<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>http://www.cyberinquirer.com/</title>
	
	<link>http://cyberinquirer.com</link>
	<description>News and Views on Recent Developments in Cyber Law and Insurance</description>
	<lastBuildDate>Tue, 15 May 2012 21:41:14 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/cyberinquirer" /><feedburner:info uri="cyberinquirer" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>cyberinquirer</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:browserFriendly>Dear Subscriber,&#xD;
&#xD;
CyberInquirer has just posted another article! Thanks very much for taking an interest in our blog!&#xD;
&#xD;
Kind regards,&#xD;
&#xD;
The CyberInquirer Admin Team,&#xD;
Rick Bortnick and Pamela Pengelley</feedburner:browserFriendly><item>
		<title>New York Court of Appeals Rules That Viewing Images On The Web Does Not Constitute Procurement, Possession or Control, Even When Cached On A Hard Drive</title>
		<link>http://cyberinquirer.com/2012/05/15/new-york-court-of-appeals-rules-that-viewing-images-on-the-web-does-not-constitute-procurement-possession-or-control-even-when-cached-on-a-hard-drive/</link>
		<comments>http://cyberinquirer.com/2012/05/15/new-york-court-of-appeals-rules-that-viewing-images-on-the-web-does-not-constitute-procurement-possession-or-control-even-when-cached-on-a-hard-drive/#comments</comments>
		<pubDate>Tue, 15 May 2012 21:37:30 +0000</pubDate>
		<dc:creator>Chris Murphy</dc:creator>
				<category><![CDATA[Children]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3800</guid>
		<description><![CDATA[On May 8, 2012, the New York Court of Appeals issued a ruling that merely viewing child pornography on the internet is not a criminal act under the New York Penal Code. The People v. James D. Kent, Index 70, NYLJ 1202552838004, at *1 (Ct. of App., Decided May 8, 2012). The rationale behind the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-3804" title="cache" src="http://cyberinquirer.com/wp-content/uploads/2012/05/cache.jpg" alt="" width="200" height="210" /><span style="color: #333399;"><strong>On May 8, 2012, the New York Court of Appeals issued a ruling that merely viewing child pornography on the internet is not a criminal act under the New York Penal Code. <a href="http://www.newyorklawjournal.com/CaseDecisionNY.jsp?id=1202552838004&amp;The_People_v_James_D_Kent_Index_70&amp;slreturn=1 "><em>The People v. James D. Kent</em>, Index 70, NYLJ 1202552838004, at *1 (Ct. of App., Decided May 8, 2012). </a>The rationale behind the decision of the state’s highest court bears discussion on a much broader scale due to its potential bearing on the legal definitions of procurement, possession and control of digital property.</strong></span></p>
<p><span style="color: #333399;"><strong>The key question under consideration was the evidentiary significance of temporary internet files (or cache files) that are automatically created and stored on the hard drive of a computer while the user is browsing the internet. The Court of Appeals concluded that the act of viewing a web image alone does not, absent other proof, constitute either possession or procurement.</strong></span></p>
<p><span id="more-3800"></span>The decision arose from the appeal of a conviction of a professor of public administration for possession of child pornography. In 2007, a student employee of the college’s IT department ran a virus scan of Professor James Kent’s computer in response to his complaints that it was performing slowly. This scan, and the subsequent investigation by the New York State Police, resulted in the discovery of numerous images contained in the hard drive’s temporary internet files, also known as the web cache. The Court of Appeals found that there was no evidence that Professor Kent “was aware of the cache function of his computer or that any of these files were stored in the cache.”</p>
<p>A web cache contains images or portions of web pages that are automatically stored when a user visits a web page. The standard settings of most internet browsers result in certain images from a web page being stored in the computer&#8217;s web cache. The purpose of caching image files is to speed up the loading of a previously visited web page when the user returns, by keeping certain images stored locally. Most current versions of the prominent internet browsers, however, have security (or privacy) settings that permit a user to forgo the caching of images, the download of cookies or the tracking of history.</p>
<p>The relevant sections of New York&#8217;s child pornography law provide that &#8220;it is illegal to create, possess, distribute, promote or facilitate child pornography.&#8221; New York Penal Code (263.15-16). While New York courts have consistently held that digital computer images are the equivalent of photographs within the meaning of the law, the <em>Kent </em>ruling dictates that procurement, possession and control in the digital realm cannot be established by the transient act of merely viewing a web page or image. Senior Judge Carmen B. Ciparick, writing for the majority, stated that &#8220;some affirmative act is required (printing, saving, downloading, etc.) to show that defendant in fact exercised dominion and control over the images that were on his screen.&#8221; Going further, the Court stated that a user’s awareness of the cache function has no relevance to the issue of control or possession; rather, it can only serve as evidence that the images were previously viewed. Merely accessing and displaying a web page does not constitute procurement under the law, which is defined as having “obtained, acquired . . . to get possession of by particular care or effort.”</p>
<p>The Court&#8217;s ruling attempts to distinguish between individuals who see an image of child pornography online and those who actively download and store such images. The Court cited decisions by a number of federal courts, stating that “where no evidence shows defendant was aware of the presence of the cached files, such files cannot underlie a prosecution for promotion or possession. This is necessarily so because a defendant cannot knowingly acquire or possess that which he or she does not know exists.” Purposefully making an image appear on the screen &#8212; for however long the user elects to view the image &#8212; was not held to constitute “knowing control.&#8221;</p>
<p>Putting the abhorrent circumstances of the <em>Kent </em>case to the side, the need for clear definitions of the legal concepts of procurement, possession and control when it comes to digital files is paramount and not limited to the criminal context. Disputes in the commercial sector, whether over software application development, advertising content creation, or insurance coverage following a cyber-attack, can turn on such issues. The continued expansion of the cloud computing model, where all files are stored remotely and tend to be viewed by users via a web interface, will only increase the potential for these to be critical concepts. Understanding the implications of this ruling should color any discussion of digital assets.</p>
<p>It is worth noting that the <em>Kent </em>ruling only resulted in the dismissal of two counts of Professor Kent’s conviction in the lower court. The Court of Appeals found that there was evidence of additional files having been downloaded which constituted a criminal act under this interpretation of the statutes.</p>
<p>On a side note, Judge Victoria Graffeo, who concurred in the result only, commented that &#8220;[t]he purposeful viewing of child pornography on the internet is now legal in New York.&#8221; While certainly frustrated dicta, such an observation does not portend well.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/05/15/new-york-court-of-appeals-rules-that-viewing-images-on-the-web-does-not-constitute-procurement-possession-or-control-even-when-cached-on-a-hard-drive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>If the Glove Fits, You Must Defend</title>
		<link>http://cyberinquirer.com/2012/05/13/if-the-glove-fits-you-must-defend/</link>
		<comments>http://cyberinquirer.com/2012/05/13/if-the-glove-fits-you-must-defend/#comments</comments>
		<pubDate>Sun, 13 May 2012 17:03:30 +0000</pubDate>
		<dc:creator>Nicole Moody</dc:creator>
				<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Trademarks]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3770</guid>
		<description><![CDATA[Trade dress insurance coverage is alive and well. At least in Wisconsin. In Acuity v. Ross Glove Company, 2012 WL 1109035 (Wis. Ct. App. April 4, 2012), the Wisconsin Court of Appeals held that an insurer’s duty to defend was triggered under advertising injury liability coverage where the underlying complaint set forth allegations of trade [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-3775" title="Insurance" src="http://cyberinquirer.com/wp-content/uploads/2012/05/Insurance1-150x150.jpg" alt="" width="210" height="190" /><strong><span style="color: #333399;">Trade dress insurance coverage is alive and well. At least in Wisconsin. In <em><a href="http://www.wisbar.org/res/capp/2012/2011ap001464.htm">Acuity v. Ross Glove Company</a></em>, 2012 WL 1109035 (Wis. Ct. App. April 4, 2012), the Wisconsin Court of Appeals held that an insurer’s duty to defend was triggered under advertising injury liability coverage where the underlying complaint set forth allegations of trade dress infringement.</span></strong></p>
<p><strong><span style="color: #333399;">In the <em>Acuity </em>case, Ross Glove purchased a commercial general liability policy from Acuity, which included advertising injury liability coverage. The policy at issue defined “advertising injury”, in part, as “infringing upon another‘s copyright, trade dress or slogan in your advertisement.”</span></strong></p>
<p><span id="more-3770"></span>Ross Glove is a manufacturer of cold weather neck and face protectors. In 2009, Seirus Innovative Accessories, Inc. filed suit against Ross Glove for alleged patent infringements and trade dress infringement, alleging that Ross Glove “unlawfully and without license or right, copied, imitated, and otherwise created a collection of” trade dress products. Seirus further alleged that Ross Glove also packaged the accused trade dress products “to emulate, imitate, palm off as, and pass off its products as the Seirus products.”</p>
<p>Ross Glove notified Acuity of Seirus’ claims and requested that it be defended and indemnified under the CGL policy. Acuity denied any obligation to defend or indemnify Ross Glove under the policy and commenced a declaratory judgment action. The trial court found that Acuity did not have a duty to defend. The Wisconsin Court of Appeals reversed, finding that it was reasonable to infer that the Seirus Complaint alleged injury arising from trade dress infringement.</p>
<p>In reversing the trial court, the Court of Appeals analyzed and applied the three conditions set forth in <em>Fireman’s Fund Ins. Co. v. Bradley Corp</em>., 261 Wis.2d 4 (2003) to the facts of this case: “(1) Does Seirus&#8217; complaint state an offense covered under the advertising injury provision of Acuity&#8217;s policy? (2) Does Seirus&#8217; complaint allege that Ross Glove engaged in advertising activity? (3) Does Seirus&#8217; complaint allege a causal connection between the injury alleged and Ross Glove&#8217;s advertising activity?”</p>
<p>In applying these conditions the Court first held that the Seirus Complaint stated an offense covered under the “advertising injury” provision of Acuity’s policy. The Court reasoned that Seirus alleged trade dress infringement by Ross Glove in violation of the federal Lanham Act, which was “ ‘designed to create a new federal remedy for the particular kind of unfair competition that results from false designation of origin or other false representation used in connection with the sale of a product.’” Seirus’ allegations that Ross Glove’s products emulated and imitated Seirus’ products, therefore causing “confusion, mistake, and deception as to the source and origin” of the products sufficiently alleged an “advertising injury.”</p>
