Cyber pirates prey on, and profit from, the vulnerable. Most people think of cyber piracy only in the context of malicious hackers intercepting or stealing confidential company data. The truth of the matter, however, is that data breaches routinely occur in far less complex scenarios. Lost laptops, smart phones, notebooks and PDAs, and the improper disposal of documents containing personally identifiable information (“PII”), cause data breaches just as costly, if not more costly, than those caused by an unwanted cyber intruder. Many times, employees do not realize they have lost an item containing valuable information until it is too late. It is crucial to your company’s success that sufficient protections and contingency plans are put into place now.
A simple first step is to ensure that all employee electronic equipment is password protected and that all employees adequately secure paper copies of data. Encryption (in particular, full-disk encryption on any laptop or mobile device that leaves the premises, so that a lost device does not become a reportable breach), intrusion detection systems, and employee education are equally important. While inconvenient, requiring employees to routinely change their passwords and having password format requirements in place can add additional layers of protection; note, however, that more recent guidance (for example, NIST Special Publication 800-63B, issued in 2017) favors long passwords, screening against known-compromised passwords and multi-factor authentication over mandatory periodic rotation. Even if these measures do not completely prevent a breach, they will generally deter thieves and may provide a company with liability defenses in the event a data breach nonetheless occurs.
The harsh reality is that plaintiff lawyers are becoming increasingly clever in filing claims against companies for data breaches and are gaining traction in their methodologies. Cyber piracy related claims are becoming more and more likely to survive the motion to dismiss stage and thus to proceed into the discovery stage, ultimately leading to exponentially higher costs for companies. Plaintiff lawyers are targeting breaches reported by an outside third party or self-reported by the company that experienced the breach. For example, the HITECH Act’s breach notification rule under HIPAA requires a covered entity that has lost unsecured protected health information of 500 or more individuals to notify the Department of Health and Human Services. As discussed below, several state legislatures are also now passing laws with not only notification requirements, but other requirements as well.
Aside from the practical policies and procedures a company can put into place, company insurance policies should be evaluated for potential coverage. Many companies are now securing cyber liability policies in addition to traditional commercial general liability policies (“CGL policies”) in order to obtain additional protection. While most CGL policies do not cover third-party liability arising from a data breach, cyber liability policies routinely cover third-party liability for stolen credit card numbers, social security numbers and other private data, the forensic costs to investigate a data breach, and the notification expenses resulting from a company having to inform all involved parties of a breach. And while having a cyber liability policy in place is paramount to a company’s longevity and sustainability, having the right policy in place is even more important, as insurers are challenging company cyber liability claims as non-covered losses.
One such instance occurred in Vonage Holdings Corp. v. Hartford Fire Ins. Co., Civ. No. 11-6187, 2012 WL 1067694 (D.N.J. Mar. 29, 2012), where the insurer moved to dismiss the insured’s data breach claim under the express policy language. Vonage made a claim to Hartford under its policy upon learning that hackers outside of its premises had fraudulently accessed its servers and effectively transferred the use of the servers to themselves. Id. at *1. After gaining control of Vonage’s server, the hackers routed telephone calls to Cuba through one of Vonage’s telecommunication carriers, resulting in an alleged loss in excess of $1 million due to loss of use of a server capable of handling approximately 2,000 simultaneous calls. Id. The policy language at issue stated in relevant part that “We [Hartford] will pay for the loss of and loss from damage to ‘money’, ‘securities’ and ‘other property’ following and directly related to the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: 1. to a person (other than a ‘messenger’) outside those ‘premises’; or 2. to a place outside those ‘premises’.” Id. at *1. Under the policy at issue, “other property” is defined as “any tangible property other than ‘money’ or ‘securities’ that has intrinsic value” and “premises” is defined as “the interior of that portion of any building which you occupy in conducting your business.” Id. The court denied Hartford’s motion to dismiss, finding that Vonage’s interpretation was “plausible” and that the policy must be read as a whole, since Hartford’s proposed interpretation would have rendered certain sections of the policy “superfluous”. Id. at *3. While this was a favorable result for the insured, an important lesson must be taken from the Vonage opinion: having a policy in place is not the same as having the correct policy in place.
The unfortunate fact remains that most companies do not have a cyber liability policy in place until it is too late, and they must then file a claim under their CGL policy, which often will not afford coverage. Insurers are routinely denying such claims and filing declaratory actions seeking a determination of coverage for cyber intrusions claimed as covered losses under CGL policies, arguing that a cyber intrusion loss is not covered because the underlying action does not allege property damage, bodily injury, or advertising injury, as the policies require. Further reducing insureds’ chances of success in bringing cyber breach claims under CGL policies, such policies often contain electronic data and breach of contract exclusions. This exclusionary language often states that “for purposes of this insurance, electronic data is not tangible property,” or expressly excludes “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.” Thus, when analyzing your company’s policy, CGL or otherwise, it is critical to examine all exclusions and defined terms (e.g., “computer system” and “computer network”) to make sure you know what is, and is not, covered.
