
Page 1: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

Insurance Coverage for Data Breaches and Privacy Violations: Are Your Corporate Clients Adequately Protected?

Evaluating and Determining Coverage Under CGL, D&O, E&O and Specialty Cyber Policies

Presenting a live 90-minute webinar with interactive Q&A

TUESDAY, MAY 19, 2015

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Roberta D. Anderson, Partner, K&L Gates, Pittsburgh

Joshua A. Mooney, Partner, White and Williams, Philadelphia

William T. Um, Policyholder Counsel, Hunton & Williams, Los Angeles

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.


Insurance Coverage for Data Breaches and Privacy Violations: Are Your Corporate Clients Adequately Protected?

May 19, 2015

STRAFFORD LIVE CLE WEBINAR

Presenters:

Roberta D. Anderson

Joshua A. Mooney

William T. Um

INTRODUCTIONS

William T. Um, Insurance Recovery Counsel, Hunton & Williams LLP

Roberta D. Anderson, Insurance Coverage & Cybersecurity Partner, K&L Gates LLP

Joshua A. Mooney, Insurance Coverage & Cyber Law Partner, White and Williams LLP

AGENDA

Spectrum of Cyber Risk & Its Legal/Regulatory Framework
Trends in Data Breach Litigation and Liabilities
Target to Sony Pictures, & Expanding Regulatory Scrutiny
Defense Strategies
The Target Settlement
Potential Coverage Under “Legacy” Policies
Property Damage, Privacy, and Publication
The Sony Settlement
Specialty “Cyber” Policies
Third-Party Cyber Risks
First-Party Cyber Risks
Coverage Issues
Hypothetical Situations
Audience Q&A

Roberta Anderson, K&L Gates

SPECTRUM OF CYBER RISK

• Malicious Attacks
  – Advanced Persistent Threats
  – Social Engineering
  – Viruses, Trojans, DDoS attacks
• Data Breach/Unauthorized Access
• Software Vulnerability (Heartbleed)
• System Glitches
• Employee Mobility
• Lost or Stolen Mobile and Other Portable Devices
• Vendors/Outsourcing (Function, Not the Liability)
• The Internet of Things
• Human Error

“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” - Robert S. Mueller, III, Director, FBI


PRACTICAL RISK AND EXPOSURE

Source: Ponemon Institute 2014 Cost of Data Breach Study – Global

Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)

LATEST LEGAL AND REGULATORY DEVELOPMENTS

• Federal Cybersecurity/Data Privacy Laws
  – HIPAA/HITECH
  – GLBA
  – FTC Act
  – FCC Act
  – FCRA/FACTA
• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes
  – 47 States, D.C., & U.S. Territories Breach Notification Laws
  – State Security Standards (MA, CA, CT, RI, OR, MD, NV)
• NIST Cybersecurity Framework
• Industry Standards, e.g., PCI DSS
• SEC Cybersecurity Risk Factor Guidance

NIST CYBERSECURITY FRAMEWORK

The NIST Cybersecurity Framework provides a common taxonomy and mechanism for organizations to:

Describe their current cybersecurity posture;
Describe their target state for cybersecurity;
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
Assess progress toward the target state;
Communicate among internal and external stakeholders about cybersecurity risk.

The Framework is voluntary (for now)

PCI DSS

“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”

SEC CYBERSECURITY

“[A]ppropriate disclosures may include”:

“Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;

“To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;

“Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;

“Risks related to cyber incidents that may remain undetected for an extended period”; and

“Description of relevant insurance coverage.”

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

SEC CYBERSECURITY

“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the 'certain other coverage' that may reduce your exposure to Data Breach losses.”

Target Form 10-K (March 2014)

SEC CYBERSECURITY

“We note your disclosure that an unauthorized party was able to gain access to your computer network 'in a prior fiscal year.' So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”

Alion Science and Technology Corp. S-1 filing (March 2014)

SEC CYBERSECURITY

“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of director's risk oversight responsibilities . . . .

Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014

FTC CYBERSECURITY

William T. Um, Hunton & Williams

Joshua Mooney, White and Williams

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Speed of lawsuit filings after breach notification
Plaintiffs’ continuing struggle to allege compensable damages – standing issues
“Fear of identity theft” as potential damage claim
Class certification issues
Statutory violations as potential damages
New type of claims beyond claims against financial institutions and retailers
Growth area for lawyers?