<p>Second, the Court found that the Seirus Complaint alleged that Ross Glove engaged in advertising activity since the Complaint sought to hold Ross Glove liable for infringement in its advertisement—a notice published to the general public about the product in an effort to attract customers. The Court held that the third condition was also satisfied—that the Seirus Complaint alleged a causal connection between its alleged injury and Ross Glove’s advertising activity. Specifically, the Complaint alleges that Ross Glove created packaging for products that misled the public as to their source of origin. The Court found that it was reasonable to infer that a causal connection existed between the alleged injury and the advertising injury.</p>
<p>Insurers providing “advertising liability insurance” should take note of the factors being considered by courts when determining whether their policy obligations have been triggered. The <em>Acuity </em>case provides insight into at least one court’s analysis, and, perhaps, predisposed leanings to find in favor of insurance coverage.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/05/13/if-the-glove-fits-you-must-defend/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Implications of a Cyberattack on Your Securities Portfolio: You May Want to Read Your Holdings’ 10-Ks</title>
		<link>http://cyberinquirer.com/2012/03/31/the-implications-of-a-cyberattack-on-your-securities-portfolio-you-may-want-to-read-your-holdings%e2%80%99-10-ks/</link>
		<comments>http://cyberinquirer.com/2012/03/31/the-implications-of-a-cyberattack-on-your-securities-portfolio-you-may-want-to-read-your-holdings%e2%80%99-10-ks/#comments</comments>
		<pubDate>Sun, 01 Apr 2012 01:16:54 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Securities Law (SEC)]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=1325</guid>
		<description><![CDATA[So, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1330" href="http://cyberinquirer.com/2012/03/31/the-implications-of-a-cyberattack-on-your-securities-portfolio-you-may-want-to-read-your-holdings%e2%80%99-10-ks/j0295158-2/"><span style="color: #000080;"><img class="alignleft size-full wp-image-1330" title="Money falling" src="http://cyberinquirer.com/wp-content/uploads/2010/04/j02951581.gif" alt="falling money" width="88" height="71" /></span></a><strong><span style="color: #000080;">So, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. </span>See</strong> <a href="http://cyberinquirer.com/?cat=14&amp;paged=2"><span style="color: #333399;">here</span></a>.</p>
<p>Take, for example, Intel (INTC). In the &#8220;Risks&#8221; section of its 2009 10-K, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. Kudos to Intel for making this disclosure, which predated the October 2011 publication of the SEC Guidance addressing public companies&#8217; cyber risks and exposures (discussed <a href="http://cyberinquirer.com/2011/10/29/securities-law-and-cyber-disclosures-perfect-together-especially-for-cyber-and-tech-underwriters-and-brokers-and-me/">here </a>and elsewhere, including in the March 2012 edition of the Advisen Cyber Journal. Please feel free to contact me for details on how to obtain this must-read issue and subscribe. Advisen has done a masterful job, as it does with all of its publications). As will be discussed in my next post, a significant number of public companies still have not complied with their cyber risk and cyber exposure reporting &#8220;obligations&#8221; under the SEC Guidance.</p>
<p>As to Intel, the subject 10-K listed several noteworthy risks. The most intriguing stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.&#8221;</p>
<p>The adverse economic impact of a cyber-related disclosure is not theoretical, either. Indeed, in the immediate wake of the News Corp./News of the World cell phone hacking scandal in mid-2011, News Corp&#8217;s market cap reportedly fell by over 15%, valued at approximately $7 billion, in less than a week. Not surprisingly, News Corp was sued shortly thereafter in a series of securities fraud class actions, which remain pending.</p>
<p>While cyber risks and exposures may or may not have an impact on a stock’s trading price, their potential impact cannot be ignored. Google (GOOG) is another example. As previously discussed <a href="http://cyberinquirer.com/?p=716"><span style="color: #333399;">here</span></a>, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development cannot be overstated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. By April 25, 2010, Google’s shares were trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.</p>
<p>So, what does this all mean? At a minimum, it suggests that the economic implications of a cyber event can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brand’s reputation (remember News of the World? After 168 years of tremendous success globally, it ceased publishing on July 10, 2011 as a direct result of the hacking scandal), all the way to claims arising from the theft of consumers’ personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) led TJX to settle with regulators, states, consumers and others and to set a settlement/remediation reserve of over $100 million.</p>
<p><span style="color: #000000;">In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&amp;O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/03/31/the-implications-of-a-cyberattack-on-your-securities-portfolio-you-may-want-to-read-your-holdings%e2%80%99-10-ks/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>WARNING: HHS Now Combating HIPAA Violations With HITECH Weaponry</title>
		<link>http://cyberinquirer.com/2012/03/26/warning-hhs-now-combating-hipaa-violations-with-hitech-weaponry/</link>
		<comments>http://cyberinquirer.com/2012/03/26/warning-hhs-now-combating-hipaa-violations-with-hitech-weaponry/#comments</comments>
		<pubDate>Tue, 27 Mar 2012 00:55:38 +0000</pubDate>
		<dc:creator>Sal Rotella</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Crisis Management]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Non-Profit Entities]]></category>
		<category><![CDATA[Personal Health Information]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3731</guid>
		<description><![CDATA[The following article was co-written by my Health Care Department colleagues Sal Rotella and Bill Conaboy. Thanks guys! Rick On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article was co-written by my Health Care Department colleagues Sal Rotella and Bill Conaboy. Thanks guys!</strong></p>
<p><strong>Rick</strong></p>
<p><a href="http://www.ucdenver.edu/academics/research/AboutUs/regcomp/hipaa/PublishingImages/Privacy_Lock_300_jpg.jpg"><img class="alignleft" src="http://www.ucdenver.edu/academics/research/AboutUs/regcomp/hipaa/PublishingImages/Privacy_Lock_300_jpg.jpg" alt="" width="275" height="225" /></a><strong><span style="color: #333399;">On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).</span></strong></p>
<p><strong><span style="color: #000000;">The HITECH Act and HIPAA Enforcement</span></strong></p>
<p>HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”</p>
<p><span id="more-3731"></span>HITECH’s breach notification rule changed the game with respect to HIPAA enforcement; HHS now has the ability to impose previously unheard-of civil monetary penalties for violations of HIPAA’s privacy and security regulations. The HITECH Act established a four-tier penalty system, under which the CMP per violation increases along with a covered entity’s culpability for the breach. For instance, as a result of HITECH, HHS can now assign culpability and issue fines ranging from at least $100 per violation, where a person neither knew nor reasonably could have known of the violation, to $50,000 per violation, where a person intentionally failed to remedy a known breach. This range of fines significantly broadened HHS’s enforcement authority. In addition, HITECH carries a maximum $1.5 million penalty for any violation, a far cry from the pre-HITECH maximum penalty of $25,000.</p>
<p><strong>BlueCross BlueShield of Tennessee – The Facts</strong></p>
<p>Shortly after the HITECH Act passed – and before it was officially announced by an HHS press release – BCBST began relocating its Chattanooga offices. After it had relocated its staff, BCBST still needed to move various storage containers, including a “network data closet” housing 57 hard drives. The hard drives contained over 1.3 million video and audio recordings of customer service calls, including the PHI of health plan members, such as member names, member ID numbers, diagnosis codes, dates of birth, and social security numbers. BCBST made various efforts to secure the data closet’s contents. For example, the “closet” was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. BCBST’s former landlord also continued to provide security for the closet. Despite these seemingly extensive security efforts, on Monday, October 5, 2009, BCBST discovered that the 57 hard drives had been stolen. As required by the HITECH Act, BCBST self-reported the breach to HHS.</p>
<p><strong>HHS Applies HITECH’s New Four-Tiered Penalty System</strong></p>
<p>The BCBST case highlights the potential consequences of reporting a breach. The case also demonstrates the significant monetary exposure that results even from apparent mere negligence. Notwithstanding BCBST’s significant efforts to secure the hard drives, the company was still fined $1.5 million because of the sheer number of individuals whose PHI was disclosed.</p>
<p>HHS’s enhanced ability to enforce HIPAA policies under the HITECH Act underscores the importance of developing, maintaining and testing comprehensive privacy and security policies. As the HHS Office for Civil Rights (OCR) commented, the BCBST settlement “sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/03/26/warning-hhs-now-combating-hipaa-violations-with-hitech-weaponry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Underwriters Don’t Know Can Cost Them…Dearly</title>
		<link>http://cyberinquirer.com/2012/03/17/what-insurers-dont-know-can-cost-them-dearly/</link>
		<comments>http://cyberinquirer.com/2012/03/17/what-insurers-dont-know-can-cost-them-dearly/#comments</comments>
		<pubDate>Sat, 17 Mar 2012 12:26:01 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Credit Cards]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Intrusion]]></category>
		<category><![CDATA[Laundering]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Theft]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=268</guid>
		<description><![CDATA[The occurrence and frequency of cyber breaches are not as transparent as one might expect.  Or hope, for that matter.  To the contrary, the FBI’s chief cyber crimes investigator recently admitted that “thousands” of cyber crimes have gone unreported due to companies’ fears about the impact of adverse publicity on their reputations and bottom lines. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-269 alignleft" title="j0282993" src="http://cyberinquirer.com/wp-content/uploads/2009/11/j0282993.gif" alt="j0282993" width="128" height="128" /><span style="color: #666699;"><strong>The occurrence and frequency of cyber breaches are not as transparent as one might expect.  Or hope, for that matter.  To the contrary, the FBI’s chief cyber crimes investigator recently admitted that “thousands” of cyber crimes have gone unreported due to companies’ fears about the impact of adverse publicity on their reputations and bottom lines. </strong></span></p>
<p>According to Shawn Henry, assistant director of the FBI’s Cyber Division, hackers regularly access computer security systems and steal millions of dollars and credit card numbers without such incidents ever being publicly reported.  Indeed, Mr. Henry has acknowledged that “[o]f the thousands of cases that we’ve investigated, the public knows about a handful… There are million-dollar cases that nobody knows about.”</p>
<p>And the problem is not limited to Fortune 500 and other large companies such as TJX and Heartland, which have voluntarily disclosed cyber intrusions.  Indeed, the incidence of cyber attacks on such companies is growing marginally or even shrinking, as these entities implement more complex security systems.  The more frequent target has become medium-sized and small companies which do not have the resources or perhaps the ability or interest to enhance their cyber protections.  The same goes for private citizens whose personal wealth and, equally troublesome, personal secrets may be at risk as their personally identifiable information is wrongfully retrieved and then used to access their bank and other investment accounts.  Needless to say, no one wants to admit they’ve been hit or that their resources have been stolen.  The stigma alone is a major deterrent to such public disclosures. (“Hey Joe… guess what… I was just robbed of $10 million!! And, they learned that I’ve been cheating on my spouse for the past ten years… How about that!!!”).</p>
