Cyberinsurance 111006

Pillsbury Winthrop Shaw Pittman LLP
Emerging Legal Trends in Cyber Insurance
October 2011
René Siemens, John Nicholson

Description: PWSP October 2011 presentation on data breaches and cyberinsurance.

Transcript of Cyberinsurance 111006

Page 1: Cyberinsurance 111006

Pillsbury Winthrop Shaw Pittman LLP

Emerging Legal Trends in Cyber Insurance
October 2011

René Siemens

John Nicholson

Page 2: Cyberinsurance 111006

2 | Trends in Cyberinsurance

Are You at Risk for a Data Breach or Other Cyber-Related Losses?

• Does your product have an intensely loyal consumer fan base? (Sony)
• Is your organization (or any senior executive) visibly politically active on any controversial issue? (Koch Industries attacked in response to Wisc. protests)
• Does your organization outsource the processing/collection/storage of personal information to a third party?
• Does your organization outsource any IT functions with access to personal information?
• Does your organization ship backup tapes/drives from operational facilities to a backup/storage provider? (SAIC/Tricare)
• Does your organization process/collect/store personal information about your customers? (SSN, credit card, address, financial information, medical information …) (Betfair)
• Does your organization process/collect/store personal information about your employees? (SSN, drivers license #, address, insurance information, bank account information, credit card …)

Page 3: Cyberinsurance 111006

The Current Legal Landscape

Privacy / Data Security Compliance Obligations (for now)
• US Federal: GLBA, HIPAA / HITECH, Red Flags Rules, FTC
• US State privacy/consumer protection laws (e.g., Massachusetts)
• Canada, EU and many other countries
• Other: PCI DSS

US Data Breach Notification Laws (for now)
• 46 states + DC, Puerto Rico and others
• Current trend is addition of medical information: HIPAA / HITECH Act, other regulations

Page 4: Cyberinsurance 111006

The Evolving Legal Landscape

US
• Personal Data Privacy and Security Act of 2011 (S. 1151) (Sen. Leahy)
• Personal Data Protection and Breach Accountability Act of 2011 (S. 1535) (Sen. Blumenthal)
• Data Breach Notification Act (S. 1408) (Sen. Feinstein)
• Among others

Canada - Sept. 29, update to PIPEDA proposed in Bill C-12 to expand existing privacy law to include data breach notification requirements

"It seems to me that it's time to begin imposing fines--significant, attention-getting fines--on companies when poor privacy and security practices lead to breaches,"

- Jennifer Stoddart, Canadian Privacy Commissioner (May 2011)

EU - mid-November, EC to publish revised Data Protection Directive which will include:
• Mandatory data breach disclosure law covering public and private sectors
• Binding Safe Processor Rules (BSPR) requiring cloud service providers (CSPs) in the EU to be certified by the EU and making them legally liable for data breaches occurring at CSP data centers

Page 5: Cyberinsurance 111006

What Does Cyber-Liability Insurance Cover?

Third-Party:
• Data security breaches
• Privacy breaches
• Content liability (libel, infringement, etc.)

First-Party:
• Loss of data
• Revenue loss due to interruption of data systems
• “E-vandalism,” “e-extortion”

Page 6: Cyberinsurance 111006

Third-Party Cyber Coverage: What’s Included?

Crisis Management Expenses
• Notification costs
• Credit monitoring services
• Public relations consultants
• Forensic investigation
• Pursuit of indemnity rights
• Regulatory compliance costs

Claim Expenses
• Costs of defending against lawsuits
• Judgments and settlements

Regulatory Response Costs
• Costs of responding to regulatory investigations
• Settlement costs

Page 7: Cyberinsurance 111006

First-Party Cyber Coverage: What’s Included?

Costs of restoring, recreating or re-collecting:
• Lost data
• Stolen data
• Damaged data

Revenue lost due to interruption of your operations caused by, e.g.:
• Hacking
• Virus transmission
• Other security failures

Page 8: Cyberinsurance 111006

Cyber Insurance Market Trends

[Chart: Total Premiums Underwritten, 2005, 2008, 2009, 2010; vertical axis 0 to 800]

Premiums ≈ $15,000 to $35,000 per $1,000,000 of limits, depending on retention and level of covers

Source: Aon: Cyber Insurance Options Oct. 3, 2011

Soft market: Premiums declined an average of 8.5% during the first half of 2011

Source: Marsh Insights: Benchmarking Trends July 2011

Large corporations were early adopters

Most growth is among middle market companies

Source: The Betterly Report

Page 9: Cyberinsurance 111006


Who Is Buying Cyber Insurance?

