Tech Law

SPOTLIGHT ON SECURITY

Insurance Industry Buzzes Over Data Breach Ruling

If the rash of data breaches in recent months has done anything for businesses, it’s raised their awareness of cyber liability insurance.

The market for cyber liability insurance is expected to increase dramatically as businesses become more aware that their current policies don’t adequately cover cyber-risks, according to theNational Association of Insurance Commissioners.

However, a three-judge federal appeals panel last week threw into question just how inadequately existing insurance products cover cyber-risks.

Portal’s Pleasant Surprise

The case before the appeals court involves a class-action lawsuit about a data breach at Portal Healthcare Solutions.

Portal has a form of insurance that’s de rigueur for most businesses called a “commercial general liability policy.” It’s a kind of umbrella policy that’s supposed to cover a variety of unforeseen mishaps.

Portal argued that its CGL policy, issued byTravelers Indemnity, should cover the court costs of the data breach lawsuit.

A lower court agreed with Portal, and the appeals court agreed with the lower court.

What makes the decision important, particularly for small businesses that may not be able to afford cyber liability insurance, is that they may have some data breach coverage that they didn’t know they had.

That could cover some gaps in existing coverage, too. Although 64 percent of companies have already gone the cyber liability route, many small breaches fall below policy deductibles, leaving companies to pick up the tab, according to a survey released last month byAdvisen.

Decision’s Limitations

Despite the appellate court’s decision, businesses should not be too optimistic about their CGLs providing a large measure of cyber liability coverage, noted Collin Hite, an insurance recovery attorney withHirschler Fleischer.

Those types of cases very much depend on the language in the policy involved in the case, he told TechNewsWorld.

Moreover, Hite added, the court did not rule on whether Portal’s policy would pay for damages if the healthcare provider lost the case — it only said Traveler’s had to pay the legal costs in the case.

“The court is not saying that Travelers has to pay the verdict or not. All it’s saying is Travelers must pay for the insured’s defense counsel and to defend the case,” he said.

“A lot of times, though, the defense of the case in the most expensive component of the lawsuit because the plaintiffs may not be able to prove any damages,” Hite added.

Short-Lived Victory

Cases like Portal’s are more likely to involve older CGL policies because newer ones specifically exclude anything related to data breaches in the coverage.

“What you see now in most standard liability insurance policies like CGLs is that insurance companies are excluding coverage for liability that arises from a data breach,” said Alex Purvis, an attorney withBradley Arant Boult Cummings.

“What’s unique about the Portal decision is that the policy did not have that type of exclusion,” he told TechNewsWorld. “It may be one of the few remaining policies without that exclusion.”

When Portal’s CGL is up for renewal, it likely will include a cyber exclusion. “This is probably a short-lived victory,” Hite predicted. “The insurers will rally to close what they see as a potential loophole.”

Nevertheless, all companies can learn a valuable lesson from the case.

“If you are a company that faces liability from a data breach, you should not forget some of your standard liability policies, particularly if do not have cyber coverage,” Purvis said.

Cyber Insurance Still Best Buy

Even if some of a company’s cyber exposures are covered in a CGL, it makes more sense to get a cyber liability policy, maintained Jeremy Henley, director of breach services atID Experts.

“I would absolutely recommend companies buy cyber insurance in almost every case,” he told TechNewsWorld.

“The type of policy and the amount can change a lot, but every company has private information and technology involved in their organization, even if it’s just payroll,” Henley continued.

“A cyber policy is a prudent step,” he said. “It’s frankly much safer for a policyholder to look at and consider a standalone cyber policy. It’s really in their best interest.”

