One of the hot topics for mainstream P&C insurers these days is dealing with “silent cyber” – that is, the coverage for cyber-related losses in traditional property and casualty insurance policies. There are a number of initiatives underway in the insurance underwriting community as insurers try to address silent cyber. However, as noted in an interesting January 14, 2020 memo from the Covington law firm entitled “The Noise About ‘Silent Cyber’ Insurance Coverage” (here), these initiatives have important implications for policyholders. Among other things, these initiatives potentially could result in a gap in policyholders’ coverage for cyber-related losses, as discussed below.
Continue Reading Addressing “Silent Cyber” and the Risk of Coverage Gaps

Plaintiffs seeking to pursue negligence claims for the disclosure of their personal information in a data breach often face hurdles in pleading a sufficient injury. The claimants’ failure to plead a sufficient injury frequently is the basis for dismissal. However, in a very interesting recent decision, the Georgia Supreme Court reversed the intermediate appellate court’s affirmance of the dismissal of the plaintiffs’ data breach claims, finding that the claimants had sufficient standing to assert their claims where they alleged that the disclosure of their personal information left them at an “imminent and substantial risk of identity theft.” As discussed below, the Court’s holding arguably makes data breach claims under Georgia law less susceptible to dismissal. However, as also discussed below, there are important limitations to the Court’s holding.
Continue Reading Georgia Supreme Court: Risk of Future Identity Theft Sufficient to Support Data Breach Negligence Claim

John Reed Stark

In the following guest post, John Reed Stark takes a look at the troubling rise of ransomware attacks, and the disturbing relationship between ransomware attacks and bitcoin. John is the President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Ransomware’s Year-End Thank You Note to Bitcoin

Umesh Pratapa

As many insurance industry observers know, one of the great concerns within the industry now is the possible impact of “silent cyber” – that is, the potential for cybersecurity-related coverage outside of purpose-built cyber insurance policies. In the following guest post, Umesh Pratapa takes a look at the silent cyber phenomenon.  A version of this article previously was published on Umesh’s website (here). Umesh is an independent insurance consultant based in India. I would like to thank Umesh for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Umesh’s article.
Continue Reading Guest Post: Silent Cyber – Is it Deafening?

Paul Ferrillo

As regular readers of this blog know, one of the many consequences that may follow for a company that experiences a cybersecurity incident is that it could get hit with a D&O claim. In the following guest post, Paul Ferrillo examine whether the increasing move toward cybersecurity-related D&O claims could in turn lead to an increase in prior Delaware Section 220 books and records inspection demands. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. I would like to thank Paul for allowing me to publish his guest post as an article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Board Cyber Oversight Duties and Delaware Section 220 Demands

As I have noted in prior posts, a recurring challenge many organizations face these days is the threat of “payment instruction fraud,” also sometimes called “social engineering fraud” or “payment impersonation fraud.” In these schemes scammers use official-seeming email communications to induce company employees to transfer company funds to the imposters’ account. Among the many issues arising when these kinds of scams occur is the question of insurance coverage for the loss. Some victims may expect that their cyber liability insurance will cover their loss.

However, as Lauri Floresca of Woodruff-Sawyer points out in her December 5, 2019 post on her firm’s blog entitled “Payment Impersonation Fraud: Why is This Common Cyber Problem Not a Valid Cyber Claim” (here), these  claims rarely involve the kind of cyber security breach required to trigger cyber insurance coverage. Accordingly, there are other steps well-advised companies may want to take to try to protect themselves from these kinds of losses.
Continue Reading Payment Instruction Fraud and Cyber Insurance Coverage

Many of you probably saw the news this past week that Target has filed a lawsuit against one of its insurers over losses the company sustained in connection with the company’s 2014 data breach. The Target lawsuit is the latest in a series of high profile insurance battles in which companies are seeking to recoup losses resulting from cybersecurity incidents. However, as my friend, colleague, and Cyber insurance maven Mickey Estey pointed out to me, in its lawsuit Target is in fact not seeking to recover its claimed losses under a cyber insurance policy; rather, in its latest lawsuit, Target is seeking to recover for certain of its losses under its general liability policy. The Target lawsuit is only the latest in a series of high-profile insurance disputes in which companies that have sustained losses from a cybersecurity event are seeking coverage under a variety of different types of policies.
Continue Reading Seeking Insurance for Cybersecurity-Related Losses

One of the more challenging issues businesses must confront as wrongdoers have turned Internet tools into criminal devices has been the rising threat of payment instruction fraud, or, as it is sometimes called, social engineering fraud. Along with these crimes have come vexing questions of insurance coverage for the ensuing losses. Courts have struggled to determine whether or not payment instruction fraud losses are covered under Crime policies. A recent case in the Southern District of New York raises the question whether a payment instruction fraud loss is covered not under a Crime policy but rather under insurance policy containing both E&O and Cyber coverages.
Continue Reading Insurer’s Bid to Dismiss Complaint Seeking Coverage for Payment Instruction Loss Denied

John Reed Stark

As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Some Good News for the Cybersecurity Class Action Bar

Paul Ferrillo
Chris Veltsos

As this blog’s readers know, there have been a number of management liability claims that have been raised against companies that have experienced cybersecurity incidents. In the following guest post by Paul Ferrillo and Chris Veltsos, the authors argue that cyber risk is in fact D&O risk and that the risk is growing. The authors also suggest a 10-step plan to grapple with the risk. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. My thanks to thank Paul and Chris for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Chris’s article.
Continue Reading Guest Post: Time to Face the Music – Cyber Risk is D&O Risk – And Things Are Getting Worse!