Deciphering Notification Laws, the HITECH Act and Red Flags
New regulations are increasing at a rapid rate and it is vital that business owners and Chief Information Officers (CIO) become familiar with current regulations and compliance dates.
State Notification Laws require businesses to notify customers or patients in a timely manner of any data breach that might affect them. Each state has its own requirements, and failure to notify as required by a state's notification law could lead to fines and penalties.
The HITECH Act, which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for breaches of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice "meaningful use" of an Electronic Health Record system.
The Red Flags Rule applies to "financial institutions" and "creditors" with "covered accounts," as those terms are defined in the regulation. The rule was created in November 2007 as an addition to the Fair Credit Reporting Act.
The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September 2008. The regulation is intended to protect against the unauthorized disclosure of personal information about Massachusetts residents. This wide-sweeping law applies to any person or business that holds personal information on a resident of Massachusetts. Non-compliance may result in a $5,000 civil penalty for each violation with respect to each person affected.
So what's next? H.R. 2221, the Data Accountability and Trust Act, was recently passed by the House Subcommittee on Commerce, Trade, and Consumer Protection; it would require businesses to notify customers when outside parties gain access to sensitive information through a security breach.
Cyber liability insurance, also called security and privacy insurance, has been developed by insurance carriers to provide coverage for these exposures. First-party coverages include business income and extra expense; crisis management expenses; cyber extortion; credit monitoring expenses; and notification costs. Third-party coverages include network security and privacy liability; internet and media liability; and regulatory defense coverage (including penalties and fines).
Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.
Source: David Perkins, September 7, 2009 www.insurancejournal.com