Cyber Attacks and Privacy Claims: Litigation, Insurance and Crisis Management
Rick Bortnick | Scott Godes | Art Boyle | Mark Greisiger
#3013053

Transcript of the slide deck (40 slides)

Page 1: Cyber Attacks and Privacy Claims: Litigation, Insurance and Crisis Management Rick Bortnick | Scott Godes | Art Boyle | Mark Greisiger #3013053.

Cyber Attacks and Privacy Claims: Litigation, Insurance and Crisis Management
Rick Bortnick | Scott Godes | Art Boyle | Mark Greisiger
#3013053

Page 2

Cozen O’Connor, founded in 1970, delivers legal services on an integrated and global basis with 575 attorneys in 22 cities on two continents. Its lawyers counsel clients on their most sophisticated legal matters in all areas of corporate and regulatory law as well as litigation.

About the Firm

Richard J. Bortnick, Cozen O’Connor, 1900 Market Street, Philadelphia, PA 19103. Tel.: (215) [email protected]

cyberinquirer.com twitter.com/cyberinquirer linkedin.com/pub/richard-j-bortnick/1/690/143

Page 3

Dickstein Shapiro LLP, founded in 1953, is internationally recognized for its work with clients, from start-ups to Fortune 500 corporations. Dickstein Shapiro is U.S. News & World Report’s “Law Firm of the Year” for Insurance Law for 2011-2012.

About the Firm

Scott N. Godes, Dickstein Shapiro LLP, 1825 I Street, NW, Washington, DC 20006. Tel.: (202) [email protected]

corporateinsuranceblog.com twitter.com/insurancecvg linkedin.com/in/scottgodes

Page 4

Radian, which is headquartered in Philadelphia, connects lenders, homebuyers, investors and loan servicers using a suite of private mortgage insurance and related risk management products and services. The company helps promote and preserve the tradition of homeownership while protecting lenders from default-related losses on residential first mortgages. It also facilitates the sale of low-downpayment mortgages in the secondary market. Radian Group Inc. is traded on the New York Stock Exchange under the symbol RDN.

About the Firm

Art Boyle, Vice President – Enterprise Risk Management, Radian Group, Inc., 1601 Market Street, Philadelphia, PA 19103. Tel.: (215) [email protected]

http://www.linkedin.com/pub/art-boyle/7/96a/257

Page 5

Mark Greisiger, President, NetDiligence®, Corporate Headquarters, Philadelphia, PA. Tel.: (610) [email protected]

http://www.linkedin.com/pub/mark-greisiger/3/b05/475

NetDiligence® is a cyber risk management company. For the past 12 years NetDiligence has been offering cyber risk assessment services to risk managers. NetDiligence supports the loss control needs of many US and UK insurers that offer cyber risk coverage (aka ‘privacy insurance’). Mr. Greisiger is a frequently published contributor to various insurance and risk management publications on similar topics. (Write me to receive our monthly cyber risk newsletter.)

About the Firm

Page 6

Notable Cyber Risks and Events – Global Payments

3rd Party?

1st Party?

Page 7

How real? No One Is Immune

Date     Company
Jan-11   Pentagon Federal Credit Union
Dec-11   Sovereign Bank
Nov-11   AARP
Oct-11   CitiBank
Oct-11   State Farm Insurance
Oct-11   Farmers Insurance
Sep-11   Morgan Keegan & Company
Sep-11   JP Morgan Chase Bank
Aug-11   Aon Consulting
Aug-11   Wachovia Bank
Aug-11   MetLife
Jun-11   Anthem Blue Cross, Wellpoint
Feb-11   Equifax
Feb-11   Ceridian
Sep-11   Bernard Madoff Investors
Aug-11   American Express
Apr-11   Federal Reserve Bank of New York
Jan-11   Heartland Payment Systems
Sep-11   State Farm Insurance
Aug-11   Countrywide
Jun-11   United Healthcare

Year   Number Affected   Company
2011   100,000,000       Sony
2010   3,300,000         Educational Credit Management
2010   600,000           Citigroup
2009   130,000,000       Heartland Payment Systems
2008   4,200,000         Hannaford Brothers Co
2007   94,000,000        TJX Companies Inc.
2007   25,000,000        HM Customs and Revenue
2007   8,500,000         Fidelity National Information Services
2007   6,300,000         TD Ameritrade
2006   26,500,000        U.S. Department of Veterans Affairs
2005   40,000,000        Visa, CardSystems, Mastercard, AMEX

…Sampling of live events

Page 8

Notable Recent Cases - Defense

• Katz v. Pershing, LLC – “The innovations and problems of the electronic age have created new challenges for the courts. But venerable principles of our jurisprudence can guide us on this frontier. This case is illustrative: the plaintiff has asserted a litany of novel harms under freshly inked laws, but the irreducible minimum requirements of pleading and Article III doom her case.”

• Paul v. Providence Health System-Oregon – “plaintiffs failed to state a legally sufficient claim for negligence or under the UTPA.”

Page 9

Notable Recent Cases - Plaintiffs

• Anderson v. Hannaford Bros. – “two forms of mitigation damages . . . are cognizable under Maine law and we reverse . . . dismissal of the plaintiffs’ negligence and implied contract claims as to those damages”

• Claridge v. RockYou, Inc. – “breach of his PII has caused him to lose some ascertainable but unidentified ‘value’ and/or property right inherent in the PII.”
  – “Online gaming firm will pay $250,000, submit to independent audits for 20 years after exposing data on 30 million users” (ComputerWorld.com)

• Krottner v. Starbucks Corp. – increased risk of identity theft constitutes an injury-in-fact

Page 10

Types of First-Party Loss

• Hardware or Software Malfunction

• Data Corruption

• Denial of Service Attack

• Extortion

• Forensics

Page 11

Types of Third-Party Claims and Liabilities

• Copyright/Trademark Infringement

• Data Privacy Breach

• Internet Media Liability (e.g., Defamation)

• Unauthorized Access/Unauthorized Use (e.g., Third Party Data Corruption, Denial of Service Attack)

• Statutory Liability (Federal and State Privacy Laws)

Page 12

What is a “Privacy Breach”?

• Violation of posted Privacy Policy

• Violation of State or Federal Law

• Involves PII, non-public data, or paper records

• Unencrypted Data

• Holds potential for identity theft

• May occur in:
  – Systems (server farms)
  – Facilities (dumpsters)
  – Stolen laptops or mobile devices

Page 13

What are the Causes of Loss? (Per Ponemon Institute)

• 35% lost laptop

• 21% third party/outsource

• 19% electronic backup

• 9% paper records

• 9% malicious insider

• 7% hacker

Page 14

Who are the Breach Perpetrators?

• Employees
  – Intentional
  – Unintentional

• Unknown Third Parties
  – Hackers
  – Crackers
  – Hacktivists

• Business Partners

Page 15

Typical Allegations In a Privacy Breach (Class Action) Lawsuit

• Failure to protect customer information/privacy

• Reduction in value of claimants’ PII

• Failure to notify/timely notification

• Cost to reissue payment cards/open new accounts

• Cost of fraudulent purchases

• Consumer Redress: credit monitoring/identity theft insurance

• Regulatory Actions: fines and penalties

Page 16

Identity Theft Victims

• 11.6 million adults in 2011 (increase of 13% over 2010)

• Total amount of fraud = $37 billion

• 1 in 10 consumers already victimized

• Source: Javelin Research

Page 17

Costs of a Data Breach

• 2011 average total cost per incident (among surveyed companies) = $5.5 million to $7.2 million, depending on whose study you read

• 2011 per record cost (among surveyed companies) = ~$194.00, depending on the cause and impact

• Sources: Ponemon Institute and NetDiligence survey

Page 18

Federal and State Laws

• SEC Guidelines, published October 13, 2011

• Federal and state laws require businesses to maintain adequate data security and to destroy data containing Personal Identifiable Information or Personal Health Information once it is no longer needed

• Notification statutes require disclosure in certain circumstances where Personal Identifiable Information or Personal Health Information has been obtained by an unauthorized third party

Page 19

What Is Personal Identifiable Information?

• Generally defined as including any combination of the following:

Name; address; telephone number; electronic mail address; fingerprints; photographs or computerized images; a password; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; date of birth; medical information; financial information; tax information; disability information; and zip codes (depending on the state).

Page 20

SEC CF Disclosure Guidance: Topic No. 2: CYBERSECURITY

“appropriate disclosures may include: . . . Description of relevant insurance coverage.”

Page 21

SEC CF Disclosure Guidance: Topic No. 2: CYBERSECURITY

Risk Factors
– Tailor to the company’s individual facts and circumstances; avoid “boilerplate” disclosures.
– Disclosures that may be appropriate include:
  • The company’s business or operations that give rise to cybersecurity risk;
  • Outsourced functions that have material cybersecurity risks, including how the company addresses those risks;
  • Cyber incidents that the company has experienced, including costs and consequences;
  • Cyber risks that may remain undetected; and
  • Relevant insurance held by the company.

Page 22

Examples of Federal Statutes Protecting a Person’s Privacy

• Gramm-Leach-Bliley Act

• Driver Privacy Protection Act

• Health Insurance Portability and Accountability Act

• Electronic Communications Privacy Act of 1986

Page 23

States With Breach Notification Laws

Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming

Page 24

Typical Requirements of State Breach Notification Laws

• Generally require written notification to affected individual in the event of a security breach

• Each state varies in:
  – the definition of what constitutes a breach
  – the definition of Personal Identifiable Information (only a few states include Personal Health Information)
  – whether a risk-of-harm standard applies
  – content requirements for the notice
  – authorities that must be notified
  – available penalties and private rights of action

Page 25

States With No Breach Notification Law

• Alabama

• Kentucky – HB 581 introduced on March 2, 2010

• New Mexico

• South Dakota

Page 26

Cost of a Data Breach (© Ponemon Institute 2011)

Cost per record: $214 (2010) (up $10 from 2009)

DIRECT COSTS ($73.00 per record)
• Notification
• Call Center
• Identity Monitoring (credit/non-credit)
• Identity Restoration
• Discovery / Data Forensics
• Loss of Employee Productivity

INDIRECT COSTS ($141.00 per record)
• Restitution
• Additional Security and Audit Requirements
• Lawsuits
• Regulatory Fines
• Loss of Consumer Confidence
• Loss of Funding

Page 27

NetDiligence® Cyber Risk Claims Study

Highlights of Findings (based on losses actually paid out by insurers)

• Collected from insurers data on actual data/privacy breach claims meeting the following criteria:
  – The victimized organization had some form of cyber or privacy liability coverage
  – A legitimate claim was filed

• Analyze data in terms of types of events and their associated costs

• 117 data breach claim events were submitted for our study

• Data at Risk
  – PII is the most frequently exposed data (37% of breaches), followed by PHI (21% of breaches)
  – Credit card information accounts for a whopping 88% of records exposed

• Cause of Loss
  – Hackers are the most frequent cause of loss (32%), followed by rogue employees/contractors (19%)

• Sectors at Risk
  – Healthcare is the sector most frequently breached (24%), followed by Financial Services (22%)

Page 28

Highlights of Findings

• Costs (at-a-glance)
  – Average cost* per breach was $2.4 million
  – Average cost* per record was $5.00
  – Legal (defense & settlement) represents the largest portion of costs incurred
    • Average cost of defense: $500K
    • Average cost of settlement: $1 million
  – Crisis services costs (forensics, notice & credit monitoring) average $800K (combined) per event

Page 29

% of Breaches by Data Type (pie chart; slices of 37%, 21%, 21%, 16% and 5%; per the findings above, PII is the 37% slice and PHI one of the 21% slices)

Page 30

% of Breaches by Cause of Loss (pie chart; slices of 32%, 19%, 19%, 15%, 8% and 7%; per the findings above, hackers are the 32% slice and rogue employees/contractors one of the 19% slices)

Page 31

Average Cost per Breach (bar chart; values in hundred thousands)

Page 32

Typical First-Party Coverages

• Digital Asset Expenses

• Business Interruption Income Loss and Dependent Business Interruption Income Loss Coverage

• Network Extortion Threat and Reward Payments Coverage

Page 33

Typical Third-Party Coverages

• Network Security Liability Coverage

• Privacy Liability Coverage

• Media Liability Coverage

• Technology Liability Coverage

• Miscellaneous Professional Liability Coverage

Page 34

Personal and Advertising Injury Coverage

• Cyber privacy claims may implicate personal and advertising injury coverage
  – Right to Privacy
  – Defamation
  – Scope of Publication
  – Social Media
  – Copyright and Trademark Issues

Page 35

Other Insurance and Overlapping Coverage

• Liability coverage may overlap and converge with other insurance products
  – Part A of CGL Policies
  – Part B of CGL Policies
  – Pure Cyber and Technology Policies
  – Professional Liability Policies
  – Crime and Fidelity Policies
  – Directors and Officers Liability Policies
  – First-Party Property Policies
  – Business Interruption Policies
  – EPLI Policies
  – Kidnap, Ransom, Extortion Policies

Page 36

Other Insurance and Overlapping Coverage

• Scope of Duty to Defend

• Allocation of Defense Costs

• Damages Covered under Each Form

• Implications of “Other Insurance” Clauses

• Scope of Duty to Pay under Pure Indemnity Policies

Page 37

Common Weak Spots

• PROBLEM 1) IDS, or Intrusion Detection System (the “bad guy” alert system)
  – Studies show that 70% of actual breach events are NOT detected by the victim company but by third parties (and many more go undetected completely).
  – The FTC and plaintiff lawyers often cite ‘failure to detect’.
  – Vast data: a company’s IDS can log millions of events against its network each month.
  – False positives: 70%.

• PROBLEM 2) Patch management – challenges:
  – All systems need constant care (patching) to keep the bad guys out.
  – Complexity of networking environments.
  – Lack of time: Gartner Group estimates that “IT Managers spend an average of 2 hours per day managing patches.”

• PROBLEM 3) Encryption (of private data)
  – The problem spans all sizes and sectors.
  – ITRC (Identity Theft Resource Center): only 2.4% of all breaches involved encrypted data.
  – Issues: budgets, complexity and partner systems.
  – Key soft spots: data ‘at rest’ in databases and, to a lesser extent, on laptops.
  – Benefit: safe harbor (usually) under the breach notification laws, which generally treat encrypted data as not breached as long as the key was not taken with it.
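The third weak spot, PII sitting unencrypted in a database, is the one the safe-harbor argument turns on. As an added example (not code from the deck, from NetDiligence or from any of the presenters), the Go program below encrypts a single PII column with AES-256-GCM before it is written, binds each ciphertext to its row identifier so a value cannot be copied between rows, and then checks the breach-notification question directly: does a dumped row reveal the PII without the key? The Record layout, the cust-001 identifier and the sample SSN value are constructed for the illustration; the choice of AES-GCM is mine, and the comment on where the key must live states the assumption the safe harbor depends on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is a hypothetical customer row as it sits in the database.
// Only the sensitive field is encrypted; the ID stays in clear so the row
// can still be indexed and joined.
type Record struct {
	ID        string
	SSNSealed []byte // nonce || AES-GCM ciphertext || tag
}

// newDataKey returns a fresh 256-bit AES key. Assumption for this example:
// in a real deployment the key lives in a KMS/HSM or a separate secrets
// store, never in the same database or backup as the rows it protects.
// If the key is dumped along with the table, the data is effectively
// plaintext and the notification safe harbor does not apply.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPII encrypts one field value. The row ID is passed as associated data,
// so a ciphertext lifted from one row cannot be opened under another row's
// ID. A random 96-bit nonce is prepended to the ciphertext.
func sealPII(key []byte, rowID, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(rowID)), nil
}

// openPII reverses sealPII and fails closed on a truncated blob, a wrong key,
// a wrong row ID, or any tampering with the stored bytes.
func openPII(key []byte, rowID string, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// exposesPlaintext asks the breach-notification question about a leaked row:
// does the stored value itself reveal the PII? For an encrypted field this
// is false whenever the key was not taken along with the data.
func exposesPlaintext(rec Record, pii string) bool {
	return bytes.Contains(rec.SSNSealed, []byte(pii))
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample value; not real data.
	sealed, err := sealPII(key, "cust-001", "123-45-6789")
	if err != nil {
		panic(err)
	}
	rec := Record{ID: "cust-001", SSNSealed: sealed}

	fmt.Printf("stored row: %s -> %x\n", rec.ID, rec.SSNSealed)
	fmt.Println("dump reveals SSN:", exposesPlaintext(rec, "123-45-6789"))

	pt, err := openPII(key, rec.ID, rec.SSNSealed)
	fmt.Println("authorised read:", pt, err)

	// Moving the ciphertext under another row's ID fails authentication.
	_, err = openPII(key, "cust-002", rec.SSNSealed)
	fmt.Println("replayed under other ID:", err)
}
```

The design point is the one the slide makes in a single line: encryption only buys the safe harbor when the key is held apart from the data, so the program keeps the key out of the Record entirely and treats the key store as a separate system. Binding the row ID as associated data is a small addition that stops the quiet failure mode of an attacker with write access swapping ciphertexts between rows.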

Page 38

Strategies for Risk Managers

• Plan for the loss
  – The CFO must understand that data/network security is NEVER 100%. It is really not a question of if but when.
  – The 4 legs of traditional risk management:
    • Eliminate: e.g., patch known vulnerabilities, encrypt laptops, etc.
    • Mitigate: e.g., dedicated security staff; policies; IDS/IPS; etc.
    • Accept: e.g., partner SLAs and capabilities (trusting their assurances)
    • Cede: residual risk via privacy risk insurance

• Wide-angle assessment of the safeguard controls surrounding:
  – People: they seem to ‘get it’, have a proper security budget and are vigilant about their job.
  – Processes/Policies: enterprise ISO 27002, HITECH ready; employee education/training; change management processes, breach response plan, etc.
  – Technology: proven IDS/IPS capabilities, DLP solutions, hardened and patched servers (tested), full encryption of PII.

Page 39

Are you at risk? Ask your team:

• Has your firm ever experienced a data breach or system attack event? Some studies show 80-100% of execs admitted to a recent breach incident

• Does your organization collect, store or transact any personal, or financial or health data?

• Do you outsource any part of computer network operations to a third-party service provider?

  Your security is only as good as their practices, and you are still responsible to your customers

• Do you use outside contractors to manage your data or network in any way?

  The contractor, service provider or business partner is often the responsible party in data breach events

Page 40

Are you at risk? Ask your team:

• Do you partner with entities and does this alliance involve the sharing or handling of their data (or your data) or do your systems connect/touch their systems?

  You may be liable for a future breach of their network, and business partners often require cyber risk insurance as a condition of doing business

• Does your posted Privacy Policy actually align with your internal data management practices?

  If not, you may face a deceptive trade practice allegation

• Has your organization had a recent cyber risk assessment of security/ privacy practices to ensure that they are reasonable and prudent and measure up with your peers?

  Doing nothing is a plaintiff lawyer’s dream. It is vital for the risk manager to know whether your practices are reasonable, in line with your peers and with the many regulations