© Copyright 2013 by K&L Gates LLP. All rights reserved. What Your Company Needs to Know about Cybersecurity June 6, 2013


Page 1

What Your Company Needs to Know about Cybersecurity

June 6, 2013

Page 2

klgates.com

Introductions

Bruce J. Heiman, Information Technology Policy Partner

David A. Bateman, Internet & Technology Law Partner

Roberta D. Anderson, Insurance Coverage Partner

Page 3

I. Managing Attacks on Company Information, Technology, Data and Infrastructure

Page 5

The Spectrum of Cyber Attacks

• Advanced Persistent Threats ("APT")
• Data breach and malware
• Distributed Denial of Service attacks ("DDoS")
• Domain name hijacking
• Corporate impersonation and phishing
• Employee mobility and disgruntled employees
• Lost or stolen laptops and mobile devices
• Inadequate security and systems: first party and third-party vendors

Page 6

Advanced Persistent Threats

• Targeted, persistent, evasive and advanced
• Nation-state sponsored, e.g. P.L.A. Unit 61398 ("Comment Crew", the group Mandiant designates APT1)

Page 7

Advanced Persistent Threats

• Gen. Keith B. Alexander, commander of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the "greatest transfer of wealth in history."

Source: New York Times, June 1, 2013.

Page 8

Advanced Persistent Threats

• Penetration: spear phishing
  • 67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack.*
• Duration: average = 356 days**
• Discovery: external alerts
  • 55 percent are not even aware of intrusions*

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html

**Source: Mandiant, "APT1: Exposing One of China's Cyber Espionage Units"

Page 9

Advanced Persistent Threats

• Target profiles
  • Industry:
    o Information Technology
    o Aerospace
    o Telecom/Satellite
    o Energy
    o Engineering/Research/Defense
    o Chemical/Pharma
  • Activities:
    o Announcements of China deals
    o China presence


Page 11

The Practical Risks of Cyber Attacks

• Loss of "crown jewels," IP and trade secrets
• Compromise of customer information, credit cards and other PII
• Loss of web presence and online business
• Interception of email and data communications
• Loss of customer funds and reimbursement of charges
• Supply chain disruption and outright theft
• Brand tarnishment
• Collateral damage
• Legal and regulatory complications

Page 12

II. Understanding Legal and Regulatory Risk

Page 13

II. LEGAL & REGULATORY RISKS

Bad News

• No system of prevention is perfect.
• There will be a data breach.

Good News

• The law doesn't require perfection!
• Reasonable prevention measures
• Compliance with specified procedures to mitigate harm

Page 14

III. Government Regulations and Legislation

Page 15

III. APPLICABLE LEGISLATION & REGULATION

We will cover

• FTC Act
• States' data breach laws
• GLBA
• HIPAA
• NIST standards
• Possible critical infrastructure ("CI") standards

Page 16

Federal: FTC Enforcement & General Standard for Protecting Personal Information

• Enforcement of company commitments
• Reasonable administrative, technical and physical safeguards appropriate for the ...
  • Size and complexity of company
  • Nature and scope of activities
  • Sensitivity of personal information

Page 17

What is Personally Identifiable Information Needing Protection?

• Name
• Address
• DOB
• Email
• Telephone number
• SSN
• Bank account, credit card numbers
• Processor serial number

Page 18

What Are Reasonable Measures?

FTC has focused on process in numerous consent decrees

• Designate responsible employee
• Identify reasonably foreseeable risks
  • Employee training
  • Information systems
  • Prevention, detection, response
• Safeguards: design & implement, test & monitor
• Selection & retention of service providers
• Evaluate and adjust
• Independent assessments

Page 19

Additional Guidance from HIPAA (Security Rule safeguards)

Administrative
• Security management
• Security personnel
• Workforce training
• Rule-based access to info
• Evaluation

Physical
• Facility access & control
• Workstation/device security

Technical
• Access
• Audit
• Integrity
• Transmission

Page 20

States: General Standard for Preventing Data Breaches

• Data breach statutes focus on responding to breaches impacting residents of that state
• But almost all include security requirements
• Mostly some version of reasonable security measures

