Cyber Liability: What Are The Risks To My Business

Professional Liability Defense Federation Fifth Annual Meeting
September 18, 2014

The Westin Georgetown, Washington, DC

Richard J. Monahan, Head of XL Select Professional Claims

Jeremy Gittler, Assistant Vice President, XL Group

Kenneth M. Labbate, Partner, Mound Cotton Wollan & Greengrass

Two Types of Companies in Today’s Market

• Those who have been breached and know it
• And . . .
• Those who have been breached and just haven’t figured it out yet!

• All businesses are exposed
  – A single exposure can result in:
    • corporate embarrassment;
    • PR headaches;
    • loss of business;
    • interruption of operations;
    • litigation;
    • potential liability to others;
    • regulatory and government investigations;
    • significant costs and expenses; and
    • significant loss of revenue

• Currently, 95% of data breaches are caused by a combination of:
  • Hacktivists
  • Employees
  • Loss/Theft of Equipment
  • Malware/Viruses

Data Breach Risks

Factors Driving Exposure

• More data is stored electronically now than ever before, and the trend is towards “paperless”

• The “Human Element” continues to have an impact – genius can be used for good or evil!

Verizon 2014 Data Breach Report

• Breaches between 2004 and 2013 analyzed
• 63,437 confirmed security incidents (a security event that compromises the integrity, confidentiality or availability of an information asset)
• 1,367 confirmed data breaches (an incident that results in disclosure or potential exposure of data)
• In 2013, there were 243 security incidents with a confirmed data loss by the victim industry involving an organization with fewer than 1,000 employees. There were 144 incidents with a confirmed data loss at organizations with more than 1,000 employees.
• Estimated cost per breach: $3.5 million (see Ponemon Institute, 2014 Cost of Data Breach: Global Analysis)

Laws, Regulations and Guidelines

Laws and Regulations requiring data protection measures

• Individual State Laws: most states have enacted data breach notification laws
  – California’s Song-Beverly Act
    • restricts businesses from requesting personal identification information (“PII”) as a condition of accepting credit card payments.
  – Massachusetts Written Information Security Program (“WISP”)
    • requires the development, implementation, maintenance, and monitoring of a WISP applicable to all records containing the personal information of Massachusetts residents.
  – Delaware recently enacted legislation similar to that of Massachusetts, which may have broad implications based upon the number of companies incorporated under Delaware law

• Breach notification laws are presently state by state. There is no federal law that provides a “standard”, “generally accepted” response.

• Result? “Chaos”

Laws and Regulations require data protection measures

• Many laws require that businesses adopt “reasonable, appropriate, and necessary” measures to protect the confidentiality, integrity, and availability of data, while also avoiding unauthorized access, disclosure, or alteration of systems and data as well as accidental loss or destruction of such data.
  – But these laws do not tell companies what is meant by “reasonable, appropriate, and necessary.”

Cyber Information Sharing Act (CISA)

• In July 2014, the U.S. Senate Committee on Intelligence approved CISA (formerly CISPA, which failed to pass the Senate)

• Aims to prevent cyberattacks in the private sector.
• Provides liability protection to the private sector to promote voluntary real-time data sharing between companies and the federal government.

• Increases data sharing from federal government to private sector to give companies information that could aid them in investigating cyberattacks and securing computer systems.

• Authorizes private sector, with customer consent, to implement computer monitoring and other cyberattack countermeasures.

National Cybersecurity and Critical Infrastructure Protection Act

• On July 28, 2014, the House of Representatives approved the NCCIP.

• The NCCIP establishes a partnership between the Department of Homeland Security and the private sector to ensure the distribution of cyber threat information.

• In addition to passing the NCCIP, the House passed the Critical Infrastructure Research and Development Advancement Act and the Homeland Security Cybersecurity Boots-on-the-Ground Act.
  – The Critical Infrastructure Research and Development Advancement Act was passed to make certain improvements in the laws relating to the advancement of security technologies for critical infrastructure protection.
  – The Homeland Security Cybersecurity Boots-on-the-Ground Act was designed to recruit, hire, and train a cyber work force.

Safety Act 2002

• A subdivision of the Homeland Security Act of 2002
• The Support Anti-Terrorism by Fostering Effective Technologies Act of 2002, effective July 10, 2006.
• Provides incentives for development and deployment of anti-terrorist technologies.
• Secretary of the Department of Homeland Security in charge of “designations” and “certification” of “qualified anti-terrorist technology.”

