New technologies and the expansion of the Internet of Things have allowed children of this generation to experience seamless interactive technologies through microphones, GPS devices, speech recognition, sensors, cameras and other technological capabilities. These advancements create new markets for entertainment and education alike and, in the process, collect endless amounts of data from children–from their names and locations to their likes/dislikes and innermost thoughts.

The collection of data through this Internet of Toys is on the tongues of regulators and law enforcement, who are warning parents to be wary when purchasing internet-connected toys and other devices for children. These warnings also extend to connected toy makers, urging companies to comply with children’s privacy rules and signaling that focused enforcement is forthcoming.

Federal Trade Commission Makes Clear That Connected Toy Makers Must Comply with COPPA

On June 21 2017, the Federal Trade Commission (FTC) updated its guidance for companies required to comply with the Children’s Online Privacy and Protection Act (COPPA) to ensure those companies implement key protections with respect to Internet-connected toys and associated services. While the FTC’s Six Step Compliance Plan for COPPA compliance is not entirely new, there are a few key updates that reflect developments in the Internet of Toys marketplace. Continue Reading Regulating the Internet of Toys

“No,” says U.S. Assistant Attorney General Leslie R. Caldwell.  At the most recent Cybersecurity Law Institute held at Georgetown University Law Center in late May, the head of the U.S. Department of Justice’s (DOJ) Criminal Division offered guidance to attendees on how to prevent and combat cybercrime. She also spoke about significant victories that the Criminal Division had achieved with the help of private sector and foreign collaboration. In the last year or so alone, the U.S. government extradited about a dozen high-level cybercriminals from around the world.

In her speech, Caldwell urged the private sector to work more closely with the government, explaining that “the Criminal Division is better positioned than ever before” to help organizations bring intruders to justice, defend networks and prevent cybercrimes from happening in the first place. Among other things, she reported that the new DOJ Cybersecurity Unit has broken new ground, including recently releasing well-received guidance called “Best Practices for Victim Response and Reporting of Cyber Incidents,” which we discussed on this blog post earlier this month  – and made the case for why businesses should not take defensive measures such as “hacking back” against attackers in an effort to punish an attacker or to retrieve or delete stolen data.

Caldwell summed up the Division’s legal position on hacking back: “based on a simple, plain-text reading of the Computer Fraud and Abuse Act, such conduct is generally unlawful.” If that were not reason enough, she explained, businesses should still avoid hacking back for these legal, policy and practical reasons:

  1. Hacking back tactics pose a significant threat to innocent third parties whose infrastructure may be hijacked by cybercriminals, in order to more easily commit crimes and to mask the hacker’s identity during subsequent investigations;
  2. Hacking back can interfere with and irreparably harm ongoing government investigations;
  3. Hacking back carries the danger of dramatic escalation against unknown and potentially sophisticated adversaries who may have powerful and destructive technical capabilities;
  4. Such activities may be illegal in foreign jurisdictions;
  5. Hacking back may have serious effects on international relations and could have foreign policy consequences; and
  6. There is a low likelihood that such activities would be beneficial and yield anything other than the momentary pleasure that comes with taking action.

Caldwell’s points are well taken. From our perspective, one of the best ways for a company to prevent, detect, respond to, remediate, survive and even thrive following a cyberattack is to have in place an effective Incident Response Plan that has been tested, adapted and improved over time to reflect changing technology, business circumstances and emerging threats to the organization. Companies that want to incorporate strategies for hacking back into their plans should carefully consider the legal and practical risks and consult with legal counsel prior to taking any action.

Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of insurance coverage for data breaches, court decisions about whether insureds can force their insurance companies to cover costs for data breaches under the broad language of CGLs have been mixed, and little appellate-level authority exists.

On May 18, 2015, the Connecticut Supreme Court unanimously affirmed a state appellate court decision that an IBM contractor was not insured under its CGL for the $6 million in losses it suffered as the result of a data breach of personal identifying information (PII) for over 500,000 IBM employees. The contractor lost computer backup tapes containing the employees’ PII in transit when the tapes fell off of a truck onto the side of the road. After the tapes fell out of the truck, an unknown party took them. There was no evidence that anyone ever accessed the data on the tapes or that the loss of the tapes caused injury to any IBM employee. Nevertheless, IBM took steps to protect its employees from potential identity theft, providing a year of credit monitoring services to the affected employees. IBM sought to recover more than $6 million dollars in costs it incurred for the identity protection services from the contractor, and negotiated a settlement with the contractor for that amount.

The contractor filed a claim under its CGL policy for the $6 million in costs it had reimbursed to IBM. The insurer refused to pay. In subsequent litigation with the contractor, the insurer made two main arguments. First, it argued that it only had the duty to defend against a “suit,” and that the negotiations between the contractor and IBM were not a “suit.” Second, the insurer argued that the loss of the tapes was not an “injury” covered by the policy.

The Connecticut Supreme Court adopted both of the insurer’s arguments, and the decision highlights two key areas for any company considering whether it needs additional insurance coverage for data breaches: what constitutes an “injury” under a CGL, and when an insurer is required to reimburse a company for costs associated with an injury. First, the court held that the loss of the computer tapes was not a “personal injury” under the CGL, because there had been no “publication” of the information stored on the tapes. In other words, because there was no evidence that anyone accessed or used the stolen PII, the court found that the data breach did not constitute a “personal injury” under the policy—even though the contractor spent millions of dollars reimbursing IBM for costs associated with the data breach.

Second, the court found that the CGL policy only required the insurer to reimburse costs stemming from a lawsuit or “other dispute resolution proceeding.” The contractor’s voluntary negotiations with IBM to reimburse it for the cost of data protection services were not a “suit” or “other dispute resolution proceeding” under the policy. Thus, the court reasoned that the insurer was not obligated to cover the contractor’s costs under the CGL policy.

Even with the recent decision from the Connecticut Supreme Court, however, some companies have been able to get compensation from their insurance providers even without appellate-level precedent. Sony recently settled with its insurers in a dispute over whether the insurers would cover data-breach losses under Sony’s CGL. Sony had sought insurance coverage when it was sued by customers after hackers stole confidential data of millions of Sony PlayStation users. Its insurance claim was based on policy language covering costs for “personal advertising injury,” which the policy defined specifically as “oral or written publication in any manner of the material that violates a person’s right to privacy.” The insurers refused to provide coverage, arguing that under the policy and case-law precedent, an insurer would only be obligated to provide coverage if the insured party caused the data to be published. Because third-party hackers, not Sony, stole the data (and arguably “published” it), the insurers claimed they had no duty to provide coverage.

A New York trial court judge ruled from the bench in favor of the insurance companies, concluding that the policy language only covered injuries stemming from publication of data by the insured, not by a third party such as a hacker. Sony appealed the decision, but prior to a decision from the appellate court, the parties settled for undisclosed terms. The settlement seems to suggest that the insurers were not convinced the appellate court would uphold the trial court’s decision.

While some companies have been successful in obtaining coverage for data-breach liability under their CGL, there are no guarantees. As these cases illustrate, insurers may not willingly provide such coverage under CGLs, requiring companies to engage in expensive legal battles with their insurers about coverage while they are simultaneously defending themselves in litigation arising directly from data breaches. As companies continue to experience major—and costly—data breaches at an increased rate, it is imperative for companies to understand exactly what their CGL insurance policy will cover and to consider obtaining a cyber-specific insurance policy to specifically address data breaches and other cyberattack risks.