Aon | Professional Services Practice
Release Date: June 2022
How Many Records Do We Have?
Professional Service Firms and PII / PHI Records
Why Insurers Want to Know About PII Record Counts
Insurers are increasingly asking for Personally Identifiable Information (PII) and Personal Health Information (PHI) record counts as part of the underwriting process and it is important for insureds to have made a good faith effort to identify the number of records and provide a reasoned and defensible estimate of the exposure.
Insurers want to understand the record count from the perspective of the costs that will be incurred (and that they will be reimbursing) as the result of a breach. This means providing a count not only of employee data, but of PII and PHI records entrusted to the firm by clients.
Costs per record for statutory notifications and associated services are substantial, so it is an exposure and potential cost that insurers need to understand, given the large number of records typically held by professional service firms.
For insurance purposes the exposure is primarily driven by statutory requirements, the costs of which are increased by the impact of complying with specific obligations in multiple states and foreign jurisdictions, plus the legal advice required to handle those appropriately. There is also the possibility of fines and penalties from the regulators in those jurisdictions, Health Insurance Portability and Accountability Act (HIPAA) fines and penalties for a breach of PHI and litigation from individuals whose data was breached.
The costs associated with breaches of PII and PHI are increasing as data privacy legislation and regulatory attention focuses on the issue with increasingly onerous obligations and the potential for fines, penalties and litigation from the individuals whose data was compromised.
Definition of PII / PHI
There is no single, uniform definition of what constitutes a PII “record” as the interpretation will depend on the laws in the applicable jurisdictions. Among the broader statutory definitions are those of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Furthermore, regulatory definitions are not static. For example, the CCPA exemption for employee information is set to expire January 1, 2023, and if not extended, employee data will become subject to California’s statutory damages for a subject data breach.
The definition of PHI in the USA is governed by HIPAA, specifically the HIPAA Privacy Rule.
Typical Costs Associated with Breaches of PII/PHI
There is very little public information that identifies the specific costs associated with breaches of PII. Certain public entities have reported costs and have broken down the different elements relating to this exposure, which does provide some insight.
Using figures in the public domain (for instance those reported by municipalities) major incidents involving loss of large quantities of PII cost in the region of $5 - $10 per record not including ransom payments and loss of revenue.
An accurate count of the number of PII/PHI records held in computer systems is challenging. A single document may contain zero PII records and a single spreadsheet may contain thousands, so a document count alone is not going to provide an accurate number.
Employees will be a source of both PII and PHI (the latter arising from the administration of Health & Benefits plans). Employee PHI may relate to employees and their dependents / family members in the health plan, plus historical records.
Employee data is relatively easy to count as it is structured for tracking and compliance purposes. Nonetheless, it is important to recognize that the count includes not just active employees as records may be retained on many others, including:
- Past employees / retirees & family members
- Job applicants
- Temporary and contract workers
Many of these individuals will migrate to other jurisdictions over time, adding to the complications and cost of tracking and complying with all the applicable statutory requirements, as well as opening the door to multiple regulatory investigations.
Establishing an estimate of the number of individual records is considerably more challenging for PII acquired through the firm’s business.
Professional service firm practice areas that typically show high PII counts include:
- M&A and restructuring
- Trusts & Estates
- Mass Tort Litigation
The records associated with certain types of client or specific projects can add substantially to the total while adding variability over short time periods (eDiscovery projects associated with M&A / restructuring or litigation for example, in which individual engagements can involve very large PII/PHI counts).
A project to determine a precise count of PII records solely for insurance purposes is hard to justify from a return on investment perspective, but there are benefits to conducting such an exercise; not least the increasing cadence of clients requiring that their professional advisers have a data classification protocol in place.
For firms that are not contemplating a major data classification exercise, there are options to calculate a reasonable approximation for insurance purposes, with data that may be more accessible.
Firms can derive an understanding of PII/PHI counts by adopting a multi-pronged approach that leverages the management and policy elements of a GDPR/CCPA analysis, coupled with the use of available automated tools to both validate findings and uncover unexpected sources of PII.
Investigation should span practices, geographical locations, and roles from senior management down to line-level employees to provide a true perspective of all data locations, not just those in active use.
Data discovery tools can search unstructured information sources such as share drives, email repositories, and collaborative tools for sources of PII/PHI even if the user or relevant workgroups are unaware of their existence. The tools can be deployed in a limited “sampling” fashion and expanded to refine the investigation.
With these data mappings and workflows in hand, the organization is better positioned both to assess its PII counts based on actual inventories and data sampling from user files, enterprise applications, and repositories. Furthermore, the firm will then be prepared to remediate any issues by classifying data, enforcing rules and policies, dispositioning obsolete data, and appropriately protecting data that is found to be in incorrect or unauthorized locations.
An Important Issue for Insurers
There is no easy solution to the challenge of declaring an accurate record count to insurers. It is incumbent on the insured to represent to insurers as accurately as possible the extent of the exposure so that underwriters can rate for it accordingly.
It is important to recognize that a material understatement of the number of records could allow the insurer to invoke policy terms that might limit or deny payment of a claim.
Achieving an accurate count of PII/PHI records is unquestionably a substantial challenge, particularly as the intake and removal of records (for instance with M&A, restructuring or mass tort litigation projects) may lead to substantial variations in record count from one month to the next.
The goal is to develop a reasoned and rational basis for estimating the number of records for insurers; as suggested above this may involve data sampling and making weighted estimates based on practice areas, record retention and the cadence of matters that give rise to large record counts. This will enable the firm to show insurers that good faith due diligence has been undertaken to present a reasonable representation of the exposure for rating purposes. It will also allow the firm to assess the impact that the exposure might have on the limit of indemnity and adjust accordingly.