Source: Marsh Insights: Benchmarking Trends July 2011

Page 10: Cyberinsurance 111006


Who Is Issuing It?

Page 11: Cyberinsurance 111006

Are Issuers Paying Claims?

Yes, but statistical information is hard to come by. Areas of potential friction:
• Adequacy of limits, size of retentions
• Consent and panel provisions
• Coverage of vendors’ errors and omissions
• Loss vs. theft of data
• “One size fits all” crisis management expense coverage
• Hidden traps
• Interplay with vendor indemnity agreements
• “Other insurance” provisions
• Inadequacy of defense coverage

Cyber policies are highly manuscripted: prevent disputes by negotiating clear policy language!

Page 12: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#1 – Make sure your limits and sub-limits are adequate
• Average remediation cost is $7.2 million per data breach event
• Average remediation cost is $214 per record

Source: Symantec Corp. and Ponemon Institute: Global Cost of a Data Breach (2010)

• Warning! Many policies impose inadequate limits on “crisis management expenses” and “regulatory action” expenses

Page 13: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#2 – Watch out for “panel” and “consent” provisions
• Policies often provide that you must use the insurance company’s pre-approved forensic consultants, defense counsel, etc.
• Make sure that yours are pre-approved!
• Forensic, notification and defense costs are often covered only if you obtain the insurer’s “prior consent”
• Make sure you get it – and obtain policy language confirming that post-tender costs will be covered, or at least that the insurer’s consent “shall not be unreasonably withheld”

Page 14: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#3 – Make sure you are covered for your vendors’ errors and omissions
Example:
● Bad: “The Insurer shall pay all Loss that an Insured incurs as a result of your actual or alleged breach of duty to maintain security or confidentiality of Confidential Information”
● Good: “The Insurer shall pay all Loss that an Insured incurs as a result of any alleged failure to protect Confidential Information in the care, custody and control of the Insured or a third party to which an Insured has provided Confidential Information”

Page 15: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#4 – Make sure you are covered for loss of data, not just theft or unauthorized access
Example:
● Bad: “A covered breach shall include the unauthorized acquisition, access, use, or disclosure of confidential information”
● Good: “A covered breach shall include the unauthorized acquisition, access, use, disclosure or loss of confidential information”

Page 16: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#5 – If you handle data for others, make sure your liability to them is covered
Example:
● Bad: “The Insurer will not make any payment for any claim alleging or arising from … your performance of services under a contract with your client”
● Better: “The Insurer will not pay for Claims arising out of breach of contract; provided, however, that this exclusion shall not apply to liabilities that the Insured would have in the absence of contract, or arising out of breach of a confidentiality agreement or a professional services agreement for the handling of confidential information”
● Best: “The Insurer will pay on behalf of the Insured all Damages and Claim Expense which the Insured becomes legally obligated to pay because of liability imposed by law or Assumed Under Contract”

Page 17: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#6 – Avoid “one size fits all” coverage
Example:
● Bank suffers loss of thousands of customer credit card numbers
● Insurance policy covers cost of providing notice and credit monitoring
● Bank would rather just cancel and re-issue the cards

Lesson: When procuring insurance, negotiate for the coverage you will need

Page 18: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#7 – Beware of hidden traps
Example:
● Bad: “The Insurer shall pay Crisis Management Expenses incurred by an Insured arising out of a Claim”
● Good: “The Insurer shall pay Crisis Management Expenses incurred by an Insured in response to an actual or alleged security breach”

Page 19: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#8 – Harmonize cyber insurance with your indemnity agreements
Example:
● Bad: “The Insurer’s liability applies only to amounts in excess of the policy’s Self-Insured Retention. Such Retention Amount shall be borne by the Insured’s uninsured and at their own risk”
● Good: “The Insurer’s liability applies only to amounts in excess of the policy’s Self-Insured Retention. Such Retention Amount may be paid either by the Insured, or by the Insured’s other insurance or indemnified by third parties”

Page 20: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#9 – Harmonize cyber insurance with your other insurance
• Review your agreements with vendors
  - Make sure your vendors are required to have adequate insurance
  - Ask to be added as an additional insured on their policies
  - Make sure your policy’s “other insurance” clause specifies that their policy will apply first
• Example: “This Policy shall be primary, unless the Insured is also covered for the loss under the insurance of a third party, in which case this insurance shall apply excess of amounts actually paid by that other insurance”

Page 21: Cyberinsurance 111006

Ten Tips For Buying Cyber Insurance

#10 – Negotiate favorable defense provisions
• “Pay defense costs on behalf of” vs. “duty to defend”: will you control your own defense?
• At least negotiate the right to choose your own counsel if the policy has a “panel” provision
• Negotiate specific deadlines for payment by the insurer (e.g., within 30 days of invoicing)
• If rates are an issue, negotiate them up front!

