What Your Company Needs to Know about Cybersecurity June 6, 2013

© Copyright 2013 by K&L Gates LLP. All rights reserved.
Introductions
Roberta D. Anderson, Insurance Coverage Partner
David A. Bateman, Internet & Technology Law Partner
klgates.com
Bruce J. Heiman, Information Technology Policy Partner
I. Managing Attacks on Company Information, Technology, Data and Infrastructure
The Spectrum of Cyber Attacks
Advanced Persistent Threats (“APT”)
Data Breach and Malware
Denial of Service attacks (“DDoS”)
Domain name hijacking
Corporate impersonation and Phishing
Employee mobility and disgruntled employees
Lost or stolen laptops and mobile devices
Inadequate security and systems: first party and third-party vendors
Advanced Persistent Threats
targeted, persistent, evasive and advanced
nation state sponsored
P.L.A. Unit 61398
“Comment Crew”
Advanced Persistent Threats
United States Cyber Command and director of the National Security Agency, Gen. Keith B. Alexander, has said the attacks have resulted in the “greatest transfer of wealth in history.”
Source: New York Times, June 1, 2013.
Advanced Persistent Threats
Penetration: Spear Phishing
67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack.*
Duration:
average = 356 days**
Discovery: External Alerts
55 percent are not even aware of intrusions*
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”
Advanced Persistent Threats
Target Profiles
Industry:
Information Technology
Aerospace
Telecom/Satellite
Energy
Engineering/Research/Defense
Chemical/Pharma
Activities:
Announcements of China deals
China presence
The Practical Risks of Cyber Attacks
Loss of “crown jewels,” IP and trade secrets
Compromise of customer information, credit cards and other PII
Loss of web presence and online business
Interception of email and data communications
Loss of customer funds and reimbursement of charges
Supply chain disruption and outright theft
Brand tarnishment
Collateral damage
Legal and regulatory complications
II. Understanding Legal and Regulatory Risk
II. LEGAL & REGULATORY RISKS
Bad News
No system of prevention is perfect.
There will be a data breach.
Good News
The Law doesn’t require perfection!
Reasonable prevention measures
Compliance with specified procedures to mitigate harm
III. Government Regulations and Legislation
III. APPLICABLE LEGISLATION & REGULATION
We will cover
FTC Act
States’ data breach laws
GLBA
HIPAA
NIST standards
Possible CI standards
Federal: FTC Enforcement & General Standard for Protecting Personal Information
Enforcement of company commitments
Reasonable Administrative, Technical, Physical Safeguards appropriate for the …
• Size and complexity of company
• Nature and scope of activities
• Sensitivity of personal information
What is Personally Identifiable Information Needing Protection?
Name
Address
DOB
Email
Telephone number
SSN
Bank account, credit card numbers
Processor serial number
What Are Reasonable Measures?
