Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 million.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

  • costs associated with post-data breach notification
  • credit-monitoring services
  • forensic investigation to determine cause and scope of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types of coverage as well, including media liability coverage (for claims alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first-party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

The Fallout From Ill-Advised Tweets

During the presidential debate on Oct. 3, 2012, a KitchenAid employee used the corporate account to send a tasteless (some would say disparaging and grossly offensive) tweet regarding the president’s grandmother. KitchenAid quickly apologized to the president and his family and explained what happened. In other words, KitchenAid followed the “rules” of reactive reputation management.

KitchenAid was praised for responding quickly. But the outrage about the tweet was overwhelming, if only for a short period, and underscores that companies need to consider their potential liability from ill-advised tweets.

A bit of background: Libel (written) and slander (spoken), collectively known as “defamation,” which is the general term used internationally, are civil wrongs (sometimes carrying criminal penalties) that harm a reputation, decrease respect, regard or confidence or induce disparaging, hostile or disagreeable opinions or feelings against an individual or entity. If the allegedly defamatory assertion is an expression of opinion rather than a statement of fact, defamation claims usually cannot be brought because opinions are inherently not falsifiable. However, some jurisdictions decline to recognize any legal distinction between fact and opinion. 

Contrary to a general belief that insulting tweets (or comments online through Facebook, online message boards, etc.) are exempt from libel laws because they are fleeting, libel laws apply to the Internet the same way they do to newspapers, magazines, books, films, etc. The same technology that gives you the power to share your opinion with thousands of people also qualifies you to be a defendant in a lawsuit.

In considering your legal exposure if an employee may have committed libel, you must consider the country you live in, as well as your exposure to libel laws around the world.

U.S.

The medium for communication is irrelevant; even an email to a single person can be libelous if the sender knew a statement to be false, acted with reckless disregard for the facts or was otherwise irresponsible. To be libelous, the statement must also cause some damage.

United Kingdom 

The basis of British libel law is not substantially different from that in the U.S.: to protect the reputation of an individual from unjustified attack. In British law, a person is defamed if statements in a publication expose a person to hatred or ridicule, cause a person to be shunned, lower a person in the estimation of “right-thinking” members of society or disparage a person in his work. In the U.K., though, the burden of proof is with the defendant, while in the U.S. the plaintiff must provide the proof. Unlike in the U.S., there is also no provision in the U.K. that makes it harder for public figures to win a judgment; in the U.K., a public figure does not have to prove a statement was made with malice.

Almost all of the rest of the world

There is ever-expanding concern about the use of social media, especially Twitter, to post harassing, offensive and false statements that are defaming or invade another’s privacy. As one judge said: “Twitter as we all know is widely used by individuals and organizations to disseminate and receive information. It is inconceivable that grossly offensive, indecent, obscene or menacing messages sent in this way would not be potentially unlawful.” ([2012] EWHC 2157 (Admin) at [23].) In India, amendments to the Information Technology Act, 2000 (IT Act) specify that defamation via a computer or communication can lead to a prison term of three years and a fine. (The United Nations Commission on Human Rights ruled in 2012 that the criminalization of libel violates the right to freedom of expression and is inconsistent with Article 19 of the International Covenant on Civil and Political Rights. The impact of this ruling, if any, is not part of the discussion in this article.)

Now, let’s consider liability if you or an employee is the “retweeter”:

U.S.

If you retweet a libelous statement in the U.S., you or the company you work for may be protected from defamation liability based on Section 230 of the Communications Decency Act, which states, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Simply put, this means you cannot be sued for something you retweet, even if the original tweet is libelous, so long as the libelous content was created by a third party. However, if you did have control (it was KitchenAid’s corporate Twitter account) or you add something defamatory, you could be held responsible.

United Kingdom

Keir Starmer QC was addressing the London School of Economics about social media in 2012 when he was asked: “Is it an offense to retweet something grossly offensive?” He replied: “You retweet, you commit an offense under the Act.”

The “Act” is the Communications Act, which outlaws sending a tweet that is “grossly offensive or of an indecent, obscene or menacing character.” A person can be prosecuted if he “causes any such message or matter to be so sent.”

