Insurance Coverage for Data Breaches and Unauthorized Privacy Disclosures


This material was published as chapter 16 in Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age (2nd ed.) by Ryan P. Blaney of Proskauer Rose LLP (©2016 & Supp. 2019 by Practising Law Institute), www.pli.edu. Reprinted with permission. Not for resale or redistribution.

Chapter 16

Insurance Coverage for Data Breaches and Unauthorized Privacy Disclosures

Steven R. Gilford
JAMS

Marc E. Rosenthal*
Proskauer Rose LLP

* The authors would like to thank Proskauer summer associates Dakota Treece and Libbie Osaben for their work researching and updating the current version of this chapter.

(Proskauer, Rel. #6, 10/19)

§ 16:1 Overview
§ 16:2 Applicability of Historic Coverages
  § 16:2.1 First- and Third-Party Coverages for Property Loss
    [A] First-Party Property Policies
    [B] Third-Party CGL Policies: Coverage for Property Damage Claims
  § 16:2.2 CGL Coverage for Personal and Advertising Injury Claims
    [A] Publication Requirement
    [B] Right to Privacy As an Enumerated Offense
      [B][1] Telephone Consumer Protection Act Cases
      [B][2] Fair Credit Reporting Act Cases
      [B][3] “ZIP Code” Cases
  § 16:2.3 Other Coverages
    [A] Directors and Officers Liability Insurance
    [B] Errors and Omission Policies
    [C] Crime Policies
§ 16:3 Modern Cyber Policies
  § 16:3.1 Key Concepts in Cyber Coverage
    [A] Named Peril
    [B] Claims Made
  § 16:3.2 Issues of Concern in Evaluating Cyber Risk Policies
    [A] What Is Covered?
    [B] Confidential Information, Privacy Breach, and Other Key Definitions
    [C] Overlap with Existing Coverage
    [D] Limits and Deductibles
    [E] Notice Requirements
    [F] Coverage for Regulatory Investigations or Actions
    [G] Definition of Loss
    [H] Who Controls Defense and Settlement
    [I] Control of Public Relations Professionals
    [J] Issues Created by Involvement of Policyholder Employees
    [K] Coverage of a Threatened Security Breach
    [L] Coverage for “Breachless” Claims
    [M] The “Internet of Things” and Potential Physical Damage or Bodily Injury from a Cyber Attack
    [N] Governmental Activity Exclusion
    [O] Other Exclusions
  § 16:3.3 SEC Disclosure and Other Regulatory Initiatives

§ 16:1 Overview

The unauthorized disclosure of personal and other confidential information has become a well-known and ever-increasing risk for holders of third-party information and business data.[1] Notification letters from companies that have suffered data breaches have become commonplace, and high-profile breaches of millions of records at major companies have become the subject of headlines and board of directors meetings around the world.[1.1]

In addition to asserted claims of data privacy breaches, risks from technology exposures include business interruption, extortion demands, inability to perform obligations to others, damage to reputation, and loss or distortion of company and client data. As businesses continue to evolve in a technology-driven environment, so too do practices for the handling and protection of sensitive information and data. Due to the ubiquity and increasing quantity of digital information, information holders are exposed to a multitude of risks that data can be lost or stolen.[2] The costs associated with a data breach or unauthorized disclosure of confidential information can be substantial,[3] and they are likely to continue to increase as governmental regulators become increasingly vigilant and sophisticated in the regulation of cyber privacy issues and concerns.[4] At the same time, corporate directors and officers are facing increased exposure to liability in relation to data breaches, as plaintiffs’ attorneys have endeavored to hold them responsible for allegedly inadequate attention to data security.[5]

As the risks associated with data and privacy breaches continue to grow and evolve, companies and individuals have turned, in varying degrees, to their insurers for protection. One report estimates the market for cyber insurance at $3.89 billion in gross annual premiums and predicts it to increase to $23.07 billion in 2025.[6] The number of companies and individuals buying cyber policies reportedly increased by 50% from 2015 to 2016, with companies that handle large amounts of personal data, such as health care, retail, manufacturing, logistics, and telecommunications, having the highest growth.[6.1] The demand for cyber coverage is also increasing in the financial, energy, utilities, and transportation sectors due to the increasing risks they face from interconnectivity with consumers.[6.2]

Historically, claims for insurance for data privacy risks have been asserted under traditional coverages, including commercial general liability (CGL) policies, directors and officers (D&O) liability insurance, errors and omissions (E&O) policies, and commercial crime and first-party property and business interruption policies. Insurers, however, have frequently taken the position that these traditional coverages do not cover claims for data and privacy breaches.

