
Upload: elwin-mcdaniel

Post on 17-Dec-2015


Cosponsored by: PropertyCasualty360 and InsideCounsel

The seminar will begin promptly at 2pm EST.

A recording of this session will be made available.

FC&S Legal presents:

ALL’S FAIR IN LOVE AND CYBER WARFARE

Brought to you by The National Underwriter Company, publishers of FC&S Legal © 2013. All Rights Reserved


Housekeeping

Phones are muted

Questions will be answered at end of session

In right hand corner of screen is a space for you to type in your questions

Copy of slides was in your reminder email and a link to slides and the recording will be in your follow up email

A demonstration of FC&S Legal follows today’s presentation

Please answer our brief survey at the end of the session


Featured Speakers

Anjali C. Das, Partner

Wilson Elser Moskowitz Edelman & Dicker, LLP (Chicago)

Coordinating partner for firm’s D&O practice, represents insurers in professional liability coverage matters involving accounting, finance, other complex issues. Represents U.S., London and Bermuda based primary and excess insurers in high exposure claims.

Jerold Oshinsky, Partner

Jenner & Block, LLP (Los Angeles)

Represents policyholders in insurance matters in federal and state courts. Recipient of “Star” ranking by Chambers USA and is considered the foremost practitioner at the policyholder Bar. Recognized by Legal 500 as one of 13 “Leading Lawyers” nationally in its “Insurance: Advice to Policyholders” category.


President’s Executive Order on Cybersecurity

What is a Data Breach?

Data Breach Statistics and Costs

Aggressive Government Enforcement (FTC)

Private Litigation in the News

SEC Disclosure Guidance

Boards Still Have Their Heads in the Sand

Cyberliability Overview


Cyberliability

President Obama’s State of the Union Address (2/12/13)

Presidential Executive Order: Improving Critical Infrastructure Cybersecurity

Cyberthreats to U.S. critical infrastructure continue to grow

Cybersecurity information sharing between public and private sectors

Foreign government cyber espionage in the news

Growing political tensions between U.S. and China

Mandiant report

Victims include some of nation’s largest tech companies


What Is a Data Breach?

Organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information which can include private health information (PHI) and other personally identifiable information (PII) such as:

(1) Social Security number;

(2) Driver’s license number; or

(3) Account, debit or credit card number along with a PIN or password to access the account.


What Causes a Data Breach?

Hacking,

Employee theft,

Theft of physical equipment, or

Misrepresentation to obtain unauthorized access to data.


Breach Statistics Vary

60 major data breaches (Q2) v. 49 major data breaches (Q3)

4.4 million records compromised (Q2) v. 2.259 million (Q3)

Healthcare entities had the largest percent of breaches, followed by Government and Corporate

Avg. number of records per breach: 73,444 (Q2) v. 46,099 (Q3)

Leading causes of breach: theft (43%), hacking (27%)

Navigant November 2012 Data Breach Report Update


Costs of a Data Breach

Avg. total cost of a data breach in Q2 was $14.248 million

Avg. total cost of a data breach in Q3 was $8.943 million

Avg. total cost of data breach by sector:

Corporate: $8.88 million (Q2) v. $25.935 million (Q3)

Education: $17.67 million (Q2) v. $2.58 million (Q3)

Healthcare: $3.9 million (Q2) v. $2.68 million (Q3)

Government: $36.89 million (Q2) v. $15.21 million (Q3)

Navigant November 2012 Data Breach Report Update


FTC: The Nation’s Privacy Watchdog

• FTC is dedicated to enforcing consumer privacy and ensuring that companies provide reasonable security for consumer data

• FTC may bring an enforcement action against a company that fails to appropriately protect the consumer’s personal information

• FTC may bring such actions under Section 5 of the FTC Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act

• FTC has taken an aggressive stance on privacy and data breaches affecting consumers


FTC: The Nation’s Privacy Watchdog

Facebook: Company settled charges by the FTC that Facebook deceived users into believing that their personal information would be kept private. The FTC settlement bars Facebook from making further deceptive privacy claims. In addition, Facebook was required to establish and maintain a comprehensive privacy program subject to audits for up to 20 years.

Google: Company agreed to pay a record $22.5 million civil penalty to settle FTC charges that Google misrepresented the use of tracking cookies on users’ computers.


Data Breaches in the Headlines

Sony (70 million records)

Global Payments (1.5 million records)

eHarmony (1.5 million passwords)

LinkedIn (6.5 million passwords)

Texas AG’s Office (6.6 million records)

And the list continues to grow . . . .


Private Litigation

Sony Data Breach Litigation

Hackers attacked Sony’s PlayStation Network and stole 70 million users’ account and credit card information

58 class actions filed against Sony for violation of various consumer protection statutes and failing to comply with industry-standard protocols to safeguard customer information.

