CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

Celeste King to Moderate Panel on Cyber Threats to Medical Profession and Developments in Insurance at 2014 Crittenden Medical Insurance Conference

Posted in Uncategorized
Celeste King will moderate a panel on cyber and privacy threats to the medical profession and developments in cyber/privacy insurance for the medical profession during the 2014 Crittenden Medical Insurance Conference, scheduled for March 30-April 1 in San Diego. Celeste’s panel includes Jeremy Henley, ID Experts; Jean Liu, Director of Compliance Management for Accretive Health; and John B. Graham, Professional Liability Product Manager for Zurich North America. For further information click here (PDF) or visit the Crittenden website.

Meetup.Com Refuses to Pay $300 Ransom to Hackers – Site Struggles to Stay Online

Posted in Uncategorized

From the Chicago Tribune on March 3, 2014:

Social networking website Meetup.com is fighting a sustained battle against cyber attackers who are demanding only $300 to call off a campaign that has kept the site offline for much of the past four days.

The site, which enables strangers to meet for activities of shared interest such as sports and other hobbies, could not be accessed early Monday afternoon.

A Meetup blog said that the company was a victim of a distributed denial of service (DDOS) campaign, a type of attack that knocks websites offline by overwhelming them with incoming traffic. It said that no personal data, including credit card information, had been accessed.

Meetup’s co-founder and CEO, Scott Heiferman, said on the company’s blog that it was the first such attack in the site’s 12-year history. He defended the move not to pay the paltry ransom. “We made a decision not to negotiate with criminals,” he said. “Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spread in the criminal world.”

He said the small amount was likely a trick and that the perpetrators of the sophisticated attacks would likely demand more… Heiferman’s blog post said the site should be able to protect itself over time, even though it has struggled to stay online since the attacks began on Thursday morning. He said Meetup spent millions of dollars a year to secure its systems.

The Meetup site and related mobile apps have been intermittently unavailable since Thursday.

OneBeacon Files DJ: No CGL Coverage for Retailers in Zip Code Disputes

Posted in Coverage, Credit Card Transaction, Damages, Declaratory Judgment Litigation, Insurance

OneBeacon America Insurance Company filed a DJ against retailers Urban Outfitters and Anthropologie in federal court in Pennsylvania on September 10, 2013. The retailers have been sued in “Zip Code Actions” brought by consumers alleging that the stores request zip codes when completing credit card transactions, a practice that allegedly violates consumer protection and privacy laws in the District of Columbia, Massachusetts and California (OneBeacon Declaratory Judgment Complaint).

The complaint seeks a declaration of no coverage for defense or indemnity under the OneBeacon CGL and Umbrella policy primarily because:  (1) the ZIP Code Actions do not allege ‘personal and advertising injury’ as defined in the policy; (2) the policy excludes recording and distributing material information that violates the law; and (3) the policy excludes known violations.

This case comes less than a month after Liberty Mutual filed a DJ in Missouri against Schnuck Markets, also seeking a declaration of no coverage under a CGL policy for the grocery chain’s data breach.

These two coverage disputes arise from different facts but they both demonstrate potential problems when a privacy/data security dispute is tendered under a traditional CGL policy.  Companies that believe they already have coverage for privacy/data disputes may want to take a look at these lawsuits and compare them to their own business risks and their current wordings.

4 Stolen Unencrypted Laptops = 3 Class Actions

Posted in Advocate Health Care, Class Action, Health Records Privacy, HIPAA, Illinois, medical records

At least three class action lawsuits have been filed, two in state court and one in federal court, after Advocate Medical Group in Illinois reported four stolen laptops containing protected health information of 4 million patients.   The breach is believed to be the second largest loss of unsecured PHI since mandatory reporting began in 2009.

On July 15, 2013, four password-protected but unencrypted laptops were stolen from Advocate’s offices outside of Chicago.   The laptops allegedly contained names, addresses, dates of birth, social security numbers, medical diagnoses and health insurance information of 4.03 million patients.

About a month later, Advocate began notifying affected individuals by letters.  Advocate offered credit monitoring, established a call center, created a website and stated that it has enhanced security measures and conducted a thorough review of policies.

The federal complaint was filed August 30, 2013 in the US District Court for the Northern District of Illinois (Advocate Class Action - Federal Court) and the state court actions were filed in Cook County, Illinois on September 4, 2013 (Advocate Class Action State Court (Lozada)) and on September 5, 2013 by the Clifford Law Office (Advocate Class Action State Court (Petrich)).