For example: In 2012, the British Broadcasting Corporation settled a libel suit for about $300,000 with a UK politician. (The BBC reported that he was involved in a child sex abuse scandal but should have known the statement was false.) The UK politician then sought libel damages from at least 20 “high profile” people who tweeted and retweeted the report.

Because tweets cross borders so easily, Twitter users in the U.S. and elsewhere should take the UK law into account.

India

Some legal scholars in India say that even accidentally retweeting an offensive tweet can create liability.

Freedom of Speech?

While freedom of speech in the U.S. is a constitutional right, legal exceptions make that right limited. For example: Speech that involves incitement, false statements of fact, obscenity, child pornography, threats and speech owned by others are all completely exempt from First Amendment protections. The U.S. Supreme Court has ruled that the First Amendment does not require recognition of a privilege for those stating opinions. Therefore, the position that nothing should stand in the way of unabashed free speech on the Internet is like the ostrich with its head in the sand. Defamation and speech intended to inflict severe emotional distress are not protected. States can and do regulate this type of speech.

So here is the takeaway:

If you or an employee tweets or retweets something defamatory, you may face a libel claim. It doesn't matter how quickly you delete the entry or whether you follow up with a correction or an apology. It also doesn't matter where in the world you are.

Disclaimer: The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter hereof. Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or part of this article.

Social Media And The Insurance Implications

Most marketing and communication departments know all too well that social media and social networking sites are a treasure trove of opportunity for elevating your personal or corporate brand. Employees use social media for personal purposes, but also use it as a forum to talk about their boss, their company, their products, their problems and whatever else is on their mind. There are 200-plus social media sites in English alone, Facebook recently reached one billion users, and Twitter puts out more than 170 million tweets per day. That is a lot of free advertising!

However, what many businesses fail to remember is that, despite all of the positive aspects social media brings to a firm's marketing, communication, and sales efforts, it's also rife with opportunity to damage their brand and cause a financial loss. While it's free marketing, it's also a lot of unedited content being published online that could be about your business, about your products, or attributed to you. Could a competitor feel that your employees are slandering their people or products? Could a competitor gain inside information about your organization? Could an employee divulge information that could get them fired? Could you or your employees inadvertently offend prospects and clients? In short, yes. As social media use continues to evolve and grow, it's important to consider this exposure to your organization.

Using Social Media To Generate Business Leads
All of this can be scary, but you can't ignore the great opportunities created by social media. Any organization not taking advantage of social media sites is signaling that it is not evolving with the times, and there is nothing close to matching the immediacy of broadcasting your news through social networking sites. A well-crafted social media strategy can generate a lot of interest in your product or services and drive traffic to your website where more specific information can be provided.

“In time, the proper execution of a focused social media strategy is an efficient means of staying in front of prospects. When the prospect has a business problem, your positioning as a credible, knowledgeable resource can help you get in the door and, hopefully, close the deal,” says Randy Stoloff, Director of Marketing and Social Media at AmWINS Group Benefits in Warwick, Rhode Island.

It is critical to have all content reviewed by someone within your organization who can be responsible for stopping improper content from being released. It's also important to review applicable insurance policies, such as a website media policy or cyberliability policy, to be sure social media activities are covered.

Using Social Media For Crisis Response
Imagine a time down the road when your best customers follow your social media feed and you need to get news out in a hurry about something that could cause your most prized customers harm. Assuming you have or hire qualified public relations professionals who can help you craft the proper way to phrase the announcement, you can get important news out immediately to show your concern for your customers and for transparency. Social media provides the most immediate way to communicate with your target audience. There are many insurance products currently available that assist with handling the public relations aspect of a crisis response. Having your social media presence established prior to a crisis will help you deal with the crisis in a targeted fashion.

Can Social Media Sites Be A Network Security Risk?
Besides the potential for hackers to use employee information on social media sites to figure out passwords, the sites can also be used to transmit computer viruses and other dangerous malware. As a result, many corporations block employee access to social networking sites. If the corporation has a cyberliability insurance policy in place, be sure it addresses security issues emanating from social media. The coverage may be limited to networks owned or controlled by the corporation.

