Earlier today Kari Timm moderated a panel on cyber risk and insurance for law firms and other professional firms during the 2013 PLUS Professional Risk Symposium. To see a short video discussion on cyber risks for professional services firms from the 2013 PLUS Professional Risk Symposium please visit the PLUS Blog (http://plusblog.org/2013/04/10/cyber-risk-and-professional-firms/).
Walker Wilcox Matousek Partner Kari Timm will moderate a panel on cyber risks and insurance for law firms and other professional firms during the 2013 PLUS Professional Risk Symposium. The session, “The Verdict is In: Cyber Threats a Risk for Professional Firms,” will take place on April 10, 2013 at 10:00. For further information, please visit the PLUS website (http://plusweb.org/event/PRS2013).
The influential Ninth Circuit Court of Appeals recently issued an important decision in a “watershed case” regarding the expectation of privacy in password-protected electronic devices: US v Cotterman.
Handed down on March 8, 2013, US v Cotterman involved the border search of a registered sex offender entering the US from Mexico. When agents at the border could not open password-protected files on his laptop, DHS shipped the device to a forensic examination office 170 miles away. Once the files were opened, they contained evidence of criminal conduct that led to Cotterman’s arrest.
In upholding the search, the Court of Appeals devoted much of its 82-page opinion to the issue of electronic data. The court found that the uniquely sensitive nature of data on an electronic device carries with it a significant expectation of privacy, making an exhaustive, exploratory forensic search far more intrusive than a search of other forms of property.
There are many distinct aspects to this case, including its criminal, not civil, nature and the “border exception” to search and seizure rules. But the case has implications for civil privacy-related litigation because it acknowledges the value inherent in data stored on electronic devices, treating that data as among the “papers” protected in the words of the Constitution. The court noted that data persists well beyond the point of erasure, since deleted files can be recovered and browsing histories can be tracked, and that storing data in the cloud is particularly problematic when addressing expectations of privacy, because the data may reside far from the device being searched.
Many civil actions are dismissed because plaintiffs cannot establish an injury to a legally protected right, or cannot establish damages, when data is lost or breached. Many courts treat loss of data as a hypothetical or future harm that is not recoverable in the here-and-now.
What US v Cotterman gives plaintiffs is recognition of a legally protected right: an expectation of privacy in stored electronic data that the court found deserving of constitutional protection. Civil cases may still fail for lack of demonstrable harm, but cases like US v Cotterman show a heightened judicial awareness of the value of electronic data.
The Seventh Circuit Court of Appeals ruled on January 11, 2013 that there is no coverage under a homeowner’s policy for an employee of an accounting firm who had a CD stolen from her car. The CD contained financial information and other PII of 30,000 members of a pension fund that was a client of the accounting firm. The pension fund incurred more than $200,000 for credit monitoring and related mitigation expenses. It sued the accounting firm but also named the employee individually for negligently safeguarding the data. The employee tendered the claim to her homeowner’s insurer, Nationwide Insurance, which denied coverage on the grounds that the policy excludes coverage for (i) damage to property “in the care of” the insured and (ii) any claim arising out of or related to a “business” engaged in by the insured. Applying Illinois law, the Court of Appeals affirmed the finding of no coverage based upon the two policy exclusions.
A company seeking to recover all the costs that come with loss or theft of PII, such as credit monitoring, notice and the like, will “follow the money” by looking to as many insurers as possible. In this case the pension fund also sued the accounting firm, but the employee’s coverage dispute would still have been expensive to litigate. Who paid to pursue the declaratory judgment action through the court of appeals? Are employers at risk of having to defend employees in coverage disputes arising out of work-related cyber breaches? The fact pattern in Nationwide, an employee carrying client data on removable media outside the office, is a common, probably daily, occurrence, and one that employers and their insurers should consider in advance.
Nationwide Insurance v Central Laborers’ Pension Fund, No. 12-1784 (7th Cir. Jan. 11, 2013).
In addition to the near-daily reports of more breaches, new laws and controversial workplace privacy issues, there have already been three significant developments involving cyber and privacy in 2013.
