Advising the insurance industry: cyber liability

March 2014

CMS_LawTax_CMYK_28-100.eps

2 | Cyber liability & media capability

Bristol

Dubai

Amsterdam

Brussels

UtrechtLondon

Edinburgh

Aberdeen

Luxembourg

Antwerp

Paris

Leipzig

Lyon

Strasbourg

Madrid

Barcelona

Lisbon

Seville

Casablanca

Algiers

Rome

Milan

Zurich

Ljubljana

ViennaBratislava

Budapest

Zagreb

Sarajevo

Tirana

Belgrade

Sofia

Bucharest

Prague

Warsaw

Kyiv

Moscow

Shanghai

Beijing

Munich

Berlin

Hamburg

Duesseldorf

CologneFrankfurt

Stuttgart

Rio de Janeiro

Istanbul

Mexico City

Geneva

Bristol

Dubai

Amsterdam

Brussels

UtrechtLondon

Edinburgh

Aberdeen

Luxembourg

Antwerp

Paris

Leipzig

Lyon

Strasbourg

Madrid

Barcelona

Lisbon

Seville

Casablanca

Algiers

Rome

Milan

Zurich

Ljubljana

ViennaBratislava

Budapest

Zagreb

Sarajevo

Tirana

Belgrade

Sofia

Bucharest

Prague

Warsaw

Kyiv

Moscow

Shanghai

Beijing

Munich

Berlin

Hamburg

Duesseldorf

CologneFrankfurt

Stuttgart

Rio de Janeiro

Istanbul

Mexico City

Geneva

Bristol

Dubai

Amsterdam

Brussels

UtrechtLondon

Edinburgh

Aberdeen

Luxembourg

Antwerp

Paris

Leipzig

Lyon

Strasbourg

Madrid

Barcelona

Lisbon

Seville

Casablanca

Algiers

Rome

Milan

Zurich

Ljubljana

ViennaBratislava

Budapest

Zagreb

Sarajevo

Tirana

Belgrade

Sofia

Bucharest

Prague

Warsaw

Kyiv

Moscow

Shanghai

Beijing

Munich

Berlin

Hamburg

Duesseldorf

CologneFrankfurt

Stuttgart

Rio de Janeiro

Istanbul

Mexico City

Geneva

Bristol

Dubai

Amsterdam

Brussels

UtrechtLondon

Edinburgh

Aberdeen

Luxembourg

Antwerp

Paris

Leipzig

Lyon

Strasbourg

Madrid

Barcelona

Lisbon

Seville

Casablanca

Algiers

Rome

Milan

Zurich

Ljubljana

ViennaBratislava

Budapest

Zagreb

Sarajevo

Tirana

Belgrade

Sofia

Bucharest

Prague

Warsaw

Kyiv

Moscow

Shanghai

Beijing

Munich

Berlin

Hamburg

Duesseldorf

CologneFrankfurt

Stuttgart

Rio de Janeiro

Istanbul

Mexico City

Geneva

Bristol

Dubai

Amsterdam

Brussels

UtrechtLondon

Edinburgh

Aberdeen

Luxembourg

Antwerp

Paris

Leipzig

Lyon

Strasbourg

Madrid

Barcelona

Lisbon

Seville

Casablanca

Algiers

Rome

Milan

Zurich

Ljubljana

ViennaBratislava

Budapest

Zagreb

Sarajevo

Tirana

Belgrade

Sofia

Bucharest

Prague

Warsaw

Kyiv

Moscow

Shanghai

Beijing

Munich

Berlin

Hamburg

Duesseldorf

CologneFrankfurt

Stuttgart

Rio de Janeiro

Istanbul

Mexico City

Geneva

Our cyber insurance credentialsCyber attacks, data security and system integrity represent a very real danger to business – across all industries and sectors. Cyber is no longer a “tech” issue to be dealt with by the IT department: it is now a board level issue and should be treated as such. The impact of a cyber attack can be considerable, not only for business interruption, but also for reputational damage, PR and regulatory fines and penalties, loss of goodwill, or even claims against directors and other officers.

