Growing Class Action Threat: Breaches of Consumer Personally - - PowerPoint PPT Presentation


Presenting a live 90-minute webinar with interactive Q&A Growing Class Action Threat: Breaches of Consumer Personally Identifiable Information Minimizing Litigation Risk and Maximizing Insurance Coverage TUESDAY, MARCH 18, 2014 1pm Eastern


SLIDE 1

Growing Class Action Threat: Breaches of Consumer Personally Identifiable Information

Minimizing Litigation Risk and Maximizing Insurance Coverage

TUESDAY, MARCH 18, 2014

Presenting a live 90-minute webinar with interactive Q&A

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

  • Linda D. Kornfeld, Partner, Kasowitz Benson Torres & Friedman, Los Angeles
  • Tracy D. Rezvani, Shareholder, Rezvani Volin & Rotbert, Washington, D.C.
  • Donna L. Wilson, Partner, Manatt Phelps & Phillips, Los Angeles

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-869-6667 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

SLIDE 3

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

  • In the chat box, type (1) your company name and (2) the number of attendees at your location
  • Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form). You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner. If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

SLIDE 4

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
  • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.

SLIDE 5

Growing Class Action Threat: Breaches of Consumer Personally Identifiable Information

Presented by:

  • Donna L. Wilson, dlwilson@manatt.com
  • Tracy D. Rezvani, trezvani@rvrlegal.com

March 18, 2014

SLIDE 6

Roadmap

  • Article III standing – actual vs. future damages
  • Trends – alternative theories of damages, liability
  • Enforcement – by FTC, state AGs
  • Class certification issues
  • Privacy settlements – sufficient relief to class members
  • Statutory claims
  • Google – a case study
  • California legislative spotlight
  • Takeaways

SLIDE 7

Standing in Data Breach Litigation

  • Differences among circuits re: sufficiency of injury for purposes of standing (present v. future injuries)
  • Game Changer? - Clapper v. Amnesty International USA, 133 S. Ct. 1138 (Feb. 26, 2013)
    – Threatened injury must be “certainly impending” to constitute injury-in-fact
    – The Court, however, re-affirmed Monsanto Co. v. Geertson Seed Farms, 130 S. Ct. 2743, 2754-55 (2010) (“reasonable probability” or “substantial risk” sufficient for standing)
  • Effect of Clapper on data breach litigation
    – Plaintiffs have taken the position Clapper is limited to the facts. Defendants have relied upon Clapper to challenge standing based upon possibility of damages, steps taken to prevent future damages (i.e., future risk of identity theft, incurring costs for credit monitoring services)
      • In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) – relying on Clapper, dismissing class action for lack of standing. Rejected various theories of injury, including Barnes & Noble’s failure to promptly notify plaintiffs of security breach; increased risk of identity theft; and time and expenses incurred to mitigate risks of identity theft.
      • Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013) – relying on Clapper, dismissing class action for lack of standing. Plaintiffs did not allege either misuse of plaintiffs’ PCI or PHI and court rejected theories of injury including increased risk of identity theft and time and expenses incurred to mitigate risk of identity theft.

SLIDE 8

Standing in Data Breach Litigation

  • Yunker v. Pandora Media, Inc., 2013 U.S. Dist. LEXIS 42691 (N.D. Cal. Mar. 26, 2013) – Court found diminution in the value of PII is insufficient to confer standing. Plaintiff argued that because Pandora allegedly sold the plaintiff’s personally identifiable information, that information is now less valuable. The court granted MTD because of the highly speculative nature of this alleged harm.
  • Redressability
    – Frank v. Neiman Marcus Grp., LLC, 2:14-cv-00233 (E.D.N.Y. February 12, 2014) – Defendant challenges standing, in part, on the theory that Plaintiff cannot meet Article III’s redressability requirement. Defendant argues that the complaint fails to allege facts showing how Plaintiff’s past injuries can be remedied by a judgment in her favor due to Frank’s card issuer’s assurance of zero fraud liability.
  • Target breach litigation
    – Standing will be a hurdle for claimants
      • Plaintiffs will have to show injury in fact, i.e., identity theft
      • Plaintiffs will have to show a strong enough link between Target hacking and injuries suffered
    – Target has promised to pay for credit monitoring services
    – Similar issues for Michaels Stores and Neiman Marcus Security Breaches

