About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Friday, July 24, 2015

Neiman Marcus Data Breach Decision Portends Greater Risk for NW Companies, Need for Cyber Coverage

Earlier this week the Seventh Circuit Court of Appeals, in Illinois, issued a momentous decision for those of us who keep tabs on data breach litigation nationwide.  The decision in Remijas v. Neiman Marcus reinstated class action claims by thousands of shoppers who had their credit card data stolen.  Reversing a trend in the case law driven by a 2013 Supreme Court decision (the Clapper decision), the Seventh Circuit held in effect that even if some class members had not yet experienced a loss of money due to their personal information being stolen, they still had standing to pursue claims for compensation, including for the time and aggravation of having to obtain replacement credit cards, put in place credit monitoring, and take other steps to protect themselves.  It did not matter, said the court, that all of the consumers who had experienced fraudulent charges on their cards had been reimbursed by their banks, that Neiman Marcus had agreed to pay for credit monitoring, or that the consumers could not conclusively rule out that their credit card account information had been stolen in a different hack (e.g. Target).

This decision is only binding in the federal districts within the Seventh Circuit, but as Kevin LaCroix has pointed out in his blog, as a first-in-the-nation decision from an appellate court in this exact scenario, it is likely to be influential.  That is even more true for claims brought in the Northwest, for two reasons.

First, the Seventh Circuit cited extensively to a decision from the Northern District of California in the Adobe Systems data breach case, In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014).  (That decision is available here.)  The Adobe decision relied on pre-Clapper case law from the Ninth Circuit, and has already been cited twice this year to support a finding of standing in a data breach/data privacy class action, the first brought by Sony employees, and the second by users of the Google Wallet.  Those cases had already established the Ninth Circuit (and therefore the Northwest) as a favorable venue for data breach class actions.

Second, the Premera Blue Cross class action complaints involving the massive data breach at that company, and involving claims under Oregon and Washington law, have all been consolidated in the federal court in Oregon, and have been assigned to Judge Michael Simon.  Judge Simon, a former Perkins Coie partner, is inclined toward issuing cerebral and thoroughly-reasoned decisions that often have a pro-consumer bent.  I would not be surprised to see a lengthy decision from Judge Simon in the near future along the lines of the Seventh Circuit's decision, giving plaintiff's lawyers a road map for obtaining standing in data breach cases and how to properly bring claims under Oregon and Washington law.

What does any of this have to do with insurance?  Well, if you are a non-Northwest company with operations in the Northwest looking at cyber insurance, and trying to assess company-wide risk, you cannot rely on decisions from courts in your "home" jurisdiction that have made it hard for these types of claims to go forward.  If you are a Northwest business that handles a lot of consumer data, the risk of a class action in the event of a breach just went up a little bit.  Even if the claims are absolutely meritless, they will get past the motion to dismiss stage, which means that defense costs will be considerable.  All of that should be fodder for your next conversation with your insurance and legal advisers about your company's cyber-coverage, and particularly defense cost coverage and limits.

Update: As reported by my colleague Brian Sniffen in our blog IP Law Trends, Neiman Marcus has now requested en banc review of this decision.  En banc review is rarely granted.


Wednesday, May 27, 2015

Lessons From CNA's Suit to Avoid Covering a Hospital Cyber-Breach

A few weeks ago the insurance-coverage community experienced a watershed event: the first publicized lawsuit by an insurer for a declaration of "no coverage" under a cyber-insurance policy.  The case is Columbia Casualty Company v. Cottage Health Systems, filed in the Central District of California, and the issue is the insured's compliance with a pledge that it would use "minimum required" data-security practices.  This case holds important lessons for those considering cyber coverage - chiefly, be careful what you say in your application, and don't think that your insurer is going to treat you with kid gloves just because cyber coverage is a new product.

(NB: although we wouldn't normally cover California litigation, this filing raises red-hot issues so we decided to make an exception.)

