All's Fair in Love and Cyber Warfare

Presented by The National Underwriter Company, and brought to you by FC&S Legal:

Insurance coverage experts Anjali C. Das and Jerold Oshinsky provide a timely presentation on cyber liability insurance--offering practical tools and guidance on key insurance coverage issues.

Also included: The latest cyber policies—including a discussion of key policy provisions and leading cases that have interpreted the new policies.

Viewers will also find vital information on:
• Examples of the kinds of claims asserted for data breach and privacy
• Coverage under traditional policies: ISO Pre-2001 CGL; ISO Post-2001 CGL
• The evolution of case law for coverage under traditional policies
• Why corporate boards should pay attention to cyber risk, including statistics, D&O Exposure, and D&O Policies

Published in: Business, Technology

All's Fair in Love and Cyber Warfare

  1. Cosponsored by: PropertyCasualty360 and InsideCounsel. The seminar will begin promptly at 2pm EST. A recording of this session will be made available. FC&S Legal presents: ALL’S FAIR IN LOVE AND CYBER WARFARE. Brought to you by The National Underwriter Company, publishers of FC&S Legal © 2013. All Rights Reserved
  2. Featured Speakers
     • Anjali C. Das, Partner, Wilson Elser Moskowitz Edelman & Dicker, LLP (Chicago)
     • Jerold Oshinsky, Partner, Jenner & Block, LLP (Los Angeles)
  3. Cyberliability Overview
     • President’s Executive Order on Cybersecurity
     • What is a Data Breach?
     • Data Breach Statistics and Costs
     • Aggressive Government Enforcement (FTC)
     • Private Litigation in the News
     • SEC Disclosure Guidance
     • Boards Still Have Their Heads in the Sand
  4. Cyberliability
     • President Obama’s State of the Union Address (2/12/13)
     • Presidential Executive Order: Improving Critical Infrastructure Cybersecurity
     • Cyberthreats to U.S. critical infrastructure continue to grow
     • Cybersecurity information sharing between public and private sectors
     • Foreign government cyber espionage in the news
     • Growing political tensions between U.S. and China
     • Mandiant report
     • Victims include some of nation’s largest tech companies
  5. What Is a Data Breach?
     Organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information which can include private health information (PHI) and other personally identifiable information (PII) such as: (1) Social Security number; (2) Driver’s license number; or (3) Account, debit or credit card number along with a PIN or password to access the account.
  6. What Causes a Data Breach?
     • Hacking,
     • Employee theft,
     • Theft of physical equipment, or
     • Misrepresentation to obtain unauthorized access to data.
  7. Breach Statistics Vary but the Numbers Keep Climbing
     • 60 major data breaches (Q2) v. 49 major data breaches (Q3)
     • 4.4 million records compromised (Q2) v. 2.259 million (Q3)
     • Healthcare entities had the largest percent of breaches, followed by Government and Corporate
     • Avg. number of records per breach: 73,444 (Q2) v. 46,099 (Q3)
     • Leading causes of breach: theft (43%), hacking (27%)
     (Navigant November 2012 Data Breach Report Update)
  8. Increasing Costs of a Data Breach
     • Avg. total cost of a data breach in Q2 was $14.248 million
     • Avg. total cost of a data breach in Q3 was $8.943 million
     • Avg. total cost of data breach by sector:
       • Corporate: $8.88 million (Q2) v. $25.935 million (Q3)
       • Education: $17.67 million (Q2) v. $2.58 million (Q3)
       • Healthcare: $3.9 million (Q2) v. $2.68 million (Q3)
       • Government: $36.89 million (Q2) v. $15.21 million (Q3)
     (Navigant November 2012 Data Breach Report Update)
  9. FTC: The Nation’s Privacy Watchdog
     • FTC is dedicated to enforcing consumer privacy and ensuring that companies provide reasonable security for consumer data
     • FTC may bring an enforcement action against a company that fails to appropriately protect the consumer’s personal information
     • FTC may bring such actions under Section 5 of the FTC Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act
     • FTC has taken an aggressive stance on privacy and data breaches affecting consumers
  10. FTC: The Nation’s Privacy Watchdog
     • Facebook: Company settled charges by the FTC that Facebook deceived users to believe that their personal information would be kept private. The FTC settlement bars Facebook from making further deceptive privacy claims. In addition, Facebook was required to establish and maintain a comprehensive privacy program subject to audits for up to 20 years.
     • Google: Company agreed to pay a record $22.5 million civil penalty to settle FTC charges that Google misrepresented the use of tracking cookies on users’ computers.
  11. Data Breaches in the Headlines
     • Sony (70 million records)
     • Global Payments (1.5 million records)
     • eHarmony (1.5 million passwords)
     • LinkedIn (6.5 million passwords)
     • Texas AG’s Office (6.6 million records)
     And the list continues to grow . . . .
  12. Private Litigation: Sony Data Breach Litigation
     • Hackers attacked Sony’s PlayStation network and stole 70 million users’ account and credit card information
     • 58 class actions filed against Sony for violation of various consumer protection statutes and failing to comply with industry-standard protocols to safeguard customer information.
     • Sony reportedly incurred > $171 million to respond to the breach
