Advisen Cyber Risk Insights Conference

I, along with three of my partners in Goldberg Segalla’s Cybersecurity and Data Privacy Practice Group, recently attended the Advisen Cyber Risk Insights Conference in New York City and came away with some terrific nuggets.  They include the importance of “silent cyber” to reinsurers and regulators, the fragmentation of the cyberinsurance market and the difficulty in driving change even for industry leaders, and continuing perceptions about coverage for cyber-related losses under stand-alone cyberinsurance policies and traditional insurance policies. One of the best resources I picked…
Continue reading...

Security Breach Compromises 50 Million Facebook Accounts

In the wake of concerns that the social media giant collects too much personal data, Facebook, Inc. discovered a security breach on September 25, 2018 that affected almost 50 million accounts. Recent privacy regulations, including those recently enacted in the European Union, may have forced Facebook into promptly reporting the breach just three days after it was discovered. Based on the breaking-news reports, the FBI is working with Facebook to investigate the breach to determine the extent of the breach, what information was accessed, whether…
Continue reading...

Cyber Survey Underscores Perspective of In-House Lawyers

In May, the Association of Corporate Counsel (ACC) Foundation released its “State of Cybersecurity Report: An In-House Perspective,” This report conveys the results of the organization’s far-ranging survey on this topic. In addition to the statistics elicited from 617 in-house lawyers (based in 33 countries), the report also includes many comments from the respondents. This report is full of interesting statistics.  Some of the highlights include:
  • One in three respondents indicated that either their current company or a previous employer had experienced a

Continue reading...

New York Cybersecurity Regulations Extended to Credit Reporting Agencies

This week, Governor Cuomo has directed the Department of Financial Services to issue a final regulation requiring credit reporting agencies to comply with cybersecurity regulations applied to financial service companies, previously adopted in 23 NYCRR 500, et seq. The new regulation, 23 NYCRR 201, et seq., obligates credit agencies reporting on 1,000 or more New York consumers to register annually with the DFS, and, beginning November 1, 2018, to comply the previously adopted standards, including adoption of a cybersecurity program and CISO, and other controls.…
Continue reading...

Chili’s Carefully Announces Limited Data Breach

On May 11, 2018, Chili’s Grill & Bar learned that “some of [their] guest’s payment card information was compromised at certain Chili’s restaurants” as the result of a “data incident,” according to a press release on the company’s website. Preliminary investigations suggest malware was used to gather payment card information for purchases between March and April 2018. While such data incidents are increasingly common, Chili’s press release is notable for two reasons. Firstly, The release, presented as a letter to “valued guests,” provided…
Continue reading...

Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available…
Continue reading...

On the Rise: Cyber Breach Actions Take Center Stage

Yet another class action lawsuit has been filed following a cyber attack, this time against Excellus Health Plan Inc. and Lifetime Healthcare Inc. in federal court for the Western District of New York. The lawsuit was brought by self-proclaimed “New York City’s largest personal injury and mass-tort plaintiffs’ law firm” and the former employer of New York’s disgraced Assembly Speaker Sheldon Silver, who reportedly collected about $4 million in bribes and kickbacks during his employment, Weitz & Luxenberg P.C., as co-counsel with Faraci Lange LLP.…
Continue reading...

Data Breach “Sky Is Falling”

Much like Chicken Little, data breach vendors and pundits continue to decry that the data breach sky is falling!  But is it?  A group of researchers set out to answer this very question. “Neither size nor frequency of data breaches has increased over the past decade,” concludes a new statistical analysis by Benjamin Edwards, Steven Hofmeyr and Stephanie Forrest presented during the June 2015 Workshop on the Economics of Information Security in the Netherlands. Instead, the three argue, the increases that have attracted recent media…
Continue reading...

Connecticut Supreme Court Makes Significant Ruling in Data Breach Case

The Connecticut Supreme Court made a very significant ruling yesterday in Recall Total Information Management, Inc. v. Federal Insurance Co., adopting wholesale the Appellate Court’s well-reasoned ruling that an insured’s loss of sensitive records, without more, does not constitute a “publication” of material that violates a person’s right of privacy. Notably, the Appellate Court held that absent proof of an unauthorized third party’s access to the personal identification information, the “publication” element of the Privacy Offense (under the definition of “personal and advertising injury”…
Continue reading...