Like a shadow, you may have noticed the phrase at the left following you more and more with every contract/negotiation that takes place with clients and prospects alike. And with each contract signed or agreement amended, your business continues to cast a larger shadow of liability.
Whether or not you have seen this language as of yet, you need to be prepared, because the way you do business has changed and others have begun to expect you to accept this provision. By not addressing this now, you can imagine that one of two things will happen: You may be denied the business and find your competition eating your lunch or, should you accept, you will only continue to adversely add to your shadow.
How important is it to address this now? Well, thanks to the revision of several state and federal laws and acts, the issues of privacy liability and accountability have been forced into the spotlight, which now feels more like an interrogation light shining on your company. With your clients counting on you for your valuable document management services (be it storage, shredding, imaging, consulting, etc.), you can rest assured that they too will be holding you liable should a problem occur.
Does all of this professional and privacy liability talk have you confused, concerned, aggravated or all of the above? If so, fear not, as there is important information to know and a way you can protect yourself from a potentially devastating fallout from a professional liability claim or privacy breach.
YOUR NEW ROLE
First, it helps to wade through the legal jargon to establish your role and, effectively, your liability in all of this. In recent months, the most commonly used term has been "business associate" (BA). With the HITECH (Health Information Technology for Economic and Clinical Health) Act’s revision and expansion of the HIPAA (Health Insurance Portability and Accountability Act) guidelines and penalties now including BAs and not just the "covered entity" (CE), your liability, should you be providing services to a CE in the medical industry, has increased as well (up to $1.5 million in civil fines). While that change is alarming enough, the consequent stream of privacy-related liabilities expanded by way of legislation and the enforcement provisions contained therein has only added fuel to the fire.
The way this is shaping up, whether you are signing BA addendums or officially establishing the CE-BA relationship with your clients, your liability exists. We strongly caution our clients and prospects to look at the big picture. The most dangerous thing you can do is to assume you have no liability because it is nowhere in writing. From case law review and our involvement with liability related claims across many industries and many insurance liability policies, the most dangerous thing you can do is assume. Taking the proverbial ostrich maneuver and sticking your head in the sand is setting your company up for disaster.
At this point, whether you are servicing the medical sector, financial sector, legal sector or any other business or industry where the documents you are managing contain personally identifiable information, you have liability exposure, both professional and privacy-related. What is the difference between the two?
LIABILITY ISSUES
Professional liability is meant to encompass any number of evils, but in the document management arena, there are several examples. Keep in mind, this coverage is meant to provide protection, including legal defense—a key element—should there be any error or omission in the professional services as defined in the policy form. The policy definition of covered professional services is critical. The most common claims come from lost or damaged records or destruction related malfeasance (untimely destruction, lack of destruction, misleading consulting for destruction cycles, etc.). These claims may or may not involve privacy related issues, but they often do, so it is critical to include the privacy breach coverage element in a professional liability policy.
Privacy liability is a provision in an insurance policy that expands coverage to include an error or omission resulting in a privacy breach or violation of privacy law/regulation. Again, this is a critical component and it requires further scrutiny to be sure the coverage is structured properly because the devil is in the details. With privacy liability policies, you want to be absolutely sure that you have coverage included for notification and credit monitoring. These safety protocols are laid out in the enforcement section of just about every piece of legislation with a privacy element. If personally identifiable information is released, the regulations demand notification and monitoring. Pre-HITECH, this would have fallen on the CE, but now, as a BA, you’re just as responsible as the CE in the case of a breach.
We would argue, regardless of the HITECH Act, you were and are responsible. Let’s be honest: If there was a breach, and the CE had to pay for the notification and monitoring, it would have done so but likely would have sued you for third-party damages. Regardless of the verdict, you would have been forced to pay for your defense out of pocket, so it was a potential lose-lose situation. Now, with the clarification, this liability is clearly on the CE and BA. All the CEs are looking to do with the BA addendum is to further clarify the shift in liability to you, the BA.
PROFESSIONAL PROTECTIONS
The major sticking point on the shift is that, until recently, you weren’t able to procure insurance coverage with first-party notification and credit monitoring included in it. That meant that even if you were responsible and accepted that responsibility, your coverage, assuming you bought it, couldn’t be enacted until a claim for third-party damages was levied against you. The CE would have to pay for the notification and monitoring and then bring a claim against you for reimbursement, potentially exacerbating the entire situation. Having first-party coverage allows you to trigger the policy coverage in the event of a breach leading to the need for notification and monitoring, which will help you rectify the situation as you are required to do, hopefully for much less money than the third-party route (assuming an unhappy CE will affix some additional dollars to the claim just for the aggravation of having to pay first).
Admittedly, for years, the insurance industry has been unable to wrap its arms around the exposures you face and provide an intelligent way to protect you, mainly because few insurance carriers understood the risks. This basically left you to educate your broker or agent and spend considerable time learning insurance so you could read policy language and double check the broker’s or agent’s work.
Throughout the years, many document management firms have sought to purchase protection by way of professional liability insurance, A.K.A. errors and omissions. Think of this as malpractice coverage for the professional services you provide to clients. The major hurdle almost everyone faced was that because few insurance carriers understood your business, you were being sold a miscellaneous professional liability policy with no customization, which excluded several key coverage provisions you need for protection. Add to this situation the wildfire that is privacy liability and you’re possibly facing a terrible claim scenario with little or no coverage.
Within the past year, since all of these legislative expansions, a few insurance carriers now can provide you with the coverage you need for your exposure. The policies should include professional and privacy liability as well as notification and monitoring coverage and also should have the ability to provide high enough limits. Further, additional issues, such as coverage for regulatory and civil fines and penalties, rogue employees, crisis management/public relations expenses, bodily injury/property damage, how the carrier defends you and how the "hammer" clause is structured, require attention.
While businesses and government on various levels are all concerned with the privacy liability issue, one thing seems certain: It is here to stay. Given the nature of the documents you are managing for customers, you have liability exposure whether you like it or not. Now more than ever, it’s important for you to take a look at your shadow and see just how big it truly is.
You can be certain that your customers will continue to try to remove themselves from the chain of liability and shift the majority of it to you, so it’s important for you to protect yourself with the right insurance policy.
Oswald Logistics Insurance is a specialized group of insurance professionals providing customized insurance protection to the records and information management industry. For more information, contact Brian Jungeberg at (440) 260-1002, Bryan Ice at (440) 260-1024 or Bryan Paulozzi at (440) 260-1030. They can also be e-mailed directly at b3@oswaldcompanies.com.