insurance coverage for data security...
TRANSCRIPT
![Page 1: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/1.jpg)
CLICK ON EACH FILE IN THE LEFT HAND COLUMN TO SEE INDIVIDUAL PRESENTATIONS.
If no column is present: click Bookmarks or Pages on the left side of the window.
If no icons are present: Click View, select Navigational Panels, and chose either Bookmarks or Pages.
If you need assistance or to register for the audio portion, please call Strafford customer service at 800-926-7926 ext. 10
Insurance Coverage for Data Security BreachesEvaluating Policy Options, Overcoming Coverage Challenges,
Analyzing Litigation Trendspresents
Today's panel features:Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C.
Joan D'Ambrosio, Partner, Clyde & Co., San FranciscoJoshua Gold, Shareholder, Anderson Kill & Olick, New York
Wednesday, October 21, 2009
The conference begins at:1 pm Eastern12 pm Central
11 am Mountain10 am Pacific
The audio portion of this conference will be accessible by telephone only. Please refer to the dial in instructions emailed to registrants to access the audio portion of the conference.
A Live 90-Minute Teleconference/Webinar with Interactive Q&A
![Page 2: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/2.jpg)
Insurance Coverage for Data Security Breaches
Evaluating Policy Options, Overcoming Coverage Challenges, Analyzing Litigation
TrendsPresenter:
Donna L. Wilson(202) 342-8475
A Live 90-Minute Teleconference Program withInteractive Q&A
Wednesday, October 21, 20091:00 p.m. Eastern Time / 12:00 p.m. Central Time /
11:00 a.m. Mountain Time / 10:00 a.m. Pacific Time
![Page 3: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/3.jpg)
2
General Areas In Which Privacyand Data Security Litigation Erupts
Data Security
Data Use
Data Collection
Privacy Invasion
Property Damage
![Page 4: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/4.jpg)
3
Legal Theories
Common Law
Negligence
Duty, breach, injury, causation
Bailment
Invasion of Privacy
Breach of Contract
Breach of Fiduciary Duty
![Page 5: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/5.jpg)
4
Legal Theories (cont’d)
Statutory (State & Federal) FACTA FCRA Song-Beverly Act (CA) Data breach notification statutes Others – Video Privacy Protection Act, Electronic
Communications Privacy Act, Telephone Consumer Protection Act, etc.
![Page 6: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/6.jpg)
5
Data Security
The Good News To date, most cases have been unsuccessful, especially in class
action context and/or where plaintiffs have suffered no actual damages. See, e.g., Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007).
Plaintiffs have been more successful in cases involving actual damages, especially cases involving an individual rather than a class. See, e.g., Kahle v. Litton Loan Serv’g LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007).
![Page 7: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/7.jpg)
6
Data Security (cont’d)
The Bad News Theories are evolving, and arguably courts are beginning to
recognize a duty to provide data security. See, e.g., Cobell v. Norton, 391 F.3d 251 (D.C. Cir. 2004).
Privacy statutes, along with associational standards such as PCI, may make it easier for plaintiffs. Even though such statutes do not provide a private right of action, they arguably provide the standard of care. See, e.g., Desantis v. Sears, Roebuck & Co., No. 08-CH00448, complaint filed (Ill. Cir. Ct., Cook County, Jan. 4, 2008)
![Page 8: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/8.jpg)
7
Data Security (cont’d)
The Bad News (cont’d) Compliance may not shield your company from litigation in the event of a
security breach. See, e.g., Assner v. Hannaford Bros. Co., Case No. 2:08-cv-00095, complaint filed (D. Maine March 25, 2008) (class action against grocery chain who was PCI compliant; alleges credit and debit card numbers and expiration dates were accessed during transmission of card authorization).
Recent settlements in cases involving worst-case scenarios may only embolden plaintiffs’ lawyers.
![Page 9: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/9.jpg)
8
Litigation Trends and Risk Avoidance
Plaintiffs will continue to have difficulties making out a claim, especially in the class action context, except in two situations: (1) in cases of data breach where there is actual identity theft/damages; (2) under statutes that do not require actual damages and provide for civil penalties.
In cases of data breach, expect more ancillary litigation between and among the companies suffering the breach and third parties such as credit card associations, issuers, vendors, etc.
![Page 10: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/10.jpg)
9
Litigation Trends and Risk Avoidance
As privacy-related statutes proliferate, especially on the state level, exercise care. Consult regularly with counsel to keep up to date with the latest developments, and better yet, work with your trade association and other organizations to ensure that your interests are safeguarded when well-intentioned but ultimately misdirected legislation is introduced.
But don’t forget insurance….
![Page 11: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/11.jpg)
10
Types of Coverage
Comprehensive General Liability (“CGL”) Errors and Omissions (“E&O”) “Cyber-risk” (e.g. Network Security &
Privacy, Cyber Terrorism, etc.)
![Page 12: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/12.jpg)
11
Case Law
Third-party “personal information” cases American Family Mutual Ins. Cp. v. C.M.A. Mortgage
Inc., No. 06-1044, 2008 U.S. Dist. LEXIS 30233 (S.D. Ind. Mar. 31, 2008).
Netscape Comm. Corp. v. Federal Ins. Co., No. C06-00198, 2007 WL 2972924 (N.D. Cal. Oct. 10, 2007).
Zurich American Ins. Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007).
Whole Enchilada Inc. v. Travelers Property & Cas. Co., No 07-1533, slip op. (W.D. Pa. Sept. 29, 2008).
![Page 13: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/13.jpg)
12
Case Law (cont’d)
Third-party “Invasion of Privacy” Claims See Am. States Ins. Co. v. Capital, 392 F.3d 939 (7th
Cir. 2004). Resource Bankshares Corp. v. St. Paul Mercury, 407
F.3d 631 (4th Cir. 2005). Park Univ. v. Am. Cas. Co. of Reading, 442 F.3d 1239
(10th Cir. 2006). Valley Forge Ins. Co. v. Swiderski Elecs., Inc., 834
N.E.2d 562 (Ill. App. Ct. 2005).
![Page 14: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/14.jpg)
13
Case Law (cont’d)
Third-party “property damage” claims America Online v. St. Paul Mercury, 347 F.3d 89 (4th
Cir. 2003). State Auto Property & Casualty v. Midwest Computers &
More, 147 F. Supp. 2d 1113 (W.D. Okl. 2001). Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46
P.3d 1264 (N.M. Ct. App. 2002).
![Page 15: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/15.jpg)
14
How Can Corporate Policyholders Protect Themselves? Comprehensively evaluate the risk your company faces. Read and understand policies before paying the premium. Do not accept conventional wisdom, or what insurers or
brokers say regarding coverage – “underwriting at the point of claim.”
Examine all policies for potential coverage. Satisfy all obligations placed on the policyholder, e.g. provide
proper and timely notice, cooperate with insurer regarding defense, etc.
When in doubt, submit the claim.
![Page 17: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/17.jpg)
October 21, 2009
Insurance Coverage for Data Breaches
Joan N. D’AmbrosioClyde & Co US LLP
![Page 18: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/18.jpg)
Insurance Coverage for Data Breaches
Insurance Coverage for Data Breaches
l Increasing sophistication and complexity of breaches
l Available coverage�First party privacy notification costs�Crisis management�Business information �Business interruption�Regulatory proceedings�Third party claims�Cyber extortion
l Common exclusionsl Policy requirements re business
practices
2
![Page 19: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/19.jpg)
Increasing Sophistication and Complexity of Breaches
Increasing Sophistication and Complexity of Breaches
l Increasing instances of �More sophisticated breaches
� Lawsuits
�State Attorney General involvement
� Larger numbers of affected individuals
l Coverage is evolving to adapt
3
![Page 20: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/20.jpg)
First Party Privacy Notification Costs
First Party Privacy Notification Costs
l What is involved?�Requirements regarding notification to
affected individuals
�Requirements regarding notification to governmental authorities
l What is covered?�Depends on policy
�Forensic investigation
�Cost to provide notice required by law
�Attorney fees to determine required response under law
�Public relations consultant
�Credit monitoring
�Sublimits, retentions and co-insurance
4
![Page 21: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/21.jpg)
Crisis ManagementCrisis Management
l Public relations feesl Mitigation of reputational damage
l Some policies include notification costs under crisis management cover
5
![Page 22: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/22.jpg)
Business InformationBusiness Information
l Lost company data�First party
�Customer lists, account information
�Not necessarily PII
6
![Page 23: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/23.jpg)
Business Interruption Loss
Business Interruption Loss
l First party income loss�Required data for proof of loss
�Sublimits
l Forensic expenses
7
![Page 24: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/24.jpg)
Regulatory ProceedingsRegulatory Proceedings
l State attorney general investigationsl FTC investigations
l FCC investigationsl SEC investigations
l DOJ investigations
l Other governmental investigations – US, EU, Japan, China…
l Sometimes covered, sometimes excluded
8
![Page 25: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/25.jpg)
Cyber ExtortionCyber Extortion
l Extortion payments l Security consultant fees to prevent or
terminate extortion threats
9
![Page 26: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/26.jpg)
Third Party ClaimsThird Party Claims
l Theft of PII/PHI�Standing issues continue to evolve
- Actual vs. fear of identity theft
- Whether time/effort spent addressing breach is enough
l Violations of privacy laws�State laws
�HIPAA Violations- Health Information Technology for Economic and
Clinical Health Act (HITECH)
�Fair Credit Reporting Act/Fair And Accurate Credit Transactions Act
�Gramm-Leach-Bliley Act
l Privacy policy violations
10
![Page 27: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/27.jpg)
Common ExclusionsCommon Exclusions
l Consumer protection lawsl Contractual obligations
l Unlawful collection of PIIl Failure to comply with required security
procedures
l Unprotected data
l Failure to maintain privacy policyl Prior knowledge
l Retroactive date
l Criminal/dishonest actl FTC/FCC/governmental actions
11
![Page 28: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/28.jpg)
Common Policy Requirements Re Business Practices
Common Policy Requirements Re Business Practices
l Computer security �Software
�Network hardware
�Antivirus and intrusion detection
�Firewalls
� Information security policies and procedures
l Laptopsl Privacy policy
l Insurance is not the only answer
12
![Page 29: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/29.jpg)
A Live 90-Minute Teleconference Program with Interactive Q&A
Wednesday, October 21, 20091:00 p.m. Eastern Time / 12:00 p.m. Central Time /
11:00 a.m. Mountain Time / 10:00 a.m. Pacific Time
Presenter:Joshua Gold
(212) [email protected]
Insurance Coverage for Data Security BreachesEvaluating Policy Options, Overcoming Coverage
Challenges, Analyzing Litigation Trends
![Page 30: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/30.jpg)
2 931808v1©2009 Anderson Kill & Olick, P.C.
All Rights Reserved.
Policies Covering Loss
• Take Inventory of Policies• GL, D&O, E&O, Crime, All Risk
Property, Cyber Policies• 1st Party, 3rd Party, Hybrid Coverage
Issues
![Page 31: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/31.jpg)
3 931808v1©2009 Anderson Kill & Olick, P.C.
All Rights Reserved.
Hard-Fought Claims
• U/Ws Don’t Like These Claims• Existing Policies In Flux• Stand Alone Policies In Flux• Some Insurance Companies Will Honor
Coverage, Others...
![Page 32: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/32.jpg)
4 931808v1©2009 Anderson Kill & Olick, P.C.
All Rights Reserved.
Coverage Fights
• U/W Intent and Policyholder Expectations
• Other Insurance• Allocation
![Page 33: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/33.jpg)
5 931808v1©2009 Anderson Kill & Olick, P.C.
All Rights Reserved.
Coverage Terms
• Virus Coverage or Exclusions• Virus Defined in a Manner that Might
Affect Hacker Coverage• “Confidential” Information vs. Trade
Secrets vs. Customer Information• Coverage for Regulatory Matters
(e.g., FTC)
![Page 34: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/34.jpg)
6 931808v1©2009 Anderson Kill & Olick, P.C.
All Rights Reserved.
More Coverage Issues
• Data Security Efforts and Policyholder Protective Measures
• Coverage for Network Computers Only?• What about Laptops?• Insured Property / Locations / Premises• Where are Servers / Computers
Housed?
![Page 35: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/35.jpg)
7 931808v1©2009 Anderson Kill & Olick, P.C.
All Rights Reserved.
Time Sensitive Provisions
• Fear of Reporting Claims?• Timely Notice• Proofs of Loss• Suit Limitation Clauses
![Page 36: Insurance Coverage for Data Security Breachesmedia.straffordpub.com/products/insurance-coverage... · 10/21/2009 · Donna L. Wilson, Partner, Kelley Drye & Warren, Washington, D.C](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f82780f41558729f3424377/html5/thumbnails/36.jpg)
8 931808v1©2009 Anderson Kill & Olick, P.C.
All Rights Reserved.
Litigation Issues
• Not a Ton of Precedent• What Exists is Not Uniform• Careful What Gets Disclosed During
Discovery:– E.g., Sensitive Data, Customer Information,
Network Security Blueprints