
Upload: alexandre-delane

Post on 15-Dec-2015


AMCF’s Legal Issues Update Webinar

“Client Data Breaches: The Latest on Managing Your Risk

and Legal Exposure”

Audio Login Toll-Free (US & Canada): 866.740.1260 Access Code: 2623055

Web Login Meeting URL: http://www.readytalk.com/?ac=2623055

Support: U.S. and Canada: 800.843.9166 or [email protected] Access Code: 2623055

This conference is being recorded.

Questions

Questions will be addressed at the end of the webinar but may be posed at any time. To ask a question, send your questions via chat to the chairperson. Your questions will be answered in the order they are received.


AMCF Mission

To promote an environment which fosters the success of management consulting firms and the value they deliver to their clients.

Alex Zabrosky

Alex W. Zabrosky is a business lawyer specializing in corporate and commercial law. He has a diverse international practice that focuses on counseling management consulting and professional services firms on all legal aspects of their businesses. Alex’s clients include firms engaged in management consulting, information technology consulting and implementation, financial and business advisory services, strategy, healthcare, operational improvement, forensics and litigation support, engineering and risk management, among others. His clients range from start-ups to middle market to major global consultancies. He received his law degree from The George Washington University Law School and his Bachelor’s degree from The University of Chicago.

Agenda

Background of cyber liability

Case studies

Cyber liability today

How cyber insurance can help

Other issues

Q&A

Kevin Kalinich

Kevin Kalinich leads Aon’s national practice to identify exposures and develop insurance solutions related to Technology Errors and Omissions, Miscellaneous Professional Liability, Media Liability, Network Risk and Intellectual Property. Kevin Kalinich has been named an Aon Risk & Insurance “Power Broker” for 2007, 2008, 2009, 2010 and 2011. He joined Aon in September 2000, from Altima Technologies, where he served as Chief Executive Officer and led the successful launch of a Web-enabled software product that provides intelligent visualization of network equipment in the areas of telecommunications, data, cables, and computers. Kevin holds a Juris Doctor from The University of Michigan and received his B.A. degree in Mathematics, Cum Laude, from Yale University.

Background of Cyber Liability Insurance

[Timeline figure, 2003–2011, reconstructed from the slide’s labels. The slide plots the items below by year; apart from CA S.B. 1386 at the 2003 start of the timeline, the year assignments are not recoverable from the extracted text.]

State Breach Disclosure Law: CA S.B. 1386 (2003), followed by AR, DE, FL, NY, NC, ND, TN, TX, USVI, WA, WI, RI, PR, PA, OK, OH, NJ, NV, NE, MN, MT, ME, LA, IN, IL, ID, CT, CO, AZ, DC, GA, HI, IA, KS, MA, MI, NH, OR, UT, VT, WY, VA, WV, SC, AK, MO, MD

Major Data Incident: ChoicePoint, TJX, Hannaford, Heartland, Epsilon, Sony, Comerica, Amazon, Citigroup, RSA, DigiNotar, WikiLeaks

Federal Law: HR 2221, HITECH, FACTA Red Flag Rule, HIPAA, GLBA

Other State Law / Standards: Plastic Card Security Act (MN), MA 201, NEV, NIST, WA PCI

Card Industry Standard: PCI DSS; Visa CISP, et al*

Implications: Fines & Penalties, Injunctions, Oversight/Remediation requirements, Harm to Reputation, Criminal Indictments (*Precursor to Civil Liability*)

*Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program

The Need for Specialized Insurance

Are these risks covered under traditional insurance policies?

• General Liability: bodily injury & property damage
• E&O policies: failure of defined services
• Commercial Property Insurance: tangible property
• Crime policies: money, securities, or tangible property
• Kidnap and Ransom: extortion coverage

“Intangible property” = covered “property” under traditional property and CGL policies?

