Skip to Main Content
Services Talent Knowledge
Site Search


Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

February 2, 2017

Cybersecurity Insurance - Considerations for Health Care Providers, Higher Education Institutions and their Lenders

Protecting laptop and desktop computers, servers and mobile devices containing information of patients, students and employees from threats of loss, hacking, or theft is an increasing operational, business and legal challenge for health care providers and institutions of higher education.

As both the number and cost of data breaches have risen, health care providers and higher education institutions should be cognizant of the fact that there is a permanent organizational cost to addressing these matters. Proactive steps – including relatively simple steps such as data mapping, conducting data security assessments, establishing incident response teams, creating appropriate policies and practices, and performing employee training – can help decrease these costs in the long run and better prepare your organization for the occurrence of a data breach. This is not a problem that is going away and the more an organization is able to do up front to prepare, the better the chance is that it will be able to manage the financial and other costs of a data breach event.

Cyber liability insurance coverage is one strategy to manage risk associated with a data breach. In the context of claims arising from a data breach event, the majority of courts in the United States addressing this issue have held that such claims generally will not be covered under a standard general liability insurance policy.

Cyber liability insurance has become readily available. Current policies can provide a variety of coverages including emergency response to identify and stop a breach; notification costs to comply with statutes or regulations (based on number of affected persons) and defense costs of regulatory investigations. Insurance coverage can vary widely in terms of what is covered in the event of a data breach, so it is important to ensure that any coverage obtained suits the risks and concerns of each individual organization.

For example, a breach may trigger notice to regulators but also a requirement of notification to the persons whose information was breached and in some instances, notice to all persons whose information is in the possession of the organization. Notification may require hiring consultants. Notification costs can be significant. If an organization has a properly structured cyber liability insurance, the policy may cover some or all of these costs. However, cyber liability policies vary. Some policies may only provide coverage for costs and fees incurred in relation to a regulatory investigation or civil lawsuit, and may not cover costs relating to items such as notification requirements or the response to and investigation of the actual data breach. An organization should assess its operations and procedures and the potential impacts and internal and external costs of a data breach event in order to properly structure insurance coverage.

As the incidence of data breaches becomes more widespread and costs increase, we expect that lenders will give heightened attention to evaluating the data security policies and procedures and the financial and operational wherewithal of their borrowers to prevent, manage and withstand breaches.
If you have any questions about the firm's Cybersecurity service offerings or the Insurance Coverage & Regulation  Practice Area, please feel free to call or e-mail Nicholas DiCesare at 716-566-1524 or or Mark T. Whitford Jr. at 585-295-4449 or

Featured Media


NYS Department of Health Publishes Amended Proposed Cybersecurity Regulations for Hospitals


FTC Noncompete Rule Survives—For Now


New York Trial Court Finds Uber Is Not Vicariously Liable for Driver's Negligence


ERISA Forfeiture Lawsuits: Navigating the Emerging Legal Landscape


EU Leads the Way on Artificial Intelligence Regulation


End of An Era: SCOTUS Overturns Chevron After 40 Years of Deference to Administrative Agencies

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out