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

TARGET – watershed moment for executives

Consumer/Derivative Class Action Lawsuits

Target 2014 Earnings Report
Net Expense: $145 million
Gross Expense: $191 million
Insurance Receivables: $46 million

“I don’t see how they’re getting out of this for under a billion, over time.”
-- John Kindervag, V.P. and Principal Analyst, Forrester Research

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

THE TARGET SETTLEMENTS

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Class Actions
Consumers and Employees
Increased Risk of Identity Theft, Credit Monitoring Costs
Loss of Value of PII
Statutes (CCRA, CoMIA), Invasion of Privacy
Negligence, State Unfair Trade Practices Acts

Financial Institutions
Target settles with MasterCard for $18 million

Non-Financial Institution/Retailer Actions
Theft of trade secrets/intellectual property

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Expanding Regulatory Scrutiny

FTC: In re Wyndham Hotels
SEC: Materiality for disclosures
FCC: In re Terracom, Inc.: FCC exercising its regulatory authority over a telecommunications carrier

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Defense Strategies: Article III Standing

Standing:

A plaintiff must allege an actual injury or one that is concrete and imminent, i.e., “concrete and particularized,” and

Causation – traceability of the alleged injury to the breach

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Actual Injury

Forgiven fraudulent or reimbursed charges are not actual injuries
Galaria v. Nationwide Mut. Ins. Co.

Threat or increased risk of identity theft is not an actual injury
In re Science Applications Int’l Corp.

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Imminent Injury

Increased risk of identity theft is not enough

“[Plaintiffs] claim that they are 9.5 times more likely than the average person to become victims of identity theft. That increased risk, they maintain, in and of itself confers standing. But as Clapper makes clear, that is not true. The degree by which the risk of harm has increased is irrelevant — instead, the question is whether the harm is certainly impending.”
-- In re Science Applications Int’l Corp.

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Imminent Injury

Even Risk with “rational” fear is not enough

“[I]t is reasonable to fear the worst in the wake of such a [data] theft, and it is understandably frustrating to know that the safety of your most personal information could be in danger. The Supreme Court, however, has held that an “objectively reasonable likelihood” of harm is not enough to create standing . . . Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.”
-- In re Science Applications Int’l Corp.

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Imminent Injury

Cost of credit-monitoring services, alone, is not enough

“The cost of guarding against a risk is an injury sufficient to confer standing only if the underlying harm the plaintiff is seeking to avoid is itself a cognizable Article III injury.”
-- Remijas v. The Neiman Marcus Group LLC

TRENDS IN DATA BREACH LITIGATION AND LIABILITIES

Imminent Injury

Concrete and Particularized Injury
-- Was the PII targeted?

“Not only did the hackers deliberately target Adobe's servers, but Plaintiffs allege that the hackers used Adobe's own systems to decrypt customer credit card numbers. ... Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused.”
-- In re Adobe Sys Inc. Privacy Litig.

Joshua Mooney, White and Williams

Roberta Anderson, K&L Gates

COVERAGE A: “PROPERTY DAMAGE”

a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or

b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

Financial Institution Litigation:

Does the loss of use of credit/debit cards and the need to replace them constitute “property damage” under CGL policies?

COVERAGE B: “PERSONAL AND ADVERTISING INJURY”

Coverage B provides coverage for damages because of “personal and advertising injury.”

“Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

COVERAGE B: “A PERSON’S RIGHT OF PRIVACY”

Some courts hold that “privacy” means both the right of secrecy (publicity to private life) and the right to be left alone (intrusion upon seclusion)

Some courts hold that “privacy” only means the right of secrecy and does not include the right to be left alone

COVERAGE B: “PUBLICATION”

Courts Interpret “Publication” Differently.

Some require dissemination to the public at large
Some merely require dissemination to a third party
Some do not require dissemination at all

COVERAGE B: “PUBLICATION”

Recall Total Information v. Federal Ins. Co.

“Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.”

COVERAGE B: “PUBLICATION”

Travelers Indem. v. Portal Healthcare Solutions

“Publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it. By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not ‘published’ until a customer takes the book off the shelf and reads it. . . . [This] does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.”

SONY CORP

Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014)

Must the Insured do the Publishing
Publication is akin to “Pandora’s Box”
Phrase “in any manner” does not alter meaning of “publication”

POTENTIAL LIMITATIONS

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

COVERAGE UNDER OTHER “LEGACY” POLICIES

Directors' and Officers' (D&O)
Errors and Omissions (E&O)/Professional Liability
Employment Practices Liability (EPL)
Fiduciary Liability
Crime
  Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
Property
Commercial General Liability (CGL)

Roberta Anderson, K&L Gates

REMEMBER THE SNOWFLAKE

THIRD-PARTY COVERAGE

• Privacy and Network Security
  – Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code
  – Questions:
    – Coverage for the Acts, Errors, Omissions of Third Parties, e.g., Vendors?
    – Coverage for Data in the Care, Custody, Control of Third Parties, e.g., Cloud Providers?
    – Coverage for Proliferating and Expanding Privacy Laws/Regulations?
    – Coverage for Data in Any Form, e.g., Paper Records?
    – Coverage for Confidential Corporate Data, e.g., Third-Party Trade Secrets?
    – Coverage for “Rogue” Employees?
    – Coverage for Wrongful Collection of Data?
    – Coverage for TCPA Violations?