American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000) (“intangible property” covered under Property Policy)

Eyeblaster, Inc. v. Federal Insurance Company, 613 F.3d 797 (8th Cir. 2010) (“Loss of use” covered under CGL and financial injury covered under E&O unless “intentional” wrongful acts – cookies, flash)

America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F.3d 89 (2003) (“intangible property” not “tangible property” under CGL)

Personal And Advertising Injury Coverage under General Liability Policy

Zurich American Insurance Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 WL 3268460 (D. Maryland Oct. 26, 2007) (“duty to defend” violation of FCRA right of privacy, but “publication?”)

Netscape Communications Corp. v. Federal Insurance Co., 343 F. App’x 271 (9th Cir. 2009) (AOL violation of right of privacy covered under CGL)

Penzer v. Trans. Ins. Co. (Florida Supreme Court: “an advertising injury provision in a commercial liability policy that provides coverage for an oral or written publication of material that violates a person’s right of privacy provides coverage for blast-faxing in violation of TCPA”)

Crime Policy

Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip opinion (S.D. Ohio March 30, 2009) (hacking & data breach covered under “Computer Funds & Transfer Fraud” endorsement)

Background of Cyber Liability Insurance

Insurance Services Organization (“ISO”) Response:

ISO Data Exclusion: “For the purposes of this insurance, electronic data is not tangible property.”

Electronic Data Liability Endorsement: provides coverage for loss and loss of use of electronic data resulting from physical injury to tangible property

Subsequent cases: State Auto Property & Casualty Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001): courts now generally find that PII data does not amount to “tangible property” because computer information lacks physical substance

Stollenwerk v. TriWest Healthcare Alliance, No. 03-0185 (D. Ariz., June 10, 2008) (No commonality of class interests)

Background of Cyber Liability Insurance

TJX Breach

July 2005 - December 2006: Incident Occurred
January 12, 2007: Incident Discovered
January 17, 2009: TJX Reports Breach
January 29, 2009: First lawsuit filed

$256,000,000 in total costs to date. TJX reached a $40.9 Million settlement agreement with banks that processed credit card transactions. This represented only a fraction of the $256 million+ cost of the breach.

94,000,000 affected records

“BUT WE HAD LOCKS.” -- Carol Meyerowitz, TJX CEO, June 6, 2007

Heartland Payment Systems Breach

May 15, 2008: Incident Occurred
January 12, 2009: Incident Discovered
January 20, 2009: Heartland Reports Breach
January 27, 2009: First lawsuit filed

$143,000,000 in known costs, including settlements with consumers, Visa ($60 MM), Mastercard ($41.4 MM), Discover ($2.5 MM) and American Express ($3.6 MM)

Affected over 250,000 merchants and 500+ financial institutions. Fourteen lawsuits have been filed against Heartland.

130,000,000 affected records

“I JUST CAN’T BELIEVE IT HAPPENED TO US, OF ALL COMPANIES.” -- Bob Carr, CEO

Sony Playstation Breach

April 14, 2011 – April 19, 2011: First Incident Occurred
April 26, 2011: Sony reports incident
April 27, 2011: Sony mails notifications
April 27, 2011: First lawsuit filed, citing among other allegations “on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information”

$180,000,000+ projected cost

77,000,000 affected records

Hypothetical Breach Scenario – 150,000 Records

Response Step/Event | Estimated Cost | Insurable?

First-Party Data Loss Damages
Business interruption or suspension of network, including business income and extra expense – value to client of data lost | Subject to large retention and per hour loss limit (i.e., $250K/hour) | Yes, but few claims paid and difficult to prove. Does not cover future lost business.