SLIDE 9

Trends in Data Breach Litigation

  • Alternative theories of damages?
    – i.e., “benefit of the bargain theory”, not getting what was paid for
      • In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013). MTD granted for plaintiffs’ lack of standing. Plaintiffs had alleged their paid premium memberships promised security.
  • Expansion of who may be held liable for a data breach?
    – Employers of a rogue employee?
      • Kiminiski v. Hunt, et al., No. 13-cv-208 (D. Minn. Sept. 20, 2013). State defendants’ MTD DPPA claim granted because, inter alia, plaintiffs failed to allege that defendants knowingly gave the former employee database access for an impermissible purpose.
    – In the absence of a contractual relationship?
      • Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013). Reversed district court’s dismissal of negligence claim arising from hackers’ breach of Heartland’s data systems. Held that economic loss doctrine did not bar negligence claim. Payment card issuing banks had sued payment processor; Visa and MasterCard had contractual agreements with the issuing banks.

SLIDE 10

Trends in Data Breach Litigation (continued)

  • Focus on statutory claims, rather than common law claims?
    – In re Zappos.com, Inc., No. 12-cv-325, 2013 WL 4830497 (D. Nev. Sept. 9, 2013). Court granted MTD in part. Dismissed most of common law claims, allowed MDL to proceed on most of the state statutory claims and negligence claim.
    – Standing based simply on the availability of statutory injury and damages?

SLIDE 11

Data Breach Enforcement Actions

  • FTC jurisdiction to regulate privacy and data security in the private sector
    – Many FTC settlements under Section 5 of the FTC Act
      • FTC v. Wyndham Worldwide Corp., No. 13-cv-1887 (D.N.J.) – motions to dismiss pending, parties asked to submit supplemental briefing regarding FTC Commissioners’ testimony at a subcommittee hearing that Section 5 enforcement is “vague” and “formal guidelines” are needed. Wyndham contends that Section 5 does not authorize the FTC to regulate data security standards for the private sector.
    – Rare challenge to FTC’s enforcement authority
    – Potential impact on the breadth of FTC authority in the future
      • Closely followed. See, e.g., In the Matter of LabMD, Inc., FTC Docket No. 9357 – in answer, respondent asserted that the FTC lacks subject-matter jurisdiction
  • On the horizon in 2014 – FTC to focus on data security, big data, mobile technologies
  • State AGs
    – Example: Connecticut AG reached a $55,000 settlement with Citibank N.A., where Citibank allegedly delayed in fixing vulnerability and notifying customers.
      • Civil penalties, third party information security audit, maintenance of reasonable security procedures and practices, free credit monitoring for two years for any individual affected by future security incidents

SLIDE 12

Class Certification Issues in Privacy and Data Breach Litigation

  • Predominance
    – In re Hannaford Bros. Co. Customer Data Sec. Breach Litigation, No. 08-md-1954, 293 F.R.D. 21 (D. Me. Mar. 20, 2013)
      • Denied motion for class certification. Plaintiffs had failed to offer expert opinion testimony regarding class wide damages.
      • Instructive for plaintiffs in the future on how to overcome issue of individualized damages?
  • Class certification rare in privacy litigation
    – But see Harris v. comScore, No. 11-cv-5807, 292 F.R.D. 579 (N.D. Ill. Apr. 2, 2013)
      • Certified a class based on claims comScore gathered and sold customers’ personal information without their consent, alleging violations of the Stored Communications Act, Electronic Communications Privacy Act, Computer Fraud and Abuse Act
      • Class consisted of all individuals who have downloaded and installed comScore’s tracking software onto their computers via one of comScore’s third party bundling partners at any time since 2005
        – Largest class ever certified after Schwab v. Philip Morris USA, Inc., 449 F. Supp. 2d 992, 2006 U.S. Dist. LEXIS 73196 (E.D.N.Y., 2006), class cert overturned, McLaughlin v. Am. Tobacco Co., 522 F.3d 215 (2d Cir. N.Y. 2008).
      • The Seventh Circuit denied comScore’s petition for an interlocutory appeal on June 11, 2013
      • Effect: increase number of privacy class actions based on statutory damages?

