Tag Archives: data privacy

Raising the Bar on Data Privacy

With the passage of the California Privacy Rights Act (CPRA), U.S. data privacy law entered a new era. In addition to establishing the first data protection enforcement agency in the U.S., the CPRA ushers in several stringent requirements for insurers and their service providers and is likely to serve as a model for other states considering similar legislation. As we head into 2021, your business should be on notice that data privacy requirements are about to get a lot tougher and ensure that your service providers have put the appropriate safeguards in place to protect your personal information.

While laws like the CPRA require insurers to protect sensitive data, they often give businesses little guidance on how to secure the information systems that process that data. If your business is wrestling with the growing patchwork of data privacy and security requirements, selecting service providers that have certified against an industry-recognized security framework like HITRUST CSF can help you streamline your compliance efforts while providing powerful validation that your service providers have implemented industry standard security programs and best practices.

HITRUST CSF – Not just for healthcare anymore

When vetting service providers, looking at their security certifications is an important starting point. However, not all security certifications are created equal, and relevance will vary depending on your industry and location. In terms of scope, HITRUST CSF offers one of the most comprehensive certifications available. The Common Security Framework consists of 270 requirements spread across 19 domains ranging from access controls and business continuity to risk management and data protection and privacy. Although HITRUST CSF was originally developed to help healthcare organizations address the security requirements of the HIPAA Security Rule, the framework has now been aligned with the controls of other industry standard cybersecurity frameworks, making it an elite certification across multiple industries — like P&C and life insurance — around the globe.

The broad-based appeal of HITRUST CSF is due in large part to its “assess once, report many” approach to certification. HITRUST CSF draws on multiple security frameworks, including ISO 27001, PCI DSS, NIST 800-53 and the NIST Cyber Security Framework. Because so many HITRUST CSF controls align with those of other security frameworks, certification against HITRUST CSF helps businesses comply with a wide range of security and privacy frameworks while streamlining the assessment process. 

Getting certified – What’s involved?

In terms of getting certified, HITRUST CSF offers one of the most rigorous assessments available. Organizations begin the certification process by engaging an external auditor approved by HITRUST to perform a validated assessment. More than other certifications, HITRUST CSF also stresses the importance of developing and implementing the appropriate policies and procedures to safeguard covered information. This combined emphasis on program development and independent third-party assessment place HITRUST CSF in a league of its own when it comes to validating your program to customers concerned about the security of their data.

Once organizations do achieve HITRUST CSF certification, they must demonstrate continuing commitment to data privacy and security through annual assessments. In addition to the biannual validated assessment, organizations must complete an interim assessment that is more limited in scope during intervening years. This annual review cycle ensures that service providers engage in continuous monitoring and improvement of data security and privacy rather than adopting a “one and done” approach to compliance. 

See also: Navigating Security in the Remote Paradigm

One size does not fit all – Which certifications should your service providers carry?

While HITRUST CSF is intended to harmonize requirements across several security and privacy frameworks and legal requirements, many service providers find it useful to maintain multiple certifications. These certifications represent some of the most widely recognized options available to businesses that process sensitive information:

  • PCI DSS – Companies that process credit card transactions should maintain PCI DSS certification, which is overseen by the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS certification requires businesses to meet stringent requirements and engage in continuous monitoring throughout the year. Requirements address seven critical security controls, including change management processes. Other requirements include biannual penetration testing of internal and external networks by an independent third party, as well as quarterly vulnerability scanning of your organization’s information systems.
  • ISO 9001 & 27001 – The International Organization for Standardization (ISO) publishes international standards that address best practices for a wide range of industries and applications. ISO 9001 is a formal Quality Management Program developed by the USPS and major mailers specifically for the mailing industry. The widely known ISO 27001 standard provides requirements for establishing and maintaining an information security management system (ISMS). While organizations can certify against ISO 27001, it is not obligatory, and many organizations choose to address ISO 27001 requirements without pursuing formal certification.
  • SOC 2 Reporting is not a certification, per se. Rather, it is a report that requires organizations to attest to five Trust Services Criteria: Security, Availability, Confidentiality, Privacy and Processing Integrity. SOC 2 reports are widely accepted across many industries and can be done in conjunction with security certifications. For example, some organizations choose to obtain a SOC 2 report based on HITRUST CSF control requirements.
  • FISMA – The Federal Information Security Management Act (FISMA) is a United States federal law that requires federal agencies and contractors to develop, document and implement an information security and protection program. FISMA certification demonstrates compliance with NIST 800-53 Baseline Security Controls for Federal Information Systems and Organizations. Requirements include maintaining an up-to-date system inventory, data categorization, selection and implementation of NIST security controls, development of a System Security Plan, continuous monitoring and conducting annual risk assessments.
  • USPS Platinum Full-Service Certification – Platinum Full-Service Certification is reserved for mailers who consistently meet USPS mail quality thresholds, have a formal Quality Management Program and pass an internal audit and an independent external audit by a certified Quality Auditor. Only a handful of mailing service providers in the U.S. have achieved USPS Platinum Full-Service Certification. Thus, any vendor that maintains this certification is in select company.

See also: Data Security to Be Found in the Cloud

As more states enact tough data protection legislation, validating the security of your service providers will become increasingly vital. Moreover, while it’s never too late to make a good impression, it can be really tough to earn back the lost trust of your customers following a data breach. Verifying that your service providers maintain rigorous, relevant, industry-recognized certifications is one of the most important steps you can take to protect your data and inspire the confidence of your customers.

Managing Customer Opt-Ins in New Normal

As the pandemic accelerates insurers’ efforts to communicate more efficiently and effectively with customers, two-way texting has emerged as the preferred choice of a new generation of customers, who communicate natively via text with everyone — family, friends and brands included. Two-way texting is more popular than chat, but, unlike chat, it raises new issues around customer opt-ins and opt-outs.

In the new normal, insurers will have to manage customer opt-ins and opt-outs carefully to keep the conversation going. It will take more than having policies on accepting cookies and handling customer data — it requires a better understanding of customer consent, and changes to your data management strategy.

Here’s the good news: It doesn’t have to be hard. 

Unite the Data, Solidify Relationships

Business people understand that customers are willing to share data (including email and mobile phone numbers) in exchange for something of value. In the insurance sector, maybe that “something of value” is a quote on renters’ insurance, a video download of drone-based damage assessment after a storm, the status of a claim or a renewal or payment reminder. The opt-in to communicate could be captured at any point in the customer journey.

While the business unit that captures the opt-in might be a call center, a claims department, a vendor that handles assessments, etc., it’s all the same — your brand. So, the opt-in doesn’t have to apply only for one business unit and specific situation. That’s why it’s so important to unite your data across business units and partnerships. You need a single source of truth on opt-ins and opt-outs to solidify the relationship with the customer. 

With the power of the cloud and APIs, it can be easier than you think to integrate data across systems using the infrastructure you already have in place, including on-premises systems. You may have gotten away with not consolidating opt-in data before, but, in the new normal, customers expect more. It’s time to unite the data and solidify the customer relationship across the organization. 

Opt-In, Opt-Out, Opt-In Again

Have you ever opted-in to a text or email communication with a brand to get something you wanted (a discount, a free ice cream cone, etc.), then opted out again? It happens all the time, and privacy regulations are increasingly putting teeth into consumer preferences about data use. That’s another reason it’s so important to have a single source of truth on opt-in status across all operating units, as well as the ability for everyone to collect and process opt-ins and opt-outs.  

See also: COVID and ‘the Great Reset’

The upside is huge for any business, and maybe especially for a sector that relies as heavily on customer relationships as the insurance industry does. When you create a way to unify and manage opt-in and opt-out data on top of your existing infrastructure, you multiply the opportunities to converse with customers and show respect for their preferences. Your automated text solutions, chat agents, call centers, automated claim submission portals, etc., can all collect an opt-in to start and continue conversations. And everyone can join in the conversation as appropriate. 

You can set your insurance company up for success in the post-COVID-19 world right now by enabling all business units to manage consumer consent for communication on their preferred channels, and it will be a lot easier than you think with cloud technologies and APIs. So, what are you waiting for? Disconnected communication data might have worked before, but the new normal is here, and it’s time for your customer data management strategies to reflect it.

In Race to AI, Who Guards Our Privacy?

Way back in 1975, geochemist Dr. Wallace Broecker of Columbia University published his article “Climatic Change: Are We on the Brink of a Pronounced Global Warming?” Today, almost 45 years later, the debate has intensified but still rages, even as some believe the clock is running out. The U.N. Intergovernmental Panel on Climate Change warns that we have only 11 years to limit the chances of a climate change catastrophe.

I see very strong parallels between Dr. Broecker’s warnings and those related to our loss of personal data privacy. Society is facing the threat of climate change, which some experts say will reach a tipping point; we may be reaching a similar tipping point with privacy and cyber security.

In their paper presented at the 1965 Fall Joint Computer Conference titled “Some Thoughts About the Social Implications of Accessible Computing,” E. E. David, Jr. of Bell Labs and R. M. Fano of MIT warned that “the same technology which has given us new dimensions in communication has been used to implement eavesdropping equipment.” They went on to say that “the very power of advanced computer systems makes them a serious threat to the privacy of the individual”.

See also: Untapped Potential of Artificial Intelligence  

Just as we continued to contribute to climate change, we continue to surrender personal privacy in exchange for the lure of instant gratification delivered through simple, easily accessible technologies.

Insurance Industry Opportunity

The insurance industry is uniquely positioned to take the lead in safeguarding data privacy; few other industries have the same depth and breadth of personal information or the same level of dependency on the trust and loyalty of their customers.

Many insurers of property, life and health, along with numerous supply chain intermediaries, are employing a wide range of connected digital technologies to gather individual data and store, analyze and use it to train AI and use it to offer new, different and attractive products and services. And, as of now, there is no easy way for customers to reclaim their data. People may consciously understand the trade-offs of using digital services, but few understand how extensively their data is captured, used and shared. And that data exists in digital form and therefore virtually forever, most certainly long after we are gone.

Without applicable data laws, we’re left with a decentralized patchwork system, devoid of human control. Privacy concerns are surfacing almost daily now, but successful, high-profile applications of analytics are drowning out the cautionary voices. Facial recognition, which is not unlike taking your fingerprints without your permission, is being used by China to keep track of all of their citizens and has been deployed by law enforcement agencies all over the world.

Too Little, Too Late

In a relatively small victory for opponents of this rapid adoption, San Francisco recently became the first U.S. city to ban the use of facial recognition by local agencies. And California’s tough new law, the California Consumer Privacy Act, which takes effect in January 2020, will significantly limit how companies handle, store and use consumer data. The law will require businesses to be more transparent, give consumers the ability to delete and download collected data and give them the chance to opt out of the sale of their information. Still, according to a new survey by TrustArc, most companies still aren’t ready to comply.

See also: 3 Steps to Demystify Artificial Intelligence  

Elsewhere, the European Union’s General Data Protection Regulation (GDPR), a set of new privacy laws, went into effect in May 2018. And Hawaii, Massachusetts and Washington are all considering their own state privacy laws, while Brazil passed its own regulations, which will take effect in 2020.

Insurance Industry Call To Action

What we really need, however, is a standardized, global set of rules and regulations on the permissible uses of personal data and a process governing and enforcing them. The global insurance industry would gain much by taking the lead in this effort – and sooner than later.

The Devil Is in the Details of Cyber

There’s a tempest amid the recent spring shower of cyber insurance cases. It isn’t the Recall Total case,[1] or the Travelers v. Federal Recovery Services case reported the week before.[2] Although those two cases have garnered a great deal of media and other attention from those seeking, and seeking to provide, guidance surrounding insurance coverage for cybersecurity and data privacy-related liability, those cases are, by and large, relatively insignificant.

