FC&S Legal presents: ALL’S FAIR IN LOVE AND CYBER …

FC&S Legal presents:
ALL’S FAIR IN LOVE AND CYBER WARFARE
Cosponsored by:
PropertyCasualty360
and
InsideCounsel
The seminar will begin promptly at 2pm EST.
A recording of this session will be made available.
Brought to you by The National Underwriter Company, publishers of FC&S Legal
© 2013. All Rights Reserved
Housekeeping
• Phones are muted
• Questions will be answered at end of session
• In right hand corner of screen is a space for you to type in your questions
• Copy of slides was in your reminder email and a link to slides and the recording will be in your follow up email
• A demonstration of FC&S Legal follows today’s presentation
• Please answer our brief survey at the end of the session
Featured Speakers
Anjali C. Das, Partner
Wilson Elser Moskowitz Edelman & Dicker, LLP (Chicago)
Coordinating partner for firm’s D&O practice, represents insurers in
professional liability coverage matters involving accounting, finance, other
complex issues. Represents U.S., London and Bermuda based primary and
excess insurers in high exposure claims.
Jerold Oshinsky, Partner
Jenner & Block, LLP (Los Angeles)
Represents policyholders in insurance matters in federal and state courts.
Recipient of “Star” ranking by Chambers USA and is considered the
foremost practitioner at the policyholder Bar. Recognized by Legal 500 as
one of 13 “Leading Lawyers” nationally in its “Insurance: Advice to
Policyholders” category.
Cyberliability Overview
• President’s Executive Order on Cybersecurity
• What is a Data Breach?
• Data Breach Statistics and Costs
• Aggressive Government Enforcement (FTC)
• Private Litigation in the News
• SEC Disclosure Guidance
• Boards Still Have Their Heads in the Sand
Cyberliability
• President Obama’s State of the Union Address (2/12/13)
• Presidential Executive Order: Improving Critical Infrastructure Cybersecurity
• Cyberthreats to U.S. critical infrastructure continue to grow
• Cybersecurity information sharing between public and private sectors
• Foreign government cyber espionage in the news
  • Growing political tensions between U.S. and China
  • Mandiant report
  • Victims include some of nation’s largest tech companies
What Is a Data Breach?
Organization’s unauthorized or unintentional exposure, disclosure,
or loss of sensitive personal information which can include private
health information (PHI) and other personally identifiable
information (PII) such as:
(1) Social Security number;
(2) Driver’s license number; or
(3) Account, debit or credit card number along with a PIN or
password to access the account.
What Causes a Data Breach?
• Hacking,
• Employee theft,
• Theft of physical equipment, or
• Misrepresentation to obtain unauthorized access to data.
Breach Statistics Vary
• 60 major data breaches (Q2) v. 49 major data breaches (Q3)
• 4.4 million records compromised (Q2) v. 2.259 million (Q3)
• Healthcare entities had the largest percent of breaches, followed by Government and Corporate
• Avg. number of records per breach: 73,444 (Q2) v. 46,099 (Q3)
• Leading causes of breach: theft (43%), hacking (27%)
Navigant November 2012 Data Breach Report Update
Costs of a Data Breach
• Avg. total cost of a data breach in Q2 was $14.248 million
• Avg. total cost of a data breach in Q3 was $8.943 million
• Avg. total cost of data breach by sector:
  • Corporate: $8.88 million (Q2) v. $25.935 million (Q3)
  • Education: $17.67 million (Q2) v. $2.58 million (Q3)
  • Healthcare: $3.9 million (Q2) v. $2.68 million (Q3)
  • Government: $36.89 million (Q2) v. $15.21 million (Q3)
Navigant November 2012 Data Breach Report Update
FTC: The Nation’s Privacy Watchdog
• FTC is dedicated to enforcing consumer privacy and ensuring that companies provide reasonable security for consumer data
• FTC may bring an enforcement action against a company that fails to appropriately protect the consumer’s personal information
• FTC may bring such actions under Section 5 of the FTC Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act
• FTC has taken an aggressive stance on privacy and data breaches affecting consumers
FTC: The Nation’s Privacy Watchdog
• Facebook: Company settled charges by the FTC that Facebook deceived users to believe that their personal information would be kept private. The FTC settlement bars Facebook from making further deceptive privacy claims. In addition, Facebook was required to establish and maintain a comprehensive privacy program subject to audits for up to 20 years.
• Google: Company agreed to pay a record $22.5 million civil penalty to settle FTC charges that Google misrepresented the use of tracking cookies on users’ computers.
Data Breaches in the Headlines
• Sony (70 million records)
• Global Payment (1.5 million records)
• eHarmony (1.5 million passwords)
• LinkedIn (6.5 million passwords)
• Texas AG’s Office (6.6 million records)
And the list continues to grow . . . .
