© 2015 Haynes and Boone, LLP

HACKING INTO COVERAGE
What Every Lawyer Should Know About Cyber Insurance

Micah Skidmore
Haynes and Boone, LLP

Cyber Insurance Issues

• Cyber Risks and Liabilities
• Traditional Policies
• Network Security/Privacy Liability Insurance

Cyber Risks & Liabilities

• Avg. Cost/Record: $221
• Avg. Breached Records: 29,611
• Avg. Total Organization Cost: $7.0 million
• 7-19% Increase over 2014

Cyber Risks & Liabilities

• Third-Party Liability
  • Consumer/employee PII
  • Notification
  • Credit monitoring
  • Regulatory Investigations
• Loss and Damage to Property
  • Physical injury to property
  • Business interruption
  • Intellectual Property loss

Traditional Insurance: CGL Coverage

• Liability for:
  • Bodily Injury & Property Damage
  • Personal and Advertising Injury
• “Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses:
  ***
  e. Oral or written publication, in any manner, of material that violates a person’s right of privacy;

Traditional Insurance: CGL Coverage

• Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC (4th Cir. 2016)
  • Duty to defend data breach class action potentially alleging “publication”
• Recall Total Information Mgmt., Inc. v. Federal Ins. Co. (Conn. 2015)
  • Loss of back-up tapes with PII for 500,000 IBM employees
  • No evidence of “publication” by anyone

Traditional Insurance: CGL Coverage

• Sony Corp. of America v. Zurich American Ins. Co.
  • Theft of confidential PlayStation user data “published” by hackers, but not Sony
  • Settled prior to appellate ruling
• Hartford Cas. Ins. Co. v. Corcino & Associates
  • Class action suits sought damages under California law for hospital data breach involving 20,000 records
  • Exclusion for injury arising out of violation of privacy right created by state or federal act
  • Privacy rights under common law and Constitution

Traditional Insurance: CGL Coverage

• Exclusion (CG 21 06 05 14)
  • Damages arising out of “[a]ny access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”
  • Damages “claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others.”

Traditional Insurance: CGL Coverage

• Underwriting
  • Avoid broad data breach exclusions
  • “[O]ral or written publication includes publication as a result of unauthorized distribution of material, such as caused by hacking or other unauthorized access, into your computer network or website”
• Claims
  • Review all potentially applicable forms
  • Bodily injury or property damage unrelated to loss of intellectual property or PII not excluded

Traditional Insurance: D&O/E&O

• D&O
  • Loss resulting from claims first made during the policy period for a wrongful act
  • May be limited to “securities claims” for public companies
• E&O
  • Loss resulting from claims first made during the policy period for wrongful act in the performance of professional services
  • Loss may not include fines and penalties; exclusion for breach of contract

Traditional Insurance: D&O/E&O

• In re Target Corp. Customer Data Security Breach Litigation
  • Duty of care owed by merchant to issuing banks
• Lone Star Nat’l Bank v. Heartland Payment Systems, Inc.
  • Issuing banks’ claims not barred by economic loss doctrine
• Alternative basis for liability may avoid contractual liability exclusions

Traditional Insurance: D&O/E&O

• First Commonwealth Bank v. St. Paul Mercury Ins. Co.
  • Malware attack led to transfers from customer accounts totaling $3.5 million
  • Reimbursement to customers allegedly constituted “voluntary payment” excluded without consent
  • Payments mandatory under PA law, not voluntary

Traditional Insurance: D&O/E&O

• D&O/E&O
  • Provide timely notice of claims and circumstances
  • Review and modify terms defining “loss”
  • Watch for breach-related exclusions
  • May afford coverage for defense costs, settlements, judgments arising out of a data breach, subject to policy limits

Traditional Insurance: Commercial Property

• Property Damage: All risks of physical loss or damage to tangible property, unless otherwise excluded
  • Business personal property coverage
    • Computer equipment
    • Loss of electronic data
    • Cost to remove computer virus
• Business Interruption
  • Lost revenues minus avoided expenses resulting from covered physical loss or damage

Traditional Insurance: Commercial Property

• Lambrecht & Assoc., Inc. v. State Farm Lloyds
  • Employment agency computers compromised with loss of server, data and revenue
  • Claim challenged as (1) not “accidental”; and (2) lacking “physical loss”
  • Losses accidental from the standpoint of the insured; loss of server is a loss of tangible property

