Presentation on theme: "AMCF’s Legal Issues Update Webinar “Client Data Breaches: The Latest on Managing Your Risk and Legal Exposure” Audio Login Toll-Free (US & Canada): 866.740.1260."— Presentation transcript:
AMCF’s Legal Issues Update Webinar “Client Data Breaches: The Latest on Managing Your Risk and Legal Exposure” Audio Login Toll-Free (US & Canada): Access Code: Web Login Meeting URL: /?ac= Support: /?ac= U.S. and Canada: or Access Code: This conference is being recorded.
Questions Questions will be addressed at the end of the webinar but may be posed at any time. To ask a question, send your questions via chat to the chairperson. Your questions will be answered in the order they are received. 2
AMCF Mission To promote an environment which fosters the success of management consulting firms and the value they deliver to their clients. 3
Alex Zabrosky 4 Alex W. Zabrosky is a business lawyer specializing in corporate and commercial law. He has a diverse international practice that focuses on counseling management consulting and professional services firms on all legal aspects of their businesses. Alex’s clients include firms engaged in management consulting, information technology consulting and implementation, financial and business advisory services, strategy, healthcare, operational improvement, forensics and litigation support, engineering and risk management, among others. His clients range from start-ups to middle market to major global consultancies. He received his law degree from The George Washington University Law School and his Bachelor’s degree from The University of Chicago.
Agenda Background of cyber liability Case studies Cyber liability today How cyber insurance can help Other issues Q&A 5
Kevin Kalinch 6 Kevin Kalinich leads Aon’s national practice to identify exposures and develop insurance solutions related to Technology Errors and Omissions, Miscellaneous Professional Liability, Media Liability, Network Risk and Intellectual Property. Kevin Kalinich has been named an Aon Risk & Insurance “Power Broker” for 2007, 2008, 2009, 2010 and He joined Aon in September 2000, from Altima Technologies, where he served as Chief Executive Officer and led the successful launch of a Web-enabled software product that provides intelligent visualization of network equipment in the areas of telecommunications, data, cables, and computers. Kevin holds a Juris Doctor from The University of Michigan and received his B.A. degree in Mathematics, Cum Laude, from Yale University
7 Background of Cyber Liability Insurance CA S.B AR State Breach Disclosure Law DE FL NY NC ND TN TX USVI WA WI RI PR PAOKOH NJ NV NE MN MT ME LA IN IL ID CT CO AZ DC GA HI IA KS MA MI NH OR UT VT WY VA WV SC AK Heartland Major Data Incident TJX Choicepoint HR 2221 Federal Law HITECH FACTA Red Flag Rule HIPAA MO DC MD Plastic Card Security Act (MN) Other State Law Card Industry Standard PCI DSS GLBA Implications: Fines & Penalties Injunctions Oversight/Remediation requirements Harm to Reputation Criminal Indictments *Precursor to Civil Liability* Hannaford Visa CISP, et al* *Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program MA 201 NEV NIST WA PCI Epsilon Sony Comerica Amazon Citigroup RSA DigiNotar WikiLeaks
The Need for Specialized Insurance Are these risks covered under traditional insurance policies? General Liability: bodily injury & property damage E&O policies: failure of defined services Commercial Property Insurance: tangible property Crime policies: money, securities, or tangible property Kidnap and Ransom: extortion coverage 8
9 “Intangible property” = covered “property” under traditional property and CGL policies? American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., No TUC ACM, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000) (“intangible property” covered under Property Policy) Eyeblaster, Inc. v. Federal Insurance Company, 613 F.3 rd 797 (8 th Cir. 2010) (“Loss of use” covered under CGL and financial injury covered under E & O unless “intentional” wrongful acts – cookies, flash) America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F.3 rd 89 (2003) (“intangible property” not “tangible property” under CGL) Personal And Advertising Injury Coverage under General Liability Policy Zurich American Insurance Co. v. Fieldstone Mortgage Co.. No. CCB , 2007 WL (D. Maryland Oct. 26, 2007)) (“duty to defend” violation of FCRA rt of privacy, but “publication?”) Netscape Communications Corp. v. Federal Insurance Co., 343 F. Appendix 271 (9 th Cir. 2009)) (AOL violation of right of privacy covered under CGL) Penzer v. Trans. Ins Co. (Florida Supreme Court: “an advertising injury provision in a commercial liability policy that provides coverage for an oral or written publication of material that violates a person’s right of privacy provides coverage for blast-faxing in violation of TCPA”) Crime Policy Retail Ventures, Inc. v. National Union Fire Insurance Co., No , slip opinion (S.D. Ohio March 30, 2009) (hacking & data breach covered under “Computer Funds & Transfer Fraud” endorsement Background of Cyber Liability Insurance
