State Notification Laws require businesses to notify customers or patients in a timely matter of any data breach that might affect them. Each state has its own requirements and failure to notify per such state’s notification law could lead to fines and penalties.

The Hi-Tech Act which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for the breach of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice “meaningful use” of an Electronic Health Record system.

Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts,” per the regulation. This rule was created in November 2007 as an addition to the Fair Credit Reporting Act.

The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September of 2008. This regulation was intended to protect the unauthorized disclosure of personal information for Massachusetts’s residents. The importance of this wide sweeping law applies to any person or business that has personal information on a resident of Massachusetts. Penalties for non-compliance may be subject to a $5,000 civil penalty for each violation of each person affected.

So what’s next? H.R. 2221, the Data Accountability and Trust Act was recently passed by the House subcommittee on Commerce, Trade, and Consumer Protection which would require businesses to notify customers when outside parties gain access to sensitive information due to a security breach.

Cyber liability or security and privacy insurance has been developed by insurance carriers to provide coverage for these exposures. First Party Coverages include business income and extra expense; crisis management expenses, cyber extortion; credit monitoring expenses and notification costs. Third Party Coverages include network security and privacy liability; internet and media liability; and regulatory defense coverage (including penalties and fines).

Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.

Source: David Perkins, September 7, 2009 www.insurancejournal.com

If I give you my information, why can’t you give me my Professional Liability quote over the phone? 

The answer is simple- We want to make sure that we are not wasting your time or ours by having to clear up misunderstandings or perhaps missing some information.  Although it seems simple that you can just give us the information over the phone, our online system thoroughly goes through the questions in a few simple steps to make sure we have every thing that we in order to get you the best quote possible. Many of our carriers will not accept an application that has been filled out by anyone other than the insured. 

By saving time on the phone, we are able to save the company as well as the insureds money in the long run by providing you with the best coverage at the most reasonable rates.

At  $202 per comprised customer, U.S. companies have felt the brunt of data breaches.  Companies that have suffered the most from data breaches are healthcare and financial services type businesses. 

In 2008, the average cost for these incidents was $6.65 million.  And the most damaging effect is lost business averaging $4.59 million or $139 per record compromised.

Surprisingly, 49% of companies who responded to a current study stated that most breaches actually came from the theft or loss of paper documents, not electronic generated documents.

Source: S. H. Smith & Company, Inc.

Why do tech firms need coverage for “personal injury”? First of all “personal injury” coverage may be needed to protect a tech firm against an allegation of slander, libel, or oral or written publication that violates a person’s right of privacy. It is not too difficult to see how a tech firm could get sued under these circumstances.

In addition, coverage may also needed for “advertising injury” in the event of an allegation of the taking of another’s idea in your advertisement or infringement of copyright, trade dress, or slogan in your advertisement.

The key word is “advertisement”. There is no coverage for infringement of copyright, trade mark, trade dress, or slogan unless they occur in your advertisement.

An exclusion in the policy form eliminates coverage for injury arising out of electronic chat rooms or bulletin boards that the insured hosts, owns, or excercises control over. In addition, there is another exclusion arising out of the unauthorized use of another’s name or product in your email address, domain name, meta tag, or similar tactic used to mislead the potential customers of another.

It is obvious that the standard General Liability form does not adequately protect tech companies or IT professionals against these imporant exposures. As a result, coverage can be sought as part of a Professional Liability or Errors & Omissions policy form.

These policies can add back essential coverages such as for those tech firms in the business of advertising or publishing, violation of a person’s right of privacy or undue publicity, intellectual property infringements, etc.

It is strongly recommended that tech companies or IT professionals deal with a tech insurance specialist to make sure that their coverage needs are addressed.

Most service or contracting businesses could cause property damage that results in loss of or damage to a third party’s electonic data that is housed on their computer system. This exposure is not limited to IT firms.

Standard General Liability forms provide coverage for liability arising out of “property damage”. “Property Damage” is defined as a) physical injury to tangible property including loss of use thereof and b) loss of use of tangible property that is not injured…. As used in this definition, “electronic data” is not tangible property.

“Electronic data” is defined as information, facts, or programs: a) stored as or on, b) created or used on: or c) transmitted to or from: computer software…..hard or floppy discs, CD-ROMS, tapes, drives, cells, data processing devices, or any other media which are used with electronically controlled equipment.

This problem can be solved by the addition of various endorsements to add back coverage for property damage to electronic data. The cost is usually minimal.

However, some General Liability carriers that cater to IT firms will not add back this coverage. As a result, IT firms may need to verify that their Professional Liability (Errors & Omissions Liability) policy picks up this exposure. The key is to locate the definition of “tangible property” and find out if electronic data is included.

Most tech firms and regular businesses with exposure don’t have insurance to cover this exensive peril. Liability for the following categories of expenses are common in these breaches of security:

*Class action lawsuits

*Regulatory fines, fees, penalties

*Statutory notification expenses

Tech companies that collect confidential information or assist clients that do the same must make sure that their Professional Liability / Errors & Omissions policy is specially endorsed to respond to breach of security lawsuits. Non tech companies with exposure must make sure that their Cyber Liability policy does the same.

Source: S.H. Smith & Company, Inc. E Bulletin, 10-19-08

1. Bodily Injury And Property Damage Liability (General Liability)

2. Personal Injury And Advertising Injury Liability (General Liability or Errors & Omissions Liability)

3. Negligent Acts, Errors, Omissions In Performance Of Professional Services Resulting In Economic Damages (Errors & Omissions Liability)

4. Intellectual Property Infringements such as copyright, trademark, etc. (Media Liability)

5. Breach Of Security (Unauthorized Access, Computer Virus, Denial Of Service)

Any carrier providing a limit approaching $10,000,000 will be wary of why the project owner would require such a high limit in the first place. This is likely to be a red flag that the type of work is high risk and as a result the underwriters will closely scrutinize such a submission.