<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; cyber claims</title>
	<atom:link href="https://privacyriskreport.com/tag/cyber-claims/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</title>
		<link>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-security-during-coronavirus-pandemic</link>
		<comments>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/#comments</comments>
		<pubDate>Thu, 26 Mar 2020 18:37:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coronavirus]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2077</guid>
		<description><![CDATA[
<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people.  However, there has not been much discussion on what happens if there is a cyber event over the... <a class="more-link" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people.  However, there has not been much discussion on what happens if there is a cyber event over the next couple of weeks as the world deals with the COVID-19 pandemic.  A cyber security breach during the novel coronavirus pandemic could sever the one thread connecting remote employees to their place of work.</p>
<p>While it is still early, there should be little dispute that the current pandemic will have a profound impact on the workplace, which, in turn, will have a profound impact on the use of data. <a href="https://www.forbes.com/sites/heathermcgowan/2020/03/23/the-coronavirus-pandemic-accelerates-the-future-of-work-and-provides-opportunity/#5c1d28f3317f" target="_blank">Commentators have already offered the following concerning the new workplace</a>:</p>
<p><em>If the future of work requires restructured workplaces, redefined roles, rapid learning, and reserves of trust—and it does, organizations are being challenged to do all that and more as they address the coronavirus pandemic. While we have long spoken about <a class="color-link" title="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" href="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" target="_blank" rel="nofollow noopener noreferrer" data-ga-track="ExternalLink:https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity">VUCA (volatile, uncertain, complex, and ambiguous)</a> environments, we are finally and undoubtedly facing one.  In the span of a few weeks, the world’s economy traveled a path from cautious observation and common-sense health advisories to massive cancelations, business shutdowns, and work from home mandates. JPMorgan, AT&amp;T, Google, Amazon, Nike, Facebook, among many, many more are hustling to virtualize business operations as social distancing continues to be the best practice to “flatten the curve” of contagion. </em></p>
<p><em>Coronavirus, it turns out, might be the great catalyst for business transformation. </em></p>
<p>Without a doubt, once we get through this pandemic, we will need to address how the new workplace impacts privacy.  The two most immediate concerns may be the opportunities for hackers and how regulations will be impacted by the overwhelming health and economic concerns.</p>
<ol>
<li><strong>The Pandemic May Provide Opportunities For Hackers</strong></li>
</ol>
<p>While there are a number of uncertainties during this unprecedented situation, we have been able to piece together some information concerning our world in March of 2020:</p>
<ul>
<li>We are in a pandemic caused by the novel coronavirus;</li>
<li>In response to the pandemic, people are working from home and transferring information without the security measures found in the workplace;</li>
<li>The pandemic has created turmoil in the world’s financial and employment markets; and</li>
<li>Workers are feeling insecure, which may lead to snap decisions.</li>
</ul>
<p>Unfortunately, these four factors give rise to the perfect environment for opportunistic hackers.  Data collectors may want to take the following approach in the coming weeks:</p>
<ul>
<li><strong>Protect data transfers</strong>. In the coming weeks, as the pandemic unfolds, employee training or discussions on data safety will be key.  Data collectors should remind their new remote workforce of the emerging risks they face in transferring data.</li>
</ul>
<ul>
<li><strong>Prepare for outages.</strong> There are new limitations on communicating with a remote workforce.  Data collectors should consider what their business may look like if there is an international, national or local outage that would cut this limited access even further.</li>
</ul>
<ul>
<li><strong>Think about permanent solutions for the new workplace</strong>. The remote workforce will be able to return to their traditional workplaces at some point.  Data collectors should think about what safeguards should be put into place if workers start working remotely more frequently.</li>
</ul>
<p>Not surprisingly, we have already seen hackers target vital businesses that are essential during the coronavirus pandemic.  German newspapers have reported that “Cyber criminals have launched a distributed denial-of-service (DDoS) attack against German food delivery service Takeaway.com (Lieferando.de), demanding two bitcoins (about $11,000) to stop the flood of traffic.”  <a href="https://nationalcybersecurity.com/ddos-attack-targets-german-food-delivery-service/" target="_blank">Commentators warn this may not be the end of cyber attacks</a>:</p>