Should I Address Social Media In My Employee Handbook?
This is a topic that requires legal counsel with experience in employment law as well as social media. It makes sense as a business owner to establish a guideline on what social media activities are permissible for employees, but it must be carefully worded. The National Labor Relations Board has published guidelines that may help. Most companies work very hard to establish a professional image and reputation. Employees often mistakenly think that commenting in social networking sites is somehow exempt from personal responsibility. The press is full of examples of disgruntled employees commenting on working conditions, complaining about their managers or coworkers, or commenting on confidential internal activities. Employees have been terminated for their conduct and they've sued for wrongful termination. You are likely to find coverage for the wrongful termination claims on your employment practices liability (EPL) insurance policy. Working with a professional is critical for navigating this minefield. You may not be able to avoid the litigation, but you can lay the groundwork for an effective defense.

Do I Need A Social Media Component In My Employment Contracts For My Executives?
Your top executives can also make mistakes using social media. Sensitive information can be leaked out accidentally by people who see the most sensitive information. Similar to non-executive employees, managers who have been terminated due to their social media activities have sued their employers for wrongful termination. Again, look to an EPL policy for coverage for that type of claim.

Should I Review The Social Media Content Posted By Job Applicants?
Many states have enacted laws barring employers from requesting full access to an applicant's social media profile. We have all heard stories about a prospective employer seeing improper pictures or comments by the applicant which influence the decision to hire or not hire them. Some employers have taken it one step further and requested login credentials from job applicants in order to see all the content they have posted. It seems like an obvious invasion of privacy, so laws are being written to protect the rights of job seekers. The claims that can arise from this scenario could have coverage apply under the “wrongful failure to hire” coverage on an employment practices policy, as well as an “invasion of privacy” policy as part of a cyberliability policy.

Scared Yet?
There are reasons to be concerned, but the opportunities need to be investigated with a proper foundation of preparation. It is also important to remember that there are insurance products available to help protect you after missteps. If you have an employment practices liability policy, you likely have some protection from wrongful termination claims and invasion of privacy claims brought by your employees. If you have an internet media or cyberliability policy, you could have remedies for allegations of libel, slander, defamation and invasion of privacy claims brought by other parties. A strong cyberliability policy will have protection from breach of security claims if hackers use social media to access your computer network for malicious purposes. It's possible that other insurance products can offer assistance as well. AmWINS represents multiple insurers with all of these insurance products and can help you select the proper coverage for you and your clients.

Privacy Enforcement In The Healthcare Arena

The Exposure
Organizations that deal with private health information (PHI) should know how to properly handle such data in the absence of a breach as well as how to respond after a breach occurs. According to the 2011 Computer Security Institute Crime and Security Survey, 97% of organizations report using anti-virus software, 95% use firewalls, 85% use anti-spyware software, 66% use data encryption and 62% use intrusion detection systems.

The Open Security Foundation’s website, www.datalossdb.org, shows that despite taking meaningful steps to prevent security breaches, healthcare organizations accounted for 18% of the 1,032 data breaches reported in 2011 and 15% of all breaches reported to date. Further, according to the Ponemon Institute’s 2011 Cost of Breach Study, the per capita costs of a breach for healthcare organizations average around $240 per record. When compared to retail, which averages $174 per record, education, which averages $142 per record, and an average of $194 per record for all industries, healthcare organizations clearly have cause to be concerned about breach response expenses.

A healthcare organization or business associate1 should also be aware of the increased standards that have been imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Privacy Rule and the Security Rule. One aspect of the Health Information Technology for Economic and Clinical Health Act that may surprise many is the potential for the Office of Civil Rights (OCR) to fine an organization in the absence of a breach.

In 2012, the Office of Civil Rights will conduct 150 audits of Covered Entities. If material security weaknesses are reported, a formal compliance review will follow. If that review uncovers blatant security violations, civil monetary fines could follow. Enforcement action around data breaches has been on the rise, and fines and penalties are being levied more frequently than in the past. The Department of Health & Human Services (DHHS) posts examples of resolutions including fines on their website. These initial audits are likely only the beginning of expanding regulatory oversight related to private health information.