The cyber agenda is a key area of focus for European and national policy, resulting in rapidly changing law and regulation, which has also been the subject of significant lobbying and negotiation. A core focus of data security is privacy and data protection, and the new European Data Protection Regulation, when it does come into force, will be a “game changer” for the industry. On the original draft, corporates would be required to notify the relevant Data Protection authority of any breach of security and personal data, and, where feasible, may have as little as 24 hours to do so. Many breaches would also require notification of affected data subjects without “undue delay”. This

issue, as much as any other, is driving the current growth in the cyber insurance market in Europe. In our experience, few clients have the technical or operational systems already in place to comply with this change in law.

Within this document we present our credentials in the field of cyber insurance. We offer a “best in class” insurance sector focus, with a leading IP/IT/privacy offering, all combined in a European footprint unrivalled in quality and breadth of coverage. Cyber insurance in our experience can be as much about process and support as it is about policy coverage. Does your policy offer IT support, out of hours contact, PR, or credit monitoring for individuals?

Our European Cyber team is already advising leading insurers who are writing such risks and we have a unique understanding of the issues being faced. Contact details of our specialist lawyers in jurisdictions where CMS has offices are to be found at the back of this document. Further details of firms with whom we regularly associate on cyber matters are also available if required.

3

Bristol

Dubai

Amsterdam

Brussels

UtrechtLondon

Edinburgh

Aberdeen

Luxembourg

Antwerp

Paris

Leipzig

Lyon

Strasbourg

Madrid

Barcelona

Lisbon

Seville

Casablanca

Algiers

Rome

Milan

Zurich

Ljubljana

ViennaBratislava

Budapest

Zagreb

Sarajevo

Tirana

Belgrade

Sofia

Bucharest

Prague

Warsaw

Kyiv

Moscow

Shanghai

Beijing

Munich

Berlin

Hamburg

Duesseldorf

CologneFrankfurt

Stuttgart

Rio de Janeiro

Istanbul

Mexico City

Geneva

Bristol

Dubai

Amsterdam

Brussels

UtrechtLondon

Edinburgh

Aberdeen

Luxembourg

Antwerp

Paris

Leipzig

Lyon

Strasbourg

Madrid

Barcelona

Lisbon

Seville

Casablanca

Algiers

Rome

Milan

Zurich

Ljubljana

ViennaBratislava

Budapest

Zagreb

Sarajevo

Tirana

Belgrade

Sofia

Bucharest

Prague

Warsaw

Kyiv

Moscow

Shanghai

Beijing

Munich

Berlin

Hamburg

Duesseldorf

CologneFrankfurt

Stuttgart

Rio de Janeiro

Istanbul

Mexico City

Geneva

Information security and privacy breach liability

Our team of international lawyers across 32 jurisdictions provides expert advice on all information security and privacy breach matters.

Our expertise in insurance, data protection, regulatory, IP, IT and general commercial law is applied across our key sectors; financial services, healthcare and lifesciences, TMT, energy, consumer products and retail, among others.

Our experience includes advising:

— A major multinational on a breach of confidence allegation from a customer, arising from the posting of sensitive data on an Internet chat board by the insured’s outsourced IT provider.

— German offices of international insurance companies on data protection and other regulatory and IP issues, including representation in various data breach notification cases vis-à-vis supervisory authorities.

— An online retailer in relation to a data security breach arising from the disclosure of customer account information.

— A Swiss Bank, acting as their representative before the Courts to obtain an order guaranteeing that data stolen by an employee and provided to the French government would not leave the EU.

— An insurer in relation to a data security breach by its insured, of sensitive information held by governmental authorities.

— Romanian branch of Diageo on various data protection issues and with regard to the notification of data processing and data transfer operations by the local regulator.

— A well known UK entity in relation to a claim made by a data subject. We advised on drafting a response to the individual and assessing the company’s position under the Data Protection Act.

— A major insurer and life and pensions provider on its multinational outsourcing of sales, customer relationship management, and complaints handling to a leading financial services outsourcing provider.

— An Austrian IT company on various projects concerning data security and transfer of sensitive data for various clients (amongst them Uniqa Insurance).