<p><em>Security experts anticipate these types of acts, intended to exploit essential services in times of crisis, will continue as restrictions due to COVID-19 remain in place. “Deplorably, we will likely see a further avalanche of cyberattacks targeting most susceptible online businesses,” says ImmuniWeb founder and CEO Ilia Kolochenko. As a result, many organizations may be forced to pay cybercriminals or invest in DDoS protection services to defend against advanced attacks.</em></p>
<p>Clearly, this will be a continuing threat over the next few weeks.</p>
<ol start="2">
<li><strong>The Pandemic May Cause Privacy Regulations To Get Dialed Back.</strong></li>
</ol>
<p>A couple of months ago, businesses, insurers and governments were starting to get the hang of this privacy thing.  Previously, the biggest concern was compliance with privacy regulations such as the California Consumer Privacy Act (“CCPA”).  (By the way, a number of organizations are now calling for the delay of the enforcement of the CCPA: <a href="https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/">https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/</a>)  That was, of course, until the coronavirus pandemic sent workers home.</p>
<p>Being just a few weeks into the pandemic, we can be sure that privacy law will be profoundly impacted when deadlines are extended and the data is used by millions of workers that have moved offsite.  After the pandemic, we will need to watch deadlines and be ready to modify compliance with privacy law.</p>
<p>If the adoption or enforcement of privacy regulations is delayed by the coronavirus pandemic, we may see data collectors struggle to find guidance for proper data storage and collection.  Looking at case law may fill the void left by relaxed deadlines and requirements.  For example, data collectors may look to decisions such as the March 26, 2018 opinion in <em>Hopper v. Schletter Inc</em>., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) as an example where a court was prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in <em>Hopper</em>, employers can expect to have their cyber security protocols closely scrutinized after the coronavirus pandemic.</p>
<p>Further, the facts giving rise to the incident in <em>Hopper</em> are instructive to remote workplaces.  On April 19, 2016, the defendant in <em>Hopper</em>, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cyber security and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question.</p>
<p>The District Court provided the following examples of areas in which it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on this reasoning, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>It will be interesting to see if courts are going to give data collectors a “pass” for lapses in cyber security once the coronavirus pandemic has come to an end.  Even though cyber security may be in flux, there is still a significant amount of guidance for data collectors.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Expert Witness Testimony Must Be Accounted for While Valuing Damages in Cyber Cases</title>
		<link>https://privacyriskreport.com/expert-witness-testimony-must-be-accounted-for-while-valuing-damages-in-cyber-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=expert-witness-testimony-must-be-accounted-for-while-valuing-damages-in-cyber-cases</link>
		<comments>https://privacyriskreport.com/expert-witness-testimony-must-be-accounted-for-while-valuing-damages-in-cyber-cases/#comments</comments>
		<pubDate>Mon, 01 Aug 2016 20:32:46 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[cyber damages]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber litigation]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[expert witness]]></category>
		<category><![CDATA[forensic accounting]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[testimony]]></category>
		<category><![CDATA[witness]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=877</guid>
		<description><![CDATA[
<p>Although cyber litigation is still evolving, there has been little opportunity to consider the value of expert witnesses and consultants in these cases. However, as we begin to see more claims and litigation, there will be no question that expert... <a class="more-link" href="https://privacyriskreport.com/expert-witness-testimony-must-be-accounted-for-while-valuing-damages-in-cyber-cases/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/expert-witness-testimony-must-be-accounted-for-while-valuing-damages-in-cyber-cases/">Expert Witness Testimony Must Be Accounted for While Valuing Damages in Cyber Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Although cyber litigation is still evolving, there has been little opportunity to consider the value of expert witnesses and consultants in these cases. However, as we begin to see more claims and litigation, there will be no question that expert witness testimony and consultation will play a larger role in cyber security. Consequently, the evidentiary weight given to expert witness testimony and credibility related to cyber litigation will be a growing concern.</p>
