Insurance coverage for data breaches, denial-of-service attacks, and cybersecurity events

Scott Godes | Richard Bortnick | Jennifer Smith | William Um | Hon. Carl West


Scott N. Godes, Dickstein Shapiro LLP

1825 I Street, NW

Washington, DC 20006

Tel.: (202) 420-3369

[email protected]

corporateinsuranceblog.com

twitter.com/insurancecvg

linkedin.com/in/scottgodes

Dickstein Shapiro LLP, founded in 1953, is internationally recognized for its work with clients, from start-ups to Fortune 500 corporations. Dickstein Shapiro is U.S. News & World Report’s “Law Firm of the Year” for Insurance Law for 2011-2012.

About the Firm


Cozen O’Connor, founded in 1970, delivers legal services on an integrated and global basis, with 575 attorneys in 22 cities and two continents. Their lawyers counsel clients on their most sophisticated legal matters in all areas of corporate and regulatory law as well as litigation.

About the Firm


Richard J. Bortnick, Cozen O’Connor

1900 Market Street

Philadelphia, PA 19103

Tel.: (215) 665-2093

[email protected]

cyberinquirer.com

twitter.com/cyberinquirer

linkedin.com/pub/richard-j-bortnick/1/690/143

Lockton, founded in 1966, is the world’s largest privately owned, independent insurance brokerage firm. Clients across the globe count on Lockton for risk management, insurance and employee benefits. Lockton personnel tailor solutions to the unique needs of each company, organization, and individual just about anywhere. Their long-term relationships with underwriters around the world allow them to structure and negotiate comprehensive coverage at the best price possible.

About the Firm


Jennifer G. Smith, Lockton Companies, LLC

Vice President, Senior Client Advisor,

Global Technology & Privacy Practice

1110 Vermont Ave., NW, Suite 700

Washington, DC 20005

Tel: (202) 414-2604

[email protected]

twitter.com/insurancegirldc

linkedin.com/pub/jennifer-g-smith/3/71a/261

Hunton & Williams, founded in 1901, represents clients across the full spectrum of industries that make up today's global economy, from manufacturers, financial institutions, retailers, healthcare companies and professional-services providers, to businesses and academic institutions developing renewable energy resources and new technology solutions.

About the Firm


William T. Um, Hunton & Williams LLP

550 South Hope Street, Suite 2000

Los Angeles, CA 90071

Tel: (213) 532-2175

[email protected]

linkedin.com/pub/william-um/3/885/780


Hon. Carl J. West (ret.), JAMS

707 Wilshire Blvd., 46th Floor

Los Angeles, CA 90017

Tel: (213) 620-1133

[email protected]

thesedonaconference.org/people/profiles/WestCarl

Judge West started his judicial career as a judge of the Los Angeles Municipal Court (1994-1996). From April 2002 to February 2012, Judge West was assigned to the Complex Litigation Panel, and served as the Supervising Judge of the Complex Panel in 2010 and 2011. Judge West is a frequent panelist and lecturer on topics involving complex case management, electronic discovery, toxic torts, and various substantive and procedural topics of interest to civil judges and litigators.

About the Judge


Presentation Overview

1. Exposures to insureds and insurers

2. Regulatory and statutory framework

3. Data breach and privacy class actions

4. Show me the coverage!

Exposures in the areas of technology, cyber security, and privacy

• Types of cases

– Data Breach Cases (from TJ Maxx to Sony)

– “Zip Code” Cases (from CA to MA)

– “Cookie” Cases (from Facebook to Google)

– Geo-Location Tracking Cases (from iPhones to Androids)

– Securities Exposure?

• Evolution of underlying cases

– Establishing “damages”

– Credit monitoring costs

– Class action exposure

Types of First-Party Loss

• Hardware or Software Malfunction

• Data Corruption

• Denial of Service Attack

• Extortion

Types of Third-Party Claims and Liabilities

• Copyright/Trademark Infringement

• Data Privacy Breach

• Internet Media Liability (e.g., Defamation)

• Unauthorized Access/Unauthorized Use (e.g., Third Party Data Corruption, Denial of Service Attack)

• Statutory Liability (Federal and State Privacy Laws)

What Is Personal Identifiable Information?

• Depends on law at issue.

• May include any combination of the following:

– Name; address; telephone number; electronic mail address; fingerprints; photographs or computerized images; a password; an official state or government-issued driver's license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; date of birth; medical information; financial information; tax information; disability information; and zip codes.

