Travis Wall

Travis Wall has no picture


Articles By This Author

Sizing Up Cyber Risks after the Sony Breach

Sony’s most recent data breach underscores the difficulties in underwriting and insuring cyber risk. Sony incurred losses that were surprising in both their scope and type. The company already is a defendant in at least four new lawsuits concerning the disclosure of employees’ confidential information. In addition to potential liability, Sony suffered substantial first-party losses that may be difficult to quantify, including forensic costs, reputational injury, and business interruption losses.

According to published reports, Sony may have $60 million in cyber insurance to mitigate these losses.  Even if this figure were true and the cyber policies applied to the breach, Sony’s insurance probably would cover only a fraction of its actual damages.

The unprecedented nature of this breach may cause some insurers to reexamine their exposure to cyber risks. Although companies can purchase cybersecurity insurance, these policies are not always affordable. The problem is most acute on the first-party side. 

In a November 2012 Cybersecurity Insurance Workshop Readout Report, the Department of Homeland Security noted that, although a sizeable third-party market exists to cover loss of customer or employee data, first-party policies "remain expensive, rare, and largely unattractive." The report identified several factors for this problem including: the lack of actuarial data to model cybersecurity risks and fears that a “cyber hurricane” would overwhelm insurers with large and unpredictable losses. The Sony breach may spur more talk of “cyber hurricanes.”

Insurers have limited their exposure on the third-party side as well. Most cyber liability policies have burning limits, meaning that defense costs erode coverage. This feature allows insurers to cap their exposure at pre-determined levels. At the same time, insurers are expanding cyber-related exclusions in commercial general liability policies and other conventional insurance products, forcing companies to seek coverage for cyber risks in specialty policies.

As insurers obtain actuarial data, they will develop more affordable products for addressing third-party and first-party cyber risks. But the onus for developing this market is not only on insurers. Companies must improve their data security. Increased security should reduce the risk of breach, allow cyber losses to be more easy to predict in size and type, and in the end make cyber risks more insurable.

Travis Wall recently authored the chapter on Cyber-Security Insurance for the LexisNexis California Insurance Law & Practice treatise. For more information, please contact Travis directly (email).

 

New Chapter on Cyber-Security Insurance Authored by Hinshaw & Culbertson Partner

Hinshaw & Culbertson LLP partner Travis Wall recently authored the chapter on Cyber-Security Insurance for the LexisNexis' California Insurance Law & Practice treatise.

The chapter provides an introduction to common cyber incidents, such as data breaches, and addresses the different kinds of losses and liabilities that arise from these events.

This analysis includes a discussion of the legal and statuatory framework governing data breaches. The bulk of the chapter addresses potential coverage for cyber incidents under commercial general liability policies.

Despite recent trends, most case law in cyber context has involved traditional third-party liability insurance. Even though insurers and policy holders are shifting coverage for cyber risks away from traditional insurance into specialty policies, the prior case law is still instructive. These decisions influenced how insurers drafted cyber insurance policies. The case law also may inform how courts interpret particular provisions in specialty policies or endorsements. Thus, this chapter analyzes these pertinent court decisions. It assesses coverage provisions and exclusions under CGL Coverage A and B as applied to cyber incidents.

The chapter ends with a discussion of key characteristics of specialized cyber policies and emerging trends of coverage disputes in this area.

For more information on Cyber-Security Insurance, please contact Travis Wall (email).

Cyberattacks Push Companies to Specialty Insurance Policies

Travis Wall’s article Cyberattacks Push Companies to Specialty Insurance Policies says the window is closing for obtaining coverage for cyber attacks under traditional policies.

The article, published in The Recorder on May 23 says as insures refine coverage defenses and expand exclusions for cyber events, business will have to turn to specialty cyber policies for protection against data theft or loss.

Commercial general liability (CGL) policies have two basic coverage types. Coverage A addresses "property damage" and "bodily injury." Coverage B applies to "personal injury" offenses, such as publications that invade rights of privacy. Because data breaches typically do not involve property damage or bodily injury, policyholders rely primarily on the personal injury prong.

