What You Need to Know about Defending Cyber Related Class Action Litigations

Additional Materials

January 15, 2015



Retailers Face A Blizzard of Breaches: Are You Covered?

By Roberta D. Anderson

Dairy Queen is one of the latest in a growing number of companies to report a potential data security breach that apparently resulted from hacker use of point-of-sale (PoS) malware called “Backoff,” which is believed to have been employed in many of the recent high-profile retail data breaches, including Target Corp.’s massive data breach.

According to an alert released by the U.S. Department of Homeland Security, “[r]eporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.”[1]

Unfortunately, those affected businesses may face many negative consequences and expenses. As the DHS alert points out:

The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts.[2]

Although the DHS states that “[i]t is critical to safeguard … corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now,” the DHS also notes that “the variants of the ‘Backoff’ malware family are largely undetected by anti-virus (AV) vendors.”[3]

That underscores a critical point: Even the best, most sophisticated network security will fail. And when network security fails and malware prevails, the negative impact upon business can be dramatic. For a single data breach, a recent Ponemon Institute study reports that the average U.S. organizational cost is more than $5.85 million — with $509,237 spent on post-breach notification alone.[4]

In addition, the Ponemon Institute study’s figures “do not include data breaches of more than approximately 100,000 compromised records” because “these are not typical of the breaches most organizations experience.”[5] Yet breaches are, in fact, getting bigger, and mega breaches are increasingly common. One commentator recently noted that the top five breaches all involve more than 100 million personal records, and four of those top five occurred within the past year and a half — from 2013 to the present.[6]

The costs associated with breaches and sources of potential liability are also increasing. In addition to crisis management expenses, such as notification to potentially impacted individuals, forensics, credit monitoring and public relations efforts and consumer class actions, retailers can and do face very significant liability arising from claims by payment card brands, such as Visa and MasterCard, and banks and other financial institutions that either issue credit and debit cards to consumers or that process a merchant's credit card and debit card transactions (respectively referred to as “issuing” and “acquiring” financial institutions), in addition to potential fines and penalties for noncompliance with the Payment Card Industry Data Security Standards (PCI DSS).

15 September 2014

Practice Group: Insurance Coverage

This article was first published by Law360 on September 2, 2014.

A number of financial institutions are pursuing Target, for example, for reimbursement of their costs for issuing replacement credit and debit cards and reimbursing fraudulent purchases.[7] In addition, executives increasingly face shareholder litigation. In the wake of its high-profile data breach, Target’s directors and officers were hit with a shareholder derivative action alleging that “Target … has suffered considerable damage from breach.”[8]

In addition to ensuring that adequate network security processes are in place, companies are well advised to consider whether they have insurance coverage for data breaches and other cyber security threats. Insurance can play a critical role in an organization’s efforts to address and mitigate cyber risk.

As of now, there may be significant potential coverage for cybersecurity data breaches under “Coverage B” of a company’s commercial general liability policy, which states, under the April 2013 standard form, that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”[9]

The key term “personal and advertising injury” is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”[10] Courts have appropriately upheld coverage under this language for claims alleging violation of various privacy rights in a variety of settings, including data breaches.[11]

Considering the key term “publication” in a very recent decision, for example, the federal district court in Travelers Indemnity Company of America v. Portal Healthcare Solutions LLC[12] held that the making of medical records accessible triggered the policy coverage, even though no third party was alleged to have viewed the information, because, according to the court, “[p]ublication occurs when information is ‘placed before the public’ not when a member of the public reads the information placed before it.”[13]

In response to decisions upholding coverage for data breaches, however, the insurance industry has issued a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. A series of these exclusions, which became effective in May 2014, exclude, among other things, damages “arising out of any access to or disclosure of any person’s or organization's confidential or personal information … even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.”[14]

The exclusions already are showing up at insurance policy renewals. But even where these newer exclusions are not included in a company’s coverage, insurers routinely take the position that data breaches are not covered under CGL and other “traditional” policies, as illustrated by the coverage litigation over Sony’s massive 2011 PlayStation data breach.[15]

For these reasons, given the pervasiveness of data breaches, and their increasing costs, companies should consider the role of cybersecurity and data privacy insurance as part of their overall strategy to address and mitigate cyber risk. Cybersecurity insurance can be extremely valuable. However, organizations are advised to keep in mind that selecting and negotiating the right cybersecurity insurance policy presents unique and significant challenges.


There is a vast array of cybersecurity products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from policy to policy. Retailers that face data breaches resulting from “Backoff” PoS malware, or other threats, are advised to confirm, among other things, that their insurance policy would cover liability arising out of the acts of their vendors, fines or penalties for alleged noncompliance with PCI DSS, and contractual liability that they may have to merchant financial institutions.

In addition to confirming that the policy contains sufficiently broad coverage for a data breach event, companies are advised to confirm that the policy does not contain exclusions that would undermine the coverage. Further, considering that advanced attackers go undetected for a median of 229 days, and that only a third of organizations identify breaches on their own,[16] it is important to ensure that the insurance policy contains adequate retroactive coverage for cybersecurity incidents that have already occurred, but that are not yet known to the company, at the time of insurance placement.

Author: Roberta D. Anderson
[email protected]
+1.412.355.6222

Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt

Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris

Perth Pittsburgh Portland Raleigh Research Triangle Park San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane

Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington

K&L Gates comprises more than 2,000 lawyers globally who practice in fully integrated offices located on five continents. The firm represents leading multinational corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

© 2014 K&L Gates LLP. All Rights Reserved.

[1] US-CERT Alert (TA14-212A), Backoff Point-of-Sale Malware (July 31, 2014, revised Aug. 22, 2014).

[2] Id.

[3] Id.

[4] Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis, at 6, 15 (May 2014).

[5] Id. at 3.

[6] Daniel Solove, 10 Biggest Data Breaches: Facts and Lessons (Aug. 27, 2014).

[7] See, e.g., Trustmark National Bank, et al. v. Target Corporation et al, No. 1:14-cv-02069 (N.D. Ill.) (filed Mar. 24, 2014), at ¶2 (“As a direct and proximate result of the Data Breach, the Banks and members of the Class have incurred (and will continue to incur) damages to their businesses and property in the form of, inter alia, expenses to cancel and reissue the compromised Payment Cards, absorption of fraudulent charges made on the compromised Payment Cards, business destruction, lost profits and/or lost business opportunities.”).

[8] Collier v. Steinhafel, et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶76.

[9] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[10] Id. §14.e.

[11] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013) (upholding coverage in a data breach case for statutory damages of $1000 per person under the CMIA and statutory damages of up to $10,000 per person under the California Lanterman-Petris-Short Act under a policy that covered damages that the insured was “legally obligated to pay as damages because of ... electronic publication of material that violates a person’s right of privacy”).

[12] 2014 WL 3887797 (E.D. Va. Aug. 7, 2014).

[13] Id. at *5 (quoting Webster's Third New International Dictionary).

[14] See Coming To A CGL Policy Near You: Data Breach Exclusions, Law360, April 23, 2014.

[15] See 5 Reasons The Sony Data Breach Coverage Denial Is Wrong, Law360, Feb. 28, 2014.

[16] See Mandiant M-Trends® 2014: Beyond the Breach, at 1 (2014).


Tips For Navigating U.S. and International Data Breaches

By Roberta D. Anderson and Michael Bruemmer, Vice President, Experian Data Breach Resolution

Navigating today’s complex legal and regulatory framework surrounding data breaches can be a daunting process for even the most sophisticated organization. In the United States, there is not currently a national uniform data breach notification law. Instead, organizations experiencing a data breach face a patchwork of 47 different potentially applicable state laws to date, in addition to industry-specific federal laws such as Gramm-Leach-Bliley.

Adding to the complexity, more data is being stored in the “cloud,” thereby allowing potentially sensitive information to move more seamlessly across country borders, and requiring organizations to be familiar and compliant with international laws and regulations.

Understanding the various and changing state, federal and international laws and regulations will be increasingly important for organizations moving forward. In addition to keeping pace with evolving state, federal and international laws, organizations will need to ensure that effective data breach and cybersecurity incident response plans are in place to address breach incidents — whether they are local or global in nature.

Federal and Foreign Standards — A Renewed Focus on Data Breach Regulation

With the recent rise of highly publicized breaches top of mind, congressional committees have made several efforts to forge a comprehensive federal data breach notification law. Although lack of consensus on specific issues related to the preemption of state laws has halted this progress in the past, federal legislation is once again a top priority for lawmakers.[1] Legislators in several states are also considering expanding existing breach notification laws by being more prescriptive about what information must be included in a notice. This may include such information as the time of the breach and the type of data affected.

On an international level, stricter data breach notification requirements are already underway. The European Union implemented new data breach requirements last August, requiring telecommunication operators and Internet service providers to notify national data protection authorities within 24 hours of detection of a theft, loss or unauthorized access to customer data, including emails, calling data and IP addresses. The EU is now also considering expanding this requirement to all commercial sectors.

Data Breach Preparedness — Going Beyond the Regulatory Checklist

The number of data breaches is anticipated to continue to increase throughout the year, both within the U.S. and across the globe. Between January and March of 2014 alone, nearly 200 million data records were stolen, the equivalent of approximately 93,000 records stolen every hour. This is an increase of 233 percent over the same period of time last year.[2] These facts, together with the specter of more — and more stringent — laws and regulations present organizations with increasingly important and complex data breach response issues.

1 July 2014

Practice Groups: Cyber Law and Cybersecurity; Privacy, Data Protection and Information Management; Telecom, Media and Technology

This article was first published in Law360 on June 20, 2014.

Unfortunately, most U.S.-based organizations do not appear to be sufficiently prepared to deal with an impending data breach incident. Even after experiencing a breach, a surprising 39 percent of companies surveyed last year indicated they still have not developed a formal data breach response plan.[3] And since 2001, the Federal Trade Commission has brought more than 50 cases alleging that organizations failed to protect consumers’ personal information. Generally, settlements with the FTC require companies to implement a comprehensive information security program and undergo evaluation every two years by a certified third party.

Facing increased regulatory scrutiny, organizations are advised to work closely with legal counsel to ensure that they are prepared to comply with state, federal and international laws and regulations and otherwise are best positioned to mitigate the fallout of a breach incident — both financial and reputational.

1. Develop a Diverse Response Plan

According to research from the Ponemon Institute, having an up-to-date response plan can save a business nearly 25 percent per compromised record.[4] The average cost of a breach in the U.S. last year was $188 per record, with each breach reportedly exposing an average of 23,647 records. At that rate, a 25 percent reduction could save a company $1.1 million per breach.

Organizations are advised to have a diverse response plan in place that clearly outlines protocols and a response team for security incidents, with scenarios mapped out for both the U.S. and abroad. Just as data breach regulations evolve, so should a data breach response plan. It is important for an organization to regularly audit and adjust its preparedness plan in order to include new technologies and address changes in the legal, regulatory and security landscapes.

2. Engage Outside Legal Counsel

Many law firms have attorneys who are dedicated to assisting organizations in developing effective breach incident response plans, including a protocol for whom to call within the organization. Additionally, the protocol should identify which law firm “breach coach” to notify, in addition to other responders (preapproved by the organization, its outside counsel, and preferably by the organization’s insurance carrier) that will undertake critical crisis management functions, such as notification to persons whose personally identifiable information or protected health information may have been compromised, credit monitoring, call center services, forensics, and public relations efforts. Effective incident response and crisis management planning can greatly mitigate an organization’s financial and reputational fallout following a data breach incident.


In addition to formulating an effective breach response plan, the engagement of outside counsel first in the wake of a breach incident, before other breach responders, will preserve, to the extent possible, the attorney-client privilege and the work-product doctrine.

3. Communicate With Customers

Part of an effective response plan is ensuring quick, clear communication with potentially impacted individuals and providing guidance and next steps on how they can protect themselves. Open communication following a breach can help maintain trust and preserve brand reputation — arguably an organization’s most valuable asset.

It is also important to note that cultural and language differences may affect how a customer responds to a data breach and to notification materials. When managing an international breach, it can be beneficial to seek counsel on how to mitigate any issues that may arise due to these different standards and how to communicate effectively.

Regardless of the legislative environment, data breaches present a substantial business risk to organizations both in the U.S. and across country borders. Creating a diverse security incident response plan and proactively engaging with legal counsel, local authorities and forensics experts will enable companies to better handle an incident when it occurs.

[1] Experian Data Breach Resolution Legislative White Paper, “Policymakers Renew Focus on Data Breach Laws,” 2014

[2] SafeNet, “Breach Level Index (BLI),” April 2014

[3] Data Breach Response Guide, April 2013 http://www.experian.com/data-breach/response-guide.html

[4] Ponemon Institute, “Cost of a Data Breach Study: Global Analysis,” 2013

Author: Roberta D. Anderson
[email protected]
+1.412.355.6222



Cybersecurity Risk Factors: Five Tips to Consider When Any Public Company Might be The Next Target

By Roberta D. Anderson, Katherine J. Blair

The Risk of Cybersecurity Attacks

With annual reporting season underway, C-suite executives wake to another day and another data breach. Target, Michael’s, Snapchat, Facebook, Twitter, Adobe -- the list goes on and on. By now, all companies should appreciate that, notwithstanding the most robust and sophisticated network security, any company is a vulnerable next “Target” for a serious cybersecurity incident, together with the range of negative consequences that typically follows, including negative publicity, reputational damage that adversely affects customer and investor confidence, lost market capitalization, claims and legal disputes, regulatory investigations -- and falling stock prices. In the wake of its high-profile data breach, Target’s directors and officers were recently hit on January 29, 2014 with a shareholder derivative action alleging that “Target shares were trading above $63.50 on December 18, 2013 before the news of the data breach and have fallen over 10.5% to $57.60” and that “Target … has suffered considerable damage from breach.”[1]

In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity incidents in general, companies are well advised to consider whether their current cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk factor disclosures may assist a company in avoiding a Securities and Exchange Commission (SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action litigation and shareholder derivative litigation in the wake of a cybersecurity incident that negatively impacts the company’s stock price -- or, at a minimum, may mitigate a company’s potential exposure in the event of such litigation.

The Form 10-Ks that public companies are preparing to file in the coming weeks present a significant opportunity for companies to review and strengthen their cybersecurity risk factor disclosures, and below we offer five tips that companies may wish to consider in reviewing the adequacy of their existing cybersecurity disclosures.

SEC Disclosure Guidance

By way of background, companies must keep in mind that, although existing disclosure requirements do not (yet) expressly reference “cybersecurity,” the SEC’s Division of Corporation Finance (SEC staff) has emphasized the importance of appropriate cybersecurity disclosures. In the wake of what it termed “more frequent and severe cyber incidents,” the SEC issued cybersecurity disclosure guidance,[2] which advises companies to review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.[3]

[1] Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶ 76.

11 February 2014

Practice Groups: Capital Markets; Insurance Coverage

The text of this article was first published by Law360 on February 10, 2014.

While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the SEC’s guidance stresses that existing requirements oblige companies to make appropriate cybersecurity disclosures. The guidance states in this regard that a number of disclosure requirements may impose an obligation on registrants to disclose cybersecurity risks and incidents. In addition, the guidance explains that material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.

SEC Chairwoman Mary Jo White reaffirmed a company’s current cybersecurity disclosure obligations in response to an April 9, 2013 letter received from Senate Commerce Chairman Jay Rockefeller.[4] In his letter, Chairman Rockefeller urged the SEC to “elevate [its] guidance,” noting that “[i]nvestors deserve to know whether companies are effectively addressing their cybersecurity risks.” In response, Chairwoman White emphasized that “[e]xisting disclosure requirements … impose an obligation on public companies to disclose risks and events that a reasonable investor would consider material” and that “cybersecurity risks are among the factors a public company would consider in evaluating its disclosure obligations.”[5] Chairwoman White also highlighted that cybersecurity risk “is a very important issue that is of increasing concern” and stated that the SEC “continues both to prioritize this important matter in its review of public company disclosures and to issue comments concerning cybersecurity.”

In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such that the disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the company. The guidance proceeds to advise that appropriate disclosures may include the following:

• Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;

• To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;

• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;

• Risks related to cyber incidents that may remain undetected for an extended period; and

• Description of relevant insurance coverage.[6]

[2] The guidance defines “cybersecurity” as “body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”

[3] SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

[4] The April 9, 2013 letter is available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51

[5] Chairman White’s May 1, 2013 letter is available at http://articles.law360.s3.amazonaws.com/0441000/441415/512013%20Letter%20from%20SEC%20Chair%20White.pdf

Although the guidance does not create new cybersecurity disclosure obligations, it is abundantly clear that failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that negatively impacts a company’s stock price.

The Five Tips

The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures based on the SEC’s disclosure guidance as well as comments issued to approximately 55 companies over the last two years.

1. Perform A Cybersecurity Risk Assessment. The SEC staff states in its guidance that it expects companies to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents, as well as the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware. To facilitate adequate disclosures, companies should consider engaging in a thorough assessment of their current cybersecurity risk profile and the impact that a cybersecurity breach may have on the company’s business. In addition to positioning the company to provide adequate cybersecurity risk factor disclosures, undertaking a risk assessment is consistent with the National Institute of Standards and Technology’s recently released Preliminary Cybersecurity Framework,[7] which, at a high level, provides a framework for critical infrastructure organizations to understand their current cybersecurity risk profile and risk management practices and to identify gaps that should be addressed in order to progress towards a desired “target” state of cybersecurity risk management.[8] Although the Cybersecurity Framework is voluntary, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Cybersecurity Framework provides a de facto standard for cybersecurity and risk management.

2. Consider Disclosing Prior -- And Potential -- Breaches. To the extent a company or one of its subsidiaries has suffered a reported or known cybersecurity event, the company should anticipate that the SEC may issue a comment letter if the event is not disclosed. The following comments are typical of what a company might expect to see:

• We note that [your subsidiary] announced on its website that a cyber attack occurred during which millions of user accounts were compromised. Please tell us what consideration you gave to including expanded disclosure consistent with the guidance provided by the Division of Corporation Finance's Disclosure Guidance Topic No. 2.

6 While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be appropriate in other areas of a company’s filings, including management’s discussion and analysis “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

7 The Cybersecurity Framework, available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf.

8 Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/

• We have read several reports of various cyber attacks directed at the company. If, in fact, you have experienced cyber attacks, security breaches, or other similar events in the past, please state that fact in order to provide the proper context for your risk factor disclosure.

Notably, the guidance states that appropriate disclosures may include a description of cybersecurity incidents that are material individually or in the aggregate. And the comments issued to date indicate that where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company’s risk factor disclosure be expanded to state generally that the company has been the victim of hacking -- regardless of the fact that prior events were immaterial. A few of the SEC comments to date include (in summary form):

• We note your response that the incident did not have a material impact on the company’s business. In order to place the risks described in this risk factor in appropriate context, in future filings please expand this risk factor to disclose that you have experienced cyber attacks and breaches.

• You state that you have not experienced a material breach of cybersecurity. Your response does not appear to address whether you are experiencing any potential current business risks concerning cybersecurity. For example, despite the fact you believe you have not experienced a material breach of your cybersecurity, are you currently experiencing attacks or threats to your systems? If you have experienced attacks in the past, please expand your risk factor in the future to state that.

• We note that your response suggests that you have, in fact, experienced third-party breaches of your computer systems that did not have a material adverse effect on the Company’s operations. In order to place the risks described in your current risk factor in appropriate context, in future filings please expand your disclosure to state that you have experienced cyber attacks and breaches.

In addition, the SEC’s guidance advises that companies may need to disclose known or threatened cyber incidents together with known and potential costs and other consequences. Companies in targeted industries that have not yet suffered a cybersecurity incident (or are not yet aware that they have suffered an incident) should consider disclosing how the company might be impacted by a cybersecurity incident -- even if no specific threat has been made against the company. Below are sample summary comments received by companies based on their particular industry or peer disclosures:

• We note press reports that hotels and resorts are increasingly becoming a target of cyber attacks. Please provide risk factor disclosure describing the cybersecurity risks that you face. If you have experienced any cyber attacks in the past, please state that fact in the new risk factor in order to provide the proper context.

• Given that other companies in your industry have actually encountered such risks from cyber attacks, such as attempts by third parties to gain access to your systems for purposes of acquiring your confidential information or intellectual property, including personally identifiable information that may be in your possession, or to interrupt your systems or otherwise try to cause harm to your business and operations and have disclosed that such risks may be material to their business and operations, please tell us what consideration you gave to including disclosure related to cybersecurity risks or cyber incidents.

• We note that the incidences of cyber attacks, including upon financial institutions or their service providers, have increased over the past year. In future filings, please provide risk factor disclosure describing the cybersecurity risks that you face. In addition, please tell us whether you have experienced cyber attacks in the past. If so, please also disclose that you have experienced such cyber attacks in order to provide the proper context for your risk factor disclosure.

3. Be Specific. The SEC staff has advised that companies should avoid boilerplate language and vague statements of general applicability. In particular, the guidance states that companies should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. In addition, the guidance states that companies should provide disclosure tailored to their particular circumstances and avoid generic boilerplate disclosure. Companies that offer generally applicable statements may expect to receive comments such as the following:

• You state that “Like other companies, our information technology systems may be vulnerable to a variety of interruptions, as a result of updating our SAP platform or due to events beyond our control, including, but not limited to, natural disasters, terrorist attacks, telecommunications failures, computer viruses, hackers, and other security issues.” Please tell us whether any such events relating to your cybersecurity have occurred in the past and, if so, whether disclosure of that fact would provide the proper context for your risk factor disclosure.

• We note that you disclose that you may be vulnerable to breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events. Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, whether disclosure of that fact would provide the proper context for your risk factor disclosures.

4. Remember That A Vulnerability “Road Map” Is Not Required. Although the SEC seeks disclosures that are sufficient to allow investors to appreciate the nature of the risks faced by a company, it has made clear that the SEC does not seek information that would create a road map or otherwise compromise a company’s cybersecurity. At the outset of its guidance, the SEC staff states that it is mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “road map” for those who seek to infiltrate a company’s network security -- and that disclosures of that nature are not required under the federal securities laws. The SEC guidance later reiterates that the federal securities laws do not require disclosure that itself would compromise a company’s cybersecurity.


5. Consider Insurance. Network security alone cannot entirely address the issue of cybersecurity risk; no firewall is unbreachable, and no security system is impenetrable. Insurance can play a vital role in a company’s overall strategy to address, mitigate, and maximize protection against cybersecurity risk. Reflecting this reality, the SEC guidance advises that appropriate disclosures may include a description of relevant insurance coverage that a company has in place to cover cybersecurity risks. The SEC’s guidance provides another compelling reason for companies to carefully evaluate their current insurance program and consider purchasing “cyber” and data privacy-related insurance products, which can be extremely valuable.9 In the wake of a data breach such as the recent Target breach, for example, a solid “cyber” insurance policy may cover not only liability arising out of potential litigation, such as defense costs, settlements, and judgments, but also breach notification costs and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers, and public relations efforts as well as potential regulatory investigations, fines, and penalties. Recent SEC comments have requested information regarding both whether the company has obtained relevant insurance coverage as well as the amount of the company’s cyber liability insurance.

Considering these five tips may assist companies in minimizing the likelihood of receiving an SEC comment letter (and possibly multiple rounds of comments) and, even more importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a cybersecurity incident.

9 Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at http://www.klgates.com/before-becoming-the-next-target--recent-case-highlights-the-need-to-consider-insurance-for-data-breaches-01-16-2014/


Authors: Roberta D. Anderson [email protected] +1.412.355.6222

Katherine J. Blair [email protected] +1.310.552.5017

Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt

Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris

Perth Pittsburgh Portland Raleigh Research Triangle Park San Diego San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane

Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington

K&L Gates practices out of 48 fully integrated offices located in the United States, Asia, Australia, Europe, the Middle East and South America and represents leading global corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

©2014 K&L Gates LLP. All Rights Reserved.


NIST Unveils Cybersecurity Framework

By Roberta Anderson

On February 12th, the National Institute of Standards and Technology (NIST) released its long-anticipated Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0,1 together with a companion Roadmap for Improving Critical Infrastructure Cybersecurity.2 The Framework is issued in accordance with President Obama’s February 19 Executive Order 13636, Improving Critical Infrastructure Cybersecurity,3 which tasked NIST with developing a cost-effective Framework “to reduce cyber risks to critical infrastructure.”4 The companion Roadmap discusses NIST’s next steps with the Framework and identifies key areas of development, alignment of cybersecurity standards and practices within the U.S. and globally, and collaboration with private and public sector organizations and standards-developing organizations.

The Framework applies to organizations in critical infrastructure.5 But, given the pervasiveness of cybersecurity incidents, and the ever-present, increasing, and evolving cyber risk threat, all organizations should consider whether their current cybersecurity risk management practices would pass muster under the Framework. In addition, although the Framework is “voluntary”—at least so far—organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Framework provides a “de facto” standard for cybersecurity and risk management even for non-critical infrastructure organizations. One thing that companies should consider as they review the Framework is what “Tier” of cybersecurity risk management they wish to achieve. The Tiers—which range from “informal, reactive” responses to “agile and risk-informed”—are addressed below, together with an overview of the Framework and additional detail regarding certain of its key aspects.

Overview

At a high level, as its name indicates, the Framework provides a framework for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices, to identify gaps that should be addressed in order to progress towards a desired “target” state of cybersecurity risk management, and to internally and externally communicate efficiently about cybersecurity and risk management.

1 The Cybersecurity Framework is available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf. NIST developed the Framework based on information gathered over the past year, including a Request for Information published in the Federal Register and a series of four open public workshops held at various locations throughout the United States. See Roberta Anderson, NIST Unveils Preliminary Cybersecurity Framework, K&L Gates Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/

2 The Roadmap is available at http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf

3 78 FED. REG. 11737 (2013). The Executive Order is available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.

4 Executive Order, Section 7(a).

5 “Critical infrastructure” organizations include those in the chemical, communications, critical manufacturing, defense, financial services, energy, healthcare, and information technology sectors, among others. The Presidential Policy Directive/PPD 21, Critical Infrastructure Security and Resilience (Feb. 12, 2013), available at http://www.fas.org/irp/offdocs/ppd/index.html (reference “PPD 21”), identifies 16 critical infrastructure sectors.

February 2014

Practice Group(s): Cyber Law and Cybersecurity Insurance Coverage


Building from global standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:

1. Describe their current cybersecurity posture;

2. Describe their target state for cybersecurity;

3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;

4. Assess progress toward the target state;

5. Communicate among internal and external stakeholders about cybersecurity risk.

NIST has emphasized that the Framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.”6 In addition, NIST properly notes that the Framework “is not a one-size-fits-all approach” to managing cybersecurity risk, given that organizations “have unique risks—different threats, different vulnerabilities, different risk tolerances.”7

In releasing the Framework, NIST explained that it provides a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs and “a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.”8 NIST also notes that organizations can use the framework “to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity.”9 Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.

Although applying to organizations in critical infrastructure, the Framework may be used by any organization as part of its effort to assess cybersecurity practices and manage cybersecurity risk.

Three-Part Approach

The Framework adopts a risk-based approach composed of three parts: the Framework Core, Framework Profile, and Framework Implementation Tiers.

Framework Core

The Framework relies upon existing global cybersecurity standards, guidelines, and practices as a basis to build or enhance an organization’s cybersecurity risk management practices.

6 Framework, at 4.

7 Id. at 2.

8 NIST Releases Cybersecurity Framework Version 1.0 (Feb. 12, 2014), available at http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm.

9 Id.


The Framework Core presents five high-level “Functions,” which, as stated by NIST, “organize basic cybersecurity activities at their highest level.”10 The five Functions are: (1) Identify,11 (2) Protect,12 (3) Detect,13 (4) Respond,14 and (5) Recover.15 NIST explains that these five high-level Functions “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk”16 and will provide “a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices.”17

For each of the five Functions, the Framework Core identifies underlying key “Categories” and “Subcategories” of cybersecurity outcomes, and then matches those outcomes with “Informative References” that will assist organizations in achieving the outcomes, such as existing cybersecurity standards, guidelines, and practices. By way of example, Categories within the “Protect” Function include Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, and Protective Technology.18

Subcategories under the “Access Control” Category within the Protect Function include (but are not limited to) “[i]dentities and credentials are managed for authorized devices and users” and “[n]etwork integrity is protected, incorporating network segregation where appropriate.”19

“Informative References” for “[i]dentities and credentials are managed for authorized devices and users” include the following:

• CCS CSC 16

• COBIT 5 DSS05.04, DSS06.03

• ISA 62443-2-1:2009 4.3.3.5.1

• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9

• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3

• NIST SP 800-53 Rev. 4 AC-2, IA Family20

The following Figure 1 (Framework Core Structure) from the Framework depicts the Framework Core:

10 Framework, at 7.

11 This is to “[d]evelop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.” Id. at 8.

12 This is to “[d]evelop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.” Id.

13 This is to “[d]evelop and implement the appropriate activities to identify the occurrence of a cybersecurity event.” Id.

14 This is to “[d]evelop and implement the appropriate activities to take action regarding a detected cybersecurity event.” Id.

15 This is to “[d]evelop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.” Id. at 9.

16 Id. at 4.

17 Id. at 13.

18 Id. at 19 (Appendix A).

19 Id. at 23-24 (Appendix A).

20 Id. at 23 (Appendix A). Additional supporting material relating to the Framework can be found on the NIST website at http://www.nist.gov/cyberframework/.


NIST explains that the Core “presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”21

Implementation Tiers

The Framework Implementation Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and “the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.”22 By way of example, considering the risk management aspect, at Tier 1 “[o]rganizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.”23 At Tier 2, “[r]isk management practices are approved by management but may not be established as organizational-wide policy.”24 At Tier 3, “[t]he organization’s risk management practices are formally approved and expressed as policy” and “[o]rganizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.”25 At Tier 4, “[t]he organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities” and “[t]hrough a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.”26

21 Id. at 4.

22 Id. at 9.

23 Id. at 10.

24 Id.

25 Id.

26 Id. at 11.


Profile

In essence, the Framework Profile assists organizations to progress from a current level of cybersecurity sophistication to a target improved state that meets the organization’s business needs. As stated by NIST, a Profile is used to “identify opportunities for improving cybersecurity posture by comparing a ‘Current’ Profile (the ‘as is’ state) with a ‘Target’ Profile (the ‘to be’ state).”27 Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be addressed to meet cybersecurity risk management objectives. NIST states that the Framework Profile “can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.”28
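The Core hierarchy (Function, Category, Subcategory, Informative References) and the Current-versus-Target Profile comparison described above can be modelled directly. The following Python is an added example, not code from NIST or from the alert: it reuses the Access Control Subcategories and Informative References quoted in the text, labels them with the Framework's own PR.AC-1 and PR.AC-5 identifiers (which the text does not quote), and the three-step status scale, the priority ranks and the sample profiles are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Subcategory:
    id: str                      # Framework identifier, e.g. "PR.AC-1"
    outcome: str                 # the cybersecurity outcome statement
    references: Tuple[str, ...]  # Informative References for that outcome


@dataclass
class Category:
    name: str
    subcategories: List[Subcategory] = field(default_factory=list)


@dataclass
class Function:
    name: str
    categories: List[Category] = field(default_factory=list)


# Excerpt of the Core: the Protect Function's Access Control Category with
# the two Subcategories and the Informative References quoted in the alert.
# The alert does not quote PR.AC-5's references, so they are left empty here.
PROTECT = Function("Protect", [
    Category("Access Control", [
        Subcategory(
            "PR.AC-1",
            "Identities and credentials are managed for authorized devices and users",
            ("CCS CSC 16",
             "COBIT 5 DSS05.04, DSS06.03",
             "ISA 62443-2-1:2009 4.3.3.5.1",
             "ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9",
             "ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3",
             "NIST SP 800-53 Rev. 4 AC-2, IA Family"),
        ),
        Subcategory(
            "PR.AC-5",
            "Network integrity is protected, incorporating network segregation where appropriate",
            (),
        ),
    ]),
])

# Implementation status of a Subcategory within a Profile. The Framework does
# not prescribe these values; this three-step scale is constructed for the example.
STATUS_ORDER = {"not_implemented": 0, "partial": 1, "implemented": 2}

Profile = Dict[str, str]  # Subcategory id -> status


def core_index(functions: List[Function]) -> Dict[str, Tuple[str, str, Subcategory]]:
    """Flatten Function -> Category -> Subcategory into a lookup keyed by id."""
    index = {}
    for fn in functions:
        for cat in fn.categories:
            for sub in cat.subcategories:
                index[sub.id] = (fn.name, cat.name, sub)
    return index


def profile_gaps(functions: List[Function], current: Profile, target: Profile,
                 priority: Dict[str, int] = None) -> List[dict]:
    """Compare a Current Profile with a Target Profile and return the
    Subcategories whose target status exceeds the current one, ordered by the
    priority rank (lower number first) assigned in the Target Profile.
    Unknown Subcategory ids or statuses are rejected rather than ignored."""
    index = core_index(functions)
    priority = priority or {}
    for sid in set(current) | set(target):
        if sid not in index:
            raise ValueError(f"unknown Subcategory in profile: {sid}")
    for status in list(current.values()) + list(target.values()):
        if status not in STATUS_ORDER:
            raise ValueError(f"unknown status: {status}")
    gaps = []
    for sid, wanted in target.items():
        have = current.get(sid, "not_implemented")  # absent = not implemented
        if STATUS_ORDER[have] < STATUS_ORDER[wanted]:
            fn_name, cat_name, sub = index[sid]
            gaps.append({
                "id": sid, "function": fn_name, "category": cat_name,
                "outcome": sub.outcome, "current": have, "target": wanted,
                "references": list(sub.references),  # standards to consult
            })
    gaps.sort(key=lambda g: (priority.get(g["id"], 99), g["id"]))
    return gaps


# Constructed sample profiles for an organization reviewing Access Control.
CURRENT = {"PR.AC-1": "partial", "PR.AC-5": "not_implemented"}
TARGET = {"PR.AC-1": "implemented", "PR.AC-5": "partial"}
PRIORITY = {"PR.AC-5": 1, "PR.AC-1": 2}  # segmentation first, then identity

if __name__ == "__main__":
    for gap in profile_gaps([PROTECT], CURRENT, TARGET, PRIORITY):
        print(f"{gap['id']} ({gap['function']}/{gap['category']}): "
              f"{gap['current']} -> {gap['target']}")
        for ref in gap["references"]:
            print("    consult:", ref)
```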

Framework Implementation

The Framework is voluntary—at least for now. NIST also has explained that the Framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.”29 Organizations can use the Framework as a reference to establish a cybersecurity program, or leverage the Framework to “identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.”30 The Framework recognizes that “[o]rganizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.”31

Importantly, the Framework can be used as a means to communicate an organization’s required cybersecurity standards to business partners. As stated by NIST, “[t]he Framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure services,” such as, for example, the utilization of a “Target” Profile to “express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data).”32 This is significant, because the cybersecurity shortcomings of “cloud” and other providers can have a profound impact on supply chains. As noted by NIST in the Roadmap:

All organizations are part of, and dependent upon, product and service supply chains. Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs. Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing, and trust mechanisms remain a challenge. Organizations can struggle to identify their risks and prioritize their actions—leaving the weakest links susceptible to penetration and disruption. Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge, and fragmented standards and best practices.33

27 Id.

28 Id. at 5.

29 Id. at 4.

30 Id.

31 Id. at 5.

32 Id. at 12.

33 Roadmap at 8.


Incentive—and Cybersecurity Insurance

As of yet unspecified governmental incentives will be offered to organizations that adopt the Framework. The Executive Order directs the Secretary of Homeland Security, in coordination with sector-specific agencies, to “establish a voluntary program to support the adoption of the Framework by owners and operators of critical infrastructure and any other interested entities,” called the “Program,” and to “coordinate establishment of a set of incentives designed to promote participation in the Program.”34

On August 6, 2013, the White House previewed a list of possible incentives, including “Cybersecurity Insurance” at the top of the list.35 If Cybersecurity Insurance is adopted as an incentive, organizations that participate in the Program may, for example, enjoy more streamlined underwriting and reduced cyber insurance premiums. As stated by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, agencies have “suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program” and that “[t]he goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”36 Mr. Daniel states that NIST “is taking steps to engage the insurance industry in further discussion on the Framework.”37

The placement of “Cybersecurity Insurance” at the top of a list of possible incentives underscores the important role that insurance can play in an organization’s overall strategy to manage and mitigate cybersecurity risk, including supply chain disruption.38 Adam Sedgewick, Senior Information Technology Policy Advisor at NIST, stated that NIST views “the insurance industry as a major stakeholder [in] helping organizations manage their cyber risk.”39 All of this is consistent with the SEC’s guidance on cybersecurity disclosures under the federal securities laws, which advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage” for cybersecurity risks.40

Going Forward

The Framework is a “living document,” which states that it “will continue to be updated and improved as industry provides feedback on implementation.”41 As the Framework is put into practice, lessons learned will be integrated into future versions to ensure it is “meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.”42 NIST will receive and consider comments about the Framework informally until it issues a formal notice of revision to version 1.0, at which point it will specify a focus for comments and specific deadlines that will allow it to develop and publish proposed revisions. In addition, NIST intends to hold at least one workshop within the next six months to provide a forum for stakeholders to share experiences in using the Framework, and will hold one or more workshops and focused meetings on specific areas for development, alignment, and collaboration. Therefore, organizations will continue to have the opportunity to potentially shape the final Framework.

34 Executive Order, Section 8(a, d).

35 Michael Daniel, Incentives to Support Adoption of the Cybersecurity Framework, The White House Blog (Aug. 6, 2013), available at http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework.

36 Id. Other potentially significant incentives include leveraging federal grant programs, limitations on liability, including “reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements,” and optional public recognition for participants in the Program and their vendors. Id.

37 Id.

38 See Roberta D. Anderson, Insurance Coverage for Cyber Attacks, THE INSURANCE COVERAGE LAW BULLETIN, Vol. 12, Nos. 4 & 5 (May-June 2013).

39 See Janet Aschkenasy, NIST to engage insurance as tool to manage cyber risk, Advisen (Oct. 28, 2013) (quoting Mr. Sedgewick).

40 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

41 Framework, at 2.

42 Id.

* * * * *

Our Cybersecurity Practice Group is uniquely positioned to assist our clients in all aspects of addressing and mitigating cyber risks, including assisting our clients to understand the scope, impact, applicability, and implications of the President’s Executive Order, Presidential Policy Directive 21, and the developing Cybersecurity Framework and Program incentives.

Contacts: Roberta D. Anderson [email protected] +1.412.355.6222

David A. Bateman [email protected] +1.206.370.6682

Bruce J. Heiman [email protected] +1.202.661.3935

Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt

Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris

Perth Pittsburgh Portland Raleigh Research Triangle Park San Diego San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane

Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington

K&L Gates practices out of 48 fully integrated offices located in the United States, Asia, Australia, Europe, the Middle East and South America and represents leading global corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

© 2014 K&L Gates LLP. All Rights Reserved.


How to Purchase “Cyber” Insurance

By Roberta D. Anderson

“Cyber” insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy, and other risks. But selecting and negotiating the right insurance product can present a significant challenge given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization’s risk profile. The following five tips will help to facilitate a successful cyber policy placement.

#1. Get a Grasp on Risk Profile and Tolerance

A successful cyber placement is facilitated by having a thorough understanding of an organization’s risk profile, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted, and stored. A complete understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure, and risk tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs in order to adequately respond to identified risks and exposure.

#2. Look at Existing Coverage

The California federal district court’s recent October 7th decision in Hartford Casualty Insurance Company v. Corcino & Associates et al.[i] – upholding coverage under a commercial general liability (“CGL”) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients – underscores that there may be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal And Advertising Injury Liability” (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, directors and officers (“D&O”), errors and omissions (“E&O”), professional liability, fiduciary, crime, and other coverages.

#3. Purchase “Cyber” Insurance As Needed

In response to decisions upholding coverage for data breach, privacy, network security, and other “cyber” risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines of coverage. By way of example, Insurance Services Office, Inc. (“ISO”)[ii] recently filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess, and umbrella CGL policies. These are to become effective in May 2014. For instance, one of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage B:

Roberta D. Anderson, a partner in the Pittsburgh office of K&L Gates LLP, concentrates her practice in insurance coverage litigation and counseling. She has represented policyholders in connection with a wide range of insurance issues and disputes arising under almost every kind of insurance coverage, including general liability, commercial property and business interruption, “cyber”-liability, directors and officers, errors and omissions (“E&O”), technology E&O, professional liability, employment practices liability, political risk, environmental, fidelity, fiduciary, crime, terrorism, residual value, nuclear, and other insurance coverages, and in broker liability disputes. She can be reached at [email protected].

The Insurance Coverage Law Information Center


This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.[iii]

Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty “cyber” insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. By way of example, the AIG Specialty Risk Protector® specimen policy[iv] states that the insurer will:

pay … all Loss that the Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.[v]

“Privacy Event” includes:

(1) any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;

(2) failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or

(3) violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.[vi]

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

(1) information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, social security number, account relationships, account numbers, account balances, account histories and passwords;

(2) information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;

(3) information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;

(4) information used for authenticating customers for normal business transactions;

(5) any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.]


A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines, and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

• costs associated with post-data breach notification
• credit monitoring services
• forensic investigation to determine cause and scope of a breach
• public relations efforts and other “crisis management” expenses
• legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

The sublimits typically associated with remediation coverage warrant careful attention.

Cyber insurance policies often offer other types of coverages, including:

• network security coverage (often in the same coverage grant as the “privacy” coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;
• media liability coverage, which generally covers liability arising out of, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;
• information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured’s own data or computer systems;
• network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and
• extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to prevent a threatened cyber attack.

In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.

#4. Spotlight The “Cloud”

Cyber risk is intensified by the trend in outsourcing of data handling, processing and/or storage to third party vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March 2012, found that over 41 percent of U.S. data breaches are caused by third party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.”[vii] Many “off the shelf” cyber policies, however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties) and/or to network security threats to the insured’s own network or computer system – not the networks / computer systems of third parties. This may result in illusory coverage. The recent high profile attack on the New York Times homepage, during which users that tried to access www.nytimes.com were directed to a website apparently maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies because the attack was not on the New York Times “system” as defined in many policies, but rather on the system of a third party domain name registrar.

#5. Remember the “Cyber” Misnomer

Keep in mind that many data breaches are not electronic – they often result from non-electronic sources. Data privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account of stolen paper records from a closet. Neither should a “cyber” insurance policy. Although this type of coverage is commonly referred to as “cyber” insurance, a solid policy will cover non-electronic data, such as paper records.[viii] Likewise, a policy should also provide coverage for physical breaches resulting from, for example, the theft of a laptop or loss of a USB drive.


There are many other considerations and points to focus on. There is a dizzying array of cyber products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer – even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources, and compliance personnel – and experienced insurance coverage counsel.

[i] No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013). The two underlying class action lawsuits alleged that Stanford Hospital and Clinics and the insured, medical consulting firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website. In particular, the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information of almost 20,000 patients of Stanford’s Emergency Department appeared on a public website and remained publicly available online for almost one full year.” Id. at 2 (quoting the Second Amended Class Action Complaint in Springer, et al. v. Stanford Hosp. and Clinics, et al., No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)). The underlying complaints contained causes of action for violations of the claimants’ constitutional right of privacy, common law privacy rights, the California Confidentiality of Medical Information Act (“CMIA”) and the California Lanterman Petris Short (“LPS”) Act. The suits sought, among other things, statutory damages of $1000 per person under CMIA and statutory damages of up to $10,000 per person under LPS.

[ii] ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.

[iii] CG 21 07 05 14 (2013). “Electronic data” is defined as:

information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Id.

[iv] See AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section.

[v] Id. Section 1.

[vi] Id. Section 2.(d). “Security Breach Notice Law” includes:

any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute known as California SB 1386 (§1798.82, et. al. of the California Civil Code).

Id. Section 2.(m).

[vii] 2011 Global Cost Of Data Breach Study, Ponemon Institute LLC, at 6 (Mar. 2012).

[viii] See Richard S. Betterley, The Betterley Report, Cyber/Privacy Insurance Market Survey, at 18 (June 2013).

Reprinted with permission from FC&S Legal: The Insurance Coverage Law Information Center (www.fcandslegal.com). All rights reserved. For information about becoming a subscriber, call 800-543-0874.


Our Team


R. Bruce Allensworth Partner

Boston T 617.261.3119F [email protected]

OVERVIEW Mr. Allensworth is a partner resident in K&L Gates’ Boston, Massachusetts office, and is a member of the firm’s Class Action Litigation Defense group. His practice focuses on complex civil litigation, primarily class action litigation. He has served as lead counsel in litigation matters pending in federal and state courts in 31 of the 50 states and in Puerto Rico and the United States Virgin Islands, including as lead counsel in more than 150 class actions. He started K&L Gates’ Consumer Financial Services Class Action Litigation practice in the firm’s Boston office.

Mr. Allensworth’s practice focuses substantially on the defense of federal and state class action litigation. He defends actions brought against banking, mortgage lending and consumer financial services institutions and other business entities. These class actions, brought throughout the country, have concerned challenges under federal statutes including the Real Estate Settlement Procedures Act, the Truth in Lending Act (including the Home Ownership and Equity Protection Act and the Consumer Leasing Act), the Fair Debt Collection Practices Act, the Fair Credit Reporting Act, the Fair Housing Act and the Equal Credit Opportunity Act; the federal securities laws, state statutes (including state unfair and deceptive acts and practices statutes, state motor vehicle sales finance acts and state statutory analogs to various federal consumer protection statutes) and common law claims.

Mr. Allensworth defends data breach class action litigation. Mr. Allensworth represents financial institutions in government enforcement actions.

Mr. Allensworth defends mobile wireless companies in class action and government enforcement litigation in various federal and state courts around the country. These actions concern disputes arising under the federal Communications Act, including the Telephone Consumer Protection Act, and state unfair and deceptive acts and practices statutes, including actions involving state tax billing disputes, contract disputes and alleged violations of the number porting requirements of the Federal Communications Commission.

Mr. Allensworth has litigated a wide variety of federal and state securities law matters, complex commercial disputes, and corporate insurance coverage matters. He has tried jury and jury-waived cases in state and federal trial courts and has appeared and argued in various state and federal appellate courts. Mr. Allensworth has tried matters in arbitration and represented clients in alternative dispute resolution forums. He has represented clients before federal and state securities agencies and the NASD.


PROFESSIONAL BACKGROUND Before entering private practice, Mr. Allensworth served as law clerk to the Honorable Walter J. Skinner on the United States District Court for the District of Massachusetts.

PUBLICATIONS

• The Seventh Circuit Breathes New Life Into “Firm Offers of Credit;” The First Circuit Tells Consumers to “Opt Out” and Stop Complaining, Mortgage Banking and Consumer Credit Alert, R. Bruce Allensworth, Irene C. Freidel, Brian M. Forbes, Gregory N. Blase, April 28, 2008.

• Looking Back to the Future: “Presumptively Unfair” Mortgage Loans in the Case of Commonwealth of Massachusetts v. Fremont Investment & Loan, et al., Mortgage Banking & Consumer Credit Alert, R. Bruce Allensworth, Irene C. Freidel, Brian M. Forbes, Ryan M. Tosi, March 6, 2008.

• Developments in “Firm Offer” Litigation Under the Fair Credit Reporting Act, The Review of Banking & Financial Services, R. Bruce Allensworth, Irene C. Freidel, Brian M. Forbes, Gregory N. Blase, February 2008.

• Consumers Clog Courts with Codified Care Claims, Mortgage Banking & Consumer Credit Alert, Laurence E. Platt, R. Bruce Allensworth, Phoebe Gallagher Winder, Andrew C. Glass, David D. Christensen, January 30, 2008.

• Limiting Class Action Liability for Businesses, e-Finance & Payments Law & Policy, R.B. Allensworth, Andrew C. Glass, Ryan M. Tosi and David D. Christensen, July 2007.

• Recent Federal Court Decision Bolsters Growing Line of Cases Dismissing Class Action Claims for Alleged “Identity Theft,” Class Action Alert, R.B. Allensworth, Andrew C. Glass, Ryan M. Tosi and David D. Christensen, July 26, 2007.

• Class or No Class? Loan Rescission Under TILA and Class Actions: The Debate Continues, Mortgage Banking & Consumer Credit Alert, R. Bruce Allensworth, Brian M. Forbes, Irene C. Freidel, Steven M. Kaplan, Jonathan D. Jaffe, February 2007.

• Big Dollar Liability Under FCRA Clarified: Supreme Court Hears Argument Regarding The Standard for Awarding Statutory and Punitive Damages, Mortgage Banking & Consumer Credit Alert, R. Bruce Allensworth, Irene C. Freidel, Steven M. Kaplan, Leanne E. Hartmann, February 2007.

• Decisions of Federal Courts Create Uncertainty Concerning Use of Prescreened Offers of Credit: An Update on FCRA Prescreened Offer of Credit Class Action Litigation, Mortgage Banking & Consumer Credit Alert, R. Bruce Allensworth, Steven M. Kaplan, Irene C. Freidel, Brian M. Forbes, Joshua C. Rowland, April 2006.

PROFESSIONAL/CIVIC ACTIVITIES

• American Bar Association (Litigation Section, Class Actions Committee; Business Law Section, Consumer Financial Services Committee)

• Mortgage Bankers Association


• Former Town Meeting Member, Wellesley, MA

• Various pro bono representations

• Officer, United States Army, active duty

ADMISSIONS

• Massachusetts

• United States Supreme Court

• United States Court of Appeals for the First Circuit

• United States Court of Appeals for the Second Circuit

• United States Court of Appeals for the Third Circuit

• United States Court of Appeals for the Fifth Circuit

• United States Court of Appeals for the Sixth Circuit

• United States Court of Appeals for the Seventh Circuit

• United States Court of Appeals for the Eighth Circuit

• United States Court of Appeals for the Ninth Circuit

• United States Court of Appeals for the Eleventh Circuit

• United States District Court for the District of Massachusetts

• United States District Court for the Northern District of Illinois

• United States District Court for the Eastern District of Wisconsin

EDUCATION

J.D., Yale Law School, 1978

B.A. (Mathematics), University of Texas, 1969


Roberta D. Anderson Partner

Pittsburgh T 412.355.6222 F 412.355.6501 [email protected]

OVERVIEW Ms. Anderson is a partner in the firm's Pittsburgh office with over fifteen years of experience in complex commercial litigation and alternative dispute resolution. A member of the firm’s global Insurance Coverage practice group, and a co-founder of the firm's global Cyber Law and Cybersecurity practice group, Ms. Anderson concentrates her practice in the areas of insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues, including incident planning and breach response. She has represented clients in connection with a broad spectrum of insurance issues and disputes arising under almost every kind of business insurance, including general liability, commercial property and business interruption, data privacy and “cyber” liability, directors and officers (D&O) liability, errors and omissions (E&O), technology E&O, professional liability, employment practices liability (EPL), political risk, environmental, fidelity, fiduciary, crime, terrorism, residual value, and nuclear. Ms. Anderson provides strategic advice on ways to maximize the value of clients’ current and historic insurance assets.

Ms. Anderson also counsels clients on complex underwriting and risk management issues. She has unique and substantial experience in the drafting and negotiation of D&O, technology E&O, data privacy and “cyber”-liability, and other insurance coverages. She provides strategic insurance coverage advice to clients in assessing their potential risks, analyzing new insurance products, considering the adequacy of existing insurance programs, and negotiating new placements tailored to the clients’ specific risk profile. Ms. Anderson has performed insurance due diligence for clients contemplating mergers and acquisitions concerning the adequacy of the target companies’ insurance programs. She also counsels clients on risk transfer and representation and warranty insurance in connection with corporate transactions.

Ms. Anderson has served as counsel in a variety of forums, including United States federal and state courts, ad hoc arbitration and private mediations. She has acted as special counsel in reorganization proceedings in the United States Court of Appeals for the Fifth Circuit. Ms. Anderson also has participated in arbitrations in leading national and international situses, including London, Bermuda and New York. Ms. Anderson has significant knowledge and experience relating to the London and international insurance markets.

PROFESSIONAL BACKGROUND A recognized national authority in insurance coverage, cybersecurity and data privacy related issues, Ms. Anderson frequently lectures on these subjects, including for the American Bar Association (ABA), the Risk and Insurance Management Society (RIMS), the Pennsylvania Bar Association, Practicing Law Institute, Strafford Continuing Legal Education, and Law Seminars International. In addition, she regularly provides interviews and comments on these subjects to leading industry publications, such as Law360 and Advisen. Ms. Anderson also publishes extensively, and currently serves on a number of editorial boards for leading industry publications, including the Tort Trial & Insurance Practice Law Journal (American Bar Association) and The Insurance Coverage Law Bulletin (American Lawyer Media). She also served on the editorial board of the CGL Reporter (International Risk Management Institute) from 2007 to 2010.

Ms. Anderson is a member of both the ABA Litigation Section and the ABA Tort and Insurance Practice Section (TIPS). She currently serves as a Co-Chair of the ABA Section of Litigation’s Insurance Coverage Litigation Committee (International/London Subcommittee). She also serves as a Vice-Chair of the ABA TIPS Insurance Coverage Litigation Committee. Ms. Anderson is past Chair of the ABA TIPS Excess, Surplus Lines and Reinsurance Committee (2008-2010) and served as a member of the ABA Public Relations Special Standing Committee from 2010 to 2012.

SPEAKING ENGAGEMENTS AND INSTRUCTION

Live Presentations (CLE, CPU, CE And CPD)

Presenter: “Cybersecurity: Minimizing Risk and Managing Consequences,” K&L Gates LLP Seminar (Pittsburgh, PA), December 9, 2014

Panelist: “The Board's Role in Management of Cybersecurity and Data Privacy Threats: Achieving Cybersecurity and Data Privacy Resilience Before the Breach,” K&L Gates LLP Briefing (Seattle, WA), November 25, 2014

Panelist: “The Exchange Data Privacy and Cyber Security Forum,” Today's General Counsel and Institute (Capital Hilton, Washington, DC), November 18, 2014

Lecturer: “Cyber Risk, Regulatory Issues, and Insurance Mitigation,” ISACA Pittsburgh Information Security Awareness Day (Rivers Casino, Pittsburgh, PA), November 17, 2014

Panelist: “Cyber Speed Debates 2.0,” 2014 PLUS Conference, November 6, 2014 (Caesars Palace, Las Vegas, NV)

Panelist: “Boardroom Risks,” 22nd Annual SMU Corporate Counsel Symposium, October 31, 2014 (Park Cities Hilton, Dallas, TX)

Panelist/Moderator: “Coverage Considerations,” Advisen 2014 Cyber Risk Insights Conference, October 28, 2014 (Grand Hyatt, New York, NY)

Lecturer: “Cyber Crimes: Trends and Protections,” The Allegheny Chapter CPCU All Industry Day, October 15, 2014 (Wyndham Grand, Pittsburgh, PA)

Panelist: “Cyber Risk and Global Security Issues: is your business fully prepared?,” October 2, 2014 (One New Change, London)

Lecturer: “Cybersecurity Law 2014: Minimizing Data Legal Liability Risk in the Digital Age,” Pennsylvania Bar Institute CLE Program, August 11, 2014 (Pittsburgh, PA)

Panelist: “D&O & Cyber Forum,” AON, May 7, 2014 (The Duquesne Club, Pittsburgh, PA)


Speaker/Coordinator: “Cyber3.0: Cutting Edge Advancements in Insurance Coverage For Cyber Risk & Reality,” RIMS Annual Conference, April 29, 2014 (Denver, CO)

Panelist: “What Your Company Needs to Know about Cybersecurity,” OCTANe Presentation, April 17, 2014 (Irvine, CA)

Lecturer: “Cutting-Edge Advancements in Insurance Coverage for Cyber Risk and Reality,” RIMS Pittsburgh Chapter Meeting, April 8, 2014 (Pittsburgh, PA)

Panelist: “Cybersecurity Threats in the Financial Sector,” March 5, 2014 (Pershing LLC, Jersey City, NJ)

Panelist: “Who's On First? Insurance Coverage For Mass And Class Actions,” ABA Tort Trial & Insurance Practice Section Insurance Coverage Litigation Committee Midyear Program, February 20-22, 2014 (Phoenix, AZ)

Speaker: “Cybersecurity and Privacy: Managing Threats, Risks and Protection,” October 22, 2013 (University Club, Palo Alto, CA)

Speaker: “Insurance Coverage For Cyber Risks And Realities,” Co-Sponsored by the Association of Corporate Counsel, Western Pennsylvania Chapter and K&L Gates, September 24, 2013 (Pittsburgh, PA)

Speaker: "Additional Insured Coverage & Contractual Indemnification," K&L Gates Insurance Coverage Training Series CLE, June 3, 2013 (Pittsburgh, PA)

Speaker: “Cyber Risk And Insurance,” K&L Gates Insurance Coverage Training Series CLE, September 5, 2012 (Pittsburgh, PA)

Panelist: “Finding Balance in the Shifting Sands of Insurance Coverage” – ABA Tort Trial & Insurance Practice Section’s Insurance Coverage Litigation Committee’s Midyear Program, February 24-26, 2011 (Phoenix, AZ)

Speaker: "Insurance Coverage Training Series: Nuclear-Related Liabilities" Insurance Coverage Training Series CLE, January 7, 2009 (Pittsburgh, PA)

Panelist: “Testing the Waters: Discovering the Latest Currents in Insurance Coverage Law: Navigating Current Issues Under E&O and D&O Policies,” ABA Tort Trial & Insurance Practice Section Insurance Coverage Litigation Committee Midyear Program, February 28–March 1, 2008 (Marina Del Rey, CA)

Panelist: “The Battle Before the Battle: Shifting Sands of Insurance Coverage Seeking Relief from the Changing Winds of Judicial Review,” ABA Tort Trial & Insurance Practice Section Insurance Coverage Litigation Committee Midyear Program, February 15–17, 2007 (Tucson, AZ)

Speaker: “Challenging the Guidelines & the Carrier’s Response,” LexisNexis® Mealeys™ Litigation Management Guidelines Conference, July 20-21, 2006 (New York, NY)

Speaker: “Broker Contingent Commissions Investigations,” RIMS Pittsburgh Chapter Meeting, April 2005 (Pittsburgh, PA)


Speaker: “Getting the Most Out of Lloyd’s And Equitas: Basics I: Organization And Terminology,” ABA Section of Litigation Essential Intelligence for US Coverage Lawyers™ Conference, May 14-15, 2002 (Chicago, IL)

Live Webinars

Panelist: “Feeling the Heat? How to Cool Off with Cyber Risk Insurance,” AccessData Webinar, October 16, 2014

Lecturer: “Data Privacy and Cybersecurity Due Diligence in M&A Deals,” Strafford CLE Webinar, October 9, 2014

Panelist: “Cyber Exposures of Small and Mid-Size Businesses – A Digital Pandemic,” Advisen, October 7, 2014

Lecturer: “Dropping the ‘Hammer’ on Security Threats with Rapid Detection and Resolution,” ALM Virtual LegalTech Webinar, September 12, 2014

Lecturer: “FDIC and Other Banking Agency Litigation Against Auditors, Law Firms, Appraisers and Other Outside Advisors: Latest Developments in Defending Agency Claims and Maximizing E&O Insurance Coverage,” Strafford CLE Webinar, August 7, 2014

Lecturer: “Insurance Coverage for Data Breaches and Privacy Violations: Are Your Corporate Clients Truly Protected?,” Strafford CLE Webinar, August 6, 2014

Panelist: “Cyber Sanity: Innovative Approaches to Data Security,” Advisen, July 22, 2014

Lecturer: “Before the Breach: Insurance and Other Ways to Proactively and Effectively Mitigate Cyber Risk,” FX Conferences, July 14, 2014

Lecturer: “Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance Managing a Cyber Disaster: Cyber Insurance and Tools to Mitigate Losses and Liability 2014,” Practicing Law Institute CLE Webcast, July 8, 2014

Lecturer: “Cyber-Attacks: Insurance Coverage for Cyber Risks and Realities,” K&L Gates CLE Webinar, June 25, 2014 (Pittsburgh, PA)

Lecturer: “Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance,” Securedocs Webinar, June 12, 2014

Lecturer: “Cultivating Ethics: Mitigating Vulnerability to Cyber and Data Security Threats in Order to Maintain Client Confidentiality,” ALM Virtual LegalTech Webinar, May 15, 2014

Lecturer: “Insurance Coverage for Data Breaches and Privacy Violations: Are Your Corporate Clients Truly Protected?,” Strafford CLE Webinar, February 26, 2014

Lecturer: “Insurance Coverage For Cyber Security Breaches: Insurance Strategies For Managing Cyber Risk,” Law Seminars International TeleBriefing, October 25, 2013

Speaker: “What Your Company Needs to Know about Cybersecurity,” K&L Gates Webinar, June 6, 2013 (Pittsburgh, PA)


Interviews/Media Quotes

“Obama again proposes federal cybersecurity rules for consumers, businesses,” Pittsburgh Tribune-Review, January 13, 2015

“Sony Hack Shows Need For Cyber Coverage On Many Fronts,” Law360, January 12, 2015

“The Sony Breach Carries Broad Implications Surrounding National Security,” Forbes, December 19, 2014

“Should Your Company Get Cybersecurity Insurance?,” Inc.com, December 17, 2014

“Federal Prosecutors In Pittsburgh Want To Tackle Hacking With Companies,” Pittsburgh Tribune-Review, December 9, 2014

“The Hidden Strategic Advantage in Cyber Insurance,” Jim McFarland for SecurityWeek, December 4, 2014

“Cybersecurity Experts Warn Pittsburgh Conference About Dangers Of Hacking,” Pittsburgh Tribune-Review, Nov. 17, 2014

“Cyber-Insurance Becomes Popular Among Smaller, Mid-Size Businesses,” The Washington Post, August 12, 2014

“Financial Institutions Warned On Cyber-Insurance,” COOConnect, October 8, 2014

“Insurers Flocking To Data Breach Exclusions In CGL Policies,” Law360, August 27, 2014

“Cybersecurity easing its way into M&A due diligence,” Advisen Cyber Risk Network, August 22, 2014

“Disruptors,” Fox Business News, August 20, 2014

“Specialized Cyber Insurance Becoming A Must For Many Cos.,” Law360, August 12, 2014

“Cyber Security Insurance Difficult for Business to Navigate,” The Huffington Post, August 4, 2014

“Third-party Vendor Contracts Must Reflect Data Risk,” Advisen Cyber Risk Network, May 30, 2014

“FTC Shines Data Security Badge After Wyndham Ruling,” Advisen Cyber Risk Network, April 14, 2014

“Cyber Insurance vs. General Liability,” The Huffington Post, April 10, 2014

“Cyber Threat: Aviation, Unmanned Risk,” Risk & Insurance, April 7, 2014

“No Right Way Or Right Time, But Data Breach Notification A Must,” Advisen Cyber Risk Network, April 4, 2014

"NIST Cybersecurity Framework Remains Potential Standard of Care, Lawyers Say," Vol. 34, No. 46, Communications Daily, March 10, 2014

“Policy Language Interpretation Favors Insurers in Sony Case,” Advisen Cyber Risk Network, March 7, 2014


“Sony Coverage Denial Could Be Boon For Cyber Insurers,” Law360, February 25, 2014

“Insurers prepare for implementation of new cyber liability exclusions,” Business Insurance, January 19, 2014

“Cyber policies a good deal, but choose carefully,” Healthcare Risk Management, Vol. 36, No. 1, January 2014

“Insurer tried to say CGL offered no breach coverage,” Healthcare Risk Management, Vol. 36, No. 1, January 2014

“Court says insurer liable for data breach expenses,” Healthcare Risk Management, Vol. 36, No. 1, January 2014

“Target credit card thefts a cue to review cyber coverage terms,” Advisen, December 23, 2013

“TalkingPoint: Managing Risk In The Chemicals Industry,” Financier Worldwide, December 2013

“CGL exclusions will fuel cyber purchase trend,” Advisen, November 18, 2013

“PA Ruling Favors Nuclear Insurers,” Business Insurance, December 6, 2002

PUBLICATIONS

“Cyber” Insurance

What to Consider When Buying Cyberinsurance, Risk Management Magazine, October 1, 2014

Retailers Face a Blizzard of Breaches: Are You Covered?, Insurance Coverage Alert, September 11, 2014, originally published in Law360, September 2, 2014

Why Buy Cyber and Privacy Liability Insurance, Insurance Thought Leadership, July 21, 2014

You Have a Perfectly Good CGL, So Why Buy Cyber and Privacy Liability Insurance?, Advisen Cyber Risk Network, July 15, 2014

Why Buy Cyber and Privacy Liability When You Have a Perfectly Good Commercial General Liability Program?, Advisen Risk Network, July 3, 2014

Does Your Cybersecurity Policy Cover Cyberterrorism?, Advisen Cyber Risk Network, June 5, 2014

Viruses, Trojans and Spyware, Oh My! The Yellow Brick Road to Coverage in the Land of Internet Oz, Tort Trial & Insurance Practice Law Journal, Vol. 49-2, May 2014

Coming To A CGL Policy Near You: Data Breach Exclusions, Law360, April 23, 2014

Does Your Insurance Cover a Data Breach? Don’t Be So Sure, The Security Advocate, April 21, 2014


Another Reason to Consider Cyber Insurance, Insurance Thought Leadership, April 3, 2014

Viruses, Trojans and Spyware, Oh My! The Yellow Brick Road to Coverage in the Land of Internet Oz, FC&S Legal, The Insurance Coverage Law Report, Part I (December 2013/January 2014), Part II (February 2014), Part III (March 2014), and Part IV (April 2014)

Coming Soon to a CGL Policy Near You: ISO’s New Data Breach Exclusions, Advisen Cyber Risk Network, March 21, 2014

How to Purchase Cyber Insurance, Insurance Thought Leadership, March 14, 2014

Five Reasons Why The Sony Data Breach Coverage Decision Is Wrong, Insurance Coverage Alert, March 10, 2014, originally published in Law360, February 28, 2014

Recall Decision Points Toward CGL Coverage For Data Breach, Advisen Cyber Risk Network, January 24, 2014

Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert, January 16, 2014, originally published in Law360, January 14, 2014

How to Purchase Cyber Insurance, FC&S Legal, The National Underwriter Company, January 2014

Top 10 Tips For Insuring Cyber Risks, The Risk Report, International Risk Management Institute, Inc. (IRMI), Volume XXXVI, No. 4, December 2013

Recent California Decision Upholds Data Breach Coverage, Commercial Disputes Alert, November 26, 2013

How to Secure Data Breach Coverage, FC&S Legal, The Insurance Coverage Law Information Center, November 26, 2013

Some Traditional Insurance Policies May Cover Data Breach, Law360, November 19, 2013

When Companies Need Cyber Insurance, Today’s General Counsel, October 25, 2013

Cyber Insurance - Selecting the Right Policy to Identify and Mitigate Risk, TMT Law Watch Blog, October 23, 2013, Legal Cloud Central Blog, October 25, 2013

How to Purchase “Cyber” Insurance, Insurance Coverage Alert, October 21, 2013

Recent California Decision Holds That Privacy / Data Breach Liability Covered Under “Traditional” Insurance Policy, Insurance Coverage Alert, October 18, 2013

How to Purchase “Cyber” Insurance, FC&S Legal, The Insurance Coverage Law Information Center, October 17, 2013

ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider "Cyber" Insurance, Law360, September 26, 2013

Yet Another Reason To Consider Cyber Insurance, Law360, September 23, 2013

Extend Cyber Insurance Coverage To The Cloud, Today's General Counsel, July 10, 2013


Shine a Spotlight on Cyber "Cloud" Coverage, IRMI Update, Issue 297, July 10, 2013

Spotlight On Cyber "Cloud" Insurance Coverage, Legal Cloud Central Blog, July 1, 2013

Insurance Coverage for Cyber Attacks, The Insurance Coverage Law Bulletin, Part 1, Volume 12, Number 4, May 2013, and Part 2, Volume 12, Number 5, June 2013

The Role of Insurance in the Land of Viruses, Trojans, and Spyware, Coverage, Volume 23, Number 1, January-February 2013

“Cyber-Attacks”: Important Insurance Coverage Considerations, Insurance Coverage Alert, June 30, 2011

Insurance Coverage for “Cyber-Losses,” 35 Tort & Ins. L. J. 891, Tort & Insurance Law Journal, Summer 2000

Companies May Be Covered For Business Interruption or Related Losses Resulting from “Hacker Attacks” and Other E-Commerce Risks, Insurance Coverage Bulletin, March 2000

Cybersecurity and Data Privacy

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, Global Boardroom Risk Solutions Newsletter, July 2014

3 Tips for Navigating Data Breaches, Insurance Thought Leadership, July 14, 2014

Tips For Navigating US And International Data Breaches, Law360, June 20, 2014

Cyber Challenges Under NIST’s Framework, Insurance Thought Leadership, April 21, 2014

FTC Has Power to Regulate Data Security Practices, Court Rules, TMT Law Watch Blog, April 17, 2014

Target Security Breach Could Be a Wake-up Call, Pittsburgh Post-Gazette, April 12, 2014

Cybersecurity: Five Tips on Disclosure Requirements, Insurance Thought Leadership, March 24, 2014

After Data Breach, The Best First Responder Is A Law Firm, Law360, Interview, March 13, 2014

NIST Unveils Cybersecurity Framework, Cybersecurity and Insurance Coverage Alert, February 17, 2014

Five Tips to Consider When Any Public Company Might be The Next Target, Cybersecurity Risk Factors Alert, February 11, 2014

5 Cybersecurity Considerations For Public Companies, Law360, February 10, 2014

Suffer a Data Breach? Your 1st Call Should Be to… a Lawyer, The Security Advocate, Interview, January 27, 2014

NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert, November 25, 2013


Shine a Spotlight on Cyber "Cloud" Coverage, IRMI Update, Issue 297, July 10, 2013

Policy Matters: Insurance Facts of Life Every IT Leader Should Know, Best Practices In IT Leadership, October 2000

Directors and Officers Liability Insurance

U.S. Bank v. Indian Harbor: Insurers Face Another Restitution/Disgorgement Setback, Insurance Coverage Alert, September 11, 2014

Your D&O Insurance Policy Post-Halliburton, Insurance Coverage Alert, July 28, 2014

Your D&O Insurance Policy Post-Halliburton, Law360, July 25, 2014

Halliburton II: Supreme Court Upholds Fraud on the Market Presumption, but Gives Securities Defendants a Fighting Chance at Defeating Class Certification, Securities and Transactional Litigation Alert, July 7, 2014

Basic fraud-on-the-market presumption survives Halliburton, Advisen Risk Network, July 1, 2014

Untimely Notice Under a Claims-Made Policy, The Insurance Coverage Law Bulletin, Vol. 8, No. 5, June 2009

A Timely Lesson From The WorldCom And Enron Settlements: Make Sure Your D&O Program Is Adequate, Insurance Coverage Alert, January 2005

Insurance Coverage for Investigations and Demands of State Attorneys General, Insurance Coverage Alert, September 2005

Insurance Coverage For Inside Corporate Counsel: A Topic Of Increasing Interest, Insurance Coverage Alert, April 2004

Expanding Risk: Directors’ and Officers’ Coverage is Shrinking Just When People Need It Most, Legal Times, Vol. XXVI, No. 7, February 17, 2003

Business Interruption Insurance

The Calm Before the Storm Is the Time to Consider Insurance Coverage, The Insurance Coverage Law Bulletin, Part I, Volume 12, Number 12, January 2014, and Part 2, Volume 12, Number 13, February 2014

Recent Developments in a Post-Sandy World, Recent Developments in Insurance Coverage Litigation, 49 Tort Trial & Ins. Prac. L.J. 271, Fall 2013

Key Insurance Coverage Considerations in the Wake of Superstorm Sandy, The Insurance Coverage Law Bulletin, Volume 11, Number 12, January 2013

The Calm Before a Storm of Claims: Identifying and Preserving Insurance Coverage for Hurricane Irene-Related Losses, The Insurance Coverage Law Bulletin, Volume 10, Number 9, October 2011


Recent Developments in Insurance Coverage Litigation, 47 Tort Trial & Ins. Prac. L.J. 297, Tort Trial & Insurance Practice Law Journal, Fall 2011

Losses from Hurricane Irene: Are You Covered?, Insurance Coverage Alert, August 30, 2011

Disaster in Japan: Worldwide Insurance Coverage Considerations, Insurance Coverage Alert, March 16, 2011

Potential Business Interruption Coverage: July 18, 2007 Manhattan Steam Pipe Explosion, Insurance Coverage Alert, August 31, 2007

Companies May Be Covered For Business Interruption or Related Losses Resulting from “Hacker Attacks” and Other E-Commerce Risks, Insurance Coverage Bulletin, March 2000

Commercial General Liability Insurance

Texas Supreme Court Holds “Contractual Liability” Exclusion Inapplicable, Insurance Coverage Alert, January 21, 2014

Texas High Court Fortunately Says 'No' In Ewing, Law360, January 17, 2014

Leading Coverage Lawyers: The Most Significant Insurance Coverage Decisions Of 2013, Coverage Opinions, Vol. 3, Issue 1, January 8, 2014

Late Notice Decision Favors Policyholders, The Insurance Coverage Law Bulletin, Vol. 7, No. 1, February 2008

Decision Favors Policyholders Asserting Construction Defect Claims, The Insurance Coverage Law Bulletin, Vol. 6, No. 10, November 2007

Recent Pennsylvania Legislative And Judicial Developments Favor Policyholders Asserting Statutory And Common Law Bad Faith Claims, Mealey’s Litigation Report: Insurance Bad Faith, November 2007

The Emergence of Prejudice As a Necessary Element of an Insurer’s Late Notice Defense: An Analysis of NY Law, The Insurance Coverage Law Bulletin, Vol. 6, No. 7, August 2007

NY Decision Favors Policyholders Seeking Coverage for Unresolved Asbestos-Related Liabilities, The Insurance Coverage Law Bulletin, Vol. 6, No. 5, June 2007

Pennsylvania Supreme Court Rules On Assignments, The Insurance Coverage Law Bulletin, Vol. 6, No. 1, February 2007

Insurance Coverage For Silica Claims, Silica Legal News Report, Vol. 1, No. 1, July 2005

Insurance Coverage For Silica Claims, The Insurance Coverage Law Bulletin, Vol. 3, No. 7, August 2004

Insurance Coverage For Mandolidis-Type Claims, Insurance Coverage Update, February 2003

Insurance Coverage for Natural Resource Damages, Insurance Coverage Alert, January 2003


Terrorism Risk Insurance Act of 2002, Insurance Coverage Alert, December 2002

Lititz Mutual Insurance Co. v. Steely. Pennsylvania Supreme Court Takes a Second Look at the Absolute Pollution Exclusion, Journal of Insurance Coverage, Summer 2002

The Absolute Pollution Exclusion in Pennsylvania Post-Madison: Intermediate Appellate Courts Resume the Debate, Journal of Insurance Coverage, Autumn 2001

Pennsylvania High Court Hands Down Long-Awaited Sunbeam Decision, Insurance Coverage Alert, October 2001

California High Court Hands Down Two Pro-Insurer Split Decisions on Environmental Coverage Issues: Foster-Gardner, Inc. v. National Union Fire Insurance Co. and Aydin Corp. v. First State Insurance Co., Journal of Insurance Coverage, Winter 1999

Additional Insured Issues

Wrap Your Head Around ISO's Additional Insured Revisions, Insurance Coverage Alert, July 16, 2013, originally published in Law360, June 14, 2013

Determining the Scope of “Additional Insured” Coverage: Recent ISO CGL Insurance Form Revisions Merit Close Attention By Contracting Parties, Insurance Coverage Alert, 9 May 2013

ISO's 2013 “Additional Insured” Endorsement Changes Merit Close Attention, Coverage, Vol. 23, No. 3, May-June 2013

International Arbitration

The International Comparative Legal Guide to: International Arbitration: USA, Chapter 62 (2014), Chapter 64 (2013), Chapter 58 (2012), Chapter 51 (2012)

ICC To Unveil New Rules of Arbitration, Arbitration World, August 2011

The UAE's Proposed Federal Arbitration Law, Arbitration World, October 2010

Recent Developments Concerning Dubai Ruler’s Decree 57 of 2009, Arbitration World, May 2010

International Arbitration in the UAE and the Middle East Region: Recent Developments, Arbitration World, February 2010

Protocol of Enforcement Affords Reassurance on Enforcement of DIFC-LCIA Arbitral Awards and DIFC Judgments Beyond DIFC Boundaries, Arbitration World, October 2009

The London Market

Proposed Part VII Transfer of Liability on Lloyd’s Policies: Considerations for Lloyd’s Policyholders, Insurance Coverage Alert, May 22, 2009

Proposed Equitas Transaction with Berkshire Hathaway: What Does It Mean for Lloyd’s Policyholders?, Insurance Coverage Alert, January 2007


Threatened Equitas Insolvency: Is The Lloyd’s “Chain of Security” Really Secure?, Journal of Insurance Coverage, Summer 2002

Is it Still Possible to Litigate Against Lloyd’s in Federal Court?, 34 Tort & Ins. L. J. 1065, Tort & Insurance Law Journal, Summer 1999

Class Action Litigation

Utilizing Recent Case Law to Develop Effective Products Liability Class Action Strategies, Copyright 2011 Thomson Reuters/Aspatore, July 18, 2013

Utilizing Recent Case Law to Develop Effective Products Liability Class Action Strategies, Litigating Products Liability Class Actions, Chapter 1, Aspatore Books (Inside the Minds Series), November 2011

Other Publications

Federal Insurance Office Unveils Long-Awaited Modernization Report, Insurance Coverage Alert, December 17, 2013

TalkingPoint: Managing Risk In The Chemicals Industry, Financier Worldwide, December 2013

New York Appellate Court Clarifies Fidelity Bond "Direct Loss" Requirement, Insurance Coverage Alert, August 7, 2013

Recent Developments in Insurance Coverage, 48 Tort Trial & Ins. Prac. L.J. 285, Tort Trial & Insurance Practice Law Journal, Fall 2012

Recent Developments in Insurance Coverage Litigation, 47 Tort Trial & Ins. Prac. L.J. 297, Tort Trial & Insurance Practice Law Journal, Fall 2011

Recent Developments In Excess Insurance, Surplus Lines Insurance, And Reinsurance Law, 45 Tort Trial & Ins. Prac. L.J. 329, Tort & Insurance Practice Law Journal, Winter 2010

Recent Developments In Excess Insurance, Surplus Lines Insurance, and Reinsurance Law, 41 Tort Trial & Ins. Prac. L.J. 393, Tort & Insurance Practice Law Journal, Winter 2006

Upheaval in the Insurance Industry: Potential Implications for Policyholders, Practical Law Company Cross-Border, Vol. 1, No. 1, April-June 2005

Marsh Settles Spitzer Charges For $850 Million, Insurance Coverage Alert, February 2005

Insurance Industry Bid-Rigging/Steering Scheme Allegations Demand Policyholder Attention, Insurance Coverage Alert, October 2004

Proposed Life Insurance Employee Notification Act, Corporate Alert, February 2003

Terrorism Risk Insurance Act of 2002, Insurance Coverage Alert, December 2002


Bankruptcy Court Rules The Babcock & Wilcox Company Solvent At Time Of Asset Transfer, K&L Update, Spring 2002

Insurance Facts Businesses Should Know In The Wake of September 11, Journal of Investment Compliance, Vol. 2, No. 3, Winter 2002

PROFESSIONAL/CIVIC ACTIVITIES

United Way of Allegheny County

Tocqueville Committee (2012 to present)

Emerging Leaders Tocqueville Sub-Committee Tocqueville Committee (2013 to present)

Young Leaders Group (Member, 2000 to present; Committee Member, 2001; Co-Chair, 2002; Philanthropy Sub-Committee, 2006)

Women’s Leadership Council (Member, 2001 to present)

Campaign Cabinet (2002)

Allegheny Conference on Community Development (Athena Award Program Host Committee, 2004 to 2010)

Downtown Pittsburgh YMCA (Board of Management, 2004 to 2010; Advisory Committee, 2010 to present)

University of Pittsburgh School Of Law

Chancellor’s Circle

Law Fellows

Murray S. Love Mock Trial Competition Judge (2011 and 2012)

Alumni Reunion Class Representative (2008 and 2013)

American Bar Association

Section of Litigation

Tort and Insurance Practice Section

Allegheny County Bar Association (Civil Litigation Section)

Pennsylvania Bar Association (Civil Litigation Section)

ADMISSIONS

Pennsylvania

Supreme Court of Pennsylvania

U.S. Courts of Appeal for the Fifth and Tenth Circuits

U.S. District Court for the Western District of Pennsylvania


Numerous pro hac vice admissions in various state and federal courts

EDUCATION

J.D., University of Pittsburgh School of Law, 1998 (magna cum laude, Order of the Coif; Managing Editor, University of Pittsburgh Law Review, Faculty Award For Excellence In Legal Scholarship; CALI Excellence for the Future Award®)

B.A., Carnegie Mellon University, 1994 (cum laude)

REPRESENTATIVE EXPERIENCE

Insurance Coverage Litigation and Arbitration

Ms. Anderson has significant experience in complex commercial litigation with a substantial focus on the litigation, trial, appeal, arbitration and mediation of insurance coverage disputes. Representative matters include:

Briefed, argued and secured a precedent-setting victory on behalf of the policyholder in a landmark decision concerning insurance coverage for losses caused by a mechanical equipment failure. The suit successfully challenged the applicability of the standard-form “your work,” “your product,” product recall, and “impaired property” business risk exclusions typically contained in CGL policies. Reported in Risk & Insurance.

Briefed a precedent-setting victory on behalf of the policyholder in a landmark decision concerning insurance coverage for claims alleging injuries resulting from exposure to radioactive emissions from nuclear fuel processing facilities. Reported in Business Insurance.

Successfully represented a worldwide oil and gas exploration and production company regarding recovery under its Bermuda Form excess liability insurance policies in connection with underlying class action litigation alleging property damage relating to a Hurricane Katrina related crude oil spill at a refinery.

Successfully represented one of the four largest U.S. bank holding companies regarding recovery under its financial institution bonds/fidelity policies in connection with a substantial employee theft loss.

Successfully represented one of the largest U.S. diversified financial institutions regarding recovery under its vehicle residual value insurance policy. The case settled favorably on the eve of trial for a mid-nine figure recovery.

Successfully represented one of the world's three largest producers of aluminum regarding recovery under its general liability insurance policies in connection with underlying claims alleging property damage to boats and other seafaring vessels arising out of the distribution of an aluminum alloy.

Successfully represented a provider of health benefit plans regarding recovery under its excess loss mitigation insurance policies in connection with the settlement of underlying securities class action lawsuits. Following the initiation of litigation and mediation, the case settled favorably.

Successfully represented an energy-sector policyholder regarding recovery under its pollution insurance policy in connection with the remediation of a former nuclear fuel processing facility. Following the initiation of litigation and discovery, the case settled favorably.

Successfully represented a private equity investment firm regarding recovery under its professional liability insurance policy in connection with underlying litigation alleging breach of a merger agreement. Following the initiation of New York-seated arbitration proceedings, discovery and successful briefing on disputed coverage issues, the case settled favorably.

Successfully represented a group self-insurance fund policyholder regarding recovery under its crime/fiduciary policy in connection with a substantial employee theft loss. Following the initiation of litigation, discovery and successful briefing on disputed issues, the case settled favorably.

Insurance Coverage Counseling

Ms. Anderson has counseled policyholders in connection with a wide range of insurance issues and disputes arising under almost every kind of business insurance policy, including under “cyber”/privacy policies in connection with the largest data breaches to date. A list of representative matters is available on request.

Insurance Coverage Due Diligence

Ms. Anderson has performed insurance due diligence for clients contemplating mergers and acquisitions concerning the adequacy of the target companies’ insurance programs. Representative matters include:

Counseled an energy-sector client in assessing key coverage terms and conditions, including sufficiency of limits, of a target company’s nuclear, pollution legal liability, commercial general liability and property insurance policies prior to acquisition.

Counseled a non-profit client in assessing key coverage terms and conditions, including change-in-control, anti-assignment, cancellation provisions, and extended reporting and tail coverage options, of a target’s commercial general liability, D&O, E&O, professional liability and workers’ compensation/employers’ liability policies prior to merger.

Insurance Coverage Negotiation and Placement

Ms. Anderson has counseled clients on complex underwriting and risk management issues, including the drafting and negotiation of D&O, E&O, data privacy and “cyber”-liability, and other insurance policy and blended program placements. Representative matters include:


Represented the world’s largest global and telecommunications company in structuring and negotiating the terms of its technology E&O, cybersecurity and data privacy and D&O insurance programs, with unprecedented market capacity

Represented one of the world’s four largest media conglomerates in structuring and negotiating the terms of its D&O insurance program

Represented a Fortune 100 multinational financial services corporation in assessing and negotiating the terms of its cybersecurity and data privacy insurance program

Represented one of the five largest U.S. banks in structuring and negotiating the terms of its cybersecurity and data privacy insurance program

Represented the world’s largest private operator of health care facilities in assessing and negotiating the terms of its technology E&O, cybersecurity and data privacy insurance program

Represented a Fortune 500 retailer in assessing and negotiating the terms of its technology E&O, cybersecurity and data privacy and D&O insurance programs


Matthew G. Ball Partner

San Francisco T 415.882.1014 F [email protected]

OVERVIEW Mr. Ball is a litigation partner and business trial lawyer in K&L Gates’ San Francisco office. Mr. Ball concentrates his practice on class action defense and strategic commercial litigation for consumer-focused industries, such as homebuilding, consumer financial services, makers of food, dietary supplements, and homeopathic remedies, as well as makers of other consumer products. He also represents employers in wage and hour class actions, and plaintiffs and defendants in complex commercial and intellectual property litigation.

At times “strategic litigation” means finding the “silver bullet” argument that leads to a win on summary judgment, or to the defeat of class certification, or persuading the other side that a favorable settlement is in their best interests. Other times, when necessary, it means trying a case successfully to verdict. Mr. Ball has extensive experience in all types of legal problem-solving in federal and state courts, as well as alternative dispute resolution settings.

Mr. Ball has been named a California “Super Lawyer” for 2010-2013, and has been peer rated in the Martindale Hubbell directory as AV® Preeminent™, the highest rating in ethical standards and legal ability.

PROFESSIONAL BACKGROUND Mr. Ball served as judicial clerk for the Honorable Robert E. Coyle, United States District Judge for the Eastern District of California, from 1997 to 1998.

PRESENTATIONS • “Preventative Medicine: Limiting Your Exposure to the Consumer Protection Lawsuit Before It Happens,” A Roundtable Discussion for the Dietary Supplements Industry

• “Private Attorney General” Actions Under California’s Unfair Competition Law: What Every Lawyer Should Know

• “Expert Witnesses: How to Help Attorneys Get the Most Out of Your Retention, Credibility Pitfalls”

• “2006 Class Action & UCL Conference”

PUBLICATIONS • “Comcast v. Behrend: New Opportunities for Class Action Defendants?” K&L Gates Commercial Disputes Alert, April 18, 2013


• “The Expansion of Potential Class Size (and Exposure) Under Aryeh v. Canon Business Solutions, Inc.” K&L Gates Class Action Litigation Defense Alert, January 31, 2013

• "Construction workers' suit knocked down", The Recorder, April 6, 2010. The article describes a summary judgment victory on behalf of Toll Bros., Inc. against a putative class of framers who had sued Toll under Section 2810 of the California Labor Code.

• Co-edited the 50-state treatise, State Class Actions: Practice and Procedure, with Todd L. Nunn and Irene C. Freidel (Wolters Kluwer 2010). Co-wrote the California chapter of that treatise.

• “Unfair Competition Law Update: A look at 2005,” Civil Litigation Reporter, April 2006

• “The Ephedra Verdicts: What Do They Mean?,” Nutrition Industry Executive, March 2005

• “Low-Carb Lawsuits, California litigation risks await America's newest diet craze,” Nutritional Outlook, September 2004

• “Court insists that class actions actually be beneficial,” Los Angeles Daily Journal, March 15, 2004

• “Make Them Prove It: Strategies for Makers and Sellers of Dietary Supplements Facing Private Attorney General Claims Brought Under California’s Unfair Competition Law,” Natural Products Industry Insider, September 24, 2003

• “Consumer Justice Center v. Olympian Labs: A Presumption Against Preemption,” FDLI Update, May/June 2003

• “Three New Cases Assist with Defense of Section 17200 Suits,” San Francisco Daily Journal, April 15, 2003

• “Cruz v. PacifiCare Health Systems: The California Supreme Court’s Decision on Section 17200 Arbitration has Something for Everyone to Dislike,” K&LNG California Litigation Alert, July 1, 2003

• “California Legislators Introduce a Plethora of Proposed Amendments to the Unfair Competition Law (B&P §§ 17200, et seq.),” K&LNG California Litigation Alert, April 2003

• “California Legislature to Amend the Unfair Competition Law (B&P §§ 17200, et seq.) in Wake of Publicized Private Attorney General Abuses,” K&LNG California Litigation Alert, January 2003

• “Large and Small Business Owners Take Note: Private Attorney General Actions Under California’s Unfair Competition Law,” K&LNG California Litigation Alert, September 2002

ADMISSIONS • California

• All California State Courts

• U.S. Court of Appeals for the Third and Ninth Circuits

• U.S. District Court for the Central, Southern, Northern, and Eastern Districts of California


EDUCATION J.D., Hastings College of the Law, 1997 (magna cum laude; Thurston Society; Order of the Coif)

B.S., University of California Los Angeles, 1992 (magna cum laude; Phi Beta Kappa)

REPRESENTATIVE WORK Mr. Ball’s representative engagements, which he led or handled as a key member of the team include:

Business Trials • Defeated 97% of plaintiff’s damage claims as part of a three-person trial team in federal jury trial alleging breach of contract to pay finder’s fee.

• Obtained finding of no liability on behalf of large industrial manufacturer as part of a four-person trial team in state court bench trial lasting more than six months where plaintiff sought a joint and several award of damages exceeding $150 million for alleged groundwater contamination.

• Won federal jury trial on behalf of financial advisor alleging nonpayment of various fees.

• Won a complete defense verdict in four-month state jury trial as part of three-person trial team on behalf of an investment banker and financial advisor; the amount claimed was in the nine-figure range.

Published Decisions • Castillo v. Toll Bros., Inc., 197 Cal. App. 4th 1172 (2011).

Consumer Litigation and Class Actions • Defeated putative class action against homebuilder on summary judgment alleging violation of California Labor Code laws.

• Obtained favorable settlement for the Board of Directors of a large timeshare organization in complex derivative lawsuit.

• Won motion to dismiss on behalf of broker-dealer subsidiary of large bank in putative class action involving mutual fund breakpoint discounts.

• Settled putative class action on a favorable, non-class basis on behalf of game console and game manufacturer after motion to dismiss filed.

• Obtained numerous favorable pre-filing settlements in putative class actions threatened against makers of foods, homeopathic remedies, and dietary supplements.

• Prevented a California regulatory agency from enforcing laws preempted by federal statute against a mortgage lender by obtaining a favorable preemption ruling from a federal court.

• Defeated class certification in a consumer class action alleging that a large insurer engaged in improper collision repair claims practices.


Other Commercial Litigation • Defeated a federal court action against a software company that alleged entitlement to a substantial amount of stock options.

• Unraveled a complex Southern California land fraud scheme to achieve a favorable settlement for a foreign bank who sought to recover money on behalf of its depositors.

Intellectual Property Litigation • Obtained summary judgment for venture capital funds and one of the funds’ principals in a case alleging misappropriation of trade secrets.

• Won a six-figure award of attorneys’ fees for venture capital funds and one of the funds’ principals in a trade secret case, after establishing that the trade secret case had been maintained in bad faith.

• Achieved a favorable “courthouse steps” settlement in a Lanham Act case on behalf of a grower, wholesaler, and retailer of a specialty agricultural product.


Andrew C. Glass Partner

Boston T 617.261.3107 F 617.261.3175 [email protected]

OVERVIEW Mr. Glass is a partner resident in K&L Gates’ Boston office, and a member of the firm's Class Action Litigation Defense group, with extensive experience in complex commercial litigation.

Mr. Glass's practice focuses on the defense of federal and state class action and government enforcement litigation for mobile wireless and consumer services companies. These actions concern disputes arising under the federal Communications Act, including the Telephone Consumer Protection Act, state unfair and deceptive acts and practices statutes, and common law claims, including actions involving alleged data breach events and alleged unauthorized use of private personal information, state tax billing disputes, misrepresentation claims, contract disputes concerning the assessment of surcharges and fees.

Mr. Glass's practice further focuses on the defense of federal and state class action litigation brought against consumer financial services, mortgage lending, and consumer credit institutions. These class actions concern challenges under federal statutes, including the Fair Housing Act, Equal Credit Opportunity Act, Fair Credit Reporting Act, Real Estate Settlement Procedures Act, Truth in Lending Act, and Racketeer Influenced and Corrupt Organizations Act, state unfair and deceptive acts and practices statutes, and common law claims. He also represents consumer financial services institutions in government enforcement proceedings and individual litigation matters.

Mr. Glass has litigated a wide variety of securities law matters and complex commercial disputes, including contract, products liability, and civil rights matters.

Mr. Glass is actively involved in the management of cases before federal and state courts throughout the United States, including California, Florida, Georgia, Illinois, Kansas, Massachusetts, Michigan, Mississippi, New Hampshire, Nevada, New York, Ohio, Oregon, Pennsylvania, Texas, the U.S. Virgin Islands, Virginia, and Washington State. His trial experience includes jury and jury-waived cases brought in federal and state courts as well as in arbitration facilities. Mr. Glass has prepared briefs for the United States Supreme Court as well as for the First, Second, Seventh, Ninth, and Eleventh Circuit Courts of Appeal. He has argued before the Ninth Circuit Court of Appeals.

PROFESSIONAL BACKGROUND Before joining K&L Gates in 1998, Mr. Glass served as law clerk to Chief Judge Paul J. Barbadoro of the United States District Court for the District of New Hampshire. Before attending law school, Mr. Glass trained as an architect. At K&L Gates, Mr. Glass is active in providing pro bono legal representation and is the pro bono coordinator for K&L Gates’ Boston office.

PROFESSIONAL/CIVIC ACTIVITIES • American Bar Association (Litigation Section; Business Law Section)

• Boston Bar Association

• Lawyers’ Committee for Civil Rights under Law

PRESENTATIONS • Telemarketing and the Telephone Consumer Protection Act—Avoiding Traps and Minimizing Risk, K&L Gates Webinar, October 2, 2014

• Mortgage Bankers Association Legal Issues Conference, Litigation Forum on Fair Lending, San Diego, CA, May 4, 2014

• Emerging Legal Challenges in Residential Real Estate Litigation and the Implications for Commercial Real Estate, K&L Gates Program, December 17, 2013

• K&L Gates/Ernst & Young Fair and Responsible Banking and UDAAP Strategies Symposium, May 9, 2013

• HUD Disparate Impact Rule – Understanding the Fair Housing Act’s Discriminatory Effects Standard, K&L Gates Webinar, March 7, 2013

• Unfair, Deceptive and Abusive Acts and Practices: Understanding the Standards and Avoiding Risk, K&L Gates Webinar, November 15, 2012

• Arbitration Nation, K&L Gates Program, November 9, 2012

RECENT PUBLICATIONS • Mortgage Lenders File Brief with Supreme Court Arguing That Fair Housing Act Does Not Support Disparate-Impact Claims, U.S. Consumer Financial Services Alert, by Paul F. Hancock, Andrew C. Glass, Roger L. Smerage, and Olivia Kelman, December 1, 2014

• Arbitration Provision Unenforceable in TCPA Class Action, Ninth Circuit Holds, K&L Gates Blog, by Andrew Glass and Roger Smerage, November 20, 2014

• Eleventh Circuit Bolsters FCC Interpretation of “Prior Express Consent” under the TCPA, K&L Gates Blog, by Gregory N. Blase, Andrew C. Glass, Samantha A. Miko, November 14, 2014

• U.S. District Court Strikes Down HUD’s Fair Housing Act Disparate Impact Rule, K&L Gates Blog, by Paul F. Hancock, Andrew C. Glass, Roger L. Smerage, and Olivia Kelman, November 4, 2014

• Is the Third Time the Charm? The Supreme Court to Again Consider Whether the Fair Housing Act Recognizes a Disparate Impact Theory of Liability, U.S. Consumer Financial Services Alert, by Paul F. Hancock, Andrew C. Glass, Roger L. Smerage, and Olivia Kelman, October 7, 2014

• It’s a Whole New Game in Opalinski v. Robert Half International, Inc. – Third Circuit Rules That Courts Decide the Availability of Classwide Arbitration, Commercial Disputes Alert, by Andrew C. Glass, Roger L. Smerage, and Eric W. Lee, August 15, 2014

• Supreme Court Will Not Review Sixth Circuit Ruling That Courts Decide the Availability of Classwide Arbitration, Commercial Disputes Alert, by Andrew C. Glass and Roger L. Smerage, June 11, 2014

• Eleventh Circuit Construes ‘Called Party’ Consent Provision of TCPA, K&L Gates Blog, April 22, 2014

• Penmanship Lesson: Technical Defects in Massachusetts Pre-foreclosure Letters Not Grounds For Voiding Foreclosures, K&L Gates Financial Institutions and Services Litigation Alert, March 27, 2014

• Township of Mount Holly: The United States Supreme Court Considers Whether the Fair Housing Act Recognizes Disparate-Impact Liability, K&L Gates Consumer Financial Services Alert, September 4, 2013

• Solicitor General Urges Supreme Court to Reject Mt. Holly Case; Argues No Review is Needed as to Whether the Fair Housing Act Recognizes Disparate Impact Claims, K&L Gates Blog, May 22, 2013

• HUD Proposal Would Impose “Disparate Impact” Regulation on Property Insurance, Washington Legal Foundation, Legal Backgrounder, Vol. 27 No. 11, by Paul F. Hancock, Andrew C. Glass, and Roger Smerage. June 8, 2012

• It Takes Two to Tango: The Supreme Court Rejects Unilateral Liability under Section 8(b) of RESPA, Consumer Financial Services Alert, by Phillip L. Schulman, Andrew C. Glass, Holly Spencer Bunting, Roger L. Smerage. June 7, 2012

• HUD Proposal Would Impose Disparate-Impact Approach, National Mortgage News, by Andrew C. Glass, Paul F. Hancock, Melanie H. Brody, and Roger L. Smerage. May 4, 2012

• Mortgage Industry Submits Comments on HUD’s Proposed Disparate-Impact Rule under the Fair Housing Act, Consumer Financial Services Alert, by Paul F. Hancock, Andrew C. Glass, Melanie Hibbs Brody, Roger L. Smerage, Melissa S. Malpass, Gregory N. Blase. February 1, 2012

• Supreme Court Brief Filed on Behalf of Mortgage Lenders, Consumer Financial Services Alert, by Paul F. Hancock, Andrew C. Glass, Melanie Hibbs Brody, Melissa S. Malpass, Gregory N. Blase. January 5, 2012

• When Trying Title Becomes Trying: The Impact of Bevilacqua v. Rodriguez on Massachusetts Foreclosure Law, Mortgage Banking & Consumer Financial Products Alert, by R. Bruce Allensworth, Andrew C. Glass, Roger L. Smerage. November 2, 2011

• No More Split Decisions: The Supreme Court Grants Certiorari to Address What it Means to Split Charges under RESPA Section 8(b), Mortgage Banking & Consumer Financial Products Alert, by Phillip L. Schulman, Andrew C. Glass, Roger L. Smerage. October 24, 2011.

• No Pain Relief in Smith v. Bayer Corporation: the Supreme Court Rules on When a Federal Court Class Certification Denial Bars a Similar State Court Action. Commercial Disputes – Class Action Defense Alert, by R. B. Allensworth, Andrew C. Glass, Ryan M. Tosi. September 22, 2011.

• “Everything Old Is New Again”: Following the Concepcion Decision, New Motions to Compel Individual Arbitration Are Granted in Old Class Actions, Mortgage Banking & Consumer Financial Products Alert, by R. Bruce Allensworth, Andrew C. Glass, Roger L. Smerage. August 31, 2011

• Wal-Mart Stores, Inc. v. Dukes: The Supreme Court Reins In Expansive Class Actions, Mortgage Banking & Consumer Financial Products Alert, by R. Bruce Allensworth, Andrew C. Glass, Robert W. Sparkes, III. July 18, 2011.

• “Waive of Change:” Class Arbitration in the Aftermath of the Supreme Court’s Decision in AT&T Mobility LLC v. Concepcion, Mortgage Banking & Consumer Financial Products Alert, by R. Bruce Allensworth, Andrew C. Glass, Robert W. Sparkes, III. May 11, 2011.

• Disparate Impasse in Fair Lending Case – Barrett v. H&R Block Class Certification Decision at Odds With Supreme Court Precedent, Mortgage Banking & Consumer Financial Products Alert, by Paul F. Hancock, R. Bruce Allensworth, Melanie H. Brody, Andrew C. Glass, David G. McDonough, Jr. April 14, 2011.

• “The Reports of My Death are Greatly Exaggerated”: Foreclosures in Massachusetts Following the Supreme Judicial Court Decision in Ibanez. Mortgage Banking & Consumer Financial Products Alert, by R. B. Allensworth, Phoebe S. Winder, Andrew C. Glass, Robert W. Sparkes, III. January 12, 2011.

• Trust But Verify: Claim That New York Trust Law Voids Mortgage Transfers Does Not Survive Legal Scrutiny, Mortgage Banking & Consumer Financial Products Alert, by Laurence E. Platt, Phoebe S. Winder, Andrew C. Glass. December 22, 2010.

• In the Wake of Stolt-Nielsen: The Supreme Court Dives into Multiple Arbitration-Related Cases, U.S.-Mexico Bar Association Newsletter, by Andrew C. Glass, David Coale, Robert W. Sparkes, III, Roger L. Smerage. July/August 2010.

• Double Vision: The Eleventh Circuit Requires Class Action Plaintiffs to Satisfy Both CAFA and Traditional Diversity Amount-in-Controversy Requirements, American Bar Association, Section of Litigation, Class Actions & Derivative Suits Committee, by Andrew C. Glass, Ryan M. Tosi. July 21, 2010.

• Class Arbitration Waivers: Silence Reigns In Stolt-Nielsen, But The Courts Have More To Say, Mortgage Banking & Consumer Financial Products Alert, by R. Bruce Allensworth, Andrew C. Glass, Robert W. Sparkes, III, Roger L. Smerage. June 15, 2010.

• Lind v. New Hope Property, LLC: No Hope for Implausible Claims under Iqbal, Mortgage Banking and Consumer Financial Products Alert, by R. Bruce Allensworth, Andrew C. Glass, Ryan M. Tosi, Nicole D. Newman. May 18, 2010.


• Recent Third Circuit Decision Explores Scope of CAFA’s Local Controversy Exception. Commercial Disputes – Class Action Defense Alert, by R. B. Allensworth, Andrew C. Glass, David D. Christensen. April 28, 2009.

• With Reasonable Probability: The First Circuit Defines Defendants’ CAFA Jurisdictional Burden. Commercial Disputes – Class Action Defense Alert, by R. B. Allensworth, Andrew C. Glass, David D. Christensen. March 17, 2009.

• Putting the Rigor in Rigorous: The Third Circuit Clarifies Plaintiffs’ Burden of Proof in Seeking Class Certification. Commercial Disputes — Class Action Defense Alert, by R. B. Allensworth, Andrew C. Glass, David D. Christensen. February 13, 2009.

• Eleventh Circuit Rejects Challenge to Optional Discounts under RESPA. Mortgage Banking and Consumer Credit Alert, by Phillip L. Schulman, R. B. Allensworth, Andrew C. Glass, David D. Christensen. November 17, 2008.

• Consumers Clog Courts with Codified Care Claims. Mortgage Banking & Consumer Credit Alert, by Laurence E. Platt, R. B. Allensworth, Phoebe Gallagher Winder, Andrew C. Glass, David D. Christensen. January 30, 2008.

• Recent Federal Court Decision Bolsters Growing Line of Cases Dismissing Class Action Claims for Alleged Identity Theft. Class Action Alert, by R. B. Allensworth, Andrew C. Glass, Ryan M. Tosi, David D. Christensen. July 26, 2007.

• Limiting Class Action Liability for Businesses. e-finance & payments law & policy by R. B. Allensworth, Andrew C. Glass, Ryan M. Tosi, David D. Christensen. July 2007.

• Andrew C. Glass & Albert S. Lee, Comment, “The Validity of Arbitral Awards of Punitive Damages: Mastrobuono v. Shearson Lehman Hutton, Inc.,” Harvard Negotiation Law Review, 1996.

ADMISSIONS • Massachusetts

• Supreme Court of the United States

• United States Court of Appeals for the First Circuit

• United States Court of Appeals for the Ninth Circuit

• United States Court of Appeals for the Eleventh Circuit

• United States District Court for the District of Massachusetts

• United States District Court for the District of New Hampshire

EDUCATION J.D., Harvard Law School, 1997 (cum laude; Editor, Harvard Negotiation Law Review; Harvard Legal Aid Bureau)

M.Arch., Harvard University, 1992 (Department of Architecture; with honors – highest distinction)

A.B., Dartmouth College, 1988 (summa cum laude; Phi Beta Kappa)


Joseph C. Wylie II Partner

Chicago T 312.807.4439 F 312.827.8108 [email protected]

OVERVIEW Mr. Wylie’s practice focuses on commercial, securities, and consumer litigation. Mr. Wylie represents clients in defending against a wide range of individual and class-action consumer claims, including consumer fraud actions and claims brought under the Telephone Consumer Protection Act. Mr. Wylie also represents clients in business tort litigation, including lawsuits concerning enforcement of noncompetition and nonsolicitation agreements and misappropriation of trade secrets, breaches of commercial and employment contracts, and design and construction issues. Mr. Wylie represents clients involved in disputes concerning the management and control of limited partnerships, limited liability companies, and closely-held businesses, including lawsuits concerning alleged breaches of fiduciary duties.

PUBLICATIONS • “Proving and Defending Lost-Profits Claims,” ABA Section of Litigation, 2007 (co-author)

• “Using No-Reliance Clauses to Prevent Fraud-in-the-Inducement Claims,” Illinois Bar Journal, October 2004

PROFESSIONAL/CIVIC ACTIVITIES • Chicago Bar Association

• Illinois State Bar Association

• American Bar Association

ADMISSIONS • Illinois

• U.S. Court of Appeals for the Seventh Circuit

• U.S. Court of Appeals for the Third Circuit

• U.S. District Court for the Northern District of Illinois (including the Trial Bar)

• U.S. District Court for the Eastern District of Wisconsin

• U.S. District Court for the Western District of Wisconsin

• U.S. District Court for the Central District of Illinois

• U.S. District Court for the Northern District of Indiana


EDUCATION J.D., Georgetown University Law Center, 1999 (cum laude; Notes and Comments Editor, Georgetown Law Journal)

B.A., University of California, Berkeley, 1996

REPRESENTATIVE WORK • Representation of defendants in class actions brought under the Telephone Consumer Protection Act and providing regulatory advice to clients under that statute.

• Representation of a major procurement cooperative in a wide variety of litigation matters, including disputes with suppliers and employees.

• Representation of a consumer finance company against consumer claims and successful enforcement of class action waiver and binding arbitration clauses in consumer-finance contracts.

• Representation of both individuals and corporations in noncompete, nonsolicitation, and trade secret misappropriation litigation.

• Representation of registered investment advisors and other financial industry companies and individuals in proceedings brought by federal regulators and self-regulatory organizations including investigations by the Securities and Exchange Commission, the Commodity Futures Trading Commission, and FINRA.

• Representation of the developer of a 1,000-acre residential and commercial development in trial and appellate courts against efforts by a municipality to prevent the developer's proposed land use, resulting in an order securing the developer's land-use rights.

• Representation of the design-builder of an ethanol plant in an arbitration initiated by the plant's owner, resulting in the denial of the plant owner's claims and the recovery by the design-builder of significant unpaid amounts owed by the owner, in addition to recovery of substantial legal fees incurred in defending the arbitration.