In today’s challenging economy, it is hard to turn away new business, whether from a client who provides a law firm with steady work, a broker who contracts for investment services, or a health care organization that contracts with a nursing registry. But what happens when the new client demands, as part of the deal, that the vendor undertake security measures and indemnify the client for cyber breaches? In some of these transactions, the vendor accepts the consequences not only of its own breaches but also of breaches of that data by others it shares it with.
Business contracts that involve the use of personally identifiable information (PII) may require the following from vendors:
- written information security program;
- requirements for notifying the business partner of breaches;
- restrictions on access to the vendor’s network on a need-to-know basis;
- data encryption, password, user ID and biometric requirements;
- annual review of technical vulnerabilities;
- data destruction policies.
The contract may also require the vendor to indemnify the business partner for claims, damages, costs and attorney fees arising from allegations that a privacy breach was caused by the vendor, or even by a third party to whom the vendor gave PII.
To some businesses faced with these contractual burdens, the answer is privacy insurance. If the vendor is alleged to have breached the security terms of a contract or otherwise contributed to a breach, it wants to shift the costs of those consequences to the insurer.
But do all insurers realize that extending cyber coverage to one company may mean assuming the contractual obligations of another? To avoid any such unwelcome surprises, the insurance application should ask about these other contractual arrangements, the underwriting guidelines should contemplate them, and above all, the brokers and underwriters should review the contractual terms themselves so they understand the scope of the risks. Although this review could involve a substantial number of hours, time spent on the front end of the process can save money on the back end.