Contract obligations, third parties and cyber insurance

Jun 05, 2017 | 13 mins
IT Leadership

John Southrey, Director of Product Development & Consulting Services for the Texas Medical Liability Trust, explains what you need to understand about third-party contracts and cyber insurance to make better decisions


Do you rely on third parties in your organization? Are you a third party to others? And have you signed agreements with these parties?

For many, the answer to all three questions is “yes.”

Do you know what obligations/risks you’ve contractually assumed in those agreements? Or what risks you expect others to take on? Do they know it? Does your insurance coverage “dovetail” with your contractual obligations?

A large part of contracting today is assuming risk from, or transferring risk to, other parties. Once you understand the risk-shifting “game” in third-party contracts, you can unlock the power to ask the right questions and make better decisions. That’s the focus of this final part of the Leading Security Change on Cyber Insurance series.

The insights come from John Southrey, CIC, CRM, Director of Product Development & Consulting Services for the Texas Medical Liability Trust. John leads the development and marketing of standalone cyber liability and technology errors and omissions liability insurance for hospitals, medical groups, Health Information Exchanges, health IT firms, and law firms. He also administers TMLT’s corporate commercial and cyber insurance, and speaks about cyber insurance to organizations throughout Texas. He is a Certified Insurance Counselor (CIC) and Certified Risk Manager (CRM).

John reads a lot of contracts and has learned how to ask probing questions that help everyone involved. That comes with a quick disclaimer, too: TMLT and John Southrey are not providing legal advice or a legal opinion concerning any contract(s). This article is provided for general information purposes only and should not be relied upon by third parties. The reader should seek legal counsel with respect to all contractual matters. Any descriptions of insurance coverage are also subject to the terms of the particular policy and the insurer’s interpretation of coverage, as well as any applicable regulations.

As you might imagine, John and I shared several engaging conversations. We talked about the increase in data breaches overall and specifically breaches of electronic protected health information (ePHI). We acknowledged that breaches are possible for even the best-defended organizations.

John’s experience in exploring the broad – and expanding – landscape of ePHI and reliance on third parties for processing and storing it neatly transfers to anyone working with or acting as a third party. While the examples and insights below derive from HIPAA-related matters, consider how the principles apply to your situation.

What do security leaders need to think about when it comes to the myriad of contracts swirling around?

Under HIPAA, a covered entity that uses the services of an independent contractor/business associate (BA), such as a cloud service provider (CSP), for processing and storing electronic protected health information (ePHI), must enter into a HIPAA-compliant business associate agreement (BAA). The BAA makes the business associate both contractually liable for meeting the terms of the agreement and directly liable for compliance with HIPAA Rules. Covered entities also often sign service-level agreements with a BA that include other data security responsibilities. These agreements are inevitably wrapped with third-party hold harmless and indemnification provisions, which can be the most important part of a contract.

Health care entities should review all contracts for these provisions and have financial contingency planning in place as a financial backstop, as indemnities can fail. An important question for health care entities to review with their counsel—before signing a contract with any BA who handles their ePHI—is: “Is my organization an Indemnitor or an Indemnitee in this contract?” In other words, who is agreeing to indemnify whom?

The Indemnitor is the party that provides indemnity to another, or rather has agreed to assume the tort liability of the Indemnitee, and the Indemnitee is the party that receives the indemnity arising from its liability to a third party that is assumed by the Indemnitor. A hold harmless is an agreement to indemnify an Indemnitee, but not a duty to defend them. An indemnity clause is an agreement to answer for or defend a liability that another party incurs, but it does not absolve the Indemnitee from its tort liability to a third party.

Executives should make sure they understand their contractual obligations with regard to any liability assumed under contract. Today’s risk transfer game is for the contracting parties to try to contractually transfer as much risk as possible and to accept as little risk as possible (for themselves). And attempts to contractually transfer all or part of the financial consequences of a third-party loss occur in a myriad of other contracts too, including website privacy statements, company privacy policies, and Merchant Service Agreements.

