The Rapidly Evolving Nature of Cyber Risk
ReUnderwriting – July 20, 2011
Ellen Farrell
Crowell & Moring LLP
AGENDA
• Overview
• The Reach of Cyber Risk
• Regulatory Framework/Potential Damages
• Insurance & Reinsurance
What is Cyber Risk?
Exposures emanating from computer networks and the Internet
Erasure, destruction, corruption, misappropriation of data
Error in creating, amending, entering, deleting or using data
Inability to receive, transmit or use data
Examples
• November 2010 – Stuxnet virus cripples Iran’s nuclear program
• March 2011 – Epsilon Data Breach
• April 2011 – Sony PlayStation Breach
• April 2011 – California man indicted for “cyber extortion”
• May 2011 – Lockheed Martin Hacker Attack
• June 2011 – Hackers breached Citigroup’s computer systems
• July 2011 – Pentagon reveals that in March, 24,000 files were stolen from a defense industry computer network
Examples
Viruses/Worms (e.g. Sasser Worm, approx. $18 billion in damages in 2004)
Unauthorized Access (e.g. loss of $12.6 million to Heartland Payment after hackers install spying software on network)
Data Theft (study says 60 percent of departing employees steal company data)
Loss of Media (e.g. UPS loses computer tapes containing information on 3.9 million customers)
Examples
Malicious Insiders (e.g. Fannie Mae employee inserts “time bomb” into network upon being fired)
Computer Failures (e.g. technical glitch caused three day disruption at Netflix, $2 million lost)
Human Error (e.g. “A simple typing error brought Google's search engine to a grinding halt”)
Data Extortion (e.g. hackers demand $10 million for Virginia medical data)
Examples
Average cost for a data breach: $7.2 million*
Average cost per individual record breached: $214 ($141 attributed to indirect damages, $73 to direct damages):
• Notification Costs
• Credit Monitoring
• Litigation expenses
• Government penalties/fines
• Damage to brand, reputation, etc.
• Administrative expenses (e.g. overtime)
• Share price drop
* Source – Ponemon Institute, LLC
Losses
Other cyber losses may include:
Irrevocable loss of data – e.g., power outage disrupts data processing operations, and data has been destroyed, even after power has been restored
Business Interruption
Claims of Professional Negligence
Vulnerable Industries
Healthcare
Financial Services
Education
Media
Retailers
Cyber Risk
FOCUS ON PRIVACY
Federal Laws
There is no one comprehensive federal privacy law, but proposed legislation (including the Data Security & Breach Notification Act and the Personal Data Privacy & Security Act) has been introduced for consideration.
Federal Laws
Instead, there is a patchwork of federal laws which govern maintaining the privacy of information, including:
• Gramm-Leach-Bliley Act (GLB)
• Fair & Accurate Credit Transaction Act (FACTA)
• Fair Credit Reporting Act (FCRA)
• Health Information Portability & Accountability Act (HIPAA)
• Health Information Technology for Economic & Clinical Health Act (HITECH)
• Children’s Online Privacy Protection Act
There is also a host of state laws, including…
States With Notification Laws
Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming
Basic Requirements
Generally requires written notification to individuals in the event of “an unauthorized access to or acquisition of unencrypted, computerized data”
Basic definition of personal information: First name or initial and last name, plus any of the following
- SSN
- DL # or state ID #
- Account number, credit or debit number plus security code, access code, or password
Difficulty Lies in Differences Between the Laws
Definition of “personal information” (i.e. trigger information)
Standard of harm evaluation before notification is required
Applicability to paper documents
Exemption for encrypted data
Authorities to notify (in addition to individuals)
Specific content requirements
Timelines for notification
If one state law triggers notification – difficult not to notify in all.
Damages
Enforcement Penalties:
Penalties for failure to notify under the statutes (range from $0 to $750k for multiple violations)
Injunctive relief
Restitution
Private right of action established by statute in many states
FTC penalties and oversight
Costs associated with notification:
forensic experts
notification letters
credit monitoring (not legally required/but required by regulators)
call centers (certain states and under HIPAA breach law if using substitute notice)
discounts on future products or services
responding to state/federal investigations and customers
lost customers
Litigation
Plaintiffs have historically had a hard time proving any actual damages as the result of a security breach, with courts insisting on actual damage for negligence claims – but this may be changing, at least at the motion to dismiss stage.