FTC has focused on process in numerous consent decrees
Designate responsible employee
Identify reasonable foreseeable risks
• Employee training
• Information systems
• Prevention, detection, response
Safeguards -- design & implement, test & monitor
Selection & retention of service providers
Evaluate and adjust
Independent assessments
Additional Guidance from HIPAA
Administrative
• Security management
• Security personnel
• Workforce training
• Evaluation
Physical
• Facility access & control
• Workstation/Device Security
Technical
• Access
• Audit
• Rule based access to info
• Integrity
• Transmission
States: General Standard for Preventing Data Breaches
Data breach statutes focus on responding to breaches
impacting residents of that state
But almost all include security requirements
Mostly some version of reasonable security measures
States: General Standard for Responding to Data Breaches
What is a breach
Duty to investigate
What constitutes a reportable breach
When do you have to report
Who to notify
How to notify
What does the notice have to say
Federal Requirements of a Breach
GLBA and HIPAA have similar requirements to states
• But recent HIPAA amendments adopt more stringent requirements than GLBA on …
• What is a breach
• Reportable breach
• When mass notice required
Also, must consider possible violations of the export control and arms control laws
Selling to the Government …
Compliance with NIST Standards
Federal agencies must meet security standards
De facto requirements for contractors
Sets baseline security controls
Requires adjustment and supplementing based on risk assessment
Just completed 4th revision adopts holistic view, increases focus on privacy, and addresses new issues
• mobile and cloud computing
• insider threats
• applications security
• supply chain risks
• advanced persistent threat
• trustworthiness, assurance, and resilience of information systems
Possible Standards for Owners/Operators of “Critical Infrastructure”
February Executive Order 13636
• CI: Incapacity or destruction would have debilitating impact
o Not commercial IT products or consumer IT services
• NIST Lead “Cybersecurity Framework”
• Incorporate voluntary consensus standards and industry best practices
o International
o No tech mandates
Legislative proposals
• Arguably define CI more broadly
• Adopt greater regulatory approach
o Government (FTC/DHS) sets standards
• Mandates > incentives
IV. Litigation Risks and Case Developments
Class Action exposure – Data Breach and Privacy Claims
In Re LinkedIn User Privacy Litigation (N.D. Cal. 2013) (“abstract” harm leads to dismissal)
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (“credible threat of real and immediate harm”)
Grigsby v. Valve Corp. (W.D. Wash. 2013) (promises of security overvalued services)
Class Action exposure – securities litigation
In re Heartland Payment Systems, Inc. (D.N.J. 2009) (80% stock drop leads to derivative suit)
Agency Enforcement
FTC v. Wyndham Hotels (D. Ariz. 2012) (2 year Russian hacking)
FTC v. RockYou, Inc. (N.D. Cal. 2012) (hackers access PII of 32 million users)
Mass. v. South Shore Hospital (AG enforcement; $750k settlement)
Indiana v. Wellpoint, Inc. (AG enforcement; $100k settlement)
V. SEC Disclosure of Cybersecurity Risks
SEC Division of Corporation Finance issued guidance on cybersecurity disclosures.
The guidance in essence states that appropriate disclosures may include four things:
material cybersecurity risks—both internal risks and risks from outsourced functions
cyber incidents, which individually or in the aggregate pose material risk or cost
risks of material cyber incidents that may remain undetected for an extended period
a “[d]escription of relevant insurance coverage” for cyber risks
VI. Insurance Coverage for Cyber Risks
Potential coverage under “traditional” third-party CGL policies
Potential coverage for claims alleging damage to, or loss of use of, third-party data, computers or computer systems (“Coverage A”)
Potential coverage for data breach and other claims alleging violation of a right to privacy (“Coverage A” and “Coverage B”)
Potential coverage for misappropriation and infringement claims
Coverage A
SECTION I – COVERAGES
COVERAGE A – BODILY INJURY AND PROPERTY DAMAGE LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
*****
15. "Property damage" means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the "occurrence" that caused it.
ISSUE: Is data “tangible property” that can suffer “physical injury”?
Some courts have found coverage
Retail Systems, Inc. v. CNA Ins. Co., 469 N.W.2d 735, 737 (Minn. Ct. App. 1991) (“data on the tape was of permanent value and was integrated completely with the physical property of the tape … the computer tape and data are tangible property”)
Computer Corner, Inc. v. Fireman's Fund Ins. Co., No. CV97-10380, slip op. at 3-4 (2d Dist. Ct. N.M. May 24, 2000) (“computer data is tangible property”)
ISSUE: Is data “tangible property” that can suffer “physical injury”?
Some courts have rejected coverage
America Online Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 467, 468-69 (E.D. Va. 2002) (“the Policy does not cover damage to computer data, software and systems because such items are not tangible property”)
State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F.Supp.2d 1113, 1116 (W.D. Okla. 2001) (“Alone, computer data cannot be touched, held, or sensed by the human mind; it has no physical substance. It is not tangible property.”)
