3 Challenges of Cyber Liability
Stupendous growth of electronic data storage and communication has created new challenges for business entities.
Our Dependence on All Things Electronic
- 1.8 Billion people using the Internet
- Text, , Billing Systems, Payment Systems, Business Operations, Blackberry, Smartphones
4 Two Challenging Types of Claims
- Cyber-Privacy: Claims arising from a compromise of employee cyber-privacy
- Data Breach: Claims arising from a breach of company data (first and third-party)
5 Response by Insurance Carriers
Carriers recognize that cyber-related claims require a new approach, including tailored policies and careful handling.
- New Policies are Being Created
- Enhanced Privacy Endorsements
- Technology and Media Coverage add-ons
- EPL enhancements
7 Employee Privacy and Discrimination Claims
- Employer makes employment decisions from social networking site
- Employer accesses private
- Employer accesses text messages
- Disparate application of employer policiess and Social Networking— harassment claims
8 Legal Claims From Employees
- Negligence claims
- Employer Action
- Discrimination and Retaliation (Title VII, ADEA, etc.)
- First Amendment speech
- Common law torts - privacy
- ECPA - wiretapping act
- SCPA - stored communications
9 Volatile Mix Leads to Potential Discrimination Claims
- Potential employers are increasingly investigating those sites
10 Liability Risks Posed by Social Networking
Traditional EPL Claims:
- Hiring/Termination Claims -- Title VII, ADA, ADEA
- Disparate Treatment Claims -- Inconsistent Application of Social Networking Policies
Newer EPL “Social Networking” Claims:
- Accessing personal , texts, social sites
- Defamation, Libel, Breach of Privacy
- Punitive Damages Due To “Willful” Acts
11 Cyber Privacy Claims
City of Ontario v Quon
- Does Fourth Amendment Protect Electronic Communications
- Employer audited City-owned Pager
- Discovered sexually explicit messages (wife, girlfriend, buddy)
- All sued city and Arch
- Ninth Circuit—Arch violated SCA and city violated 4th amendment
12 Inquiring Employers… What are Employees Saying?
Konop v. Hawaiian Airlines
- Pilot maintained a private website where he criticized employer
- Manager obtained password from employee who was a member
- Ct Denied SJ—issue whether employee had authority to authorize mgt to access private website
13 Accessing MySpace
Pietrylo v Hillstone Restaurant Group
- Employees created password-protected MySpace page to complain
- No managers allowed
- Manager got log-in from e’ee
- Employees fired; then sued
- NJ Fed Ct: e’ee coerced into giving p’wd
- Jury: SCA and state law violations
- Jury Verdict upheld
14 Accessing Private Account Emails
Van Alstyne v. Electronic Scriptorium Ltd.
- Non-Compete case, e’er accessed private accounts using info left on e’ee’s computer: E’ee counter sued
- SCA allows for statutory damages in the event any actual damages are proven - E’ee awarded 400k
- SCA permits punitive damages and attorneys’ fees
- Statutory damages -- proof of actual damages
15 Accessing Personal Email left by Employee
Pure Power Boot Camp v Warrior Fitness Boot Camp
- Non-compete case, E’er accessed personal email on e’er’s computer
- Handbook: E’ee no right of privacy
- Handbook did not expressly cover employee’s personal accounts
- E’ee had right of privacy
16 Risk Management— Cyber Privacy Policies
- Content of the policy -- clear and appropriate
- Specify all communications (not just work-related) are owned or will be monitored by the Insured
- Policy should apply to both work accounts and private s and accounts
- SCA consent authorization
- Blogging – Restrict Comments about E’er
18 Claim Examples – Data Breach
- Online retailer hacked and customer credit card information is stolen: regulatory and class actions
- Companies unknowingly spread a worm, facing liability from those parties based upon lost revenues caused by the virus.
- Disgruntled employee deletes the company’s databases, causing business interruption
- Computer hacker floods a company’s website, overwhelming the system and causing it to crash.
- Private medical info is stolen or disclosed, leading to a suit for defamation and invasion of privacy.
