As data protection liabilities steadily rise due to ongoing changes in the regulatory landscape, indemnification for such liabilities is increasingly becoming an acute concern. As a result, organizations under such regulatory pressure are gradually showing more concern about the qualifications of their data-related service providers and the ability of those vendors to be financially responsible for any data security breaches they could potentially cause. Unfortunately, the issue of proper data protection indemnification is fraught with challenges and misconceptions, which could lead to anything from the loss of a few customers up to the loss of a major lawsuit.
There are all kinds of data-related services subject to this new level of scrutiny. Included among the most obvious are bill collectors, imaging services, records storage companies and data destruction services. Essentially, any service provider that takes possession of information originally entrusted to another organization is considered to be a data processing vendor. In regulatory parlance, such services are known as business associates.
IT asset recovery firms, reverse logistics services and e-scrap recyclers also qualify as business associates. They routinely accept responsibility for protecting the data on customers’ retired IT assets. This data protection function is usually among the most critical aspects of the customer and service provider relationship and serves as the primary reason for which the service provider was hired.
By accepting the obligation to protect the information on retired electronic equipment, an IT asset management company is essentially fulfilling the customer’s legal requirement to do so. However, while it is perfectly acceptable for the customer to outsource any data protection function, no customer can effectively delegate his/her legal obligation to protect the data or the inherent liability of any potential data security breach.
Logically, regulators have no choice. They must insist that data custodians remain ultimately responsible for the security of the service providers hired to fulfill their data protection obligations. By keeping that responsibility at the level of the primary data custodian, regulators promote the hiring of vendors who are properly qualified. If accountability were not maintained with the primary custodian, there would be little reason to verify vendors’ qualifications.
Professional liability coverage for data protection liabilities first surfaced as an issue in the early 2000s. At the time, health care and financial institutions were approaching the respective compliance deadlines of the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB). Suddenly, those organizations found themselves in the process of negotiating data protection contracts with business associates, as required by the new regulations, while at the same time facing unknown enforcement consequences.
As a result of the uncertainty, a relatively small number of these organizations used the negotiating process as a platform to introduce language making their data-related vendors liable for any financial damages they suffered because of security breaches they caused.
It quickly became apparent to those facing these new customer demands that professional liability insurance was the appropriate indemnification product for this new vendor liability. However, virtually all such policies excluded the most likely causes for a claim. For instance, claims resulting from the intentional acts of employees, claims resulting from violations of privacy and claims resulting from violations of federal regulations were almost universally excluded.
With no specialized professional liability coverage available, service providers were left to take one of two uncomfortable courses of action: they either accepted the new liability with no corresponding indemnification in place or purchased a miscellaneous professional liability product that provided no real protection for them or their clients.
Obviously, both alternatives leave the service provider and their customers exposed to the liability and each alternative amounts to a deceptive practice.
If there was any silver lining to this conundrum, it was that the liability transfer issue was relatively isolated and enforcement of the new regulations was virtually non-existent.
HITECH Additions Renew Liability Concerns
On Feb. 17, 2009, President Obama signed the American Recovery and Revitalization Act (ARRA) into law. Included among the ARRA stimulus initiatives, the Health Information Technology for Clinical and Economic Health (HITECH) Act promoted the development of a universal electronic medical records system by providing a number of economic incentives to doctors and health care organizations.
In effect, HITECH amended HIPAA, which was introduced 13 years prior for the same purpose. However, not only did HITECH bolster HIPAA with the new economic incentives, it also bolstered the data security provisions dramatically. Over the years, HIPAA had been criticized for weak enforcement, with the late Senator Ted Kennedy (D-MA), one of the law’s original sponsors, among those decrying the lack of enforcement. HITECH was developed to address those criticisms.
HITECH includes provisions for a national health data breach notification process, a mandatory fines structure, a fine increase from $25,000 to $1.5 million, the deputizing of state attorneys general to augment HIPAA enforcement efforts, and a requirement to create new business associate agreements with all data-related vendors. Further, and of particular importance to service providers, the amendment included a provision that made any downstream data processors subject to the law regardless of whether or not the client considered them to be a business associate. In other words, any service provider that came in contact with health care records was required to comply with the law, regardless of whether the client identified the service provider as a business associate.
