U.S. Companies Still Grappling With GDPR
By Anjali Das, HospitalityLawyer.com. Published Tue, 02 Oct 2018. https://pre.hospitalitylawyer.com/u-s-companies-still-grappling-with-gdpr/

Several months after the European Union’s (EU’s) new sweeping privacy law known as the General Data Protection Regulation (GDPR) went into effect on May 25, 2018, U.S. companies are still struggling to understand the implications for their businesses. This article highlights some of the key threshold issues that companies should consider in analyzing the potential impact the GDPR may have on their operations, including restrictions on the collection and use of personal information of EU residents.

What Is the GDPR?
The GDPR (or Regulation) is perhaps the most comprehensive privacy law of its kind in the world, emphasizing the growing social, political and legal concerns about the potential misuse and abuse of individuals’ personal data. This is no surprise given the rapid advances in technology and the impact of the new economic reality of “big data” and data analytics on consumer information.

The GDPR has set a new precedent for the high stakes of protecting individuals’ privacy, which is being watched closely and even shaping the privacy laws in other countries. The GDPR replaced the Data Protection Directive of 1995 and sets stricter standards for companies that collect or process data on citizens and residents of EU member countries. While considered a milestone achievement for individuals’ data protection laws, the GDPR presents complex challenges for companies that must now take steps to become GDPR compliant or run the risk of being subject to audits, lawsuits and/or stiff financial penalties.

Which Organizations Are Subject to the GDPR?
There is a big misconception in the U.S. business community that the GDPR only applies to EU companies. The new Regulation expands the territorial reach of the GDPR to include companies established outside the EU. This means that a company that has no offices, staff or even customers in any EU country may nonetheless need to comply with the GDPR if it processes and stores personal data on EU residents in any way. In other words, U.S. companies may be subject to the GDPR if they control or process data of EU residents.

The GDPR focuses in particular on the activities of data “controllers” and data “processors.” A data controller is an individual or entity that “determines the purposes and means of processing personal data.” A data processor is any individual or entity that processes (i.e., collects, stores, uses) personal data at the direction of the data controller. A positive response (yes) to one or more of the questions below may signal that an organization is subject to the GDPR.

Does your organization process or store data on EU residents?
The GDPR broadly defines the term “data processing” to include “collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.” In reality, virtually any activity involving personal data of EU subjects may be closely scrutinized and classified as a processing activity within the definition of the Regulation, to the extent it is performed at the request of a data controller.

Does your organization offer goods or services to EU residents?
The GDPR expressly states that the Regulation applies to organizations outside the EU that offer goods or services to data subjects within the EU regardless of whether a fee is charged for such goods or services. Thus, an organization should consider whether it:

  • Offers services in a language or currency of an EU member state
  • Enables EU residents to place orders in that language
  • References EU customers in its publications.

It is noteworthy that merely having a website that is accessible by EU residents is not conclusive for purposes of determining whether an organization is subject to the GDPR.

Does your organization monitor the behavior of EU residents as that behavior occurs in the EU?
The GDPR also applies to non-EU organizations that monitor the behavior and activities of EU residents within the EU. This includes tracking EU residents on the internet to create profiles or to analyze or predict individual preferences and behavior.

What Is Protected Personal Data Under the GDPR?
The GDPR protects “personal data,” which is broadly defined in Article 4(1) to encompass:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…”

The definition provides a broad range of identifiers, including “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” For example, personal data may include a photo, racial or ethnic data, an email address, bank details, posts on social networking websites, political opinions, health and genetic information, a computer IP address and so on.

The GDPR also refers to sensitive personal data as “special categories of personal data,” which include genetic data and biometric data (where processed to uniquely identify an individual) and data concerning health. Processing of such data is prohibited unless the data subject gives explicit consent. Otherwise, there are very few exceptions under which processing of these special categories of personal data is possible (e.g., if it is necessary to defend or enforce a legal claim).

When a data controller collects personal data from an individual, including a third party, the controller must provide information to the data subject regarding processing activities, including:

  • Contact information for the controller and Data Protection Officer, if applicable
  • Purpose of the collection and processing of personal data
  • Intended recipients of the personal data, if any
  • Whether personal data will be transferred outside the EU
  • Time period for which the personal data will be stored
  • Individuals’ right to request access to, correction or erasure of their personal data
  • Individuals’ right to file a complaint with an EU privacy regulator (Supervisory Authority) with respect to the collection or use of their personal data.

What Are Consent Requirements for Processing Personal Data?
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. However, the requirements for validly obtaining consent have been increased to place a higher burden on data controllers. Article 7 sets out what is meant by consent, and the Information Commissioner’s Office (ICO) has published detailed guidance on consent under the GDPR. In brief, consent must be “freely given, specific, informed and unambiguous.” Organizations should review how they seek, record and manage consent, and whether they need to make any changes to their policies and procedures. In evaluating compliance with the GDPR’s expanded consent requirements, organizations should note the following characteristics:

  • Active Opt-in: There must be “clear affirmative action”; consent cannot be inferred from silence, pre-ticked boxes or inactivity.
  • Unbundled: Consent requests must be separate from other terms and conditions and should not be a precondition of signing up to a service unless necessary for that service.
  • Granular: Granular options to consent separately to different types of processing should be given wherever appropriate.
  • Named: Name your organization and any third parties that will be relying on consent; even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
  • Verifiable: Keep records to demonstrate what the individual has consented to, including what they were told and when and how they consented.
  • Easy to Withdraw: There must be simple ways for people to withdraw consent – tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.
  • No Imbalance in the Relationship: Consent is not “freely given” if there is imbalance in the relationship between the individual and the data controller.

