
University Risk Management and Insurance Association (URMIA)
2010 URMIA Journal Reprint

Fighting Phishing, Pharming, and Other Cyber-Attacks: Coverage for High Tech Liabilities

Jerold Oshinsky, Lorelie S. Masters, Kenneth K. Lee, and Cherylyn J. Briggs, Jenner & Block, LLP

If we take as given that critical infrastructures are vulnerable to a cyber terrorist attack, then the question becomes whether there are actors with the capability and motivation to carry out such an operation.
—DOROTHY DENNING (1945– ), INFORMATION SECURITY RESEARCHER

Abstract: Much like any other business or organization, as universities rely more and more on electronic resources, they open themselves up to a new set of unique risks. The examples, case studies, and research highlighted here provide a glimpse into the many potential cyber risks facing higher education risk managers. This article focuses on risks related to usage of the Internet, e-mail, and electronic devices, as well as the potential impacts of cyber-crimes and data breaches. It also explores what professionals should look for in their insurance coverage and how the courts have interpreted whether the business or organization was liable when faced with a variety of different breaches or cyber-crimes.

Introduction

Technology has increased the productivity of universities and businesses, but it comes with potential risks and liabilities. As organizations rely more heavily on the Internet, e-mail, and electronic devices, “cyber-crimes” and catastrophic electronic mishaps loom as serious threats.

In the past year alone, universities frequently found themselves in the unwanted spotlight as victims of cyber-crimes and data breaches:

• In December 2009, hackers inserted malware into Pennsylvania State University’s computers, exposing the Social Security numbers of about 30,000 people.
• Hackers accessed personal data of approximately 160,000 women who had enrolled in a mammography project conducted by the University of North Carolina at Chapel Hill. The school learned of this data breach in July 2009, but the intrusion may have occurred as early as 2007.
• In February 2009, the University of California, Berkeley announced that hackers infiltrated sensitive databases that included Social Security numbers, birth dates, and medical records of 160,000 students and alumni. Some of the data reached back to 1999.
• A cyber-criminal hacked into Eastern Illinois University’s admissions database, exposing personal data of nearly 10,000 current, past, and prospective students dating back to almost a decade.

Businesses have also suffered data breaches in recent years. For example, cyber-criminals obtained credit card, driver’s license, and Social Security information from millions of customers of TJ Maxx and Marshalls. Hackers also targeted thousands of Monster.com users and stole their personal background information.

Cyber-crimes can cripple the day-to-day operation of organizations. Viruses from hackers or disgruntled employees can disable computers or overload the network, leading to business interruption. Organizations also risk the loss of valuable intellectual property if the security of their computer network is breached.

Other forms of cyber-crimes are directed at the companies’ consumers or the universities’ students or employees. These Internet crimes can range from “phishing” (where the culprit poses as a legitimate organization to obtain confidential information) to “pharming” (where the criminal redirects web traffic from a legitimate site to a sham site) to the hacking of the organization’s network to steal sensitive information.

Accidental exposure of data or loss of data from technological malfunctions can also lead to substantial economic losses and tarnished reputations. Numerous news stories have detailed potential disclosure of sensitive information caused by the loss of employee laptops, wireless devices, USB memory sticks, and other portable storage devices.

Even as companies and universities work to reduce their vulnerability to technology-related risks, new technology advances can lead to new problems that arise more quickly than defenses can be geared up. In response, organizations have realized a heightened need for stringent risk management and insurance coverage for mishaps related to these technologies.

This paper briefly outlines significant practical and substantive issues in insurance coverage cases involving underlying technology-related liabilities. The first section of this paper provides a brief landscape of the potential liability issues. The next section analyzes the evolution of the ISO comprehensive general liability (CGL) policy language for data losses. The third section provides a brief summary of cases that have addressed whether the loss of electronic data and is covered under first-party or third-party CGL policies. Finally, the last section discusses various other areas of potential policy coverage.

I. Increasing Risk, Increasing Losses

In 2009, the Ponemon Institute, a privacy management practices think tank, estimated that the average data breach will cost an organization in the United States $204 per customer record.1 Technology liability damages may include losses due to reputational damage, litigation and defense fees, notification expenses, and costs to restore or repair lost or corrupt data. Furthermore, a data breach can lead to costly governmental investigations and fines. For example, ChoicePoint—a company that collects personal data, such as credit histories and Social Security numbers—made national headlines in 2005 when it sold 145,000 customer records to criminals posing as a legitimate business. It paid a $15 million fine to the Federal Trade Commission (FTC), and the incident led to a multimillion-dollar decrease in the company’s market capitalization.2

First-party and third-party liabilities may arise from cyber-crimes and technology-related losses. First-party liability may include damages to the organization’s computers, networks, and data; stolen or destroyed proprietary information; deletion or alteration of vital records; and business interruption due to a shutdown of a or e-commerce portal. Third-party liability may include claims arising from lost or stolen data. For example, a business may face lawsuits if a hacker or disgruntled employee steals confidential customer information.

