We’ve been following the latest on the WannaCry ransomware attack that we first told you about over the weekend.

A feared “second strike” did not materialize today, but victimized firms in over 100 countries are still struggling to recover.

So, what’s next?

If you needed to build the business case for increasing the budget for updates/upgrades and your IT programs, this should provide you with the jump-start. If your IT support and maintenance is outsourced, you should be asking questions. Now.

  • What versions of operating systems and software are you running? Obsolete versions of Microsoft Windows are particularly vulnerable, not only to this exploit but to new variants. There may be very specific circumstances that require you to use versions that are no longer supported (including the cost of upgrade), but now is the time to revisit the topic with the Board of Directors if necessary.
  • Is your company’s patching program up to date? At the very least, have you updated this weekend? You should make sure that both your personal and business machines running Windows are updated with the patches issued by Microsoft. If you can’t patch directly, follow TrendMicro’s suggestion to use a virtual patch. If you can’t patch at all, segregate machines with outdated operating systems from the rest of the network.
  • What is your backup and recovery plan? Do you have one? If you have a well-thought-out data backup and recovery plan, you may be able to ride out a ransomware attack by restoring your data from clean backups. Management should be asking whether there is a plan to assure that all important files are backed up in a way that prevents a ransomware infection from reaching both the primary files and the backups.
  • Are you following US-CERT alerts? Sign up here.
  • Review your insurance policies. Ransomware attacks and their after-effects may be covered by a cyberliability policy. But the failure to take preventive action could trigger an exclusion. Also look at your other policies — business interruption, crime, kidnap/ransom — to see if you can stack coverage.

Be vigilant. Encourage vigilance in your workforce.

We previously reported here that CNA filed a lawsuit against its insured Cottage Health System seeking reimbursement of amounts that it previously paid under Cottage’s cyber liability insurance policy. On Friday, a federal district court dismissed, without prejudice, CNA’s lawsuit because CNA failed to exhaust the policy’s required non-judicial remedies before filing suit. The applicable cyber liability insurance policy provided that “[a]ll disputes and differences between the Insured and the Insurer which may arise under or in connection with this policy … shall be submitted to the alternative dispute resolution (“ADR”) process” and, if mediation is chosen, a lawsuit cannot be filed “until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of termination ….” The federal district court found that CNA did not allege in the complaint, nor did CNA allege otherwise, that it satisfied the ADR provision. “That [CNA] has not exhausted the non-judicial remedies required by the contract is therefore apparent on the face of the Complaint.” Although CNA requested that the court stay the lawsuit pending the parties’ mediation, the federal court dismissed the complaint without prejudice to permit the parties to pursue ADR under the terms of the policy.


Happy June – the first day of meteorological summer!

In the last month, both a federal and a state court denied coverage for claims relating to an insured’s handling of electronic data. In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data. In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information. Both of these decisions illustrate the importance of the specific language contained in an insurance policy, as that language determines the scope and breadth of the coverage actually afforded under that policy. Continue Reading Privacy Monday – June 1, 2015 – Courts Affirm Insurers’ Denial of Coverage for Electronic Data Claims

Key takeaway: The insurance applications and underwriting questionnaires prepared in connection with cyber insurance do matter.

Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions. This is beginning to change as disputes arise and make their way through the judicial system.

One such suit came last week when CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy. In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the internet. Cottage allegedly stored such records on an internet-accessible system but failed to install encryption or use other safeguards. The California court granted approval of the $4.125 million settlement fund in December 2014. CNA, which had reserved its rights, filed this action. You can read more about the underlying lawsuit here.

In it, CNA invokes the exclusion for “failure to follow minimum required practices,” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.” In its application, Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures. CNA asserts that this representation in the application was false.

Insureds and insurers in the cyber space would do well to watch this matter unfold. The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides. Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies. Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week, here.


…new insurance coverage endorsements

Written by Nancy Adams

A few days ago, media outlets released a video of a kangaroo knocking a drone out of the sky.

Apparently, this “privacy loving” kangaroo was less than pleased with the drone following her family. While the drone obtained impressive footage of the kangaroos, it was clear that this kangaroo had had enough. As new technologies enter the stream of commerce, companies using such technologies likewise face new risks and exposures – whether from a kangaroo or another source. Continue Reading On the Eleventh Day of Privacy, the Drones Brought to Me…

…gaps in my cyber liability coverage

Written by Heidi Lawson and Danny Harary

What can companies and insurers expect in the new year when it comes to cyber liability insurance coverage? While we wait for court decisions interpreting the new stand-alone cyber liability insurance policies that are being heavily pushed in the market, there are some steps a company can take now to make sure the scope of its insurance coverage is consistent with its expectations.

