TRANSCRIPT
AMCF’s Legal Issues Update Webinar
“Client Data Breaches: The Latest on Managing Your Risk
and Legal Exposure”
Questions
Questions will be addressed at the end of the webinar but may be posed at any time. To ask a question, send your questions via chat to the chairperson. Your questions will be answered in the order they are received.
AMCF Mission
To promote an environment which fosters the success of management consulting firms and the value they deliver to their clients.
Alex Zabrosky
Alex W. Zabrosky is a business lawyer specializing in corporate and commercial law. He has a diverse international practice that focuses on counseling management consulting and professional services firms on all legal aspects of their businesses. Alex’s clients include firms engaged in management consulting, information technology consulting and implementation, financial and business advisory services, strategy, healthcare, operational improvement, forensics and litigation support, engineering and risk management, among others. His clients range from start-ups to middle market to major global consultancies. He received his law degree from The George Washington University Law School and his Bachelor’s degree from The University of Chicago.
Agenda
Background of cyber liability
Case studies
Cyber liability today
How cyber insurance can help
Other issues
Q&A
Kevin Kalinich
Kevin Kalinich leads Aon’s national practice to identify exposures and develop insurance solutions related to Technology Errors and Omissions, Miscellaneous Professional Liability, Media Liability, Network Risk and Intellectual Property. Kevin Kalinich has been named an Aon Risk & Insurance “Power Broker” for 2007, 2008, 2009, 2010 and 2011. He joined Aon in September 2000 from Altima Technologies, where he served as Chief Executive Officer and led the successful launch of a Web-enabled software product that provides intelligent visualization of network equipment in the areas of telecommunications, data, cables, and computers. Kevin holds a Juris Doctor from The University of Michigan and received his B.A. degree in Mathematics, Cum Laude, from Yale University.
Background of Cyber Liability Insurance
[Timeline figure, 2003–2011, charting the growth of breach-related law and major data incidents; only the labels survive extraction]
State breach disclosure laws: CA S.B. 1386, followed by AK, AR, AZ, CO, CT, DC, DE, FL, GA, HI, IA, ID, IL, IN, KS, LA, MA, MD, ME, MI, MN, MO, MT, NC, ND, NE, NH, NJ, NV, NY, OH, OK, OR, PA, PR, RI, SC, TN, TX, USVI, UT, VA, VT, WA, WI, WV, WY
Federal law: HIPAA, GLBA, FACTA Red Flag Rule, HITECH, HR 2221
Card industry standards: Visa CISP, et al*, PCI DSS
Other state law and standards: MA 201, NEV, NIST, WA PCI, Plastic Card Security Act (MN)
Major data incidents: Choicepoint, TJX, Hannaford, Heartland, Epsilon, Sony, Comerica, Amazon, Citigroup, RSA, DigiNotar, WikiLeaks
Implications: fines & penalties, injunctions, oversight/remediation requirements, harm to reputation, criminal indictments (*precursor to civil liability*)
*Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program
The Need for Specialized Insurance
Are these risks covered under traditional insurance policies?
General Liability: bodily injury & property damage
E&O policies: failure of defined services
Commercial Property Insurance: tangible property
Crime policies: money, securities, or tangible property
Kidnap and Ransom: extortion coverage
“Intangible property” = covered “property” under traditional property and CGL policies?
American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000) (“intangible property” covered under Property Policy)
Eyeblaster, Inc. v. Federal Insurance Company, 613 F.3d 797 (8th Cir. 2010) (“loss of use” covered under CGL and financial injury covered under E&O unless “intentional” wrongful acts – cookies, flash)
America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F.3d 89 (2003) (“intangible property” not “tangible property” under CGL)
Personal and Advertising Injury Coverage under General Liability Policy
Zurich American Insurance Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 WL 3268460 (D. Maryland Oct. 26, 2007) (“duty to defend” violation of FCRA right of privacy, but “publication?”)
Netscape Communications Corp. v. Federal Insurance Co., 343 F. App’x 271 (9th Cir. 2009) (AOL violation of right of privacy covered under CGL)
Penzer v. Trans. Ins Co. (Florida Supreme Court: “an advertising injury provision in a commercial liability policy that provides coverage for an oral or written publication of material that violates a person’s right of privacy provides coverage for blast-faxing in violation of TCPA”)
Crime Policy
Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip opinion (S.D. Ohio March 30, 2009) (hacking & data breach covered under “Computer Funds & Transfer Fraud” endorsement)
Background of Cyber Liability Insurance
Insurance Services Organization (“ISO”) Response:
ISO Data Exclusion: “For the purposes of this insurance, electronic data is not tangible property.”
Electronic Data Liability Endorsement: provides coverage for loss and loss of use of electronic data resulting from physical injury to tangible property
Subsequent cases: State Auto Property & Casualty Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001): courts now generally find that PII data does not amount to “tangible property” because computer information lacks physical substance
Stellenwork v. TriWest Healthcare Alliance, No. 03-0185 (D. Ariz., June 10, 2008) (no commonality of class interests)
Background of Cyber Liability Insurance
TJX Breach
July 2005 - December 2006 Incident Occurred
January 12, 2007 Incident Discovered
January 17, 2009 TJX Reports Breach
January 29, 2009 First lawsuit filed
$256,000,000 in total costs to date. TJX reached a $40.9 million settlement agreement with banks that processed credit card transactions. This represented only a fraction of the $256 million+ cost of the breach.
“BUT WE HAD LOCKS.” Carol Meyerowitz, TJX CEO, June 6, 2007
94,000,000 affected records
Heartland Payment Systems Breach
May 15, 2008 Incident Occurred
January 12, 2009 Incident Discovered
January 20, 2009 Heartland Reports Breach
January 27, 2009 First lawsuit filed
$143,000,000 in known costs, including settlements with consumers, Visa ($60 MM), Mastercard ($41.4 MM), Discover ($2.5 MM) and American Express ($3.6 MM)
Affected over 250,000 merchants and 500+ financial institutions. Fourteen lawsuits have been filed against Heartland.
“I JUST CAN’T BELIEVE IT HAPPENED TO US, OF ALL COMPANIES.” -- Bob Carr, CEO
130,000,000 affected records
Sony PlayStation Breach
April 14, 2011 – April 19, 2011 First Incident Occurred
April 26, 2011 Sony reports incident
April 27, 2011 Sony mails notifications
April 27, 2011 First lawsuit filed
Citing among other allegations “on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information”
$180,000,000+ projected cost
77,000,000 affected records
Hypothetical Breach Scenario – 150,000 Records
(Columns: Response Step/Event | Estimated Cost | Insurable?)

