Organizations face a plethora of regulations governing IT and data storage practices. In a constantly changing regulatory environment, it is often difficult for organizations to keep up with new requirements. When regulators find that an organization has violated one of these rules, they can assess large fines that severely impact corporate balance sheets. Regulatory liability coverage steps in to soften the blow and cover those expenses, including any associated legal fees.

Trends in Cyber Regulation

Government bodies at both the federal and state levels have started rolling out stringent regulations regarding cybersecurity practices, especially pertaining to data storage. We expect the pace at which this kind of regulation is introduced to increase as regulators take a more active role in protecting citizens online.

At the federal level, regulatory agencies such as the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have publicly stated that they intend to make cybersecurity compliance a priority in their examinations and enforcement. At the state level, legislatures have begun introducing data security provisions to protect their residents. For example, California passed the California Consumer Privacy Act (CCPA), one of the most extensive data protection regulations in the country.

Governments outside the United States are taking notice as well. Just a few years ago, the European Union introduced the General Data Protection Regulation (GDPR), and China has started cracking down on corporate data practices domestically. As the regulatory environment gets more complex, regulatory liability coverage is becoming more important.

Case Study: A Deep Dive into HIPAA

Most people have heard of HIPAA, the Health Insurance Portability and Accountability Act: the set of rules governing individually identifiable health information, intended to protect patient privacy and prevent fraud and abuse. Among other things, it requires covered entities (health plans, healthcare clearinghouses, and healthcare providers such as hospitals and physician practices) to:

1. Secure Protected Health Information (PHI)

2. Ensure that PHI is disclosed only to authorized, intended recipients

HIPAA is enforced by the Department of Health and Human Services' Office for Civil Rights (OCR), which handles civil penalties, and by the Department of Justice (DOJ), which prosecutes criminal violations. Civil penalties fall into four tiers, applied per violation, depending on the level of culpability as determined by OCR.

Tier 1: The covered entity was unaware of the HIPAA violation and could not reasonably have known about it

$100 - $50,000 per violation

$25,000 maximum per year

Tier 2: The covered entity knew about, or should have known about, the HIPAA violation

$1,000 - $50,000 per violation

$100,000 maximum per year

Tier 3: Willful neglect of HIPAA rules, with corrective action taken within 30 days of discovery

$10,000 - $50,000 per violation

$250,000 maximum per year

Tier 4: Willful neglect of HIPAA rules, with no corrective action taken within 30 days of discovery

$50,000 per violation

$1,500,000 maximum per year

Note: The penalty tiers are defined in the Health Information Technology for Economic and Clinical Health (HITECH) Act; the dollar amounts are adjusted annually for inflation.

OCR reports that it is currently investigating 838 potential HIPAA violations reported within the last 24 months. Walgreens, for example, is under investigation for five separate documented breaches since 2019, affecting 105,111 patients in total. If the maximum annual penalty were applied for each year, the cost to Walgreens could exceed five million dollars.

How does Regulatory Liability Coverage Differ from Privacy Liability?

The primary difference between regulatory liability and privacy liability coverage is the nature of the plaintiff. For regulatory liability to apply, the plaintiff must be a government body. For privacy liability, the plaintiff is typically a private person or entity. Both coverages are important because a single data breach can produce claims from both private parties and government agencies. For example, after a HIPAA violation, a medical facility would likely need both to pay damages to affected patients and to cover a civil penalty assessed by OCR.

Example Regulatory Liability Claim

HIPAA violation: A doctor's office fails to provide the mandatory HIPAA privacy notice to its patients for a year after hiring a new administrator. During that time, the office was regularly sharing patient information with health insurance providers and pharmacies. After a brief investigation, OCR assessed a $35,000 penalty at Tier 2, on the basis that the office should have known about the lapse (the amount fits within that tier's annual cap). The office was covered by a cyber policy: after its $2,500 retention (deductible), the insurance carrier stepped in and covered the rest of the bill.

Regulatory Incidents in the News

EHR snooping leads to criminal HIPAA violation charges in New York

WhatsApp updates privacy policy after record €225m fine

FTC warns health apps must notify users about data breaches or face fines