Costs of a Data Breach

• 2010 average total cost per incident (among surveyed companies) = $2.4 million to $7.2 million, depending on whose study you read

• 2010 per record cost (among surveyed companies) = $160.00 to $320.00, depending on the cause and impact

Sources: Ponemon Institute and NetDiligence survey

Notable Cyber Risks and Events – Tricare

Notable Cyber Risks and Events – Sony

Notable Cyber Risks and Events – Attacks against small firms

Regulatory and statutory framework

• SEC Guidelines, published October 13, 2011

• Federal and state laws require businesses to maintain adequate data security and destroy data with Personal Identifiable Information or Personal Health Information

• Notification statutes require disclosure in certain circumstances where Personal Identifiable Information or Personal Health Information has been obtained by an unauthorized third party

SEC CF Disclosure Guidance: Topic No. 2: CYBERSECURITY

“appropriate disclosures may include: . . . Description of relevant insurance coverage.”

Tidal Wave of Class Actions

• Evolving causes of action and theories of recovery

• Balancing insurance and liability concerns

• Settlements and coverage issues

– Risk of liability and reasonableness?

– Payment of plaintiffs’ attorneys’ fees

– Covered and non-covered claims

– Bodily injury, property damage, or personal and advertising injury?

– Credit monitoring?

• Herding cats

– Multiple plaintiffs’ firms

– Multiple actions, forums

– Multiple insurers

Data Breach and Privacy Class Action Issues

• Standing

– Actual case or controversy?

– Injury?

• Damages

– Actual damages?

– Theoretical damages?

– Credit monitoring and future expenses?

– Evolving theories?

• Certification

– Commonality?

– Typicality?

Frequent Allegations In a Privacy Breach (Class Action) Lawsuit

• Failure to protect customer information/privacy

• Reduction in value of claimants’ PII

• Failure to notify/timely notification

• Cost to reissue payment cards/open new accounts

• Cost of fraudulent purchases

• Cost to inspect and repair computing devices

• Consumer Redress: credit monitoring/identity theft insurance

• Regulatory Actions: fines and penalties

Notable Recent Underlying Cases

• Defenses Eroding

– Stollenwerk v. Tri West – alleged ID theft

– ITERA (Identity Theft Enforcement and Restitution Act)

– “pay an amount equal to the value of the time reasonably spent to remediate intended or actual harm”

– In re Hannaford Bros. Data Security Breach Litigation – does time equal money?

– ChoicePoint Data Breach Settlement – FTC: ChoicePoint paid for “time they may have spent monitoring their credit or taking other steps in response”

Notable Recent Underlying Cases

• Claridge v. RockYou, Inc.: “breach of his PII has caused him to lose some ascertainable but unidentified ‘value’ and/or property right inherent in the PII.”

• Krottner v. Starbucks Corp.: increased risk of identity theft constitutes an injury-in-fact

Show Me the Coverage!

• Coverage under CGL policies?

– Bodily injury, property damage, or personal and advertising injury?

– Credit monitoring?

• Other policies?

– Crime

– First party

– EPLI

– E&O, D&O, K/R/E, others?

• “Cyberinsurance”?

Coverage Under “Traditional” Policies

http://www.zurichna.com/internet/zna/SiteCollectionDocuments/en/media/whitepapers/DOCold2DataSecurity082609.pdf

Coverage Under “Traditional” Policies

• Property Damage Coverage

• Personal and Advertising Injury Coverage

• Relevant Endorsements

– Bodily injury extension?

– Data coverage?

Commercial General Liability Policies

Commercial General Liability Policies

• In the late 1990s and early 2000s, courts split over whether computer data damage constituted property damage.

Property Damage Coverage

Commercial General Liability Policies

• Some courts decided that lost computer data was “physical” with “an actual physical location . . . capable of being physically damaged and destroyed.”

Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002); see NMS Servs., Inc. v. Hartford, 62 F. App’x. 511 (4th Cir. 2003) (data erased by hacker was “direct physical loss” under insurance policy; concurring opinion explaining why data is physical); Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16, 23-25 (Tex. App. 2003) (rejecting argument that data is not physical).

Property Damage Coverage – PRO

Commercial General Liability Policies

• Like-minded courts construed “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality.”

Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 WL 726789, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000); see Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption).

Property Damage Coverage – PRO

Commercial General Liability Policies

• Alleged computer freezes, pop-up ads, hijacked browser, random error messages, slowed performance and crashes, and ads based on past surfing habits constitute loss of use.

Property Damage Coverage – PRO

Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

Commercial General Liability Policies

• Other courts have disagreed, taking the view that data is not tangible.

See Am. Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003).

Property Damage Coverage – CON

Commercial General Liability Policies

• Certain denial-of-service attacks cause physical destruction or alteration of network components.

– CERT, Denial of Service Attacks, http://www.cert.org/tech_tips/denial_of_service.html; CERT, About CERT, http://www.cert.org/meet_cert/ .

