Protecting your company from a data privacy or cybersecurity breach


Robert P. Thavis and Stephen J. Cosentino

Cybersecurity and Privacy

  • How will the Cybersecurity Framework affect consumer privacy?

  • Consumer privacy law continues to focus on disclosure

  • Those working in privacy compliance will need to determine whether that disclosure focus should extend to the cooperative exchanges of threat data contemplated by the Cybersecurity Framework

Cybersecurity and Privacy

  • California Privacy Law Changes for 2014

    • Operators must disclose how they respond to web browser Do Not Track signals

    • Operators must disclose whether third parties collect PII about a consumer’s online activities over time and across different websites

    • Intended to target cross-site tracking by ad networks such as Facebook FBX and Google AdSense

  • The focus is on disclosure and awareness

Cybersecurity and Privacy

  • Children’s Online Privacy Protection Act (COPPA) Changes for 2013

    • Similar focus on information sharing with third parties

    • Closes a loophole that allowed kid-directed apps and websites to let third parties collect personal information from children through plug-ins without parental notice and consent

Cybersecurity and Privacy

  • Financial industry privacy requirements focus on disclosure and choice

  • Emphasis on distinguishing between the company and third parties

  • Uniformity of the Gramm-Leach-Bliley (GLB) privacy notice is very important

  • Cybersecurity Framework-related disclosures don’t fit well into that format

Cybersecurity and Privacy

  • Cybersecurity-related disclosures continue to be broad and vague

  • GLB Model Policy

    • “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law”

  • Typical website disclosures

    • “We work to protect your information in transmission using Secure Sockets Layer (SSL)”

    • “We strive to keep your information safe and secure”

    • Followed by the obligatory disclaimer that no system is completely secure

Cybersecurity and Privacy

  • COPPA Amendments do address data security

    • Covered website operators and online service providers must take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential

    • But the requirement still lacks any technical detail about what “reasonable steps” or “capable” means

HIPAA Data Breach Requirement

  • Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act

  • Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information

HIPAA Data Breach Requirement

  • Definition of Breach

    • Impermissible use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual

    • Note: the January 2013 HIPAA Omnibus Rule replaced this “significant risk of harm” standard; an impermissible use or disclosure is now presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI has been compromised

  • Breach Notification Requirements for CE’s

    • If the CE has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute individual notice, either by posting the notice on the home page of its website or by providing notice in major print or broadcast media where the affected individuals likely reside

HIPAA Data Breach Requirement

  • Breach Notification Requirements for CE’s

    • If the CE has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means

    • The final exception to the definition of breach applies if the covered entity or business associate has a good-faith belief that the unauthorized individual to whom the impermissible disclosure was made would not reasonably have been able to retain the information

Iowa Data Breach Requirement

  • Scope of Iowa Law (Iowa Code 715C)

  • Personal information: first name or first initial and last name, in combination with any of the following when unencrypted:

    • Social Security number or driver’s license number

    • Financial account number, credit card number, or debit card number, together with any security code that would permit access to the account

    • Unique electronic identifier or routing code, together with any required security or access code

    • Unique biometric data (fingerprint, retina image, etc.)

Iowa Data Breach Requirement

  • Scope of Iowa Law

  • Breach of Security is the unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the information

  • Exception for good-faith acquisition by a person who is not a threat (e.g., an employee or agent acting for a legitimate purpose of the business), so long as the information is not misused or further disclosed

Iowa Data Breach Requirement

  • Consumer Notice

    • Made in the most expeditious manner possible and without unreasonable delay

    • Consistent with the measures necessary to determine the contact information of consumers and the scope of the breach, and to restore the integrity, security, and confidentiality of the data

    • Contains an exception permitting delay when a law enforcement agency determines that notice would impede a criminal investigation

    • Some discretion. Notice is not required . . .

