Data Security/Privacy Class Actions: Identifying and Mitigating the - - PowerPoint PPT Presentation

SLIDE 1

Presenting a live 90-minute webinar with interactive Q&A

Data Security/Privacy Class Actions: Identifying and Mitigating the Expanding and Evolving Risks

THURSDAY, DECEMBER 4, 2014

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

  • Tracy D. Rezvani, Shareholder, Rezvani Volin & Rotbert, Washington, D.C.
  • Linda D. Kornfeld, Partner, Kasowitz Benson Torres & Friedman, Los Angeles
  • Donna L. Wilson, Partner, Manatt Phelps & Phillips, Los Angeles

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.


SLIDE 5

Data Security/Privacy Class Actions: Identifying and Mitigating the Expanding and Evolving Risks

Presented by:

  • Donna L. Wilson, 310.312.4144, dlwilson@manatt.com
  • Tracy D. Rezvani, 202.350.4270 x101, trezvani@rezvanivolin.com

December 4, 2014

SLIDE 6

Outline

  • Latest litigation developments
    – Is Clapper the final word, or a pyrrhic victory, on the issues of standing?
    – Does standing even matter if you’re faced with (or wielding) a statutory damages claim?
    – If data is the new oil, will data breach and privacy become the new asbestos? Litigation and settlement trends.
  • Potential new areas of risk and reward; a defense and plaintiff view
    – Will big data lead to big problems for business and big opportunities for plaintiffs?
    – The Internet of Things: Assessing the risks
    – Potential game changers: FTC and AG actions and the role of potential new legislation

SLIDE 7

Pre-Clapper

  • Putative Data Security/Privacy Class Actions – risk of harm, cost to mitigate, loss of value
    – Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding standing where plaintiff’s information was posted on a municipal website and then taken by an identity thief, causing actual financial loss fairly traceable to the defendant’s conduct)
    – Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs had both been identity theft victims)
    – Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank based on the threat of future harm)
    – Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing in a suit where plaintiffs’ unencrypted information (unencrypted names, addresses and social security numbers of 97,000 employees) was stored on a stolen laptop, based on possibility of future harm)

SLIDE 8

Pre-Clapper (cont’d)

  • Putative Data Security Class Actions – risk of harm, cost to mitigate, loss of value (cont’d)
    – Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no standing in a suit by law firm employees against a payroll processing firm alleging negligence and breach of contract relating to the risk of identity theft and costs to monitor credit activity), cert. denied, 132 S. Ct. 2395 (2012) - distinguished environmental and toxic tort cases
    – In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013)

SLIDE 9

Clapper: The Final Word or the Last Hurrah?

  • Differences among circuits re: sufficiency of injury for purposes of standing (present v. future injuries)
  • Game Changer? - Clapper v. Amnesty International USA, 133 S. Ct. 1138 (Feb. 26, 2013)
    – Threatened injury must be “certainly impending” to constitute injury-in-fact
    – The Court, however, re-affirmed Monsanto Co. v. Geertson Seed Farms, 130 S. Ct. 2743, 2754-55 (2010) (“reasonable probability” or “substantial risk” sufficient for standing)
  • Effect of Clapper on data breach litigation
    – Plaintiffs have taken the position Clapper is limited to the facts. Defendants have relied upon Clapper to challenge standing based upon possibility of damages, steps taken to prevent future damages (i.e., future risk of identity theft, incurring costs for credit monitoring services). With a few exceptions, Defendants are winning…

SLIDE 10

Clapper: The Final Word or the Last Hurrah? (cont’d)

