Growing Class Action Threat: Breaches of Consumer Personally Identifiable Information
Minimizing Litigation Risk and Maximizing Insurance Coverage
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, MARCH 18, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Linda D. Kornfeld, Partner, Kasowitz Benson Torres & Friedman, Los Angeles
Tracy D. Rezvani, Shareholder, Rezvani Volin & Rotbert, Washington, D.C.
Donna L. Wilson, Partner, Manatt Phelps & Phillips, Los Angeles
Growing Class Action Threat: Breaches of Consumer Personally Identifiable Information
Presented by
Donna L. Wilson
Tracy D. Rezvani
March 18, 2014
Roadmap
Article III standing – actual vs. future damages
Trends – alternative theories of damages, liability
Enforcement – by FTC, state AGs
Class certification issues
Privacy settlements – sufficient relief to class members
Statutory claims
Google – a case study
California legislative spotlight
Takeaways
Standing in Data Breach Litigation
Differences among circuits re: sufficiency of injury for purposes of standing
(present v. future injuries)
Game Changer? - Clapper v. Amnesty International USA, 133 S. Ct. 1138
(Feb. 26, 2013)
– Threatened injury must be “certainly impending” to constitute injury-in-fact
– The Court, however, re-affirmed Monsanto Co. v. Geertson Seed Farms, 130 S. Ct. 2743, 2754-
55 (2010) (“reasonable probability” or “substantial risk” sufficient for standing)
Effect of Clapper on data breach litigation
– Plaintiffs have taken the position Clapper is limited to the facts. Defendants have relied upon
Clapper to challenge standing based upon possibility of damages, steps taken to prevent future
damages (i.e., future risk of identity theft, incurring costs for credit monitoring services)
In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3,
2013) – relying on Clapper, dismissing class action for lack of standing. Rejected various
theories of injury, including Barnes & Noble’s failure to promptly notify plaintiffs of security
breach; increased risk of identity theft; and time and expenses incurred to mitigate risks of
identity theft.
Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013) – relying on Clapper,
dismissing class action for lack of standing. Plaintiffs did not allege either misuse of plaintiffs’
PCI or PHI and court rejected theories of injury including increased risk of identity theft and
time and expenses incurred to mitigate risk of identity theft.
Standing in Data Breach Litigation (continued)
Yunker v. Pandora Media, Inc., 2013 U.S. Dist. LEXIS 42691 (N.D. Cal. Mar. 26, 2013) – Court
found diminution in the value of PII is insufficient to confer standing. Plaintiff argued that
because Pandora allegedly sold the plaintiff’s personally identifiable information, that
information is now less valuable. The court granted MTD because of the highly speculative
nature of this alleged harm.
Redressability
– Frank v. Neiman Marcus Grp., LLC, 2:14-cv-00233 (E.D.N.Y. February 12, 2014) – Defendant
challenges standing, in part, on the theory that Plaintiff cannot meet Article III’s redressability
requirement. Defendant argues that the complaint fails to allege facts showing how Plaintiff’s past
injuries can be remedied by a judgment in her favor due to Frank’s card issuer’s assurance of zero
fraud liability.
Target breach litigation
– Standing will be a hurdle for claimants
Plaintiffs will have to show injury in fact, i.e., identity theft
Plaintiffs will have to show a strong enough link between Target hacking and injuries suffered
– Target has promised to pay for credit monitoring services
– Similar issues for Michaels Stores and Neiman Marcus Security Breaches
Trends in Data Breach Litigation
Alternative theories of damages?
– i.e., “benefit of the bargain theory”, not getting what was paid for
In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013). MTD granted for
plaintiffs’ lack of standing. Plaintiffs had alleged their paid premium memberships promised
security.
Expansion of who may be held liable for a data breach?
– Employers of a rogue employee?
Kiminski v. Hunt, et al., No. 13-cv-208 (D. Minn. Sept. 20, 2013). State defendants’ MTD DPPA
claim granted because, inter alia, plaintiffs failed to allege that defendants knowingly gave the
former employee database access for an impermissible purpose.
– In the absence of a contractual relationship?
Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013).
Reversed district court’s dismissal of negligence claim arising from hackers’ breach of
Heartland’s data systems. Held that economic loss doctrine did not bar negligence claim.
Payment card issuing banks had sued payment processor; Visa and MasterCard had
contractual agreements with the issuing banks.
Trends in Data Breach Litigation (continued)
Focus on statutory claims, rather than common law claims?
– In re Zappos.com, Inc., No. 12-cv-325, 2013 WL 4830497 (D. Nev. Sept. 9, 2013). Court granted
MTD in part. Dismissed most of common law claims, allowed MDL to proceed on most of the
state statutory claims and negligence claim.