Potential additional hurdles to coverage
“Property damage” definition (ISO 2001 and later forms)
“Electronic Data” exclusion (ISO 2004 and later forms)
“Property damage” definition
17. "Property damage" means:
a. Physical injury to tangible property, including all
resulting loss of use of that property. All such
loss of use shall be deemed to occur at the time
of the physical injury that caused it; or
b. Loss of use of tangible property that is not
physically injured. All such loss of use shall be
deemed to occur at the time of the "occurrence"
that caused it.
For the purposes of this insurance, electronic data is
not tangible property.
As used in this definition, electronic data means
information, facts or programs stored as or on, created
or used on, or transmitted to or from computer
software, including systems and applications software,
hard or floppy disks, CDROMs, tapes, drives, cells,
data processing devices or any other media which are
used with electronically controlled equipment
“Electronic Data” Exclusion
2. Exclusions
This insurance does not apply to:
*****
p. Electronic Data
Damages arising out of the loss of, loss of use
of, damage to, corruption of, inability to access,
or inability to manipulate electronic data.
However, this exclusion does not apply to liability for
damages because of "bodily injury".
As used in this exclusion, electronic data means
information, facts or programs stored as or on,
created or used on, or transmitted to or from
computer software, including systems and
applications software, hard or floppy disks,
CDROMs, tapes, drives, cells, data processing
devices or any other media which are used with
electronically controlled equipment.
Potential avenues to coverage
Coverage may be added through endorsement
ISO “Electronic Data Liability Endorsement” adds “electronic data” back to the definition of “property damage”
Coverage may have been purchased through the ISO “Electronic Data Liability Coverage Form”
ISO pre-2001 forms do not except “electronic data” from the definition of “property damage” and do not exclude “electronic data”
Even recently issued policies may not contain such exceptions or exclusions
Zurich American Ins. Co., et al. vs. Sony Corp. of America, et al., No. 651982/2011 (N.Y. Sup. Ct. New York Cty.)
Even when the policy contains an exclusion, there may be coverage if a suit alleges damage to or loss of use of a computer or computer systems
Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)
The underlying suit alleged injury to the plaintiff’s “computer, software, and data after he visited [the insured’s] website.” The definition of “tangible property” excluded “any software, data or other information that is in electronic form”
The court held that the insurer was obligated to defend the insured because the complaint alleged “loss of use of tangible property that is not physically injured” under the second prong of the “property damage” definition
Potential coverage for data breach and other claims alleging violation of a right to privacy
ISO “Coverage A”
ISO “Coverage B”
ISO “Coverage A”
SECTION I – COVERAGES
COVERAGE A – BODILY INJURY AND PROPERTY DAMAGE LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
*****
3. "Bodily injury" means bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.
“Electronic Data” exclusion
2. Exclusions
This insurance does not apply to:
*****
p. Electronic Data
Damages arising out of the loss of, loss of use
of, damage to, corruption of, inability to access,
or inability to manipulate electronic data.
However, this exclusion does not apply to
liability for damages because of "bodily injury".
As used in this exclusion, electronic data means
information, facts or programs stored as or on,
created or used on, or transmitted to or from
computer software, including systems and
applications software, hard or floppy disks,
CDROMs, tapes, drives, cells, data processing
devices or any other media which are used with
electronically controlled equipment.
ISO “Coverage B”
COVERAGE B – PERSONAL AND ADVERTISING INJURY LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "personal and advertising injury" to which this insurance applies.
*****
14. "Personal and advertising injury" means injury including consequential "bodily injury", arising out of one or more of the following offenses:
*****
e. Oral or written publication, in any manner, of material that violates a person's right of privacy;
ISSUE: Has there been a “publication” that violates a “right of privacy”?
Some courts have found coverage
Park Univ. Enters., Inc. v. American Cas. Co. of Reading, PA, 442 F.3d 1239, 1250 (10th Cir. 2006) (Kansas law) (“the [district] court correctly determined that in layman's terms, ‘[t]he plain and ordinary meaning of privacy includes the right to be left alone.’ … We likewise agree with the district court's broad construction of the term ‘publication’ in favor of [the insured]”)
Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460, at *5 (D. Md. 2007) (Maryland law) (“Of the circuits to examine ‘publication’ in the context of an ‘advertising injury’ provision, the majority have found that the publication need not be to a third party.”)
