Aon report outlines challenges in providing cyber liability cover for educational institutions

Developing insurance solutions for cyber liability in educational settings is challenging because the exchange of information in such settings is expected to be accessible and yet secure and private, an Aon Professional Risk Services White Paper notes.
“An overriding challenge that educational institutions face when dealing with privacy and security risks continues to be the fundamental conflict between a culture that values an unfettered exchange of ideas, and the security and privacy of sensitive or private information,” says the paper, entitled Cyber Liability & Higher Education.
The paper notes that in 2007, educational institutions were responsible for 25% of all reported data breaches in the United States; in 2008, they accounted for 33% of U.S. data breaches.
In Canada, as reported in the Toronto Sun on Feb. 24, Ryerson University in Toronto recently notified 588 students by letter and e-mail yesterday that an “isolated software error” may have allowed other students to gain access to their name, gender, SIN, date of birth, student number, and mailing and email addresses.
The school installed a software patch to address the matter in January and the school’s privacy co-ordinator is quoted in the Sun as expressing confidence that “no misuse of personal information has happened.”
Aon’s White Paper observes that 30% of all reported breaches are attributable to external partners, consultants, outsourcers and contractors. It is therefore critical to determine the boundaries of liability when information is shared with others for business purposes, the paper says.
Aon notes insurance coverage for data breaches can come from three different forms of policies:
•    security and privacy liability insurance (also known as cyber liability or network risk policies);
•    general liability and property policies (exclusions to these policies are now more common, Aon notes, as many general liability carriers now often standalone security policies); and
•    other insurance policies, which include policies that provide cover for commercial crime, data processing, computer fraud, kidnap and ransom (i.e. threatening to post breached data onto the Internet).
These other insurance policies were not originally intended to cover data security breaches, and so there may be significant coverage gaps in each, Aon cautions.