PROTECTING YOUR COMPANY FROM A DATA PRIVACY OR CYBERSECURITY BREACH

Robert P. Thavis and Stephen J. Cosentino

Transcript of a 25-slide PowerPoint presentation.

Page 1: Title slide (title and authors as above)

Page 2:

CYBERSECURITY AND PRIVACY

• How will the Cybersecurity Framework affect consumer privacy?

• Consumer privacy law continues to focus on disclosure

• Those working in privacy compliance will need to determine whether the disclosure focus should extend to cooperative exchanges of data within the Cybersecurity Framework

Page 3:

CYBERSECURITY AND PRIVACY

• California Privacy Law Changes for 2014 (CalOPPA amendments)

▫ Operators must disclose how they respond to web browser Do Not Track (DNT) signals

▫ Operators must disclose whether third parties may collect PII about a consumer's online activities over time and across different websites

▫ Intended to target behavioral tracking by ad networks such as Facebook FBX and Google AdSense

• The focus is on disclosure and awareness: the law does not require an operator to honor DNT signals, only to say how it responds to them

Page 4:

CYBERSECURITY AND PRIVACY

• Children's Online Privacy Protection Act (COPPA) Rule Changes for 2013

▫ Similar focus on information sharing with third parties

▫ Close a loophole that allowed kid-directed apps and websites to let third parties (plug-ins, ad networks) collect personal information from children without parental notice and consent

Page 6:

CYBERSECURITY AND PRIVACY

• Financial industry privacy requirements (Gramm-Leach-Bliley Act, GLB) focus on disclosure and choice

• Emphasis on distinguishing between the company and third parties

• Uniformity of the GLB model privacy notice is very important

• Cybersecurity Framework related disclosures don't fit well into that uniform notice

Page 8:

CYBERSECURITY AND PRIVACY

• Cybersecurity-related disclosures continue to be broad and vague

• GLB Model Privacy Form

▫ "To protect your personal information from unauthorized access and use, we use security measures that comply with federal law"

• Typical website disclosures

▫ "We work to protect your information in transmission using secure socket layers" (SSL/TLS; says nothing about protocol versions, cipher configuration, or protection of data at rest)

▫ "We strive to keep your information safe and secure"

▫ Obligatory disclaimer that no system is completely secure

Page 9:

CYBERSECURITY AND PRIVACY

• COPPA Amendments do address data security

▫ Covered website operators and online service providers must take reasonable steps to release children's personal information only to companies that are capable of keeping it secure and confidential

▫ Still lacks any detail about what "reasonable steps" or "capable" means

Page 10:

HIPAA DATA BREACH REQUIREMENT

• Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act

• Requires HIPAA covered entities (CEs) and their business associates (BAs) to provide notification following a breach of unsecured protected health information (PHI)

• "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance (encrypted or destroyed); PHI that was properly encrypted when lost falls outside the notification requirement

Page 11:

HIPAA DATA BREACH REQUIREMENT

• Definition of Breach

▫ Impermissible use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual

▫ Note: this "significant risk of harm" standard comes from the 2009 interim final rule. The 2013 HIPAA Omnibus Final Rule replaced it: an impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates a low probability that the PHI has been compromised, based on a documented risk assessment (nature of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation)

• Breach Notification Requirements for CEs

▫ If the CE has insufficient or out-of-date contact information for 10 or more individuals, provide substitute individual notice by either posting the notice on the home page of its website for 90 days or providing notice in major print or broadcast media where the affected individuals likely reside

Page 12:

HIPAA DATA BREACH REQUIREMENT

• Breach Notification Requirements for CEs (continued)

▫ If the CE has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, telephone, or other means

▫ The final exception to "breach" applies if the covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not reasonably have been able to retain the information

Page 13:

IOWA DATA BREACH REQUIREMENT

• Scope of Iowa Law (Iowa Code chapter 715C)

• "Personal information" is an individual's first name or first initial and last name in combination with one or more of the following, when unencrypted:

▫ Social Security number

▫ Driver's license number or other unique government-issued identification number

▫ Financial account number, credit card number, or debit card number in combination with any security code, access code, or password that would permit access to the account

▫ Unique electronic identifier or routing code in combination with any required security code, access code, or password

▫ Unique biometric data (fingerprint, retina or iris image, etc.)