<p>In particular, forensic accountants are expected to be called upon to quantify any alleged economic damages caused by a cyber incident. The whitepaper “<a href="http://www.hsno.com/forensic-accountants-and-cyber-breach">How Forensic Accountants Help In Cyber Breach Cases</a>,” published by the accounting firm HSNO, states that a forensic accountant may look at documents including, but not limited to: historical company performance, financial statements, forecasts or projections, interviews with company management, a review of the types of data lost or accessed and a review of laws and obligations following a breach.</p>
<p>In another recent report, “<a href="http://www.hsno.com/wp-content/uploads/2016/05/HSNO-Cyber-WhitePaper-Hagen.pdf?utm_medium=email&amp;sslid=szA2tjQyNDU3s7QEAA&amp;sseid=M7c0NTE2srQEAA&amp;jobid=a57bc67e-69b9-4026-8d9f-94e9cbfa550c">A Guide To Calculating Business Interruption Losses Related To Standalone Cyber Policies</a>,” HSNO addresses considerations to measure Business Interruption (BI) damages related to cyber incidents. In its report, HSNO defines BI as the amount equal to “the loss of net income plus continuing costs not earned.” In measuring BI, the HSNO whitepaper states its experience has indicated that “the top three measurement issues between claimed and calculated BI issues in order of frequency are: sales projections, period of indemnity and saved costs-ordinary payroll” for forensic accountants. The whitepaper analyzes measures for BI claims in the context of cyber claims in the following manner:</p>
<ul>
<li><em>Sales Projections:</em> In general, the first step in a forensic accountant’s calculation is to determine the “But For” sales, which analyzes the amount the sales would have been “but for” the particular event. In determining sales projections related to a cyber incident, the report explains that “forensic accountants will likely be looking at the entire company as opposed to just one particular location or region, which is usually the case with a fire or hurricane.” Further, these calculations may be further impacted when BI is being calculated for “a new business, a vastly changing market or a new product.” In order to limit the impact of these variables, the report recommends taking time to gather sufficient information to obtain “the ‘more correct’ projection.”</li>
<li><em>Period of Indemnity:</em> The Period of Indemnity is “the time period for which indemnity or compensation is payable under a business interruption policy.” Here, a forensic accountant can be used to determine the monetary amount of the damages for each day the breach caused a network to be down. However, an accounting expert would not be able to assist with the amount of time or number of days a computer network should reasonably be down. That is a determination to be made by a technical expert.</li>
<li><em>Saved Costs-Ordinary Payroll:</em> In the context of a cyber claim, saved (avoided) costs would be incurred for payroll, or if the targeted company decides to “pay non-productive employees during the outage period or have a layoff.”</li>
</ul>
<p>At present, studies have found that <a href="http://aon.mediaroom.com/news-releases?item=137400">BI related to cyber incidents is a top concern</a>, considering the potential for <a href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/">lost revenue caused by ransomware or some other cyber incident</a>. As a result, expert opinions and testimony related to BI will become imperative for cyber claims in the near future.</p>
<p>It has been clear for some time that insurers, brokers, underwriters and policyholders all need to work together in order to get the full value out of cyber insurance. In the same manner, insurers, counsel and experts will need to coordinate efforts in order to properly value damages related to a cyber claim. While cyber incidents may cause damage differently than traditional perils, such as a hurricane, in the end, the BI damages will be calculated in the same manner.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/expert-witness-testimony-must-be-accounted-for-while-valuing-damages-in-cyber-cases/">Expert Witness Testimony Must Be Accounted for While Valuing Damages in Cyber Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/expert-witness-testimony-must-be-accounted-for-while-valuing-damages-in-cyber-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach</title>
		<link>https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach</link>
		<comments>https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/#comments</comments>
		<pubDate>Thu, 09 Jun 2016 17:50:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=783</guid>
		<description><![CDATA[
<p>In 2014, P.F. Chang’s experienced a credit card breach involving a number of its restaurants that culminated in numerous lawsuits nationwide. The ensuing litigation related to this data breach provided significant insight into what would become the important issues in data... <a class="more-link" href="https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/">The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In 2014, P.F. Chang’s experienced a credit card breach involving a number of its restaurants that culminated in numerous lawsuits nationwide. The ensuing litigation related to this data breach provided significant insight into what would become the important issues in data breach litigation moving forward. For example, the <a href="https://privacyriskreport.com/p-f-changs-decision-establishes-7th-circuit-as-friendly-territory-for-data-breach-plaintiffs/">7th Circuit U.S. Court of Appeals held the class representatives’ allegations</a> of fraudulent credit card charges, credit monitoring costs and potential identity theft were sufficient to establish standing to bring suit against P.F. Chang’s for this data breach.</p>
