Published by Jose Woodhams. Modified over 9 years ago.
1
Presented at: Ctuit Software and Lathrop & Gage LLP Food & Hospitality Roundtable
San Francisco, CA
April 29, 2013
Presented by: Leib Dodell, Esq.
2
Starting Point – Advances in Technology Have Fundamentally Changed Commercial Business Practices
Media and technology have become central to commercial life.
Virtually all businesses – regardless of size or class of business – engage in many forms of “new media” communications.
All businesses collect and store vast amounts of data about employees, customers, vendors and others.
Standard commercial insurance packages were not designed to address these modern uses of technology and have not kept pace with these changes in business practices or exposures – indeed, have excluded many of them.
3
Old Paradigm – “Media/Technology Companies” and “Standard Commercial” Businesses Such As Restaurants Were Treated As Discrete Industry Segments
“Traditional” Media/Tech Companies
“Main Street” Commercial Marketplace
Specialized “Media Liability” or “Tech E&O” Policies
“Advertising Injury” Coverage in GL
GL Policy (exclusion for companies “in the business of” publishing, broadcasting, etc.)
4
New Paradigm – “Convergence” Due to Rapid Advances in Technology
Media Companies
Restaurants and other Commercial Enterprises
Social Media, Viral Videos, In-House Publishing, Data Collection, Behavioral Advertising, Blogs, Etc.
What is the insurance solution?
5
The “Advertising Injury” Coverage Grant
“Advertising Injury” was added to the GL policy in 1976.
The standard ISO CGL policy now provides coverage for four distinct offenses:
(a) Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products, or services;
(b) Oral or written publication of material that violates a person's right of privacy;
(c) The use of another’s advertising idea in your advertising; or
(d) Infringing upon another’s copyright, trade dress or slogan in your advertisement.
6
Problems With This Language As Respects IP/Data Security Claims
First, understand that this is a “throw-in” coverage. Generally the GL carriers aren’t equipped to underwrite these new media exposures and they don’t fully understand them.
No mention of “trademark” in the coverage grant. But it is mentioned in a key exclusion: No coverage for claims “arising out of copyright, patent, trademark, trade secret or other intellectual property rights.”
But... This exclusion does not apply to “infringement, in your advertisement, of copyright, trade dress or slogan.”
What constitutes “advertising”? With respect to websites, only “that part” of site that is “about your goods, products or services.”
7
CGL Problems continued
Right of publicity claims are not addressed.
Claims arising out of bulletin boards and chat rooms are expressly excluded.
As to coverage for data security, many of the same issues:
Is a data breach “publication of material that violates a person's right of privacy”?
On the property side, is a data breach the result of “physical loss or damage” to “tangible property”?
8
Potential Insurance Solutions
“Cyber” insurance – refers generally to insurance for the consequences of a breach of security leading to the release or compromise of data.
Sometimes called “data security coverage” or “privacy” coverage.
Still a relatively new product, developed within the last 10 years.
Very little standardization in wording, pricing, coverage, etc.
Highly competitive insurance marketplace, pricing has been steadily declining in recent years.
9
Two Components to Most “Cyber” Policies
“Third Party” Coverage (also referred to as “Liability” Coverage) for claims against an insured resulting from a breach of data security. Examples include:
Class actions for damages by employees or consumers as a result of breach of Personally Identifiable Information (PII)
Claims by banks or other impacted businesses to recover their losses resulting from a breach (for example, a bank might need to cancel and re-issue a large number of credit cards if there is a large security breach)
Regulatory claims by government agencies (such as the FTC or a state Attorney General) charged with enforcing privacy laws
“First Party” Coverage for costs incurred by the insured organization itself as a result of a breach of data security. There are a number of different components of first party coverage, which are discussed on the following slides.
10
First Party Coverages
Notification costs. Coverage for the costs to notify customers that a breach has occurred, in compliance with state laws. This includes the costs of preparing, printing and mailing the letters, and setting up a call response center.
Credit Monitoring. Coverage for costs incurred by the insured to provide credit monitoring services to individuals impacted by the breach.
Crisis Management. Coverage for costs associated with retaining a public relations firm to manage the impact of the breach on the organization’s brand and reputation.
Cyber Investigation. Coverage for costs incurred by the Insured in determining the cause of the breach and taking corrective action.
Data Restoration. Coverage for costs incurred by the Insured to restore any data lost or destroyed in connection with the security breach.
Cyber Extortion. Coverage for costs incurred by the Insured in connection with responding to a threat of a security breach or cyber attack (including payment of ransom demands).
11
Important Cyber Coverage Considerations
Does the Policy cover all forms of data – i.e., not limited to electronic data and not limited to PII?
Will the Policy respond in the event of a voluntary notification – i.e., where notification is not strictly required by state law?
Does the Policy cover data maintained by the Insured as well as data maintained by third parties on the Insured’s behalf? This is critical given the prominence of cloud computing and other outsourcing of data management.
Does the Policy cover claims by employees in the event employee data is lost (and make appropriate modification of the Insured vs. Insured exclusion)?
Does the Policy cover regulatory claims as well as private actions, and does the definition of damages include civil fines and penalties (including PCI fines/penalties)?
Does the policy cover media/IP claims as well as data breaches? If not, consider Media Liability policy as well.
12
Reference Websites and Other Resources
www.ponemon.org – Research center dedicated to privacy, data protection and information security policy.
www.privacyrights.org and www.datalossdb.org – Contain detailed chronological listings of all data breaches. Excellent sources of loss examples.
www.sans.org – Contains information on security training and offers several free resources that may benefit your clients.
www.fbi.gov/about-us/investigate/cyber/cyber – FBI’s Cyber Crime Website. Keep up to date on e-scams and warnings. Also, report Internet crimes on this site.
www.net-security.org – Tips for security, updates on latest security threats, summary of state notification laws, etc.
13
QUESTIONS?