  • In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) – relying on Clapper, dismissing class action for lack of standing. Rejected various theories of injury, including Barnes & Noble’s failure to promptly notify plaintiffs of security breach; increased risk of identity theft; and time and expenses incurred to mitigate risks of identity theft
  • Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014)
  • Remijas v. Neiman Marcus Group, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014)
  • Moyer v. Michaels Stores, Inc., No. 14 C 561 (N.D. Ill. July 14, 2014) (dismissing claims for breach of implied contract and state consumer fraud statutes based on Michaels’ alleged failure to secure their credit and debit card information during in-store transactions)
  • Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013) - relying on Clapper, dismissing class action for lack of standing. Plaintiffs did not allege either misuse of plaintiffs’ PCI or PHI and court rejected theories of injury including increased risk of identity theft and time and effort to mitigate
  • But see, e.g.,:
    – In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL 11MD2258 AJB MDD, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014) (pre-dating Galaria)
    – In re Adobe Systems, Inc. Privacy Litigation, No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2014) (relying on Krottner, and distinguishing Clapper and Galaria)
    – In re Google, Inc. Privacy Policy Litigation, 2014 WL 3707508 (N.D. Cal. July 21, 2014)

SLIDE 11

Security Breach Litigation

  • Claims don’t always fit well into existing federal statutes – CL and state statutes
  • Is there any damage or loss?
  • Can the plaintiffs establish causation?
  • At the same time – expanding concepts of duty and breach
    – Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012) (holding defendant’s security procedures to not be commercially reasonable)
    – Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
      • Allowing negligence, breach of contract and breach of implied contract claims to go forward
      • Implied contract by grocery store to undertake some obligation to protect customers’ data
      • Class certification denied: In re Hannaford Bros. Co. Customer Data Sec. Breach Litigation, 293 F.R.D. 21 (D. Me. 2013)
    – Lone Star National Bank v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013)

SLIDE 12

Security Breach Litigation (cont’d)

  • Potential MDL treatment
    – In re: Target Corp. Customer Data Security Breach Litig., 2014 WL 1338473 (MDL 2014) (50+ cases)
    – Home Depot: at least 44 civil lawsuits pending, with a motion before the Judicial Panel for Multi-District Litigation seeking to have at least some of the cases heard in the Northern District of GA. Hearing to be held December 4th

SLIDE 13

Class Certification Issues in Privacy and Data Breach Litigation

  • Proving Predominance Is Key
    – In re Hannaford Bros. Co. Customer Data Sec. Breach Litigation, No. 08-md-1954, 293 F.R.D. 21 (D. Me. Mar. 20, 2013)
      • Denied motion for class certification. Plaintiffs had failed to offer expert opinion testimony regarding class wide damages.
      • Instructive for plaintiffs in the future on how to overcome issue of individualized damages?
  • Class Certification Rare But Possible in Privacy Litigation
    – Harris v. comScore, No. 11-cv-5807, 292 F.R.D. 579 (N.D. Ill. Apr. 2, 2013)
      • Certified a class based on claims comScore gathered and sold customers’ personal information without their consent, alleging violations of the Stored Communications Act, Electronic Communications Privacy Act, Computer Fraud and Abuse Act
      • Class consisted of all individuals who have downloaded and installed comScore’s tracking software onto their computers via one of comScore’s third party bundling partners at any time since 2005
      • The Seventh Circuit denied comScore’s petition for an interlocutory appeal on June 11, 2013
    – Welch v. Theodorides-Bustle, 773 F. Supp. 2d 692 (N.D. Fla. 2010) (DPPA case certified)

SLIDE 14

Privacy/Data Breach Litigation Settlements

  • Sufficient relief for class members?
    – Fraley v. Facebook, Inc., No. 11-cv-1726, 2013 WL 4516819 (N.D. Cal. Aug. 26, 2013)
      • Approving $20MM settlement arising from alleged misappropriation of users’ names and/or likenesses to promote products and services through Facebook’s “Sponsored Stories” program. Original proposed settlement did not win preliminary approval
    – Marek v. Lane, 134 S. Ct. 8 (2013), Chief Justice Roberts, in an opinion denying certiorari, still took the time to explain his views on the limits and applicability of cy pres tools to settle cases
  • Claims by customers who did not suffer identity theft
    – Resnick v. AvMed Inc., No. 10-cv-24513 (S.D. Fla. Feb. 28, 2014)
      • Granted final approval of $3MM data breach settlement. Claims can be made by both customers that paid defendant for insurance and customers who suffered identity theft caused by the breach

