While I respect his opinions regarding cyber insurance underwriters generally, and the Beazley Breach Response offering in particular, I very much disagree with his conclusions in this post.

Mr. Bortnick implies that because my firm, ID Experts, provides data breach solutions to organizations, that our perspective is tainted and that we operate by advising our clients to adopt a data breach response strategy that is more costly than necessary. Honestly, I am offended by this assertion.

We have managed dozens and dozens of data breaches for many of the most prominent national healthcare providers in the US. We pride ourselves on our ability to work in tandem with our clients carefully assessing the unique and specific circumstances of every breach, and advising them in conjunction with their legal counsel on whether notification is warranted, how best to notify the relevant individuals and agencies, and communicate with and provide protection for affected patients. Our solutions are so broadly adopted by healthcare because our focus is to help our clients in managing the financial, legal, and reputational that they face with a privacy breach incident.

The lion’s share of costs in healthcare data breaches are in reputational damage, lost patients, litigation defense costs, and fines and penalties. An organization risks being “penny-wise but pound-foolish” in attempting to cut costs in systems or forensic analysis, or in communicating with and providing protection to their patients, in such instances.

Now on to Mr. Bortnick’s assertion that “Beazley, like other leading cyber insurers, provide a host of alternative offerings, such as credit monitoring, credit restoration services, healthcare record restoration services, legal services, public relations services and computer forensic services.” While I believe many other leading cyber insurers do allow their clients freedom and flexibility in handling data breach incidents, I do not think that is the case for Beazley.

Beazley, uniquely, has vertically integrated themselves by providing data breach services directly. Since my issue regards their fit for healthcare organizations, one way to think of it is that they are more like an HMO, while the other leading insurers use more like a PPO approach.

When a healthcare organization chooses Beazley Breach Response insurance, they relinquish their freedom in choosing advisers and providers that they are most comfortable with and understand their organization and industry best. They must use Beazleys. It is this underlying question of choice, and the related issue of control, that is at the root of this discussion.

When a healthcare organization has a breach, their privacy and compliance officials effectively cede “control” of key decisions to Beazley. There are cases where an organization wanted to provide affected patients with a healthcare-focused monitoring solution that was not offered by Beazley, and such a request was rejected. In our view, most large hospital systems, for instance, have very knowledgeable and capable officials in these roles. And they are steeped in their organizations patient-centric culture. They should have the freedom to select their advisers and service providers, and to ultimately have “control” to determine the most appropriate and effective strategy for addressing each data breach incident. I disagree with Mr. Bortnick that a healthcare privacy officer should effectively relinquish control and decision making for a significant breach response to their insurance company.

The typical data breach is regarded to cost is in excess of $200 per record. it is an open secret that some breach response vendors are taking advantage of these incidents either in the form of $800/hour attorneys or $50,000 forensic consultants. Kudos to the insurers for trying to get a handle on the situation and provide an efficient solution.

Everyone loves to bash the insurance industry. Yet obtaining the “highest quality services for the most reasonable costs” strikes me as exactly what insurance companies should be doing.

http://employease.wordpress.com/2011/07/04/facebook-and-social-media-saving-on-the-cost-of-a-private-investigator/

This leads to the chaos!