Cyber Security and Agency Agreements

About this time last year I wrote a couple of posts on the perils and opportunities presented to insurance agencies by the increased hacking of computer systems that was taking place.  Since then, things have only gotten worse, with perhaps the most high-profile hacking being that of the Democratic National Committee, the repercussions of which are still unfolding.

If the prospect of paying significant sums of money or facing regulatory action for failing to properly protect an agency’s customers’ private data is not enough incentive, the contents of an agency’s agreements with its insurance carriers provide even more incentive to take action.  Two insurance consultants have prepared a white paper that explains in detail the data protection obligations imposed on most agencies by their agreements with their insurance carriers.

If an agency’s owners haven’t reviewed those agreements in a while, now is the time to do so.  The consultants’ review of over 100 different agency/carrier agreements revealed that almost all of them contained language requiring the agency to comply with all applicable laws and regulations regarding the protection of its customers’ private data.  Such laws and regulations include the Gramm-Leach-Bliley Act (“GLBA”), which imposes privacy notice requirements on all insurance agencies, and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which imposes specific data protection requirements on any insurance agency that sells life, health, or disability insurance.  These are two of the more than 30 federal laws and regulations that address data privacy.  In addition, 47 states have enacted laws and regulations that impose data privacy and notice obligations on companies that have suffered a data breach.  An agency must be aware of these laws in each state in which its customers are located and be able to comply with their requirements with respect to those customers.

In addition to requiring compliance with all applicable laws and regulations, agency/carrier agreements require that the agency indemnify the carrier against any liability it may incur due to the agency’s failure to satisfy the requirements of those laws.  Thus, an agency will not only have to pay its own costs in dealing with a data breach; it will also have to pay any costs incurred by the affected carrier or carriers due to that breach.  Since this obligation is a contractual one, an agency’s E&O and general liability insurance will not cover these costs.  Hence the need for cyber insurance coverage if an agency wants to survive a data breach.

For those agencies that want to know where they stand with their data protection policies and practices, NetGen Consulting has a survey that can be taken to show if and where extra work is required.  For those agencies who may not have done much yet in this area, the Center for Internet Security has developed a Critical Security Controls document and associated working aids to get you started on the development of good data protection policies and practices.

Given the ever-increasing threat posed by hackers, the costs involved in a data breach, and the indemnity obligations imposed on agencies by their insurance carrier agreements, I don’t think it’s an overstatement to say that good data protection policies and practices, along with a good cyber insurance policy, are essential to the survival of an agency in today’s world.