A large portion of the hundreds of data breaches and thousands of data security incidents that occur each year involve human-resource-related issues. These include situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part of the series discusses whether your organization has (or should have) cyber-insurance to pay for notices that may need to be sent to employees about a breach.
Only about 50% of companies have purchased insurance specifically designed to cover part, or all, of the costs of a data security breach (“cyber-insurance”). In order to understand why some companies choose to purchase cyber-insurance, while other companies choose not to do so, you have to take a look at what cyber-insurance in general is designed to do, and whether a specific policy that your organization has (or is considering) truly mitigates risk for your organization.
Cyber-insurance policies differ dramatically in terms of what they cover, what they exclude, and the size of their retentions (i.e., the amount of money that the insured organization is responsible for paying before the policy provides reimbursement). If your organization has a cyber-insurance policy, you should review it carefully before a security incident occurs so that you understand the degree to which the policy protects (and does not protect) your organization from potential HR-incident-related costs and liability.
The following checklist provides a guide to evaluating a cyber-insurance policy in connection with how it might apply to notifications that an organization needs to send to employees following an HR-data-related incident.
- Coverage: Does the policy cover the cost of issuing notices to employees? If so, does the coverage give the organization the right to control how those notices are provided (e.g., in paper format versus electronic format)? Does it require that the organization avail itself of “substitute notice” when permitted by statute? Substitute notice refers to a process, permitted by most states, in which an organization publicizes a breach via its website and/or state-wide media; if you provide substitute notice, you may not be required to send individualized letters to impacted employees. Many organizations – particularly in situations in which a breach involves only HR-related data – prefer not to publicize an incident, since doing so may harm the overall reputation of the organization and lead clients or consumers to mistakenly believe that their data was impacted. As a result, it is important to make sure that your insurer cannot refuse to pay for printing and mailing notification letters if your organization decides that issuing notifications in that manner is necessary to protect the organization’s reputation and brand.
- Exclusions: Does the policy exclude notifications that are not expressly required under a state data breach notification statute (e.g., “voluntary” notifications)? If so, are there situations in which your organization might decide to issue voluntary notices in order to limit reputational damage or decrease the likelihood of a class action filing? Make sure that you understand whether those notices will be covered under the policy.
- Sub-limit: Does the policy have a sub-limit on the total cost of issuing employee notifications or on the total number of employee notices for which the policy will provide reimbursement? If so, is the sub-limit proportionate to the number of employees about whom the organization maintains personal information?
- Sub-retention: Does the policy have a sub-retention (i.e., a deductible) for either the cost of issuing employee notifications or the number of employee notices that must be paid for by the organization before insurance coverage kicks in? In the context of HR-related data security incidents, the amount of the sub-retention may be the most significant factor to look for when considering whether cyber-insurance is likely to provide a benefit. Specifically, organizations that have fewer than 5,000 employees often find that even if they had an incident that resulted in the loss of data about all of their current and former employees, the notification costs would still fall below the retention and, therefore, the insurance would provide little, if any, benefit.