© Copyright 2013 by K&L Gates LLP. All rights reserved.
What Your Company Needs to Know about Cybersecurity
June 6, 2013
klgates.com
Introductions
Bruce J. Heiman, Information Technology Policy Partner
David A. Bateman, Internet & Technology Law Partner
Roberta D. Anderson, Insurance Coverage Partner

I. Managing Attacks on Company Information, Technology, Data and Infrastructure
The Spectrum of Cyber Attacks
• Advanced Persistent Threats (“APT”)
• Data Breach and Malware
• Denial of Service attacks (“DDoS”)
• Domain name hijacking
• Corporate impersonation and Phishing
• Employee mobility and disgruntled employees
• Lost or stolen laptops and mobile devices
• Inadequate security and systems: first party and third-party vendors
Advanced Persistent Threats
• Targeted, persistent, evasive and advanced
• Nation-state sponsored
  • P.L.A. Unit 61398 (“Comment Crew”)
• Gen. Keith B. Alexander, head of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the “greatest transfer of wealth in history.”
  Source: New York Times, June 1, 2013.
• Penetration: spear phishing
  • 67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack.*
• Duration: average = 356 days**
• Discovery: external alerts
  • 55 percent are not even aware of intrusions*
• Target profiles
  • Industry: Information Technology; Aerospace; Telecom/Satellite; Energy; Engineering/Research/Defense; Chemical/Pharma
  • Activities: announcements of China deals; China presence
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units”
The Practical Risks of Cyber Attacks
• Loss of “crown jewels,” IP and trade secrets
• Compromise of customer information, credit cards and other PII
• Loss of web presence and online business
• Interception of email and data communications
• Loss of customer funds and reimbursement of charges
• Supply chain disruption and outright theft
• Brand tarnishment
• Collateral damage
• Legal and regulatory complications
II. Understanding Legal and Regulatory Risk
Bad news
• No system of prevention is perfect.
• There will be a data breach.
Good news
• The law doesn’t require perfection!
• Reasonable prevention measures
• Compliance with specified procedures to mitigate harm

III. Government Regulations and Legislation
We will cover
• FTC Act
• States’ data breach laws
• GLBA
• HIPAA
• NIST standards
• Possible CI standards
Federal: FTC Enforcement & General Standard for Protecting Personal Information
• Enforcement of company commitments
• Reasonable administrative, technical and physical safeguards appropriate for the …
  • Size and complexity of company
  • Nature and scope of activities
  • Sensitivity of personal information
What is Personally Identifiable Information Needing Protection?
• Name
• Address
• DOB
• Telephone number
• SSN
• Bank account, credit card numbers
• Processor serial number
What Are Reasonable Measures?
FTC has focused on process in numerous consent decrees
• Designate responsible employee
• Identify reasonably foreseeable risks
  • Employee training
  • Information systems
  • Prevention, detection, response
• Safeguards: design & implement, test & monitor
• Selection & retention of service providers
• Evaluate and adjust
• Independent assessments
Additional Guidance from HIPAA (Security Rule safeguards)
Administrative
• Security management
• Security personnel
• Rule-based access to info
• Workforce training
• Evaluation
Physical
• Facility access & control
• Workstation/device security
Technical
• Access
• Audit
• Integrity
• Transmission
States: General Standard for Preventing Data Breaches
• Data breach statutes focus on responding to breaches impacting residents of that state
• But almost all include security requirements
• Mostly some version of reasonable security measures
States: General Standard for Responding to Data Breaches
• What is a breach
• Duty to investigate
• What constitutes a reportable breach
• When do you have to report
• Who to notify
• How to notify
• What does the notice have to say
Federal Requirements of a Breach
• GLBA and HIPAA have similar requirements to states
  • But recent HIPAA amendments (the January 2013 Omnibus Rule) adopt more stringent requirements than GLBA on …
    o What is a breach
    o Reportable breach
    o When mass notice required
• Also, must consider possible violations of the export control and arms control laws
Selling to the Government: Compliance with NIST Standards
• Federal agencies must meet security standards
• De facto requirements for contractors
• Sets baseline security controls
• Requires adjustment and supplementing based on risk assessment
• Just-completed 4th revision (NIST SP 800-53 Revision 4, April 2013) adopts holistic view, increases focus on privacy, and addresses new issues