The Cottage Health data breach was caused by user error, which is reported to be the leading cause of data security incidents across all sectors of the economy.  Cottage is a three-hospital health system in the Santa Barbara area.  According to published reports, the hospital contracted with an IT firm, "InSync," to put medical records on a File Transfer Protocol ("FTP") server so that they could be accessed remotely, but no one made sure that access to the records was locked down to credentialed people only, or encrypted.  As a result the FTP files were available to Google's search "bots," and could be found by using a Google search.  Reportedly, the error was caught only after someone reported the issue to the hospital.  A class-action suit against InSync and Cottage followed, alleging (among other things) violations of California's Confidentiality of Medical Information Act.  Apparently the state DOJ is also investigating possible HIPAA violations.

Cottage's cyber-liability insurer, Columbia Casualty (owned by mega-insurer CNA), picked up the defense, and even funded a $4.1 million settlement with the class, but under a reservation of rights.  In the new coverage lawsuit CNA is suing Cottage to get the settlement money -- and all of its defense costs -- back from Cottage.

CNA, like many insurers, required Cottage to fill out a detailed cyber coverage application and "self-assessment" which involved answering a host of questions about IT security practices.  Most of the questions were broadly worded, such as "Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?"  A few of the questions were more specific, however, such as whether Cottage routinely changed default software settings if required to make systems secure.  The application also addressed the use of vendors, including questions about whether Cottage required its third-party vendors to observe the same or stricter security practices as those used by Cottage, and whether Cottage required vendors to have cyber-liability insurance.  (Cottage of course answered "yes" to all questions.) 

The application and the policy itself contained several kinds of "warranties" about Cottage's compliance with security standards, and the policy contained an exclusion that coverage would not be provided for damages resulting from "[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing . . ." (emphasis added).

CNA claims that Cottage's "yes" answers on the application were false or that if the answers were true when the application was made, Cottage subsequently failed to "maintain" those practices.  Although CNA's complaint does not specifically say what Cottage didn't do that it should have done, reading between the lines it appears that CNA is focusing on three contentions: first, that the breach occurred because the vendor, InSync, failed to change the default FTP setting on the server software from "open access" to password-only access; second, the medical data was not encrypted on the server; and third, that Cottage did not make sure that InSync had cyber insurance coverage of its own.

This is something of a nightmare scenario for those of us who advise policyholders on cyber liability and coverage.  There are several "weak links" when it comes to cyber, and this case appears to hit on several of them.

First, because there is so little claims history in the "cyber" world, and because the risks are so high, insurers are requiring applicants to answer lots of questions and go through unusually detailed "self-assessments."  That's not a problem if the folks filling out the application thoroughly vet the answers with IT, legal, and the contracts department. But any breakdown in communication among those players can result in coverage problems.

Second, because of the evolving nature of cyber risks (and because it is the nature of their approach to the business) insurance companies frequently use vague wording in application materials and in their policies.  Vague language allows the insurer to argue after the fact a particular meaning that favors them.  We can see that in action in this case, in the question asking whether Cottage did a yearly re-assessment of risks and "enhanced" its "risk controls in response to changes."  What does that mean?  Does that mean that if there is an increase in "spear-phishing" attacks the company must eliminate the use of email?  Or is it good enough to adopt published "best practices" - a rule of reasonableness?  Those are the kind of questions that may be litigated in this case - questions that could have been avoided if the insurer had not been able to get away with vague language that it could later use to its advantage.

Third, vendors.  Vendors, the cause of so many data security problems, create substantial problems when it comes to insurance.  What is a reasonable security precaution to a hospital may seem like overkill to an outsourced IT or cloud provider, or the reverse may be true, and there is often no practical way to monitor changes that a vendor makes in its security practices.  That makes it very difficult to accurately answer a question about whether a vendor uses the same security standards as the insurance applicant.  It is also particularly difficult to ensure, as the CNA application asked, that every vendor "maintain[s] enough insurance to cover their liability arising from a breach of privacy or confidentiality" when there are no standardized forms for cyber coverage that can be required in the vendor contract, and where the risks to the vendor may be dramatically different than those of the customer.

