Category Archives: Cybersecurity

Every Dawg Has Its Day – A Report From Philly I-Day 2016

cyber securityGuest Blogger: Emily Breslin Markos, Weisbrod Matteis & Copley PLLC

On Thursday, April 28th, I had the pleasure of attending Philly I-Day, an annual event where insurance professionals gather to network, share ideas and get informed about industry trends.  The attendees had the opportunity to hear from Tom Finan, who previously served as the Senior Cybersecurity Strategist and Counsel with the Department of Homeland Security.  While in this role, he established and led the agency’s Cyber Incident Data and Analysis Working Group (CIDAWG), which I previously blogged about.  I appreciated hearing him speak about the important work that the CIDAWG has done to secure businesses against cyber-attacks.  Mr. Finan shared that the National Protection and Programs Directorate (NPPD) recently held a workshop to focus on the execution of the repository for reporting cyber incidents, as described in my previous blog post.

I was surprised to learn that Mr. Finan invented the acronym CIDAWG for the working group, and intentionally made it, well, awesome.  He boasted that it is the best acronym in the federal government to date, and I tend to agree, at least until we all start calling the President “P-Dawg.”   To learn more about the CIDAWG’s continuing cyber-security efforts, please visit:  www.dhs.gov/cybersecurity-insurance.

While at the event, I also had the opportunity to attend a Presentation given by our own Lee Epstein, with Kevin M. McPoyle of KMRD Partners, on effective communications between brokers and policyholders.  In our work representing policyholders, we have seen our clients rely on brokers as an incredible source of expertise, guidance, and comfort when it comes to our client’s coverage needs.  Unfortunately, we have also had the firsthand experience of having communications between the policyholder and broker unearthed in coverage litigation, and sometimes used against the policyholder.

For example, when a broker gives the unequivocal opinion that a certain claim is not covered, that can come back to haunt the policyholder.  The insurer may rely on that statement as evidence of no coverage, and a court may find the broker’s statement compelling.  In light of that, Lee and Kevin discussed how can brokers strike a balance between providing helpful and definitive advice to their clients, while aware that their statements can carry a great deal of weight if the claim is ever litigated.

Two main themes emerged from the discussion.  First, the broker’s role is to offer business advice, not legal advice, and couching communications in business terms can avoid many problems if the claim ever goes to litigation.  Second, when there is a question as to the scope of coverage, setting forth advice in terms of what the insurer’s position may be provides sound advice to the policyholder, but also protects the policyholder in the event of litigation.  It was an eye-opening Presentation, and fodder for continuing discussion.

To learn more, contact Emily Breslin Markos

Caveat Emptor in the Brave New World of Cyber Insurance Coverage

databreach

Guest Blogger:  Martin Bienstock, Weisbrod Matteis & Copley PLLC

There are two types of entities in the world, goes the adage: those who have learned that their data was breached; and those who just don’t know it yet.  The cost of these data breaches is no laughing matter, however; according to a recent study sponsored by IBM, the average data breach costs a company more than $200 for each record lost.[1]  (In the health-care sector, the cost are even greater, approaching $400 per-record lost record.[2])  The more records that are lost, the greater the per-record expense, so that a large data breach may give rise to exorbitant costs.[3]

Thoughtful executives can mitigate these costs through effective utilization of insurance coverage.  Insurance companies aggressively are marketing new cyber-insurance policies that provide first-party and third-party coverage in the event of a data breach.  Often, the new policies are accompanied by an exclusion in the entity’s Commercial General Liability Policy for losses arising from a data breach.

Entities entering the market for cyber coverage therefore must be vigilant to ensure that, at the end of the day, their efforts not yield less coverage than previously had been available.

Cyber Insurance Policies Are Often Conditioned Upon Maintaining a Particular Level of IT Security.

The new cyber policies typically require an applicant to complete a comprehensive assessment of its cyber security measures, affirming, for example, that it has in place “up-to-date, active firewall technology,” and “updated anti-virus software active on all computers and networks.”[4]   Coverage may be conditioned on the accuracy of these representations.[5]   In the event of a breach, if it turns out that the IT security information represented in the application form was inaccurate, coverage might not be available.

Thus, in one recent case,[6] an insurer sought to deny coverage because, among other things, the insured health-care provider had not maintained the level of IT security described in its application.  The insurer argued that the policy therefore was void.[7]  Under cyber-liability policies, then, an insured might be excluded from coverage in the event that it was negligent in implementing cyber-security measures – hardly the result that the insured had in mind when it purchased the policy.

Traditional CGL Policies Offer Some Protection for Data Breaches Even When the Insured Failed to Maintain Adequate IT Security.

When a data breach arises from an entity’s failure to maintain security, third-party coverage likely would be available under a standard Commercial General Liability Policy.  The standard CGL Policy provides coverage for “advertising injury.”  It defines such advertising injury to include injury caused by “oral or written publication, including publication by electronic means,” which “disclosed information about a person’s private life.”