Theodore Kobus III of Baker & Hostetler LLP, one of the national leaders of their Privacy, Security and Social Media Practice, advises the following regarding the current regulatory environment:

Data security extends beyond breach response and we are seeing an increasing number of regulatory investigations and fines stemming from how an organization responds to changes in its risks. A big part of being prepared includes understanding the nature and scope of the information you hold and how that data needs to be protected as risks in the organization evolve. For example, if you store data in an area that was once monitored by a security guard, but that area is now unoccupied, you may want to consider implementing other security measures.

Reducing The Exposure
In a previous article regarding lost laptops, we provided basic tips for handling a privacy breach.

With the type and volume of private health information that organizations in the healthcare arena touch, they are expected to take even more comprehensive steps to anticipate, prevent, respond to, and survive a breach. While many organizations are large enough to have entire departments dedicated to this issue, the complexity of the privacy laws means that, regardless of the organization’s ability to dedicate resources, it is important to work with legal counsel that is solely focused on privacy-related issues. Similarly, healthcare providers should also seek out specialized network security risk management providers who can help answer important questions like:

  • Am I prepared to show that I took the proper steps before a data breach occurred?
  • Do I have an effective incident response plan in place when there is a problem?
  • Am I protecting digital records as well as paper records under the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
  • Are my vendors and business associates also in compliance with the proper standards?

Many insurers have existing relationships with computer forensic firms, notification vendors, credit monitoring providers, legal forensic firms, public relations firms and others to help navigate the huge distractions following a data breach. To this end, we have seen insureds purchase cyberliability coverage solely for the value-added services provided by the insurer. Many of these buyers feel that they can afford a security breach, but that they don’t have the time to line up all the necessary critical response vendors if a breach occurs.

Neeraj Sahni of Kroll Advisory Solutions points out:

The ease of access to electronic data, anywhere-anytime, makes security a challenge as negligence leads to recurring data breaches. Preventive preparation is the most important loss control mechanism for any organization that has sensitive data. Thus waiting for a breach to occur is reactive and may incur more liability for any company. An incident response plan potentially helps lessen the impact of a breach. Also note, being compliant with security and privacy regulations does not provide assurance to an organization against a data breach.

Contractual Risk Transfer May Not Be Enough
Contracts with business associates and other trading partners may be part of the solution, but not the whole solution, as observed by Theodore Kobus III:

Many organizations think that a contract shifting liability to a third party is all that you need to protect the organization in the event that a vendor causes a breach. This type of protection is good, but it does not solve all of the organization’s issues. Notwithstanding the public relations issues the organization may face after a breach by a vendor, laws such as HITECH and various state laws still hold the organization that owns the data ultimately responsible for the breach. Another consideration about shifting all responsibility for a breach to the vendor is the lack of control over the messaging after a breach occurs. Remember, even though the vendor may have caused the breach, these are still your customers and your reputation is at risk.

Mr. Kobus brings up a dangerous situation. If a healthcare provider has fully shifted post-breach responsibilities to a vendor that caused the breach, the treatment of its customers or patients is in the hands of the vendor. To shift financial responsibility is one thing, but the provision of post-breach services such as call centers and identity/credit services should remain in the healthcare provider’s control. When it comes to the handling of an organization’s reputation, the preferred approach is to proactively protect its reputation rather than scramble to restore it after a poorly handled data breach.

The Right Insurance To Survive A Breach
Healthcare providers and business associates should have their own policy to protect their organization. The company’s own employees are a significant cause of data breaches, as are external hacks. The organization will not be able to unfailingly transfer that risk to other parties.

Organizations should also ensure their vendors have the financial assets or insurance to back up their contractual promises. If an entity is going to rely on a third-party vendor to hold private health information for which the entity is responsible, it should be reviewing the vendor’s professional liability insurance rather than just asking if the vendor has a policy.