<p>For cyber insurers, a prospective policyholder’s unwillingness to disclose such intrusions can be a major problem, from both an underwriting and a claims perspective.  As always, the key is proper, detailed due diligence up-front.  Underwriters cannot take for granted that they would or should know about an intrusion at a potential account.  They must ask the right questions, require the proper warranties, and “pull back the curtain” to ensure that the risks they take on are just that – risks – rather than cyber intrusions waiting to happen.  “Penny-wise, pound foolish” is particularly apt.  Spend the time and money to vet your proposed accounts.  The cost of a claim or related coverage litigation will dwarf the expense of a thorough underwriting investigation.  Unlike the availability of insurance, that is a guarantee.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/03/17/what-insurers-dont-know-can-cost-them-dearly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Dos and Don’ts of Navigating The Cloud: A Business Guide For Cloud Computing</title>
		<link>http://cyberinquirer.com/2012/03/06/the-dos-and-don%e2%80%99ts-of-navigating-the-cloud-a-business-guide-for-cloud-computing/</link>
		<comments>http://cyberinquirer.com/2012/03/06/the-dos-and-don%e2%80%99ts-of-navigating-the-cloud-a-business-guide-for-cloud-computing/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 19:42:58 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networks]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=2318</guid>
		<description><![CDATA[Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet.  Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-2319" href="http://cyberinquirer.com/2012/03/06/the-dos-and-don%e2%80%99ts-of-navigating-the-cloud-a-business-guide-for-cloud-computing/attachment/00282764/"><img class="alignleft size-full wp-image-2319" title="00282764" src="http://cyberinquirer.com/wp-content/uploads/2010/12/00282764.gif" alt="" width="150" height="159" /></a><span style="color: #000080;"><strong>Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet.  Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.</strong></span></p>
<p>The cloud’s economic benefits are clear.  Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.</p>
<p>Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:</p>
<p><span id="more-2318"></span></p>
<p><strong><span style="text-decoration: underline;">Evaluate Your Business Needs Before Negotiating A Cloud Contract </span></strong></p>
<p>It is critical to identify your business needs to successfully negotiate an appropriate cloud computing contract.  First, consider whether the contract should be tailored, as opposed to being a standard boilerplate form.   If you want to have routine, non-sensitive data serviced, it often makes sense to accept a standard, less onerous form of agreement, provided the indemnities and protections are appropriate. </p>
<p>Alternatively, if your business involves proprietary, confidential or regulated information or data of any sort, you must consider the potential serious legal implications of using cloud storage.  You also will need to ensure that the necessary protections exist before signing on the dotted line.</p>
<p>As a preliminary note, negotiations may be difficult if the bargaining power skews in favor of a cloud service provider.  But in most cases, it does not.  Indeed, there are myriad cloud service providers available, affording the potential client greater leverage and bargaining power than the service provider.  This advantage should not be ignored.  As such, be steadfast in negotiations with respect to the storage and protection of your own (or your clients’) business data and personally identifiable information. </p>
<p><strong><span style="text-decoration: underline;">Include Key Provisions In Your Contract To Protect Against Future Risk</span></strong></p>
<p>Insist on a number of key contract provisions to manage the everyday risks associated with entering confidential business and personal data into the cloud.</p>
<p>As a threshold, you should require the service provider to maintain the utmost confidentiality of your information and be transparent with respect to its security policies and procedures in order to ensure data integrity, availability and confidentiality. In this regard, insist on the same from the service provider’s subcontractors and others with access to the cloud so that you are notified if and when third parties are afforded access to your business and personal data.  In addition, a provision should be included confirming that you are the sole owner of the stored data and identifying the limitations on the scope of the services to be provided under the cloud vendor agreement.</p>
<p>Other key terms to be considered are ones which:</p>
<p>(1) establish protocols dictating how and when the service provider must respond to a security breach incident, including one or more provisions requiring the service provider to immediately inform you of a breach, assist you with the investigation, containment and mitigation of the breach, and allow you to conduct your own investigation;</p>
<p>(2) set forth how and when the service provider must respond to legal process such as complaints, subpoenas or other requests for your clients’ data, including requiring that the service provider notify the affected client(s), preferably within hours, of such developments;</p>
<p>(3) afford full transparency with respect to the service provider’s data retention and destruction policies, coupled with a mandate enabling you to create your own data retention and preservation programs (for both data and meta-data);</p>
<p>(4) provide you with an efficient means of authenticating data to ensure that no information has been modified, changed or corrupted; and</p>
<p>(5) require limitations on the service provider’s right to move data within the cloud from one jurisdiction to another to avoid application of multi-jurisdictional rules and regulations.</p>
<p>Finally, and perhaps just as important as the provisions governing the confidentiality and security of your data, a cloud contract should include an indemnification agreement protecting and holding you harmless if the confidentiality, security or other key provisions are breached by the service provider, its subcontractors or others.   Such an indemnity agreement ensures that you are defended and compensated for any claims resulting from the provider’s or its agents’ acts, errors or omissions, including with respect to confidential data, intellectual property and otherwise.</p>
<p>For example, in the city of Los Angeles’s service contract with Google, Los Angeles is entitled to a minimum of $10,000 if its data is compromised.  The city also has the power to seek unlimited damages if it determines that the breach was egregious. Such monetary damages will help remediate any loss or penalties incurred by the city as a result of the breach.</p>
<p><strong><span style="text-decoration: underline;">Ensure Your Provider is Diligent</span></strong></p>
<p>Identifying the threats facing cloud service providers will not only help you more successfully negotiate the contractual provisions noted above, but also enable you to make an informed decision when selecting a service provider.</p>
<p>Make sure that your provider has strong security procedures and controls in place to thwart daily (and oftentimes real) threats of accidental and malicious attempts to breach weak or insecure interfaces. Specifically, a cloud’s registration process can allow anyone with a credit card (or technical savvy) to instantly gain cloud entry and corrupt it with viruses, Trojan horses and the like. Confirm that the cloud service provider continually enhances and upgrades its initial registration procedures and proactively monitors the cloud to detect unauthorized and oftentimes dangerous activity.</p>
<p>The provider also should set up a firewall at each network location and between each security zone within the cloud. Firewall configuration should deny access to non-trustworthy sources, avoid vendor-supplied default passwords, restrict access from systems that have direct external connections and from those which contain confidential data, and so on. Among other tools, data protection can be provided through the use of encryption keys.</p>
<p>In short, a cloud computing contract must contain well-tailored provisions to protect your business, reputation and assets at all turns.   Armed with an appropriately structured contract and a vigilant provider, you, as an actual or prospective cloud user, will be able to effectively benefit from the cloud’s infrastructure and maximize its unrivaled and cost-effective level of efficiency.</p>
<p>Cozen O’Connor member and <a href="http://cyberinquirer.com/">cyberinquirer.com</a> blogger <a href="http://cozen.com/attorney_detail.asp?d=1&amp;atid=575">Rick Bortnick</a> advises clients on cyber risks and remediation efforts. <a href="http://www.cozen.com/attorney_detail.asp?d=1&amp;atid=1262">Nicole Moody</a>, an associate at the firm, has counseled insurers on technology professional liability policies.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/03/06/the-dos-and-don%e2%80%99ts-of-navigating-the-cloud-a-business-guide-for-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>UPDATE: Whose Account Is It Still?</title>
		<link>http://cyberinquirer.com/2012/02/21/update-whose-account-is-it-still/</link>
		<comments>http://cyberinquirer.com/2012/02/21/update-whose-account-is-it-still/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 19:38:04 +0000</pubDate>
		<dc:creator>Michael Schmidt</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Domain Names]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3715</guid>
		<description><![CDATA[The following article was first published by our colleague Michael Schmidt on his blog, Social Media Employment Law Blog. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike. Two weeks ago, I discussed the California [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article was first published by our colleague Michael Schmidt on his blog, <a href="http://www.socialmediaemploymentlawblog.com/opinions/update-whose-account-is-it-still/">Social Media Employment Law Blog</a>. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike.</strong></p>
<p><img class="alignleft" src="http://cindykimblog.files.wordpress.com/2010/02/social-media-risks_image_0203101.jpg?w=225&amp;h=225" alt="" width="225" height="144" /><strong><span style="color: #333399;">Two weeks ago, </span><a href="http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/"><span style="color: #333399;">I discussed the California case </span></a><span style="color: #333399;">of PhoneDog v. Kravitz, where an employee, who used a company Twitter account as part of his job duties, left the company and continued to use the same Twitter account and tweet to the same followers. The (former) employee claimed that he had the right to continue tweeting, and PhoneDog responded that he was barking up the wrong tree (best I could do at the moment). As I mentioned in my last post, the court had denied the employee’s attempt to dismiss the entire case at inception, and allowed the company to amend its complaint to provide more specificity on some of its claims. Time for an update.</span></strong></p>
<p><span id="more-3715"></span>Since that decision, PhoneDog amended its complaint to re-allege claims for intentional interference with prospective economic advantage and negligent interference with prospective economic advantage. Then, the employee filed another request to dismiss those two claims, demonstrating that he was up for a dog fight (I’m trying). Three days ago, on January 30th, the court again denied the employee’s dismissal request, ruling that the company had now sufficiently clarified – at least for pleading purposes – how it did have economic relations with the 17,000 followers of the Twitter account, and how those relations were disrupted by the employee’s post-resignation conduct. The impact of that ruling is that PhoneDog can now proceed with the case, and the significant time and money that the employee will be forced to spend responding to requests for information and documents, and appearing at depositions.</p>