The tempest case is Columbia Casualty Company v. Cottage Health System.[3] In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty, seeks to avoid coverage under a cyber insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a cyber insurance policy that has resulted in litigation.

Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyber insurance, as well as by those insurance intermediaries, outside coverage counsel and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil is in the details when placing cyber insurance coverage. Although this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully.

Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices and (2) the misrepresentation defense.

The Facts

Underlying Data Breach Litigation and Regulatory Investigation

Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained or used by the insured, Cottage Health System (Cottage).[4]

In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet.”[5] The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.[6]

The lawsuit settled in April 2015 for $4.1 million.[7] Cottage’s cyber insurer, CNA, funded the settlement pursuant to a reservation of rights.[8]

Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,”[9] and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”[10]

The Cyber Insurance Policy

CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million.[11] The policy provides coverage for, among other things, “privacy injury claims.”[12]   Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise.

The Coverage Issues

CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn.

Exclusion for “Failure to Follow Minimum Required Practices”

CNA relies upon an exclusion in the NetProtect360 policy, titled “Failure to Follow Minimum Required Practices,” which states:

Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:

  • Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving:
  • Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…[13]

Citing this exclusion, CNA alleges that coverage is precluded because its insured purported to do certain things relating to various aspects of network and computer security. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems” and to “enhance risk controls,” among a host of “other things”:

  1. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol[14] settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.
  2. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings, its failure to ensure that its information security systems were securely configured, among other things.
  3. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.
  4. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s Failure to Follow Minimum Required Practices” exclusion.[15]

CNA does not allege that its insured acted willfully, that it acted recklessly or even that it was grossly negligent.

The Misrepresentation Defense

In support of its misrepresentation defense, CNA relies principally upon the policy “Application” condition in the policy, which states, among other things, that the insurance policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:

  1. Application
  • The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.
  • This Policy shall be null and void if the Application contains any misrepresentation or omission:
  • made with the intent to deceive, or
  • which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.[16]

Citing this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:

  1. The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”
  2. The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”
  3. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.
  4. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.
  5. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.[17]

Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.”

The Takeaway Tips

  1. Beware Of Broadly Worded Cybersecurity/Data Protection Exclusions

The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction,[18] and broad exclusions that would render coverage illusory are not permitted in California[19] or elsewhere.[20] Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy,[21] which, as represented by CNA in its marketing materials, offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber Liability and CNA NetProtect Products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.[22]

To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing cyber liability coverage.

Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 is regrettably common, and, as the Columbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, requiring insureds to become engaged in coverage litigation as a predicate to obtaining coverage.

The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cyber insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them, or to entirely eliminate them — and often this does not cost additional premium.

  1. Guard Against a Misrepresentation Defense

We have seen it in the D&O context for years, and it’s coming to cyber: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to cyber insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. Cyber insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists, moreover, that may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage.[23]  So what can be done? One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed. But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.

 

[1] Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., — A.3d —-, 2015 WL 2371957 (Conn. May 26, 2015).

[2] Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., No. 2:14-CV-170 TS (D. Utah May 11, 2015)).

[3] No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015).

[4] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶2-3. Cottage operates a network of hospitals located in Southern California. See id.

[5] Kenneth Rice, et al. v. INSYNC, Cottage Health Sys., et al., Case No. 30-2014-00701147-CU-NP-CJC (Ca. Super. Ct. Jan. 27, 2014), ¶1.

[6] Id. ¶¶68, 80.

According to CNA’s complaint, Cottage also faces an ongoing investigation by the California Department of Justice regarding potential HIPAA violations. See Complaint For Declaratory Judgment And Reimbursement, ¶¶6, 22. In its declaratory judgment action, CNA also disclaims coverage for this proceeding. See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶46-49.

[7] See Order Granting Final Approval of Proposed Class Action Settlement and Judgment (Apr. 15, 2015), Findings in Support of Final Settlement Approval ¶2.B.; see also Class Action Settlement And Release Agreement, § 3.1.

