Star Wars in the New Millennium: Cyber Liability and Data Risk

“Cyber Liability” and “Data Risk” – Catchy…But What Do They Mean?

Cyber Liability and Data Risk

Cyber liability refers generally to new types of liability faced by companies due to their use of technology.

Data risk is a subset of cyber liability that refers to a compromise of sensitive data stored electronically.

Challenges of Cyber Liability

Stupendous growth of electronic data storage and communication has created new challenges for business entities.

Arises from our dependence on all things electronic

1.8 Billion people using the Internet Text, e-mail, billing systems, payment systems,

business operations, smart phones (Blackberry, iPhone, etc.) Increases the risk because information is electronic

and infinitely portable.

Two Challenging Types of Claims

Data Risk (also known as Data Breach): Claims arising from a breach of company data (first and third-party)

Cyber-Privacy: Claims arising from a compromise of employee cyber-privacy

Data Risk will be our focus today.

Response by Insurance Carriers

Carriers recognize that cyber-related claims require a new approach, including tailored policies and careful handling.

New Policies are Being Created Enhanced Privacy Endorsements Technology and Media Coverage

add-ons EPL enhancements

Data Risk (Data Breach) Claims

Data Breach Claims

A data breach can cost millions of dollars, based on the type and amount of data effected.

Any entity that stores third-party data can be at risk, including (but certainly not limited to): Retailers Financial institutions Health care providers Law firms

Claim Examples – Data Breach

Online retailer hacked and customer credit card information is stolen: regulatory and class actions

Companies unknowingly spread a worm, facing liability from those parties based upon lost revenues caused by the virus.

Disgruntled employee deletes the company’s databases, causing business interruption

Computer hacker floods a company’s website, overwhelming the system and causing it to crash.

More Claim Examples – Data Breach

Private medical info is stolen or disclosed, leading to a suit for defamation and invasion of privacy.

Employee laptop is lost or stolen Iphone is compromised Disgruntled employee shares

information on networking site

Claim Examples - Other Some claims do not fall neatly in the categories of

“employee privacy” or “data breach,” and relate more to traditional causes of action through new mediums (such as defamation, copyright infringement, and patent infringement): Online publisher allows defamatory postings about a local

public figure, causing the public official to lose his job. Company is sued for unauthorized use of a person’s photo

on its website. A small business creates a website and is sued by another

company alleging that their domain name violated trademark laws.

Compromised Data

285 Million records were compromised in 2008

25% of Companies With IT Outage for 2-6 days go bankrupt immediately

Heartland Payment Systems: credit card numbers of clients

Cost: $12.5 Million in legal fees, costs and settlements to date

Credit Card Numbers are purchased by “information gangsters”

Dave & Busters: FTC Complaint Intruder exploited vulnerabilities in

systems 130,000 unique credit cards stolen Issuing Banks Claimed over $500,000

in unauthorized charges Settled

Before TJ Maxx, no recognized private

cause of action for data breach Judge let three theories survive:

Two theories of negligent misrepresentation regarding their cyber security

Lack of security measures amounted to unfair and deceptive business practice

Settled with banks for $525,000 Total cost over $40 million

Variety of Data Breach Claims

The potential claims are at least as varied as the potential claimants: Actual loss (theft) of customer, client or employee data Extortion based on a threatened loss of customer, client

or employee data Monitoring or repairing of credit reports for those

effected by a data breach Notices issued to those effected by a data breach Public relations activity necessitated by a data breach Remediation and repair of systems due to a data breach Lost profits caused by a data breach

Data Breach Claims Are on the Rise

0

5,000,000

10,000,000

15,000,000

20,000,000

25,000,000

30,000,000

35,000,000

Lowest Highest

Series1

Depending on the type of breach, costs can vary significantly, from $750,000 to $31,000,000 in 2009.