Sony reportedly incurred > $171 million to respond to the breach

Any settlements, damages, or judgments from the civil litigation would be on top of these costs


Private Litigation

Sony Coverage Litigation

Sony is seeking coverage under its CGL and commercial umbrella policies for the hacking incident

Zurich Ins. Co. filed a declaratory judgment action seeking to avoid coverage under its CGL policy for the network breach on the basis that unauthorized access to and theft of personal identification and financial information are not claims for “bodily injury,” “property damage,” or “personal and advertising injury”


SEC Sounds Off on Cyber Risks

SEC Disclosure Guidance: Topic No. 2 – Cybersecurity

Disclosure of Cyber Risk Factors:

1. Aspects of registrant’s business that give rise to material cyber risks and potential costs and consequences

2. Outsourced functions that have material cyber risks

3. Material cyber incidents experienced by the company, including costs and other consequences

4. Risks related to cyber incidents that may remain undetected for an extended period

5. Description of relevant insurance coverage


Lack of Board Oversight of Cyber Risk

“Only a few executive officers understand security and the rest are clueless”

“Boards are not actively addressing cyber risk management”

82% of companies surveyed did not have a Chief Privacy Officer

More than half of boards surveyed did not review their insurance policies for cyber risk coverage

On a global basis, North American boards lag behind their European and Asian counterparts with respect to privacy and security governance


What Coverage Might Apply?

• First- and third-party coverage

• Pre-2001 Standard policies

• Is there property damage?

• Property damage requires injury to tangible property

• Is computer damage tangible? Is virtual loss “tangible?”

• Post-2001 ISO policy language covering technology liabilities

• Coverage will depend on the facts of the claim and the policy language


ISO Pre-2001 Policies

Property damage has historically been defined in standard CGL policies as either:

a) physical injury to tangible property, including all resulting loss of use of that property, or

b) loss of use of tangible property that is not physically injured.

Thus, the first question that needs to be addressed is whether the data breach or technology-related loss involves damage to “tangible property.” (ISO form CG 00 01 01 96, Commercial General Liability Form).


ISO Post-2001 Policies

In 2001, ISO amended the definition of “property damage” in the standard CGL policy (form CG 0001 10 01) to expressly state that “electronic data is not tangible property.” The term “electronic data” is further defined as:

[I]nformation, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.


ISO Post-2001 Exclusion

Then in 2004, ISO created a new exclusion for electronic data (ISO Form CG 00 01 12 04). Exclusion p states:

p. Electronic Data: Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

As used in this exclusion, electronic data means information, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and application software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.


Decisions Providing Coverage for Electronic Data

Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W. 3d 16, 25-26 (Tex. App. 2003)

Policyholder’s computer server, software, and data stored on server were “physical” where hacker invaded computer system and installed virus that rendered server useless

Court avoided abstract issue of whether electronic data and software can constitute “tangible property,” instead focused on language of policy


Decisions Providing Coverage for Electronic Data

Landmark Am. Ins. Co. v. Gulf Coast Analytical Labs., Inc., No. 10-809, 2012 WL 1094761, at *4 (M.D. La. Mar. 30, 2012)

Electronic data could “[make] physical things happen,” and was “corporeal and moveable in nature,” and therefore a loss of electronic data due to hard drive malfunction was covered under insured’s policy.

Nationwide Ins. Co. v. Hentz, 2012 WL 734193, at *4 (S.D. Ill. Mar. 6, 2012)

Loss of electronic data gave rise to property injury because medium of storage had been physically taken


Decisions Providing Coverage for Electronic Data

Am. Guar. & Liab. Ins. v. Ingram Micro, Inc., No. 99-185, 2000 WL 726789, at *3 (D. Ariz. 2000)

“Physical loss or damage” in a first-party all-risk policy “is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality”

Court interpreted “physical loss or damage” broadly, noted that “[a]t a time when computer technology dominates our professional as well as personal lives, the Court must side with Ingram’s broader definition of ‘physical damage.’”


Decisions Providing Coverage for Electronic Data

Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., Ltd., 439 F. Supp. 2d 831, 837-38 (W.D. Tenn. 2006)

“Physical damage” could include loss of functionality even if the affected machinery remained intact

Wakefern Food Corp. v. Liberty Mut. Fire Ins. Co., 968 A.2d 724, 736 (N.J. Super. Ct. App. Div. 2009)

Concluded there was no reason to require that damage to malfunctioning machinery be permanent, and that the definition of “physical damage” could be extended to include temporary loss of use


Decisions Providing Coverage for Electronic Data

Retail Systems, Inc. v. CNA Ins. Co., 469 N.W. 2d 737 (Minn. Ct. App. 1991)

Computer tape and electronic information in tape were “tangible property” within meaning of third-party liability policy covering physical injury or destruction of tangible property

Data on tape was of permanent value and was integrated completely with physical property of the tape