— A global energy company in relation to a data security breach and working with forensic experts to seize and analyse the data on laptops.

— A Croatian provider of internet services in relation to regulatory (betting industry related), data protection, and corporate (private equity investor related topics).

— The Belgian website of the successful Friendscout24 company on such aspects as drafting general terms and conditions for website data protection.

— Major national and international companies including: Novo Nordisk Pharma GmbH, Securitas, Scout24, Deposit Security International GmbH, Mercateo AG and Prochema, on various cross- border data transfer, data security, data protection and consumer protection issues.

— A client on obtaining an authorisation from the Bulgarian Personal Data Protection Commission for transferring personal data.

— A consumer credit provider on an inspection run by the Czech Data Protection Authority and in related first and second instance administrative proceedings.

— The Italian division of a leading global insurance company on the design and implementation of internal procedures for data protection compliance.

— A leading Polish IT company on data protection issues, including the implementation and registration of a new database system, registration of a data protection officer and advice on the transfer of personal data to countries which cannot ensure an adequate level of data protection.

— A global internet retailer on different aspects of regulatory requirements and personal data protection in Russia.

— IBM Slovakia on general commercial matters including advice on transfer of personal data.

— A Swiss bank in a data security case, involving cooperation with forensic lT experts.

4 | Cyber liability & media capability

Advisory – prudential and authorisation

We also have significant experience and expertise in advising in relation to computer forensic investigations, including online infringement issues and ISP defences, online and computer fraud, criminal actions and domain parking. Some “hot issues” we currently advise on include the misuse of data, cyber crime, forgery/passing off/individual and corporate identity theft.

In determining which cases to fight, and which are best promptly settled, a team with highly rated litigation credentials is required. In addition to our proven track record as a market leader in the insurance sector, we have one of the top-rated technology teams, as evidenced by our award in the UK for “TMT team of the Year 2010” at the Legal Business Awards. Our close working relationship means we are able, quickly, to call upon the appropriate expertise to best service our clients.

Our team includes specialists in litigation, commercial, outsourcing and intellectual property, which ensures that we are able to consider solutions for our clients from all angles. We have significant experience and expertise in a wide range of data protection, security and related matters, including IT-outsourcing and off-shoring, software licensing, software copyright (including ‘look and feel’), computer implemented inventions/software patents, database protection and extraction, ecommerce and online contracts, online infringement issues and ISP defences, online and computer fraud (including criminal actions and domain names), cyber-squatting, typo-squatting and other domain parking, hardware implementation, software design and implementation, systems integration and development projects.

Our experience includes advising:

— Insurers in respect of a multi-million pound dispute between software suppliers and users concerning alleged breaches of the contract for supply and installation of software, including advice on complex policy coverage issues.

— The prime contractor in arbitration arising out of the late delivery of poor quality software by a subcontractor in a major PFI project.

5

— A global IT outsourcing company on a dispute relating to the integration and licensing of address data verification software for a nationally implemented information platform.

— A global IT outsourcing company on a dispute with a software developer subcontractor relating to the software developer’s failure to design and implement the software solution in accordance with an agreed specification.

— A leading IT and business services company on a dispute with a national energy provider arising from allegations of faulty design and implementation of a management and distribution network for the supply of gas.

— A major Czech-based technology company in data theft issues, including advice in respect to relating criminal proceedings.

— On a dispute relating to a contract for the development of a global portfolio management system and defending our client against a claim for failure to complete the development within the contractual timescales.

— Representing Russian clients in police raids, civil, administrative, customs and criminal cases.

— On a dispute with a data storage subcontractor relating to the subcontractor’s failure to meet the service levels required by the contract.

— A leading Italian telecommunications company on the management of all the requests for information coming from the Italian data protection authority and regarding possible unlawful data processing in the scope of telemarketing activities (from gathering information and submission to the Authority to possible litigation).

— Portugal Telecom and Portuguese Yellow Pages regarding a breach of private data base by Google, Inc., which was settled out of court through an amicable agreement.

— Working with Spanish computer forensics providers on administrative procedures and criminal trials.

