If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.

Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here.

Happy June – the first day of meteorological summer!

In the last month, both a federal and state court denied coverage for claims relating to an insured’s handling of electronic data. In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data. In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information. Both of these decisions illustrate the importance of the specific language contained in an insurance policy as that language determines the scope and breadth of the coverage actually afforded under that policy.

File this under: A View Into What the Regulators Deem Important.  The National Association of Insurance Commissioners (NAIC), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories, recently published its “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” (the “NAIC Guidance”).


A new series for Privacy & Security Matters starting on Monday: “Cyber Risks – Director Liability and Potential Gaps in D&O Coverage” – By Heidi Lawson and Danny Harary

C-suite executives and board members are becoming more concerned about the risks posed to their companies by cyberattacks and data breaches.

Each day next week we are going to explore some of the issues in this rapidly growing area of liability.  We are going to look at the recent increase in focus on privacy issues, why directors should be concerned, the top questions directors should be asking about D&O coverage, what questions directors should ask when it comes to coverage for investigations, and coverage for privacy violations.

Come back and join us – and forward these links to your Board.




If you are in the Boston area (or will be on September 26), please join us for an afternoon discussion on cybersecurity and the growing risk to corporate directors.   It’s no longer just the purview of a company’s IT or compliance personnel.  Cybersecurity needs to be elevated to boardroom discussion and this seminar will cover what directors and advisors to directors need to know and do.      Space will be limited – click here to register now!


  • What every director needs to understand about this enterprise risk
  • Where you, as a director, and your board may be exposed
  • Surprising gaps in your D&O insurance
  • Recent trends in claims and lawsuits


  • Cynthia Larose, CIPP, Chair, Privacy & Security Practice, Mintz Levin
  • Heidi Lawson, Member, Risk Management & Executive Protection Practice, Mintz Levin
  • Peter Foster, Executive Vice President, Willis FINEX North America
  • Jason Straight, CIPP, Managing Director, Kroll Advisory Solutions


Register today!



Written by Nancy Adams

In a ruling that might provide a new path to data breach insurance coverage, DSW Shoe Warehouse, Inc. has prevailed in its attempt to obtain insurance coverage for losses associated with a data breach under a commercial crime policy.

The Sixth Circuit Court of Appeals, in Retail Ventures, Inc. et al. v. National Union Fire Ins. Co., ruled last week that DSW was entitled to more than $6.8 million in losses and prejudgment interest under a commercial crime policy in connection with a computer hacking scheme. The loss occurred between February 1 and February 14, 2005, when hackers used the local wireless network at a DSW store to obtain access to DSW’s main computer system and download credit card and checking account information pertaining to more than 1.4 million customers in 108 stores. Upon learning of the breach, DSW commenced its own investigation and also notified its insurer of the claim. DSW sought coverage for expenses incurred relating to customer communications, public relations, customer claims and lawsuits and investigations by various state and federal regulatory authorities. Over $4 million in losses – the single largest share of the loss arising from the data breach – arose from the costs associated with charge backs, reissuance of credit cards, credit monitoring and fines imposed by the credit card companies. The breach also resulted in an FTC investigation, resulting in a settlement and consent order for DSW, alleging that the breach was a result of the retailer’s failure to protect sensitive consumer data.

The insurer, National Union Fire Insurance Company of Pittsburgh, PA, denied DSW’s claim for coverage under the Blanket Crime Policy. The insurer argued, among other things, that the policy was a fidelity bond and, as such, only provided first party coverage. In other words, the insurer argued that the policy was never intended to provide liability coverage to DSW; rather, coverage was limited to employee dishonesty situations. Upholding the lower court, the Sixth Circuit held that the phrase “fidelity bond” did not appear in the policy and, in any event, coverage does not turn on the label given to a policy but rather the language used in that policy. The Sixth Circuit also rejected the insurer’s argument that the insuring clause, which provided that the insurer would pay for loss “resulting directly from” any theft of the insured property by computer fraud, limited coverage to the insured’s own loss from the theft. Applying a proximate cause standard, the Sixth Circuit found that the computer breach was the proximate cause of DSW’s loss, so that the loss “resulted directly from” the breach. The Sixth Circuit also found that the information obtained did not constitute proprietary information and, as such, the policy’s exclusion for Proprietary Information, Trade Secrets and Confidential Processing Methods was not applicable to bar coverage.

This decision is yet another example of the complexity of evaluating coverage for data breach losses under traditional policies of insurance. Another court in another jurisdiction could have found for the insurer under these facts. The insurance market is constantly changing with new products becoming available to provide coverage where none existed before or where coverage can be questionable or uncertain. This decision thus underscores the importance for insureds and insurers alike to retain skilled counsel to carefully examine proposed policy language. And, to avoid unpleasant surprises, insureds should also assess the nature of their data security exposures and then evaluate the likelihood of whether such exposures are covered by their traditional insurance program and, if not, whether such coverage might be available in the marketplace.