Types Of Risk Transfer Vehicles
Cyberliability is the generic description of the type of policy healthcare organizations will need. In a prior article, we went into some detail about what is available. Here are some of the typical insuring agreements in a Cyberliability policy:

  • 1st Party Business Interruption — Covers lost business income in the event a virus infection or hacker shuts down your network.
  • 1st Party Data Asset — Covers the expense to recover lost data and other expenses.
  • Cyberextortion — Covers expenses and ransom if a hacker threatens your network or data.
  • 3rd Party Network Security — Covers your liability when hackers use your system to inflict damage on others.
  • 1st Party Privacy
    • Notification Expenses — When data is lost, you must notify all potential victims within a very brief period of time and in accordance with the state laws where the potential victims reside.
    • Forensic Expenses — The insurer will cover the expenses associated with bringing in computer experts to determine the cause of a breach and list of potential victims. Some insurers also cover legal forensic experts.
    • Credit Monitoring — The insurer may cover one to two years of credit monitoring services for those exposed.
    • Credit or Identity Repair Services — The insurer will cover the expenses for up to one year to restore compromised identities and repair a victim’s credit rating following an actual identity theft.
    • Crisis Management — Public Relations expense coverage to protect the image of the organization.
  • Regulatory Defense and Expenses — Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage and in many cases cover fines, penalties and restitution funds levied by a regulatory body, where insurable. This coverage is designed to help healthcare organizations respond to actions brought by state agencies, state attorneys general, the Department of Health and Human Services, the Office of Civil Rights and other regulatory agencies.

There are now more than 30 different insurers with dedicated cyberliability policies, and no two insuring agreements are the same. It is important to be diligent in making sure the coverage sought is the coverage bought.

Conclusion
The current regulatory oversight and monetary implications surrounding a loss of private health information means that firms in the healthcare arena should be more aware than most of privacy enforcement and how to protect their clients, constituents, reputation, and organization.

1 A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. (For more information, see hhs.gov.)

The Insurance Implications Of Social Networking Websites, Part 2

This is the second part of a six-part series of articles discussing insurance coverage for claims that can be brought against individuals or companies because of the use of Social Media websites. Additional articles in this series can be found here: Part 1 and Part 3. This article discusses coverages potentially triggered under Coverage B — Personal and Advertising Injury and any applicable exclusions.

Personal Injury Offenses Covered In Commercial General Liability And Homeowners Policies
Most Commercial General Liability policies contain Coverage Part B that provides coverage for personal and advertising injury. Some homeowner and renters policies, but not all, provide coverage for personal injury. Carefully review the policy to determine if it does provide personal injury coverage. If not, then coverage must still be analyzed under Coverage Part A for bodily injury coverage, which will be discussed in part three of this series.

The definition of “personal injury” is typically:

13. “Personal and advertising injury” means injury including consequential “bodily injury” arising out of one or more of the following offenses:

a. False arrest, detention or imprisonment;

b. Malicious prosecution;

c. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies committed by or on behalf of an owner, landlord, or lessor;

d. Oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;

e. Oral or written publication, in any manner, of material that violates a person's right of privacy;

f. The use of another's advertising idea in your “advertisement” or

g. Infringing upon another's copyright, trade dress, or slogan in your “advertisement.”

The policy may contain additional offenses or an endorsement that modifies the definition of “personal injury.” However, typically only subsections d (libel/slander) and e (invasion of privacy) are implicated when a claim related to social media is presented.

To trigger “personal injury” coverage, the complaint must arguably allege a claim that constitutes at least one of the offenses listed in the policy. The policy does not provide coverage for other torts alleged in the complaint that do not constitute specifically enumerated offenses contained in the definition of “personal injury,” but that may bear some similarity to those offenses listed in the policy. There is no coverage if the complaint does not allege or the plaintiff does not recover for an enumerated offense.

There may still be coverage under the policy for a claim asserted in the Complaint that alleges a non-enumerated offense so long as it occurred during the course of an enumerated offense.

In Western Cas. & Sur. Co. v. International Spas of Ariz., 130 Ariz. 76, 634 P.2d 3 (1981), for example, the insured had leased a portion of its premises for the operation of a beverage service. The insured had terminated the lease and excluded the lessee from the premises. The lessee sued the insured for breach of the lease, conversion of personal property, conspiracy to interfere with business and contractual relationships, and imposition of a constructive trust. The insured sought “personal injury” coverage under a Commercial General Liability policy, arguing that the lawsuit alleged a wrongful eviction even though no such claim was asserted.

