This is the first in a small series on some key reasons why written policy and procedure documentation is important to your small business or medical or dental practice, no matter how small you may be.
Later posts in this little (and somewhat randomly scheduled) series will focus on more obvious non-compliance reasons for writing down your full operating policies and procedures. But hopefully we can come at even those subjects from a slightly different angle than you might normally see.
For this first “But why?” post, we wanted to focus on a reason that wouldn’t normally rank among the top factors that motivate a busy entrepreneur or healthcare professional to write everything down, but one that is just starting to become “a thing” where even small businesses are concerned: cyber insurance (also known by a number of potentially confusing and sometimes misused terms including “cybersecurity insurance”, “privacy insurance”, “cyber liability insurance”, or “data breach insurance”).
For simplicity and to use the broadest general term, we will mostly use “cyber insurance” here for the rest of this post. But just know that cyber insurance can come in lots of flavors. The International Risk Management Institute (IRMI) has this glossary of insurance terms entry that can be a good start to looking at the differences.
Few of the smallest businesses that I commonly work with have purchased this insurance yet, but it is quickly becoming more popular, especially with data-intensive businesses and those facing clear and strong information protection rules, such as HIPAA-regulated healthcare entities and even their business associates.
Using Your Small Business Policies and Procedures to Influence Costs

For most insurance you may be able to influence premiums a bit by having good policies and procedures, whether written down or not. In cybersecurity insurance, premiums tend to be high, but your influence over costs can be more significant—at least for now. As the National Association of Insurance Commissioners (NAIC) indicates:
Most businesses are familiar with their commercial insurance policies providing general liability coverage to protect the business from injury or property damage. However, most standard commercial lines policies do not cover many of the cyber risks mentioned above. To cover these unique cyber risks through insurance requires the purchase of a special cyber liability policy. However, cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data. Insurers compensate by relying on qualitative assessments of an applicant’s risk management procedures and risk culture.
There are many insurance and risk management guides that offer tips and best practices relating your business operations to these kinds of risk management procedures, and that in turn help define what your risk culture is. The NAIC has great information that you can find from the link provided above.
When you look at such guides and consider using the risk management tips and tools they describe, it’s not hard to see how much easier it would be to execute those business tips and manage those tools if you document what you expect your people to do and how you expect them to behave where your risks are concerned.
You might do this through an employee handbook. And many of the tools and tips that don’t explicitly mention writing anything down (such as recommendations to have an employee compliance training program) only really work by using some form of documentation to direct the work and to keep track of the work that is being done. If you approach that kind of policy and procedure writing correctly, it also means you have the documents available for other purposes in your business.
Knowing Your Business’s Compliance Terrain

For whatever business you’re in, you probably already know the biggest regulations that govern what a business like yours is supposed to do. Right?
If you're a dentist or mental health counselor or home health care agency, you already know that HIPAA requires you, among many other things, to have written security policies and procedures and to do a regular risk assessment of not only your technology systems but your business. If you handle credit cards, you know that the PCI DSS (the Payment Card Industry Data Security Standard) requires that you have a specific compliance program to govern what you do with the personal and payment information that flows through your business. And in both cases, you have to have documentation to show what your policies and procedures are and to prove that you run your compliance program as you should and as you say you do.
Now consider a less obvious use case: If you are a daycare provider, you probably know what your state and local rules are for delivering that care and conducting your business so that the state judges you to be safe. But you may not have a lot of knowledge about other areas that also can impact your business (like the state data breach laws that apply to you or how CAN-SPAM regulates your email marketing). And though most daycare centers aren’t going to be on the leading edge of buying cyber insurance right now, there is likely to be a time in the not-too-distant future when it’s a more routine consideration. And this time will come sooner for those daycare providers that like to use technology to enhance their caregiving services (such as parent portals and online monitoring services, online payment processing, and text-messaging communications). But for more data- and technology-intensive businesses, such insurance is already becoming more common.
What If You Don’t Have Written Policies and Procedures?

When it comes time to purchase cybersecurity insurance, odds are that you will be expected to have a defined compliance program that includes comprehensive written privacy and security policies and procedures.
What happens when you don't have them written down? With some insurers you might not qualify for the insurance policy you’re seeking. And if you were simply asked on the application whether you have written policies and procedures and the insurer doesn't require you to produce documentation up front, and you do get a policy based on checking a box, if you ever seek coverage for an incident, you may have to produce the documentation and do so immediately. Right in the middle of your ransomware attack. Or data breach. Or flooded out offices with ruined computers. Or some other time like those when you will REALLY NOT have the time to deal with the documentation.
Here’s a perfect, recent healthcare example from a Lexology article written by Vandeventer Black attorney, Jonathan Gallo:
In a case still pending, Columbia Casualty Co. v. Cottage Health System No. 2:16-cv-03759 (C.D. Cal. Complaint Filed May 31, 2016), an insurer (Columbia) filed suit seeking to deny coverage under the cyber liability policy it issued to Cottage Health System (Cottage). Cottage, which operates a network of hospitals, suffered a data breach in 2013 in which the confidential electronic medical records of approximately 32,500 of its patients stored on its servers were made available to the public on the Internet.

Columbia argues, among other things, that coverage is barred based on the policy’s “Failure to Follow Minimum Required Practices” exclusion that precludes coverage for the “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application...” as well as the policy’s “Minimum Required Practices” condition which provides that, as a condition precedent to coverage, Cottage warranted that it would “maintain all risk controls” identified in its application. Columbia also claims that the policy should be rescinded because Cottage’s responses to its application contained misrepresentations and/or omissions of material fact upon which Columbia relied when issuing the policy.
Write Now. While They’re Working the Kinks Out. And While Things Are “Quiet” for You.