<p>The impact of P.F. Chang’s data breach on insurance coverage law is becoming apparent two years after the breach and as class action plaintiffs are beginning to prosecute their cases. For instance, on May 31, 2016, in <em><a href="https://privacyriskreport.com/wp-content/uploads/2016/06/PFChangs_v_Federal.pdf" target="_blank">P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co.</a></em>, a federal District Court in Arizona issued an order granting Federal Insurance Company’s motion for summary judgment, finding there was no coverage under a cyber policy for P.F. Chang’s breach. The <em>P.F. Chang&#8217;s</em> court stated the central issue in its coverage determination as:  “…whether coverage exists under the insurance policy between Chang’s and Federal for the credit card association assessments that arose from the data breach Chang’s suffered….”</p>
<p>Prior to its analysis of the coverage issues, the order granting summary judgment provides the following background related to P.F. Chang’s claim under the Federal Policy:</p>
<ul>
<li>Federal issued a cyber policy to P.F. Chang’s, effective January 1, 2014, to January 1, 2015.</li>
<li>P.F. Chang’s, as with many merchants, cannot process credit card transactions themselves and, therefore, used “Servicers” who process the transactions with banks that issue the credit cards (Issuers). P.F. Chang’s entered into an agreement with Bank of America (BoA) to process these transactions.</li>
<li>Servicers such as BoA process these transactions and, in turn, must enter into agreements with credit card companies that obligate BoA and banks acting as Issuers to pay fees and assessments to credit card companies if there is a breach.</li>
<li>Under P.F. Chang’s agreement with BoA, P.F. Chang&#8217;s agreed to reimburse BoA for any fees and assessments it was required to pay credit card companies for P.F. Chang’s breach.</li>
<li>After the breach, Federal reimbursed P.F. Chang’s approximately $1.7 million for costs related to forensic investigations and defense of claims arising out of the breach.</li>
</ul>
<p>BoA also sought nearly $2 million in fees and assessments from P.F. Chang’s for amounts it incurred from its agreements with the credit card companies pursuant to P.F. Chang&#8217;s reimbursement agreement with BoA. P.F. Chang’s reimbursed BoA and then sought to recover this amount from Federal under its cyber policy. P.F. Chang&#8217;s initiated this litigation when Federal denied coverage for these amounts. P.F. Chang’s sought coverage under both Insuring Clause A and Insuring Clause B of the cyber policy. The court granted Federal’s motion for summary judgment finding no coverage under either Insuring Clause based on the following reasoning:</p>
<ul>
<li><strong>No Coverage Under Insuring Clause A</strong>: Under the Federal Policy, Insuring Clause A provided that, “[Federal] shall pay for <strong>Loss</strong> on behalf of an <strong>Insured </strong>on account of any <strong>Claim </strong>first made against such <strong>Insured </strong>. . . for <strong>Injury</strong>.” Injury is further defined under the cyber policy to include “Privacy Injury” which “means injury sustained or allegedly sustained by a <strong>Person </strong>because of actual or potential unauthorized access to such <strong>Person’s Record</strong>, or exceeding access to such <strong>Person’s Record</strong>.” The Federal Policy also defines “<strong>Record</strong>” as “any information concerning a natural person that is defined as: (i) private personal information; (ii) personally identifiable information&#8230;pursuant to any federal, state&#8230;statute or regulation,&#8230;where such information is held by an <strong>Insured Organization </strong>or on the <strong>Insured Organization’s </strong>behalf by a <strong>Third Party Service Provider</strong>” or “an organization’s non-public information that is&#8230;in an <strong>Insured’s </strong>or <strong>Third Party Service Provider’s </strong>care, custody, or control.” The court agreed with Federal’s argument on this point that P.F. Chang’s was not entitled to coverage under Insuring Clause A because BoA itself did not sustain a privacy injury because its records were not compromised during the data breach.</li>
<li><strong>There May Be Coverage Under Insuring Clause B: </strong>Under the Federal Policy, Insuring Clause B provides that “[Federal] shall pay Privacy Notification Expenses incurred by an Insured resulting from [Privacy] Injury.” The court agreed with P.F. Chang’s argument that it was entitled to coverage under this provision because of the amounts P.F. Chang’s paid Issuers to reissue bankcards and new account numbers. Even though these fees and assessments may have been incurred by BoA, the court found it persuasive that P.F. Chang’s was ultimately responsible to pay these amounts under its contracts with BoA.</li>
<li><strong>Policy Exclusions Bar Coverage</strong>: Even if there was coverage under Insuring Clause B, the court held two exclusions in the Federal Policy would bar coverage for any contractual obligations P.F. Chang’s assumed from a third party. Specifically, the court agreed with Federal’s argument that the fees and assessments P.F. Chang’s assumed in its contract with BoA were excluded from coverage.</li>
