Travis Wall


Articles By This Author

Cyberattacks Push Companies to Specialty Insurance Policies

Travis Wall’s article Cyberattacks Push Companies to Specialty Insurance Policies says the window is closing for obtaining coverage for cyber attacks under traditional policies.

The article, published in The Recorder on May 23, says that as insurers refine coverage defenses and expand exclusions for cyber events, businesses will have to turn to specialty cyber policies for protection against data theft or loss.

Commercial general liability (CGL) policies have two basic coverage types. Coverage A addresses "property damage" and "bodily injury." Coverage B applies to "personal injury" offenses, such as publications that invade rights of privacy. Because data breaches typically do not involve property damage or bodily injury, policyholders rely primarily on the personal injury prong.

Among other requirements, personal injury coverage applies only to claims arising from a "publication" of information. Data theft through hacking does not appear to involve a "publication" as that term is commonly understood.

Courts will not presume a publication simply because a data loss occurred. In a recent case, tapes containing confidential employee information fell out of a delivery truck. An unknown person then retrieved them but there was no evidence that employee information was publicly disclosed or improperly used.

A Connecticut appellate court rejected the argument that the data loss, in and of itself, constituted a "publication." The mere potential for disclosure was not enough—there had to be evidence that confidential information on the tapes was actually published. See Recall Total Information Management Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014).

Read the full article at The Recorder.

To read more on this topic, please visit The Recorder (subscription required).

Personal Injury Coverage Does not Apply to Data Breach

According to a Law360 report, Sony Units Denied Coverage For Suits Tied To Cyber Attack (subscription required), a New York state judge ruled last Friday in the Zurich v. Sony insurance litigation that the stealing of consumer information through a cyber attack did not constitute “personal injury” under a commercial general liability policy because third-party hackers, and not the insured, committed the offense. If upheld on appeal, the decision would complement other authority holding that personal injury coverage applies only to potential liability from the insured’s purposeful acts.

The Sony coverage litigation resulted from a 2011 data breach. Zurich American Insurance Company and Mitsui Sumitomo Insurance Company had issued primary commercial general liability policies to Sony. In April 2011, computer hackers broke into Sony networks and stole personal and financial information of over 100 million users. 

Immediately following the breach, Sony was named as a defendant in numerous class actions. Sony tendered the defense of these actions to its insurers. Mitsui denied coverage. Zurich responded by filing a declaratory relief action in New York state court seeking a declaration that Zurich had no duty to defend.

The parties later filed cross-motions for partial summary judgment. The resolution of the motions turned on whether the data breach constituted a “personal injury” offense. Among other enumerated offenses, the policies provided coverage for a “publication, in any manner, of material that violates a person’s right of privacy.”


FTC Calls for National Data Security Standards as Proposed Legislation Stalls

In congressional testimony, the Federal Trade Commission’s Chairwoman, Edith Ramirez, recently reiterated the FTC’s call for stronger data security laws, while federal legislation concerning data security and breach notification remains in limbo.

Although the FTC is the nation’s leading privacy enforcement agency, it derives enforcement authority from a hodgepodge of statutes, many of which lack adequate remedies to compel compliance with data security and breach notification requirements.

Those laws include:

The FTC’s need to resort to multiple statutes results in uneven enforcement authority. Only the FCRA and COPPA allow the FTC to seek civil penalties for data security violations. To obtain a civil penalty for unfair or deceptive practices under the FTC Act, the agency must show that the company violated a prior administrative order.

In her remarks, Chairwoman Ramirez stressed the need for uniform national standards for data security and breach notifications, stronger civil remedies, and expanded rulemaking authority under the Administrative Procedure Act enabling the FTC to respond effectively to changes in technology.

Ramirez’s statements echoed bipartisan calls for national data security standards. Despite widespread support for such standards, proponents have not been able to amass enough votes to pass a comprehensive data security law.

There are competing proposals in the Senate: the Personal Data Privacy and Security Act, which Sen. Patrick Leahy, D-Vt., introduced for the fifth time in January 2014, and the Data Security Act, which Sen. Tom Carper, D-Del., and Sen. Roy Blunt, R-Mo., re-introduced that same month.


