INSURANCE IMPLICATIONS OF SOCIAL MEDIA, DATA SECURITY AND OTHER “NEW MEDIA” EXPOSURES

Presented at: Ctuit Software and Lathrop & Gage LLP Food & Hospitality Roundtable, San Francisco, CA, April 29, 2013

Presented by: Leib Dodell, Esq.



Starting Point – Advances in Technology Have Fundamentally Changed Commercial Business Practices

Media and technology have become central to commercial life. Virtually all businesses – regardless of size or class of business – engage in many forms of “new media” communications.

All businesses collect and store vast amounts of data about employees, customers, vendors and others.

Standard commercial insurance packages were not designed to address these modern uses of technology and have not kept pace with these changes in business practices or exposures – indeed, have excluded many of them.

Old Paradigm – “Media/Technology Companies” and “Standard Commercial” Businesses Such As Restaurants Were Treated As Discrete Industry Segments

“Traditional” Media/Tech Companies: Specialized “Media Liability” or “Tech E&O” Policies

“Main Street” Commercial Marketplace: “Advertising Injury” Coverage in GL Policy (exclusion for companies “in the business of” publishing, broadcasting, etc.)


New Paradigm – “Convergence” Due to Rapid Advances in Technology

Media Companies; Restaurants and other Commercial Enterprises

Social Media, Viral Videos, In-House Publishing, Data Collection, Behavioral Advertising, Blogs, Etc.

What is the insurance solution?


The “Advertising Injury” Coverage Grant

“Advertising Injury” was added to the GL policy in 1976. The standard ISO CGL policy now provides coverage for four distinct offenses:

(a) Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products, or services;

(b) Oral or written publication of material that violates a person's right of privacy;

(c) The use of another’s advertising idea in your advertising; or

(d) Infringing upon another’s copyright, trade dress or slogan in your advertisement.


Problems With This Language As Respects IP/Data Security Claims

First, understand that this is a “throw-in” coverage. Generally the GL carriers aren’t equipped to underwrite these new media exposures and they don’t fully understand them.

No mention of “trademark” in the coverage grant. But it is mentioned in a key exclusion: No coverage for claims “arising out of copyright, patent, trademark, trade secret or other intellectual property rights.”

But . . . This exclusion does not apply to “infringement, in your advertisement, of copyright, trade dress or slogan.”

What constitutes “advertising”? With respect to websites, only “that part” of site that is “about your goods, products or services.”


CGL Problems continued

Right of publicity claims are not addressed.

Claims arising out of bulletin boards and chat rooms are expressly excluded.

As to coverage for data security, many of the same issues:

Is a data breach “publication of material that violates a person's right of privacy”?

On the property side, is a data breach the result of “physical loss or damage” to “tangible property”?


Potential Insurance Solutions

“Cyber” insurance – refers generally to insurance for the consequences of a breach of security leading to the release or compromise of data. Sometimes called “data security coverage” or “privacy” coverage.

Still a relatively new product, developed within the last 10 years. Very little standardization in wording, pricing, coverage, etc.

Highly competitive insurance marketplace, pricing has been steadily declining in recent years.


Two Components to Most “Cyber” Policies

“Third Party” Coverage (also referred to as “Liability” Coverage) for claims against an insured resulting from a breach of data security. Examples include:

• Class actions for damages by employees or consumers as a result of breach of Personally Identifiable Information (PII)

• Claims by banks or other impacted businesses to recover their losses resulting from a breach (for example, a bank might need to cancel and re-issue a large number of credit cards if there is a large security breach)

• Regulatory claims by government agencies (such as the FTC or a state Attorney General) charged with enforcing privacy laws

“First Party” Coverage for costs incurred by the insured organization itself as a result of a breach of data security. There are a number of different components of first party coverage, which are discussed on the following slides.


First Party Coverages

Notification costs. Coverage for the costs to notify customers that a breach has occurred, in compliance with state laws. This includes the costs of preparing, printing and mailing the letters, and setting up a call response center.

Credit Monitoring. Coverage for costs incurred by the insured to provide credit monitoring services to individuals impacted by the breach.

Crisis Management. Coverage for costs associated with retaining a public relations firm to manage the impact of the breach on the organization’s brand and reputation.

Cyber Investigation. Coverage for costs incurred by the Insured in determining the cause of the breach and taking corrective action.

Data Restoration. Coverage for costs incurred by the Insured to restore any data lost or destroyed in connection with the security breach.

Cyber Extortion. Coverage for costs incurred by the Insured in connection with responding to a threat of a security breach or cyber attack (including payment of ransom demands).


Important Cyber Coverage Considerations

Does the Policy cover all forms of data – i.e., not limited to electronic data and not limited to PII?

Will the Policy respond in the event of a voluntary notification – i.e., where notification is not strictly required by state law?

Does the Policy cover data maintained by the Insured as well as data maintained by third parties on the Insured’s behalf? This is critical given the prominence of cloud computing and other outsourcing of data management.

Does the Policy cover claims by employees in the event employee data is lost (and make appropriate modification of the Insured vs. Insured exclusion)?

Does the Policy cover regulatory claims as well as private actions, and does the definition of damages include civil fines and penalties (including PCI fines/penalties)?

Does the policy cover media/IP claims as well as data breaches? If not, consider Media Liability policy as well.


Reference Websites and Other Resources

www.ponemon.org – Research center dedicated to privacy, data protection and information security policy.

www.privacyrights.org and www.datalossdb.org – Contain detailed chronological listings of all data breaches. Excellent sources of loss examples.

www.sans.org – Contains information on security training and offers several free resources that may benefit your clients.

www.fbi.gov/about-us/investigate/cyber/cyber – FBI’s Cyber Crime Website. Keep up to date on e-scams and warnings. Also, report Internet crimes on this site.

www.net-security.org – Tips for security, updates on latest security threats, summary of state notification laws, etc.


QUESTIONS?