Most are claiming damages based on the risk of identity theft because their information has been compromised.
Actual damages caused to individuals due to identity theft are minor, since most credit cards cover fraudulent purchases.
What has been recovered, usually through settlement, has been the cost of credit monitoring, or other out of pocket expenses required to rehabilitate after identity theft.
Big expenses in this arena fall to credit card companies and banks who cover any fraudulent expenses and incur the costs associated with changing credit card or account numbers.
Third party liability has been the real battleground in recently proposed legislation, with banks and credit card companies pushing for legislation that requires the entities who cause the data breach (generally retailers) to bear these costs. Minnesota has passed such a law.
In other states, this shifting of costs is currently being handled via negligence lawsuits, or contractual clauses such as indemnification, warranties, limitations of liability.
Litigation
Recent class action settlements:
• TJX – Settled 2007
• Facebook – Settled 2009
• Countrywide Financial – Settled 2009
• Google – Settled 2010
• Quantcast Corp., Clearspring Technologies, VideoEgg et al. – Settled 2011 (“Flash Cookie” class action)
Litigation
Active Class Action Law Suits Include:
• Suits arising from the Sony PlayStation breach
• Against Google, involving the collection of personal WiFi data
• Against RockYou, which develops applications for social media sites
• Against NetFlix, which allegedly maintains data of its customers’ viewing habits
Insurance & Reinsurance
Traditional Insurance Policies
Trigger for Traditional Policies is Physical Loss or Damage to Tangible Property
Does this include Data?
Traditional Insurance Policies
In some older cases, courts held that damage to data does constitute physical loss or damage to tangible property:
Centennial Ins. Co. v. Applied Health Care Systems, Inc., 710 F.2d 1288 (7th Cir. 1983) – CGL Policy
Retail Systems, Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. App. 1991) – General Liability Policy
American Guarantee & Liability Ins. v. Ingram Micro, Inc., Civ. 99-185, 2000 WL 726789 (D. Ariz. Apr. 18, 2000) – All Risk Policy – the court held that “‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.”
Traditional Insurance Policies
More recently, some courts have come to this same conclusion:
E.g., Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010) – The insured was sued by a computer user, claiming the insured’s website injured his software and data. The insurer denied coverage under CGL and E&O policies. The 8th Circuit reversed the district court and held that the CGL policy applied (more on the E&O policy later), as the underlying claimant alleged loss of use of his computer, and computers are tangible property.
Traditional Insurance Policies
On the other hand, some courts have held that loss of data is not physical damage...
In America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003), the court held that America Online’s CGL policy did not provide coverage for a class action lawsuit alleging that AOL 5.0 caused consumers’ computers to malfunction, crash, or freeze:
Injuries to computer data, software, and systems were not damage to tangible property, and thus were not covered. The court analogized hardware to a tangible padlock and data to the intangible combination. The lock is unusable without the combination, but the lock is not physically damaged. Thus, the court held that a computer with damaged data is not usable by the end-user, but it is not physically damaged for purposes of CGL coverage.
This is seen as a seminal case.
Traditional Insurance Policies
See also:
Greco & Traficante v. Fidelity & Guarantee Ins. Co., unpublished (Cal. Super. Ct. 2009) – The insured (a law firm) sued its insurer for denying its claim for $57,000 sustained when billing data became unavailable as a result of a power anomaly. The court held that lost billing data was not physical property, since no evidence was produced that the data was ever stored in a physical medium (the computer system); the loss occurred while the secretary was inputting the information at issue.
Ward Gen’l Ins. Servs. v. Employers Fire Ins. Co., 7 Cal. Rptr. 3d 844 (Cal. Ct. App. 2004) – The insured sued its insurer for a declaration that its commercial policy covered losses incurred when data in its computer was inadvertently deleted. The court held that the policy did not cover these losses, since the loss did not qualify as a direct material loss.
Traditional Insurance Policies
Some Newer CGL Policies Now Expressly Do Not Cover Cyber Risk
In 2001, ISO added the following to the definition of “property damage” in the CGL standard form:
For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. See Comprehensive General Liability Coverage Form, § V (17)(b).