     • Any settlements, damages, or judgments from the civil litigation would be on top of these costs
  13. Private Litigation: Sony Coverage Litigation
     • Sony is seeking coverage under its CGL and commercial umbrella policies for the hacking incident
     • Zurich Ins. Co. filed a declaratory judgment action seeking to avoid coverage under its CGL policy for the network breach on the basis that unauthorized access to and theft of personal identification and financial information are not claims for “bodily injury,” “property damage,” or “personal and advertising injury”
  14. SEC Sounds Off on Cyber Risks
     SEC Disclosure Guidance: Topic No. 2 – Cybersecurity. Disclosure of Cyber Risk Factors:
     1. Aspects of registrant’s business that give rise to material cyber risks and potential costs and consequences
     2. Outsourced functions that have material cyber risks
     3. Material cyber incidents experienced by the company, including costs and other consequences
     4. Risks related to cyber incidents that may remain undetected for an extended period
     5. Description of relevant insurance coverage
  15. Lack of Board Oversight of Cyber Risk
     • “Only a few executive officers understand security and the rest are clueless”
     • “Boards are not actively addressing cyber risk management”
     • 82% of companies surveyed did not have a Chief Privacy Officer
     • More than half of boards surveyed did not review their insurance policies for cyber risk coverage
     • On a global basis, North American boards lag behind their European and Asian counterparts with respect to privacy and security governance
  16. What Coverage Might Apply?
     • First- and third-party coverage
     • Pre-2001 Standard policies
     • Is there property damage?
     • Property damage requires injury to tangible property
     • Is computer damage tangible? Is virtual loss “tangible?”
     • Post-2001 ISO policy language covering technology liabilities
     • Coverage will depend on the facts of the claim and the policy language
  17. ISO Pre-2001 Policies
     Property damage has historically been defined in standard CGL policies as either:
     a) physical injury to tangible property, including all resulting loss of use of that property, or
     b) loss of use of tangible property that is not physically injured.
     Thus, the first question that needs to be addressed is whether the data breach or technology-related loss involves damage to “tangible property.” (ISO form CG 00 01 01 96, Commercial General Liability Form).
  18. ISO Post-2001 Policies
     In 2001, ISO amended the definition of “property damage” in the standard CGL policy (form CG 0001 10 01) to expressly state that “electronic data is not tangible property.” The term “electronic data” is further defined as:
     [I]nformation, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
  19. ISO Post-2001 Exclusion
     Then in 2004, ISO created a new exclusion for electronic data (ISO Form CG 00 01 12 04). Exclusion p states:
     p. Electronic Data: Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data. As used in this exclusion, electronic data means information, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and application software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
  20. Decisions Providing Coverage for Electronic Data
     The Texas Court of Appeals in Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W. 3d 16, 25-26 (Tex. App. 2003), held that the policyholder’s computer server, software, and data stored on the server were “physical” where a hacker invaded the computer system and installed a virus that rendered the server useless. The court avoided the abstract issue of whether electronic data and software can constitute “tangible property,” and instead focused on the language of the policy. It held that the policy covered lost data because “electronic media and records” were defined to include “data stored on such [electronic] media.” The loss of software was also covered because the policy offers coverage for replacing “prepackaged software programs.”
  21. Decisions Providing Coverage for Electronic Data
     Recently, a federal district court in Louisiana reached the conclusion that electronic data could “[make] physical things happen,” and was “corporeal and moveable in nature,” and therefore a loss of electronic data due to a hard drive malfunction was covered under the insured’s policy. Landmark Am. Ins. Co. v. Gulf Coast Analytical Labs., Inc., No. 10-809, 2012 WL 1094761, at *4 (M.D. La. Mar. 30, 2012). Additionally, a federal district court in Illinois found that the loss of electronic data did give rise to a property injury because the medium of storage (in this case, a CD) had been physically taken. Nationwide Ins. Co. v. Hentz, 2012 WL 734193, at *4 (S.D. Ill. Mar. 6, 2012).
  22. Decisions Providing Coverage for Electronic Data
     A federal district court in Arizona held that “physical loss or damage” in a first-party all-risk policy “is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” Am. Guar. & Liab. Ins. v. Ingram Micro, Inc., No. 99-185, 2000 WL 726789, at *3 (D. Ariz. 2000). In that case, three mainframe computers lost power due to an outage, causing the loss of data in the random access memory. Relying on federal and state computer fraud laws, the court interpreted “physical loss or damage” broadly and noted that “[a]t a time when computer technology dominates our professional as well as personal lives, the Court must side with Ingram’s broader definition of ‘physical damage.’” Id. at *2.
  23. Decisions Providing Coverage for Electronic Data
