Health Service providers and data breaches – How Cyber Insurance can benefit you
You may feel you can manage the potential business and crime risk to your organisation of a cyber-related incident, but have you contemplated the risk if you don’t comply with new legislation?
From 23 February 2018, amendments to the Privacy Act take effect and mandatory data breach reporting applies from that date. The breach must be assessed, notified and reviewed. Both the individuals at likely risk of harm due to the breach and the Australian Information Commissioner must be notified of the breach in accordance with the legislation. This takes time and money. If entities don’t comply, civil penalties may apply of up to $360,000 for directors and $1.8m for companies. Your business reputation is also at risk.
Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individual whose personal information is involved in the breach. A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the laptop that holds the company database on the train). These are known as ‘Eligible Data Breaches’ under the Notifiable Data Breach scheme. The scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, and businesses and not-for-profit organisations with an annual turnover of over $3 million. Businesses smaller than $3 million that nevertheless have a mandatory reporting obligation under the scheme include health service providers, because health information is regarded as the most sensitive type of personal information.
Data can be accessed by anyone anywhere in the world, which puts the issue of cyber security ‘front and centre’ for many organisations. As workplace rehabilitation providers, you would hold patient / customer records on a central database. The increase in data breaches highlights the sophistication and ability of cyber attackers to penetrate systems. Health service providers are in the top 5 categories of data breaches. Sensitive data may be accessed by many people, whether by a hacker or by a rogue employee who breaches the privacy of the information held.
Along with ensuring you have suitable systems and security in place, Cyber Insurance is important because it gives you a point of contact for immediate assistance, including legal advice, notification costs (which may involve setting up a call centre to advise the people on your database of the breach) and rectification costs.
Unfortunately, many clients seek out suitable coverage only after they have had a loss. We recommend arranging Cyber Insurance now so that you have coverage in place, and then remembering that you have insurance to assist you if your data is later breached, as it may save your business. Cyber Insurance can help you manage your cyber risk in the event of an incident, assist customers to maintain confidence in your business and protect your reputation.
Aside from the benefits of coverage following a privacy breach, a Cyber policy has various other coverage benefits including the following:
– Rectification costs following malicious damage and ransomware to your own system;
– Online business interruption following a cyber event, such as hacking and ransomware;
– Costs associated with identity theft, such as any unauthorised EFT, or theft from your bank account or credit cards by electronic means. This is another important benefit of this type of insurance, as there has been a rise in claims where a person impersonates someone else and convinces the insured to transfer money to the wrong recipient, causing a loss to the insured.
This advice and comments are provided in the capacity as your insurance broker and should not be construed as legal advice. Separate legal advice relating to the interpretation and implication of this article for your individual circumstances should be obtained.
A disgruntled customer hacked into ‘Great Physio & Osteo’s’ database, stole the information and posted the names, addresses and medical information of its clients online. The database contained the information of 2000 past and current clients. As ‘Great Physio & Osteo’ is a health service provider, this incident would be an Eligible Data Breach requiring mandatory notification under the Notifiable Data Breach scheme. Fortunately, ‘Great Physio & Osteo’ had purchased an annual Cyber Insurance policy on the recommendation of their insurance broker the previous year.
The Insurer provided the following services to cover the costs of the data breach:
Incident Response Costs
– Access to a 24/7 response hotline, management and initial remote support on first detection of the breach;
Legal and Regulatory Costs
– Obtaining legal advice, drafting notification letters, notifying relevant bodies, and responding to and defending any regulatory action;
IT Security and Forensic Costs
– Engaging external IT security to identify the event, scope the potential loss, conduct a forensic investigation and remove any viruses / security threats;
– Professional advice on public communication to the clients affected by the breach;
Privacy Breach Management
– Ongoing credit monitoring services, identity theft management and a telephone response centre for calls.
In this example the cost was $200 per client to fully rectify the breach through the services outlined above. With 2000 affected clients, the total cost to the Insurer was $400,000, a cost that ‘Great Physio & Osteo’ did not have to bear themselves, and they were able to draw on the expertise provided through the Insurer. The Insurer also paid an additional $25,000 for business income losses up to 60 days after business activities returned to their pre-breach level. The total costs associated with the event were $425,000.