Recording of this session via any media type is strictly prohibited.

Cyber Liability Food for Thought

Moderator:
Michael D. Horvath
Senior Vice President, Risk Management of Simon Property Group
Chairman of the RIMS Real Estate Committee

Presenters:
Mary T. Pipino, CPCU
CEO & President of Donald P. Pipino Company, LTD

Kenneth K. Dort Esq.
Partner, Intellectual Property Practice Group of Drinker Biddle & Reath LLP


Cyber Liability

“Food for Thought” for Proactive Planning in Anticipation of the Need for Reactive Execution


Q1: Why Do I Need Cyber Liability Coverage?


Cyber Liability Coverage

• Covers the compromising of confidential or personal information in your care, custody and control

• Coverage may be limited or excluded from other policies including Commercial General Liability, Employment Practices Liability, Crime, Directors and Officers

• The U.S. Securities and Exchange Commission requires all publicly-traded companies to report any hacking incidents

• Key to remember: if you are responsible for the breach, you must follow the remediation laws set forth by each state in which an affected consumer resides.

• National legislation is pending for the regulation of reporting data breaches

• International laws are vastly different from those for the US.

A1


State Notification Statutes

• 47 of 50 states have adopted some form of security and data breach notification laws – most are similar with slight variation
  • Kentucky – new member to the club (last month!)
  • Still Not Alabama, New Mexico, South Dakota

• All require prompt notification, and some establish penalties and rights of action.

• Statutes typically define “data breach,” the types of protected information, and some set thresholds for the notice requirement, i.e., a reasonable basis to believe the breach will result in harm.

A1


Breach Causes
• Malicious/Criminal Attacks – 41 Percent
• Employee Mistake/Negligence – 33 Percent
• System Glitches – 26 Percent

Costs By Cause
• Malicious/Criminal Attacks – $277 Per Record
• Employee Mistake/Negligence – $159 Per Record
• System Glitches – $177 Per Record

Ponemon Institute – 2013 Study

A1


U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach

Financial Industry: Financial Services Modernization Act, a/k/a the Gramm-Leach-Bliley Act (GLBA)

Applies to financial institutions

Imposes security controls

Requires notification

A1


U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach

• Sarbanes-Oxley Act (“SarBox”)
  • Applies to U.S. publicly traded companies
  • Section 302
    • Imposes “internal procedures” to ensure accurate financial disclosures
    • Signing officers must certify effectiveness of control procedures and that they have been evaluated within 90 days prior to report
    • External auditors must issue opinion as to whether effective control procedures have been implemented
  • Penalties
    • Civil – same as violations of SEC Act
    • Criminal – up to $1M in fines/10 years in prison

A1


U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach

• Sarbanes-Oxley Act
  • Section 404 -- Applies to U.S. publicly traded companies
    • Requires generation of an “internal control report” as part of each report filed with SEC
    • Report must contain assessment of control procedures as of most recent fiscal year
    • Wide discretion to management
    • Management must be knowledgeable about the design and operating effectiveness of the IT control procedures, understand data flows so as to understand points of risk, perform fraud risk assessments, scale any assessments based on the size and complexity of the company

A1


U.S. Privacy Laws
Federal Statutes: A “Sectoral” Approach

• Sarbanes-Oxley Act
  • Ramifications as to data security??
  • Questions as to System Security
    • Undermine certifications of officers
    • Undermine reliability of financial reports
  • Same Issues – Private Companies
    • Questionable Data Security Systems Undermine Reliability of Financial Reports
    • “Garbage-In-Garbage-Out”
    • Same Results w/o Federal Overtones

A1


Federal Regulatory Agencies

• Federal Trade Commission (FTC)
  • In re TJX Cos., Inc., FTC File No. 072-3055 (requiring TJX to implement a comprehensive security program to protect personally identifiable information)

• Consumer Financial Protection Bureau (CFPB)

• Federal Communications Commission (FCC)

• Department of Health and Human Services (HHS)

A1


Non-Governmental Regulatory Action

• Financial Industry Regulatory Authority (FINRA)

• Payment Card Industry Council
  • Designed to establish common security guidelines
  • PCI-DSS

A1


Q2: What are the Initial Steps to Determining Your Organization’s Vulnerability to Cyber Related Losses?


Evaluation of Risk

• Theft of Data from a Lost or Stolen Device:
  • Laptops
  • Smart Phones
  • Portable Data Drives & USB Storage Devices

• Disposal of Data
  • Shred
  • Torn
  • Placed in Trash Receptacle

A2


Evaluation of Risk

• Social Media
  • The WOW!