What Rights Do Individuals Have to Protect Personal Data?
One of the key premises of the GDPR is to expand the rights of individuals to protect their personal data. This includes an individual’s right to access, rectify and/or seek erasure of their personal data.

Right to Access
Individuals have the right to access their personal data and request the following information from a data controller:

  • Copy of their personal data
  • Purpose of processing the personal data
  • Categories of personal data
  • Recipients of the personal data
  • Time period the personal data will be stored
  • Individual’s right to request alteration (rectification), erasure and/or restrictions on processing their personal data
  • Right to file a complaint with a Supervisory Authority
  • Extent to which decisions about the individual are made based on automated processing or profiling of personal data
  • Appropriate safeguards for transfers of personal data outside the EU.

Right to Rectification
An individual has the right to request the data controller to correct their personal data without undue delay.

Right to Be Forgotten
The GDPR recognizes an individual’s so-called “right to be forgotten,” subject to limited exceptions. In other words, an individual has the right to request the data controller to erase their personal data without undue delay in certain circumstances, including the following:

  • Personal data is no longer required for processing
  • Individual withdraws consent to the processing of their personal data
  • Individual objects to the processing of their personal data
  • Personal data has been unlawfully processed.

What Are the Record-Keeping Requirements Under the GDPR?
Data controllers and processors must maintain written documentation of all activities related to the processing of personal data (including documentation of all steps made in order to be GDPR compliant). These records should include the following information:

  • Contact information for the data controller
  • Purpose for processing the personal data
  • Description of the personal data
  • Recipients of the personal data
  • Safeguards to protect personal data transferred outside the EU
  • Anticipated time frame for erasing personal data
  • Technical safeguards employed to protect personal data.

These records of processing activities must be produced to a Supervisory Authority upon request. Notably, the GDPR’s record-keeping requirement does not apply to organizations with fewer than 250 employees.

What Security Measures Are Required to Safeguard Personal Data?
The GDPR does not dictate specific technical security measures that must be implemented by data controllers or processors to safeguard personal data. However, the Regulation does require organizations to conduct a risk assessment to ensure an appropriate level of security based on a cost-benefit analysis. The size of the organization and the nature and scope of processing activities are key factors to consider. Such security measures may include the pseudonymization of personal data (so that data cannot be linked to a specific individual); encryption of personal data; ability to restore and back up personal data; periodic security audits to test and evaluate processing activities; and adherence to recognized industry standard certification requirements to protect data.

What Is a Data Protection Officer?
The GDPR requires data controllers and processors to appoint a Data Protection Officer (DPO) when an organization’s “core activities” consist of processing personal data on a “large scale.” Germany qualifies this requirement to include instances where there is a minimum of 10 people processing personal data automatically. An organization may designate an employee or hire a third party to serve as a DPO, based on their expert knowledge of data protection laws and regulations. A DPO is responsible for monitoring an organization’s compliance with the GDPR, training employees and staff, oversight of any data protection impact assessments, cooperating with the Supervisory Authority, and acting as the liaison between the organization and the Supervisory Authority. In addition, the DPO may be responsible for responding to inquiries by individuals concerning their personal data.

Is an Organization Required to Report a Data Breach?
The GDPR introduces additional mandatory data breach reporting requirements. A data controller must report security breaches to the relevant Supervisory Authority “without undue delay, and where feasible, not later than 72 hours” after it first becomes aware of the incident. If the notification is made after 72 hours, a reasonable justification for the delay must be provided. The breach only needs to be reported if it is likely “to result in a risk for the rights and freedoms” of data subjects – if, for example, the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

A data controller also must notify individuals of a security breach “without undue delay” where the breach “is likely to result in a high risk” to the rights and freedoms of data subjects. However, notification to individuals is not required if (1) the organization has implemented appropriate security measures that render the data unintelligible to any unauthorized person (i.e., encryption); (2) the organization has taken subsequent measures to ensure that a high risk to data subjects does not materialize (i.e., remediation); or (3) it would involve a disproportionate effort, in which case a public communication will suffice (i.e., media notice or publication on the organization’s website).

The contents of the breach notification communication should include the following information where available in “clear and plain” language:

  • Nature of the incident
  • Type of personal data
  • Number of affected persons
  • Number of personal data records
  • Contact information for the DPO
  • Likely consequences of the data breach
  • Steps taken by the organization to contain and mitigate the exposure.

Notably, the breach notification requirements set forth above apply to data “controllers.” However, in the event of a breach experienced by a data “processor,” the processor is required to notify the controller “without undue delay.”

Are There Any Repercussions for Failure to Comply with the GDPR?
The most serious infringement of the GDPR can result in administrative fines by a Supervisory Authority of up to €20 million or 4 percent of the offending company’s global annual revenue, whichever is higher. For lesser noncompliance offenses, company audits and a tiered fine structure may be imposed.