Organizations may also face exposure to significant litigation and fines from federal and state agencies if confidential data is exposed due to a cyber-attack.

Federal Statutes and Regulations

Numerous federal statutes and regulations establish notification requirements if there is a release of protected information, and they also provide for enforcement action and/or fines. For example:

• The Gramm-Leach-Bliley Act requires financial institutions to safeguard confidential consumer information.3
• The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health care information of patients.4
• The Children’s Online Privacy Act protects online information about children, creating reporting burdens.5
• The Counterfeit Access Device and Computer Fraud and Abuse Act (CFAA) provides a civil cause of action with standing for anyone who suffers damage as the result of a breach of the act.6
• The FTC has enforcement and administrative responsibilities arising from a number of laws, including the FTC Act and Fair Credit Reporting Act. In the past few years, the FTC has brought more than a dozen related enforcement actions. For example, in 2006, the FTC settled with CardSystems and its successor, Solidus Networks, for a 2005 security breach that caused millions of dollars in fraudulent purchases. In 2005, pursuant to the Fair Credit Reporting Act, the FTC brought action against ChoicePoint for compromised data. BJ’s Wholesale Club and others have also settled with the FTC.
• A securities fraud action could be brought, for example, under a 10b-5 claim arising from stock price drops following the disclosure of a database security breach or misrepresentation of security safeguards.

• Derivative suits could also be brought against directors and officers for gross mismanagement of security.

State Laws and Regulations

Due to the torrent of data breaches, states in the past decade began to enact notification laws. Today, 45 states and the District of Columbia have enacted such laws.7 California, for example, requires that all businesses, universities, and government agencies notify affected or potentially affected people when there is evidence that private information has been exposed.8

Many of these federal and state data privacy laws also provide private causes of action. For example, CFAA allows affected consumers to bring civil actions, though it does not appear that any consumer class action suits have been successful to date. State laws vary in terms of defining who has standing to sue and establishing the pool of potential plaintiffs. A minority of states allow consumers to bring private statutory causes of action alleging actual identity theft.9 So far, there have not been any large liability verdicts, though there have been settlements.

In states where there is no private right of action for identity theft, consumers must rely on state consumer protection laws. It is often difficult to determine liability under these laws because data breach negligence standards have not been clearly established. For example, in 2006, a financial analyst’s laptop was stolen with unencrypted files of more than 550,000 mortgage loans. The court granted summary judgment for the defendant mortgage company, finding that it was not negligent and that the victims who lost data could not demonstrate any damages because of the conduct. The court reasoned that the defendant had complied with the pertinent statutory regulations because it had written security policies, risk assessment reports, and proper safeguards for its customers’ personal information.10 Nonetheless, organizations may still want to settle quickly in order to avoid bad publicity and potentially adverse precedents.

These exposures have led companies and universities to review their current insurance coverage and investigate the availability of new cyber-related insurance to cover the costs associated with data breaches, business interruptions, and damaged reputations. Some organizations are in for a rude awakening; there are often significant insurance gaps, and the issue of coverage for technology liability remains an open question.

II. Will Commercial General Liability Insurance Cover Technology-Related Liability?

A critical coverage question for many organizations is whether the technology-related loss falls within the definition of “property damage” under their third-party CGL policies. Recent post-2001 changes to the standard ISO policy form specify that electronic data are not “tangible property” and, therefore, that loss of such data does not constitute “property damage.” This new language has yet to be interpreted by the courts, but it will likely be more difficult for the insured to obtain coverage for electronic data loss. Many organizations, however, may still have coverage under the pre-2001 ISO standard policy forms that do not contain such language.

ISO Pre-2001 Policies

Property damage has historically been defined in standard CGL policies as either (a) physical injury to tangible property, including all resulting loss of use of that property, or (b) loss of use of tangible property that is not physically injured.11 Thus, the first question that needs to be addressed is whether the data breach or technology-related loss involves damage to a “tangible property.” Courts consistently have held that hardware defects that cause physical injury to computer components constitute

physical injury to tangible property.12 However, courts are not in agreement about whether electronic data are tangible property. As set forth in Section III, there is split authority with respect to pre-2001 ISO policies. Some courts have held that electronic data are not tangible, and thus that loss of data is not property damage.13 Other courts have found that loss of data constitutes property damage.14 And still other courts have avoided deciding what constitutes tangible property by granting or denying coverage based on other policy terms or exclusions.15

ISO Post-2001 Policies

In 2001, ISO amended the definition of property damage in the standard CGL policy (ISO Form CG 00 01 10 01) to expressly state that “electronic data is not tangible property.” The term “electronic data” is further defined as:

[I]nformation, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices, or any other media which are used with electronically controlled equipment.