First-Party Data Loss Damages
Business interruption or suspension of network, including business income and extra expense (value to client of data lost) | Subject to large retention and per-hour loss limit (i.e., $250K/hour) | Yes, but few claims paid and difficult to prove. Does not cover future lost business.

Crisis Management
Investigate, forensics, audit and plan breach response (includes legal and/or public relations expenses) | $50,000 - $8,250,000 | Yes, up to $1,000,000 maximum in most cases
Notify customers in compliance with state data breach notice laws (likely able to use alternative notification provision) | $4,500 - $4,000,000 | Yes, up to $1,000,000 maximum in most cases
Offer credit monitoring services to affected individuals (cost could increase significantly depending on breadth of package and # of activations) | $540,000 | Yes, up to $1,000,000 maximum in most cases

Damages
Damages sought by banks for card re-issuance expenses | $750,000 – $125,000,000 | Yes
Damages sought in consumer class action lawsuit | (no estimate given) | Yes
Damages sought in lawsuit brought by victims of identity theft (fraudulent use of information case – pain and suffering) | Difficult to prove damages, but defense costs > $4,000,000 | Yes

Regulatory Defense
Defense expenses related to regulatory investigations | $100,000 – $2,000,000 | Yes, up to $1,000,000 maximum in most cases

Regulatory Fines/Penalties
Resolution/Settlement Agreement executed with regulatory authorities | $100,000 – $15,000,000 | Possibly

Consumer Redress
Varies by claim | (no estimate given) | (not stated)

