NetDiligence® Cyber Risk & Privacy Liability Forum, October 8-9, 2014

Vendor Contracts & Cyber Risks



Presented at NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, Calif., Oct. 8-9, 2014.


Page 1

NetDiligence® Cyber Risk & Privacy Liability Forum, October 8-9, 2014

Page 2

Drafting Vendor Contracts For Data Security & Privacy Issues

October 8, 2014

Page 3

SPEAKERS

Nick Economidis, Beazley, moderator

James Giszczak, McDonald Hopkins

David Lewison, AmWINS

Rebecca Pearson, Wells Fargo Insurance

Page 4

(6) Cyber-risk Insurance with minimum per-incident and aggregate limits of $3,000,000, to include Third-Party Security, Privacy Liability, Privacy Breach Response, Customer Notification, Crisis Management, Data Recovery, Business Income, and Cyber Extortion coverage.

Cyber / Privacy Liability – covering network security / privacy liability, privacy regulatory proceedings (including fines and penalties), privacy event expenses (mandatory/voluntary notification costs, credit monitoring, call center services, forensics, and any other fees, costs, or expenses necessary to comply with any Security Breach Notification Law that may be applicable), and cyber extortion payments.

Page 5

• Vendor will maintain for such length of time as necessary to cover any and all claims the following insurance requirements:

• Cyber Liability insurance with limits of not less than $10,000,000 for each occurrence and an annual aggregate of $10,000,000 covering claims involving privacy violations, information theft, damage to or destruction of electronic information, intentional and/or unintentional release of private information, alteration of electronic information, extortion and network security.

Page 6

The Provider shall maintain insurance for all claims, suits, actions, liabilities, damages, losses, costs and expenses (including attorney’s fees) of any nature to which the Company may be subjected as a result of the Provider’s access to, use, handling, storage, transmission, or disposal of any data/information (including paper records), regardless of whether or not expected and intended, and shall include, but not be limited to:

1) Losses resulting from a data breach (an intentional or unintentional release of secure information to an untrusted environment).

2) Response costs associated with post-data breach remediation, including notification requirements, credit monitoring, call centers, public relations efforts, forensics and crisis management

3) Regulatory investigations, fines and penalties

Page 7

4) Losses resulting from misappropriation of intellectual property or confidential business information

5) Losses resulting from the misappropriation, embezzlement, theft, misdirection or fraud of Company funds

6) Losses resulting from the receipt or transmission of malicious code, denial of third-party access to Company network, and other security threats

7) Costs to restore or recover data that is lost or damaged

8) Extortion demands from cyber attackers who hold the breached data

Page 8

9) Failure to prevent identity theft or credit/debit card fraud

10) Physical breaches such as the loss of cell phones, laptops, USB drives, media cards, tablets; in addition to the use of unsecure hard-wired or wireless internet connections.

In addition to the above (where applicable), losses with respect to Personally Identifiable Information (PII):

11) Failing to maintain the privacy and security of individually identifiable information, failing to follow and implement the required policies, procedures and guidelines of the applicable states and jurisdictions having authority, or the breach of any of the provisions of the Agreement.

Page 9

In addition to the above (where applicable), losses with respect to the Health Insurance Portability and Accountability Act (HIPAA):

Failing to maintain the privacy and security of individually identifiable health information, failing to follow and implement the required policies, procedures and guidelines of the Act, or the breach of any of the provisions of the Agreement.

Page 13

DIRECT DAMAGES FOR SECURITY BREACH

A security breach is defined as the unauthorized access to, acquisition of, disclosure of, and/or use of Personal Data (as defined in subsection b. of this Section 17) as a result of CONSULTANT’s or CONSULTANT’s subcontractor’s: (i) violation of applicable state, provincial, or federal data privacy laws or regulations in performing this Agreement; (ii) performance of Consulting Services under this Agreement; or (iii) breach of this Agreement (“Security Breach”). In the case of a Security Breach, the CONSULTANT shall be obligated to pay, as direct damages, the total cost of:

Page 14

DIRECT DAMAGES FOR SECURITY BREACH

1. Breach notification under applicable data privacy laws;

2. Credit monitoring, credit reporting, and identity theft insurance, each as deemed reasonably necessary and appropriate by STATE FARM;

3. All fines and penalties imposed by a governmental or regulatory authority upon STATE FARM as a result of such Security Breach;

4. Reasonable call center support for affected individuals for a period not to exceed thirty (30) days; and

5. All other direct damages resulting from such Security Breach.

Page 15

DIRECT DAMAGES FOR SECURITY BREACH

“Personal Data” means data or Information that is owned or controlled by STATE FARM, and that names or identifies or is about a natural person, such as: (i) data that is explicitly defined as a regulated category of data under any data privacy laws applicable to STATE FARM; (ii) non-public personal information (NPI) or personal information (PI), such as national identification number, passport number, social security number, social insurance number, or driver’s license number; (iii) health or medical information, such as insurance information, medical prognosis, diagnosis information or genetic information; (iv) financial information, such as a policy number, credit card number and/or bank account number; (v) biometric information; and/or (vi) sensitive personal data, such as race, religion, marital status, disability, sexuality, and mother's maiden name.