<p>Employer Take Away: What should you as an employer take away from this development?</p>
<p>In the dog-eat-dog world of competition between companies and their employees (I’m gaining some momentum here), the outcome of this case may provide our first definitive guidance on the questions of how we should define a “trade secret” when it comes to social media, and the extent to which social media forums and networks belong to the employer or the employee. In the meantime, those issues can be addressed to a large extent by having your employees sign appropriate agreements that define these ownership issues.</p>
<p>We will continue to monitor the PhoneDog case for you, and update you on any significant developments. Until then (I’m ready for a big finish)… We may not learn much before the dog days of summer, but it may just be that, in the end, the former employee can’t be running with both hounds and hares when it comes to being provided access to a Twitter audience by his employer and then trying to keep that audience when he leaves.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/02/21/update-whose-account-is-it-still/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Access to Insured’s Social Media Accounts: No Friend Request Necessary</title>
		<link>http://cyberinquirer.com/2012/02/06/access-to-insured%e2%80%99s-social-media-accounts-no-friend-request-necessary-2/</link>
		<comments>http://cyberinquirer.com/2012/02/06/access-to-insured%e2%80%99s-social-media-accounts-no-friend-request-necessary-2/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 01:46:52 +0000</pubDate>
		<dc:creator>Nicole Moody</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Discovery]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Subpoenas]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3696</guid>
		<description><![CDATA[The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here. Rick Bortnick Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article, written by my colleague Nicole Moody, first appeared in the <em>Chicago Daily Law Bulletin</em>. Thanks to Nicole for allowing us to republish it here.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<p><a href="http://www.wizmarketings.com/wp-content/uploads/2011/06/Austin-Social-Media-Marketing.jpg"><img class="alignleft" src="http://www.wizmarketings.com/wp-content/uploads/2011/06/Austin-Social-Media-Marketing.jpg" alt="" width="210" height="210" /></a><strong><span style="color: #333399;">Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request.  Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.</span></strong></p>
<p>Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.</p>
<p>In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation. </p>
<p><span id="more-3696"></span>Not surprisingly, in coverage litigation, insurance companies are requesting access to information contained in their insured’s social media accounts, such as Facebook. Currently, courts are divided as to whether insurers or other involved entities are entitled to non-public portions of the social media account, requiring disclosure of usernames and passwords. As the cases discussed below suggest, whether an insurer or other entity may view privately-held information depends on whether the publicly-shared information provides a factual predicate for further discovery into the insured’s social media account.</p>
<p>Several cases have upheld an insurer’s right to subpoena its insured’s Facebook or other social media account in coverage litigation. In <em>Beye v. Horizon Blue Cross Blue Shield of New Jersey</em>, the plaintiffs, parents of children who allegedly suffer from anorexia or bulimia, sued their health insurer for denying claims for benefits for their children. The plaintiffs asked the court to reconsider ordering them to produce information contained on their children’s social media accounts.  While declining to vacate its order, the court modified the information that must be disclosed.  To alleviate privacy concerns, the court required only production of the entries made on Facebook or MySpace that the beneficiaries shared with others. The court explained that “[t]he privacy concerns are far less where the beneficiary herself chose to disclose the information.”</p>
<p>A recent New York Supreme Court case demonstrates both the impact that information posted on Facebook has on an insurer’s coverage analysis as well as the Court’s hesitation to provide unfettered access into a personal Facebook account. The insured sought underinsured motorist benefits after he allegedly suffered personal injuries as a result of a car accident. The insured claimed that “he was unable to work, had difficulty walking, and was unable to lift heavy objects, run, ski, dance, or walk up stairs.” The insurance company argued that no coverage existed as the insured breached its contract by misrepresenting material facts in violation of the insurance policy. In support of its argument, the insurer pointed to pictures of the insured posted on “publicly available portions” of his Facebook account. These photographs depicted the insured participating in numerous activities, including standing on top of a pool slide, climbing the pool’s ladder, and bending over a boat trailer. Several of the photographs were included in an album entitled, “Another day of play . . . . I gotta get a job.” </p>
<p>In light of this information, the insurer sought additional discovery and an order compelling the insured to provide unlimited access to his Facebook account. The Court held that additional discovery, including unlimited access to the insured’s Facebook account, was unwarranted at that time. The Court found that this discovery request was overly broad and that there was no showing that the material sought was necessary and not cumulative. Significantly, however, the Court left the door open to a narrower discovery request for such information.</p>
<p>Given Facebook’s global reach, the discoverability of information posted there is not solely a U.S. concern. In 2009, a Canadian woman’s disability benefits were discontinued after her insurer found Facebook pictures of her seemingly having a good time on vacation. She had been on leave from her job and receiving disability benefits for severe depression. While the insurer claimed that the Facebook pictures were only a “piece of the puzzle,” they undoubtedly played a significant role in its decision to discontinue her benefits.</p>
<p>Discoverability of social media information is of interest not only to an insurer in coverage litigation, but also to insurers providing a defense for their insureds in underlying litigation. In <em>Zimmerman v. Weis Markets, Inc.</em>, a Pennsylvania court was not deterred by privacy concerns when it compelled access to social media accounts. The plaintiff sued the defendant after he allegedly suffered injuries while operating a forklift at the defendant’s warehouse. The court ordered the plaintiff to disclose his usernames and passwords for any and all MySpace or Facebook accounts to the defendant.</p>
<p>The court thus permitted discovery into the non-public portions of the plaintiff’s Facebook and MySpace accounts to determine whether he had in fact suffered the physical injuries claimed in his complaint. The court reasoned that “Facebook’s privacy policy explains that users post any content on the site at their own risk and informs users that this information may become publicly available.” At the same time, the court clarified that it did not support “a carte blanche entitlement to Facebook and MySpace” as part of discovery requests. Rather, the court noted that review of the publicly available information warranted further discovery into the privately-held information.</p>
<p>Both in coverage litigation against an insured and in defending an insured in underlying litigation, the discoverability of information contained in social media accounts is significant in assessing liability and preparing litigation strategy. As these cases illustrate, in addition to publicly-available information, access to an insured’s privately-held information in his or her social media accounts may be compelled, especially if the discovery request is properly supported by facts casting doubt on the genuineness of the insured’s representations. In today’s world, it seems as though the information previously attainable only by an accepted “friend request” can just as likely be attained by a “discovery request.”</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/02/06/access-to-insured%e2%80%99s-social-media-accounts-no-friend-request-necessary-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Must Attend Event for European Readers: Advisen’s Cyber Liability Insights Conference</title>
		<link>http://cyberinquirer.com/2012/02/01/a-must-attend-event-for-european-readers-advisens-cyber-liability-insights-conference/</link>
		<comments>http://cyberinquirer.com/2012/02/01/a-must-attend-event-for-european-readers-advisens-cyber-liability-insights-conference/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 01:43:51 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[General Interest]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3674</guid>
		<description><![CDATA[I strongly encourage our many European readers to attend the upcoming Advisen Cyber Liability Insights Conference to be held on 13 March at The Willis Building in the City. The inaugural Cyber Insights Conference which Advisen presented in NYC in October was a smashing success and the program planners are expecting an equally respectable turnout in London. Our friends at Advisen have recruited thought [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://corner.advisen.com/corner_img/CLIC_London_Logo.png"><img class="alignleft" src="http://corner.advisen.com/corner_img/CLIC_London_Logo.png" alt="" width="252" height="102" /></a><span style="color: #333399;"><strong>I strongly encourage our many European readers to attend the upcoming Advisen Cyber Liability Insights Conference to be held on 13 March at The Willis Building in the City. The inaugural Cyber Insights Conference which Advisen presented in NYC in October was a smashing success and the program planners are expecting an equally respectable turnout in London.</strong></span></p>
<p>Our friends at Advisen have recruited thought leaders from across the European cyber and technology industries (and a certain U.S. lawyer/blogger) to discuss a myriad of topics of interest to underwriters, brokers and risk managers alike. Speakers include luminaries such as Paul Bantick of Beazley, Stephen Boddington of Chartis, Robert Bond of Speechly Bircham, Dan Trueman of ANV, Chris Cotterell of Safeonline, Emily Freeman of Lockton, Simon Milner of JLT Specialty, Joe Trotti and Jeremy Smith of Willis, Tony Dearsley of Kroll Ontrack, Stewart Room of Field Fisher Waterhouse, Andrew Horrocks of Clydes, yours truly, and a host of others.</p>
<p> Among other cutting-edge topics, we will discuss Privacy and Data Security Regulation, Coverages and Coverage Issues, CyberSecurity Disclosures and Exposures, and Data Breach Responses and Strategies.</p>
<p>Equally important, the program is priced at a level that firms and companies will find extremely attractive. And did I mention that there is no cost at all for Risk Managers to attend?</p>
<p>For program and registration information, please visit<strong> <a href="https://www.signup4.net/Public/ap.aspx?EID=CYBE21E">https://www.signup4.net/Public/ap.aspx?EID=CYBE21E</a></strong>. Or, feel free to drop me a line at<span style="color: #333399;"><strong> <a href="mailto:rbortnick@cozen.com"><span style="color: #333399;">rbortnick@cozen.com</span></a><span style="color: #333399;">.</span></strong></span></p>
<p>I look forward to seeing everyone there!</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/02/01/a-must-attend-event-for-european-readers-advisens-cyber-liability-insights-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Whose Account Is It Anyway?</title>
		<link>http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/</link>
		<comments>http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/#comments</comments>
		<pubDate>Sat, 28 Jan 2012 16:53:21 +0000</pubDate>
		<dc:creator>Michael Schmidt</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Domain Names]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3664</guid>