1. On January 17, 2013 the Department of Health and Human Services released its final “omnibus” rule under HIPAA, effective March 26, 2013. The sweeping rule implements the HITECH Act’s privacy provisions, increases penalties for violations, modifies the breach notification rules, restricts disclosure of genetic information and expands the definition and responsibilities of business associates.
2. In his State of the Union address on February 12, 2013 President Obama announced an Executive Order on cybersecurity. An executive order is not legislation: it directs federal agencies but can only encourage voluntary participation by the private sector. Even so, the order raises awareness of threats to critical infrastructure, balanced against the preservation of privacy and civil liberties.
3. On February 17, 2013 Mandiant, a US security company, released a report detailing massive espionage against US companies by hackers associated with the Chinese military, a group operating under the designation “Unit 61398.” The scope and persistence of this kind of intrusion reminds all businesses that they must take cyber threats seriously and implement preventive measures, because the risk is not only to third parties’ data but also to the business’s own intellectual property.
Looking further into the crystal ball at what may catch our attention in 2013, let’s consider privilege.
Assume a breach of PII from an organization. The internal investigation team is likely to consist of in-house counsel, an IT group and a “C-suite” executive. Are communications with in-house counsel privileged?
As with most things, it depends: on the jurisdiction, and on whether the communications enable the attorney to provide a legal service to the corporation. Courts construe this test narrowly because in-house counsel typically perform mixed legal and business functions. So communications with in-house counsel about a data breach may not be privileged.
Are documents created during an internal investigation of a privacy breach privileged? Generally no. Ordinary business documents that would have been prepared regardless of whether the recipient is an attorney are not protected.
What about work product? If a business hires outside counsel to advise on the legal issues in a breach, then the advice may be protected by the attorney-client privilege and/or the work product doctrine. The difference between them is that the privilege covers confidential communications made to obtain legal advice, while work product covers materials prepared “in anticipation of litigation.”
What if an insurance policy designates a data forensics company to help contain a breach immediately? Is its report privileged? Unlikely, because the company is retained to remediate the breach, not to help a lawyer give legal advice.
What if the forensics company is instead retained by the insurer’s counsel? Then the report may be protected work product, unless, for example, the examiner is expected to testify.
But having the forensics company controlled by a lawyer may frustrate the goal of identifying and fixing a breach as soon as possible, if the lawyer must first vet its decisions and analyses.
Born December 19, 2012 to Krista (our blog co-author and webinar master) and Josh Figlewicz. Congratulations!
Last week we looked at three issues we believe will be prominent in 2013: consequences of Hurricane Sandy, cyber terrorism and federal legislation. In Part II of our analysis, we look at an additional issue we expect to be important in 2013:
The Cloud. One commentator described the cloud’s development path as entering its “teenage” years in 2013. This seems about right. Simply put, the cloud is third-party infrastructure, reached over the internet, that hosts data and applications on behalf of another organization. If you use Gmail or Google Docs, then you use the cloud. Its attraction is easy to understand because the cloud:
•avoids the expense of the organization’s own servers and software licenses;
•eliminates on-site servers, and with them the physical security and maintenance burden; and
•permits data to be portable, transferable and instantly accessible.
The understanding and usage of the cloud are increasing. For example, the EPA plans to move 25,000 employees and contractors to Microsoft’s cloud-based office suite for email, calendars and collaboration by early 2013. According to one financial publisher, nearly one-third of private companies’ IT budgets were allocated to the cloud in 2012.
So what does this mean for insurers in 2013?
First, it means insurers need to be aware of the increased use of the cloud. Some insurers view the cloud as a simple variation on the outsourcing theme and therefore covered under a typical cyber risk policy. But the cloud may be more complicated from an insurer’s perspective. For example, a cyber policy often refers to a “computer network.” The question the cloud raises is: whose computer network? Some policies refer to “the organization’s network,” with the organization defined simply as the named insured, which may leave a provider-hosted network outside the definition. Others specifically cover “outsourced IT service providers,” which may include cloud hosting. It is critical for insurers to understand exactly what the cloud is, what it encompasses, and what it means to their specific insured.