Crisis Management
Investigate, forensics, audit and plan breach response (includes legal and/or public relations expenses) | $50,000 - $8,250,000 | Yes, up to $1,000,000 maximum in most cases
Notify customers in compliance with state data breach notice laws (likely able to use alternative notification provision) | $4,500 - $4,000,000 | Yes, up to $1,000,000 maximum in most cases
Offer credit monitoring services to affected individuals (cost could increase significantly depending on breadth of package and # of activations) | $540,000 | Yes, up to $1,000,000 maximum in most cases

Damages
Damages sought by banks for card re-issuance expenses | $750,000 – $125,000,000 | Yes
Damages sought in consumer class action lawsuit | | Yes
Damages sought in lawsuit brought by victims of identity theft (fraudulent use of information case – pain and suffering) | Difficult to prove damages, but defense costs > $4,000,000 | Yes

Regulatory defense
Defense expenses related to regulatory investigations | $100,000 – $2,000,000 | Yes, up to $1,000,000 maximum in most cases

Regulatory fines/penalties
Resolution/Settlement Agreement executed with regulatory authorities | $100,000 – $15,000,000 | Possibly

Consumer Redress
Varies by claim, but typically 30% - 65% is uncovered: reputation damage, lost business, brand damage

Cyber Liability Insurance Today

• 90% of 583 U.S. entities surveyed suffered a reported data breach within past 12 months (50%+ suffered 2 or more) (Ponemon Research/Juniper Networks)

• 80% of breaches = total covered insurance claims < $1,000,000
• 15% of breaches = total covered insurance $1,000,000-$20,000,000
• 5% of breaches = total covered insurance > $20,000,000

• Damages difficult to prove for individual consumers, even if Article III standing satisfied:
  • Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007)
  • Hammond v. The Bank of New York Mellon Corp. (June 25, 2010)
  • Ruiz v. Gap, Inc. (May 28, 2010)
  • Krottner v. Starbucks Corporation, No. 09-35823 (9th Cir. December 14, 2010)
  • Paul v. Providence Health System-Oregon, 237 Ore. App. 584 (App. Ct. Ore. 2010)
  • But see T. D. Ameritrade Settlement for $2.5 MM -- $6.5 MM (January 2011); Claridge v. RockYou declination to dismiss, C 09-6032 PJH (N.D. Cal. April 11, 2010); AOL LLC California Consumer Legal Remedy Act litigation, 719 F. Supp. 2d 1102 (N.D. Cal 2010); and Hannaford Brothers Co., 613 F. Supp. 2d 108 (D. Maine 2009) on appeal to 1st Cir. Ct. of Appeals (argued Sept. 8, 2011)

Cyber Liability Insurance Today

Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy): Negligence suit against insurance broker for not placing proper coverage

Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages (Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?)

Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result.”

Hartford v. Crate & Barrel and Children’s Retail Stores (Declaratory Judgment Action with respect to GL Policy): Over 125 Class Actions in California, led by: Pineda v. Williams-Sonoma, 51 Cal.4th 524, 246 P.3d 612 (Cal. 2011) (Zip codes are personal identification information protected by California’s Song-Beverly Act)

Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. Filed May 23, 2011); (possible suits coming in New York, Delaware, Washington DC, Georgia, Kansas, Maryland, Minnesota, Nevada, New Jersey, Ohio, Oregon, Pennsylvania, Rhode Island, Wisconsin).

Basic Coverages

Third-Party Coverages

Network Security & Privacy Coverage: This covers loss resulting from breaches in network security or unauthorized access events.

Privacy Regulatory Proceeding Coverage: This coverage is generally provided as a sub-limited part of the Privacy Liability coverage, and it covers costs resulting from a civil, administrative, or regulatory proceeding that alleges the violation of a privacy law.

Media Liability Coverage: This coverage extends to media content produced by the Entity to be disseminated online or offline.

First-Party Coverages

Event Management Coverage (Also called Public Relations Expense Fund or Notification & Credit Monitoring Fund): This coverage will pay monies to help the Entity recover from a covered claim or failure of security.

Cyber Extortion: This covers extortion threats to commit an intentional computer attack against the Entity.

Information Asset: This covers damage to or theft of the Entity’s information assets due to a security failure.

