Cyber Liability: Data, Privacy and the Perils of Social Networking

1 Cyber Liability: Data, Privacy and the Perils of Social Networking

2 What Exactly Is Cyber Liability?

3 Challenges of Cyber Liability
Stupendous growth of electronic data storage and communication has created new challenges for business entities.

Our Dependence on All Things Electronic
- 1.8 Billion people using the Internet
- Text, E-mail, Billing Systems, Payment Systems, Business Operations, Blackberry, Smartphones

4 Two Challenging Types of Claims
- Cyber-Privacy: Claims arising from a compromise of employee cyber-privacy
- Data Breach: Claims arising from a breach of company data (first and third-party)

5 Response by Insurance Carriers
Carriers recognize that cyber-related claims require a new approach, including tailored policies and careful handling.

New Policies are Being Created
- Enhanced Privacy Endorsements
- Technology and Media Coverage add-ons
- EPL enhancements

6 Employee Cyber-Privacy Claims

7 Employee Privacy and Discrimination Claims
- Employer makes employment decisions from social networking site
- Employer accesses private e-mail
- Employer accesses text messages
- Disparate application of employer policies
- E-mails and Social Networking— harassment claims

8 Legal Claims From Employees--Negligence claims Employer Action
- Discrimination and Retaliation (Title VII, ADEA, etc.)
- First Amendment speech
- Common law torts- privacy
- ECPA- wiretapping act
- SCPA- stored communications

9 Volatile Mix Leads to Potential Discrimination Claims
Potential employers are increasingly investigating those sites

10 Liability Risks Posed by Social Networking
Traditional EPL Claims:
- Hiring/Termination Claims--Title VII, ADA, ADEA
- Disparate Treatment Claims --Inconsistent Application of Social Networking Policies

Newer EPL “Social Networking” Claims:
- Accessing personal e-mail, texts, social sites
- Defamation, Libel, Breach of Privacy, Punitive Damages Due To “Willful” Acts

11 Cyber Privacy Claims City of Ontario v Quon
- Does Fourth Amendment Protect Electronic Communications
- Employer audited City-owned Pager
- Discovered sexually explicit messages (wife, girlfriend, buddy)
- All sued city and Arch
- Ninth Circuit—Arch violated SCA and city violated 4th amendment

12 Inquiring Employers…What are Employees Saying ?
Konop v. Hawaiian Airlines
- Pilot maintained a private website where he criticized employer
- Manager obtained password from employee who was a member
- Ct Denied SJ—issue whether employee had authority to authorize mgt to access private website

13 Accessing MySpace Pietrylo v Hillstone Restaurant Group
- Employees created password-protected MySpace page to complain
- No managers allowed
- Manager got log-in from e’ee
- Employees fired; then sued
- NJ Fed Ct: e’ee coerced into giving p’wd
- Jury: SCA and state law violations
- Jury Verdict upheld

14 Accessing Private Account Emails
Van Alstyne v. Electronic Scriptorium Ltd.
- Non-Compete case, e’er accessed private accounts using info left on e’ee’s computer: E’ee counter sued
- SCA allows for statutory damages in the event any actual damages are proven-E’ee awarded 400k
- SCA permits punitive damages and attorneys’ fees
- Statutory damages --proof of actual damages

15 Accessing Personal Email left by Employee
Pure Power Boot Camp v Warrior Fitness Boot Camp
- Non-compete case, E’er accessed personal e-mail on e’er’s computer
- Handbook: E’ee no right of privacy..
- Handbook did not expressly cover employee’s personal accounts
- E’ee had right of privacy

16 Risk Management— Cyber Privacy Policies
- Content of the policy --clear and appropriate
- Specify all communications (not just work-related) are owned or will be monitored by the Insured
- Policy should apply to both work accounts and private e-mails and accounts
- SCA consent authorization
- Blogging– Restrict Comments about E’er

17 Data Breach Claims

18 Claim Examples – Data Breach
- Online retailer hacked and customer credit card information is stolen: regulatory and class actions
- Companies unknowingly spread a worm, facing liability from those parties based upon lost revenues caused by the virus.
- Disgruntled employee deletes the company’s databases, causing business interruption
- Computer hacker floods a company’s website, overwhelming the system and causing it to crash.
- Private medical info is stolen or disclosed, leading to a suit for defamation and invasion of privacy.

