CYBER RISKS AND COVERAGE: QUESTIONS TO CONSIDER

Academic year: 2021

(1)

www.mccormackfirm.com

CYBER RISKS AND COVERAGE: QUESTIONS TO CONSIDER

Stephen D. Rosenberg, Esq.

John H. Lacey, Esq.

THE MCCORMACK FIRM, LLC

(2)

CURRENT TRENDS IN DATA PROTECTION (or lack thereof)

2011 – “Year of the Data Breach”

Every sector of our economy had its turn:

96% of Healthcare businesses suffered a breach in the last 2 years (Ponemon Institute Survey, Dec. 2011)

US Senate, FTC, Law Enforcement, FBI, CIA, NATO, Sony, Epsilon, RSA, Stratfor, Michaels, Subway, Zappos, Citi . . .

(3)

CURRENT TRENDS IN DATA PROTECTION (or lack thereof)

• 46 different state breach notification laws

• Still no corresponding Federal law

(4)

STATE LAWS: Massachusetts

• M.G.L. 93H – 201 CMR 17.00

– 2007 law goes into effect

– 2010 regulations in effect

• Not merely a notification statute

• Requires a WISP and encryption technology

– 2011 A.G. takes action: Over $100K in fines

• Briar Group Restaurants: $100K

• Belmont Saving Bank: $7,500

– 2012 Last elements come into effect

(5)

STATE LAWS: New York

• N.Y. Gen. Bus. Law § 899-aa

– Notification statute

• Notable Breaches:

– Jan 2012 - New York Utilities Data… 3rd party unauthorized access – 1.8 million records

– Feb 2011 – NYC Hospitals… 1.7 million records

– Feb 2011 – NASDAQ Director’s Desk hacked

(6)

STATE LAWS: Texas

• Tex. Bus. & Com. Code § 521.053

• Tex. Bus. & Com. Code Ann. §§ 48.101, 48.102

– Notification Statute recently amended; doesn’t just apply to Texas residents’ data – all U.S.

• Notable Breaches:

– Sept 2011 - Tricare 4.9 million records

• Lawsuit demands $4.9 Bbbbbbbillion

– March 2011 – Texas comptroller breach 3.5 million records

– One day after Zappos, Texas woman files suit

• The civil negligence lawsuit seeks unspecified millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy, along with a court order for the company to pay for customer credit monitoring and identity theft insurance and periodic audits to ensure customer data is secure.

(7)

PENDING FEDERAL LEGISLATION

• House of Representatives:

– H.R. 2577 – Rep. Mary Bono Mack (R) – CA

• SAFE Data Act (Secure and Fortify Electronic Data Act)

– H.R. 1707 – Rep. Bobby Rush (D) – IL

• Data Accountability and Trust Act

– H.R. 1841 – Rep. Cliff Stearns (R) – FL

(8)

• United States Senate:

– S. 1511 – Sen. Patrick Leahy (D) – VT

• Personal Data Privacy and Security Act of 2011

– S. 1207 – Sen. Mark Pryor (D) – AR

• Data Security and Breach Notification Act of 2011

– S. 1408 – Sen. Dianne Feinstein (D) – CA

• Data Breach Notification Act of 2011

(9)

PENDING FEDERAL LEGISLATION

House Bills:

• H.R. 2577 – SAFE Data Act – Bono Mack

– Currently in House Energy and Commerce Committee

• H.R. 1707 – DATA Act – Bobby Rush

– Currently in House Energy and Commerce Sub-Committee

• H.R. 1841 – DATA Act of 2011 – Stearns

– Currently in House Energy and Commerce Sub-Committee

(10)

PENDING FEDERAL LEGISLATION

Senate Bills:

• S. 1151 – Senator Leahy

– Sep 22, 2011: Placed on Senate Legislative Calendar under General Orders. Calendar No. 181

• S. 1207 – Senator Pryor

– Sep 22, 2011: Placed on Senate Legislative Calendar under General Orders. Calendar No. 181

• S. 1408 – Senator Feinstein

– Sep 22, 2011: Placed on Senate Legislative Calendar under General Orders. Calendar No. 181

(11)

PERSONAL INFORMATION

• What is it?

• PI or PII or PHI or SPII or ???

• Inconsistent definitions cause confusion.

• Where is it? Everywhere. Paper, electronic, scanner, printers, fax.

• If you have information, then you have

(12)

POSSIBLE PITFALLS

• Lost laptop – what was on it?

• Lost USB memory stick – what was on it?

• Misdirected email with attachment

• Improper disposal: paper, old computers and printers

• Malicious insider – can be profitable to steal

• Government doesn’t care if it was a mistake

• Watch your third-party record holders

(13)

AWARENESS AND PREPARATION

• Take a mental note of the places you keep information.

• Ask yourself… If I lost it, what would I do next?

– Would you know what you lost?

– Who to tell?

– Does your company have internal controls for reporting a data breach, even a suspected one?

• Everyone uses hindsight to analyze a data breach –

(14)

LITIGATION

• “Trolls” – Blunderbuss Approach by Plaintiffs

• Numerous class actions filed against breaching

entities immediately after media reports

• Most dismissed – lack of cognizable harm

• Some settled – BIG numbers

(15)

THE DOWNSIDE TO LOSING INFORMATION

• Response costs - $214 per record (Ponemon)

• Brand damage – stock price damage

• Fines

• Lawsuits

• Individuals suffering identity theft

• Credit Card industry fines

(16)

And now, a short story. . .

• Ramnicu Valcea, Romania

• Population 120,000

(17)

Ramnicu Valcea, Romania

A Mercedes-Benz dealership.

(18)

Ramnicu Valcea, Romania

24 Western Union locations.

In a four block area?

(20)

YOUR INSUREDS

• Who are they? What industry?

• What information do they have?

• Do they have sufficient internal controls?

• What is their exposure?

• What is your exposure?

• What does the policy cover? – Are you

(21)

Part Two

(22)

COUNTLESS SCENARIOS

• There is a broad range of cyber crimes: some directed at customers, while some attempt to disable a company’s operations

• A disgruntled employee, for example, may introduce a virus that shuts down a company computer system

• Hackers may steal intellectual property or customers’ identities

• Even accidental data releases can lead to substantial liability

• Multiple sources of insurance coverage for such cyber crimes

(23)

WHAT TYPES OF POLICIES MAY BE TRIGGERED BY A CYBER RISK?

• Dedicated cyber risk policies and/or endorsements:

– LexCyberSecure

– Specialty Risk Protector

– NetAdvantage

• CGL policies

• Professional Liability

• D&O

• Crime & Fidelity

(24)

CYBER RISK POLICIES

• What risks are actually covered?

• Chartis Specialty Risk Protector Coverage:

“Privacy Event”:

• Failure to protect Confidential Information, including identity theft

• Failure to disclose a breach of Confidential Information in violation of any Security Breach Notice Law

• Violation of any state or federal privacy statute in connection with a Claim for damages

(25)

CYBER RISK POLICIES

Definition of covered “Loss”:

• Compensatory damages, judgments, settlements, pre/post-judgment interest and Defense Costs

• Money the insured is required by law or has agreed to by settlement to deposit into a consumer redress fund

(26)

NON-CYBER POLICIES MAY APPLY

Although many insurers now offer cyber-coverage, coverage may still lie under other existing common policies and provisions, such as:

• Personal or Advertising injury clause in CGL policies,

• D&O policies, and

• E&O policies

(27)

• Most companies have first-party property insurance and/or a CGL policy to cover third party losses.

• Both types of policies cover “property damage”, traditionally defined as “physical injury to tangible property.”

• The critical question for such properties is whether technology losses fall within this definition.

(28)

A COURT’S VIEW

Courts have been consistent in holding that hardware defects that cause physical injury to computer components are covered. See, e.g.:

• Retail Sys., Inc. v. CAN Ins. Co., 469 N.W. 2d 735 (Minn. Ct. App. 1991);

• Lambrect & Associates, Inc. v. State Farm

(29)

CGL POLICIES AND A QUESTION

Is data considered to be tangible property that is subject to covered damage under a standard CGL policy?

(30)

COURT’S VIEW

Courts are split on whether an insurer is liable if the damage occurs to software or electronic data.

Some courts have held electronic data are NOT tangible, and thus loss of data is NOT property damage.