Assessing Cyber Threats - The Blind Spot Between Perception and Reality

A recent survey by the Ponemon Institute entitled, “Cyber Security Incident Response: Are We as Prepared as We Think?,” suggests that many companies lack the mechanisms to meaningfully address cyber risk. Among the survey’s findings:

  • Although companies recognize that better incident response capabilities would mitigate the harm cyber attacks cause, most companies devote less than 10 percent of their security budget to incident response and this percentage has remained static over the past 24 months.
  • Most organizations do not track the time to identify and respond to incidents or the effectiveness of the response. As a result, organizations have no means to measure the actual time and costs involved in managing cyber risk.
  • Companies are overly optimistic about the time to identify intrusions and address any damage the attack caused. Many respondents estimated that attacks could be identified in hours. As breaches at Target and Verizon have shown, identifying a cyber attack can take months or even years and fixing the problem could take just as long.
  • Organizations can reduce reputational harm by promptly and credibly communicating with the public about data breaches. Yet only 23% of the companies have a public relations plan in place in the event of a security breach. 
  • Executive management and boards are seldom engaged in cyber issues and thus remain in the dark about the real nature of the threat.

A growing number of companies have recognized the need for cyber risk insurance. Yet for this market to continue to grow, perceptions about cyber threats must shift. Companies cannot appreciate the need for insurance without better understanding the actual costs involved in responding to cyber attacks.       

To learn more about the Ponemon survey, click here.


One Policy Term May Have Two Meanings

A California Court of Appeal held in Transport Ins. Co. v. Superior Ct. (R.R. Street & Co.) that a named insured’s reasonable expectations of coverage can differ from those of an additional insured. This ruling leaves open the possibility that the same policy language can be interpreted differently in the same lawsuit, depending upon whether the named insured or an additional insured is seeking coverage.

Transport issued an excess and umbrella commercial general liability policy to Legacy Vulcan Corp. R.R. Street & Co. was named as an additional insured by endorsement. These two companies were named as defendants in lawsuits alleging that they distributed and sold dry cleaning products that caused environmental contamination. 

A dispute arose between Transport and Legacy about the duty to defend. The dispute turned on whether the term “underlying insurance” included only the specifically scheduled policies identified in the Transport policy or all potentially applicable primary policies.

In a previously published opinion, the Court of Appeal held that the term “underlying insurance” was ambiguous in the context of the Transport policy and should be construed in accordance with Legacy’s objectively reasonable expectations.


Newly introduced Data Security Act would remove data security standards from state oversight

The Federal Government has not taken significant steps to regulate data security. For that reason, local and state officials have been taking a more aggressive role in responding to data breaches and in establishing best practices for protecting data. 

Following the well publicized breaches involving Target and Neiman Marcus, Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) re-introduced legislation, the “Data Security Act,” that would establish federal standards for data security and remove the issue from state oversight, with one notable exception: standards for insurance companies. 

The Data Security Act would require companies to take appropriate steps to protect personal information and to notify consumers when data breaches could result in identity theft or financial losses. There would be no notification requirement if the stolen data was encrypted or otherwise unusable.

Healthcare insurers subject to HIPAA would be in compliance provided they comply with regulations promulgated under that act. 

The proposed law would preempt all state laws related to data security and notification requirements and prohibit all lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” These provisions, taken together, would effectively remove data security from state oversight.

Proponents of the legislation contend that federal standards for data security are necessary because companies are subject to a multitude of local laws, which sometimes conflict. Yet even under the proposed law, there would not be a single set of standards. The bill would delegate regulatory authority to a patchwork of federal agencies, each promulgating rules for the particular industry it oversees.

For most insurance companies, state insurance departments would retain regulatory oversight for creating data security standards. This leaves open the possibility that insurers would still have to comply with standards that vary by jurisdiction. However, the proposed legislation would require agencies to consult with each other, to the extent possible, to develop regulations that are consistent and comparable.

The bill is in its embryonic stages and certainly would undergo significant changes if ever passed. With data breaches becoming more prevalent and larger in scope, the push for federal action in this area will only increase.

Taking Precautions Against Medical Identity Theft

We recently reported that the number of cyber events involving the healthcare industry is expected to rise in 2014.

The reliance on electronic medical records and the use of insurance exchanges increase efficiency but also heighten the risk of medical identity theft. 