In this case it appears that CNA is trying to avoid coverage using Cottage's "warranty" to comply with vaguely-worded promises that Cottage made about its security practices in a case where negligent oversight of a vendor caused an accidental data breach.  That is, of course, exactly why a business buys liability insurance - to cover an accident caused through negligence.  The fact that CNA is relying on vague language against its customer, Cottage, rather than giving Cottage the benefit of the doubt, demonstrates that this insurer, at least, is willing to use the kind of sharp-elbow tactics to limit its loss payments that we see with other kinds of coverage.  In other words, cyber coverage is not going to be treated differently by the insurance industry and its lawyers.

To try to avoid this kind of situation, businesses would be well advised to treat cyber coverage applications very carefully, to try to negotiate "warranty" language that is less onerous and open-ended, and to exercise increased oversight of vendor contracts and compliance with contract terms, including actually reviewing the vendor's insurance policies and security practices.  Taking those steps will not of course eliminate coverage disputes of this sort, but in this area, every step is an important one.

Tuesday, May 26, 2015

Premera Data-Breach Class Action Claims Illustrate Cyber Coverage Issues

The massive data breach at Washington health insurer Premera Blue Cross Blue Shield has spawned at last count fifteen class action lawsuits in Washington alone and at least one suit in Oregon federal court.  The suits allege that over 11 million records were exposed in the hack, including not just personally identifiable information but also health treatment and medication histories.
Examining the allegations in these class action complaints, and the differences among them, is instructive for those of us advising clients on insuring against these kinds of risks, because this will not be the last time this kind of breach will occur.  This post will focus on only two of the many issues that these complaints raise.
I should emphasize that I know nothing about Premera's insurance situation, and that the discussion below is purely based on general observations.  Also, the below comments should not be taken as commentary on the validity of any of the plaintiffs' claims (some of which -- like the "bailment" claim -- have been rejected in other class action suits).
Timing Issues & Known Loss.  One of the more striking things about the complaints against Premera is the contention that Premera knew that its systems were vulnerable, and that it had been hacked, well before it disclosed the data breach to its customers.  Each of the complaints claims that the federal Office of Personnel Management audited Premera's systems in early 2014 and that on April 18, 2014 Premera received a report from OPM that its systems were vulnerable to attack due to (among other things) failure to make updates to security software, and that the hackers infiltrated Premera's IT system almost immediately thereafter, in early May, 2014.  The complaints also allege that Premera knew that it had been hacked in January, 2015.  But Premera did not disclose the breach to customers until March, 2015.
This brings to mind common coverage defenses used by insurers who issue "claims made" policies, which most cyber coverage policies are: that the claim was known earlier than it was reported.  A claims-made policy provides liability coverage for claims made against the insured during the policy year, irrespective of when the incident happened.  That would mean that a complaint filed against Premera in April, 2015 would generally be covered by its policy in effect in April, 2015.  But what if Premera knew that it would very likely be sued before that policy period started, or before it even applied for the policy?  And what if it failed to disclose what it knew during the application process?  All of these are issues commonly raised by insurance carriers looking to get out of paying a loss.
Also, cyber coverage in particular is often tied not only to when a claim is made but also to when the "wrongful act" or "negligent act" that allowed the breach to happen took place.  Coverage is sometimes conditioned on the negligent act having occurred within a certain time span prior to the beginning date of the policy, referred to as the "retroactive date."  It is increasingly common to hear that a "hack" was accomplished months before the data breach was discovered.  If the hackers got in before the retroactive date, does that mean no coverage?
Claims Under State Data Breach Laws.  Most of the complaints contain a claim under Washington's "Data Disclosure Law," but not a direct claim under the Oregon analogue.  Why?  Because the Washington law expressly provides a private cause of action for damages if any Washington company fails to promptly notify consumers of a breach.  Oregon law (http://www.oregonlaws.org/ors/646A.624) does not provide for a private cause of action.  The Washington statute, however, does not provide for any kind of minimum or statutory damages, and requires that the customer have been "injured" to maintain a suit.  That is both good for the defense of the claim (since the customers may have trouble establishing standing if their personal data has not actually been used, as discussed in this post), and good for coverage.  Cyber policies, like many similar kinds of policies, often provide coverage for "damages" but exclude coverage for "penalties and fines," leading to coverage disputes about whether statutory damages are in fact "damages."  Some states, like Arizona, provide civil penalties for violations of breach laws.  And increasingly cyber policies are providing coverage for some kinds of regulatory fines or penalties, which is a good thing particularly given the recent news about large HIPAA fines.
In addition to the claim under the Washington statute, and in lieu of a direct claim under the Oregon statute, many of the complaints bring claims under the Washington and Oregon unfair trade practices or "consumer protection" statutes.   Potentially relevant to coverage are the claims under those statutes for treble damages.  Carriers routinely argue that the multiplied portions of awards are uninsurable punitive damages or are not covered as a penalty. 
There is no question that a large damages exposure will give an insurer incentive to take aggressive coverage positions. Data breach suits will be no exception. Savvy policyholder advisors will need to anticipate these defenses and plan accordingly.  So stay tuned for further reflections on the coverage issues that may arise from the Premera and similar suits.