The breach is also being investigated by the federal OCR and the Illinois Attorney General’s office.



Data Breaches in Schools Should Not Be Dismissed

Posted in Cyber Breach, Education, Schools, Uncategorized

There is an increasing number of reported breaches in our school systems.  Just this past July:

• Ferris State University in Michigan reported that PII for 39,000 students and employees was briefly available after an unauthorized entry into its system (Ferris State Breach).

• A high school in North Carolina’s Guilford County inadvertently disclosed the PII of 456 students in a mailing to one student (North Carolina High School Breach).

• University of Delaware may be looking at upwards of $19M to handle a network breach that exposed the PII of an estimated 72,000 individuals (University of Delaware Breach).

Data breaches at schools seem to be shrugged off even by those writing and selling insurance:

– schools do not have enough money to secure networks or train personnel;

– identity theft is not a concern for students who grew up in a cyber world and expect breaches;

– breaches do not happen at the high school or elementary school levels and even if they did, only Higher Ed stores PII.

This thought process – a data breach cannot happen to me – has dotted the cyber/privacy field since the beginning: it is a problem for the big players like Sony; or, if the Pentagon can be hacked, then how does the SME protect itself; or, it is not a concern unless your data is regulated by the government, like a bank or hospital.

But even the brief history of data breaches has taught us this lesson – no entity or industry is immune from cyber breach, and the cost of doing nothing  will be much higher than the cost of preparing.    Expenses of a breach and damage to reputation are difficult to control, especially for the unprepared.   Even if college students are complacent about a data breach, the faculty, alumni and parents are not, especially if the parent’s bank account is the one breached.   Many school administrators recognize that data security is an important issue but they need help dealing with it.




Liberty Mutual Sues Schnuck Markets: Asserts No Coverage for Data Breach under CGL Policy

Posted in Coverage, Declaratory Judgment Litigation, Insurance

Liberty Mutual has sued Schnuck Markets, denying indemnification obligations under a CGL policy for Schnuck’s data breach involving 2.4 million credit and debit cards.

In April 2013 Schnuck reported a data breach involving approximately 2.4 million credit and debit cards used at 79 grocery stores that occurred between December 2012 and March 29, 2013.   Since then, 8 lawsuits (including class actions) have been filed against Schnuck as well as a number of demands for damages.   The grocery chain tendered the lawsuits and notices of claims to Liberty Mutual.

On August 16, 2013 Liberty Mutual filed a DJ against Schnuck in federal court in Missouri denying it owes coverage under an excess CGL policy effective July 1, 2012-2013.  The complaint, portions of which are redacted, asserts no coverage exists under either Coverage A or B of the Liberty Mutual policy because:

•there is no allegation of “bodily injury” or “property damage” in the lawsuits or demands;

•the “expected or intended” exclusion applies;

•the relief sought by claimants does not constitute “damages”;

•the “contractual liability exclusion” applies;

•the damages are not the result of oral or written publication or materials;

•Schnuck violated the “known loss and fortuity doctrine” when it delayed reporting the breach;

•the “offense” was not committed during the policy period; and

•the claims arose out of first publication before the policy period.

This coverage litigation is a good example of what may happen if a business does not have “cyber” coverage because it believes a breach is covered under a CGL policy. Even if there is eventually a finding of coverage, how much does a company pay out-of-pocket in the meantime to correct the breach, notify customers, defend against class action lawsuits, respond to notices of claims and litigate a Dec action? Companies may find themselves out of cash before they can even start to repair damage to their reputation or market brand.



Cyber Risk and Professional Firms

Posted in 2013 Issues, Business Practices, Coverage, Cyber Breach, Cyber Costs, Damages, Data Breach, Insurance

Earlier today Kari Timm moderated a panel on cyber risk and insurance for law firms and other professional firms during the 2013 PLUS Professional Risk Symposium. To see a short video discussion on cyber risks for professional services firms from the 2013 PLUS Professional Risk Symposium, please visit the PLUS Blog.

Kari Timm Will Moderate Panel at the 2013 PLUS Professional Risk Symposium

Posted in Coverage, Cyber Breach, Insurance

Walker Wilcox Matousek Partner Kari Timm will moderate a panel on cyber risks and insurance for law firms and other professional firms during the 2013 PLUS Professional Risk Symposium. The session, “The Verdict is In: Cyber Threats a Risk for Professional Firms,” will take place on April 10, 2013 at 10:00. For further information, please visit the PLUS website.