Something to Keep an Eye On: Insurers and Insureds to Duke it Out in Data Breach Coverage Suit


A new Indiana coverage lawsuit involving a CGL policy (and umbrella policy) may provide more guidance about how courts will approach data breach coverage under traditional insurance products. In National Fire Insurance Company of Hartford v. Medical Informatics Engineering, Inc. et al. (N.D. Ind., No. 16-cv-152), two CNA companies initiated a declaratory judgment action seeking a ruling that they have no duty to defend or indemnify Medical Informatics Engineering, Inc. or NoMoreClipboard, LLC (collectively Medical Informatics) in relation to lawsuits filed against Medical Informatics. The underlying lawsuits allege that Medical Informatics, a provider of medical record storage services, failed to protect its databases containing sensitive personal medical information of approximately 3.9 million putative class members. The insurers allege the underlying lawsuits do not seek “bodily injury,” “property damage,” or “personal ...


Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ariz. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available for purchase distinct cyber products and sub-products. As background, P.F. Chang’s suffered a data breach, resulting in approximately 60,000 customer credit card numbers falling into the hands of hackers. P.F. Chang’s notified Federal immediately. Federal reimbursed P.F. Chang’s for amounts in excess of $1.7 million as ...

Forty Percent Increase in New York State Data Breaches

On Wednesday, May 4, 2016, New York State Attorney General Eric T. Schneiderman announced a 40 percent increase in reports of data breaches during 2016 as compared with the same time frame last year. As in a growing number of states and federal agencies, New York’s Information Security Breach & Notification Act, enacted in 2005, requires all individuals and organizations conducting business in New York to report any unauthorized access to personal information to affected individuals, law enforcement and other government officials. According to the May 4 press release: The office has received 459 data breach notices from the first of the year through May 2, 2016, as compared with 327 through the same time last year. In the year 2015 alone, the office received 809 data breach notices.  The office ...

Cybersecurity Down on the Farm

The FBI and Department of Agriculture have issued a Private Industry Notification to increase awareness among farmers that growing reliance on precision agriculture technology, aka “smart farming,” brings increased vulnerability to cyberattacks. While the notification did not suggest attackers could gain control of physical machinery, unauthorized access to farm-level data regarding crop availability and pricing could be used to exploit US agriculture resources and market trends. Earlier this year, for example, the USDA and Microsoft hosted a worldwide competition to design data visualization tools that will allow farms to make sustainable and efficient decisions that may impact the global food supply, based on the information gathered by “smart farm” sensors, drones and other technologies to measure factors contributing to crop growth. In addition to market manipulation, such data may be ...

Inadvertent Data Breach May Trigger Insurer’s Duty to Defend

As previously posted, in many instances of data breach, information was exposed due to the negligent actions of someone within the organization, as opposed to an external and malicious cyberattack. This week, the Fourth Circuit held that the inadvertent disclosure of data from within the company can constitute a “publication” triggering an insurer’s duty to defend. Goldberg Segalla attorneys Colin B. Willmott and Jonathan L. Schwartz provide a complete analysis of the decision in Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. here.

A Strong Case for Mobile Device Management

The San Bernardino County government paid for, but never installed, a feature allowing employer access to any employee mobile devices. Had the feature been installed, the current legal and philosophical battle between Apple and the FBI over how to access shooter Syed Rizwan Farook’s iPhone might have been avoided. What’s more, the county not only had the software, but also a longstanding policy eliminating any expectation of privacy by the employee: “No User Should Have an Expectation of Privacy.” Had the county simply installed the technology, public officials could legally and ethically access the relevant data from the mass murderer’s iPhone without court involvement. Two lessons are apparent. First, mobile device management (MDM) is an important part of any information technology system, allowing remote access to phones ...

Lessons From a Presidential Campaign Data Breach

It was perhaps the first major allegation of a cyber breach in a presidential campaign when the Democratic National Committee (DNC) claimed that staff members from the campaign of Bernie Sanders accessed unauthorized information from a voter database maintained by the DNC. The DNC leases this database to various campaigns and the campaigns supplement it with their own information. However, campaigns are blocked via firewalls from viewing information supplied by rival campaigns. In this case, members of the Sanders campaign are alleged to have accessed information supplied by Hillary Clinton’s campaign due to a software glitch within the database’s firewall. The exact facts surrounding this access are highly disputed by all parties, including the motivation of the Sanders campaign, whether the retrieved information was downloaded, and how many times the Clinton information ...

New Executive Orders and Budget Proposals Contribute to Federal Cyber Security Efforts

The U.S. Government took several steps on Tuesday, February 9, 2016 to deal with the ever-constant issue of data privacy. First, President Barack Obama issued two Executive Orders. The first Executive Order creates the Commission on Enhancing National Cybersecurity. This new Commission will fall under the U.S. Department of Commerce and be “composed of not more than 12 members appointed by the President” though Congressional leadership can offer recommendations. The order, among other things, requires the Commission to make recommendations in several key areas including: How best to bolster the protection of systems and data, including how to advance identity management, authentication, and cybersecurity of online identities, in light of technological developments and other trends; Ensuring that cybersecurity is a core element of the technologies associated with the Internet of ...

Better Late Than Never: U.S. and EU Regulators Reach Data Privacy Agreement

Officials from the United States and European Union have reached a tentative agreement regarding transfers of personal data by European individuals and businesses to the United States. As stated in the agreement, “This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” When finalized, it will replace a previous safe harbor agreement between the U.S. and EU, which was struck down by the European Court of Justice (ECJ) in October 2015. This agreement comes several days after a self-imposed deadline for crafting new terms. The central issue concerns the transfer of personal information from the EU to the U.S. Under the European Data Protection Directive, personal data cannot be sent to a third country unless ...

The Danger from Within: Banks Work to Combat Hackers Internally

While many companies work diligently to guard against external cyber threats, a number of banks are taking steps to protect themselves from another dangerous, yet equally damaging source: their own employees. According to the Association of Corporate Counsel, at least 30 percent of data breaches during 2015 were caused by seemingly harmless employee errors. To the unknowing employee, a simple click of the mouse could expose information or clues to those looking for an opportunity to breach even the most high-tech security systems. In response to this staggering risk, banks have developed a number of “internal” cybersecurity protections designed to guard against the unmindful employee, including a ban of all portable USB drives, as such devices can be easily lost or stolen. Employees are now warned to monitor their social media content, and to ...