Under the GDPR, data controllers and processors also may be subject to liability and damages for legal proceedings commenced by a data subject in a court of law or a complaint lodged with a Supervisory Authority. Such complaints may be filed in the jurisdiction where the data subject resides or works, or the location of the alleged infringement of the Regulation concerning the processing of the individual’s personal data. Data controllers and processors may have joint liability for compensatory damages awarded to an individual to ensure they are made whole.

The GDPR also grants Supervisory Authorities the following powers to:

  • Conduct investigations of data controllers and processors
  • Perform data protection audits
  • Issue warnings or reprimands
  • Order an organization to comply with a data subject’s request regarding personal data (including rectification, erasure and restrictions on processing)
  • Require an organization to bring its processing activities into compliance with the GDPR
  • Order an organization to notify individuals of a data breach
  • Order the suspension of data flows.

Summary
In summary, U.S. companies are well advised to consider their compliance obligations, if any, under the GDPR. The extraterritorial reach of the EU’s new privacy Regulation means that non-EU companies may be subject to the law. A critical factor in evaluating the potential application of the GDPR to U.S. companies is whether a company collects, stores, transfers or otherwise processes personal data of EU residents. If so, the company may be required to obtain an individual’s express consent to the use of their personal data, in addition to maintaining internal records of the company’s personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents. Failure to comply with the GDPR’s extensive requirements may result in regulatory investigations, legal proceedings, compensatory damages, injunction orders or hefty administrative fines.

A Guide to Cyber Coverage
Published Thu, 06 Nov 2014. https://pre.hospitalitylawyer.com/a-guide-to-cyber-coverage/

This article was first published in the ABA Coverage Journal July-August 2014, Vol. 24, No. 4.

Unless you have been living under a rock for the past few years (without a wireless connection), you are likely familiar with the countless news stories that unfold every day reporting seemingly fantastic tales of cyber espionage, hacker attacks, and myriad other data security and privacy breaches that have affected millions of people and companies across the globe. In fact, you might be one of the victims. As the Heartbleed episode demonstrates, no information on the Internet is truly safe.

According to some news reports, Heartbleed is a major flaw in encryption technology that is used by two-thirds of web servers.[2] Hackers could exploit this bug to gain access to individuals’ sensitive personal and financial information. In short, all personal and corporate data are vulnerable to some extent.

Even as some companies take greater precautions to safeguard their most valuable intangible assets, including sensitive customer and business information, it seems that hackers are employing increasingly sophisticated measures to gain access to the data. Sadly, the likely reality is that, at some point in time, you or your business may experience some form of cyber attack, which comes in various size, shapes, and forms. So what’s a company to do?

The Nuts and Bolts of Cyber Insurance

Fear not; the insurance industry has not one—but numerous—cyber liability insurance policies from which to choose. The real question is what do they cover? And do you really need one?

The good news is that cyber insurance policies have become increasingly comprehensive in terms of the cyber protection they afford. The bad news is that no one seems to understand them. Given the rapid evolution of this relatively young insurance product, cyber liability policy terms seem to change almost as frequently as the latest form of malware employed by hackers. Unfortunately, many of the policies are unnecessarily complex for their own good. Fortunately, there are some key commonalities and concepts in cyber policies that are relatively simple for the average layperson or professional to grasp.

Cyber policies typically cover claims or incidents first made and reported to the insurer during a 12-month policy period. Key coverages may include cyber-risk management tools; first-party coverage for the insured to respond to the breach; and third-party coverage for claims against the insured by third parties, including regulatory authorities and customers whose personal data have been affected. Of course, the devil is in the details with these policies—particularly the defined terms, which can read like a technical manifesto for the uninitiated.

An Ounce of Prevention with Cyber-Risk Management

According to a Carnegie Mellon University report examining how corporate boards and senior executives are managing cyber risk, directors and officers have a fiduciary duty to protect the assets of their organization. “This duty extends to digital assets, and has been expanded by laws and regulations that impose specific privacy and cybersecurity obligations on companies.”[3] Nonetheless, many companies have not given much, if any, thought to cyber-risk management or prevention. As noted by Larry Ponemon, chairman and founder of the Ponemon Institute, “only a few executive officers understand security and the rest are clueless. . . . This causes a big disconnect between the people performing information security to protect an organization’s data and the top level executives at the organization.”[4]

Indeed, according to a 2014 survey by the New York Stock Exchange, only 11 percent of boards are “very confident” of their ability to manage cyber risk.[5] As a result, many boards are reassessing their skills in cyber-risk management. Experience in overseeing the growing threat of cybersecurity risk, along with information technology (IT) expertise, is fast becoming one of the key attributes that boards will consider when appointing new directors.

