By

Like a brown-paper-bag-wrapped birthday present, the Fifth Circuit’s June 25th decision in Spec’s v. Hanover arrived in my in-box with a resounding ‘meh.’  You see, I get daily emails from Westlaw attaching opinions that may or may not implicate cyberinsurance coverage law.  I use the broadest search terms imaginable to make sure I don’t miss anything by being under-inclusive.  And when you ask for everything, you get, well, everything.  Most days I can tell from the caption of the attachment whether it’s a case I should read.  Most days, it isn’t.

But today the Fifth Circuit redefined the fairly typical contractual liability exclusion in the cyberinsurance context.  The fact pattern is common.  Retailer hires credit card processor.  The processor says, ‘ok, we’ll take your business, but you’ll sign a contract that makes you responsible if anything goes wrong.’  The retailer has no choice because you need a processor and they all use the same liability shifting language in their contracts.  Then the data breach…

Following the breach, the Payment Card Industry (PCI) comes down on the processor with considerable fines and enhanced security requirements.  The processor passes both along to the retailer.  The retailer is in the hole, big time.

Continue reading

By

The 2018 Verizon Data Breach Investigations Report indicates that in the education industry (yes, it’s an industry), the most prevalent type of data breach is “social attacks.”  What’s a social attack?

Phishing is a social attack.  That’s when you get an email with a link or attachment that just begs to be clicked.  And clicking is the functional equivalent of leaving your front door open when you go on vacation.

A more nuanced social attack is now referred to as “pretexting.”  This is sort of like phishing, though it involves more detailed back-and-forth dialogue with the malicious actor, who often takes on a specific persona to facilitate the scheme.  As Verizon more eloquently explains, pretexting is the “creation of a false narrative to obtain information or influence behavior.”  Think impersonating executives or your Facebook friends.

Continue reading

By

Since 2016, Verizon has annually declined to estimate the average cost of a data breach.  Verizon reasons that since there are many variables that can determine breach cost, there is no reliable “average” data point.  There are, however, identifiable factors that we know impact breach cost, like industry sector, threat actor, number of records, impacted data type etc.  So, the more we know about a particular entity’s risk profile, there better equipped that entity is not only to protect itself but also to predict the potential cost of a breach.

Enter Chubb’s Cyber Risk Index.  It’s 20 years of claims data, organized by industry, annual revenue and time period.  Since industry sector and company size are significant differentiators in the context of data breach analyses, this tool lets companies hone in on meaningful data about the nature and extent of their data breach risk.  And it’s free, whether you’re insured by Chubb or not.

I played with the interactive index a bit and here are a few interesting data points:

Continue reading

By

On May 18, 2018, the Colorado legislature sent HB 18-1128, an Act Concerning Strengthening Protections for Consumer Data Privacy, to the governor’s desk for execution.  The bill is one of a number of recent efforts by states to respond to a slew of high profile breaches announced this year, including Equifax, Facebook, Panera Bread, Under Armour and – well, you get it.

The bill mimics a trend of inching toward the heightened and more specific standards employed by the EU’s General Data Protection Regulation.  For example, HB-18-1128 replaces an ‘as soon as practicable’ breach notification requirement with a deadline of not later than 30 days from the date a breach is determined to have occurred.  That’s more latitude than GDPR’s seemingly impossible 72-hour time limit (where feasible, of course), but it is another indication of regulators’ insistence on firm, identifiable timelines.

Also like the GDPR, the Colorado bill explicitly mandates that data is maintained “no longer than needed,” an example of the growing trend toward data minimization.  With respect to security measures themselves, the bill requires “reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations,” a ‘commercially reasonable’ standard of sorts that also mirrors the GDPR (appropriate technical and organizational measures in light of a host of factors).  Want one more similarity?  The bill requires covered entities to mandate implementation of reasonable security measures by third party service providers, another trend reflected both in the GDPR and newer legislation being passed or proposed around the country.

Continue reading

By

In Spec’s Family Partners v. The Hanover Insurance Company, the Southern District of Texas became the second court to grapple with the interaction among Payment Card Industry (PCI) fines, payment card processor contracts and the infamous contractual liability exclusion that is still present in many cyberinsurance policies.

You can read about the first court to do so here.  Spoiler: also no coverage.

Spec’s, a family-owned retail chain, suffered two data breaches of its payment card system resulting in the loss of customer information and credit card numbers.  Spec’s processed its credit transactions through a third party, First Data Merchant Services.  Following the breaches, First Data was fined almost $10 million by MasterCard and Visa.  First Data invoked the indemnification provision in its processor agreement and demanded that Spec’s pay the fines.

Continue reading

By

Solvency.  It means you can pay your tab.  Cyber attacks are occurring with greater frequency and effectiveness, resulting in an ever-increasing bill.  The cyberinsurance market is booming, but will policy premiums and carrier reserves keep pace with the cost of claims?

It’s a fair question.