Private Litigation
Sony Data Breach Litigation
• Hackers attacked Sony’s PlayStation network and stole 70 million users’ account and credit card information
• 58 class actions filed against Sony for violation of various consumer protection statutes and failing to comply with industry-standard protocols to safeguard customer information
• Sony reportedly incurred > $171 million to respond to the breach
• Any settlements, damages, or judgments from the civil litigation would be on top of these costs
Private Litigation
Sony Coverage Litigation
• Sony is seeking coverage under its CGL and commercial umbrella policies for the hacking incident
• Zurich Ins. Co. filed a declaratory judgment action seeking to avoid coverage under its CGL policy for the network breach on the basis that unauthorized access to and theft of personal identification and financial information are not claims for “bodily injury,” “property damage,” or “personal and advertising injury”
SEC Sounds Off on Cyber Risks
SEC Disclosure Guidance: Topic No. 2 – Cybersecurity
Disclosure of Cyber Risk Factors:
1. Aspects of registrant’s business that give rise to material cyber risks and potential costs and consequences
2. Outsourced functions that have material cyber risks
3. Material cyber incidents experienced by the company, including costs and other consequences
4. Risks related to cyber incidents that may remain undetected for an extended period
5. Description of relevant insurance coverage
Lack of Board Oversight of Cyber Risk
• “Only a few executive officers understand security and the rest are clueless”
• “Boards are not actively addressing cyber risk management”
• 82% of companies surveyed did not have a Chief Privacy Officer
• More than half of boards surveyed did not review their insurance policies for cyber risk coverage
• On a global basis, North American boards lag behind their European and Asian counterparts with respect to privacy and security governance
What Coverage Might Apply?
• First- and third-party coverage
• Pre-2001 Standard policies
  • Is there property damage?
  • Property damage requires injury to tangible property
  • Is computer damage tangible? Is virtual loss “tangible?”
• Post-2001 ISO policy language covering technology liabilities
  • Coverage will depend on the facts of the claim and the policy language
ISO Pre-2001 Policies
Property damage has historically been defined in standard
CGL policies as either:
a) physical injury to tangible property, including all resulting
loss of use of that property, or
b) loss of use of tangible property that is not physically
injured.
Thus, the first question that needs to be addressed is whether
the data breach or technology-related loss involves damage
to “tangible property.” (ISO form CG 00 01 01 96, Commercial
General Liability Form).
ISO Post-2001 Policies
In 2001, ISO amended the definition of “property damage” in the
standard CGL policy (form CG 0001 10 01) to expressly state that
“electronic data is not tangible property.” The term “electronic
data” is further defined as:
• [I]nformation, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
ISO Post-2001 Exclusion
Then in 2004, ISO created a new exclusion for electronic data (ISO
Form CG 00 01 12 04). Exclusion p states:
• p. Electronic Data: Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.
As used in this exclusion, electronic data means information, facts, or
programs stored as or on, created or used on, or transmitted to or
from computer software, including systems and application software,
hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing
devices or any other media which are used with electronically
controlled equipment.
Decisions Providing Coverage for Electronic Data
Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W. 3d 16,
25-26 (Tex. App. 2003)
• Policyholder’s computer server, software, and data stored on server were “physical” where hacker invaded computer system and installed virus that rendered server useless
• Court avoided abstract issue of whether electronic data and software can constitute “tangible property,” instead focused on language of policy
Decisions Providing Coverage for Electronic Data
Landmark Am. Ins. Co. v. Gulf Coast Analytical Labs., Inc., No. 10809, 2012 WL 1094761, at *4 (M.D. La. Mar. 30, 2012)
• Electronic data could “[make] physical things happen,” and was “corporeal and moveable in nature,” and therefore a loss of electronic data due to hard drive malfunction was covered under insured’s policy.
Nationwide Ins. Co. v. Hentz, 2012 WL 734193, at *4 (S.D. Ill. Mar. 6, 2012)
• Loss of electronic data gave rise to property injury because medium of
storage had been physically taken
Decisions Providing Coverage for Electronic Data
Am. Guar. & Liab. Ins. v. Ingram Micro, Inc., No. 99-185, 2000 WL
726789, at *3 (D. Ariz. 2000)
• “physical loss or damage” in a first-party all-risk policy “is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality”
• Court interpreted “physical loss or damage” broadly, noted that “[a]t a time when computer technology dominates our professional as well as personal lives, the Court must side with Ingram’s broader definition of ‘physical damage.’”
Decisions Providing Coverage for Electronic Data
Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., Ltd., 439 F. Supp. 2d 831,
837-38 (W.D. Tenn. 2006)
• “Physical damage” could include loss of functionality even if the affected machinery remained intact
Wakefern Food Corp. v. Liberty Mut. Fire Ins. Co., 968 A.2d 724, 736 (N.J. Super. Ct. App. Div. 2009)
• Concluded there was no reason to require that damage to malfunctioning machinery be permanent, and that the definition of “physical damage” could be extended to include temporary loss of use
Decisions Providing Coverage for Electronic Data
Retail Systems, Inc. v. CNA Ins. Co., 469 N.W. 2d 737 (Minn. Ct. App.
