The CIO of the Office of Personnel Management is one of four defendants recently sued by the federal workers’ union for failing to correct known deficiencies in the agency’s systems. The CIO is a frequent casualty of cyber breaches: Target, AOL, the Utah Department of Health, Ohio University. It is no surprise, then, that a CIO’s average tenure is about five years, much shorter than that of other C-suite executives.
Where is the coverage for a CIO named in a privacy-related lawsuit? There may not be any if the CIO falls in a gap between privacy and traditional D&O coverage.
On the D&O side, if a CIO acting in his official capacity is sued because a data breach causes the stock to drop, or shareholders allege breach of fiduciary duty, or an agency fines the company for improper data protection, then a D&O policy could respond. But many D&O policies contain exclusions for invasion of privacy and for loss of or damage to tangible property. And we have already seen several instances where a CGL policy does not respond to cyber incidents.
The typical cyber policy covers first and third party claims such as notification costs, credit monitoring services, forensic investigations, crisis management expenses, regulatory proceedings and third party liability. A cyber liability policy will not cover shareholder derivative suits. Additionally, the limits of a cyber policy may be insufficient for the amount of damages claimed against a CIO.
Of the two, the D&O policy is probably the better candidate to be amended to cover a CIO’s cyber-related loss.
There is no shortage of headlines about the massive data breach at the Office of Personnel Management, which reportedly involves about 25 million former and current federal workers, their spouses and those who applied for government background checks.
There was also no shortage of headlines this past spring when both the House of Representatives and the Senate passed cyber security legislation, although the bills have not been reconciled. So how would the federal legislation apply to the OPM data breach?
It wouldn’t. The House and Senate measures push U.S. companies to voluntarily share “cyber threat data” with the federal government and to give federal investigators access to their networks. There is limited protection from liability if personal data is disclosed in the course of that sharing.
But neither the House nor the Senate legislation requires increased protection of data to prevent or minimize a breach, or any notice or monitoring after a breach. “Non-federal entities” do not appear to be involved in the OPM breach, so a threshold trigger for the legislation does not exist. And buried deep in the House bill is this limitation: the NCCIC, which receives the shared data, shall not have more than 50 permanent positions, including contract employees. Even if the laws did apply to the OPM breach, how much could a 50-person staff accomplish in the face of 25 million affected individuals?
The federal government may have taken a step forward with the legislation, but it would have no effect on a data breach among its own.
Business Blackout is a joint report just issued by Lloyd’s and the University of Cambridge’s Centre for Risk Studies. It analyzes the insurance impact of a hypothetical attack on power grids that serve 93 million people in the U.S. The fall-out is worse than any disaster movie: financial markets close, products in ports remain unloaded, people cannot get to work, food goes bad from lack of refrigeration, water runs low, hospital generators fail, ATMs run out of cash, tourism halts, social unrest intensifies. The indirect losses continue for years around the globe.
Loss aggregation has emerged as one of the great uncertainties because insurers may have multiple business lines affected and reinsurers may have multiple cedants involved in one occurrence. The affected insurance lines may include property, liability, business interruption, D&O, event cancellation, workers comp, homeowners and auto.
The risk is not just an accumulation of expected cyber losses, but also what the report calls “silent cyber” exposure – when insurers’ portfolios are hit with cyber losses that were neither expected nor priced.
The Blackout scenario is an exaggerated one and unlikely to occur. But the report effectively demonstrates that cyber losses are not restrained by territory or time. Those insurers writing cyber coverage need wordings to protect themselves from the falling domino, and those who think they do not insure cyber losses may want to look again.
Let us know if you will be spending time at RIMS.
From the Chicago Tribune on March 3, 2014:
Social networking website Meetup.com is fighting a sustained battle against cyber attackers who are demanding only $300 to call off a campaign that has kept the site offline for much of the past four days.
The site, which enables strangers to meet for activities of shared interest such as sports and other hobbies, could not be accessed early Monday afternoon.
A Meetup blog said that the company was a victim of a distributed denial of service (DDoS) campaign, a type of attack that knocks websites offline by overwhelming them with incoming traffic. It said that no personal data, including credit card information, had been accessed. Meetup’s co-founder and CEO, Scott Heiferman, said on the company’s blog that it was the first such attack in the site’s 12-year history. He defended the move not to pay the paltry ransom. “We made a decision not to negotiate with criminals,” he said. “Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spread in the criminal world.”
He said the small amount was likely a trick and that the perpetrators of the sophisticated attacks would likely demand more… Heiferman’s blog post said the site should be able to protect itself over time, even though it has struggled to stay online since the attacks began on Thursday morning. He said Meetup spent millions of dollars a year to secure its systems.
The Meetup site and related mobile apps have been intermittently unavailable since Thursday.