Page 21

States: General Standard for Responding to Data Breaches

• What is a breach
• Duty to investigate
• What constitutes a reportable breach
• When do you have to report
• Who to notify
• How to notify
• What does the notice have to say

Page 22

Federal Requirements of a Breach

• GLBA and HIPAA have similar requirements to states
  • But recent HIPAA amendments adopt more stringent requirements than GLBA on ...
    o What is a breach
    o Reportable breach
    o When mass notice required
• Also, must consider possible violations of the export control and arms control laws

Page 23

Selling to the Government ... Compliance with NIST Standards

• Federal agencies must meet security standards
• De facto requirements for contractors
• Sets baseline security controls
• Requires adjustment and supplementing based on risk assessment
• Just completed 4th revision (NIST SP 800-53, Revision 4, April 2013) adopts holistic view, increases focus on privacy, and addresses new issues
  • mobile and cloud computing
  • insider threats
  • application security
  • supply chain risks
  • advanced persistent threat
  • trustworthiness, assurance, and resilience of information systems

Page 24

Possible Standards for Owners/Operators of "Critical Infrastructure"

• February 2013 Executive Order 13636
  • CI: incapacity or destruction would have debilitating impact
    o Not commercial IT products or consumer IT services
  • NIST leads the "Cybersecurity Framework"
  • Incorporate voluntary consensus standards and industry best practices
    o International
    o No tech mandates
• Legislative proposals
  • Arguably define CI more broadly
  • Adopt greater regulatory approach
    o Government (FTC/DHS) sets standards
  • Mandates rather than incentives

Page 25

IV. Litigation Risks and Case Developments

Page 26

IV. Litigation Risks and Case Developments

• Class action exposure: data breach and privacy claims
  • In re LinkedIn User Privacy Litigation (N.D. Cal. 2013) ("abstract" harm leads to dismissal)
  • Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) ("credible threat of real and immediate harm")
  • Grigsby v. Valve Corp. (W.D. Wash. 2013) (promises of security overvalued services)
• Class action exposure: securities litigation
  • In re Heartland Payment Systems, Inc. (D.N.J. 2009) (80% stock drop leads to derivative suit)
• Agency enforcement
  • FTC v. Wyndham Hotels (D. Ariz. 2012) (2-year Russian hacking)
  • FTC v. RockYou, Inc. (N.D. Cal. 2012) (hackers access PII of 32 million users)
  • Mass. v. South Shore Hospital (AG enforcement; $750k settlement)
  • Indiana v. Wellpoint, Inc. (AG enforcement; $100k settlement)

Page 27

V. SEC Disclosure of Cybersecurity Risks

Page 28

V. SEC Disclosure of Cybersecurity Risks

• SEC Division of Corporation Finance issued guidance on cybersecurity disclosures (CF Disclosure Guidance: Topic No. 2, October 2011).
• The guidance in essence states that appropriate disclosures may include four things:
  • material cybersecurity risks, both internal risks and risks from outsourced functions
  • cyber incidents which, individually or in the aggregate, pose material risk or cost
  • risks of material cyber incidents that may remain undetected for an extended period
  • a "[d]escription of relevant insurance coverage" for cyber risks

Page 29

VI. Insurance Coverage for Cyber Risks

Page 30

VI. Insurance Coverage for Cyber Risks

• Potential coverage under "traditional" third-party CGL policies
  • Potential coverage for claims alleging damage to, or loss of use of, third-party data, computers or computer systems ("Coverage A")
  • Potential coverage for data breach and other claims alleging violation of a right to privacy ("Coverage A" and "Coverage B")
  • Potential coverage for misappropriation and infringement claims

Page 31

VI. Insurance Coverage for Cyber Risks

• Coverage A

SECTION I – COVERAGES
COVERAGE A – BODILY INJURY AND PROPERTY DAMAGE LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
*****
15. "Property damage" means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the "occurrence" that caused it.

