1 January 1970 | Analysis

US data protection: under close scrutiny

Captive insurance companies are increasingly being used to insure risks that involve the collection, maintenance, use and transmission of sensitive personal information of claimants and insureds. Many captives issue lines of insurance, such as workers’ compensation and medical malpractice, that involve obtaining personal information. Some captives are now adding ‘cyber’ risk to the lines for which they provide coverage. In taking on such risks, captives assume additional exposure to breaches of their own data as well as that of their insureds.

When it comes to handling the personal information of individuals, Bermuda-based captives are probably accustomed to complying with Bermuda’s Electronic Transactions Act, 1999 (ETA) and even the EU Privacy Directive and EU limitations on cross-border transfer of personal information. When handling personal information pertaining to US citizens or residents, however, whether they be claimants, insureds or even employees, captives must be mindful of the potential applicability and effect of US privacy and data security laws and regulations, both federal and state.

US data protection regulations

Many US states have enacted laws governing the protection of ‘personally identifiable information’ or the personal information (PI) of individuals, and most mandate the steps that a company must take in response to a breach of PI (including notice to individuals whose PI was accessed). While statutes vary somewhat as to what constitutes protected PI, most provide that an individual’s name plus social security number or financial account information are PI, and some include health information as well. Federal regulations mandating the security of PI can also come into play. Regulations of financial institutions can include insurance entities within their scope. Furthermore, when the health information of individuals is involved, federal legislation specifically directed at protecting the health information of individuals imposes very strict requirements on the security, transmission and storage of personal health information (PHI), and on the notification of breaches of that information.

These federal and state laws and regulations can expose even an offshore captive to US regulatory requirements and associated fines and penalties for noncompliance, particularly captives which, while they may not be on US territory, have parents or affiliates located in the US and within the reach of US regulators.

The potential reach of US regulation

A Bermuda captive that processes or stores PI or PHI of US citizens or residents should be aware that US federal and state data security laws and regulations can apply even if it accesses US data only remotely, as well as when the data are physically transferred offshore. Although it is not clear whether US government agencies would have the legal ability to penalise offshore companies for violations, US authorities could pursue an action against a US-based parent or affiliate of an offshore captive that suffers a data breach or otherwise violates US data security or data privacy laws and regulations. Moreover, if the parent of the captive is a US publicly traded corporation, a data breach incident involving the captive may trigger an obligation, under US securities law, to disclose that as a material matter in its public filings.

Protection for health information

Many lines of insurance involve the collection and transmission of individuals’ health information, whether it be workers’ compensation or medical malpractice, or general liability insurance that inevitably includes claims of bodily injury and related medical information. Captives that collect health information of individuals, or that provide cyber risk coverage to entities that collect such information, should be aware of the data security and notice requirements of federal statutes such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its extension by the Health Information Technology for Economic and Clinical Health (HITECH) Act to entities that can include captives.

The US Department of Health and Human Services (HHS) issued a privacy rule governing the use and disclosure of PHI by entities that are subject to HIPAA, and a security rule that sets forth required security standards for protecting PHI that is stored and transmitted electronically. Security standards include having written security procedures and protocols, physical safeguards (limitations on physical access to hardware, media, and software containing PHI), and technical safeguards (protective controls for information systems and networks).

While HIPAA initially applied only to health plans, providers, and health care clearinghouses, in 2009 HITECH extended the requirements of the privacy and security rules to ‘business associates’ of HIPAA-covered entities. The term business associate is broadly defined and includes brokers, agents, third party administrators, and other parties that provide services to a covered entity that entail the use or disclosure of PHI.

HITECH also substantially increased the potential civil and criminal penalties that could be imposed by federal agencies charged with its enforcement, and gave limited enforcement power to the Attorneys General of the individual states. This means that if an offshore captive were to suffer a data breach involving the PHI of residents of a particular state, an affiliate of the captive that is based in that state could be vulnerable to an enforcement action brought by the state, as well as one brought by the federal government.

HITECH also mandated that rules be promulgated requiring HIPAA-covered entities and their business associates to notify consumers when the security of their health information has been breached. Under the current rule, covered entities, whether located inside or outside the US, must notify individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed following a breach of that unsecured PHI. Covered entities must also notify the media and HHS by specific means set forth in the rule. The rule also requires that business associates who become aware of a breach must notify the HIPAA-covered entity of the breach.

Federal regulation of insurers as financial institutions

Some insurance entities may be subject to regulations governing ‘financial institutions’, a term that can be broadly applied. Offshore entities should be aware of the potential applicability of the federal Gramm-Leach-Bliley Act (GLBA) and other US financial regulations. GLBA includes both data requirements and security rules as to how individuals’ PI may be used and disclosed, and requires the creation of a written information security plan spelling out how PI is protected.

State regulation

Most US states and territories have data protection laws that require notice to individuals whose personal information has been subject to a data breach, and often also require notice to various regulators and law enforcement. The notice requirements can differ, however, as to content and procedure. Some expressly provide that they apply whenever there is a breach of PI of their residents, regardless of the location of the entity that was breached. For example, the Massachusetts data security regulation applies to any company, regardless of type, size or location, that possesses the PI of Massachusetts residents.

Thus, upon the occurrence of a data breach an initial, and major, task is to identify which jurisdiction or jurisdictions’ requirements apply. A breach often involves residents of many different states, and sometimes of different countries, particularly when the breach is of a large computer database.

The potential costs and financial exposures

The financial costs of a data breach can be substantial. Costs for a single typical breach are generally estimated to exceed $1 million, including the forensic costs to investigate the breach, legal counsel to advise on required responses, notification costs, response to regulatory investigations, defence of third-party claims by individuals and entities adversely affected by the breach and, often, regulatory fines and settlements with claimants. When the indirect costs of loss of reputation and business, lost time addressing the breach, remediation of the breached system, and business disruption are included, the effective costs can be multiplied.

Data breaches that trigger these costs can result from something as simple as a lost laptop or disgruntled employee, or as complex as a sophisticated malware attack generated by an international criminal hacking ring.

The lines of insurance potentially exposed

While captives themselves are subject to data breaches, captives may not be aware that many of the lines of insurance they issue may be subject to demands for coverage of claims arising from a data breach sustained by their insureds. Some captives have issued cyber risk policies expressly designed to insure costs incurred by insureds that have sustained a data breach. However, more traditional lines of insurance have been the subject of requests for coverage of claims asserted against a breached insured, including requests under general liability policies and professional liability policies. While the success of most types of claims has yet to be fully tested in coverage litigation, captives should consider the likelihood of such claims and their response to such requests for coverage in assessing their exposures.

Practical considerations

While the exposure of captives to data breaches of their systems, and that of their insureds, is substantial, most studies of breaches indicate that the risk can be substantially reduced by minimal to moderate security precautions, ranging from electronic systems protection and the training of employees, to reducing the collection, retention and transmission of information that is unnecessary for the functions of the captive.

Thus, to reduce its exposure, a captive insurer that deals with the information of US residents (or provides insurance coverage for data breaches to other entities) should pay attention to its policies and practices (and those of its insureds) for data collection and use. Good data security practices can minimise not only the risk of a breach, but also the risks of regulatory fines and successful third party claims, should a breach occur.

Eric Fader and Laurie Kamaiko are members of the Privacy and Data Protection Group at Edwards Wildman Palmer LLP’s New York office.