Liability from exposure of private information is NOT covered by a General Liability policy. Specialized coverage must be secured through a Cyber Liability policy - or possibly endorsed onto an Errors & Omissions (E&O) or Directors & Officers (D&O) policy.
Thanks to the specialists at Professional Risk Solutions (http://www.prsbrokers.com/) for sending this information out to agents.
More states might follow suit in the future.
New Massachusetts ‘Personal Information and Privacy’ Law: 201 CMR 17.00
Effective March 1, 2010
Any company who maintains private, personal or confidential information on residents of
For any company that maintains records on residents of Massachusetts, we urge you to review:
· data security procedures and practices to make sure they comply with the new law
· insurance coverages and limits, including Cyber Liability and D&O
What the law says
Starting March 1, the new law requires that any company that holds personal information on Massachusetts residents, must abide by certain standards and practices to protect and store that information, and prevent it from ‘leaking out’ or being exposed to unauthorized persons.
The law apparently applies independently of other data security regulations. So even if a company complies with HIPAA regulations, for example, the new Massachusetts requirements still apply.
It doesn’t matter whether the company or organization is based in Massachusetts or not - - only that they hold personal or private information on residents of Massachusetts.
What’s the insurance and liability issue?
If a company failed to follow these established standards and security practices -- and customer records were ever exposed, whether maliciously or accidentally -- the company could possible be liable for action by the Massachusetts Attorney General. Or, consumers whose records or information were compromised could sue for damages. Having a stringent law ‘on the books’ about safeguards could conceivably strengthen their cases.
Kathleen O. Zortman
Professional Risk Solutions