Page 22: Cyberinsurance 111006


Preparing for/Responding to an Incident

1. Know what information you collect. Conduct an audit to identify what you have and what you really need. Determine whether you can encrypt what you must have. Securely dispose of information when it is no longer required -You can’t lose what you don’t have!

2. Create an incident response team including: IT, HR, Legal, CEO/CIO/CFO, Media relations

3. Develop incident response plan BEFORE you have an incident
   • Plan for different scenarios (DDOS, insider breach, hacking attack, etc.)
   • Know which third parties you plan to contact – computer security forensics, external legal, law enforcement, crisis communications
   • Conduct practice exercises

4. Acquire insurance based on risks and potential losses

Page 23: Cyberinsurance 111006


What If You Don’t Have Cyber Insurance?

Insurance industry and brokers assert that there is no coverage under conventional insurance, but many courts disagree.

Therefore, tender to all of your other insurers!

Page 24: Cyberinsurance 111006

Coverage by policy type

Loss type                   General Liability  Property   Errors & Omissions  Crime      Cyber
Data security breach        POSSIBLE           POSSIBLE   POSSIBLE            POSSIBLE   COVERAGE
Privacy breach              POSSIBLE           POSSIBLE   POSSIBLE            POSSIBLE   COVERAGE
Media liability             POSSIBLE           NONE       POSSIBLE            NONE       COVERAGE
Professional services       NONE               NONE       POSSIBLE            NONE       COVERAGE
Virus transmission          POSSIBLE           POSSIBLE   POSSIBLE            POSSIBLE   COVERAGE
Damage to data              POSSIBLE           POSSIBLE   POSSIBLE            POSSIBLE   COVERAGE
Breach notification         POSSIBLE           NONE       POSSIBLE            POSSIBLE   COVERAGE
Regulatory investigation    POSSIBLE           NONE       POSSIBLE            POSSIBLE   COVERAGE
Extortion                   POSSIBLE           NONE       NONE                NONE       COVERAGE
Virus/hacker attack         POSSIBLE           POSSIBLE   POSSIBLE            POSSIBLE   COVERAGE
Denial of service attack    POSSIBLE           POSSIBLE   POSSIBLE            POSSIBLE   COVERAGE
Business interruption loss  NONE               POSSIBLE   POSSIBLE            NONE       COVERAGE

Page 25: Cyberinsurance 111006

Case Study – Sony PSN Attack

• Sony PS3 user posts code to “jailbreak” Sony PS3 consoles and Sony sues user in US federal court
• April 4 – Members of Anonymous launch attack on Sony
• April 20 – Sony takes PSN and Qriocity networks offline
• April 26 – Sony announces that 77 million names, addresses, email addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and possibly credit cards were obtained
• April 27 – Sony shares fall 2%
• April 28 – Sony shares fall 4.5%; 1st class action lawsuit filed
• May 2 – Sony Online Entertainment attacked; 24.6 million customer dates of birth, email addresses and phone numbers breached, including 12,700 non-U.S. credit or debit card numbers and expiration dates and about 10,700 direct debit records including bank account numbers

Page 26: Cyberinsurance 111006

Case Study – Sony PSN Attack (cont)

• May 14 – Sony brings PSN/Qriocity back online; offline for a total of 24 days
• May 23 – Sony estimates that PSN breach and restoration cost $171M
• At least 58 class action lawsuits filed against Sony
• Numerous additional attacks from other hacking groups target various Sony companies and online properties
• July 20 – Zurich Insurance filed suit seeking a declaration that various Zurich policies do not provide coverage for hacking claims

Zurich issued:
• Primary CGL policy to Sony Computer Entertainment America LLC (“SCEA”)
• Excess liability policy to Sony Corp. of America; policy attaches above a lead umbrella policy issued by National Union
• Primary CGL policy to SCEA for its Canadian operations

Zurich policies provide coverage for “bodily injury,” “property damage” and “personal and advertising injury” arising out of an “occurrence.” Zurich argues the Sony claims do not allege any such injury or damage and therefore Zurich does not owe a defense or indemnification to Sony under any of its policies.

Page 27: Cyberinsurance 111006

Questions & Answers

John Nicholson
Counsel
Pillsbury Winthrop Shaw Pittman LLP
+1 [email protected]

René Siemens
Partner
Pillsbury Winthrop Shaw Pittman LLP
+1 [email protected]