Allocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications

Transcription

1 Allocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications Presented by: Selena J. Linde George Galt Aaron Coombs June 23, 2016 Perkins Coie LLP

2 Presenter: Selena Linde Selena Linde is a Partner in Perkins Coie's Insurance Recovery Practice and is a primary author and editor of the Association of Corporate Counsel's Policyholders Primer on Insurance. Ms. Linde has been honored as one of twenty-five worldwide recipients of Business Insurance's Women to Watch, one of eleven National Insurance Stars and one of the top 150 Women Litigators by Benchmark Plaintiff. Ms. Linde has recovered more than a billion dollars for her clients and has an active trial practice representing policyholders in complex insurance coverage cases throughout the country and an equally active arbitration, mediation, and counseling practice. Selected representations include: Lead Coverage Counsel for a Global 50 Pharmaceutical (D&O Claims related to Government Investigations and Anti-Trust Suits) Lead Coverage Counsel for Hospitality Company (Data/Privacy and Property Claims) Lead Coverage Counsel for Residential Capital ( E&O and D&O Claims related to packaging of mortgage backed securities) Lead Counsel NorthWestern Energy (CGL, D&O, Property, and EPL Claims) Co-lead Counsel Motors Liquidation Trust (CGL claims related to historical asbestos and environmental liability for pre-bk General Motors) 2 Join Ms. Linde's LinkedIn network for updates and articles on insurance coverage topics. She can be reached directly at (202) or SLinde@perkinscoie.com.

3 Presenter: George Galt George Galt is an Assistant General Counsel at AOL where he supports the advertising group. In that capacity, he negotiates agreements regarding data gathered through websites, applications and business interactions. Prior to AOL, George was the Associate General Counsel at The Associated Press managing the business transactions unit. He provided legal support for AP s efforts to gather behavior data regarding news usage and helped AP to develop a rights expression language to support automated content transactions. Prior to AP, George was in private practice at Drinker, Biddle & Reath. He can be reached at george.galt@teamaol.com. 3

4 Presenter: Aaron Coombs Aaron Coombs is Counsel in Perkins Coie s Insurance Recovery practice group. He has helped clients maximize their insurance assets under many different types of policies from spacecraft to cyber, property to casualty, and many others. He routinely counsels clients when purchasing insurance, and has extensive proficiency in identifying gaps in coverage and negotiating the terms and conditions for cyber-risk and management liability (D&O) insurance policies. He also helps clients with additional insured and contractual indemnification issues. Aaron has helped clients recover insurance proceeds for product liability claims, product recalls, government investigations, employment discrimination, as well as cases involving alleged violations of the Fair Labor Standards Act, Sherman Antitrust Act, and False Claims Act. Aaron is currently working on several cyber-risk insurance claims for clients that experienced malicious hacking attacks, as well as several product recall claims. He can be reached directly at (202) or Acoombs@perkinscoie.com 4

5 Introduction Heightened state of data and IT security How to protect your company Landscape of contract negotiations on data and IT security Avoiding the pitfalls of 3 rd parties dictating your company s policies: allocation of risk and contract tips 5

6 Heightened State of Data and IT Security Public Breaches Regulators What is Data? What is PII? 6

7 7

8 8

9 How Do You Protect Your Company? Breach response plan Insurance application requirements problematic exclusions 9

10 Contract Negotiations on Data & IT Security Broadened clauses of indemnification Third party standards Security audits Reps and warranties 10

11 Allocation of Risk and Contract Tips Your own insurance policies Your contracts 11

12 Cyber Risk/Privacy Policies Coverage Grants Vary Greatly "First-Party" Coverage: Losses due to destroyed or damaged data; data restoration Business Interruption Extortion demands "Third-Party" Coverage Privacy Liability Unauthorized disclosure of confidential information Costs to investigate breaches, satisfy notification obligations, defend against regulatory proceedings 12

