Cyber Insurance is a relatively new type of coverage designed to help protect businesses and individual users from risks related to information technology infrastructure and activities. But what does this mean? More importantly, do
you need it?
Let me begin by admitting that my knowledge of Cyber Insurance was once quite limited. This was also true of most physicians I spoke to: few seemed to understand what Cyber Insurance is, or why it might be necessary.
In order to advise members on their potential need for Cyber Insurance, I had to understand it better myself. So I did some research and asked lots of questions. The results were revealing.
Generally speaking, any individual or business entity that collects any type of electronic data about people should seriously consider buying Cyber Insurance — it is likely one of the biggest gaps in insurance coverage today.
“ Any individual or business entity that collects any type of electronic data about people should seriously consider buying Cyber Insurance.
But the decision as to whether you or your practice/clinic have some sort of potential liability exposure comes down to one simple question:
Are you ever responsible for collecting or recording a patient's personal, financial, family or medical information in an electronic format? If the answer is yes, then you have a cyber liability exposure, and you should think about adding Cyber Insurance to your commercial property and liability insurance for your clinic or practice.
Over the past two years, health care, retail, and financial services industries around the world have been targets of massive attacks by cyber criminals.1 In 2014, medical records accounted for 43% of all data stolen in the United States alone.2
Although health care is one of the leading sources of cyber claims, hacking, identity theft, and breach of privacy information in North America, you may feel you have little reason to be concerned. For instance:
While these statements are partially valid and may imply a sense of security, you are only protected as long as:
It is important to note that, according to the various privacy laws under which we all operate, an unintentional disclosure of private information can have many of the same consequences as a deliberate disclosure or computer hack.
“ An unintentional disclosure of private information can have many of the same consequences as a deliberate disclosure or computer hack.
Cyber Insurance is a relatively new type of coverage designed to help protect businesses and individual users from risks related to information technology infrastructure and activities. But what does this mean? More importantly, do you need it?
The good news is that damages and claims from outside parties against physicians as a result of cyber attacks or data breaches have not yet amounted to any significant losses in Canada. But there's also some bad news:
Costs and damages are more likely to increase than to decrease. At the recent NetDiligence Forum on Cyber Risk and Privacy Liability, held in Toronto, attendees were told that the "dark web" (that part of the Internet that is not accessible via conventional search engines, and often acts as a conduit for illegal activities) is so full of stolen Canadian identities that they're sold at a discount. Hacking and computer breaches are reported to have exceeded drug distribution as the largest criminal business (ranked by dollars) in the world. These are indications of growing criminal activity that is starting to cost the economy increasing sums of money.3 Moreover, it is likely that those entities found to have been fully or partially responsible for allowing the hacking to have occurred will be made to pay for some of the costs.
Like most small businesses, the real cost of a privacy breach in a medical clinic or practice is the negative affect it can have on your personal reputation, which may in turn result in lost patients and less growth in the future. There is, of course, also a financial cost: you must notify all your patients that their information may have been compromised, and you have to do it quickly. Once you factor in staff time, forensic investigation expenses, and loss-of-business costs, the notification process may end up costing you several dollars per patient file, which can translate to a substantial financial hit.
While hacking still accounts for just under 30% of cyber incidents, the sub-contractors hired to safeguard your computer system — whether they be security experts or network managers — account for 15% of claims, while "employee negligence" and "insider theft" each account for about 10% of claims.1
Clearly, you do not have to be found ultimately at fault to incur real costs and reputational damage as a result of a cyber breach: simply being accused can hurt you both professionally and financially. This is why you should consider getting Cyber Insurance.
“ Simply being accused [of a cyber breach] can hurt you both professionally and financially.
In addition to "third party" coverage (e.g., network security liability, privacy liability, and electronic media liability), cyber liability covers:
It also covers cyber extortion and crisis management expenses — both of which help you deal with circumstances beyond your control or expertise.
A key part of both these services is that insurers will typically contract legal representation for you, meaning that anything you discuss is protected by lawyer-client confidentiality, and will be kept private.
Cyber Insurance is a dynamic coverage that will evolve over time to address the way we manage our communications and data storage.
Traditional liability coverage both excludes electronic data and records and fails to provide access to the important services that make Cyber Insurance a great option to address a growing insurance gap.
you need it? To answer that question, stop and consider how you, your patients, and your clinic or practice would be affected in the event of a cyber breach. If you're still not sure and want some advice, contact OMA Insurance — we're here to help.
The OMA Insurance Office & Clinic program includes an option to add cyber liability coverage for about $100, and Hub International also offers an expanded version of the policy for less than $300. The staff at HUB are available to discuss your situation in more detail. Hub can be reached directly at 1.855.662.0500, or through their special OMA website at http://oma.hubinternational.com/commercial-insurance/