Biggest Misconceptions about Cyber Security and Data Breaches

Feb 19, 2016

Data Privacy and Network Security is only a problem for large companies. While we are only made aware of large security breaches affecting big companies, data privacy and network security are a concern for organizations of any size, especially healthcare organizations.

Recently a medical group was infected with ransomware. Ransomware typically spreads as a trojan, whose payload (in computer security terms, the part of malware that performs the malicious action) is disguised as a seemingly legitimate file. The malware encrypts the targeted computer’s files and then displays a ransom note with an address belonging to the extortionist demanding the ransom. Losing access to files and systems paralyzes the organization, making it difficult or impossible to function until the ransom is paid and the malware author provides the decryption key.

We can afford to self-insure the risk. This is a common misconception. With greater demands and limited budgets, some companies mistakenly believe that if something happens they can cover it. The average cost of a breach in 2013 was $733,000, according to the NetDiligence Annual Claims study. In 2015, IBM and Ponemon reported that the average total cost of a data breach for the participating companies had increased 23 percent since 2013. Incident response expenses, notification, monitoring, investigation, and public relations can add up very quickly.

Insurance coverage is expensive and hard to get. This might have been true years ago, but with increased capacity, claim experience and a larger number of buyers, network security and privacy liability insurance coverage is more cost-effective and easier to obtain.

Our general liability policy will cover us. General liability insurance typically covers bodily injury and property damage. The courts have consistently ruled that data is not property and is considered intangible. I tell my clients that if they don’t carry additional specific coverage for financial injury arising from a failure of security or a failure to protect confidential information, they’re probably exposed.

We have vendors who handle our billing and claims. If they have a breach, it’s their problem. Not necessarily true. The data owner/originator of the record or information is ultimately responsible for that record or information. A breach at a trusted contractor still triggers a notification duty—the risk cannot be transferred to a contractor or vendor. You can sue the contractor/vendor to recoup your losses, but that doesn’t handle the immediate need for action.

We’ve helped many medical groups and health plans obtain cyber/privacy coverage.  The best option is to purchase a separate cyber/privacy policy that not only covers you for the items above, but will also typically provide coverage for regulatory situations.



We have the carriers that can provide the coverage.  Call us to discuss your needs.
Susan Kattoo
McPhee & Associates, Inc.
(818) 541-7900