Invas ion of Privacy, Hacking and Intellectual Property Claims : Are You Covered?

Size: px

Start display at page:

Download "Invas ion of Privacy, Hacking and Intellectual Property Claims : Are You Covered?"

Ariel Carroll
5 years ago
Views:

1 Invas ion of Privacy, Hacking and Intellectual Property Claims : Are You Covered? Speakers : Edward M. Joyce, Partner, Jones Day Leslie Lamb, Director Global Risk Management, Cisco Systems, Inc.

2 The views expres s ed by the s peakers are not thos e of the s peaker s employer, firm, clients, or any other organization. The opinions expres s ed do not cons titute legal or ris k management advice. The views dis cus s ed are for educational purpos es only, and provided only for us e during this s es s ion.

3 Learning Objectives At the end of this s es s ion, you will: Identify and decipher relevant ins urance policies regarding privacy, hacking and IP claims Be prepared to develop a good paper trail for pres enting thes e claims Identify and addres s common pitfalls in pres enting cyber ins urance claims

5 Recent Cyber Attacks Oct 2016 Dyn Cyberattack DDoS causing major internet platforms and services to be unavailable to many in Europe and North America May Primera Blue Cross 11 million customers Feb 2015 Anthem tens of millions of customers and employees Nov 2014 Sony Pictures attack wiped clean internal DCs and led to cancellation of The Interview Sept 2014 Home Depot 56 million payment cards July/Aug 2014 JP Morgan Chase 83 million households and small businesses June 2014 Community Health Systems 4.5 million patient records April 2014 Michaels Stores 3 million customer payment cards stolen December 2013 Target 40 million credit and debit cards stolen and 70 million people affected by stolen PII

6 A Public Relations Nightmare Data breaches/cyber attacks become public Neiman Marcus (Jan 2014) Barnes & Noble (Oct 2012) Global Payments (Mar 2012) Zappos (Jan 2012) Sony s Playstation Network (Apr 2012) Michael Stores (May 2011) State attorneys general publicize breaches online Privacy advocates track and publicize breaches Litigation

7 Target Industries Targets of Opportunity Retail Hospitality Health Care Education Ongoing Targets Financial Services Technology Government Potential Targets? Energy Transportation Critical Infrastructure

8 RECENT DATA BREACHES Yahoo!, Inc. [September 2016] Yahoo admitted an unknown group hacked 500 million accounts in 2014 one of the largest number of user accounts hacked from a single website in history Verizon Enterprise Solutions [March 2016] Hackers stole contact information for 1.5 million customers AdultFriendFinder.com [October 2016] In an attack similar to the AshleyMadison attack, hackers stole data associated with 412 million accounts Jones Day

9 ANATOMY OF A DATA BREACH A major breach incident creates an immediate and urgent crisis similar to a natural disaster Requires decisive and coordinated action on several fronts with multiple constituencies Significant legal challenges include: Breach Notification Requirements Regulatory Investigations Class Action Litigation Insurance Coverage Jones Day

10 BREACH NOTIFICATION 47 out of 50 states require consumers to be notified if unencrypted Personal Information exposed. Some states also require notification to Attorney General. Personal Information is defined somewhat differently by the 50 states Generally includes a person s name in combination with other information that identifies a particular individual or permits contacting of an individual Jones Day

11 BREACH NOTIFICATION Decision must be made early, sometime under difficult circumstances Time to assess notice obligations? Risk of leaks or bloggers Factual or forensic uncertainty Decision has important ramifications Breach becomes public Increases costs Generates litigation and government involvement Jones Day

12 REGULATORY ENFORCEMENT Data breach can result in investigations by government agencies Federal, state, and foreign jurisdictions Government can issue subpoenas, demand documents, impose fines and penalties Claims include: Failure to implement sound security protocols Violation of company privacy policy Many states have data security statutes that require reasonable security procedures or other requirements Jones Day

13 REGULATORY ENFORCEMENT Federal Agencies Federal Trade Commission (FTC) Securities Exchange Commission (SEC) Department of Health and Human Services Office for Civil Rights (OCR) State Attorneys General Multi-state AG investigations -- common in major breaches Coordination between state/federal may not be optimal Jones Day

14 CLASS ACTION LITIGATION Breaches that involve customer or employee data often result in class action lawsuits Lawsuits typically allege: Company s negligent data security practices caused breach Injury to privacy rights due to release of personal information Heightened risk of identity theft Expenses for ID protection Company delay in notifying consumers Jones Day

15 CLASS ACTION LITIGATION Common Law Claims Statutory Claims Invasion of Privacy State Consumer Protection Statutes Negligent data security State Data Breach Acts Breach of contract / warranty Fraud / misrepresentation State Medical Privacy statutes Fair Credit Reporting Act Jones Day

16 CLASS ACTION LITIGATION Key legal issues include: Standing who sues for damages re data breach? out-of-pocket loss? Legal standard -- strict liability, negligence, something else? What are reasonable cybersecurity measures? Causation Can harm be traced to your breach? Defenses based on user agreement Waiver / Arbitration Clause Jones Day

17 BREACH COSTS/DAMAGES Response Costs Legal Claims Legal fees for breach response Forensic investigation Breach Notice ID protection/credit monitoring Class action defense costs and settlement Defense of government proceedings Government fines/penalties Card brand claims & assessments Business Losses Restoration of data Lost revenue/business interruption Extra expenses Reputational harm / loss of market share Jones Day

