cyber-liability and data loss claims: a clase study from notice of occurrence through conclusion

Cyber Liability and Data Loss Claims: A Case Study From Notice of Occurrence Through Conclusion

Part I – The “Reasonable” Perils of Data Security

Yanai Z. Siegel, Esq.Counsel, Shafer Glazer, LLP

New York, NY

Data Breaches“When we think about data breaches, we often worryabout malicious minded computer hackers exploiting

software flaws, or perhaps Internet criminals seeking toenrich themselves at our expense.

But the truth is that errors and negligence within theworkplace are a significant cause of data breaches that

compromise sensitive personal information.”

Privacy Rights ClearinghouseMarch 6, 2012

3

Privacy Studies

In-depth survey of recent data breach incidents:• 8% due to external cyber attack• 22% due to malicious employees or other insiders• 37% due to malicious or criminal attacks• 39% due to negligence

• Survey permitted attribution of events to two causes.• Loss of laptops or other mobile devices topped survey• Mishandling of data “at rest” or “in motion” were major contributors.

The Human Factor in Data Protection, Ponemon Institute, 2012

Negligent Document Disposal

Rock Bottom Auto Sales, December 7, 2012• 8 Bags of Credit Applications• Contained Names, Driver’s License Info, SSN’s• Found unattended on a dirt road in Hudson, Florida

West Pittsburgh Partnership, December 10, 2012• Job Placement Documents found in a dumpster• All Contained Names and SSN’s

Internal Revenue Service, 2008• Disposed of taxpayer documents as regular waste• Failed to consistently verify that contractors with access to those

documents passed background checks.

Data In Motion

Unencrypted Laptop Lost• Univ. of Mississippi Medical Center,March 22, 2013

• Contained patient names, SSN’s, addresses, diagnoses, PII• Only protected by a password

Unencrypted USB Flash Drive Stolen• Georgia Middle School Teacher’s car on January 8, 2013• Unencrypted flash drive containing student SSN’s

Unencrypted Backup Tapes Missing in Transit• TD Bank, March 2012… reported by Calif. AG March 2013• Contained Customers & dependents SSN’s, account info, credit and debit

card numbers and addresses

Data At Rest

South Carolina Department of Revenue, October 2012• Employee clicked on a link in a “salacious” email.• Compromised computer inside security perimeter• 3.8 Million Tax Records accessed by “international hackers.”

Town of Brookhaven, New York. June 6, 2013• Law Enforcement employee failed to click “No Public Access”

• On post to town website.• SSN’s of 78 Ambulance workers and beneficiaries published

• Attached to town resolution.

State Statutory Law – U.S. 46 States have Data Breach statutes or regulations

• May include provisions mandating notice • To state agencies• To Law Enforcement• To Affected Individuals

Many have additional state-level Data Privacy Laws• New York General Business Law §399-h:

• Disposal of Records Containing Personal Information.• “Record” – Any information kept, held or filed• “Personal Information” – containing SSN, Driver’s License, and more…

• When either data is unencrypted or • Encrypted with key included in the same record as the personal info.

• “Personal Identification Number”• Any number or code which may be used… to assume the identity of another person or

access financial resources or credit of another person.

New York State Record Disposal Requirement

“Business Person”• Any natural person, or agent or employee of such person that is

conducting business for profit. Disposal of Records Containing PII.

• Business Persons may not dispose of a record containing PII unless:• Record is shredded prior to disposal• PII contained within record is destroyed• Records modified to make PII unreadable• Follows commonly accepted industry practice to prevent unauthorized persons to

gain access to PII in records.

Penalty: $5,000 fine per occurrence.

Personal Identifying Information

As defined by NY Gen. Bus. Law §399-h:• SSN, Driver’s License Number or Non-Driver ID Card, or:

• Mother’s Maiden Name• Financial Services Account Number or Code• Savings Account Number or Code• ATM, Debit Card Number or Code• Electronic Serial Number or Personal Identification Number

As defined by Administrative Code of the City of New York § 20-117• Date of Birth, SSN, Driver’s License#, Non-Driver Photo ID

• Mother’s Maiden Name, Personal ID#• Financial Services or Brokerage Account Number or Code• Checking or Savings Account Numbers or Codes• ATM, Credit or Debit Card Number or Code• Computer System Password, Electronic Signature• Unique Biometric data

• Fingerprint, voice print, retinal image or iris image of another person.