– Standing based simply on the availability of statutory injury and damages?
Data Breach Enforcement Actions
FTC jurisdiction to regulate privacy and data security in the private sector
– Many FTC settlements under Section 5 of the FTC Act
FTC v. Wyndham Worldwide Corp., No. 13-cv-1887 (D.N.J.) – motions to dismiss pending, parties asked to submit supplemental briefing regarding FTC Commissioners’ testimony at a subcommittee hearing that Section 5 enforcement is “vague” and “formal guidelines” are needed. Wyndham contends that Section 5 does not authorize the FTC to regulate data security standards for the private sector.
– Rare challenge to FTC’s enforcement authority
– Potential impact on the breadth of FTC authority in the future
Closely followed. See, e.g., In the Matter of LabMD, Inc., FTC Docket No. 9357 – in answer, respondent asserted that the FTC lacks subject-matter jurisdiction
On the horizon in 2014 – FTC to focus on data security, big data, mobile technologies
State AGs
– Example: Connecticut AG reached a $55,000 settlement with Citibank N.A., where Citibank allegedly delayed in fixing vulnerability and notifying customers.
Civil penalties, third party information security audit, maintenance of reasonable security procedures and practices, free credit monitoring for two years for any individual affected by future security incidents
Class Certification Issues in Privacy and Data Breach Litigation
Predominance
– In re Hannaford Bros. Co. Customer Data Sec. Breach Litigation, No. 08-md-1954, 293 F.R.D. 21 (D. Me.
Mar. 20, 2013)
Denied motion for class certification. Plaintiffs had failed to offer expert opinion testimony regarding
class wide damages.
Instructive for plaintiffs in the future on how to overcome issue of individualized damages?
Class certification rare in privacy litigation
– But see Harris v. comScore, No. 11-cv-5807, 292 F.R.D. 579 (N.D. Ill. Apr. 2, 2013)
Certified a class based on claims comScore gathered and sold customers’ personal information without
their consent, alleging violations of the Stored Communications Act, Electronic Communications
Privacy Act, Computer Fraud and Abuse Act
Class consisted of all individuals who have downloaded and installed comScore’s tracking software
onto their computers via one of comScore’s third party bundling partners at any time since 2005
– Largest class ever certified after Schwab v. Philip Morris USA, Inc., 449 F. Supp. 2d 992, 2006 U.S.
Dist. LEXIS 73196 (E.D.N.Y., 2006), class cert overturned, McLaughlin v. Am. Tobacco Co., 522
F.3d 215 (2d Cir. N.Y. 2008).
The Seventh Circuit denied comScore’s petition for an interlocutory appeal on June 11, 2013
Effect: increase number of privacy class actions based on statutory damages?
Privacy/Data Breach Litigation Settlements
Sufficient relief for class members
– Fraley v. Facebook, Inc., No. 11-cv-1726, --- F. Supp. 2d ----, 2013 WL 4516819 (N.D. Cal. Aug.
26, 2013)
Approving $20MM settlement arising from alleged misappropriation of users’ names and/or
likenesses to promote products and services through Facebook’s “Sponsored Stories” program.
Original proposed settlement did not win preliminary approval
Claims by customers who did not suffer identity theft
– Resnick v. AvMed Inc., No. 10-cv-24513 (S.D. Fla. Oct. 25, 2013)
Granted preliminary approval of $3MM data breach settlement. Claims can be made by both
customers that paid defendant for insurance and customers who suffered identity theft caused
by the breach
– Data breach plaintiffs will likely attempt to follow this model in the future
Privacy Claims for Statutory Damages (Federal)
E.g., Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”)
– FCC new regulations – effective October 2013
“prior express consent” – Physical or electronic signature and the signing agreement must be
optional
Elimination of “established business relationship” exception - requires callers to obtain signed
written consent from the recipients, even ones who are established customers
– Large volume of class actions already, potential for increase
– Penalties of $500-$1500 per unauthorized call
Large settlements (examples: Domino’s $9.75MM; Papa John’s $16.5MM)
Limitations on class judgments (Holtzman v. Turza, 728 F.3d 682 (7th Cir. 2013))
– Revocation of prior consent
Gager v. Dell Financial Services, LLC, 727 F.3d 265 (3d Cir. 2013) - although TCPA does not
expressly grant a right of revocation, this does not mean that the right to revoke does not exist.
