
“DATA BREACHES AND COMPUTER HACKING: …

*Joshua Gold is a shareholder in the New York office of Anderson Kill & Olick, Mr. Gold regularly represents policyholders, including gaming and hospitality businesses, software companies, financial institutions, and retailers in insurance coverage matters and disputes concerning liability, arbitration, time element insurance, electronic data and other property-casualty insurance coverage Gold can be reached at or (212)

Advertising

This article originally appeared in the Fall 2011 issue of the American Bar Association's Government Law Committee Newsletter.

DATA BREACHES AND COMPUTER HACKING: LIABILITY & INSURANCE ISSUES

By: Joshua Gold*

Data security breaches continue to dominate the headlines, with more and more businesses, governmental authorities and other organizations falling victim. Even with the deluge of news coverage concerning cyber risks, one of the more important news stories may have flown under the radar: data breaches are actually under-reported.

New York, NY Newark, NJ Philadelphia, PA Stamford, CT Ventura, CA Washington, DC


This means that despite the daunting news of hacking incidents against defense contractors, cloud computing companies, entertainment companies, and even firms specializing themselves in computer security, the problem in reality is much worse than what is being currently case anyone needed proof that no person or institution was immune from these cyber threats, it was revealed recently that the computer systems serving one state's police force were hacked, revealing sensitive information concerning terrorism suspects, highway route patrols, illegal immigration, border patrols, and the identities of undercover policemen. While dedicated national and international efforts are being undertaken to secure Internet and VOIP communications and data transmissions from criminal access and misuse, the hacking threat nonetheless will remain for some below are some of the specific threats and liabilities that can befall a business that ends up the target of a successful hacker.

Also discussed below are some insurance and indemnity issues that should be considered in the event of a hacking

Exposure: Statutes, Regulations and Notice Costs

At the outset, it is important to note that computer hacks, by their nature, entail multi-faceted losses and business that has been attacked by a computer hacker has experienced first-hand the disruption to the business' ongoing activities while also realizing that liabilities may be incurred if sensitive information of third parties gets have obligations under statutes regulating the handling and safeguarding of electronically captured information. Presently, there is a patchwork of federal and state laws and regulations governing the privacy of data stored on computers, including health and personally identifying information. If information is hacked, the hacked entity may be accused of violating these statutes and alleged to have mishandled sensitive information in derivation of the law.

A data breach may also lead to claims that the hacked entity violated commercial agreements it has with other businesses or individuals respecting the handling and maintenance of electronically stored , the vast majority of states, have all enacted their own versions of customer notification laws requiring those hacked to provide notice to affected individuals. These laws are of special significance to those businesses that do business with the general public and store customer transaction data and have customer reward / loyalty programs. The notification process, of course, entails time, money and resources. Since some data breaches affect millions of individuals, notification can become an expensive and enduring process. Contact information may not always be up-to-date for those entities that need to send mailed notification to each affected customer. Most entities will incur further expenses when they engage specialized crisis management firms and public relations companies to minimize the damage to goodwill that a firm may have sustained as a result of the theft of sensitive customer information.

It has also become routine for businesses to establish call centers and provide other informational resources for affected customers to learn about what to do in the event that the hacker, or some other party ultimately, misuses the hacked data. All such measures involve expense and divert company resources to some , while dealing with its notification obligations, the hacked entity likely will be dealing simultaneously with the immediate disruption caused by the hacker to the entity's own online operations. Certain computer systems may need to be taken offline for some period of time to erase the threat of continued unauthorized access to the company's systems. Additionally, the entity's IT department, along with third-party consultants, will likely be dedicated to performing forensic examination of the data breach to measure the loss and plug security holes that may have been identified during their analysis.