Then in 2004, ISO created a new exclusion for electronic data (ISO Form CG 00 01 12 04). Exclusion p states:

p. Electronic Data: Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

As used in this exclusion, electronic data means information, facts, or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and application software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices, or any other media which are used with electronically controlled equipment.

Insurance companies will argue that the post-2001 ISO policies explicitly exclude coverage for claims involving corrupted, damaged, or lost computer data. However, no known court decision has yet opined on the meaning and scope of the post-2001 ISO policies, and indeed these policy language questions may raise additional interpretive questions. For example, although the 2001 ISO policy states that electronic data is not tangible property, it does not appear to exclude coverage for the loss of use of an undamaged computer caused by a data loss (i.e., loss of use of tangible property).

III. Overview of Case Law Interpreting Technology-Related Coverage Issues

If a cyber-attack causes physical damage to an organization’s servers or hard drives, the insurer must cover the losses because there is no question that there has been direct physical damage. The thornier legal question is whether an insurer is liable if the damage occurs to software or electronic data. Courts often attempt to resolve that question by determining whether or not software or data constitutes tangible property. There is a split of authority about whether the loss of electronic data is covered, and the decisions often hinge on the precise language of the policy.

Decisions Providing Coverage for Electronic Data

• The Texas Court of Appeals in Lambrecht & Associates, Inc. v. State Farm Lloyds held that the policyholder’s computer server, software, and data stored on the server were physical property, where a hacker invaded the computer system and installed a virus that rendered the server useless. The court avoided the abstract issue of whether electronic data and software can constitute tangible property and instead focused on the language of the first-party insurance policy. It held that the policy covered lost data because “electronic media

and records” was defined to include “data stored on such [electronic] media.” The loss of software was also covered because the policy offered coverage for replacing “prepackaged software programs.”16
• A federal district court in Arizona held that “physical loss or damage” in a first-party all-risk policy “is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.”17 Three mainframe computers lost power due to an outage, causing the loss of data in the random access memory. The policyholder claimed that the loss was covered as a direct physical loss, but the insurer denied the claim on the grounds that there was no physical damage.18 Relying on federal and state computer fraud laws, the court interpreted “physical loss or damage” broadly and noted that “[a]t a time when computer technology dominates our professional as well as personal lives, the Court must side with Ingram’s broader definition of ‘physical damage.’”19
• The Minnesota Court of Appeals in Retail Systems, Inc. v. CNA Ins. Co. held that a computer tape and electronic information in the tape were tangible property within the meaning of a third-party liability policy covering physical injury or destruction of tangible property. The plaintiff, a data processing consultant, developed computer programs and processed data for other companies. A third-party gave the plaintiff a computer tape to process, but the tape was damaged. The third-party then sued the plaintiff, who then sought coverage under his policy. The court held that the data on the tape was of permanent value and was integrated completely with the physical property of the tape.20 In finding coverage for the plaintiff, the court rejected a series of cases that had concluded that computer tapes are intangible property for tax purposes. It reasoned that computer tapes have little value for tax purposes, but they may have significantly greater value when used for storage of valuable data.21
• In Computer Corner v. Fireman’s Fund Ins. Co., a New Mexico Court of Appeals held that lost data on a hard-drive “was physical, had an actual physical location, occupied space, and was capable of being physically damaged or destroyed” and that the lost data was therefore covered under a CGL policy.22

Decisions Refusing to Provide Coverage for Electronic Data

• In Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., the California Court of Appeals held that the policyholder’s loss of information in a database was not covered under a first-party policy because the loss was not a “direct physical loss.” Ward, an insurance services company, was updating a software program when a programming error led to a crash of the database. All of the electronically stored data used to service Ward’s insurance policies were lost. The court held that there was no “direct physical loss” because electronic data did not have “material existence” and was not “perceptible to the senses.”23
• Similarly, in State Auto Property and Cas. Ins. Co. v. Midwest Computers & More, the insurance company argued that it was not obligated to defend and indemnify a computer repair company which had negligently caused the loss of data of its client. A federal court in Oklahoma held that the computer was not damaged and that the data stored on a computer disk was not tangible property.24 The court relied on the definition of “tangible” in Webster’s Ninth Collegiate Dictionary, which defined it as “capable of being perceived, esp. by the sense of touch…capable of being precisely identified or realized by the mind.”25
• The US Court of Appeals for the Fourth Circuit held in America Online, Inc. v. St. Paul Mercury Ins. Co. that damage to computer operating systems and software does not constitute tangible damage.26 America Online faced a spate of lawsuits after consumers claimed that the new software had bugs that made it incompatible with their computers’ operating systems and other software. The Fourth Circuit held that St. Paul did not have a duty to defend America Online under its CGL policy because computer data, software, and systems were not tangible. Relying on the purported

