Cyber Liability and Insurance Coverage
Matthew L. Jacobs, Partner, Jenner & Block LLP

Data Breach: A Minefield of Liability
• First-Party Expenses
• Response Costs: Investigation, Notification, Correction
• Business Interruption Losses
• Costs to Restore Reputation: Defamation, Loss of Faith
• Cyber Extortion Threats
• Third-Party Liability
• Regulatory Fines & Penalties
• Legal Liability (Customers, Vendors, Business Partners)

A Growing Body of Regulation
• Federal Statutes and Regulations
• Data Protection Statutes
• E.g. Regulation S-K (disclosure of data security risks); Gramm-Leach-Bliley (financial data); Health Insurance Portability and Accountability Act (HIPAA)
• EO 13,636 (2013)
• Minimum security standards for critical infrastructure industries (voluntary)
• Sharing of threat information between public and private sectors
• State Statutes and Regulations
• Breach Notification Statutes (most states)
• Encryption/Security Mandates (e.g. NY, CA, MA)
• International Regulation
• E.U. Data Protection Directive

A Gap Left by Existing Products
• Uncertain success in pursuing coverage under more traditional policies for cyber loss
• First-Party Property Policies
• Claims may fail absent some indication of physical damage
• Commercial General Liability Policies – Third-Party Claims
• Courts may find electronic data is not tangible property
• Fines & penalties for cyber-loss may not fall within scope of covered damages
• Exclusions and definitions tightened to limit exposure
• Revised specifically to exclude coverage for electronic data

Types of Cyber Coverage: Security and Privacy Liability Coverage
• Theft, misappropriation, or other unintentional disclosure of confidential, private, or personal information
• Failure adequately to protect confidential, private, or personal information
• Failure to disclose, or notify victims of, a breach incident
• Associated violations of federal, state, local, or foreign laws governing protection of confidential, private, or personal information
• Potential Issue: Electronic data may not be included in definition of property damage

Types of Cyber Coverage: Security and Privacy Incident Management Coverage
• Costs associated with detection and investigation following an incident, including forensic or other expert analysis
• Repair, restoration, or replacement costs for affected data and systems
• Disclosure and/or notification costs in response to an incident
• Remedial measures to protect affected consumers (e.g. identity theft education, credit monitoring, etc.)
• Public relations costs to preserve corporate image and reputation
• Potential Issue: Incurred costs subject to consent or reasonableness standard?

Types of Cyber Coverage: Information Asset Coverage
• Loss of information assets resulting from system security failures in response to a cyber attack (e.g., viruses, unauthorized access, etc.).
• Information assets include electronic data such as customer information, financial data, and corporate proprietary information.
• Information assets also include the system’s functionality and capacity, including memory, bandwidth, and processing time.
• Costs to restore or re-collect the impacted information assets
• Potential Issue: May raise complex valuation issues

Types of Cyber Coverage: Business Interruption Coverage
• Business interruption costs sustained during period of recovery following a material interruption to systems or service, including:
• Income Loss
• Extra Expense
• Contingent Business Interruption Loss
• Extended Business Interruption Loss
• Material interruption must be caused by system security failures
• Potential Issue: How is loss measured – hours or days?

Types of Cyber Coverage: Cyber Extortion Coverage
• Security threats against the company’s network systems, including hardware, software, data storage, etc.
• Can include costs paid by the company in response to such threats, such as “extortion” or “ransom” payments
• Can include investigation costs following an incident
• Potential Issue: Raises trigger of coverage issues as to seriousness and/or credibility of the threat required to justify payment

Types of Cyber Coverage: Technology Errors & Omissions Coverage
• Acts, errors, and omissions in connection with performance of technology-related services, including:
• Systems analysis and programming
• Data processing
• System integration
• Outsourcing development and design
• Network and systems maintenance and repair
• Product training
• Consulting services
• Acts, errors, and omissions in connection with creation, development, manufacture, distribution, licensing, sale of technology-related products, including:
• Computer hardware, firmware, or software
• Related products, equipment, or devices

Key Provisions To Consider
• Claims-made coverage versus occurrence-based coverage
• Sufficiency of limits of liability and sub-limits
• Retentions in the event multiple coverages apply
• Broad definition of “Claim,” “Privacy Event,” and “Security Failure”
• Broad scope of “Loss,” including statutory and regulatory fines and penalties where insurable
• Narrow the scope of any exclusions
• Bodily Injury or property damage
• Intellectual property violations, products liability claims
• Misconduct committed by employees
• Infrastructure failures
• Unlawfully collected personal information
• Liability based on content created by third parties
• Review scope of any causation or “relatedness” language