• America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F. 3d 89 (4th Cir. 2003) (no duty to defend under CGL policy because computer data and software not “tangible.”);

• Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797, 801 (8th Cir. 2010);

• Ward General Ins. Services v. Employer’s Fire Ins. Co., 114 Cal. App. 4th 548 (Under first party property policy

(31)

COURT’S VIEW

Other courts, however, have found electronic data to constitute tangible property, such that its loss constitutes property damage.

• Computer Corner v. Fireman’s Fund Ins. Co., 46 P. 3d 1264 (N.M. Ct. App. 2002) (CGL policy);

• American Guar. & Liab. Ins. v. Ingram Micro, Inc., 2000 WL 726789 (D. Ariz. 2000) (First

(32)

DEFINITION

• Recent court decisions have caused insurers to change standard language to exclude electronic data from the definition of tangible property.

• Post-2001 changes to standard ISO CGL policy form specify that electronic data are not

(33)

Personal and Advertising Injury.

Some courts have found data breaches to implicate a person’s right to privacy, thereby triggering a duty to defend.

(34)

PROFESSIONAL LIABILITY INSURANCE

• Architects & Engineers

• Accounting Professionals

• Technology Professionals

E.g.: A network designer who creates a flawed network which results in data loss, or that has inadequate data

(35)

DIRECTORS & OFFICERS LIABILITY INSURANCE

Failure to Disclose Data Breach

• In re Heartland Payment Systems, Inc. Securities Litigation (Civ. No. 09-1043, U.S. District Court, District of New Jersey, December 7, 2009)

• Negligent failure to disclose data breach, resulting in a significant loss of value of shares, can trigger coverage for a derivative suit.

(36)

OTHER POLICIES

• Crime & Fidelity

• First Party Property Insurance

e.g., security breach that results in damage to physical equipment, by a malicious virus or other malware

(37)

SCOPE OF COVERAGE UNDER CYBER RISK POLICIES

• Response costs

– Notification of Consumers

– Data Recovery

• Data as damages

• Loss of use of data

• Economic Loss

(38)

CASE STUDIES

• TJX

• Zurich v. Fieldstone

• Eyeblaster v. Federal Ins.

• Zurich v. Sony

(39)

TJX: SOME DETAILS

• TJX – 2007: Albert Gonzalez hacked into their retail system and obtained over 45 million customer credit card numbers and PI.

• In its SEC filing, TJX disclosed it reserved $118 million to cover response costs.

• 41 State Attorneys General, banks and shareholders filed suits. FTC investigated.

(40)

• One court, at least, has held that data releases are implicated in covered “advertising activities.”

– Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 U.S. Dist. LEXIS 81570 (D. Md. 2007)

• E&O coverage insures losses resulting from negligence, omissions, mistakes and errors made in the course of providing “professional services.”

• Depending on factual circumstances and specific policy wording, coverage may be available for technology-related losses under such policies.

(41)

EYEBLASTER V. FEDERAL INS.

Eyeblaster, Inc. v. Federal Insurance Company, 613 F.3d 797 (8th Cir. 2010). Online marketing campaign company allegedly infected a user’s computer with a spyware program, causing lost data and temporary loss of use of his computer. Eyeblaster was sued for trespass and invasion of privacy.

Although software, data and other electronic information were excluded under the definition of tangible property, the court found a duty to defend, since the complaint alleged loss of use of tangible property (the computer) that is not physically injured.

(42)

ZURICH V. SONY

Hackers compromised over 100,000,000 customer accounts connected to Sony’s Playstation, causing over $173,000,000 in response costs by Sony.

Sony seeks defense and indemnity for class action lawsuits and claims.

Zurich asserts no duty to defend under CGL policies since there was no bodily injury or

(43)

NETSCAPE V. FEDERAL INS.

Netscape Communications Corp. v. Federal Insurance Company, 2009 WL 2634945 (9th Cir. 2009) -- “data mining” lawsuits against AOL. Duty to defend arose under the CGL policy’s Personal Injury provisions – “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

Internal distribution of collected information violates “a person’s right of privacy” and is a “publication” because AOL allegedly had intercepted and internally disseminated private online communications.

(44)

Stephen Rosenberg

[email protected]

Author of Boston ERISA and Insurance Litigation Blog

www.bostonerisalaw.com

John H. Lacey

[email protected]

Author of Massachusetts Data Privacy Law Blog
