Second Annual Conference September 16, 2015 to September 18, 2015 Chicago, IL



Similar documents
Cyberinsurance: Insuring for Data Breach Risk

CLASS ACTION. Westlaw Journal. Expert Analysis The State of Coverage Disputes Concerning Advertising And Privacy Claims

Cyber Insurance and Your Data Ted Claypoole, Partner, Womble Carlyle and Jack Freund, PhD, InfoSec Mgr, TIAA-CREF

Cyber Insurance: An Overview of an Evolving Coverage

Cyberinsurance for Financial Institutions

By Heather Howell Wright, Bradley Arant Boult Cummings, LLP. (Published July 24, 2013 in Insurance Coverage, by the ABA Section Of Litigation)

Cyber and data Policy wording

CyberSecurity for Law Firms

Henkel Corp v. Hartford Accident

Insurance Coverage In Consumer Class Actions

Data Privacy, Security, and Risk Management in the Cloud

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

A&E Briefings. Indemnification Clauses: Uninsurable Contractual Liability. Structuring risk management solutions

Cyber and CGL Insurance Coverage for Data Breach Claims

IN THE SUPREME COURT OF TEXAS

PRODUCTS LIABILITY. Expert Analysis Potential Rise in Rood-Related Product Liability Claims Calls For Proactive Risk Management

United States Court of Appeals

Cyber-insurance: Understanding Your Risks

THE RIGHT TO INDEPENDENT COUNSEL

Obtaining Indemnity Through Effective Tender Letters

Black Hats, Firewalls, and Data Loss: Insurers Confront Data Breach Litigation

Insurers Not Obligated to Defend in ZIP Code Coverage Suits

THE STATE OF FLORIDA...

FOLLOW THE SETTLEMENTS: BAD CLAIMS HANDLING EXCEPTION. Robert M. Hall

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Case 2:15-cv DDP-AGR Document 1 Filed 05/07/15 Page 1 of 15 Page ID #:1 UNITED STATES DISTRICT COURT FOR THE CENTRAL DISTRICT OF CALIFORNIA

Construction Defect Coverage Recap For 1st Quarter

Introduction to Medical Malpractice Insurance

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Be Afraid, Be Very Afraid!!! Hacking Out the Pros and Cons of Captive Cyber Liability Insurance

Rolling the Dice: Insurer s Bad Faith Failure to Settle within Limits

ENFIELD PIZZA PALACE, INC., ET AL. v. INSURANCE COMPANY OF GREATER NEW YORK (AC 19268)

Understanding Professional Liability Insurance

Case 2:15-cv SHL-dkv Document 1 Filed 04/09/15 Page 1 of 16 PageID 1 UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF TENNESSEE

FILED: NEW YORK COUNTY CLERK 07/20/2011 INDEX NO /2011 NYSCEF DOC. NO. 1 RECEIVED NYSCEF: 07/20/2011

Chapter XI INSURANCE. While many insurance policies do not cover environmental remediation and damages, insurance. A. General Liability Insurance

Allocating Defense Costs Among Multiple Insurers and Between Covered and Uncovered Claims

Case 2:14-cv TS Document 45 Filed 05/11/15 Page 1 of 9 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF UTAH

BROKER/SHIPPER AGREEMENT

Case 3:10-cv SRU Document 1 Filed 12/10/10 Page 1 of 9 UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT : : : : : : : : : : : : : : :

CONNECTICUT I. MECHANICS LIEN BASICS

Mind the Gap Between D&O and E&O Insurance Policies

Cyber Liability Insurance: It May Surprise You

Law Firm Cyber Security & Compliance Risks

Oregon Insurance Coverage Law

DATA BREACH, NETWORK SECURITY, CYBER LIABILITY, PRIVACY PROTECTION: ARE YOU INSURED?

Understanding the Business Risk

UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MISSOURI EASTERN DIVISION

Unclaimed Property Debate

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

The Effect of Product Safety Regulatory Compliance

THE TEXAS PROMPT PAYMENT OF CLAIMS STATUTE AND ITS APPLICATION TO THE DUTY TO DEFEND

Joe A. Ramirez Catherine Crane

Case 8:13-cv EAK-TGW Document 145 Filed 02/12/15 Page 1 of 12 PageID 5551 UNITED STATES DISTRICT COURT MIDDLE DISTRICT OF FLORIDA TAMPA DIVISION

IN THE APPELLATE COURT OF ILLINOIS FIRST DISTRICT

Indemnity Clauses. Just boilerplate, right?

EMERGING CYBER RISK CYBER ATTACKS AND PROPERTY DAMAGE: WILL INSURANCE RESPOND?

