Ariz. Admin. Code § 2-10-110

Current through Register Vol. 30, No. 24, June 14, 2024
Section R2-10-110 - [Effective 7/6/2024] Cyber Breach Coverage and Limitations
A. To meet the requirement of A.R.S. § 41-621(A), the Arizona Department of Administration shall provide insurance for all the following:
1. Investigation, response and crisis management for data breaches, security system breaches or security incidents.
2. Data restoration.
3. Business interruption and extra expense.
4. Network security liability.
5. Privacy liability.
6. Regulatory defense and associated fines and penalties if not prohibited by law.
7. Media content liability.
8. Payment Card Industry Data Security Standards defense and associated fines and penalties if not prohibited by law.
9. Investigation of a security incident.
10. Other exposures where insurance may be required to protect this state and its departments, agencies, boards and commissions to the extent it is determined necessary and in the best interest of the state.
B. The Director of the Department of Administration shall determine which agencies will be afforded coverage or limited coverage as prescribed in A.R.S. § 41-621(A). The Director may consider any of the following circumstances in denying or limiting coverage to selected agencies, boards, commissions and any such other insured:
1. An agency, board, or commission specifically requests exclusion from coverage. If the Director of the Department of Administration grants such an exclusion from coverage, then this exclusion shall include an exclusion from any self-insurance provided by ADOA Risk Management and any excess insurance that ADOA Risk Management may have purchased.
2. Securing coverage for a specific agency, board, or commission will prejudice the Department's ability to secure coverage for other state agencies, boards and commissions.
C. Notwithstanding R2-10-106, a deductible shall be applied for each occurrence covered by the Department as provided for in A.R.S. § 41-621(F). For agencies with a total appropriated and non-appropriated budget of less than $2 million, a per occurrence deductible of 5% of the total appropriated and non-appropriated budget shall apply. A deductible of $100,000 per occurrence shall apply to all other agencies. If the Director determines that an agency, board, or commission has one or more of the following circumstances, the deductible as calculated in this section shall be double:
1. For failure to timely report as prescribed in R2-10-102(A)(4),
2. For failure to produce timely underwriting information when requested by the Department,
3. For failure to act timely on a known security issue,
4. For failure to cooperate with the Arizona Department of Administration information technology security team,
5. For failure to seek Risk Management approval to indemnify or limit a contractor's liability for losses as prescribed in R2-10-301(B), or
6. For any other action or non-action that prejudiced the Department in securing insurance, increased insurance costs, limited insurance coverage, or exposed the state to increased exposure as provided for in A.R.S. § 41-621(F).

Ariz. Admin. Code § R2-10-110

New Section made by final rulemaking at 30 A.A.R. 1941, effective 7/6/2024.