Safety Act 2002

• If “designated”, entitled to:
  – exclusive federal court jurisdiction
  – limitation of liability to insurance proposed and accepted as reasonable for the technology submitted
  – prohibition on joint and several liability for non-economic damages
  – complete bar to punitive damages and pre-judgment interest
  – reduction of a plaintiff’s recovery by collateral sources received or eligible to be received

Safety Act 2002

• If “certified”, entitled to the further protection of the “government contractor defense” – federal preemption of liability for technology so certified

• While the Act contemplates immunity for products manufactured for federal government and non-federal government customers, courts are divided on the extent of immunity in non-federal government cases.

Safety Act 2002

• Examples:
  – Boeing – July 17, 2014 – Certification received for its aviation security services, which included “software and data” involved in the Boeing Security Program for deliveries destined for U.S. terminals
  – General Growth Properties – July 11, 2014 – Designation granted for a centralized corporate program designed to: (1) identify and promulgate security practices inclusive of anti-terrorism capabilities across GGP’s properties, (2) track and enforce compliance with those measures, and (3) develop and implement a program for responding to emergencies at GGP’s properties.
  – New Meadowlands Stadium – December 20, 2013 – Certified technology: an integrated security program composed of physical and electronic security measures, policies and procedures, and personnel, designed to detect, deter, prevent, respond to, and mitigate Acts of Terrorism for use exclusively at Met Life Stadium, inclusive of the Stadium and parking lots, during National Football League (“NFL”) Game Days, Non-Game Days, and Special Events.

• Can protection be relied upon if approved technology is breached?
• What about exposure presented by post-breach activities?

Risks

Risks Presented by the Internet

• 10 years ago, how much information was on the internet? Very little.
• Today, a massive amount of information
• How much more will be on the internet 10 years from now?
• Are employees permitted access to the internet at work? On company-supplied equipment?
• Are employees allowed to download material from the internet?
• Can they connect their personal mobile devices to the company network?

Lost/Stolen Devices

• Stolen or lost laptops with personal information of hundreds of thousands of patients

• Attorney who loses USB drive containing personal information and data of hundreds of class action clients

• All data stored on laptops and mobile devices should be encrypted

Example: Target Breach

• System was accessed through a contractor that connected remotely to the retailer’s system to do online billing.
• Personal data of as many as 110 million shoppers was stolen.
• Hackers target low-level victims to get credentials allowing them to access a bigger company’s network.
• However, since the Target breach story broke, businesses outside the information technology sector have been less likely to seek cyber liability insurance.
  • Before the Target breach, 9% of non-IT applicants requested cyber coverage.
  • Post Target breach, only 5% have.
  • The trend suggests that applicants are being misled by the fact that the media only reports large company hackings into believing that small businesses are less likely to be hacked.

Cloud Based Exposure – What Are the Risks

• Sharing space with others presents risks if a breach occurs
  – Corporate data could be lost, stolen or shared with others on the Cloud (competitors)

• Cloud service provider goes down or closes: what happens to your data? How do you retrieve it?

Risks to Professionals

• These service providers may maintain:
  – Client’s personal data
  – Social security numbers
  – Tax IDs
  – Medical records
  – Financial records
  – Tax records
  – Attorney-client privileged materials
  – Client confidential or proprietary data

Risk to Attorneys, Accountants, Other Professionals

• With tightening profit margins and increased cost of real estate rental, firms are pressured to turn to electronically stored data.

• Some risks include:
  – Data breach
  – Hackers
  – Careless disposal of records
  – Loss/theft of laptops and mobile devices
  – Misuse of internal controls
  – Picking up and transmitting malware from employees’ internet use

Risk to Attorneys, Accountants, Other Professionals

• Sensitive client data
• Is data storage covered within the definition of professional services?
• Can loss/theft of client data amount to malpractice?
• Is failure to maintain software updates a deviation from the requisite standard of care?

Cloud Based Storage of Client Documents – Risk to Attorney/Client Privilege

• Have you breached privilege? Attorney-client? Can the Cloud provider access your data? Is space on the Cloud shared space?

• Do you need to disclose to clients that confidential information will be stored in the Cloud?

