Breach of Privacy and Breach of Security coverage provides protection for wrongful acts or claims resulting from unauthorized disclosure of personal and confidential information either as a result of your actions or the actions of another, such as a hacker. Most insurance agents and brokers E&O policies have not been updated to reflect the modern day exposures of conducting business electronically and fail to adequately cover such exposures.
Policy Form Exclusions
E&O policy forms often contain specific exclusions for claims "related to, arising from, or in any way attributable to a breach of privacy or a breach of security." If your errors and omissions policy contains such exclusions, there is little doubt that a claim for Breach of Security or Breach of Privacy would be denied. Other E&O policy forms are entirely "silent" on this issue. That is, they lack a specific exclusion for such claims, but they also lack a specific coverage grant as well. In most cases it is our opinion that "silent" is subject to interpretation. When an insurance policy is "silent," it is difficult to predict just how that policy would or would not respond. We recommend, when possible, that such coverage be specifically added to the policy language.
Breach of Privacy Risks
Insurance agencies collect, maintain and distribute confidential information from clients and others. Information such as tax ID, social security and driver's license numbers, home addresses, financial and income information and even medical information protected by HIPAA. This information is entrusted to your care for use in procuring insurance. Typically this information is stored as an electronic file on a computer, laptop or a server. We see risks in several ways:
1. The unintentional disclosure through sending an email or through other electronic means such as a fax.
2. The unintentional disclosure through a lost or stolen laptop or disc.
3. The introduction of viruses/trojans that can disseminate confidential information to unintended parties.
4. The unintended consequences of a hacker.
These would each be considered a breach of privacy and/or a breach of security exposure and excluded under most E&O policies.
What can you do?
Review your own E&O policy or engage an expert to insure that you have adequate coverage. A thorough review of your policy will reveal whether you have sufficient coverage relating to this risk.