Cyber Liability Insurance Counseling and Breach Response

Page 1: Cyber Liability Insurance Counseling and Breach Response

@Lonestar_Lawyer @shawnetuma @TexasBarCLE #TBCLE Cyber Liability Insurance Counseling and Breach Response

Elizabeth Rogers, Greenberg Traurig, LLP

[email protected] / @Lonestar_Lawyer

Shawn Tuma, Scheef & Stone, LLP

[email protected]

@shawnetuma

Page 2: Cyber Liability Insurance Counseling and Breach Response

Breach! Immediate Priorities

• Leadership!

• Assess the situation

• Be a counselor

• Instill confidence

• Bring peace

• Facilitate rational thought & rational behavior

Page 3: Cyber Liability Insurance Counseling and Breach Response

Data Breach Foundations

Is the cyber event an incident or a breach?

▪ Event: any occurrence.

▪ Incident: an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of the system, data, policies, or practices.

▪ Breach: actual loss of control, compromise, unauthorized disclosure, acquisition or access of data.

▪ Ransomware? Encryption safe harbor?

Page 4: Cyber Liability Insurance Counseling and Breach Response

Data Breach Foundations

Is the cyber event caused by criminal or negligent actions?

▪ Hacker stealing IP from network.

▪ Employee misplaces unencrypted USB drive with PII.

▪ Focus on the action – why was it done?

▪ Report criminal events to law enforcement; negligent events usually are not reported.

Page 5: Cyber Liability Insurance Counseling and Breach Response

Data Breach Foundations

The difference between reporting, disclosing, notifying?

▪ Used interchangeably, not official – just used for clarity.

▪ Reporting: to report a crime to law enforcement.

▪ Disclosing: to disclose (notify) to a state or federal regulator of a data breach.

▪ Notification: to notify the data subjects of a data breach.

Page 6: Cyber Liability Insurance Counseling and Breach Response

Disclosure to Government Regulators

▪ Remember our fiction: reporting / notifying / disclosing

▪ What type of data was breached? (PII, PHI, Fin. Data, PCI)

▪ Which laws apply?

▪ Regulated industry? (HHS, SEC, FDIC, FINRA)

▪ e.g., Health → HHS: ≥ 500 individuals affected = report within 60 days; < 500 = annual report

▪ State jurisdictions?

Page 7: Cyber Liability Insurance Counseling and Breach Response

Data Breach Response

The difference between reporting, disclosing, notifying?

▪ Used interchangeably, not official – just used for clarity.

▪ Reporting: to report a crime to law enforcement. OPTIONAL, MAYBE.

▪ Disclosing: to disclose (notify) to a state or federal regulator of a data breach. NOT OPTIONAL.

▪ Notification: to notify the data subjects of a data breach. NOT OPTIONAL.

Page 8: Cyber Liability Insurance Counseling and Breach Response

Disclosure to Government Regulators

Breach Notification Laws

▪ No national breach notification law

▪ 47 states with laws, plus DC, PR, VI (not AL, NM, SD)

▪ The data subjects’ state of residence determines which law applies, plus the state where the business operates.

▪ Some consistency but some not (e.g., MA & CA)

▪ Review each time – constantly changing.

Page 9: Cyber Liability Insurance Counseling and Breach Response

Disclosure to Government Regulators

▪ Is it a triggering “breach” under each relevant state’s laws?

▪ Which states’ laws require disclosure to their AG?

▪ Most, under certain circumstances (not TX).

▪ Which require pre-notice of a breach notification?

▪ CA, CT, NH, NJ, NY, NC, PR, WA

▪ When must disclosures be made? (with notification within 30 days, 45 days, or a “reasonable” time, depending on the state)

▪ How must disclosure be made? (template / portal)

Page 10: Cyber Liability Insurance Counseling and Breach Response

Texas Breach Notification Law

Notification Required Following Breach of Security of Computerized Data, Tex. Bus. Comm. Code § 521.053

▪ “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” (See Appendix B)

Page 11: Cyber Liability Insurance Counseling and Breach Response

Texas Breach Notification Law

▪ Breach of System Security: “unauthorized acquisition ... compromises the security, confidentiality, or integrity of” SPI. Employee leaving with customer data?

▪ Applies to anyone doing business in Texas.

▪ Notify any individual whose SPI “was, or is reasonably believed to have been, acquired by an unauthorized person.”

▪ When: “as quickly as possible,” but allows for a law-enforcement-requested delay

▪ Penalty: $100 per individual per day for delayed time, not to exceed $250,000 for a single breach (AG / no civil remedy)

Page 12: Cyber Liability Insurance Counseling and Breach Response

Sensitive personal information (SPI) combinations that constitute a data breach under Texas law:

▪ First name or first initial + last name + SSN, driver’s license number, or government ID → data breach

▪ First name or first initial + last name + account or card number + access or security code → data breach

▪ Information that identifies an individual + health care provided or payment for health care → data breach

Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053

CIVIL PENALTY $100.00 per individual per day for notification delay, not to exceed $250,000 for single breach §521.151

Page 13: Cyber Liability Insurance Counseling and Breach Response

Reporting to Law Enforcement

▪ Role of law enforcement.

▪ When to report to law enforcement?

▪ Federal, state, or local law enforcement?