In Arch Ins. Co. v. Michaels Stores Inc., No. 1:12-cv-00786, 2012 WL 6045395 (N.D. Ill. May 31, 2012), Michaels filed a counterclaim after its insurer sought a declaration that a data breach claim was not covered under its CGL policy. Class suits had been brought against Michaels for allegedly failing to safeguard PIN pad terminals at its stores and thereby allowing criminals access to consumers’ financial information. Id. at ¶8. In support of its coverage denial, the insurer cited the electronic data and breach of contract exclusions contained within the policy and argued that the customer suits did not claim property damage, bodily injury, or advertising injury, as required by the CGL policy. While the matter was ultimately resolved through a joint stipulation of dismissal before the court ruled on the parties’ cross motions for summary judgment, the case forewarns insureds that if you file a cyber claim under a CGL policy, you should anticipate litigation.
A similar challenge was made in Zurich American Insurance Co. v. Sony Corp. of America, Index No. 651982/2011, New York State Supreme Court (New York County). In Zurich the insurer denied Sony’s tender of defense and filed a declaratory judgment action seeking a ruling that it had no duty to defend or indemnify. In a February 2014 bench ruling, Justice Oing agreed with Zurich and found that because the act was committed by a third-party hacker, and not “conducted or perpetrated by the policyholder”, there was no basis for coverage. That ruling was appealed to the Appellate Division. To further muddy the waters, in Hartford Cas. Ins. Co. v. Corcino & Associates, et al., Case No. 2:13-cv-3728-GAF-JC, 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013), the United States District Court for the Central District of California granted the defendants’ motion to dismiss the insurer’s complaint seeking a declaratory judgment as to coverage for the dissemination of some 20,000 patients’ confidential medical information on a public website. The Corcino court found convincing the insured’s argument that the exclusion advanced by the insurer under the CGL policy at issue applied only to violations of rights created by statute, and that the right to medical privacy at issue was not created by statute but rather by existing constitutional and common law. Id. at *4. While this ruling was also appealed, the parties later stipulated to the dismissal of the appeal before it was heard. Together these cases demonstrate that reliance on a company’s CGL policy for cyber liability is far from a sure thing. Moreover, even if a company has coverage for computer-related losses, that does not mean a claimed loss will not result in litigation.
In DSW Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821, 828 (6th Cir. 2012), even though DSW had an endorsement for “Computer & Funds Transfer Fraud Coverage,” the insurer challenged the loss as non-covered. The U.S. Court of Appeals for the Sixth Circuit affirmed the lower court’s grant of DSW’s summary judgment motion regarding hackers obtaining access to more than 1.4 million DSW customers’ credit card and checking account information, despite the insurer’s reliance on several exclusions. Id. at 821-824. Such contentions and arguments have become commonplace and are magnified in the franchise context, because franchisees are typically connected directly to the franchisor’s computer system and thereby have access to vast amounts of confidential and proprietary information.
For example, the Wyndham Worldwide Corporation and several of its hotel service-oriented entities suffered multiple data breaches resulting in their being named as defendants in an action brought by the Federal Trade Commission (“FTC”). In Federal Trade Commission v. Wyndham Worldwide Corporation, filed in the District of Arizona on June 26, 2012 and later transferred to the District of New Jersey as Case No. 13-cv-01887, Wyndham’s motion to dismiss was denied on April 7, 2014, affirming the FTC’s authority to bring data security enforcement actions under Section 5 of the Federal Trade Commission Act. The FTC has alleged that Wyndham’s inadequate security practices enabled intruders to gain unauthorized access to the entire company’s computer system, including payment systems, on three separate occasions. Id. at ¶25. According to the FTC, the three breaches, attributed to Wyndham’s alleged “failure to implement reasonable and appropriate security measures,” together compromised more than 619,000 customer payment card account numbers and resulted in more than $10.6 million in fraud loss, as many of the account numbers were exported to Russia. Id. at ¶40. Because this action was brought against not only Wyndham but also its affiliated entities, franchisees must evaluate their own computer systems that link to larger shared networks.
