Headquartered in Rock Hill, New York, program administrator and ProgramBusiness.com storefront Irwin Siegel Agency, Inc. (ISA), has been providing innovative and competitive insurance solutions for nearly 40 years to niche markets that include social service, developmental disability, addiction treatment, behavioral/mental healthcare, and youth development service providers.
We recently spoke with Dawn Martin, AVP of Underwriting, and Brad Storey, Director of Risk Management, at ISA, about the cyber issues that the social service industry faces. Like any other industry, data breaches have become an increased exposure for this sector. Dawn and Brad provided us with insight as to what types of cyber issues affect the human services industry and measures to help stem the risks involved. They also discussed the coverages they provide specifically designed for social services.
Brad has played a significant role in broadening risk management resource offerings for ISA insured organizations. In addition, he has developed a national network of consultants and specialty partner services that provide consultation on specific human service exposures. He has presented at a multitude of State and National conferences on the topics of organizational safety, risk management, and proactive risk assessments. In 2010, Mr. Storey was elected to the Board of Directors of a National Association, dedicated to advancing the practice of Psychiatric Rehabilitation. He served the Board and finance committee until 2011.
Dawn oversees a Region of Underwriters skilled in the administration of ISA’s Specialty Package Program for Non Profit Social Service Risks. She is also directly responsible for the supervision of a Specialty Lines Unit that facilitates the issuance of all Directors & Officers policies, Workers’ Compensation policies and other ancillary products that compliment ISA’s Social Service Program. Dawn has been instrumental in the research of new product lines and assists in the development of new programs by working with the new companies in building policies forms that include industry specific coverage enhancements.
Annie George (AG): What type of exposures do social service organizations face in terms of data breaches, unauthorized use of personal data, etc.?
Brad Storey (BS): “There have been many technology and other changes throughout the social service industry that make it vulnerable to data security issues. You have personal data stored on laptops and small media devices such as thumb drives and iPhones that are easily lost or stolen. Without proper encryption included on these devices, an organization can be greatly exposed.
“You have case managers, for example, who don’t report to an office. They’ll visit their caseloads, go back to their homes and input the information, including personal health information, on their laptop and save it on their thumb drive. If you have many caseworkers with many caseloads, you can see how this exposure increases exponentially.
“Furthermore, different organizations do things differently with some more sophisticated than others. Some are still working with pen and paper while others are working with electronic hand-held devices that will send data in a real time. There’s a wide gamut when it comes to technology in the human services industry.”
Social media and blogging is another area of concern with more people in the human service industry engaging on these platforms, Brad explained. “In an effort for an organization to get their name out to the public and promote their services, some may get ahead of themselves and not have the proper policies and protocols in place governing what type of information can be shared through social media and blogging. The last thing you need is to inadvertently reveal information about a particular individual you served at your organization or facility through a social media site or through any of your blogging efforts. You need to make sure you have the right policies in place.”
Brad also explained that with the advent of electronic health records, there are a slew of technology vendors offering services to assist the human service industry in the implementation of these records. “When you go to a tradeshow today, 60% of the exhibitors are technology vendors,” said Brad. “It’s important that the proper vetting process takes place from a security aspect. Just like every other industry you have some providers that are better than others. You need to be sure you vet out your electronic health record vendor – this can’t be understated.”
Another area of privacy vulnerability for human service organizations involves those serving the Medicare and Medicaid population. “The ID numbers associated with Medicare and Medicaid are valuable to people looking to commit fraud by using the numbers for medical identity theft, prescription drug abuse, etc.,” said Brad. “It’s important that all organizations, even smaller social service operations, understand that they can be a target for these fraudulent rings.”
Dawn also explained that a whole new exposure has developed with document shredding services. “There is data in these documents belonging to third parties that can include credit card info, bank information, health records, etc. This exposes an organization to the risk of this information landing in the wrong hands and being used improperly,” said Dawn.
AG: Let’s discuss some of the ramifications of the High Tech Act and potential exposures to social service organization.
BS: “As part of the Affordable Care Act, The Health Information Technology for Economic and Clinical Health Act (HITECH) Act was implemented. This affects social services organization in two ways: First, the Department of Health & Human Services is now working with a third-party administrator to conduct pilot HIPPA audits on a random basis to verify that healthcare providers, health plans and their business associates adhere to HIPAA privacy and security standards.
