Cyber Liability: What Are The Risks To My Business
Professional Liability Defense Federation Fifth Annual Meeting, September 18, 2014, The Westin Georgetown, Washington, DC
Richard J. Monahan, Head of XL Select Professional Claims
Jeremy Gittler, Assistant Vice President, XL Group
Kenneth M. Labbate, Partner, Mound Cotton Wollan & Greengrass
Two Types of Companies in Today’s Market
Those who have been breached and know it, and...
Those who have been breached and just haven’t figured it out yet!
All businesses are exposed – a single exposure can result in: corporate embarrassment; PR headaches; loss of business; interruption of operations; litigation; potential liability to others; regulatory and government investigations; significant costs and expenses; and significant loss of revenue.
Data Breach Risks
Currently, 95% of data breaches are caused by a combination of: Hacktivists; Employees; Loss/Theft of Equipment; Malware/Viruses.
Factors Driving Exposure
More data is stored electronically now than ever before, and the trend is towards “paperless.”
The “Human Element” continues to have an impact – genius can be used for good or evil!
Verizon 2014 Data Breach Report
Breaches between 2004 and 2013 analyzed: 63,437 confirmed security incidents (a security event that compromises the integrity, confidentiality or availability of an information asset); 1,367 confirmed data breaches (an incident that results in disclosure or potential exposure of data).
In 2013, there were 243 security incidents with confirmed data loss at victim organizations with fewer than 1,000 employees, and 144 incidents with confirmed data loss at organizations with more than 1,000 employees.
Estimated cost per breach: $3.5 million (see Ponemon Institute, 2014 Cost of Data Breach: A Global Analysis).
Laws and Regulations Requiring Data Protection Measures
Individual State Laws: most states have enacted data breach notification laws.
– California’s Song-Beverly Act restricts businesses from requesting personal identification information (“PII”) as a condition of accepting credit card payments.
– Massachusetts’ Written Information Security Program (“WISP”) regulation requires the development, implementation, maintenance, and monitoring of a WISP applicable to all records containing the personal information of Massachusetts residents.
– Delaware recently enacted legislation similar to Massachusetts’, which may have broad implications given the number of companies incorporated under Delaware law.
Breach notification laws are presently state by state. No federal law provides a “standard” or “generally accepted” response. Result? “Chaos.”
Laws and Regulations Require Data Protection Measures
Many laws require that businesses adopt “reasonable, appropriate, and necessary” measures to protect the confidentiality, integrity, and availability of data, while also avoiding unauthorized access, disclosure, or alteration of systems and data, as well as accidental loss or destruction of such data.
– But these laws do not tell companies what is meant by “reasonable, appropriate, and necessary.”
Cyber Information Sharing Act (CISA)
In July 2014, the U.S. Senate Committee on Intelligence approved CISA (formerly CISPA, which failed to pass the Senate).
Aims to prevent cyberattacks in the private sector.
Provides liability protection to the private sector to promote voluntary real-time data sharing between companies and the federal government.
Increases data sharing from the federal government to the private sector to give companies information that could aid them in investigating cyberattacks and securing computer systems.
Authorizes the private sector, with customer consent, to implement computer monitoring and other cyberattack countermeasures.
National Cybersecurity and Critical Infrastructure Protection Act
On July 28, 2014, the House of Representatives approved the NCCIP. The NCCIP establishes a partnership between the Department of Homeland Security and the private sector to ensure the distribution of cyber threat information.
In addition to passing the NCCIP, the House passed the Critical Infrastructure Research and Development Advancement Act and the Homeland Security Cybersecurity Boots-on-the-Ground.
– The Critical Infrastructure Research and Development Advancement Act was passed to make certain improvements in the laws relating to the advancement of security technologies for critical infrastructure protection.
– The Homeland Security Cybersecurity Boots-on-the-Ground was designed to recruit, hire, and train a cyber workforce.
Safety Act 2002
A subdivision of the Homeland Security Act of 2002: the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002, effective July 10, 2006.
Provides incentives for development and deployment of anti-terrorist technologies.
