While recent high-profile data breaches seem to have focused on multinational retailers like Home Depot, Michaels, and Target, healthcare providers and payers have been—and continue to be—on the front lines of cyber risk. Of the 142 data breaches publicly reported during the last six months of 2014, 47, or approximately one-third, involved the disclosure of personal health information from a public or private healthcare provider or payer. Large-scale data breaches in the healthcare industry have been reported annually since late 2009.
Because of the pervasive and long-term nature of cyber risk, many healthcare providers have already obtained dedicated network and privacy liability or “cyber” insurance coverage. Those risk managers who have gone through the process of negotiating “cyber” coverage know that a crowded field of insurers offering widely varying policy terms and conditions awaits any new entrant to the cyber risk pool. For new or renewing policyholders still uncomfortable with the sometimes-confusing litany of insuring agreements, exclusions and other conditions to be considered in purchasing cyber coverage, here are seven tips for maximizing coverage under your healthcare network/privacy liability policy.
- Insuring Agreements. Cyber policies are often structured “a la carte,” with separate insuring agreements for any number of different coverages, including business interruption, privacy notification, credit monitoring, reputational response, cyber extortion, forensics and regulatory investigation response. When negotiating coverage, consider whether a single, broadly worded insuring clause would be preferable (both in terms of premium and in terms of the insured’s burden of establishing coverage) to a series of narrowly focused insuring clauses. Depending on the specific risk profile of the insured, less may be more.
- Who is insured? Defining carefully who is insured may affect not only the individuals or entities entitled to obtain coverage but also the scope of the conduct that is covered. To the extent that network/IT processes are outsourced to third parties, make sure that (1) the appropriate parties are insured under your policy or under a third party’s coverage; and (2) contractual risk transfers are in place (supported by insurance) with appropriate waivers of subrogation.
- What is the “trigger” of coverage? While generally captioned as “claims made” policies, depending on the insuring agreement, coverage under network and privacy liability policies may be tied to an “incident,” “event,” or “injury,” as opposed to a “claim.” When coverage is subject to sublimits, retentions, deductibles and notification obligations, how the “injury,” “event” or “incident” is defined may determine when notice is required, the policy and period that will respond to a claim, and the amount of coverage (in terms of retentions, deductibles or policy limits) available to the policyholder. Given the difficulty inherent in discovering and documenting the date when a breach occurred or the number of exfiltrations that may have taken place over time, policyholders and insurers should be very deliberate in addressing the policy’s “trigger” of coverage.
- What constitutes a “Claim”? In many network/privacy liability policies, the definition of “claim” does not include regulatory investigations. Given the particular regulatory risk that exists for healthcare providers in the event of a loss of personal health information, policyholders should request terms that include regulatory investigations of an insured person or organization, including subpoenas or informal demands for documents, testimony or other information. As appropriate to the insured’s risk profile, policyholders should also consider adding language to the “claim” definition that includes requests to enter into a tolling agreement and demands for mediation, arbitration or other alternative dispute resolution processes.
- Coverage for “fines” and “penalties.” Covered “loss” or “damages” should include amounts paid as defense costs, settlements, judgments, and pre- and post-judgment interest. “Damages” should also include fee awards. Most policies exclude fines and penalties from covered “loss” or “damages.” Nonetheless, penalties ordered to be paid under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, the Gramm-Leach-Bliley Act (“GLBA”), state privacy laws or similar laws, rules and regulations should be included, to the extent insurable under whichever applicable law is most favorable to coverage of such amounts.
- Selection of Counsel. Some policies contractually cede responsibility for the insured’s defense to the policyholder itself. Others provide for the insurer’s “right and duty to defend.” If the latter, in order to take advantage of the prevailing law in many states entitling the insured to select independent defense counsel in the event of a conflict of interest between the insurer and insured, policyholders should not contractually waive the right to select independent counsel. In the event that a policy form requires the insured to select from an approved list of panel counsel firms to defend a particular type of claim, the insured should request the inclusion of its preferred defense counsel on the list of approved firms.
Like every policy, each policyholder is unique. Not all of the above-referenced recommendations are possible or even advisable for every insured organization. Market conditions change over time. Policy forms evolve. But by being attuned to these and similar issues during the underwriting and negotiation process, policyholders ideally will maximize their recovery and minimize disputes in the event of a claim.
Micah Skidmore is a partner in the Insurance Coverage Group at Haynes and Boone, LLP. Micah represents corporate policyholders in significant insurance coverage disputes, including assistance in recovering defense costs, settlements, judgments and other losses under various types of insurance policies.