• Information or Comments Posted by Employees in Their Personal Social Media Communications:
  • Facebook
  • Twitter
  • LinkedIn

A2


Evaluation of Risk

• Consumer Data
  • Names, Addresses
  • Credit Card Information
  • Financial History
  • Health Information

• Human Resource Records
  • Compensation
  • Social Security Numbers
  • Health Records

• Financial Data
  • Sales Figures
  • Purchasing Costs
  • Inventory Levels
  • Related Data Tracked Into Financial Reports

A2


Q3: What Makes Companies Most Vulnerable to Cyber Threats?


Sources of Cyber Threats

• Third Party Vendor Transactions:
  • Credit/Debit Card Transactions

• On-line payment processing including PayPal and Bank Card Services.

• WiFi Hotspots which are Data Transmission

• “Hacking” both domestic and foreign

• Consequential damages from a tenant’s breach such as loss of revenue/income
  • Retail Tenant
  • Medical Tenant

A3


Q4: What Management Disciplines Should be Active in Determining the Potential Scope of Your Company’s Cyber Exposures?


Evaluating the Risks for Your Firm is an Interdisciplinary Process that Should Involve Many Departments Including:
• Risk Management
• Legal
• Information Technology
• Security
• Human Resources
• Finance
• Audit
• Marketing, Sales and Social Media

A4


Key Points

• Pre Loss Safety and Loss Control Plan
• Pre-Loss Crisis Management Plan
• Contractual Language in Legal Agreements Addressing Responsibility for Compliant Procedures to Prevent a Breach and Who is Responsible Should a Breach Occur

A4


Contingency Plans

• Foregoing Efforts Should Be Laid Out In Contingency Plans
  • Identify Types of Data That Could Be Targeted
  • Identify Each Permutation of Company Personnel To Involve
  • Lay Out Team Roles
  • Identify Third Parties For Contact

• Possible Legal Responses
  • Anticipate Relevant Jurisdictions
  • Identify Contact Points

A4


Q5: Can You Review Recent Cyber Attacks on Business and Lessons Learned?


• 2012
  • Macro Cost of Breach – $5.4 million
  • Per Record Cost of Breach – $188 ($128 For Indirect Costs Such As Customer Churn)

• 2011
  • Macro Cost of Breach – $5.5 million
  • Per Record Cost of Breach – $194 ($135 For Indirect Costs Such As Customer Churn)

• 2010
  • Macro Cost of Breach – $7.24 million
  • Per Record Cost of Breach – $214

Ponemon Institute – 2013 Study

A5


Fallout From Data Breaches

A5


Class Actions

Reilly v. Ceridian Corp., 66 F.3d 38 (3d Cir. 2011) (plaintiffs sued on behalf of “customers whose sensitive information was stored on the stolen laptops and a subclass of individuals whose identities have been stolen since the laptop theft”)

Zurich Amer. Ins. Co. v. Sony Corp. of Amer., et al., Index No. 651982/2011, Supreme Court of New York, New York County (Over 65 class actions filed nationwide implicating over 70 million subscribers)

A5


Q6: Cyber Liability Coverage:
• Who’s Buying?
• What Limits are They Buying?
• How is the Product Priced?


Buying Cyber Liability Insurance

• Every business has a need

• Increased claim activity and rapid advancements in technological communications are rapidly increasing the purchase of cyber liability insurance

A6


Cyber-Liability Insurance

• Products Becoming More Comprehensive
  • Know Your Needs
  • Address Both Short- and Long-Term Costs
  • Make Sure Outsourcing Processors Are Covered

• Review Insurer Tool Kits
  • Do They Provide Access to Necessary Responsive Expertise?
  • Do They Provide Pro-Active Input To Minimize Risks?

• Coverage Amounts
  • Responsive Costs
  • Overall Damage $$$ and Legal Fee -- Class Actions

A6


Exposure/Costs

• Immediate Response Actions
  • Forensic Investigations
  • Identify Breach Cause
  • Address Breach Gap – Fill the Hole ASAP
  • Public Relations Efforts – Control the Message and Stay Ahead of the Curve
  • Contact Law Enforcement Authorities

• Legal Responses
  • Identify Notification Obligations
  • Affected Persons
  • Legal Authorities
  • Credit Monitoring
  • Reporting – Law Enforcement, Regulatory

A6


Cyber Liability Limits to Buy

Review various deductibles, limits and premiums for your particular risk and evaluate the cost benefit for your risk profile.

Robust market with a strong market capacity

Increase in loss activity will create ongoing changes in the marketplace.