Markets & Capacity

ACE Arch Aspen AWAC/Darwin Axis Beazley Brit Catlin Chartis CNA Chubb Endurance Evanston Everest Re Factory Mutual Great American Hartford Hiscox Hudson Ironshore Kiln Liberty Navigators Novae One Beacon Pembroke RLI RSUI Scor Re Seneca Specialty Global Swiss Re Travelers USLI Valiant XL Zurich

[Capacity chart: bars for 3rd Party Liability, 1st Party Network Risks, and Crisis Management; scale 0–450; series labelled “any one risk” and “total”. Bar values are not recoverable from the extracted text.]

Breach Management Framework

[Framework diagram. Phases: Pre-Breach Response Planning; Incident Analysis; Incident Disclosure; Loss Mitigation and Remediation; Communication.

Diagram items, in the order extracted (their assignment to phases is not recoverable from the text): Analyze Requirements; Consider Alternative Notice Methods; Notify in compliance with laws; Consider third party vendors for notification; Stagger Notification; Identify stakeholders; Establish analysis & communication protocols; Evaluate Vendor Needs; Remediation and recovery considerations; Stress test plan; Communication; Breach Containment; Harm Determination; Legal Analysis; Loss Trending; Loss Benchmarking; Limit Benchmarking; Retention Benchmarking; Exposure Modeling; Peer Loss Survey.

Policy lines shown: E&O, CGL, Umbrella, Crime, EPLI, D&O, Privacy.]

Cyber Liability Insurance Today

World’s data will grow by 50X in next decade (IDC Digital Universe study)

IT security underwriting differentiates pricing, coverage & exclusions:

1. Risk identification -- Type of information and quantity of electronic records
2. Loss Control Analysis
3. Exposure quantification
4. Insurance Gap Analysis and Design

Enhanced review of contractual risk management: contractual allocation of liability with suppliers, partners, and customers; increased scrutiny of vendor management and outsourcing

Cloud Computing; Social Networking Sites (Facebook, Twitter, LinkedIn); Portable Wireless -- Technology Convergence; IT Security of outsourced IT vendors

Greater focus on Entity’s breach response plan; Past Loss/Incident history

[Diagram labels: Vendor Risk; Multimedia Liability; Professional Services; Network and Privacy]

Cyber Liability Insurance Today: Companies Buying?

• “We have a firewall, so we are protected.”
• “We have antivirus protection, so we are not at risk.”
• “We have the best IT department.”
• “Why would our organization be a target?”
• “We don’t have an e-commerce website, so we are not at risk.”
• “We are compliant with PCI, HIPAA, GLBA, etc., so we are not at risk.”
• “No one else is buying this coverage… why should we?”
• “Privacy and Security exposures apply solely to retailers, healthcare, education, consulting, data processors, data storage, hospitality, entertainment/gaming and financial institutions.”
• “Our discretionary budget has been eliminated in this down economy.”

Mark Camillo

Mark Camillo is Vice President in the Executive Liability Professional Liability Division of Chartis and is responsible for the Technology and Security/Privacy suite of products. Prior to this role, Mark was responsible for the Personal Identity Coverage (PIC) and Payment Fraud Products. Mark joined Chartis in 2001 and has held positions of increasing management responsibility in various parts of the organization including eBusiness Risk Solutions, Affinity Group, A&H, Professional Liability, and the Fidelity team. Prior to Chartis, Mark worked in sales, marketing, and product development for Dun & Bradstreet (D&B) and SITEL Corporation.

Mark has a Masters of Business Administration from SUNY Buffalo and a B.S. from the University of Wyoming.

How Cyber Coverage Can Help

• Comprehensive Third & First Party Coverage: Security & Privacy Liability (3rd Party); Event Management (1st Party); Cyber Extortion (1st Party); Network Interruption (1st Party)

• Flexible ‘Coverage Section’ Approach: Allows Insureds to Customize Coverage Components. Coverage Can Be Combined with E&O, Media, and Corporate Counsel Coverages or Offered Standalone. Flexible Coverage Sublimits to Meet the Specific Needs of an Individual Insured.