SLIDE 15

Privacy and Data Security Class Action Settlements

  • Are Settlement Values Going Up, Even for Virtually Worthless Claims?
    – Sony: $15M
    – comScore: $14M
    – LinkedIn: $1.25M
    – Vendini: $3M for unreimbursed losses
    – AvMed: $3M and no claimed damages
    – Schnucks: Up to $1.6M. Covers a wide variety of claimed “damages,” including “documented lost time.”
  • Statutory damages: Where the Real Money Is? But see Spokeo
    – comScore: Illinois federal judge granted final approval of a $14 million settlement of putative class claims that comScore, a web measurement firm, violated various privacy statutes by collecting usernames and passwords, search queries, and credit card numbers, among other data, through allegedly bundling its tracker software with free downloadable games and products, and without providing notice or obtaining consent from consumers

SLIDE 16

And Will Court Scrutiny of Settlements Increase?

  • StubHub: CA state court judge on September 25th rejected final approval of a $2 million settlement between StubHub, a ticket reseller, and a class of 69,000 customers, in a putative class action that alleged StubHub unlawfully recorded customer calls in violation of California’s Invasion of Privacy Act. The court noted only 1,000 putative class members submitted claims, with class counsel receiving more than 25% of the total settlement fund
  • But see Vendini: CA state court judge on October 3 granted final approval of a $3 million settlement by Vendini, an online ticket seller, of putative class allegations arising from a data security breach in 2013 that led to the theft of consumer credit card and other personal information. Plaintiffs asserted false advertising, CRLA, breach of contract, invasion of privacy, Stored Communications Act, and Computer Fraud and Abuse Act claims, alleging that Vendini failed to reasonably protect customer data, and that they lost time and expenses and suffered fear of identity theft as a result. Under the settlement, class counsel will receive $3 million, while members of the putative class will receive compensation for unreimbursed expenses arising from the breach if the claims submitted meet certain criteria. Any money remaining in the fund after payment of counsel and claimants will be cy pres

SLIDE 17

Privacy Claims for Statutory Damages (Federal)

  • E.g., Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”)
    – FCC new regulations – effective October 2013
      • “prior express consent” - Physical or electronic signature and the signing agreement must be optional
      • Elimination of “established business relationship” exception - requires callers to obtain signed written consent from the recipients, even ones who are established customers
    – Large volume of class actions already, potential for increase
    – Penalties of $500-$1500 per unauthorized call
      • Large settlements (examples: Domino’s $9.75MM; Papa John’s $16.5MM)
      • Limitations on class judgments (Holtzman v. Turza, 728 F.3d 682 (7th Cir. 2013))
    – Revocation of prior consent
      • Gager v. Dell Financial Services, LLC, 727 F.3d 265 (3d Cir. 2013) - although TCPA does not expressly grant a right of revocation, this does not mean that the right to revoke does not exist.

SLIDE 18

Privacy Claims for Statutory Damages (Federal) (cont’d)

  • E.g., Video Privacy Protection Act, 18 U.S.C. § 2710
    – VPPA new regulations effective January 10, 2013
      • Streamlines the process for consumers to share data regarding their video viewing activities. Allows consumers to consent via electronic means, and if the consumer chooses, grant consent in advance for up to two years. Customers may withdraw consent on a case by case basis or withdraw consent from ongoing disclosures.
    – In re Netflix Privacy Litigation, No. 11-cv-3379, 2013 WL 1120801 (N.D. Cal. Mar. 18, 2013) – granting final approval of class action settlement. $9M settlement fund
      • Objectors appealed to Ninth Circuit. Netflix argued reasonableness, relying on the Facebook Beacon settlement.
      • Issue: no monetary relief for class members despite high statutory damages

SLIDE 19

Privacy Claims for Statutory Damages (State: Focus on California)