Among other requirements, personal injury coverage applies only to claims arising from a "publication" of information. Data theft through hacking does not appear to involve a "publication" as that term is commonly understood.

Courts will not presume a publication simply because a data loss occurred. In a recent case, tapes containing confidential employee information fell out of a delivery truck. An unknown person then retrieved them but there was no evidence that employee information was publicly disclosed or improperly used.

A Connecticut appellate court rejected the argument that the data loss, in and of itself, constituted a "publication." The mere potential for disclosure was not enough—there had to be evidence that confidential information on the tapes was actually published. See Recall Total Information Management Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014).

Read the full article at The Recorder.

Read more on this topic, please visit The Recorder (subscription required).

Personal Injury Coverage Does not Apply to Data Breach

According to a Law360 report, Sony Units Denied Coverage For Suits Tied To Cyber Attack (subscription required), a New York state judge ruled last Friday in the Zurich v. Sony insurance litigation that the stealing of consumer information through a cyber attack did not constitute “personal injury” under a commercial general liability policy because third-party hackers and not the insured committed the offense.  If upheld on appeal, the decision would compliment other authority holding that personal injury coverage applies only to potential liability from the insured’s purposeful acts.  

The Sony coverage litigation resulted from a 2011 data breach. Zurich American Insurance Company and Mitsui Sumitomo Insurance Company had issued primary commercial general liability policies to Sony. In April 2011, computer hackers broke into Sony networks and stole personal and financial information of over 100 million users. 

Immediately following the breach, Sony was named as a defendant in numerous class actions. Sony tendered the defense of these actions to its insurers. Mitsui denied coverage. Zurich responded by filing a declaratory relief action in New York state court seeking a declaration that Zurich had no duty to defend.

The parties later filed cross-motions for partial summary judgment. The resolution of the motions turned on whether the data breach constituted a “personal injury” offense. Among other enumerated offenses, the policies provided coverage for a “publication, in any manner, of material that violates a person’s right of privacy”

Continue Reading...

FTC Calls for National Data Security Standards as Proposed Legislation Stalls

In congressional testimony, the Federal Trade Commission’s Chairwoman, Edith Ramirez, recently reiterated the FTC’s call for stronger data security laws, while federal legislation concerning data security and breach notification remains in limbo.

Although the FTC is the nation’s leading privacy enforcement agency, it derives enforcement authority from a hodgepodge of statutes, many of which lack adequate remedies to compel compliance with data security and breach notification requirements.

Those laws include:

The FTC’s need to resort to multiple statutes results in uneven enforcement authority. Only the FCRA and COPPA allow the FTC to seek civil penalties for data security violations. To obtain a civil penalty for unfair or deceptive practices under the FTC Act, the agency must show that company violated a prior administrative order.

In her remarks, Chairwoman Ramirez stressed the need for uniform national standards for data security and breach notifications, stronger civil remedies, and expanded rulemaking authority under the Administrative Procedure Act enabling the FTC to respond effectively to changes in technology.

Ramirez’s statements echoed bipartisan calls for national data security standards. Despite widespread support for such standards, proponents have not been able to amass enough votes to pass a comprehensive data security law.  

There are competing proposals in the Senate – the Personal Data Privacy and Security Act, which Sen. Patrick Leahy, D-Vt., introduced for the fifth time in January 2014, and the Data Security Act, which Sen. Tom Carper, D-Del., and Roy Blunt, R-Mo. re-introduced that same month.

Continue Reading...