SLIDE 13

Privacy/Data Breach Litigation Settlements

  • Sufficient relief for class members
    – Fraley v. Facebook, Inc., No. 11-cv-1726, --- F. Supp. 2d ----, 2013 WL 4516819 (N.D. Cal. Aug. 26, 2013)
      • Approving $20MM settlement arising from alleged misappropriation of users’ names and/or likenesses to promote products and services through Facebook’s “Sponsored Stories” program. Original proposed settlement did not win preliminary approval
  • Claims by customers who did not suffer identity theft
    – Resnick v. AvMed Inc., No. 10-cv-24513 (S.D. Fla. Oct. 25, 2013)
      • Granted preliminary approval of $3MM data breach settlement. Claims can be made by both customers that paid defendant for insurance and customers who suffered identity theft caused by the breach
    – Data breach plaintiffs will likely attempt to follow this model in the future

SLIDE 14

Privacy Claims for Statutory Damages (Federal)

  • E.g., Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”)
    – FCC new regulations – effective October 2013
      • “prior express consent” - Physical or electronic signature and the signing agreement must be optional
      • Elimination of “established business relationship” exception - requires callers to obtain signed written consent from the recipients, even ones who are established customers
    – Large volume of class actions already, potential for increase
    – Penalties of $500-$1500 per unauthorized call
      • Large settlements (examples: Domino’s $9.75MM; Papa John’s $16.5MM)
      • Limitations on class judgments (Holtzman v. Turza, 728 F.3d 682 (7th Cir. 2013))
    – Revocation of prior consent
      • Gager v. Dell Financial Services, LLC, 727 F.3d 265 (3d Cir. 2013) - although TCPA does not expressly grant a right of revocation, this does not mean that the right to revoke does not exist.

SLIDE 15

Privacy Claims for Statutory Damages (Federal)

    – Availability of New York as a forum for TCPA class action
      • Bank v. Independence Energy Grp. LLC, 736 F.3d 660, 661 (2d Cir. 2013) - Holding that Federal Rule of Civil Procedure 23, not state law, governs when a federal TCPA suit may proceed as a class action.
  • E.g., Video Privacy Protection Act, 18 U.S.C. § 2710
    – VPPA new regulations effective January 10, 2013
      • Streamlines the process for consumers to share data regarding their video viewing activities. Allows consumers to consent via electronic means, and if the consumer chooses, grant consent in advance for up to two years. Customers may withdraw consent on a case by case basis or withdraw consent from ongoing disclosures.
    – In re Netflix Privacy Litigation, No. 11-cv-3379, 2013 WL 1120801 (N.D. Cal. Mar. 18, 2013) – granting final approval of class action settlement. $9MM settlement fund
      • Objectors appealed to Ninth Circuit. Netflix argued reasonableness, relying on the Facebook Beacon settlement.
      • Issue: no monetary relief for class members despite high statutory damages

SLIDE 16

Privacy Claims for Statutory Damages (State: Focus on California)

  • California’s Shine the Light Law, Cal. Civ. Code § 1798.83 - 1798.84
    – Game changers: Boorstein, King, Miller and Baxter affirming dismissals on basis of lack of standing because plaintiffs failed to allege that they had submitted a request for information as permitted under the statute, or that they would have submitted such a request had accurate contact information been provided
  • California’s Confidentiality of Medical Information Act (CMIA), Civ. Code § 56
    – Expect continued and increased class action activity in the area
    – Recent cases filed, including against Kaiser, Sutherland Healthcare Solutions and Los Angeles County, and numerous settlements.
    – But see Platter v. UCLA (narrowing the scope of the CMIA through the term “release”)

SLIDE 17

Privacy Claims for Statutory Damages (State)

