August 2008
Authors:
David T. Case, +1.202.778.9084, david.case@klgates.com
Julia Reynolds Johnson, +1.202.778.9227, julia.johnson@klgates.com
Becky Lobenherz, +1.202.778.9357, becky.lobenherz@klgates.com
K&L Gates comprises approximately 1,700 lawyers in 28 offices located in North America, Europe and Asia, and represents capital markets participants, entrepreneurs, growth and middle market companies, leading FORTUNE 100 and FTSE 100 global corporations and public sector entities. For more information, visit www.klgates.com.
As cyber attacks become a more serious threat, many companies are looking at traditional and newer types of insurance policies to determine whether they cover the costs associated with data breaches, business interruption and damaged reputations. Certain issues relating to coverage for cyber risks are addressed below and in a recent TV interview of two of the authors of this Alert.
Increasingly, companies rely on the Internet and computer technology to conduct business, make transactions and store sensitive information. As technology becomes more prevalent in the workplace, however, the potential losses from failures or breaches of this technology become far greater.
Modern businesses must contend with cyber risks as varied as data breaches due to hackers or rogue employees and business interruptions from computer viruses and overloaded servers. Federal officials just announced that a group of hackers installed “sniffer” programs, which capture credit card numbers, passwords and other account information, at a number of large U.S. retailers. The hackers reportedly stole more than 40 million credit and debit card numbers.
Other recent high-profile data breaches include the theft of PIN information from Citibank ATMs[1] and the theft of four million customer account numbers from the Hannaford Brothers chain of supermarkets.[2] Many companies, including Yahoo! Inc. and E*Trade Financial Corp., have suffered denial of service attacks that overloaded the servers for their websites.[3] Although no data or consumer information was compromised, the costs from the long service interruptions were substantial.
Internet crime, in the form of phishing schemes (a culprit poses as a legitimate business to obtain confidential information), pharming schemes (a thief redirects web traffic from a legitimate site to a sham website to defraud site users), theft and extortion, also has increased. Even accidental exposure of data or loss of data from technological malfunctions can lead to substantial losses. For example, the Ponemon Institute, a think tank on privacy management practices, estimates that the average data breach will cost a company $6.3 million.[4]

Also, a cyber attack may cause losses due to reputational damage, litigation costs, notification expenses and fines. In 2005, ChoicePoint, a company that collects personal data such as credit histories and social security numbers, made national headlines when it sold 145,000 customer records to criminals posing as a legitimate business. Its losses included payment of a $15 million fine to the Federal Trade Commission (“FTC”) and a multimillion dollar decrease in market capitalization.[5]

* The authors would like to thank Todd Nunn of the Seattle office of K&L Gates for his assistance.

[1] Robertson, Jordan. “ATM breach highlights security problems,” Associated Press, July 2, 2008, available at http://www.msnbc.msn.com/id/25495280.
[2] Canfield, Clarke. “Supermarket data breach still unsolved,” Associated Press, Mar. 18, 2008, available at http://www.msnbc.msn.com/id/23698169.
[3] Yasin, Rutrell. “New weapons in the war against DoS attacks,” TechRepublic, Dec. 6, 2002, available at http://www.builderau.com.au/strategy/businessmanagement/soa/New-weapons-in-the-war-against-DoS-attacks/0,339028271,320265898,00.htm?feed=pt_yahoo.
[4] Ponemon Institute, “2007 Annual Study: Cost of a Data Breach,” 2007, summary of results available at http://www.ponemon.org/press/PR_Ponemon_2007-COB_071126_F.pdf.
In the event that confidential data is exposed as a result of a cyber attack, a company will want to determine its legal obligations arising out of the data breach. On the federal level, several privacy laws create notice requirements for specific industries when there is a release of protected information. For instance, the Gramm-Leach-Bliley Act concerns the requirements for financial institutions when confidential consumer information is released.[6] The Health Insurance Portability and Accountability Act, which protects healthcare information, and the Children’s Online Privacy Act, which protects online information about children, create similar reporting burdens.[7]