[8] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶5.

[9] Id. ¶8.

[10] Id. ¶9.

[11] Id. ¶22-23.

[12] Id. ¶25.

[13] Id. ¶26. A separate policy “condition” states as follows:

  1. Minimum Required Practices

The Insured warrants, as a condition precedent to coverage under this Policy, that is shall:

  1. follow the Minimum Required Practices that are listed in the Minimum Required Practices endorsement as a condition of coverage under this policy, and
  2. maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.

Id. ¶27.

[14] This is used to transfer files between computers on a network.

[15] Id. ¶¶41-44 (footnote reference and emphasis added).

[16] Id. ¶27. CNA also cites to a “Warranty” provision in the insurance application, stating as follows:

Applicant hereby declares after inquiry, that the information contained herein and in any supplemental applications or forms required hereby, are true, accurate and complete, and that no material facts have been suppressed or misstated. Applicant acknowledges a continuing obligation to report to the CNA Company to whom this Application is made (“the Company”) as soon as practicable any material changes…all such information, after signing the application and prior to issuance of this policy, and acknowledges that the Company shall have the right to withdraw or modify any outstanding quotations and/or authorization or agreement to bind the insurance based upon such changes.

Further, Applicant understands and acknowledges that:

2) If a policy is issued, the Company will have relied upon, as representations, this application, any supplemental applications and any other statements furnished to this Company in conjunction with this application.

3) All supplemental applications, statements and other materials furnished to the Company in conjunction with this application are hereby incorporated by reference into this application and made a part thereof.

4) This application will be the basis of the contract and will be incorporated by referenced into and made a part of such policy.

Id. ¶31.

[17] Id. ¶¶51-55 (emphasis added).

[18] See, e.g.,. 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”); see also 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses.”).

[19] See, e.g., Armstrong World Indus., Inc. v. Aetna Cas. & Sur. Co., 52 Cal. Rptr. 2d 690, 705 (Cal. Ct. App. 1996) (rejecting the insurers’ approach where “the insurers’ approach would essentially render the asbestos manufacturers’ insurance coverage illusory”).

[20] See, e.g., Allan D. Windt, 2 Insurance Claims and Disputes § 6:2 (6th ed. updated Mar. 2015) (“a court will not allow an exclusion to eliminate coverage that is expressly and specifically provided for in the same policy form. More generally stated, a policy will not be interpreted to create illusory coverage. For example, in the context of analyzing the absolute pollution exclusion, discussed in § 11:11, some courts have refused to apply the exclusion as written based upon what was, in effect, the conclusion that the exclusion would cause the coverage to be illusory.”).

[21] See, e.g., 2 Couch on Insurance § 22:11 (“the rule is that the objectively reasonable expectations of applicants and intended beneficiaries regarding the terms of insurance contracts will be honored even though a painstaking study of the insurance provisions would have negated those expectations”).

[22] https://www.cnapro.com/html/Our_Products/OurProducts_CNANetProtect.html

[23]See, e.g., Rafi v. Rutgers Cas. Ins. Co., 872 N.Y.S.2d 799 (N.Y. App. Div. 2009) (“although misrepresentations made by an insured must be material, they may be innocently or unintentionally made”).

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors— claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJZ’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1:            Look to CGL Coverage

                        Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

  1. “Property damage” means:
  2. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  3. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

            Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, the trial court’s decision — which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured (Sony) and not by the actions of the third parties who hacked into its network — that decision is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2:           Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant and that the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3:            Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, excepting in particular circumstances that may justify refraining to do so, and to carefully evaluate all potentially applicable coverages.

Step 4:            Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5:            Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.

 

[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., District of Illinois in Travelers Prop. Cas. Co. of America v DISH Network, LLC, 2014 WL 1217668 (C.D, Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b..

[19] Id.. Section I, Coverage B, §1.a.; Section V, §18.

[20] Id.. Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states last May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). For example, in the Corcino case, the court upheld coverage for statutory damages arising out hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).