plain meaning of “tangible,” the court held that the computers’ operating systems and software were incapable of perception by any of the senses. As the Fourth Circuit put it, “The insurance policy in this case covers liability for ‘physical damage to tangible property,’ not damage to data, software, i.e., the abstract ideas, logic, instructions, and information.”27 Perhaps highlighting the state of flux in this area of law, the Fourth Circuit’s America Online decision was issued only six months after a different Fourth Circuit panel in an unpublished opinion held that data destroyed by a hacker was “direct physical loss” under the policy.28 The concurring opinion in NMS Servs. Inc. v. Hartford explained that the loss of electronic data constituted physical loss because “a computer stores information by rearrangement of the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses, and a ‘meaningful sequence of magnetic impulses cannot float in space.’”29

The Role of Policy Exclusions

Insurance companies may raise various policy exclusions to seek to bar coverage for underlying technology claims. However, the burden is on the insurance company to demonstrate that the exclusion applies.

In some cases, courts have used policy exclusions to deny coverage without reaching a decision as to whether the data was tangible property. For example, in Magnetic Data, Inc. v. St. Paul Fire and Marine Ins. Co., the Minnesota Supreme Court declined to decide if erased data was intangible. Instead, the court said that even if data was tangible, a “control of property” exclusion in the policy applied because the property was damaged at the insured’s premises.30

IV. Other Technology-Related Insurance Policies

New Insurance Products for Cyber-Liabilities

Due to gaps in traditional insurance policies, insurance companies have begun to market new insurance policies that address some of the cyber-liability issues. These new policies and endorsements are available from most of the major insurance companies. The policy forms are available with specific coverage or bundled in a multi-line policy. These forms are commonly called network security liability, privacy liability, or data loss liability coverage.

Network Security Liability Policies

• Network security liability policies typically cover unauthorized access to databases, identity theft, or disruption of service.
• Defense costs are covered, but there may be a decrease in the limits of liability.
• Trigger is determined by whether the policy is claims-made or occurrence.
• There is no coverage for computer failure because of fire, explosion, electrical failure, or misappropriation of trade secrets.

Privacy Liability Policies

• These policies typically cover invasion of privacy, trespass, eavesdropping, and breach of a company’s privacy policy.

Data Loss Liability Policies

• Data loss liability policies typically cover virus attacks, information corruption, computer theft and fraud, security threats to networks, and claims arising from contractual liability or invasion of privacy.
• These policies do not usually cover both first- and third-party claims. Some policies cover first-party risks such as an interruption of the policyholder’s business due to a cyber attack, while others provide coverage only for third-party claims (e.g., damage due to sending a computer virus).

Other Technology Policy Forms

• There are additional technology-related policy forms that cover acts of negligence (e.g., policyholder’s mistaken transmission of information to another company that causes damage or breach of security) or unauthorized access to a computer network resulting in data theft or loss or invasion of privacy. A number of third-party technology policies provide some type of coverage for intellectual property liability.

Other Potential Sources of Coverage in Common Policies and Provisions

While companies and universities may benefit from these new cyber-liability forms, they should not overlook that their technology-related losses may already be covered by common insurance policies and provisions: (a) the personal and advertising injury clauses in CGL policies, (b) directors and officers (D&O) policies, and (c) errors and omissions (E&O) policies.

Personal and Advertising Injury Clause in CGL Policies

Organizations facing privacy or data breach-related claims often do not consider the personal and advertising injury clause in their CGL policies.

An advertising injury occurs when a third-party suffers harm due to the policyholder’s “advertising” activities. If the term “advertising” is read properly, the personal and advertising injury clause can provide coverage and defense for a wide variety of claims, including violation of privacy rights, misappropriation of advertising ideas or style of doing business, and infringement of copyright, title, or slogan. A number of decisions interpreting this clause in the context of technology liability claims have centered on whether the definition of advertising requires communication to a broad audience. Insurers may argue that a policyholder’s technology-related claims do not constitute advertising because certain Internet-related activities may not reach a broad audience, but several courts have rejected insurers’ attempts to narrow the definition of advertising.

