A large portion of the hundreds of data breaches and thousands of data security incidents that occur each year involve human-resource-related issues. These include situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part discusses whether your organization has (or should have) cyber-insurance to pay for a forensic investigation.
Only about 50% of companies have purchased insurance specifically designed to cover part, or all, of the costs of a data security breach (“cyber-insurance”)1. To understand why some companies choose to purchase cyber-insurance while others do not, you have to look at what cyber-insurance in general is designed to do, and whether the specific policy that your organization has (or is considering) truly mitigates risk for your organization.
Cyber-insurance policies differ dramatically in terms of what they cover, what they exclude, and the amount of retentions (i.e., the amount of money that the insured organization is responsible for paying before the policy provides reimbursement). If your organization has a cyber-insurance policy, you should review it carefully before a security incident occurs so that you understand the degree to which the policy protects (or does not protect) your organization from potential HR incident-related costs and liabilities. If you are not used to reading an insurance policy, or are not familiar with cyber-related risks, consider asking others within your organization who may have more experience with interpreting insurance policies to review the policy with you. In some cases this may be your risk manager, your legal department, or your organization’s outside counsel. Policies may also obligate your organization to take specific actions, such as notifying the insurer or using pre-approved data incident response resources (e.g., investigators, credit monitoring, mailing services, public relations firms, or outside counsel). Because data security law is rapidly evolving and changing, you should try to review the policy annually to ensure that its protections continue to align with changes in the legal landscape, coverage trends, and your organization’s operations.
The following checklist provides a guide to evaluating a cyber-insurance policy in connection with how it might apply to an HR data-related incident. The points to consider are broken down by the type of issue or service for which you might seek insurance reimbursement or guidance. Before completing the checklist, determine whether your organization’s goal in purchasing insurance is to help it handle typical data security incidents, to help it cope with catastrophic data security breaches, or both.
- Coverage: Does the policy cover the cost of retaining a forensic investigator? Restrictions on which forensic investigators may be used can be important. Forensic investigation is not a commodity, and there can be significant differences between investigators. While some insurance companies may focus on unit price (e.g., billable rates) when selecting the panel of providers that they prefer, many organizations would rather focus on overall price, reputation, or the ability of an investigator to work well with the organization’s HR, IT, or legal departments.
- Sub-limit: Does the policy have a sub-limit for forensic investigation costs? A sub-limit refers to a cap on the amount of money that the insurer is willing to pay, which may be less than the policy’s overall limit. Is the sub-limit proportionate to the average cost of retaining a forensic consultant to investigate a data security incident?
- Sub-Retention: Does the policy have a sub-retention (i.e., a deductible) that applies when hiring an investigator? A sub-retention refers to the amount that your organization must pay before insurance will begin reimbursing you. In the context of HR-related data security incidents, the amount of the sub-retention may be the most significant factor when considering whether cyber-insurance is likely to help defray the cost of a forensic investigation. While the costs incurred by a forensic investigator can vary greatly, the highest-cost investigations are often those in which the investigator must examine hundreds (or sometimes thousands) of computer systems. Those types of investigations are extremely rare in the context of HR-related incidents, which often involve a single file, a single computer, or a single server. As a result, if there is a significant retention that must be met before the cost of a forensic investigator will be covered by the insurer, the insurance may have limited benefit. Indeed, sometimes a cyber-insurance policy can do more harm than good. For small incidents whose cost will most likely fall below your retention, the organization may feel compelled to retain the insurer’s chosen forensic investigator even though there is an extremely small likelihood that the insurer will cover any of the costs. In some situations, this means that the insurer gets to decide which vendors your organization hires, while you bear the cost and consequences of their work.