Insurance Coverage for Data Security Breaches
Evaluating Policy Options, Overcoming Coverage Challenges, Analyzing Litigation Trends
Today's panel features:
Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C.
Joan D'Ambrosio, Partner, Clyde & Co., San Francisco
Joshua Gold, Shareholder, Anderson Kill & Olick, New York
Wednesday, October 21, 2009
The conference begins at: 1 pm Eastern / 12 pm Central / 11 am Mountain / 10 am Pacific
The audio portion of this conference will be accessible by telephone only. Please refer to the dial in instructions emailed to registrants to access the audio portion of the conference.
A Live 90-Minute Teleconference/Webinar with Interactive Q&A
Insurance Coverage for Data Security Breaches
Evaluating Policy Options, Overcoming Coverage Challenges, Analyzing Litigation Trends
Presenter: Donna L. Wilson, (202) 342-8475
General Areas In Which Privacy and Data Security Litigation Erupts
Data Security
Data Use
Data Collection
Privacy Invasion
Property Damage
Legal Theories
Common Law
Negligence
Duty, breach, injury, causation
Bailment
Invasion of Privacy
Breach of Contract
Breach of Fiduciary Duty
Legal Theories (cont’d)
Statutory (State & Federal)
FACTA
FCRA
Song-Beverly Act (CA)
Data breach notification statutes
Others – Video Privacy Protection Act, Electronic Communications Privacy Act, Telephone Consumer Protection Act, etc.
Data Security
The Good News
To date, most cases have been unsuccessful, especially in class action context and/or where plaintiffs have suffered no actual damages. See, e.g., Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007).
Plaintiffs have been more successful in cases involving actual damages, especially cases involving an individual rather than a class. See, e.g., Kahle v. Litton Loan Serv’g LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007).
Data Security (cont’d)
The Bad News
Theories are evolving, and arguably courts are beginning to recognize a duty to provide data security. See, e.g., Cobell v. Norton, 391 F.3d 251 (D.C. Cir. 2004).
Privacy statutes, along with associational standards such as PCI, may make it easier for plaintiffs. Even though such statutes do not provide a private right of action, they arguably provide the standard of care. See, e.g., Desantis v. Sears, Roebuck & Co., No. 08-CH00448, complaint filed (Ill. Cir. Ct., Cook County, Jan. 4, 2008)
Data Security (cont’d)
The Bad News (cont’d)
Compliance may not shield your company from litigation in the event of a security breach. See, e.g., Assner v. Hannaford Bros. Co., Case No. 2:08-cv-00095, complaint filed (D. Maine March 25, 2008) (class action against grocery chain who was PCI compliant; alleges credit and debit card numbers and expiration dates were accessed during transmission of card authorization).
Recent settlements in cases involving worst-case scenarios may only embolden plaintiffs’ lawyers.
Litigation Trends and Risk Avoidance
Plaintiffs will continue to have difficulties making out a claim, especially in the class action context, except in two situations: (1) in cases of data breach where there is actual identity theft/damages; (2) under statutes that do not require actual damages and provide for civil penalties.
In cases of data breach, expect more ancillary litigation between and among the companies suffering the breach and third parties such as credit card associations, issuers, vendors, etc.
Litigation Trends and Risk Avoidance
As privacy-related statutes proliferate, especially on the state level, exercise care. Consult regularly with counsel to keep up to date with the latest developments, and better yet, work with your trade association and other organizations to ensure that your interests are safeguarded when well-intentioned but ultimately misdirected legislation is introduced.
But don’t forget insurance….
Types of Coverage
Comprehensive General Liability (“CGL”)
Errors and Omissions (“E&O”)
“Cyber-risk” (e.g. Network Security & Privacy, Cyber Terrorism, etc.)
Case Law
Third-party “personal information” cases
American Family Mutual Ins. Co. v. C.M.A. Mortgage Inc., No. 06-1044, 2008 U.S. Dist. LEXIS 30233 (S.D. Ind. Mar. 31, 2008).
Netscape Comm. Corp. v. Federal Ins. Co., No. C06-00198, 2007 WL 2972924 (N.D. Cal. Oct. 10, 2007).
Zurich American Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007).
Whole Enchilada Inc. v. Travelers Property & Cas. Co., No 07-1533, slip op. (W.D. Pa. Sept. 29, 2008).
Case Law (cont’d)
Third-party “Invasion of Privacy” Claims
See Am. States Ins. Co. v. Capital, 392 F.3d 939 (7th Cir. 2004).
Resource Bankshares Corp. v. St. Paul Mercury, 407 F.3d 631 (4th Cir. 2005).
Park Univ. v. Am. Cas. Co. of Reading, 442 F.3d 1239 (10th Cir. 2006).
Valley Forge Ins. Co. v. Swiderski Elecs., Inc., 834 N.E.2d 562 (Ill. App. Ct. 2005).
Case Law (cont’d)
Third-party “property damage” claims
America Online v. St. Paul Mercury, 347 F.3d 89 (4th Cir. 2003).