ISSUE: Has there been a “publication” that violates a “right of privacy”?
Some courts have rejected coverage
Resource Bankshares Corp. v. St. Paul Mercury Ins. Co., 407 F.3d 631, 642 (4th Cir. 2005) (Virginia law) (“[T]he TCPA's unsolicited fax prohibition protects ‘seclusion’ privacy, for which content is irrelevant. Unfortunately for [the insured], it did not buy insurance policies for seclusion damages; instead, it insured against, among other things, damages arising from violations of content-based privacy.”)
Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 2012 WL 469988, at *6 (Conn. Super. Ct. Jan. 17, 2012) (no coverage for loss of employee information because “there [wa]s no evidence of communication to a third party”)
Potential hurdles to coverage
Exclusions relating to internet activities and breach of privacy-related laws
“Insureds In Media And Internet Type Businesses”
“Electronic Chatrooms Or Bulletin Boards”
“Recording And Distribution Of Material Or Information In Violation Of Law”
New 2013 ISO “Amendment Of Personal And Advertising Injury Definition” endorsement
“Insureds In Media And Internet Type Businesses”
2. Exclusions
This insurance does not apply to:
*****
j. Insureds In Media And Internet Type
Businesses
"Personal and advertising injury" committed by an
insured whose business is:
(1) Advertising, broadcasting, publishing or
telecasting;
(2) Designing or determining content of web sites
for others; or
(3) An Internet search, access, content or service
provider.
However, this exclusion does not apply to
Paragraphs 14.a., b. and c. of "personal and
advertising injury" under the Definitions section.
For the purposes of this exclusion, the placing of
frames, borders or links, or advertising, for you or
others anywhere on the Internet, is not by itself,
considered the business of advertising,
broadcasting, publishing or telecasting.
“Electronic Chatrooms Or Bulletin Boards”
2. Exclusions
This insurance does not apply to:
*****
k. Electronic Chatrooms Or Bulletin Boards
"Personal and advertising injury" arising out of an
electronic chatroom or bulletin board the insured
hosts, owns, or over which the insured exercises
control.
“Distribution Of Material Or Information In Violation Of Law”
2. Exclusions
This insurance does not apply to:
*****
"Personal and advertising injury" arising directly or
indirectly out of any action or omission that violates or
is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA),
including any amendment of or addition to such
law;
(2) The CAN-SPAM Act of 2003, including any
amendment of or addition to such law;
(3) The Fair Credit Reporting Act (FCRA), and any
amendment of or addition to such law, including
the Fair and Accurate Credit Transactions Act
(FACTA); or
(4) Any federal, state or local statute, ordinance or
regulation, other than the TCPA, CAN-SPAM Act of
2003 or FCRA and their amendments and
additions, that addresses, prohibits, or limits the
printing, dissemination, disposal, collecting,
recording, sending, transmitting, communicating or
distribution of material or information.
“Amendment Of Personal And Advertising Injury Definition”
This endorsement modifies insurance provided under the
following:
COMMERCIAL GENERAL LIABILITY COVERAGE PART
With respect to Coverage B Personal And
Advertising Injury Liability, Paragraph 14.e. [“Oral or written
publication, in any manner, of material that violates a person's
right of privacy”] of the Definitions section does not apply.
Potential coverage for misappropriation and infringement claims
ISO “Coverage B”
ISO “Coverage B”
COVERAGE B – PERSONAL AND ADVERTISING INJURY LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "personal and advertising injury" to which this insurance applies.
*****
14. "Personal and advertising injury" means injury including consequential "bodily injury", arising out of one or more of the following offenses:
*****
f. The use of another's advertising idea in your "advertisement"; or
g. Infringing upon another's copyright, trade dress or slogan in your "advertisement".