      • If, after an appropriate investigation or after consultation with law enforcement, the entity determines that there is no reasonable likelihood of financial harm to the affected consumers

      • However, the entity must retain documentation supporting that determination for five years

Iowa Data Breach Requirement

  • Notice

    • Methods for Notice

      • Written notice, or electronic notice if the entity’s customary method of communicating with the consumer is electronic or if consistent with the federal ESIGN Act

      • Substitute notice if the cost of notice would exceed $250,000, the affected class is more than 350,000 people, or the entity has insufficient contact information

        • Email, conspicuous posting on the entity’s website, or notice to major statewide media

      • If the breach affects more than 500 Iowa residents at one time, written notice must also be provided to the State Attorney General’s consumer protection division within five business days after consumer notice is given

      • Violations are an unlawful practice under Iowa’s Consumer Fraud Act, subject to a civil penalty of up to $40,000 per violation

Coverage for cyber risks

  • Cyber-related risks are perhaps both the most likely and the most significant new risks to have developed over the past 25 years

  • One of the most difficult risks to manage:

    • Difficult to anticipate what insurer will agree is covered

      • Every case sets a precedent

      • Good rule of thumb — big losses not covered

    • Difficult to anticipate what will be found covered under existing policies

      • Not much case law

      • Early case law muddled

First party cyber coverage

  • Property/Casualty Coverage

    • Physical injury to tangible property

      • Compromised equipment (heat, water exposure, warranty)?

    • Hacking/attacks covered?

      • Strangers only, or are disgruntled employees’ acts covered?

      • Definition of insured/insured v. insured exclusion

      • Military action/EMP exclusion?

  • Business Interruption

    • Is it covered?

    • Source of shutdown covered? Power, water

    • Slow-down versus shut-down/working from home?

    • Limits and proof of loss

First party cyber coverage

  • Valuable Papers/Data Restoration

    • Do you have it/limits

    • Backup required?

  • Crime

    • One from Column A not enough

    • Remote access excluded or required?

    • Theft by employees/versus outsiders?

  • Ultimately, Need Express Cyber Language

Cyber liability coverage

  • General Liability Coverage

    • Physical damage to tangible property

      • DoS (denial of service), data loss, exclusivity of the data lost, data corruption — perhaps not covered, because data is generally not “tangible property”

    • Loss of use of tangible property not physically damaged

      • Impact on computers and computer-run equipment/operations

        • Slow-down versus shut-down

    • Personal injury

      • Defamation

      • Loss of privacy

Cyber Coverage

  • Errors & Omissions Coverage

    • Tailoring required — the “professional services” definition is the heart of the coverage

    • Nothing is certain — Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)

      • “Arising out of” contract

      • Intended act versus intended injury

      • Every case sets a precedent

Cyber Coverage

  • Directors & Officers (and Entity) Coverage

    • Any significant company event, including breach, can give rise to shareholder class suits, derivative suits, consumer class suits, competitor suits and regulatory actions

    • Disclosure obligations

      • SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2 (Cybersecurity), October 13, 2011

        • Disclosures from private companies?

    • Entity coverage and Side A protections

Cyber liability coverage

  • Regulatory Aftermath

    • Historically most data breaches in financial and healthcare industries

    • Data breaches trigger enforcement actions under FCRA, HIPAA, numerous other consumer protection statutes

    • Regulatory actions may or may not be covered, depending on how the policy treats:

      • Violation of statutes

      • Claim for “damages”

Cyber Coverage

  • Specialty Cyber Policies

    • Different Historical Antecedents and Approaches

      • Replacements for advertising injury coverage

      • Specialized E&O coverage

      • Utilities approach

      • Crime/fraud approach

      • Terrorism/extortion coverage

    • Reason for the piecemeal approach: no insurer is willing to provide blanket coverage

      • Can’t gauge risks today

      • Cyber risks have short half-life; certainly can’t predict risks tomorrow

    • Caveat Emptor/do your homework — No standardization until market matures


Robert P. Thavis

Stephen J. Cosentino