On June 28, 2018, California passed a historic privacy bill (AB 375) that mirrors some of the privacy obligations that recently came into effect in Europe under the General Data Protection Regulation (“GDPR”). The new California Consumer Privacy Act of 2018 (the “Act”) will go into effect on January 1, 2020. The new law requires greater transparency in information practices and gives individuals powerful new rights with respect to their personal information. Complying will be a challenge for many American businesses, in particular those that have not had to grapple with GDPR. Continue reading “California Corner: California Passes Historic Privacy Law: What to Consider Now to Reduce Future Financial Exposure”
The General Data Protection Regulation (“GDPR”) goes effective tomorrow. Companies are considering the consequences and attempting to determine whether they are compliant or how to get there, whatever “compliant” ultimately will be determined to mean as time progresses under GDPR. In considering the consequences of failure to comply, companies are, or should, also be thinking about whether they can transfer risk, including to insurance, and whether their current insurance policies will do the trick. Many companies now have cyber insurance, but cannot presume that their current cyber policy will protect against GDPR exposures. So, as we welcome in GDPR, the internal corporate conversation should include discussion of whether existing cyber policies are enough, or what needs to be done to fortify insurance protection against unknown future GDPR financial exposures.
As cybersecurity incidents continue to mount and as the issue of data security becomes increasingly important and a source of potential liability, companies should consider whether their standard commercial general liability (“CGL”) policies provide adequate coverage. The case law, although limited, suggests that policyholders might face an uphill battle in obtaining coverage.
In Innovak International, Inc. v. The Hanover Insurance Company, No. 8:16-cv-2453-MSS-JSS, — F. Supp. 3d —, 2017 WL 5632718 (M.D. Fla. Nov. 17, 2017), the Court found that the insurer was not required to provide a defense to the policyholder because the underlying complaint did not allege that the policyholder published the private data. Innovak develops and markets accounting and payroll software and maintains a database accessible via Internet portals. The complaint alleged that as a result of Innovak’s negligence, hackers were able to access class members’ personal information, including social security numbers, addresses, dates of birth, telephone numbers, employment information, and spousal information. The complaint included claims for negligence, breach of implied contract, gross negligence, unjust enrichment, and fraudulent suppression. The claimants alleged that they suffered psychic injuries including stress, nuisance, loss of sleep, worry, and the annoyance of dealing with the data breach. Continue reading “CGL Coverage for Cyber Data Breaches: Court Finds No Coverage unless the Policyholder Itself Publishes the Private Information”
In Part I of this two-part series, I identified first-party and third-party insurance claims that could result from a cyber event or attack on the Smart Grid. In this part, I examine how insurance policy language governs resolution of these claims and how to minimize gaps in coverage.
Examine Your Insurance Policies
Traditionally, third-party losses are covered by a company’s commercial general liability (“CGL”) policy. To qualify for coverage under a CGL policy, the policyholder typically must be confronted with a claim for “bodily injury” to another person or “physical injury to tangible property” (collectively known as “Coverage A”), or with a claim for “personal and advertising injury” (injury arising out of certain enumerated offenses such as malicious prosecution or invasion of privacy) (“Coverage B”). Various disputes have arisen as to whether cyber-related losses fit within these coverages. Continue reading “Be Smart about Insurance for the Smart Grid: Coverage for Losses from Cyber Events—Part II”
In this part of our two-part series, I identify the types and breadth of insurance claims that can result from a cyber breach or cyberattack on technologies deployed in the Smart Grid industry. These claims can affect a full range of entities and individuals, including electric utilities implementing Smart Grid technology, energy consumers, Smart Grid technology suppliers, and their individual officers and directors. Continue reading “Be Smart about Insurance for the Smart Grid: Coverage for Losses from Cyber Events—Part I”
At the beginning of 2017, many publications predicted that ransomware would be one of the most significant cyber threats of the year. The year is not even half over and that prediction appears to be coming true.
On Friday, May 12, 2017, tens of thousands of organizations and companies across the world fell victim to a virulent form of ransomware known as “WannaCry.” The global event has been recognized as one of the largest cyberattacks ever. Continue reading “Ransomware and Cyberinsurance”
This blog post is Part Two of our blog series and highlights several strategies for maximizing the value of a cyber insurance purchase. Part One of the blog series, highlighted the need for an organization to reevaluate its insurance coverage as part of a comprehensive strategy for addressing emerging cyber risks and outlined several ‘‘big picture’’ considerations relevant to any organization contemplating a cyber insurance purchase. This second part focuses on several strategies to consider when negotiating a cyber insurance purchase and seeking to customize a policy to align with an organization’s particular business needs. Continue reading “Managing Cyber Risks: Tips for Purchasing Insurance That Works for Your Business (Part 2)”