		<description><![CDATA[The following article was first published by our colleague Michael Schmidt on his blog, Social Media Employment Law Blog. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike. What would you do if your employee continued to use [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://cindykimblog.files.wordpress.com/2010/02/social-media-risks_image_0203101.jpg?w=225&amp;h=225"><img class="alignleft" src="http://cindykimblog.files.wordpress.com/2010/02/social-media-risks_image_0203101.jpg?w=448&amp;h=289" alt="" width="228" height="228" /></a><strong>The following article was first published by our colleague Michael Schmidt on his blog, <a href="http://www.socialmediaemploymentlawblog.com/general-social-mediaemployment-law-discussion/whose-account-is-it-anyway/">Social Media Employment Law Blog</a>. It is part of our continuing effort to keep <em>Cyberinquirer </em>readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike.</strong></p>
<p><strong><span style="color: #333399;">What would you do if your employee continued to use your company’s Twitter account after he stopped working for you?</span></strong></p>
<p><strong><span style="color: #333399;">What if your (former) employee claimed that he, not your company, actually owned the rights to the Twitter followers?</span></strong></p>
<p><strong><span style="color: #333399;">Ever thought about it?</span></strong></p>
<p><strong><span style="color: #333399;">I have posted several times about how social media has not created new causes of action, but rather has provided a new application for traditional claims. One of the areas that I surmised would develop in time was the interplay between social media and post-employment competition and trade secret rights. According to two new decisions, that time has apparently come.</span></strong></p>
<p><strong><span style="color: #333399;">In PhoneDog v. Kravitz (Northern District of California), the company gave its employee (Kravitz) use of a Twitter account as part of his employment. Kravitz tweeted information to promote the company’s services, and generated approximately 17,000 followers. Kravitz left the company, and, while he changed the account “handle”, he continued to use the same account to tweet to the same followers. PhoneDog sued Kravitz for continuing to use the Twitter account, claiming that the “compilation of subscribers and the password used to access the account” constituted company trade secrets. Valuing each of the 17,000 followers at $2.50, the company sought damages of $340,000 for “stealing” each of those followers for 8 months.</span></strong></p>
<p><span id="more-3664"></span>The court denied Kravitz’s request for immediate dismissal of the entire case, finding that the complaint sufficiently alleged (for initial, liberal allegation purposes) a trade secret/misappropriation claim, and, thus, that the parties would have to further develop their positions through discovery. The court also refused to dismiss the company’s claim that the Twitter account (and not just the “handle”) constituted company property and should have been surrendered at termination.</p>
<p>Similar issues were raised in Eagle v. Edcomm, Inc. (Eastern District of Pennsylvania), though this time involving LinkedIn. Dr. Eagle had a Ph.D in communication and psychology, and co-founded Edcomm, Inc. to provide financial and related training services. Eagle established a LinkedIn account (with the assistance of company administration, who knew the password), which she used in part to promote the company’s services, as well as to develop her professional reputation and network. After the company was purchased by a third party, Eagle and others were terminated, and the company later changed Eagle’s password and her account profile to display the name and photo of the company’s new chief executive officer.</p>
<p>Eagle sued the company, alleging violations of the Computer Fraud and Abuse Act, and identity misappropriation/theft. The company asserted a counterclaim, arguing that the LinkedIn account was created using the company’s e-mail addresses and substantive templates to provide certain information, which rendered the accounts company property. In its decision on Eagle’s request for the immediate dismissal of the counterclaim, the court ruled that certain company claims could advance. Of note, the court found that the company is entitled to develop through discovery that it was its own staff that “developed the [LinkedIn] accounts and maintained the connections, which are the route through which” the company has its relationships with client contacts to provide services. In the end, as with the PhoneDog case, the court was not willing to make a determination as to ownership of the social media account at the early stages of the case.</p>
<p>What should an employer take away from this development?</p>
<p>There are a few issues that were not addressed by either of these inception-stage decisions, including the extent to which the accounts’ user agreements should play a role in determining appropriate expectations and true ownership rights between employer and employee. Nevertheless, your company should consider creating policies and agreements that address not only the substance of what is posted or done through social media, but also the important ownership and access issues that may arise during, and particularly after, an employee’s employment. That is especially true for any employees whose job duties include engaging in social media activities on behalf of your company.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Coverage Question</title>
		<link>http://cyberinquirer.com/2011/12/25/the-coverage-question/</link>
		<comments>http://cyberinquirer.com/2011/12/25/the-coverage-question/#comments</comments>
		<pubDate>Sun, 25 Dec 2011 21:11:07 +0000</pubDate>
		<dc:creator>Gregg Rapoport</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Credit Profile Number (CPN)]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Crisis Management]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Personal Health Information]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Security Numbers]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3621</guid>
		<description><![CDATA[We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.  The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in [...]]]></description>
			<content:encoded><![CDATA[<p><strong>We are grateful to the rapidly-growing number of <em>Cyberinquirer </em>readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters. </strong></p>
<p><strong>The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<p><img class="alignleft size-thumbnail wp-image-3627" title="neon-insurance" src="http://cyberinquirer.com/wp-content/uploads/2011/12/neon-insurance1-150x150.jpg" alt="" width="150" height="150" /><span style="color: #333399;"><strong>As they confront the sobering question of whether their networks and the data they carry are fully secure, today&#8217;s &#8220;C-level&#8221; executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.</strong></span></p>
<p>To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.</p>
<p><span id="more-3621"></span>Additionally, companies are assessing their contractual relationships with vendors with respect to protecting sensitive data, confirming that the company is fully indemnified and also enjoys the status of an additional insured under a vendor&#8217;s own insurance.</p>
<p>Cyber-risk insurance goes by various names, most of which include one or more terms such as &#8220;data,&#8221; &#8220;cyber,&#8221; &#8220;network&#8221; and &#8220;privacy.&#8221; This insurance has evolved over the past decade to become a standalone product rather than the assortment of special cyber-endorsements that had been tacked onto traditional policies covering commercial general liability, employment practices, directors and officers, commercial crime, fidelity bond, professional liability, and errors and omissions.</p>
<p>These endorsements had provided tailored coverage that otherwise may have been excluded, such as losses from &#8220;digital asset replacement expense,&#8221; &#8220;electronic data processing hardware and software,&#8221; &#8220;computer and funds transfer fraud,&#8221; &#8220;computer extortion,&#8221; and &#8220;crisis management and public relations,&#8221; as well as third party losses from &#8220;breach of privacy and security,&#8221; &#8220;media liability,&#8221; and &#8220;governmental fines and penalties.&#8221; The current offerings include some or all of these coverages, but unlike the many traditional policies, are not necessarily built off of standardized ISO forms and are far from interchangeable in terms of both coverage provisions and exclusions.</p>
<p>Litigation involving insurance coverage for data breaches is becoming increasingly prevalent, with a number of courts addressing the reach of various traditional business policies. Clear guidance from the courts is somewhat elusive, however. So before drawing too many conclusions from one or two high-profile examples, it is essential to consider specific policy language and weigh the significance of prior judicial interpretations.</p>
<p>For example, an insured business that tenders a data breach claim against its existing CGL policy could get push-back from its carrier, as Sony recently discovered when it sought coverage against privacy litigation after its PlayStation Network was breached in April and the personal data of approximately 77 million customers was stolen. The typical CGL policy includes complex and debatable definitions of several key terms, as well as potentially ambiguous exclusions relating to electronic data. Commercial crime and E&amp;O policies have also been the subject of coverage disputes arising from data breaches, with varying outcomes and ongoing cases now in the appellate courts.</p>
<p>It is still too early to predict the extent of coverage disputes relating to standalone cyber policies, but risk managers should expect the courts to begin hearing these cases in the near future. In short, great care should be taken before making any assumptions about whether coverage will or will not be found in a given case.</p>
<p>A risk manager thus faces the daunting task of assessing a highly technical set of security risks. He or she must weigh all the potential legal, financial, competitive and reputational consequences, compare those against existing insurance policies and determine if there is a need for specialized coverage. A mistake could devastate the company in the event of a data breach. Additionally, once an appropriate cyber-risk policy is selected, the company may undergo a technical audit by underwriters and may need to invest in additional security measures.</p>
<p>Due to the gravity and complexity of this process, it should involve a series of discussions among members of a team that includes well-informed risk, insurance, legal and information security professionals. Together, this partnership of experts will attempt to place the company&#8217;s needs somewhere along a spectrum of possible exposures and outcomes.</p>
<p>At one end of the spectrum, no new coverage may be needed. For example, a software maker that already carries &#8220;tech E&amp;O&#8221; insurance may already be sufficiently insured against the peril of a customer&#8217;s damage claims for negligence arising from a data breach incident. At the other end, some coverage may be impossible to obtain, such as insurance for punitive damages, which is largely prohibited as a matter of public policy. Most companies face potential outcomes that fall in the middle of the spectrum, where the decision is most complex.</p>
<p>Certain questions can provide a framework for the team to exchange information and reach a consensus on appropriate coverage. Here are 10 that every company should ask:</p>
<p>1. What is the nature of the data that may be compromised in a network security breach incident?<br />
2. What is the scope of the business risk that would arise from an attack on the network that involves the loss of data, the corruption of its integrity or the inability to access that data?<br />
3. What technology controls have we used to mitigate this risk?<br />
4. To what extent will our existing insurance policies cover this exposure?<br />
5. What are the features and limits of cyber-risk policies available to address the residual risk, and how much do they cost?<br />
6. Could we implement additional controls now to qualify for cyber-risk insurance at a lower cost?<br />
