
Page 1: This material is presented for informational purposes only and is not intended to constitute legal advice. ©Reed Smith LLP 2011.

DATA SECURITY AND PRIVACY INSURANCE RECOVERY: A SAFETY NET FOR THE NET

ALL INDUSTRY DAY “PUTTING IT ALL TOGETHER”
GREATER KANSAS CITY CHAPTER
NOVEMBER 11, 2011

J. Andrew Moss
Insurance Recovery Group
Chicago, Illinois

Page 2: Today’s Discussion

Data Security Risks

What Laws and Rules Apply?

Insurance Options and Solutions

Risk Management

Questions and Answers

Page 3: What Do Companies Want (Need) to Protect?

Private customer data

Website user data

Employee information

Confidential business information

Intellectual property

Reputation

The ability to do business

Page 4: (no text extracted for this slide)

Page 5: How Data and Security Breaches Occur

Technology failure (firewall or server compromised)

Intentional criminal action by outsider (hacker, laptop theft, tablet or smartphone hacking/theft/cloning)

Employee misconduct (data/financial embezzlement, unauthorized disclosures, curiosity, retaliation)

Human error (lost laptop/smartphone/tablet, misdirected fax or email, improper configuration of computer security systems, improper trash disposal)

Vendor error (misdirected packages and mail)

Acts of God (papers blowing from site of disaster)

Page 6: Some Data Breaches Reported in 2011

Law firm lost a portable hard drive containing information about a case involving 161 patients suing a doctor; data included names, addresses, Social Security Numbers, DoB, and insurance information.

Veterans’ paper records removed improperly from Florida VA hospital; included names and SSNs. Information was used to open debit accounts, and possibly involved in credit card scams. Perpetrators caught with paper records in motel room.

Personal credit rating information of 420,000 vehicle loan customers of Hyundai Capital plus 13,000 security passwords acquired by hackers.

Personal and protected health information of 93,500 patients of Hartford Hospital on lost hard drive.

Source: http://www.databreachwatch.org/data-breach-alerts

Page 7: Some Representative Cases

TJX - $107,000,000 reserve fund for theft of credit card numbers in hacking attack

Countrywide – theft of Social Security Numbers by rogue employee resulted in 40+ class actions and regulatory actions, $6,500,000 in reimbursement

Blue Cross/Blue Shield of Tennessee -- $7,000,000 in insured loss for theft of computer hard drives containing personal information

Massachusetts General Hospital --$1,000,000 for losing patient records

Citigroup – unauthorized access to customer information in 1% of its North American credit card accounts

TD Ameritrade: agreement to pay $2,500,000 to $6,500,000 to computer breach victims who received SPAM

Page 8: Theft or Loss of Confidential Information

Science Applications International Corp. (SAIC): military contractor that transports the data for the U.S. military’s health care provider, Tricare

Computer tapes stolen from an SAIC employee’s car contained highly sensitive information on approximately 5 million beneficiaries (servicemen, veterans, civil service and their families) in 10 states, including lab test results

Multiple class actions filed against SAIC, other contractors and agencies of the U.S. government

$4.9 billion in damages alleged

Tricare ordered SAIC to offer 1 year of free credit monitoring to the approximately 5 million beneficiaries potentially affected by the breach

Note that the stolen tapes would require sophisticated equipment to decode, so the risk of further disclosure may be small. (Needing specialized equipment to read a tape is not the same as the data being encrypted; an unencrypted tape is readable by anyone who obtains a compatible drive.)

Page 9: Loss of Confidential Customer Information

Health Net: Health Net was sued by the Connecticut AG for failing to secure medical records and not promptly notifying consumers of a massive security breach. A portable disk drive containing millions of pages of claims information and medical records for 1.5 million members disappeared from a Health Net office in May 2009.

In July 2010, Health Net settled for $250,000 (in addition to the $7,000,000 it had already spent) and promised to:

Implement a “corrective action plan.”

Pay $500,000 more to Connecticut if the personal information is actually accessed.

Provide 2 years of free credit monitoring services, $1 million in identity theft insurance and enrollment in fraud resolution services for 2 years, if needed.

Provide extra protection against cases of identity theft occurring between May 2009 and the date the credit monitoring service program takes effect.

Page 10: Unwitting Loss of Confidential Customer Information

Stanford Hospital:

The New York Times reported on September 8, 2011 that private medical data for nearly 20,000 emergency room patients at Stanford Hospital (affiliated with Stanford University) was exposed to public view for a year due to the negligence of a billing contractor and unknowing conduct of a job applicant

Contractor (a sole practitioner) sent a spreadsheet containing the information to a job applicant, who unwittingly posted it online on a career tutoring website

Lawsuit seeking $20,000,000 in damages filed against hospital and several contractors in California court in Los Angeles.