  • California’s Shine the Light Law, Cal. Civ. Code § 1798.83 - 1798.84
  • California’s Confidentiality of Medical Information Act (CMIA), Civ. Code § 56
  • California’s Song-Beverly Credit Card Act, Cal. Civ. Code § 1747.08
    – Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011) – finding that a ZIP code constitutes PII under the Song-Beverly Credit Card Act
    – Apple Inc. v. Superior Court, 56 Cal. 4th 128, 133 (2013) – holding section 1747.08 does not govern online purchases of electronically downloadable products because electronic transactions do not fit within the statutory scheme
    – Capp v. Nordstrom, Inc., 2013 WL 5739102 (E.D. Cal. Oct. 22, 2013) – predicting that the California Supreme Court will decide that an email address constitutes PII under § 1747.08
      • But see: Bell v. Blizzard Entertainment, Inc., 12-CV-09475 BRO (PJWx) (C.D. Cal July 11, 2013) – holding email addresses, secret question answers, and cryptographically scrambled passwords are not PII within the meaning of Delaware’s Data Breach notification Law
    – Leebove v. Wal-Mart Stores, Inc., No. 13-cv-01024 (C.D. Cal. Oct. 4, 2013) - denying motion for class certification. Questions common to the class do not predominate over questions affecting only individual members (i.e., whether Wal-Mart was justified in requesting the personal information)

SLIDE 20

Privacy Claims for Statutory Damages (State)

  • Massachusetts General Laws, ch. 93, § 105(a)
    – Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013)
  • District of Columbia Code, § 47-3153
    – Hancock v. Urban Outfitters, Inc. et. al, cv-13-939, 2014 U.S. Dist. LEXIS 33324 (D.D.C. Mar. 14, 2014)
  • Kansas Consumer Protection Statute § 50-669a
  • New Jersey Statute § 56:11-17
  • New York General Business Laws § 520-A(3)
  • Rhode Island General Laws § 6-13-16
  • Wisconsin Statute § 423.401

SLIDE 21

Avoiding Class Action Suits – Arbitration Provisions

  • Contract Formation - Hostility to implied contracts with consumers
    – In re Zappos.com, Inc. Customer Data Securities Breach Litig., 893 F. Supp. 2d 1058 (D. Nev. 2012) (links to TOU on every page)
    – Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)
  • Arbitration and Class Action Waivers
    – AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
    – American Express Co. v. Italian Colors Restaurant, 133 S. Ct. 2304 (2013)
    – Kilgore v. KeyBank, Nat’l Ass'n, 718 F.3d 1052 (9th Cir. 2013) (en banc)
    – Mortensen v. Bresnan Communications, LLC, 722 F.3d 1151, 1157-61 (9th Cir. 2013)
    – Coneff v. AT & T, Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012)

SLIDE 22

Avoiding Class Action Suits – Arbitration Provisions (cont’d)

  • Arbitration and Class Action Waivers (cont’d)
    – Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email after agreement “failure to cancel = consent to arbitration” not a binding agreement to arbitrate disputes)
      • But see Hancock v. AT&T, 701 F.3d 1248 (10th Cir. 2012) (enforcing click through contract and arbitration provision contained in subsequent email that afforded the plaintiff the opportunity to cancel service within 30 days and obtain a partial refund if it did not agree with the provision)
    – In re CarrierIQ, Inc. Consumer Privacy Litig., No. C-12-MD-2330 (EMC), 2014 WL 1338474 (N.D. Cal. Mar. 28, 2014)
  • Reservation of Unilateral Rights
    – Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) (“[b]ecause Qwest retained an unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory and unenforceable.”), appeal dismissed, 733 F.3d 900 (10th Cir. 2013)

SLIDE 23

Avoiding Class Action Suits – Arbitration Provisions (cont’d)

  • Reservation of Unilateral Rights (cont’d)
    – In re Zappos.com, Inc. Customer Data Securities Breach Litig., 893 F. Supp. 2d 1058 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement illusory)
  • Recent cases:
    – Knutson v. Sirius XM Radio, Inc., 2014 WL 5802284 (9th Cir. Nov. 10, 2014) (rejecting arbitration clause in “shrink wrap” agreement where the consumer received the agreement with satellite radio provider after being provided with a trial subscription and allowing TCPA claim to proceed)
    – Nguyen v. Barnes & Noble, 763 F.3d 1171, 1176 (9th Cir. 2014) (consumer’s use of website did not constitute agreement to its terms of use where no reasonable notice of its terms was provided and consumer could not assent: the TOS was available only through a hyperlink and there was no notice or prompt to allow consumer to take affirmative action to assent)

SLIDE 24

Does Big Data Make For Big Problems (or for Plaintiffs, Big Opportunities?)

