Cyber and CGL Insurance Coverage for Data Breach Claims
Paula Weseman Theisen, Partner

Data breach overview
    Definition of data breach/types
    Data breach costs
    Data breach legal claims and damages
Cyber-insurance policies
    First-party and third-party coverages
    Sample provisions/limitations/exclusions
CGL coverage for data-breach claims
    Coverage A: Property Damage
    Coverage B: Personal Injury (Privacy)
What is a data breach?
A security incident in which private or confidential data is either lost or accessed/obtained by an unauthorized person:
    Physical loss of computer hardware (laptops, backup tapes, etc.)
    System failure that inadvertently allows confidential information to be accessed or viewed
    A deliberate attack on a company's network by criminal hackers

    Recall Total Information Management, Inc. v. Federal Ins. Co., 83 A.3d 664 (Conn. Ct. App. 2014)
    Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 2014 WL 3887797 (E.D. Va.)
    Zurich Am. Ins. Co. v. Sony Corp. of Am., 3/4/14 So-Ordered Transcript No. 651982/11, http://iapps.courts.state.ny.us/iscroll, N.Y. Sup. Ct., N.Y. Cty.
    Target; Neiman Marcus; etc.

Data-breach costs (first party)
    Forensic expenses
        » Discovery and scope of breach
        » Identifying what data was accessed/downloaded
        » Re-securing the network
    Downtime/lost business
    Notice expenses
        » PR/damage control
        » Required notices
    Legal expense
        » Breach response
        » Regulatory investigations
Data-breach claims/damages (third-party)
    Consumer Claims
        » Risk of identity theft
        » Costs of credit-report monitoring
        » Costs of cancelling cards and loss of use of cards pending replacement
        » Unreimbursed fraudulent charges
        » Loss of time changing account numbers, passwords, etc.
    Financial Institution Claims
        » Cost of replacing/mailing cards
        » Financial losses from fraudulent charges
        » Staff and temporary employee time to identify affected accounts, notify account holders and respond to inquiries

Third-party claims for data breaches
    Negligence
    Breach of implied contract
    Breach of contract (third-party beneficiary of PCI contracts)
    Breach of warranty
    Misrepresentation
    Invasion of privacy
    Unfair business practices act violations
    Violation of notification statutes
    Violations of SCA, FDCPA, FCRA, etc.
Cyber-Liability Insurance
    Coverage                                 Limit          Retention
    A. Information Security and Privacy      $15,000,000*   $500,000
    B. Privacy Breach Response Services      $1,000,000**   $20,000
    C. Regulatory Defense and Penalties      $5,000,000*    $500,000
    D. Website Media Liability               $15,000,000*   $500,000
    E. Crisis Management & PR                $250,000*      $5,000
    F. PCI Fines and Costs                   $1,000,000*    $500,000
    G. Cyber Extortion                       $15,000,000*   $500,000
    H. Network Business Interruption         $15,000,000*   $500,000

Information Security and Privacy
Insurer will pay Damages and Claim Expenses in excess of the Retention that the Insured is legally obligated to pay because of any claim first made during the policy period for:
    Theft, loss or unauthorized disclosure of Personally Identifiable Private Information in the care, custody or control of the Insured
    An incident resulting from the failure of Computer Security to prevent a Security Breach involving:
        » Failure to prevent transmission of Malicious Code to Third Party Computer Systems
        » Participation by the Computer System in a DOS Attack against a Third Party Computer System
    Failure to timely disclose a Data Breach Incident
    Failure to comply with a Privacy Policy that prohibits or restricts the Insured's disclosure, sharing or selling of PIPI
    Merchant Services Agreement fines/penalties resulting from both noncompliance with PCI DSS and a data breach caused by the above
Privacy Breach Response Services
Costs incurred:
    For a computer security expert to determine the existence and cause of a data breach resulting in actual or reasonably suspected theft, loss or unauthorized disclosure of PIPI which may require the Insured to comply with a Breach Notice Law
    Up to $50,000 for a CSE to demonstrate the Insured's ability to prevent a future data breach as required by a Merchant Service Agreement
    Attorneys' fees to determine the applicability of and actions necessary to comply with a breach notice law due to reasonably suspected theft, loss or unauthorized disclosure of PIPI