13 Available Coverage Components Network Security Liability: Third-party liability resulting from a failure of your network security to protect against destruction, deletion or corruption of a third-party electronic data, denial of service attacks against internet sites or computers; or transmission of viruses to third-party computers and systems. Privacy Liability: Liability to a third-party as a result of your failure to properly handle, manage, store or otherwise control personally identifiable information, corporate information identified as confidential and protected under a nondisclosure agreement and unintentional violation of privacy regulations. Crisis Management & Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations. Cyber Extortion: Ransom or investigative expenses associated a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured, introduce malicious code into the your computer system; corrupt, damage, or destroy your computer system, or restrict or hinder access to your computer system. Network Business Interruption: Reimbursement of your own loss of income and/or extra expense resulting from an interruption or suspension of its systems due to a failure of network security to prevent a security breach. Data Asset Protection: Recovery of your costs and expenses incurred to restore, recreate, or regain access to any software or electronic data from back-ups or from originals or to gather, assemble and recreate such software or electronic data from other sources to the level or condition in which it existed immediately prior to its alteration, corruption, destruction, deletion, or damage. 13

14 Negotiate Insurance Policy Language Coverage Grants Vary Greatly No standard form language Customize and do not buy off the shelf policies Ensure your policy covers cyber losses not resulting from theft Review proposed policy language with a critical eye Who is the insured? How are defense costs treated? Who chooses defense counsel and breach response firms? What is the retroactive date? Are you comfortable with the proposed sublimits? 14

15 Negotiate Insurance Policy Language Be Wary of Certain Exclusions Terrorism and war Regulatory actions Breach of contract (PCI-DSS?) Fines and penalties Third-party vendor Insured vs. insured Misappropriation of intellectual property Eliminate Duplicate Coverages 15

16 Do Your Traditional Policies Cover Cyber/Privacy Risks? Many Facets of a Data Breach: Multiple Policies May Respond Errors & Omissions (E&O)/Professional Liability Directors and Officers (D&O) Fidelity Commercial General Liability New ISO CGL data breach exclusions Property Other Policies/Indemnification Agreements 16

17 Model Contract Provisions: Privacy, Data Security, and Insurance Framework to address privacy and data security and insurance in the context of an agreement between Company and a service provider or vendor Vendor/service provider will have access to Company information, information related to Company information or other confidential information of Company 17

18 Model Contract Provisions: Privacy, Data Security, and Insurance NOTE: sample provisions must be tailored and supplemented to fit particular facts and circumstances If Company will also be hosting vendor data you may not be willing or able to make mutual many of the provisions we will discuss, because hosting or storing information on behalf of other companies is not Company's business. 18

19 Model Contract Provisions: Privacy, Data Security, and Insurance Confidentiality Provisions Security of Personal Information Provisions Establishing Contractual Insurance Provisions 19

20 Confidentiality Provisions Confidentiality Provisions Definition Marking Survival Return or Destruction Boilerplate Confidentiality Carve Outs Ownership and Use 20

21 Confidentiality Provisions Definition of Confidentiality Must capture all sensitive data Also protect information that a party should reasonably understand to be of a confidential nature Marking Tangible medium Specify handling procedures Oral Information 21

22 Confidentiality Provisions Survival Must survive termination of the Agreement (non-negotiable) Ownership and Use Limit to purpose for which it was provided Specify recipient does not own 22

23 Confidentiality Provisions Return or Destruction Company should elect at time of termination or request Consider confidential information will be transmitted, and where copies may be retained (i.e. / corporate server backups, etc.) Certificate of destruction 23

24 Confidentiality Provisions BE CAREFUL of Boilerplate Carve-Outs Typically carve out certain information Publicly available through no fault of Vendor/Service Provider Disclosed via breach or other wrongful act provisions still apply to the use of the information 24

