The Perils of Cyber Liability
We have recently received many inquiries about client records liability and the risks arising from breached client records. We have published TIPs about Cyber Liability in the past, but today’s environment makes it vital to provide some highlights. Understandably, the COVID-19 situation has caused increased focus in this area, primarily because we use third-party information resources more frequently. Examples include cloud, data warehouses, remote servers, and even paper storage providers.
According to a 2017 insurance industry claims history study by Hanover Research/Market Insight Center, “Cyber Liability Insurance Market Trends: Survey,” the top four cyber-related insurance claims, which comprise most of the 75% of all cyber liability insurance claims, are:
- 25% Hacker
- 12% Stolen Laptop/Device
- 10% Staff Mistake Records Disclosure
- 9% Paper Records Breached
These four categories of incidents impact YOU. The NASW Risk Retention Group insurance products cover these perils with no deductibles.
Our insurance claims experience in all 50 states indicates that social workers and behavioral health practitioners, in general, are more susceptible to records breach risks and related insurance losses than to extortion risks or other cyber risks. While these losses may not be substantial cash losses, there are HIPAA (45 CFR Part 160 HIPAA HITECH Law) consequences and fines involved that will undoubtedly cost the practitioner much money and, depending on the size of the breach, could bankrupt the practice.
For example, a simple and innocent “First-Party” client records breach mistake could be a fax containing client records that the practitioner sends to the wrong telephone number. “First-Party” is the insured practitioner, who, in this example, caused the accidental breach. Under the NASW RRG Professional Liability policy, we cover this accidental breach, unlike other competitors’ policies.
The NASW Risk Retention Group’s Cyber Liability insurance suite covers the major cyber liability perils specified under the 45 CFR Part 160 HIPAA HITECH Law. These are “Third-Party” liability records breach incidents. These perils include legal defense, state and federal fines and penalties, damages to clients, the required security breach audit, client notification costs, and the required ID theft protection subscriptions for victims. Professional Liability policies do not cover these “Third-Party” perils.
However, the NASW Risk Retention Group offers a Cyber Liability suite of insurance policies covering these perils at premium rates as low as $59 per year, with a zero deductible included.
Virtually all cyber liability insurance claims require an attorney for the practitioner’s legal defense. What does that mean to you? About $300 to $850 per hour, plus an advance retainer of $5,000 or more.
The importance of Cyber Liability and Breach of Patient Privacy heightened in September 2013, when 45 CFR Part 160 HIPAA HITECH Law launched. Ultimately, the responsibility for protecting client information lies with the practitioner no matter where the data resides, including with third-party movers handling your files and data network cloud providers. In the event of a breach, this law requires the practitioner, YOU, to do the following:
- Pay for a one-year identity theft subscription for each victim (this costs more than the annual premium for an NASW RRG cyber liability policy);
- Notify by letter every client affected by the breach described, costing YOU more than $1.00 each;
- Pay for a mandated security audit by a recognized computer system auditing company, starting at $3,000 or possibly $5,000;
- Pay all state and federal fines and penalties;
- Pay for your legal defense fees;
- Pay for damages sustained by your client(s); and
- Pay or serve civil and criminal penalties that include $100 to $25,000 per occurrence and up to $1.5 million for willful neglect. The criminal penalties range from 1 year in prison to 10 years in prison.
It makes sense to buy an NASW Risk Retention Group Cyber Liability policy, and the product suite to choose from includes an array of 6 policy limits up to $25,000 per occurrence/$25,000 aggregate. A Cyber Liability policy Endorsement is also available to cover office workers.
Thank you for all that you do as first responders and as ongoing behavioral health and social work providers. It is truly a noble profession needed now more than ever. Good luck, and stay healthy!