After major construction

WHAT IS IT, HOW TO DEAL WITH IT, AND WHERE IS IT GOING?

INSURANCE CODE TITLE 10. PROPERTY AND CASUALTY INSURANCE SUBTITLE C. AUTOMOBILE INSURANCE CHAPTER 1952

Whistleblower Claims: Are You Covered?

ADDITIONAL INSURED STATUS: RECOGNIZING COVERAGE RISKS. by Todd Rossi and Mark Mese

6 Commercial General Liability Insurance

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF RHODE ISLAND

THE THREAT OF BAD FAITH LITIGATION ETHICAL HANDLING OF CLAIMS AND GOOD FAITH SETTLEMENT PRACTICES. By Craig R. White

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Insurance Coverage Issues for Products Manufactured by Foreign Companies

Cyber Risks in the Boardroom

IN THE UNITED STATES COURT OF APPEALS FOR THE FIFTH CIRCUIT

Case 1:14-cv RMC Document 65-8 Filed 09/30/14 Page 1 of 10 EXHIBIT G

Transcription:

Second Annual Conference September 16, 2015 to September 18, 2015 Chicago, IL

Using Insurance Coverage to Mitigate Cybersecurity Risks To Warranty and Service Contract Businesses Barry Buchman, Partner Adrian Azer, Of Counsel Gilbert LLP 2

Cybersecurity Risks to Warranty and Service Contract Businesses Cyber-attack directly against warranty and service contract providers: This can be especially costly given the significant amount of personal identifying information that is obtained in connection with warranty and service contracts. Cyber-attack on Warranty Management Vendor: Many warranty and service contract providers are outsourcing data management to vendors such as warranty management solutions businesses to maintain their warranty and service contracts. This creates the additional risk of cyber-attacks against warranty management vendors that exposes both the warranty and service contract providers and vendors to liability. Cyber-attack on Cloud Computing Technologies 3

Two Types of Losses That Result From a Cyber-Breach First Party Losses: Damage to the policyholder s own data or systems, lost income, and extra expenses. (1) the costs of providing notice to individuals whose identifying information was compromised; (2) the costs of investigating/stopping the breach; (3) the costs of replacing damaged hardware or software; (4) business interruption costs; and (5) the costs of a public relations firm. Third Party Losses: Policyholder s potential liability to customers, government or regulatory entities, or another third party. (1) customer lawsuits; (2) government investigations and government enforcement actions; and (3) potential shareholder suits. 4

Increasing Cost of Cybersecurity Breach The average cost of a data breach has risen, with the average cost in 2015 being approximately $3.79 million. See 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC (May 2015). Both large and small companies are increasingly acquiring cybersecurity insurance coverage; data suggests [that] small companies are actually targeted as frequently, and if not more, than larger companies. See Mark Sanchez, Data Breaches Push More Firms to Consider Cyber- Insurance Policies, MiBiz (Jan. 18, 2015); see also Matt Egan, Companies Turn to Cyber Insurance as Hacker Threats Mount, Fox News, Business (Mar. 20, 2014). Boards of Directors are increasingly concerned about cybersecurity. See Henry Stoever, Only 11% of Corporate Directors Say Boards Have High Level of Cyber-Risk Understanding, National Association of Corporate Directors (June 22, 2015); see also C. Dunn, Cybersecurity Becoming No. 1 Concern for GCs and Directors, Corporate Counsel (Aug. 15, 2012). 5

How Cyber-Breaches May be Covered Under Traditional Insurance 6

Overview of Traditional Insurance Policies Most businesses maintain: Comprehensive-General-Liability insurance ( CGL ) Typically covers: (1) bodily injury or property damage caused by an occurrence (accident); or (2) personal and advertising injury. Property Damage/Business Interruption Insurance Errors and Omissions Insurance Directors & Officers Insurance Most insureds have sought coverage for cyber-breaches under the personal and advertising injury coverage of CGL policies. 7

Coverage for Cyber-Breach Under Traditional Insurance Policies Coverage may be available under CGL policies as many courts have found coverage, and a number of jurisdictions have not addressed this issue and may conclude that coverage exists. See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013); Retailer Ventures, Inc. v. National Union Fire Insurance Co., 691 F.3d 821 (6th Cir. Aug. 23, 2012); Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010). Two recent decisions, however, have rejected coverage for cyberbreaches under the personal and advertising injury coverage of CGL policies. Recall Total Information Mgmt. v. Federal Ins. Co., 317 Conn. 46, 51-52 (2015); Zurich Am. Ins. V. Sony Corp. of Am., Case No. 651982/2011, 2014 WL 3253541 (N.Y. Sup. Feb. 24, 2014). Both the Connecticut Supreme Court and a trial court in New York held that there was no publication by the insured to trigger the personal and advertising injury coverage. 8