For example, in Zurich American Insurance Co. v. Fieldstone Mortgage Company, the court held that claims made under the Fair Credit Reporting Act (FCRA) can trigger coverage under a CGL policy and that the insurer had a duty to defend the policyholder under the personal and advertising injury clause.31 The underlying claim alleged that the policyholder had violated FCRA by improperly accessing the plaintiff’s credit information to solicit their business for subprime mortgages. The court held that the policyholder’s use of credit information in written solicitations constituted a publication, and thus fell within the scope of the personal and advertising injury clause.

Similarly, in a case involving personal injury language, the Ninth Circuit, in an unpublished opinion, read the provision broadly to find coverage for a breach-of-privacy claim. In Netscape Communications Corp. v. Federal Ins. Co., the underlying complaint alleged that AOL’s subsidiary, Netscape, had collected and used information regarding Internet users’ activities for technical support reasons, as well as opportunities for targeted advertising in violation of the Electronic Communications Privacy Act and Computer Fraud and Abuse Act. AOL’s insurance policy provided indemnity and defense against losses sustained for personal injury, which was defined to include losses arising from “making known to any person or organization written or spoken material that violates a person’s right to privacy.” The Ninth Circuit acknowledged that the underlying claims were “not traditional breach of privacy claims” because the Internet users’ activities had not been disclosed to any third-party (other than AOL and Netscape). Nonetheless, the Ninth Circuit relied on the broad definition of personal injury to find coverage, holding that the Internet users’ activities had been disseminated literally to “any person or organization.”32

Directors and Officers Liability Policies

Directors and officers (D&O) liability policies can also be invoked for potential coverage when directors and officers face technology-related liability unless

the policies expressly exclude data breach claims. An organization’s D&O insurance may cover certain costs associated with a data breach or service interruption. For example, directors and officers may be sued for their failure to make proper disclosures of inadequate security or technology-related damage that may have substantial impact on the company or institution. In one notable case, the credit card information of more than 130 million people was stolen.33 The news of the data breach led to a severe decline in the company’s stock price, leading to a shareholder derivative suit. Although the court dismissed the shareholder’s complaint in this case, directors and officers may be subject to liability for exposure of sensitive data.

Errors and Omissions Liability Policies

Errors and omissions (E&O) coverage provides insurance for damages resulting from negligence, omissions, mistakes, and errors made by the insured in the course of providing professional services. A number of different types of E&O policies may cover technology-related liabilities. These include software designers’ professional liability insurance, electronic data processors’ professional liability insurance, and computer consultants’ professional liability insurance. In at least one case, a federal court in California held that exclusions in an errors and omissions policy precluded coverage for an underlying lawsuit. However, this decision provides little guidance as to the scope of coverage under an E&O policy because the policyholder engaged in dishonest and illegal activity involving a phishing scheme.34

Conclusion

In today’s technological world, no organization is immune to technology-related claims. Accordingly, no university or company should remain in the dark about whether they have adequate insurance protection against such claims. University risk managers and counsel need to determine whether they have sufficient coverage, and, if not, determine what type of coverage they need to protect themselves against the rise of technology-related liability.

About the Authors

Jerold Oshinsky is a partner in Jenner & Block’s Litigation Department and a member of the Insurance Litigation & Counseling Practice.

Mr. Oshinsky focuses his practice on insurance coverage litigation on behalf of policyholders in federal and state courts throughout the country and on advising clients nationwide on insurance coverage-related matters. He represented Keene Corporation in Keene Corp v. Insurance Co. of North America, the landmark DC Circuit case establishing the “continuous trigger” principle in insurance coverage law. Mr. Oshinsky has litigated, and continues to litigate, many of the most significant, complex insurance coverage issues in the country. His sought after experience has touched numerous clients, including Fortune 100 companies, in a wide variety of industries—chemical, pharmaceutical, food, communications, education, financial, technology, and construction industries.

Mr. Oshinsky’s insurance coverage litigation practice consists of cutting edge work on matters including advertising liability, asbestos, broker’s liability, business interruption, construction defects, directors and officers, employment and discrimination issues, environmental liability, errors and omissions, fidelity bonds, professional indemnity, general liability, intellectual property, products liability, and first-party property policies.

Chambers recognizes Mr. Oshinsky as the “dean of the policyholder bar,” and in 2009 was included in its top-tier “Band 1” national ranking based on feedback from corporate clients and peers. He was recognized by Legal Times in 2007 as one of the 10 best insurance attorneys in Washington, DC, in its “Leading Lawyers” honors and also selected as “The Leading Lawyer in Insurance” for Washington, DC, in October 2007. He is regularly cited in Best Lawyers, Super Lawyers, and in the Lawdragon 500 Leading Lawyers in America.

