How to Buy Data Breach Insurance for Your Practice
We recently reported on an article from Becker’s Hospital Review about data breach insurance. Today, we would like to dig a little deeper into that data breach article. Specifically, it discussed what to look for when purchasing a data breach insurance policy. They consider three things: 1. coverage, sub-limit options, 2. premiums and deductibles, and 3. vendor options. Let’s recap them one-by-one.
1. Coverage, sub-limit options. With data breach policies, three types of exposure are typically covered. They are: regulatory fines and penalties, class action lawsuits and response costs. The level of coverage for each can vary from policy to policy. (As we always say, it is important to know your policy, what is covered and at what level.)
Regulatory fines and penalties can be incurred on a federal, state or local level. HHS’ Office of Civil Rights could find HIPAA violations or negelct and impose a fine after an investigation. To the extent allowed by law, the data breach insurance can cover such fines up to the policy limit. It is important to know that fines may exceed the policy limit. Fines can also be incurred via the HITECH Act, among others. With the HITECH Act, there are four categories of violations with four tiers of penalties. The fines range from $100-$25,000 for each violation for the first level, up to 50,000 to $1.5 million for each violation for the fourth level. (See the original article for more detail.)
Under the claims and lawsuits coverage, this typically covers claims and lawsuits filed by individuals whose privacy was violated, again up to the limit. And, finally, response costs often cover three areas (but again can vary with the policy): 1. forensic analysis to investigate the data breach, 2. communication and notification costs to notify regulatory authorities and affected individuals, 3. credit and identity monitoring for affected individuals.
2. Premiums and deductibles. As with any insurance policy, data breach insurance premiums and deductibles depend on the terms and company selected.
3. Vendor options. This relates to the response to a data breach. Often, hospitals or practices choose a vendor for their security tools and, often, these companies are asked to respond to data breaches by the insurance companies. If you would like to work with a specific company in response to a data breach (like your own data security company), you should check with your data breach insurance carrier if they are an approved response company.