Monday, April 27, 2015

Cert Grant in FCRA Case Could Impact Cyber Coverage

News today that the Supreme Court has granted certiorari in Spokeo v. Robins, which tests whether Congress can confer "standing" by giving consumers a private right of action under a federal law, and entitlement to statutory damages, even if the consumer cannot prove any concrete damages.  The Court will review a decision by the Ninth Circuit that said, essentially, "yes" to that question.

In Robins, the plaintiff claimed to have been harmed when Spokeo, an online directory that aggregates publicly-available personal information, published inaccurate information about him on the site.  The plaintiff contended that in doing so Spokeo violated the Fair Credit Reporting Act (FCRA), but he could not prove specific damages tied to the inaccurate information.  Instead, he claimed entitlement under the FCRA to "statutory damages" (typically set at $1,000 per violation).  Robins sued on behalf of a class of people -- allegedly numbering in the thousands -- who were similarly aggrieved by Spokeo's failure to report accurate information. The trial court dismissed the suit based on the constitutional requirements that a plaintiff demonstrate "standing" based on "actual or imminent harm."  The Ninth Circuit, however, reversed, reasoning that Congress could create a statutory right and in essence create standing by providing a private right of action for violation of that right.  The Supreme Court has agreed to decide whether that view of Congress' power is correct.

What does this have to do with cyber-insurance?  Plenty.  For one thing, the decision may undermine state laws that have fueled the market for robust first-party cyber coverage.  Many consumer advocates believe that data-breach notification laws will be ineffective at forcing businesses to "fess up" when a breach happens unless the breach law contains a private right of action with a small statutory damages component, modeled on FCRA.  Washington's data-breach law, recently amended, is just such a law.  The spread of such laws has driven the market for cyber policies that will cover not just the cost of notifications but also for liability protection relating to breach notification.  And just as many predict that legislation working its way through Congress allowing companies to confidentially share data on cyber breaches may eventually bring rates down, state legislation has had an impact on premiums that may be blunted by the Court's decision in Robins.

Beyond breach-notification laws, the way that the Supreme Court approaches the "actual or imminent harm" question could impact how courts handle data breach consumer lawsuits that do not rely on any federal statute but instead are based on common-law grounds, such as negligence or fiduciary duty.  Some courts have dismissed consumer lawsuits that fail to allege specific harm arising from a breach, while other courts have allowed those suits to proceed at least into the discovery phase.  The Supreme Court might take this opportunity to address "standing" more generally, leading to fewer consumer class actions, which could further result in lower premiums for cyber coverage.

Wednesday, April 22, 2015

Data Breaches at Franchisees Raise Cyber Insurance Issues

A recent article about a data breach at a Marriott franchise highlights an emerging cyber insurance issue for franchisors, and indeed all companies involved in contractual relationships that expose them to liability for cyber risks over which they may have little control.