Mr. Oshinsky frequently lectures and publishes on a wide variety of insurance law topics. He is the lead author and editor of Aspen’s multi-volume Practitioner’s Guide to Litigating Insurance Coverage Actions. He has published articles in the Insurance Coverage Law Bulletin, Journal of Insurance Coverage, The Corporate Analyst, The John

24 URMIA Journal 2010 Liner Review, Environmental Hazards, Th e Environmental country and, more recently, in arbitrations in the United Counselor, Chemical Waste Litigation Reporter, Asbestos States and abroad. At issue in these cases typically have Issues Magazine, Journal of Products Liability, Legal Notes been millions of dollars of insurance coverage for products & Viewpoints Quarterly, and Financier Worldwide, among liability and directors and offi cers claims. others. He serves as an expert witness in insurance Ms. Masters served as lead trial counsel for policyhold- coverage litigation matters. er Hoechst Celanese Corporation in its action enforcing Mr. Oshinsky maintains an active pro bono practice. general liability insurance coverage for hundreds of thou- He is lead counsel in three pro bono immigration sands of product liability claims against the policyholder appeals, including a matter pending before the Board in what the press called the largest property damage class of Immigration Appeals and two matters before the action settlement ever. Th e National Law Journal called US Court of Appeals for the Ninth Circuit. Also, he is the jury’s verdict in Hoechst Celanese’s coverage case handling an insurance coverage case for a veteran of the one of the “most signifi cant jury verdicts of 1997.” Most Armed Forces relating to health benefi ts and numerous recently, Ms. Masters obtained an award of more than $92 matters relating to the 2008 California Tea Fire. million to cover product liability claims against a major Mr. Oshinsky is a 1967 cum laude graduate of pharmaceutical and chemical manufacturer in an arbitra- Columbia Law School, where he was a Harlan Fiske Stone tion conducted in London under the English Arbitration Scholar and editor of the Columbia Journal of Law and Act, 1996. Social Problems, as well as a 1964 cum laude graduate of Ms. Masters is co-author of Insurance Coverage Litiga- Brooklyn College. 
He is admitted to practice in California, tion, an in-depth legal treatise fi rst published in 1997 and the District of Columbia, and New York, in addition to updated annually, and Liability Insurance in International the United States Supreme Court and federal, district, and Arbitration: Th e Bermuda Form. Ms. Masters serves on appellate courts throughout the country. the Litigation Steering Committee for the District of Columbia Bar and on the Committee on Admissions, Lorelie S. Masters is a partner in which administers and oversees applications and examina- Jenner & Block’s Washington, DC, tions for admission to the District of Columbia Bar. Ms. offi ce. She is a member of the fi rm’s Masters was president of the Women’s Bar Association of Litigation Department and Climate the District of Columbia from 2007-2008. She is a past and Clean Technology Law and policyholder chair of the Insurance Coverage Litigation Insurance Litigation and Counseling Committee of the Section of Litigation of the American Practices. Ms. Masters is AV Peer Bar Association and continues to serve in the Section of Review Rated, Martindale-Hubbell’s Litigation’s Leadership. Ms. Masters serves on the Ameri- highest peer recognition for ethical standards and legal can Bar Association’s Commission on Women in the ability. Profession. She chaired the Insurance Coverage Litigation Prior to joining Jenner & Block, Ms. Masters spent Committee’s Midyear CLE Meeting in 1999 and is a for- 17 years at Anderson Kill & Olick, LLP, in its nationally mer editor of the committee’s award-winning, bimonthly recognized insurance coverage group. Since 1983, she has journal, Coverage. Ms. Masters is a member of the Ameri- advised and represented companies and individuals seek- can Law Institute. ing to enforce insurance coverage under general liability, Ms. 
Masters received the National Association of directors and offi cers, fi rst-party property, health, and Women Lawyer’s 2005 Service Award for her work as other types of insurance. Ms. Masters also has extensive chair of NAWL’s Amicus Committee. Ms. Masters was experience in e-commerce issues and related records man- also recognized in the 2007, 2008, 2009, and 2010 edi- agement and electronic discovery issues that arise from the tions of Washington DC Super Lawyers for insurance increasing reliance on technology and computers. coverage litigation and by Th e Best Lawyers in America Ms. Masters has handled, tried, and settled cases for insurance law in 2008, 2009, and 2010. Since 2005, in state and federal trial and appellate courts across the Chambers & Partners USA has named Ms. Masters one of