1. See, e.g., Taylor Armerding, The 17 biggest data breaches of the 21st century, CSO (Dec. 20, 2018), https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html; Dennis Green, If you shopped at these 14 stores in the last year, your data might have been stolen, BUS. INSIDER (Apr. 6, 2018), http://www.businessinsider.com/data-breaches-2018-4; Paige Leskin, The 21 scariest data breaches of 2018, BUS. INSIDER (Dec. 30, 2018), https://www.businessinsider.com/data-hacks-breaches-biggest-of-2018-2018-12. Well-known companies like Sears, Delta, Best Buy, Marriott/Starwood, Chegg, Eventbrite, Facebook, MyFitnessPal, Under Armour, and Whole Foods experienced data breaches in 2017 and 2018.

1.1. See, e.g., Maria Korolov, Cybersecurity on the Agenda for 80 Percent of Corporate Boards, CSO (May 28, 2015), www.csoonline.com/article/2927395/data-protection/cybersecurity-on-the-agenda-for-80-percent-of-corporate-boards.html; Eve Tahmincioglu, Report: Cybersecurity Remains a Top Company Threat for Directors (Dec. 6, 2018), https://www.directorsandboards.com/news/report-cybersecurity-remains-top-company-threat-directors (noting that while a majority of directors report understanding cybersecurity issues, only 52% report being confident in providing “effective cyber-risk oversight” and 50% being “confident that their companies are secured against a cyber attack”).

2. Data loss or security breaches can occur in a number of ways, including network hacking, lost or stolen laptops, spyware, phishing, insecure media disposal, hacked card swiping devices, security vulnerabilities on mobile devices, misdirected mail and faxes, insecure wireless networks, peer-to-peer software, breaches in physical security, problematic software updates or upgrades, human error, rogue or disgruntled employees, and lost or stolen media. Even companies that specialize in storing personal information or passwords have been hacked. See, e.g., Jose Pagliery, Irony Alert: Password-storing Company Is Hacked, CNN (June 16, 2015), http://money.cnn.com/2015/06/15/technology/lastpass-password-hack/index.html; Taylor Armerding, The 17 biggest data breaches of the 21st century, CSO (Jan. 26, 2018), https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html (in 2017, Equifax, one of the largest credit bureaus in the United States, experienced a data breach that exposed the personal information of about 143 million consumers; 209,000 consumers also had their credit card data exposed); Paige Leskin, The 21 scariest data breaches of 2018, BUS. INSIDER (Dec. 30, 2018), https://www.businessinsider.com/data-hacks-breaches-biggest-of-2018-2018-12.

3. In 2018, the costs of a compromised record reportedly averaged $148 per record globally, and the average cost per data breach event was $3.86 million. Data breaches are most expensive in the United States where the average per capita cost of a data breach was $233 in 2018, and the average cost per data breach event was $7.91 million. PONEMON INSTITUTE LLC, 2018 COST OF DATA BREACH STUDY: GLOBAL OVERVIEW (July 2018), https://public.dhe.ibm.com/common/ssi/ecm/55/en/55017055usen/2018-global-codb-report_06271811_55017055USEN.pdf. Costs associated with a typical data breach can include, but are not limited to, internal investigations, forensic experts, consumer notifications, discounts for future products and services, credit monitoring, crisis management, call centers, attorney fees, payment card industry fines, increased processing fees, litigation (including damages, awards and settlements, agency and attorney general actions), reputational costs, and technology upgrades. Id.

4. See infra section 16:3.3.

5. See infra section 16:2.3[A].

6. Adroit Market Research, Cyber Security Insurance Market to Reach $23.07 Billion by 2025 (Apr. 10, 2019), https://www.globenewswire.com/news-release/2019/04/10/1802202/0/en/Cyber-Security-Insurance-Market-to-reach-23-07-Billion-by-2025-Adroit-Market-Research.html.

6.1. John P. Mello, Jr., Cyberinsurance Report 2017, Cybersecurity Ventures (Mar. 6, 2017), https://cyberseucrityventures.com/cyberinsurance-report-2017/.

6.2. Id.