10 Insurance Services Organization (“ISO”) Response: ISO Data Exclusion: “For the purposes of this insurance, electronic data is not tangible property.” Electronic Data Liability Endorsement: provides coverage for loss and loss of use of electronic data resulting from physical injury to tangible property Subsequent cases: State Auto Property & Casualty Ins. Co. v. Midwest Computers & More, 147 F.Supp2d 1113 (W.D. Okla. 2001): Courts now generally find that PII data does not amount to “tangible property” because computer information lacks physical substance Stellenwork v. TriWest Healthcare Alliance, No (D. Ariz., June 10, 2008) (No commonality of class interests) Background of Cyber Liability Insurance
11 TJX Breach July December 2006Incident Occurred January 12, 2007Incident Discovered January 17, 2009TJX Reports Breach January 29, 2009First lawsuit filed $256,000,000 in total costs to date T.J. X. reached a $40.9 Million settlement agreement with banks that processed credit card transactions. This represented only a fraction of the $256 million+ cost of the breach. “BUT WE HAD LOCKS.” Carol Meyerowitz, TJX CEO, June 6, ,000,000affected records
12 Heartland Payment Systems Breach May 15, 2008Incident Occurred January 12, 2009Incident Discovered January 20, 2009Heartland Reports Breach January 27, 2009First lawsuit filed $143,000,000 in known costs, including settlements with consumers, Visa ($60 MM), Mastercard ($41.4 MM), Discover ($2.5 MM) and American Express ($3.6 MM) Affected over 250,000 merchants and 500+ financial institutions. Fourteen lawsuits have been filed against Heartland “I JUST CAN’T BELIEVE IT HAPPENED TO US, OF ALL COMPANIES.” -- Bob Carr, CEO 130,000,000affected records
13 Sony Playstation Breach April 14, 2011 – April 19, 2011First Incident Occurred April 26, 2011Sony reports incident April 27, 2011Sony mails notifications April 27, 2011First lawsuit filed Citing among other allegations “on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information” $180,000,000+ projected cost 77,000,000affected records
14 Hypothetical Breach Scenario – 150,000 Records Response Step/EventEstimated CostInsurable? First-Party Data Loss Damages Business interruption or suspension of network, including business income and extra expense – value to client of data lost Subject to large retention and per hour loss limit (i.e., $250K/hour) Yes, but few claims paid and difficult to prove. Does not cover future lost business. Crisis Management Investigate, forensics, audit and plan breach response (includes legal and/or public relations expenses) $50,000 - $8,250,000 Yes, up to $1,000,000 maximum in most cases Notify customers in compliance with state data breach notice laws (likely able to use alternative notification provision) $4,500 - $4,000,000 Yes, up to $1,000,000 maximum in most cases Offer credit monitoring services to affected individuals (cost could increase significantly depending on breadth of package and # of activations) $540,000 Yes, up to $1,000,000 maximum in most cases Damages Damages sought by banks for card re-issuance expenses$750,000 – $125,000,000Yes Damages sought in consumer class action lawsuitYes Damages sought in lawsuit brought by victims of identity theft (fraudulent use of information case – pain and suffering) Difficult to prove damages, but defense costs > $4,000,000 Yes Regulatory defense Defense expenses related to regulatory investigations$100,000 – $2,000,000 Yes, up to $1,000,000 maximum in most cases Regulatory fines/penalties Resolution/Settlement Agreement executed with regulatory authorities$100,000 – $15,000,000 Possibly Consumer Redress Varies by claim, but typically 30% - 65% is uncovered reputation damage, lost business, brand damage
15 Cyber Liability Insurance Today 90% of 583 U.S. entities surveyed suffered a reported data breach within past 12 months (50%+ suffered 2 or more)(Ponemon Research/Juniper Networks) 80% of breaches = total covered insurance claims< $1,000,000 15%of breaches = total covered insurance$1,000,000-$20,000,000 5%of breaches = total covered insurance > $20,000,000 Damages difficult to prove for individual consumers, even if Article III standing satisfied: Pisciotta v. Old National Bancorp, 499 F.3d 629 (7 th Cir. 2007) Hammond v. The Bank of New York Mellon Corp. (June 25, 2010) Ruiz v. Gap, Inc. (May 28, 2010) Krottner v. Starbucks Corporation, No (9 th Cir. December 14, 2010) Paul v. Providence Health System-Oregon, 237 Ore. App. 584 (App. Ct. Ore. 2010) But See, T. D. Ameritrade Settlement for $2.5 MM -- $6.5 MM (January 2011); Claridge v. RockYou declination to dismiss, C PJH (N.D. Cal. April 11, 2010); AOL LLC California Consumer Legal Remedy Act litigation, 719 F.Supp.2d 1102 (N.D. Cal 2010); and Hannaford Brothers Co., 613 F.Supp.2d 108 (D. Maine 2009) on appeal to 1 st Cir. Ct. of Appeals (argued Sept. 8, 2011)
16 Cyber Liability Insurance Today Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy) Negligence suit against insurance broker for not placing proper coverage Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages (Sept new service agreement enforceable: mandatory arbitration and no class action?) Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result.” Hartford v. Crate & Barrel and Children’s retail Stores (Declaratory Judgment Action with respect to GL Policy): Over 125 Class Actions in California, lead by: Pineda v. Williams Sonoma, 51, Cal.4 th 524, 246 P.3 rd 612 (Cal. 2011) (Zip codes are personal identification information protected by California’s Song-Beverly Act) Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv WGY (D. Mass. Filed May 23, 2011); (possible suits coming in New York, Delaware, Washington DC, Georgia, Kansas, Maryland, Minnesota, Nevada, New Jersey, Ohio, Oregon, Pennsylvania, Rhode Island, Wisconsin).