“Second, there is now a provision stipulating that business associates of organizations that transmit protected health information are responsible on a primary basis for any data breaches. The penalties and fines that have always been levied against health care organizations for data breaches are also transferred to the business associate. For example, let’s look at the exposure Dawn mentioned when it comes to documentation shredding services. In the past, a hospital using such a service would be responsible for a data breach that occurred as result of work done by the shredding company. The High Tech Act now allows individuals to hold the documentation shredding company accountable as a third-party vendor. This is a good risk transfer mechanism for health care organizations.”
AG: There was a study done recently revealing that a large percentage of small businesses don’t carry Cyber Liability/Privacy coverage. They don’t feel they have a real exposure, which is certainly not the case. Do most organizations in the social service sector carry Cyber Liability insurance? If not, why don’t they carry coverage?
Dawn Martin (DM): “A good majority of organizations don’t have cyber coverage, as they don’t understand the exposures they have. You hear cyber liability and identity theft and you think of electronic breaches, or security issues over the Internet. But, breaches can occur within the organization on their in-house systems; and as we discussed, they can have breaches with shredding operations in addition to exposures from paper documents. A lot of your smaller organizations may not have electronic records at the moment and still have everything on paper. If something is taken, that’s an exposure as well.
“Another reason for not buying the coverage is the cost. Yet, there is a wide range of products out there – from those with small premiums to policies with rather large premiums, depending on the coverage you want. Smaller organizations shy away from the cost, but they need to be educated. The cost to notify everyone that came into contact with your system after a breach can be substantial compared to a small-premium policy. There are 45 states that require notification following a breach. The average notification cost per record is $120 per record. If you have 500 records, that’s $60,000 to the organization compared to, let’s say, a $4,000-premium insurance policy.”
AG: What risk-mitigation, loss-control protocols should social service organizations have in place?
BS: “Encryption is key – making sure that the information is encrypted so that if someone picks up a thumb drive or an iPhone, they can’t get to the data. Also, ensure that policies and procedures are in line with current legislation and privacy rules. Technology changes frequently, and it’s important that people understand that have to keep in step with these changes. There once wasn’t an iPhone, and here we are 5 years later and we’re on version 5. It’s important that organizations keep up with the technology and all the legislation and rules that govern the exposures. An organization also must ensure that policies are enforced and followed. If they’re not followed, additional liability will be created for the organization.
“Also, an ongoing assessment of all technologies and new platforms is critical. Is the organization blogging, tweeting, etc. and ensuring that information is not going out there, that there are tight controls? Also, make sure business associate agreements are in place and signed, allowing for risk transfer.
What’s more, if there is a data breach, the company is accountable for everyone that’s been breached. So you want to make sure that what you’re monitoring is appropriate. If there is health care information or insurance information that has been breached, that’s not necessarily going to be caught within a credit monitoring report. Be sure you are monitoring the proper avenues.”
AG: What cyber products does ISA offer in the social service space?
DM: “We have Cyber Liability and Identity Theft tied to our NetProtect product, available through A-rated carriers. We have two types of policies: One is a scaled-down, basic policy that covers liability claims for security breaches resulting in identity theft or network damage, and some third-party liability if the insured’s system is penetrated with a virus and they happen to link to other people’s websites. It also covers the resulting damage, and the cost to comply with applicable state laws that require you to notify customers.
“Our broader coverage includes all of the above, in addition to your flash drive, paper files; the cost to hire experts to investigate and minimize the damage; and the ongoing electronic theft. First-party coverage is also available if needed.
“Coverages are available a la carte – so you can select what you need. What’s more, there is true worldwide coverage. A majority of policies offer worldwide coverage but the suit has to be brought in the U.S. Our policies provide worldwide coverage no matter where the suit is brought. The policy is also silent on Cloud exposures – third-party vendors that the insured may entrust to store the information. Other policies specifically exclude this exposure.
“Insureds need to understand that within the GL policy for a loss to be covered physical damage must occur to tangible property. Information is not tangible property so there is a gap in coverage. This is another area on which we have to educate clients…that the GL will not pick up coverage for breaches of information.”