Any person or business that, in the ordinary course of its business functions, owns, licenses, or maintains personal information on employees, clients, or other third parties is subject to various regulatory and contractual requirements. If you or your business collects, transfers, and/or transacts private personal information, you are required to protect those individuals' personally identifiable information (PII) and protected health information (PHI).
PII, as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person, or that can be used with other sources to uniquely identify a single individual. This may include a first or last name in combination with:
- Social Security number
- Driver’s license number
- Financial account number
- Credit, debit, or payment card coupled with an access code or password
PHI is any information, whether oral or recorded in any form or medium that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse.
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Data breaches are an increasingly common event and pose a tremendous risk in light of a company’s exposure to PII and PHI. Depending on the size of a data breach and the particular state notification requirements, a breach can result in costly litigation and can require a public relations or crisis management firm to manage the situation. Depending on the size of the breach, notification expenses may include the cost of letterhead, postage, call centers, and credit monitoring for the affected individuals. There is also the risk of regulatory fines and penalties.
What can you do in the meantime? Encrypt all confidential data, be sure your company is in compliance with all federal and state privacy laws, and contact Fox/Everett about insurance protection against this exposure. Privacy/Cyber Liability coverage is available, which can provide coverage for both third-party liability (including regulatory fines, penalties, and defense costs) and first-party expenses.