Privacy Claims for Statutory Damages (Federal) (continued)
– Availability of New York as a forum for TCPA class action
Bank v. Independence Energy Grp. LLC, 736 F.3d 660, 661 (2d Cir. 2013) – holding that
Federal Rule of Civil Procedure 23, not state law, governs when a federal TCPA suit may
proceed as a class action.
E.g., Video Privacy Protection Act, 18 U.S.C. § 2710
– VPPA new regulations effective January 10, 2013
Streamlines the process for consumers to share data regarding their video viewing activities.
Allows consumers to consent via electronic means, and if the consumer chooses, grant
consent in advance for up to two years. Customers may withdraw consent on a case by case
basis or withdraw consent from ongoing disclosures.
– In re Netflix Privacy Litigation, No. 11-cv-3379, 2013 WL 1120801 (N.D. Cal. Mar. 18, 2013) –
granting final approval of class action settlement. $9MM settlement fund
Objectors appealed to Ninth Circuit. Netflix argued reasonableness, relying on the Facebook
Beacon settlement.
Issue: no monetary relief for class members despite high statutory damages
Privacy Claims for Statutory Damages (State: Focus on California)
California’s Shine the Light Law, Cal. Civ. Code §§ 1798.83–1798.84
– Game changers: Boorstein, King, Miller and Baxter affirming dismissals on basis of lack of
standing because plaintiffs failed to allege that they had submitted a request for information as
permitted under the statute, or that they would have submitted such a request had accurate
contact information been provided
California’s Confidentiality of Medical Information Act (CMIA), Civ. Code § 56
– Expect continued and increased class action activity in the area
– Recent cases filed, including against Kaiser, Sutherland Healthcare Solutions and Los Angeles
County, and numerous settlements.
– But see Platter v. UCLA (narrowing the scope of the CMIA through the term “release”)
Privacy Claims for Statutory Damages (State)
E.g., California’s Song-Beverly Credit Card Act, Cal. Civ. Code § 1747.08
– Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011) – finding that a ZIP code
constitutes PII under the Song-Beverly Credit Card Act.
– Apple Inc. v. Superior Court, 56 Cal. 4th 128, 133 (2013) – holding section 1747.08 does not
govern online purchases of electronically downloadable products because electronic transactions
do not fit within the statutory scheme.
– Capp v. Nordstrom, Inc., 2013 WL 5739102 (E.D. Cal. Oct. 22, 2013) – predicting that the
California Supreme Court will decide that an email address constitutes PII under § 1747.08
But see: Bell v. Blizzard Entertainment, Inc., 12-CV-09475 BRO (PJWx) (C.D. Cal. July 11,
2013) – holding email addresses, secret question answers, and cryptographically scrambled
passwords are not PII within the meaning of Delaware’s Data Breach Notification Law.
– Leebove v. Wal-Mart Stores, Inc., No. 13-cv-01024 (C.D. Cal. Oct. 4, 2013) - denying motion for
class certification. Questions common to the class do not predominate over questions affecting
only individual members (i.e., whether Wal-Mart was justified in requesting the personal
information)
Privacy Claims for Statutory Damages (State) (continued)
E.g., Massachusetts General Laws, ch. 93, § 105(a)
– Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013)
E.g., District of Columbia Code, § 47-3153
– Hancock v. Urban Outfitters, Inc. et al., cv-13-939, 2014 U.S. Dist. LEXIS 33324 (D.D.C. Mar. 14,
2014)
E.g., Kansas Consumer Protection Statute § 50-669a
E.g., New Jersey Statute § 56:11-17
E.g., New York General Business Laws § 520-A(3)
E.g., Rhode Island General Laws § 6-13-16
E.g., Wisconsin Statute § 423.401
Google: a case study
Cookies, tracking the subject of privacy class actions
– In re Google Inc. Cookie Placement Consumer Privacy Litigation, No. 12-md-2358, 2013 WL
5582866 (D. Del. Oct. 9, 2013) – MTD granted.
Court found plaintiffs had not alleged injury in fact (ability to monetize their PII had been
diminished or lost by virtue of Google’s previous collection of it) and therefore lacked Article III
standing
Example of trend requiring actual harm
Sufficient relief for class?
– In re Google Referrer Header Privacy Litig., No. 10-cv-4809, N.D. Cal.