</ul>
<p>As seen on prior occasions, the court’s coverage determination went back to <a href="https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/">basic coverage law</a>. In the <em>P.F. Chang’s </em>decision, the court discusses its reliance on existing coverage law: “In reaching this decision, the court turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”</p>
<p>It is important to note that Federal paid approximately $1.7 million for P.F. Chang’s damages related to forensic investigations and defense costs. These damages were not at issue under the cyber insurance policy. In short, the cyber policy worked exactly as it was intended to work when there was a data breach. While struggling with the more difficult question (whether the costs P.F. Chang’s became responsible for in its contract with BoA were covered), the court went back to fundamental insurance concepts to find cyber coverage was barred by exclusions for liability assumed from a third party. Therefore, while this decision provides guidance on how courts may be expected to interpret the specific language of a cyber policy, it also demonstrates the importance of the existing body of law related to CGL coverage.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/' data-emailit-title='The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/">The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case</title>
		<link>https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case</link>
		<comments>https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/#comments</comments>
		<pubDate>Tue, 24 May 2016 20:23:17 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[first party property]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[property line]]></category>
		<category><![CDATA[property lines]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=756</guid>
		<description><![CDATA[
<p>On May 20, 2016, the U.S. Court of Appeals for the 8th Circuit affirmed a District Court decision finding coverage for a loss under a financial institution bond issued by BancInsure, Inc. (BancInsure) to the State Bank of Bellingham (Bellingham).... <a class="more-link" href="https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/' data-emailit-title='Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/">Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On May 20, 2016, the <a href="https://privacyriskreport.com/wp-content/uploads/2016/05/Bellingham_v_BancInsure_05202016.pdf">U.S. Court of Appeals for the 8th Circuit affirmed a District Court decision</a> finding coverage for a loss under a financial institution bond issued by BancInsure, Inc. (BancInsure) to the State Bank of Bellingham (Bellingham). Bellingham made a claim under the bond when one of its computers became infected with malware that allowed criminals to transfer $485,000 held at Bellingham to an account at a foreign bank. By the time the illegal transfer was discovered, the funds were not recoverable. The District Court granted Bellingham’s motion for summary judgment finding coverage under the financial bond.</p>
<p>Before reaching its decision, the 8th Circuit examined the “concurrent-causation doctrine” as adopted under Minnesota law, which holds that “[a]n insured is entitled to recover from an insurer when the cause of the loss is not excluded under the policy. This is true even though an excluded cause may have contributed to the loss.” In its decision, the 8th Circuit applied Minnesota’s concurrent-causation doctrine as follows:</p>
<p style="padding-left: 30px;"><em>[W]here an excluded peril “contributed to the loss,” an insured may recover if a peril is… “the efficient and proximate cause” of the loss.  Conversely, it follows that if an excluded peril is the efficient and proximate cause of the loss, the coverage is excluded.  An “efficient and proximate cause,” in other words, is an “overriding cause.” </em></p>
<p>BancInsure first argued that the concurrent-causation doctrine does not apply to financial institution bonds. Specifically, BancInsure took the position that “despite the general applicability of the concurrent-causation doctrine to Minnesota insurance contracts, the doctrine is not similarly applicable to financial institution bonds because a financial institution bond requires the insured initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.” In rejecting BancInsure’s argument, the 8th Circuit found “[n]o Minnesota case precludes application of the concurrent-causation doctrine to financial institution bonds.” Therefore, under Minnesota law, the 8th Circuit found no reason to treat financial bonds differently than any other insurance contract.</p>
<p>Next, BancInsure asserted the language in the bond “contracted around the doctrine.” In an argument relying heavily on the exclusions in the bond, BancInsure argued the policy language was intended to “contract[] around the concurrent-causation doctrine because [the] exclusions also apply to ‘indirect’ causation.” The 8th Circuit held the provisions BancInsure relied on for this argument were not sufficiently direct to get around the concurrent-causation doctrine. In acknowledging parties can contract around the doctrine, the 8th Circuit held that Minnesota law requires such language to be “clear and specific.” The court held there was no provision that was sufficiently clear or specific in the bond at issue in this case.</p>