Typically 30% - 65% of the total is uncovered: reputation damage, lost business, brand damage.
Cyber Liability Insurance Today
90% of 583 U.S. entities surveyed suffered a reported data breach within the past 12 months (50%+ suffered 2 or more) (Ponemon Research/Juniper Networks)
80% of breaches = total covered insurance claims < $1,000,000
15% of breaches = total covered insurance claims $1,000,000 - $20,000,000
5% of breaches = total covered insurance claims > $20,000,000
• Damages difficult to prove for individual consumers, even if Article III standing satisfied:
• Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007)
• Hammond v. The Bank of New York Mellon Corp. (June 25, 2010)
• Ruiz v. Gap, Inc. (May 28, 2010)
• Krottner v. Starbucks Corporation, No. 09-35823 (9th Cir. December 14, 2010)
• Paul v. Providence Health System-Oregon, 237 Ore. App. 584 (App. Ct. Ore. 2010)
• But see T.D. Ameritrade settlement for $2.5 MM -- $6.5 MM (January 2011); Claridge v. RockYou declination to dismiss, C 09-6032 PJH (N.D. Cal. April 11, 2010); AOL LLC California Consumer Legal Remedy Act litigation, 719 F. Supp. 2d 1102 (N.D. Cal. 2010); and Hannaford Brothers Co., 613 F. Supp. 2d 108 (D. Maine 2009), on appeal to the 1st Cir. Ct. of Appeals (argued Sept. 8, 2011)
Cyber Liability Insurance Today
Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy): negligence suit against insurance broker for not placing proper coverage
Zurich v. Sony Declaratory Judgment Action: over 55 class action lawsuits alleging billions of dollars in damages (Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result.”
Hartford v. Crate & Barrel and Children’s Retail Stores (Declaratory Judgment Action with respect to GL Policy): over 125 class actions in California, led by Pineda v. Williams-Sonoma, 51 Cal.4th 524, 246 P.3d 612 (Cal. 2011) (zip codes are personal identification information protected by California’s Song-Beverly Act)
Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. filed May 23, 2011); (possible suits coming in New York, Delaware, Washington DC, Georgia, Kansas, Maryland, Minnesota, Nevada, New Jersey, Ohio, Oregon, Pennsylvania, Rhode Island, Wisconsin).
Basic Coverages
Third-Party Coverages
Network Security & Privacy Coverage: This covers loss resulting from breaches in network security or unauthorized access events.
Privacy Regulatory Proceeding Coverage: This coverage is generally provided as a sub-limited part of the Privacy Liability coverage, and it covers costs resulting from a civil, administrative, or regulatory proceeding that alleges the violation of a privacy law.
Media Liability Coverage: This coverage extends to media content produced by the Entity to be disseminated online or offline.
First-Party Coverages
Event Management Coverage (also called Public Relations Expense Fund or Notification & Credit Monitoring Fund): This coverage will pay monies to help the Entity recover from a covered claim or failure of security.
Cyber Extortion: This covers extortion threats to commit an intentional computer attack against the Entity.
Information Asset: This covers damage to or theft of the Entity’s information assets due to a security failure.
Markets & Capacity
Carriers: ACE, Arch, Aspen, AWAC/Darwin, Axis, Beazley, Brit, Catlin, Chartis, CNA, Chubb, Endurance, Evanston, Everest Re, Factory Mutual, Great American, Hartford, Hiscox, Hudson, Ironshore, Kiln, Liberty, Navigators, Novae, One Beacon, Pembroke, RLI, RSUI, Scor Re, Seneca Specialty Global, Swiss Re, Travelers, USLI, Valiant, XL, Zurich
[Bar chart: capacity in $ millions (scale 0–450) for 3rd Party Liability, 1st Party Network Risks and Crisis Management, shown per “any one risk” and “total+”; only the axis labels survive extraction]
Breach Management Framework
[Framework diagram; only its labels survive extraction]
Phases: Pre-Breach Response Planning; Incident Analysis; Incident Disclosure; Loss Mitigation and Remediation; Communication
Pre-breach response planning: Identify stakeholders; Establish analysis & communication protocols; Evaluate vendor needs; Remediation and recovery considerations; Stress test plan
Incident analysis: Breach containment; Harm determination; Legal analysis
Incident disclosure: Analyze requirements; Consider alternative notice methods; Notify in compliance with laws; Consider third party vendors for notification; Stagger notification
Loss trending: Loss benchmarking; Limit benchmarking; Retention benchmarking; Exposure modeling; Peer loss survey
Policies in scope: E&O, CGL, Umbrella, Crime, EPLI, D&O, Privacy
Cyber Liability Insurance Today
World’s data will grow by 50X in next decade (IDC Digital Universe study)
IT security underwriting differentiates pricing, coverage & exclusions:
1. Risk identification -- type of information and quantity of electronic records
2. Loss control analysis
3. Exposure quantification
4. Insurance gap analysis and design
Enhanced review of contractual risk management: contractual allocation of liability with suppliers, partners, and customers; increased scrutiny of vendor management and outsourcing
Cloud computing; social networking sites (Facebook, Twitter, LinkedIn); portable wireless -- technology convergence; IT security of outsourced IT vendors
Greater focus on Entity’s breach response plan; past loss/incident history
[Diagram labels: Vendor Risk; Multimedia Liability; Professional Services; Network and Privacy]
Cyber Liability Insurance Today: Companies Buying?
• “We have a firewall, so we are protected.”
• “We have antivirus protection, so we are not at risk.”
• “We have the best IT department.”
• “Why would our organization be a target?”
• “We don’t have an e-commerce website, so we are not at risk.”
• “We are compliant with PCI, HIPAA, GLBA, etc., so we are not at risk.”
• “No one else is buying this coverage… why should we?”