To increase boards’ effectiveness at managing and reducing cyber risk, Carnegie Mellon developed a corporate governance best practices checklist, which includes some of the following suggestions:

  • Establish a dedicated Board Cyber Risk Committee, separate from the Audit Committee, and assign it responsibility for oversight of cybersecurity
  • Recruit directors with security and IT expertise
  • Conduct an annual audit and testing of security and breach response programs and controls (including incident response, breach notification, disaster recovery, and crisis communication plans)
  • Require management—preferably a chief information or security officer—to give the board periodic updates on privacy and security risks and the effectiveness of existing security measures and controls to ensure that any vulnerabilities are addressed
  • Require annual board reviews of budgets for privacy and security risk management
  • Evaluate potential liabilities and losses for cyber risk
  • Review the adequacy of cyber-risk insurance coverage.[6]

Public companies in particular should have a solid grasp of their potential cyber liability exposure because they are required under federal securities laws to publicly disclose any material risks to their business and operations. The U.S. Securities and Exchange Commission (SEC) has issued cybersecurity risk disclosure guidance encouraging companies to disclose actual or potential cyber risks that might be viewed as material to investors.[7] The SEC’s sample of cyber-risk disclosures includes the following topics:

  • Discussion of aspects of the company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
  • To the extent the company outsources functions that have material cybersecurity risks, a description of those functions and how the company addresses those third-party risks
  • Description of any material cyber incidents that the company has experienced in the past
  • Risks related to cyber incidents that might remain undetected for an extended period
  • A description of relevant insurance coverage.[8]

On March 26, 2014, the SEC hosted a roundtable on cybersecurity risk.[9] As noted by SEC Chair Mary Jo White and SEC Commissioner Luis Aguilar, the SEC is continuing to study the impact of its prior cybersecurity risk disclosure guidance and whether the agency should be more proactive in this area to protect investors and the integrity of the U.S. financial markets. The SEC is already stepping up its efforts to police Wall Street’s cybersecurity preparedness by announcing the agency’s plans to conduct an in-depth examination of 50 registered broker-dealers and investment advisers. The SEC intends to use the information gleaned from the securities industry to identify potential vulnerabilities, the industry’s current efforts to address cyber risk and areas for potential cooperation between the SEC and Wall Street to mitigate the threat of cyber risk.[10]

SEC Commissioner Luis Aguilar recently emphasized the oversight role of corporate boards with respect to cyber risk. He cautioned that “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”[11] At the New York Stock Exchange conference entitled Cyber Risks and the Boardroom, on June 10, 2014, Commissioner Aguilar proposed a series of recommendations on what boards should do to ensure that their companies are adequately addressing cyber risk.

First, he suggested that companies adopt the National Institute of Standards and Technology Cybersecurity Framework, which is intended to provide companies with a set of industry standards and best practices for managing cyber risk.[12] At its core, this framework sets forth five governing principles: (1) identify critical IT systems and electronic data assets; (2) protect these systems and assets by implementing adequate security measures; (3) detect cybersecurity threats through continuous monitoring; (4) respond to cyber attacks pursuant to a written and tested breach response plan; and (5) recover lost, stolen, or impaired assets and services pursuant to a business continuity and recovery plan.[13]

Second, Commissioner Aguilar encouraged boards to retain directors with IT and security expertise in order to evaluate whether a company’s management is taking appropriate steps to address cybersecurity issues.[14] Third, he noted that companies should have dedicated employees whose primary responsibility is managing day-to-day privacy and security, ideally including a chief information security officer.[15] Fourth, he emphasized that companies should have a tested and well-thought-out breach response and recovery plan in place. These plans should address when and how a company should publicly disclose a cyber attack—both internally within the company and externally to customers and investors.[16] 

Some cyber insurers in the market today offer sophisticated technology tools that can be used by companies to block and monitor unwarranted attacks and access to a company’s computer systems and network. Not so coincidentally, this technology is also a benefit to the insurer because it helps to reduce the risk of loss to its insured. However, this is by no means a standard feature of cyber coverage, and it is likely intended for larger companies in particular industries with greater perceived exposure.

More commonly, carriers offer their insureds one or more hours of complimentary access to a consultant or professional to discuss and review a company’s cyber readiness plan, which may include corporate data security and privacy policies; whether the company uses third-party providers that may have access to sensitive data; whether the company is compliant with industry standard data protection safeguards; whether the company conducts periodic audits of its network security and routinely upgrades its security measures as needed; training for employees to detect cyber threats or attacks; and identifying the company’s core team of individuals, dedicated responsibilities, and chain of command for reporting and responding to a data breach. In addition, carriers may provide companies with access to online cyber risk management tools and training. At a minimum, these risk management tools offer companies an invaluable opportunity to assess their risks and vulnerabilities before an attack.

First-Party Cyber Coverage: Investigating and Containing the Loss

Of course, access to cyber-risk management tools does not replace the comfort that comprehensive first-party coverage can provide in the event of an actual data breach. This is the touchstone of cyber liability insurance and likely the reason companies will consider buying the coverage in the first place. Many companies simply do not have the time, money, or resources to devote to developing a full-scale cyber readiness plan and team to respond to cyber attacks. Fortunately, many cyber insurers today offer companies a one-stop solution for data breach response and mitigation. This is critical because time is of the essence in identifying and reporting a breach.