Consider the magnitude of loss problem first.  Once upon a time, to steal from a bank, you had to ride a horse, drive a car, take an Uber – whatever – and enter the bank.  Now, automated cyber attacks can launch innumerable attempts per hour, with likely anonymity and without the constraints of physical travel or the risks that follow telling everyone to get on the ground.  I suppose you could still create a hostage scenario to shut down a casino for a while, but a distributed denial of service attack targeting an online gaming platform is easier, less risky and potentially far more damaging.  In the Dyn, WannaCry and the recent Petya (or not Petya) attacks, we saw how far-reaching a ‘single’ attack can be.  Fact: It’s easier and less risky to do more damage now than ever before.  Insureds are more vulnerable as a result.

Continue reading

By

On Tuesday, I was privileged to be part of a panel discussing cyberinsurance for public pension funds at Kessler Topaz’s Evolving Fiduciary Obligations for Institutional Investors conference, joining Victoria Hale, General Counsel of the Denver Employees Retirement Plan, and pension attorney Chris Waddell.  We emphasized that the cyberinsurance procurement process is unique as compared to the renewal of traditional lines.  The coverage is highly negotiable and definitely not one-size-fits-all.  Here are a few pension-fund specific tips.

First, make sure intentional employee misconduct is covered.  Insider misuse is among the most prevalent causes of data breaches for financial and public institutions.  Yet, because cyberinsurance forms largely trace their roots back to commercial general liability policies, some of them still contain the traditional ‘intentional acts’ exclusion that bars coverage for an insured’s intentional misconduct.  To make sure that your policy covers one of the most common breach causes, push back on this exclusion.  Carriers will typically agree to a carve-out for ‘rogue employees,’ or will limit the definition of “insured” to employees only when acting within their scopes of employment.  Either should leave coverage in tact when employees purposefully misbehave.

Second, be wary of cyber-endorsements to E&O and D&O policies.  These endorsements are presented as low-cost alternatives to stand-alone cyberinsurance, but, as I covered here, you may be purchasing dangerously limited coverage.  Many of these endorsements cover only third party risks – i.e., the class action lawsuit filed by individuals whose data has been compromised.  This is likely not the most significant risk faced by funds.  In fact, the most expensive elements of a data breach for public and financial institutions are legal advice for breach notification, forensic IT work to identify the problem and fix it and the breach notification itself, which generally costs $2-3 per notice recipient.  Cyber-endorsements can be inexpensive, but they are only valuable if they contain an appropriate mix of first and third party coverages, the former of which must include breach coaching, IT response and breach notification.

Continue reading

By

There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people.  The first known event involved the 2008-2010 infiltration of a computer virus called “Stuxnet” into Iranian networks that controlled nuclear subterfuges.  The virus caused them to spin out of control, destroying about 20% of them.  Another involved a hacking attack on a German steel mill in 2014, causing a blast furnace to malfunction and resulting in massive damage.  Last year, an Iranian petrochemical company suffered a series of fires and explosions believed to have been caused by a hacking attack.  And for each of these types of events, there have been innumerable other attacks on that could have but did not result in physical harm.

While underwriters still struggle to accurately quantify this risk, there is an increased willingness to enter the cyber-physical coverage market in different, and sometimes fairly creative, ways.  But this risk doesn’t only impact cyber-coverage.  Cyber-physical attacks can have enormous consequences, with damages likely to exponentially exceed the coverage provided by these new products.  These attacks can be coordinated across multiple geographic regions, they can impact many people and businesses across numerous economic sectors and they appear to be easier than ever to anonymously effectuate.

The increased ease with which these attacks can be carried out coupled with the unprecedented level of harm they can cause requires likely targets to carefully explore the cyber-physical risk market.  These circumstances, however, also require renewed consideration of traditional coverages by those who may be impacted downstream and by those who might find themselves defendants when even cyber-physical coverage purchased by the targets of these attacks proves woefully insufficient in light of the extent of harm.  In fact, there are likely few companies that don’t need to revisit their entire insurance programs in light of the emerging cyber-physical risk.  Consider whether coverages and limits are still appropriate for cyber and traditional coverages.  This will get physical.

 

By

Stand-alone cyberinsurance is a critical component of enterprise risk management.  But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve referred to as the ‘hot potato’ problem.  This is when neither the cyber policy nor the relevant traditional coverage is truly designed for a relatively new kind of risk.

One example is physical damage caused by cyber events.  Particularly as the Internet of Things increases the connectivity of physical devices, cyber attacks can hurt people and property.  Cyberinsurance likely covers network security failures and unauthorized access to these devices, but ‘standard’ cyber policies typically exclude coverage when these events result in physical damage.  And property and casualty policies that would otherwise cover physical harm generally exclude damages arising out of cyber events.  Rock, meet hard place.

Gap, meet AIG’s Cyber Edge products.  These products are designed to fill this gap by, in addition to covering the relatively standard range of cyber risks, including the ability to add coverage for cyber events that cause physical damage to people or property.

Continue reading

By

This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional investors and classes in securities, shareholder and other complex litigation.  I’ve included the full publication on my Resources page.

Find me a centralized repository of personal, financial and health information, and I will find you millions of attempts per day to access, steal or corrupt it. Even absent a malicious actor, there is an increasing likelihood that private data will be inadvertently made public.  This is our world.

Continue reading