The article reports that a Marriott franchisee had a seven-month-long data breach relating to the food and beverage point-of-sale (POS) system at ten of its hotels.  Unfortunately, this kind of scenario is becoming commonplace - hackers exploiting weaknesses in POS security to obtain credit card numbers, often focusing on heavy users of POS systems like restaurants.  

But the franchise aspect of this incident clearly adds some wrinkles worth considering.  I reached out to my partner Shannon McCarthy, a member of our franchise & distribution practice group and frequent contributor to our firm's blog on franchise issues -- ZorBlog -- for some thoughts.

Shannon first confirmed that in the event of a consumer lawsuit over a data breach the franchisor will likely be sued along with the franchisee.  Franchisors are typically viewed as a "deep pocket" and so the plaintiff may seek to hold the franchisor directly or indirectly liable for the breach.  A franchisor might be liable if it controlled the consumer data, if it contractually required the franchisee to use a certain system or provided the system itself, or exercised control over the way that the franchisee collected or used the data.  As examples, Shannon pointed me to both this FTC suit against Wyndham Hotel Group and the consumer class action (and related FTC action) against the rent-to-own franchisor Aaron's, Inc.  

In the Wyndham case the FTC alleged that the hotelier, which operates through over 90 franchisees, itself was liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security, because it "allowed" franchisees to use improper software and lax security practices, and because its own data systems did not encrypt consumer information.  Wyndham has pushed back against the FTC's claims and has appealed an early ruling that the FTC has jurisdiction to pursue the claims, and recently defeated a related derivative action in federal court.  

In the Aaron's case, customers who rented laptops sued the franchisees and the franchisor alleging that spyware on the laptops captured keystrokes, browsing history, and screenshots, and took pictures of the customers using the computer's built-in camera, invading the customers' privacy.  (The customers' case was recently reinstated by the Third Circuit after having been dismissed on procedural grounds).  The customer suit follows on the heels of a consent decree that Aaron's reached with the FTC in which the franchisor essentially admitted that it not only knew about the practice but actively participated in providing the software to its franchisees.  (Given that settlement it may be difficult for Aaron's to deflect responsibility to its franchisees.)

Where does insurance fit into all of this?  First, franchisors (like all businesses) should assess whether they themselves are adequately covered for cyber losses, including whether their traditional insurance policies carry endorsements specifically excluding data-breach liability or first-party losses, and whether they should purchase specific "cyber insurance."  In making this assessment franchisors should take into account all of the potential risks that they face beyond just regulatory or class-action consumer lawsuits; for example, credit-card issuers and banks may file suit seeking to recover their costs for writing off fraudulent charges and issuing new cards.

Second, franchisors should consider the requirements that they impose on franchisees with regard to cyber-security practices.  For example, franchisors might incorporate into their franchise agreements some of the security standards and "best practices" being developed by cyber-security organizations.  Of course this brings into play the tension that has always existed between maintaining enough separation from the franchisee such that liability could be avoided altogether, wanting to protect the brand by ensuring that the franchise is run competently, not imposing unreasonable burdens on franchisees, and business interests that may require a certain amount of intermingling of operations.  (For example, one of the key advantages of owning a hotel franchise is the access to the unified reservations and loyalty-reward programs operated by the franchisor.)

Finally, because preventing data breaches or liability claims may be impossible, franchisors should evaluate whether to require their franchisees to carry cyber insurance, and whether those insurance policies can provide protection to the franchisor.  Much as general contractors require subcontractors to carry insurance providing "additional insured" protection if the general is sued because of the subs' negligence, some cyber insurance programs purchased by a franchisee could be made to assist a franchisor in the event of a data breach caused by a franchisee's error.  However, because cyber insurance is not being written on standardized forms, it is not possible to simply specify in a franchise contract that a specific ISO additional insured endorsement be used.  Instead, franchisors would be well served to work out requirements language with their franchisees that takes into account evolving norms in the insurance industry regarding language, sub-limits, and other aspects of cyber insurance.  What will likely be needed in this, as with almost all things in the cyber insurance world, is a team approach involving counsel, insurance broker, and business people.

