In 1964, futurist Arthur C. Clarke predicted that in 50 years, people “will no longer commute—they will communicate.” For a significant portion of the American workforce, the future is now. COVID-19 has fundamentally changed how we communicate: The virtual meeting is suddenly our primary means of interaction with coworkers. Video conferencing platforms like Zoom, Microsoft

Most customers of companies using the internet to reach their suppliers of goods and services agree that digital access provides enormous convenience and often reduced cost. But along with that, it also seems to provide an unending stream of lawsuits and regulations over storage and use of data and hacking into data bases. The latest addition to this stream of lawsuits is SS&C Tech. Holdings v. AIG Specialty Insurance Co., 2019 U.S. Dist. Lexis 194196 (S.D.N.Y. Nov. 5, 2019).
Continue Reading Update On Coverage For Privacy Lawsuits—Although Traditional Policies May Provide Some Coverage, Comprehensive Coverage Requires Cyber Insurance

Insurance coverage lawyers and commentators have drawn considerable attention to state and federal data protection statutes in recent years. E.g., Freya K. Bowen, “Beyond GDPR: Insurance Coverage for Emerging Cybersecurity and Privacy Regulatory Exposure,” Perkins Coie Tech Risk Report (April 10, 2019), available here. Statutes governing the collection and use of biometric data have received much less attention, even though several states have passed such statutes and other states presently have some version under consideration. As previously noted in this blog, Jim Davis, “Biometrics Liability on the Rise: Are you Covered?” Perkins Coie Tech Risk Report (May 8, 2019), available here, these statutes apply to data as diverse as fingerscans DNA swabs, and even, potentially, facial recognition scans. Companies may be subject to regulatory actions or private litigation for violations, and, naturally, may seek insurance coverage for the resulting exposure. Some of these insurance claims will be subject to the same issues arising with claims relating to other data protection or privacy statutes, while other claims will raise specific insurance concerns unique to biometric data. Although these statutes are quite new, several recent cases help give policyholders a good indication of where the key risks may lie. Policyholders with exposure to these statutes should ensure that the appropriate insurance coverage is in place. 
Continue Reading Employee Biometric Data: Are You Covered for Collecting or Using It?

One of the best features of the digital age is the improved utility of access to data, allowing customers, employees, vendors, and business partners to synthesize large amounts of information and remain connected in real time. This previously-unimaginable level of access has been augmented by the invention of easy-to-use security features that enable businesses to simultaneously protect their data and maximize the utility of that data by making it widely available. But with this improved utility also comes a risk of being hacked, even if protections are in place, and of resulting liability for unauthorized access to data.

A promising technology for improving security and mitigating the substantial risks associated with password-based data security are biometric-enabled access controls. This technology limits access to data by verifying authorized users’ biometric identifiers, such as by recognizing users’ faces, fingerprints, voices, and/or irises. Biometric access control technology can also provide easy-to-use access to secure physical facilities. In today’s physical security environment, which has been informed by the rise in terror attacks and mass shooting events, the demand for secure facilities has increased dramatically. Use of complex numeric passwords provides too many barriers to entry and opportunities for compromise as individuals tend to select easy-to-remember, and hence easy-to-crack, passwords. And where physical access cards are required, those are equally easy to compromise as cards are frequently lost or even loaned. Biometric access control systems, therefore, appear to provide a simpler and more effective method of securing both data and physical premises without the same level of risk. 
Continue Reading Biometric Access Control Systems Offer Great Utility but Create Associated Risks Requiring the Right Insurance Coverage

Data breaches are up significantly in 2019, exposing billions of confidential records and costing companies millions of dollars on average per breach. Security experts counsel their clients that data breaches are inevitable as even the largest, most secure systems may be breached. In spite of this environment, many tech companies are woefully unprepared to respond to a cyber intrusion, data breach, or other cyber-related event. Are you ready?

As insurance coverage lawyers, we often work with clients to confront this organization-wide challenge after a breach has occurred. The better approach, however, is to prepare in advance by understanding your risks, building a team, securing and monitoring your data, having a well developed and rehearsed response plan, and tailoring your insurance program to a possible breach. Additionally, having counsel involved throughout the preparation and response process is critical to protect privilege, minimize legal liability, and maximize insurance coverage. 
Continue Reading Preparing for Data Breaches: Data Mapping, Response Team and Insurance

Directors & Officers liability insurance—commonly known simply as D&O insurance—is meant to protect corporate directors and officers from, among other things, claims alleging breaches of duty and management failings that adversely affect the value of the company’s stock. And any event in which directors or officers are deemed to have had an oversight function could ultimately result in a claim that floats up to the director- or officer-level if the company’s stock suffers. 
Continue Reading D&O Coverage for Tech Risks – Don’t Let the “Invasion of Privacy” and “Professional Services” Exclusions Take You by Surprise

Biometric Privacy Lawsuits

In early 2019, the Illinois Supreme Court opened the floodgates for advancing private causes of action under the state’s 2008 Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq. In Rosenbach v. Six Flags, the Court found that no proof of actual injury or damage beyond technical infringement was necessary to state a claim under the BIPA. Now, Illinois courts are seeing a wave of BIPA class action lawsuits, even though the Six Flags case merely concluded that a biometric plaintiff had standing to sue and did not resolve the legal requirements necessary to prove a negligent or intentional violation of BIPA.
Continue Reading Biometrics Liability on the Rise: Are you Covered?

Social engineering and electronic impersonation scams have increased in recent years, as have cases involving resulting claims for insurance coverage. Claims typically involve the impersonation of a company executive, employee, or client and a fraudulent electronic communication directing an employee of the policyholder to transfer funds to another account. As outlined in our update of November 8, 2017, courts differ significantly as to whether or not this situation triggers coverage under a standard crime policy or fidelity bond. For example, some courts have held that the scheme does not produce a loss “resulting directly” from the “use of a computer” as required for certain “computer fraud” coverage. E.g., Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252, 258 (5th Cir. 2016); Incomm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-cv-2671-WSD, 2017 WL 1021749, at *8-*10 (N.D. Ga. Mar. 16, 2017). Other courts have reached the opposite conclusion and found coverage. E.g., Principle Solutions Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS, 2016 WL 4618761, at *2, *5 (N.D. Ga. Aug. 30, 2016).

Continue Reading False Pretense Exclusion No Bar to Coverage of Fraudulent Impersonation Scams

The recent series of significant hacks to Marriott, Target, Anthem, Home Depot, and other businesses make it clear that there is now another inevitable event to add to death and taxes, namely intrusions to businesses’ on-line databases of their customers’ personal information. These intrusions include outside vigilante hackers who are simply trying to sell their services and then try to incite the government or private plaintiffs to assert damage claims against the targeted businesses from the exploited vulnerabilities. To counteract the inevitability of such intrusions, cyber-security providers and insurance companies are now considering offering a new product that would combine guarding against unwanted intrusions with guaranteed coverage for the cost of the inevitable hack. The product would basically warrant that there will be no damaging access or release of on-line data, and would provide a specified but limited payment to compensate for any damages should an intrusion and/or release of data nonetheless occur.
Continue Reading Developments in Cyber-Coverage Options

The European Union’s Global Data Protection Regulation (GDPR) took effect on May 25, 2018, and drastically expanded the compliance obligations of companies involved in the collection, use, and management of any European Union citizens’ data. The GDPR imposes a strict regulatory scheme with steep penalties for non-compliance, with maximum fines set at the greater of 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. Please refer to Perkins Coie’s GDPR Resources for a more comprehensive overview.
Continue Reading Will Your Cyber Policy Provide Coverage for GDPR Violations?