Page 11: 2010 U.S. Cost of a Data Breach Study (Ponemon Institute)

• Data breach incidents cost U.S. companies $204 per compromised customer record in 2009, compared to $202 in 2008

• The average total cost per incident increased to $6.75M, up from $6.65M in the previous year

• Malicious attacks were more costly and severe

• Negligent insider breaches have decreased due to awareness and training on protecting private information – 58% have expanded their use of encryption

• Third party organizations accounted for 42% of all breach cases – these remain the most costly due to additional investigation and consulting fees

• The most expensive case in the study cost nearly $31,000,000 to resolve, the least was $750,000

• The study was comprised of 45 breaches with a range of 5,000 to 101,000 compromised records

Page 12: SURVEY: Data Security at Work*

22. Does your employer have a formal policy for you to use the Internet at work?

Yes 38% No 19% Not sure 44%

23. Have you had any training on how to keep your computer safe and secure?

Yes 43% No 55% Not sure 3%

24. Do you ever bring your work laptop home and connect to your home network?

Yes 24% No 75% Not sure 2%

25. Does your employer allow access from your home computer to the company systems, files or other types of data normally available to you at the office?

Yes 29% No 28% Not sure 43%

*2010 Online Safety Study by National Cyber Security Alliance, Norton by Symantec & Zogby International (Oct 2010)

Page 13: Performance Art?

‘Dead Drops’ is an anonymous, offline, peer to peer file-sharing network in public space. I am ‘injecting’ USB flash drives into walls, buildings and curbs accessible to anybody in public space. You are invited to go to these places (so far 5 in NYC) to drop or find files on a dead drop. Plug your laptop to a wall, house or pole to share your favorite files and data. Each dead drop contains a readme.txt file explaining the project. http://datenform.de/blog/dead-drops-preview/

Page 14: What Laws and Rules May Apply? Federal:

Financial data (Gramm-Leach-Bliley Act)

Website data and “red flag” rules (FTC)

Government data (Privacy Act)

Children’s information (COPPA, FTC)

Educational information (FERPA)

Medical information (HIPAA)

Health Information Technology for Economic and Clinical Health Act (HITECH)

Computer Fraud and Abuse Act (CFAA)

Driver’s Privacy Protection Act (DPPA)

Personal Privacy and Security Act of 2011; Data Breach Notification Act; Personal Data Protection and Breach Accountability Act of 2011 (all recently introduced)

Page 15: What Laws and Rules May Apply? State Laws:

Security Breach Notification statutes (46 states plus DC, PR and VI) http://www.ncsl.org/Default.aspx?TabId=13489

HITECH Act lets state attorneys general enforce the health data protection provisions of HIPAA

“Proscriptive” statutes requiring encryption or other methods to secure data (at least 6 states, including CA, CT, MA, NY, NJ, NV)

Notification of State Attorneys General statutes (CA, TX)

Contractual:

Business Associate Agreements under HIPAA

Standard purchase orders

Payment Card Industry Data Security Standards

Outsourced data

Page 16: What Laws and Rules Apply?

International Law: EU Data Protection Directive and EU member country privacy laws are more strict than the US with respect to private consumer information.

“Article 29 Working Party” – panel of European privacy commissioners from each EU member collaborate to issue opinions and resolutions on matters involving privacy and personal data protection.

Opinions of Article 29 Working Party: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm

Page 17: What Do You Need to Consider When Faced With a Security Breach or Data Loss or Claim?

Are any insurers owed notice and/or cooperation?

Is notice owed to the persons whose information was or may have been compromised?

Which government authorities should be contacted?

Page 18: Considerations When Faced With a Security Breach or Data Loss or Claim

Response Steps:

• Receive initial report and determine responsibilities

• Initial investigation

• Initial communications

• Investigation

• Determine nature and extent of the incident

• Containment, control, and correction

• Notifications: who, when, where, how, and what (and insurance)

• Conclude investigation and prepare incident report

• Retain report

Page 19: Insurance Recovery Considerations in the Face of a Security Breach or Data Loss

Timely notice of claim (claims made and reported?)