• Encrypted data is outside the definition, which is why encryption at rest of exactly these fields is the practical risk reducer

Page 14:

IOWA DATA BREACH REQUIREMENT

• Scope of Iowa Law (continued)

• "Breach of security" is the unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the information

• Exception for good-faith acquisition by the entity's own employee or agent for a legitimate purpose, provided the information is not misused and the acquisition does not pose an actual threat to its security, confidentiality, or integrity

Page 15:

IOWA DATA BREACH REQUIREMENT

• Consumer Notice

▫ Made in the most expeditious manner possible and without unreasonable delay

▫ Consistent with the measures necessary to determine the contact information of affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data

▫ Does contain an exception (permitted delay) for a law enforcement investigation

▫ Some discretion: notice is not required if the entity, after an appropriate investigation or after consultation with law enforcement, determines that there is no reasonable likelihood of financial harm to the affected consumers. However, the entity must document that determination in writing and keep the documentation for five years

Page 16:

IOWA DATA BREACH REQUIREMENT

• Notice Methods

▫ Written notice, or electronic notice if the entity's customary method of communicating with the consumer is electronic or if consistent with the federal E-SIGN Act

▫ Substitute notice if the cost of notice would exceed $250,000, the affected class is more than 350,000 people, or the entity has insufficient contact information

– Substitute notice means email (where addresses are known), conspicuous posting on the entity's website, and notice to major statewide media

▫ If the breach affects more than 500 Iowa residents, notice must also be provided to the Iowa Attorney General's office within five business days after notice is given to consumers

▫ Violations are an unlawful practice under Iowa's Consumer Fraud Act, subject to a civil penalty of up to $40,000 per violation

Page 17:

COVERAGE FOR CYBER RISKS

• Cyber-related risks are perhaps both the most likely, and the most significant, risks to have developed over the past 25 years

• One of the most difficult risks to manage:

▫ Difficult to anticipate what the insurer will agree is covered

– Every case sets a precedent

– Good rule of thumb: big losses are not covered

▫ Difficult to anticipate what will be found covered under existing policies

– Not much case law

– Early case law muddled

Page 18:

FIRST-PARTY CYBER COVERAGE

• Property/Casualty Coverage

▫ Physical injury to tangible property

– Compromised equipment (heat, water exposure, warranty)?

▫ Hacking/attacks covered?

– Strangers only, or are disgruntled employees' acts covered?

– Definition of insured / insured v. insured exclusion

– Military action / EMP exclusion?

• Business Interruption

▫ Is it covered?

▫ Source of shutdown covered? Power, water

▫ Slow-down versus shut-down / working from home?

▫ Limits and proof of loss

Page 19:

FIRST-PARTY CYBER COVERAGE

• Valuable Papers / Data Restoration

▫ Do you have it? Limits?

▫ Backup required?

• Crime

▫ One from Column A not enough

▫ Remote access excluded or required?

▫ Theft by employees versus outsiders?

• Ultimately, Need Express Cyber Language

Page 20:

CYBER LIABILITY COVERAGE

• General Liability Coverage

▫ Physical damage to tangible property

– DoS, data loss, exclusivity of data lost, data corrupted: perhaps not covered, since courts often hold that data is not "tangible property"

▫ Loss of use of tangible property not physically damaged

– Impact on computers and computer-run equipment/operations

– Slow-down versus shut-down

▫ Personal injury

– Defamation

– Loss of privacy

Page 21:

CYBER COVERAGE

• Errors & Omissions Coverage

▫ Tailoring required: the "professional services" definition is the heart of the coverage

▫ Nothing is certain: Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)

– "Arising out of" contract

– Intended act versus intended injury

– Every case sets a precedent

Page 22:

CYBER COVERAGE

• Directors & Officers (and Entity) Coverage

▫ Any significant company event, including a breach, can give rise to shareholder class suits, derivative suits, consumer class suits, competitor suits, and regulatory actions

▫ Disclosure obligations

– SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011)

– Disclosures from private companies?

▫ Entity coverage and Side A protections

Page 23:

CYBER LIABILITY COVERAGE

• Regulatory Aftermath

▫ Historically most data breaches in financial and healthcare industries

▫ Data breaches trigger enforcement actions under FCRA, HIPAA, and numerous other consumer protection statutes

▫ Regulatory actions can be, but may not be, covered

– Violation of statutes

– Claim for "damages"

Page 24:

CYBER COVERAGE

• Specialty Cyber Policies

▫ Different historical antecedents and approaches

– Replacements for advertising injury coverage

– Specialized E&O coverage

– Utilities approach

– Crime/fraud approach

– Terrorism/extortion coverage

▫ Reason for the piecemeal approach: no insurer is willing to provide blanket coverage

– Can't gauge risks today

– Cyber risks have a short half-life; certainly can't predict risks tomorrow

▫ Caveat emptor / do your homework: no standardization until the market matures

Page 25:

THANK YOU

Robert P. Thavis
Stephen J. Cosentino