones, backup tapes, hard drives, servers, copiers, fax machines, scanners and printers
    • Mishaps due to broken business practices
    • Rogue current or former employees
    • Unsophisticated phishing attacks
    • Network intrusion due to malware viruses or hacking

Misconception #2
All cyber exposures are covered under general liability coverage.

You might think there is coverage under your GL policies but typically no coverage or inadequate coverage exists. Most policies exclude exposures (ISO forms; Recording and Distribution of Material Information in Violation of Law Exclusion; Exclusion – Access or Disclosure of Confidential or Personal Information, or similar endorsements). Some PL policies offer breach notification expense in the event of a breach. Often electronic data restoration, data extortion payment, regulatory fines and penalties and first party interruption and loss of data are not covered. Some policies that do provide a limited amount of these coverages are frequently written on indemnification/reimbursement and they do not provide defense or pay on behalf coverage.

Misconception #3
Using cloud storage service reduces risk and liability.

Not so – cloud storage actually opens a whole new can of worms – the increase use of offsite and outsourced IT/cloud computing generally lowers monthly costs of IT and increases sophistication of system security – but unfortunately, it also adds these additional exposures:

  • Directly responsible for breaches or regulatory compliance failures of the cloud provider. Remember, it’s your patient and employee information and you are responsible for its protection regardless of whether you contract it out or someone outside your organization caused the breach.
  • Many cloud providers insist you use their vendor contract which often contains  the following characteristics:
    • Does not contain an adequate or appropriate indemnification or viable risk  transfer of expenses and liability arising out of the negligence of cloud provider
    • Does not legally require the vendor to notify you promptly in accordance with regulations/statutes which may not allow you adequate to time to investigate, report, remediate or reduce legal risk or comply with direct regulatory obligations.
    • Many cloud providers run their business dynamically (change frequency without notifying you) including cost and resource driven decisions that are constantly changing so that you, as a client, may not know:
      • They subcontract data storage and system maintenance to other third parties whom may not be compliant. (provider to providers)
      • Cloud providers often “co-locate” customer’s data and personal health information (PHI) or another customers PHI may be stored in the same infrastructure.  If their information is breached, it may legally constitute a breach of your PHI and trigger notification requirements and costly resources. Even worse, your cloud provider may choose to not even notify you when it happens which technically leaves you in breach of the law unknowingly.
      • In a co-located infrastructure, even if a data breach is acknowledged and reported to you by a cloud provider, they often deny/limit access to allow proper forensic analysis or ability to identify extent of breach, or mitigate future or growing exposures after the initial breach.
      • Many cloud providers are unaware that HITECH legislation makes them directly responsible for breaches under HIPAA and other healthcare regulations for breaches of Personal Healthcare Information (PHI):
        • Cloud providers often don’t know or want to know the data their clients are storing is subject to specific healthcare industry regulation so they are often intentionally ignorant to regulating and compliance requirements.
  • Many cloud provider contracts limit their indemnity to their customer (in the event of negligence, breach or compromise) to a simple contract dollar value which does not reflect the exposure to the customers.

Misconception #4
We’re too small to be a target for cyber extortion.

Think only larger healthcare organizations have to worry about data breaches? Think again. Small allied healthcare professionals probably do not have a robust data protection plans and systems which makes them vulnerable to cyber criminals. When cyber attackers gain unauthorized access to your system, they hold your system and all the information hostage until you pay them the amount they demand. Victims of this extortion usually end up paying the cyber criminals thinking a few thousand dollars is not worth giving up control of their systems and data. In some cases, the victims do not even report the extortion/breach, which would be considered a violation of federal regulations, such as HIPAA compliance. The settlements or judgments imposed by violating regulatory rules along with legal counsel, credit monitoring services, public relations and notification could reach millions, which would be a financial burden for a small allied healthcare business.

In fact, smaller companies are an increasing target since they typically have primitive security and firewalls easy to breach and are often willing to pay $1000-$2000 to take a key lock off their system in response to an extortion threat.  Paying the fee may unlock the system temporarily but if not investigated and system cleaned, the perpetrator can leave a virus or tracer and come back in several months and perpetuate the extortion event again.

Misconception #5
The cost of a cyber breach is limited to notification expenses and credit monitoring.

Some allied healthcare risks are misled into thinking that if a breach of PHI occurs, the only cost they would have to consider is the notification expenses and associated credit monitoring. Not true. Notification expenses are actually the tip of the iceberg. Once a breach occurs, there may be fines and penalties levied against the entity for violating HIPAA compliance as well as payment card industry standards. There will most likely be expenses related to public relations consultants (to repair or mitigate damage to business reputation), credit monitoring services or forensic technicians to determine how, where and when the breach occurred. Often there will be a need to hire a law firm that understands statutes and compliance requirements of the various agencies with oversight authority. Not to mention the loss of revenue associated with senior managers’ distraction or redirection of operating resources to address and manage the consequences of the breach.

Bottom line – cyber liability exposures are a reality in today’s business environment. In addition to researching and securing adequate insurance coverage, organizations large and small need to get educated on cyber liability and then put in place risk management tools and practices to reduce the risk of a breach and engage an expert to help develop an incidence response plan to deal with a breach when it happens.