To put things into perspective, companies should consider the potential out-of-pocket costs they may incur as a result of a data breach. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, the average cost to a company is $201 for every stolen record. The total average organizational cost of a data breach for U.S. companies is $5.85 million. This amount can be broken down as follows: $417,000 for detection costs (including forensic and investigative activities and crisis team management); $509,237 for breach notification costs; $1,599,996 for post-breach remediation costs (including help desk activities, product discounts, identity theft protection services, and dealing with regulators); $3,324,959 in lost business costs (including reputational injury, diminished goodwill, and loss of business).[17]

Notably, Ponemon’s survey is limited to data breaches affecting fewer than 100,000 records. For that reason, these figures can be dramatically higher for large data breaches. For instance, according to Target’s SEC filings for the period ending May 3, 2014, the company had incurred $88 million in costs attributed to the data breach it experienced during the 2013 year-end holiday season, which affected more than 100 million customer records, including stolen credit and debit card information. While Target purchased $100 million in dedicated cyber liability insurance coverage (subject to a $10 million deductible), the company expects to receive only $52 million from its insurers to offset the $88 million loss.[18] Meanwhile, Target’s losses from the data breach continue to accrue, with some pundits predicting the company’s total losses to be as high as $1 billion. A company’s ability to absorb uninsured losses arising from a cyber attack is, of course, dependent in part on the size of the company, its financial situation, and myriad other factors. While a large company like Target might be able to withstand losses upwards of hundreds of millions of dollars, a $5 million loss might put a small company without cyber insurance coverage out of business.

It is important to understand what constitutes a triggering event for purposes of first-party coverage under a cyber liability insurance policy. In very basic terms, this usually includes unauthorized access to a company’s computer systems that results in the disclosure of customers’ nonpublic personal information (including financial or personal health information) that is in the possession or control of the insured. This is an important point because the policy may or may not cover data breach incidents when a third-party provider maintains the personal information that is exposed. The insured may be notified of a breach by its own IT department, vendors, customers, or even government authorities such as the Federal Bureau of Investigation (FBI).

How Cyber Carriers Can Assist Companies in the Event of a Breach

Oftentimes, a company is in panic mode when it first discovers that a data breach may have occurred and has no idea what to do. This is where the experience of a seasoned carrier and its team of vendors and law firms may step in to provide critical guidance and support to help mitigate and contain any potential loss.

First, the carrier may direct the insured to a preapproved data breach coach or breach response team with crisis management experience—similar to dialing 9-1-1 in the event of an emergency. This is typically an outside consultant, professional, or law firm that works hand-in-hand with the insured and coordinates all of the fast-moving parts in the event of a breach.

Second, the carrier or breach coach may contact a carrier-approved forensics expert to investigate the cause and scope of the attack on the company’s computer system, in addition to working to contain the breach. The initial forensics investigation may be one of the most crucial steps in determining whether, in fact, personal information was accessed by unauthorized intruders and how widespread the breach might be.

Third, the carrier or breach coach may also retain another carrier-approved vendor to send out the appropriate notifications to individuals, customers, or patients whose data may have been stolen. This is not as easy as it seems because the insured is required to comply with a panoply of breach notification statutes, which vary from state to state. Some states have particularly onerous notice laws. For instance, California’s breach law requires that certain health care facilities notify affected individuals of a breach involving unencrypted health information in as few as five business days after discovering the breach, in addition to notifying the California Department of Public Health.[19] Moreover, the insured must comply with the notice statutes in every state in which it does business—not simply where it is officially domiciled. The insured may also be required to provide notice to certain government and regulatory authorities, including various state attorneys general and the Federal Trade Commission (FTC).

Because data breach notification statutes continue to evolve, keeping up with the changes and requirements can be a full-time job. For instance, in April 2014, Kentucky became the forty-seventh state to enact a breach notification law, which requires companies transacting business in the state to promptly notify all affected Kentucky residents whose personally identifiable information (PII) is or may be compromised. Under Kentucky law, PII is defined as an individual’s name in combination with a Social Security number, driver’s license number, or debit or credit account number, along with any security code, access code, or password required to access an individual’s financial account.[20]

On July 1, 2014, the Florida Information Protection Act went into effect.[21] The new Florida act strengthens existing state breach notification laws by shortening the time frame for providing notice to affected consumers (from 45 to 30 days) and imposing stiff monetary fines (up to $500,000) on companies that fail to comply with the new notice provisions. In addition to expanding the definition of protected personal information, the Florida act requires companies to notify the state’s attorney general of all data breaches affecting 500 or more Florida residents—regardless of whether the breach adversely affected such individuals.

Earlier this year, in an effort to streamline the patchwork of state breach notification requirements, the United States Senate introduced a federal Data Security and Breach Notification Act.[22] However, unless and until such federal legislation is enacted, companies will have to comply with the complex web of individual state notification laws. For many companies, it may be easier to use the services of a carrier-approved third party to send out notices in the event of a breach.

Last, but not least, the carrier or breach coach may also retain a carrier-approved public relations (PR) firm to minimize the effect of any negative publicity in the media as a result of the data breach. This is valuable because many customers’ gut reaction might be to stop doing business with a company that has been the subject of a large-scale breach, at least for a while. This translates into lost dollars and revenue for the company. In addition, the company’s stock price could take a hit.

In theory, a company could independently hire a forensics expert, notification vendor, PR firm, etc. In reality, few companies have the experience or resources to efficiently manage all of the moving parts on short notice. Immediate 24/7 accessibility to a carrier’s pre-vetted data breach experts can ease some of the immediate pressure on management so they can strategize about how best to handle the breach from a business perspective.

Other bells and whistles in first-party coverage may include remediation costs associated with setting up and manning a call center to answer customer inquiries about the breach, credit monitoring services, identity theft monitoring services, or a combination of these.

