A large portion of the hundreds of data breaches and thousands of data security incidents that occur each year involve human-resource-related issues. These include situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part of the series discusses whether your organization has (or should have) cyber-insurance to pay for identity theft related services that you might decide to offer employees after a breach.
Only about 50% of companies have purchased insurance specifically designed to cover part, or all, of the costs of a data security breach (“cyber-insurance”). In order to understand why some companies choose to purchase cyber-insurance, while other companies choose not to do so, you have to take a look at what cyber-insurance in general is designed to do, and whether a specific policy that your organization has (or is considering) truly mitigates risk for your organization.
Cyber-insurance policies differ dramatically in terms of what they cover, what they exclude, and the amount of retentions (i.e., the amount of money that the insured organization is responsible for paying before the policy provides reimbursement). If your organization has a cyber-insurance policy, you should review it carefully before a security incident occurs so that you understand the degree to which the policy protects (and does not protect) your organization from potential HR-incident related costs and liability.
Coverage: There are a number of different services that employers consider offering to employees following a data breach that involves employee data. These include credit monitoring (i.e., monitoring employees’ credit reports for suspicious activity), identity restoration services (i.e., helping employees restore their credit or helping employees close fraudulently opened accounts), identity-theft insurance (i.e., defending employees if creditors attempt to collect upon fraudulently opened accounts and reimbursing employees for any lost funds), and dark web monitoring (i.e., monitoring the internet and hacker-websites to see if they refer to your employees). For simplicity, we refer to all of these services collectively as “identity theft services.” The first thing to check is whether the cyber-insurance policy offers some, or all, identity theft services in the event of a breach. If so, look for any limitations on when the coverage is triggered.
Exclusions: Some policies exclude identity theft services if providing them is not “required” by law. If your policy contains this exclusion, it is important to note that very few laws formally require that employers offer identity theft services. As a result, consider whether a policy that requires that such a law be triggered is providing anything of real value.
Panel providers: Does the policy require you to use a certain company to provide identity theft services? If so, do you have a relationship with a different provider? Does the provider that is listed on the panel have a history of consumer complaints? Does it have a history of alleged unfair or deceptive trade practices? Must the provider, or the insurer, indemnify you if one of your employees complains about the services offered? It’s important to note that different insurance companies select different panel providers for different reasons, and just because a company is listed on your insurance company’s panel does not necessarily mean that it is the right choice for your organization. For example, some panel providers do not offer the full range of identity theft services. Other panel providers may have a financial interest in making sure that you purchase a particular identity theft service, even if that service is not the best “match” to the type of incident that impacted your employees.
Sub-limit: Does the policy have a sub-limit on the total amount it will pay for identity theft services? If so, is the sub-limit proportionate to the number of employees (and former employees) about whom you hold information?
Sub-retention: Does the policy have a sub-retention (i.e., a deductible)? Be wary of insurance policies with significant retentions. You may find yourself having to pay an identity theft service provider that you did not choose, at a rate that you did not negotiate, for services that you might not have selected.
Cost Reductions: Organizations that have fewer than 5,000 employees often find that, even if they had an incident that resulted in the loss of all of their current and former employees’ data, the cost of identity theft services is still below the retention and, therefore, insurance provides little, if any, direct benefit. Even if insurance provides no financial coverage, in some situations it may provide an indirect benefit. The retail cost of identity theft services is often many times greater than the wholesale cost. However, many identity theft service providers charge a fixed minimum amount (e.g., $10,000) in order to access that wholesale rate. As a result, in a small breach, you may find that it costs the same to offer an identity theft service to 100 employees as it would to offer it to 1,000 employees. Some identity theft service providers may waive that fixed fee for companies that have insurance through one of the provider’s partners. As a result, even if the retention is set so that your insurance does not cover the cost of identity theft services, you may still save money if a fixed fee or start-up fee is waived.
Pre-Paid Fees: Many employers now provide their employees with identity theft-related services as part of an employee benefits package. If your organization pre-emptively purchased identity theft services for all of your employees, or purchased the right to provide employees with identity theft services if an incident arises, many insurance companies may refuse to compensate you for those costs by claiming that the fees and expenses that were incurred by your company were part of its normal course of business. As a result, if you already provide these types of benefits and are evaluating the utility of a cyber-insurance policy, you should consider whether coverage for identity theft services has any value to you.