Tag Archives: securities and exchange commission

Ready to Comply With Fiduciary Standard?

Recent actions by the U.S. Department of Labor (DOL) are causing insurance and other financial services brokers to rethink their business models and how they communicate with their customers. That’s because the DOL recently finalized a controversial new standard broadening the definition of who constitutes a “fiduciary” under the Employee Retirement Income Security Act (ERISA).

Essentially, the rule, with an applicability date of April 10, 2017, heightens the duty of financial advisers for 401(k) plans and IRAs who are considered “brokers,” defined as registered representatives of a broker dealer paid commissions by the investments they recommend. Before the new rule, brokers were held to a standard of suitability, which meant that, when a broker recommended that a client buy or sell a particular security, the broker must have a reasonable basis for believing that the recommendation is suitable for that client. That standard allowed brokers to recommend an investment product that paid them a higher commission as long as it was suitable for the client, even though it may not be the best choice. Under the new fiduciary standard, brokers must put their clients’ interests ahead of their own in recommending investments.

See also: Do Brokers, Agents Owe Fiduciary Duty?

The new standard for brokers puts them on par with investment advisers registered with the Securities and Exchange Commission or individual states, who were already required to meet the fiduciary standard. The change presents a challenge to the business model of brokers, who typically get paid from commissions, unlike registered investment advisers, who are paid a percentage fee based on the amount of plan assets under management.

New challenges for broker customer communications

The challenges the new rule poses for brokers don’t end with compensation. The new duty will directly affect any information brokers provide to customers in print or digital form that might be deemed a “recommendation” under the rule. A fact sheet provided by the DOL describes a “recommendation” as follows:

“A ‘recommendation’ is a communication that, based on its content, context and presentation, would reasonably be viewed as a suggestion that the advice recipient engage in or refrain from taking a particular course of action. The more individually tailored the communication is to a specific advice recipient or recipients, the more likely the communication will be viewed as a recommendation.”

A holistic view of the customer communications ecosystem

In short, every broker customer communication will now need to be audited to determine whether it constitutes a recommendation and modified if it would violate the new standard. This could be an onerous task.

Customer communications management (CCM) processes will be essential for complying with this new rule. Adding personalization to communications is a huge advantage to the adviser, but it is now critical to have a process for reviewing these personalized communications to confirm that they conform to the new legal reality.

CCM becomes even more critical considering the efficiency and control that can be gained by centrally managing this content. Scattered, decentralized communications processes will make it far more likely that an adviser will send noncompliant content to a customer, exposing the company and the adviser to considerable risk.

Many insurance agencies and other brokers use legacy systems to generate their customer communications, which makes it costly and time-intensive to modify them to ensure compliance with the new rule. IT departments have the skills to make the needed changes, but not the time or full expertise to review and audit the updated customer communications. Insurance organizations should give careful consideration to the following to identify potential obstacles to compliance:

  • Determine where customer information is stored. If it resides in multiple departmental systems, there is greater risk that advisers will send noncompliant communications to customers unless these systems are coordinated.
  • Consider whether existing CCM processes and systems are flexible enough to incorporate compliance review for today’s wide range of communications channels, including mobile, email, web pages and social media.
  • Analyze how customer activities are supported by different channels in the organization. Channel communications may be intertwined from a customer’s perspective, but managed separately within the organization. Achieving compliance will require understanding how communications appear to the customer.
  • Ensure that compliance officers and other regulatory personnel are engaged early in communications creation and automate approval processes to speed time-to-market and create audit trails.

With the new DOL rule, brokers want to know what constitutes a recommendation, and they want to know how to effectively communicate with customers in a compliant way. Ideally, insurance organizations will find strategies that allow brokers the freedom to personalize their customer communications so that they can differentiate from the competition, while at the same time receive the timely guidance they need to avoid making an unintentional recommendation.

See also: Fiduciary Liability Insurance in the Nonprofit Sector – What You Need to Know

Accomplishing this will require a careful look at the current customer communications ecosystem and taking the necessary steps to ensure that compliance review is integrated into workflows in the most effective, yet least intrusive, way.

7 Stakeholders for Cyber Risk

Imagine you’re the CFO at a firm involved in sensitive M&A discussions with your bankers, and you receive an email asking for a small bit of non-public information on your company, the kind you’ve passed on before. You send the information – and later find you were the victim of a sophisticated cyber-attack.

Now imagine you’re in charge of operations at a manufacturing facility. Out of the blue, your employees report that they have lost control of key systems. It’s impossible to shut down a blast furnace correctly, endangering the safety of employees and others and threatening massive damage. You, too, have been the subject of a cyber-attack.

These events underscore the new reality in cyber risk management: It is no longer just an IT issue. Everyone – from individual employees to risk managers to your board of directors – now has a stake in managing cyber risk comprehensively, across the enterprise.

Following are seven key stakeholders to consider as you look at your cyber risk management strategy:

  1. Risk manager: Risk managers can ensure various stakeholders are connected in terms of assessing, managing and responding to cyber risk. Understanding the evolving cyber insurance market and overall risk finance options is also important.
  2. CFO: Concerns range from the potential costs of a cyber event and what the impact could be on the bottom line to the security of the office’s sensitive information.
  3. CEO/board of directors: Accountable for overall business and company performance, they have a fiduciary duty to assess and manage cyber risk. Regulators, including the Securities and Exchange Commission and Federal Trade Commission, have made clear they expect companies’ top leadership to be engaged on the issue.
  4. Legal/compliance: As regulations around cyber develop, legal and compliance roles become increasingly important in keeping other stakeholders informed and engaged. And, if a cyber incident occurs, lawsuits often follow within hours.
  5. Operations: Maintaining daily operations, business processes and workplace stability is critical during a cyber event.
  6. Human resources/employees: Simple errors – or deliberate actions – by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated “spear phishing” attacks targeting specific employees.
  7. Customers/suppliers: Interactions with customers and vendors can open you up to an attack. You need to understand the protections they have in place so they don’t become the weak point in your cyber defenses.

Protecting your organization’s data and individuals’ privacy is becoming more difficult by the day. Successful cyber-defense strategies are comprehensive and multi-pronged. A critical component is understanding and defining the roles and responsibilities of all key stakeholders.


Next Up for Cyber: Class Action Suits

Last fall, I wrote about board oversight of cybersecurity and derivative litigation in the wake of cybersecurity breaches. In this post, I’d like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches. In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action. But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches and the impact of threats and breaches on companies’ business models. When the market is better able to analyze these matters, there will be stock drops. When there are stock drops, the plaintiffs’ bar will be there.

When plaintiffs’ lawyers arrive, what will they find? They will find companies grappling with cybersecurity disclosure. Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC’s Oct. 13, 2011, “CF Disclosure Guidance: Topic No. 2” (“guidance”) and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Sen. Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014. But, as the SEC noted in the guidance, and Chair White reiterated in October 2013, the guidance does not define companies’ disclosure obligations. Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures.

Indeed, plaintiffs’ lawyers will not even need to mention the guidance to challenge statements allegedly made false or misleading by cybersecurity problems. Various types of statements — from statements about the company’s business operations (which could be imperiled by inadequate cybersecurity), to statements about the company’s financial metrics (which could be rendered false or misleading by lower revenues and higher costs associated with cybersecurity problems), to internal controls and related CEO and CFO certifications, to risk factors themselves (which could warn against risks that have already materialized) — could be subject to challenge in the wake of a cybersecurity breach.

Plaintiffs will allege that the challenged statements were misleading because they omitted facts about cybersecurity (whether or not subject to disclosure under the guidance). In some cases, this allegation will require little more than coupling a statement with the omitted facts. In cybersecurity cases, plaintiffs will have greater ability to learn the omitted facts than in other cases, as a result of breach notification requirements, privacy litigation and government scrutiny, to name a few avenues. The law, of course, requires more than simply coupling the statement and omitted facts; plaintiffs must explain in detail why the challenged statement was misleading, not just incomplete, and companies can defend the statement in the context of all of their disclosures. But in cybersecurity cases, plaintiffs will have more to work with than in many other types of cases.

Pleading scienter likely will be easier for plaintiffs, as well. With increased emphasis on cybersecurity oversight at the senior officer (and board) level, a CEO or CFO will have difficulty (factually and in terms of good governance) suggesting that she didn’t know, at some level, about the omitted facts that made the challenged statements misleading. That doesn’t mean that companies won’t be able to contest scienter. Knowledge of omitted facts isn’t the test for scienter; the test is intent to mislead purchasers of securities. However, this important distinction is often overlooked in practice. Companies will also be able to argue that they didn’t disclose certain cybersecurity matters because, as the guidance contemplates, some cybersecurity disclosures can compromise cybersecurity. This is a proper argument for a motion to dismiss, as an innocent inference under Tellabs, but it may feel too “factual” for some judges to credit at the motion to dismiss stage.

As this analytic overview shows, cybersecurity securities class actions, on the whole, likely will be virulent. Companies, of course, are talking about cybersecurity risks in their boardrooms — and they should also think about how to discuss those risks with their investors. The best way for companies to lower their risk profile is to start to address this issue now, by thinking about cybersecurity in connection with all of their key disclosures, and enhancing their disclosures as appropriate.

Perfection and prescience are not required. Effort matters most. Companies that don’t even try will stand out. As I’ve written in the context of the Reform Act’s Safe Harbor for forward-looking statements, judges are skeptical of companies whose risk factors remain static over time, and look favorably on companies that appear to try to draft meaningful risk factors. I thus construct a defense of forward-looking statements by emphasizing, to the extent I can, ways in which the company’s risk disclosures evolved, and were tailored and focused. I predict that the same approach will prove effective in cybersecurity cases.

Smarter, Faster Trades — and Without Fraud

New York Times senior economic correspondent Neil Irwin did a great public service in his Upshot column provocatively titled, “Why Can’t the Banking Industry Solve Its Ethics Problems?”

While Irwin addressed the issue for investors in general, his column should hold particular interest for those in the insurance business because insurers are such large investors and generate such a high percentage of their operating profit from investments. In terms of commercial and multifamily real estate mortgages alone, insurers hold more than $900 billion of investments, according to the Mortgage Bankers Association’s Q4 2013 report. (That’s $343 billion in commercial and multifamily mortgage debt plus $567 billion in commercial mortgage-backed securities, collateralized debt obligations and asset-backed securities.) The Federal Reserve tallies life insurance companies’ holdings of residential mortgage-backed securities (RMBS) at $365 billion as of the end of the first quarter, 2014. Insurers need the investment industry to clean up its problems if they are to get maximum value from these huge investments.

Why does fraud occur so repeatedly? Irwin ponders.

The answer: gamed markets.

Since the Great Depression, investment systems have relied on enforcement after the fact. If companies were investigated, prosecuted and found to have done something wrong, they were punished. Typically, this is now done through fines and stricter monitoring, meaning that current and future staff – not those in place at the time of the fraud – and shareholders bear the costs. Sometimes, individual perpetrators are forced to retire (with pensions). Only in the past few years have the Department of Justice, Federal Housing Finance Administration and Securities and Exchange Commission begun extracting hefty fines and settlements from the largest banks, such as Citigroup’s $7 billion, JPMorgan Chase’s $13 billion and Bank of America’s $6.3 billion with FHFA and the reported $17 billion with DOJ in connection with residential mortgage-backed securities.

As Irwin notes, fraud continues to occur despite extensive efforts to address the problems that led to the near-collapse of the financial system that spawned the Great Recession.

Gaming the system through high-speed trading remains legal. As long as there is no insider trading, traders can greatly increase the speed of their transactions with network equipment, software and advantageous location of their computers.

Insider trading is illegal but hard to root out. Successful prosecution almost always entails a whistleblower coming forward to provide regulators with precise information. And coming forward as a whistleblower entails consequential career risks.

Two innovations address these systemic challenges by providing better information for the market in real time and creating a feedback loop that improves that information – rather than waiting until after the fact to police bad guys. The innovations are interactive finance and confidence accounting.

First, interactive finance rewards institutions and individuals with financial or strategic advantage for revealing information that details risk. That information could be, for instance, about the changing value of a house, about the payment history of the mortgagee, other financial information about the borrower, etc. That information would stay with the mortgage even if it became part of a pool that was sliced and diced into mortgage-backed securities, so that a potential buyer could probe it and track changes in real time, rather than rely on a single-point-in-time evaluation by a ratings agency. Interactive finance – not enforcement – would keep agencies from giving their highest ratings to securities whose underlying assets were suspect, as happened with sub-prime mortgages in the buildup to the Great Recession.

Marketcore, an intellectual property firm I advise, offers such interactive finance technology. It supports the determination of risk for financial products and the continuous revaluation and analysis of components of pooled securities, among other market-making and clearing capabilities.

Its technology diminishes incentives for fraud by making opacity and concealment anachronistic and replacing them with transparency. The IP also charts effective pathways to employ crowd data and metadata for timely detection of risk, building on the growing availability of information in a “big data” world and allowing for a generational improvement in detecting risk and rating credit.

Second, confidence accounting yields greater transparency and accuracy than traditional, prudential valuation. In confidence accounting, you don’t just set a value for an asset. You say there is an xx% chance that the valuation will fall within a certain range. You then roll up all the assessments and have a probability-based understanding of the likely range of total value. You can also use the estimations as a feedback loop and identify people or institutions that consistently overstate value – if someone says asset values will fall within a certain range 95% of the time, do those values, in fact, fall within that range 95% of the time?

As risk expert David M. Rowe explains in a current Risk blog (citing work by Ian Harris, Michael Mainelli and Jan-Peter Onstwedder) confidence accounting can illuminate “the degree of uncertainty around valuation estimates…including how to partition uncertainty surrounding current valuation from the more familiar concept of risk from uncertain future events, and the messy issue of how to aggregate valuation uncertainty for specific positions into the implied uncertainty of net worth.”
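The roll-up and the feedback loop described above, as an added worked example that is not code from the article or from Marketcore. It assumes each stated interval is the central interval of an independent normal distribution (a modelling choice made for this example only); the assets, valuers and realized values are constructed sample data.

```python
"""Confidence accounting, illustrated: interval valuations, roll-up, and a
calibration feedback loop. Added example with constructed sample data; it is
not code from the article or from Marketcore."""
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import NormalDist


@dataclass(frozen=True)
class Valuation:
    """One valuer's statement: 'with probability `confidence` the asset's
    value lies in [low, high]'."""
    asset: str
    valuer: str
    low: float
    high: float
    confidence: float  # e.g. 0.95


def _z(confidence):
    """Two-sided normal quantile for a central interval at `confidence`."""
    return NormalDist().inv_cdf(0.5 + confidence / 2)


def roll_up(valuations, confidence=0.95):
    """Combine interval valuations into an interval for the total value.

    Modelling assumption (for this example only): each stated interval is the
    central interval of an independent normal distribution. Each is converted
    to a mean and standard deviation, means and variances are summed, and a
    central interval at `confidence` for the total is returned as (low, high).
    """
    total_mean = 0.0
    total_var = 0.0
    for v in valuations:
        mean = (v.low + v.high) / 2
        sigma = (v.high - v.low) / (2 * _z(v.confidence))
        total_mean += mean
        total_var += sigma ** 2
    half_width = _z(confidence) * math.sqrt(total_var)
    return total_mean - half_width, total_mean + half_width


def calibration(valuations, realized):
    """Feedback loop: for each valuer, how often did the realized value land
    inside the stated interval? Returns {valuer: (hits, n, hit_rate, claimed)}."""
    tally = defaultdict(lambda: [0, 0, 0.0])  # hits, count, claimed confidence
    for v in valuations:
        actual = realized[v.asset]
        hit = v.low <= actual <= v.high
        entry = tally[v.valuer]
        entry[0] += int(hit)
        entry[1] += 1
        entry[2] = v.confidence
    return {k: (h, n, h / n, c) for k, (h, n, c) in tally.items()}


def overstaters(valuations, realized, tolerance=0.10):
    """Valuers whose observed hit rate falls short of the confidence they
    claimed by more than `tolerance`: the people the feedback loop should surface."""
    return sorted(valuer for valuer, (_, _, rate, claimed)
                  in calibration(valuations, realized).items()
                  if rate < claimed - tolerance)


# Constructed sample data: five mortgage positions valued by two valuers.
# Valuer "A" is calibrated; valuer "B" consistently marks assets too high.
VALUATIONS = [
    Valuation("m1", "A", 90, 110, 0.95), Valuation("m1", "B", 105, 125, 0.95),
    Valuation("m2", "A", 180, 220, 0.95), Valuation("m2", "B", 215, 240, 0.95),
    Valuation("m3", "A", 45, 55, 0.95), Valuation("m3", "B", 48, 60, 0.95),
    Valuation("m4", "A", 280, 320, 0.95), Valuation("m4", "B", 330, 360, 0.95),
    Valuation("m5", "A", 70, 90, 0.95), Valuation("m5", "B", 95, 110, 0.95),
]
REALIZED = {"m1": 100, "m2": 205, "m3": 52, "m4": 300, "m5": 80}  # later observed values

if __name__ == "__main__":
    lo, hi = roll_up([v for v in VALUATIONS if v.valuer == "A"])
    print(f"95% range for total (valuer A): {lo:.1f} .. {hi:.1f}")
    for valuer, (hits, n, rate, claimed) in calibration(VALUATIONS, REALIZED).items():
        print(f"{valuer}: {hits}/{n} intervals hit ({rate:.0%} vs {claimed:.0%} claimed)")
    print("flagged as overstating:", overstaters(VALUATIONS, REALIZED))
```

Note that the rolled-up 95% range for the five positions (about 698 to 762) is narrower than the sum of the individual interval widths, which is the point of aggregating uncertainty rather than adding it.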

Through these two innovations, interactive finance and confidence accounting, banks would have a much easier time detecting rogues and suppressing rascals. In the process, banks would increase not only their own wellbeing but that of their shareholders, employees and the investing public, including insurance companies.

Going forward is now a simple business decision for us all. We must pick up the pieces of what we have learned and refashion and rebuild data-refreshing business models in which everyone can participate as an information merchant. We must deliver a common architecture in which data is consistently revalued, in a system that continually rewards disclosures about risks and values.

Interactive finance and confidence accounting are emergent technologies poised to play key roles shaping and defining smarter, faster, ethical trades in 21st century finance.

Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 million.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

  • costs associated with post-data breach notification
  • credit-monitoring services
  • forensic investigation to determine cause and scope of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types of coverage as well, including media liability coverage (for claims alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first-party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel, IT professionals, human resources and compliance personnel—and experienced insurance coverage counsel.