Page 16

DIRECT DAMAGES FOR SECURITY BREACH

(iii) Network Liability (privacy) insurance in an amount of not less than U.S. $25,000,000 per claim to cover claims and losses with respect to network risks (such as data breaches, unauthorized access/use, ID theft, invasion of privacy, damage/loss/theft of data, degradation, downtime, etc.) and intellectual property infringement, such as copyrights, trademarks, service marks and trade dress, including civil, regulatory and statutory damages as a result of actual or alleged breach, violation or infringement of right to privacy, consumer data protection law, confidentiality or other legal protection for personal information;

Page 17

Insurance. Business Associate shall maintain at its own expense insurance covering Business Associate for claims, losses, liabilities, judgments, settlements, lawsuits and other damages arising out of its performance under this Addendum, and any negligent or otherwise wrongful acts or omissions by Business Associate or any employee or agent of Business Associate, including by way of example and not limitation, any HIPAA Breach and/or State Breach experienced by Business Associate involving ePHI and/or electronic Individually Identifiable Information, with Covered Entity listed as an additional insured. Such policy or policies of insurance shall together provide limits of liability in the minimum amount of twenty-five million dollars ($25,000,000) in the annual aggregate for cyber liability and $1/3m in errors and omissions insurance. Upon Covered Entity’s request, Business Associate or Business Associate’s agent shall provide Covered Entity with a copy of all certificates of insurance evidencing the existence of all coverage required hereunder. Business Associate shall require its insurance carriers or agents to provide Covered Entity, and Business Associate shall also provide Covered Entity, with not less than ninety (90) days prior written notice of a material change in the liability policies of Business Associate.

Page 18

Individually Identifiable Information and PHI to Remain in United States. Business Associate represents and warrants that in no event shall Individually Identifiable Information or PHI be stored or otherwise maintained by Business Associate or its Subcontractors outside the United States and its territories (the “U.S.”). Business Associate further agrees to use commercially reasonable efforts to prevent the transmission of Individually Identifiable Information and/or PHI via a method or through use of a medium that is likely to result in such information being sent outside the U.S., regardless of the length of time (or lack thereof) such information may be outside the U.S.

Page 19

COMMON ISSUES WITH INSURANCE REQUIREMENTS

Unrealistic policy limits

Insurance requirements require inappropriate coverage:

• Notification costs coverage

• First Party Business Interruption

• Media liability

• Bodily injury and property damage to tangible property

Insurance requirements require coverage that is unattainable:

• Patent infringement

• Occurrence

• Fraud or fraudulent acts

Page 20

COMMON ISSUES WITH INSURANCE REQUIREMENTS

Insurance requirements provide unclear coverage specifications:

• “Cyber Liability” or “Privacy Liability”

Silence:

• The contract contains no specific insurance requirements, and fails to address data breach liability issues.

Page 21

THE BENEFIT OF INSURANCE REQUIREMENTS

Financial Security

Ensuring that the vendor has funds to pay claims resulting from the acts, errors or omissions of the vendor, or the vendor’s subcontractors.

Due diligence of the underwriter

Page 22

THE PITFALLS OF INSURANCE REQUIREMENTS

• The customer/service/vendor contract is a separate contract from an insurance policy

• The purpose of insurance is not to backstop contracts.

• Enforceability of indemnification provisions is a separate issue

Page 23

ALTERNATIVE LANGUAGE

The Vendor shall maintain liability insurance for the duration of the Contract and/or for the period of time in which Vendor (or its Subcontractor(s)) maintains, possesses, stores or has access to Company data, whichever is longer, with limits of not less than $_______ for each claim and an annual aggregate of $______ covering the Vendor’s liability for a loss, theft, unauthorized disclosure, access or use of Company data (which may include, but is not limited to, Personally Identifiable Information (“PII”), Payment Card Data and Protected Health Information (“PHI”)).

Page 24

Drafting and Assisting Clients With Insurance Requirements in Contracts

What do you want to accomplish in your contract?

• Do you want to shift breach response responsibilities to your vendor? With that we can talk about how it saves you some money, but will they do what’s best for you and your company?

• Do you want the policy to be there so you have something there when you sue your vendor? If you are an additional insured, will that prevent coverage from responding the way you expect?

• Should you include a requirement for the vendor’s forensic investigator to talk to yours and work together?

Page 25

Drafting and Assisting Clients With Insurance Requirements in Contracts

Limits should be realistic, proportional and commercially feasible

Link coverage to the issues of concern

For what circumstances is financial security desired?

Avoid nebulous terms like “cyber,” “privacy” and “network security.”

Describe the appropriate coverage in terms consistent with common policy language.

Avoid reaching for ‘ideal’ coverage

Page 26

Questions?

Page 27

Thank You!