Limitations/Exclusions
    Damages: Does not include fees, costs or other amounts the Insured is required to pay under a Merchant Services Agreement
        » Merchant Services Agreement means any agreement between an Insured and a financial institution, credit/debit card company, credit/debit card processor or independent service operator enabling an Insured to accept credit card, debit card, prepaid card, or other payment cards for payments or donations.
    No coverage for:
        » BI/PD
        » Contractual liability/breach of contract
        » Unlawful collection or retention of PIPI
        » Intentional breach or violation of privacy law (defense costs)
        » Except for Privacy Breach Response and Regulatory Defense and Penalties, claims by the FTC, FCC or other federal or state governmental entities
Do CGL policies cover data-breach liability?
    Most businesses still do not purchase cyber-coverage
        » Understanding of risk/exposure
        » Cost
            $25-50,000 per million (larger policyholders)
            $15-20,000 per million (smaller insureds)
            http://resources.infosecinstitute.com/cyber-insurance/
    The cyber-insurance limits were inadequate, the right coverages were not purchased or there is a coverage defense

CGL Insuring Provisions
Coverage A: Property damage
    Insuring agreement: Damages the insured is legally obligated to pay because of property damage (during the policy period caused by an occurrence).
    Property damage definition:
        1. Physical damage to tangible property;
        2. Loss of use of tangible property that was not physically damaged
Property Damage Definition: Electronic Data
    Tangible Property: Electronic data is not tangible property.
        » Electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from, computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
    Data vs. media distinction
    Loss of use of credit/debit card
    Electronic data exclusion: Damages arising out of the loss of, loss of use of, damage to, corruption or inability to access, or inability to manipulate electronic data.
        » Electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
Other Coverage A Exclusions
    Any "property damage" to personal property in the care, custody or control of any "Insured," loaned to any "Insured," or used by any "Insured," or as to which any "Insured" is for any purpose exercising physical control.
    Liability arising out of a violation of the [TCPA, CAN-SPAM Act] or any act that violates any other statute, ordinance or regulation of any federal, [or] state government that prohibits or limits the sending, transmitting or communicating of material or information.

Property Damage Caselaw
Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, 2005 WL 1154594 (M.D. Pa.), aff'd in pertinent part, Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008).
    "[T]he credit and debit cards are tangible personal property. [T]hey are palpable, can be touched, [are] capable of ownership, and endowed with intrinsic value. The intrinsic value of each card is probably not very much, whatever the cost of a blank card is, but it nonetheless has intrinsic value." Id. (emphasis added).
    IBM was asserting liability for injury to these cards as physical objects to be used for credit or debit transactions, the loss of use of these cards for those purposes, but measured by the value of the cards as blanks.
Recall Total Info. Mgmt. Inc. v. Federal Ins. Co.
    Recall argued, somewhat hesitantly, that the loss or theft of the tapes themselves constituted property damage.
    IBM did not claim damages for the cost of the lost tapes or the cart on which they were contained. Instead, the claims for damages related to preventive measures IBM took due to the theft or loss of use of the data on the tapes, not the tapes themselves. This, the court held, is not damage to tangible property.
    No. X07CV095031734S, 2012 WL 469988 (Conn. Super. Ct.), aff'd 83 A.3d 664 (Conn. Ct. App. 2014).

Coverage B: Personal Injury
    Damages the insured is legally obligated to pay because of personal and advertising injury.
    "Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:
        » e. Oral or written publication, in any manner, of material that violates a person's right of privacy.
    Zurich Am. Ins. Co. v. Sony Corp.
PAULA WESEMAN THEISEN, PARTNER
Meagher & Geer PLLP
33 South 6th Street, Suite 4400
Minneapolis, MN 55402
612/337-9653
ptheisen@meagher.com