This article courtesy of guest blogger Alfonso Nardi, a student at Roger Williams University School of Law.
Commercial General Liability policies (CGL) typically
do not include data protection loss coverage, although some insurers offer
additional data protection endorsements. Normally those additional endorsements
only cover data losses caused by physical damage. That means, if your employee
damages a server that stores client or patient data, that could trigger
coverage.
It would not, however, cover the same employee accidentally releasing
client/patient data, or loss from ransomware or other malware. In a recent
case, the parties disputed whether the insurance company had a duty to
defend the insured against class-action allegations that the insured posted
patient data on the internet. In April, a federal appeals court in Virginia
upheld a lower court ruling that a CGL policy may cover the underlying data breach. This
contrasts with two state court cases in New York and Connecticut, which held that CGL
policies generally do not impose a duty to defend in the
instance of cyber-attacks.
Cyber insurance policies (CIP) don’t guarantee
coverage for data breaches either. CIP underwriting requires risk management
professionals to have a plan, method, and an understanding of what coverage is
needed for the organization. Although it varies by company, most CIPs require that this
analysis be provided, along with the organization's own privacy policy, in its
application for insurance, and bind it with the coverage. This was the case in Columbia
Cas. Co. v. Cottage Health Sys., where Columbia issued its CIP to
Cottage Health Systems. After a breach resulted in the loss of 32,500 patients’
information by Cottage Health, Columbia denied coverage when it found that the
insured misrepresented its information privacy practices and security in 10
instances on its application.
The message should be clear: don’t rely on insurance for data breach
protection. It is important that an entity has a privacy policy and security
measures in place and in force.