URMIA Journal 2010 25 the country’s leading lawyers in insurance law. He previously practiced for several years at Wachtell, Ms. Masters graduated in 1981 from Notre Dame Law Lipton, Rosen & Katz in New York and was also a clerk School, where she was editor-in-chief of the Journal of to Judge Emilio Garza of the US Court of Appeals for the Legislation and a scholar with the Th omas J. and Alberta Fifth Circuit. Mr. Lee has written widely for both legal White Center. She graduated cum laude from George- and non-legal publications, including Th e New Republic town University in 1977. and Th e Weekly Standard. He has also authored a book on immigration policy and law titled, “Huddled Masses, Kenneth K. Lee is a partner in the Muddled Laws,” Praeger Publishers, 1998. Firm’s Litigation Department. He is a He is a 2000 magna cum laude graduate of Harvard member of the Complex Commercial Law School. He is also a 1997 summa cum laude and Phi Litigation Practice. Mr. Lee’s prac- Beta Kappa graduate of Cornell University. Mr. Lee is tice crosses a wide range of subject admitted to practice in California and New York. areas, including health care, securi- ties, corporate control, and insurance Cherylyn J. Briggs is a staff attorney coverage litigation. In addition to civil in Jenner & Block’s Litigation litigation and arbitration matters, Mr. Lee has experience Department. with federal appeals and internal corporate investigations. Prior to joining Jenner & Block, Before joining Jenner & Block, Mr. Lee was an associ- Ms. Briggs spent 14 years at Dick- ate counsel to the President of the United States. In this stein Shapiro, LLP, as a research capacity, he represented the White House in various in- attorney and director of knowledge vestigations and other sensitive matters and served as the management. 
She has signifi cant ex- White House’s legal liaison to the Department of Health perience in corporate, academic, and law fi rm research and and Human Services, the Offi ce of Science and Technolo- risk management. Management of research services in- gy Policy, and the Small Business Administration. Mr. Lee cludes the development of a full service law fi rm research coordinated with the Department of Justice on numerous department consisting of targeted and substantive legal litigation matters involving White House interests. In research support, competitive intelligence and business addition, he assisted in the selection of district and circuit development research, and implementation of a fi rm-wide court judges for the Ninth Circuit and with Presidential work product retrieval system. Risk management services pardons. He also served as special counsel to the staff of include supervision of confl icts and records departments, the Senate Judiciary Committee for the confi rmation of including implementation of an automated new matter John Roberts to the US Supreme Court. intake system, and development of fi rm-wide lateral and His private practice experience includes serving as a departing attorney workfl ow. member of the trial team that represented the leaseholder Ms. Briggs graduated from William Smith College, of the World Trade Center in a multi-billion dollar insur- receiving a BA in history. She received her MS in library ance coverage dispute in the aftermath of September 11th, science from Long Island University. She earned a Juris defending Fortune 500 companies against securities fraud Doctor from New York Law School in 1982. and shareholder derivative suits, and conducting internal Ms. Briggs is a member of the District of Columbia investigations relating to accounting issues at large fi nan- and New York Bars. cial institutions. Mr. Lee has an active pro bono practice. 
He has, in the past, won reversal of a drug conviction of an indigent cli- ent, fi led a Second Circuit amicus brief on behalf of a slain police offi cer’s widow, and written an amicus petition for certiorari in a capital criminal case.

