
CLOUD SECURITY LAW SERIES
CYBER AND PRIVACY INSURANCE ISSUES

MICHAEL KEELING, PE, ESQ.
KEELING LAW OFFICES, PC

PHOENIX AND CORONADO

Presented at INTERFACE 2015

June 19, 2015, Phoenix, AZ

NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.

“Cyber and Privacy Insurance” Defined (International Risk Management Institute)

“... cyber and privacy policies [cyber-insurance] cover a business's liability for a data breach in which the firm's customers’ … information [PII, PHI, FTI, etc.] … is exposed or stolen by a … criminal who has gained access to the firm's electronic network. The policies [can] cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. In addition, the policies [can] cover liability arising from website media content ... property exposures from ... business interruption, data loss/destruction ... and cyber extortion.”

Massive Money-Spinning: $1.4 Billion in US Premiums in 2014

Four Main Types Of Cyber Insurance Coverage

Data Breach And Privacy Management Coverage
• Crisis services: managing and recovering from data breaches/leakages, including investigation, notification, credit monitoring, data restoration, and associated legal fees
• Regulatory defense: federal and state compliance investigations, legal support, fines, penalties (note sublimits)
• Prior-acts coverage: a retroactive date that reaches breaches discovered late

Multimedia Liability Coverage
• Media and intellectual property rights claims, and website defacement

Extortion Liability Coverage
• Damages incurred from extortion

Network Security Liability/Contingent Business Disruption
• Network availability and third-party data theft
• Third-party acts or omissions as indemnification triggers

Cyber insurance policies generally exclude real property damage. Conversely, many property and terrorism insurance policies exclude real property damage caused by malicious cyber-attacks.

According to the NetDiligence Cyber Claims Study (2014), almost half of cyber-insurance payouts from data breaches were for crisis management services.

Cyber Insurance Market Is Maturing
• 50-60 insurers offer first-party and third-party coverage
• ACE, AIG, Aon, Beazley and Hiscox have written cyber-policies for multiple years, have large books, and adjudicate claims monthly

Cyber insurance annual premium range (per $1 million of coverage)
• Gartner reports $10K to $35K (2012-2013)
• Marsh reports $12.5K to $15K across many sectors (2015)
• Aon reports small companies: $1K to $7.5K (2015)
• Aon reports medium companies: $5K to $25K (2015)
• Aon reports large companies: $10K to $75K (2015)

Increased purchasing of cyber insurance
• Marsh reports the number of policies increased about 30% per year since 2012
• Chubb reports average policy limits increasing at about 20% annually
• Aon plc, a broker, reported cyber insurance growing at 38% annually (2014)


“Stacking” Policies to Create “Towers”
• Average policy limits per carrier: Chubb reports $16.8 million across all industries, increasing 20% per year
• Maximum policy limits available from a single carrier: $10 million to $50 million
• Carriers have limited claims data
  • Trade secret and intellectual property losses are difficult to quantify
  • The available data do not support actuarial analysis
  • This frustrates carriers’ ability to standardize policies
  • The result is coverage caps, sublimits, and exclusions based on risks identifiable in individual policy applications (individualized basis)
• Policyholders can “stack” limits of liability from multiple carriers to create towers of cyber-insurance up to $350 million

“Stacking means treating multiple policies that apply to a single loss as cumulative—as a ‘stack’ of coverage—rather than as mutually exclusive.” State v. Continental Ins. Co., 88 Cal. Rptr. 3d 288, 302 (Cal. Ct. App. 2009), aff’d, 145 Cal. Rptr. 3d 1 (2012).

An insured can obtain indemnity for a loss under more than one policy period if the loss exceeds the limits of liability of all of the policies in a single policy period or coverage tower. Stacking treats a single occurrence as multiple occurrences.

Companies Under-Insure Cyber Risks
• Target Corp. reported $252 million in expenses related to its 2013 data breach, offset by only $90 million in insurance (January 2015 10-K securities filing)
• The 2015 Global Cyber Impact Report noted that 80% of companies are likely to suffer a data breach within a 12-month period; in most cases the cost will be less than $1 million, but there is a 5% chance of a material loss of $20 million or more
• For comparison, the probability of a fire causing a material loss is less than 1%

Cyber Insurance Risk Is Difficult To Measure, Model, And Price
• Sparse data to model, price, or hedge cyber risk
• No standardized assessment of cyber risks
• No public disclosure of the ways and means by which underwriters measure risk and price policies
• Difficult for insurers to assess the effectiveness of various prevention schemes, hedge their assumed risk, and establish required reserves

BitSight offers a security ratings service for cyber insurers based on its Security Ratings Platform; its scoring model is similar to consumer credit ratings. Willis Re, a reinsurance broker, announced a tool (PRISM-Re) for assessing insurance company portfolios’ exposure to cybersecurity risks.

Why Cyber-Policies Do Not Pay Out

Delaying notice is a potential claims killer. Once a breach is detected, do not wait too long to notify your insurer; insurers do not pay retroactively on claims noticed late. Given that breaches can be discovered months or even years after they begin or end, organizations should carefully consider when coverage starts (the retroactive date).

Contractual liability exclusions. Liability assumed under vendor contracts, e.g., with credit card companies and banks, may fall outside coverage when a breach occurs.

Terrorism/act of foreign enemy exclusions. Many cyber attacks originate from outside a country's borders, and many of them are believed to be state sponsored.

Theft-only coverage. Many policies include language that makes them cover only losses from theft of data.

No coverage for negligence. If an employee loses a laptop with sensitive data, some policies will not cover it.

Failure of the insured to adhere to minimum required practices. The insured did not continuously implement the procedures and risk controls identified in its application. In the Cottage Health case, the data breach resulted from file transfer protocol (FTP) settings on Cottage's third-party Internet servers that permitted anonymous user access, which allowed electronic protected health information to become available to the public via Google Inc.'s Internet search engine.

Columbia Casualty agreed to fund a $4.13 million settlement, subject to a complete reservation of rights. Then Columbia sued Cottage Health System (Columbia Casualty v. Cottage Health System, U.S. District Court for the Central District of California, No. 2:15-cv-03432-DDP-AGR).

Important Lesson: “Failure to Follow Minimum Required Practices”

Cottage Health System obtained cyber-insurance from Columbia, in part based on an application asking:
• Do you check for security patches on your systems at least weekly and implement them within 30 days?
• Do you replace factory default settings to ensure your information security systems are securely configured?
• Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?
• Do you outsource your information security management to a qualified firm specializing in security, or have staff responsible for and trained in information security?
• Do you have a way to detect unauthorized access or attempts to access sensitive information?
• Do you control and track all changes to your network to ensure it remains secure?
• Whenever you entrust sensitive information to third parties, do you
  • contractually require all such third parties to protect your information with safeguards at least as good as your own;
  • perform due diligence on each such third party to ensure that their safeguards for protecting sensitive information meet your standards;
  • audit all such third parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information;
  • require them to have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality?

A data leak occurred via Cottage’s IT vendor, which left data unencrypted and accessible from the Internet for two months. Suits ensued, and Columbia Casualty agreed to fund a $4.13 million settlement, subject to a complete reservation of rights. Then Columbia alleged it had no duty to defend or indemnify the policyholder because the policyholder:
• failed to follow minimum required practices, including failing to continuously implement the appropriate procedures and risk controls identified in its application;
• failed to regularly check and maintain security patches;
• failed to regularly re-assess its information security exposure and enhance risk controls;
• failed to have a system in place to detect unauthorized access or attempts to access sensitive information on its servers; and
• failed to control and track all changes to its network to ensure it remained secure.

Columbia Casualty v. Cottage Health System, U.S. District Court for the Central District of California, No. 2:15-cv-03432-DDP-AGR.
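The Cottage Health dispute turned on a single server setting: FTP anonymous access was left enabled on a vendor's server, so the files were reachable by anyone, including Google's crawler. Two of the application questions above ("replace factory default settings" and "a way to detect unauthorized access") map directly onto that setting. The following Python script is an added example, not from the presentation or the case record; it assumes the FTP daemon is vsftpd (the case materials say only "file transfer protocol settings", so the software is an assumption), uses real vsftpd directive names and their documented defaults, and audits a config file for anonymous-access exposure. The two sample config files are constructed, one in the exposed state and one corrected; the outside-in login probe at the end takes a hypothetical host name and needs network access, so the sample run does not call it.

```python
"""Audit a vsftpd.conf for settings that expose files to anonymous FTP users.

Added example. Assumes vsftpd (an assumption: the Cottage case record names
only "FTP settings"). Directive names and defaults are from the vsftpd man
page; the sample configs below are constructed for illustration.
"""
import ftplib

# vsftpd compiled-in defaults, applied when a directive is absent from the
# file. Note that anonymous_enable defaults to YES upstream, so a config that
# never mentions it still accepts anonymous logins.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {directive: value} from vsftpd.conf text.

    Format: one key=value per line, no spaces around '=', '#' starts a
    comment, later lines override earlier ones.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(conf):
    """Return a list of (severity, finding) describing anonymous exposure."""
    eff = {**DEFAULTS, **conf}          # effective settings after defaults
    on = lambda k: eff[k].upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append(("HIGH", "anonymous_enable=YES: any client can log in "
                                 "as 'anonymous' and read the FTP root"))
        if "anonymous_enable" not in conf:
            findings.append(("INFO", "anonymous_enable is not set explicitly; "
                                     "vsftpd's compiled default is YES"))
        if any(on(k) for k in ("anon_upload_enable", "anon_mkdir_write_enable",
                               "anon_other_write_enable")):
            findings.append(("HIGH", "anonymous users may write/upload: the "
                                     "server becomes a drop site"))
        if not on("anon_world_readable_only"):
            findings.append(("HIGH", "anon_world_readable_only=NO: anonymous "
                                     "users can read non-world-readable files"))
    if not on("ssl_enable"):
        findings.append(("MEDIUM", "ssl_enable=NO: logins and data in cleartext"))
    return findings


def anonymous_login_possible(host, port=21, timeout=5):
    """Outside-in check (what a crawler sees): does 'anonymous' log in?

    Needs network access to the target, so the sample run below skips it.
    Returns True/False, or None if the server could not be reached.
    """
    try:
        ftp = ftplib.FTP(timeout=timeout)
        ftp.connect(host, port)
        try:
            ftp.login()                # ftplib defaults to user 'anonymous'
            return True
        except ftplib.error_perm:      # e.g. "530 Login incorrect"
            return False
        finally:
            ftp.close()
    except ftplib.all_errors:          # includes OSError and timeouts
        return None


# Constructed sample: the exposed state.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
"""

# Constructed sample: the corrected state.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for sev, msg in audit_vsftpd(parse_vsftpd_conf(text)) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it against a copy of `/etc/vsftpd.conf` pulled from the vendor's server; an empty config file is reported as HIGH, which is the point: the default, not a deliberate setting, is what exposes the data. Pair the file audit with `anonymous_login_possible(host)` from outside the perimeter, because the question the insurer asked was whether unauthorized access can be detected, and the outside-in answer is the one a search engine gives.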

Secondary Benefits of Cyber-Insurance
• Insurer as partner: best practices both before and after a breach event/notice; negotiated rates for post-breach vendors instead of getting gouged
• Access to expert help: carrier staff and outsourced resources, including attorneys, proactive security experts, breach-response experts, credit monitoring services, etc.

But be wary of insurer communications after a breach
• Non-lawyer communications are not privileged and are discoverable
• Communications can determine a covered versus an uncovered claim
• Be watchful of email/IM with insurance companies, brokers, or consultants

Getting Started: Categorize Your Exposures, In Your Language
• Business interruption
• Credit monitoring
• Cyber extortion
• Data loss/destruction
• Defense of 3rd-party/class-action claims
• Defense of claims by state and federal regulators
• Fines and penalties
• Identity theft related losses
• Notification
• Website media content related losses

Be inclusive: think of every related risk exposure.

Map Your Exposures into Coverage Terms (exposure: exposure/claim language)

Regulatory proceeding: costs incurred to defend the organization for failure to disclose an event to governmental authorities when required by any security breach notice law.

Security and privacy liability: cost to defend the organization from allegations of privacy violation, including costs of settlement or judgment.

Digital asset loss: cost to replace lost/damaged e-files.

Event breach costs: costs incurred by the organization arising out of (1) forensic investigation of the breach; (2) use of public relations, crisis management firms, and law firms; (3) notification costs (i.e., printing, advertising, and mailing); (4) cost of identity theft call centers, credit file monitoring, and similar costs; (5) other costs as may be approved by the insurer.

Network interruption: loss of income from material interruption of the organization's computer systems due to a security/breach event, and costs incurred as a result of the network interruption. Depending on the organization, this may not be a significant exposure and may not need to be insured.

Cyber extortion: costs incurred when the insurer approves extortion payment(s) made to a hacker or other criminal party to stop a planned event from occurring. Coverage also can include costs to conduct an investigation after the fact into the act of extortion.

Internet media liability: cost to defend the organization from allegations of privacy violation arising from unauthorized website changes, including costs of settlement or judgment.

Source: Adapted from International Risk Management Institute.

Defined Terms Are Maturing (http://www.irmi.com/online/insurance-glossary/default.aspx)
• Computer system: hardware/software owned, operated, or controlled by the organization, or hosted by a 3rd party
• Cyber extortion: expenses and monies paid in response to a threat or extortion act
• Defense within limit: the overall limit applies to all coverages, including defense costs
• Digital asset loss: cost to replace lost e-data
• Event/breach management cost: forensic investigation, credit reports, PR, notification, etc.
• Media liability: insured’s liability for website content
• Network interruption: loss of net income/increased operating costs from material interruption
• Privacy event: failure to protect confidential info (i.e., e-data or other media, including paper)
• Regulatory proceeding: request for info, civil investigation, etc. brought by a government agency
• Security/privacy liability: the organization's liability for damages from breach of confidential information

Request and Evaluate Complete Cyber-Insurance Exposure Proposals
• Request complete proposals: contract terms/conditions, limits, deductibles, premiums, specimen policy, all endorsements
• Evaluate each proposal and sample policy: become familiar with how policies address cyber/privacy events; map limitations/conditions/exclusions
• Compare: contract terms, general conditions, limits, deductibles, pre-conditions, conditions, specimen policies, endorsements, premiums

Policy Analysis and Comparison: GENERAL CONSIDERATIONS

Coverage is the last line of defense when technology fails
• Insure cyber-risks not eliminated through available security measures
• Insure cyber-risks that Commercial General Liability (CGL) policies do not cover
• Negotiate cyber-insurance policy provisions to cover your particular cyber threats/risks while avoiding exclusions that limit coverage

Coverage type
• Data breach/leakage and privacy management coverage
• Multimedia liability coverage
• Extortion liability coverage
• Network security liability coverage

Retro date: look-back period before the policy start date

Policy Analysis and Comparison: PRE-CONDITIONS

Required “base-line” levels and governance of data privacy/data security
• Access governance, encryption and segmentation
• Application security: role-based access controls and access logging
• Network security: advanced authentication
• 3rd party/supply chain practices
• Required compliance (annual audit, etc.) based on NIST Framework/Executive Order 13636, ISO/IEC 27xxx, PCI DSS, HIPAA/HITECH, SEC Blueprint

Beazley plc predicts the next targets for hackers include … entities having patchworks of systems and security practices plus "treasure troves" of data, such as health information exchange organizations (large volumes of data), electronic health record systems at hospitals (which provide easy access to clinicians) and integrated healthcare delivery systems.

Policy Analysis and Comparison: POLICY CONDITIONS (example conditions)
• Policy form review: review for completeness
• Claim conditions: claims-made and reported
• Additional conditions: insurer specific
• Advance notice of cancellation: only if premium not paid
• ERP/tail (extended reporting period), automatic: 125% of annual premium for 1 year; 200% for 2 years
• Territory: worldwide/US
• NI may waive right of recovery: no release allowed, or only prior to loss and in writing
• Definition of Insured: NI (named insured), D&O, employees, written AI (additional insured)
• Confidential info: paper/e-data; personal info in "any form"
• Definition of PII, PHI, FTI, etc.: broad/narrow
• 3rd party contractor negligence: yes, "Information Holder"
• Event management: costs from security/privacy event
• Covered loss: PR, 3rd party notice, credit reports, e-data restore
• Event costs: no time limitation to report costs

Source: Adapted from International Risk Management Institute.

Policy Analysis and Comparison: NETWORK INTERRUPTION
• Exposure: network outage (loss of profits, incurred expenses, consequential damages)
• Limits: assign to the 3rd party responsible for your network

Source: Adapted from International Risk Management Institute.

Policy Analysis and Comparison: CYBER EXTORTION
• Cyber extortion: funds paid in response to a security/privacy threat
• Security threat: threat/attack against employee-owned or employee-used computers
• Privacy threat: threat to release confidential info
• Terrorism: included or excluded
• Professional services: included or excluded
• Extended reporting period/tail: included or excluded

Source: Adapted from International Risk Management Institute.

Policy Analysis and Comparison: SECURITY FAILURE/PRIVACY EVENTS (example responses)
• Security failure/privacy event: failure to protect confidential info
• Legal defense: duty and right to defend; hammer clause (lets the insurer press the insured to accept a recommended settlement, and if the insured refuses, caps the insurer's share of what is later paid above that settlement, here at 50%)
• Settlement authority: insurer, with consent of the insured
• Attorney chosen by insurer: no, subject to insurer consent
• Loss includes punitive, exemplary damages: yes, unless prohibited by law
• Regulatory proceeding: gov't proceeding, etc.

Source: Adapted from International Risk Management Institute.

Policy Analysis and Comparison: When is an Event a Claim?
• Cyber-policies define the term “claim”, and “claim” is a key trigger term
• Insureds must convert generalized “claim” definitions to specific “claims” and provide timely notice to the insurer; broad definitions of “claim” often result in late notice that forecloses coverage
• Cyber-policies are claims-made policies: they provide coverage during the period in which the insurer receives a claim. The insured forfeits coverage if notice is provided after a short period of days within the policy period, or after the end of the policy period

Security Failure Or Data Breach: Example Cyber-Claim Cost Categories

Example first-party costs
• Business interruption: loss of profits and extra expense
• Customer credit monitoring
• Forensic breach investigation
• Intellectual property infringement
• Legal advice to determine your notification and regulatory obligations
• Notification costs of communicating the breach
• Privacy liability
• Public relations expenses
• Tort liability (negligence, slander, libel, defamation and related torts)

Example third-party costs
• Legal defense
• Liability to 3rd parties, e.g., banks for re-issuing credit cards, data leakage
• Regulatory inquiries
• Regulatory fines/penalties (including Payment Card Industry fines)
• Settlements, damages and judgments related to the breach

Policy Analysis and Comparison: Quantifying Costs of a Cyber-Breach Event
• There is no formula to set reasonable coverage or policy limits: public settlement information is insufficient and caselaw on damages is still developing
• Direct "event breach" costs for US data breaches are estimated at $195 per record: forensic experts, outsourced hotline support, free credit monitoring subscriptions, and discounts for future products and services
• Costs become staggering as the number of breached records increases: $1 million of coverage covers roughly 5,000 records (direct costs only, no defense costs); 1 million records would require $195 million of coverage
• Indirect "event breach" costs: third-party-related defense, settlement/judgment costs for damages claimed by injured parties, and government-induced costs

Source: the $195 per record figure is from the Ponemon Institute's 2015 research report, based on calendar 2014 data. This per-record cost has substantially increased.

Policy Analysis and Comparison: Cross-Walk Claim Costs to Policy Limits (example limits)
• Overall limit: $10,000,000 shared/aggregate
• Defense costs inside/outside limit: inside
• Regulatory proceeding: $10,000,000
• Security/privacy liability: $10,000,000
• Digital asset loss: $10,000,000
• Event/breach management costs: $10,000,000
• Network interruption: $10,000,000
• Cyber extortion: $10,000,000
• Internet media liability: $10,000,000
• Retention, unless stated: $500,000
• Retention, regulatory proceeding: $500,000
• Retention, network interruption: 24 hours/$500,000

Adapted from International Risk Management Institute. Many cyber insurance policies also impose sublimits, such as for crisis-management expenses, notification costs and regulatory investigations. These sublimits can be negotiated.

Policy Analysis and Comparison: Premiums and Other Costs

Annual premium, large companies: the average cost for $1 million of coverage is between $12,500 and $15,000 across various industry sectors, including healthcare; transportation; retail/wholesale; financial institutions; communications, media and technology; education; and power and utilities. (See testimony of Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, before the United States Senate Committee on Homeland Security & Governmental Affairs, Jan. 28, 2015.)

Gartner reports cyber insurance premiums ranging from $10,000 to $35,000 for $1 million in coverage (2012-2013).

Cost of compliance
• Compliance is a strict condition precedent for many cyber-security policies
• It varies widely by industry and by the standards/frameworks the cyber-insurance underwriter requires
• Purging unnecessary data from EHRs, administrative, billing, and other legacy systems throughout your ecosystem

Director Liability Arising From Data Breach
• Palkon v. Holmes, No. 14-cv-01234 (D.N.J.): Wyndham shareholders sued the directors and officers, claiming their failure to implement adequate information-security policies allowed three data breaches
• Shareholder derivative actions: the plaintiff is not required to prove damages resulting from theft of PII
• Directors owe duties of care (protected by the business judgment rule, BJR) and loyalty, including the duty of oversight (no BJR protection). Oversight liability attaches where the board did not implement reporting or information system controls, or implemented controls but “consciously failed to monitor or oversee its operations.” Stone v. Ritter (Del. 2006).
• After a data breach, claims against the board probably will be breach of the duty of care and breach of the duty of loyalty/oversight
• The court “look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring alternatives.” Citron v. Fairchild Camera
• Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role; a board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight

Protect against liability
• The board must become well-informed
• The board should appoint a committee responsible for privacy and security
• Recruit and hire at least one tech-savvy member
• Follow best industry practices

Indemnification and insurance
• Articles of incorporation: a provision eliminating director personal liability for monetary damages for breach of the duty of care (exculpation statutes generally do not extend to breaches of the duty of loyalty)
• D&O policy WITHOUT exclusions for liability resulting from a privacy breach. Example problem exclusion: "Insurer shall not be liable for Loss relating to a Claim made against an Insured: for emotional distress of any person, or for injury from libel, slander, defamation or disparagement, or for injury from a violation of a person’s right of privacy.”

QUESTIONS
CYBER AND PRIVACY INSURANCE ISSUES

Cloud Security Law Series
Michael Keeling, PE, Esq.
Keeling Law Offices, PC
Phoenix and Coronado

www.keelinglawoffices.com