  • mobile and cloud computing
  • insider threats
  • application security
  • supply chain risks
  • advanced persistent threat
  • trustworthiness, assurance, and resilience of information systems
Possible Standards for Owners/Operators of “Critical Infrastructure”
• February Executive Order 13636
  • CI: incapacity or destruction would have debilitating impact
    o Not commercial IT products or consumer IT services
  • NIST-led “Cybersecurity Framework”
  • Incorporate voluntary consensus standards and industry best practices
    o International
    o No tech mandates
• Legislative proposals
  • Arguably define CI more broadly
  • Adopt greater regulatory approach
    o Government (FTC/DHS) sets standards
  • Mandates > incentives
IV. Litigation Risks and Case Developments
klgates.comklgates.com
IV. Litigation Risks and Case Developments � Class Action exposure – Data Breach and Privacy Claims
� In Re LinkedIn User Privacy Litigation (N.D. Cal. 2013)(“abstract” harm leads to dismissal)
� Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)("credible threat of real and immediate harm”)
� Grigsby v. Valve Corp. (W.D. Wash. 2013)(promises of security overvalued services)
� Class Action exposure – securities litigation� In re Heartland Payment Systems, Inc. (D. N. J. 2009)(80% stock drop leads to
derivative suit)
� Agency Enforcement� FTC v. Wyndham Hotels (D. Ariz. 2012)(2 year Russian hacking)
� FTC v. RockYou, Inc. (N.D.Cal. 2012)(hackers access PII of 32 million users)
� Mass. v. South Shore Hospital (AG enforcement; $750k settlement)
� Indiana v. Wellpoint, Inc. (AG enforcement; $100k settlement)
klgates.com
V. SEC Disclosure of Cybersecurity Risks
• SEC Division of Corporation Finance issued guidance on cybersecurity disclosures (CF Disclosure Guidance: Topic No. 2, October 2011).
• The guidance in essence states that appropriate disclosures may include four things:
  • material cybersecurity risks, both internal risks and risks from outsourced functions
  • cyber incidents which, individually or in the aggregate, pose material risk or cost
  • risks of material cyber incidents that may remain undetected for an extended period
  • a “[d]escription of relevant insurance coverage” for cyber risks
VI. Insurance Coverage for Cyber Risks
Potential coverage under “traditional” third-party CGL policies
• Potential coverage for claims alleging damage to, or loss of use of, third-party data, computers or computer systems (“Coverage A”)
• Potential coverage for data breach and other claims alleging violation of a right to privacy (“Coverage A” and “Coverage B”)
• Potential coverage for misappropriation and infringement claims
• Coverage A (ISO CGL form excerpt)
  SECTION I – COVERAGES
  COVERAGE A – BODILY INJURY AND PROPERTY DAMAGE LIABILITY
  1. Insuring Agreement
  a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
  *****
  15. "Property damage" means:
  a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the "occurrence" that caused it.
ISSUE: Is data “tangible property” that can suffer “physical injury”?
• Some courts have found coverage
  • Retail Systems, Inc. v. CNA Ins. Co., 469 N.W.2d 735, 737 (Minn. Ct. App. 1991) (“data on the tape was of permanent value and was integrated completely with the physical property of the tape … the computer tape and data are tangible property”)
  • Computer Corner, Inc. v. Fireman's Fund Ins. Co., No. CV97-10380, slip op. at 3-4 (2d Dist. Ct. N.M. May 24, 2000) (“computer data is tangible property”)
• Some courts have rejected coverage
  • America Online Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 467, 468-69 (E.D. Va. 2002) (“the Policy does not cover damage to computer data, software and systems because such items are not tangible property”)
  • State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1116 (W.D. Okla. 2001) (“Alone, computer data cannot be touched, held, or sensed by the human mind; it has no physical substance. It is not tangible property.”)
Potential additional hurdles to coverage
• “Property damage” definition (ISO 2001 and later forms)
  17. "Property damage" means:
  a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the "occurrence" that caused it.
  For the purposes of this insurance, electronic data is not tangible property.
  As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
• “Electronic Data” exclusion (ISO 2004 and later forms)
  2. Exclusions
  This insurance does not apply to:
  *****
  p. Electronic Data
  Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
  However, this exclusion does not apply to liability for damages because of "bodily injury".
