data breaches
Subscribe to data breaches's Posts

When Seeking Cyber Coverage, Preparation is Key

In 2014, major data breaches were reported at retailers, restaurants, online marketplaces, software companies, financial institutions and a government agency, among others.  According to the nonprofit Privacy Rights Clearinghouse, 567 million records have been compromised since 2006.  Companies with data at risk should consider purchasing so-called cybersecurity insurance to help them weather storms created by assaults on their information infrastructure.  A company’s insurance broker and insurance lawyer can be of significant help in procuring insurance that meets a company’s need.

As an additional benefit, preparation for the cybersecurity insurance underwriting process itself likely will decrease the risk of a debilitating cyber incident.  The underwriting process for cybersecurity insurance is focused on the system that a company employs to protect its sensitive data, and can be detailed and exhaustive.  Like other insurance carriers, cybersecurity insurance carriers use the underwriting process to investigate prospective policyholders and ascertain the risks the carriers are being asked to insure.  Before applying for cybersecurity insurance, companies should perform due diligence on their information systems and correct as many potential risks as possible before entering the underwriting process.

Applicants for cybersecurity insurance may expect to answer questions about prior data breaches, information-technology vendors, antivirus and security protocols, and the species of data in their custody.  Carriers might also ask about “continuity plans” for the business, the company’s security or privacy policies, whether those policies are the product of competent legal advice, whether the company’s networks can be accessed remotely and, if so, what security measures are in place.  The investigation might even extend to a company’s employment practices, such as password maintenance and whether departing employees’ network access is cancelled prior to termination.  If a company has custody of private health information, carriers might delve into a company’s compliance with the Health Insurance Portability and Accountability Act of 1996.  Anything that makes a company more or less at risk for a data breach is fair game in the cybersecurity underwriting process.

Due diligence and corrective action prior to approaching an insurance company should yield three related results.  First, it should reduce the company’s risk of a data breach.  Because the insurance carriers are focused on what makes a company a larger or smaller risk to underwrite, companies can use carriers’ underwriting questions as a roadmap to improving the security of their information-technology systems.  Second, it should make the company more attractive to the prospective insurance company.  Insurance companies obviously prefer policyholders that do not present substantial risk of claims.  A company’s ability to present its systems as safe and secure will give a carrier a greater degree of comfort in reviewing and approving the application for insurance.  Finally, it should reduce the company’s premium for cybersecurity insurance.  Premium rates have a simple, direct relationship with risk.  As a policyholder’s risk profile increases, so too does the premium.  Shoring up gaps in a company’s security profile therefore should pay dividends in lower insurance costs.

Companies with sensitive data in their care should investigate options for cybersecurity insurance.  In [...]

Continue Reading

read more

California Continues to Lead with New Legislation Impacting Privacy and Security

At the end of September, California Governor Edmund G. Brown, Jr. approved six bills designed to enhance and expand California’s privacy laws. These new laws are scheduled to take effect in 2015 and 2016.  It will be important to be mindful of these new laws and their respective requirements when dealing with personal information and when responding to data breaches.

Expansion of Protection for California Residents’ Personal Information – AB 1710

Under current law, any business that owns or licenses certain personal information about a California resident must implement reasonable security measures to protect the information and, in the event of a data or system breach, must notify affected persons.  See Cal. Civil Code §§ 1798.81.5-1798.83.  Current law also prohibits individuals and entities from posting, displaying, or printing an individual’s social security number, or requiring individuals to use or transmit their social security number, unless certain requirements are met.  See Cal. Civil Code § 1798.85.

The bill makes three notable changes to these laws.  First, in addition to businesses that own and license personal information, businesses that maintain personal information must comply with the law’s security and notification requirements.  Second, in the event of a security breach, businesses now must not only notify affected persons, but also provide “appropriate identity theft prevention and mitigation services” to the affected persons at no cost for at least 12 months, if the breach exposed or may have exposed specified personal information.  Third, in addition to the current restrictions on the use of social security numbers, individuals and entities now also may not sell, advertise to sell, or offer to sell any individual’s social security number.

Expansion of Constructive Invasion of Privacy Liability – AB 2306

Under current law, a person can be liable for constructive invasion of privacy if the person uses a visual or auditory enhancing device and attempts to capture any type of visual image, sound recording, or other physical impression of the person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy.  See Cal. Civil Code § 1708.8.

The bill expands the reach of the current law by removing the limitation requiring the use of a “visual or auditory enhancing device” and imposing liability if the person uses any device to capture a visual image, sound recording, or other physical impression of a person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy.

The law will also continue to impose liability on those who acquire the image, sound recording, or physical impression of the other person, knowing that it was unlawfully obtained.  Those found liable under the law may be subject to treble damages, punitive damages, disgorgement of profits and civil fines.

Protection of Personal Images and Videos (“Revenge Porn” Liability)– AB 2643

Assembly Bill 2643 creates a private right of action against a person who intentionally distributes by any means, without consent, material that exposes a person’s intimate body parts or the [...]

Continue Reading

read more




2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law