Along with federal privacy laws, the vast majority of states have laws requiring additional notice to affected individuals and state officials following a breach. A company may also face regulatory action, including investigations and fines, by agencies such as the FTC.
Losses from cyber attacks may be averted or minimized through appropriate risk management.
Security measures such as the encryption of data, employee screening, regular virus scanning and the use of security management software all help to reduce the frequency and severity of cyber attacks. When combined with data recovery plans and a consumer notification protocol, these measures may be effective in lowering costs associated with online business.
Companies also may look to insurance to provide further protection against cyber threats. Of note, many of the above-mentioned security controls may be necessary to obtain insurance coverage, and a security analysis may be required before insurance is granted.[8]
Companies may want to review their existing insurance policies to assess whether cyber risks are covered. For example, most companies procure comprehensive general liability (“CGL”) policies. Depending on the nature of the cyber attack and resulting losses, a company may be able to argue that damages should be covered as “property damage” or as “personal or advertising injury” under the CGL policy. But insurers may raise certain coverage defenses and, increasingly, they are adding purported exclusions for Internet- and technology-related damages to CGL policies.
Also, a company’s directors’ and officers’ liability (“D&O”) insurance may cover certain costs associated with a data breach or service interruption. For many technology companies, errors and omissions liability (“E&O”) insurance may cover professional liability due to software or performance issues. First-party property insurance, which covers damage to the insured’s property, may apply to property damage and business interruption losses, although insurers may argue that damaged data is not covered.
Because traditional insurance policies may not cover certain types of cyber risks, many companies may want to consider purchasing an insurance policy specifically designed to cover cyber risks. Policies covering cyber risks are offered by many major insurance companies, including AIG, CNA, Hartford, Chubb, Travelers, Liberty International, SafeOnline and Lloyds.[9]

[5] Jones, Michael E. “Data Breaches: Recent Developments in the Public and Private Sectors,” J. L. & Pol’y for Info. Soc’y, 556, 579 (Winter 2007-2008).
[6] See Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), as codified at 15 U.S.C. § 6801-09.
[7] Jones, Michael E. “Data Breaches: Recent Developments in the Public and Private Sectors,” J. L. & Pol’y for Info. Soc’y, 555, 567 (Winter 2007-2008).
[8] Drouin, Denis. SANS Institute, “Cyber Risk Insurance: A Discourse and Preparatory Guide,” Feb. 9, 2004 at 26.
Some insurers offer policies covering general Internet crime liability, which extends general coverage to e-business activities. Other insurers offer network security liability insurance, which includes coverage for the unauthorized access to, or theft of, data. Policies may cover first-party risks (such as an interruption of the insured’s business because of a hacker attack) or third-party claims (such as damage caused to another through the transmission of a computer virus), but usually not both.
The terms of such policies vary considerably, and companies may want to consult with their brokers and insurance coverage counsel to obtain the most appropriate coverage. A number of issues should be considered. Does the policy cover losses caused by employees, hackers, or both? Does the policy cover regulatory investigations? Are there sub-limits of liability for different coverages and, if so, are they adequate? Does the policy offer worldwide coverage?
Although many companies previously considered the benefits of cyber coverage not to be worth the cost, it appears that more companies are procuring such coverage to protect against cyber risks. Also, the SANS Institute, an information security research and education organization, notes that premiums are changing over time.[10] As cyber risks increase, it seems likely that more companies are considering the purchase of cyber risk policies.

[9] Further information regarding such policies may be obtained from these companies or insurance brokers.
[10] Drouin, Denis. SANS Institute, “Cyber Risk Insurance: A Discourse and Preparatory Guide,” Feb. 9, 2004 at 26.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.
©1996-2008 K&L Gates LLP. All Rights Reserved.