A recent settlement filed by the Federal Trade Commission (FTC) and GoodRx may merit a review of your cyber insurance coverages. Earlier this month, the FTC took enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug provider, GoodRx, for failing to notify consumers of its unauthorized disclosures of personal health information.
As detailed in a February 27 Hunton client alert, the Health Breach Notification Rule generally requires that vendors of personal health records that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of personal health records.
According to the FTC complaint, GoodRx—a provider of services that allegedly allows individuals to compare prescription pricing at nearby pharmacies on its mobile application or on its website—is subject to the Rule as a vendor of personal health records. The complaint alleges that GoodRx “integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App,” which collected and sent personal data to third parties for “advertising, data analytics, or other business services.” In a proposed order filed by the Department of Justice on behalf of the FTC, GoodRx will pay a $1.5 million civil penalty for its violation and be prohibited from sharing user health data with third parties for advertising purposes. GoodRx denies any wrongdoing and stated that it agreed to the settlement to avoid a costly legal battle.
Hunton partner Phyllis Marcus, who works on FTC compliance cases, commented that, “While some have said they would have wanted a higher penalty, this cost sets the bar for future [FTC] actions.” But the FTC’s unprecedented use of the Health Breach Notification Rule also highlights the need for policyholders who gather personal information for consumer transactions, marketing purposes or as part of their core business model to ensure that their risk management plan includes a cyber policy that covers regulatory investigations and actions such as the one initiated against GoodRx.
With regulators such as the FTC increasing cybersecurity enforcement, regulatory defense coverage is increasingly important. Enforcement actions can result from failures to secure data (including employee information), improper data collection practices, failure to disclose a data breach or deceptive privacy practices. A comprehensive cyber policy covers attorneys’ fees and costs associated with formal regulatory or administrative investigations, including any that result in penalties or fines. However, policyholders should be aware of the terms of their policies.
For example, not all policies expressly cover regulatory fines that federal or state regulators may impose for a company’s violation of a privacy statute where no underlying cyber incident occurred. Instead, some policies link reimbursement to the existence of a breach and its documentation. With the adoption of more federal and state laws on cybersecurity, however, some insurers are starting to offer cyber coverage that includes a “compliance” element. This is important because regulatory fines could present significant costs for a policyholder.
Today, the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for businesses of all sizes. Not all cyber insurance policies are created equal. Experienced coverage counsel can help you find a policy that suits your business needs when the policy is negotiated, and can help you understand your obligations under the policy so as to maximize insurance recovery and avoid issues after a claim arises.