Some cyber policies may also provide valuable business interruption coverage for an insured’s economic losses sustained as a result of a temporary shutdown of its computer systems in the wake of a cyber incident or attack. The insured may be required to submit a proof of loss to the insurer detailing the company’s estimated loss of business, revenue, and continuing operating expenses during the relevant time period. The policy may provide a sub-limit of liability for business interruption loss, including a per diem limit for a specified time frame.

In addition, cyber policies may afford “cyber extortion” coverage. While this sounds like something that might be found in a kidnap and ransom (K&R) policy—or a science fiction movie—the threat of cyber extortion is becoming increasingly common. There has been a recent rise in a form of malware known as “ransomware.” One such example is “CryptoLocker,” a type of malware that encrypts the victim’s computer files and locks the owner out of them. The attacker then sends a message demanding that the owner pay a “ransom” to regain access to the electronic information. Of course, there is no guarantee that the files will be unlocked even if the ransom is paid.

On June 2, 2014, the U.S. Department of Justice (DOJ) announced that it worked closely with the FBI and foreign law enforcement officials in Canada, Germany, Luxembourg, the Netherlands, the United Kingdom, and Ukraine to seize computer servers acting as command and control hubs for the CryptoLocker malware, which began appearing in September 2013. Security researchers estimated that as of April 2014, CryptoLocker had infected more than 234,000 computers worldwide seeking ransom payments exceeding $27 million.[23]

Third-Party Cyber Coverage for Unavoidable Litigation

Of course, even the most aggressive steps to contain and mitigate the loss resulting from a breach cannot stem the tide of complaints or lawsuits filed by angry customers whose data may have been lost or stolen. In the event of a large breach, plaintiffs’ attorneys may get in on the action by filing nationwide consumer class actions against the insured for alleged violations of various state and federal laws.

This is where the third-party cyber coverage kicks in. The triggering event is usually a claim by a third party against the insured as a result of the breach. The policy definition of a claim may include a written demand or civil proceeding seeking monetary damages or non-monetary relief. It is possible that regulatory authorities such as the FTC, in addition to customers, may bring suit against the insured for failing to adequately safeguard customer information.

In a blow to companies that have been the victims of hacker attacks, a New Jersey federal court held in FTC v. Wyndham Worldwide Corp. that the FTC can bring suits under section 5(a) of the FTC Act, 15 U.S.C. § 45(a), against companies for failure to maintain reasonable data security for consumers’ sensitive personal information.[24] The FTC, the nation’s consumer privacy watchdog, filed suit against hotel operator Wyndham in connection with a data breach for violation of section 5(a) of the FTC Act, which prohibits unfair and deceptive acts or practices. The FTC alleged that Wyndham failed to implement reasonable security measures, which compromised consumers’ personal information and caused substantial consumer injury. Wyndham challenged the FTC’s ability to assert a claim under section 5(a) in the data security context. Nonetheless, the court declined to “carve out a data security exception” to the FTC’s broad statutory authority. Unless the ruling is reversed on appeal, companies can expect to see more suits filed by the FTC in the wake of a data breach.

Of course, the insured should promptly notify the insurer in the event of a lawsuit. Such claims may trigger the insurer’s duty to defend the insured. The insurer may have a list of preapproved panel counsel firms that have demonstrated experience defending privacy claims and class actions. The insurer may appoint defense counsel and pay defense costs and other approved claims expenses on behalf of the insured in defense of the claims. If a suit is not quickly disposed of early in the litigation by a motion to dismiss, the litigation can become exceedingly costly, time-consuming, and long-lived. Indeed, defense costs alone for multiple, large-scale litigation could be millions of dollars.

In addition to paying defense costs, third-party coverage may include other types of loss incurred by the insured as a result of a claim, including damages, judgments, or settlements. However, once again, it is important to review the policy definition of “damages” or “loss,” which may exclude certain amounts such as salaries or other overhead incurred by the insured’s employees; civil, criminal, or regulatory fines or penalties; and payments that represent restitution or disgorgement of ill-gotten gain by the insureds.

The latter concept excluding coverage for restitutionary payments could be tested under the recent settlement in Curry v. AvMed, Inc.,[25]  filed in the Southern District of Florida. In that case, a Florida federal judge approved a $3 million class action settlement against health insurer AvMed for failing to properly safeguard plaintiffs’ personal health information in accordance with the standards set forth by the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. § 164.320 et seq. The plaintiffs alleged that AvMed was “unjustly enriched” because the plaintiffs paid AvMed higher health insurance premiums so that AvMed would take adequate measures to protect the plaintiffs’ data. Instead of litigating, AvMed agreed to pay the settlement whereby class members whose personal information was stolen would receive $10 for every year they were an AvMed customer, not to exceed $30. While it is not clear whether AvMed sought or obtained insurance coverage for the settlement, some insurers could argue that a settlement of a claim based on a theory that the insured was unjustly enriched is not a covered loss under an insurance policy because the insured is simply returning something (i.e., excess premium) to which it was not entitled. Courts have repeatedly held that this is not a covered loss under an insurance policy.[26]

Coverage Exclusions and Traps for the Unwary

Of course, like all insurance policies, cyber policies have a host of terms, conditions, and exclusions that warrant close scrutiny. Some common exclusions to consider include the following:

First, the policy may contain a prior notice exclusion that bars coverage for claims or potential claims that were reported by the insured under a prior policy. For instance, an insured may have reported a network intrusion as a potential claim under a prior policy. At the time, the insured did not believe that the attempted attack on its computer systems resulted in the disclosure of any sensitive customer information. However, several months later, after the insured purchased cyber insurance from a different insurer, the insured discovered that the prior network intrusion had in fact resulted in the loss or theft of customers’ personal information. In that situation, the insurer under the second cyber policy might deny coverage for any claims subsequently arising out of the network intrusion pursuant to the prior notice exclusion.