State Auto Property & Casualty v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okl. 2001).
Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264 (N.M. Ct. App. 2002).
How Can Corporate Policyholders Protect Themselves?
Comprehensively evaluate the risk your company faces.
Read and understand policies before paying the premium.
Do not accept conventional wisdom, or what insurers or brokers say regarding coverage – “underwriting at the point of claim.”
Examine all policies for potential coverage.
Satisfy all obligations placed on the policyholder, e.g. provide proper and timely notice, cooperate with insurer regarding defense, etc.
When in doubt, submit the claim.
Donna L. Wilson, [email protected], (202) 342-8475
October 21, 2009
Insurance Coverage for Data Breaches
Joan N. D’Ambrosio
Clyde & Co US LLP
Insurance Coverage for Data Breaches
• Increasing sophistication and complexity of breaches
• Available coverage
  - First party privacy notification costs
  - Crisis management
  - Business information
  - Business interruption
  - Regulatory proceedings
  - Third party claims
  - Cyber extortion
• Common exclusions
• Policy requirements re business practices
Increasing Sophistication and Complexity of Breaches
• Increasing instances of
  - More sophisticated breaches
  - Lawsuits
  - State Attorney General involvement
  - Larger numbers of affected individuals
• Coverage is evolving to adapt
First Party Privacy Notification Costs
• What is involved?
  - Requirements regarding notification to affected individuals
  - Requirements regarding notification to governmental authorities
• What is covered?
  - Depends on policy
  - Forensic investigation
  - Cost to provide notice required by law
  - Attorney fees to determine required response under law
  - Public relations consultant
  - Credit monitoring
  - Sublimits, retentions and co-insurance
Crisis Management
• Public relations fees
• Mitigation of reputational damage
• Some policies include notification costs under crisis management cover
Business Information
• Lost company data
  - First party
  - Customer lists, account information
  - Not necessarily PII
Business Interruption Loss
• First party income loss
  - Required data for proof of loss
  - Sublimits
• Forensic expenses
Regulatory Proceedings
• State attorney general investigations
• FTC investigations
• FCC investigations
• SEC investigations
• DOJ investigations
• Other governmental investigations – US, EU, Japan, China…
• Sometimes covered, sometimes excluded
Cyber Extortion
• Extortion payments
• Security consultant fees to prevent or terminate extortion threats
Third Party Claims
• Theft of PII/PHI
  - Standing issues continue to evolve
    - Actual vs. fear of identity theft
    - Whether time/effort spent addressing breach is enough
• Violations of privacy laws
  - State laws
  - HIPAA Violations
    - Health Information Technology for Economic and Clinical Health Act (HITECH)
  - Fair Credit Reporting Act/Fair And Accurate Credit Transactions Act
  - Gramm-Leach-Bliley Act
• Privacy policy violations
Common Exclusions
• Consumer protection laws
• Contractual obligations
• Unlawful collection of PII
• Failure to comply with required security procedures
• Unprotected data
• Failure to maintain privacy policy
• Prior knowledge
• Retroactive date
• Criminal/dishonest act
• FTC/FCC/governmental actions
Common Policy Requirements Re Business Practices
• Computer security
  - Software
  - Network hardware
  - Antivirus and intrusion detection
  - Firewalls
  - Information security policies and procedures
• Laptops
• Privacy policy
• Insurance is not the only answer
Presenter: Joshua Gold
(212) [email protected]
Insurance Coverage for Data Security Breaches
Evaluating Policy Options, Overcoming Coverage Challenges, Analyzing Litigation Trends
931808v1 ©2009 Anderson Kill & Olick, P.C. All Rights Reserved.
Policies Covering Loss
• Take Inventory of Policies
• GL, D&O, E&O, Crime, All Risk Property, Cyber Policies
• 1st Party, 3rd Party, Hybrid Coverage Issues
Hard-Fought Claims
• U/Ws Don’t Like These Claims
• Existing Policies In Flux
• Stand Alone Policies In Flux
• Some Insurance Companies Will Honor Coverage, Others...
Coverage Fights
• U/W Intent and Policyholder Expectations
• Other Insurance
• Allocation
Coverage Terms
• Virus Coverage or Exclusions
• Virus Defined in a Manner that Might Affect Hacker Coverage
• “Confidential” Information vs. Trade Secrets vs. Customer Information
• Coverage for Regulatory Matters (e.g., FTC)
More Coverage Issues
• Data Security Efforts and Policyholder Protective Measures
• Coverage for Network Computers Only?
• What about Laptops?
• Insured Property / Locations / Premises
• Where are Servers / Computers Housed?
Time Sensitive Provisions
• Fear of Reporting Claims?
• Timely Notice
• Proofs of Loss
• Suit Limitation Clauses
Litigation Issues
• Not a Ton of Precedent
• What Exists is Not Uniform
• Careful What Gets Disclosed During Discovery:
  – E.g., Sensitive Data, Customer Information, Network Security Blueprints