‘ They (CMS) know the (insurance) market and they know the law,” making it a “real heavyweight firm” in this field.

Chambers and Partners, 2013

‘

6 | Cyber liability & media capability

Website media content, media and advertising liability

We have a particular focus on the consumer products, TMT and financial services sectors, and act for many of the largest names in the industry, with portfolios including confectionery, health and beauty, food and drink, alcohol, pet care, cleaning and household products, telecommunications, electronics, banking, e-commerce and retail.

Our experience includes advising:

— A leading company on proceedings in the UK High Court and OHIM to recover ownership of a key CTM.

— INTEL on the INTELMARK dilution dispute.

— Eagle in Datacard v Eagle, a successful case on trade mark and patent infringement.

— A world leading drinks business on compliance of contemplated campaigns in social networks with data protection rules.

— Clients in all sectors on advertising and marketing complaints and disputes, including as to copy advice and dealings with the Advertising Standards Authority and the Committee of Advertising Practice.

— An international media company on advertising matters, in particular as to comparative advertising, both in terms of its own advertisements and those of its major competitors, including as to advising on threatened injunction proceedings.

— A broadcaster on investigations by Ofcom into a premium call TV quiz show and on potential claims against the production programme company and the supplier of the interactive response technologies for the programme.

— On media law and related regulatory aspects relating to the implementation of a DVB-H platform and, in particular, the acquisition of respective exploitation rights.

— On all legal issues relating to the launch and operation of a multi-access portal for PCs, mobile phones and PDAs and the introduction of new business models with regard to chargeable content, the acquisition of content, issues concerning technical infrastructure and data privacy protection for end users.

— On negotiations for the use of the venue for the tennis event at the London 2012 Olympic Games. Including, in particular, reversionary rights in respect of use of broadcast footage of the event for the club, and the depiction of the venue in online and offline game environments.

— The world’s largest sheet music distributor on devising and implementing a parallel trade enforcement strategy.

— In relation to notice and takedown policies and liability for content under the E-Commerce Directive.

— On all copyright and broadcasting law aspects of a multi-access portal for IPTV and MobilTV (‘Vodafone Live’) and the acquisition of IPTV and VoD rights of, for example, the German national football league (DFL), Formula 1 races and Major Studio Movies.

7

Policy drafting and risk management

Our team has expertise in insurance, coverage and risk management

Our team has extensive knowledge and expertise in advising insurers on both contentious and non-contentious matters such as policy wordings, product development and risk management. We understand the insurance market and how it operates and have an excellent understanding of the issues you face.

We are a recognised market leader in providing legal services to the insurance and reinsurance industry. We are consistently ranked among the top insurance practices in the legal directories with many of our partners ranked as leaders in their fields.

In Western and Central Europe and Russia, CMS provides excellent service delivery for insurance solutions. The insurance market is constantly evolving and there continue to be new opportunities for companies who are looking to expand operations. We have gained solid industry know-how working in the insurance and reinsurance market for over half a century and our long-term involvement in providing insurance expertise across Europe and beyond means that we can support clients to make the most of new opportunities. We have made it our business to know the insurance and reinsurance market inside out and our clients tell us that we have the in-depth knowledge they need to support their businesses across Europe. We speak the industry’s language and our cross- regional insurance practice advises many of the sector’s major players and representatives.

Our experience includes:

— Advising a number of international insurance companies on the development of cyber policies across multiple jurisdictions in Europe.

— Advising the legal team of a major insurer in relation to the wording of consumer insurance policies, including travel, death plans, sports cover and credit card products. We were also asked to provide input on regulatory issues and to draft Key Features Documents.

— Advising on numerous solicitors’ PI policy wordings.

— Preparing a major insurer’s standard brokers’ E&O wording.

— Drafting a security consultant’s all risks policy (covering PA, liability, medical expenses etc) for a new Lloyd’s Syndicate.

— Advising an insurer on global schemes, differences between master policy and local policies, status of DIL/DIC clauses.

— We have for a number of years advised insurers and intermediaries with regard to issues arising out of travel insurance and books of travel business. This includes scheme business and direct consumer business, as well as advising the bond market who participate in ABTA /IATA business.