Assessing Cyber Threats - The Blind Spot Between Perception and Realty

A recent survey by the Ponemon Institute entitled, “Cyber Security Incident Response: Are We as Prepared as We Think?,” suggests that many companies lack the mechanisms to meaningfully address cyber risk. Among the survey’s findings:

  • Although companies recognize that better incident response capabilities would mitigate the harm cyber attacks cause, most companies devote less than 10 percent of their security budget to incident response and this percentage has remained static over the past 24 months.
  • Most organizations do not track the time to identify and respond to incidents or the effectiveness of the response. As a result, organizations have no means to measure the actual time and costs involved in managing cyber risk.
  • Companies are overly optimistic about the time to identify intrusions and address any damage the attack caused. Many respondents estimated that attacks could be identified in hours. As breaches at Target and Verizon have shown, identifying a cyber attack can take months or even years and fixing the problem could take just as long.
  • Organizations can reduce reputational harm by promptly and credibly communicating with the public about data breaches. Yet only 23% of the companies have a public relations plan in place in the event of a security breach. 
  • Executive management and boards are seldom engaged in cyber issues and thus remain in the dark about the real nature of the threat.

A growing number of companies have recognized the need for cyber risk insurance. Yet for this market to continue to grow, perceptions about cyber threats must shift. Companies cannot appreciate the need for insurance without better understanding the actual costs involved in responding to cyber attacks.       

To learn more about the Ponemon survey, click here.

 

One Policy Term, May Have Two Meanings

A California Court of Appeal held in Transport Ins. Co. v. Superior Ct. (R.R. Street & Co.) that a named insured’s reasonable expectations of coverage can be different from those of an additional insured’s. This ruling leaves open the possibility that the same policy language can be interpreted differently in the same lawsuit, depending upon whether the named insured or an additional insured is seeking coverage.

Transport issued an excess and umbrella commercial general liability policy to Legacy Vulcan Corp. R.R. Street & Co. was named as an additional insured by endorsement. These two companies were named as defendants in lawsuits alleging that they distributed and sold dry cleaning products that caused environmental contamination. 

A dispute arose between Transport and Legacy about the duty to defend. The dispute turned on whether the term “underlying insurance” included only the specifically scheduled policies identified in the Transport or all potentially applicable primary policies. 

In a previously published opinion, the Court of Appeal held that the term “underlying insurance” was ambiguous in the context of the Transport policy and should be construed in accordance with Legacy’s objectively reasonable expectations.

Continue Reading...

Newly introduced Data Security Act would remove data security standards from state oversight

The Federal Government has not taken significant steps to regulate data security. For that reason, local and state officials have been taking a more aggressive role in responding to data breaches and in establishing best practices for protecting data. 

Following the well publicized breaches involving Target and Neiman Marcus, Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) re-introduced legislation, the “Data Security Act,” that would establish federal standards for data security and remove the issue from state oversight, with one notable exception: standards for insurance companies. 

The Data Security Act would require companies to take appropriate steps to protect personal information and to notify consumers when data breaches could result in identity theft or financial losses. There would be no notification requirement if the stolen data was encrypted or otherwise unusable.

Healthcare insurers subject to HIPAA would be in compliance provided they comply with regulations promulgated under that act. 

The proposed law would preempt all state laws related to data security and notification requirements and prohibit all lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” These provisions, taken together, would effectively remove data security from state oversight.

Proponents of the legislation contend that federal standards for data security are necessary because companies are subject to multitude of local laws, which sometimes conflict. Yet even under the proposed law, there would not be a single set of standards. The bill would delegate regulatory authority to a patchwork of federal agencies to promulgate rules for the particular industry that agency oversees. 

For most insurance companies, state insurance departments would retain regulatory oversight for creating data security standards. This leaves open the possibility that insurers would still have to comply with standards that vary by jurisdiction.  However, the proposed legislation would require agencies to consult with each other, to the extent possible, to develop regulations that are consistent and comparable.

The bill is in its embryonic stages and certainly would undergo significant changes if ever passed. With data breaches becoming more prevalent and larger in scope, the push for federal action in this area will only increase.

Taking Precautions Against Medical Identity Theft

We recently reported that the number of cyber events involving the healthcare industry is expected to rise in 2014.

The reliance on electronic medical records and the use of insurance exchanges increase efficiency but also heighten the risk of medical identity theft. 