The lack of actuarial data from the short lifespan of cybersecurity insurance, the difficulty of understanding the constantly changing nature of technology, and the evolving nature of the cybersecurity threats businesses face will all affect these kinds of insurance products for several years to come. The subjectivity involved in pricing means you may influence your insurance premium costs now and for at least a few years. But the newness and untested nature of the products can also mean you might face challenges when making a claim (such as deeper demands for information and greater demands on your time), even if you’ve done everything right, simply because there may be a legitimate lack of full understanding and agreement about what triggers the claim.
Here’s a related example that involves “cyber” activities but also a longstanding form of insurance coverage. Rather than seeking coverage under a cyber insurance policy, this company tried to make a claim under the “computer fraud” section of its “traditional crime policy”:
The U.S. Court of Appeals for the Sixth Circuit will consider the issue of whether computer fraud coverage under a traditional crime policy extends to a loss sustained by a manufacturer that was tricked into wiring payments to email fraudsters posing as one of the manufacturer’s overseas vendors.

ATC filed a claim under its Travelers crime policy, which provided computer fraud coverage for any “direct loss” that was “directly caused” by “Computer Fraud” — defined in part as “[t]he use of any computer to fraudulently cause a transfer.”

Travelers countered that ATC’s loss did not constitute computer fraud because a computer was not used to fraudulently cause the transfers. In order to trigger the policy’s computer fraud coverage, Travelers wrote, “a computer must fraudulently cause the transfer. It is not sufficient to simply use a computer and have a transfer that is fraudulent.” In the present scenario, a computer did not fraudulently cause any transfer. “ATC simply received an email communication that provided it with false information. Rather than use a computer to fraudulently cause a transfer, the third party merely used a computer to provide ATC with false information more quickly than it could through the United States mail.” Further, Travelers argued, even if there was computer fraud, it did not directly cause any loss in light of “the numerous intervening events” between the allegedly fraudulent emails and the wire transfers.
Though this example doesn’t show a fault in cyber insurance products, it does help show how technology changes faster than the things designed to deal with technology risks (whether that’s insurance or regulations). When that crime policy was written, it seems the biggest technology concern was the actual act of someone hacking in from outside and making your computer system directly send your money to them. “Social engineering” in the context of “spoofing”, “phishing”, and “business email fraud” schemes probably wasn’t yet a thing. And at the time, I doubt that either the insurer or the insured had ever heard of “ransomware”.
The other thing this case points out is that this company is probably going to be buying an actual cyber insurance policy or three now, no matter which way this case goes in the end. And I imagine they will be investing some money in their employee training program and developing some detailed employee policies to prevent falling victim to phishing, spoofing, and other social engineering risks before they do.
Beyond the Policy – Protecting Your Business in Other Ways

Your cyber insurance company more than likely will require you to have a working, written information security and data protection program and to affirm that you do before they issue you a policy. And if you already have any kind of cyber security or cyber liability insurance policy, you have probably already said that you do. By managing your own risks as best you can, by having a clear operations manual, employee handbook, and/or other policies and procedures document(s), and by being able to give your insurer documents that tell them how you do things and make it clear that your people understand your policies and how to do things as well, you will also be doing yourself and your business a favor in the long run.
As this type of insurance has become more common over the last ten years or so, I commonly hear people in larger institutions say “We’re not worried about a data breach. We have data breach insurance. And it covers identity theft and credit monitoring for customers.” Larger corporations and healthcare systems probably have a very precise risk management function that works its magic (or is it voodoo?) to give them that sense of ease (and of course they also have some kind of compliance policies and procedures written down). I won’t get into what I think of that approach (again, now, here) except to say that it’s a key part of why Cover Compliance exists, and for that I am at least thankful for my experience in large multinational corporate data protection and compliance programs.
Many cyber insurance products may try to address “reputation risk”, but can they really? For a very small business, where you tend to see your customers face-to-face? Even if you buy the type of cyber insurance policy that covers loss of business, having a good operations manual and, even better, a real business continuity/disaster recovery plan as a part of that manual can help you avoid risks in the first place. And on the back end, during post-incident response, a business continuity plan may be the critical piece of documentation that saves your business by helping you get back to some semblance of normal operations before it’s too late to recover.
Always Helping You See Things Differently

Across the Cover Compliance web site, you’ll find our constant emphasis on the importance of policies and procedures in written form as the foundation of your compliance program, even in the smallest businesses and healthcare practices.
We will always emphasize this idea, but as you encounter newer content here and more of our opinions and tips on LinkedIn and other social media, you will also find that we resist the urge to preach the obvious: that you should do XYZ because you are supposed to comply with HIPAA or the PCI DSS, or because you’re supposed to comply with some other more mundane state law or local ordinance that applies to your business, whether you are a salon, restaurant, or even a food truck. When we do focus explicitly on “you must comply with…” evangelism, we’ll try to keep it brief. And that focus will be on pointing out specific areas that tend to be overlooked (such as how even very small retail businesses are expected to comply with the PCI DSS).
Our goal IS to help you with developing policies and procedures for your small business to keep you out of trouble with whoever your regulators are, but our goal is also to get you to want to do this work by helping you see all the other ways that your compliance manual can help you run your business more effectively and maybe even put you ahead of your competition. If you ever have questions about our content or concerns about how well we are doing in that effort, please connect with us and let us know: