
AMCF’s Legal Issues Update Webinar “Client Data Breaches: The Latest on Managing Your Risk and Legal Exposure ”


Presentation Transcript


  1. AMCF’s Legal Issues Update Webinar “Client Data Breaches: The Latest on Managing Your Risk and Legal Exposure”
     Audio Login Toll-Free (US & Canada): 866.740.1260, Access Code: 2623055
     Web Login Meeting URL: http://www.readytalk.com/?ac=2623055
     Support: U.S. and Canada: 800.843.9166 or help@readytalk.com, Access Code: 2623055
     This conference is being recorded.

  2. Questions
     Questions will be addressed at the end of the webinar but may be posed at any time. To ask a question, send your questions via chat to the chairperson. Your questions will be answered in the order they are received.

  3. AMCF Mission
     To promote an environment which fosters the success of management consulting firms and the value they deliver to their clients.

  4. Alex Zabrosky
     Alex W. Zabrosky is a business lawyer specializing in corporate and commercial law. He has a diverse international practice that focuses on counseling management consulting and professional services firms on all legal aspects of their businesses. Alex’s clients include firms engaged in management consulting, information technology consulting and implementation, financial and business advisory services, strategy, healthcare, operational improvement, forensics and litigation support, engineering and risk management, among others. His clients range from start-ups to middle market to major global consultancies. He received his law degree from The George Washington University Law School and his Bachelor’s degree from The University of Chicago.

  5. Agenda
     • Background of cyber liability
     • Case studies
     • Cyber liability today
     • How cyber insurance can help
     • Other issues
     • Q&A

  6. Kevin Kalinich
     Kevin Kalinich leads Aon’s national practice to identify exposures and develop insurance solutions related to Technology Errors and Omissions, Miscellaneous Professional Liability, Media Liability, Network Risk and Intellectual Property. Kevin Kalinich has been named an Aon Risk & Insurance “Power Broker” for 2007, 2008, 2009, 2010 and 2011. He joined Aon in September 2000, from Altima Technologies, where he served as Chief Executive Officer and led the successful launch of a Web-enabled software product that provides intelligent visualization of network equipment in the areas of telecommunications, data, cables, and computers. Kevin holds a Juris Doctor from The University of Michigan and received his B.A. degree in Mathematics, Cum Laude, from Yale University.

  7. Background of Cyber Liability Insurance
     [Timeline graphic, 2003 to 2011, not reproduced. Legend: Major Data Incident, Federal Law, Other State Law, Card Industry Standard. Items plotted include GLBA, HIPAA, CA S.B. 1386, Visa CISP, et al.*, PCI DSS, FACTA Red Flag Rule, HITECH, HR 2221, MA 201, NEV, NIST, the Plastic Card Security Act (MN), state breach disclosure laws adopted across most states and territories, and the Choicepoint, TJX, Citigroup, Amazon, Hannaford, Epsilon, Heartland, Sony, Comerica, DigiNotar and WikiLeaks incidents.]
     Implications:
     • Fines & Penalties
     • Injunctions
     • Oversight/Remediation requirements
     • Harm to Reputation
     • Criminal Indictments
     *Precursor to Civil Liability*
     * Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program

  8. The Need for Specialized Insurance
     Are these risks covered under traditional insurance policies?
     • General Liability: bodily injury & property damage
     • E&O policies: failure of defined services
     • Commercial Property Insurance: tangible property
     • Crime policies: money, securities, or tangible property
     • Kidnap and Ransom: extortion coverage

  9. Background of Cyber Liability Insurance
     “Intangible property” = covered “property” under traditional property and CGL policies?
     • American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000) (“intangible property” covered under Property Policy)
     • Eyeblaster, Inc. v. Federal Insurance Company, 613 F.3d 797 (8th Cir. 2010) (“loss of use” covered under CGL and financial injury covered under E&O unless “intentional” wrongful acts – cookies, flash)
     • America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F.3d 89 (2003) (“intangible property” not “tangible property” under CGL)
     Personal and Advertising Injury Coverage under General Liability Policy
     • Zurich American Insurance Co. v. Fieldstone Mortgage Co., No. CCB-06-2055, 2007 WL 3268460 (D. Maryland Oct. 26, 2007) (“duty to defend” violation of FCRA right of privacy, but “publication?”)
     • Netscape Communications Corp. v. Federal Insurance Co., 343 F. App’x 271 (9th Cir. 2009) (AOL violation of right of privacy covered under CGL)
     • Penzer v. Trans. Ins. Co. (Florida Supreme Court: “an advertising injury provision in a commercial liability policy that provides coverage for an oral or written publication of material that violates a person’s right of privacy provides coverage for blast-faxing in violation of TCPA”)
     Crime Policy
     • Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip opinion (S.D. Ohio March 30, 2009) (hacking & data breach covered under “Computer Funds & Transfer Fraud” endorsement)

  10. Background of Cyber Liability Insurance
     Insurance Services Organization (“ISO”) Response:
     • ISO Data Exclusion: “For the purposes of this insurance, electronic data is not tangible property.”
     • Electronic Data Liability Endorsement: provides coverage for loss and loss of use of electronic data resulting from physical injury to tangible property
     Subsequent cases:
     • State Auto Property & Casualty Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001): courts now generally find that PII data does not amount to “tangible property” because computer information lacks physical substance
     • Stollenwerk v. TriWest Healthcare Alliance, No. 03-0185 (D. Ariz. June 10, 2008) (no commonality of class interests)

  11. TJX Breach
     • July 2005 - December 2006: Incident Occurred
     • January 12, 2007: Incident Discovered
     • January 17, 2009: TJX Reports Breach
     • January 29, 2009: First lawsuit filed
     • $256,000,000 in total costs to date
     • TJX reached a $40.9 Million settlement agreement with banks that processed credit card transactions. This represented only a fraction of the $256 million+ cost of the breach.
     • “BUT WE HAD LOCKS.” Carol Meyrowitz, TJX CEO, June 6, 2007
     94,000,000 affected records

  12. Heartland Payment Systems Breach
     • May 15, 2008: Incident Occurred
     • January 12, 2009: Incident Discovered
     • January 20, 2009: Heartland Reports Breach
     • January 27, 2009: First lawsuit filed
     • $143,000,000 in known costs, including settlements with consumers, Visa ($60 MM), Mastercard ($41.4 MM), Discover ($2.5 MM) and American Express ($3.6 MM)
     • Affected over 250,000 merchants and 500+ financial institutions. Fourteen lawsuits have been filed against Heartland
     • “I JUST CAN’T BELIEVE IT HAPPENED TO US, OF ALL COMPANIES.” -- Bob Carr, CEO
     130,000,000 affected records

  13. Sony Playstation Breach
     • April 14, 2011 – April 19, 2011: First Incident Occurred
     • April 26, 2011: Sony reports incident
     • April 27, 2011: Sony mails notifications
     • April 27, 2011: First lawsuit filed, citing among other allegations “on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information”
     • $180,000,000+ projected cost
     77,000,000 affected records

  14. Hypothetical Breach Scenario – 150,000 Records
     Varies by claim, but typically 30% - 65% is uncovered: reputation damage, lost business, brand damage.

  15. Cyber Liability Insurance Today
     • 90% of 583 U.S. entities surveyed suffered a reported data breach within past 12 months (50%+ suffered 2 or more) (Ponemon Research/Juniper Networks)
     • 80% of breaches = total covered insurance claims < $1,000,000
     • 15% of breaches = total covered insurance $1,000,000-$20,000,000
     • 5% of breaches = total covered insurance > $20,000,000
     • Damages difficult to prove for individual consumers, even if Article III standing satisfied:
       • Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007)
       • Hammond v. The Bank of New York Mellon Corp. (June 25, 2010)
       • Ruiz v. Gap, Inc. (May 28, 2010)
       • Krottner v. Starbucks Corporation, No. 09-35823 (9th Cir. December 14, 2010)
       • Paul v. Providence Health System-Oregon, 237 Ore. App. 584 (App. Ct. Ore. 2010)
     • But see T. D. Ameritrade Settlement for $2.5 MM -- $6.5 MM (January 2011); Claridge v. RockYou declination to dismiss, C 09-6032 PJH (N.D. Cal. April 11, 2010); AOL LLC California Consumer Legal Remedy Act litigation, 719 F.Supp.2d 1102 (N.D. Cal 2010); and Hannaford Brothers Co., 613 F.Supp.2d 108 (D. Maine 2009) on appeal to 1st Cir. Ct. of Appeals (argued Sept. 8, 2011)

  16. Cyber Liability Insurance Today
     • Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy): negligence suit against insurance broker for not placing proper coverage
     • Zurich v. Sony, Declaratory Judgment Action: over 55 class action lawsuits alleging billions of dollars in damages (Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result.”
     • Hartford v. Crate & Barrel and Children’s Retail Stores (Declaratory Judgment Action with respect to GL Policy): over 125 class actions in California, led by Pineda v. Williams Sonoma, 51 Cal. 4th 524, 246 P.3d 612 (Cal. 2011) (zip codes are personal identification information protected by California’s Song-Beverly Act)
     • Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. filed May 23, 2011) (possible suits coming in New York, Delaware, Washington DC, Georgia, Kansas, Maryland, Minnesota, Nevada, New Jersey, Ohio, Oregon, Pennsylvania, Rhode Island, Wisconsin)

  17. Basic Coverages
     Third-Party Coverages
     • Network Security & Privacy Coverage: This covers loss resulting from breaches in network security or unauthorized access events.
     • Privacy Regulatory Proceeding Coverage: This coverage is generally provided as a sub-limited part of the Privacy Liability coverage, and it covers costs resulting from a civil, administrative, or regulatory proceeding that alleges the violation of a privacy law.
     • Media Liability Coverage: This coverage extends to media content produced by the Entity to be disseminated online or offline.
     First-Party Coverages
     • Event Management Coverage (also called Public Relations Expense Fund or Notification & Credit Monitoring Fund): This coverage will pay monies to help the Entity recover from a covered claim or failure of security.
     • Cyber Extortion: This covers extortion threats to commit an intentional computer attack against the Entity.
     • Information Asset: This covers damage to or theft of the Entity’s information assets due to a security failure.

  18. Markets & Capacity
     ACE, Arch, Aspen, AWAC/Darwin, Axis, Beazley, Brit, Catlin, Chartis, CNA, Chubb, Endurance, Evanston, Everest Re, Factory Mutual, Great American, Hartford, Hiscox, Hudson, Ironshore, Kiln, Liberty, Navigators, Novae, One Beacon, Pembroke, RLI, RSUI, Scor Re, Seneca, Specialty Global, Swiss Re, Travelers, USLI, Valiant, XL, Zurich +

  19. Breach Management Framework
     • Identify stakeholders
     • Establish analysis & communication protocols
     • Evaluate Vendor Needs
     • Remediation and recovery considerations
     • Stress test plan
     • Communication
     • Breach Containment
     • Harm Determination
     • Legal Analysis
     • Analyze Requirements
     • Consider Alternative Notice Methods
     • Notify in compliance with laws
     • Consider third party vendors for notification
     • Stagger Notification
     • Loss Trending
     • Loss Benchmarking
     • Limit Benchmarking
     • Retention Benchmarking
     • Exposure Modeling
     • Peer Loss Survey
     • E&O
     • CGL
     • Umbrella
     • Crime
     • EPLI
     • D&O
     • Privacy

  20. Cyber Liability Insurance Today
     [Diagram labels: Multimedia Liability, Vendor Risk, Professional Services, Network and Privacy]
     • World’s data will grow by 50X in next decade (IDC Digital Universe study)
     • IT security underwriting differentiates pricing, coverage & exclusions
     • Risk identification -- Type of information and quantity of electronic records
     • Loss Control Analysis
     • Exposure quantification
     • Insurance Gap Analysis and Design
     • Enhanced review of contractual risk management
     • Contractual allocation of liability with suppliers, partners, and customers
     • Increased scrutiny of vendor management and outsourcing
     • Cloud Computing
     • Social Networking Sites (Facebook, Twitter, LinkedIn)
     • Portable Wireless -- Technology Convergence
     • IT Security of outsourced IT vendors
     • Greater focus on Entity’s breach response plan
     • Past Loss/Incident history

  21. Cyber Liability Insurance Today: Companies Buying?
     “We have a firewall, so we are protected.”
     “We have antivirus protection, so we are not at risk.”
     “We have the best IT department.”
     “Why would our organization be a target?”
     “We don’t have an e-commerce website, so we are not at risk.”
     “We are compliant with PCI, HIPAA, GLBA, etc., so we are not at risk.”
     “No one else is buying this coverage… why should we?”
     “Privacy and Security exposures apply solely to retailers, healthcare, education, consulting, data processors, data storage, hospitality, entertainment/gaming and financial institutions.”
     “Our discretionary budget has been eliminated in this down economy.”

  22. Mark Camillo
     Mark Camillo is Vice President in the Executive Liability Professional Liability Division of Chartis and is responsible for the Technology and Security/Privacy suite of products. Prior to this role, Mark was responsible for the Personal Identity Coverage (PIC) and Payment Fraud Products. Mark joined Chartis in 2001 and has held positions of increasing management responsibility in various parts of the organization including eBusiness Risk Solutions, Affinity Group, A&H, Professional Liability, and the Fidelity team. Prior to Chartis, Mark worked in sales, marketing, and product development for Dun & Bradstreet (D&B) and SITEL Corporation. Mark has a Master of Business Administration from SUNY Buffalo and a B.S. from the University of Wyoming.

  23. How Cyber Coverage Can Help
     • Comprehensive Third & First Party Coverage
       • Security & Privacy Liability (3rd Party)
       • Event Management (1st Party)
       • Cyber Extortion (1st Party)
       • Network Interruption (1st Party)
     • Flexible ‘Coverage Section’ Approach Allows Insureds to Customize Coverage Components
     • Coverage Can Be Combined with E&O, Media, and Corporate Counsel Coverages or Offered Standalone
     • Flexible Coverage Sublimits to Meet the Specific Needs of an Individual Insured

  24. Security & Privacy
     • Security & Privacy Insurance responds to important third party liability for claims arising from:
       • A failure of the insured’s network security
       • A failure to protect personally identifiable information, including disclosures as a result of social engineering attacks (e.g., phishing)
       • Violation of any federal, state or local privacy statute alleged in connection with failure to protect confidential information
     • Duty-to-Defend coverage
     • Broad definition of “confidential information” and “computer system”
     • Coverage extends to information held by “Information Holders”
     • Endorsement available for regulatory fines/penalties and PCI assessments

  25. Event Management
     • Responds to the costs to retain services to assist in managing and mitigating a covered privacy or network security incident
     • Includes costs to notify consumers of a release of private information
     • Costs of credit-monitoring or other remediation services to help minimize damages. Credit monitoring not limited to 12 months
     • Forensic Investigation Coverage
     • Public Relations/Legal Assistance Expense Coverage
     • Call Center Services
     • Goodwill notification – not limited to state notification or legal requirements
     • Can be offered on a Monetary (Insured uses own vendors) or Number of Affected Persons (Insurer handles) basis
     • Includes costs associated with losses to information assets such as customer databases

  26. Cyber Extortion and Network Interruption
     • Cyber Extortion Insurance pays to settle network security related extortion demands made against the insured.
       • Triggers when there is a threat to commit a computer attack against the insured and a demand for money to terminate the threat
       • Includes the costs of investigations to determine the cause of the security threat and to settle the extortion demand
     • Network Business Interruption Insurance responds to an insured’s loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security
       • Broad definition of loss includes lost business income, normal operation expenses (including payroll) and those costs that would not have been incurred but for the interruption
       • System Failure can be added by endorsement
       • Limited coverage for outsource provider - $100,000
       • Waiting hour period applies

  27. E&O vs. Security and Privacy
     • E&O does not include first party coverages
       • Event Management/Crisis Response
       • Information Asset
       • Cyber Extortion
       • Network Interruption/System Failure
     • S&P includes coverage for regulatory actions
       • Defense Costs
       • Regulatory fines/penalties
     • S&P has option to cover PCI fines/assessments
     • E&O triggered by “wrongful act” vs. S&P “failure to protect” or “security failure”
       • S&P covers rogue employee

  28. Other Issues
     • Requests for Project Specific Insurance
     • Aggregation/Capacity Issues
       • Insurer needs to reserve capacity for additional limits
     • Tie-In of Limits
     • Fronting Arrangements
     • Additional Insured
       • any entity which a Company is required by contract to add as an Insured under this SPL Coverage Section, but only for the Wrongful Acts of a Company

  29. Other Issues (cont)
     • Notice of Cancellation
       • In consideration of the premium charged, it is hereby understood and agreed that in the event this policy is canceled by the Insurer in accordance with paragraph (b) of Clause 8. CANCELLATION, the Insurer will use its best efforts to deliver to the entity listed below written notice stating when, not less than thirty (30) days thereafter (ten (10) days in the event of cancellation by the Insurer for non-payment of premium), the cancellation shall be effective:
       • [NAME AND ADDRESS FOR NOTICE]
       • Provided, however, that any failure to notify such entity shall not impair or delay the effectiveness of any such cancellation.

  30. Questions
     To ask a question, type your questions via chat and send to the chairperson. Your questions will be answered in the order they are received. If we do not have time to address your question you may submit questions via email to: info@amcf.org.

  31. Contact Information
     AMCF, 370 Lexington Ave. Suite 2209, New York, NY 10017, (212) 262-3055, info@amcf.org
     Kevin P. Kalinich, J.D., Financial Services Group, National Managing Director, Professional Risk Solutions, A Division of Aon Risk Services Central, Inc., P: 312.381.4203, kevin.kalinich@aon.com
     Alex W. Zabrosky, Drinker Biddle & Reath LLP, 191 North Wacker Drive Suite 3700, Chicago, Illinois 60606-1698, Phone: (312) 569-1144, Email: alex.zabrosky@dbr.com
     Mark Camillo, Vice President Professional Liability, Chartis Insurance, 212-458-1355, Mark.Camillo@chartisinsurance.com
