The idea of a data breach is one that’s galling to pretty much anyone in the information technology field, but many of those professionals also recognize that such incidents are unavoidable to some extent. Whether they occur accidentally or as the result of a targeted attack, the fallout can be the same. And when companies do not succeed in making sure all possible protections are in place, they may run into major issues not only as a result of the breach, but also where their insurance companies are concerned.
At this point, any independent IT project managers worth his or her salt is likely going to have a robust tech insurance policy in place to protect them financially in the event of a data breach. But there may be issues that arise which could create other problems for such professionals, according to a report from Health Care IT News. Evidence of this stems from a court case involving a data breach that happened toward the end of 2013.
What happened?
Cottage Health System, a collective comprised of three hospitals in California, suffered a data breach at that time that exposed the medical information of nearly 33,000 people, as a result of a third-party vendor storing unencrypted data on a site that was able to be accessed through a simple web search, the report said. But when it tried to collect on its tech insurance, the company that provided it – which has so far dealt with some $4.13 million in settlement costs – took Cottage to court instead.
It alleged that Cottage, as part of routine tests of data breach risk assessment, provided false positives of more robust security than it actually had, the report said. Further, the insurance deal it signed had an exclusion that precluded coverage in the event of a failure to properly implement security protocols.
IT pros may have significant security protocols in place, but are they compliant with the requirements of their tech insurance policies?
Where does the third party come into this?
Part of the application Cottage filled out when getting its own tech insurance stated that it had done due diligence on the third-party vendor, and would audit its activities once per year, the report said. Further, it was supposed to require that vendor to carry significant tech insurance in its own right, on top of what Cottage itself was obtaining. However, the insurer in this case found that the third party did not have the assets or the insurance to cover the costs arising from this breach.
All of which highlights a major issue for IT professionals of any background: They should have as much of the small business insurance known as tech insurance as is feasible to avoid running afoul of insurers, even if they aren’t the ones that are ultimately responsible for the incident in question. They may also need to do more to ensure that any other parties with access to such data is doing enough on their end to keep things kosher. Any shortfalls here may lead to significant, and potentially unbearable, financial responsibility that would have been taken care of by insurers.
