1. Emerging Legal Trends in Cyber Insurance
October 2011
René Siemens
John Nicholson
Pillsbury Winthrop Shaw Pittman LLP
2. Are You at Risk for a Data Breach or Other Cyber-Related Losses?
Does your product have an intensely loyal consumer fan base? (Sony)
Is your organization (or any senior executive) visibly politically active on any
controversial issue? (Koch Industries attacked in response to Wisc. protests)
Does your organization outsource the processing/collection/storage of
personal information to a third party?
Does your organization outsource any IT functions with access to personal
information?
Does your organization ship backup tapes/drives from operational facilities to
a backup/storage provider? (SAIC/Tricare)
Does your organization process/collect/store personal information about your
customers? (SSN, credit card, address, financial information, medical
information …) (Betfair)
Does your organization process/collect/store personal information about your
employees? (SSN, driver's license #, address, insurance information, bank
account information, credit card …)
2 | Trends in Cyberinsurance
3. The Current Legal Landscape
Privacy / Data Security Compliance Obligations (for now)
US Federal
GLBA
HIPAA / HITECH
Red Flags Rules
FTC
US State privacy/consumer protection laws (e.g., Massachusetts)
Canada, EU and many other countries
Other - PCI DSS
US Data Breach Notification Laws (for now)
46 states + DC, Puerto Rico and others
Current trend is addition of medical information
HIPAA / HITECH Act
Other regulations
4. The Evolving Legal Landscape
US
Personal Data Privacy and Security Act of 2011 (S.1151) (Sen. Leahy)
Personal Data Protection and Breach Accountability Act of 2011 (S. 1535) (Sen. Blumenthal)
Data Breach Notification Act (S. 1408) (Sen. Feinstein)
Among others
Canada - Sept. 29, update to PIPEDA proposed in Bill C-12 to expand
existing privacy law to include data breach notification requirements
"It seems to me that it's time to begin imposing fines--significant, attention-getting fines--on
companies when poor privacy and security practices lead to breaches,"
- Jennifer Stoddart, Canadian Privacy Commissioner (May 2011)
EU - mid-November, EC to publish revised Data Protection Directive which
will include:
Mandatory data breach disclosure law covering public and private sectors
Binding Safe Processor Rules (BSPR) requiring cloud service providers (CSPs) in the EU to be
certified by the EU and making them legally liable for data breaches occurring at CSP data
centers
5. What Does Cyber-Liability Insurance Cover?
Third-Party:
Data security breaches
Privacy breaches
Content liability (libel, infringement, etc.)
First-Party:
Loss of data
Revenue loss due to interruption of data systems
“E-vandalism,” “e-extortion”
6. Third-Party Cyber Coverage: What’s Included?
Crisis Management Expenses
Notification costs
Credit monitoring services
Public relations consultants
Forensic investigation
Pursuit of indemnity rights
Regulatory compliance costs
Claim Expenses
Costs of defending against lawsuits
Judgments and settlements
Regulatory Response Costs
Costs of responding to regulatory investigations
Settlement costs
7. First-Party Cyber Coverage: What’s Included?
Costs of restoring, recreating or re-collecting:
Lost data
Stolen data
Damaged data
Revenue lost due to interruption of your operations due to, e.g.,
Hacking
Virus transmission
Other security failures
8. Cyber Insurance Market Trends
[Chart: Total Premiums Underwritten, by year (2005, 2008, 2009, 2010); y-axis 0 to 800]
Source: The Betterly Report
Premiums ≈ $15,000 to $35,000 per $1,000,000 of limits, depending on
retention and level of covers
Source: Aon: Cyber Insurance Options Oct. 3, 2011
Soft market: Premiums declined an average of 8.5% during the first half
of 2011
Source: Marsh Insights: Benchmarking Trends July 2011
Large corporations were early adopters
Most growth is among middle market companies
9. Who Is Buying Cyber Insurance?
Source: Marsh Insights: Benchmarking Trends July 2011
11. Are Issuers Paying Claims?
Yes, but statistical information is hard to come by
Areas of potential friction:
Adequacy of limits, size of retentions
Consent and panel provisions
Coverage of vendors’ errors and omissions
Loss vs. theft of data
“One size fits all” crisis management expense coverage
Hidden traps
Interplay with vendor indemnity agreements
“Other insurance” provisions
Inadequacy of defense coverage
Cyber policies are highly manuscripted: prevent disputes by
negotiating clear policy language!