Page 32

VI. Insurance Coverage for Cyber Risks

• ISSUE: Is data "tangible property" that can suffer "physical injury"?
  • Some courts have found coverage
    o Retail Systems, Inc. v. CNA Ins. Co., 469 N.W.2d 735, 737 (Minn. Ct. App. 1991) ("data on the tape was of permanent value and was integrated completely with the physical property of the tape ... the computer tape and data are tangible property")
    o Computer Corner, Inc. v. Fireman's Fund Ins. Co., No. CV97-10380, slip op. at 3-4 (2d Dist. Ct. N.M. May 24, 2000) ("computer data is tangible property")

Page 33

VI. Insurance Coverage for Cyber Risks

• ISSUE: Is data "tangible property" that can suffer "physical injury"?
  • Some courts have rejected coverage
    o America Online Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 467, 468-69 (E.D. Va. 2002) ("the Policy does not cover damage to computer data, software and systems because such items are not tangible property")
    o State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1116 (W.D. Okla. 2001) ("Alone, computer data cannot be touched, held, or sensed by the human mind; it has no physical substance. It is not tangible property.")

Page 34

VI. Insurance Coverage for Cyber Risks

• Potential additional hurdles to coverage
  • "Property damage" definition (ISO 2001 and later forms)
  • "Electronic Data" exclusion (ISO 2004 and later forms)

Page 35

VI. Insurance Coverage for Cyber Risks

• "Property damage" definition

17. "Property damage" means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the "occurrence" that caused it.
For the purposes of this insurance, electronic data is not tangible property.
As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Page 36

VI. Insurance Coverage for Cyber Risks

• "Electronic Data" exclusion

2. Exclusions
This insurance does not apply to:
*****
p. Electronic Data
Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
However, this exclusion does not apply to liability for damages because of "bodily injury".
As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Page 37

VI. Insurance Coverage for Cyber Risks

• Potential avenues to coverage
  • Coverage may be added through endorsement
    o ISO "Electronic Data Liability Endorsement" adds "electronic data" back to the definition of "property damage"
  • Coverage may have been purchased through the ISO "Electronic Data Liability Coverage Form"
  • ISO pre-2001 forms do not except "electronic data" from the definition of "property damage" and do not exclude "electronic data"
  • Even recently issued policies may not contain such exceptions or exclusions
    o Zurich American Ins. Co., et al. v. Sony Corp. of America, et al., No. 651982/2011 (N.Y. Sup. Ct. New York Cty.)

Page 38

VI. Insurance Coverage for Cyber Risks

• Even when the policy contains an exclusion, there may be coverage if a suit alleges damage to or loss of use of a computer or computer systems
  • Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)
    o The underlying suit alleged injury to the plaintiff's "computer, software, and data after he visited [the insured's] website." The definition of "tangible property" excluded "any software, data or other information that is in electronic form"
    o The court held that the insurer was obligated to defend the insured because the complaint alleged "loss of use of tangible property that is not physically injured" under the second prong of the "property damage" definition

Page 39

VI. Insurance Coverage for Cyber Risks

• Potential coverage for data breach and other claims alleging violation of a right to privacy
  • ISO "Coverage A"
  • ISO "Coverage B"

Page 40

VI. Insurance Coverage for Cyber Risks

• ISO "Coverage A"

SECTION I – COVERAGES
COVERAGE A – BODILY INJURY AND PROPERTY DAMAGE LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
*****
3. "Bodily injury" means bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.

Page 41

VI. Insurance Coverage for Cyber Risks

• "Electronic Data" exclusion (exclusion p., quoted in full on Page 36)

Page 42

VI. Insurance Coverage for Cyber Risks

• ISO "Coverage B"

COVERAGE B – PERSONAL AND ADVERTISING INJURY LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "personal and advertising injury" to which this insurance applies.
*****
14. "Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:
*****
e. Oral or written publication, in any manner, of material that violates a person's right of privacy;

Page 43

VI. Insurance Coverage for Cyber Risks

• ISSUE: Has there been a "publication" that violates a "right of privacy"?
  • Some courts have found coverage
    o Park Univ. Enters., Inc. v. American Cas. Co. of Reading, PA, 442 F.3d 1239, 1250 (10th Cir. 2006) (Kansas law) ("the [district] court correctly determined that in layman's terms, '[t]he plain and ordinary meaning of privacy includes the right to be left alone.' ... We likewise agree with the district court's broad construction of the term 'publication' in favor of [the insured]")
    o Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460, at *5 (D. Md. 2007) (Maryland law) ("Of the circuits to examine 'publication' in the context of an 'advertising injury' provision, the majority have found that the publication need not be to a third party.")

