A large portion of the hundreds of data breaches and thousands of data security incidents that occur each year involve human resource related issues. This includes situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach. This part of the series discusses whether your organization has (or should have) cyber-insurance to cover the risk of a regulatory investigation.
Only about 50% of companies have purchased insurance specifically designed to cover part, or all, of the costs of a data security breach (“cyber-insurance”). To understand why some companies purchase cyber-insurance while others do not, you have to look at what cyber-insurance in general is designed to do, and whether the specific policy your organization has (or is considering) truly mitigates risk for your organization.
Cyber-insurance policies differ dramatically in what they cover, what they exclude, and the size of their retentions (i.e., the amount the insured organization must pay itself before the policy begins to reimburse). If your organization has a cyber-insurance policy, review it carefully before a security incident occurs, so that you understand the degree to which the policy protects (and does not protect) your organization from the costs and liability of an HR-related incident.
The following checklist provides a guide to evaluating a cyber-insurance policy in connection with how it might apply to a regulatory investigation concerning how your company protected (or failed to protect) employee data.
- Coverage: Does the policy cover regulatory proceedings that may result from a breach? If so, does the coverage extend to legal fees incurred in a regulatory investigation or regulatory proceeding? Does it also cover the fines or civil penalties that may be assessed as a result of a proceeding?
- Exclusions: Does the policy exclude investigations brought by the agencies most likely to investigate your organization? For example, most employers are subject to the jurisdiction of the Federal Trade Commission and of their state attorney general when it comes to how they protect their employees’ data. If your policy excludes investigations by those agencies, it may be of relatively little value. If you offer a self-funded health insurance plan, you should also avoid any policy that excludes coverage for investigations brought by the Department of Health and Human Services.
- Sub-limit: Is the sub-limit proportionate to the average cost of defending a regulatory investigation and/or the average cost of the fines assessed to other organizations in your industry?
- Sub-retention: Does the policy have a separate sub-retention (i.e., deductible) for the cost of a regulatory investigation? If so, is the sub-retention well below the average cost of regulatory penalties and fines? If legal fees incurred in a regulatory investigation are covered, is the sub-retention also well below the legal fees you would expect to incur? A sub-retention that approaches the likely cost of the investigation means the policy will rarely pay out for it.