12. Ten Tips For Buying Cyber Insurance
#1 – Make sure your limits and sub-limits are adequate
• Average remediation cost is $7.2 million per data breach event
• Average remediation cost is $214 per record
Source: Symantec Corp. and Ponemon Institute: Global Cost of a Data Breach (2010)
• Warning! Many policies impose inadequate limits on “crisis management
expenses” and “regulatory action” expenses
13. Ten Tips For Buying Cyber Insurance
#2 – Watch out for “panel” and “consent” provisions
• Policies often provide that you must use the insurance company’s pre-
approved forensic consultants, defense counsel, etc.
• Make sure that yours are pre-approved!
• Forensic, notification and defense costs are often covered only if you obtain
the insurer’s “prior consent”
• Make sure you get it – and obtain policy language confirming that post-
tender costs will be covered or at least that the insurer’s consent “shall not
be unreasonably withheld”
14. Ten Tips For Buying Cyber Insurance
#3 – Make sure you are covered for your vendors’ errors and omissions
Example:
● Bad
“The Insurer shall pay all Loss that an Insured incurs as a result of
your actual or alleged breach of duty to maintain security of
confidentiality Confidential Information”
● Good
“The Insurer shall pay all Loss that an Insured incurs as a result of
any alleged failure to protect Confidential Information in the care,
custody and control of the Insured or a third party to which an
Insured has provided Confidential Information”
15. Ten Tips For Buying Cyber Insurance
#4 – Make sure you are covered for loss of data, not just theft or unauthorized access
Example:
● Bad
“A covered breach shall include the unauthorized acquisition,
access, use, or disclosure of confidential information”
● Good
“A covered breach shall include the unauthorized acquisition,
access, use, disclosure or loss of confidential information”
16. Ten Tips For Buying Cyber Insurance
#5 – If you handle data for others, make sure your liability to them is covered
Example:
● Bad
“The Insurer will not make any payment for any claim alleging or
arising from … your performance of services under a contract
with your client”
● Better
“The Insurer will not pay for Claims arising out of breach of contract;
provided, however, that this exclusion shall not apply to
liabilities that the Insured would have in the absence of contract,
or arising out of breach of a confidentiality agreement or a
professional services agreement for the handling of confidential
information”
● Best
“The Insurer will pay on behalf of the Insured all Damages and Claim
Expense which the Insured becomes legally obligated to pay because
of liability imposed by law or Assumed Under Contract”
17. Ten Tips For Buying Cyber Insurance
#6 – Avoid “one size fits all” coverage
Example:
● Bank suffers loss of thousands of customer credit card numbers
● Insurance policy covers cost of providing notice and credit monitoring
● Bank would rather just cancel and re-issue the cards
Lesson: When procuring insurance, negotiate for the coverage you
will need
18. Ten Tips For Buying Cyber Insurance
#7 – Beware of hidden traps
Example:
● Bad
“The Insurer shall pay Crisis Management Expenses incurred by an
Insured arising out of a Claim”
● Good
“The Insurer shall pay Crisis Management Expenses incurred by an
Insured in response to an actual or alleged security breach”
19. Ten Tips For Buying Cyber Insurance
#8 – Harmonize cyber insurance with your indemnity agreements
● Bad
“The Insurer’s liability applies only to amounts in excess of the policy’s
Self-Insured Retention. Such Retention Amount shall be borne by
the Insured, uninsured and at their own risk”
● Good
“The Insurer’s liability applies only to amounts in excess of the policy’s
Self-Insured Retention. Such Retention Amount may be paid
either by the Insured, or by the Insured’s other insurance or
indemnified by third parties”
20. Ten Tips For Buying Cyber Insurance
#9 – Harmonize cyber insurance with your other insurance
• Review your agreements with vendors
    Make sure your vendors are required to have adequate insurance
    Ask to be added as an additional insured on their policies
    Make sure your policy’s “other insurance” clause specifies that their policy will
    apply first
• Example:
“This Policy shall be primary, unless the Insured is also covered for the loss under the
insurance of a third party, in which case this insurance shall apply excess of amounts
actually paid by that other insurance”
21. Ten Tips For Buying Cyber Insurance
#10 – Negotiate favorable defense provisions
• “Pay defense costs on behalf of” vs. “duty to defend”
Will you control your own defense?