25 Security of Personal Information Provisions Company Information Representations, Warranties and Covenants. Audit rights Remedies for breach Security Breach Notification Subcontractors and Flow-Down Provisions Location of Data/Employee Issues Disaster Recovery 25

26 Company Information Company exclusively owns all Company Information. "Company Information" is any information about persons or entities that Vendor obtains in any manner from any source under this Agreement, which concerns prospective and existing customers or employees of (1) Company, (2) Company's affinity marketing partners, (3) Company s contracting parties and (4) Company s suppliers. Company Information includes, without limitation, names, addresses, telephone numbers, addresses, social security numbers, credit card numbers, call-detail information, purchase information, product and service usage information, frequent flier information, account information, credit information, demographic information and any other personally identifiable information. Company Information is the Confidential Information of Company under the Agreement. Vendor (a) may collect, store, access, use, process, maintain and disclose Company Information only to fulfill its performance obligations under the Agreement and for no other purpose, and (b) shall, without limiting any other obligations applicable to Company Information hereunder, treat all Company Information as Confidential Information of Company. For this Agreement, the acts or omissions of Vendor and anyone with which it is associated (e.g., employees of Vendor and its subsidiaries and affiliates, and Vendor's agents and approved contractors and subcontractors, and their respective employees) are Vendor s acts or omissions. 26

27 Representations, Warranties and Covenants Compliance with Applicable Laws Vendor hereby represents and warrants that it is and will remain in compliance with all applicable domestic laws, including without limitation any national, regional and local laws, and all applicable international laws ("Applicable Laws") and that it will not cause Company to be in material violation of any Applicable Laws. Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach (defined below) or otherwise regarding data privacy or information security. 27

28 Representations, Warranties and Covenants Compliance with Industry Rules or Guidelines If Vendor processes, stores, transmits or has access to Company Information that includes payment information (including, without limitation, credit card, debit card, or financial account information), Vendor represents and warrants that it is, and will remain, in compliance with the data security rules of any applicable payment network or organization, including, but not limited to, (1) the Payment Card Industry Data Security Standard for protecting credit and debit cardholder information, as the same may be amended, updated, replaced or augmented, and (2) the NACHA Operating Rules, developed and administered by NACHA The Electronic Payments Association, for protecting financial account information and the Automated Clearing House network, as they may be amended, updated, replaced or augmented. 28

29 Representations, Warranties and Covenants Vendor should be required to: Use administrative, physical and technical safeguards that prevent any unauthorized collection, use or disclosure of, or access to, Company Information Implement and maintain an information security program to protect Company Information Can be covenant or representation and warranty Strict Liability Vendor fully responsible 29

30 Representations, Warranties and Covenants: Security Vendor is fully responsible for any authorized or unauthorized collection, storage, disclosure and use of, and access to, Company Information. 30 Vendor shall implement and maintain administrative, physical and technical safeguards ("Safeguards") that prevent any collection, use or disclosure of, or access to, Company Information that this Agreement does not expressly authorize, including, without limitation, an information security program that meets the highest standards of best industry practice to safeguard Company Information. Such information security program will include, without limitation, (i) adequate physical security of all premises in which Company Information will be processed and/or stored; (ii) reasonable precautions taken with respect to the employment of and access given to Vendor personnel, including background checks and security clearances that assign specific access privileges to individuals, training employees on the proper use of Vendor s computer systems and the importance of personal information security, and restricting access to records and files containing Company Information to those who need such information to perform their job duties; and (iii) an appropriate network security program, including designation of one or more employees to coordinate the security program, monitoring of systems for unauthorized use of, or access to, personal information, appropriate access and data integrity controls, testing and auditing of all controls, appropriate corrective action and incident response plans, and encryption of all records and files containing personal information that will travel across public networks, be transmitted wirelessly, or be transmitted outside of the secure system of the business; and (iv) encryption of all Company Information stored on laptops and other portable devices.