     • Relying on American Guaranty & Liability Insurance, and noting that “‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality,” a Tennessee federal court found that the business losses sustained by the plaintiff pharmacy as a result of corruption of programming information on a pharmacy computer constituted “direct physical loss of or damage to property.” See Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., Ltd., 439 F. Supp. 2d 831, 837-38 (W.D. Tenn. 2006).
     • That is, the court held that “‘physical damage’ could include loss of functionality even if the affected machinery remained intact.” Id.; see also Wakefern Food Corp. v. Liberty Mut. Fire Ins. Co., 968 A.2d 724, 736 (N.J. Super. Ct. App. Div. 2009). The Wakefern court went on, incidentally, to conclude that there was no reason to require that the damage to malfunctioning machinery be permanent, and that the definition of “physical damage” could be extended to include temporary loss of use. Id.; contra America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003) (noting that the temporary disordering of programmed data on a hard drive could be reoriented, and therefore, the “tangible” hardware could not be said to have been “damaged”).
  24. Decisions Providing Coverage for Electronic Data
     The Minnesota Court of Appeals in Retail Systems, Inc. v. CNA Ins. Co., 469 N.W. 2d 737 (Minn. Ct. App. 1991), held that a computer tape and electronic information in the tape were “tangible property” within the meaning of a third-party liability policy covering physical injury or destruction of tangible property. The plaintiff, a data processing consultant, developed computer programs and processed data for other companies. A third party gave the plaintiff a computer tape to process, but the tape was damaged. The third party then sued the plaintiff, who then sought coverage under his policy. The court held that the data on tape was of permanent value and was integrated completely with the physical property of the tape.
  25. Decisions Providing Coverage for Electronic Data
     In Computer Corner v. Fireman’s Fund Ins. Co., 46 P. 3d 1264, 1266 (N.M. Ct. App. 2002), a New Mexico Court of Appeals held that lost data on a hard drive “was physical, had an actual physical location, occupied space and was capable of being physically damaged or destroyed” and that the lost data was therefore covered under a CGL policy.
  26. Decisions Providing Coverage for Electronic Data
     The policy at issue in Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010) specifically defined “tangible property” to exclude “software, data or other information that [was] in electronic form.” Id. at 801. Construing this provision in light of America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003), the court held that the plaintiff’s allegations of direct injury to the operation of his computer were insufficient to allege damage to tangible property, and that he would instead have had to have alleged a claim for physical injury to the hardware itself. Id. However, the court also found that the loss of use of a computer (“tangible property”) due to data corruption constituted covered property damage. Id. at 802 (citing America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459 (E.D. Va. 2002); State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1115-1116 (W.D. Okla. 2001)).
  27. Decisions Declining Coverage for Electronic Data
     In Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851 (Cal. Ct. App. 2003), the California Court of Appeal held that the policyholder’s loss of information in a database was not covered under a first-party policy because the loss was not a “direct physical loss.” Ward, an insurance services company, was updating a software program when a programming error led to a crash of the database. All of the electronically stored data used to service Ward’s insurance policies were lost. The court held that there was no “direct physical loss” because electronic data did not have “material existence” and was not “perceptible to the senses.”
  28. Decisions Declining Coverage for Electronic Data
     In Recall Total Information Mgmt., Inc. v. Fed. Ins. Co., 2012 WL 469988, at *5 (Conn. Super. Ct. Jan. 17, 2012), the Court held that the loss of several electronic tapes containing personal information did not constitute a physical injury within the meaning of the insured’s policy. See id. at *5 (“In the present case, there are no claims for actual damage to the tapes, the cost of the lost tapes or the cart. Indeed, the claims arise from the preventative measures taken by IBM because of the theft, or loss of use, of the data on the tapes — not the tapes themselves. This is not damage to tangible property.”).
  29. Decisions Declining Coverage for Electronic Data
     In State Auto Property and Casualty Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1115-16 (W.D. Okla. 2001), the insurance company argued that it was not obligated to defend and indemnify a computer repair company which had negligently caused the loss of data of its client. The court held that the computer was not damaged, and that the data stored on a computer disk was not tangible property. It relied on the dictionary definition of “tangible,” which defined it as “capable of being perceived, especially by the sense of touch … capable of being precisely identified or realized by the mind.” The court further said that the loss of use of the computer would have been covered, because a computer is clearly tangible property, but for an applicable policy exception.