— We have advised and represented clients in respect of regulatory proceedings issued by Lloyds in connection with travel insurance disputes.

— We have advised insurers regarding liabilities and resolution of issues, including travel bond matters, arising out of the issue of fraudulent bonds.

— Advising a major insurer in relation to legal, regulatory and tax issues involved in structuring a multinational programme co-ordinated across eight jurisdictions and calling upon the expertise of CMS offices in Germany, Italy, Spain, the Netherlands and Switzerland.

— The French division of ATRADIUS on IT and data breach insurance policies.

— Several large international insurers and brokers on their incorporation into the Spanish market and the licensing and authorisation issues arising.

8 | Cyber liability & media capability

Crisis Management and PR

Managing a time of crisis requires a joined up approach: dealing with the underlying issues and the cause of the crisis, as well as ensuring that communications and external response remain appropriate and constructive. Too often the two streams are not joined up, and in many cases each can serve to undermine the effectiveness of the other. A PR response without proper legal input can be inaccurate or misleading, or even contain harmful admissions. A legal response without PR considerations may not be informative or put customers at ease, or may inflame the situation.

Your insured may require advice in relation to managing corporate reputation, or simply to embark on damage limitation. We work closely with our clients in relation to adverse, inaccurate or unfair media reports and assist with the development and implementation of long term strategies to enable decisive and timely responses to negative media. We regularly advise companies on how to use the law and the regulatory codes to protect their reputations as far as possible and on how to deal with adverse media attention, whether in broadcasts or in the press.

We regularly work with in-house communications teams and independent PR advisers.In advising on these issues, we have guided many clients through the maze of relevant codes, guidelines, laws and statutes across multiple industries. We particularly specialise in exploiting the measures that can prevent damage before broadcast or publication, but also have wide experience of conducting complaints and libel actions as a form of “offence/defence”.

9

Our experience includes advising:

— One of the UK’s best known logistics providers on reputation management, PR response and negotiations with the ICO arising from the publication of customer details on the track and trace service of their website.

— An Internet registry on co-ordinating substantive legal response and external communication strategy in relation to fraudulent renewal letters, blackmail, threats, computer misuse and distributed denial of service attacks.

— One of the major broadcasters on a dispute relating to the management of premium rate phone-in quiz show and the successful settlement of the dispute.

— A major high street bank on various media issues including threatened newspaper coverage, which resulted in successfully preventing publication, and advising on its media strategy in relation to its activities and involvement in the Middle East.

— A leading international finance company on a number of media matters including long-running exchanges with ITV over the proposed broadcast of a significant documentary and a GMTV feature, including successful complaint to Ofcom.

— A private hospital group in respect of a documentary featuring undercover recording; making serious and potentially damaging allegations about the services being provided.

‘ They (CMS) know the (insurance) market and they know the law,” making it a “real heavyweight firm” in this field.

Chambers and Partners, 2013

‘

10 | Cyber liability & media capability

CMS Contacts

AUSTRIAJohannes JuranekCMS Reich-Rohrwig HainzT +43 1 40443 2450 E johannes.juranek@cms-rrh.com

ENGL AND & WALESTom ScourfieldCMS Cameron McKenna LLPT +44 20 7367 2707E tom.scourfield@cms-cmck.com

CZECH REPUBLICTomáš MatějovskýCMS Cameron McKenna v.o.s.T +420 2 967 98 852E tomas.matejovsky@cms-cmck.com

ENGL AND & WALESMonica LesnyCMS Cameron McKenna LLPT +44 20 7367 2873E monica.lesny@cms-cmck.com

GERMANYMichael Kamps CMS Hasche SigleT +49 221 7716 270E michael.kamps@cms-hs.com

FRANCEAnne-Laure VilledieuCMS Bureau Francis LefebvreT +33 1 47 38 40 19E anne-laure.villedieu@cms-bfl.com

BELGIUMTom HeremansCMS DeBackerT +32 2 743 69 73E tom.heremans@cms-db.com

BULGARIANevena RadlovaCMS Cameron McKennaT +359 2 923 48 66E nevena.radlova@cms-cmck.com