  As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
Potential avenues to coverage
• Coverage may be added through endorsement
  • ISO “Electronic Data Liability Endorsement” adds “electronic data” back to the definition of “property damage”
• Coverage may have been purchased through the ISO “Electronic Data Liability Coverage Form”
• ISO pre-2001 forms do not except “electronic data” from the definition of “property damage” and do not exclude “electronic data”
• Even recently issued policies may not contain such exceptions or exclusions
  • Zurich American Ins. Co., et al. v. Sony Corp. of America, et al., No. 651982/2011 (N.Y. Sup. Ct. New York Cty.)
Even when the policy contains an exclusion, there may be coverage if a suit alleges damage to or loss of use of a computer or computer systems
• Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)
  • The underlying suit alleged injury to the plaintiff’s “computer, software, and data after he visited [the insured’s] website.” The definition of “tangible property” excluded “any software, data or other information that is in electronic form”
  • The court held that the insurer was obligated to defend the insured because the complaint alleged “loss of use of tangible property that is not physically injured” under the second prong of the “property damage” definition
Potential coverage for data breach and other claims alleging violation of a right to privacy
• ISO “Coverage A”
  SECTION I – COVERAGES
  COVERAGE A – BODILY INJURY AND PROPERTY DAMAGE LIABILITY
  1. Insuring Agreement
  a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
  *****
  3. "Bodily injury" means bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.
• “Electronic Data” exclusion (quoted in full above): it “does not apply to liability for damages because of ‘bodily injury’”
• ISO “Coverage B”
  COVERAGE B – PERSONAL AND ADVERTISING INJURY LIABILITY
  1. Insuring Agreement
  a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "personal and advertising injury" to which this insurance applies.
  *****
  14. "Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:
  *****
  e. Oral or written publication, in any manner, of material that violates a person's right of privacy;
ISSUE: Has there been a “publication” that violates a “right of privacy”?
• Some courts have found coverage
  • Park Univ. Enters., Inc. v. American Cas. Co. of Reading, PA, 442 F.3d 1239, 1250 (10th Cir. 2006) (Kansas law) (“the [district] court correctly determined that in layman's terms, ‘[t]he plain and ordinary meaning of privacy includes the right to be left alone.’ … We likewise agree with the district court's broad construction of the term ‘publication’ in favor of [the insured]”)
  • Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460, at *5 (D. Md. 2007) (Maryland law) (“Of the circuits to examine ‘publication’ in the context of an ‘advertising injury’ provision, the majority have found that the publication need not be to a third party.”)
• Some courts have rejected coverage
  • Resource Bankshares Corp. v. St. Paul Mercury Ins. Co., 407 F.3d 631, 642 (4th Cir. 2005) (Virginia law) (“[T]he TCPA's unsolicited fax prohibition protects ‘seclusion’ privacy, for which content is irrelevant. Unfortunately for [the insured], it did not buy insurance policies for seclusion damages; instead, it insured against, among other things, damages arising from violations of content-based privacy.”)
  • Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 2012 WL 469988, at *6 (Conn. Super. Ct. Jan. 17, 2012) (no coverage for loss of employee information because “there [wa]s no evidence of communication to a third party”)
Potential hurdles to coverage
• Exclusions relating to internet activities and breach of privacy-related laws
  • “Insureds In Media And Internet Type Businesses”
  • “Electronic Chatrooms Or Bulletin Boards”
  • “Recording And Distribution Of Material Or Information In Violation Of Law”
• New 2013 ISO “Amendment Of Personal And Advertising Injury Definition” endorsement

“Insureds In Media And Internet Type Businesses” exclusion:
  2. Exclusions
  This insurance does not apply to:
  *****
  j. Insureds In Media And Internet Type Businesses
  "Personal and advertising injury" committed by an insured whose business is:
  (1) Advertising, broadcasting, publishing or telecasting;
  (2) Designing or determining content of web sites for others; or
  (3) An Internet search, access, content or service provider.
  However, this exclusion does not apply to Paragraphs 14.a., b. and c. of "personal and advertising injury" under the Definitions section.
  For the purposes of this exclusion, the placing of frames, borders or links, or advertising, for you or others anywhere on the Internet, is not by itself, considered the business of advertising, broadcasting, publishing or telecasting.

“Electronic Chatrooms Or Bulletin Boards” exclusion:
  2. Exclusions
  This insurance does not apply to:
  *****
  k. Electronic Chatrooms Or Bulletin Boards
  "Personal and advertising injury" arising out of an electronic chatroom or bulletin board the insured hosts, owns, or over which the insured exercises control.