19 Compromised Data
- 285 Million records were compromised in 2008
- 25% of Companies With IT Outage for 2-6 days go bankrupt immediately

20 Heartland Payment Systems: credit card numbers of clients
- Cost: $12.5 Million in legal fees, costs and settlements
- Credit Card Numbers are purchased by “information gangsters”

21 Dave & Busters: FTC Complaint
- Intruder exploited vulnerabilities in systems
- 130,000 unique credit cards stolen
- Issuing Banks Claimed over $500,000 in unauthorized charges
- Settled

22 Before TJ Maxx, no recognized private cause of action for data breach
Judge let three theories survive:
- Two theories of negligent misrepresentation regarding their cyber security
- Lack of security measures amounted to Unfair and Deceptive Business Practice

Outcome:
- Settled with Banks for $525,000
- Total Cost over $40 million

23 Data Breach Claims
The potential claims are at least as varied as the potential claimants:
- Actual loss (theft) of customer, client or employee data
- Extortion based on a threatened loss of customer, client or employee data
- Monitoring or repairing of credit reports for those affected by a data breach
- Notices issued to those affected by a data breach
- Public relations activity necessitated by a data breach
- Remediation and repair of systems due to a data breach
- Lost profits caused by a data breach

24 Data Breach Claims Are on the Rise
Depending on the type of breach, costs can vary significantly, from $750,000 to $31,000,000 in 2009.

25 Data Breach Claims Are on the Rise
The average per-customer cost of data-breach claims has increased over the last year alone.

26 Data Breach Claims Are on the Rise
The increased per-customer cost translates to large increases in costs per breach.

27 Data Breach – Sources of Loss
What are the sources of potential loss to the insured? While the most common (and most elusive) source of loss is a civil action by the individual affected by the breach, there are other sources of potential liability for the insured:
- Violation of “Red Flag Rules” (requiring entities to implement an identity theft prevention program) under the Fair and Accurate Credit Transactions Act, enforced by the Federal Trade Commission (“FTC”)
- Health Information Technology for Economic and Clinical Health Act, enforced by the FTC and the Department of Health and Human Services
- Children’s Online Privacy Protection Act
- CAN-SPAM Act
- Gramm-Leach-Bliley Act
- Fair Credit Reporting Act
- Computer Fraud and Abuse Act
- Federal Privacy Act
- State attorney general actions and consumer protection laws

28 Data Breach – Potential Damages
What are the potential damages to which the insured could be exposed? Depending on governmental involvement, the strategy of the claimant, and the approach of the Insured, multiple damages are possible:
- Compensatory damages (although difficult to prove)
- Consequential damages
- Punitive damages
- Fines and fees (imposed by regulatory agencies)
- Remediation of hardware and software
- Lost profits and goodwill
- Notification of affected individuals/entities
- Monitoring of affected individuals/entities

29 Federal “Red Flags” Rules
- The “Red Flags Rules” were promulgated under the Fair and Accurate Credit Transactions Report Act. 16 CFR
- Any company holding credit data could be subject
- Requires a Written Identity Theft Prevention Program
- June 1, 2010 Implementation

30 Insurance For Cyber Claims

31 Gaps in Traditional Insurance Policies
- Property Insurance policies – “Property”: Tangible vs. Intangible
- D&O: Property exclusion; Professional services exclusion; not covered by insuring clauses
- Crime/Fidelity policies – Tangible Property
- CGL: Exclusions for losses associated with unauthorized access by third parties.
- Errors & Omissions policies – Generally exclude security breaches or damages arising from unauthorized access.
- EPL policies – Not covered by Insuring Clauses.

32 Cyber Liability – Covered Risks
Generally, cyber liability policies address two types of risks:
- First Party: losses suffered directly by the Insured
- Third Party: losses associated with the Insured’s liability for damages suffered by a third party

33 First Party Losses
- Business interruption costs
- Crisis management and public relations costs
- Privacy notifications and credit monitoring costs
- Costs associated with theft or vandalism of a company’s network or systems
- Upgrades in network security

34 Third Party Losses
- Disclosure Injuries: unauthorized access to or dissemination of a third party’s private information
- Content Injuries: copyright, trademark, trade secrets or other intellectual property claims
- Reputation Injuries: libel, slander, defamation, invasion of privacy claims
- System Injuries: security failures or virus transmissions that harm the computer systems of third parties
- Impaired Access Injuries: customers cannot access their accounts or information