Second, the policy may contain a prior knowledge exclusion that bars coverage for any facts or circumstances known to the insured prior to the inception of the policy that could reasonably be expected to give rise to a claim under the policy. Using the example above, the new cyber insurer could deny coverage on the basis that the insured obviously had knowledge of a circumstance that could lead to a claim because the insured reported this fact under a prior policy. Or perhaps, during the course of a forensics investigation of a breach, it might come to light that the insured was aware of an existing vulnerability in its computer systems that compromised its firewalls or anti-virus protection, which the insured failed to rectify. Similarly, in that instance, the insurer might deny coverage based on a prior known incident that could give rise to a claim under the policy.

Third, many claims-made policies contain interrelated acts language to the effect that all claims or events arising out of the same wrongful act or interrelated wrongful acts may be treated as a single claim deemed to be first made at the time the earliest claim or event was first reported by the insured to the insurer. Interrelated acts language can be a double-edged sword. The analysis is extremely fact-intensive and has not yet been tested in the cyber arena. Consider, for example, an insured that has been the subject of a hacker attack during one policy period. The insured is again subject to an attack during a second policy period. Are both policies triggered? Or are both attacks considered interrelated for purposes of coverage? It is in the insured’s best interest to treat these attacks as unrelated to benefit from two separate policies with two separate limits of liability. Conversely, it might be in the insurer’s best interest to treat these attacks as a single interrelated act or event for purposes of limiting coverage to a single policy. Some policies do not specify the parameters for interrelatedness. Factors to consider may include temporal proximity, the source of the attack, the nature of the attack, and the methods used by the attacker to access the insured’s computer systems.

Fourth, cyber policies typically restrict coverage for mechanical or electrical failures that affect a company’s computer systems or infrastructure, or “acts of God” such as fire, flood, earthquakes, or other natural disasters. For example, a tsunami that shuts down a power grid and all computer systems connected to that grid is not likely a covered event. Cyber policies may also contain a “war and terrorism” exclusion. It is important to note whether the policy addresses coverage for acts of cyber terrorism or cyber espionage by foreign governments, particularly in light of the purported rise of cyber attacks by the Chinese government and its state-owned or state-controlled businesses and enterprises.

Fifth, cyber policies may contain a property damage exclusion that bars coverage for any damage to tangible property—but not including the damage, corruption, or loss of the insured’s intangible electronic data. The purpose of such property damage exclusions is to avoid duplicating coverage afforded under a standard commercial general liability (CGL) policy that typically affords coverage for bodily injury and property damage. There has been a growing debate as to whether or not CGL policies should cover claims involving cyber attacks and loss of electronic data. Courts have adopted competing views as to whether a loss of data gives rise to a property damage claim.[27] As a result, many CGL carriers may begin to include new endorsements to their policy forms that expressly exclude coverage for damages or other losses resulting from a data breach.

In May 2014, new Insurance Services Office (ISO) cyber exclusions for CGL policies went into effect. These exclude coverage for damages arising out of

1) any access to or disclosure of any person’s or organization’s confidential or personal information, including . . . financial information, credit card information, health information or any other type of nonpublic information; or (2) the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.[28]

In that event, is the insured covered for physical damage to its computer systems, hardware, and other electronic devices as a result of an unauthorized attack on or disabling of its systems? What if a cyber attack causes a company’s computer systems to ship physical inventory that is not recoverable? The answer will depend on the precise policy wording.

The foregoing list is not exhaustive and is only a sampling of a few coverage issues to consider under cyber policies.

Conclusion

The best defense is a good offense when it comes to cyber insurance. Without a doubt, insurance coverage is a risk management tool and one way to mitigate potential losses stemming from a data breach. As noted above, even the SEC has promulgated guidelines suggesting that companies consider disclosing to investors whether the company has insurance coverage for cyber security risks. Moreover, recent high-profile data breach incidents have put a spotlight on corporate boards and their management for alleged failure to ensure that companies have appropriate safeguards and internal controls in place to minimize the risk of loss from cyber attacks. As demonstrated by the Target breach, the fallout from a widespread data breach can have serious adverse consequences for a company, including costly litigation by customers and shareholders; expensive government investigations by state and federal authorities, including state attorneys general and the FTC; loss of business and revenue; decline in the company’s stock price; reputational injury; resignations or terminations of top-level management; and a demand for the ouster of board members by activist shareholders.

While not every breach incident will have the same magnitude, the potential consequences are relative to the size of the company and its business. A cyber incident that might be considered relatively insignificant by one company may be devastating to another. To lessen the effect, companies and their boards should consider the widespread, if somewhat dizzying, array of cyber insurance products on the market today, which can often be tailored to meet the needs of a particular insured.