“Recording And Distribution Of Material Or Information In Violation Of Law” exclusion:
  2. Exclusions
  This insurance does not apply to:
  *****
  "Personal and advertising injury" arising directly or indirectly out of any action or omission that violates or is alleged to violate:
  (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  (3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  (4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.

“Amendment Of Personal And Advertising Injury Definition” endorsement:
  This endorsement modifies insurance provided under the following:
  COMMERCIAL GENERAL LIABILITY COVERAGE PART
  With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. [“Oral or written publication, in any manner, of material that violates a person's right of privacy”] of the Definitions section does not apply.
Potential coverage for misappropriation and infringement claims
• ISO “Coverage B”
  COVERAGE B – PERSONAL AND ADVERTISING INJURY LIABILITY
  1. Insuring Agreement
  a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "personal and advertising injury" to which this insurance applies.
  *****
  14. "Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:
  *****
  f. The use of another's advertising idea in your "advertisement"; or
  g. Infringing upon another's copyright, trade dress or slogan in your "advertisement".
• “Advertisement” (1998 and subsequent ISO forms)
  SECTION V – DEFINITIONS
  1. "Advertisement" means a notice that is broadcast or published to the general public or specific market segments about your goods, products or services for the purpose of attracting customers or supporters. For the purposes of this definition:
  a. Notices that are published include material placed on the Internet or on similar electronic means of communication; and
  b. Regarding web sites, only that part of a web site that is about your goods, products or services for the purposes of attracting customers or supporters is considered an advertisement.
• “Advertising injury” (1996 and prior ISO forms)
  SECTION V – DEFINITIONS
  1. "Advertising injury" means injury arising out of one or more of the following offenses:
  a. Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;
  b. Oral or written publication of material that violates a person's right of privacy;
  c. Misappropriation of advertising ideas or style of doing business; or
  d. Infringement of copyright, title or slogan.
ISSUE: Has there been an “advertisement”?
• May turn on the relevant definition
  • Oglio Entm't Group, Inc. v. Hartford Cas. Ins. Co., 132 Cal. Rptr. 3d 754, 763 (Cal. Ct. App. 2011) (“There is no description of any advertisement used by [the insured] … This is especially clear, given that the policy defines advertisement as the widespread dissemination of information or images with the purpose of selling a product[.]”) (1998 and subsequent language)
  • Sentex Systems, Inc. v. Hartford Acc. & Indem. Co., 93 F.3d 578 (9th Cir. 1996) (“Hartford's principal contention is that the district court erred … because ‘advertising injury,’ defined in part in the policy as arising out of the ‘misappropriation of advertising ideas,’ includes only alleged wrongdoing that involves the text, words, or form of an advertisement. This policy's language … does not limit itself to the misappropriation of an actual advertising text. It is concerned with ‘ideas,’ a broader term.”) (pre-1998 language)
Potential hurdles to coverage
• Same “Coverage B” exclusions discussed in the previous section
• Additional exclusions
  • “Knowing Violation Of Rights Of Another”
  • “Unauthorized Use Of Another's Name Or Product”

“Knowing Violation Of Rights Of Another” exclusion:
  2. Exclusions
  This insurance does not apply to:
  *****
  a. Knowing Violation Of Rights Of Another
  "Personal and advertising injury" caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict "personal and advertising injury".

“Unauthorized Use Of Another's Name Or Product” exclusion:
  2. Exclusions
  This insurance does not apply to:
  *****
  l. Unauthorized Use Of Another's Name Or Product
  "Personal and advertising injury" arising out of the unauthorized use of another's name or product in your e-mail address, domain name or metatag, or any other similar tactics to mislead another's potential customers.
Potential coverage under “traditional” first-party property policies
• Potential coverage for loss of data, computers or computer systems
• Potential coverage for “time element” losses
  • Business interruption
  • Extra expense
Potential coverage for loss of data, computers or computer systems
• The 2007 standard-form ISO commercial property policy covers “direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.”
• Such policies may be in the form of broadly worded “all risk,” “difference in conditions,” “multiperil” or “inland marine” policies.
Potential coverage for “time element” losses
• “Business Interruption” coverage generally reimburses the insured for its loss of earnings or revenue resulting from covered property damage.
