Insurance Coverage for Data Breaches and Privacy Violations: Are Your Corporate Clients Adequately Protected?
Evaluating and Determining Coverage Under CGL, D&O, E&O and Specialty Cyber Policies
Live 90-minute webinar with interactive Q&A, Tuesday, May 19, 2015, 1pm Eastern (12pm Central, 11am Mountain, 10am Pacific)
Faculty: Roberta D. Anderson, Partner, K&L Gates, Pittsburgh; Joshua A. Mooney, Partner, White and Williams, Philadelphia; William T. Um, Policyholder Counsel, Hunton & Williams, Los Angeles
Source: media.straffordpub.com/products/insurance-coverage-for... (posted 2015-05-18; continuing education credits for CLE)
Transcript
SEC CYBERSECURITY
“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the 'certain other coverage' that may reduce your exposure to Data Breach losses.”
-- SEC staff comment on Target Corp. Form 10-K (March 2014)
“We note your disclosure that an unauthorized party was able to gain access to your computer network 'in a prior fiscal year.' So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”
-- SEC staff comment on Alion Science and Technology Corp. Form S-1 filing (March 2014)
“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of directors' risk oversight responsibilities . . . . Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
-- Luis Aguilar, SEC Commissioner, speech given at the NYSE, June 10, 2014
FTC CYBERSECURITY
Presenters: William T. Um, Hunton & Williams; Joshua Mooney, White and Williams
TRENDS IN DATA BREACH LITIGATION AND LIABILITIES
Speed of lawsuit filings after breach notification
Plaintiffs' continuing struggle to allege compensable damages (standing issues)
“Fear of identity theft” as a potential damage claim
Class certification issues
Statutory violations as potential damages
New types of claims beyond claims against financial institutions and retailers
A growth area for lawyers?
TARGET – a watershed moment for executives
Consumer and derivative class action lawsuits
Target 2014 earnings report: net expense $145 million; gross expense $191 million; insurance receivables $46 million
“I don’t see how they’re getting out of this for under a billion, over time.”
-- John Kindervag, V.P. and Principal Analyst, Forrester Research
THE TARGET SETTLEMENTS
Class actions by consumers and employees: increased risk of identity theft and credit monitoring costs; loss of value of PII; statutory claims (e.g., California's Customer Records Act (CCRA) and Confidentiality of Medical Information Act (CoMIA)); invasion of privacy; negligence; state unfair trade practices acts
Financial institutions: Target settles with MasterCard for $18 million
Non-financial-institution/retailer actions: theft of trade secrets/intellectual property
Expanding Regulatory Scrutiny
FTC: In re Wyndham Hotels
SEC: materiality for disclosures
FCC: In re TerraCom, Inc. (FCC exercising its regulatory authority over a telecommunications carrier)
Defense Strategies: Article III Standing
To have standing, a plaintiff must allege:
Injury in fact: an injury that is concrete and particularized, and actual or imminent rather than conjectural or hypothetical; and
Causation: the alleged injury must be fairly traceable to the breach.
Actual Injury
Forgiven or reimbursed fraudulent charges are not actual injuries. Galaria v. Nationwide Mut. Ins. Co.
A threat or increased risk of identity theft is not an actual injury. In re Science Applications Int’l Corp. (SAIC)
Imminent Injury
Increased risk of identity theft is not enough.
“[Plaintiffs] claim that they are 9.5 times more likely than the average person to become victims of identity theft. That increased risk, they maintain, in and of itself confers standing. But as Clapper makes clear, that is not true. The degree by which the risk of harm has increased is irrelevant — instead, the question is whether the harm is certainly impending.”
-- In re Science Applications Int’l Corp.
Imminent Injury
Even risk with a “rational” fear is not enough.
“[I]t is reasonable to fear the worst in the wake of such a [data] theft, and it is understandably frustrating to know that the safety of your most personal information could be in danger. The Supreme Court, however, has held that an ‘objectively reasonable likelihood’ of harm is not enough to create standing . . . Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.”
-- In re Science Applications Int’l Corp.
Imminent Injury
The cost of credit-monitoring services, alone, is not enough.
“The cost of guarding against a risk is an injury sufficient to confer standing only if the underlying harm the plaintiff is seeking to avoid is itself a cognizable Article III injury.”
-- Remijas v. The Neiman Marcus Group LLC
Imminent Injury
Concrete and particularized injury: was the PII targeted?
“Not only did the hackers deliberately target Adobe's servers, but Plaintiffs allege that the hackers used Adobe's own systems to decrypt customer credit card numbers. ... Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused.”
-- In re Adobe Sys., Inc. Privacy Litig.
Presenters: Joshua Mooney, White and Williams; Roberta Anderson, K&L Gates
COVERAGE A: “PROPERTY DAMAGE”
The standard CGL form defines “property damage” as:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.
Note that the standard ISO form goes on to state that, for the purposes of this insurance, electronic data is not tangible property.
Financial institution litigation: does the loss of use of credit/debit cards, and the need to replace them, constitute “property damage” under CGL policies?
COVERAGE B: “PERSONAL AND ADVERTISING INJURY”
Coverage B provides coverage for damages because of “personal and advertising injury.”
“Personal and advertising injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
COVERAGE B: “A PERSON’S RIGHT OF PRIVACY”
Some courts hold that “privacy” means both the right of secrecy (publicity to private life) and the right to be left alone (intrusion upon seclusion).