31 Representations, Warranties and Covenants Compliance with Company Policies Vendor should comply with your company s written privacy and security policies Provide policy not less than 30 days prior to effective date of policies Compliance does not relieve Vendor of duties to protect Company Information or other Confidential Information 31

32 Representations, Warranties and Covenants Prior Audits Require vendor to represent and warrant that its network, systems and premises have undergone annual audits Audits did not reveal vulnerabilities! What if Vendor objects to materiality standard? Will vendor agree to use language of audit standard? Provide copies of audits? Provide summaries? 32

33 Representations, Warranties and Covenants Disclosure of Prior Breaches Require vendor to represent and warrant no prior security breaches or disclosure Prior enforcement actions? Non mutual provisions 33

34 Representations, Warranties and Covenants Disclosure of Prior Breaches: Vendor represents and warrants that the Vendor Systems have (a) not suffered any actual, probable or reasonably suspected breach of any safeguards or of any other actual, probable or reasonably suspected unauthorized access to or acquisition, use, loss, destruction, compromise or disclosure of any information maintained on the Vendor Systems (each, a "Security Breach"); or (b) if the Vendor Systems have suffered one or more Security Breaches, that Vendor has disclosed each Security Breach to Company. Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach or otherwise regarding data or information security. 34

35 Representations, Warranties and Covenants NO overriding disclaimers! 35

36 Audit Rights Is Vendor hosting sensitive or mission critical data? Annual 3 rd party audits Report audit results Promptly correct vulnerabilities Right to terminate for breach of this provision? Liquidated damages? 36

37 Audit Rights Independent Auditor Costs Visitation and Inspection Right 37

38 Remedies for Breach Injunctive Relief Liquidated Damages Termination Indemnification Limitation of Liability 38

39 Security Breach Notification Definition Notification Point of Contact Notice of Third-Party Legal Process Expense Responsibilities 39

40 Subcontractors and Flow-Down Provisions Prior approval All data security provisions must flow down Necessary to fulfill subcontractor obligations Notification Require express consent? 40

41 Location of Data/Employee Issues Domestic or Overseas Storage Requirements Applicable to Overseas Storage and Processing EU Safe Harbor EU-US Privacy Shield Additional Requirements US Citizenship or Permanent Residence No Citizenship or Permanent Residence Requirement/Prohibition on Access by Individuals on Export Control Lists 41

42 Disaster Recovery During the term of this Agreement, Vendor shall implement and maintain a disaster recovery plan that ensures that all Company Confidential Information in Vendor's possession or control at a given time is capable of being recovered, and that the integrity of all such recovered Company Confidential Information is retained, in the event that Vendor's network, systems or other facilities experience a Security Breach or any significant interruption or impairment of operation or any loss, deletion, corruption or alteration of data ("Disaster Recovery Plan"). Vendor shall, at minimum, conduct annual internal information security audits of its Disaster Recovery Plan and certify the results of each such audit to Company within ten (10) days of completing each such audit. 42

43 Service Level Agreement Issues Data storage Encryption Access logging Records monthly/on request 43

44 Model Insurance Requirements Establishing Contractual Insurance Provisions: General Recommendations for all Maintenance of Insurance Provisions Types of Insurance Coverage to Consider Including In Maintenance of Insurance Provisions Minimum Insurance Provision Recommended 44

45 Contractual Insurance Provisions What kind of work is being done? Types of potential losses or accidents? Worst case scenario? Is entity responsible for the risk the same entity in the best position to control the risk? Additional insured status? Limits? 45

46 Contractual Insurance Provisions Licensed and approved in states Minimum A.M. Best Rating Additional Insured status Primary and non-contributory Notice of cancellation/renewal Evidence of Insurance Indemnification excess of insurance 46

47 Types of Policies to Consider Cyber Risk/Privacy Policies Errors and Omissions Commercial General Liability Workers Compensation 47

48 Questions? Selena J. Linde Aaron Coombs