If your trust fund is the keeper of personal identity or sensitive information on participants and their beneficiaries, the answer is likely, yes. However, when the fund’s service providers are maintaining that information, the question is a bit more complex.
It is critical that trust funds ensure that all of their service providers with access to personally identifiable information have appropriate safeguards in place to protect that information, including cyber-liability insurance. Once that is done, the question becomes: does the trust fund need to do more? Does the fund need its own policy? Many experts say yes, but the answer might not be that easy.
Weighing the costs of additional insurance
There is no question that your trust fund and its service providers are at risk for a data breach. Whether that breach occurs from a hack or simple negligence on the part of an employee, no entity can guard 100 percent against the possibility of a breach.
A breach potentially brings with it some serious costs, but how much of that is the fund’s liability? How much of that liability is potentially covered by existing insurance? Even though the cost of cyber-liability insurance has come down in recent years, these are the questions trustees must consider in weighing the cost of additional insurance against the protection that insurance offers.
Serious costs come with a data breach
The costs associated with responding to a breach fall into two camps. The first is direct costs. They include the expense of evaluating and managing the breach. These expenses may include hiring a data specialist, if necessary, to assess the scope and nature of the breach. Retaining an outside expert to “patch” any breach, develop new data security protocols, and train employees on those procedures may also be necessary. If a breach occurs within a service provider’s network, these costs most likely belong to that service provider. Whether those costs are to be borne by the provider or shared with the trust fund will depend largely on what the service provider agreement states.
Safeguarding protected health information
In addition, there are the legal and consulting fees the fund will incur to ensure the fund complies with breach notification requirements under state and federal law. Aside from ERISA, the obligation to safeguard data and respond to a data breach arises from multiple sources for health plans. At the federal level, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and related regulations, include detailed rules regarding the safeguarding of “protected health information,” which includes any individually identifiable health information held by medical providers, health plans, and healthcare clearinghouses or their business associates. Federal law assigns the duty to safeguard such data and to notify data subjects of a breach to “covered entities,” a term that includes both the plan itself and those with whom it contracts, referred to as “business associates.”
State law matters
Currently 47 states have their own privacy laws. In the event of a breach, trust funds must be aware of the privacy laws of each state where affected participants and beneficiaries reside so as to comply with that state’s requirements. If a breach occurs within the service provider’s network, state law must be examined to determine whether the trust fund is primarily responsible for the breach notice. Even if the trust fund has no legal requirement to provide its own notice and the service provider is issuing notices, the trust fund will still have to determine whether it wishes to send a separate notice for political or public relations purposes.
Whether the plan is required to provide a breach notice or does so voluntarily, the plan potentially will incur the printing and mailing costs associated with the breach notification. Additionally, in some cases, the plan will need to offer credit or identity theft monitoring services to affected participants and beneficiaries—an additional direct cost to the plan.
Third-party damages
The second camp where costs may arise comes from claims of damages by a third party. In this case, a participant or beneficiary whose private information was released may seek to be “made whole” from the consequences of a breach. Most commonly, these costs result from someone bringing suit against the trust fund and/or its trustees alleging they were harmed by the breach. Costs for such suits involve attorney’s fees, court costs, and potential damages payable to the third party.
What does insurance cover?
A plan’s fiduciary liability policy may offer partial coverage for some costs associated with data breaches. Fiduciary liability insurance offers financial protection of fiduciaries against legal liability arising out of their role as fiduciaries, including the cost of defending those claims that seek to establish such liability. Most fiduciary liability policies cover third-party claims against a trust fund for a data breach where the claim alleges negligence on the part of the trust fund’s fiduciaries. However, they likely do not cover the direct costs to the fund of managing and responding to a data breach.
Who pays the rest?
Unfortunately, that still leaves the costs of investigating, managing, and responding to a data breach as uncovered costs. This is where cyber-liability insurance comes into play. Cyber-liability insurance should cover:
Trustees should review current insurance contracts with their service providers to determine where potential liability for a cyber breach lies as well as review current insurance policies to ascertain whether both direct and third-party legal costs are covered. Once a review is complete, trustees will be in a better position to evaluate whether the cost of cyber-liability insurance is justified by the potential liability exposure.
For additional information on any of the above, please contact Joye Blanscett in SMACNA’s Labor Relations Department.
Trustees should not construe these resources as legal advice and are urged to consult with their own fund counsel to determine whether any action is permissible or advisable.