19 Compromised Data
- 285 Million records were compromised in 2008
- 25% of Companies With IT Outage for 2-6 days go bankrupt immediately
20 Heartland Payment Systems: credit card numbers of clients
- Cost: $12.5 Million in legal fees, costs and settlements
- Credit Card Numbers are purchased by “information gangsters”
21 Dave & Busters: FTC Complaint
- Intruder exploited vulnerabilities in systems
- 130,000 unique credit cards stolen
- Issuing Banks Claimed over $500,000 in unauthorized charges
- Settled
22 Before TJ Maxx, no recognized private cause of action for data breach
Judge let three theories survive:
- Two theories of negligent misrepresentation regarding their cyber security
- Lack of security measures amounted to Unfair and Deceptive Business Practice
- Settled with Banks for $525,000
- Total Cost over $40 million
23 Data Breach Claims
The potential claims are at least as varied as the potential claimants:
- Actual loss (theft) of customer, client or employee data
- Extortion based on a threatened loss of customer, client or employee data
- Monitoring or repairing of credit reports for those affected by a data breach
- Notices issued to those affected by a data breach
- Public relations activity necessitated by a data breach
- Remediation and repair of systems due to a data breach
- Lost profits caused by a data breach
24 Data Breach Claims Are on the Rise
Depending on the type of breach, costs can vary significantly, from $750,000 to $31,000,000 in 2009.
25 Data Breach Claims Are on the Rise
The average per-customer cost of data-breach claims has increased over the last year alone.
26 Data Breach Claims Are on the Rise
The increased per-customer cost translates to large increases in costs per breach.
27 Data Breach – Sources of Loss
What are the sources of potential loss to the insured?
While the most common (and most elusive) source of loss is a civil action by the individual affected by the breach, there are other sources of potential liability for the insured:
- Violation of “Red Flag Rules” (requiring entities to implement an identity theft prevention program) under the Fair and Accurate Credit Transactions Act, enforced by the Federal Trade Commission (“FTC”)
- Health Information Technology for Economic and Clinical Health Act, enforced by the FTC and the Department of Health and Human Services
- Children’s Online Privacy Protection Act
- CAN-SPAM Act
- Gramm-Leach-Bliley Act
- Fair Credit Reporting Act
- Computer Fraud and Abuse Act
- Federal Privacy Act
- State attorney general actions and consumer protection laws
28 Data Breach – Potential Damages
What are the potential damages to which the insured could be exposed?
Depending on governmental involvement, the strategy of the claimant, and the approach of the Insured, multiple damages are possible:
- Compensatory damages (although difficult to prove)
- Consequential damages
- Punitive damages
- Fines and fees (imposed by regulatory agencies)
- Remediation of hardware and software
- Lost profits and goodwill
- Notification of affected individuals/entities
- Monitoring of affected individuals/entities
29 Federal “Red Flags” Rules
- The “Red Flags Rules” were promulgated under the Fair and Accurate Credit Transactions Report Act. 16 CFR
- Any company holding credit data could be subject
- Requires a Written Identity Theft Prevention Program
- June 1, 2010 Implementation
31 Gaps in Traditional Insurance Policies
- Property Insurance policies – “Property”: Tangible vs. Intangible
- D&O: Property exclusion; Professional services exclusion; not covered by insuring clauses
- Crime/Fidelity policies – Tangible Property
- CGL: Exclusions for losses associated with unauthorized access by third parties.
- Errors & Omissions policies – Generally exclude security breaches or damages arising from unauthorized access.
- EPL policies – Not covered by Insuring Clauses.
32 Cyber Liability – Covered Risks
Generally, cyber liability policies address two types of risks:
- First Party: losses suffered directly by the Insured
- Third Party: losses associated with the Insured’s liability for damages suffered by a third party
33 First Party Losses
- Business interruption costs
- Crisis management and public relations costs
- Privacy notifications and credit monitoring costs
- Costs associated with theft or vandalism of a company’s network or systems
- Upgrades in network security
34 Third Party Losses
- Disclosure Injuries: unauthorized access to or dissemination of a third party’s private information
- Content Injuries: copyright, trademark, trade secrets or other intellectual property claims
- Reputation Injuries: libel, slander, defamation, invasion of privacy claims
- System Injuries: security failures or virus transmissions that harm the computer systems of third parties
- Impaired Access Injuries: customers cannot access their accounts or information
35 6 Separate Insuring Clauses!
