CYBER CORNER

MAJOR HOSPITAL SYSTEM HIT BY CYBERATTACK

Healthcare organizations have recently become a frequent target for cyberattacks, resulting in breaches of patients’ health information and other personally identifiable information. Earlier this month, a major hospital system was hit by a cyber breach that disrupted its clinical operations and prompted notification to the system’s business partners to disconnect from its network.

The hospital system quickly employed the services of a leading cyber security firm to investigate the breach and determine what information may have been leaked because of the attack. As the investigation continues, the hospital system and its employees have limited access to computer records, including, but not limited to, labs, medical records, and order requests. Although employees are trained for this type of system outage, they must process medical records on paper, which makes the entire process more cumbersome and negatively impacts patient care. While still accepting patients, the hospital system has been diverting those in non-critical condition to other hospitals due to this network outage.

As healthcare organizations continue to be affected by cyberattacks, it is important that they are equipped to deal with such contingencies. Potential business partners of these major hospital systems should revisit their cyber insurance coverage and confirm whether they have “dependent” or “contingent” business interruption coverage for events like this, where business partners are required to disconnect from networks and are unable to conduct their day-to-day operations properly or efficiently.

CYBER POLICY CORRECTLY OFFSETS PORTION OF NORMAL OPERATING EXPENSES

Heritage Co. v. Hudson Excess Ins. Co., 2024 U.S. Dist. LEXIS 91714 (E.D. Ark.; May 22, 2024).

Applying Arkansas law, a federal court determined a cyber carrier correctly offset expenses paid when calculating the business interruption loss stemming from a ransomware attack against its insured. The attack disrupted the telemarketer’s business for months and the company sought recovery for lost profits during the interruption, as well as ongoing overhead expenses, payroll, and administrative costs.

The cyber policy provided coverage for “Business Income Loss and Extra Expenses incurred during the Interruption Period directly as a result of the total, or partial, or intermittent interruption or degradation in service. . . .” Business Income Loss included “the net profit before income taxes that the Insured is prevented from earning during the Interruption Period” and “normal operating expenses incurred by the Insured (including payroll), but solely to the extent that such operating expenses must continue during the Interruption Period and would have been incurred had there been no interruption or degradation in service.” Extra Expenses included “extra costs incurred by the Insured to temporarily continue as nearly normal as practicable in the conduct of the Insured’s business during the Interruption Period, less any value remaining at the end of the Interruption Period for property or services obtained in connection with such costs.”

Under Arkansas law, net profit is defined as the profit left after payment of necessary expenses; the policy therefore covered the profits lost because of the attack, namely “any lost profit incurred during the Interruption Period resulting from a covered loss as if the loss had not occurred.” In Arkansas, business interruption insurance protects prospective earnings; however, the coverage is not intended to place the insured in a better position than if no loss or interruption of the business had occurred.

The court determined that the correct methodology for determining covered Business Income Loss was to subtract from covered “normal operating expenses” those that the company was able to pay from revenue, however limited, it received during the Interruption Period. “To the extent the company was able to pay these expenses, they did not constitute a loss,” the court reasoned. “Therefore, to recover for them would place the company in a better position than it would have been had there been no interruption in business.”

COLORADO ENACTS FIRST IN THE NATION LAW GOVERNING THE USE OF AI

The Colorado Artificial Intelligence Act (CAIA), signed into law on May 17, 2024, is a landmark piece of legislation in the United States. It establishes the first comprehensive legal framework for governing artificial intelligence (AI) systems. The CAIA focuses on preventing algorithmic discrimination, a growing concern as AI is increasingly used in critical decision-making processes like loan approvals, employment screening, and healthcare. The CAIA outlines specific requirements for developers and deployers of high-risk AI systems, requiring them to implement measures to mitigate potential biases and ensure fairness in their algorithms. Some key aspects of the CAIA include:

  • Duty to Avoid Algorithmic Discrimination: The CAIA imposes a duty on developers and deployers of high-risk AI to take reasonable steps to prevent algorithmic discrimination, including detecting bias in training data and algorithms and ensuring fair and transparent decision-making processes.
  • Risk Management and Transparency: The CAIA requires developers to provide deployers with information about the AI system, including its capabilities and limitations, to enable proper risk assessment and mitigation strategies.
  • Impact Assessment: Deployers are responsible for conducting impact assessments to evaluate potential biases in the AI system before deploying it.
  • Enforcement and Compliance: The CAIA empowers the Colorado Attorney General to investigate potential violations and enforce CAIA’s provisions.

The CAIA sets a benchmark for other states and the federal government to consider when crafting similar legislation. While critics have raised concerns about the potential burdens on businesses, the CAIA has sparked a national conversation about the need for AI regulation and the importance of building trust in AI technologies.

Insurance Implications: Because the use of artificial intelligence creates risks that go beyond the scope of Cyber insurance, other forms of coverage may come into play as well. This is clear from the drafting of the CAIA, which places such an emphasis on discrimination. Employment Practices Liability policies frequently offer coverage for non-employment related actions in which the civil rights of third parties are alleged to have been violated. These types of actions typically involve aggrieved customers, but they can involve complaints from vendors as well. This is important because claims of discrimination are typically excluded from Cyber insurance policies.

Less apparent is the professional liability, or E&O, exposure that could arise from this statute. The CAIA requires that the developers of AI provide disclosures to their end users around the intended use of the model, what data was used to train it, and the known and foreseeable risks of deploying it. It’s easy to imagine a claim in which the end user goes back to the developer and alleges that the disclosures provided were inadequate and led to some financial loss or liability on the part of the end user. As of now, only the Colorado AG can bring an action under the CAIA, but its requirements could establish a standard of care that plaintiffs could use in the future.