
Cyber and CGL Insurance Coverage for Data Breach Claims


Paula Weseman Theisen, Partner

Data breach overview

Definition of data breach/types

Data breach costs

Data breach legal claims and damages

Cyber-insurance policies

First-party and third-party coverages

Sample provisions/limitations/exclusions

CGL coverage for data-breach claims


What is a data breach?

A security incident in which private or confidential data is either lost or accessed/obtained by an unauthorized person

• Physical loss of computer hardware (laptops, backup tapes, etc.)

• System failure that inadvertently allows confidential information to be accessed or viewed

• A deliberate attack on a company’s network by criminal hackers

Recall Total Information Management, Inc. v. Federal Ins. Co., 83 A.3d 664 (Conn. Ct. App. 2014)

Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 2014 WL 3887797 (E.D. Va.)

Zurich Am. Ins. Co. v. Sony Corp. of Am., 3/4/14 So-Ordered Transcript No. 651982/11. http://iapps.courts.state.ny.us/iscroll, N.Y. Sup. Ct., N.Y. Cty.; Target; Neiman Marcus; etc.

Data-breach costs (first party)

• Forensic expenses

Discovery and scope of breach

Identifying what data was accessed/downloaded

Re-securing the network


Data-breach claims/damages (third-party)

Consumer Claims

• Risk of identity theft

• Costs of credit-report monitoring

• Costs of cancelling cards and loss of use of cards pending replacement

• Unreimbursed fraudulent charges

• Loss of time changing account numbers, passwords, etc.

Financial Institution Claims

• Cost of replacing/mailing cards

• Financial losses from fraudulent charges

• Staff and temporary employee time to identify affected accounts, notify account holders and respond to inquiries

Third-party claims for data breaches

• Negligence

• Breach of implied contract

• Breach of contract (third-party beneficiary of PCI contracts)

• Breach of warranty

• Misrepresentation

• Invasion of privacy

• Unfair business practices act violations

• Violation of notification statutes


Cyber-Liability Insurance

Coverage                                  Limit           Retention
A. Information Security and Privacy       $15,000,000*    $500,000
B. Privacy Breach Response Services       $1,000,000**    $20,000
C. Regulatory Defense and Penalties       $5,000,000*     $500,000
D. Website Media Liability                $15,000,000*    $500,000
E. Crisis Management & PR                 $250,000*       $5,000
F. PCI Fines and Costs                    $1,000,000*     $500,000
G. Cyber Extortion                        $15,000,000*    $500,000
H. Network Business Interruption          $15,000,000*    $500,000

Information Security and Privacy

Insurer will pay Damages and Claim Expenses in excess of the Retention that the Insured is legally obligated to pay because of any claim first made during the policy period for:

• Theft, loss or unauthorized disclosure of Personally Identifiable Private Information in the care, custody or control of the Insured

• An incident resulting from the failure of Computer Security to prevent a Security Breach involving:

• Failure to prevent transmission of Malicious Code to Third Party Computer Systems;

• Participation by the Computer System in a DOS Attack against a Third Party Computer System

• Failure to timely disclose a Data Breach Incident

• Failure to comply with a Privacy Policy that prohibits or restricts the Insured’s disclosure, sharing or selling of PIPI


Privacy Breach Response Services

Costs incurred:

• For a computer security expert to determine the existence and cause of a data breach resulting in actual or reasonably suspected theft, loss or unauthorized disclosure of PIPI which may require the Insured to comply with a Breach Notice Law …

• Up to $50,000 for a CSE to demonstrate the Insured’s ability to prevent a future data breach as required by a Merchant Service Agreement

• Attorneys’ fees to determine the applicability of and actions necessary to comply with a breach notice law due to reasonably suspected theft, loss or unauthorized disclosure of PIPI

Limitations/Exclusions

Damages:

Does not include fees, costs or other amounts the Insured is required to pay under a Merchant Services Agreement

Merchant Services Agreement means any agreement between an Insured and a financial institution, credit/debit card company, credit/debit card processor or independent service operator enabling an Insured to accept credit card, debit card, prepaid card, or other payment cards for payments or donations.

• BI/PD

• Contractual liability/breach of contract

• Unlawful collection or retention of PIPI

• Intentional breach or violation of privacy law (defense costs)

• Except for Privacy Breach


Do CGL policies cover data-breach liability?

Most businesses still do not purchase cyber-coverage

Understanding of risk/exposure

Cost

» $25-50,000 per million (larger policyholders)

» $15-20,000 per million (smaller insureds)

http://resources.infosecinstitute.com/cyber-insurance/

The cyber-insurance limits were inadequate, the right coverages were not purchased or there is a coverage defense

CGL Insuring Provisions

Coverage A: Property damage

Damages the insured is legally obligated to pay because of property damage (during the policy period caused by an occurrence).

1. Physical damage to tangible property;

2. Loss of use of tangible property that was not physically damaged

Insuring


Property Damage Definition:

Electronic Data ≠ Tangible Property

Electronic data is not tangible property. “Electronic data” means information, facts or programs stored as or on, created or used on, or transmitted to or from, computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Data vs. media distinction

Loss of use of credit/debit card

Electronic data exclusion

• Damages arising out of the loss of, loss of use of, damage to, corruption or inability to access, or inability to manipulate electronic data.


Other Coverage A Exclusions

• Any “property damage” to … personal property in the care, custody or control of any “Insured,” loaned to any “Insured,” or used … by any “Insured,” or as to which any “Insured” is for any purpose exercising physical control.

• Liability arising out of a violation of the [TCPA, CAN-SPAM Act] or “any act that violates any other statute, ordinance or regulation of any federal, [or] state … government that prohibits or limits the sending, transmitting or communicating of material or information.”

Property Damage Caselaw

Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, 2005 WL 1154594 (M.D. Pa.), aff’d in pertinent part Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008).

“[T]he credit and debit cards are tangible personal property. …[T]hey are palpable, can be touched, [are] capable of ownership, and endowed with intrinsic value. The intrinsic value of each card is probably not very much, whatever the cost of a blank card is, but it nonetheless has intrinsic value.” Id. (emphasis added).


Recall Total Info. Mgmt. Inc. v. Federal Ins. Co.

No. X07CV095031734S, 2012 WL 469988 (Conn. Super. Ct.), aff’d 83 A.3d 664 (Conn. Ct. App. 2014).

Recall argued, “somewhat hesitantly,” that the loss or theft of the tapes themselves constituted property damage.

IBM did not claim damages for the cost of the lost tapes or the cart on which they were contained. Instead, the claims for damages related to preventive measures IBM took due to the theft or loss of use of the data on the tapes, not the tapes themselves. This, the court held, “is not damage to tangible property.”

Coverage B: Personal Injury

“Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses:

Damages the insured is legally obligated to pay because of “personal and advertising injury.”

e. Oral or written publication, in any manner, of material that violates a person's right of privacy.


PAULA WESEMAN THEISEN, PARTNER

Meagher & Geer PLLP

33 South 6th Street, Suite 4400

Minneapolis, MN 55402

612/337-9653
