Cyber and CGL Insurance Coverage for Data Breach Claims




Transcription:

Paula Weseman Theisen, Partner

Data breach overview
  - Definition of data breach/types
  - Data breach costs
  - Data breach legal claims and damages
Cyber-insurance policies
  - First-party and third-party coverages
  - Sample provisions/limitations/exclusions
CGL coverage for data-breach claims
  - Coverage A: Property Damage
  - Coverage B: Personal Injury (Privacy)

What is a data breach?

A security incident in which private or confidential data is either lost or accessed/obtained by an unauthorized person
  - Physical loss of computer hardware (laptops, backup tapes, etc.)
  - System failure that inadvertently allows confidential information to be accessed or viewed
  - A deliberate attack on a company's network by criminal hackers

Recall Total Information Management, Inc. v. Federal Ins. Co., 83 A.3d 664 (Conn. Ct. App. 2014)
Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 2014 WL 3887797 (E.D. Va.)
Zurich Am. Ins. Co. v. Sony Corp. of Am., 3/4/14 So-Ordered Transcript No. 651982/11. http://iapps.courts.state.ny.us/iscroll, N.Y. Sup. Ct., N.Y. Cty.; Target; Neiman Marcus; etc.

Data-breach costs (first party)
  - Forensic expenses
  - Discovery and scope of breach
  - Identifying what data was accessed/downloaded
  - Re-securing the network
  - Downtime/lost business
  - Notice expenses
  - PR/damage control
  - Required notices
  - Legal expense
  - Breach response
  - Regulatory investigations

Data-breach claims/damages (third-party)

Consumer Claims
  - Risk of identity theft
  - Costs of credit-report monitoring
  - Costs of cancelling cards and loss of use of cards pending replacement
  - Unreimbursed fraudulent charges
  - Loss of time changing account numbers, passwords, etc.

Financial Institution Claims
  - Cost of replacing/mailing cards
  - Financial losses from fraudulent charges
  - Staff and temporary employee time to identify affected accounts, notify account holders and respond to inquiries

Third-party claims for data breaches
  - Negligence
  - Breach of implied contract
  - Breach of contract (third-party beneficiary of PCI contracts)
  - Breach of warranty
  - Misrepresentation
  - Invasion of privacy
  - Unfair business practices act violations
  - Violation of notification statutes
  - Violations of SCA, FDCPA, FCRA, etc.

Cyber-Liability Insurance                   Limit           Retention
A. Information Security and Privacy         $15,000,000*    $500,000
B. Privacy Breach Response Services         $1,000,000**    $20,000
C. Regulatory Defense and Penalties         $5,000,000*     $500,000
D. Website Media Liability                  $15,000,000*    $500,000
E. Crisis Management & PR                   $250,000*       $5,000
F. PCI Fines and Costs                      $1,000,000*     $500,000
G. Cyber Extortion                          $15,000,000*    $500,000
H. Network Business Interruption            $15,000,000*    $500,000

Information Security and Privacy

Insurer will pay Damages and Claim Expenses in excess of the Retention that the Insured is legally obligated to pay because of any claim first made during the policy period for:
  - Theft, loss or unauthorized disclosure of Personally Identifiable Private Information (PIPI) in the care, custody or control of the Insured
  - An incident resulting from the failure of Computer Security to prevent a Security Breach involving:
      - Failure to prevent transmission of Malicious Code to Third Party Computer Systems;
      - Participation by the Computer System in a DOS Attack against a Third Party Computer System
  - Failure to timely disclose a Data Breach Incident
  - Failure to comply with a Privacy Policy that prohibits or restricts the Insured's disclosure, sharing or selling of PIPI
  - Merchant Services Agreement fines/penalties resulting from both noncompliance with PCI DSS and a data breach caused by the above