▪ When will law enforcement not get involved (usually)?

Page 14: Cyber Liability Insurance Counseling and Breach Response

Reporting to Law Enforcement

▪ Is it mandatory to report to law enforcement?

▪ State breach notification laws presume reporting.

▪ DOJ, NIST, FTC (“we’d view that company more favorably than a company that hasn’t”)

▪ US Senate (Yahoo) – when did you report to law enforcement or other government authorities?

▪ Credibility – the “state sponsored” “unprecedented” game.

Page 15: Cyber Liability Insurance Counseling and Breach Response

Reporting to Law Enforcement

Benefits of reporting to law enforcement.

▪ Agencies can compel info from 3rd parties.

▪ Can work with foreign counterparts.

▪ Viewed favorably by regulators, shareholders, public.

▪ Can request delay of reporting.

▪ Can result in a successful prosecution.

▪ Resources, expertise, institutional knowledge, your $$$

Page 16: Cyber Liability Insurance Counseling and Breach Response

Reporting to Law Enforcement

Dispelling myths of reporting to law enforcement.

▪ Reporting to law enforcement is not the same as disclosing to regulators.

▪ Doesn’t “take over” your operations, not like regulatory enforcement action.

▪ Law enforcement uses discretion, doesn’t tattle on you.

▪ Company is still viewed as the victim.

▪ Use hypotheticals, if needed.

Page 17: Cyber Liability Insurance Counseling and Breach Response

Cyber Insurance

Page 18: Cyber Liability Insurance Counseling and Breach Response

Cyber Insurance – Key Questions

• Do you even know whether you have it?

• What period does the policy cover?

• Are Officers & Directors Covered?

• Cover 3rd Party Caused Events?

• Social Engineering coverage?

• Cover insiders’ intentional acts (vs. negligent acts)?

• Contractual liability?

• What is the triggering event?

• What types of data are covered?

• What kind of incidents are covered?

• Acts of war?

• Required carrier list for attorneys & experts?

• Other similar risks?

Page 19: Cyber Liability Insurance Counseling and Breach Response

Page 20: Cyber Liability Insurance Counseling and Breach Response

10 Key Issues in Cybersecurity Insurance Policies

Page 21: Cyber Liability Insurance Counseling and Breach Response

1. What period does the policy cover?

Page 22: Cyber Liability Insurance Counseling and Breach Response

2. Will Officers & Directors fall into the gap?

Page 23: Cyber Liability Insurance Counseling and Breach Response

3. Does policy exclude liability for injuries arising from breach of contract?

Page 24: Cyber Liability Insurance Counseling and Breach Response

4. Does policy cover actions caused by your vendors and contractors?

Page 25: Cyber Liability Insurance Counseling and Breach Response

5. Does policy provide excess coverage with a drop-down provision?

Page 26: Cyber Liability Insurance Counseling and Breach Response

6. Does policy provide coverage for insiders’ intentional acts – as opposed to negligent acts?

Page 27: Cyber Liability Insurance Counseling and Breach Response

7. What is the triggering event for coverage?

Page 28: Cyber Liability Insurance Counseling and Breach Response

8. What types of data are covered?

Data sources:

▪ Company data: workforce data; customer / client data

▪ Other parties’ data: 3rd-party business associates’ data; outsiders’ data

Page 29: Cyber Liability Insurance Counseling and Breach Response

9. What kinds of breach events are covered?

Threat vectors:

▪ Network

▪ Website

▪ Email

▪ BYOD

▪ USB / GSM

▪ Internet surfing

▪ Business associates

▪ People

Page 30: Cyber Liability Insurance Counseling and Breach Response

10. How are exclusions for “cyber acts of war” and “cyber terrorism” treated?

Page 31: Cyber Liability Insurance Counseling and Breach Response

Additional Cybersecurity Insurance Considerations

Page 32: Cyber Liability Insurance Counseling and Breach Response

Contracts

• 3rd party liability

• Healthcare (BA)

• Software license audit

• Permissible access & use in policies, BYOD

• EULA / TOS

Marketing

• FTC Act § 5

• SPAM laws

• NLRB rules

• CDA § 230

• Website audits

• IP issues

• Acct ownership

Privacy

• Privacy policies

• Privacy & data practices

• Destruction policies

• Monitoring workforce

• Business intelligence

Industry Regulation

• PCI (Payment Card Industry)

• FFIEC (Federal Financial Institution Examination Council)

• FINRA (Financial Industry Regulatory Authority)

• SIFMA (Securities Industry and Financial Markets Association)

What other cyber risk events are covered?

Page 33: Cyber Liability Insurance Counseling and Breach Response

What coverage do you need, and how much?

Page 34: Cyber Liability Insurance Counseling and Breach Response

Should you agree to using the carrier’s list of attorneys and experts?

Page 35: Cyber Liability Insurance Counseling and Breach Response

QUESTIONS?

Page 36: Cyber Liability Insurance Counseling and Breach Response

Shawn Tuma, Scheef & Stone, LLP

Frisco, Texas, 214.472.2135

[email protected]

www.shawnetuma.com (blog), @shawnetuma

Elizabeth Rogers, Greenberg Traurig, LLP

Austin, Texas, 512.320.7256

[email protected]

@Lonestar_Lawyer