Cybersecurity Insurance
Considering Coverage for Data Breaches
By Barry S. Herrin, CHPS, JD, FACHE, and Frankie T. Jones, Jr., JD
In 2009 the average cost per incident of a data breach in the United States was $6.75 million. 1 Mark Bregman, executive vice president and chief technology officer at Symantec Corporation, cited this statistic during his testimony before the Senate Subcommittee on Consumer Protection, Product Safety, and Insurance concerning the Data Security and Breach Notification Act of 2010. Introduced in August 2010 by Senator Mark Pryor (D-AR), the bill aims to protect data containing personal information and address the growing problem of data security breaches across all sectors. It echoes provisions in the HITECH Act that increase the penalties for breaches of protected health information.
With the number of reported breaches rising, federal scrutiny
intensifying, and penalties increasing, healthcare providers may
want to explore cybersecurity insurance as part of their overall
strategy to prevent and manage data breaches.
Security Breaches on the Rise
According to Verizon, more electronic records were breached
in 2008 than in the previous four years combined. In fact, since
2005, more than 365 million records containing personal information have been exposed by electronic security breaches. 2 The
number of electronic records containing personal information
exposed by hackers increased from 35 million records in 2008 to
220 million in 2009.
In addition, electronic data breaches of records containing
personal information are becoming more expensive. From 2005
to 2008, the average cost of a data breach rose by $2.25 million.
Beyond the direct costs incurred in resolving such breaches,
organizations also suffer reputational damage and loss of customer confidence. In 2008 organizations that experienced data
breaches averaged $4.6 million in lost business as a result of the
breach. 3
Concerns over data breaches are particularly pertinent in the
healthcare sector. In 2009 healthcare ranked second only to the
education sector in terms of known data breaches that could
lead to identity theft. 4 The pervasiveness of data breaches is
even more important given the requirements and penalties imposed by HIPAA as amended and amplified by the HITECH Act.
The HIPAA privacy rule establishes the national standards for
use and disclosure of an individual’s health information and
sets civil money penalties for noncompliance. Initially civil penalties were limited to no more than $100 per violation and were
capped at $25,000 per calendar year. However, the HITECH Act
significantly increased the civil penalties that healthcare entities may face.
Pursuant to the HITECH Act, civil penalties under HIPAA now
range from $100 to $50,000 or more per violation and have a
much higher cap of $1.5 million per calendar year. In addition,
in the event of certain types of breaches of unsecured protected
health information, healthcare organizations are required to
notify each individual whose unsecured protected health information has been accessed, acquired, or disclosed as a result of
such a breach, as well as the government and—in breaches of
500 or more records—the local media.
The Data Security and Breach Notification Act of 2010 would
require all organizations that own or possess data containing
personal information to establish and implement policies and
procedures to protect such personal information, similar to
HIPAA requirements. Organizations that have suffered an electronic data security breach also would be required to notify persons whose records were compromised, again similar to HIPAA.