CLICK ON EACH FILE IN THE LEFT HAND COLUMN TO SEE INDIVIDUAL PRESENTATIONS.

If no column is present: click Bookmarks or Pages on the left side of the window.

If no icons are present: Click View, select Navigational Panels, and chose either Bookmarks or Pages.

If you need assistance or to register for the audio portion, please call Strafford customer service at 800-926-7926 ext. 10

Insurance Coverage for Data Security BreachesEvaluating Policy Options, Overcoming Coverage Challenges,

Analyzing Litigation Trendspresents

Today's panel features:Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C.

Joan D'Ambrosio, Partner, Clyde & Co., San FranciscoJoshua Gold, Shareholder, Anderson Kill & Olick, New York

Wednesday, October 21, 2009

The conference begins at:1 pm Eastern12 pm Central

11 am Mountain10 am Pacific

The audio portion of this conference will be accessible by telephone only. Please refer to the dial in instructions emailed to registrants to access the audio portion of the conference.

A Live 90-Minute Teleconference/Webinar with Interactive Q&A

Insurance Coverage for Data Security Breaches

Evaluating Policy Options, Overcoming Coverage Challenges, Analyzing Litigation

TrendsPresenter:

Donna L. Wilson(202) 342-8475

dwilson@kelleydrye.com

A Live 90-Minute Teleconference Program withInteractive Q&A

Wednesday, October 21, 20091:00 p.m. Eastern Time / 12:00 p.m. Central Time /

11:00 a.m. Mountain Time / 10:00 a.m. Pacific Time

2

General Areas In Which Privacyand Data Security Litigation Erupts

Data Security

Data Use

Data Collection

Privacy Invasion

Property Damage

3

Legal Theories

Common Law

Negligence

Duty, breach, injury, causation

Bailment

Invasion of Privacy

Breach of Contract

Breach of Fiduciary Duty

4

Legal Theories (cont’d)

Statutory (State & Federal) FACTA FCRA Song-Beverly Act (CA) Data breach notification statutes Others – Video Privacy Protection Act, Electronic

Communications Privacy Act, Telephone Consumer Protection Act, etc.

5

Data Security

The Good News To date, most cases have been unsuccessful, especially in class

action context and/or where plaintiffs have suffered no actual damages. See, e.g., Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007).

Plaintiffs have been more successful in cases involving actual damages, especially cases involving an individual rather than a class. See, e.g., Kahle v. Litton Loan Serv’g LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007).

6

Data Security (cont’d)

The Bad News Theories are evolving, and arguably courts are beginning to

recognize a duty to provide data security. See, e.g., Cobell v. Norton, 391 F.3d 251 (D.C. Cir. 2004).

Privacy statutes, along with associational standards such as PCI, may make it easier for plaintiffs. Even though such statutes do not provide a private right of action, they arguably provide the standard of care. See, e.g., Desantis v. Sears, Roebuck & Co., No. 08-CH00448, complaint filed (Ill. Cir. Ct., Cook County, Jan. 4, 2008)

7

Data Security (cont’d)

The Bad News (cont’d) Compliance may not shield your company from litigation in the event of a

security breach. See, e.g., Assner v. Hannaford Bros. Co., Case No. 2:08-cv-00095, complaint filed (D. Maine March 25, 2008) (class action against grocery chain who was PCI compliant; alleges credit and debit card numbers and expiration dates were accessed during transmission of card authorization).

Recent settlements in cases involving worst-case scenarios may only embolden plaintiffs’ lawyers.

8

Litigation Trends and Risk Avoidance

Plaintiffs will continue to have difficulties making out a claim, especially in the class action context, except in two situations: (1) in cases of data breach where there is actual identity theft/damages; (2) under statutes that do not require actual damages and provide for civil penalties.

In cases of data breach, expect more ancillary litigation between and among the companies suffering the breach and third parties such as credit card associations, issuers, vendors, etc.