In October 2013, the California Department of Justice published recommendations for preventing and managing medical identity theft. See Medical Identity Theft: Recommendations for the Age of Electronic Medical Records.

For insurance companies, the recommendations include:

  • Make Explanation of Benefits statements patient friendly. Include information on how to report any errors that are discovered.
  • Notify customers who have been identified as victims of medical identity theft by email or text or other agreed upon timely method whenever a claim is submitted to their account.
  • Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
  • When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.

In an earlier publication, the Department of Justice provided guidance for all companies that handle personal or private data. See Data Breach Report 2012.

The key recommendations include:

  • Encrypt personal information sent by email, mailed in thumb drives or tapes, or stored in laptop or desktop computers. 
  • The Attorney General’s Office would make it an “enforcement priority” to investigate breaches involving unencrypted personal information and recommended that other agencies and regulators do the same.
  • Tighten security controls protecting personal information, including training of employees and contractors.
  • Improve the readability of breach notices.
  • Offer mitigation products or provide victims information on how to protect themselves against identity theft after a breach.

The Department of Justice’s recommendations are not detailed. Nonetheless, they may inform what constitute “best practices” in the healthcare insurance industry with respect to preventing medical identity theft. At the very least, the publications provide guidance about what precautions regulators consider most important.

Click here to read more about the California Department of Justice’s recommendations concerning privacy enforcement and protection.


Evolving Expectations of Privacy: Klayman v. Obama

In a 68-page opinion, Federal District Judge Richard J. Leon of the District of Columbia ruled yesterday in Klayman v. Obama that the NSA's systematic collection of telephone metadata of millions of citizens violates the Fourth Amendment's prohibition on unreasonable searches.

The opinion highlights an important issue that will have implications beyond the constitutional dispute in that case -- how expectations of privacy are evolving in light of changing technologies and the rapidly expanding use of the internet and mobile phones.

Judge Leon's ruling concerns the government's collection of "metadata" about telephone calls, such as information about what numbers were called, when calls were made, and how long they lasted. The government maintains that, under the program at issue, the NSA was not storing information about the content of calls or the participants' names, addresses or financial information.

Relying on the United States Supreme Court opinion in Smith v. Maryland, government lawyers argued that individuals have no expectation of privacy, let alone a reasonable one, with respect to telephone service provider metadata. Smith involved an investigation into threatening and obscene phone calls that a robbery victim had received. Without obtaining a warrant or court order, the police installed a "pen register" to record numbers dialed from a telephone at Smith's home.

The Supreme Court ruled that Smith had no reasonable expectation of privacy in the numbers dialed, since he voluntarily submitted this information to the phone company and reasonably should have known that the company maintained this information as business records.

Leon did not find the government's precedent compelling. As the judge phrased the issue,

"When do present-day circumstances -- the evolutions in the Government's surveillance capabilities, citizen's phone habits, and the relationship between the NSA and telecom companies -- become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith simply does not apply?"

For Leon, that time had come. He found Smith distinguishable: that case involved the collection of limited telephone data for a few weeks. Klayman, on the other hand, concerns the creation and maintenance of a historical database containing information about calls made by everyone in the country.

The government's ability to store, collect, and analyze phone data not only is much greater now than in 1979, but the amount and type of available metadata are much greater as well. As the judge noted,

"[data that] once would have revealed a few scattered lines of information about a person now reveal an entire mosaic -- a vibrant and constantly updating picture of the person's life."

Some would argue that changes in technology and the ubiquitous storing and analysis of metadata by companies and the government would lower individual expectations of privacy. Taking the opposite view, Judge Leon assumed that these trends have resulted in greater expectations of privacy.

This decision will not be the last word on the subject. Other courts have reached the opposite conclusion, and the government certainly will appeal the ruling. Regardless of the ultimate outcome, Judge Leon makes an obvious point -- courts cannot analyze present-day expectations of privacy by reference to technology and cultural norms that existed over three decades ago.