How Cyber-Breaches May be Covered Under Specialty Cybersecurity Insurance 9

Specialty Cybersecurity Insurance Coverage There are three fundamental coverage types in specialty cyber-security insurance: Liability for loss or breach of data (third party). Defense and settlement costs for third-party claims by customers. Remediation costs to respond to the breach. Response costs following a data breach, including investigation, public relations, customer notification, and credit monitoring. Coverage for fines and/or penalties imposed by law or regulation.* Costs to investigate, defend, and settle fines and penalties that may be assessed by a regulator. * Where insurable by law. 10

Considerations When Negotiating Cybersecurity Insurance Policies When procuring cyber-security insurance coverage, warranty and service contract businesses should: Negotiate the terms of the policy. These policies are negotiable given the lack of a standard form. Warranty and service contract businesses should ensure that a breach at a data management vendor or cloud-based vendor is within the scope of coverage, e.g., avoid policy provisions requiring connection to a network. Know your limits and sublimits. Many cybersecurity policies include sublimits that limit the recovery for certain types of losses. Carefully complete the application. Be careful when representing the security measures in place as the insurer may use the application to avoid coverage. 11

Four Areas to Watch Related to Cybersecurity Insurance (1) Security Requirements (more commonly known as, Best Practices or Minimum Required Practices Provisions) In 2015, an insurer preemptively filed a lawsuit seeking a declaration (a declaratory judgment ) that its cybersecurity policy did not cover a cybersecurity breach because of an insured s alleged failure to have appropriate security measures. Columbia Casualty Co. v. Cottage Health Systems, No. 2:15-cv-03432 (C.D. Cal May 7, 2015). (2) Act of War and Terrorism Exclusion Given the prevalence of state-sponsored cyber-attacks or cyber-attacks by rogue terrorist organizations (e.g., ISIS), insurers may begin to rely on this exclusion to avoid their coverage obligations. The exclusion, however, may not be as broad as an insurer asserts. See, e.g., Pan Am. World Airways, Inc. v. AETNA Casualty & Surety Co., 505 F.2d 989, 1012-1014 (2d Cir. 1974). (3) Third-Party Acts and Omissions There may be questions regarding whether cybersecurity insurance covers cyber-attacks at third-party vendors who are providing data management or cloud-based services. (4) Coverage for Statutory Damages There may also be disputes regarding coverage for regulatory fines or penalties. 12

Practical Considerations When Addressing Cybersecurity 13

Insurance Considerations When Negotiating Vendor Contracts In the event of a cyber-security breach, there are two possible avenues for recovery: (1) insurance coverage, and (2) indemnities from vendors and other contracting parties. These two avenues of recovery often overlap and are intertwined; however, the pursuit of indemnities may detrimentally impact the business relationships between warranty and service contract providers and their vendors. Parties can structure cross-indemnities to mitigate the impact on the business relationship, including by: requiring that a party be named as an additional insured under the other party s insurance; be careful about relying solely on certificates of insurance; structuring indemnities so that they are net of insurance, i.e., they require the pursuit of insurance before the pursuit of indemnities; and negotiating whose insurance will respond first. 14

Conclusion and Other Practical Pointers Businesses involved in warranties and service contracts should conduct an insurance audit -- analyzing their policies, the requirements to pursue coverage, and their indemnities. In the event of a loss, these businesses should consider: Notice requirements in their policies; Policy preservation and examination; Review policies issued not only to your business but also to other businesses, e.g., vendors and affiliates -- such policies may provide additional insured coverage; also not just the current year s policy but also prior policies. Communication protocols, both for internal communications and communications with insurers; and Proof of loss deadlines and contractual limitations periods. 15

Additional Reading Adrian Azer, Cyber-Attacks Against Government Contractors and the Availability of Insurance Coverage, Gilbert Insurance Law Blog (Aug. 6, 2015). Miriam Smolen and Adrian Azer, Insurance Cybersecurity Regulations What Insurance Coverage Do You Need?, Gilbert Insurance Law Blog (Feb. 15, 2013). Barry Buchman and Adrian Azer, Recent Trends in Cybersecurity Scrutiny, Law360 (Oct. 22, 2012). 16

Adrian C. Azer E-mail: azera@gotofirm.com Telephone: 202.772.3991 Gilbert LLP 1100 New York Avenue, NW Suite 700 Washington, DC 20005 gotofirm.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information