Decisions Providing Coverage for Electronic Data

Computer Corner v. Fireman’s Fund Ins. Co., 46 P. 3d 1264, 1266 (N.M. Ct. App. 2002)

Lost data on hard-drive “was physical, had an actual physical location, occupied space and was capable of being physically damaged or destroyed” and therefore covered under a CGL policy


Decisions Providing Coverage for Electronic Data

Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010)

Plaintiff’s allegations of direct injury to operation of computer were insufficient to allege damage to tangible property; he would instead have had to allege a claim for physical injury to the hardware itself

Loss of use of a computer (“tangible property”) due to data corruption constituted covered property damage


Decisions Declining Coverage for Electronic Data

Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851 (Cal. Ct. App. 2003)

Policyholder’s loss of information in database not covered under first-party policy because loss was not “direct physical loss”

No “direct physical loss” because electronic data did not have “material existence” and was not “perceptible to the senses”


Decisions Declining Coverage for Electronic Data

Recall Total Information Mgmt., Inc. v. Fed. Ins. Co., 2012 WL 469988, at *5 (Conn. Super. Ct. Jan. 17, 2012)

Loss of several electronic tapes containing personal information did not constitute physical injury within meaning of the insured’s policy


Decisions Declining Coverage for Electronic Data

State Auto Property and Casualty Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1115-16 (W.D. Okla. 2001)

Insurance company argued it was not obligated to defend and indemnify computer repair company which had negligently caused loss of data of its client

Court held that computer was not damaged, data stored on computer disk was not tangible property

Loss of use of computer would have been covered because computer clearly tangible property but for applicable policy exception


Decisions Declining Coverage for Electronic Data

Compaq Computer Corp. v. St. Paul Fire and Marine Ins. Co., 2003 WL 22039551 (Minn. Ct. App. Sept. 2, 2003)

“Data are not tangible property,” even when communicated by electronic means such as a fax machine, telephone, telegram or computer

No valid claim (thus no coverage) for property damage that existed after Compaq’s allegedly faulty floppy diskettes and microcodes caused corruption and destruction of users’ data


Decisions Declining Coverage for Electronic Data

America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003)

No duty to defend under CGL policy because computer data, software and systems not tangible

Computers’ operating systems and software incapable of perception by the senses, were merely abstract ideas that did not permanently alter tangible computer hardware

Decision issued only six months after different Fourth Circuit panel held data destroyed by hacker was “direct physical loss” under the policy…


Decisions Declining Coverage for Electronic Data

NMS Servs. Inc. v. Hartford, 62 Fed. App’x 511 (4th Cir. 2003)

Concurring opinion explained loss of electronic data constituted “physical loss” because “a computer stores information by rearrangement of the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses, and a ‘meaningful sequence of magnetic impulses cannot float in space’”

America Online dissent agreed with NMS Court, concluding software bugs changed physical structure of computer hardware, should have been viewed as “physical damage to computer itself”


Decisions Declining Coverage for Electronic Data

Cincinnati Insurance Company v. Professional Data Services, Inc., 2003 WL 22102138 (D. Kan. July 18, 2003)

Relied on America Online and State Auto to find allegations of loss of use of software and corruption of data therein, without allegations of resulting loss of use of hardware, were insufficient to assert a claim resulting from injury to, or loss of use of “tangible property”

Court reasoned that neither software nor data incorporated therein constituted tangible property because neither had any physical substance nor were perceptible to the senses


Growing Demand for Cyber Coverage

Rise in cyber risk and hack attacks

Business and litigation costs to address breach events

SEC disclosure requirement re cyber insurance

Denials and exclusions from coverage under traditional CGL and other liability policies

Increased availability of cyber insurance


Comprehensive Cyber Coverage

Network security/privacy/data loss coverage

Third-party liability coverage

3P claims arising from data breach

Government and regulatory claims

First-party coverage

Crisis management, breach notification, remediation costs

Other bells and whistles

Immediate access to forensic and legal experts

Loss and risk mitigation tools and technology


Payments Under Cyber Policies

Avg. cost per incident $3.7 million

Avg. cost per record $3.94

Avg. defense costs $582,000

Avg. legal settlement $2.1 million

Avg. cost for crisis services $983,000

NetDiligence Oct 2012 Cyber Liability & Data Breach Insurance Claims Survey


Conclusions and Takeaways

Increase in cyber risks for all companies

Rise in private class actions and government enforcement

Differing state, federal and international laws governing privacy and data breaches

Sizeable business and legal costs to respond to breach

Board accountability for failure to obtain cyber coverage

Traditional policies may deny or exclude coverage for cyber

More insurers offering comprehensive cyber liability coverage


Q&A


Stay with us…

A Demonstration of FC&S Legal follows.


FC&S Legal: The Insurance Coverage Law Information Center

Visit www.fcandslegal.com for your 14-Day FREE Trial!

To purchase FC&S Legal, call 1.800.543.0874.