  • E.g., California’s Song-Beverly Credit Card Act, Cal. Civ. Code § 1747.08
    – Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011) – finding that a ZIP code constitutes PII under the Song-Beverly Credit Card Act.
    – Apple Inc. v. Superior Court, 56 Cal. 4th 128, 133 (2013) – holding section 1747.08 does not govern online purchases of electronically downloadable products because electronic transactions do not fit within the statutory scheme.
    – Capp v. Nordstrom, Inc., 2013 WL 5739102 (E.D. Cal. Oct. 22, 2013) – predicting that the California Supreme Court will decide that an email address constitutes PII under § 1747.08
      • But see: Bell v. Blizzard Entertainment, Inc., 12-CV-09475 BRO (PJWx) (C.D. Cal. July 11, 2013) – holding email addresses, secret question answers, and cryptographically scrambled passwords are not PII within the meaning of Delaware’s Data Breach Notification Law.
    – Leebove v. Wal-Mart Stores, Inc., No. 13-cv-01024 (C.D. Cal. Oct. 4, 2013) - denying motion for class certification. Questions common to the class do not predominate over questions affecting only individual members (i.e., whether Wal-Mart was justified in requesting the personal information)

SLIDE 18

Privacy Claims for Statutory Damages (State)

  • E.g., Massachusetts General Laws, ch. 93, § 105(a)
    – Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013)
  • E.g., District of Columbia Code, § 47-3153
    – Hancock v. Urban Outfitters, Inc. et al., cv-13-939, 2014 U.S. Dist. LEXIS 33324 (D.D.C. Mar. 14, 2014)
  • E.g., Kansas Consumer Protection Statute § 50-669a
  • E.g., New Jersey Statute § 56:11-17
  • E.g., New York General Business Laws § 520-A(3)
  • E.g., Rhode Island General Laws § 6-13-16
  • E.g., Wisconsin Statute § 423.401

SLIDE 19

Google: a case study

  • Cookies, tracking the subject of privacy class actions
    – In re Google Inc. Cookie Placement Consumer Privacy Litigation, No. 12-md-2358, 2013 WL 5582866 (D. Del. Oct. 9, 2013) – MTD granted.
      • Court found plaintiffs had not alleged injury in fact (ability to monetize their PII had been diminished or lost by virtue of Google’s previous collection of it) and therefore lacked Article III standing
      • Example of trend requiring actual harm
  • Sufficient relief for class?
    – In re Google Referrer Header Privacy Litig., No. 10-cv-4809, N.D. Cal.
      • Plaintiffs allege Google divulged user search queries to third parties without user knowledge or consent. Motion for preliminary approval of class action settlement filed on July 19, 2013; $8.5MM proposed settlement to be used for payment of settlement administration expenses, cy pres distributions, fee awards and incentive awards

SLIDE 20

Google, a case study (continued)

  • Interpretation of the Wiretap Act
    – In re Google Inc. Gmail Litigation, No. 13-md-2430, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013) – MTD granted in part, denied in part
      • Plaintiffs alleged Google has intercepted, read and acquired content of emails sent or received by Gmail users to provide target advertising. Among other things, district court rejected theory based upon “ordinary course of business” exception to Wiretap Act; rejected contention that plaintiffs consented to interception of their emails
      • Google is seeking certification of the order for interlocutory appeal
      • Plaintiffs filed motion for class certification on October 24, 2013
      • Judge Koh stated that she foresaw a “huge hurdle” to showing that non-Gmail users should be allowed to participate in class action lawsuit on February 27, 2014
    – Joffe v. Google, Inc., --- F.3d ----, 2013 WL 6905957 (9th Cir. 2013)
      • Plaintiffs brought suit under federal and state law, including the Wiretap Act, based on collection of data from unencrypted Wi-Fi networks in connection with its Street View photographs. District court rejected argument that data collection did not violate the Wiretap Act because data transmitted over a Wi-Fi network is an “electronic communication” “readily accessible to the general public” and therefore exempt. Ninth Circuit affirmed.