<p>Finally, BancInsure claimed the trial court incorrectly held hacking by a criminal third party into the bank’s computer system was the overriding or efficient and proximate cause of the loss. Rather, BancInsure argued this question should have been resolved by a jury. In rejecting BancInsure’s argument, the 8th Circuit relied on its decision in <em>Friedberg v. Chubb &amp; Son, Inc.</em>, where Minnesota’s concurrent-causation doctrine was closely examined in a first-party property case where the insureds’ home suffered extensive water damage. During an investigation of the water intrusion, it was determined that defective construction of the home caused the water damage. In finding the policy in <em>Friedberg</em> did not provide coverage, the 8th Circuit held that “although the water intrusion played an essential role in the damage to the [] house, it was a foreseeable and natural consequence that water would enter.”</p>
<p>Based on the reasoning in <em>Friedberg</em>, the 8th Circuit held the trial court correctly opined that “the efficient and proximate cause of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures.” Specifically, the court held that “[u]nlike the water damage in Friedberg, an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.” That is, even if the employee’s actions are found to have played an essential role in a virus attacking the bank’s system, “the intrusion and the ensuing loss…suffered remains the criminal activity of a third party.”</p>
<p>This decision demonstrates that courts are going to go back to well-established concepts even when technology gives rise to new factual backgrounds and circumstances. For example, in this decision, the court goes back to fundamental first-party insurance concepts with the concurrent-causation doctrine. Consequently, while the facts are unique with technology, hacking and cyber claims, we can expect courts to first look to established law to solve coverage issues.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/' data-emailit-title='Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/">Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Law Firms&#8217; Work Product Has No Privileges Against Hackers</title>
		<link>https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=law-firms-work-product-has-no-privileges-against-hackers</link>
		<comments>https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/#comments</comments>
		<pubDate>Mon, 25 Apr 2016 20:37:14 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[law firm]]></category>
		<category><![CDATA[law firms]]></category>
		<category><![CDATA[panama papers]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=706</guid>
		<description><![CDATA[
<p>It appears that large retailers and hospitals are no longer the only targets for hackers as evidenced by the hack at the Panamanian law firm, Mossack Fonseca, generally referred to as the “Panama Papers.” While the identity of the hackers is... <a class="more-link" href="https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/' data-emailit-title='Law Firms&#8217; Work Product Has No Privileges Against Hackers'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/">Law Firms&#8217; Work Product Has No Privileges Against Hackers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>It appears that large retailers and hospitals are no longer the only targets for hackers as evidenced by the hack at the Panamanian law firm, Mossack Fonseca, generally referred to as the “<a href="http://www.forbes.com/sites#/sites/luisakroll/2016/04/03/billionaires-former-billionaires-outed-for-offshore-wealth-by-the-panama-papers/">Panama Papers</a>.” While the identity of the hackers is still unknown, the extent of these crimes is starting to be fully realized. Reports <a href="http://www.forbes.com/sites/jasonbloomberg/2016/04/21/cybersecurity-lessons-learned-from-panama-papers-breach/" target="_blank">indicate the hackers took millions of documents,</a> including emails belonging to the law firm’s clients. There has already been substantial fallout from this hack including the <a href="http://www.usatoday.com/story/news/world/2016/04/05/panama-papers-icelands-leader-may-ready-resign/82645064/" target="_blank">resignation of Iceland’s prime minister </a>and <a href="http://www.reuters.com/article/us-pakistan-politics-idUSKCN0XL0A0">uncertainty for a number of other world leaders</a>.</p>
<p>Perhaps the most startling fact about this crime is the lack of sophistication needed to steal sensitive client information. The combination of outdated safeguards and highly-sensitive information provides a ripe target for hackers. Specifically, commentators believe this attack originated when the law firm failed to update its web servers:</p>
<p style="margin-left: .5in;"><em>The fact that Mossack Fonseca’s web servers were many months out of date was particularly egregious, especially considering the sensitivity of their clients’ information. “They seem to have been caught in a time warp,”</em> <em>says Alan Woodward, a cybersecurity expert from University of Surrey and consultant to Europol’s European Cybercrime Centre. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”</em></p>