Insurance Agents and Brokers – Additional Issues

• Exposure to insurance agents
  – Failure to advise
  – Scope of coverage
  – Coverage limits
  – Aggregate policy limits

• Agent must understand the client’s potential risk scenarios and have knowledge of the coverages available in the insurance market

D&O Exposure

• Can a cyber attack affect stock prices?
• Attacks themselves have become so commonplace that the initial attack appears to have little impact on stock prices

• But the effect of the attack, company response, and available insurance can affect stock prices

• Directors and officers need to be careful to identify risks and have in place and follow a plan to avoid exposing the company to D&O claims

D&O Exposure

• Relates to failure to take reasonable steps to prevent data breach

• Exposure also arises from post-breach handling of events. Exposure is aggravated by:
  – Failure to provide reasonable notice to clients/customers
  – Releasing statements that create a false sense of security.

Coverage

Types of Coverage Implicated

• Commercial General Liability
• Professional Liability
• Technology Errors & Omissions Liability
• Employment Practices Liability
• D&O and Executive Liability
• Cyber Liability

First Party Cyber Liability Exposure

• Data breach notice
• Credit monitoring
• Forensics
• Public relations
• Business interruption
• Call centers
• Restore/replace electronic data
• Hardware replacement/restoration
• Cyber extortion
• Regulatory fines and penalties

Contingent Business Interruption

• Contingent Business Interruption Coverage
  – Losses, including lost earnings, as a result of damage not to the insured’s own property but to the property of the insured’s supplier, customer or other business partner
    • For instance, a partner working through the cloud, and the cloud shuts down

Third Party Cyber Liability Exposure

• Coverage for suits by clients whose networks were compromised
• Website publishers face defamation, copyright infringement and privacy violation lawsuits
• Liability for not maintaining adequate security, which allows a virus to be transmitted

Cyber War

• Cyber War
  – Most policies exclude losses arising from war and cyber war
  – There are attacks on companies by bad actors in other countries, possibly sponsored by foreign governments
  – It is very difficult to prove that the act is a war-like act, making it difficult for insurers to deny claims
  – It is unclear how the insurance industry will respond, since it is not in the business of insuring against war-like acts

CGL Policies

• Operative provisions
  – “Personal and advertising injury”
  – Does a data breach constitute “publication” of information by the insured which violates the right to privacy?

Hartford v. Corcino

• Current industry standard-form CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury.”

• The key definition, “personal and advertising injury” is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

• The Hartford court upheld coverage in a data breach case under a policy that covered damages that the insured was “legally obligated to pay as damages because of . . . electronic publication of material that violates the right to privacy.”

No. 2:13-cv-3728, Minutes (in Chambers) Order Re: Motion to Dismiss (Cal. Central Dist. Oct. 7, 2013)

But see, e.g., Zurich v. Sony, No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014)

• Hackers attacked three networks operated by Sony for the benefit of Playstation owners. They stole the personal information of 100 million users, including financial information. Sony was sued in multiple actions for injury due to publication of personal information and failure to notify.

• Sony sought coverage under “personal and advertising injury coverage” for “oral and written publication.”

• The Zurich court held that Zurich did not need to cover the breach, because third-party hacking did not constitute “oral or written publication . . . of material that violates a person’s right of privacy” under the personal and advertising injury coverage of the CGL policy.

• Lessons learned from Sony:
  – Industry working to exclude exposure under CGL policies
  – Purchase cyber policies
  – Purchase sufficient limits – Sony had exhausted cyber coverage and was seeking additional coverage under CGL

The Bottom Line

• CGL coverage is unpredictable and is impacted by state law interpretation.

• Carriers and industry are pushing coverage into cyber policies and away from CGL.

• Businesses can no longer rely on traditional CGL policies to adequately protect their interests.

Cyber Security – Next Wave Concerns

• Started with the theft & possible disclosure of personal information

• Moving towards theft of confidential & proprietary information

• Traditional coverage is only the tip of the iceberg.

• We are moving rapidly towards becoming a paperless society, and the focus is shifting towards information that can be monetized.
  • Product designs/formulas
  • Terms and conditions of service contracts

Where are we going?

Challenge to Underwriters

• The risks are always increasing
  – Attackers are becoming more sophisticated
  – Companies are storing more information, and more valuable information, online
• Past data breaches do not necessarily predict future exposures