THIRD-PARTY COVERAGE

• Regulatory Liability
  – Generally Covers Amounts Payable in Connection with Administrative or Regulatory Investigations
  – Questions:
    – Coverage for Fines and Penalties?
    – Coverage for Consumer Redress Funds?
    – Regulatory Exclusion Carve Backs?
    – Sufficient Sublimit?
• PCI-DSS Liability
  – Generally Covers Amounts Payable in Connection with PCI Demands for Assessments, Including Contractual Fines and Penalties, for Alleged Non-compliance with PCI Data Security Standards

THIRD-PARTY COVERAGE

• Media Liability
  – Generally Covers Third-Party Liability Arising from Infringement of Copyright and Other Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising from the Insured's Media Activities, e.g., Broadcasting and Advertising
  – Questions:
    – Coverage for “Rogue” Employees?
    – Coverage for Media Content in Any Form, e.g., Printed Publications, or Limited to Digital Media Content?
    – Coverage Limited to Certain Locations of Media Content Display, e.g., on the Insured's Website or Social Media Sites?
    – Coverage for Liability Arising out of the Insured's Own Advertising Activities?
    – “Occurrence”-Based or Claims Made Coverage?
    – Appropriate for Media Companies?

DIC COVERAGE

• Third-Party Bodily Injury and Property Damage ~$100M

[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:

A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or

B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission].

Page 56: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

KLG ATES .COM

AVOID THE TRAPS

56

Page 57: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

57

Page 58: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

POLICY EXAMPLE 1

58

Page 59: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

POLICY EXAMPLE 2

59

Page 60: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

POLICY EXAMPLE 2

60

Page 61: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

61

Page 62: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

62

POLICY EXAMPLE 1

Page 63: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

63

POLICY EXAMPLE 1

Page 64: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

64

POLICY EXAMPLE 2

Page 65: Insurance Coverage for Data Breaches and Privacy Violations: Are …media.straffordpub.com/products/insurance-coverage-for... · 2015-05-18 · Continuing Education Credits For CLE

65

POLICY EXAMPLE 2


POLICY EXAMPLE 3


POLICY EXAMPLE 3


POLICY EXAMPLE 1


POLICY EXAMPLE 1


POLICY EXAMPLE 2


POLICY EXAMPLE 2


Any member of the “Control Group,” e.g., CEO, CFO, RM, CRO, CIO, GC


POLICY EXAMPLE


POLICY EXAMPLE 1


POLICY EXAMPLE 2


POLICY EXAMPLE 3


Request a “Retroactive Date” of at Least a Year


BEWARE THE FINE PRINT

REMEMBER THE DEVIL IS IN THE DETAILS


UNDERSTAND AND COMMUNICATE. YOUR. EXPOSURE.


William T. Um

Hunton & Williams


SPECIALTY “CYBER” POLICIES – FIRST PARTY

Information Asset Coverage

Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.

Legal Fees – notification

Network Interruption And Extra Expense (and CBI)

Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.


SPECIALTY “CYBER” POLICIES – FIRST PARTY

Extortion

Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)

Crisis Management/Public Relations

Costs to retain PR/Crisis Mgmt firm to protect and to restore policyholder’s reputation

Credit Monitoring/call center expenses

TIPS FOR A SUCCESSFUL PLACEMENT

Each legacy policy has its own coverage issues

Different products in the market

New insurance products can fill gaps

Need to evaluate the nature of risks for which coverage is needed

Need to tailor policies to actual cyber operations and dependencies

Need to make it part of an entire insurance program


FIRST COVERAGE DISPUTE INVOLVING CYBER POLICY?

Travelers Property v. Federal Recovery Services, Inc.

District Court for the District of Utah (May 11, 2015)

“CyberFirst” Policy

No duty to defend policyholder

Precedent setting?

Sign of things to come?


OTHER EMERGING COVERAGE ISSUES

Appointment of Defense Counsel/Forensics Panel

The Duty to Cooperate

Misrepresentation/Concealment in the Underwriting

Retroactive date

Reimbursement of Defense Costs

Other Insurance

Fraudulent or stretched claims


HYPOTHETICAL #1

A Company with third-party cyber insurance, but not first-party insurance, suffers a data breach. The GC does not want to hire counsel or ascertain its notification requirements, believing notification = litigation.


HYPOTHETICAL #2

Company obtains cyber insurance, providing during the application and underwriting process evidence of security protocols, DPPs with employees and DPAs with vendors. The company suffers a data breach. While providing crisis management response coverage, the insurer learns that data and security protocols were openly ignored or did not exist.


HYPOTHETICAL #3

A Company has its computer systems seized and receives a ransom demand to wire $20,000 within 5 hours or else its data will be deleted.

The Company pays within the hour, but prior to reporting to the Insurer.

The Company has no coverage, refuses, and the data is lost, shutting down its business.


HYPOTHETICAL #4

Company’s website publishes unflattering content and the company is sued for defamation. The insured has both media coverage under cyber insurance and a CGL policy issued by another carrier.