<p>In addition to the “Panama Papers” incident, there should be little question hackers are looking to exploit vulnerabilities at law firms. It has recently come to light that <a href="http://www.abajournal.com/news/article/posts_on_cyber_criminal_forum_outline_plans_for_law_firm_hack_attacks_seeki" target="_blank">hackers have launched “phishing” attacks </a>aimed at law firm employees and personnel. In an attempt to gain access to documents related to corporate mergers, authorities recently learned of a scheme offering to pay hackers $100,000 in addition to half the profits of the first $1 million taken from law firms. In particular, after gaining access to law firm networks, the hackers were instructed to conduct key word searches to find documents related to pending mergers or other transactions that the hackers could use to turn a profit.</p>
<p>In response to this scheme, the <a href="http://www.americanbar.org/groups/leadership/office_of_the_president/cybersecurity.html" target="_blank">FBI recently issued an alert through the American Bar Association </a>warning law firms of this threat. The FBI alert describes the scheme as follows:</p>
<p style="margin-left: .5in;"><em>A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.</em></p>
<p>The evolution of the hacker threat from large (highly secured) targets to smaller (lacking security) targets has not been a surprise. What has been surprising is the fact that the smaller targets did not see the threat evolve to put them in the crosshairs. Further, the fact that a number of international law firms have found themselves to be targets demonstrates difficulties in protecting against hackers. The threat to law firms should also provide insight to accounting firms, real estate brokers and any other smaller operation about the value of cyber security.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/' data-emailit-title='Law Firms&#8217; Work Product Has No Privileges Against Hackers'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/">Law Firms&#8217; Work Product Has No Privileges Against Hackers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/law-firms-work-product-has-no-privileges-against-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims?</title>
		<link>https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims</link>
		<comments>https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/#comments</comments>
		<pubDate>Tue, 12 Apr 2016 15:29:12 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[CGL]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[commercial general liability]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[medical records]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[portal]]></category>
		<category><![CDATA[portal healthcare]]></category>
		<category><![CDATA[Sony]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=685</guid>
		<description><![CDATA[
<p>Over the last couple of years, courts have struggled with whether cyber claims could trigger coverage under commercial general liability (CGL) insurance policies. While courts have found most cyber claims will not be covered as “bodily injury” or “property damage”... <a class="more-link" href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/' data-emailit-title='Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims?'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/">Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><span style="color: #000000;">Over the last couple of years, courts have struggled with whether cyber claims could trigger coverage under commercial general liability (CGL) insurance policies. While courts have found most cyber claims will not be covered as “bodily injury” or “property damage” under the typical CGL policy, some courts have struggled with whether cyber claims constitute “publication” under the advertising and personal injury coverage of a typical CGL policy.</span></p>
<p><span style="color: #000000;"><em><b>Travelers Indemnity Co. v. Portal Healthcare</b></em><strong> Decision</strong></span></p>
<p><span style="color: #000000;">On April 11, 2016, the 4th U.S. Circuit Court of Appeals issued its unpublished decision in</span> <a href="https://privacyriskreport.com/wp-content/uploads/2016/04/Travelers-Indemnity-Co.-of-America-v.-Portal-Healthcare-Solutions-L.L.C..pdf" target="_blank"><em>Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C</em>.</a> <span style="color: #000000;">In <em>Portal</em>, the 4th Circuit held medical records posted on the Internet could potentially give rise to coverage under a CGL policy.</span></p>
<p><span style="color: #000000;">This coverage action originates with a class action complaint filed against Travelers’ insured, Portal, alleging that Portal’s conduct resulted in the underlying plaintiffs’ medical records being posted on the Internet for more than four months. Travelers initiated the declaratory judgment action seeking a determination that there was no coverage for the class action complaint under two CGL policies it issued to Portal.</span></p>
<p><span style="color: #000000;">In affirming the decision by the U.S. District Court for the Eastern District of Virginia, the 4th Circuit held “that the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The 4th Circuit further held “[s]uch conduct, if proven, would have given ‘unreasonable publicity to and disclose[d] information about patients’ private lives,’ because any member of the public with an Internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”</span></p>
