Thursday, September 15, 2011

Medical Cyber Liability and Data Breach Costs

I look forward to seeing so many familiar faces and to meeting some of you for the first time at the upcoming Fall IMGMA show. Please make sure you stop by the TrueNorth booth to say hello and register to win an iPad. If you haven’t used one before, they are very slick, and if you already have one, you certainly know they are addictive and having a second would be all the better!
We have spent more and more time internally discussing cyber breaches and how we are assisting our clients to be sure that, in the event of a breach of personally identifiable information (PII) for your patients / employees, they have some, if not complete, coverage. This is a very real and very new threat, and one that is expanding by the week. It is interesting to note that we have only quoted these policies over the last few years, but coverage has changed significantly and is now much more inclusive, attacking the heart of the problem:
NOTIFICATION COSTS!
Many early internet security and data policies provided small coverage limits, but they failed to address notification costs and were mainly intended for defense costs and / or 1st party liability to help you repair your systems in the event of a breach. Some of the early policies also do not cover physical breaches (i.e.: patient paper records or charts stolen, retrieved from recycling, or exposed through a simple error in discarding these records).
We are advising and quoting complete cyber liability and data breach coverage for all of our clients and paying close attention to notification costs. This expense can add up very quickly and is often required even when we cannot prove a breach has occurred, for example if a laptop is stolen or lost or we left a terminal unprotected overnight. A breach may not have occurred, but if we fail to notify our patients and provide the necessary credit and identity protection, we open ourselves not only to indemnity costs but also to civil, state and federal fines.
Take a look at this example of notification costs from the Ponemon Institute:
Top Findings
More organizations favor rapid response to data breaches, and that is significantly costing them: Forty-three percent of companies notified victims within one month of discovering the data breach, up 7 points from 36 percent last year. That growth marks the largest percent increase among data breach response attributes. For the second year in a row, these “quick responders” paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.
For the fifth year in a row, data breach costs have continued to rise: Data breaches continue to cost organizations more every year. Total breach costs have grown every year since 2006. Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year.
Think about that statistic. If you are not carrying a separate data breach policy and do not have it as an endorsement on your Executive Liability package, and you suffer a breach or potential breach, it could cost as much as $214/record. These costs can accumulate very quickly, and we are advising all of our clients to at least find out what options are available. Even a small breach of 100 records could result in ~$21,000 of out-of-pocket expense. These costs include the following:
1. Notifying each patient / record
2. Establishing a crisis management plan and hotline
3. Providing access to identity and credit protection services to re-establish patient / employee confidence
4. Indemnity costs
5. Defense costs
6. Civil fines
Data security breaches and compromises of customer and employee data continue to be reported at a high frequency. When a breach occurs, you and your physicians need to be ready to respond quickly and effectively to mitigate your exposure to brand damage and legal liability. Please swing by the booth and we can discuss further. We can help you determine if you have an exposure and certainly help you identify how to address it. Below are some additional examples of medically related data breaches.
Data Breach Types
Breaches by third-party outsourcers are becoming slightly less common but much more expensive: Third-party mistakes continued their slight decline in 2010 to 39 percent. The cost of such breaches rose significantly, however, up $85 (39 percent) to $302 per record. These figures may indicate that compliance with government and commercial regulations for data protection is dramatically raising breach costs involving outsourced data.
Breaches involving lost or stolen laptop computers or other mobile data-bearing devices remain a consistent and expensive threat: The prevalence of breaches concerning mobile devices holding sensitive data stayed roughly the same at 35 percent this year, down a point. Per-record costs rose $33 (15 percent) to $258 per record. Our research suggests that device-oriented breaches have consistently cost more than many other breach types. This may be because investigations and forensics into lost or stolen devices are more difficult and costly.
Companies are more vigilant about preventing systems failures: The number of breaches caused by systems failures dropped 9 points in 2010 to 27 percent. Breaches from systems failures averaged $210, up $44 (27 percent). The noticeable drop in breaches from systems failures may point to organizations becoming more conscientious in ensuring their systems can help prevent and mitigate breaches (through new security technologies and/or compliance with security policies and regulations).
Negligence remains the most common threat, and an increasingly expensive one: The number of breaches attributed to negligence edged up a point to 41 percent. Breaches from negligence in 2010 averaged $196 per record, up $42 (27 percent) from 2009. The relatively stable incidence of negligence may indicate that ensuring employee and partner compliance remains an ongoing challenge. These figures may reflect the growing prevalence and cost of malicious breaches, as well as organizations’ growing competency in handling breaches from systems failures and negligence.