Star Wars in the New Millennium: Cyber Liability and Data Risk
“Cyber Liability” and “Data Risk” – Catchy… But What Do They Mean?
Cyber Liability and Data Risk
Cyber liability refers generally to new
types of liability faced by companies
due to their use of technology.
Data risk is a subset of cyber liability
that refers to a compromise of
sensitive data stored electronically.
Challenges of Cyber Liability
Stupendous growth of electronic data storage
and communication has created new
challenges for business entities.
Arises from our dependence on all things
electronic
1.8 Billion people using the Internet
Text, e-mail, billing systems, payment
systems, business operations, smart phones
(Blackberry, iPhone, etc.)
Increases the risk because information is electronic
and infinitely portable.
Two Challenging Types of Claims
Data Risk (also known as Data Breach): Claims arising from a breach of company data (first- and third-party)
Cyber-Privacy: Claims arising from a compromise of employee cyber-privacy
Data Risk will be our focus today.
Response by Insurance Carriers
Carriers recognize that cyber-related claims
require a new approach, including tailored
policies and careful handling.
New Policies are Being Created
Enhanced Privacy Endorsements
Technology and Media Coverage
add-ons
EPL enhancements
Data Risk (Data Breach)
Claims
Data Breach Claims
A data breach can cost millions of dollars, based on the type and amount of data affected.
Any entity that stores third-party data
can be at risk, including (but certainly
not limited to):
Retailers
Financial institutions
Health care providers
Law firms
Claim Examples – Data Breach
Online retailer hacked and customer
credit card information is stolen:
regulatory and class actions
Companies unknowingly spread a worm and face liability to the parties infected, based upon lost revenues caused by the virus.
Disgruntled employee deletes the
company’s databases, causing business
interruption
Computer hacker floods a company’s
website, overwhelming the system and
causing it to crash.
More Claim Examples – Data
Breach
Private medical info is stolen or
disclosed, leading to a suit for
defamation and invasion of privacy.
Employee laptop is lost or stolen
iPhone is compromised
Disgruntled employee shares
information on networking site
Claim Examples - Other
Some claims do not fall neatly in the categories of
“employee privacy” or “data breach,” and relate more to
traditional causes of action through new mediums (such
as defamation, copyright infringement, and patent
infringement):
Online publisher allows defamatory postings about a local
public figure, causing the public official to lose his job.
Company is sued for unauthorized use of a person’s photo
on its website.
A small business creates a website and is sued by another
company alleging that their domain name violated
trademark laws.
Compromised Data
285 Million records were
compromised in 2008
25% of Companies With IT Outage
for 2-6 days go bankrupt immediately
Heartland Payment Systems: credit
card numbers of clients
Cost: $12.5 Million in legal fees, costs
and settlements to date
Credit Card Numbers are purchased
by “information gangsters”
Dave & Busters: FTC Complaint
Intruder exploited vulnerabilities in
systems
130,000 unique credit cards stolen
Issuing Banks Claimed over $500,000
in unauthorized charges
Settled
Before TJ Maxx, no recognized private
cause of action for data breach
Judge let three theories survive:
Two theories of negligent
misrepresentation regarding their cyber
security
Lack of security measures amounted to
unfair and deceptive business practice
Settled with banks for $525,000
Total cost over $40 million
Variety of Data Breach Claims
The potential claims are at least as
varied as the potential claimants:
Actual loss (theft) of customer, client or employee
data
Extortion based on a threatened loss of customer,
client or employee data
Monitoring or repairing of credit reports for those affected by a data breach
Notices issued to those affected by a data breach
Public relations activity necessitated by a data breach
Remediation and repair of systems due to a data
breach
Lost profits caused by a data breach
Data Breach Claims Are on the Rise
Depending on the type of breach, costs can vary significantly, from
$750,000 to $31,000,000 in 2009.
[Chart: Lowest vs. Highest data breach claim cost, 2009; y-axis in dollars, 0 to 35,000,000]
Data Breach Claims Are on the Rise
The average per-customer cost of data-breach claims
has increased over the last year alone.
[Chart: Avg. Cost per Customer, 2008 vs. 2009; y-axis in dollars, 201 to 205]
Data Breach Claims Are on the Rise
The increased per-customer cost translates to large increases in
costs per breach.
[Chart: Avg. Cost per Breach, 2008 vs. 2009; y-axis in dollars, 6,600,000 to 6,760,000]
Data Breach –
Sources of Loss
What are the sources of potential loss to the insured?
While the most common (and most elusive) source of loss is a civil action by the individual affected by the breach, there are other sources of potential liability for the insured:
Violation of “Red Flag Rules” (requiring entities to implement an
identity theft prevention program) under the Fair and Accurate Credit
Transactions Act, enforced by the Federal Trade Commission (“FTC”)
Health Information Technology for Economic and Clinical Health Act (“HITECH”), enforced by the FTC and the Department of Health and Human Services, which includes breach notification provisions
Children’s Online Privacy Protection Act
CAN-SPAM Act
Gramm-Leach-Bliley Act
Fair Credit Reporting Act
Computer Fraud and Abuse Act
Federal Privacy Act
State breach notification laws
State attorney general actions and consumer protection laws
Data Breach –
Potential Damages
What are the potential damages to which the
insured could be exposed?
Depending on governmental involvement, the
strategy of the claimant, and the approach of the
Insured, multiple damages are possible:
Compensatory damages (although difficult to prove)
Consequential damages
Punitive damages
Fines and fees (imposed by regulatory agencies)
Remediation of hardware and software
Lost profits and goodwill
Notification of affected individuals/entities
Monitoring of affected individuals/entities
Federal “Red Flags” Rules
The “Red Flags Rules” were promulgated under the Fair and Accurate Credit Transactions Report Act. 16 CFR 681.1.
Any company holding credit data could be subject
Requires a Written Identity Theft Prevention Program
December 31, 2010 Implementation
Red Flag Rules
Requires “creditors” and “financial institutions” (“covered entities”) to conduct risk assessments to determine if they have “covered accounts,” which include consumer-type accounts or other accounts for which there is a reasonable risk of identity theft
“Creditor” “means any person who regularly extends,
renews, or continues credit; any person who regularly
arranges for the extension, renewal, or continuation of
credit; or any assignee of an original creditor who
participates in the decision to extend, renew, or continue
credit.” 15 USC § 1691a(e) (emphasis added).
“Credit,” as used within the statute, “means the right
granted by a creditor to a debtor to defer payment of
debt or to incur debts and defer its payment or to
purchase property or services and defer payment
therefor.” 15 USC § 1691a(d) (emphasis added).
Insurance For Cyber
Claims
Gaps in Traditional
Insurance Policies
Property insurance policies – “Property”: Tangible vs. Intangible
D&O: Property exclusion; Professional services exclusion; not covered by insuring clauses
Crime/Fidelity policies – Tangible Property
CGL: Exclusions for losses associated with unauthorized
access by third parties.
Errors & Omissions policies – Generally exclude security
breaches or damages arising from unauthorized access.
EPL policies – Not covered by Insuring Clauses.
Cyber Liability –
Covered Risks
Generally, cyber liability policies address
two types of risks:
First Party: losses suffered directly by the
Insured
Third Party: losses associated with the Insured’s
liability for damages suffered by a third party
First Party Losses
Business interruption costs
Crisis management and public relations
costs
Privacy notifications and credit monitoring
costs
Costs associated with theft or vandalism of
a company’s network or systems
Upgrades in network security
Third Party Losses
Disclosure Injuries: unauthorized access to or
dissemination of a third party’s private information
Content Injuries: copyright, trademark, trade secrets or
other intellectual property claims
Reputation Injuries: libel, slander, defamation, invasion
of privacy claims
System Injuries: security failures or virus transmissions
that harm the computer systems of third parties
Impaired Access Injuries: customers cannot access
their accounts or information
First Party Losses in
Third Party Claims
Often a third party liability claim will
involve direct losses by the Insured
A third party cyber liability policy may
provide coverage for certain direct losses
associated with a claim (or a potential
claim) by a third party. These may
include:
Security breach notifications
Credit monitoring costs
Crisis management consultation
6 Separate Insuring Clauses!
1) Technology Security Wrongful Act
2) Privacy Wrongful Act
3) Private Information Breach
4) Web Media Services Wrongful Act
5) Extortion Loss from Technology
Threat
6) Data Restoration Loss from Breach
Cyber Liability Coverage by
Endorsement
Insurers have customized traditional
Policies to provide additional coverage for
specific cyber risks by endorsements.
For example:
EPLI Policies – coverage for employee related theft or
third party unauthorized access to private
information.
E&O Policies – coverage for e-commerce activities,
security breaches, and unauthorized access
Property & Crime Policies – coverage for “intangible”
property like data
Breaking Down a Data Risk
Claim
Data Breach –
Cause of the Breach
What was the cause of the breach?
The cause of the breach can affect both potential liability and coverage:
External hacking
Wrongdoing internal to the insured
Failure of controls or preventative measures
Failure of hardware or software
Wrongdoing or failure of a vendor or other
related third-party entity
Data Breach – Data Involved
What type of data was involved?
Personally Identifiable Information (PII)
is the most common, and will be the
focus here:
First name or initial combined with a social
security number, driver’s license number,
state ID number, or account number with
access code or password
Other sources of potential concern
include proprietary data of a vendor or
internal proprietary data.
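As an added example (not from the presentation), a breach-scoping check that applies the PII definition above to a constructed set of exposed records and counts which individuals would need notification; the field names and sample records are assumptions:

```python
from __future__ import annotations

# Field names are assumed for illustration; map your own schema onto them.
NAME_FIELDS = {"first_name", "first_initial"}
# Identifiers that make a record notifiable when combined with a name.
STANDALONE_IDS = {"ssn", "drivers_license", "state_id"}
# An account number only counts together with an access code or password.
ACCOUNT_SECRET_FIELDS = {"access_code", "password"}


def is_notifiable_pii(exposed: set[str]) -> bool:
    """True if the exposed fields match the slide's PII definition:
    first name or initial combined with SSN / driver's license / state ID,
    or with an account number plus its access code or password."""
    if not exposed & NAME_FIELDS:
        return False
    if exposed & STANDALONE_IDS:
        return True
    return "account_number" in exposed and bool(exposed & ACCOUNT_SECRET_FIELDS)


def scope_breach(records: list[tuple[str, set[str]]]) -> dict:
    """Count affected individuals in a breached dataset.

    Each record is (person_id, fields exposed for that person); exposure can
    differ per row, e.g. a partial dump where some rows lack the SSN column."""
    affected = sorted(pid for pid, fields in records if is_notifiable_pii(fields))
    return {
        "total": len(records),
        "notifiable": len(affected),
        "affected_ids": affected,
    }


# Constructed sample dump: five people, differing exposed columns.
SAMPLE_RECORDS = [
    ("p1", {"first_name", "ssn"}),                           # name + SSN
    ("p2", {"first_name", "account_number"}),                # no access code
    ("p3", {"first_initial", "account_number", "password"}), # initial + acct + pw
    ("p4", {"ssn", "drivers_license"}),                      # no name element
    ("p5", {"first_name", "email"}),                         # no covered identifier
]

if __name__ == "__main__":
    print(scope_breach(SAMPLE_RECORDS))
```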
Data Breach –
Risk Mitigation
What needs to be done to mitigate
the effect of a data breach?
Once a breach has occurred, the insured has
multiple options for mitigating the breach
(some of which may impact coverage).
Incident analysis (internal communication,
containment, harm determination)
Incident disclosure (notice to affected individuals, vendors, regulatory agencies)
Loss mitigation (trending, benchmarking,
remediation)
Evaluating a Data Breach
When a data breach occurs,
immediate and decisive action is
required:
Evaluate the potential scope of the loss, in terms of individuals affected
Identify the governmental and regulatory agencies with whom communication is necessary
Understand how mitigation strategies affect costs and coverage
Handling a Data Breach Claim
Pro-Active: Hiring Counsel and Waiting for 90-Day Report May Cost Insurer Millions
Immediate Retention of IT or Privacy Expert
Boots on the Ground Approach May be More Effective
E-Discovery costs may be the driving force in litigation
Data Breach Actions in the Courts –
The Good
Hammond v. The Bank of New York, 08 Civ. 6060 (RMB)(RLE), 2010 WL 2643307 (S.D.N.Y. June 25, 2010)
Action arose from the loss of 6 to 10 unencrypted backup tapes from an armored truck and, on a separate occasion, the loss of a storage tape containing check images and other payment documents
Claims included common law negligence, negligence per se, breach of implied contract, breach of implied duty, and statutory claims under the laws of NY, California, NJ, Michigan, and Illinois
Class action
Relief sought included actual damages, equitable relief including a credit monitoring program, fees, costs and expenses
Court noted that approximately 30 prior cases had been brought for damages for loss of personal identification information
All had been disposed of by way of Rule 12(b)(6) or 56
Reasons for dismissals include lack of “injury in fact” and that loss of identity information is not a cognizable claim
Court granted summary judgment because of, inter alia, lack of standing, as no plaintiff could establish actual harm
Also held that plaintiffs could not establish damages because an increased risk of loss is insufficient to support substantive claims
Data Breach Actions in the Courts –
the Good
Amburgy v. Express Scripts, Inc., 671
F.Supp.2d 1046 (E.D.Mo. 2009)
Court held increased risk of future
identity theft was insufficient to confer
standing
Data Breach Actions in the Courts –
the Flipside
In re: Countrywide Financial Corp. Customer
Data Security Breach Litigation, 3:08-MD01998, 2009 WL 5184352 (W.D.Ky. 2009)
Class of 17 million
10.1 million will receive direct notice of settlement
Remaining 41% receive notice by publication in
Parade, USA Weekend and American Publication to
be inserted in over 2200 local Sunday papers
Two settlement classes, but the settlement included paid credit monitoring for two years and $25,000 in identity theft insurance
Conclusion
Cyber Liability and Data Risk Claims
are Coming Your Way!
The key may be to recognize the non-traditional costs associated with these claims, and how to mitigate those costs.