<p><span style="color: #000000;">Based on this reasoning, the 4th Circuit held Travelers had a duty to defend Portal in the class action. This decision highlights the importance of what happens to the sensitive information and whether there is a “publication” as that term is defined under the typical CGL policy.</span></p>
<p><span style="color: #000000;"><strong>Putting the </strong><em><b>Portal</b></em><strong> Decision in Context</strong></span></p>
<p><span style="color: #000000;">In contrast, on May 18, 2015, the Connecticut Supreme Court affirmed a lower court’s decision finding there was no insurance coverage for more than $6 million in losses related to the exposure of private information belonging to nearly 500,000 IBM employees. In</span> <a href="http://www.jud.ct.gov/external/supapp/Cases/AROcr/CR317/317CR54.pdf"><em>Recall Total Info. Management, Inc. v. Federal Ins. Co</em>.</a><span style="color: #000000;">, the insured sought coverage under its CGL policy when it <a style="color: #000000;" href="https://privacyriskreport.com/connecticut-supreme-court-finds-no-coverage-under-cgl-policy-for-lost-data/" target="_blank">lost data storage tapes</a> storing its customer’s private information. The tapes fell off the back of the insured’s van and it was believed that about 130 of the tapes were taken from the road by an unknown person. The CGL policy at issue provided coverage for “personal injury” which included “publication of material that…violates a person’s right to privacy.”</span></p>
<p><span style="color: #000000;">In analyzing this provision and the facts of this case, the <em>Recall Total</em> court first held there was no dispute that the information on the tapes was private, and, second, that the threshold was whether the information on the tapes had been “published.” In finding there was no coverage, the lower court held there was no evidence that the information on the tapes had been found or used after the tapes fell off the van. In reviewing the evidence, the Court found “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.” Specifically, the <em>Recall Total</em> lower court decision addressed the personal injury provision in the following manner:</span></p>
<p style="padding-left: 30px;"><span style="color: #000000;"><em>On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief. The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation. See, e.g., Norse Systems, Inc. v. Tingley Systems, Inc., supra, 49 Conn.App. at 591, 715 A.2d 807 (speculation or conjecture will not overcome motion for summary judgment). As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.</em></span></p>
<p><span style="color: #000000;">In its concise decision, the Connecticut Supreme Court said there was no purpose in repeating the discussion in the superior court’s “well-reasoned”</span> <a href="http://www.leagle.com/decision/In%20CTCO%2020140114064/RECALL%20TOTAL%20INFORMATION%20v.%20FEDERAL%20INS." target="_blank">January 2014 ruling</a>.</p>
<p><span style="color: #000000;">While these decisions may arguably not involve a data breach or a classic cyber claim, many commentators believed that the <em>Recall Total</em> court’s reasoning would shed light on how a data breach might be viewed from a coverage perspective when there is no evidence that the private or confidential information was actually published to third parties.</span></p>
<p><span style="color: #000000;"><strong>Portal’s Contribution to Current State of the Law</strong></span></p>
<p><span style="color: #000000;">Undoubtedly, the <em>Portal </em>decision provides significant guidance on the issue of whether data breaches will be covered under traditional CGL policies. Prior to this decision, the body of law was limited to the reasoning of the <em>Recall Total</em> decision, which was in harmony with the trial court’s decision in Sony’s coverage action against Zurich.</span> <a href="https://privacyriskreport.com/sony-and-zurich-settle-data-breach-case-before-appellate-court-can-decide-coverage-issues-under-cgl-policy/" target="_blank">In the <i>Sony</i> case</a><span style="color: #000000;">, which was settled before the appellate court could render its decision, the New York trial court ruled Zurich had no duty to defend because there was no “publication” under Coverage B of the CGL policy.</span></p>
<p><span style="color: #000000;">When the dust settles, we may see that the <em>Portal </em>decision has little impact beyond claims involving medical records placed on the Internet. Not all cyber claims result in information or data being posted on the Internet, or provided in another manner, to third parties. Rather, many cyber claims involve information being taken and used for criminal acts. That is, a court may not find that the information taken in the</span> <a href="https://privacyriskreport.com/target-and-consumer-plaintiffs-nearing-settlement-of-class-action-suit-related-to-2013-data-breach/" target="_blank">Target breach (credit card information stolen)</a> <span style="color: #000000;">or similar cyber incidents includes the “publication” element required to trigger CGL coverage.</span></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/">Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