This definition of “advertising injury” is ill-suited for costs arising from a data breach since it depends upon “publication.”  In the event of a data breach, many of the costs are unrelated to the actual publication of private data; the costs arise from the mere possibility of publication, not its actuality.  Conditioning data-breach coverage upon an irrelevant “publication” standard makes little sense.

Two recent cases highlight the limitation of relying on the “publication” standard to provide protection against data-breach claims.  In one case, electronic data concerning 50,000 employees fell out of a transport van and never was recovered.  The Connecticut Supreme Court held that the data had not been “published,” since there no factual support for the conclusion that the data, which was not in a readily usable format, ever was accessed by anyone.[8]  In contrast, in another recent case, the Fourth Circuit Court of Appeals affirmed a district court decision that damages resulting from a data-breach did constitute “advertising injury” because the information had been made available on the internet, and therefore was “published.”[9]

Cyber-data and Cyber-security policies can be better designed than the CGL “advertising injury” coverage, so that coverage is not dependent on publication.  But as some insureds have learned to their dismay, cyber-liability policies may be drafted to shift the costs of negligence back to the insured, and to make coverage unavailable for the very data breaches for which the insured purchased the insurance in the first place.

Caveat Emptor

Cyber-risk insurance therefore may serve a useful purpose by providing coverage that is targeted specifically towards data breaches, and that covers damages that go beyond the scope of the traditional CGL Policy. Buyers must beware however that the extra financial and administrative burden they assume in buying such policies not leave them worse-off than before.

For more information, please contact Marty at mbienstock@wmclaw.com or 202.751.2002.

 

[1] IBM 2015 Cost of Data Breach Study United States, conducted by Ponemon Institute LLC (May 2015) at 1.

[2] Id. at 7.

[3] Id. at 7.

[4] A sample cyber-risk policy issued by Travelers Group and containing these representations (last accessed on the date of publication) is available here .

[5] Id., Cyber-Risk Policy at III.M. (p. 22).

[6] Columbia Cas. Co. v. Cottage Health Sys., 15-cv-3432 (2015 C.D. Cal.).

[7] Id., Dkt No. 22.

[8] Recall Total Info. Mgmt., Inc. v. Fed. Ins., 317 Conn. 46, 115 A.3d 458 (2015).  The Connecticut Supreme Court adopted the reasoning of the appellate court in Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn.App. 450, 465, 83 A.3d 664 (2014).

[9] Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C No. 14-1944, 2016 WL 1399517, at *2 (4th Cir. Apr. 11, 2016).

Sharing is Caring: A Proposed National Data Repository for “Cyber Incidents” to Benefit Policyholders

Guest Blogger: Emily Breslin Markos, Esq., Weisbrod Matteis & Copley PLLC

It has become commonplace for the news to be peppered with accounts of data breaches affecting a wide range of entities, from large retailers, to motion picture studios, to the federal government.  Unfortunately, the increasing frequency of the events has not yet led to an insurance industry standard for affordable, robust and effective coverage for cyber incidents. cyber security

To address the gap in insurance coverage, as well as the broad spectrum of harms arising from cyber incidents, the Department of Homeland Security (DHS) has established the Cyber Incident Data and Analysis Working Group (CIDAWG).  The CIDAWG recently published the first of a series of white papers on the possibility of establishing a national data repository where cyber incidents can be reported and collected in a uniform and central way.

Such a data repository would increase information sharing among the “Federal government, enterprise risk owners, and insurers” with the goal of enhancing risk mitigation strategies and “also improve and expand upon existing cybersecurity insurance offerings.”  One of the obstacles to establishing insurance coverage for cyber incidents is a lack of data needed to inform “actuarial calculations and related underwriting considerations by insurers.”  The repository would seek to close that information gap.  As it stands, certain industry groups have methods to share information about cyber incidents within the industry group, but there is no centralized way to share the wealth of information that companies have about hacking activity, but are understandably reticent to share.

The CIDAWG’s first white paper concludes that there is value to policyholders if the repository is structured the right way. Its next white paper will address what cyber incident “data points” should be included for evaluation.

Interestingly, though perhaps not surprisingly, the white paper notes that “[t]here are currently no plans for DHS or other Federal departments or agencies to build or manage such a repository. A resulting repository could potentially be managed by a private organization.”

If this idea continues to gain traction, it will be a positive development for policyholders as a productive step in allowing insurers to provide informed and effective cyber incident insurance protection.

Emily Breslin Markos is an associate at Weisbrod Matteis & Copley PLLC, where she focuses her practice on commercial litigation and insurance coverage counseling and litigation for policyholders. She received a B.A. from Brywn Mawr College in 2004 and graduated magna cum laude from Rutgers University School of Law – Camden in 2010. She can be reached at emarkos@wmclaw.com or 267.262.5589.

%d bloggers like this: