Insight

Cyber School

Cybersecurity and the Claims and Litigation Management Alliance’s School of Cyber Claims

Elizabeth S. Fitch and Theodore M. Schaer

March 31, 2016 12:00 AM

According to the 2015 McAfee Security Paradox Report, 63 percent of midsize U.S. companies have experienced a data breach.

WHY?

Lack of proper cyber education makes them easy targets for hackers. According to the 2015 NetDiligence Study, the average payout was $1.2 million with average legal costs of $434,000 and crisis services cost of $539,000.

THE TAKEAWAY?

All businesses are targets. When it comes to a cyber breach, it’s not “if;” rather, it’s “when.”

WHAT IS THE GREATEST CYBER THREAT?

Ignorance. When thinking of cyber exposures, what comes to mind are systems failures, and the human element is often overlooked, but according to the Poneman Institute, 35 percent of cyber breaches are due to human failings. Eighty-five percent of office workers, for example, have been duped by social engineering.

Employee ignorance is one risk factor, but ignorance at the executive level is even more disconcerting. Most executives are under the misimpression that cyber risk is an IT problem. Yet, system glitches account for only 29 percent of data breaches, so relegating the responsibility of mitigating cyber risk to the IT department fails to address 70 percent of a company’s vulnerabilities.

“DATA SECURITY IS AT THE FOREFRONT OF FEDERAL ENFORCEMENT ACTIONS."

Executives and insurance brokers alike have assumed that traditional insurance policies, such as comprehensive general liability policies (CGL), provide protection for damages flowing from a cyber breach. This is not necessarily true. For instance, in Zurich American Insurance Company v. Sony Corporation of America, Sony sought coverage under its Zurich’s CGL policy for theft of customer personal information by online hackers. Zurich filed a declaratory relief action requesting a ruling that the data breach did not qualify as bodily injury or property damage. Sony countered that the breach fell within the purview of the personal and advertising injury provision of the policy. The New York Supreme Court rejected Sony’s position and found that coverage was not afforded. Despite court rulings favoring insurance companies, the insurance industry has responded to cyber breach claims with sweeping policy exclusions that limit or eliminate coverage under traditional policies. The lesson learned is that executives and insurance brokers need to better understand the cyber threats, company vulnerabilities, and insurance
coverages available.

Although the insurance industry has developed new cyber products, market confusion over the scope of coverage exists. Standalone cyber insurance policies are a complex hybrid of first- and third-party coverage. Because risk is ever-evolving, there are gaps in coverage. This is further complicated by statutes and regulations, inconsistent case law, and procedural peculiarities throughout the United States. Business executives, insurance brokers, underwriters, and claims professionals need to understand technology and the risks it presents, need to know coverage forms and how to analyze cyber applications, and know how regulatory actions and third-party claims trigger coverages.

WHY IS THE LEARNING CURVE SO STEEP?

Technology is rapidly changing, hackers are becoming more sophisticated, and the laws are constantly evolving. Every day hundreds of new apps hit the market. The pending technology patent applications alone evidence the ongoing technology revolution. Real-time client/customer data compounds the problem. While most executives and risk managers profess to understand technological basics, most acknowledge that they have no understanding of the complex security controls used to protect information security systems.

Conversely, hackers have embraced the technology revolution and continue to develop more sophisticated tactics to prey upon people’s trusting nature. Spoofed emails lead users to visit infected websites designed to appear legitimate. Secretly installed spyware then tricks users into divulging personal information such as credit card numbers, passwords, and social security numbers. Hackers are leveraging social media to learn personal details about targeted individuals and then carefully crafting emails to trick employees to turn over valuable data and give access to bank accounts.

Federal and state governments have enacted privacy laws to protect personal information. Congress has passed privacy legislation that governs virtually every industry, from health care to education to the financial sector, but they are complex and difficult to understand. Similarly, federal agencies that have regulatory authority over particular business sectors have promulgated rules and regulations and have increased their regulatory enforcement, seeking fines and penalties. The Federal Trade Commission has been emboldened by a recent Third Circuit opinion in FTC v. Wyndham World Wide Corporation, in which the FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years. The Third Circuit held that the FTC has the authority to regulate cybersecurity, opening the floodgates to regulatory actions. For example, on February 3, 2016, an administrative law judge ruled in favor of the Office of Civil Rights and levied $239,800 in sanctions against a health care provider for HIPAA violations, showing that data security is at the forefront of federal enforcement actions.

Currently, 47 states have enacted breach notification laws and all 47 mandate notification to individuals whose personal information may be compromised—but key differences do exist. Fifteen states require notification to governmental agencies and 27 states require notification to national credit reporting agencies. Couple this with complex third party litigation, and executives, risk managers, and claims professionals are experiencing information overload.

RIGOROUS TRAINING AND EDUCATION IS MISSION CRITICAL TO MITIGATING THE COST OF CYBER BREACHES.

Cyber risk mitigation poses unique challenges, from adopting best practices in proactive defense against breaches to maintaining appropriate cyber insurance and the management of cyber breach claims. Cyber risk education has typically been segmented and general. What is missing in the cyber education arena is an integrated program.

The Claims and Litigation Management Alliance’s School of Cyber Claims is the first of its kind in that the three-year program has a rigorous curriculum integrating technical, legal, and insurance courses with real world scenarios. The school was specifically designed to provide participants with technical and practical knowledge to proactively and effectively manage cyber claims arising under traditional insurance policies and stand-alone cyber insurance policies. The program will cover the unique security risks associated with mobile computing, teleworking, and cloud and website technologies. Students will learn about authentication, intrusion, detection, and prevention techniques such as biometric encoding, security socket layers, firewalls, virus protection, and cryptography. With this solid technical foundation, the program provides an in-depth analysis of costs and damages arising out of first-party claims and third-party claims, coverage litigation of insurance policies, and the practical implications for cyber claims handling and coverage analysis.

The school’s faculty comprises cyber insurance and risk management industry leaders, whose experience and innovative curriculum arm the students with the tools necessary to evaluate, interpret, and apply traditional insurance policies, cyber insurance policies to claim scenarios, along with the skills to proactively and cost-effectively manage those claims.

A Startup Accelerator Program Sets Cuatrecasas Apart

by Best Lawyers

Miguel de Almada and Frederico Bettencourt Ferreira from the Portuguese firm discuss their 2019 "Law Firm of the Year" award for Litigation and Arbitration.

Opening Pandora's Box in Portuguese Tax Law

by Best Lawyers

Diogo Ortigão Ramos discusses Cuatrecasas' 2019 "Law Firm of the Year" award for tax law in Portugal.

Cuatrecasas Law Firm of the Year Interview

Supreme Court Opens New Door for Personal Injury Claims Under RICO

by Bryan Driscoll

The litigation landscape is rapidly shifting

Personal injury RICO claims marijuana hed

The Litigation Finance Mass Tort Gold Rush

by Justin Smulison

Third-party litigation funding is transforming mass torts, propelling the high-risk area into a multi-billion-dollar industry

IN PARTNERSHIP

Trial Lawyers Fight to Protect Individuals from Abuse

by Esquire Bank

With Esquire Bank's financial support, Elise Sanguinetti was able to challenge and end the Forced Arbitration Act. Her legislation continues to help other trial lawyers attain justice for abuse survivors.

Lawyer Elise Sanguinetti Fights to Protect People from Abuse

Combating Nuclear Verdicts: Empirically Supported Strategies to Deflate the Effects of Anchoring Bias

by Sloan L. Abernathy

Sometimes a verdict can be the difference between amicability and nuclear level developments. But what is anchoring bias and how can strategy combat this?

Lawyer speaking in courtroom with crowd and judge in the foreground

Tampa Hospital Suffers Recent Data Breach

by Gregory Sirico

Tampa General Hospital, a non-profit research based medical center, suffered a sizeable data breach that put 1.2 million patients' information at risk.

Laptop reading hacked with translucent medical model in foreground

Protecting Small Business Owners: Trial Experts Connick Law LLC Notoriously Successful with Fire Litigation

by Justin Smulison

When small business owners become the target of insurance companies in fire-related lawsuits, hiring a firm with a reputation for understanding the science of fire suppression trials can save their livelihoods.

Gold Indoor Sprinkler Heads on Red Background

Will Recent Boeing Settlements Create Tailwinds In Corporate Law?

by Justin Smulison

Prominent litigation against Boeing is setting a precedent of accountability, professionalism and commitment among company boards as well as ushering ESG further into the courtroom to help monitor and prevent safety issues.

Recent Boeing Settlements and Corporate Law

Colorado's Best Lawyers 2022

by Best Lawyers

Our 2022 Colorado's Best Lawyers publication features top-ranked legal talent in Boulder, Denver and Western Colorado.

Newly Launched COVID-19 Litigation Project Offers Open Access To Pandemic-Related Court Judgments From Over 70 Countries

by Sara Collin

A worldwide database of COVID-19 cases is uniting more than 70 countries as judges, lawmakers and lawyers continue to navigate pandemic related litigation and the ways in which it’s evolving amid year three.

Look for the Zoom Label

by Anne R. Yuengert and Matthew C. Lonergan

Will the virtual platforms that got such a boost during the pandemic replace how you interact with your employees, unions, and lawyers?

Virtual Platforms Replacing Work Interactions

Discovery in the Time of COVID-19

by H. Barber Boone

The pandemic has affected the vital process of legal discovery in ways both good and bad. Which changes are likely to become widely accepted in the years ahead?

Busting a Trust

by Joseph Marrs

The rules governing trusts and asset distribution are often much more flexible than many might assume. Here’s a primer.

The Next Chapter

by Patrick M. Shelby

Among its uncountable other disruptions, the pandemic upended U.S. bankruptcy procedures. Congressional relief, legislative changes, amended legal provisions: What lies ahead for those looking to file?

COVID-19's Impacts on Bankruptcy Procedures

Phoning It In

by Crystal S. Wildeman, Ashley C. Pack and Alyson M. St. Pierre

It’s not easy for employers to weigh requests from employees to work from afar, even in the wake of the pandemic. Considerations include COVID-19, vaccinations, the Americans with Disabilities Act and the nature of the job itself.