Let us know if you will be spending time at 2014 RIMS.
From the Chicago Tribune on March 3, 2014:
Social networking website Meetup.com is fighting a sustained battle against cyber attackers who are demanding only $300 to call off a campaign that has kept the site offline for much of the past four days.
The site, which enables strangers to meet for activities of shared interest such as sports and other hobbies, could not be accessed early Monday afternoon.
He said the small amount was likely a trick and that the perpetrators of the sophisticated attacks would likely demand more… Heiferman’s blog post said the site should be able to protect itself over time, even though it has struggled to stay online since the attacks began on Thursday morning. He said Meetup spent millions of dollars a year to secure its systems.
The Meetup site and related mobile apps have been intermittently unavailable since Thursday.
OneBeacon America Insurance Company filed a declaratory judgment action (DJ) against retailers Urban Outfitters and Anthropologie in federal court in Pennsylvania on September 10, 2013. The retailers have been sued in “Zip Code Actions” brought by consumers alleging that the stores request zip codes when completing credit card transactions, a practice that allegedly violates consumer protection and privacy laws in the District of Columbia, Massachusetts and California. (OneBeacon Declaratory Judgment Complaint)
The complaint seeks a declaration of no coverage for defense or indemnity under the OneBeacon CGL and Umbrella policy primarily because: (1) the ZIP Code Actions do not allege ‘personal and advertising injury’ as defined in the policy; (2) the policy excludes recording and distributing material information that violates the law; and (3) the policy excludes known violations.
This case comes less than a month after Liberty Mutual filed a DJ in Missouri against Schnuck Markets, also seeking a declaration of no coverage under a CGL policy for the grocery chain’s data breach.
These two coverage disputes arise from different facts but they both demonstrate potential problems when a privacy/data security dispute is tendered under a traditional CGL policy. Companies that believe they already have coverage for privacy/data disputes may want to take a look at these lawsuits and compare them to their own business risks and their current wordings.
At least three class action lawsuits have been filed, two in state court and one in federal court, after Advocate Medical Group in Illinois reported four stolen laptops containing protected health information of 4 million patients. The breach is believed to be the second largest loss of unsecured PHI since mandatory reporting began in 2009.
On July 15, 2013, four password-protected but unencrypted laptops were stolen from Advocate’s offices outside of Chicago. The laptops allegedly contained names, addresses, dates of birth, social security numbers, medical diagnoses and health insurance information of 4.03 million patients.
About a month later, Advocate began notifying affected individuals by letter. Advocate offered credit monitoring, established a call center, created a website and stated that it has enhanced security measures and conducted a thorough review of policies.
The federal complaint was filed August 30, 2013 in the US District Court for the Northern District of Illinois (Advocate Class Action - Federal Court), and the state court actions were filed in Cook County, Illinois on September 4, 2013 (Advocate Class Action State Court (Lozada)) and on September 5, 2013 by the Clifford Law Office (Advocate Class Action State Court (Petrich)).
The breach is also being investigated by the federal OCR and the Illinois Attorney General’s office.
There is an increasing number of reported breaches in our school systems. Just this past July:
•Ferris State University in Michigan reported that PII for 39,000 students and employees was briefly available after an unauthorized entry into its system. (Ferris State Breach)
•A high school in North Carolina’s Guilford County inadvertently disclosed the PII of 456 students in a mailing to one student. (North Carolina High School Breach)
•The University of Delaware may be looking at upwards of $19M to handle a network breach that exposed the PII of an estimated 72,000 individuals. (University of Delaware Breach)
Data breaches at schools seem to be shrugged off even by those writing and selling insurance:
–schools do not have enough money to secure networks or train personnel;
–identity theft is not a concern for students who grew up in a cyber world and expect breaches;
–breaches do not happen at the high school or elementary school levels and even if they did, only Higher Ed stores PII.
This thought process – a data breach cannot happen to me – has dotted the cyber/privacy field since the beginning: it is a problem for the big players like Sony; or, if the Pentagon can be hacked, then how does the SME protect itself; or, it is not a concern unless your data is regulated by the government, like a bank or hospital.
But even the brief history of data breaches has taught us this lesson – no entity or industry is immune from cyber breach, and the cost of doing nothing will be much higher than the cost of preparing. Expenses of a breach and damage to reputation are difficult to control, especially for the unprepared. Even if college students are complacent about a data breach, the faculty, alumni and parents are not, especially if the parent’s bank account is the one breached. Many school administrators recognize that data security is an important issue but they need help dealing with it.
Liberty Mutual has sued Schnuck Markets, denying indemnification obligations under a CGL policy for Schnuck’s data breach involving 2.4 million credit and debit cards.
In April 2013 Schnuck reported a data breach involving approximately 2.4 million credit and debit cards used at 79 grocery stores that occurred between December 2012 and March 29, 2013. Since then, 8 lawsuits (including class actions) have been filed against Schnuck as well as a number of demands for damages. The grocery chain tendered the lawsuits and notices of claims to Liberty Mutual.
On August 16, 2013 Liberty Mutual filed a DJ against Schnuck in federal court in Missouri denying it owes coverage under an excess CGL policy effective July 1, 2012-2013. The complaint, portions of which are redacted, asserts no coverage exists under either Coverage A or B of the Liberty Mutual policy because:
•there is no allegation of “bodily injury” or “property damage” in the lawsuits or demands;
•the “expected or intended” exclusion applies;
•the relief sought by claimants does not constitute “damages”;
•the “contractual liability exclusion” applies;
•the damages are not the result of oral or written publication or materials;
•Schnuck violated the “known loss and fortuity doctrine” when it delayed reporting the breach;
•the “offense” was not committed during the policy period; and
•the claims arose out of first publication before the policy period.
This coverage litigation is a good example of what may happen if a business does not have “cyber” coverage because it believes a breach is covered under a CGL policy. Even if there is eventually a finding of coverage, how much does a company pay out-of-pocket in the meantime to correct the breach, notify customers, defend against class action lawsuits, respond to notices of claims and litigate a declaratory judgment action? Companies may find themselves out of cash before they can even start to repair damage to their reputation or market brand.
Earlier today Kari Timm moderated a panel on cyber risk and insurance for law firms and other professional firms during the 2013 PLUS Professional Risk Symposium. To see a short video discussion on cyber risks for professional services firms from the 2013 PLUS Professional Risk Symposium please visit the PLUS Blog (http://plusblog.org/2013/04/10/cyber-risk-and-professional-firms/).
Walker Wilcox Matousek Partner Kari Timm will moderate a panel on cyber risks and insurance for law firms and other professional firms during the 2013 PLUS Professional Risk Symposium. The session, “The Verdict is In: Cyber Threats a Risk for Professional Firms,” will take place on April 10, 2013 at 10:00. For further information, please visit the PLUS website (http://plusweb.org/event/PRS2013).