As more companies outsource the processing of sensitive personal information, insurance brokers and their clients need to be better educated about protecting customer and employee privacy, and about data security, panelists told attendees at the recent Professional Liability Underwriting Society (PLUS) E&O Symposium.
“The liability issues involving outsourcing lie at the intersection between privacy law and physical and electronic security,” explained Donald A. Cohn, a corporate counsel at E.I. Dupont De Nemours, and one of three panelists. “The Internet has made it possible to build a global economy based on the processing of information. This brings risks, as well as benefits,” he said.
Cohn suggested that in the future, to do business in a multi-jurisdictional world where laws are often incompatible with one another, new protocols will have to be developed for managing and securing databases.
Francoise Gilbert, founder of the IT Law Group, said that it was important to remember the human element. “Disclosures of information generally stem from employee actions,” Gilbert said, noting that the people who process data are often part-time workers, temporary personnel from agencies or subcontractors. “Companies may not be as careful in examining the credentials of these kinds of workers as they would be for permanent employees, yet they give them the same rights of access to information,” she observed.
Panelists recommended visiting the workplace before hiring a vendor to get a sense of “the culture of the employees” and how procedures are being implemented. Pay scales are also something to look at, Gilbert said, noting it is easier to bribe poorly paid workers.
Brad Gow, vice president of ACE USA Professional Risks, said underwriters must understand that cost savings drive outsourcing. “Outsourcing jobs will go to the low-cost provider, so there’s no guarantee that privacy or security standards will be in place,” he warned.
However, Gow said, companies that collect data are fully liable for what happens to that data, regardless of whether data processing was outsourced and what protections were in place. “Increasingly, individuals will seek compensation from companies that chose to entrust sensitive data to third parties,” he said.
On the subject of standards, Cohn stressed that companies must comply with the highest legal standard in force wherever they do business. In the European Union, for example, if personal identifying information is stored in an EU country, companies are subject to the EU data protection directive even if the information pertains to non-EU citizens, he said.
In the United States, there is no comprehensive privacy law, the panelists said. Instead, there are different requirements for different kinds of personal information, such as medical data. Federal and state agencies oversee implementation of the laws, they said.
Gilbert said that companies used to feel they were protected where there were no specific regulations, but increasingly, no matter what the industry, there now are laws that apply to privacy.
California’s SB 1386, which took effect in 2003, is the first of what could now become a torrent of privacy breach laws, the panelists indicated. The law requires businesses and agencies that own or license Californians’ personal information to notify affected individuals of security breaches.
Legislatures in more than 20 other states are considering similar laws, and Congress has held hearings. One bill would require notification if there was a possibility that the security of a person’s personal identity information had been compromised.
Pointing to a long list of well-known firms that have recently found and announced lapses in their data security systems, panelists cited possible adverse effects, including civil lawsuits and significant damage to reputations. If security breaches continue, restrictions on outsourcing sensitive consumer data may be ahead, the panelists suggested.
Due diligence is the key to managing these risks. Contractual remedies offer little protection, panelists warned. Companies should require vendors to purchase data protection (security and privacy) liability insurance where it is available.
The panel discussion, “Privacy and Security Liability Risks: Protecting Information in an Outsourced World,” was moderated by Emily Freeman of Jardine Lloyd Thompson LLC, who specializes in technology-related liability risks. Turning specifically to the subject of insurance, she noted that traditional insurance policies offer little protection. For example, traditional crime policies cover stolen things, not stolen information. Policy forms have to be rewritten to carve out these new data security risks, which involve intangible rather than tangible property, she said.
Until recently, Freeman said, the take-up rate on the new cyber-risk policies had been slow. Several things have changed that recently, she said, including implementation of the Sarbanes-Oxley Act, which places liability for what happens at the CEO and CFO level, and the ChoicePoint privacy breach, where the company was forced to notify potential victims of identity theft under California law.
Panelists stressed the need to buy coverage that specifically addresses the risks involved in outsourcing. A vendor’s insurance, technology E&O, and cyber-risk liability policies must cover financial loss due, among other things, to unauthorized access and unauthorized use of data, they said.
Additionally, the definition of wrongful acts must include breaches of privacy. Because E&O forms vary by insurer, companies and their brokers need to understand the exposures that must be covered and choose appropriate forms.
For more information about the PLUS E&O Symposium, contact the Professional Liability Underwriting Society by calling (800) 845-0778 or (952) 746-2580, or visit the Web site www.plusweb.org.