  • ISO’s “Business Income (and Extra Expense) Coverage Form” covers the loss of net profit and operating expenses that the insured “sustain[s] due to the necessary ‘suspension’ of [the insured’s] ‘operations’ during the ‘period of restoration.’”
• “Extra Expense” coverage generally covers the insured for certain extra expenses incurred to minimize or avoid business interruption and to resume normal operations.
  • ISO’s form covers “Extra Expense” to “[a]void or minimize the ‘suspension’ of business and to continue operations at the described premises or at replacement premises or temporary locations….”
ISSUE: Is there “direct physical loss of or damage”?
• See cases above
• A couple of other examples
  • NMS Services Inc. v. Hartford, 62 Fed. Appx. 511, 514 (4th Cir. 2003) (upholding coverage for business interruption and extra expense, finding “no question that [the insured] suffered damage to its property.”)
  • Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W.3d 16, 23, 25 (Tex. App. 2003) (finding that “the personal property losses alleged by Lambrecht were ‘physical’ as a matter of law” and holding that “the business income [the insured] lost as a result of the virus [wa]s covered under the policy.”)
Potential limitations to coverage
• Some standard forms seek to shift data loss from the principal coverage grant by excluding electronic data from the definition of “Covered Property” and instead providing coverage under “additional coverage” that may be subject to relatively low—presumptively inadequate—coverage sublimits
  • 2007 ISO Commercial Property Form excepts “electronic data” from the definition of “Covered Property” and provides coverage under an “Additional Coverage” that is limited to “$2,500 for all loss or damage sustained in any one policy year….”
  • 2007 ISO standard-form Business Income (and Extra Expense) Coverage Form excludes coverage for electronic data under the main coverage part and provides coverage under an “Additional Coverage” subject to a $2,500 limit for “all loss sustained and expense incurred in any one policy year….”
Potential coverage under other “traditional” policies
• Directors’ and Officers’ (D&O)
• Errors and Omissions (E&O)
  • Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010) (Network Technology E&O policy)
• Employment practices liability (EPL)
• Professional liability
• Fiduciary
• Crime
  • Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (blanket crime policy)
New “Cyber” Policies
• There will be gaps in “traditional” programs
• Types of coverages offered by many insurers
  • Third-party coverages
    o Privacy and network security
    o Media liability
    o Regulatory liability
  • First-party cyber coverage
    o Damage to computer systems
    o Business interruption and extra expense
    o Remediation
    o Extortion
• “Cyber” coverage can be extremely valuable
Types of claims and losses that may be covered:
• In the event of a data breach
  • defense and indemnity costs associated with third-party claims against a company
  • response costs associated with post-breach remediation, including notification requirements, credit monitoring, call centers, public relations efforts, forensics and crisis management
  • regulatory investigations, fines and/or penalties
• misappropriation of intellectual property or confidential business information
• the receipt or transmission of malicious code, DoS attacks, and other security threats to networks
• the cost to restore or recover data that is lost or damaged
• business interruption
• extortion from cyber attackers who have stolen data
New “Cyber” Policies
• Come under names like “Privacy and Security,” “Network Security,” and names that incorporate “Cyber,” “Privacy,” “Media” or some form of “Technology” or “Digital”
• As noted, they can be extremely valuable
• But they are like snowflakes
• This makes successful placement a real challenge
• We will end with some tips for a successful placement
Privacy and Network Security
• Typically covers against liability from data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
  I. INSURING AGREEMENTS.
  (A) Data Privacy and Network Security Liability Insurance
  We will pay Damages and Defense Costs on behalf of the Insured which the Insured shall become legally obligated to pay as a result of a Claim … alleging a Data Privacy Wrongful Act or a Network Security Wrongful Act by the Insured[.]
Data Privacy Wrongful Act
• “Data Privacy Wrongful Act” is defined to include “any negligent act, error or omission by the Insured that results in: the improper dissemination of Nonpublic Personal Information” or “any breach or violation by the Insured of any Data Privacy Laws.”
• “Nonpublic Personal Information” is defined as a natural person’s first name and last name in combination with a social security number, medical or healthcare information or data, or financial account information that would permit access to that individual’s financial account; or a natural person’s information that is designated as private by a Data Privacy Law.
• “Data Privacy Laws” is defined to include “any Canadian or U.S., federal, state, provincial, territorial and local statutes and regulations governing the confidentiality, control and use of Nonpublic Personal Information including but not limited to” key laws.
