Protecting Institutions From Cyber Risks

Recently, an email glitch at Florida State University resulted in the accidental emailing of alleged misconduct and housing violations to more than 13,000 current and former students. The emails may have revealed the personal information of multiple students and may have disclosed confidentially reported information relating to harassment and alleged sexual assaults. The emails were not sent by anyone on campus but were the result of a technical glitch in the university’s database. The glitch left students confused and, in some cases, frightened and concerned for personal safety. University personnel, including FSU’s Title IX Coordinator, moved quickly to address student concerns, but the proverbial cat was already out of the bag. It will likely be some time before the full consequences of the breach will be known or what the final outcomes will be. In the wake of FSU’s inadvertent disclosure crisis, a review of the privacy procedures in place at an institutional level may be in order to prevent these types of unintended disclosures in the future. It is also important to review the indemnity agreements between the university and third-party service providers such as the database administrator or software provider. Finally, it is important to review how cyber liability insurance may respond in the event of a data breach. Data Privacy Protocols When discussing data privacy protocols, there are three primary areas of concerns. They are how to protect:

1. Information (e.g., personally identifiable data stored on a server)
2. Mechanisms/systems that make up the physical housing for the information (e.g., the server itself)
3. Users accessing the information

A breach of confidential information or data loss can occur at any of the three levels in any number of ways. It is impossible to quantify or evaluate every single manner in which a breach may occur—or how data may be lost. What is important is establishing a protocol that takes into consideration all three areas where a breach may occur. In most cases, it is easy to focus on external threats and user misconduct but overlook the potential for data breach arising from internal system failures or glitches. See Also: How Colleges Can Work With Insurers In developing data security protocols, it is important to engage in a comprehensive threat assessment that includes evaluation of user-based or external potential breach areas as well as the possibility of an equipment failure/glitch. A few areas to consider when reviewing internal data breach/data loss response protocols:

1. Who is the architect of the protocols? (Are the foxes guarding the hen house?)
2. Does your protocol comply with statutory requirements and contractual requirements such as PCI compliance, Title IX, HIPAA or other state and federal laws?
3. Does the protocol specifically address each element of concern identified above? (protection of information, protection of systems, protection of users)
4. Is there a progressive (tree) notification process? (Do the participants understand where they are in the tree? Does the process include notification to external stakeholders such as legal authorities, insurers, external legal counsel, and crisis management or PR firm?)
5. Is there strong leadership/executive level buy-in of the protocol?
6. Is there a training element? (Does it include tabletop or scenario-based practice?)
7. Is there periodic review of systems and processes to identify and change obsolete protocols and replace key stakeholders in the event of turnover?

Indemnity/Hold Harmless/Limitation of Liability Agreements Vendor service agreements, user license agreements and even software agreements typically include indemnity terms. In most cases, these terms are one-sided, in favor of the seller or service provider. Essentially, the purpose of an indemnity agreement is to contractually shift responsibility for loss/damage from one party (seller) to another party (buyer). These types of agreements vary in scope, strength and enforceability but, in most cases, involve a release or limitation of buyer’s claims or potential claims against the seller. In some cases, the buyer may assume full responsibility for any loss, including an affirmative responsibility to protect and defend the seller in the event of third-party claims. There may also be a limitation on the type and extent of damages a buyer may seek against the seller or service provider—in some cases, the recovery may be limited to the value of contract or agreement. Your institution’s risk management and legal teams should carefully review indemnity terms to fully understand the extent of risk assumed by the institution in executing an agreement with a third party. As part of a comprehensive risk management process, consider limiting acceptance of comprehensive indemnification terms in a contract. This is especially important where the institution is being asked to waive its legal rights or outright indemnify a vendor for the vendor's own negligence, misconduct or product/service failure. A few areas to consider in reviewing contract terms: Indemnity/Hold-Harmless Terms

1. Who is the indemnitee (recipient of the indemnity) and who is the indemnitor (provider of the indemnity)?
2. Does the indemnity agreement require one party to indemnify for the other party’s own negligence or misconduct?
3. Does the indemnity agreement include an obligation to affirmatively defend the indemnitee? Is there is a time limit to accept or reject the defense?
4. Who is responsible for counsel selection?
5. Is approval needed to settle claims?

Limitation of Liability

6. Is there a limitation of liability?
7. Does the limitation favor the institution or vendor?
8. Is the limitation reasonable in light of the potential for loss or damage or the nature of the service provided? (Limiting liability to the contract value may not be reasonable if the contract value is low and the risk of loss is high.)
9. Are there carveouts for negligence or misconduct, or is the limitation of liability intended as the sole remedy?
10. Does the limitation of liability conflict with the indemnity terms? 

Cyber Liability Insurance In the past few years, cyber liability insurance has gained significant attention among insurance brokers and clients. Cyber insurance refers to a suite of related insurance products that provide various types and levels of protection to insureds that may suffer from data loss or data breach. There are three major components of cyber liability insurance:

1. First-party coverage for loss or damage to or interruption of the institution’s electronic equipment and electronic services
2. Third-party coverage for the liability imposed upon the institution for loss or exposure of third-party data; coverage for third parties may include costs for notification, credit monitoring and credit restoration services
3. Coverage for regulatory requirements as well as for fines and penalties assessed against the institution as part of a covered loss

Unlike some property and casualty insurance products such as general liability or auto insurance, cyber liability insurance is not standardized. Instead, each insurance company issues a customized policy. These policies may vary greatly from insurer to insurer and can often include a la carte coverages that may significantly affect the breadth and scope of coverage. A careful review of institutional and vendor policies is strongly recommended to ensure that the coverage purchased addresses the actual risks of the institution. Some questions to consider when reviewing your cyber liability policy:  See Also: A Better Way to Assess Cyber Risks? First-Party Coverage

1. How does the policy respond to loss or damage to the institution’s own computer equipment, servers or other hardware components?
2. How does the policy define a physical loss? (does it include loss of Internet-based platforms such as web portals or only loss to physical components)
3. Is there a waiting period for business or data interruption? 

Third-Party Coverage

4. How does the policy respond to breach of confidential or personally identifiable information?
5. Is coverage provided based on a total number of affected persons or provided on a blanket limit basis?
6. Is there a minimum/maximum affected person limit?
7. How is a third-party loss defined? Does it include accidental loss, computer glitches or loss of non-electronic information? (e.g., is there coverage if a laptop containing personally identifiable information is lost? Or if physical records are removed or destroyed?)
8. Is the coverage triggered only when there is a statutory or governmental notification requirement, or does it cover voluntary notification?

Fines/Penalties

9. Does the policy include coverage for fines/penalties including payment card industry (PCI) data security standards noncompliance?
10. Is there a sublimit for the coverage?
11. Are punitive or exemplary damages included? 

Conclusion It is important to take a thoughtful approach to securing data in all its various forms. An individual protocol alone is not enough to fully secure your institution in the event of a data breach. It is also important to review vendor service agreements, user agreements and software licenses to ensure an understanding of the indemnity/hold-harmless and limitation of liability provisions, which may be present in a current agreement—and which may open up the institution to unintended liability due to the negligence or misconduct of a third party. Finally, it is important to review and understand the types and scope of the institution’s cyber liability coverage—or to consider purchasing this coverage if the institution does not currently maintain coverage.