The carrier argued that the policy only provided coverage for wrongful evictions of patrons to the insured's facilities and not the wrongful eviction of its customers (i.e., lessees). The Arizona Supreme Court rejected this contention and stated that the policy contained no such restriction limiting liability. Instead, the Supreme Court held that the carrier had an initial duty to defend because two of the counts (conversion and interference with business relations) alleged torts committed during the course of the alleged wrongful eviction.

In the social media context, a complaint may not specifically allege an invasion of privacy or a defamation claim, but may instead allege that the defendant intentionally or negligently inflicted emotional distress when it published defamatory comments about the plaintiff. Under those circumstances, the policy may provide coverage because the emotional distress claim, although not an enumerated offense, occurred during the course of an enumerated offense; namely, defamation or invasion of privacy. A similar analysis would apply if the complaint alleges an intentional interference with business relationships claim that arose out of the publication of defamatory materials or material that invades the privacy of an individual.

Some policies contain the enumerated offense “outrageous conduct,” but may not define what constitutes the offense of “outrageous conduct.” A savvy insured's attorney may argue that because the term “outrageous conduct” is undefined, it is ambiguous and should be construed against the carrier to provide coverage for the social media claim; more specifically, that the conduct of posting any comments, pictures, videos, or other items on the Internet is outrageous. Some jurisdictions have held that the lack of a definition of an operative term in a policy does not necessarily render the term ambiguous. In determining whether a policy term is ambiguous, a court may first examine the purpose of the term or phrase, public policy considerations, and the purpose of the transaction as a whole and also construe the policy's provisions according to their plain and ordinary meaning.

The term “outrageous conduct” is defined by Black's Law Dictionary as “Conduct so extreme that it exceeds all reasonable bounds of human decency. See EMOTIONAL DISTRESS.” Black's Law Dictionary also defines “emotional distress” as follows:

A highly unpleasant mental reaction (such as anguish, grief, fright, humiliation, or fury) that results from another person's conduct; emotional pain and suffering. Emotional distress, when severe enough, can form a basis for the recovery of tort damages. — Also termed emotional harm; mental anguish; mental distress; mental suffering. See INTENTIONAL INFLICTION OF EMOTIONAL DISTRESS; NEGLIGENT INFLICTION OF EMOTIONAL DISTRESS. Cf. mental cruelty under CRUELTY. [Cases: Damages 48-56.20. C.J.S. Damages §§ 94-104; Parent and Child § 344; Torts §§ 66-83.]

Thus, the offense of “outrageous conduct” involves the infliction of mental distress. Indeed, the term “outrageous conduct” is a legal term of art that refers to a claim typified by the Restatement (Second) of Torts § 46. Various courts have concluded such, albeit in the non-social media context. See, e.g., Hines v. Hills Dept. Stores, Inc., 454 S.E.2d 385, 390 (W. Va. 1994) (“Our review of the case law discussing the tort of outrageous conduct illustrates that it is a difficult fact pattern to prove. A certain level of outrageousness is required, as explained in the Restatement (Second) of Torts….”); Kelly v. Resource Housing of Am., Inc., 615 A.2d 423, 426 (Pa. Super. 1992) (“The tort of outrageous conduct causing severe emotional distress is outlined at the Restatement (Second) of Torts, § 46….”); LaBrier v. Anheuser Ford, Inc., 612 S.W.2d 790, 793 (Mo. Ct. App. 1981) (“Missouri has recognized the tort of outrageous conduct as defined by § 46 of the Restatement (Second) of Torts”).

Whether posting inappropriate comments, pictures, videos, etc. constitutes outrageous conduct is probably a factual issue that will not be addressed in this article. Suffice it to say that in reviewing policies, attorneys, adjusters, and insureds should be careful to review the actual offenses listed, review the relevant case law addressing those enumerated offenses, and any legal or common dictionaries that may define such phrases before making a determination whether the social media claim may be covered by the policy.