Traditional Insurance Policies
Commercial Property Policies May Provide “Additional Coverage” With a de minimis Limit For Interruption of Computer Operations
As of 2007, the ISO standard form provides coverage for such business interruption losses up to a $2,500 limit
The provision covers – up to $2,500 per year – the actual loss of business income and/or extra expense incurred when the insured must suspend operations because of an interruption in computer operations caused by destruction or corruption of electronic data due to a covered cause of loss. This does not include “interruption related to manipulation of a computer system (including electronic data) by any employee, including a temporary or leased employee, or by an entity retained by you or for you to inspect, design, install, maintain, repair or replace that system.” See Commercial Property Extra Expense Coverage Form, § A(4)(c)(3).
Traditional Insurance Policies
Personal/Advertising Injury clauses provide coverage for damages resulting from the publication of material which violates a right to privacy.
Does this include data?
Traditional Insurance Policies
Contrast…
• Penzer v. Transportation Ins. Co., 29 So. 3d 1000 (Fla. 2010) – The insured sent unsolicited fax advertisements. The court held that sending faxes constituted a “publication” under its commercial liability policy; the faxed paper constituted “material;” and the right of privacy includes the right to seclusion.
• Netscape Comm. v. Federal Ins. Co., 2007 U.S. Dist. LEXIS 78400 (N.D. Cal. Oct. 10, 2007), rev’d, 343 Fed. Appx. 271 (9th Cir. 2009) – The insured allegedly intercepted and disseminated private online communications. Court reversed the district court’s holding that the personal/advertising cover did not apply and remanded for further proceedings.
Traditional Insurance Policies
And…
• Tamm v. Hartford Fire Ins. Co., 16 Mass. L. Rep. 535 (Mass. Super. Ct. 2003) – The insured sued its insurer for failing to defend claims against it under a CGL policy, which covered personal and advertising injury. The insured was a former employee of a company which alleged that he intercepted privileged emails and threatened to distribute personal emails. The court held that the allegations that the insured sent out private communications over email satisfied the policy, since it was “oral or written publication” of “materials that violate a person’s right of privacy.” The court reasoned that even though the underlying plaintiff did not expressly claim invasion of privacy, the request for an injunction from acquiring and distributing this information was an implicit claim of privacy.
Traditional Insurance Policies
With…
• Auto-Owners Ins. Co. v. Websolv Computing, 580 F.3d 543 (7th Cir. 2009) – The insured was sued for sending an unsolicited fax to a dental office; the insurer refused to defend. The court reversed the district court and held that the advertising injury clause did not apply, as it covers the privacy right to secrecy, not seclusion (the right to be left alone).
Traditional Insurance Policies
Other potential coverage issues include:
• Expected/Intended Exclusion – Does this apply to data because of a hacker invasion? E.g., Lambrecht & Assocs. v. State Farm Lloyds, 119 S.W.3d 16 (Tx. Ct. App. 2003) – The exclusion did not apply where there was no evidence that the insured engaged in any voluntary conduct or took action causing its damage.
• Impaired Property Exclusion – Even if CGL policies may cover lost data, this exclusion may come into play if the destroyed data was accompanied by a loss of hardware. See Eyeblaster, 613 F.3d 797 – The Eighth Circuit held that this exclusion did not apply.
• Willful Violation of Law – What if the insured intentionally sends spam email? See Greenwich Ins. Co. v. Media Breakaway, LLC et al. – No coverage where insured was held to have engaged in intentionally dishonest/illegal activity.
Standalone Policies
Cyber Risk Policies
Many Different Unique Products
20-40 insurers provide standalone products. Examples:
ACE: Digital DNA Network Risk Insurance Program/ACE Digitech/ACE Privacy Protection
Beazley Syndicate: Information Security & Privacy; Breach Response
Chubb: CyberSecurity; Forefront Portfolio 3.0
CNA: NetProtect, NetProtect Essential
Great American: Cyber Risk
The Hartford: CyberChoice 2.0
Markel: Databreach SM
Cyber Risk Policies
Who is Purchasing These Policies?
• Managed care companies
• Hospitals
• Technology companies
• Hotel chains
• Cloud providers
Cyber Risk Policies
Statistics
Premium estimates for standalone policies range from $500 to $800 million annually.
One survey* indicated that:
• 15% of respondents had cyber liability coverage with limits between $1 and $4.9 million;
• 13% had limits between $5 and $9.9 million;
• 61% had limits between $10 and $49.9 million;
• 8% had limits of more than $50 million
* Source – Towers Watson 2011 Risk and Finance Manager Survey
Types of Cyber Coverage
Internet Media Liability
Claims arising out of content of a website (libel, slander, trademark infringement, false advertising, etc.)
