Insurance Coverage for Data Security Breaches
Evaluating Policy Options, Overcoming Coverage Challenges, Analyzing Litigation Trends
presents
Today's panel features:
Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C.
Joan D'Ambrosio, Partner, Clyde & Co., San Francisco
Joshua Gold, Shareholder, Anderson Kill & Olick, New York
Wednesday, October 21, 2009
The conference begins at: 1 pm Eastern, 12 pm Central, 11 am Mountain, 10 am Pacific
Insurance Coverage for Data Security Breaches
Evaluating Policy Options, Overcoming Coverage Challenges, Analyzing Litigation Trends
Presenter: Donna L. Wilson
(202) 342-8475
General Areas In Which Privacy and Data Security Litigation Erupts
- Data Security
- Data Use
- Data Collection
- Privacy Invasion
Legal Theories
- Common Law
  - Negligence
    - Duty, breach, injury, causation
  - Bailment
  - Invasion of Privacy
  - Breach of Contract
Legal Theories (cont’d)
- Statutory (State & Federal)
  - FACTA
  - FCRA
  - Song-Beverly Act (CA)
  - Data breach notification statutes
  - Others – Video Privacy Protection Act, Electronic
Data Security
The Good News
- To date, most cases have been unsuccessful, especially in the class action context and/or where plaintiffs have suffered no actual damages. See, e.g., Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007).
- Plaintiffs have been more successful in cases involving actual damages, especially cases involving an individual rather than a class. See, e.g., Kahle v. Litton Loan Serv’g LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007).
Data Security (cont’d)
The Bad News
- Theories are evolving, and arguably courts are beginning to recognize a duty to provide data security. See, e.g., Cobell v. Norton, 391 F.3d 251 (D.C. Cir. 2004).
- Privacy statutes, along with associational standards such as PCI, may make it easier for plaintiffs. Even though such statutes do not provide a private right of action, they arguably provide the standard
Data Security (cont’d)
The Bad News (cont’d)
- Compliance may not shield your company from litigation in the event of a security breach. See, e.g., Assner v. Hannaford Bros. Co., Case No. 2:08-cv-00095, complaint filed (D. Maine March 25, 2008) (class action against a grocery chain that was PCI compliant; alleges credit and debit card numbers and expiration dates were accessed during transmission of card authorization).
- Recent settlements in cases involving worst-case scenarios may only embolden plaintiffs’ lawyers.
Litigation Trends and Risk Avoidance
- Plaintiffs will continue to have difficulties making out a claim, especially in the class action context, except in two situations: (1) in cases of data breach where there is actual identity theft/damages; (2) under statutes that do not require actual damages and provide for civil penalties.
- In cases of data breach, expect more ancillary litigation between and among the companies suffering the breach and third parties such as credit card associations, issuers, vendors, etc.
Litigation Trends and Risk Avoidance
- As privacy-related statutes proliferate, especially on the state level, exercise care. Consult regularly with counsel to keep up to date with the latest developments, and better yet, work with your trade association and other organizations to ensure that your interests are safeguarded when well-intentioned but ultimately misdirected legislation is introduced.
Types of Coverage
- Comprehensive General Liability (“CGL”)
- Errors and Omissions (“E&O”)
- “Cyber-risk” (e.g. Network Security &
Case Law
Third-party “personal information” cases
- American Family Mutual Ins. Co. v. C.M.A. Mortgage Inc., No. 06-1044, 2008 U.S. Dist. LEXIS 30233 (S.D. Ind. Mar. 31, 2008).
- Netscape Comm. Corp. v. Federal Ins. Co., No. C06-00198, 2007 WL 2972924 (N.D. Cal. Oct. 10, 2007).
- Zurich American Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007).
- Whole Enchilada Inc. v. Travelers Property & Cas. Co.,
Case Law (cont’d)
Third-party “Invasion of Privacy” Claims
- See Am. States Ins. Co. v. Capital, 392 F.3d 939 (7th Cir. 2004).
- Resource Bankshares Corp. v. St. Paul Mercury, 407 F.3d 631 (4th Cir. 2005).
- Park Univ. v. Am. Cas. Co. of Reading, 442 F.3d 1239 (10th Cir. 2006).
Case Law (cont’d)
Third-party “property damage” claims
- America Online v. St. Paul Mercury, 347 F.3d 89 (4th Cir. 2003).
- State Auto Property & Casualty v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okl. 2001).
- Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46
How Can Corporate Policyholders Protect Themselves?
- Comprehensively evaluate the risk your company faces.
- Read and understand policies before paying the premium.
- Do not accept conventional wisdom, or what insurers or brokers say regarding coverage – “underwriting at the point of claim.”
- Examine all policies for potential coverage.
- Satisfy all obligations placed on the policyholder, e.g. provide
October 21, 2009
Insurance Coverage for Data Breaches
Joan N. D’Ambrosio, Clyde & Co US LLP
Insurance Coverage for Data Breaches
- Increasing sophistication and complexity of breaches
- Available coverage
  - First party privacy notification costs
  - Crisis management
  - Business information
  - Business interruption
  - Regulatory proceedings
  - Third party claims
  - Cyber extortion
- Common exclusions
- Policy requirements re business
Increasing Sophistication and Complexity of Breaches
- Increasing instances of
  - More sophisticated breaches
  - Lawsuits
  - State Attorney General involvement
  - Larger numbers of affected individuals
First Party Privacy Notification Costs
- What is involved?
  - Requirements regarding notification to affected individuals
  - Requirements regarding notification to governmental authorities
- What is covered?
  - Depends on policy
  - Forensic investigation
  - Cost to provide notice required by law
  - Attorney fees to determine required response under law
  - Public relations consultant
  - Credit monitoring
Crisis Management
- Public relations fees
- Mitigation of reputational damage
- Some policies include notification costs
Business Information
- Lost company data
  - First party
  - Customer lists, account information
  - Not necessarily PII
Business Interruption Loss
- First party income loss
  - Required data for proof of loss
  - Sublimits
Regulatory Proceedings
- State attorney general investigations
- FTC investigations
- FCC investigations
- SEC investigations
- DOJ investigations
- Other governmental investigations – US, EU, Japan, China…
- Sometimes covered, sometimes
Cyber Extortion
- Extortion payments
- Security consultant fees to prevent or
Third Party Claims
- Theft of PII/PHI
  - Standing issues continue to evolve
    - Actual vs. fear of identity theft
    - Whether time/effort spent addressing breach is enough
- Violations of privacy laws
  - State laws
  - HIPAA Violations
    - Health Information Technology for Economic and Clinical Health Act (HITECH)
  - Fair Credit Reporting Act/Fair And Accurate Credit Transactions Act
  - Gramm-Leach-Bliley Act
Common Exclusions
- Consumer protection laws
- Contractual obligations
- Unlawful collection of PII
- Failure to comply with required security procedures
- Unprotected data
- Failure to maintain privacy policy
- Prior knowledge
- Retroactive date
Common Policy Requirements Re Business Practices
- Computer security
  - Software
  - Network hardware
  - Antivirus and intrusion detection
  - Firewalls
  - Information security policies and procedures
- Laptops
- Privacy policy
Presenter: Joshua Gold