The Secretary of the Department of Homeland Security is in charge of “designations” and “certification” of “qualified anti-terrorist technology.”
Safety Act 2002
If “designated,” entitled to:
– exclusive federal court jurisdiction
– limitation of liability to insurance proposed and accepted as reasonable for the technology submitted
– prohibition on joint and several liability for non-economic damages
– complete bar to punitive damages and pre-judgment interest
– reduction of a plaintiff’s recovery by collateral sources received or eligible to be received
Safety Act 2002
If “certified,” entitled to the further protection of the “government contractor defense”:
– federal preemption of liability for technology so certified
While the Act contemplates immunity for products manufactured for federal government and non-federal government customers, courts are divided on the extent of immunity in non-federal government cases.
Safety Act 2002
Examples:
– Boeing – July 17, 2014 – Certification received for its aviation security services, which included “software and data” involved in the Boeing Security Program for deliveries destined for U.S. terminals.
– General Growth Properties – July 11, 2014 – Designation granted for a centralized corporate program designed to: (1) identify and promulgate security practices inclusive of anti-terrorism capabilities across GGP’s properties, (2) track and enforce compliance with those measures, and (3) develop and implement a program for responding to emergencies at GGP’s properties.
– New Meadowlands Stadium – December 20, 2013 – Certified technology: an integrated security program composed of physical and electronic security measures, policies and procedures, and personnel, designed to detect, deter, prevent, respond to, and mitigate Acts of Terrorism for use exclusively at MetLife Stadium, inclusive of the Stadium and parking lots, during National Football League (“NFL”) Game Days, Non-Game Days, and Special Events.
Can protection be relied upon if approved technology is breached? What about the exposure presented by post-breach activities?
Risks Presented by the Internet
10 years ago, how much information was on the internet? Very little. Today, a massive amount of information. How much more will be on the internet 10 years from now?
Are employees permitted access to the internet at work? On company-supplied equipment? Are employees allowed to download material from the internet? Can they connect their personal mobile devices to the company network?
Lost/Stolen Devices
Stolen or lost laptops with personal information of hundreds of thousands of patients.
Attorney who loses a USB drive containing personal information and data of hundreds of class action clients.
All data stored on laptops and mobile devices should be encrypted.
Example: Target Breach
The system was accessed through a contractor that connected remotely to the retailer’s system to do online billing. Personal data of as many as 110 million shoppers was stolen. Hackers target low-level victims to get credentials allowing them to access a bigger company’s network.
However, since the Target breach story broke, businesses outside the information technology sector have been less likely to seek cyber liability insurance. Before the Target breach, 9% of non-IT applicants requested cyber coverage. Post Target breach, only 5% have. The trend suggests that applicants are being misled, by the fact that the media only reports large-company hackings, into believing that small businesses are less likely to be hacked.
Cloud Based Exposure – What Are the Risks?
Sharing space with others presents risks if a breach occurs.
– Corporate data could be lost, stolen or shared with others on the Cloud (competitors).
If the Cloud service provider goes down or closes, what happens to your data? How do you retrieve it?
Risk to Attorneys, Accountants, Other Professionals
These service providers may maintain:
– Clients’ personal data
– Social security numbers
– Tax IDs
– Medical records
– Financial records
– Tax records
– Attorney-client privileged materials
– Client confidential or proprietary data
Risk to Attorneys, Accountants, Other Professionals
With tightening profit margins and the increased cost of real estate rental, firms are pressured to turn to electronically stored data. Some risks include:
– Data breach
– Hackers
– Careless disposal of records
– Loss/theft of laptops and mobile devices
– Misuse of internal controls
– Picking up and transmitting malware from employees’ internet use
Sensitive Client Data
Is data storage covered within the definition of professional services? Can loss/theft of client data amount to malpractice? Is failure to maintain software updates a deviation from the requisite standard of care?
Cloud Based Storage of Client Documents – Risk to Attorney/Client Privilege
Have you breached privilege? Attorney-client? Can the Cloud provider access your data? Is space on the Cloud shared space? Do you need to disclose to clients that confidential information will be stored in the Cloud?