As health care organizations become aware of these changes, they are reassessing their data-related vendors’ abilities to indemnify them for the financial consequences of breaches caused by those vendors. Again, since the health care provider is ultimately responsible for the compliance of its vendors, it is the health care provider that bears that cost. The best they can do to protect themselves is to make sure the vendor can pay for the damages by making that a contract provision. And, since a new business associate contract is required by the HITECH amendment, it provides the perfect opportunity for health care clients to impose those indemnification provisions.
Finding Professional Liability Coverage
For the last decade, primary data custodians have increasingly sought indemnification to protect themselves from data protection liabilities. After all, they are directly in the line of fire. The challenge of finding effective professional liability coverage was exacerbated by the new data breach notification provisions described earlier.
To be fair, as a need for specialized professional liability indemnification became increasingly obvious, underwriters have been attempting to address the issue. Insurance providers saw the opportunity of a new growing market and responded. Unfortunately, most efforts to date fail to recognize the subtleties of the regulations as well as the different needs between primary data custodians and their business associates.
Now, insurers use the same data protection policies they developed for the primary data custodians. Because neither the insurer nor the service provider understands how the laws apply to them, they simply turn to the existing product. There are many examples of how this misunderstanding shows up in these misaimed coverages. For instance, most data breach notification coverage is provided through a sublimited endorsement covering the insured’s own data breach notification costs. In the case of the service provider, which technically is the insured, there is no data breach notification exposure related to unauthorized access to client data. That exposure is, legally speaking, always the client’s. The service provider’s only legal responsibility is to notify the client. The client is responsible for the notification. That obligation cannot be passed on to the vendor. The financial cost can be passed on, but not the notification itself. The service provider (the insured) therefore does not need data breach notification coverage for its own exposure. It needs coverage for the client’s data breach notification costs incurred because of the vendor’s actions.
Other Cyber Coverage
Typical cyber liability coverage is another area where attempts to misapply data protection liability coverage show up. Unless a service provider intends to upload client data to its own computers or post it to its website, such coverage is typically useless.
A professional liability policy should simply and clearly state that financial damages owed to the client because of data breach notification requirements or unauthorized access to data, where caused by the service provider, are covered to the full limit of the policy.
Misapplication of a data protection professional liability policy is actually only a small part of the current problem. The biggest industry challenge remains the fact that most service providers are either accepting contractual liability with no indemnification in place or they purchase a miscellaneous professional liability policy that would be useless if ever needed. These practices only work because clients are not aware of the problem. If and when that awareness increases, those practices could lead to more than a few uncomfortable conversations.
And finally, further complicating an already complex challenge, service providers are often not prepared to defend themselves against unreasonable demands for professional liability coverage, and they are often unaware of basic, inexpensive, operational practices that can reduce their data protection liability.
Toward a Solution
There is some good news.
First, as mentioned, there are things service providers can do to reduce their liability footprint. These are simple steps such as modifying their practices, providing employee and customer training and maintaining certain documentation that reduce the likelihood of a data security breach and mitigate the consequences of a security breach should it happen.
And, on the professional liability front, there are favorable developments too. An increasing number of insurers have recognized that the data-related service provider market is a distinct opportunity and worth pursuing with a dedicated product.
The National Association for Information Destruction (NAID), the non-profit trade association for the secure destruction industry, has recently helped create an insurance product for NAID Certified members with provisions specifically designed for the unique exposures of data-related service providers. In all likelihood, insurance companies will soon follow in NAID’s footsteps, eventually offering similar solutions.
At present, there is no reason to panic. The pressure for appropriate data protection liability coverage is more likely to come from competitors using their coverage as marketing leverage than from savvy risk managers demanding it.
That will change. Eventually proper professional liability coverage will become a requisite for any IT asset management firm that touches equipment containing customer data. This is as certain as the sunrise.
Most privacy and data protection policy watchers see HITECH as a trial balloon for what will eventually be a national data protection law. All states but three already have their own data breach notification laws and three states have recently created health data protection laws stronger than HIPAA/HITECH.
The marketing dynamics of such trends should not escape the attention of IT asset management service providers. They will be much better served by leading the trend and acting while the window to use it for marketing leverage is still open.