cybersecurity

In Internet of Things Era Cybersecurity for Autonomous Vehicles Will Require Restraint

The vulnerability of America’s physical infrastructure has long been at the top of mind for national security officials, but the growing threat of cyberattacks, both state-sponsored and criminal, has led state and federal officialdom to take note. Their concern has been magnified by the increasing number of significant cyber targets in the nation, including key infrastructure. This has prompted the National Highway Traffic Safety Administration and industry stakeholders to work together to combat potential cyberattacks on automated vehicles. In a rapidly evolving and expanding internet of things environment, federal regulators must be flexible to accommodate change, and must resist the urge to ensconce autonomous vehicle cybersecurity guidance in law.

Please click here to read an overview of their strategy, which appeared in Bloomberg BNA, authored by Orrick’s Darren Teshima and Ian Adams.

Preparing for a Ransomware Attack

Ransomware is one of the rising scourges of the business world, with approximately 50% of U.S. companies reporting being hit with a ransomware attack in the past year, according to a recent study. According to the FBI, a 2016 ransomware type that uses unbreakable key-based cryptography compromised an estimated 100,000 computers a day. New ransomware variants are appearing constantly, and companies need to prepare for the possibility of being victimized by this particular type of cyber-attack. The FBI, as well as other security professionals, has recommended a widely accepted, multifaceted preparation strategy—which includes having key insurance coverage in place—that reduces risks and decreases recovery time. Please click here to read an overview of this strategy that appeared in Law360, authored by Orrick’s Darren Teshima and Aravind Swaminathan.

Early Data Breach Insurance Case Discusses Cyber Policy Coverage for Traditional Risks

Last May, we told you that the “waiting has ended” for courts to start weighing in on cyber insurance policies, as the District of Utah issued one of the first federal court decisions construing such a policy in Travelers Property Casualty, et al. v. Federal Recovery Services, Inc., et al., No. 2:14-CV-170. Although the claims at issue were not the sort of data breach and cybersecurity liability claims for which policyholders eagerly anticipate guidance, it was, as we noted, an important step in understanding how a court may approach these policies. In the first weeks of 2016, the Travelers court revisited the May 2015 decision, and affirmed its prior findings in favor of the insurer.

In the May decision, the court had found that under the cyber policy at issue, the insurer had no duty to defend its insured, a payment and account processing company, against tort claims alleging that the insured improperly—and intentionally—withheld customer payment and account data that the plaintiff, a gym network, had entrusted to it.

The policy at issue was a Travelers CyberFirst Technology Errors and Omissions Liability Form Policy. Under the policy, the duty to defend attaches when the plaintiff’s suit alleges an action by the insured that, if true, would constitute a covered claim under the policy. The insured sought coverage through an E&O module that provided coverage for “any error, omission, or negligent act.” The plaintiff alleged, however, that the insured acted with “knowledge, willfulness, and malice.” The court held that because the complaint alleged intentional, rather than negligent, misconduct, the insurer did not have a duty to defend.

Cyber Insurance: An Overview of an Evolving Coverage

Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.

Data breaches and cyberattacks occur across all sectors. In the past year there have been highly publicized mega-breaches of technology companies, entertainment companies, retailers, financial services companies, health insurers, manufacturers, and the federal government’s Office of Personnel Management. Even the most sophisticated systems are vulnerable to a data breach. And companies with any potential exposure—which includes any company that maintains employee information—are increasingly looking to cyber insurance as one way to manage the cost of a data breach.

Our article “Cyber Insurance: An Overview of an Evolving Coverage” provides an overview of cyber insurance. The first section (What Is Cyber Insurance?) describes the risks faced by companies and the coverage offered by cyber insurance. The second section (The Development of Cyber Insurance) describes the development of cyber insurance as a specialized coverage, the impact on cyber insurance development of breach notification laws, and the limits of coverage of existing insurance. The third section (Where Is Cyber Insurance Heading?) discusses the key coverage and exclusion battlegrounds in these policies, the emergence of cyber insurance litigation, and the challenges presented by the Internet of Things. We hope that companies will benefit from a better understanding of the scope and value of cyber insurance in making decisions about its value as one among different means of proactively enhancing their IT Security posture.