Basic Coverages Third-Party Coverages Network Security & Privacy Coverage: This covers loss resulting from breaches in network security or unauthorized access events. Privacy Regulatory Proceeding Coverage: This coverage is generally provided as a sub-limited part of the Privacy Liability coverage, and it covers costs resulting from a civil, administrative, or regulatory proceeding that alleges the violation of a privacy law. Media Liability Coverage: This coverage extends to media content produced by the Entity to be disseminated online or offline. First-Party Coverages Event Management Coverage (Also called Public Relations Expense Fund or Notification & Credit Monitoring Fund): This coverage will pay monies to help the Entity recover from a covered claim or failure of security. Cyber Extortion: This covers extortion threats to commit an intentional computer attack against the Entity. Information Asset: This covers damage to or theft of the Entity’s information assets due to a security failure. 17
Markets & Capacity ACE Arch Aspen AWAC/Darwin Axis Beazley Brit Catlin Chartis CNA Chubb Endurance Evanston Everest Re Factory Mutual Great American Hartford Hiscox Hudson Ironshore Kiln Liberty Navigators Novae One Beacon Pembroke RLI RSUI Scor Re Seneca Specialty Global Swiss Re Travelers USLI Valiant XL Zurich + 18
Breach Management Framework Pre–Breach Response Planning Incident Analysis Incident Disclosure Loss Mitigation Communication and Remediation Analyze Requirements Consider Alternative Notice Methods Notify in compliance with laws Consider third party vendors for notification Stagger Notification Identify stakeholders Establish analysis & communication protocols Evaluate Vendor Needs Remediation and recovery considerations Stress test plan Communication Breach Containment Harm Determination Legal Analysis Loss Trending Loss Benchmarking Limit Benchmarking Retention Benchmarking Exposure Modeling Peer Loss Survey E&O CGL Umbrella Crime EPLI D&O Privacy 19
20 Cyber Liability Insurance Today World’s data will grow by 50X in next decade (IDC Digital Universe study) IT security underwriting differentiates pricing, coverage & exclusions 1.Risk identification -- Type of information and quantity of electronic records 2.Loss Control Analysis 3.Exposure quantification 4.Insurance Gap Analysis and Design Enhanced review of contractual risk management Contractual allocation of liability with suppliers, partners, and customers Increased scrutiny of vendor management and outsourcing Cloud Computing Social Networking Sites (Facebook, Twitter, LinkedIn) Portable Wireless -- Technology Convergence IT Security of outsourced IT vendors Greater focus on Entity’s breach response plan Past Loss/Incident history Vendor Risk Multimedia Liability Professional Services Network and Privacy
Cyber Liability Insurance Today: Companies Buying? “We have a firewall, so we are protected.” “We have antivirus protection, so we are not at risk.” “We have the best IT department.” “Why would our organization be a target?” “We don’t have an e-commerce website, so we are not at risk.” “We are compliant with PCI, HIPAA, GLBA, etc., so we are not at risk.” “No one else is buying this coverage… why should we?” “Privacy and Security exposures apply solely to retailers, healthcare, education, consulting, data processors, data storage, hospitality, entertainment/gaming and financial institutions.” “Our discretionary budget has been eliminated in this down economy.” 21
Mark Camillo 22 Mark Camillo is Vice President in the Executive Liability Professional Liability Division of Chartis and is responsible for the Technology and Security/Privacy suite of products. Prior to this role, Mark was responsible for the Personal Identity Coverage (PIC) and Payment Fraud Products. Mark joined Chartis in 2001 and has held positions of increasing management responsibility in various parts of the organization including eBusiness Risk Solutions, Affinity Group, A&H, Professional Liability, and the Fidelity team. Prior to Chartis, Mark worked in sales, marketing, and product development for Dun & Bradstreet (D&B) and SITEL Corporation. Mark has a Masters of Business Administration from SUNY Buffalo and a B.S. from the University of Wyoming.
