A recently discovered “hidden” disclaimer in the Federal Health Insurance Exchange website will have licensed insurance agents thinking twice about writing business on any federal or state-run exchange…

According to a recent article published by The Weekly Standard, a privacy threat disclaimer lies hidden in the federal exchange website’s source code and is not visible in the site’s Terms and Conditions page. The privacy disclaimer can be seen only if the user views the web page’s source code. The disclaimer reads as follows:

“You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system. At any time, and for any lawful Government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system. Any communication or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose.”

Combined with the fact that the Department of Health requires all licensed insurance agents to electronically sign “hold harmless” agreements between the broker and the federal (or state-run) exchange, this creates a new exposure for licensed insurance producers wanting to write health insurance business through government-run exchanges: Cyber Liability. In theory, this means that if an insurance agent were to write a health policy for a consumer through a government-run exchange website, and sensitive information about the applicant were compromised through an exchange website’s vulnerability, or as part of a willful act by the US government (as indicated by the hidden exchange disclaimer), the agent could be held liable (in part) for the data compromise per HIPAA 2.0 laws.

While many insurance agents already have general liability (G/L) policies in force, many do not, especially those that operate in a sole proprietor capacity. In addition, those that DO have G/L policies in force may not have endorsed “Cyber Liability” coverage on the policy, which protects the agent against data theft. It is important to understand that Errors & Omissions (E&O) insurance will not respond to losses involving data theft claims against the agent.

Logically, one would “think” that an insurance agent could not possibly be held liable for data theft claims due to an exchange website flaw in a court of law. But when you consider the US government grants the NSA access to any data that passes through an exchange website, or that gets stored in a government-controlled database, it’s quite possible the only protection an insurance agent will have against data theft losses is to have the proper cyber liability coverage in force.

Life & Health insurance agents seeking to protect themselves against data theft exposures should contact a P&C insurance broker, who can help them establish general liability insurance with the proper cyber liability coverage endorsement.