Data Breach Claims Are on the Rise

Avg. Cost per Customer

201

202

202

203

203

204

204

205

2008 2009

Avg. Cost per Customer

The average per-customer cost of data-breach claims has increased over the last year alone.

Data Breach Claims Are on the Rise

6,600,000

6,620,000

6,640,000

6,660,000

6,680,000

6,700,000

6,720,000

6,740,000

6,760,000

2008 2009

Avg. Cost per Breach

Avg. Cost per Breach

The increased per-customer cost translates to large increases in costs per breach.

Data Breach – Sources of Loss

What are the sources of potential loss to the insured? While the most common (and most elusive) source of loss is a civil

action by the individual effected by the breach, there are other sources of potential liability for the insured: Violation of “Red Flag Rules” (requiring entities to implement an identity theft

prevention program) under the Fair and Accurate Credit Transactions Act, enforced by the Federal Trade Commission (“FTC”)

Health Information Technology for Economic and Clinical Health Act (“HITECH”), enforced by the FTC and the Department of Health and Human Services and includes breach notification provisions

Children’s Online Privacy Protection Act CAN-SPAM Act Gramm-Leach-Bliley Act Fair Credit Reporting Act Computer Fraud and Abuse Act Federal Privacy Act State breach notification laws State attorney general actions and consumer protection laws

Data Breach – Potential Damages

What are the potential damages to which the insured could be exposed? Depending on governmental involvement, the

strategy of the claimant, and the approach of the Insured, multiple damages are possible: Compensatory damages (although difficult to prove) Consequential damages Punitive damages Fines and fees (imposed by regulatory agencies) Remediation of hardware and software Lost profits and goodwill Notification of effected individuals/entities Monitoring of effected individuals/entities

Federal “Red Flags” Rules The “Red Flags Rules,” were

promulgated under the Fair and Accurate Credit Transactions Report Act. 16 CFR 681.1.

Any company holding credit data could be subject

Requires a Written Identify Theft Prevention Program

December 31, 2010 Implementation

Red Flag Rules Requires “creditors” and “financial institutions”

(“covered entities”) to conduct risk assessments to determine if they have “covered accounts,” which include consumer-type accounts or other accounts for which there is a reasonable risk of identity theft

“Creditor” “means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” 15 USC § 1691a(e) (emphasis added).

“Credit,” as used within the statute, “means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.” 15 USC § 1691a(d) (emphasis added).

Insurance For Cyber Claims

Gaps in Traditional Insurance Policies

Property Insurance policies – “Property” : Tangible vs. Intangible

D&O: Property exclusion; Professional services exclusion; not covered by insuring clauses

Crime/Fidelity policies –Tangible Property

CGL: Exclusions for losses associated with unauthorized access by third parties.

Errors & Omissions policies – Generally exclude security breaches or damages arising from unauthorized access.

EPL policies – Not covered by Insuring Clauses.

Cyber Liability – Covered Risks

Generally, cyber liability policies address two types of risks:

First Party: losses suffered directly by the Insured Third Party: losses associated with the Insured’s

liability for damages suffered by a third party

First Party Losses

Business interruption costs Crisis management and public relations

costs Privacy notifications and credit monitoring

costs Costs associated with theft or vandalism of

a company’s network or systems Upgrades in network security

Third Party Losses

Disclosure Injuries: unauthorized access to or dissemination of a third party’s private information

Content Injuries: copyright, trademark, trade secrets or other intellectual property claims

Reputation Injuries: libel, slander, defamation, invasion of privacy claims

System Injuries: security failures or virus transmissions that harm the computer systems of third parties

Impaired Access Injuries: customers cannot access their accounts or information

First Party Losses inThird Party Claims

Often a third party liability claim will involve direct losses by the Insured A third party cyber liability policy may

provide coverage for certain direct losses associated with a claim (or a potential claim) by a third party. These may include: Security breach notifications Credit monitoring costs Crisis management consultation

6 Separate Insuring Clauses!

1) Technology Security Wrongful Act 2) Privacy Wrongful Act 3) Private Information Breach 4) Web Media Services Wrongful Act 5) Extortion Loss from Technology

Threat 6) Data Restoration Loss from Breach

Cyber Liability Coverage by Endorsement Insurers have customized traditional

Policies to provide additional coverage for specific cyber risks by endorsements. For example: EPLI Policies – coverage for employee related theft or

third party unauthorized access to private information.

