TRANSCRIPT
© 2015 Haynes and Boone, LLP
Micah Skidmore, Haynes and Boone, LLP
HACKING INTO COVERAGE: What Every Lawyer Should Know About Cyber Insurance
• Cyber Risks and Liabilities
• Traditional Policies
• Network Security/Privacy Liability Insurance
• Cyber Insurance Issues
Cyber Risks & Liabilities
• Avg. Cost/Record: $221
• Avg. Breached Records: 29,611
• Avg. Total Organization Cost: $7.0 million
• 7-19% Increase over 2014
Cyber Risks & Liabilities
• Third-Party Liability
  • Consumer/employee PII
  • Notification
  • Credit monitoring
  • Regulatory Investigations
• Loss and Damage to Property
  • Physical injury to property
  • Business interruption
  • Intellectual Property loss
Traditional Insurance: CGL Coverage
• Liability for:
  • Bodily Injury & Property Damage
  • Personal and Advertising Injury
• “Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses:
***
e. Oral or written publication, in any manner, of material that violates a person’s right of privacy;
Traditional Insurance: CGL Coverage
• Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC (4th Cir. 2016)
  • Duty to defend data breach class action potentially alleging “publication”
• Recall Total Information Mgmt., Inc. v. Federal Ins. Co. (Conn. 2015)
  • Loss of back-up tapes with PII for 500,000 IBM employees
  • No evidence of “publication” by anyone
Traditional Insurance: CGL Coverage
• Sony Corp. of America v. Zurich American Ins. Co.
  • Theft of confidential PlayStation user data “published” by hackers, but not Sony
  • Settled prior to appellate ruling
• Hartford Cas. Ins. Co. v. Corcino & Associates
  • Class action suits sought damages under California law for hospital data breach involving 20,000 records
  • Exclusion for injury arising out of violation of privacy right created by state or federal act
  • Privacy rights under common law and Constitution
Traditional Insurance: CGL Coverage
• Exclusion (CG 21 06 05 14)
  • Damages arising out of “[a]ny access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”
  • Damages “claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others.”
Traditional Insurance: CGL Coverage
• Underwriting
  • Avoid broad data breach exclusions
  • “[O]ral or written publication includes publication as a result of unauthorized distribution of material, such as caused by hacking or other unauthorized access, into your computer network or website”
• Claims
  • Review all potentially applicable forms
  • Bodily injury or property damage unrelated to loss of intellectual property or PII not excluded
Traditional Insurance: D&O/E&O
• D&O
  • Loss resulting from claims first made during the policy period for a wrongful act
  • May be limited to “securities claims” for public companies
• E&O
  • Loss resulting from claims first made during the policy period for wrongful act in the performance of professional services
  • Loss may not include fines and penalties; exclusion for breach of contract
Traditional Insurance: D&O/E&O
• In re Target Corp. Customer Data Security Breach Litigation
  • Duty of care owed by merchant to issuing banks
• Lone Star Nat’l Bank v. Heartland Payment Systems, Inc.
  • Issuing banks’ claims not barred by economic loss doctrine
• Alternative basis for liability may avoid contractual liability exclusions
Traditional Insurance: D&O/E&O
• First Commonwealth Bank v. St. Paul Mercury Ins. Co.