Insurance Agents and Brokers – Additional Issues
Exposure to insurance agents:
– Failure to advise
– Scope of coverage
– Coverage limits
– Aggregate policy limits
The agent must understand the client’s potential risk scenarios and have knowledge of the coverages available in the insurance market.
D&O Exposure
Can a cyber attack affect stock prices? Attacks themselves have become so commonplace that the initial attack appears to have little impact on stock prices. But the effect of the attack, the company response, and available insurance can affect stock prices.
Directors and officers need to be careful to identify risks and to have in place, and follow, a plan to avoid exposing the company to D&O claims.
D&O Exposure
Relates to failure to take reasonable steps to prevent a data breach. Exposure also arises for post-breach handling of events. Exposure is aggravated by:
– Failure to provide reasonable notice to clients/customers
– Releasing statements that create a false sense of security
Types of Coverage Implicated
Commercial General Liability; Professional Liability; Technology Errors & Omissions Liability; Employment Practices Liability; D&O and Executive Liability; Cyber Liability.
First Party Cyber Liability Exposure
Data breach notice; credit monitoring; forensics; public relations; business interruption; call centers; restoring/replacing electronic data; hardware replacement/restoration; cyber extortion; regulatory fines and penalties.
Contingent Business Interruption
Contingent Business Interruption Coverage – losses, including lost earnings, as a result of damage not to the insured’s own property but to the property of the insured’s supplier, customer or other business partner.
For instance, a partner working through the cloud, and the cloud shuts down.
Third Party Cyber Liability Exposure
Coverage for suits by clients whose networks were compromised.
Website publishers face defamation, copyright infringement, and privacy violation lawsuits.
Liability for not maintaining adequate security, which allows a virus to be transmitted.
Cyber War
– Most policies exclude losses arising from war and cyber war.
– There are attacks on companies by bad actors in other countries, possibly sponsored by foreign governments.
– It is very difficult to prove that the act is a war-like act, making it difficult for insurers to deny claims.
– It is unclear how the insurance industry will respond, since it is not in the business of insuring against war-like acts.
CGL Policies
Operative provisions – “Personal and advertising injury” – Does a data breach constitute “publication” of information by the insured which violates the right to privacy?
Hartford v. Corcino
The current industry standard-form CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury.” The key definition, “personal and advertising injury,” is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
The Hartford court upheld coverage in a data breach case under a policy that covered damages that the insured was “legally obligated to pay as damages because of... electronic publication of material that violates the right to privacy.” No. 2:13-cv-3728, Minutes (in Chambers) Order Re: Motion to Dismiss (Cal. Central Dist. Oct. 7, 2013).
Hackers attacked three networks operated by Sony for the benefit of PlayStation owners and stole personal information of 100 million users, including financial information. Sony was sued in multiple actions for injury from publication of personal information and failure to notify. Sony sought coverage under “personal and advertising injury” coverage for “oral and written publication.”
The Zurich court held that Zurich did not need to cover the breach, because third-party hacking did not constitute “oral or written publication... of the material that violates a person’s right of privacy” under the personal and advertising injury coverage of the CGL policy.
Lessons learned from Sony:
– Industry working to exclude exposure under CGL policies
– Purchase cyber policies
– Purchase sufficient limits
– Sony had exhausted cyber coverage and was seeking additional coverage under CGL
But see, e.g., Zurich v. Sony, No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014).
The Bottom Line
CGL coverage is unpredictable and is impacted by state law interpretation. Carriers and the industry are pushing coverage into cyber policies and away from CGL. Businesses can no longer rely on traditional CGL policies to adequately protect their interests.
Cyber Security – Next Wave Concerns
Started with the theft and possible disclosure of personal information; moving towards theft of confidential and proprietary information.
Where Are We Going?
Traditional coverage is only the tip of the iceberg. We are moving rapidly towards becoming a paperless society, and the focus is shifting towards information that can be monetized: product designs/formulas; terms and conditions of service contracts.
Challenge to Underwriters
The risks are always increasing:
– Attackers are becoming more sophisticated
– Companies are storing more information, and more valuable information, online
Past data breaches do not necessarily predict future exposures.