In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.

These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite widespread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office of Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records.
Continue Reading Lookout for Luddites: Don’t Overlook the Risk of a Non-Electronic Data Breach When Evaluating Your Cyber Insurance Program

The European Union’s sweeping Global Data Protection Regulation (GDPR), which took effect on May 25, 2018, dramatically expanded the compliance obligations of companies collecting or using European Union citizens’ personal information. It also substantially increased regulatory exposure for companies due to its strict requirements and draconian penalties for non-compliance, including potential fines of greater than 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. See Perkins Coie’s GDPR Resources for an overview of the regulation, and Will Your Cyber Policy Provide Coverage for GDPR Violations? for a discussion of insurance coverage issues arising from the regulation. Yet the new regulatory landscape facing companies that collect, use, or manage consumers’ personal information has expanded far beyond the GDPR, and many United States jurisdictions have enacted or are in the process of enacting regulations governing the collection, storage, and use of consumer information. As a result, any company that handles consumer personal information must have a thorough understanding of these regulations and must make sure that its insurance program aligns with its regulatory exposure in order to effectively manage the risks arising out of burgeoning cybersecurity and privacy regulations.
Continue Reading Beyond GDPR: Insurance Coverage for Emerging Cybersecurity and Privacy Regulatory Exposure

Despite the increase in data breaches and cyberattacks involving large corporations, efforts to hold directors and officers personally liable for these events have largely been unsuccessful. However, recent developments in two high-profile data breach cases suggest that the relative safety directors and officers have previously experienced from cybersecurity-related suits may be coming to an end. On January 4, 2019, the Superior Court of California approved a $29 million settlement in consolidated derivative litigation brought against directors and officers of Yahoo, Inc. arising out of two data breaches compromising sensitive information of over one billion Yahoo users. See In re Yahoo! Inc. Shareholder Litig., Case No. 17-CV-307054 (Cal. Supp. Ct Jan. 4, 2019). This settlement, which includes a court-approved plaintiff’s counsel’s fee of $8.6 million, represents the first significant recovery in a data breach-related derivative lawsuit targeting directors and officers for breach of fiduciary duty.
Continue Reading Recent Developments in Yahoo and Equifax Data Breach Litigation Suggest Increased Risk of Personal Liability for Directors and Officers for Cybersecurity Incidents