Privacy Breach Response Services

Costs incurred:
  - For a computer security expert (CSE) to determine the existence and cause of a data breach resulting in actual or reasonably suspected theft, loss or unauthorized disclosure of PIPI which may require the Insured to comply with a Breach Notice Law
  - Up to $50,000 for a CSE to demonstrate the Insured's ability to prevent a future data breach as required by a Merchant Service Agreement
  - Attorneys' fees to determine the applicability of and actions necessary to comply with a breach notice law due to reasonably suspected theft, loss or unauthorized disclosure of PIPI

Limitations/Exclusions

Damages: Does not include fees, costs or other amounts the Insured is required to pay under a Merchant Services Agreement

Merchant Services Agreement means any agreement between an Insured and a financial institution, credit/debit card company, credit/debit card processor or independent service operator enabling an Insured to accept credit card, debit card, prepaid card, or other payment cards for payments or donations.

No coverage for:
  - BI/PD
  - Contractual liability/breach of contract
  - Unlawful collection or retention of PIPI
  - Intentional breach or violation of privacy law (defense costs)
  - Except for Privacy Breach Response and Regulatory Defense and Penalties, claims by the FTC, FCC or other federal or state governmental entities

Do CGL policies cover data-breach liability?
  - Most businesses still do not purchase cyber-coverage
      - Understanding of risk/exposure
      - Cost
          » $25-50,000 per million (larger policyholders)
          » $15-20,000 per million (smaller insureds)
          http://resources.infosecinstitute.com/cyber-insurance/
  - The cyber-insurance limits were inadequate, the right coverages were not purchased or there is a coverage defense

CGL Insuring Provisions

Coverage A: Property damage

Insuring agreement: Damages the insured is legally obligated to pay because of property damage (during the policy period caused by an occurrence).

Property damage definition:
  1. Physical damage to tangible property;
  2. Loss of use of tangible property that was not physically damaged

Property Damage Definition: Electronic Data Tangible Property

Electronic data is not tangible property. Electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from, computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
  - Data vs. media distinction
  - Loss of use of credit/debit card

Electronic data exclusion

Damages arising out of the loss of, loss of use of, damage to, corruption or inability to access, or inability to manipulate electronic data. Electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Other Coverage A Exclusions
  - Any "property damage" to personal property in the care, custody or control of any "Insured," loaned to any "Insured," or used by any "Insured," or as to which any "Insured" is for any purpose exercising physical control.
  - Liability arising out of a violation of the [TCPA, CAN-SPAM Act] or any act that violates any other statute, ordinance or regulation of any federal, [or] state government that prohibits or limits the sending, transmitting or communicating of material or information.

Property Damage Caselaw

Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, 2005 WL 1154594 (M.D. Pa.), aff'd in pertinent part Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008).

[T]he credit and debit cards are tangible personal property. [T]hey are palpable, can be touched, [are] capable of ownership, and endowed with intrinsic value. The intrinsic value of each card is probably not very much, whatever the cost of a blank card is, but it nonetheless has intrinsic value. Id. (emphasis added).

IBM was asserting liability for injury to these cards as physical objects to be used for credit or debit transactions, the loss of use of these cards for those purposes, but measured by the value of the cards as blanks.

Recall Total Info. Mgmt. Inc. v. Federal Ins. Co.

Recall argued, somewhat hesitantly, that the loss or theft of the tapes themselves constituted property damage. IBM did not claim damages for the cost of the lost tapes or the cart on which they were contained. Instead, the claims for damages related to preventive measures IBM took due to the theft or loss of use of the data on the tapes, not the tapes themselves. This, the court held, is not damage to tangible property. No. X07CV095031734S, 2012 WL 469988 (Conn. Super. Ct.), aff'd 83 A.3d 664 (Conn. Ct. App. 2014).

Coverage B: Personal Injury

Damages the insured is legally obligated to pay because of personal and advertising injury.

"Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:
  e. Oral or written publication, in any manner, of material that violates a person's right of privacy.

Zurich Am. Ins. Co. v. Sony Corp.

PAULA WESEMAN THEISEN, PARTNER
Meagher & Geer PLLP
33 South 6th Street, Suite 4400
Minneapolis, MN 55402
612/337-9653
ptheisen@meagher.com