As previously reported here, (Nov. 8, 2017), companies falling victim to electronic impersonation (“spoofing”) schemes have frequently turned to “computer fraud” coverage found in typical crime policies. In this type of fraud, someone impersonates a vendor, contract partner, or company executive via email or other electronic means, and directs the transfer of funds to

I have several times discussed the need for cyber insurance that will actually cover reasonable claims; a need that still seems to exist. The case of Hub Parking Technology USA v. Illinois National Insurance Company (https://www.law360.com/articles/1170778/parking-tech-co-says-aig-must-defend-it-in-privacy-row) that was brought in Pennsylvania District Court in June of this year illustrates this problem. Hub bought security and privacy insurance that was intended to cover security breaches and disclosure of personal data in violation of privacy rules. Hub was then sued in underlying litigation for printing parking receipts at the Cleveland Airport that showed eight digits of credit card numbers instead of the standard last four digits permitted under various state statutes and case law. When Hub submitted the claim to its cyber insurer, the cyber insurer rejected the claim based on its conclusion that there had been no loss of privacy or security information, as well as on several exclusions, such as those for contractually assumed liability and intentional acts. Although the insurer may have had a legitimate complaint that there really was no damage from this alleged violation (and the plaintiffs had not alleged that anyone suffered actual damage or identity theft arising from the parking receipts at issue; they rather relied on an FTC study showing that similar incidents have caused actual damage, so that the potential for damage existed), that should not have prevented the insurer from providing at least a defense.  
Continue Reading

In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.

These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite wide-spread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office of Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records. 
Continue Reading

The consequences of a data breach can be far-reaching. While the initial issues in the wake of a breach often involve investigation into the cause of the breach and sending notification to those affected (both of which are covered by most cyber insurance policies), coverage for certain types of third-party claims stemming from cyber breaches may be available under Commercial General Liability (“CGL”) insurance policies.

CGL insurance policies provide coverage for claims of “Bodily Injury,” “Property Damage,” and “Personal and Advertising Injury.” Bodily Injury and Property Damage claims are covered under Coverage A of CGL policies, while Personal and Advertising Injury claims are covered under Coverage B. This blog post briefly summarizes the major issues policyholders encounter when seeking coverage for Personal and Advertising Injury (Coverage B) under CGL policies that arise out of a cyber incident. 
Continue Reading

The European Union’s sweeping Global Data Protection Regulation (GDPR), which took effect on May 25, 2018, dramatically expanded the compliance obligations of companies collecting or using European Union citizens’ personal information. It also substantially increased regulatory exposure for companies due to its strict requirements and draconian penalties for non-compliance, including potential fines of greater than 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. See Perkins Coie’s GDPR Resources for an overview of the regulation, and Will Your Cyber Policy Provide Coverage for GDPR Violations? for a discussion of insurance coverage issues arising from the regulation. Yet the new regulatory landscape facing companies that collect, use, or manage consumers’ personal information has expanded far beyond the GDPR, and many United States jurisdictions have enacted or are in the process of enacting regulations governing the collection, storage, and use of consumer information. As a result, any company that handles consumer personal information must have a thorough understanding of these regulations and must make sure that its insurance program aligns with its regulatory exposure in order to effectively manage the risks arising out of burgeoning cybersecurity and privacy regulations.
Continue Reading

Many businesses rely upon social media to raise awareness and enhance visibility of a new product or new line of business.  Social media platforms such as Facebook are often used to generate buzz around an opening or a launch before it takes place.  Anticipatory use of social media, however, can complicate insurance coverage if the right policies are not already in place.  The Idaho Supreme Court recently upheld the denial of coverage to a business that had published a preview of a new logo prior to opening.  Scout, LLC v. Truck Ins. Exch., 434 P.3d 197 (2019).  The court held that a Facebook post by the insured pub showing a close facsimile of the anticipated logo constituted a “prior publication,” triggering an exclusion under the pub’s subsequently purchased commercial general liability policy.  Although some other courts have reached different conclusions in relatively similar circumstances, the case stands as a cautionary tale for new businesses.
Continue Reading

In my last posting on this blog, I opined that cyber incursions and the resulting lawsuits, defense costs, and damages payments are as inevitable as death and taxes. Thus, most companies are now trying to purchase some type of cyber insurance to cover these risks. The next question is whether your insurance will really cover a particular risk you face. My last article discussed a single product that would provide security and guarantee coverage for any breach up to a specified limit.

Today I want to discuss other defensive measures that a company might take against the inevitable, and how that might make coverage in the event of a breach more likely under a standard cyber insurance policy. Our last posting by Ms. Del Prete discussed the standard exclusions and conditions in the most common cyber policies. Those policy provisions require, e.g., that the insured follow industry standard security practices and take reasonable precautions against data breaches before coverage will attach for an incursion.  Subject to the purchase of an extended retroactive date, they also exclude breaches that occurred long before the beginning of the policy or which were facilitated by an incursion that occurred prior to the beginning of the policy. 
Continue Reading

Often called the “wild west,” the cyber insurance marketplace offers a wide variety of policy forms that vary drastically in the scope of coverage provided.  This is further compounded by the relatively small amount of case law analyzing cyber policies and the quickly-evolving cyber risks that companies face.  Insurers are quick to deny coverage based on the many exclusions in cyber policies, often leaving policyholders with the option of either spending money to fight their insurer in court or accepting the carrier’s denial.  If your company is insured by a cyber policy (or, for that matter, any type of an insurance policy), you should carefully review the policy, understand its exclusions, and, where possible, take steps to implement practices and procedures to ensure that your company’s activities do not fall within the enumerated exclusions.  Cyber insurers are often willing to modify exclusions in cyber policies to carve back certain coverages, but only when asked to do so.  Analyzing the policy and negotiating with the carrier on the front end, before a claim occurs, can save your company both time and money on the back end if a claim arises. 
Continue Reading

Despite the increase in data breaches and cyberattacks involving large corporations, efforts to hold directors and officers personally liable for these events have largely been unsuccessful. However, recent developments in two high-profile data breach cases suggest that the relative safety directors and officers have previously experienced from cybersecurity-related suits may be coming to an end. On January 4, 2019, the Superior Court of California approved a $29 million settlement in consolidated derivative litigation brought against directors and officers of Yahoo, Inc. arising out of two data breaches compromising sensitive information of over one billion Yahoo users. See In re Yahoo! Inc. Shareholder Litig., Case No. 17-CV-307054, (Cal. Supp. Ct Jan. 4, 2019). This settlement, which includes a court-approved plaintiff’s counsel’s fee of $8.6 million, represents the first significant recovery in a data-breach related derivative lawsuit targeting directors and officers for breach of fiduciary duty.
Continue Reading

Selecting an appropriate cyber insurance policy can seem daunting. There are a number of different cyber events that have the possibility to impact businesses differently based on a number of factors, including the company’s network design and cyber security readiness. The market for cyber insurance policies does not have a widely-accepted form that is predominantly used by carriers, brokers, or policyholders, resulting in approximately 70 carriers drafting their own cyber insurance policies, many of which are negotiable. Lastly, the risks and technology at issue evolve quickly, adding uncertainty and the potential for a “new” event that may not be covered appropriately by your company’s current policies.
Continue Reading