• Adjustments will occur due to loss activity

• The marketplace will evolve and adapt to the loss

• Keep abreast of the market in your particular industry

A6


Key Factors When Pricing Cyber Liability

• Well Organized Submission

• A Well Thought Out and Communicated Crisis Management Plan

• Claims Experience for the Specific Industry

• Pre-Loss Control Services

A6


Q7: What Advantage Does a Cyber Liability Policy Provide Beyond Risk Transfer?


Advantages of Cyber Liability Beyond Risk Transfer

• Loss Prevention Services
  • Training
  • Compliance
  • IT Security Assessment

• Responding to a Breach
  • Legal
  • Forensic
  • Notification
  • Crisis Communication
  • Experienced Claims Personnel

A7


Data Security Policies

• Identify Key Data and Protect It
  • Internal Operations
  • Outsourced Processing

• Segregate Systems on “Need To Know” Basis
  • Customer Data
  • HR Data
  • Business Financial Data

• Address Usage of Various Hardware
  • PCs/Laptops
  • Smart Phones/Tablets/Flash Drives

• Remote Wiping
• Encryption of Data
  • Storage
  • Transit

A7


Costs – Immediate/Near-Term

• Internal IT Evaluations
• Reviews of Third-Party Processors

• External Forensic Reviews
• System “Fix” Resolution
• Industry Regulation – PCI-DSS
• Audits

• Law Enforcement Notifications
• Affected Person Notifications
• Credit Monitoring Services

A7


Costs – Long-Term

• Legal Fees – Third Party Actions
• Expert Reviews/Evaluations – Third Party Actions
• Damages
  • Identity Theft (Customers)
  • Fraudulent Credit Card Charges (Customers)
  • Credit Card Changes (Banks)

• Settlement Costs/Payments
• Penalties/Fines
  • Industry Standards – Card Brands, PCI-DSS
  • Legal Authorities – SEC, HHS, FTC, State AGs

A7


Q8: What are the Initial Steps Companies Should Take When They Confirm a Breach?


Initial Steps a Company Should Take When They Discover a Breach

• Implement Predesigned Crisis Management Plan
• Engage Cyber Experts to Work with You on:
  • Investigating
  • Remediation
  • Notifications
  • Public Relations
  • Response to Inquiries

*Cyber Liability Coverage often includes access to cyber experts in these respective areas.

A8


Q9: What Litigation has Surfaced from Breaches and What is the Plaintiff’s Theory of Negligence?


Civil Exposure -- Data Breaches

Civil Lawsuits

• State Attorneys General

• Lawsuits by consumers, businesses, banks, or other private entities affected by breach

A9


Civil Action Considerations

Civil Lawsuits
• Standing
  • “The complainant must allege an injury to himself that is ‘distinct and palpable,’ as distinguished from merely ‘abstract,’ and the alleged harm must be actual or imminent, not ‘conjectural’ or ‘hypothetical.’”
    Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) cert. denied, 132 S. Ct. 2395, 182 L. Ed. 2d 1021 (U.S. 2012)

A9


Civil Action Considerations

Civil Lawsuits
• Standing
  • Cases continue to be dismissed for lack of standing.

No Standing

• Reilly v. Ceridian Corp., 664 F.3d 38, 41 (3d Cir. 2011) cert. denied, 132 S. Ct. 2395, 182 L. Ed. 2d 1021 (2012)
• Key v. DSW, Inc., 454 F. Supp. 2d 684, 688 (S.D. Ohio 2006)
• Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1053 (E.D. Mo. 2009)
• Hammond v. The Bank of New York Mellon Corp., 08 CIV. 6060 RMB RLE, 2010 WL 2643307 (S.D.N.Y. June 25, 2010)
• Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 8 (D.D.C. 2007)
• Worix v. MedAssets, Inc., 857 F. Supp. 2d 699, 705 reconsideration denied, 869 F. Supp. 2d 893 (N.D. Ill. 2012)

A9


Civil Action Considerations

Civil Lawsuits
• Standing
  • However, trend among appellate courts towards finding standing, particularly where stolen data is actually misused or hackers were sophisticated, indicating increased risk of harm.