A basic indemnity agreement is when the Indemnitor agrees to hold harmless and indemnify the Indemnitee from any claims, penalties, fines, liabilities or damages, and attorney fees incurred by the Indemnitee arising from the Indemnitor’s breach of its obligations relating to its use, disclosure or safeguarding of ePHI. In some cases, the BA is the Indemnitor and the Indemnitee is the client. Conversely, in other agreements, the client could be the Indemnitor and they would be expected to fund any assumed liabilities.

What are some common – and perhaps not so common – questions to explore about your potential loss from a breach?

Each breach requires a unique response depending upon the circumstances. In many cases, we’ve found executives unaware of the spectrum of direct and indirect costs that can arise from a data breach. The direct costs can include legal fees; IT forensic fees to determine the causation of the breach and if any data was exfiltrated and for data restoration; and breach notification and response costs including legal fees, public relations support, hiring a call center and providing credit monitoring and identity theft restoration services. The indirect costs can include the loss of income and diminished patient goodwill and reputational damage.

Recently, a TMLT policyholder reported one of our largest cyber liability claims to date. It was a ransomware attack that resulted in a data breach of over 270,000 patient records. The claim reserve for the breach notification expenses alone is in the six figures. The insured didn’t pay the ransom demand, but in their endeavor to repair the ransomware damage, they wiped clean from their server all of the forensic evidence that could have proven “a low probability of compromise” to their ePHI. If the insured had simply reported the incident to TMLT’s claims department immediately, a forensic investigation would have been initiated quickly to determine if any data had been exfiltrated.

Contacting your cyber liability insurer immediately and preserving evidence should be the two main goals for any organization after a ransomware attack. A determination can then be made whether a forensic investigation would be appropriate.

After assessing possible loss, how do you use that information to guide questions about cyber liability insurance?

Among the most important third party coverages is the security and privacy liability coverage. It includes a duty-to-defend for third party claims alleging liability resulting from a security or privacy breach, including the failure to safeguard confidential information or to prevent unauthorized access to a computer system containing private information; to safeguard online or offline information; to prevent a denial of service attack; or to prevent the transmission of malicious code from infecting the computer system of a third party.

Among the most important first party coverages is the breach notification and response coverage. It includes the expenses incurred as a result of a privacy or security breach or adverse media report, as well as coverage for breach support expenses to notify affected parties or on behalf of a party for whom the Named Insured is vicariously liable, including legal fees; credit monitoring; IT forensic costs; call center costs; and advertising and postage expenses. It may also cover the cost to employ a PR consultant to avert reputational harm.

It’s important to know if the insurance policy will cover liability assumed under contract for damages resulting from certain wrongful acts — such as a multimedia wrongful act and security breach or privacy breach — where such liability has been assumed in the form of a written hold-harmless or indemnity agreement. This coverage can help to secure the insured’s indemnity obligation in a service contract with a third party and provide direct liability coverage for the third party.

Some policies exclude any coverage for liability assumed under contract or for any kind of indemnity or hold harmless agreement. Other coverage pitfalls can include exclusions relating to the insured’s failure to maintain the security of its network or computer system in accordance with industry standards or regulations and no coverage for unencrypted mobile devices. Those types of exclusions actually defeat the purpose of the cyber insurance.

Depending upon the covered wrongful acts, some policies include coverage for damages arising from an “unintentional breach of contract” related to technology services being provided to others for a fee. (This is an E&O exposure not typically covered in most cyber liability policies, unless endorsed otherwise.) For example, if the services don’t conform with written specifications or performance standards; were negligently performed or contained a material defect; or failed to comply with legal and statutory requirements or applicable standards; failed to comply with any warranty or representation that the services did not violate another’s intellectual property rights (except for patent or trade dress infringement); or resulted in a breach of an exclusivity or confidentiality agreement.

What do security leaders need to understand about the ability of a third party to “handle” a breach?

There can be challenges with trying to shift statutory breach responsibilities to someone else or in seeking indemnification through contractual risk transfer. I often hear health care clients stating the service agreements they’ve signed with various BAs alleviate them of their data breach responsibilities, which often is not the case. Typically, the client — who is the owner of the records — will have to respond in the event of an impermissible data breach. The Office for Civil Rights would likely look first at the client’s data security management and obligations in any investigation.