V. Insurance Coverage For Cyber Risks
• Network Security Wrongful Act
  • “Network Security Wrongful Act” is defined to include “any negligent act, error or omission by the Insured resulting in Unauthorized Access or Unauthorized Use of the Organization’s Computer System, the consequences of which include, but are not limited to:
    (1) the failure to prevent Unauthorized Access to, use of, or tampering with a Third Party’s computer systems;
    (2) the inability of an authorized Third Party to gain access to the Insured’s services;
    (3) the failure to prevent denial or disruption of Internet service to an authorized Third Party;
    (4) the failure to prevent Identity Theft or credit/debit card fraud; or
    (5) the transmission of Malicious Code.
I. INSURING AGREEMENTS.
(B) e-Media Liability Insurance: We will pay Damages and Defense Costs on behalf of the Insured which the Insured shall become legally obligated to pay as a result of a Claim … alleging a e-Media Wrongful Act by the Insured [.]
V. Insurance Coverage For Cyber Risks
• Media Liability
  • Typically covers against liability from claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content
V. Insurance Coverage For Cyber Risks
• “e-Media Wrongful Act”
  • “e-Media Wrongful Act” is defined to include “any negligent act, error or omission by the Insured that results in the following:
    (1) infringement of copyright, service mark, trademark, or misappropriation of ideas or any other intellectual property right, other than infringement of patents or trade secrets; defamation, libel, product disparagement, trade libel, false arrest, detention or imprisonment, or malicious prosecution, infringement or interference with rights of privacy or publicity; wrongful entry or eviction; invasion of the right of private occupancy; and/or plagiarism, misappropriation of ideas under implied contract; invasion or other tort related to disparagement or harm to the reputation or character of any person or organization in the Insured Entity’s Electronic Advertising or in the Insured Entity’s Advertising; or
    (2) misappropriation or misdirection of Internet based messages or media of third parties on the Internet by the Insured, including meta-tags, web site domains and names, and related cyber content.
V. Insurance Coverage For Cyber Risks
• Regulatory Liability
  • Many “third-party” cyber risk policies include defense and indemnity coverage for claims for civil, administrative or regulatory proceedings, fines and penalties
V. Insurance Coverage For Cyber Risks
• Damage To Computer Systems
  • “First-party” cyber coverage may include damage to or theft of the insured’s own computer systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
V. Insurance Coverage For Cyber Risks
• Business Interruption And Extra Expense
  • Coverage for business interruption and extra expense caused by malicious code (viruses, worms, Trojans, malware, spyware, etc.), DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
V. Insurance Coverage For Cyber Risks
• Remediation
  • costs associated with post-data breach notification, both notification required by regulation and voluntary notification
  • credit monitoring services
  • forensic investigation to determine the existence or cause of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem
V. Insurance Coverage For Cyber Risks
• Extortion
  • Cyber policies often cover losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)
V. Insurance Coverage For Cyber Risks
• Beware The Fine Print
Where We Can Help
Prevent and deter attacks
• Provide advice on the recognized security standards by the USG and industry standard setting organizations
• Assist in drafting security policies and procedures
• Training and employee education
• Prophylactic domain name registration
Aggressively pursue perpetrators
• Experienced cyber-forensic investigation team and lab
• Civil litigation to unmask perpetrators
• Collaboration with law enforcement
Respond to problems
• Advice on best practices and policies to establish to manage an identified attack
• Assistance in responding to an active attack (K&L Gates Rapid Response Team)
• Help in responding to a data breach after the fact
Our Cyber Law and Cybersecurity Approach
Avoid liability
• Review of company's cybersecurity policies and standards
  • Ensure physical, administrative and technical measures are reasonable
• Review of company’s data breach policies and procedures against applicable state, federal and international laws
• Review of contractual provisions
  • Partner, customer, employee
• Review of SEC reporting
• Advice on establishing best practices
• Assess litigation exposure
  • another company's proprietary or confidential information accessed
  • consumer class action
Mitigate risk and loss through insurance
• We counsel clients regarding insurance coverage for data security breach liability
• Traditional policies may respond to cyber liabilities, but there are limitations
• New “cyber” insurance products can be valuable as part of a company’s overall strategy to mitigate cyber risk
Our Cyber Law and Cybersecurity Approach
Questions