Some courts hold that “privacy” means only the right of secrecy and does not include the right to be left alone.
COVERAGE B: “PUBLICATION”
Courts interpret “publication” differently:
Some require dissemination to the public at large
Some merely require dissemination to a third party
Some do not require dissemination at all
Recall Total Information Management, Inc. v. Federal Ins. Co.
“Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.”
Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, L.L.C.
“Publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it. By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not ‘published’ until a customer takes the book off the shelf and reads it. . . . [This] does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.”
SONY CORP.
Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014)
Must the insured do the publishing?
Publication is akin to “Pandora’s box”
The phrase “in any manner” does not alter the meaning of “publication”
POTENTIAL LIMITATIONS
ISO, describing its 2014 data-breach exclusion endorsement for the CGL form, states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
COVERAGE UNDER OTHER “LEGACY” POLICIES
Directors' and Officers' (D&O)
Errors and Omissions (E&O)/Professional Liability
Employment Practices Liability (EPL)
Fiduciary Liability
Crime: Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and MasterCard under the computer fraud rider of its blanket crime policy)
Property
Commercial General Liability (CGL)
Presenter: Roberta Anderson, K&L Gates
REMEMBER THE SNOWFLAKE
THIRD-PARTY COVERAGE
• Privacy and Network Security
– Generally covers third-party liability arising from data breaches and other failures to protect confidential, protected information, as well as liability arising from security threats to networks, e.g., transmission of malicious code
– Questions:
– Coverage for the acts, errors, omissions of third parties, e.g., vendors?
– Coverage for data in the care, custody, control of third parties, e.g., cloud providers?
– Coverage for proliferating and expanding privacy laws/regulations?
– Coverage for data in any form, e.g., paper records?
– Coverage for confidential corporate data, e.g., third-party trade secrets?
– Coverage for “rogue” employees?
– Coverage for wrongful collection of data?
– Coverage for TCPA violations?
• Regulatory Liability
– Generally covers amounts payable in connection with administrative or regulatory investigations
– Questions:
– Coverage for fines and penalties?
– Coverage for consumer redress funds?
– Regulatory exclusion carve-backs?
– Sufficient sublimit?
• PCI-DSS Liability
– Generally covers amounts payable in connection with PCI demands for assessments, including contractual fines and penalties, for alleged non-compliance with the PCI Data Security Standard
• Media Liability
– Generally covers third-party liability arising from infringement of copyright and other intellectual property rights, and torts such as libel, slander, and defamation arising from the insured's media activities, e.g., broadcasting and advertising
– Questions:
– Coverage for “rogue” employees?
– Coverage for media content in any form, e.g., printed publications, or limited to digital media content?
– Coverage limited to certain locations of media content display, e.g., on the insured's website or social media sites?
– Coverage for liability arising out of the insured's own advertising activities?
– “Occurrence”-based or claims-made coverage?
– Appropriate for media companies?
DIC COVERAGE
• Third-Party Bodily Injury and Property Damage (~$100M)
Sample difference-in-conditions (DIC) policy language:
“[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:
A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or
B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission].”
AVOID THE TRAPS
Policy Examples 1, 2 and 3 [slide images comparing sample policy wording, not reproduced in the transcript]
Any member of the “Control Group,” e.g., CEO, CFO, RM, CRO, CIO, GC
Request a “Retroactive Date” of at least a year
BEWARE THE FINE PRINT
REMEMBER THE DEVIL IS IN THE DETAILS
UNDERSTAND AND COMMUNICATE YOUR EXPOSURE.
Presenter: William T. Um, Hunton & Williams
SPECIALTY “CYBER” POLICIES – FIRST PARTY
Information Asset Coverage: coverage for damage to or theft of the insured’s own systems and hardware; may also cover the cost of restoring or recreating stolen or corrupted data
Legal Fees: e.g., counsel for breach notification
Network Interruption and Extra Expense (and contingent business interruption, CBI): coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to or theft of information, and other security threats to networks
Extortion: coverage for losses resulting from extortion (payment of an extortionist’s demand to prevent network loss or implementation of a threat)
Crisis Management/Public Relations: costs to retain a PR/crisis management firm to protect and restore the policyholder’s reputation
Credit Monitoring/Call Center Expenses
TIPS FOR A SUCCESSFUL PLACEMENT
Each legacy policy has its own coverage issues
Different products are in the market
New insurance products can fill gaps
Evaluate the nature of the risks for which coverage is needed
Tailor policies to actual cyber operations and dependencies
Make cyber coverage part of the entire insurance program
FIRST COVERAGE DISPUTE INVOLVING A CYBER POLICY?
Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., District Court for the District of Utah (May 11, 2015)
“CyberFirst” policy
Held: no duty to defend the policyholder
Precedent setting? Sign of things to come?
OTHER EMERGING COVERAGE ISSUES
Appointment of defense counsel/forensics panel
The duty to cooperate
Misrepresentation/concealment in the underwriting
Retroactive date
Reimbursement of defense costs
Other insurance
Fraudulent or stretched claims
HYPOTHETICAL #1
A company with third-party cyber insurance, but not first-party insurance, suffers a data breach. The GC does not want to hire counsel or ascertain its notification