Plaintiffs allege Google divulged user search queries to third parties without user knowledge or
consent. Motion for preliminary approval of class action settlement filed on July 19, 2013;
$8.5MM proposed settlement to be used for payment of settlement administration expenses, cy
pres distributions, fee awards and incentive awards
Google: a case study (continued)
Interpretation of the Wiretap Act
– In re Google Inc. Gmail Litigation, No. 13-md-2430, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013)
– MTD granted in part, denied in part
Plaintiffs alleged Google has intercepted, read and acquired content of emails sent or received
by Gmail users to provide target advertising. Among other things, district court rejected theory
based upon “ordinary course of business” exception to Wiretap Act; rejected contention that
plaintiffs consented to interception of their emails
Google is seeking certification of the order for interlocutory appeal
Plaintiffs filed motion for class certification on October 24, 2013
Judge Koh stated that she foresaw a “huge hurdle” to showing that non-Gmail users should be
allowed to participate in class action lawsuit on February 27, 2014
– Joffe v. Google, Inc., ---F.3d ---- (2013) WL 6905957 (9th Cir. 2013)
Plaintiffs brought suit under federal and state law, including the Wiretap Act, based on
collection of data from unencrypted Wi-Fi networks in connection with its Street View
photographs. District court rejected argument that data collection did not violate the Wiretap
Act because data transmitted over a Wi-Fi network is an “electronic communication” “readily
accessible to the general public” and therefore exempt. Ninth Circuit affirmed.
California Spotlight
AB 370 (Do Not Track disclosures)
– But lack of clarity about meaning of do not track; does not actually require that websites do not
track, but just that they disclose how they respond to do not track signals; unclear whether applies
to mobile apps
SB 46 (expanding definition of PI to include customers' passwords, user
names, security questions or answers)
– Other states may follow CA lead
SB 568 signed, allows minors to delete social media content
– Likely to spawn similar state and federal legislation, activity by FTC
AB 648 (expands confidentiality of Medical Information Act to businesses that
offer hardware or software to consumers that is designed to manage medical
information)
Takeaways
Review of how data is collected, managed, stored, destroyed, etc.
Data breach incident response plan
Review privacy policies, compliance with privacy policies; revise as
appropriate
Monitor legal developments
Growing Class Action Threat: Breaches of Consumer Personally Identifiable Information
March 18, 2014
Linda Kornfeld
Kasowitz Benson Torres & Friedman
(424) 288-7902
Kasowitz Benson Torres & Friedman LLP
Biography
Linda D. Kornfeld is a nationally recognized insurance coverage litigator
whom Chambers USA has described as one of “the best attorneys in
California” for coverage litigation. Ms. Kornfeld has extensive trial and
appellate experience representing corporate and individual policyholders
in high-stakes litigation in California and across the country.
Ms. Kornfeld has assisted clients in recovering hundreds of millions of
dollars over the years in a variety of types of claims. Ms. Kornfeld has
been repeatedly cited as an exceptional insurance litigator and one of the
top women lawyers in California by leading legal publications and
directories, including Chambers USA, Lawdragon in its top 500 “leading
lawyers” in America, Benchmark Litigation as a “Litigation Star” both
nationally and in California, the Daily Journal as one of California’s top 75
women litigators, Business Insurance as one of the country’s “50 Women
to Watch” in insurance, and Southern California Super Lawyers, as one
of the top 50 women lawyers in Southern California.
WHICH POLICIES MAY APPLY?
Review potentially applicable policies
– Traditional coverages:
General liability
Errors & Omissions and D&O
coverages
Specialty Coverages
Has the company purchased data
breach/privacy policies?
Has the company’s traditional coverage been
endorsed to add some form of data breach
protection?
Does that coverage match the ever evolving
data breach exposures?
Audit traditional coverages to see what
may be triggered
CGL Policies: Is There a Potential For
Coverage?
Where’s the coverage for alleged “privacy”
violations?
Is the “personal injury” or “advertising injury”
coverage potentially triggered?
What is Covered?
“Oral or written publication, in any manner, of
material that violates a person’s right of
privacy.”
Does the claim involve some form of
“publication”?
Does the claim involve a “privacy” violation?
“Publication”?
What is required to constitute “publication”?
Some form of “public” dissemination?
Term not defined in many policies.
“In any manner” language allows for broad
interpretation—courts have concluded that
any form of third-party dissemination is
sufficient.
“PUBLICATION”
• Still a “live” issue.
• 2013—Ohio: coverage litigation re
“unlawful recording without consent” under
California Privacy Act: Insurer had duty to
defend even though no dissemination to
3P’s or public at large.
• According to the court, recording the
conversation itself invades privacy and is a
“publication” of material.
PUBLICATION, cont’d
• 2014—Connecticut: Recall v. Federal:
– 130 tapes containing 500,000 IBM employee
PII fell off a transport truck and were removed from
roadside by unknown person.
– No “publication” because plaintiffs did not
prove that the PII on the tapes ever was
accessed by anyone—no evidence that the
information could be or was accessed.