ITALYItalo de FeoCMS Adonnino Ascoli & Cavasola ScamoniT +39 06 478 151E italo.defeo@cms-aacs.com

CROATIA Marija MušecCMS Reich-Rohrwig HainzT +385 1 4825 600E marija.musec@cms-rrh.com

THE NETHERLANDSWouter SeinenCMS Derks Star BusmannT +31 30 2121 191E wouter.seinen@cms-dsb.com

HUNGARYDr. Péter Mitták CMS Cameron McKenna LLPT + 36 1 483 4846 E peter.mittak@cms-cmck.com

11

SCOTLANDHarriet MunroCMS Cameron McKenna LLPT +44 131 220 8993 E harriet.munro@cms-cmck.com

RUSSIALeonid ZubarevCMS, RussiaT +7 495 786 4000E leonid.zubarev@cmslegal.ru

SWITZERLANDDr. Robert G. Briner CMS von Erlach Henrici T +41 44 285 13 37E robert.briner@cms-veh.com

SPAINBlanca Cortės CMS Albiñana & Suárez de LezoT + 34 91 451 93 00 E blanca.cortes@cms-asl.com

ROMANIALoredana Ralea CMS Cameron McKenna SCAT +40 21 40 73 870E loredana.ralea@cms-cmck.com

POLANDTomasz KoryzmaCMS Cameron McKenna LLPT +48 22 520 8479E tomasz.koryzma@cms-cmck.com

SLOVAKIAJán AzudCMS Reich-Rohrwig HainzT +421 2 544 33 431E jan.azud@rc-cms.sk

PORTUGALJosė Luis Arnaut CMS Rui Pena & ArnautT +351 210 958 132E joaquim.macedo@cms-rpa.com

SERBIAĐorđe PopovićCMS Reich-Rohrwig HainzT +44 381 11 3 208 930 E djordje.popovic@cms-rrh.com

© C

MS

Lega

l Ser

vice

s EE

IG (M

arch

201

4)

CMS Legal Services EEIG (CMS EEIG) is a European Economic Interest Grouping that coordinates an organisation of independent law firms. CMS EEIG provides no client services. Such services are solely provided by CMS EEIG’s member firms in their respective jurisdictions. CMS EEIG and each of its member firms are separate and legally distinct entities, and no such entity has any authority to bind any other. CMS EEIG and each member firm are liable only for their own acts or omissions and not those of each other. The brand name “CMS” and the term “firm” are used to refer to some or all of the member firms or their offices.

CMS member firms are:CMS Adonnino Ascoli & Cavasola Scamoni, Associazione Professionale (Italy);CMS Albiñana & Suárez de Lezo S. L. P. (Spain);CMS Bureau Francis Lefebvre S. E. L. A. F. A. (France);CMS Cameron McKenna LLP (UK);CMS DeBacker SCRL / CVBA (Belgium);CMS Derks Star Busmann N. V. (The Netherlands);CMS von Erlach Poncet (Switzerland);CMS Hasche Sigle, Partnerschaft von Rechtsanwälten und Steuerberatern (Germany);CMS Reich-Rohrwig Hainz Rechtsanwälte GmbH (Austria) andCMS Rui Pena, Arnaut & Associados RL (Portugal).

CMS locations: Aberdeen, Algiers, Amsterdam, Antwerp, Barcelona, Beijing, Belgrade, Berlin, Bratislava, Bristol, Brussels, Bucharest, Budapest, Casablanca, Cologne, Dubai, Duesseldorf, Edinburgh, Frankfurt, Geneva, Hamburg, Istanbul, Kyiv, Leipzig, Lisbon, Ljubljana, London, Luxembourg, Lyon, Madrid, Mexico, Milan, Moscow, Munich, Paris, Prague, Rio de Janeiro, Rome, Sarajevo, Seville, Shanghai, Sofia, Strasbourg, Stuttgart, Tirana, Utrecht, Vienna, Warsaw, Zagreb and Zurich.

www.cmslegal.com