Last, a hacked entity may find itself working with law enforcement, including the United States Secret Service, to secure and furnish evidence of the hacking incident in the hopes of corralling those

Liability

Not only do hacking incidents precipitate a host of customer-relations issues and costs, but such incidents also often lead to litigation. Class action suits alleging invasion of privacy, negligence and other counts often follow a significant hacking incident. While such suits may not ultimately be successful, the target of the computer hack still has the significant expense of defending such suits and dedicating internal resources to the litigation , businesses that have been hacked may face claims from governmental authorities, such as state attorney generals and consumer protection departments charged with protecting the public from practices that are asserted to have imperiled consumers. For example, the Federal Trade Commission may seek a multi-million fine against a business that has failed to adequately protect customer data from hackers.

In one computer hacking incident, the FTC imposed a $10 million fine on a business that had 160,000 customer records stolen by a computer hacker. Even if a fine is not sought, the FTC may still seek to impose remedial measures against the hacked firm or otherwise have it agree to take certain data security measures going , a serious hacking incident will likely draw the scrutiny of state officials, including attorney generals who may investigate the incident, may seek some form of stipulated redress for affected individuals, or who may bring litigation against the hacked entity for state law violations resulting (or in connection with) the computer hack. Whether dealing with an informal inquiry, an investigation, proceeding or litigation commenced by regulators or attorney generals, there will be some level of expense and diversion of resources caused by the hacking event which will be borne by the hacked entity. While insurance coverage or indemnification may help to offset or cover such losses, the hacking event will still cause a significant disruption to the entity in almost

Coverage for Cyber Losses

One or more often purchased commercial policies may respond to a data breach loss and provide partial or complete insurance coverage for the loss suffered.

Insurance policies to be checked include the following: Property insurance policies (including those promising business interruption insurance coverage), liability insurance policies (including E&O, D&O, general liability and umbrella insurance), crime insurance policies (including financial institution bonds, computer crime policies, and fidelity insurance), and business owner package policies (which may include two or more of the above mentioned insurance coverages).

A hacking loss may trigger more than one policy or may even trigger overlapping coverage, where two or more policies combine to cover different (or even similar) aspects of the loss. As noted above, depending upon the nature and scope of the data breach, a policyholder could end up facing an array of losses and claims, including: lawsuits seeking damages for invasion of privacy, negligence, violation of federal statutes governing the handling of customer, employee or health information, lawsuits over the misappropriation of sensitive or secret business information, investigations by governmental authorities, and potentially other may also experience business interruptions if they must shut down certain online systems or websites in order to contain the (or determine the method of) costs may be covered where the hacked entity incurred costs informing customers and third-parties of data breaches pursuant to state notification laws, establishing call centers and providing guidance to those affected by the data insurance policies also cover crisis management expenses, including the hiring of PR firms.

Some insurance policies also will pay part or all of the forensic expenses ordinarily incurred when addressing the who, how, what, why and when of a computer hacking may have such insurance coverage for these types of losses under existing insurance policies and also under more recent stand-alone insurance products. No matter what, policyholders should steer toward selecting insurance policy forms that are devoid of as many coverage exclusions (aka the fine print) as , those hacked should also check their relevant contracts with third parties to see if any indemnification obligations exist. This will be an important step to see if there is indemnification either in favor of or against the hacked entity. It will be important to know if the indemnification right provides a potential additional source of recovery or, alternatively, provides additional obligations on the part of the hacked

Requirements (Once Again)

Almost all insurance policies call for the timely notice of insurance claims.

Many indemnification agreements also set forth notice conditions. Policyholders and indemnitees would be wise to treat these notice provisions , some policyholders do not always do this, often due to a fear that a serious security incident will adversely harm the business on a going forward basis if it was made known outside the organization. Failing to provide notice on this basis is almost always a mistake. The fact of the matter is that such information will almost always be revealed in any event due to public reporting requirements, law enforcement investigations aimed at apprehending the computer hackers, or leaks within the hacked , given state requirements involving notice to affected individuals after a hacking incident, there is very little basis to ever refrain from providing notice of claims to insurance companies and it is certainly understandable that some businesses are reticent to reveal a security breach due to a hacker, dealing with the matter in a proactive and cooperative manner with the insurance company is almost always a wise way to proceed.