In October 2013, the California Department of Justice published recommendations for preventing and managing medical identity theft. See Medical Identity Theft: Recommendations for the Age of Electronic Medical Records

For insurance companies, the recommendations include:

  • Make Explanation of Benefits statements patient friendly. Include information on how to report any errors that are discovered.
  • Notify customers who have been identified as victims of medical identity theft by email or text or other agreed upon timely method whenever a claim is submitted to their account.
  • Used automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
  • When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.

In an earlier publication, the Department of Justice provided guidance for all companies that handle personal or private data. See Data Breach Report 2012

The key recommendations include:

  • Encrypt personal information sent by email, mailed in thumb drives or tapes, or stored in laptop or desktop computers. 
  • The Attorney General’s Office would make it an “enforcement priority” to investigate breaches involving unencrypted personal information and recommended that other agencies and regulators do the same.
  • Tighten security controls protecting personal information, including training of employees and contractors.
  • Improve the readability of breach notices.
  • Offer mitigation products or provide victims information on how to protect themselves against identity theft after a breach.

The Department of Justice’s recommendations are not detailed. Nonetheless, they may inform what constitute “best practices” in the healthcare insurance industry with respect to preventing medical identity theft. At the very least, the publications provide guidance about what precautions regulators consider most important.

Click here to read more about the California Department of Justice’s recommendations concerning privacy enforcement and protection.

 

Evolving Expectations of Privacy: Klayman v. Obama

In a 68-page opinion, Federal District Judge Richard J. Leon of the District of Columbia ruled yesterday in Klayman v. Obama that the NSA's systematic collection of telephone metadata of millions of citizens violates the Fourth Amendment's prohibition on unreasonable searches.  

The opinion highlights an important issue that will have implications beyond the constitutional dispute in that case -- how expectations of privacy are evolving in light of changing technologies and the rapidly expanding use of the internet and mobile phones.    

Judge Leon's ruling concerns the government's collection of "metadata" about telephone calls, such as information about what numbers were called, when calls were made, and how long they lasted.  The government maintains that, under the program at issue, the NSA were not storing information about the content of calls or the participants' names, addresses or financial information.   

Relying on the United States Supreme Court opinion in Smith v. Maryland, government lawyers argued that individuals have no expectation of privacy, let alone a reasonable one, with respect to telephone service provider metadata.  Smith involved an investigation into threatening and obscene phone calls that a robbery victim had received.  Without obtaining a warrant or court order, the police installed a "pen register" to record numbers dialed from a telephone at Smith's home.

The Supreme Court ruled that Smith had no reasonable expectation of privacy in the numbers dialed, since he voluntarily submitted this information to the phone company and reasonably should have known that the company maintained this information as business records.  

Leon did not find the government's precedent compelling.  As the judge phrased the issue,

When do present-day circumstances -- the evolutions in the Government's surveillance capabilities, citizen's phone habits, and the relationship between the NSA and telecom companies -- become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith simply does not apply?"  

For Leon, that time had come. He found Smith distinguishable; the case involved the collection of limited telephone data for a few weeks. Klayman on the other hand concerns the creation and maintenance of a historical database containing information about calls made by everyone in the country.    

The government's ability to store, collect, and analyze phone data not only is much greater now than in 1979, but the amount and type of available metadata are much greater as well. As the judge noted,

[data that] once would have revealed a few scattered lines of information about a person now reveal an entire mosaic -- a vibrant and constantly updating picture of the person's life." 

Some would argue that changes in technology and the ubiquitous storing and analysis of metadata by companies and the government would lower individual expectations of privacy.  Taking the opposite view, Judge Leon assumed that these trends have resulted in greater expectations of privacy.

This decision will not be the last word on the subject.  Other courts have reached the opposite conclusion, and the government certainly will appeal the ruling. Regardless of the ultimate outcome, Judge Leon makes an obvious point -- courts cannot analyze present-day expectations of privacy by reference to technology and cultural norms that existed over three decades ago.