Tuesday, April 7, 2015

Likely Changes to Oregon Data Breach Law Should Prompt Review of Cyber Coverage

This excellent post by my colleague Brian Sniffen in our firm's IP Law Trends blog reports on the efforts by Oregon's attorney general to strengthen the state's data breach notification laws.  The proposed amendments to the Oregon Consumer Identity Theft Protection Act (ORS 646A.602 et seq.) are part of Senate Bill 601, which is making its way through the legislature right now.  You can follow the bill's progress here.

As Brian reports, among the proposed changes are a lowering of the threshold for notification to the Attorney General to 100 records; expansion of the definition of confidential data to include medical and biometric information; and giving enforcement power to the Attorney General under the Unfair Trade Practices Act.

As we observed last week in our post about the insurance implications of Washington's effort to toughen its data-breach notification laws, these proposed Oregon changes should prompt every business -- whether it handles loads of consumer data or not -- to review its cyber insurance coverage to get a comfort level with any sub-limits relating to notification costs, and liability coverage for regulatory claims.  Of course, both state-level efforts could be upended if the President's proposed data-breach bill becomes federal law, because the federal law will likely trump all state laws.  All the more reason to review your cyber coverage with an insurance professional today.

Update April 22: The Oregon bill has received a "do pass" recommendation, with some amendments, from the Senate Judiciary Committee, and is awaiting transfer to the floor for passage.

Tuesday, March 17, 2015

Washington Policyholders, Check Your Cyber Policy as Data Breach Notification Law Moves Forward

Washington has moved a step closer to bringing its data-breach notification law in line with the laws of many states (including Oregon) that require notification in the majority of scenarios, closing what some viewed as loopholes in the law and mandating notification within 45 days, rather than the prior "as soon as possible" requirement.  (Oregon law still lacks a specific presumptive deadline.)  In particular, the new Washington bill removes the exemption for lost or stolen data that is "encrypted," in recognition of the fact that "encryption" can fail if the technology used was old or if the encryption key was also stolen.  The Washington bill has passed the House and is set for hearings in the Senate later this week, and is expected to pass.

What does this mean from an insurance standpoint?  Cyber insurance policies typically provide "first-party" coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage.  In a state like Washington with a weak data breach notification law a business could in theory get away with a low sub-limit because only in a rare set of circumstances would broad-based notification be required.  That will no longer be the case and so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined.  And of course if your business lacks cyber coverage entirely, it is time to explore your options.  The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation; lost time/productivity; cost of new technology).  By comparison the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach.  The conventional wisdom is that a business should expect to spend at least $188 per record on notification and similar first-party response-related costs.  With the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs.  So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.

P.S.  Speaking of Washington, not 48 hours after news broke this week of a major data breach at Premera in Washington a class action was filed.  But the cause of action -- breach of contract -- may cause coverage problems.  The liability portions of cyber policies often exclude breach of contract actions.  One more reason to check those policies.

Update April 22: The bill has passed and is now awaiting signature by the Governor.

Wednesday, March 11, 2015

Cyber Coverage No Longer a Novelty But Many Concerns Remain

That is the message that I took away from last week's annual conference of the ABA's Insurance Coverage Litigation Committee in Tucson, Arizona.  Gone was the "gee whiz" discussion of the technology and its risks, and most presenters avoided the scare tactics all too commonly used in the industry to drum up sales.  (Not that there isn't reason to be scared - but the horror stories are so widely reported it hardly seems necessary to dwell on them at a conference of insurance coverage pros).

One particularly useful panel took a deep dive into problematic policy language and the limitations of the products currently offered.  This is critically important because although cyber coverage is no longer new, the language of the policies is not yet standardized.  A few of the many things to look out for are:

- long "waiting periods" for business interruption coverage.  Business interruption coverage is "time loss" cover in that the loss amount is calculated (generally speaking) as average sales per hour multiplied by the number of hours of downtime due to the covered event.  However, some chunk of time (the "waiting period") is routinely excluded as a kind of deductible.  Some cyber insurers default to a 24-hour waiting period (an eternity for many businesses and particularly online retailers), putting the burden on the policyholder to ask for a more reasonable period.  According to the panel (and my own experience has shown this to be true) carriers will agree to 12 hours or less - sometimes 8 hours.  If your business relies on closing sales around the clock, cutting down the waiting period could mean hundreds of thousands of dollars more in business interruption coverage.

