current rule, covered entities, whether located inside or outside the US, must notify individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed following a breach of that unsecured PHI. Covered entities must also notify the media and HHS by specific means set forth in the rule. The rule also requires that business associates who become aware of a breach must notify the HIPAA-covered entity of the breach.


Federal regulation of insurers as financial institutions


Some insurance entities may be subject to regulations governing ‘financial institutions’, a term that can be broadly applied. Offshore entities should be aware of the potential applicability of the federal Gramm-Leach-Bliley Act (GLBA) and other US financial regulations. GLBA includes both data requirements and security rules as to how individuals’ PI may be used and disclosed, and requires the creation of a written information security plan spelling out how PI is protected.


State regulation


Most US states and territories have data protection laws that require notice to individuals whose personal information has been subject to a data breach, and often also require notice to various regulators and law enforcement. The notice requirements can differ, however, as to content and procedure. Some expressly provide that they apply whenever there is a breach of PI of their residents, regardless of the location of the entity that was breached. For example, the Massachusetts data security regulation applies to any company, regardless of type, size or location, that possesses the PI of Massachusetts residents.


Thus, upon the occurrence of a data breach an initial, and major, task is to identify which jurisdiction or jurisdictions’ requirements apply. A breach often involves residents of many different states, and sometimes of different countries, particularly when the breach is of a large computer database.


The potential costs and financial exposures


The financial costs of a data breach can be substantial. Costs for a single typical breach are generally estimated to exceed $1 million, including the forensic costs to investigate the breach, legal counsel to advise on required responses, notification costs, response to regulatory investigations, defence of third-party claims by individuals and entities adversely affected by the breach and, often, regulatory fines and settlements with claimants. When the indirect costs of loss of reputation and business, lost time addressing the breach, remediation of the breached system, and business disruption are included, the effective costs can be multiplied.


Data breaches that trigger these costs can result from something as simple as a lost laptop or disgruntled employee, or as complex as a sophisticated malware attack generated by an international criminal hacking ring.


The lines of insurance potentially exposed


While captives themselves are subject to data breaches, captives may not be aware that many of the lines of insurance they issue may be subject to demands for coverage of claims arising from a data breach sustained by their insureds. Some captives have issued cyber risk policies expressly designed to insure costs incurred by insureds that have sustained a data breach. However, more traditional lines of insurance have been the subject of requests for coverage of claims asserted against a breached insured, including requests under general liability policies and professional liability policies. While the success of most types of claims has yet to be fully tested in coverage litigation, captives should consider the likelihood of such claims and their response to such requests for coverage in assessing their exposures.


Practical considerations


While the exposure of captives to data breaches of their systems, and that of their insureds, is substantial, most studies of breaches indicate that the risk can be substantially reduced by minimal to moderate security precautions, ranging from electronic systems protection and the training of employees, to reducing the collection, retention and transmission of information that is unnecessary for the functions of the captive.


Thus, to reduce its exposure, a captive insurer that deals with the information of US residents (or provides insurance coverage for data breaches to other entities) should pay attention to its policies and practices (and those of its insureds) for data collection and use. Good data security practices can minimise not only the risk of a breach, but also the risks of regulatory fines and successful third-party claims, should a breach occur.


Eric Fader and Laurie Kamaiko are members of the Privacy and Data Protection Group at Edwards Wildman Palmer LLP’s New York office. They can be contacted at: efader@edwardswildman.com and lkamaiko@edwardswildman.com, respectively.




64 bermuda captive 2012

