Cyber and CGL Insurance Coverage
for Data Breach Claims
Paula Weseman Theisen, Partner
Data breach overview
Definition of data breach/types
Data breach costs
Data breach legal claims and damages
Cyber-insurance policies
First-party and third-party coverages
Sample provisions/limitations/exclusions
CGL coverage for data-breach claims
What is a data breach?
A security incident in which private or confidential data is either lost or accessed/obtained by an unauthorized person, for example:
• Physical loss of computer hardware (laptops, backup tapes, etc.)
• System failure that inadvertently allows confidential information to be accessed or viewed
• A deliberate attack on a company’s network by criminal hackers
Recall Total Information Management, Inc. v. Federal Ins. Co., 83 A.3d 664 (Conn. Ct. App. 2014)
Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 2014 WL 3887797 (E.D. Va.)
Zurich Am. Ins. Co. v. Sony Corp. of Am., 3/4/14 So-Ordered Transcript, No. 651982/11 (N.Y. Sup. Ct., N.Y. Cty.), http://iapps.courts.state.ny.us/iscroll
Target; Neiman Marcus; etc.
Data-breach costs (first party)
• Forensic expenses
  » Discovery and scope of breach
  » Identifying what data was accessed/downloaded
  » Re-securing the network
Data-breach claims/damages (third-party)
Consumer Claims
• Risk of identity theft
• Costs of credit-report monitoring
• Costs of cancelling cards and loss of use of cards pending replacement
• Unreimbursed fraudulent charges
• Loss of time changing account numbers, passwords, etc.
Financial Institution Claims
• Cost of replacing/mailing cards
• Financial losses from fraudulent charges
• Staff and temporary employee time to identify affected accounts, notify account holders and respond to inquiries
Third-party claims for data breaches
• Negligence
• Breach of implied contract
• Breach of contract (third-party beneficiary of PCI contracts)
• Breach of warranty
• Misrepresentation
• Invasion of privacy
• Unfair business practices act violations
• Violation of notification statutes
Cyber-Liability Insurance
Coverage                                   Limit          Retention
A. Information Security and Privacy        $15,000,000*   $500,000
B. Privacy Breach Response Services        $1,000,000**   $20,000
C. Regulatory Defense and Penalties        $5,000,000*    $500,000
D. Website Media Liability                 $15,000,000*   $500,000
E. Crisis Management & PR                  $250,000*      $5,000
F. PCI Fines and Costs                     $1,000,000*    $500,000
G. Cyber Extortion                         $15,000,000*   $500,000
H. Network Business Interruption           $15,000,000*   $500,000
Information Security and Privacy
Insurer will pay Damages and Claim Expenses in excess of the Retention that the Insured is legally obligated to pay because of any claim first made during the policy period for:
• Theft, loss or unauthorized disclosure of Personally Identifiable Private Information (PIPI) in the care, custody or control of the Insured
• An incident resulting from the failure of Computer Security to prevent a Security Breach involving:
  » Failure to prevent transmission of Malicious Code to Third Party Computer Systems;
  » Participation by the Computer System in a DoS Attack against a Third Party Computer System
• Failure to timely disclose a Data Breach Incident
• Failure to comply with a Privacy Policy that prohibits or restricts the Insured’s disclosure, sharing or selling of PIPI
Privacy Breach Response Services
Costs incurred:
• For a computer security expert (CSE) to determine the existence and cause of a data breach resulting in actual or reasonably suspected theft, loss or unauthorized disclosure of PIPI which may require the Insured to comply with a Breach Notice Law …
• Up to $50,000 for a CSE to demonstrate the Insured’s ability to prevent a future data breach as required by a Merchant Service Agreement
• Attorneys’ fees to determine the applicability of and actions necessary to comply with a breach notice law due to reasonably suspected theft, loss or unauthorized disclosure of PIPI
Limitations/Exclusions
Damages:
Does not include fees, costs or other amounts the Insured is required to pay under a Merchant Services Agreement
Merchant Services Agreement means any agreement between an Insured and a financial institution, credit/debit card company, credit/debit card processor or independent service operator enabling an Insured to accept credit card, debit card, prepaid card, or other payment cards for payments or donations.
• BI/PD
• Contractual liability/breach of contract
• Unlawful collection or retention of PIPI
• Intentional breach or violation of privacy law (defense costs)
• Except for Privacy Breach
Do CGL policies cover data-breach liability?
Most businesses still do not purchase cyber-coverage:
• Understanding of risk/exposure
• Cost
  » $25-50,000 per million (larger policyholders)
  » $15-20,000 per million (smaller insureds)
  http://resources.infosecinstitute.com/cyber-insurance/
The cyber-insurance limits were inadequate, the right coverages were not purchased, or there is a coverage defense.
CGL Insuring Provisions
Coverage A: Property damage
Damages the insured is legally obligated to pay because of property damage (during the policy period, caused by an occurrence):
1. Physical damage to tangible property;
2. Loss of use of tangible property that was not physically damaged
Property Damage Definition: Electronic Data ≠ Tangible Property
Electronic data is not tangible property. “Electronic data” means information, facts or programs stored as or on, created or used on, or transmitted to or from, computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
• Data vs. media distinction
• Loss of use of credit/debit card
Electronic data exclusion
• Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
Other Coverage A Exclusions
• Any "property damage" to … personal property in the care, custody or control of any "Insured," loaned to any "Insured," or used … by any "Insured," or as to which any "Insured" is for any purpose exercising physical control.
• Liability arising out of a violation of the [TCPA, CAN-SPAM Act] or “any act that violates any other statute, ordinance or regulation of any federal, [or] state … government that prohibits or limits the sending, transmitting or communicating of material or information.”
Property Damage Caselaw
Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, 2005 WL 1154594 (M.D. Pa.), aff’d in pertinent part, Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008).
“[T]he credit and debit cards are tangible personal property. … [T]hey are palpable, can be touched, [are] capable of ownership, and endowed with intrinsic value. The intrinsic value of each card is probably not very much, whatever the cost of a blank card is, but it nonetheless has intrinsic value.” Id. (emphasis added).
Recall Total Info. Mgmt. Inc. v. Federal Ins. Co., No. X07CV095031734S, 2012 WL 469988 (Conn. Super. Ct.), aff’d 83 A.3d 664 (Conn. Ct. App. 2014).
Recall argued, “somewhat hesitantly,” that the loss or theft of the tapes themselves constituted property damage.
IBM did not claim damages for the cost of the lost tapes or the cart on which they were contained. Instead, the claims for damages related to preventive measures IBM took due to the theft or loss of use of the data on the tapes, not the tapes themselves. This, the court held, “is not damage to tangible property.”