7. Are there any additional controls the insurance underwriters would require as a condition for coverage?<br />
8. Are there other steps we can take to reduce exposure to data breaches involving vendors and independent contractors who handle our data?<br />
9. Until the courts address and resolve potential cyber policy coverage issues, what legal uncertainties will we continue to face, and can those be addressed by negotiating endorsements?<br />
10. Whatever our decision today, under what circumstances should we revisit these issues?</p>
<p>By raising and responding to these questions, the management and advisory team will be able to navigate the company&#8217;s course through this largely uncharted territory and provide critical protection against evolving cyber-risk exposures.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/25/the-coverage-question/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An Insurer’s View: Examining the Rising Costs of Breaches</title>
		<link>http://cyberinquirer.com/2011/12/16/an-insurers-view-examining-the-rising-costs-of-breaches/</link>
		<comments>http://cyberinquirer.com/2011/12/16/an-insurers-view-examining-the-rising-costs-of-breaches/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 18:09:49 +0000</pubDate>
		<dc:creator>Rick Welsh</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Crisis Management]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Personal Health Information]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3598</guid>
		<description><![CDATA[The following article, written by renowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication. Rick Bortnick Today, no company &#8211; even with comprehensive privacy policies and practices &#8211; can be safe from data breaches. Can [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article, written by renowned London Market underwriter Rick Welsh, was first published in the November 2011 <em>Data Guidance</em> newsletter. A shout out to Rick for passing it on to us for republication.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<p><a href="http://4.bp.blogspot.com/_wgns7r5yd8c/SrPHugvNbqI/AAAAAAAAI5A/T-Es6FhnCig/s1600/data%20breach-thumb-640x200.jpg"><img class="alignleft" src="http://4.bp.blogspot.com/_wgns7r5yd8c/SrPHugvNbqI/AAAAAAAAI5A/T-Es6FhnCig/s1600/data%20breach-thumb-640x200.jpg" alt="" width="200" height="240" /></a></p>
<p><span style="color: #333399;"><strong>Today, no company &#8211; even with comprehensive privacy policies and practices &#8211; can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or &#8216;cyber crime&#8217; identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric&#8217;s limitations and the true exposure and cost of data breaches.</strong></span></p>
<p>The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual &#8216;Cost of Cyber Crime Study&#8217; issued by the Ponemon Institute in August 2011 found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, ranging from $1.5 million to $36.5 million per company. That annualised median was up 56% from the previous year&#8217;s study.</p>
<p><span id="more-3598"></span>The study takes into account a wide range of business costs, including expenses for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyses the economic impact of lost or diminished customer trust as measured by customer churn or turnover rates. The insurers however, are convinced that the true cost, and therefore exposure, is far higher.</p>
<p>To illustrate, the Study provides a cost-calculator which for the purposes of this article, was used to provide a sample cost-analysis for a fictitious company with the following attributes:</p>
<p>- part of the financial services industry;<br />
- a formal privacy and data protection security data policy has been implemented across the entire enterprise;<br />
- handles consumer and customer data, including credit card information;<br />
- handles employee records;<br />
- the company is unsure of the most likely cause of a data breach;<br />
- employees store sensitive data on laptops or removable storage;<br />
- sensitive data on all laptops or removable storage is encrypted;<br />
- there is a dedicated information security officer;<br />
- global headcount is between 25,001 and 75,000;<br />
- operations in all global regions;<br />
- is headquartered in the UK; and<br />
- an estimated 100,000 records are at risk in the event of a data breach.</p>
<p>Based on these inputs and the Ponemon Institute&#8217;s trend data, the risk exposure is as follows:</p>
<p>- Companies in the financial services industry with that risk profile have a likelihood of experiencing a data breach in the next 12 months of 9.3%.<br />
- The average cost per record is $66.<br />
- The average cost per breach is $7,906,667.</p>
<p>This is a necessarily subjective test, with obvious limitations. However, all of the recent large breaches and new regulatory focus &#8211; in the EU, US and globally &#8211; suggest that this cannot be a true measure of exposure, nor any true measure of the cost of a breach.</p>
<p>We believe that the true exposure faced by our clients necessitates a deeper understanding and more aggressive costing of reputational risk, shareholder/stakeholder risk and intellectual property risk.</p>
<p>The persistence and sophistication of the new corporate threats are significant, with attacks seeking more attractive payloads than credit card and personal health information (PHI) data. Although by its very nature accurate breach data is difficult to obtain, a secret report by the Canadian government published in November 2010 stated that 86% of all large Canadian corporations had been attacked. The report also stated that espionage hacking of the private sector had doubled in two years.</p>
<p>A March 2010 Forrester Research report found that proprietary knowledge and company secrets are twice as valuable as custodial data which refers to payment card information, and customer and medical data.</p>
<p>Media coverage after a data breach can affect a company&#8217;s brand reputation and shareholder value and therefore breaches are underreported. McAfee&#8217;s 2009 report on the Unsecured Economies, the first global study on the security of information economies, found that companies worldwide lost more than an estimated $1 trillion in 2008 due to data leaks, the cost of remediation and reputational damage.</p>
<p>The Report suggests that:</p>
<p>- One in seven companies has not reported data breaches to outside government agencies or authorities, or stockholders.<br />
- Only three in ten companies report all data breaches suffered, while one in ten companies will only report breaches that they are legally obliged to, and no more.<br />
- Six in ten companies currently &#8216;pick and choose&#8217; the breaches they report, depending on how they feel about them.<br />
- Almost half of surveyed companies experienced a small data breach, and almost a quarter of companies suffered a data breach in the last year.<br />
- Around a quarter of companies have had a merger and acquisition (M&amp;A) or a new product/solution rollout stopped or slowed by a data breach, or the credible threat of a data breach.</p>
<p>The admission of a significant vulnerability could flag other attackers, so very few companies are willing to be public about intellectual capital losses. M&amp;A activity, partnerships and product rollouts are all potential victims of cyber theft and the miscreants of the underground economy.</p>
<p>Perhaps this is why only a quarter of companies conduct forensic analysis of a breach, and only half of them take steps to remediate and protect systems for the future after a breach or attempted breach. More than half of companies have, at some point in their history, decided not to investigate a security incident because of the cost of such an investigation. Companies are more likely to investigate a small data breach internally, rather than bringing in external help. This lack of investigation means that potential vectors of attacks are not shored up and future threat persists: insiders are not identified, and incongruities are not investigated to identify a larger threat. This lack of remediation may open up companies to the risks of future breaches.</p>
<p>It is believed that this underground economy will continue to fuel rising exposure for companies. Yet, as difficult as it is for insurers and companies to measure this nebulous cost, there are new, more estimable exposures, and therefore costs, being added to the risk landscape: broader analysis includes the wider effects of a data breach such as:</p>
<p>- loss of brand or reputation, potential for regulatory actions, investigations, fines or penalties;<br />
- loss of customer goodwill, whether this is measured by turnover, client retention or balance sheet intangible assets;<br />
- claims against company directors and senior officers by customers and/or shareholders, including class actions or representative proceedings in the US, EU or Australia;<br />
- supply chain disruption or other contingent business interruption to the company&#8217;s operations;<br />
- loss of tangible assets such as monetary instruments or financial securities;<br />
- potential for future extortion against the company or its directors and senior officers;<br />
- claims for breach of confidentiality, copyright and intellectual property; and<br />
- industry-specific fines and penalties (such as for financial services, payment-card industry, healthcare).</p>
<p>Although insurers provide products to cover many of these exposures, the newest spectres are claims by shareholders and stakeholders against company directors, and class actions. The recent $4.9 billion lawsuit &#8211; stemming from a breach of back-up tapes containing personal information of almost five million US soldiers &#8211; confirms that the likelihood of consumers winning such a claim is still not high, unless they are able to show that the breach led to personal damages, such as non-reimbursed credit card fraud charges. Most case law torts in the US (and Australia) require the claimants to suffer some type of harm.</p>
<p>But legal sentiment may be changing: an appeals court in Boston last month ruled that a lawsuit could continue against grocery chain Hannaford Bros., which lost more than four million credit and debit card numbers in 2007. A three-judge panel ruled that fees paid by consumers for identity theft insurance and new cards, taken as a proactive measure following the breach, could constitute financial damages.</p>
<p>More worryingly, this is not confined to the US; we believe that this development will spread eventually to Australia, Canada and the EU. The possible introduction of a statutory cause of action for breach of privacy in these jurisdictions will likely increase liability exposure to data breaches. A cause of action obviously increases the potential financial exposure to companies. Coupled with a large-scale privacy breach, it also increases the possibility of class actions.</p>
<p>Are class actions far away?</p>
<p>If a security breach is attributable to a failure by a company to take reasonable steps to implement robust e-security architecture, shareholders may want to know what steps (if any) the directors took to prevent the breach. After all, directors have a duty to exercise fiduciary care and due diligence in the protection of corporate assets and loss minimisation. Therefore claims against directors and officers should be considered as part of the true cost of data breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/16/an-insurers-view-examining-the-rising-costs-of-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Insurance Recovery for Loss or Liability Arising from Cyberattacks: Obtain and Preserve Insurance for Your Company’s Protection</title>
		<link>http://cyberinquirer.com/2011/12/15/insurance-recovery-for-loss-or-liability-arising-from-cyberattacks-obtain-and-preserve-insurance-for-your-companys-protection/</link>
		<comments>http://cyberinquirer.com/2011/12/15/insurance-recovery-for-loss-or-liability-arising-from-cyberattacks-obtain-and-preserve-insurance-for-your-companys-protection/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 01:10:22 +0000</pubDate>
		<dc:creator>Scott Godes</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Hospitality Industry]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Liability Insurance]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3571</guid>