Case Study I – McLoughlin v. People’s United Bank(August 31, 2009) People’s United Bank (“PUB”), based in Connecticut

• Contracted with Bank of New York Mellon (“BNY Mellon”) for data services BNY Mellon, based in New York

• Maintained unencrypted backups for data services provided• Contracted with 3rd Party to provide PUB Data Backup Transport

• Feb. 27, 2008, Transport Truck with broken lock left unattended• Box of six to ten unencrypted backup tapes went missing, in New Jersey

PUB and BNY Mellon sued in class action by PUB depositors• Negligence in backup practices• Deception in statements of standard of care of data• Increased Risk of Identity Theft• Failure to properly notify depositors of data breach

Case dismissed for failure to prove damages. State AG settled.


Part II – Cyber Liability Claims, Regulatory Structure and Enforcement of Data Privacy Laws

Bruce H. Raymond, Esq.Partner, Raymond Law Group LLC

Glastonbury, Connecticut

Case Study II – Atteberry v. Schnuck Markets

Defendant Schnuck Markets, Inc., a Missouri corporation• Supermarket Chain operating in Missouri, Wisconsin, Iowa and Illinois• Computer System Compromised, breach discovered on March 15, 2013• Credit/Debit Card info and other PII accessed by unauthorized user• Notice to customers provided via press release on March 30.

Class Action Complaint filed May 22, 2013 filed against Schnuck• Alleging:

• Violation of Illinois Consumer Fraud & Deceptive Business Practices Act• Breach of Implied Contracts• Invasion of Privacy• Negligence• Third Party Beneficiary Claims

Questions of Law & Fact

Common questions of law and fact to all claimed Class Members:• Whether Schnuck failed to adequately secure and protect PII• Whether Schnuck violated state data breach notifications statutes

• Schnuck waited two weeks before issuing Press Release.• Whether Schnuck breached an implied contract with its customers• Whether Schnuck breached customers’ privacy by disclosing private facts• Whether Schnuck was negligent.

Private Cause of Action

Damage Claims alleged:• Failure to notify appropriately is a private cause of action in Illinois• Implied contract breach by Schnuck

• Customer obligated to provide card & PIN• Schnuck obligated to protect and reasonably safeguard customer info

• Customers needed to devote time to cancel prior cards, set up new ones• “To mitigate now heightened risk of further and future identity theft”• Thereby causing tangible damages.

• Disclosure of Customers’ PII constitutes Invasion of Privacy• Third party beneficiary of Schnuck’s Payment Card Industry agreements

• And Schnuck’s failure to comply with PCI DSS.• Negligence if not Intentional Conduct by Schnuck

U.S. Federal Regulatory Infrastructure

Sector-Based Federal Statutes, enforced by:• FEDERAL TRADE COMMISION:

• Deceptive Trade Practices: Commercial conduct that includes false or misleading claims or claims that omit material facts. Consumer injury not required to be actionable.

• Unfair Trade Practices: Commercial conduct that causes (or is likely to cause) substantial injury to consumers that Consumers cannot reasonably avoid themselves without offsetting benefits to consumers or competition.

• U.S. DEP’T OF HEALTH AND HUMAN SERVICES• HIPAA, HI-TECH and Personal Health Information (“PHI”)• Office of Civil Rights: HIPAA Privacy Rule• Center for Medicaid Services: HIPAA Security Rule

Other Regulatory Infrastructure

State statutes on data breach notification and other areas of data privacy are enforceable either by:• State Attorney General• If so provided, by Private Cause of Action directly from affected Consumer

International Law• Comprehensive Model: European Union• Sectoral Model: Japan (and United States)• Co-Regulatory and Self-Regulatory: Industry sets standards

• Co-Regulatory: With governmental support (Australia and New Zealand)• Self-Regulatory: Without governmental support (eg. PCI DSS)

Reducing Exposure

Preparing for a data security incident• Data Security Risk Assessment PRIOR to events• Address potential security issues• Set up Response Team and Plan, just in case…

Managing a data security incident• Technical Support for data forensics and remediation• Legal Support for compliance and defense preparation• Management Support and Communications

Defending against Cyber Liability Claims


Part III – Privacy and Network Security Insurance

Josh LadeauAssistant Vice President

Technology, Privacy and Network SecurityAllied World Assurance Company

Financial Impact of a Breach

Industry Class/Type of Information Stored or Processed Determining Extent of Breach Volume/Sensitivity of Information – Mass General, BCBS TN Notification to Clients and Credit Monitoring Regulatory Reaction Public Relations Potential for Liability Suits Lost Income and Costs to Restore Information Reputation/Long-term Impact

How Can Insurance Help?

Policy Structure Reimbursement/Pay-on-Behalf for 1st Party Costs Vendor Relationships Regulatory Coverage Defense and Settlement Business Interruption

Proactive Underwriting

Application Process as a Risk Management Tool Policies and Procedures Technical Controls Most Needed And Most Effective for Small and Mid-market Risks Awareness Key Impact to Premium/Coverage