23 How Cyber Coverage Can Help Comprehensive Third & First Party Coverage Security & Privacy Liability (3 rd Party) Event Management (1 st Party) Cyber Extortion (1 st Party) Network Interruption (1 st Party) Flexible ‘Coverage Section’ Approach Allows Insured’s to Customize Coverage Components Coverage Can Be Combined with E&0, Media, and Corporate Counsel Coverages or Offered Standalone Flexible Coverage Sublimits to Meet the Specific Needs of an Individual Insured
24 Security & Privacy Insurance responds to important third party liability for claims arising from: A failure of the insured’s network security A failure to protect personally identifiable information including disclosures as a result of social engineering attacks (e.g., phishing) Violation of any federal, state or local privacy statute alleged in connection with failure to protect confidential information Duty-to-Defend coverage Broad definition of “confidential information” and “computer system” Coverage extends to information held by “Information Holders” Endorsement available for regulatory fines/penalties and PCI assessments Security & Privacy
25 Responds to the costs to retain services to assist in managing and mitigating a covered privacy or network security incident Includes costs to notify consumers of a release of private information Costs of credit-monitoring or other remediation services to help minimize damages. Credit monitoring not limited to 12 months Forensic Investigation Coverage Public Relations/Legal Assistance Expense Coverage Call Center Services Goodwill notification – not limited to state notification or legal requirements Can be offered on a Monetary (Insured uses own vendors) or Number of Affected Persons (Insurer handles) basis Includes costs associated with losses to information assets such as customer databases Event Management
26 Cyber Extortion Insurance pays to settle network security related extortion demands made against the insured. Triggers when there is a threat to commit a computer attack against the insured and a demand for money to terminate the threat Includes the costs of investigations to determine the cause of the security threat and to settle the extortion demand Network Business Interruption Insurance responds to an insured’s loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security Broad definition of loss includes lost business income, normal operation expenses (including ––payroll) and those costs that would not have been incurred but for the interruption System Failure can be added by endorsement Limited coverage for outsource provider - $100,000 Waiting hour period applies Cyber Extortion and Network Interruption
27 E&O vs. Security and Privacy E&O does not include first party coverages -Event Management/Crisis Response -Information Asset -Cyber Extortion -Network Interruption/System Failure S&P includes coverage for regulatory actions -Defense Costs -Regulatory fines/penalties S&P has option to cover PCI fines/assessments E&O triggered by “wrongful act” vs. S&P “failure to protect” or “security failure” -S&P covers rogue employee
28 Other Issues Requests for Project Specific Insurance -Aggregation/Capacity Issues -Insurer needs to reserve capacity for additional limits -Tie-In of Limits -Fronting Arrangements Additional Insured -any entity which a Company is required by contract to add as an Insured under this SPL Coverage Section, but only for the Wrongful Acts of a Company
29 Other Issues (cont) Notice of Cancellation -In consideration of the premium charged, it is hereby understood and agreed that in the event this policy is canceled by the Insurer in accordance with paragraph (b) of Clause 8. CANCELLATION, the Insurer will use its best efforts to deliver to the entity listed below written notice stating when, not less than thirty (30) days thereafter (ten (10) days in the event of cancellation by the Insurer for non-payment of premium), the cancellation shall be effective: -[NAME AND ADDRESS FOR NOTICE] -Provided, however, that any failure to notify such entity shall not impair or delay the effectiveness of any such cancellation.
Questions To ask a question, type your questions via chat and send to the chairperson. Your questions will be answered in the order they are received. If we do not have time to address your question you may submit questions via to: 30
Contact Information AMCF 370 Lexington Ave. Suite 2209 New York, NY (212) Mark Camillo Vice President Professional Liability Chartis Insurance Kevin P. Kalinich, J.D. Financial Services Group National Managing Director, Professional Risk Solutions A Division of Aon Risk Services Central, Inc. P: Alex W. Zabrosky Drinker Biddle & Reath LLP 191 North Wacker Drive Suite 3700 Chicago, Illinois Phone: (312)