A recent settlement filed by the Federal Trade Commission (FTC) and GoodRx may merit a review of your cyber insurance coverages. Earlier this month, the FTC took enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug provider, GoodRx, for failing to notify consumers of its unauthorized disclosures of personal health information.
As detailed in a February 27 Hunton client alert, the Health Breach Notification Rule generally requires that vendors of personal health records that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of personal health records.
According to the FTC complaint, GoodRx is subject to the Rule as a vendor of personal health records. GoodRx—a provider of services that allegedly allows individuals to compare prescription pricing at nearby pharmacies on its mobile application or on its website—“integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App,” which collected and sent personal data to third parties for “advertising, data analytics, or other business services.” Under a proposed order filed by the Department of Justice on behalf of the FTC, GoodRx will pay a $1.5 million civil penalty for its violation and be prohibited from sharing user health data with third parties for advertising purposes. GoodRx denies any wrongdoing and stated that it agreed to the settlement to avoid a costly legal battle.
Hunton partner Phyllis Marcus, who works on FTC compliance cases, commented that, “While some have said they would have wanted a higher penalty, this cost sets the bar for future [FTC] actions.” But the FTC’s unprecedented use of the Health Breach Notification Rule also highlights the need for policyholders who gather personal information for consumer transactions, for marketing purposes or as part of their core business model to ensure that their risk management plan includes a cyber policy that covers regulatory investigations and actions such as the one initiated against GoodRx.
With regulators such as the FTC increasing cybersecurity enforcement, regulatory defense coverage is increasingly important. Enforcement actions can result from failures to secure data (including employee information), improper data collection practices, failure to disclose a data breach, or deceptive privacy practices. A comprehensive cyber policy covers attorneys’ fees and costs associated with formal regulatory or administrative investigations, including any that result in penalties or fines. However, policyholders should be aware of the terms of their policies.
For example, not all policies expressly cover regulatory fines that federal or state regulators may impose for a company’s violation of a privacy statute where no underlying cyber incident occurred. Instead, some policies link reimbursement to the existence of a breach and its documentation. With the adoption of more federal and state laws on cybersecurity, however, some insurers are starting to offer cyber coverage that includes a “compliance” element. This is important because regulatory fines could present significant costs for a policyholder.
As another example, some cyber insurance policies exclude coverage for claims arising out of unauthorized data collection practices or alleging violations of collection, use and disclosure practices not reflected in the company’s privacy policy. Ensuring that the company’s privacy policies and opt-in and opt-out practices are accurate and transparent can be challenging. Companies collecting consumer data must understand the technologies used on their websites and in their mobile applications and ensure that their privacy policies accurately reflect their collection, use and disclosure of such information using those technologies, or risk an insurance coverage denial. According to the FTC’s complaint, GoodRx shared sensitive personal health information for years with advertising companies, contrary to the promises made in GoodRx’s privacy policies. Among other violations, the FTC alleged that GoodRx failed to report the unauthorized disclosures, as required under the Health Breach Notification Rule. The failure to properly disclose information sharing practices in a privacy policy could not only violate the FTC Act and lead to an investigation and enforcement action, but also preclude coverage under a cyber insurance policy for regulatory investigations and third-party claims.
Today, the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for businesses of all sizes. Not all cyber insurance policies are created equal, so having experienced coverage counsel to help you find a policy that suits your business needs when the policy is negotiated, and to understand your obligations under the policy to maximize insurance recovery, can help you avoid issues after a claim arises.