E&O Policies – coverage for e-commerce activities, security breaches, and unauthorized access

Property & Crime Policies – coverage for “intangible” property like data

Breaking Down a Data Risk Claim

Data Breach – Cause of the Breach What was the cause of the breach?

The cause of the breach can effect both potential liability and coverage: External hacking Wrongdoing internal to the insured Failure of controls or preventative measures Failure of hardware or software Wrongdoing or failure of a vendor or other

related third-party entity

Data Breach – Data Involved

What type of data was involved? Personally Identifiable Information (PII) is

the most common, and will be the focus here: First name or initial combined with a social

security number, driver’s license number, state ID number, or account number with access code or password

Other sources of potential concern include proprietary data of a vendor or internal proprietary data.

Data Breach – Risk Mitigation

What needs to be done to mitigate the effect of a data breach? Once a breach has occurred, the insured has

multiple options for mitigating the breach (some of which may impact coverage). Incident analysis (internal communication,

containment, harm determination) Incident disclosure (notice to effected

individuals, vendors, regulatory agencies) Loss mitigation (trending, benchmarking,

remediation)

Evaluating a Data Breach

When a data breach occurs, immediate and decisive action is required: Evaluate the potential scope of the loss, in

terms of individuals effected Identify the governmental and regulatory

agencies with whom communication is necessary

Understand how mitigation strategies effect costs and coverage

Handling a Data Breach Claim

Pro-Active: Hiring Counsel and Waiting for 90 day Report May Cost Insurer Millions

Immediate Retention of IT or Privacy Expert

Boots on the Ground Approach May be More Effective

E-Discovery costs may be driving force in litigation

Data Breach Actions in the Courts –The Good Hammond v. The Bank of New York, 08 Civ. 6060 (RMB)

(RLE), 2010 WL 2643307 (S.D.N.Y June 25, 2010) action arose from loss from armored truck of 6 to 10 unencrypted

backup tapes and loss of storage tape containing check images and other payment documents on a separate occasion

Claims included common law negligence, negligence per se, breach of implied contract, breach of implied duty, and statutory claims under the laws of NY, California, NJ, Michigan, Illinois

Class action Relief sought included actual damages, equitable relief including

credit monitoring program, fees, costs and expenses Court noted that approximately 30 prior cases had been brought

for damages for loss of personal identification information All had been disposed of by way Rule 12(b)(6) or 56 Reasons for dismissals include lack of “injury in fact” and loss of

identity information is not cognizable claim Court granted summary judgment because inter alia lack of

standing because no plaintiff could establish actual harm Also held that could not establish damages because increase loss

of risk is insufficient to support substantive claims

Data Breach Actions in the Courts – the Good

Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046 (E.D.Mo. 2009) Court held increased risk of future

identity theft was insufficient to confer standing

Data Breach Actions in the Courts – the Flipside

In re: Countrywide Financial Corp. Customer Data Security Breach Litigation, 3:08-MD-01998, 2009 WL 5184352 (W.D.Ky. 2009) Class of 17 million

10.1 million will receive direct notice of settlement Remaining 41% receive notice by publication in

Parade, USA Weekend and American Publication to be inserted in over 2200 local Sunday papers

Two classes of settlement but included paid credit monitoring for two years, and $25,000 in identity theft insurance

Conclusion

Cyber Liability and Data Risk Claims are Coming Your Way! The key may be to recognize the non-

traditional costs associated with these claims, and how to mitigate those costs.