Page 44

VI. Insurance Coverage for Cyber Risks

• ISSUE: Has there been a "publication" that violates a "right of privacy"?
  • Some courts have rejected coverage
    o Resource Bankshares Corp. v. St. Paul Mercury Ins. Co., 407 F.3d 631, 642 (4th Cir. 2005) (Virginia law) ("[T]he TCPA's unsolicited fax prohibition protects 'seclusion' privacy, for which content is irrelevant. Unfortunately for [the insured], it did not buy insurance policies for seclusion damages; instead, it insured against, among other things, damages arising from violations of content-based privacy.")
    o Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 2012 WL 469988, at *6 (Conn. Super. Ct. Jan. 17, 2012) (no coverage for loss of employee information because "there [wa]s no evidence of communication to a third party")

Page 45

VI. Insurance Coverage for Cyber Risks

• Potential hurdles to coverage
  • Exclusions relating to internet activities and breach of privacy-related laws
    o "Insureds In Media And Internet Type Businesses"
    o "Electronic Chatrooms Or Bulletin Boards"
    o "Recording And Distribution Of Material Or Information In Violation Of Law"
  • New 2013 ISO "Amendment Of Personal And Advertising Injury Definition" endorsement

Page 46

VI. Insurance Coverage for Cyber Risks

• "Insureds In Media And Internet Type Businesses"

2. Exclusions
This insurance does not apply to:
*****
j. Insureds In Media And Internet Type Businesses
"Personal and advertising injury" committed by an insured whose business is:
(1) Advertising, broadcasting, publishing or telecasting;
(2) Designing or determining content of web sites for others; or
(3) An Internet search, access, content or service provider.
However, this exclusion does not apply to Paragraphs 14.a., b. and c. of "personal and advertising injury" under the Definitions section.
For the purposes of this exclusion, the placing of frames, borders or links, or advertising, for you or others anywhere on the Internet, is not by itself, considered the business of advertising, broadcasting, publishing or telecasting.

Page 47

VI. Insurance Coverage for Cyber Risks

• "Electronic Chatrooms Or Bulletin Boards"

2. Exclusions
This insurance does not apply to:
*****
k. Electronic Chatrooms Or Bulletin Boards
"Personal and advertising injury" arising out of an electronic chatroom or bulletin board the insured hosts, owns, or over which the insured exercises control.

Page 48

VI. Insurance Coverage for Cyber Risks

• "Recording And Distribution Of Material Or Information In Violation Of Law"

2. Exclusions
This insurance does not apply to:
*****
"Personal and advertising injury" arising directly or indirectly out of any action or omission that violates or is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
(3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
(4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.

Page 49

VI. Insurance Coverage for Cyber Risks

• "Amendment Of Personal And Advertising Injury Definition"

This endorsement modifies insurance provided under the following:
COMMERCIAL GENERAL LIABILITY COVERAGE PART
With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. ["Oral or written publication, in any manner, of material that violates a person's right of privacy"] of the Definitions section does not apply.

Page 50

VI. Insurance Coverage for Cyber Risks

• Potential coverage for misappropriation and infringement claims
  • ISO "Coverage B"

Page 51

VI. Insurance Coverage for Cyber Risks

• ISO "Coverage B"

COVERAGE B – PERSONAL AND ADVERTISING INJURY LIABILITY
1. Insuring Agreement
a. We will pay those sums that the insured becomes legally obligated to pay as damages because of "personal and advertising injury" to which this insurance applies.
*****
14. "Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:
*****
f. The use of another's advertising idea in your "advertisement"; or
g. Infringing upon another's copyright, trade dress or slogan in your "advertisement".

Page 52

VI. Insurance Coverage for Cyber Risks

• "Advertisement" (1998 and subsequent ISO forms)

SECTION V – DEFINITIONS
1. "Advertisement" means a notice that is broadcast or published to the general public or specific market segments about your goods, products or services for the purpose of attracting customers or supporters. For the purposes of this definition:
a. Notices that are published include material placed on the Internet or on similar electronic means of communication; and
b. Regarding web sites, only that part of a web site that is about your goods, products or services for the purposes of attracting customers or supporters is considered an advertisement.