• At least negotiate the right to choose your own counsel if the policy has a
“panel” provision
• Negotiate specific deadlines for payment by the insurer (e.g., within 30 days
of invoicing)
• If rates are an issue, negotiate them up front!
22. Preparing for/Responding to an Incident
1. Know what information you collect. Conduct an audit to identify what
you have and what you really need. Determine whether you can
encrypt what you must have. Securely dispose of information when it
is no longer required –
You can’t lose what you don’t have!
2. Create an incident response team including: IT, HR, Legal,
CEO/CIO/CFO, Media relations
3. Develop an incident response plan BEFORE you have an incident
    Plan for different scenarios (DDoS, insider breach, hacking attack, etc.)
    Know which third parties you plan to contact – computer security forensics,
    external legal, law enforcement, crisis communications
    Conduct practice exercises
4. Acquire insurance based on risks and potential losses
23. What If You Don’t Have Cyber Insurance?
Insurance industry and brokers assert that there is no
coverage under conventional insurance, but many courts
disagree.
Therefore, tender to all of your other insurers!
24.
                            General     Property   Errors &    Crime      Cyber
                            Liability              Omissions
Data security breach        POSSIBLE    POSSIBLE   POSSIBLE    POSSIBLE   COVERAGE
Privacy breach              POSSIBLE    POSSIBLE   POSSIBLE    POSSIBLE   COVERAGE
Media liability             POSSIBLE    NONE       POSSIBLE    NONE       COVERAGE
Professional services       NONE        NONE       POSSIBLE    NONE       COVERAGE
Virus transmission          POSSIBLE    POSSIBLE   POSSIBLE    POSSIBLE   COVERAGE
Damage to data              POSSIBLE    POSSIBLE   POSSIBLE    POSSIBLE   COVERAGE
Breach notification         POSSIBLE    NONE       POSSIBLE    POSSIBLE   COVERAGE
Regulatory investigation    POSSIBLE    NONE       POSSIBLE    POSSIBLE   COVERAGE
Extortion                   POSSIBLE    NONE       NONE        NONE       COVERAGE
Virus/hacker attack         POSSIBLE    POSSIBLE   POSSIBLE    POSSIBLE   COVERAGE
Denial of service attack    POSSIBLE    POSSIBLE   POSSIBLE    POSSIBLE   COVERAGE
Business interruption loss  NONE        POSSIBLE   POSSIBLE    NONE       COVERAGE
25. Case Study – Sony PSN Attack
A Sony PS3 user posts code to “jailbreak” Sony PSN consoles, and Sony sues the
user in US federal court
April 4 – Members of Anonymous launch an attack on Sony
April 20 – Sony takes the PSN and Qriocity networks offline
April 26 – Sony announces that 77 million names, addresses, email
addresses, birthdates, PlayStation Network/Qriocity passwords and logins,
handles/PSN online IDs, profile data, purchase history and possibly credit cards
were obtained
April 27 – Sony shares fall 2%
April 28 – Sony shares fall 4.5%; first class action lawsuit filed
May 2 – Sony Online Entertainment attacked; 24.6 million customer records (dates of
birth, email addresses and phone numbers) breached, including 12,700 non-U.S. credit
or debit card numbers and expiration dates and about 10,700 direct debit
records including bank account numbers
26. Case Study – Sony PSN Attack (cont)
May 14 – Sony brings PSN/Qriocity back online; offline for a total of 24 days
May 23 – Sony estimates that the PSN breach and restoration cost $171M
At least 58 class action lawsuits filed against Sony
Numerous additional attacks from other hacking groups target various Sony
companies and online properties
July 20 – Zurich Insurance filed suit seeking a declaration that various
Zurich policies do not provide coverage for hacking claims
Zurich issued:
    Primary CGL policy to Sony Online Computer Entertainment America LLC (“SCEA”)
    Excess liability policy to Sony Corp. of America. Policy attaches above a lead umbrella policy
    issued by National Union
    Primary CGL policy to SCEA for its Canadian operations
Zurich policies provide coverage for “bodily injury,” “property damage” and
“personal and advertising injury” arising out of an “occurrence.”
Zurich argues Sony claims do not allege any such injury or damage and
therefore Zurich does not owe a defense or indemnification to Sony under any
of its policies