“Advertisement” (1998 and subsequent ISO forms)
SECTION V – DEFINITIONS
1. "Advertisement" means a notice that is broadcast or
published to the general public or specific
market segments about your goods, products
or services for the purpose of attracting
customers or supporters. For the purposes of this
definition:
a. Notices that are published include material
placed on the Internet or on similar electronic
means of communication; and
b. Regarding web sites, only that part of a web site
that is about your goods, products or services for
the purposes of attracting customers or
supporters is considered an advertisement.
“Advertisement” (1996 and prior ISO forms)
SECTION V – DEFINITIONS
1. "Advertising injury" means injury arising out of one
or more of the following offenses:
a. Oral or written publication of material that
slanders or libels a person or organization or
disparages a person's or organization's goods,
products or services;
b. Oral or written publication of material that violates
a person's right of privacy;
c. Misappropriation of advertising ideas or style
of doing business; or
d. Infringement of copyright, title or slogan.
ISSUE: Has there been an “advertisement”?
May turn on the relevant definition
Oglio Entm't Group, Inc. v. Hartford Cas. Ins. Co., 132 Cal.Rptr.3d 754, 763 (Cal. Ct. App. 2011) (“There is no description of any advertisement used by [the insured] … This is especially clear, given that the policy defines advertisement as the widespread dissemination of information or images with the purpose of selling a product[.]”) (1998 and prior language)
Sentex Systems, Inc. v. Hartford Acc. & Indem. Co., 93 F.3d 578 (9th Cir. 1998) (“Hartford's principal contention is that the district court erred … because ‘advertising injury,’ defined in part in the policy as arising out of the ‘misappropriation of advertising ideas,’ includes only alleged wrongdoing that involves the text, words, or form of an advertisement. This policy's language … does not limit itself to the misappropriation of an actual advertising text. It is concerned with ‘ideas,’ a broader term.”)
Potential hurdles to coverage
Same “Coverage B” exclusions discussed in the previous
section
Additional exclusions
“Knowing Violation Of Rights Of Another”
“Unauthorized Use Of Another's Name Or Product”
“Knowing Violation Of Rights Of Another”
2. Exclusions
This insurance does not apply to:
*****
a. Knowing Violation Of Rights Of Another
"Personal and advertising injury" caused by or at the
direction of the insured with the knowledge that the
act would violate the rights of another and would
inflict "personal and advertising injury".
“Unauthorized Use Of Another's Name Or Product”
2. Exclusions
This insurance does not apply to:
*****
l. Unauthorized Use Of Another's Name Or Product
"Personal and advertising injury" arising out of the unauthorized use of another's name or product in your e-mail address, domain name or metatag, or any other similar tactics to mislead another's potential customers
Potential coverage under “traditional” first-party property policies
Potential coverage for loss of data, computers or computer systems
Potential coverage for “time element” losses
Business interruption
Extra expense
Potential coverage for loss of data, computers or computer systems
The 2007 standard-form ISO commercial property policy covers “direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.”
Such policies may be in the form of broadly worded “all risk,” “difference in conditions,” “multiperil” or “inland marine” policies.
Potential coverage for “time element” losses
“Business Interruption” coverage generally reimburses the insured for its loss of earnings or revenue resulting from covered property damage.
ISO’s “Business Income (and Extra Expense) Coverage Form” covers the loss of net profit and operating expenses that the insured “sustain[s] due to the necessary ‘suspension’ of [the insured’s] ‘operations’ during the ‘period of restoration.’”
“Extra Expense” coverage generally covers the insured for certain extra expenses incurred to minimize or avoid business interruption and to resume normal operations.
ISO’s form covers “Extra Expense” to “[a]void or minimize the ‘suspension’ of business and to continue operations at the described premises or at replacement premises or temporary locations….”
ISSUE: is there “direct physical loss of or damage”?
See cases above
A couple of other examples
NMS Services Inc. v. Hartford, 62 Fed.Appx. 511, 514 (4th Cir. 2003) (upholding coverage for business interruption and extra expense, finding “no question that [the insured] suffered damage to its property.”)
Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W.3d 16, 23, 25 (Tex. App. Ct. 2003) (finding that “the personal property losses alleged by Lambrecht were ‘physical’ as a matter of law” and holding that “the business income [the insured] lost as a result of the virus [wa]s covered under the policy.”)
Potential limitations to coverage
Some standard forms seek to shift data loss from the principal coverage grant by excluding electronic data from the definition of “Covered Property” and instead providing coverage under “additional coverage” that may be subject to relatively low—presumptively inadequate—coverage sublimits
2007 ISO Commercial Property Form excepts “electronic data” from the definition of “Covered Property” and provides coverage under an “Additional Coverage” that is limited to “$2,500 for all loss or damage sustained in any one policy year….”
2007 ISO standard-form Business Income (and Extra Expense) Coverage Form excludes coverage for electronic data under the main coverage part and provides coverage under an “Additional Coverage” subject to a $2,500 limit for “all loss sustained and expense incurred in any one policy year….”
Potential coverage under other “traditional” policies
Directors’ and Officers’ (D&O)
Errors and Omissions (E&O)
Employment practices liability (EPL)
Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010) (Network Technology E&O policy)
Professional liability
Fiduciary
Crime
Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (blanket crime policy)
New “Cyber” Policies
There will be gaps in “traditional programs”
“Cyber” coverage can be extremely valuable
Types of coverages offered by many insurers
Third-Party Coverages
Privacy And Network Security
Media Liability
Regulatory Liability
First-Party Cyber Coverage
Damage To Computer Systems
Business Interruption And Extra Expense
Remediation
Extortion
Types of claims and losses that may be covered:
In the event of a data breach
defense and indemnity costs associated with third-party claims against a company
response costs associated with post-breach remediation, including notification requirements, credit monitoring, call centers, public relations efforts, forensics and crisis management
regulatory investigations, fines and/or penalties
misappropriation of intellectual property or confidential business information
the receipt or transmission of malicious code, DoS attacks, and other security threats to networks
the cost to restore or recover data that is lost or damaged
business interruption
extortion from cyber attackers who have stolen data
New “Cyber” Policies
Come under names like “Privacy and Security,” “Network
Security,” and names that incorporate “Cyber,” “Privacy,”
“Media” or some form of “Technology” or “Digital”
As noted, they can be extremely valuable
But they are like snowflakes
This makes successful placement a real challenge
We will end with some tips for a successful placement
Privacy And Network Security
Typically covers against liability from data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
I. INSURING AGREEMENTS.
(A) Data Privacy and Network Security Liability Insurance
We will pay Damages and Defense Costs on behalf of the Insured which the Insured shall become legally obligated to pay as a result of a Claim … alleging a Data Privacy Wrongful Act or a Network Security Wrongful Act by the Insured[.]
Data Privacy Wrongful Act
“Data Privacy Wrongful Act” is defined to include “any negligent act, error or omission by the Insured that results in: the improper dissemination of Nonpublic Personal Information” or “any breach or violation by the Insured of any Data Privacy Laws.”
“Nonpublic Personal Information” is defined as a natural person’s first name and last name combination with a social security number, medical or healthcare information or data, financial account information that would permit access to that individual’s financial account; or a natural person’s information that is designated as private by a Data Privacy Law.
“Data Privacy Laws” is defined to include “any Canadian or U.S., federal, state, provincial, territorial and local statutes and regulations governing the confidentiality, control and use of Nonpublic Personal Information including but not limited to” key laws.
Network Security Wrongful Act
“Network Security Wrongful Act” is defined to include “any negligent act, error or omission by the Insured resulting in Unauthorized Access or Unauthorized Use of the Organization’s Computer System, the consequences of which include, but are not limited to:
(1) the failure to prevent Unauthorized Access to, use of, or tampering with a Third Party’s computer systems;
(2) the inability of an authorized Third Party to gain access to the Insured’s services;
(3) the failure to prevent denial or disruption of Internet service to an authorized Third Party;
(4) the failure to prevent Identity Theft or credit/debit card fraud; or
(5) the transmission of Malicious Code.