Consent to incur prudent or necessary expenses may be required:

costs of crisis stage or legal compliance, such as breach notification letters, credit monitoring, call center, forensics (up to $30 or more per customer)

defense expenses (private claims; governmental/regulatory claims)

Page 20: Insurance Recovery Considerations in the Face of a Security Breach or Data Loss

Communications with insurers: presumably are not privileged

Law enforcement considerations, e.g., requests to maintain secrecy during investigation

Page 21: Check Traditional Forms of Insurance for Coverage

Review company policies with a data privacy and information security lens:

Directors’ and Officers’ Liability (D&O)

Professional Liability/Media (E&O)

Comprehensive General Liability (CGL)

Property Damage/Business Interruption

Fidelity/Financial Institution Bond/Crime Policy

Fiduciary Liability

Employment Practices Liability (EPL)

Page 22: Consider Newer Products: “Cyberliability” Policies

Data Privacy and Security Policies – a number of new and revamped products on the market

Stand-alone policies

Endorsements and “package policies”

Page 23: Consider Newer Products (con’t):

Policies are negotiable and should be compared and tailored where possible.

Check the financial health of all potential insurers.

Page 24: Security and Data Privacy Insurance May Cover Liability Based On:

misappropriation of private information from the company or a third party

unintentional disclosure of private information that results in identity theft

failure to protect confidential information from disclosure or misappropriation

failure to disclose or notify victims of actual or potential identity theft

negligent transmission of viruses, worms, logic bombs or trojan horses

violations of federal, state, local or foreign laws or regulations governing privacy, including certain regulatory actions

Page 25: Security and Data Privacy and Cyberliability Insurance Also May Cover:

Defense expenses, notice costs, claims administration

Business interruption loss for interruption to computer systems due to security failures (unauthorized access, malware or denial of service attacks)

Expenses for providing notice of security failures to consumers and/or hiring public relations professionals for the purpose of maintaining goodwill and reputation

Costs to restore or replace destroyed, disrupted, damaged or deleted electronic information

Extortion payments

Criminal rewards

Page 26: Further Considerations for Security and Data Privacy and Cyberliability Insurance Coverage:

Insurer’s Right to Investigate?

Insurer’s Duty to Defend?

“Cookie cutter” response?

Page 27: Security and Privacy Liability Coverage Overview:

Electronic Media Liability: display of electronic content on your websites.

Network Security Liability: destruction, deletion, or corruption of a 3rd party’s electronic data.

Privacy Liability: failure to properly handle, manage, store or otherwise control personally identifiable information.

Regulatory Actions: investigative demand or civil proceeding regarding actual or alleged violation of privacy laws.

Identity Theft Response Fund: communication to and credit monitoring services for affected individuals.

Page 28: First Party Security and Privacy Coverages:

Network Business Interruption: loss of income or extra expense due to a failure of network security.

Data Asset Protection: costs and expenses incurred to restore, recreate, or regain access to any software or electronic data.

Cyber Extortion: ransom or investigative expenses associated with a threat directed at the company to release, divulge, disseminate, destroy, steal, or use the confidential information or damage the company's computer system.

Page 29: Typical Exclusions:

violations of intellectual property rights

products liability, violations of guarantees or warranties, false advertising

violation of anti-spam, blast-fax and similar laws

misappropriation of trade secrets by or with the active assistance of current or former employees

misconduct of senior management

infrastructure failures, e.g., blackouts, unless caused by the negligence of the insured

inability to use, performance of, development of, expiration of or withdrawal of support of certain technology products or software

content created by third parties for posting and storage on the insured’s websites

Page 30: Beware!

Inaccurate applications can void coverage: severability will only take you so far; review carefully (with counsel) before submitting applications to insurers

Trigger traps: retro dates; claims made and reported; interrelated wrongful acts and claims

Page 31: Maximizing Potential Insurance Recovery

Gather and review all potentially relevant policies or indemnity agreements

Provide timely notice of breaches, claims or potential claims to all primary and excess insurers

Obtain consent to defense arrangements and advancement/reimbursement of defense expenses (may differ if insurer defends)

Adhere to cooperation obligations and respond to reasonable requests for information (caution: beware of privilege issues)

Respond to asserted coverage defenses

Obtain consent to settlement or payment of judgment

Resolve coverage disputes (check policy language first!)

Page 32: Consider Lessons Learned for Purchase/Renewal

Terms, conditions, and exclusions may be negotiable

Insurance applications may be discoverable in litigation with third parties

As the distance between Retroactive Date and Inception Date lengthens, policies become more valuable

Stay up on trends and coverage options to remain at or above market standard

Page 33: Other Options?

Risk Mitigation Through Technology: costly up front to do it right, and costly on the back end to do it wrong.

Consider going through privacy policy application process in order to educate yourself (and your board, senior management) on best practices that your company may not be practicing.

Page 34: Any Questions?