V. Insurance Coverage For Cyber Risks

• “Advertisement” (1996 and prior ISO forms)

SECTION V – DEFINITIONS

1. "Advertising injury" means injury arising out of one or more of the following offenses:

a. Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;

b. Oral or written publication of material that violates a person's right of privacy;

c. Misappropriation of advertising ideas or style of doing business; or

d. Infringement of copyright, title or slogan.

V. Insurance Coverage For Cyber Risks

• ISSUE: Has there been an “advertisement”?

  • May turn on the relevant definition

  • Oglio Entm't Group, Inc. v. Hartford Cas. Ins. Co., 132 Cal.Rptr.3d 754, 763 (Cal. Ct. App. 2011) (“There is no description of any advertisement used by [the insured] … This is especially clear, given that the policy defines advertisement as the widespread dissemination of information or images with the purpose of selling a product[.]”) (1998 and prior language)

  • Sentex Systems, Inc. v. Hartford Acc. & Indem. Co., 93 F.3d 578 (9th Cir. 1998) (“Hartford's principal contention is that the district court erred … because ‘advertising injury,’ defined in part in the policy as arising out of the ‘misappropriation of advertising ideas,’ includes only alleged wrongdoing that involves the text, words, or form of an advertisement. This policy's language … does not limit itself to the misappropriation of an actual advertising text. It is concerned with ‘ideas,’ a broader term.”)

V. Insurance Coverage For Cyber Risks

• Potential hurdles to coverage

  • Same “Coverage B” exclusions discussed in the previous section

  • Additional exclusions

    • “Knowing Violation Of Rights Of Another”

    • “Unauthorized Use Of Another's Name Or Product”

V. Insurance Coverage For Cyber Risks

• “Knowing Violation Of Rights Of Another”

2. Exclusions

This insurance does not apply to:

*****

a. Knowing Violation Of Rights Of Another

"Personal and advertising injury" caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict "personal and advertising injury".

V. Insurance Coverage For Cyber Risks

• “Insureds In Media And Internet Type Businesses”

2. Exclusions

This insurance does not apply to:

*****

l. Unauthorized Use Of Another's Name Or Product

"Personal and advertising injury" arising out of the unauthorized use of another's name or product in your e-mail address, domain name or metatag, or any other similar tactics to mislead another's potential customers.

V. Insurance Coverage For Cyber Risks

• Potential coverage under “traditional” first-party property policies

  • Potential coverage for loss of data, computers or computer systems

  • Potential coverage for “time element” losses

    • Business interruption

    • Extra expense

V. Insurance Coverage For Cyber Risks

• Potential coverage for loss of data, computers or computer systems

  • The 2007 standard-form ISO commercial property policy covers “direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.”

  • Such policies may be in the form of broadly worded “all risk,” “difference in conditions,” “multiperil” or “inland marine” policies.

V. Insurance Coverage For Cyber Risks

• Potential coverage for “time element” losses

  • “Business Interruption” coverage generally reimburses the insured for its loss of earnings or revenue resulting from covered property damage.

  • ISO’s “Business Income (and Extra Expense) Coverage Form” covers the loss of net profit and operating expenses that the insured “sustain[s] due to the necessary ‘suspension’ of [the insured’s] ‘operations’ during the ‘period of restoration.’”

  • “Extra Expense” coverage generally covers the insured for certain extra expenses incurred to minimize or avoid business interruption and to resume normal operations.

  • ISO’s form covers “Extra Expense” to “[a]void or minimize the ‘suspension’ of business and to continue operations at the described premises or at replacement premises or temporary locations….”

V. Insurance Coverage For Cyber Risks

• ISSUE: is there “direct physical loss of or damage”?

  • See cases above

• A couple other examples

  • NMS Services Inc. v. Hartford, 62 Fed.Appx. 511, 514 (4th Cir. 2003) (upholding coverage for business interruption and extra expense, finding “no question that [the insured] suffered damage to its property.”)

  • Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W.3d 16, 23, 25 (Tex. App. Ct. 2003) (finding that “the personal property losses alleged by Lambrecht were ‘physical’ as a matter of law” and holding that “the business income [the insured] lost as a result of the virus [wa]s covered under the policy.”)

V. Insurance Coverage For Cyber Risks

• Potential limitations to coverage

  • Some standard forms seek to shift data loss from the principal coverage grant by excluding electronic data from the definition of “Covered Property” and instead providing coverage under “additional coverage” that may be subject to relatively low—presumptively inadequate—coverage sublimits

  • 2007 ISO Commercial Property Form excepts “electronic data” from the definition of “Covered Property” and provides coverage under an “Additional Coverage” that is limited to “$2,500 for all loss or damage sustained in any one policy year….”

  • 2007 ISO standard-form Business Income (and Extra Expense) Coverage Form excludes coverage for electronic data under the main coverage part and provides coverage under an “Additional Coverage” subject to a $2,500 limit for “all loss sustained and expense incurred in any one policy year….”

V. Insurance Coverage For Cyber Risks

• Potential coverage under other “traditional” policies

  • Directors’ and Officers’ (D&O)

  • Errors and Omissions (E&O)

  • Employment practices liability (EPL)

    • Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010) (Network Technology E&O policy)

  • Professional liability

  • Fiduciary

  • Crime

    • Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (blanket crime policy)

V. Insurance Coverage For Cyber Risks

• New “Cyber” Policies

  • There will be gaps in “traditional programs”

  • Types of coverages offered by many insurers

    • Third-Party Coverages

      • Privacy And Network Security

      • Media Liability

      • Regulatory Liability

    • First-Party Cyber Coverage

      • Damage To Computer Systems

      • Business Interruption And Extra Expense

      • Remediation

      • Extortion

  • “Cyber” coverage can be extremely valuable

V. Insurance Coverage For Cyber Risks

• Types of claims and losses that may be covered:

  • In the event of a data breach

    • defense and indemnity costs associated with third-party claims against a company

    • response costs associated with post-breach remediation, including notification requirements, credit monitoring, call centers, public relations efforts, forensics and crisis management

    • regulatory investigations, fines and/or penalties

  • misappropriation of intellectual property or confidential business information

  • the receipt or transmission of malicious code, DoS attacks, and other security threats to networks

  • the cost to restore or recover data that is lost or damaged

  • business interruption

  • extortion from cyber attackers who have stolen data

V. Insurance Coverage For Cyber Risks

• New “Cyber” Policies

  • Come under names like “Privacy and Security,” “Network Security,” and names that incorporate “Cyber,” “Privacy,” “Media” or some form of “Technology” or “Digital”

  • As noted, they can be extremely valuable

  • But they are like snowflakes

  • This makes successful placement a real challenge

  • We will end with some tips for a successful placement

V. Insurance Coverage For Cyber Risks

• Privacy And Network Security

  • Typically covers against liability from data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats

I. INSURING AGREEMENTS.

(A) Data Privacy and Network Security Liability Insurance

We will pay Damages and Defense Costs on behalf of the Insured which the Insured shall become legally obligated to pay as a result of a Claim … alleging a Data Privacy Wrongful Act or a Network Security Wrongful Act by the Insured[.]

V. Insurance Coverage For Cyber Risks

• Data Privacy Wrongful Act

  • “Data Privacy Wrongful Act” is defined to include “any negligent act, error or omission by the Insured that results in: the improper dissemination of Nonpublic Personal Information” or “any breach or violation by the Insured of any Data Privacy Laws.”

  • “Nonpublic Personal Information” is defined as a natural person’s first name and last name in combination with a social security number, medical or healthcare information or data, or financial account information that would permit access to that individual’s financial account; or a natural person’s information that is designated as private by a Data Privacy Law.

  • “Data Privacy Laws” is defined to include “any Canadian or U.S., federal, state, provincial, territorial and local statutes and regulations governing the confidentiality, control and use of Nonpublic Personal Information including but not limited to” key laws.