Internet Professional Liability
Claims arising out of performance of professional services (web publishing, ISP, web designer, etc.)
Data Privacy and Network Security Coverage
Claims arising out of failure to prevent unauthorized use or access of network (transmission of a computer virus, theft of client data, etc.), identity theft, etc.
Types of Cyber Coverage
Intellectual Property Coverage
Theft/use/disclosure of proprietary, advertising, technology, trademarks, etc.
Information Asset Coverage
Coverage for restoration or recreation of data, computer system resources, and information assets that are damaged by a computer attack
Network Business Interruption Coverage
Coverage for business interruption losses arising from interruption or suspension of a computer network / website (e.g. denial of service attacks)
Types of Cyber Coverage
Cyber Extortion Coverage
Coverage for investigation costs and extortion demand
Crime/Insider Coverage
Employees using company e-mail/internet for illegal purposes, deceptive practices (FTC), etc.
Errors & Omissions Coverage
Inadvertent loss or disclosure of data, employee error resulting in deletion of data or spreading of virus, etc.
Cyber Terrorism Coverage
Covers those terrorist acts covered by the Terrorism Risk Insurance Act of 2002 and, in some cases, may be further extended to terrorist acts beyond those contemplated in the Act.
Focus on Privacy Coverage
Privacy cover includes:
Liability for loss or breach of the data – failure to safeguard the data
Remediation costs – response costs, including investigation, public relations, customer notification, credit monitoring
Government fines & penalties – costs to investigate, defend and settle fines & penalties
* Source – The Betterley Report, June 2011
Exclusions
Common Exclusions in Standalone Policies:
• Coverage Territory Restrictions
• Losses from “named viruses”
• Failure to take reasonable security measures
• Blogs
• Hostilities & Warlike Operations Exclusions
Back to Eyeblaster:
The insured had also sought coverage under an Information and Network Technology Errors or Omissions policy, which covered intangible data.
The insurer contended that the policy did not apply because the insured allegedly acted intentionally in placing its software in the underlying plaintiff’s computer.
The court held that there was no evidence that the insured acted intentionally.
See also i-Frontier v. Gulf Underwriters, 2005 U.S. Dist. LEXIS 19149 (E.D. Pa. June 3, 2005):
The insured’s employee was sued for allegedly stealing a manual and uploading it to the insured’s website. The insured had obtained a policy which covered “errors, omissions, and negligent acts; committed by the Insured during the Policy Period in performing Cyberspace Activities . . . Including obtaining, processing, uttering, or disseminating Content in or for the Cyberspace Activities, regardless of when Claim is made or suit is brought.”
The insurer denied coverage, and the court held that there was no coverage because the intentional acts exclusion applied, as the underlying complaint alleged intentional wrongful conduct in each count.
Standalone v. Add-On Policies
Standalone Policies v. Add-ons
• Some commentators believe cyber liabilities will become covered by standard policies; others think this is unrealistic
• Some carriers already offer endorsements to provide coverage for cyber insurance
• Hartford has a privacy liability endorsement which can be made part of its traditional policy
• One medical professional liability insurer offers cyber liability coverage as part of its physicians’ and surgeons’ policies at no additional charge
Initial Reinsurer Responses
Following 9/11, Reinsurers Became Concerned About a “Cyber Hurricane”
Cyber Attacks Might Be Globally Correlated and Interdependent
"It could affect thousands of companies simultaneously with no geographic locus," potentially causing too much exposure to individual insurance companies, says Jeffrey Grange, senior vice president and global manager of fidelity and professional liability products for The Chubb Group.
See Daintry Duffy, “Safety at a Premium,” CSO Magazine, December 2002. Available online at http://www.csoonline.com/article/217739/Cybersecurity_Insurance_Safety_at_a_Premium
Initial Reinsurer Responses
Uncertainty
Lack of actuarial data
Scarcity of past claims/plausibility of future attacks
Geographic scope of losses/accumulation
Last year the cyber reinsurance market was about $350 – $400 million in premiums (compared with global reinsurance capacity of about $400 billion).
Underwriting Considerations
“Traditional” Property/Casualty/E&O treaties:
Breadth of coverage/underlying policies/state of the law
Exclusions
Stand alone Cyber/Data Risk Reinsurance:
What can brokers offer?
Modeling/limits/premium