  • The “Creepy” Factor
  • Issues of Discrimination
  • Using Big Data to Prove Your Case as a Plaintiff – a Better Way?
  • World’s Biggest Data Breaches, a visual presentation: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

SLIDE 25

The Internet of Things and the Risks

  • Would Internet of Things cases lend themselves more easily to class action litigation?
    – Products liability (pacemakers and cars)
    – Violations of Privacy
    – Statutory discrimination

SLIDE 26

The FTC, The AGs, and The Legislators

  • FTC is increasingly active – but most of the cases are not in a gray area
    – Wyndham and LabMD will be pivotal in determining FTC’s enforcement powers
    – Looking ahead to Big Data and IoT issues, applying long-held principles to new technology
  • The AGs of many states are also increasingly active
    – Pushing for credit card monitoring where none is required
    – Settlements reached: E.g., Aaron’s Inc., a rent-to-own furniture and appliance company, agreed this year to pay $28.4 million to settle allegations by the CA AG that Aaron’s had violated various consumer protection and privacy laws by, among other things, installing software that could track the keystrokes of people who rented computers and activate the webcams or microphones on those computers.
  • Increased activity expected on state legislative level but hard to see where Congress is going (if anywhere)

SLIDE 27

Takeaways

  • Privacy and Data Security should be top areas of focus for enterprise risk management and information governance
    – Settlement values are arguably rising, and more plaintiffs’ counsel are getting into the game
    – Regulatory attention also is increasing
    – Risks are rising
  • “Bake” privacy and data security into your corporate culture and business
  • Review your risks regularly, and devise strategies to avoid or minimize them

SLIDE 28

Data Security/Privacy Class Actions: Identifying and Mitigating the Expanding and Evolving Risks

December 4, 2014

Linda D. Kornfeld
Kasowitz Benson Torres & Friedman LLP
lkornfeld@kasowitz.com / (424) 288-7902

SLIDE 29

KASOWITZ BENSON TORRES & FRIEDMAN LLP

Biography

Linda D. Kornfeld is a nationally recognized insurance coverage litigator whom Chambers USA has described as one of “the best attorneys in California” for coverage litigation. Ms. Kornfeld has extensive trial and appellate experience representing corporate and individual policyholders in high-stakes litigation in California and across the country.

Ms. Kornfeld has assisted clients in recovering hundreds of millions of dollars over the years in a variety of types of claims. Ms. Kornfeld has been repeatedly cited as an exceptional insurance litigator and one of the top women lawyers in California by leading legal publications and directories, including Chambers USA, Lawdragon in its top 500 “leading lawyers” in America, Benchmark Litigation as a “Litigation Star” both nationally and in California, the Daily Journal as one of California’s top 75 women litigators, Business Insurance as one of the country’s “50 Women to Watch” in insurance, and Southern California Super Lawyers, as one of the top 50 women lawyers in Southern California.

SLIDE 30

WHICH POLICIES MAY APPLY?

  • Review potentially applicable policies
  • Traditional coverages:
    – General Liability
    – Errors & Omissions
    – Directors & Officers

SLIDE 31

Specialty Coverages

  • Has the company purchased data breach/privacy policies?
  • Has the company’s traditional coverage been endorsed to add some form of data breach protection?
  • Does that coverage match the ever evolving data breach exposures?

SLIDE 32

Audit traditional coverages to see what may be triggered

SLIDE 33

CGL Policies: Is There a Potential For Coverage?

  • “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”
  • Does the claim involve some form of “publication”?
  • Does the claim involve a “privacy” violation?

SLIDE 34

Zurich v. Sony, Case No. 651982/2011 (N.Y. Sup. Ct. Feb. 24, 2014)

  • No “personal injury” coverage for 2011 Sony PlayStation breach because “third party” hackers and not Sony committed the offense.
  • The decision is faulty because it adds words to the “personal injury” coverage not contained in standard form policies.
  • It also is one state court and is contra to law in other states.