V. Insurance Coverage For Cyber Risks

• Network Security Wrongful Act

  • “Network Security Wrongful Act” is defined to include “any negligent act, error or omission by the Insured resulting in Unauthorized Access or Unauthorized Use of the Organization’s Computer System, the consequences of which include, but are not limited to:

    (1) the failure to prevent Unauthorized Access to, use of, or tampering with a Third Party’s computer systems;

    (2) the inability of an authorized Third Party to gain access to the Insured’s services;

    (3) the failure to prevent denial or disruption of Internet service to an authorized Third Party;

    (4) the failure to prevent Identity Theft or credit/debit card fraud; or

    (5) the transmission of Malicious Code.”

V. Insurance Coverage For Cyber Risks

• Media Liability

  • Typically covers against liability from claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content

I. INSURING AGREEMENTS.

(B) e-Media Liability Insurance

We will pay Damages and Defense Costs on behalf of the Insured which the Insured shall become legally obligated to pay as a result of a Claim … alleging a e-Media Wrongful Act by the Insured[.]

V. Insurance Coverage For Cyber Risks

• “e-Media Wrongful Act”

  • “e-Media Wrongful Act” is defined to include “any negligent act, error or omission by the Insured that results in the following:

    (1) infringement of copyright, service mark, trademark, or misappropriation of ideas or any other intellectual property right, other than infringement of patents or trade secrets; defamation, libel, product disparagement, trade libel, false arrest, detention or imprisonment, or malicious prosecution, infringement or interference with rights of privacy or publicity; wrongful entry or eviction; invasion of the right of private occupancy; and/or plagiarism, misappropriation of ideas under implied contract Invasion or other tort related to disparagement or harm to the reputation or character of any person or organization in the Insured Entity’s Electronic Advertising or in the Insured Entity’s Advertising; or

    (2) misappropriation or misdirection of Internet based messages or media of third parties on the Internet by the Insured, including meta-tags, web site domains and names, and related cyber content.”

V. Insurance Coverage For Cyber Risks

• Regulatory Liability

  • Many “third-party” cyber risk policies include defense and indemnity coverage for claims for civil, administrative or regulatory proceedings, fines and penalties

V. Insurance Coverage For Cyber Risks

• Damage To Computer Systems

  • “First-party” cyber coverage may include damage to or theft of the insured’s own computer systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.

V. Insurance Coverage For Cyber Risks

• Business Interruption And Extra Expense

  • Coverage for business interruption and extra expense caused by malicious code (viruses, worms, Trojans, malware, spyware, etc.), DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.

V. Insurance Coverage For Cyber Risks

• Remediation

  • costs associated with post-data breach notification—notification required by regulation and voluntary notification

  • credit monitoring services

  • forensic investigation to determine the existence or cause of a breach

  • public relations efforts and other “crisis management” expenses

  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem

V. Insurance Coverage For Cyber Risks

• Extortion

  • Cyber policies often cover losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)

V. Insurance Coverage For Cyber Risks

• Beware The Fine Print

Where We Can Help

Our Cyber Law and Cybersecurity Approach

Prevent and deter attacks

• Provide advice on the security standards recognized by the USG and industry standard-setting organizations

• Assist in drafting security policies and procedures

• Training and employee education

• Prophylactic domain name registration

Aggressively pursue perpetrators

• Experienced cyber-forensic investigation team and lab

• Civil litigation to unmask perpetrators

• Collaboration with law enforcement

Respond to problems

• Advice on best practices and policies to establish to manage an identified attack

• Assistance in responding to an active attack (K&L Gates Rapid Response Team)

• Help in responding to a data breach after the fact

Our Cyber Law and Cybersecurity Approach

Avoid liability

• Review of company's cybersecurity policies and standards

  • Ensure physical, administrative and technical measures are reasonable

• Review of company’s data breach policies and procedures against applicable state, federal and international laws

• Review of contractual provisions

  • Partner, customer, employee

• Review of SEC reporting

• Advice on establishing best practices

• Assess litigation exposure

  • another company's proprietary or confidential information accessed

  • consumer class action

Mitigate risk and loss through insurance

• We counsel clients regarding insurance coverage for data security breach liability

• Traditional policies may respond to cyber liabilities, but there are limitations

• New “cyber” insurance products can be valuable as part of a company’s overall strategy to mitigate cyber risk

Questions