OneBeacon America Insurance Company filed a declaratory judgment (DJ) action against retailers Urban Outfitters and Anthropologie in federal court in Pennsylvania on September 10, 2013. The retailers have been sued in “Zip Code Actions” brought by consumers alleging that the stores request zip codes when completing credit card transactions, a practice that allegedly violates consumer protection and privacy laws in the District of Columbia, Massachusetts and California. OneBeacon Declaratory Judgment Complaint
The complaint seeks a declaration of no coverage for defense or indemnity under the OneBeacon CGL and Umbrella policies, primarily because: (1) the Zip Code Actions do not allege “personal and advertising injury” as defined in the policy; (2) the policy excludes recording and distributing material or information in violation of the law; and (3) the policy excludes known violations.
This case comes less than a month after Liberty Mutual filed a DJ in Missouri against Schnuck Markets, also seeking a declaration of no coverage under a CGL policy for the grocery chain’s data breach.
These two coverage disputes arise from different facts but they both demonstrate potential problems when a privacy/data security dispute is tendered under a traditional CGL policy. Companies that believe they already have coverage for privacy/data disputes may want to take a look at these lawsuits and compare them to their own business risks and their current wordings.
At least three class action lawsuits have been filed, two in state court and one in federal court, after Advocate Medical Group in Illinois reported four stolen laptops containing protected health information of 4 million patients. The breach is believed to be the second largest loss of unsecured PHI since mandatory reporting began in 2009.
On July 15, 2013, four password-protected but unencrypted laptops were stolen from Advocate’s offices outside of Chicago. The laptops allegedly contained names, addresses, dates of birth, social security numbers, medical diagnoses and health insurance information of 4.03 million patients.
About a month later, Advocate began notifying affected individuals by letters. Advocate offered credit monitoring, established a call center, created a website and stated that it has enhanced security measures and conducted a thorough review of policies.
The federal complaint was filed August 30, 2013 in the US District Court for the Northern District of Illinois (Advocate Class Action – Federal Court), and the state court actions were filed in Cook County, Illinois on September 4, 2013 (Advocate Class Action State Court (Lozada)) and on September 5, 2013 by the Clifford Law Office (Advocate Class Action State Court (Petrich)).
The breach is also being investigated by the federal Office for Civil Rights (OCR) and the Illinois Attorney General’s office.
There is an increasing number of reported breaches in our school systems. Just this past July:
•Ferris State University in Michigan reported that PII for 39,000 students and employees was briefly available after an unauthorized entry into its system. Ferris State Breach
•A high school in North Carolina’s Guilford County inadvertently disclosed the PII of 456 students in a mailing to one student. North Carolina High School Breach
•The University of Delaware may be looking at upwards of $19M to handle a network breach that exposed the PII of an estimated 72,000 individuals. University of Delaware Breach
Data breaches at schools seem to be shrugged off even by those writing and selling insurance:
–schools do not have enough money to secure networks or train personnel;
–identity theft is not a concern for students who grew up in a cyber world and expect breaches;
–breaches do not happen at the high school or elementary school levels and even if they did, only Higher Ed stores PII.
This thought process – a data breach cannot happen to me – has dotted the cyber/privacy field since the beginning: it is a problem for the big players like Sony; or, if the Pentagon can be hacked, then how does the SME protect itself; or, it is not a concern unless your data is regulated by the government, like a bank or hospital.
But even the brief history of data breaches has taught us this lesson – no entity or industry is immune from cyber breach, and the cost of doing nothing will be much higher than the cost of preparing. Expenses of a breach and damage to reputation are difficult to control, especially for the unprepared. Even if college students are complacent about a data breach, the faculty, alumni and parents are not, especially if the parent’s bank account is the one breached. Many school administrators recognize that data security is an important issue but they need help dealing with it.
Liberty Mutual has sued Schnuck Markets, denying indemnification obligations under a CGL policy for Schnuck’s data breach involving 2.4 million credit and debit cards.
In April 2013 Schnuck reported a data breach involving approximately 2.4 million credit and debit cards used at 79 grocery stores that occurred between December 2012 and March 29, 2013. Since then, 8 lawsuits (including class actions) have been filed against Schnuck as well as a number of demands for damages. The grocery chain tendered the lawsuits and notices of claims to Liberty Mutual.
On August 16, 2013 Liberty Mutual filed a DJ action against Schnuck in federal court in Missouri, denying that it owes coverage under an excess CGL policy effective July 1, 2012 to 2013. The complaint, portions of which are redacted, asserts that no coverage exists under either Coverage A or Coverage B of the Liberty Mutual policy because:
•there is no allegation of “bodily injury” or “property damage” in the lawsuits or demands;
•the “expected or intended” exclusion applies;
•the relief sought by claimants does not constitute “damages”;
•the “contractual liability exclusion” applies;
•the damages are not the result of oral or written publication of material;
•Schnuck violated the “known loss and fortuity doctrine” when it delayed reporting the breach;
•the “offense” was not committed during the policy period; and
•the claims arose out of first publication before the policy period.
This coverage litigation is a good example of what may happen if a business does not have “cyber” coverage because it believes a breach is covered under a CGL policy. Even if there is eventually a finding of coverage, how much does a company pay out-of-pocket in the meantime to correct the breach, notify customers, defend against class action lawsuits, respond to notices of claims and litigate a declaratory judgment action? Companies may find themselves out of cash before they can even start to repair damage to their reputation or market brand.