WWW.KASOWITZ.COM

SLIDE 35

CGL POLICY EXCLUSIONS

SLIDE 36

Hartford v. Corcino, Case No. 13-3728, 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013)

  • Personal/Advertising Injury defined to include, “electronic publication of material that violates a person’s right of privacy.”
  • But, the policy excluded, injury “arising out of violation of a person’s right to privacy created by any state or federal act.”
  • Held the exclusion did not apply to common law violations of the right to privacy.

SLIDE 37

New ISO Form Exclusions

For example, CG 21 06 05 14:

This insurance does not apply to damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

SLIDE 38

Errors & Omissions Coverage

  • Also review E&O policies.
  • Cover “claims” for allegations of “professional” misconduct.
  • Must act within “professional” capacity as defined by policy.
  • Some cover “damages arising from violation of ‘privacy’ laws.”

SLIDE 39

Directors & Officers Coverage

  • Covers certain claims for “wrongful acts, errors or omissions” by company and its executives.
  • If executives have not done what may be reasonably necessary to protect against a data breach event, including purchasing adequate insurance, coverage may apply.
  • Target class actions address failures to have adequate protective procedures in place to prevent data breach events.

SLIDE 40

What to Purchase?

  • What is your risk of exposure?
  • Involve privacy and other in-house counsel, CIO, CTO, in the purchase/renewal process.
  • Policies are complex with multiple definitions; carefully review to confirm that definitions match business risks.
  • Sony ruling, new ISO exclusions, evolving risk and associated expenses mean companies need to think about buying specialty coverage.

SLIDE 41

What to Purchase?

  • Are limits/sub-limits adequate?
  • Does the policy provide adequate notification, credit monitoring, consultant, lawyer, public relation, and other mitigation cost coverage?
  • Have you reviewed your trading partners’ coverage?

SLIDE 42

“Statutory Damages/fines/penalties”

  • Watch out for “fines/penalties” exclusions, or loss definition restrictions.
  • Corcino court rejected Hartford’s argument that statutory penalties are not covered “damages”: “[t]he statutes … permit … recover[y of] damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage.”

SLIDE 43

“Statutory Damages/fines/penalties”

  • Standard Mutual Insurance v. Lay, 989 N.E.2d 591 (Ill. 2013): In TCPA action, court rejected insurer argument that statutory damages were punitive and uninsurable.
  • Congress identified harms caused by a TCPA breach and made them compensable by a liquidated sum per violation.
  • Such liquidated damages intended by Congress to be “an incentive for private parties to enforce the statute.”

SLIDE 44

“Statutory Damages/fines/penalties”

  • Columbia Casualty v. HIAR Holdings, 411 S.W.3d 258 (Mo. 2013).
  • Court found that fixed TCPA damages encompassed compensable harms that were covered as “damages.”

SLIDE 45

Cyber liability Policies

May protect against various risks, including:

  • Hacking/Electronic Theft
  • Network Security Liability
  • Privacy Injury (disclosure of personal info)
  • Content Injury (IP infringement, defamation, or unfair competition based on same)
  • Regulatory Liability
  • Public Relations Expenses

SLIDE 46

Regulatory Liability

  • For example, a policy may cover loss stemming from “a civil, administrative or regulatory proceeding against an Insured by a federal, state or foreign governmental authority alleging violation of . . . a Security Breach Notice Law.”
  • Beware of exclusions that purport to apply to fines and penalties.

SLIDE 47

Minimum Security Requirements

  • Many Cyber Liability Policies may require the insured to follow “minimum required practices” spelled out in an endorsement to ensure network security.
  • Exclusion does not necessarily apply to “negligent circumvention of controls.”

SLIDE 48

CONCLUSION

  • Understand the evolving nature and extent of risks in order to properly insure.
  • Audit traditional coverages.
  • Scrutinize necessary coverage each year to match to evolving risks and consider purchasing specialty coverage.