Traditional Insurance: Commercial Property

• Commercial Property Coverage
  • Be aware of coverage for physical “loss” as well as “damage”
  • Seek out appropriate terms for cyber-related property damage
  • Document cost and business interruption
  • Comply with policy conditions regarding notice, proof of loss and contractual limitations

Traditional Insurance: Crime/Fidelity

• Crime/Fidelity Coverage
  • Employee theft: loss of covered property resulting directly from employee theft
  • Computer fraud
    • Loss of money, securities, other property resulting directly from use of computers to fraudulently transfer property from inside premises or banking premises
  • Funds transfer fraud
    • Loss of “funds” resulting directly from a fraudulent instruction to pay from a transfer account

Traditional Insurance: Crime/Fidelity

• Apache Corp. v. Great Am. Ins. Co. (5th Cir. 2016)
  • Phishing scheme perpetrated by telephone and email
  • Vendor lost payments of $7 million
  • Insuring clause required loss “resulting directly from the use of any computer” to cause a fraudulent transfer
  • Email was incidental to the transfer

Traditional Insurance: Crime/Fidelity

• State Bank of Bellingham v. BancInsure, Inc. (8th Cir. 2016)
  • Violations of employee security procedures
  • Two fraudulent wire transfers totaling $485,000
  • “Employee-caused” Loss Exclusions
  • Overriding cause of loss: criminal activity
  • Illegal wire transfer not a foreseeable consequence of security violations

Traditional Insurance: Crime/Fidelity

• Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co.
  • Computer fraud rider covering “loss which the insured shall sustain resulting directly from . . . the theft of any insured property by computer fraud”
  • Data breach resulted in the loss of PII for 1.4 million DSW Shoes customers
  • Insured’s losses were proximately caused by theft through computer fraud
  • Exclusion for loss of “proprietary information” inapplicable

Traditional Insurance: Crime/Fidelity

• Crime/Fidelity Coverage
  • Fact-specific claims and unique policy terms
  • Provide notice upon discovery where appropriate
  • Coverage may be available where you least expect it

Network Security/Privacy Liability

• Cyber Insurance
  • Underwriting and placement
  • Claims developments and strategies

Network Security/Privacy Liability

• Growing market for “cyber” insurance
• Significant claims payouts and litigation – $100mm on Target alone
• Industry sensitive – retail and healthcare
• Expanded underwriting

Network Security/Privacy Liability

• P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co. (D. Ariz. 2016)
  • Assessments and processor demand for breach involving 60,000 cardholders
  • No “privacy injury” sustained by BAMS without compromise of BAMS’s records
  • Coverage precluded by “assumption of liability” exclusions

Network Security/Privacy Liability

• Columbia Cas. Co. v. Cottage Health System
  • Breach of medical records on unencrypted server
  • Class action lawsuit; $4.1 million settlement
  • Exclusion for “failure to follow minimum required practices”
  • Must “continuously implement the procedures and risk controls identified in the Insured’s application”
  • Dismissed without prejudice to pursue ADR

Network Security/Privacy Liability

• Travelers Prop. Cas. Co. of Am. v. Federal Recovery Services, Inc.
  • Allegations that FRS withheld customer data pending receipt of compensation
  • No “negligence”; no duty to defend

Cyber Risks & Liabilities

• Remijas v. Neiman Marcus Group, LLC
  • Dismissal of consumer class action complaint reversed
  • Risk of fraudulent charges and identity theft & mitigation expenses sufficient injury-in-fact
  • Burden on defendant to show breach not a “but for” cause of harm
• Galaria v. Nationwide Mut. Ins. Co. (6th Cir. 2016)
• Lewert v. P.F. Chang’s China Bistro, Inc. (7th Cir. 2016)

Network Security/Privacy Liability

• Cyber Insurance: Underwriting Issues
  • Insuring agreements
    • Who is insured?
    • Trigger of coverage/retention
      • Claim, event, occurrence, injury?
    • Definition of “claim”
    • Definition of “loss”
  • Exclusions
    • Bad conduct
    • War
    • Intellectual property
    • Breach of contract

Network Security/Privacy Liability

• Third-Party IT Provider
  • Insurance requirements
  • Additional insured status
  • Primary and non-contributory
  • Limitation on damages
  • Waiver of subrogation

Summary/Conclusion

• “Cyber” Insurance
  • Increasingly essential part of corporate risk management strategy
  • Residual variability in policy terms and claims practices

www.haynesboone.com