• “Privacy and Security exposures apply solely to retailers, healthcare, education, consulting, data processors, data storage, hospitality, entertainment/gaming and financial institutions.”
• “Our discretionary budget has been eliminated in this down economy.”
Mark Camillo
Mark Camillo is Vice President in the Executive Liability Professional Liability Division of Chartis and is responsible for the Technology and Security/Privacy suite of products. Prior to this role, Mark was responsible for the Personal Identity Coverage (PIC) and Payment Fraud Products. Mark joined Chartis in 2001 and has held positions of increasing management responsibility in various parts of the organization including eBusiness Risk Solutions, Affinity Group, A&H, Professional Liability, and the Fidelity team. Prior to Chartis, Mark worked in sales, marketing, and product development for Dun & Bradstreet (D&B) and SITEL Corporation.
Mark has a Masters of Business Administration from SUNY Buffalo and a B.S. from the University of Wyoming.
How Cyber Coverage Can Help
• Comprehensive Third & First Party Coverage: Security & Privacy Liability (3rd Party); Event Management (1st Party); Cyber Extortion (1st Party); Network Interruption (1st Party)
• Flexible ‘Coverage Section’ Approach: allows Insureds to customize coverage components; coverage can be combined with E&O, Media, and Corporate Counsel coverages or offered standalone; flexible coverage sublimits to meet the specific needs of an individual Insured
Security & Privacy
• Security & Privacy Insurance responds to important third party liability for claims arising from:
- A failure of the insured’s network security
- A failure to protect personally identifiable information, including disclosures as a result of social engineering attacks (e.g., phishing)
- Violation of any federal, state or local privacy statute alleged in connection with failure to protect confidential information
• Duty-to-Defend coverage
• Broad definition of “confidential information” and “computer system”
• Coverage extends to information held by “Information Holders”
• Endorsement available for regulatory fines/penalties and PCI assessments
Event Management
• Responds to the costs to retain services to assist in managing and mitigating a covered privacy or network security incident
• Includes costs to notify consumers of a release of private information
• Costs of credit-monitoring or other remediation services to help minimize damages; credit monitoring not limited to 12 months
• Forensic Investigation Coverage
• Public Relations/Legal Assistance Expense Coverage
• Call Center Services
• Goodwill notification – not limited to state notification or legal requirements
• Can be offered on a Monetary (Insured uses own vendors) or Number of Affected Persons (Insurer handles) basis
• Includes costs associated with losses to information assets such as customer databases
Cyber Extortion and Network Interruption
• Cyber Extortion Insurance pays to settle network security related extortion demands made against the insured.
- Triggers when there is a threat to commit a computer attack against the insured and a demand for money to terminate the threat
- Includes the costs of investigations to determine the cause of the security threat and to settle the extortion demand
• Network Business Interruption Insurance responds to an insured’s loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security
- Broad definition of loss includes lost business income, normal operation expenses (including payroll) and those costs that would not have been incurred but for the interruption
- System Failure can be added by endorsement
- Limited coverage for outsource provider - $100,000
- Waiting hour period applies
E&O vs. Security and Privacy
• E&O does not include first party coverages
- Event Management/Crisis Response
- Information Asset
- Cyber Extortion
- Network Interruption/System Failure
• S&P includes coverage for regulatory actions
- Defense Costs
- Regulatory fines/penalties
• S&P has option to cover PCI fines/assessments
• E&O triggered by “wrongful act” vs. S&P “failure to protect” or “security failure”
- S&P covers rogue employee
Other Issues
• Requests for Project Specific Insurance
- Aggregation/Capacity Issues
- Insurer needs to reserve capacity for additional limits
- Tie-In of Limits
- Fronting Arrangements
• Additional Insured - any entity which a Company is required by contract to add as an Insured under this SPL Coverage Section, but only for the Wrongful Acts of a Company
Other Issues (cont)
• Notice of Cancellation - In consideration of the premium charged, it is hereby understood and agreed that in the event this policy is canceled by the Insurer in accordance with paragraph (b) of Clause 8. CANCELLATION, the Insurer will use its best efforts to deliver to the entity listed below written notice stating when, not less than thirty (30) days thereafter (ten (10) days in the event of cancellation by the Insurer for non-payment of premium), the cancellation shall be effective:
- [NAME AND ADDRESS FOR NOTICE]
- Provided, however, that any failure to notify such entity shall not impair or delay the effectiveness of any such cancellation.
Questions
To ask a question, type your questions via chat and send to the chairperson. Your questions will be answered in the order they are received.
If we do not have time to address your question you may submit questions via email to: [email protected].
Contact Information
AMCF, 370 Lexington Ave., Suite 2209, New York, NY 10017, (212) [email protected]
Mark Camillo, Vice President, Professional Liability, Chartis Insurance, 212-458-1355
Kevin P. Kalinich, J.D., Financial Services Group National Managing Director, Professional Risk Solutions, A Division of Aon Risk Services Central, Inc., P: 312.381.4203, [email protected]
Alex W. Zabrosky, Drinker Biddle & Reath LLP, 191 North Wacker Drive, Suite 3700, Chicago, Illinois 60606-1698, Phone: (312) 569-1144, Email: [email protected]