– No impact if evidence exists that even one
person reviewed.
Violation of a “Right of Privacy”?
“Privacy” often is not defined in CGL policies
“Where an insurance policy does not define
privacy” policy can be broadly interpreted “to
include aspects of privacy protected
by…privacy statutes.”
The theory underlying data breach claims is a
privacy violation.
Sony v. Zurich
• No “personal injury” coverage for 2011
Sony PlayStation breach because “third
party” hackers and not Sony committed
the offense.
• The decision is faulty because it adds
words to the “personal injury” coverage not
contained in standard form policies.
• It also is one state court and is contra to
law in other states.
CGL POLICY EXCLUSIONS
“Statutory” Exclusions
An exemplar exclusion excludes, “Personal Injury…
arising directly or indirectly out of any action or
omission that violates or is alleged to violate: …any
statute, ordinance or regulation…that prohibits or
limits the sending, transmitting, communicating or
distribution of material or information.”
Insurers assert as a broad-based excuse to avoid
coverage for alleged violations of privacy statutes.
Statutory Exclusions, cont’d
Carefully read the underlying complaint: Song Beverly
and Massachusetts cases, as an example:
What if it solely alleges that you “requested and
recorded” customer’s zip information?
Does that constitute “sending, transmitting,
communicating or distributing”?
What if in addition to alleged statutory violations the
complaint also contains common law privacy claims?
Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)
Personal/Advertising Injury defined to include,
“electronic publication of material that violates a
person’s right of privacy.”
But, the policy excluded, injury “arising out of
violation of a person’s right to privacy created by
any state or federal act.”
The exclusion did not apply to “liability for
damages that the insured would have in absence
of such state or federal act.”
Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)
Motion to dismiss granted: exclusion inapplicable
to “liability for damages that the insured would
have in absence of such state or federal act.”
“Since . . .1931, California has recognized both a
constitutional privacy right and a common law tort
cause of action for [privacy] violations.”
Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)
“The statutes … permit an injured individual to
recover damages for breach of an established
privacy right, and as such, fall squarely within the
Policy's coverage. If Hartford had intended to
include a specific distinction in its exclusion, it
could have done so when drafting its Policy.
However, the Court cannot read restrictive
language into the Policy that is not actually
there.”
Mitigation Costs
Average “expense” of data breach event can
be in the multi-millions.
Can companies look to CGL policy to pay for
these expenses?
Are they “necessary” to prevent covered
personal or advertising injury claims?
Errors & Omissions Coverage
Also review E&O policies.
Cover “claims” for allegations of “professional”
misconduct.
Must act within “professional” capacity as
defined by policy.
Some cover “damages arising from violation
of ‘privacy’ laws.”
Directors & Officers Coverage
Covers certain claims for “wrongful acts, errors or
omissions” by company and its executives.
If executives have not done what may be
reasonably necessary to protect against a data
breach event, including purchasing adequate
insurance, coverage may apply.
Target class actions address failures to have
adequate protective procedures in place to
prevent data breach events.
What to Purchase?
What is your risk of exposure?
Involve privacy and other in-house counsel, CIO,
CTO, in the purchase/renewal process.
Policies are complex with multiple definitions—
carefully review to confirm that definitions match
business risks.
Sony ruling, new ISO exclusion, evolving risk and
associated expenses mean companies need to
think about buying specialty coverage.
What to Purchase?
Are limits/sublimits adequate?
Does the policy provide adequate notification,
credit monitoring, consultant, lawyer, public
relations, and other mitigation cost coverage?
Have you reviewed your trading partners’
coverage?
“Statutory Damages/fines/penalties”
Watch out for “fines/penalties” exclusions, or loss
definition restrictions.
Corcino court rejected Hartford’s argument that
statutory penalties are not covered “damages”:
“[t]he statutes … permit …recover[y of] damages
for breach of an established privacy right, and as
such, fall squarely within the Policy’s coverage.”
“Statutory Damages/fines/penalties”
Standard Mutual Insurance v. Lay (Illinois S. Ct. May
2013): In TCPA action, court rejected insurer
argument that statutory damages were punitive and
uninsurable.
Congress identified harms caused by a TCPA breach
and made them compensable by a liquidated sum per
violation.
Such liquidated damages intended by Congress to
be “an incentive for private parties to enforce the
statute.”
“Statutory Damages/fines/penalties”
Columbia Casualty v. HIAR Holdings (S. Ct.
Missouri August 2013).
Court found that fixed TCPA damages
encompassed compensable harms that were
covered as “damages.”