- liability coverage limited to liability for the insured's own wrongful acts.  Because so much electronic data is now routinely hosted, handled or safeguarded in some manner by vendors, any kind of strict limitation with regard to who made the "oops" may result in no coverage, even though the insured may be held liable as the owner of the data.  The panel discussed several recent data breach incidents in which the error that allowed confidential data to be stolen was committed by one entity, but liability was imposed on another entity (e.g. the Target hack, where intruders gained access through a "phishing" scam on Target's HVAC contractor).  Companies need to pay careful attention to the language of their policies and candidly assess their risks associated with vendors and consultants, particularly in the retail and healthcare sectors.

- coverage for fines and penalties.  The number of regulatory bodies (state and federal) that are being given authority to issue fines and penalties for data breach violations is growing at a fast clip.  Some policies strictly exclude coverage for any kind of fine or penalty, while some do not.  Policyholders should examine their current coverage and evaluate whether their current and future coverage needs are being met, depending on the regulatory environment in which they operate.

The upside of the fact that cyber coverage is still issued largely on a "manuscript" basis (that is, without relying on industry-wide forms) is that insurers are sometimes willing to negotiate on policy language even for relatively small accounts, and oftentimes mid-period if circumstances have changed.  Careful attention to evolving risks from "cyber" events combined with close examination of your policy language can lead to productive conversations with your broker and carrier and needn't wait until renewal.

* Update: This morning Apple is experiencing a major outage in its iTunes store, among other services.  Some are estimating that the six-hour outage has cost Apple $7 million - now that's a serious cyber-business interruption loss (if covered).

Tuesday, December 31, 2013

Target Data Breach Lawsuits Increase Focus on Insurance Coverage for Cyber-Risk

I just finished a very fine (and, unusual for a lawyer blog, concise!) piece on the deluge of lawsuits already filed against Target entitled The Target Data Breach Lawsuits: Why Every Company Should Care.  I recommend it.  The author does not touch on the insurance coverage issues raised by data breach litigation, and who can blame him.  The author probably realized that his subject matter - causes of action, standing, multi-district litigation - was dry enough.  No need to put absolutely everyone to sleep by bringing up insurance.  But that's my stock in trade.  So are suits like these covered by traditional GL policies?  Are you sitting down, 'cause this will be a shocker... it depends.  It depends on what the plaintiffs allege, it depends on what the hackers got, it depends on what jurisdiction you are in.  As it happens, right before the Target news came out I had begun working on some CE (continuing education) materials for insurance professionals on data breach and cyber-risk coverage at the suggestion of a good friend in the industry.  I'll share some of the highlights here as I develop those materials, so please subscribe via RSS or email for further updates!  And Happy New Year, readers!

Monday, June 10, 2013

New York investigates insurance companies’ cyber security

I was very interested to read this morning that Governor Cuomo of New York will investigate insurance companies' cyber security.  According to the article the focus of the investigation will be what safeguards insurers have in place to protect customers' sensitive personal and financial information.  Hopefully this inquiry will take into account commercial-lines policyholders' data as well.  Recent experience has made me skeptical about how well insurers do just about anything related to information management.  I recently had an insurer claim that it would have to review reams of paper files to find information on a group of claims that are currently being adjusted.  Investigation revealed that in fact the carrier has multiple electronic data repositories, but many of them do not talk to each other, and that much coordination relies on information kept in the heads of certain supervisors!

Insurers demand a great deal of sensitive information about commercial policyholders in the underwriting process, from social security numbers and driving records of employees, to information on security systems.  I will be very interested to see what New York turns up about the cyber security measures, or lack thereof, at the nation's larger insurers.