9

Litigation Trends and Risk Avoidance

As privacy-related statutes proliferate, especially on the state level, exercise care. Consult regularly with counsel to keep up to date with the latest developments, and better yet, work with your trade association and other organizations to ensure that your interests are safeguarded when well-intentioned but ultimately misdirected legislation is introduced.

But don’t forget insurance….

10

Types of Coverage

Comprehensive General Liability (“CGL”) Errors and Omissions (“E&O”) “Cyber-risk” (e.g. Network Security &

Privacy, Cyber Terrorism, etc.)

11

Case Law

Third-party “personal information” cases American Family Mutual Ins. Cp. v. C.M.A. Mortgage

Inc., No. 06-1044, 2008 U.S. Dist. LEXIS 30233 (S.D. Ind. Mar. 31, 2008).

Netscape Comm. Corp. v. Federal Ins. Co., No. C06-00198, 2007 WL 2972924 (N.D. Cal. Oct. 10, 2007).

Zurich American Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007).

Whole Enchilada Inc. v. Travelers Property & Cas. Co., No 07-1533, slip op. (W.D. Pa. Sept. 29, 2008).

12

Case Law (cont’d)

Third-party “Invasion of Privacy” Claims See Am. States Ins. Co. v. Capital, 392 F.3d 939 (7th

Cir. 2004). Resource Bankshares Corp. v. St. Paul Mercury, 407

F.3d 631 (4th Cir. 2005). Park Univ. v. Am. Cas. Co. of Reading, 442 F.3d 1239

(10th Cir. 2006). Valley Forge Ins. Co. v. Swiderski Elecs., Inc., 834

N.E.2d 562 (Ill. App. Ct. 2005).

13

Case Law (cont’d)

Third-party “property damage” claims America Online v. St. Paul Mercury, 347 F.3d 89 (4th

Cir. 2003). State Auto Property & Casualty v. Midwest Computers &

More, 147 F. Supp. 2d 1113 (W.D. Okl. 2001). Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46

P.3d 1264 (N.M. Ct. App. 2002).

14

How Can Corporate Policyholders Protect Themselves? Comprehensively evaluate the risk your company faces. Read and understand policies before paying the premium. Do not accept conventional wisdom, or what insurers or

brokers say regarding coverage – “underwriting at the point of claim.”

Examine all policies for potential coverage. Satisfy all obligations placed on the policyholder, e.g. provide

proper and timely notice, cooperate with insurer regarding defense, etc.

When in doubt, submit the claim.

15

Donna L. Wilson, Esq.DWilson@KelleyDrye.com(202) 342-8475

October 21, 2009

Insurance Coverage for Data Breaches

Joan N. D’AmbrosioClyde & Co US LLP

Insurance Coverage for Data Breaches

Insurance Coverage for Data Breaches

l Increasing sophistication and complexity of breaches

l Available coverage�First party privacy notification costs�Crisis management�Business information �Business interruption�Regulatory proceedings�Third party claims�Cyber extortion

