A large portion of the hundreds of data breaches and thousands of data security incidents that occur each year involve human-resource-related issues. These include situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part of the series discusses whether your organization has (or should have) cyber-insurance to cover the risk of a breach that impacts one of your HR service providers.
Only about 50% of companies have purchased insurance specifically designed to cover part, or all, of the costs of a data security breach (“cyber-insurance”). In order to understand why some companies choose to purchase cyber-insurance, while other companies choose not to do so, you have to take a look at what cyber-insurance in general is designed to do, and whether a specific policy that your organization has (or is considering) truly mitigates risk for your organization.
Cyber-insurance policies differ dramatically in terms of what they cover, what they exclude, and the amount of retentions (i.e., the amount of money that the insured organization is responsible for paying before the policy provides reimbursement). If your organization has a cyber-insurance policy, you should review it carefully before a security incident occurs so that you understand the degree to which the policy protects (and does not protect) your organization from potential HR-incident related costs and liability.
The following checklist provides a guide to evaluating a cyber-insurance policy in connection with how it might apply to a breach involving an HR service provider.
Service Provider Incidents
- Coverage: Most companies provide employee-related data to health insurance providers, third-party administrators, payroll processors, tax preparers, and/or disability insurers. Some, but not all, insurance policies are drafted to cover security incidents that impact data that is in your possession, or is in the possession of one of your service providers.
- Exclusions: If your policy does not state that it covers your employees’ data while in the possession of a service provider, confirm whether the policy excludes data security incidents that occur to third parties holding your employees’ data. Some policies don’t include an express exclusion, but when you look at the definitions of “personal information,” “security systems” or “information technology,” they make clear that the policy only applies to data that is physically under your organization’s control.
- Responsibilities: Although some policies do not expressly state that they cover breaches that occur while data resides with your service provider, they are triggered any time your organization has a statutory duty to investigate or respond to a security incident. Most state data breach notification statutes require that the “owner” of data issue data breach notifications and that a licensee of data only notify the owner. Because most employers are the “owners” of the data that they collect about their employees, if a service provider informs you of a data incident, you may be able to trigger your insurance coverage based upon your statutory obligation to investigate the incident and to notify the employees and/or government agencies.