  • Malware attack led to transfers from customer accounts totaling $3.5 million
  • Reimbursement to customers allegedly constituted “voluntary payment” excluded without consent
  • Payments mandatory under PA law, not voluntary
Traditional Insurance: D&O/E&O
• D&O/E&O
  • Provide timely notice of claims and circumstances
  • Review and modify terms defining “loss”
  • Watch for breach-related exclusions
  • May afford coverage for defense costs, settlements, judgments arising out of a data breach, subject to policy limits
Traditional Insurance: Commercial Property
• Property Damage: All risks of physical loss or damage to tangible property, unless otherwise excluded
  • Business personal property coverage
  • Computer equipment
  • Loss of electronic data
  • Cost to remove computer virus
• Business Interruption
  • Lost revenues minus avoided expenses resulting from covered physical loss or damage
Traditional Insurance: Commercial Property
• Lambrecht & Assoc., Inc. v. State Farm Lloyds
  • Employment agency computers compromised with loss of server, data and revenue
  • Claim challenged as (1) not “accidental”; and (2) lacking “physical loss”
  • Losses accidental from the standpoint of the insured; loss of server is a loss of tangible property
Traditional Insurance: Commercial Property
• Commercial Property Coverage
  • Be aware of coverage for physical “loss” as well as “damage”
  • Seek out appropriate terms for cyber-related property damage
  • Document cost and business interruption
  • Comply with policy conditions regarding notice, proof of loss and contractual limitations
Traditional Insurance: Crime/Fidelity
• Crime/Fidelity Coverage
  • Employee theft: loss of covered property resulting directly from employee theft
  • Computer fraud
    • Loss of money, securities, other property resulting directly from use of computers to fraudulently transfer property from inside premises or banking premises
  • Funds transfer fraud
    • Loss of “funds” resulting directly from a fraudulent instruction to pay from a transfer account
Traditional Insurance: Crime/Fidelity
• Apache Corp. v. Great Am. Ins. Co. (5th Cir. 2016)
  • Phishing scheme perpetrated by telephone and
  • Vendor lost payments of $7 million
  • Insuring clause required loss “resulting directly from the use of any computer” to cause a fraudulent transfer
  • Email was incidental to the transfer
Traditional Insurance: Crime/Fidelity
• State Bank of Bellingham v. BancInsure, Inc. (8th Cir. 2016)
  • Violations of employee security procedures
  • Two fraudulent wire transfers totaling $485,000
  • “Employee-caused” Loss Exclusions
  • Overriding cause of loss: criminal activity
  • Illegal wire transfer not a foreseeable consequence of security violations
Traditional Insurance: Crime/Fidelity
• Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co.
  • Computer fraud rider covering “loss which the insured shall sustain resulting directly from . . . the theft of any insured property by computer fraud”
  • Data breach resulted in the loss of PII for 1.4 million DSW Shoes customers
  • Insured’s losses were proximately caused by theft through computer fraud
  • Exclusion for loss of “proprietary information” inapplicable
Traditional Insurance: Crime/Fidelity
• Crime/Fidelity Coverage
  • Fact-specific claims and unique policy terms
  • Provide notice upon discovery where appropriate
  • Coverage may be available where you least expect it
Network Security/Privacy Liability
• Cyber Insurance
  • Underwriting and placement
  • Claims developments and strategies
Network Security/Privacy Liability
• Growing market for “cyber” insurance
• Significant claims payouts and litigation – $100mm on Target alone
• Industry sensitive – retail and healthcare
• Expanded underwriting
Network Security/Privacy Liability
• P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co. (D. Ariz. 2016)
  • Assessments and processor demand for breach involving 60,000 cardholders
  • No “privacy injury” sustained by BAMS without compromise of BAMS’s records
  • Coverage precluded by “assumption of liability” exclusions
Network Security/Privacy Liability
• Columbia Cas. Co. v. Cottage Health System
  • Breach of medical records on unencrypted server
  • Class action lawsuit; $4.1 million settlement
  • Exclusion for “failure to follow minimum required practices”
  • Must “continuously implement the procedures and risk controls identified in the Insured’s application”
  • Dismissed without prejudice to pursue ADR
Network Security/Privacy Liability
• Travelers Prop. Cas. Co. of Am. v. Federal Recovery Services, Inc.
  • Allegations that FRS withheld customer data pending receipt of compensation
  • No “negligence”; no duty to defend
Cyber Risks & Liabilities
• Remijas v. Neiman Marcus Group, LLC
  • Dismissal of consumer class action complaint reversed
  • Risk of fraudulent charges and identity theft & mitigation expenses sufficient injury-in-fact
  • Burden on defendant to show breach not a “but for” cause of harm
• Galaria v. Nationwide Mut. Ins. Co. (6th Cir. 2016)
• Lewert v. P.F. Chang’s China Bistro, Inc. (7th Cir. 2016)
Network Security/Privacy Liability
• Cyber Insurance: Underwriting Issues
  • Insuring agreements
    • Who is insured?
    • Trigger of coverage/retention (claim, event, occurrence, injury?)
    • Definition of “claim”
    • Definition of “loss”
  • Exclusions
    • Bad conduct
    • War
    • Intellectual property
    • Breach of contract
Network Security/Privacy Liability
• Third-Party IT Provider
  • Insurance requirements
  • Additional insured status
  • Primary and non-contributory
  • Limitation on damages
  • Waiver of subrogation
Summary/Conclusion
• “Cyber” Insurance
  • Increasingly essential part of corporate risk management strategy
  • Residual variability in policy terms and claims practices