SLIDE 21

California Spotlight

  • AB 370 (Do Not Track disclosures)
    – But lack of clarity about meaning of do not track; does not actually require that websites do not track, but just that they disclose how they respond to do not track signals; unclear whether applies to mobile apps
  • SB 46 (expanding definition of PI to include customers' passwords, user names, security questions or answers)
    – Other states may follow CA lead
  • SB 568 signed, allows minors to delete social media content
    – Likely to spawn similar state and federal legislation, activity by FTC
  • AB 648 (expands Confidentiality of Medical Information Act to businesses that offer hardware or software to consumers that is designed to manage medical information)

SLIDE 22

Takeaways

  • Review of how data is collected, managed, stored, destroyed, etc.
  • Data breach incident response plan
  • Review privacy policies, compliance with privacy policies; revise as appropriate
  • Monitor legal developments

SLIDE 23

Growing Class Action Threat: Breaches of Consumer Personally Identifiable Information

March 18, 2014

Linda Kornfeld
Kasowitz Benson Torres & Friedman
lkornfeld@Kasowitz.com
(424) 288-7902

SLIDE 24

KASOWITZ BENSON TORRES & FRIEDMAN LLP

Biography

Linda D. Kornfeld is a nationally recognized insurance coverage litigator whom Chambers USA has described as one of “the best attorneys in California” for coverage litigation. Ms. Kornfeld has extensive trial and appellate experience representing corporate and individual policyholders in high-stakes litigation in California and across the country.

Ms. Kornfeld has assisted clients in recovering hundreds of millions of dollars over the years in a variety of types of claims. Ms. Kornfeld has been repeatedly cited as an exceptional insurance litigator and one of the top women lawyers in California by leading legal publications and directories, including Chambers USA, Lawdragon in its top 500 “leading lawyers” in America, Benchmark Litigation as a “Litigation Star” both nationally and in California, the Daily Journal as one of California’s top 75 women litigators, Business Insurance as one of the country’s “50 Women to Watch” in insurance, and Southern California Super Lawyers, as one of the top 50 women lawyers in Southern California.

SLIDE 25

WHICH POLICIES MAY APPLY?

  • Review potentially applicable policies
  • Traditional coverages:
    – General liability
    – Errors & Omissions and D&O coverages

SLIDE 26

Specialty Coverages

  • Has the company purchased data breach/privacy policies?
  • Has the company’s traditional coverage been endorsed to add some form of data breach protection?
  • Does that coverage match the ever evolving data breach exposures?

SLIDE 27

Audit traditional coverages to see what may be triggered

SLIDE 28

CGL Policies: Is There a Potential For Coverage?

  • Where’s the coverage for alleged “privacy” violations?
  • Is the “personal injury” or “advertising injury” coverage potentially triggered?

SLIDE 29

What is Covered?

  • “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”
  • Does the claim involve some form of “publication”?
  • Does the claim involve a “privacy” violation?

SLIDE 30

“Publication”?

  • What is required to constitute “publication”?
  • Some form of “public” dissemination?
  • Term not defined in many policies.
  • “In any manner” language allows for broad interpretation—courts have concluded that any form of third-party dissemination is sufficient.

SLIDE 31

“PUBLICATION”

  • Still a “live” issue.
  • 2013—Ohio: coverage litigation re “unlawful recording without consent” under California Privacy Act: Insurer had duty to defend even though no dissemination to third parties or public at large.
  • According to the court, recording the conversation itself invades privacy and is a “publication” of material.

WWW.KASOWITZ.COM

SLIDE 32

PUBLICATION, cont’d

  • 2014—Connecticut: Recall v. Federal:
    – 130 tapes containing 500,000 IBM employee PII fell off a transport truck and were removed from the roadside by an unknown person.
    – No “publication” because plaintiffs did not prove that the PII on the tapes ever was accessed by anyone—no evidence that the information could be or was accessed.
    – No impact if evidence exists that even one person reviewed.

SLIDE 33

Violation of a “Right of Privacy”?

  • “Privacy” often is not defined in CGL policies
  • “Where an insurance policy does not define privacy” policy can be broadly interpreted “to include aspects of privacy protected by…privacy statutes.”
  • The theory underlying data breach claims is a privacy violation.

SLIDE 34

Sony v. Zurich

  • No “personal injury” coverage for 2011 Sony PlayStation breach because “third party” hackers and not Sony committed the offense.
  • The decision is faulty because it adds words to the “personal injury” coverage not contained in standard form policies.
  • It also is one state court and is contra to law in other states.