The bottom line is that a franchise system is only as strong as its weakest link. All franchise systems should consider implementing data protection policies for all franchisees to establish a common understanding of the franchisee’s obligations to keep data protected. This likely entails updating franchise agreements to include contractual safeguards such as confidentiality provisions and other restrictive covenants that expressly cover electronic data and PII. If such safeguards are not contained within the franchise agreement, issues often emerge, such as whether a franchisee may use customer PII after the franchise agreement expires, what does or does not constitute electronic data, and what data is or is not private. These questions can place a franchise system at great risk should a franchisee allow private data to fall into the wrong hands. The best practice is to have the language already in place, even if that requires an overhaul of the company’s existing franchise agreement.
Beyond the courts, state legislatures are now getting involved in revamping state information protection acts. For example, earlier this year the Florida House of Representatives unanimously passed the Florida Information Protection Act of 2014, Senate Bill 1524, which became effective July 1, 2014. See F.S. § 501.171. The Act’s purpose is to protect Florida citizens’ data by requiring businesses and governmental entities not only to protect this data, but also to report data breaches to the Florida Department of Legal Affairs and to consumers earlier than previously required. In addition to shortening a company’s breach reporting period by 15 days (to 30 days), the new statute expands the previous definition of “personal information” to include insurance, medical, and financial information; requires notice to the Florida Department of Legal Affairs of any breach affecting 500 or more individuals in Florida within 30 days, with an extension of up to 15 days available only if good cause for the delay is provided in writing; and authorizes the Florida Office of the Attorney General to bring enforcement actions under Florida’s Deceptive and Unfair Trade Practices Act (“FDUTPA”), among other requirements. State legislatures’ response to the cost and damage of data breaches is affecting individuals, companies, and governmental agencies everywhere by creating new duties and obligations required by law. It is important that each company evaluate its particular state information protection act to ensure compliance.
While a single hack is able to cripple an entire company, its clients, and its employees, one well-drafted and thought-out liability policy can offer protection. Every software and computer upgrade, every remote device accessing company information, and every incoming email places a company at risk. In 2010, some 16 million confidential records were exposed through more than 662 reported security breaches, according to the national nonprofit Identity Theft Resource Center. Examples of entities suffering data breaches can be found across the board: Heartland Payment Systems suffered a hack of its payment card transaction processing system exposing 130 million people and costing upwards of $145 million; Sony Corp. exposed over 100 million people at a cost upwards of $170 million; the U.S. Department of Veterans Affairs exposed 26 million people through an employee’s stolen laptop, costing upwards of $20 million; the Bank of New York exposed 12 million people, at a cost of $50 million, when data storage tapes were lost in transit; E*Trade Financial incurred $22 million in costs resulting from identity theft and unauthorized stock sales by a system hacker; and ChoicePoint incurred $442 million in costs for the unauthorized sale and/or distribution of personal and financial consumer data. The message is clear: if your company possesses confidential data, you are a target. And if you think that only large companies are at risk, think again. According to a study conducted by Verizon in conjunction with the U.S. Secret Service, 63% of cyber attacks in 2010 were committed against businesses with 100 or fewer employees. Breaches also routinely occur in the medical industry, the government sector, and universities, and yes, even state bar examiners have fallen victim. The Nevada State Bar recently confirmed that Nevada Bar applicants’ confidential information was compromised when criminals forced their way into a storage facility containing old applications.
There are dozens of cyber liability policies currently being offered, but not all are created equal. Some policies are drafted so narrowly that little coverage may be afforded, and others are drafted so broadly that they invite sweeping coverage disputes and wide-ranging interpretations. Another consideration when choosing a cyber liability policy is its forum selection and choice of law provisions. While New York is considered an unfavorable jurisdiction for insureds, many policies contain New York choice of law provisions and further require an insured to submit to alternative dispute resolution prior to litigation. Moreover, some policies are written outside the United States and will require an insured to have disputes heard overseas.
Due to the ever-evolving sophistication of the cyber criminal, all companies should take a hard look at their insurance coverage. And while the Insurance Services Office (ISO) has begun revising its standard CGL forms, introducing endorsements in 2014 that expressly exclude liability arising from access to or disclosure of confidential or personal information, the fact remains that many data breach events occurred under older CGL forms that do not expressly exclude losses caused by third parties. The ISO has also promulgated a standard policy form entitled “Internet Liability and Network Protection Policy,” which insurers may use as a template for cyber risk coverage. Nonetheless, when writing these policies, insurers often require would-be policyholders to provide an inventory of their computer software, a history of past cyber threats, documentation of their employee hiring policies, and answers to a multitude of IT-related questions. Insurers may also require changes in policies and procedures, and additional safeguards to further hinder cyber attacks, before offering coverage.
The simple truth is that data breaches cannot be predicted. The damages caused, however, can be mitigated, and protections can be put into place.
Copyright © 2014, Ansa Assuncao LLP