CGL Coverage B and Specific Products Covering Data Breaches Primerus Convocation Amelia Island, FL April 2015

Chuck Allen Goodman, Allen & Filetti, PLLC Richmond, VA Frank Nappi Willis Group Pittsburgh, PA Josh Ladeau Allied World Insurance Farmington, CT Tom Paschos Tom Paschos & Associates Haddonfield, NJ

 Variety of risk events  Variety of data at risk  Various studies (all with significant caveats)  Verizon, 2014 Data Breach Investigations Report  Ponemon Institute – 2014 Cost of Data Breach studies  NetDiligence – Cyber Liability & Data Breach Insurance Claims (2014)  Romanosky, etal – Empirical Analysis of Data Breach Litigation

NetDiligence®Ponemon Institute Records per Incident Mean: 2,400,000Mean: 29,087 Median: 3,500 Cost per IncidentMean: $733,109Mean: $5,900,000 Median: $144,000 HC Co Mean: $1,300,000 Cost per RecordMean: $956.21Mean: $201 Median: $19.84HC Ind. Mean: $316 Range: $0 to $33,000Svc Ind. Mean: $223 PHI IncidentsAverage records per incident2769 % of Org with at least 194% % of Org with 5 or more45% Average economic impact$2,400,000

NetDiligence® Range:$600 to $6,500,000 Median payout$144,000 Mean payout$733,109 Median per record payout$19.84 Average per record payout Median cost for legal defense$282,300 Average cost for legal defense$698,707 Median settlement cost$283,300 Average settlement cost$558,520 Median crisis services cost$110,594 Average crisis services cost$366,484 Percent of claims from Co with < $50 M rev23% Percent of claims form Co with < $300M rev75%

 Nine Basic Patterns  Point of Sale Intrusions  Payment Card Skimmers  Physical Theft and Loss  Insider Misuse  Denial of Service Attacks  Crimeware  Web Application Attacks  Cyberespionage  Miscellaneous Errors  The industry may determine the pattern of greatest risk

Commercial Crime Policy  Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012)  U.S. Court of Appeals for the Sixth Circuit held that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy.

 Hacker accessed credit card and checking account information from 1.4 million DSW customers.  AIG’s argued exclusion for “loss of proprietary information, trade secrets, confidential processing methods, or other confidential information of any kind” applied.  Court held exclusion applied only to “secret information of [the policyholders] involving the manner in which business is operated” and did not apply to DSW’s claim  Customers’ banking information was not confidential information of DSW and did not involve the manner in which it operated its business.

Sometimes there is limited D&O coverage available for cyber breaches. Examples:  Some not-for-profit healthcare organizations (e.g., hospitals, large physician practices) may include an extension by endorsement for HIPAA Fines & Penalties.

Examples :  Shareholder lawsuits may follow a data breach event which alleges wrongdoing by a company’s leadership. Such lawsuits may implicate D&O coverage.  Some D&O policies – generally those purchased by private companies – may also provide “entity” or company coverage for a loss like a data breach as well

Zurich Am. Ins. Co. v. Sony Corp. of Am., Case No /2011 (N.Y. Sup. Ct. February 21, 2014)  Hackers attacked Sony’s networks and stole nonpublic personal information of 100M people.  64 class action lawsuits (since consolidated) on behalf of network users followed as well as investigations by a variety of government entities.

 Sony sought coverage from CGL carriers under the personal and advertising injury coverage  Insurer’s position was that the personal and advertising coverage insures only purposeful conduct by an insured. Publication of private information by a third party fell outside the policy's coverage.  NY Court agreed with Insurers.

 General overview  Policy characteristics  Potential Cyber Risk Insurance Problems