		<description><![CDATA[The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott&#8217;s personal site, Corporate Insurance Blog, after being published by Hospitality Upgrade magazine. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott&#8217;s personal site, <a href="http://corporateinsuranceblog.com/">Corporate Insurance Blog</a>, after being published by <a title="Hospitality Upgrade magazine" href="http://www.hospitalityupgrade.com/_magazine/magazineYear-Y-2011.asp" target="_blank">Hospitality Upgrade magazine</a>. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. </strong></p>
<p><strong>Rick Bortnick</strong></p>
<table cellspacing="0" cellpadding="0" width="100%">
<tbody>
<tr>
<td><img class="alignleft size-thumbnail wp-image-3585" src="http://cyberinquirer.com/wp-content/uploads/2011/12/hospitality-book-now1-150x150.jpg" alt="" width="150" height="150" /><span style="color: #333399;"><strong>It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks.  A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies.  According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a larger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves. Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds.  Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes.  Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among other things, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability.  Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.</strong></span></p>
<p><span id="more-3571"></span>Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information.  Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack.</p>
<p><strong>Involving Technology and Privacy Managers in Insurance-related Matters  </strong></p>
<p>Because of the variation in cyberinsurance coverages and the underwriting inquiries that often go along with the purchase of such insurance policies, companies may find the process to be a great opportunity for a company’s risk managers, technology managers and privacy managers to work together to help understand potential risks to the company and what risk transfers are being purchased through the insurance policies offered.  Working together aligns three kinds of expertise: the risk managers’ understanding of specific insurance-related issues; the technology managers’ technical knowledge of the company’s systems and protections, which helps in understanding any technical requirements in an application or insurance policy; and the privacy managers’ knowledge of the potential privacy risks that the company faces in light of the information held and how and where it is used.  Indeed, given their understanding of the technical and practical considerations involved in protecting a company’s data from a cyberattack, technology and information managers may be in a unique position to assist the company’s risk managers in understanding the technical implications of specific policy language.</p>
<p><strong>Insurance Coverage Considerations  </strong></p>
<p>When considering what coverages may apply or purchasing cyberinsurance coverage, it is essential to consider many types of coverage, as coverages often are written and offered in different modules and on varying insurance policy forms.  On a regular basis, insurers are writing and introducing new policies marketed as being tailored specifically to cover data breaches and cyberattacks.  In addition, coverage may be available under traditional forms of insurance.  Indeed, policyholders may have overlapping coverage for data breaches and certain cyberrisks, with the potential for coverage under cybersecurity policies as well as traditional insurance policies.  When analyzing the coverage afforded by such policies, it is critical to understand the impact of exclusions on coverages and any sublimits on the amount of coverage afforded by the policy.  Because of the variety of coverages being offered, as discussed below, technology managers can assist the company by providing a careful review of the technical language used in the policy to help determine the scope and limitations of the coverage being purchased with respect to a specific company’s operations.</p>
<p><strong>Cybersecurity and Data Breach Policies  </strong></p>
<p>The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Such policies are relatively new to the marketplace and are constantly changing. Specific policies for cybersecurity and data breach have been known as Network Risk, Cyberliability, Privacy and Security or Media Liability insurance.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the Internet Liability and Network Protection Policy, and insurance companies may base their coverages on this basic insuring agreement or they may provide their own company-worded policy form.  Because these policies are frequently updated and changed, it is important to compare the coverages offered across companies and within a company’s offerings.</p>
<p><strong>Traditional Forms of Insurance</strong>  </p>
<p>Although it is ideal to purchase a policy designed specifically for cybersecurity risks, more traditional forms of insurance may also provide overlapping coverage for data breaches and cyberrisks, depending on the particular coverage terms and exclusions in the individual policy.  Coverage may be provided by the following types of policies:  commercial general liability; first-party property and business interruption; directors and officers or errors and omissions; crime; kidnap, ransom and extortion.  Insurance companies, however, have been fighting their obligations to pay claims for cyber-related loss under such traditional insurance policies.  A major insurer recently sued a corporate policyholder in New York, asking the court to rule that traditional insurance policies do not cover a series of high-profile data breaches, cyberattacks and cyberrisks.</p>
<p><strong>Making a Claim for Coverage</strong>   </p>
<p>If a cyberevent occurs, such as a data breach, then it is vital that risk managers, technology managers and privacy managers work together to seek recovery under all potentially available insurance policies.  It is recommended that policyholders send notice of the claim or occurrence to all potentially applicable insurers, whether under a special cybersecurity policy or under the more traditional forms of insurance. After an insurance claim is tendered to insurers, they may raise various defenses to coverage. Companies, however, should not assume that such defenses will defeat coverage. Whether an event is covered will often depend on careful analysis of the specific policy language involved, the facts of a company’s particular losses and the law of the applicable jurisdiction. Insurance carriers may take a hard line regarding the application of the exclusions in their policies.  For example, under certain insurance policies there is coverage for property damage, and insurers have asserted that there has been no property damage as a result of a cyberattack. Technology managers, however, may be able to assist the company in marshalling evidence to prove that a cyberattack has damaged the company’s computer equipment, or that there has been a loss of use of computer equipment (another way of demonstrating property damage under certain insurance policies).  Technology managers should stay involved throughout the insurance recovery process to help assure that any representations and statements about the company’s technology and the cyberevent are accurate and properly characterized.</p>
<p>Beyond in-house technology personnel, companies that have sustained losses due to a data breach or cyberattack should consider speaking with an attorney who represents policyholders and has familiarity with this area. Because of the assistance of such lawyers, some policyholders have been able to obtain substantial recovery even after the insurer initially denied the policyholder’s claim.</p>
<p><strong><em>This article appeared on the Hospitality Upgrade website on 1 October 2011. Link to article:</em></strong></p>
<p><a href="http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp"><strong>http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp</strong></a></td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/15/insurance-recovery-for-loss-or-liability-arising-from-cyberattacks-obtain-and-preserve-insurance-for-your-companys-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employers Can Discover Employee Facebook Posts, But….</title>
		<link>http://cyberinquirer.com/2011/12/12/employers-can-discover-employee-facebook-posts-but/</link>
		<comments>http://cyberinquirer.com/2011/12/12/employers-can-discover-employee-facebook-posts-but/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 01:52:27 +0000</pubDate>
		<dc:creator>Michael Schmidt</dc:creator>
				<category><![CDATA[Discovery]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Subpoenas]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3553</guid>
		<description><![CDATA[The following article first appeared on Mike Schmidt&#8217;s Cozen O&#8217;Connor blog, socialmediaemploymentlawblog.com. Thanks to Mike for allowing us to republish it as a follow-up to our December 2, 2011 post, Keep Your Friends Close, But Your Facebook Posts Closer, which addresses a Pennsylvania trial court&#8217;s ruling that &#8220;plaintiff’s Facebook information is discoverable, provided the defendant has a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article first appeared on Mike Schmidt&#8217;s Cozen O&#8217;Connor blog, <a href="http://www.socialmediaemploymentlawblog.com/">socialmediaemploymentlawblog.com</a>. Thanks to Mike for allowing us to republish it as a follow-up to our December 2, 2011 post, <em><a href="http://cyberinquirer.com/2011/12/02/keep-your-friends-close-but-your-facebook-posts-closer/">Keep Your Friends Close, But Your Facebook Posts Closer</a></em>, which addresses a Pennsylvania trial court&#8217;s ruling that &#8220;plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material,&#8221; and our October 16, 2011 post, <em><a href="http://cyberinquirer.com/2011/10/16/facebook-everything-you-want-know-and-more-just-a-subpoena-away/">Facebook: Everything You Want to Know and More&#8230; Just a Discovery Request Away</a></em>, where we comment on how easy it actually is to obtain information posted on Facebook.</strong></p>
<p><strong>Needless to say, the discoverability of social media posts is an important issue for litigants on both sides of the &#8220;v&#8221; and will continue to be the subject of fiercely litigated motion practice. We will monitor the issue and post updates as courts across the country rule on this important, oftentimes substantively dispositive, issue.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<p><img class="alignleft size-full wp-image-3560" title="facebook" src="http://cyberinquirer.com/wp-content/uploads/2011/12/facebook.jpg" alt="" width="150" height="220" /><span style="color: #333399;"><strong>One of the high-profile battles being fought in the social media world continues to be over the ability of one party in a lawsuit to compel the other party to produce messages, posts, pictures, and other “private” things done over a social networking site like Facebook.   The trend continues to reveal that courts are willing to compel disclosure in the right circumstances, and the most recent decision issued by a New York appellate court is no different.</strong></span></p>
<p>In <em><a href="http://www.courts.state.ny.us/reporter/3dseries/2011/2011_07572.htm">Patterson v. Turner Construction Company </a></em>(New York Supreme Court, Appellate Division, First Department, October 27, 2011), the plaintiff sued for personal injury damages that included physical and psychological injuries that he claims to have suffered.   During the lawsuit, the defendant asked the court to direct the plaintiff to provide an authorization allowing defendant to obtain “all of plaintiff’s Facebook records compiled after the incident alleged in the complaint, including any records previously deleted or archived[.]”   The plaintiff, obviously, fought that request.</p>
<p><span id="more-3553"></span>The first level court granted the defendant’s request, but the appellate division modified that ruling slightly, though still indicating that requests for social networking information are not <em>per se </em>improper.   First, the court on appeal rejected plaintiff’s privacy argument, stating that “[t]he postings on plaintiff’s online Facebook account, if relevant, are not shielded from discovery merely because plaintiff used the service’s privacy settings to restrict access.”  </p>
