Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
A couple of words can mean the difference between being covered for a certain event and not being covered.
Living in Houston, I have become too aware of the nuances in the language of various types of insurance policies. For example, homeowners insurance does not often cover flood damage or hurricane damage (these are separate policies). All too often, many people do not realize the parameters of their insurance policies until it is necessary to utilize them.
This notion of being aware of insurance policy provisions holds equally true for cybersecurity insurance policies. Like most types of insurance, there are different levels of coverage and different costs associated with those levels. Recently, a U.S. District Court issued a ruling related to a cybersecurity insurance policy.
Travelers Property Casualty Co. of America et al. v. Federal Recovery Services Inc. et al. held that Travelers did not have a duty to defend Federal Recovery Services (FRS). The memorandum decision said in part:
"Federal Recovery Services, Inc. ("FRS") and Federal Recovery Acceptance, Inc. ("FRA") dba Paramount Acceptance ("Paramount") (collectively, "Defendants") are in the business of providing processing, storage, transmission, and other handling of electronic data for its customers. Travelers issued a CyberFirst Policy to Defendants and Defendants are the named insureds under the Policy. …
"On October 10, 2012, Global Fitness Holdings, LLC ("Global Fitness") brought suit against FRS. The following allegations are contained in the Complaint filed by Global Fitness.
Global Fitness owns and operates fitness centers in several states. As part of its operations, Global Fitness had numerous members. Those members would provide either credit card or bank account information through which Global Fitness could bill the members ("Member Accounts Data.")."
Specifically, FRS was trying to recover from Global Fitness Holdings, LLC, in relation to an asset purchase agreement, which required the transfer of the members' account data. Because there was no breach, error, omission, or negligent act that fit the policy's coverage parameters, Travelers was not required to cover the cost of the defense.
"While the policy covers errors, omissions, and negligent acts, Global's claims against Defendants allege far different justifications for the data to be withheld." Here, there was no issue that FRS purchased a policy covering "errors and omissions wrongful act," [which] "means any error, omission, or negligent act." What FRS was seeking coverage for extended beyond these types of actions.
The Court's ruling can be analogized to having homeowners insurance and seeking recovery for flood damage, which is not covered under the general policy. This underscores the importance of reading the terms and asking questions before purchasing the policy. Equally important is looking for terms that are missing from the policy, as well as asking for clarification about the express terms. In short, it pays to attend to the details.
For physicians and hospitals alike, here are a few take-aways:
1. If you require that your business associates or subcontractors have cybersecurity policies, be certain that you read what they have to make sure that it is adequate;
2. Review the policies and procedures to ascertain whether the level of coverage is adequate for your organization's risk tolerance; and
3. Compare policies from different companies to see what rates and terms are the most beneficial to the organization.