18 BREACH COSTS/DAMAGES Data breach costs continue to rise 2016 costs up 2.6% from 2015 costs Published estimates of average data breach costs vary Ponemon: $236 per compromised record (in the U.S.) Verizon : $0.58 per compromised record True costs will depend on certain key factors Degree of preparedness Personally Identifiable Information ( PII ) and disclosure requirements Class action litigation Market impact Insurance Coverage Jones Day

19 INSURANCE COVERAGE Major shifts insurance industry over the last decade Insurers broadened coverage under traditional insurance policies to provide some cyber protection during early days of the internet Today, insurers have reversed course Denying coverage under traditional insurance policies Adding exclusions and coverage limitations Marketing new forms of cyber insurance sets up a straw man Jones Day

20 CYBER INSURANCE COVERAGE Cyber Insurance policies cover five major categories of costs: Incident Response Coverage - cost of legal and forensic investigations, data restoration Privacy Notification Coverage - notice to customers, identity theft protection, credit monitoring Third-Party Liability Coverage - defense and settlement of claims alleging breach of data security or disclosure of PII Regulatory Coverage - defense and settlement of government claims and investigations First-Party Coverage - lost revenue and extra expense Jones Day

21 CYBER INSURANCE COVERAGE Cyber insurance market is not yet mature and policies may be inadequate Standard forms have not yet been developed. Policies are complex and have not yet been tested by the courts Policies are expensive and may require a high self-insured retention (SIR) Numerous exclusions that limit coverage Notification and consent requirements (for counsel, consultants, and major costs) create pitfalls for the uninformed policyholder Jones Day

22 Traditional Coverage for a Data Breach?? Property Insurance Crime Insurance/Fidelity Bond CGL Insurance Policies D&O/Professional Liability Insurance Policies

23 Lawsuits that Follow Data Breach/Invasion of Privacy Invasion of privacy Negligence and other tort claims Breach of contract Enforcement actions by federal regulators Actions by State Attorneys General Can res ult in (1) s ubs tantial defens e cos ts ; and (2) pos s ible damages /s ettlements 23

24 Coverage for the Follow-on Lawsuits -- Data Breach/Invasion of Privacy Commercial General Liability (CGL) Errors and Omissions (E&O) Liability Directors and Officers (D&O) Liability Cyber Liability/Data Breach Policies

25 Traps to Avoid First Party Property Policies Notice of loss Proof of loss When and how? At the Company s request? Partial Proof/interim payment Suit limitation clause Tolling agreement/waiver

26 Traps to Avoid - Liability Policies Notice Give notice as soon as practicable v. immediately; but give notice of what? Notice of claim/notice of circumstances to lock in a specific policy period (typically claims made policies) Cooperation Clause/Claims Management What should you be sending the insurer? Insurance Company Consent/Approval For expenses, defense costs and settlements Is it in writing?

27 Insurance Policy Conditions Traps to Avoid Notice is not like wine, it does not get better with age!

28 What Triggers the First Party Property Policies for Data Breaches? First Party Property Policies Direct physical loss of or damage to property Exclusions: computer data -- in or out? Date of discovery -- Crime Insurance/Fidelity Bond 6th Circuit decision in DSW Inc. (Aug 2012) Note: does your policy specifically include coverage?

29 What Triggers the Liability Policies for Data Breach/Invasion of Privacy Claims? CGL Policies Bodily Injury and Property Damage Personal and Advertising Injury Oral or written publication, in any manner, of material that violates a person's right of privacy Covered Offense Invasion of Privacy During the Policy Period Publication

30 What Triggers the Liability Policies for Data Breach/Invasion of Privacy Claims? Claims-Made Policies D&O, E&O/Professional Liability Breadth of your D&O entity coverage Private company v. public company: what are the differences?

31 What Triggers the Liability Policies for Data Breach/Invasion of Privacy Claims? Claims-Made Policies (cont.) Breadth of "Claim" definition - What is included? FTC action/proceeding? What kind? Subpoena? Investigations? "Wrongful Act" definition -- error, omission and/or act; does it need to be negligent? "Loss" Definition -- does the definition list specific ins and outs?

32 What Triggers the Liability Policies for Data Breach/Invasion of Privacy Claims? Claims-Made Policies (cont.) Breadth of exclusions -- willful, malicious and/or criminal acts? Whose willful, malicious and/or criminal acts? Interrelated claims/interrelated wrongful acts -- Where does this claim go? Whose policy is triggered? Tension between interrelated claims/wrongful acts, Claim definition, exclusions and notice

33 INSURANCE TAKEAWAYS Insurers appear to be paying cyber claims for now Market is growing while insurers compete for market share Opportunities for policyholders to improve coverage through smart and focused approach during renewal process Understand your existing policy and its limitations Understand which terms matter most in the event of a breach Seek targeted changes that will enhance coverage Jones Day

34 INSURANCE TAKEAWAYS Cyber and data breach claim require proactive insurance strategy with early engagement. Initial action should include: 1. Review relevant policies and develop strategic plan which policies apply, what losses are covered, what steps must be taken 2. Integrate insurance strategy into overall response efforts 3. Identify and track breach-related costs 4. Maintain active, ongoing communication with insurers 5. Added: Maintain active communication with your internal CISO and/or IT Organization

35 Questions?

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING 2015 Verizon Data Breach Report 79,790 security incidents 2,122 confirmed data breaches Top industries affected: Public, Information,