Depending upon the circumstances, the client and/or their BA will be faced with dealing with some of the following obligations:

  • Who has the responsibility to notify the affected individuals, state and federal regulatory authorities, and the media? (The non-owner of the data may only have an obligation to notify the data owner, but not the affected individuals.)
  • Who pays for the press releases or legal notices about the incident?
  • Who conducts or pays for the forensics investigation to determine the causation of the breach and what, if any, PHI was compromised?
  • Who pays for the credit monitoring and identity theft restoration services for the affected individuals?
  • Whose professional liability/cyber liability insurance is going to pay for these costs, including any potential loss of income due to a business interruption?
  • Do the client and the BA both have insurance coverage for liability assumed under contract?

Even if the notification obligation or indemnification is placed on the BA’s back as the Indemnitor, it still brings up the question of how can the client/Indemnitee be sure the BA will comply with a contractual indemnification requirement? Does the BA have cyber liability coverage to pay for breach response costs or for third-party damages and if so, do they have adequate limits and will it cover all of the incurred breach response expenses?

Indemnity agreements are not insurance. Insurance is a separate agreement not governed by other contracts, as an indemnity agreement and an insurance policy impose separate and independent duties. Importantly, a contractual requirement imposed upon an Indemnitor to provide liability insurance to cover an Indemnitee doesn’t effectuate coverage for them. The Indemnitor’s insurer is not bound by a contract executed between their insured and the client—unless the Indemnitee is actually defined or added as an insured in the policy or the agreement is considered to be an “insured contract” by the insurer, which is typically defined in liability policies as tort liabilities the insured has assumed in specified contracts.

In some liability policies, the definition of Who Is Insured automatically includes other types of insureds, such as an agent or independent contractor while acting on behalf of the Named Insured. (Note this typically will not cover the agent or independent contractor’s sole negligence, which is why they need their own insurance policy in their name.) It may also include, as an insured, any person or legal entity to which the Named Insured is required by written contract to provide such coverage. That’s why, if an Indemnitee is looking for defense and liability protection from an Indemnitor’s insurer, they should obtain documentation that the required coverage for the Indemnitee was actually obtained.

Even if the Indemnitor’s contractually-assumed tort liability is accepted by the Indemnitor’s insurer, the insurer is not going to start issuing payments for breach expenses without investigating their insured’s responsibility for the breach and the reasonableness of those expenses.

How can security leaders tell if the broker or agent they are talking with has a grasp on the nuance of cyber liability insurance?

One way of knowing if an insurance agent/broker is familiar with the ins and outs of cyber insurance is to ask them directly. Specifically, do they understand the various coverage grants and “Who Is Insured” in these policies? Cyber insurance coverage forms are not standardized, making it difficult for both the client and agents/brokers to differentiate them.

Another good indicator is if the agent addresses the importance of having both cyber risk management and cyber liability coverage, the latter as a financial backstop should a covered loss event occur.

Additionally, you want an agent who asks for copies of your contracts to look for any stipulated insurance requirements and indemnification provisions. Some contracts stipulate insurance requirements such as maintaining “professional liability insurance” (a generic term that can include an array of coverage forms) including naming a party/Indemnitee as an Additional Insured to the insurance policy. This latter requirement may provide a financial “safety net” for the Indemnitee in case the hold harmless agreement is deemed unenforceable.

In such cases, you should ask your insurance agent/broker to determine if you have the appropriate coverage in place. Agents can’t provide legal advice or opinions, unless they’re a licensed attorney. But they do need to know if their client’s coverage comports with their contractual risk transfer obligations and to look for potential coverage issues, as well as to determine if the client is adequately protected. So an agent’s contract review will be limited to whether the client’s proposed or current insurance program addresses the types and amounts of insurance coverage referenced, if any, and to evaluate the client’s ability to transfer and retain risk.

There will be uncertainties in some situations about the role insurance may play in supporting contractual risk transfer. Depending upon the coverage provisions, it may provide the funding of liabilities assumed by contract, but perhaps not all of them. There is always some retained risk.


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.