• Allegations of damage to hardware, or actual evidence of such damage, should trigger property damage coverage, as the claim does not implicate software and data alone.

Property Damage Coverage – Fact Specific

See, e.g., Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797, 801 (8th Cir. 2010)

Commercial General Liability Policy

• No property damage requirement.

Personal and Advertising Injury Coverage

Accord, e.g., Pipefitters Welfare Educ. Fund v. Westchester Fire Ins. Co., 976 F.2d 1037 (7th Cir. 1992) (policy provision for property damage did not apply to personal and advertising injury coverage, unless written specifically to encompass both coverages); Titan Holdings Syndicate, Inc. v. City of Keene, 898 F.2d 265, 270 (1st Cir. 1990) (same).

Commercial General Liability Policy

• Usually does not have an “occurrence” requirement and usually covers intentional conduct.

Personal and Advertising Injury Coverage

See, e.g., Town of Stoddard v. No. Sec. Ins. Co., 718 F. Supp. 1062, 1065 n.3 (D.N.H. 1989) (no occurrence requirement); Vargas v. Hudson County Bd. of Elections, 949 F.2d 665, 672 (3d Cir. 1991) (coverage is “not confined to negligent or inadvertent actions.”); Sarrio v. McDowell, 1987 U.S. Dist. LEXIS 12370, 42 (E.D. La. Dec. 23, 1987) (“It is clear from the language of the policy that the parties intended to insure against liability for certain acts which ‘necessarily imply deliberateness and malice.’”); Zurich Ins. Co. v. Peterson, 188 Cal. App. 3d 438, 232 Cal. Rptr. 807 (1986) (coverage for malicious prosecution).

Commercial General Liability Policy

• One privacy-related claim in a cyber security or data breach-based complaint could trigger a duty to defend, and may even require coverage of the entire lawsuit.

Personal and Advertising Injury Coverage

See, e.g., Donnelly v. Transport. Ins. Co., 589 F.2d 761, 767 (4th Cir. 1978) (finding that one ground of liability arguably covered by the policy triggers a duty to defend all claims); Canal Ins. Co. v. Sherman, 430 F. Supp. 2d 478, 491 (E.D. Pa. 2006) (applying same rule under West Virginia law).

Commercial General Liability Policy

Zurich American v. Fieldstone Mortgage

• Basis of dispute: Underlying complaint alleged that consumer credit report was accessed without claimant’s consent or permissible purpose under FCRA. Underlying complaint sought statutory damages, injunctive relief, attorney's fees, litigation expenses, and cost of suit, based upon Fieldstone’s “willful[ ]” violation of FCRA.

Personal and Advertising Injury Coverage

Zurich Am. Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 WL 3268460 (D. Md. Oct. 26, 2007).

Commercial General Liability Policy

Zurich American v. Fieldstone Mortgage

• Fieldstone and Zurich disputed whether the personal and advertising injury coverage in commercial general liability policies applied to the claim. “Personal and advertising injury” included injury “arising out of one or more” offenses, including “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

Personal and Advertising Injury Coverage

Zurich Am. Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 WL 3268460 (D. Md. Oct. 26, 2007).

Commercial General Liability Policy

Zurich American v. Fieldstone Mortgage

• “Zurich argues that in order to constitute a publication, the information that violates the right to privacy must be divulged to a third party.” But “the majority [of courts] have found that the publication need not be to a third party.”

Consider Zurich’s argument in the context of a hacking incident or data breach by a third party.

Personal and Advertising Injury Coverage

Zurich Am. Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 WL 3268460 (D. Md. Oct. 26, 2007) (emphasis added).

Commercial General Liability Policy

Netscape v. Federal Insurance (Chubb)

• Personal and advertising injury coverage applied to “claims alleging that AOL had made known to any person or organization material that violated a person’s right of privacy.”

• “Although the underlying claims against AOL were not traditional breach of privacy claims, given that coverage provisions are broadly construed, . . . the underlying complaints sufficiently alleged that AOL had intercepted and internally disseminated private online communications.”

Personal and Advertising Injury Coverage

Netscape Communications Corp. v. Federal Insurance Co., 343 F. App’x 271, 272 (9th Cir. 2009).

Commercial General Liability Policies

Check your policy!

• When analyzing the scope of bodily injury coverage in the context of cyber risks, consider whether the definition of “bodily injury” has been expanded to include mental anguish, mental injury, shock, fright, or similar terms.

– One of the class action complaints filed against Sony alleges that “plaintiff and the Class have suffered damages, including, but not limited to, . . . fear and apprehension of fraud . . . .”

• Johns v. Sony Corp., No. 3:11-cv-02063-RS, Complaint ¶ 101 (N.D. Cal. Apr. 27, 2011).