Cyber Risk Trends for 2014

According to a recent post from Property Casualty 360°, The Six Trends of Cyber Risk in 2014, insurers need to know:

  1. Data breach costs are trending downward. The cost per record to respond to a breach dropped from $194 to $188 and is expected to continue to decline.
  2. With the rise of cloud computing and the storing of data overseas, data breaches are likely to be global in nature. This could lead to complexities in managing or responding to breaches, since the data flows are global but the laws and norms applying to the breaches might be local.
  3. The concentration of data breaches in the healthcare industry is already high. With the significant changes taking place in the healthcare industry and use of exchanges, the number of breaches in this industry could increase in 2014.
  4. More companies will be buying cyber security insurance. One third of the companies have purchased some form of insurance against cyber risks, and one study estimates a 50% growth in policies purchased next year.
  5. Tired of hearing about breaches, consumers might not respond to warnings or take adequate steps to protect themselves after an incident. This “breach fatigue” could result in higher levels of fraud.
  6. In the absence of significant action on the federal level, state officials are expected to take a more active role in responding to data breaches and in establishing best practices for protecting data.

A few other things to consider:

  • The increased awareness of cyber risks should cause more companies to consider buying cyber insurance. 
  • While there is a sizable and growing market for third-party policies covering losses suffered by an insured’s customers or clients, the market for first-party cyber insurance is less robust.
  • With the rise of cyber attacks, insureds also need insurance covering direct losses to the companies, such as reputational injury or costs incurred to recover lost data or to repair infrastructure. 
  • The industry needs to educate the market about the importance of first-party cyber insurance and then develop cost-effective products to address this need.

For more information on cyber risk and cyber insurance, please contact Travis Wall directly. To read the full Experian study, 2014 Data Breach Industry Forecast, click here.

The Potential Pitfalls of Joint Representation

A recent California Court of Appeal opinion, Yanez v. Plummer, provides a cautionary tale for in-house counsel or outside attorneys who jointly represent their institutional client’s employees or agents in depositions. If handled inappropriately, joint representation can result in liability for the lawyer and undercut the institution’s own interests.

Plaintiff Michael Yanez worked for a railroad. He was a witness with respect to a workplace accident that injured a co-employee, Robert Garcia. Yanez prepared two statements related to the incident – one directly after the accident and the other an hour later. 

In the first statement, he wrote: “I was watching motor come up while Boby went downstairs & went to retrieve tool had sliped & fell on concrete floor, soaked in oil & grease.” Yanez’s supervisor asked him to write a second statement because the first lacked details. In the second statement, Yanez wrote in relevant part: “I saw Boby slip & fall down on oil soaked floor . . . .”

The injured employee sued the railroad and deposed Yanez. The railroad assigned in-house counsel to defend the lawsuit. Prior to the deposition, Yanez met with the attorney to prepare for the testimony. Yanez told the attorney that he had not actually seen the slip and fall. Yanez expressed concern about his job security in giving testimony unfavorable to the railroad and sought assurances that the attorney would “protect” him at the deposition. Counsel assured Yanez that his job would not be affected as long as he told the truth. They did not discuss the discrepancies between the two witness statements or conflicts of interest between Yanez and the railroad.

At the deposition, the injured employee’s attorney elicited testimony that Yanez had not seen the fall. In addition, the attorney asked Yanez about several unsafe conditions at the site of the accident. In-house counsel also questioned Yanez. The attorney had Yanez confirm that his “testimony today” was that the accident was not within his “line of sight.”  Counsel then asked Yanez about the sentence in his second witness statement that he “saw Boby slip & fall.” Counsel did not provide Yanez an opportunity to explain the discrepancy or mark the other witness statement as an exhibit. Counsel’s reasons for impeaching Yanez are not entirely clear. Yanez contended that the attorney was attempting to undercut Yanez’s credibility and his other testimony about unsafe working conditions.

A railroad representative was present at the deposition. After listening to Yanez’s testimony, the representative recommended that the railroad initiate a disciplinary hearing for dishonesty, which eventually resulted in Yanez’s termination. At that proceeding, Yanez maintained that he simply miswrote his second witness statement and meant to state, “I saw Bobby had slipped and fell down on oil soaked floor.” 

Yanez sued the railroad for wrongful discharge and sued in-house counsel for malpractice, breach of fiduciary duty, and fraud. The attorney claimed that, since he had not prepared Yanez’s two witness statements or participated in the process leading to his termination, Yanez could not prove causation. The court of appeal disagreed.