l Common exclusionsl Policy requirements re business

practices

2

Increasing Sophistication and Complexity of Breaches

Increasing Sophistication and Complexity of Breaches

l Increasing instances of �More sophisticated breaches

� Lawsuits

�State Attorney General involvement

� Larger numbers of affected individuals

l Coverage is evolving to adapt

3

First Party Privacy Notification Costs

First Party Privacy Notification Costs

l What is involved?�Requirements regarding notification to

affected individuals

�Requirements regarding notification to governmental authorities

l What is covered?�Depends on policy

�Forensic investigation

�Cost to provide notice required by law

�Attorney fees to determine required response under law

�Public relations consultant

�Credit monitoring

�Sublimits, retentions and co-insurance

4

Crisis ManagementCrisis Management

l Public relations feesl Mitigation of reputational damage

l Some policies include notification costs under crisis management cover

5

Business InformationBusiness Information

l Lost company data�First party

�Customer lists, account information

�Not necessarily PII

6

Business Interruption Loss

Business Interruption Loss

l First party income loss�Required data for proof of loss

�Sublimits

l Forensic expenses

7

Regulatory ProceedingsRegulatory Proceedings

l State attorney general investigationsl FTC investigations

l FCC investigationsl SEC investigations

l DOJ investigations

l Other governmental investigations – US, EU, Japan, China…

l Sometimes covered, sometimes excluded

8

Cyber ExtortionCyber Extortion

l Extortion payments l Security consultant fees to prevent or

terminate extortion threats

9

Third Party ClaimsThird Party Claims

l Theft of PII/PHI�Standing issues continue to evolve

- Actual vs. fear of identity theft

- Whether time/effort spent addressing breach is enough

l Violations of privacy laws�State laws

�HIPAA Violations- Health Information Technology for Economic and

Clinical Health Act (HITECH)

�Fair Credit Reporting Act/Fair And Accurate Credit Transactions Act

�Gramm-Leach-Bliley Act

l Privacy policy violations

10

Common ExclusionsCommon Exclusions

l Consumer protection lawsl Contractual obligations

l Unlawful collection of PIIl Failure to comply with required security

procedures

l Unprotected data

l Failure to maintain privacy policyl Prior knowledge

l Retroactive date

l Criminal/dishonest actl FTC/FCC/governmental actions

11

Common Policy Requirements Re Business Practices

Common Policy Requirements Re Business Practices

l Computer security �Software

�Network hardware

�Antivirus and intrusion detection

�Firewalls

� Information security policies and procedures

l Laptopsl Privacy policy

l Insurance is not the only answer

12

A Live 90-Minute Teleconference Program with Interactive Q&A

Wednesday, October 21, 20091:00 p.m. Eastern Time / 12:00 p.m. Central Time /

11:00 a.m. Mountain Time / 10:00 a.m. Pacific Time

Presenter:Joshua Gold

(212) 278-1886jgold@andersonkill.com

Insurance Coverage for Data Security BreachesEvaluating Policy Options, Overcoming Coverage

Challenges, Analyzing Litigation Trends

2 931808v1©2009 Anderson Kill & Olick, P.C.

All Rights Reserved.

Policies Covering Loss

• Take Inventory of Policies• GL, D&O, E&O, Crime, All Risk

Property, Cyber Policies• 1st Party, 3rd Party, Hybrid Coverage

Issues

3 931808v1©2009 Anderson Kill & Olick, P.C.

All Rights Reserved.

Hard-Fought Claims

• U/Ws Don’t Like These Claims• Existing Policies In Flux• Stand Alone Policies In Flux• Some Insurance Companies Will Honor

Coverage, Others...

4 931808v1©2009 Anderson Kill & Olick, P.C.

All Rights Reserved.

Coverage Fights

• U/W Intent and Policyholder Expectations

• Other Insurance• Allocation

5 931808v1©2009 Anderson Kill & Olick, P.C.

All Rights Reserved.

Coverage Terms

• Virus Coverage or Exclusions• Virus Defined in a Manner that Might

Affect Hacker Coverage• “Confidential” Information vs. Trade

Secrets vs. Customer Information• Coverage for Regulatory Matters

(e.g., FTC)

6 931808v1©2009 Anderson Kill & Olick, P.C.

All Rights Reserved.

More Coverage Issues

• Data Security Efforts and Policyholder Protective Measures

• Coverage for Network Computers Only?• What about Laptops?• Insured Property / Locations / Premises• Where are Servers / Computers

Housed?

7 931808v1©2009 Anderson Kill & Olick, P.C.

All Rights Reserved.

Time Sensitive Provisions

• Fear of Reporting Claims?• Timely Notice• Proofs of Loss• Suit Limitation Clauses

8 931808v1©2009 Anderson Kill & Olick, P.C.

All Rights Reserved.

Litigation Issues

• Not a Ton of Precedent• What Exists is Not Uniform• Careful What Gets Disclosed During

Discovery:– E.g., Sensitive Data, Customer Information,

Network Security Blueprints