Data breaches can be the result of criminal attacks, employee negligence, or the negligent act of other parties. Breaches occur when personally identifiable information (PII) or protected health information (PHI) that has been collected by an entity, is accessed or disclosed without authorization. Data breach notification laws require breached entities to notify those affected that their personal information is at risk. These laws are meant to protect the affected individuals from the identity theft, fraud and reputational harm that may result.

Entities that suffer breaches must quickly navigate through forensic investigations, statutory notification, compliance, regulator communications, public relations, client credit protection offerings, contractual analysis and pre-litigation issues. Specialized insurance policies are available to cover the often high costs of breach response and litigation. Entities that collect PII and PHI, such as commercial entities, financial institutions, educational institutions, governmental entities, healthcare entities, and others, have overlapping as well as unique privacy and data security compliance requirements. Breaches often lead to regulatory actions and/or litigation, adding exposures to multi-million dollar fines, settlements and defense costs.

Privacy and data security also includes issues related to data use compliance, policies and best practices in the absence of a breach. Other aspects are related to social media use, social engineering, internet and other media publication, cloud computing and sub-contracted data service providers, indemnification and cyber extortion. Data breaches and the issues raised by these other areas can lead to various first and third party claims as well as the coverage questions that often accompany them. 

Nelson Levine Resources

Cyber Space Invaders, Best's Review, December 2011

Up and Coming: New Interpretations of the Identity Theft Enforcement and Restitution Act Could Present Risk for Insurers, Best's Review, August 2010

White House's Cyber Security Proposal Recommends National Breach Reporting Standard, May 18, 2011

Health and Human Services Steps Up Enforcement of HIPAA, March 7, 2011

California Court Rules Zip Codes Are Personal Data, March 1, 2011

Upcoming Events

Philadelphia I-Day: Finding Advantage in a World of Change

• Date: March 22, 2012
• Speaker: John F. Mullen
• Location: Philadelphia, PA
• Topic: Privacy and Data Security Risks Under the Insurance Umbrella
• Program Website