Endorsements

Commercial General Liability Policies

Check your policy!

• Notwithstanding the property damage case law, your CGL policy may provide coverage for data losses. The Insurance Services Office, which drafts standard form CGL policies, created an “Electronic Data Liability” endorsement that provides coverage for loss and loss of use of electronic data resulting from physical injury to tangible property.

Endorsements

Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Insurance Information Institute (Mar. 2006), at 20.

Commercial General Liability Policies

• Is credit monitoring covered under CGL policies?

• Will insurers argue that they are not damages “because of” bodily injury, property damage, or personal and advertising injury?

– Consider coverage for analogous concepts, such as medical monitoring. See, e.g., Baughman v. U.S. Liab. Ins. Co., 662 F. Supp. 2d 386, 394-95 (D.N.J. 2009) (medical monitoring costs are damages because of bodily injury).

Credit Monitoring Coverage?

Other Sources of Coverage

• Broadly crafted agreements may cover hacking, data breaches, and consumer data theft.

• Check for endorsements for computer fraud, computer theft, or other data breaches.

Crime Policy

Other Sources of Coverage

• Computer Funds & Transfer Fraud Endorsement in AIG Crime Policy found to cover hacking and data breach to DSW.

Crime Policy

Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009) (document 167 on PACER docket).

Other Sources of Coverage

• Coverage for “hack, pump, and dump” scheme sought under Computer Systems Fraud Rider/Endorsement to Travelers Financial Institutions Bond.

• Settlement after policyholder won motion to compel.

Crime Policy

Scottrade, Inc. v. St. Paul Mercury Ins. Co., No. 4:09-cv-01855-SNLJ (E.D. Mo.).

Other Sources of Coverage

• May provide coverage for data damage, business interruption, and contingent business interruptions due to denial-of-service attacks and data breaches.

All Risk/First-Party Property Policies

See WMS Indus., Inc. v. Fed. Ins. Co., No. 09-60661, slip op. (5th Cir. June 29, 2010); WMS Indus., Inc. v. Fed. Ins. Co., 588 F. Supp. 2d 730 (S.D. Miss. 2008).

Other Sources of Coverage

• May provide coverage for loss under “valuable papers and records” section.

All Risk/First-Party Property Policies

See, e.g., NMS Servs. Inc. v. The Hartford, 62 F. App’x 511 (4th Cir. 2003).

Other Sources of Coverage

• May provide coverage for third-party claims by or on behalf of “Employees” alleging “invasion of privacy” for the unauthorized disclosure of confidential “Employee” information resulting from a data breach or cyber attack.

• Certain EPLI policies provide coverage for “wrongful employment acts,” defined terms that may expressly include “employment-related torts” such as “invasion of privacy” for the unauthorized disclosure of personally identifiable information under HIPAA, credit information under FCRA, criminal records, and other confidential data.

EPLI policies

Commercial General Liability Policies

• Consider how broadly the types of “injury” and “wrongful act” are defined.

– “Sefton alleges that Eyeblaster installed tracking cookies, Flash technology, and JavaScript on his computer, all of which are intentional acts. However, Federal can point to no evidence that doing so is intentionally wrongful.”

E&O Coverage

Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

Other Sources of Coverage

• Study the allegations against the company and other defendants, to determine whether D&O coverage applies.

– How broadly is Entity Claim defined?

• Depending on the facts, kidnap and ransom policies, Employment Related Practices, or Data Processing policies may supply coverage.

D&O and Other Coverages

Other Sources of Coverage

• Review agreements with vendors and contracting partners to determine whether there are indemnity agreements.

• Determine whether your company may be covered as an additional insured under another company’s policy.

Indemnity Agreements, Additional Insureds

Network Security / Data Risk

• What Data do you collect?

– Personally Identifiable Info. (PII)

– Protected Health Info. (PHI)

– Credit Card Numbers

• Where is it?

• How well is it protected?

• How long do you keep it?

• What is a Breach?

– Unauthorized disclosure

– Unauthorized acquisition

– Data compromised

Typical First-Party Coverages

• Digital Asset Expenses

• Business Interruption Income Loss and Dependent Business Interruption Income Loss Coverage

• Network Extortion Threat and Reward Payments Coverage

Typical Third-Party Coverages

• Network Security Liability Coverage

• Privacy Liability Coverage

• Media Liability Coverage

• Technology Liability Coverage

• Miscellaneous Professional Liability Coverage

Personal and Advertising Injury Coverage

• Cyber privacy claims may implicate personal and advertising injury coverage

– Right to Privacy

– Defamation

– Scope of Publication

– Social Media

– Copyright and Trademark Issues
