Cyber security and privacy liability policy

The policy covers damages and claims expenses that the university is obligated to pay because of an actual or alleged privacy breach, confidentiality breach, security breach or online media activity.

Privacy and confidentiality breach liability coverage

All damages and claims expenses that the university becomes obliged to pay as a result of any claim made against the university (including a lawsuit or regulatory action) for an alleged:

  • privacy breach; or
  • confidentiality breach.

Security breach liability coverage

All damages and claims expenses that the university becomes obliged to pay as a result of any claim made against the university (including a lawsuit or regulatory action) for an alleged security breach resulting in any covered loss.

Breach notice response services coverage

This may include expenses associated with any of the following:

  • breach notice legal and forensic expenses;
  • breach notice fulfillment services;
  • credit monitoring services;
  • identity restoration services; and/or
  • call center services.

Breach notice legal and forensic expenses may include:

  • fees incurred for the services of a third-party computer forensics professional to conduct an investigation to identify whether notification-triggering data containing personally identifiable information was accessed by an unauthorized person as a result of a covered privacy breach; and
  • attorney fees for outside counsel to determine whether any breach notice laws apply and what obligations those laws impose, and to assist the university in complying with them, including but not limited to drafting notice letters to impacted individuals.

Online media liability coverage

Any claim made against the university for an alleged online media activity resulting in a media hazard may be covered.

Conditions of coverage

Coverage is dependent upon the existence of, and adherence to, the security protocols outlined in Budget & Finance Bulletin IS-3 - Electronic Information Security (pdf) or any local procedures not in conflict with BFB IS-3 that have been implemented for critical systems. At a minimum, the following conditions must be in place for coverage to apply:

  1. maintain anti-virus and malware prevention solutions, including in student/dormitory settings, on any computer that is part of the university computer system, and update the protection at regular intervals and no less than once every 30 days;
  2. maintain firewalls on any computer that is part of the university computer system and connected to the internet;
  3. take reasonable security precautions when processing, storing, or transmitting credit card payment data or personally identifiable information;
  4. maintain, update and enforce written policies for information security, privacy, business continuity/disaster recovery and third-party vendors;
  5. employ qualified information technology and network security representatives at each campus who will implement and maintain campus information technology, physical and network security policy;
  6. ensure scan testing is performed at least quarterly against all internet-facing servers of each campus. Such testing should be provided by NetDiligence or another provider agreed between the university and the insurer;
  7. test SQL-based web applications for their ability to resist SQL injection attacks, through secure coding review and/or application-level scanning with AppScan or WebInspect products;
  8. ensure encryption is in place for data at rest, at a minimum for student personally identifiable information (within production databases, file servers and backup tapes);
  9. ensure laptops are encrypted: any employee laptop holding sensitive non-public data has whole-disk encryption in place;
  10. mandate encryption of, and/or enforce a prohibition on storing, sensitive PII (personally identifiable information) or PHI (protected health information) on mobile USB devices;
  11. maintain and implement an ongoing patch management process to ensure timely patching of existing network systems and servers, as well as hardening of any new servers that are deployed;
  12. deploy an intrusion detection platform, implement and maintain a process to receive real-time alerts of suspected intrusions, and ensure a process exists to manually review the applicability of those alerts and act upon them in a timely manner;
  13. ensure a change management process is in place that periodically reviews the access rights and credentials of anyone able to log on to campus servers, and that terminates those rights when needed;
  14. ensure segregation and isolation of servers holding or transmitting PII/PHI, via additional firewalling, from the rest of the campus production and student networks;
  15. maintain user account provisioning with strong role-based assignments, password composition and change rules, effective termination procedures and periodic stale-account reviews;
  16. maintain an incident reporting and response program that enables prompt escalation and management response for events reported by students, faculty and staff;
  17. ensure that a computer asset map is maintained that details network operations and assets owned, and identifies which servers house sensitive private data or personally identifiable information for students and alumni.
An independent third-party assessor (e.g., NetDiligence) will review the security processes of the campus/department and provide:

  • certification (at inception) of whether the security processes of the campus/department have been adequately implemented; and/or
  • confirmation (in the event of a loss) that the security processes were still in place and adequately maintained at the time the loss occurred.

If the relevant campus/department/agent fails these assessments, coverage will either not incept or, for a loss that has already occurred, will be declined or materially reduced.
