Most cyber policies provide robust cover for losses and costs associated with data breaches.
This usually means a hack or malware attack resulting in the loss, theft or corruption of business-sensitive information or personal data.
If organizations collect data without getting the appropriate consent, they may be collecting it wrongfully.
If they use data for a purpose that wasn’t intended, that may be misuse.
Unlike a typical data breach, no one hacks into an IT system or holds a company to ransom.
Wrongful collection or misuse of data usually results from the organisation’s own practices, or those of its data-sharing partners.
Cyber policies typically respond well to privacy events resulting from hacks and introduction of malware.
“Cyber policies typically respond well to privacy events resulting from hacks and introduction of malware.”
Robert Barberi | Director, FINEX Cybersecurity and Professional Risk, WTW
However, some policies will require a clear, affirmative coverage extension to cover wrongful use or wrongful collection of data.
In the current hard market, insurers are tending to pull back from such broad wordings, and are more likely to adopt a conservative approach to new areas of cover rather than innovate.
The pandemic has accelerated the digitalisation of care.
Leading data jurisdictions, such as the EU and California, already have strict rules governing how data is collected, shared and used.
While others have weaker protections, public pressure is growing as a result of recent scandals and whistleblower revelations.
People are often willing for their health data to be shared for medical research, but may be less inclined to give their permission if they believe that companies are likely to make a profit from the work.
Other potential concerns include:
The General Data Privacy Regulation (GDPR)1, which came into force in 2018, imposes strict duties on organizations to gather personal data legally, with express consent, and protect it from misuse and exploitation.
The California Consumer Privacy Act (2018)2 creates the strictest data protection regime in the U.S.; data can only be collected for strictly limited purposes, with informed consent.
Brazil’s Lei Geral de Proteção de Dados3, which came into effect in 2020, is Latin America’s first major data protection law; people must be informed of the purpose their data is collected for.
Have you got the appropriate consent?
Providers should engage with patients transparently and explain what patients are consenting to, how their data will be used, and how it will flow through systems and on to partner organizations.
“Providers should engage with patients transparently and explain what patients are consenting to, how their data will be used, and how it will flow through systems and on to partner organizations.”
Kirsten Beasley | Head of Healthcare Broking, North America
WTW
Don’t dodge this because the consequences can be severe if people find their data is being used for purposes they didn’t understand.
Explaining things properly can also have a positive effect in helping patients understand the benefits they may receive as a result of the data use.
The GDPR standards of consent provide a good framework to consider. Article 4 of GDPR4 defines consent as:
Could the data be re-identified?
In many jurisdictions, express consent is not required for data sharing if the data is de-identified.
“There is increasing concern that some data can be re-identified by cross-checking with other data sources.”
Robert Barberi | Director, FINEX Cybersecurity and Professional Risk, WTW
However, there is increasing concern that some data can be re-identified by cross-checking with other data sources, including some that are publicly-available.
The legality of re-identification is not yet clear, which reinforces the need to avoid exposure to the risk by getting express, transparent consent as described above.
What governance measures do you have in place?
Some organizations may be unaware of potential wrongful collection or misuse.
For example, they might have obtained consent but it might not be adequate for the purpose or they may not fully understand how their partners plan to use patient data.
It’s important that organizations get on top of this and make sure they have strong controls and checks in place.
With the increasing digitalization of healthcare, we’re likely to see greater interest from regulators and the public in potential wrongful collection and misuse of patient data.
High profile cases have shown the potential for large-scale privacy infringements and claims.
But there’s a gap between the risks and the cover offered by most cyber insurance.
We need cyber policies that can respond and offer some protection to healthcare providers engaged in the collection, processing and sharing of data.
Given the pronounced losses that could result from claims alleging wrongful collection or wrongful use of data, it’s imperative that healthcare organizations pursue the broadest possible wording on their cyber policies.
WTW offers insurance-related services through its appropriately licensed and authorised companies in each country in which WTW operates. For further authorisation and regulatory details about our WTW legal entities, operating in your country, please refer to our WTW website. It is a regulatory requirement for us to consider our local licensing requirements.
Willis Towers Watson Insurances (Ireland) Limited, trading as Willis Towers Watson is regulated by the Central Bank of Ireland. Registered in Ireland number 78812.
1 General Data Protection Regulation (GDPR) Compliance Guidelines
2 California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General
3 ANPD — Português (Brasil)
4 Article 4 GDPR. Definitions