Breach Diary

  • April 11. The Washington Post reports data for 44,000 customers of the Federal Deposit Insurance Corp. is at risk after information inadvertently was downloaded to a personal storage device.
  • April 11. Three school districts in Mississippi report dozens of employees have complained about problems filing their federal tax returns due to a data breach at a third-party provider.
  • April 11. Palm Beach County Health Department in Florida announces the U.S. Justice Department has provided it with a list of 1,000 clients who were victims of a data breach at the healthcare provider.
  • April 12. JMW Solicitors announces 5,954 current and former employees of supermarket chain Morrisons have joined a lawsuit against the company seeking damages for data breach that exposed on the Internet personal information of 99,998 staffers.
  • April 12. The Identity Theft Resource Center reports that since 2005, there have been 6,013 reported data breaches in the United States exposing 851 million records.
  • April 13. Facebook announces Account Kit SDK, a method for developers, websites and Web apps to eliminate usernames and passwords to authenticate users.
  • April 13. Wandera reports CBS failed to properly use encryption on its March Madness apps and exposed users’ data to risk of theft. CBS denies apps were vulnerable.
  • April 13. Olympia School District in Washington announces it will offer 2,164 employees free credit monitoring services after their sensitive information was emailed to a fraudster posing as the superintendent of the school district.
  • April 13. American College of Cardiology announces it has notified 1,400 institutions some of their patient data is at risk after it was accidentally posted to a test site. [*Correction – April 22, 2016]
  • April 13. Rockhurst University states it has notified 1,300 people employed by the school in 2015 that their tax information was emailed to a third party posing as a university administrator.
  • April 14. European Parliament gives final approval to the General Data Protection Regulation, which includes a requirement that companies report a data breach within 72 hours of discovering it.
  • April 14. The city of Baltimore announces it is warning all it employees their tax information may have been compromised because of a data breach of its payroll and tax information systems.
  • April 14. U.S. Appeals Court overturns lower court ruling to revive a US$5 million lawsuit stemming from 2014 data breach at restaurant chain P.F. Chang’s.
  • April 14. Market research firm Kantar Worldpanel ComTech reports a 3.2 percent increase in new customer during first quarter for TalkTalk, which last year suffered a data breach affecting 157,000 customers.
  • April 15. Softpedia reports more than 179,000 records from the Fappening Forum, a website known for its nude photos of celebrities, have been posted by Troy Hunt to the Have I Been Pwned? website.

Upcoming Security Events

  • April 20-22. CSA Summit 2016. Lichtstr. 43i, first floor, Cologne, Germany. Registration: 500 euros.
  • April 23. B-Sides ROC. B. Thomas Golisano College of Computing and Information Sciences, Rochester Institute of Technology, 20 Lomb Memorial Drive, Rochester, New York. Free with registration.
  • April 23-24. B-Sides Charm City. Baltimore Convention Center, One West Pratt St., Baltimore. Tickets: $15 to $60.
  • April 25. “Some Musings on Cyber Security by a Cyber Iconoclast.” 1:30-3 p.m. ET. University of New Haven, Tagliatela College of Engineering, Buckman Hall, Schumann Auditorium, room B120, 300 Boston Post Road, New Haven, Connecticut. Presentation by Professor Gene Spafford, Purdue University. Free with registration.
  • April 26. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
  • April 27. Chilling Effects: Insights on How Laws and Surveillance Impact People Online. Noon ET. Berkman Center for Internet & Society, Harvard University, 23 Everett St., Second Floor, Cambridge, Massachusetts. Lecture by Jon Penney, Oxford Internet Institute. Free with RVSP.
  • April 28-29. B-Sides Calgary. SAIT Polytechnic (Orpheus Theater), 1301 16 Ave. NW, Calgary, Alberta. Tickets: students, CA$20; professional, CA$50; VIP, CA$150.
  • April 28. Ransomware Resurgence: Locky and Other “New Cryptolockers.” 2 p.m. ET. Webinar by Cyphort. Free with registration.
  • May 3. Dallas Cyber Security Summit. Omni Dallas Hotel, 555 S. Lamar, Dallas. Registration: $250.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 7. B-Sides Chicago. Concord Music Hall, 2047 N. Milwaukee Ave., Chicago. Free.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • May 20-21. B-Sides Boston. Microsoft NERD, 1 Memorial Drive, Cambridge, Massachusetts. Tickets: $20.
  • May 21. B-Sides Cincinnati. University of Cincinnati, Tangeman University Center, Cincinnati. Tickets: $10.
  • May 21. B-Sides San Antonio. St. Mary’s University, One Camino Santa Maria, San Antonio, Texas. Tickets: $10.
  • June 1-2. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), Atlanta. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 22. Combatting Targeted Attacks to Protect Payment Data and Identify Threats. 1 p.m. ET. Webinar by TBC. Free.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.

*ECT News Network editor’s note – April 22, 2016: Our original published version of this story incorrectly stated that patient data was accidentally posted to a test site on the Internet. However, the test site was NOT on the Internet, the American College of Cardiology’s Beth Casteel informed us. Further, our original story stated that the incident occurred “during a redesign of its national cardiovascular data registry.” The software being developed wasn’t a “redesign” of the National Cardiovascular Data Registry, according to Casteel, but just related software. We regret the errors.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Tech Law

Technewsworld Channels