Like you, I cringe each time I read about another computer data breach. How can the government require me to secure sensitive electronic data when the U.S. Department of Defense can't measure up to the job? It hardly seems fair that the Defense Department gets off with a bit of bad publicity while a small dental office or law firm gets jammed up for millions of dollars when the computer mafia strikes. To protect ourselves from liability, many of us purchase insurance coverage. But is that coverage worthless?

A few years ago, IBM hired a company to transport and store computer tapes containing personal information of IBM employees. The data fell off the truck transporting it and was stolen. There is no evidence that the thieves have used the data. IBM notified its employees and paid for identity theft protection services. It then went after the data transporting company to recoup its $6 million in expenses. That was when the data company learned that its insurance company would not cover the loss. The insurance company argued, among other things, that it only covered "personal injury" losses. Because there was no proof that the data had been used, it claimed that there was no personal injury. Sadly, the court agreed. As for me, I would consider the loss of $6 million to be a significant personal injury.

In another case, a California hospital system suffered a data breach affecting 32,500 patients. It settled the patients' claims for over $4 million. Afterwards the hospitals' insurance company argued in court that the hospitals' failure to follow reasonable data protection standards invalidated the insurance policy. To me this sounds like a car insurance company refusing to pay a claim because its insured was driving carelessly. Unfortunately, the court agreed with the insurer. The hospitals ended up paying huge premiums for useless insurance coverage, even more money in attorney fees and court costs in their case against the insurance company, millions to settle the patients' lawsuits, and a fortune to defend themselves against prosecution from state and federal privacy regulators. Ultimately, their patients will bear these losses in the form of more expensive health care.

Other cyber liability insurance policies exclude coverage for hacks perpetrated by foreign governments. Also, they do not cover data breaches resulting from failing to update software or failing to properly encrypt data. Things become even more complicated when your data is stored on the "cloud" and thieves get your data by hacking the cloud. Will your insurance policy step in on your behalf? Will the "cloud" company protect you?

In one of the largest publicized data hacks, the Sony Corporation faced 58 class action lawsuits after criminals stole data of 77 million customers. Zurich American, Sony's insurer, initially refused coverage. Only after much litigation and expense were the parties able to settle the case.

One lesson from these and other similar cases is that you must have your attorney carefully review any cyber-liability policy before you sign on the dotted line. Another lesson may be that you absolutely must have a skilled IT consultant who is familiar with federal privacy standards. As for me, I'm reverting to paper documentation whenever possible. The real lesson from these cases is that there's no way to win this battle.