1) Technology Security Wrongful Act
2) Privacy Wrongful Act
3) Private Information Breach
4) Web Media Services Wrongful Act
5) Extortion Loss from Technology Threat
6) Data Restoration Loss from Breach
- Tech Security Wrongful Act = intrusion or malicious code
- Privacy Wrongful Act = Violation of a Privacy Act or negligence etc. in Private Information Breach
- Web Media Services Wrongful Act: in the provision of web based services any defamation, privacy breach etc.
- Private Information Breach: unauthorized disclosure of private information both electronically and NOT ELECTRONICALLY
- Extortion Loss: payment to 3d parties who extort money by threatening technology of the insured; rewards; investigation etc.
- Data Restoration Loss: remediation; recovery; improvement; market value of lost data
36 Cyber Liability Coverage by Endorsement
Insurers have customized traditional Policies to provide additional coverage for specific cyber risks by endorsements.
For example:
- EPLI Policies – coverage for employee related theft or third party unauthorized access to private information.
- E&O Policies – coverage for e-commerce activities, security breaches, and unauthorized access
- Property & Crime Policies – coverage for “intangible” property like data
37 Data Breach – Cause of the Breach
What was the cause of the breach?
The cause of the breach can affect both potential liability and coverage:
- External hacking
- Wrongdoing internal to the insured
- Failure of controls or preventative measures
- Failure of hardware or software
- Wrongdoing or failure of a vendor or other related third-party entity
38 Data Breach – Data Involved
What type of data was involved?
Personally Identifiable Information (PII) is the most common, and will be the focus here:
- First name or initial combined with a social security number, driver’s license number, state ID number, or account number with access code or password
Other sources of potential concern include proprietary data of a vendor or internal proprietary data.
39 Data Breach – Risk Mitigation
What needs to be done to mitigate the effect of a data breach?
Once a breach has occurred, the insured has multiple options for mitigating the breach (some of which may impact coverage).
- Incident analysis (internal communication, containment, harm determination)
- Incident disclosure (notice to affected individuals, vendors, regulatory agencies)
- Loss mitigation (trending, benchmarking, remediation)
40 Evaluating a Data Breach
When a data breach occurs, immediate and decisive action is required:
- Evaluate the potential scope of the loss, in terms of individuals affected
- Identify the governmental and regulatory agencies with whom communication is necessary
- Understand how mitigation strategies affect costs and coverage
41 Handling a Data Breach Claim
- Pro-Active: Hiring Counsel and Waiting for 90 day Report May Cost Insurer Millions
- Immediate Retention of IT or Privacy Expert
- Boots on the Ground Approach May be More Effective
42 Conclusion
Privacy and Data Breach Claims are Coming Your Way!
43 First Party Losses in Third Party Claims
Often a third party liability claim will involve direct losses by the Insured.
A third party cyber liability policy may provide coverage for certain direct losses associated with a claim (or a potential claim) by a third party. These may include:
- Security breach notifications
- Credit monitoring costs
- Crisis management consultation
44 Data Breach Claims
A data breach can cost millions of dollars, based on the type and amount of data affected.
Any entity that stores third-party data can be at risk, including (but certainly not limited to):
- Retailers
- Financial institutions
- Health care providers
45 Data Breach Claims
While Employment Practices claims present a distinct challenge to Insured employers - and therefore Insurers - the loss, compromise, or misuse of electronic data presents a more nuanced, and potentially more severe, risk.
46 Cyber Privacy – What Is Simple?
- Most employers would likely agree that the Facebook employee was rightly fired, with cause.
- However, they (and we) need to think about the response.
- It was not necessary for the manager to respond in a public forum.
- The mix of a public forum and use of profane, disparaging phrases could create liability, even though the employee “clearly” asked for it.
- It is never again going to be simple…
47 Claim Examples - Other
Some claims do not fall neatly in the categories of “employee privacy” or “data breach,” and relate more to traditional causes of action through new mediums (such as defamation, copyright infringement, and patent infringement):
- Online publisher allows defamatory postings about a local public figure, causing the public official to lose his job.
- Company is sued for unauthorized use of a person’s photo on its website.
- A small business creates a website and is sued by another company alleging that their domain name violated trademark laws.