In 2013 we also may see more “cloud-only” policies. In that case, some may argue “if the general cyber policy covers the cloud, then why do we need a cloud-specific policy?”
Second, it means insurers must be aware of the consequences of a failure of the cloud, whether through breached data security, technical failures or even the financial instability of the cloud provider. If there is a cloud failure, the most important document will be the service contract between the insured and the cloud provider. Insurers need to know (before they write the coverage) what their insureds have agreed to do in the event of cloud failure. There may be an indemnification obligation on the part of the insured, so the insurer has insured not only the policyholder but also some acts of the cloud provider. All parties need to be sure the insurance matches up with whatever indemnification obligations exist.
Third, it means insurers need to be aware of the concept of “aggregation.” Imagine a dozen policyholders who have entrusted their data to a single cloud provider. If there is a cloud failure, there may be losses for every company that outsourced its data to that provider, and how many of those insureds placed their own risks with a single insurer? Or, if multiple cloud data centers go down because of a single lightning bolt (as happened in 2011 when lightning struck a transformer at a power utility station in Dublin, taking down back-end systems for both Amazon and Microsoft), then how many policyholders of a single insurer are impacted?
Part III (and final) of our 2013 prediction to follow.
Predicting the future is a risky business (not entirely unlike insurance) but here are a few of the issues we think will be significant in 2013.
1. Hurricane Sandy: With acknowledgement of the human suffering this disaster caused, we believe it also will affect cyber/privacy and insurance in several ways. First, it should heighten awareness of the chaos that results when a densely populated, commercially vibrant area is crippled by the loss of its computer networks, leading to increased demand for insurance. The hurricane likely will bring an increase in fraud: phishing emails linked to fraudulent charities, photos of the disaster carrying malware, and identity theft because PII was scattered and mail went uncollected at homes and businesses. In addition, there may be fines for HIPAA violations where medical centers evacuated suddenly or lost power. The HHS Secretary declared a public health emergency that relaxed some HIPAA requirements, but the “Section 1135 waivers” applied only for a limited time, in a limited area and for limited purposes. Finally, we should expect first-party claims for cyber-related losses, some made against cyber-specific policies and others against traditional first-party policies.
2. Cyber Terrorism: There was a time when acts of terrorism, war and extortion appeared distinct from one another. Now the lines separating these acts are blurring. For example, the Secretary of Defense recently warned of a “cyber Pearl Harbor,” and the Secretary of Homeland Security testified that large US financial institutions are “actively under attack” by hackers. Many cyber policies, though a relatively new product, are drafted as if the traditional distinctions between terrorism, war and extortion still held. Policies may cover extortion (some do not require a demand for financial gain, just a threat to damage or corrupt data) but exclude terrorism and war. Yet in today’s world, a single malicious act can plausibly be characterized as any or all of these, and the characterization determines whether coverage applies.
3. Federal Legislation: Few questions have invited as much speculation as whether there will be comprehensive federal legislation governing cybersecurity and privacy. The federal government has a complex role: securing both federal and non-federal systems. Under current law, federal agencies are responsible for securing their own systems, answering to more than 50 federal statutes that address cyber issues. But there is no single, overarching federal law in place, and no major cyber legislation has been enacted since 2002. Various legislative proposals were introduced in the 111th and 112th Congresses, but none passed. The most sweeping proposal was the Cybersecurity Act of 2012, but on November 14, 2012 it failed for the second time to muster the necessary votes in the US Senate. The White House is expected to issue an Executive Order within the next few months that implements a voluntary protection program for power plants, water systems and other critical infrastructure, but excludes “commercial information technology products” from the definition of critical infrastructure. Will the much-discussed federal legislation pass in 2013? Our prediction is no, at least not a comprehensive bill, and not unless the US suffers a catastrophic cyber loss.
Part II will include additional predictions of cyber-significant issues in 2013.