SLIDE 35

CGL POLICY EXCLUSIONS

SLIDE 36

“Statutory” Exclusions

  • An exemplar exclusion excludes, “Personal Injury… arising directly or indirectly out of any action or omission that violates or is alleged to violate: …any statute, ordinance or regulation…that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”
  • Insurers assert as a broad-based excuse to avoid coverage for alleged violations of privacy statutes.

SLIDE 37

Statutory Exclusions, Cont’d

  • Carefully read the underlying complaint: Song Beverly and Massachusetts cases, as an example:
  • What if it solely alleges that you “requested and recorded” customer’s zip information?
  • Does that constitute “sending, transmitting, communicating or distributing”?
  • What if in addition to alleged statutory violations the complaint also contains common law privacy claims?

SLIDE 38

Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)

  • Personal/Advertising Injury defined to include, “electronic publication of material that violates a person’s right of privacy.”
  • But, the policy excluded, injury “arising out of violation of a person’s right to privacy created by any state or federal act.”
  • The exclusion did not apply to “liability for damages that the insured would have in absence of such state or federal act.”

SLIDE 39

Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)

  • Motion to dismiss granted: exclusion inapplicable to “liability for damages that the insured would have in absence of such state or federal act.”
  • “Since . . . 1931, California has recognized both a constitutional privacy right and a common law tort cause of action for [privacy] violations.”

SLIDE 40

Hartford v. Corcino (C.D. Cal. Oct. 7, 2013)

  • “The statutes … permit an injured individual to recover damages for breach of an established privacy right, and as such, fall squarely within the Policy's coverage. If Hartford had intended to include a specific distinction in its exclusion, it could have done so when drafting its Policy. However, the Court cannot read restrictive language into the Policy that is not actually there.”

SLIDE 41

Mitigation Costs

  • Average “expense” of data breach event can be in the multi-millions.
  • Can companies look to the CGL policy to pay for these expenses?
  • Are they “necessary” to prevent covered personal or advertising injury claims?

SLIDE 42

Errors & Omissions Coverage

  • Also review E&O policies.
  • Cover “claims” for allegations of “professional” misconduct.
  • Must act within “professional” capacity as defined by policy.
  • Some cover “damages arising from violation of ‘privacy’ laws.”

SLIDE 43

Directors & Officers Coverage

  • Covers certain claims for “wrongful acts, errors or omissions” by company and its executives.
  • If executives have not done what may be reasonably necessary to protect against a data breach event, including purchasing adequate insurance, coverage may apply.
  • Target class actions address failures to have adequate protective procedures in place to prevent data breach events.

SLIDE 44

What to Purchase?

  • What is your risk of exposure?
  • Involve privacy and other in-house counsel, CIO, CTO, in the purchase/renewal process.
  • Policies are complex with multiple definitions—carefully review to confirm that definitions match business risks.
  • Sony ruling, new ISO exclusion, evolving risk and associated expenses mean companies need to think about buying specialty coverage.

SLIDE 45

What to Purchase?

  • Are limits/sublimits adequate?
  • Does the policy provide adequate notification, credit monitoring, consultant, lawyer, public relations, and other mitigation cost coverage?
  • Have you reviewed your trading partners’ coverage?

SLIDE 46

“Statutory Damages/fines/penalties”

  • Watch out for “fines/penalties” exclusions, or loss definition restrictions.
  • Corcino court rejected Hartford’s argument that statutory penalties are not covered “damages”: “[t]he statutes … permit …recover[y of] damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage.”

SLIDE 47

“Statutory Damages/fines/penalties”

  • Standard Mutual Insurance v. Lay (Illinois S. Ct. May 2013): In TCPA action, court rejected insurer argument that statutory damages were punitive and uninsurable.
  • Congress identified harms caused by a TCPA breach and made them compensable by a liquidated sum per violation.
  • Such liquidated damages intended by Congress to be “an incentive for private parties to enforce the statute.”

SLIDE 48

“Statutory Damages/fines/penalties”

  • Columbia Casualty v. HIAR Holdings (S. Ct. Missouri August 2013).
  • Court found that fixed TCPA damages encompassed compensable harms that were covered as “damages.”

SLIDE 49

CONCLUSION

  • Understand the evolving nature and extent of risks in order to properly insure.
  • Audit traditional coverages.
  • Scrutinize necessary coverage each year to match to evolving risks.