Data Hosting: A New Venture with New Risks
Hospitals and health care organizations are more frequently hosting data or back-up data at off-site data locations. While segregating data by hosting data off site is generally an advisable risk management strategy, hospitals have also entered arrangements to host data for third parties (including other hospitals). This practice may leave the hosting hospital exposed to unanticipated liability if the third parties’ data is breached, lost or destroyed.
There are many different types of data “hosting” arrangements, including the following:
- The hosting site leases space at its location to the third party (similar to any other landlord-tenant relationship); the third party is responsible for securing and maintaining the data stored in the leased space and purchasing and maintaining all equipment.
- The hosting site leases both the space and the equipment to the third party; there is no co-mingling of data and the third party is responsible for securing and maintaining the data stored in the leased space and maintaining the equipment.
- The hosting site provides space, equipment and IT consultation to the third party; however, data remains independent.
- The hosting site provides complete managed data hosting, including space, equipment and consultation; data may reside on the same servers or in the same space. All of the above.
When hospitals or other organizations enter any type of hosting arrangement, they need to carefully consider the agreement language and closely examine their insurance policies. First, the parties entering such agreements should spell out the responsibilities of each party in detail. Next, the parties need to consider who is liable if something were to go wrong. For example, what happens if a server goes down or there is a utility interruption? What if a virus spreads from the hosting site’s data to the third-party data? Who is responsible for backup/recovery services? Last, the parties need to manage these exposures and, when possible, insure against their effects. Accordingly, the agreements should specify how exposures will be managed and the type(s) of insurance each party is obligated to carry.
While the hosting hospital may have cyber liability coverage, generally such cyber coverage will only cover the hospital for loss of its own data. Depending on the nature of the hosting arrangement, the hosting hospital may need to purchase additional technology business insurance, such as a Technology Errors and Omissions (E&O) policy. Technology E&O professional liability insurance protects an organization if the third party storing data alleges that the hosting site is responsible for technological errors or failed to perform as stated in the agreement.
Technology E&O insurance is often confused with cyber insurance or privacy insurance. While this type of professional liability insurance has previously been reserved for IT companies, when a non-IT company such as a hospital takes on responsibilities such as data hosting, it becomes a target for IT-related claims. Most general commercial policies or traditional cyber insurance policies will not cover programming errors, security breach of third-party information, or third-party data loss. Technology E&O policies generally cover liability and property loss to a third party resulting from (1) an act or omission committed in the course of the insured’s performance of services for the third party or (2) failure of an insured’s product to perform as intended or expected. Note that many of these policies will contain stipulations that a minimum level of risk controls be in place. Hosting data may provide additional revenue to the organization; however, the risk control obligations can create significant challenges for an organization that does not typically perform this type of service.
Not all risks can be covered by insurance. It is important to understand the definitions of products and services in the policy and any exclusions. Exclusions in these types of policies are many and varied, so each party needs to understand both coverage and exclusions. Many insurance agents are unfamiliar with advising insureds about this emerging risk. The parties should seek out expert advisors who will identify the risk issues and knowledgeably compare coverage options.
Torri Criger, JD