The Cyber Coverage Jungle: How to Cut Your Way Through

What’s a risk manager to do? The “cyber” insurance marketplace can seem like an impenetrable thicket filled with a baffling array of disparate, disconnected coverages, a lack of any uniformity in policy wording, vast disparities in cost, and little available guidance. Comparing the quality and cost-effectiveness of competing products is a daunting task. It’s enough to make a risk manager’s head ache: How do I choose among the products the broker has presented to me? Am I buying the right types of coverage, in the right amounts, and at the right price? How can I demonstrate to my management that I am making the right choice?

The challenge is often compounded because the company approaches the purchasing decision from the wrong direction. When a company decides it needs cyber coverage, it generally starts by asking its broker: What’s available in the marketplace?  What’s the broadest coverage I can get at the best price? The broker then collects basic information about the company’s business and finds some insurers willing to quote. The broker comes back to the company with several proposals—each consisting of a policy form, a schedule of coverage limits the insurer is willing to offer, and the corresponding premiums at which the insurer is willing to sell. Although the policy forms are not standard vis-à-vis one another, each one is standard for that insurer. Consequently, each insurer’s receptiveness to changes to the form may range from minimal to non-existent. The package may include a few endorsements designed to address issues specific to the individual company, but the policy as a whole can hardly be said to be tailor-made.

All too frequently, the company doesn’t start by asking itself the most important questions: Why do we need cyber coverage? What is our risk in relation to cyber events? Without knowing the answers to these questions, selecting from among the often widely differing options becomes an even more bewildering process. The result can be a cyber package including a hodgepodge of coverages, many of which are not responsive to the company’s risk profile—providing unnecessary coverages for which the company nevertheless must pay premiums, and leaving important gaps in coverage.

By contrast, the more rigorous the company is in analyzing its own risk factors before approaching the marketplace, the better job the broker can do in identifying the right insurers with the right policy forms, the better job the insurers can do in assessing the risk and pricing the coverage, and the better job the risk manager can do in evaluating the products being offered.

Does the Schrems Decision Open the Door to New Cyber Insurance Exclusions?

The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.

The Safe Harbor program has been in place since 2000 and was meant to bridge the gap between the regulatory requirements for handling of personal data in the EU and U.S. The Safe Harbor created a self-certification mechanism by which companies in the U.S. could opt into a set of rules governing the handling of EU personal information in order to meet EU privacy law requirements. If a company opted in, it was then able to receive data transfers from the EU to the U.S. without further approval.

The Schrems ruling, explained in detail here by our privacy team, found that the Safe Harbor protections afforded were in fact not adequate. The CJEU noted that the protections required to meet Safe Harbor obligations could actually be disregarded for a number of reasons, including at the request of certain government entities or where preempted by U.S. law. The CJEU held that a company’s decision to opt into the Safe Harbor therefore does not necessarily protect the personal data of EU citizens and it would no longer consider such Safe Harbor participation by a U.S. company sufficient to meet the requirements of EU privacy laws.

Although the sharing of information between the EU and U.S. will not be immediately halted – the ruling allows an EU nation’s supervisory authorities to evaluate the treatment of data in a particular case – if no resolution is reached by January, there is a possibility (discussed here) that at least some EU nations will follow the CJEU’s lead and commence regulatory investigations and proceedings to evaluate specific data transfers to U.S. companies. For companies that once relied on the Safe Harbor program, there may be implications for their purchase or renewal of cyber insurance.

Cybersecurity and Schools: A Learning Opportunity

Data breach here, data breach there, data breach everywhere? Every day we are learning about the importance of and risks associated with cybersecurity. Those risks are not limited to big corporations or even the private sector. Schools, of all levels, are increasingly faced with cybersecurity-related questions and potential for liability, and they are beginning to seek coverage for those risks. But educational institutions as policyholders have issues in addition to those affecting large, company-wide databases that are usually considered when procuring cyberinsurance policies. Educational institutions as policyholders must ensure that any coverage they procure covers these risks.
