Data Security and Cyber-Liability Issues: The Legal Landscape


Cyber Liability
Food for Thought
Moderator:
Michael D. Horvath
Senior Vice President, Risk Management of Simon Property Group
Chairman of the RIMS Real Estate Committee
Presenters:
Mary T. Pipino, CPCU
CEO & President of Donald P. Pipino Company, LTD
Kenneth K. Dort Esq.
Partner, Intellectual Property Practice Group of Drinker Biddle & Reath LLP
Recording of this session via any media type is strictly prohibited.
Cyber Liability
“Food for Thought”
for
Proactive Planning in Anticipation of the
Need for Reactive Execution
Q1: Why Do I Need Cyber Liability
Coverage?
A1
Cyber Liability Coverage
• Covers the compromising of confidential or personal information in your care, custody and control
• Coverage may be limited or excluded from other policies, including Commercial General Liability, Employment Practices Liability, Crime, and Directors and Officers
• The U.S. Securities and Exchange Commission expects publicly traded companies to disclose material cybersecurity risks and incidents (CF Disclosure Guidance: Topic No. 2, 2011)
• Key to remember: if you are responsible for the breach, you are subject to the remediation laws set forth by each state in which an affected consumer resides
• National legislation is pending for the regulation of reporting data breaches
• International laws are vastly different from those of the US
A1
State Notification Statutes
• 47 of 50 states have adopted some form of security and data breach
notification laws – most are similar with slight variation
• Kentucky – new member to the club (last month!)
• Still Not Alabama, New Mexico, South Dakota
• All require prompt notification, and some establish penalties and rights of
action.
• Statutes typically define “data breach,” the types of protected information,
and some set thresholds for the notice requirement, i.e., a reasonable
basis to believe the breach will result in harm.
A1
Ponemon Institute – 2013 Study
• Breach Causes
  • Malicious/Criminal Attacks – 41 percent
  • Employee Mistake/Negligence – 33 percent
  • System Glitches – 26 percent
• Costs By Cause
  • Malicious/Criminal Attacks – $277 per record
  • Employee Mistake/Negligence – $159 per record
  • System Glitches – $177 per record
A1
U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach
Financial Industry: Financial Services Modernization Act, a/k/a the Gramm-Leach-Bliley Act (GLBA)
• Applies to financial institutions
• Imposes security controls
• Requires notification
A1
U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach
• Sarbanes-Oxley Act (“SarBox”)
• Applies to U.S. publicly traded companies
• Section 302
  • Imposes “internal procedures” to ensure accurate financial disclosures
  • Signing officers must certify the effectiveness of control procedures and that they have been evaluated within 90 days prior to the report
  • External auditors must issue an opinion as to whether effective control procedures have been implemented
• Penalties
  • Civil – same as violations of the SEC Act
  • Criminal – up to $1M in fines / 10 years in prison
A1
U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach
• Sarbanes-Oxley Act
• Section 404 – Applies to U.S. publicly traded companies
  • Requires generation of an “internal control report” as part of each report filed with the SEC
  • Report must contain an assessment of control procedures as of the most recent fiscal year
  • Wide discretion to management
  • Management must be knowledgeable about the design and operating effectiveness of the IT control procedures, understand data flows so as to understand points of risk, perform fraud risk assessments, and scale any assessments based on the size and complexity of the company
A1
U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach
• Sarbanes-Oxley Act
• Ramifications as to data security?
  • Questions as to system security undermine certifications of officers
  • Questions as to system security undermine reliability of financial reports
• Same Issues – Private Companies
  • Questionable data security systems undermine reliability of financial reports
  • “Garbage-In-Garbage-Out”
  • Same results without federal overtones
A1
Federal Regulatory Agencies
• Federal Trade Commission (FTC)
  • In re TJX Cos., Inc., FTC File No. 072-3055 (requiring TJX to implement a comprehensive security program to protect personally identifiable information)
• Consumer Financial Protection Bureau (CFPB)
• Federal Communications Commission (FCC)
• Department of Health and Human Services (HHS)
A1
Non-Governmental Regulatory Action
• Financial Industry Regulatory Authority (FINRA)
• Payment Card Industry Security Standards Council
  • Designed to establish common security guidelines for merchants and processors that handle card data
  • PCI DSS (Payment Card Industry Data Security Standard)
Q2: What are the Initial Steps to
Determining Your Organization’s
Vulnerability to Cyber Related Losses?
A2
Evaluation of Risk
• Theft of Data from a Lost or Stolen Device:
  • Laptops
  • Smart Phones
  • Portable Data Drives & USB Storage Devices
• Disposal of Data
  • Shredded
  • Torn up
  • Placed in Trash Receptacle
A2
Evaluation of Risk
• Social Media
  • The WOW!
  • Information or Comments Posted by Employees in Their Personal Social Media Communications:
    • Facebook
    • Twitter
    • LinkedIn
A2
Evaluation of Risk
• Consumer Data
  • Names, Addresses
  • Credit Card Information
  • Financial History
  • Health Information
• Human Resource Records
  • Compensation
  • Social Security Numbers
  • Health Records
• Financial Data
  • Sales Figures
  • Purchasing Costs
  • Inventory Levels
  • Related Data Tracked Into Financial Reports
Q3: What Makes Companies Most
Vulnerable to Cyber Threats?
A3
Sources of Cyber Threats
• Third Party Vendor Transactions:
  • Credit/Debit Card Transactions
  • On-line payment processing, including PayPal and Bank Card Services
• WiFi Hotspots that carry data transmissions
• “Hacking”, both domestic and foreign
• Consequential damages from a tenant’s breach, such as loss of revenue/income
  • Retail Tenant
  • Medical Tenant
Q4: What Management Disciplines
Should be Active in Determining the
Potential Scope of Your Company’s Cyber
Exposures?
A4
Evaluating the Risks for Your Firm is an
Interdisciplinary Process that Should Involve
Many Departments Including:
• Risk Management
• Legal
• Information Technology
• Security
• Human Resources
• Finance
• Audit
• Marketing, Sales and Social Media
A4
Key Points
• Pre Loss Safety and Loss Control Plan
• Pre-Loss Crisis Management Plan
• Contractual Language in Legal Agreements
Addressing Responsibility for Compliant Procedures
to Prevent a Breach and Who is Responsible Should a
Breach Occur
A4
Contingency Plans
• Foregoing Efforts Should Be Laid Out In Contingency Plans
  • Identify Types of Data That Could Be Targeted
  • Identify Each Permutation of Company Personnel To Involve
  • Lay Out Team Roles
  • Identify Third Parties For Contact
• Possible Legal Responses
  • Anticipate Relevant Jurisdictions
  • Identify Contact Points
Q5: Can You Review Recent Cyber Attacks
on Business and Lessons Learned?
A5
Ponemon Institute – 2013 Study
• 2012
  • Macro Cost of Breach – $5.4 million
  • Per Record Cost of Breach – $188 ($128 for indirect costs such as customer churn)
• 2011
  • Macro Cost of Breach – $5.5 million
  • Per Record Cost of Breach – $194 ($135 for indirect costs such as customer churn)
• 2010
  • Macro Cost of Breach – $7.24 million
  • Per Record Cost of Breach – $214
A5
Fallout From Data Breaches
[Flow diagram] Data Breach → Investigation → Notification
A5
Class Actions
• Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (plaintiffs sued on behalf of “customers whose sensitive information was stored on the stolen laptops and a subclass of individuals whose identities have been stolen since the laptop theft”)
• Zurich Amer. Ins. Co. v. Sony Corp. of Amer., et al., Index No. 651982/2011, Supreme Court of New York, New York County (over 65 class actions filed nationwide implicating over 70 million subscribers)
Q6: Cyber Liability Coverage:
•Who’s Buying?
•What Limits are They Buying?
•How is the Product Priced?
A6
Buying Cyber Liability Insurance
• Every business has a need
• Increased claim activity and rapid advancements in technological communications are rapidly increasing the purchase of cyber liability insurance
A6
Cyber-Liability Insurance
• Products Becoming More Comprehensive
• Know Your Needs
• Address Both Short- and Long-Term Costs
• Make Sure Outsourcing Processors Are Covered
• Review Insurer Tool Kits
• Do They Provide Access to Necessary Responsive Expertise?
• Do They Provide Pro-Active Input To Minimize Risks?
• Coverage Amounts
• Responsive Costs
• Overall Damage $$$ and Legal Fee -- Class Actions
A6
Exposure/Costs
• Immediate Response Actions
  • Forensic Investigations
  • Identify Breach Cause
  • Address Breach Gap – Fill the Hole ASAP
  • Public Relations Efforts – Control the Message and Stay Ahead of the Curve
  • Contact Law Enforcement Authorities
• Legal Responses
  • Identify Notification Obligations
  • Affected Persons
  • Legal Authorities
  • Credit Monitoring
  • Reporting – Law Enforcement, Regulatory
A6
Cyber Liability Limits to Buy
Review various deductibles, limits and premiums for your particular risk and evaluate the cost benefit for your risk profile.
Robust market with strong market capacity.
Increase in loss activity will create ongoing changes in the marketplace:
• Adjustments will occur due to loss activity
• The marketplace will evolve and adapt to the losses
• Keep abreast of the market in your particular industry
A6
Key Factors When Pricing Cyber Liability
• Well Organized Submission
• A Well Thought Out and Communicated Crisis
Management Plan
• Claims Experience for the Specific Industry
• Pre-Loss Control Services
Q7: What Advantage Does a Cyber
Liability Policy Provide Beyond Risk
Transfer?
A7
Advantages of Cyber Liability Beyond Risk
Transfer
• Loss Prevention Services
  • Training
  • Compliance
  • IT Security Assessment
• Responding to a Breach
  • Legal
  • Forensic
  • Notification
  • Crisis Communication
  • Experienced Claims Personnel
A7
Data Security Policies
• Identify Key Data and Protect It
• Internal Operations
• Outsourced Processing
• Segregate Systems on “Need To Know” Basis
• Customer Data
• HR Data
• Business Financial Data
• Address Usage of Various Hardware
• PCs/Laptops
• Smart Phones/Tablets/Flash Drives
• Remote Wiping
• Encryption of Data
• Storage
• Transit
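The first item on this slide, identifying the key data before deciding how to protect it, and the data categories listed under Q2 (card numbers, Social Security numbers in HR records) both presuppose that you can actually locate such data in the files and systems you hold. The following Python script is an added example and is not part of the original presentation: a small PII discovery pass that flags payment-card numbers (validated with the Luhn check, so that arbitrary 16-digit strings such as invoice totals are not reported), flags Social Security numbers (rejecting the reserved area/group/serial values), records only masked values in the resulting inventory, and tallies lines per data class. The sample lines and the data-class labels are constructed for this example; the card numbers are published test numbers, not real accounts.

```python
import re
from collections import Counter

# Constructed sample lines (not real data): the two valid card numbers are
# published test numbers, the SSN-shaped values are made up.
SAMPLE_LINES = [
    "order 1001 paid with 4111 1111 1111 1111 exp 03/16",  # Visa test PAN, Luhn-valid
    "order 1002 paid with 5500-0000-0000-0004",            # MasterCard test PAN, Luhn-valid
    "order 1003 ref 4111-1111-1111-1112",                  # PAN-shaped but fails Luhn
    "employee 42 ssn 123-45-6789 salary 71000",            # SSN-shaped, passes format rules
    "employee 43 ssn 000-45-6789 salary 68000",            # area 000 is never issued
    "invoice total 1234567890123456 due",                  # 16 digits, fails Luhn
    "tracking 1Z999AA10123456784",                         # carrier tracking id, not a PAN
]

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# 3-2-4 layout; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card brands; cheap filter against random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return Luhn-valid primary account numbers (digits only) found in text."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    """Return SSN-shaped values that pass the issuance rules encoded in SSN."""
    return SSN.findall(text)


def mask(digits: str) -> str:
    """Keep only the last four digits, the form in which a PAN may be kept in an inventory."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify_line(line: str) -> set:
    """Map a line to the data classes from the presentation's risk evaluation (labels assumed)."""
    classes = set()
    if find_cards(line):
        classes.add("consumer: payment card")
    if find_ssns(line):
        classes.add("hr: social security number")
    return classes


def inventory(lines):
    """Count lines per data class and collect masked findings (line number, kind, masked value)."""
    counts = Counter()
    findings = []
    for n, line in enumerate(lines, 1):
        for c in classify_line(line):
            counts[c] += 1
        for pan in find_cards(line):
            findings.append((n, "PAN", mask(pan)))
        for ssn in find_ssns(line):
            findings.append((n, "SSN", "***-**-" + ssn[-4:]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = inventory(SAMPLE_LINES)
    for data_class, n in sorted(counts.items()):
        print(f"{n} line(s) containing {data_class}")
    for line_no, kind, value in findings:
        print(f"line {line_no}: {kind} {value}")
```

Running the script over the sample reports two card numbers and one SSN, and nothing for the Luhn-failing strings or the reserved-area SSN. The same two regex-plus-validation passes can be pointed at exported spreadsheets, ticket dumps or log files to build the "what do we hold, and where" inventory the contingency-planning slides call for; the inventory itself stores only masked values so that it does not become one more copy of the data it describes.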
A7
Costs – Immediate/Near-Term
• Internal IT Evaluations
• Reviews of Third-Party Processors
• External Forensic Reviews
• System “Fix” Resolution
• Industry Regulation – PCI-DSS
• Audits
• Law Enforcement Notifications
• Affected Person Notifications
• Credit Monitoring Services
A7
Costs – Long-Term
• Legal Fees – Third Party Actions
• Expert Reviews/Evaluations – Third Party Actions
• Damages
• Identity Theft (Customers)
• Fraudulent Credit Card Charges (Customers)
• Credit Card Changes (Banks)
• Settlement Costs/Payments
• Penalties/Fines
• Industry Standards – Card Brands, PCI-DSS
• Legal Authorities – SEC, HHS, FTC, State AGs
Q8: What are the Initial Steps Companies
Should Take When They Confirm a
Breach?
A8
Initial Steps a Company Should Take When
They Discover a Breach
• Implement Predesigned Crisis Management Plan
• Engage Cyber Experts to Work with You on:
  • Investigating
  • Remediation
  • Notifications
  • Public Relations
  • Response to Inquiries
*Cyber Liability Coverage often includes access to cyber experts in these respective areas.
Q9: What Litigation has Surfaced from
Breaches and What is the Plaintiff’s
Theory of Negligence?
A9
Civil Exposure -- Data Breaches
Civil Lawsuits
• State Attorneys General
• Lawsuits by consumers, businesses, banks, or
other private entities affected by breach
A9
Civil Action Considerations
Civil Lawsuits
• Standing
  • “The complainant must allege an injury to himself that is ‘distinct and palpable,’ as distinguished from merely ‘abstract,’ and the alleged harm must be actual or imminent, not ‘conjectural’ or ‘hypothetical.’” Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395, 182 L. Ed. 2d 1021 (U.S. 2012)
A9
Civil Action Considerations
Civil Lawsuits
• Standing
  • Cases continue to be dismissed for lack of standing.
No Standing
• Reilly v. Ceridian Corp., 664 F.3d 38, 41 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395, 182 L. Ed. 2d 1021 (2012)
• Key v. DSW, Inc., 454 F. Supp. 2d 684, 688 (S.D. Ohio 2006)
• Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1053 (E.D. Mo. 2009)
• Hammond v. The Bank of New York Mellon Corp., 08 CIV. 6060 RMB RLE, 2010 WL 2643307 (S.D.N.Y. June 25, 2010)
• Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 8 (D.D.C. 2007)
• Worix v. MedAssets, Inc., 857 F. Supp. 2d 699, 705, reconsideration denied, 869 F. Supp. 2d 893 (N.D. Ill. 2012)
A9
Civil Action Considerations
Civil Lawsuits
• Standing
  • However, there is a trend among appellate courts towards finding standing, particularly where stolen data is actually misused or the hackers were sophisticated, indicating an increased risk of harm.
Standing Found
• Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012)
• Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010)
• Ruiz v. Gap, Inc., 380 F. App'x 689, 691 (9th Cir. 2010)
• Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007)
• Lambert v. Hartman, 517 F.3d 433, 438 (6th Cir. 2008)
A9
Civil Action Considerations
Civil Lawsuits
• Causes of Action
  • Significant issue regarding whether there is cognizable injury, risk of harm, or reasonably foreseeable damage
Causes of Action
• Negligence
• Breach of Contract
• Unjust Enrichment
• Negligent Misrepresentation
• Statutory
A9
Civil Action – Legal Theories: Negligence
Civil Lawsuits
• Requirements: (1) the existence of a duty to exercise due care, (2) breach of that duty, (3) causation, and (4) damages. Ruiz v. Gap, Inc., 380 F. App'x 689, 691 (9th Cir. 2010)
• Economic Loss Doctrine
  “Massachusetts, which is not alone, holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage.” In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489, 498 (1st Cir. 2009); see also Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 175 (3d Cir. 2008)
A9
Civil Action – Legal Theories: Negligence (Causation)
Civil Lawsuits
• Causation
  • Did the defendant’s alleged conduct cause the plaintiff’s alleged damages?
  • Did the failure to secure information cause the loss/identity theft?
  • Allegation must be “plausible”, not “merely possible.” Resnick v. AvMed.
  • Nexus between the breach and the loss/identity theft – beyond time and sequence. (Resnick: sensitive info on the stolen laptops was the same info used to steal the plaintiffs’ identities.)
A9
Civil Action – Legal Theories: Negligence (Damages)
Civil Lawsuits
• Hypothetical Damages
  Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 639 (7th Cir. 2007) – “Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.”
• “Real” Damages
  Anderson v. Hannaford Bros. Co., 659 F.3d 151, 164, 167 (1st Cir. 2011) – “The data was used to run up thousands of improper charges across the globe to the customers' accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse . . . Plaintiffs’ claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse.”
A9
Civil Action – Legal Theories: Breach of Contract
Civil Lawsuits
• Requirements
  Requires (1) a contract between the plaintiff and the defendant; (2) rights of the plaintiff and obligations of the defendant under the contract; (3) breach of the contract by the defendant; and (4) damages suffered by the plaintiff. Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1055 (E.D. Mo. 2009)
• Implied Contract
  “[A] jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people's purchases, would not sell the data to others, and would take reasonable measures to protect the information.” Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011)
A9
Civil Action – Legal Theories: Unjust Enrichment
Civil Lawsuits
• Requirements
  (1) the plaintiff conferred a benefit on the defendant; (2) the defendant has knowledge of the benefit; (3) the defendant accepted or retained the benefit conferred; and (4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it. Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012)
• Unjust Enrichment Permitted
  Plaintiffs claimed that their premium payments were partially in exchange for keeping their information secure, and that the defendant should not be permitted to retain the money because it failed to protect the plaintiffs’ information. The Eleventh Circuit permitted the claim to proceed. Resnick, at 1328
A9
Civil Action – Legal Theories: Negligent Misrepresentation
Civil Lawsuits
• Requirements
  “One who . . . in any [] transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.” In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489, 494 (1st Cir. 2009)
• Misrepresentation Claim (Barely) Permitted
  Plaintiffs alleged that, by participating in the card payment system, the defendant implicitly represented that it complied with the card networks’ security requirements; the court was skeptical, but ultimately found that the claim “survives, but on life support.” In re TJX, at 495
A9
Civil Action – Legal Theories
Where are the Courts going…?
• Resnick v. AvMed (Feb. 2014)
  • Negligence, Breach of Contract & Unjust Enrichment claims survived the motion to dismiss.
  • Court approved a $3 million settlement.
  • Settlement Terms:
    o Individuals whose data was on the laptops, but no identity theft = $10 for each year of premiums paid (max $30). Intended to compensate for the portion of premiums paid relating to data security.
    o Actual losses from ID theft “more likely than not” stemming from the breach – resolution deferred to a mediator.
    o Internal policy/training requirements.
    o Attorneys’ Fees
A9
Civil Action – Legal Theories: Statutory
Civil Lawsuits
• Any number of state or federal statutes may be applicable in a given case:
  • FTC Act
  • SEC rules
  • HIPAA
  • Gramm-Leach-Bliley Act
  • State Unfair Trade Practice Acts
Take-Aways
• Legal Landscape Is Much More Precarious
• Obligations Are More Pervasive and Rigid
• Legal Authorities Are More Strict and Demanding
• Business Associations Are More Strict
• Courts Are Becoming More Accepting of Plaintiffs’ Claims/Theories
• No Difference Between Internal Systems and Outsourced Processing As To Liability
• Exposures Are Increasing
Q&A
Moderator:
Michael D. Horvath
Senior Vice President, Risk Management, Simon Property Group
Chairman of the RIMS Real Estate Committee
Presenters:
Mary T. Pipino CPCU, CEO & President of Donald P. Pipino Company
(330) 629-2992
Kenneth K. Dort Esq., Partner, Intellectual Property Practice Group, Drinker Biddle & Reath LLP
(312) 569-1458