RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From:
Jim Booth <[log in to unmask]>
Reply To:
Records Management Program <[log in to unmask]>
Date:
Wed, 17 Sep 2014 19:45:20 +0000
Friends: Just wanted to clarify a few things about insurance since some interesting and potentially confusing points have been raised.

1. In order to actually provide insurance you have to be licensed to sell it. It is highly regulated. Any comparisons to the concept of insurance are fine as far as metaphors go, but it would be a mistake to assume that any vendor is "offering insurance" since it is unlikely that they are licensed to sell it. 

2. In most data breach cases that I am familiar with, there are all sorts of unexpected things that occur. The United States is very litigious and other countries are headed in that direction. Many regulatory entities provide enforcement concerning data breaches including Health and Human Services, the Federal Trade Commission and most states. Privacy regulations also exist in Canada, Australia, the European Union, Singapore, India, Mexico, etc. Each of these laws has differing requirements but generally they share a common theme: if there is a release of confidential information to someone who is not authorized to receive it, there is an obligation to inform the person whose information was released and provide an explanation of the circumstances that contributed to the release. Depending on the law this obligation may be incumbent on the records owner or on the entity responsible for the breach. Who can say what kind of lawsuit may come as a result? Perhaps there are some definitions of the conditions under which the notification takes place or more clarifications that may be present elsewhere such as contracts, or contract addenda like the "Schedule A", Business Associate Agreement, Gramm Leach Bliley Addendum, etc. Certainly there would not be much room for explanation on an invoice.

3. As has been stated already, general liability coverage may explicitly exclude data breaches or cyber liability. Some clients provide required insurance limits to RIM service providers for this type of coverage. Because of expenses related to breach notification and the potential for litigation, these limits have grown over time. In working with or observing policies of this type, limits typically exceed $1 million in the United States. These policies typically do not discriminate between paper and electronic records. As Fred mentioned, special types of coverage are available for commercial RIM operators storing records. The best crafted policy forms include broad coverage, including but not limited to, E&O, Cyber, and Privacy liability - where risks related to data breach and other related hazards can most succinctly be addressed at the time of loss/claim.

Regarding the follow-up question on the source for data breach costs, The Ponemon Institute is generally the source for these types of statistics. Here is the link to the 2014 report:
http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

Best wishes,

Jim

Jim Booth
Records & Information Management Practice Leader

Brightstone Insurance Services, LLC
Direct - 919.323.3266
Direct Fax - 914.636.0802
Main - 877.862.4755 x 3266
[log in to unmask] 
www.brightstoneins.com


Please Note: Coverage cannot be placed, bound or altered without confirmation from a Brightstone Representative. 