35 6 Separate Insuring Clauses!
1) Technology Security Wrongful Act
2) Privacy Wrongful Act
3) Private Information Breach
4) Web Media Services Wrongful Act
5) Extortion Loss from Technology Threat
6) Data Restoration Loss from Breach

- Tech Security Wrongful Act= intrusion or malicious code
- Privacy Wrongful Act= Violation of a Privacy Act or negligence etc. in Private Information Breach
- Web Media Services Wrongful Act: in the provision of web based services any defamation, privacy breach etc.
- Private Information Breach: unauthorized disclosure of private information both electronically and NOT ELECTRONICALLY
- Extortion Loss: payment to 3d parties who extort money by threatening technology of the insured; rewards; investigation etc.
- Data Restoration Loss: remediation; recovery; improvement; market value of lost data

36 Cyber Liability Coverage by Endorsement
Insurers have customized traditional Policies to provide additional coverage for specific cyber risks by endorsements. For example:
- EPLI Policies – coverage for employee related theft or third party unauthorized access to private information.
- E&O Policies – coverage for e-commerce activities, security breaches, and unauthorized access
- Property & Crime Policies – coverage for “intangible” property like data

37 Data Breach – Cause of the Breach
What was the cause of the breach? The cause of the breach can affect both potential liability and coverage:
- External hacking
- Wrongdoing internal to the insured
- Failure of controls or preventative measures
- Failure of hardware or software
- Wrongdoing or failure of a vendor or other related third-party entity

38 Data Breach – Data Involved
What type of data was involved?
- Personally Identifiable Information (PII) is the most common, and will be the focus here: First name or initial combined with a social security number, driver’s license number, state ID number, or account number with access code or password
- Other sources of potential concern include proprietary data of a vendor or internal proprietary data.

39 Data Breach – Risk Mitigation
What needs to be done to mitigate the effect of a data breach? Once a breach has occurred, the insured has multiple options for mitigating the breach (some of which may impact coverage).
- Incident analysis (internal communication, containment, harm determination)
- Incident disclosure (notice to affected individuals, vendors, regulatory agencies)
- Loss mitigation (trending, benchmarking, remediation)

40 Evaluating a Data Breach
When a data breach occurs, immediate and decisive action is required:
- Evaluate the potential scope of the loss, in terms of individuals affected
- Identify the governmental and regulatory agencies with whom communication is necessary
- Understand how mitigation strategies affect costs and coverage

41 Handling a Data Breach Claim
Pro-Active:
- Hiring Counsel and Waiting for 90 day Report May Cost Insurer Millions
- Immediate Retention of IT or Privacy Expert
- Boots on the Ground Approach May be More Effective

42 Conclusion
Privacy and Data Breach Claims are Coming Your Way!

43 First Party Losses in Third Party Claims
Often a third party liability claim will involve direct losses by the Insured. A third party cyber liability policy may provide coverage for certain direct losses associated with a claim (or a potential claim) by a third party. These may include:
- Security breach notifications
- Credit monitoring costs
- Crisis management consultation

44 Data Breach Claims
A data breach can cost millions of dollars, based on the type and amount of data affected. Any entity that stores third-party data can be at risk, including (but certainly not limited to):
- Retailers
- Financial institutions
- Health care providers

45 Data Breach Claims
While Employment Practices claims present a distinct challenge to Insured employers - and therefore Insurers - the loss, compromise, or misuse of electronic data presents a more nuanced, and potentially more severe, risk.

46 Cyber Privacy – What Is Simple?
Most employers would likely agree that the Facebook employee was rightly fired, with cause. However, they (and we) need to think about the response. It was not necessary for the manager to respond in a public forum. The mix of a public forum and use of profane, disparaging phrases could create liability, even though the employee “clearly” asked for it. It is never again going to be simple…

47 Claim Examples - Other
Some claims do not fall neatly in the categories of “employee privacy” or “data breach,” and relate more to traditional causes of action through new mediums (such as defamation, copyright infringement, and patent infringement):
- Online publisher allows defamatory postings about a local public figure, causing the public official to lose his job.
- Company is sued for unauthorized use of a person’s photo on its website.
- A small business creates a website and is sued by another company alleging that their domain name violated trademark laws.