Endnotes

1 Ponemon Institute, "Study: Cost of a Data Breach," April 28, 2010, http://www.ponemon.org/blog/post/global-data-breach-costs-examined-for-first-time.
2 Michael E. Jones, "Data Breaches: Recent Developments in the Public and Private Sectors," A Journal of Law and Policy for the Information Society (Winter 2007-2008): 556, 567.
3 See Gramm-Leach-Bliley Act, Pub. L. No. 106-103, 113 Stat. 1338 (November 2, 1999), as codified at 15 U.S.C. §§ 6801-09.
4 See 42 U.S.C. § 1320.
5 See Pub. L. No. 105-277, 112 Stat. 2681-728, as codified at 15 U.S.C. §§ 6501-6506.
6 See 18 U.S.C. §§ 1030 et seq.
7 National Conference of State Legislatures, "State Security Breach Notification Laws," April 12, 2010, http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
8 Cal. Civ. Code § 1798.29. Conn. Gen. Stat. Ann. § 36a-701b(a). Fla. Stat. Ann. § 817.5681(5). Mass. Ann. Laws Ch. 93H § 1(c).
9 These states include California, Hawaii, Illinois, Louisiana, Maryland, New Hampshire, North Carolina, Tennessee, and Washington.
10 Guin v. Brazos Higher Education Service Corp., No. Civ. 05-668 RHK/JSM, 2006 WL 288483 at *4 (D. Minn. 2006).
11 ISO form CG 00 01 01 96, Commercial General Liability Form.
12 American Guar. & Liab. Ins. v. Ingram Micro, Inc., No. 99-185, 2000 WL 726789 at *3 (D. Ariz. 2000). Retail Sys. Inc. v. CNA Ins. Co., 469 N.W. 2d 735, 737 (Minn. Ct. App. 1991). Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W. 3d 16, 25-26 (Tex. App. Tyler 2003).
13 America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp. 2d 459, 466-67 (E. D. Va. 2002), aff'd., 347 F.3d 89 (4th Cir. 2003). State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F.Supp. 2d 1113, 1115-1116 (W.D. Okla. 2001). Ward Gen. Ins. Servs., Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556-57, 7 Cal. Rptr. 3d 844, 851 (4th Dist. 2003).
14 NMS Servs., Inc. v. Hartford, 62 F. App'x 511, 514 (4th Cir. 2003) (unpublished). American Guar., 2000 WL 726789 at *3 (D. Ariz. 2000); Retail Sys., 469 N.W. 2d at 737 (Minn. Ct. App. 1991). Computer Corner, Inc. v. Fireman's Fund Ins. Co., 46 P. 3d 1264, 1266 N.M. Ct. App. 2002, cert. denied (May 9, 2002). Lambrecht, 119 S.W. 3d at 25-26 (Tex. App. Tyler 2003).
15 Magnetic Data, Inc. v. St. Paul Fire & Marine Ins. Co., 442 N.W. 2d 153, 156 (Minn. 1989) (avoiding deciding whether property is tangible and ruling that "control of property" exclusion applies).
16 Lambrecht, 119 S.W. 3d at 23-25.
17 American Guar., 2000 WL 726789 at *2 (D. Ariz. 2000).
18 Ibid. at *2-4.
19 Ibid. at *2.
20 Retail Sys., Inc., 469 N.W. 2d at 737.
21 Ibid. at 737-38.
22 Computer Corner, 46 P. 3d at 1266.
23 Ward General, 114 Cal. App. 4th at 556.
24 State Auto Prop., 147 F.Supp. 2d 1113.
25 Ibid. at 1116-18. The court further said that the loss of use of a computer would have been covered because a computer is clearly a tangible property but for an applicable policy exception.
26 America Online, 207 F.Supp. 2d at 459.
27 Ibid. at 467.
28 NMS Servs., Inc. v. Hartford, 62 F. App'x. 511, 514 (4th Cir. 2003).
29 Ibid. at 515.
30 Magnetic Data, 442 N.W. 2d at 156.
31 Zurich Am. Ins. Co. v. Fieldstone Mort. Co., No. 06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. 2007).
32 Netscape Communc's Corp. v. Federal Ins. Co., No. 08-15120, 2009 WL 2634945 (9th Cir. 2009) (unpublished).
33 In re Heartland Payment Sys., Inc. Securities Litigation, Civ. No. 09-1043, 2009 WL 4798148 (D. N.J. 2009).
34 Greenwich Ins. Co. v. Media Breakaway LLC, et al., No. CV08-937, 2009 U.S. Dist. LEXIS 63454 (C.D. Cal. 2009).

The URMIA Journal is published annually by the University Risk Management and Insurance Association (URMIA), PO Box 1027, Bloomington, IN 47402-1027. URMIA is an incorporated non-profit professional organization.

The 2010 URMIA Journal was edited by Christie Wahlert, URMIA, Bloomington, Indiana; the covers were designed by Ellen Rising Morris of Eighth Day Creations, Wheaton, Illinois; and the URMIA Journal was printed at Indiana University Printing Services, Bloomington, Indiana.

There is no charge to members for this publication. It is a privilege of membership, or it may be distributed free of charge to other interested parties. Membership and subscription inquiries should be directed to the National Office at the address above.

© LEGAL NOTICE AND COPYRIGHT: The material herein is copyright July 2010 URMIA; all rights reserved. Except as otherwise provided, URMIA grants permission for material in this publication to be copied for use by non-profit educational institutions for scholarly or instructional purposes only, provided that (1) copies are distributed at or below cost, (2) the author and URMIA are identified, (3) all text must be copied without modification and all pages must be included; and (4) proper notice of the copyright appears on each copy. If the author retains the copyright, permission to copy must be obtained from the author.

Unless otherwise expressly stated, the views expressed herein are attributed to the author and not to this publication or URMIA. The materials appearing in this publication are for information purposes only and should not be considered legal or financial advice or used as such. For a specific legal or financial opinion, readers should confer with their own legal or financial counsel.

URMIA National Office
P.O. Box 1027
Bloomington, Indiana 47402
www.urmia.org