With many insurers now entering the market looking to make a profit on this new coverage, the question is: how broad is this new coverage – really? Continue Reading On the Fourth Day of Privacy, My Insurance Carrier Gave to Me…

Our series last year was a reader favorite, so we decided to put our prognosticator hats on again and present:


Rather than look back at 2014, starting tomorrow, the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2015 and what we might be talking about in the year to come.

Don’t miss a day starting tomorrow!

Day One – 12/9 – Does Santa Claus Have to Comply with EU Data Protection Laws: 2015 Compliance Considerations for Non-EU Companies

Day Two – 12/10 – Through the Looking Glass: Privacy Litigation

Day Three – 12/11 – What the 2015 Proxy Season Might Bring…

Day Four – 12/12 – Cyberliability Policies: What to Expect in 2015

Day Five – 12/15 – California Dreaming … New Legislation Effective January 1

Day Six – 12/16 – Hacks and the State Actor: What Sony Portends…

Day Seven – 12/17 – Questions of Authority: Who is “the cop” on the Privacy and Data Security Beat?

Day Eight – 12/18 – Health Data Sharing – How much is too much?

Day Nine – 12/19 – OCR Corrective Action Planning in 2015: The Gift That Keeps on Giving

Day Ten – 12/22 – Wearables: What will that new gadget be spilling about you?

Day Eleven – 12/23 – ISO and the Courts: How Your Coverage is Likely to Narrow in 2015 (and why…)

Day Twelve – 12/24 – On the Twelfth Day…


Join us each day as we celebrate the 12 Days of Privacy, v.2014!

Written by Heidi Lawson, CPCU and Danny Harary

“Cyber liability insurance” is often used to describe a range of insurance policies, in the same way that the word “cyber” is used to describe a broad range of information-security-related tools, processes and services. Everyone is talking about the need for “stand-alone” cyber liability insurance policies. These stand-alone cyber liability insurance policies basically cover expenses related to the management of a breach, e.g., the investigation, remediation, notification and credit monitoring. However, cyber liability coverage is also found in some existing insurance policies, including kidnap and ransom and professional liability coverage. There may also be some limited coverage through a crime policy if electronic theft is added to that policy.

Continue Reading Cyber Liability Insurance: Where’s the Beef?

Written by Nancy Adams, CPCU

There are only a handful of decisions addressing whether a commercial general liability (CGL) policy provides coverage for lawsuits brought against retailers allegedly collecting their customers’ ZIP code information. Thus, when a decision is issued in this area, particularly a decision denying coverage, it is noteworthy.

Recently, in OneBeacon American Ins. Co. v. Urban Outfitters, Inc., Case 2:13-cv-05269-SD (E.D. Pa.) (May 15, 2014), a federal district court found that two primary insurers (OneBeacon and Hanover) did not have a duty to defend two retailers (Urban Outfitters and Anthropologie) against three ZIP code cases. In OneBeacon, the parties cross-moved for summary judgment seeking a declaration regarding OneBeacon’s and Hanover’s duty to defend (or not) Urban Outfitters and Anthropologie under the applicable CGL policies’ “personal and advertising injury” coverage. (OneBeacon and Hanover issued virtually identical policies to the retailers over a five-year period.) The court found that there was no duty to defend the retailers against the three lawsuits.

Continue Reading “May I have your ZIP Code?” Retailers may want to read this….

The last installment in our series – “Coverage for Privacy Violations”

Written by Heidi Lawson and Danny Harary

Part 5 of 5: Coverage For Privacy Violations

As we previously noted, recent SEC actions on the topic of cybersecurity indicate increased SEC focus and likely herald the coming of enforcement actions against public companies for cyber breaches. On the front end, companies can mitigate their risk by ensuring their cyber preparedness in the event of an attack, which increasingly appears to be all but inevitable. In the event that a company does suffer a data breach, it will quickly look to its insurance policy to help defray the costs. In theory, litigation arising out of a data breach should be covered under a D&O policy. However, given the rise in hacking and cyber breaches, cyber liability policies have grown in popularity. As a result, D&O policies are increasingly drafted with a standard exclusion for privacy violations and data breaches, some of which have recently changed. Thus, companies cannot simply assume that their D&O policy will respond to a cyber breach. Also, the board of directors cannot assume a cyber policy will protect them. Cyber policies may provide some protections, but certainly not for derivative suits or shareholder class actions. Continue Reading Cyber Risks for the Boardroom Part 5: Coverage for Privacy Violations