1991)
• Computer tape and electronic information in tape were “tangible property” within meaning of third-party liability policy covering physical injury or destruction of tangible property
• Data on tape was of permanent value and was integrated completely with physical property of the tape
Decisions Providing Coverage for Electronic Data
Computer Corner v. Fireman’s Fund Ins. Co., 46 P. 3d 1264,
1266 (N.M. Ct. App. 2002)
• Lost data on hard-drive “was physical, had an actual physical location, occupied space and was capable of being physically damaged or destroyed” and therefore covered under a CGL policy
Decisions Providing Coverage for Electronic Data
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010)
• Plaintiff’s allegations of direct injury to operation of computer were insufficient to allege damage to tangible property, and that he would instead have had to have alleged claim for physical injury to hardware itself
• Loss of use of a computer (“tangible property”) due to data corruption constituted covered property damage
Decisions Declining Coverage for Electronic Data
Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 7 Cal. Rptr.
3d 844, 851 (Cal. Ct. App. 2003)

• Policyholder’s loss of information in database not covered under first-party policy because loss was not “direct physical loss”
• No “direct physical loss” because electronic data did not have “material existence” and was not “perceptible to the senses”
Decisions Declining Coverage for Electronic Data
Recall Total Information Mgmt., Inc. v. Fed. Ins. Co., 2012 WL
469988, at *5 (Conn. Super. Ct. Jan. 17, 2012)
• Loss of several electronic tapes containing personal information did not constitute physical injury within meaning of the insured’s policy
Decisions Declining Coverage for Electronic Data
State Auto Property and Casualty Ins. Co. v. Midwest Computers &
More, 147 F. Supp. 2d 1113, 1115-16 (W.D. Okla. 2001)

• Insurance company argued it was not obligated to defend and indemnify computer repair company which had negligently caused loss of data of its client
• Court held that computer was not damaged, data stored on computer disk was not tangible property
• Loss of use of computer would have been covered because computer clearly tangible property but for applicable policy exception
Decisions Declining Coverage for Electronic Data
Compaq Computer Corp. v. St. Paul Fire and Marine Ins. Co.,
2003 WL 22039551 (Minn. Ct. App. Sept. 2, 2003)

• “data are not tangible property,” even when communicated by electronic means such as a fax machine, telephone, telegram or computer
• No valid claim (thus no coverage) for property damage that existed after Compaq’s allegedly faulty floppy diskettes and microcodes caused corruption and destruction of users’ data
Decisions Declining Coverage for Electronic Data
America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th
Cir. 2003)
• No duty to defend under CGL policy because computer data, software and systems not tangible
• Computers’ operating systems and software incapable of perception by the senses, were merely abstract ideas that did not permanently alter tangible computer hardware
• Decision issued only six months after different Fourth Circuit panel held data destroyed by hacker was “direct physical loss” under the policy…
Decisions Declining Coverage for Electronic Data
NMS Servs. Inc. v. Hartford, 62 Fed. App’x 511 (4th Cir. 2003)
• Concurring opinion explained loss of electronic data constituted “physical loss” because “a computer stores information by rearrangement of the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses, and a ‘meaningful sequence of magnetic impulses cannot float in space’”
• America Online dissent agreed with NMS Court, concluding software bugs changed physical structure of computer hardware, should have been viewed as “physical damage to computer itself
Decisions Declining Coverage for Electronic Data
Cincinnati Insurance Company v. Professional Data Services, Inc.,
2003 WL 22102138 (D. Kan. July 18, 2003)
• Relied on America Online and State Auto to find allegations of loss of use of software and corruption of data therein, without allegations of resulting loss of use of hardware, were insufficient to assert a claim resulting from injury to, or loss of use of “tangible property”
• Court reasoned that neither software nor data incorporated therein constituted tangible property because neither had any physical substance nor were perceptible to the senses
Growing Demand for Cyber Coverage
• Rise in cyber risk and hack attacks
• Business and litigation costs to address breach events
• SEC disclosure requirement re cyber insurance
• Denials and exclusions from coverage under traditional CGL and other liability policies
• Increased availability of cyber insurance
Comprehensive Cyber Coverage
• Network security/privacy/data loss coverage
• Third-party liability coverage
  • 3P claims arising from data breach
  • Government and regulatory claims
• First-party coverage
  • Crisis management, breach notification, remediation costs
• Other bells and whistles
  • Immediate access to forensic and legal experts
  • Loss and risk mitigation tools and technology
Payments Under Cyber Policies
• Avg. cost per incident $3.7 million
• Avg. cost per record $3.94
• Avg. defense costs $582,000
• Avg. legal settlement $2.1 million
• Avg. cost for crisis services $983,000
NetDiligence Oct 2012 Cyber Liability & Data Breach Insurance Claims Survey
Conclusions and Takeaways
• Increase in cyber risks for all companies
• Rise in private class actions and government enforcement
• Differing state, federal and international laws governing privacy and data breaches
• Sizeable business and legal costs to respond to breach
• Board accountability for failure to obtain cyber coverage
• Traditional policies may deny or exclude coverage for cyber
• More insurers offering comprehensive cyber liability coverage
Q&A