Standing

• Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012)
• Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010)
• Ruiz v. Gap, Inc., 380 F. App'x 689, 691 (9th Cir. 2010)
• Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007)
• Lambert v. Hartman, 517 F.3d 433, 438 (6th Cir. 2008)

A9


Civil Action Considerations

Civil Lawsuits
• Causes of Action

• Significant issue regarding whether there is cognizable injury, risk of harm, or reasonably foreseeable damage

Causes of Action

• Negligence

• Breach of Contract

• Unjust Enrichment

• Negligent Misrepresentation

• Statutory

A9


Civil Action – Legal Theories

Civil Lawsuits
• Requirements:
  (1) the existence of a duty to exercise due care, (2) breach of that duty, (3) causation, and (4) damages. Ruiz v. Gap, Inc., 380 F. App'x 689, 691 (9th Cir. 2010)

• Economic Loss Doctrine
  “Massachusetts, which is not alone, holds that purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage.” In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489, 498 (1st Cir. 2009); see also Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 175 (3d Cir. 2008)


A9


Civil Action – Legal Theories

Civil Lawsuits
• Causation
  • Did the defendant’s alleged harm cause plaintiff’s alleged damages?
  • Did the failure to secure information cause the loss/identity theft?
  • Allegation: “Plausible”, not “merely possible.” Resnick v. AvMed.
  • Nexus between the breach and the loss/identity theft – beyond time and sequence. (Resnick: sensitive info on stolen laptops was same info used to steal plaintiff’s identity.)


A9


Civil Action – Legal Theories

Civil Lawsuits
• Hypothetical Damages
  Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 639 (7th Cir. 2007) - “Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.”

• “Real” Damages
  Anderson v. Hannaford Bros. Co., 659 F.3d 151, 164, 167 (1st Cir. 2011) – “The data was used to run up thousands of improper charges across the globe to the customers' accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse . . . Plaintiffs’ claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse.”


A9


Civil Action – Legal Theories

Civil Lawsuits
• Requirements
  Requires (1) a contract between the plaintiff and the defendant; (2) rights of the plaintiff and obligations of the defendant under the contract; (3) breach of the contract by the defendant; and (4) damages suffered by the plaintiff. Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1055 (E.D. Mo. 2009)

• Implied Contract
  “[A] jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people's purchases, would not sell the data to others, and would take reasonable measures to protect the information.” Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011)


A9


Civil Action – Legal Theories

Civil Lawsuits
• Requirements
  1) the plaintiff conferred a benefit on the defendant; 2) the defendant has knowledge of the benefit; 3) the defendant accepted or retained the benefit conferred; and 4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it. Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012)

• Unjust Enrichment Permitted
  Plaintiffs claimed that their premium payments were partially in exchange for keeping their information secure, and that defendant should not be permitted to retain the money because it failed to protect plaintiffs’ information. The Eleventh Circuit permitted the claim to proceed. Resnick, at 1328


A9


Civil Action – Legal Theories

Civil Lawsuits
• Requirements
  “One who . . . in any [] transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.” In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489, 494 (1st Cir. 2009)

• Misrepresentation Claim (Barely) Permitted:
  Plaintiffs alleged that doing business as a credit card company misrepresented that the defendant complied with security requirements; the court was skeptical, but ultimately found that claim “survives, but on life support.” In re TJX, at 495


A9


Civil Action – Legal Theories
Where are the Courts going…?

• Resnick v. AvMed (Feb. 2014)
  • Negligence, Breach of Contract & Unjust Enrichment claims survive MTD.
  • Court approved $3 million dollar settlement.
  • Settlement Terms:
    o Individuals on laptops, but no identity theft = $10 for each year paid for coverage (max $30). Intended to compensate for premiums paid relating to security.
    o Actual losses from ID theft “more likely than not” stemming from breach – deferred resolution to mediator.
    o Internal policy/training requirements.
    o Attorneys’ Fees


A9


Civil Action – Legal Theories

Civil Lawsuits

• Any number of state or federal statutes may be applicable in every case.
  • FTC Act
  • SEC
  • HIPAA
  • Gramm-Leach-Bliley
  • State Unfair Trade Practice Acts


A9


Take-Aways

• Legal Landscape Is Much More Precarious
• Obligations Are More Pervasive and Rigid
• Legal Authorities Are More Strict and Demanding
• Business Associations Are More Strict
• Courts Are Becoming More Accepting of Plaintiffs’ Claims/Theories
• No Difference Between Internal Systems and Outsourced Processing As To Liability
• Exposures Are Increasing


Q&A

Moderator:
Michael D. Horvath
Senior Vice President, Risk Management, Simon Property Group
Chairman of the RIMS Real Estate Committee

Presenters:
Mary T. Pipino CPCU, CEO & President of Donald P. Pipino [email protected]
(330) 629-2992

Kenneth K. Dort Esq., Partner Intellectual Property Practice Group, Drinker Biddle & Reath [email protected]
(312) 569-1458