• Security & Privacy Insurance responds to important third party liability for claims arising from:
  • A failure of the insured’s network security
  • A failure to protect personally identifiable information including disclosures as a result of social engineering attacks (e.g., phishing)
  • Violation of any federal, state or local privacy statute alleged in connection with failure to protect confidential information

• Duty-to-Defend coverage

• Broad definition of “confidential information” and “computer system”

• Coverage extends to information held by “Information Holders”

• Endorsement available for regulatory fines/penalties and PCI assessments

Security & Privacy

• Responds to the costs to retain services to assist in managing and mitigating a covered privacy or network security incident
• Includes costs to notify consumers of a release of private information
• Costs of credit-monitoring or other remediation services to help minimize damages. Credit monitoring not limited to 12 months
• Forensic Investigation Coverage
• Public Relations/Legal Assistance Expense Coverage
• Call Center Services
• Goodwill notification – not limited to state notification or legal requirements
• Can be offered on a Monetary (Insured uses own vendors) or Number of Affected Persons (Insurer handles) basis
• Includes costs associated with losses to information assets such as customer databases

Event Management

• Cyber Extortion Insurance pays to settle network security related extortion demands made against the insured.
• Triggers when there is a threat to commit a computer attack against the insured and a demand for money to terminate the threat
• Includes the costs of investigations to determine the cause of the security threat and to settle the extortion demand

• Network Business Interruption Insurance responds to an insured’s loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security
• Broad definition of loss includes lost business income, normal operation expenses (including payroll) and those costs that would not have been incurred but for the interruption
• System Failure can be added by endorsement
• Limited coverage for outsource provider - $100,000
• Waiting hour period applies

Cyber Extortion and Network Interruption

E&O vs. Security and Privacy

• E&O does not include first party coverages
  - Event Management/Crisis Response
  - Information Asset
  - Cyber Extortion
  - Network Interruption/System Failure

• S&P includes coverage for regulatory actions
  - Defense Costs
  - Regulatory fines/penalties

• S&P has option to cover PCI fines/assessments

• E&O triggered by “wrongful act” vs. S&P “failure to protect” or “security failure”
  - S&P covers rogue employee

Other Issues

• Requests for Project Specific Insurance
  - Aggregation/Capacity Issues
  - Insurer needs to reserve capacity for additional limits
  - Tie-In of Limits
  - Fronting Arrangements

• Additional Insured
  - any entity which a Company is required by contract to add as an Insured under this SPL Coverage Section, but only for the Wrongful Acts of a Company

Other Issues (cont)

• Notice of Cancellation
  - In consideration of the premium charged, it is hereby understood and agreed that in the event this policy is canceled by the Insurer in accordance with paragraph (b) of Clause 8. CANCELLATION, the Insurer will use its best efforts to deliver to the entity listed below written notice stating when, not less than thirty (30) days thereafter (ten (10) days in the event of cancellation by the Insurer for non-payment of premium), the cancellation shall be effective:
  - [NAME AND ADDRESS FOR NOTICE]
  - Provided, however, that any failure to notify such entity shall not impair or delay the effectiveness of any such cancellation.

Questions

To ask a question, type your questions via chat and send to the chairperson. Your questions will be answered in the order they are received.

If we do not have time to address your question you may submit questions via email to: [email protected].


Contact Information

AMCF, 370 Lexington Ave., Suite 2209, New York, NY 10017, (212) [email protected]

Mark Camillo, Vice President, Professional Liability, Chartis Insurance, 212-458-1355, [email protected]

Kevin P. Kalinich, J.D., Financial Services Group, National Managing Director, Professional Risk Solutions, A Division of Aon Risk Services Central, Inc., P: 312.381.4203, [email protected]

Alex W. Zabrosky, Drinker Biddle & Reath LLP, 191 North Wacker Drive, Suite 3700, Chicago, Illinois 60606-1698, Phone: (312) 569-1144, Email: [email protected]