Media Liability
Typically covers against liability from claims for alleging
infringement of copyright and other intellectual property rights
and misappropriation of ideas or media content
I. INSURING AGREEMENTS.
(B) e-Media Liability Insurance
We will pay Damages and Defense
Costs on behalf of the Insured
which the Insured shall become
legally obligated to pay as a result of
a Claim … alleging an e-Media
Wrongful Act by the Insured[.]
V. Insurance Coverage For Cyber Risks
“e-Media Wrongful Act”
“e-Media Wrongful Act” is defined to include “any negligent act,
error or omission by the Insured that results in the following:
(1) infringement of copyright, service mark, trademark, or
misappropriation of ideas or any other intellectual property right,
other than infringement of patents or trade secrets; defamation,
libel, product disparagement, trade libel, false arrest, detention or
imprisonment, or malicious prosecution, infringement or
interference with rights of privacy or publicity; wrongful entry or
eviction; invasion of the right of private occupancy; and/or
plagiarism, misappropriation of ideas under implied contract,
invasion or other tort related to disparagement or harm to the
reputation or character of any person or organization in the
Insured Entity’s Electronic Advertising or in the Insured Entity’s
Advertising; or
(2) misappropriation or misdirection of Internet based messages or
media of third parties on the Internet by the Insured, including
meta-tags, web site domains and names, and related cyber
content.
V. Insurance Coverage For Cyber Risks
Regulatory Liability
Many “third-party” cyber risk policies include defense and
indemnity coverage for claims for civil, administrative or
regulatory proceedings, fines and penalties
V. Insurance Coverage For Cyber Risks
Damage To Computer Systems
“First-party” cyber coverage may include damage to or
theft of the insured’s own computer systems and hardware,
and may cover the cost of restoring or recreating stolen or
corrupted data.
V. Insurance Coverage For Cyber Risks
Business Interruption And Extra Expense
Coverage for business interruption and extra expense
caused by malicious code (viruses, worms, Trojans,
malware, spyware, etc.), DDoS attacks, unauthorized
access to, or theft of, information, and other security
threats to networks.
V. Insurance Coverage For Cyber Risks
Remediation
costs associated with post-data breach notification—
notification required by regulation and voluntary notification
credit monitoring services
forensic investigation to determine the existence or cause
of a breach
public relations efforts and other “crisis management”
expenses
legal services to determine an insured’s indemnification
rights where a third party’s error or omission has caused
the problem
V. Insurance Coverage For Cyber Risks
Extortion
Cyber policies often cover losses resulting from extortion
(payments of an extortionist’s demand to prevent network
loss or implementation of a threat)
V. Insurance Coverage For Cyber Risks
Beware The Fine Print
Where We Can Help
Our Cyber Law and Cybersecurity Approach
Prevent and deter attacks
Provide advice on the security standards recognized by the USG and by industry
standard-setting organizations
Assist in drafting security policies and procedures
Training and employee education
Prophylactic domain name registration
Aggressively pursue perpetrators
Experienced cyber-forensic investigation team and lab
Civil litigation to unmask perpetrators
Collaboration with law enforcement
Respond to problems
Advice on best practices and policies to establish to manage an identified attack
Assistance in responding to an active attack (K&L Gates Rapid Response Team)
Help in responding to a data breach after the fact
Our Cyber Law and Cybersecurity Approach
Avoid liability
Review of company's cybersecurity policies and standards
Ensure physical, administrative and technical measures are reasonable
Review of company’s data breach policies and procedures against applicable state,
federal and international laws
Review of contractual provisions
Partner, customer, employee
Review of SEC reporting
Advice on establishing best practices
Assess litigation exposure
another company's proprietary or confidential information accessed
consumer class action
Mitigate risk and loss through insurance
We counsel clients regarding insurance coverage for data security breach liability
Traditional policies may respond to cyber liabilities, but there are limitations
New “cyber” insurance products can be valuable as part of a company’s overall strategy to
mitigate cyber risk
Questions