  30. Decisions Declining Coverage for Electronic Data
     In Compaq Computer Corp. v. St. Paul Fire and Marine Ins. Co., 2003 WL 22039551 (Minn. Ct. App. Sept. 2, 2003), the court concluded that “data are not tangible property,” even when communicated by electronic means such as a fax machine, telephone, telegram or computer, and that no valid claim (and thus no coverage) for property damage existed after Compaq’s allegedly faulty floppy diskettes and microcodes caused corruption and destruction of users’ data. Id. at *7.
  31. Decisions Declining Coverage for Electronic Data
     The Fourth Circuit held in America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003), that St. Paul did not have a duty to defend America Online under its CGL policy because computer data, software and systems were not tangible. Id. at 95-96. Relying on the plain meaning of “tangible,” the court held that the computers’ operating systems and software were incapable of perception by any of the senses, and were merely abstract ideas that did not permanently alter tangible computer hardware. Id. The court concluded that “[t]he insurance policy in this case covers liability for ‘physical damage to tangible property,’ not damage to data, software, i.e., the abstract ideas, logic, instructions, and information.”
  32. Decisions Declining Coverage for Electronic Data
     Highlighting the state of flux in this area of law, the America Online decision was issued only six months after a different Fourth Circuit panel held that data destroyed by a hacker was “direct physical loss” under the policy. NMS Servs. Inc. v. Hartford, 62 Fed. App’x 511 (4th Cir. 2003). The concurring opinion in that case explained that the loss of electronic data constituted “physical loss” because “a computer stores information by rearrangement of the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses, and a ‘meaningful sequence of magnetic impulses cannot float in space.’” Id. at 514. The America Online dissent agreed with the NMS court, concluding that software bugs did in fact change the physical structure of the computer hardware, and thus, should have been viewed as “physical damage to the computer itself.” Id. at 102 (Traxler, J., dissenting).
  33. Decisions Declining Coverage for Electronic Data
     In Cincinnati Insurance Company v. Professional Data Services, Inc., 2003 WL 22102138 (D. Kan. July 18, 2003), the court relied on both America Online and State Auto in finding that allegations of loss of use of software and corruption of data therein, without allegations of resulting loss of use of hardware, were insufficient to assert a claim resulting from injury to, or loss of use of “tangible property.” Id. at *7. The court reasoned that neither software nor data incorporated therein constituted tangible property because they neither had any physical substance nor were perceptible to the senses. Id.
  34. Decisions Declining Coverage for Electronic Data
     The Role of Policy Exclusions:
     • Insurance companies may raise various policy exclusions to bar coverage for underlying technology claims. However, the burden is on the insurance company to demonstrate that the exclusion applies.
     • In some cases, courts have used policy exclusions to deny coverage without reaching a decision as to whether the data was tangible property. For example, in Magnetic Data, Inc. v. St. Paul Fire and Marine Ins. Co., 442 N.W. 2d 153, 156 (Minn. 1989), the Minnesota Supreme Court declined to decide if erased data was tangible. Instead, the court said that even if data were tangible, a “control of property” exclusion in the policy applied because the property was damaged at the insured’s premises.
  35. Growing Demand for Cyber Coverage
     • Rise in cyber risk and hack attacks
     • Business and litigation costs to address breach events
     • SEC disclosure requirement re cyber insurance
     • Denials and exclusions from coverage under traditional CGL and other liability policies
     • Increased availability of cyber insurance
  36. Comprehensive Cyber Coverage
     • Network security/privacy/data loss coverage
     • Third-party liability coverage
     • 3P claims arising from data breach
     • Government and regulatory claims
     • First-party coverage
     • Crisis management, breach notification, remediation costs
     • Other bells and whistles
     • Immediate access to forensic and legal experts
     • Loss and risk mitigation tools and technology
  37. Payments Under Cyber Policies
     • Avg. cost per incident: $3.7 million
     • Avg. cost per record: $3.94
     • Avg. defense costs: $582,000
     • Avg. legal settlement: $2.1 million
     • Avg. cost for crisis services: $983,000
     (NetDiligence Oct 2012 Cyber Liability & Data Breach Insurance Claims Survey)
  38. Conclusions and Takeaways
     • Increase in cyber risks for all companies
     • Rise in private class actions and government enforcement
     • Differing state, federal and international laws governing privacy and data breaches
     • Sizeable business and legal costs to respond to breach
     • Board accountability for failure to obtain cyber coverage
     • Traditional policies may deny or exclude coverage for cyber
     • More insurers offering comprehensive cyber liability coverage
  39. Stay with us… The DEBUT of FC&S Legal will follow after a few brief announcements.
  40. FC&S Legal: The Insurance Coverage Law Information Center. Visit www.fcandslegal.com for your 14-Day FREE Trial! To purchase FC&S Legal, call 1.800.543.0874.