__________________________________________________________________________________________________________

[1] Anjali C. Das is a partner with Wilson Elser, LLP, Chicago, where her practice focuses on professional liability and insurance coverage matters. She is a member of the firm’s Insurance Coverage and Data Security and Privacy practice groups.
[2] Heather Kelly, “The Heartbleed Security Flaw That Affects Most of the Internet,” CNN.com, Apr. 9, 2014.
[3] Jody R. Westby, Governance of Enterprise Security: CyLab 2012 Report—How Boards and Senior Executives Are Managing Their Cyber Risks 5 (Carnegie Mellon Univ. May 16, 2012).
[4] Cyber Security & Data Breaches Checklist, http://blog.turner-associations.com/cyber-security-data-breaches-checklist.
[5] NYSE Governance Servs., What Directors Think 2014 Survey.
[6] Carnegie Mellon CyLab 2012 Report, supra note 3, at 8.
[7] SEC CF Disclosure Guidance: Topic No. 2 on Cybersecurity (Oct. 13, 2011).
[8] SEC CF Disclosure Guidance: Topic No. 2 on Cybersecurity (Oct. 13, 2011).
[9] A Public Statement by SEC Commissioner Luis A. Aguilar, The Commission’s Role in Addressing the Growing Cyber-Threat (Mar. 26, 2014).
[10] SEC Office of Compliance Inspections & Examinations, OCIE Cybersecurity Initiative, Risk Alert, Vol. IV, No. 2 (Apr. 15, 2014).
[11] Adam Veness, “Calling All Boards of Directors: Four Recommendations from the SEC,” Cyber Risks Boardroom Series, Privacy and Security Matters (June 13, 2014).
[12] SEC Commissioner Luis Aguilar, Remarks at the New York Stock Exchange Cyber Risks and the Boardroom Conference (June 10, 2014).
[13] NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
[14] SEC Commissioner Luis Aguilar, Remarks at the New York Stock Exchange Cyber Risks and the Boardroom Conference (June 10, 2014).
[14] NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
[15] SEC Commissioner Luis Aguilar, Remarks at the New York Stock Exchange Cyber Risks and the Boardroom Conference (June 10, 2014).
[15] NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
[16] SEC Commissioner Luis Aguilar, Remarks at the New York Stock Exchange Cyber Risks and the Boardroom Conference (June 10, 2014).
[16] NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
[17] Ponemon Inst., 2014 Costs of Data Breach Study: Global Analysis (May 2014).
[18] See Target’s Form 10-Q for the quarterly period ending May 3, 2014.
[19] California Health & Safety Code § 1280.15.
[20] See House Bill 232, §§ 1(1)(b) and (c), et seq., 2014 Gen. Assemb., Reg. Sess. (Ky. 2014).
[21] The Florida Information Protection Act of 2014 (Senate Bill 1524) repeals section 817.5681 of the Florida Statutes and replaces it with section 501.171 under the Consumer Protection Chapter of the Florida Statutes.
[22] S. 1976, 113th Cong., 2d Sess. (Jan. 30, 2014).
[23] Press Release, DOJ, U.S. Leads Multi-National Action Against Gameover Zeus Botnet and Cryptolocker Ransomware, Charges Botnet Administrator (June 2, 2014).
[24] FTC v. Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 84914 (D.N.J. June 23, 2014).
[25] 2014 U.S. Dist. LEXIS 48485 (S.D. Fla. Feb. 28, 2014).
[26] See, e.g., Bank of the West v. Superior Court, 2 Cal. 4th 1254, 10 Cal. Rptr. 2d 538, 833 P.2d 545, 552–53 (Cal. 1992) (“It is well established that one may not insure against the risk of being ordered to return money or property that has been wrongfully acquired.”); Republic W. Ins. Co. v. Spierer, Woodward, Willens, Denis & Furstman, 68 F.3d 347, 351–52 (9th Cir. 1995) (finding that restitutionary payments by an insured were not covered under the insurance policy); Level 3 Commc’ns v. Fed. Ins. Co., 272 F.3d 908 (7th Cir. 2001); Vigilant Ins. Co. v. Credit Suisse First Boston Corp., 10 A.D.3d 528, 782 N.Y.S.2d 19 (2004) (“The risk of being directed to return improperly acquired funds is not insurable. Restitution of ill-gotten funds does not constitute ‘damages’ or a ‘loss’ as those terms are used in insurance policies”); Vigilant Ins. Co. v. Bear Stearns Cos., Inc., 814 N.Y.S.2d 566, 2006 N.Y. Misc. LEXIS 63, at *10–11 (“In general, a party may not recover disgorged funds through insurance because to do so would enable that party to retain the proceeds of its wrongful acts and shift the burden of the loss to its insurer [citations omitted]. Such a result would also eliminate the party’s incentive for obeying the law”).
[27] See, e.g., Nationwide Ins. Co. v. Central Laborers Pension Fund, 704 F.3d 522 (7th Cir. 2013) (finding that the theft of a compact disc containing data was property damage but that the loss of the data itself was not property damage); Eyeblaster v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010) (finding that interference with use of a computer was property damage); AOL v. St. Paul Mercury, 347 F.3d 89 (4th Cir. 2003) (finding that damage to software was not property damage); Am. Guarantee v. Ingram Micro, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. 2000) (finding that loss of data was property damage).
[28] ISO Endorsement CG 21 07 05 14 (2013).