<p>The operative phrase there is “if relevant”, as the appeals court still held that “it is possible that not all Facebook communications are related to the events that gave rise to plaintiff’s cause of action.”   So, in light of the fact that defendant’s request was overbroad, the appellate division directed that the matter go back to the first level court to provide:</p>
<blockquote><p>“a more specific identification of plaintiff’s Facebook information that is relevant, in that it contradicts or conflicts with plaintiff’s alleged restrictions, disabilities, and losses, and other claims.”</p></blockquote>
<p><strong>Employer Take Away</strong>:   What should you as an employer take away from this development?   </p>
<p>The <em>Patterson </em>decision involves a personal injury action, yet the principles apply equally to employment litigation.   The fundamental premise is that employers can and should seek discovery from plaintiff employees in the context of a lawsuit.  However, the request must be made in the right kind of case, at the right stage of the case, and have the right scope.  </p>
<p>It is often difficult to identify with precision the relevant information that will be gleaned through social networking discovery before you see what is there (that’s partly the point of seeking the discovery in the first place).  There is a fine line between a mere fishing expedition and a reasonable likelihood of discovering relevant facts.   By showing that you (through your attorney) have crafted a reasonable, narrowly-tailored request for information that is “relevant” because it has a good chance of contradicting or conflicting with actual positions taken by the employee in the case, you will have a far greater likelihood of success in getting potentially helpful information for your defense.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/12/employers-can-discover-employee-facebook-posts-but/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions</title>
		<link>http://cyberinquirer.com/2011/12/10/new-cybersecurity-disclosure-guidance-for-public-companies-focusing-attention-raising-questions/</link>
		<comments>http://cyberinquirer.com/2011/12/10/new-cybersecurity-disclosure-guidance-for-public-companies-focusing-attention-raising-questions/#comments</comments>
		<pubDate>Sat, 10 Dec 2011 22:30:43 +0000</pubDate>
		<dc:creator>John Doernberg</dc:creator>
				<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Identitity Theft]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Securities Law (SEC)]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3528</guid>
		<description><![CDATA[As regular Cyberinquirer readers know, on October 12, 2011, the SEC&#8217;s Division of Corporate Finance published &#8220;suggested&#8221; Guidance on public companies&#8217; disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>As regular <span style="color: #333399;">Cyberinquirer </span>readers know, on October 12, 2011, the SEC&#8217;s Division of Corporate Finance published &#8220;suggested&#8221; Guidance on public companies&#8217; disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (<a href="http://cyberinquirer.com/2011/10/29/securities-law-and-cyber-disclosures-perfect-together-especially-for-cyber-and-tech-underwriters-and-brokers-and-me/">here</a>). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John&#8217;s own site, <span style="color: #333399;"><a href="http://blog.wgains.com/?s=Doernberg">http://blog.wgains.com/?s=Doernberg</a></span>, and is being republished here with his permission. Thanks John!</strong></em></p>
<p><em><strong>Rick Bortnick</strong></em></p>
<p><span style="color: #333399;"><strong><img class="alignleft size-thumbnail wp-image-3542" title="sec1" src="http://cyberinquirer.com/wp-content/uploads/2011/12/sec11-150x150.jpg" alt="" width="150" height="150" /></strong></span><span style="color: #333399;"><strong>Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.</strong></span></p>
<p>The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.</p>
<p><span id="more-3528"></span>The Guidelines mention both intentional and unintentional breaches of cybersecurity, but mostly focus on deliberate attacks. They note that such attacks may involve money or other financial assets, intellectual property, or other sensitive information belonging to a company, its customers or its business partners. The Guidelines list some of the many adverse consequences of successful cybersecurity attacks, including:</p>
<p> Remediation expenses, such as the cost of providing notice of breach, credit monitoring and call center services;</p>
<p> Increased cybersecurity protection costs such as the hiring of additional personnel and third-party experts and consultants, and the purchase of additional protective technologies;</p>
<p> Lost revenues resulting from unauthorized use of stolen proprietary information or the failure to retain or attract customers following an attack;</p>
<p> Litigation; and</p>
<p> Reputational damage adversely affecting customer or investor confidence.</p>
<p>The federal securities laws are designed to provide disclosure about “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” The Guidelines state that the potential consequences cited above may in particular cases be sufficiently material, because of the nature of a company’s business or the magnitude of a cyber incident, to require disclosure. The bulk of the Guidelines describe the principal places in federal securities filings that such disclosures should be considered.</p>
<p>The Guidelines remind companies to consider, on an ongoing basis, whether they must disclose the nature and extent of their particular cybersecurity risks. Some early commentary has referred to the Guidelines as rules or regulations. They are not, yet characterizing them as nonbinding suggestions likely understates their importance.</p>
<p>Each company determines what it must disclose by applying the rules to its own business and circumstances. When important new developments arise, it can be difficult for companies to know how these developments affect their disclosure obligations under rules that don’t appear to address them. So the Division of Corporation Finance periodically issues guidelines explaining how it believes the existing disclosure rules should be interpreted with respect to these new developments. This happened with Y2K, with climate change — and now with cybersecurity. The Guidelines say that they are intended to be “consistent with the relevant disclosure considerations that arise in connection with any business risk.” The Guidelines are not intended to break new ground; they represent what the Division thinks the existing disclosure rules already require.</p>
<p>In other words, the Division’s position is that the current disclosure rules already require registrants to consider cybersecurity risks and to disclose them as necessary to provide “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”</p>
<p>The Guidelines cite several places in public filings where such disclosure may be required. Here’s a summary of the key provisions:</p>
<p><em><strong>Risk Factors</strong></em></p>
<p>Each public company must disclose the most significant factors that make investment in it speculative or risky. Companies assessing the need for a risk factors disclosure should consider the probability of cyber incidents and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. Generic risk factor disclosure should be avoided; the rules are intended to elicit information about the material risks affecting the particular company making the disclosure, not a listing of risks that can affect any company. According to the Guidelines, appropriate disclosure may include the following:</p>
<p> Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;</p>
<p> To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;</p>
<p> Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;</p>
<p> Risks related to cyber incidents that may remain undetected for an extended period; and</p>
<p> Description of relevant insurance coverage.</p>
<p><em><strong>Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&amp;A)</strong></em></p>
<p>Companies need to disclose cybersecurity risks and past incidents “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” The theft of key corporate intellectual property is cited as the kind of cyber incident that might materially affect future revenues and/or cybersecurity protection expenditures and therefore should be disclosed.</p>
<p><strong><em>Description of Business</em></strong></p>
<p>A company must disclose in the “Description of Business” section of its SEC filings if cybersecurity incidents materially affect its products, services, relationships with customers or suppliers, or competitive conditions.</p>
<p><strong><em>Legal Proceedings</em></strong></p>
<p>If a company is involved in legal proceedings involving a cyber incident, it may need to make disclosures about the proceedings. The Guidelines give the example of the theft of a material amount of customer information that results in litigation.</p>
<p><em><strong>Financial Statement Disclosures</strong></em></p>
<p>Cybersecurity incidents and risks may materially affect a company’s financial statements in ways that must be disclosed. The Guidelines provide various examples, such as payments to customers as incentive to maintain business relationships, losses from asserted and unasserted claims related to warranties, breach of contract, product recall and replacement, and indemnification obligations.</p>
<p><strong><em>Disclosure Controls and Procedures</em></strong></p>
<p>Companies are required to assess and disclose the adequacy of their disclosure controls and procedures. Companies must disclose if cyber incidents and risks may compromise their ability to record, process, summarize, and report information in SEC filings. Management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. For example, if information might not be recorded properly because a cyber incident has affected a company’s information systems, a company may conclude — and have to disclose — that its disclosure controls and procedures are ineffective.</p>
<p><strong><em>How might the Guidelines affect securities claims?</em></strong></p>
<p>Guidelines are not entitled to formal deference by courts in disclosure cases, but judges give varying degrees of informal deference to Division guidance when they adjudicate disclosure cases. Plaintiffs will likely point to the Guidelines when arguing that defendant companies haven’t complied with the disclosure rules. On the other hand, companies often try to use Division guidelines defensively, asserting that in following the guidelines they have satisfied the disclosure rules.</p>
<p><em><strong>How will the Guidelines affect disclosure and risk management and insurance?</strong></em></p>
<p>Some early commentary suggests the Guidelines will not significantly change disclosure practices. Public companies will certainly take the Guidelines seriously and more fully describe their material cybersecurity exposures &#8212; without providing a roadmap for exploiting any security weaknesses. Some companies will try to inoculate themselves from securities claims by providing the kind of broad, generic statements often seen in the Risk Factors section of SEC filings. The Guidelines will lead many companies to confront the nature and extent of their cybersecurity risks more forcefully than they have in the past. In order to assess the materiality of their cybersecurity risks, companies will have to quantify them — and quantifying risks unmasks previously vague or fuzzy judgments about them. Corporate executives will have more useful information about their cybersecurity risks, which may in turn lead to increased efforts to forestall the operational and financial disruption that breaches cause. Companies will almost certainly review and strengthen their cybersecurity risk management practices.</p>
<p>After being forced to quantify the potential financial impact of cybersecurity breaches, many companies will also reassess the adequacy of their insurance protection. That is rarely a simple task. Among many other things, it requires an in-depth and nuanced understanding of what various types of insurance policies do and do not cover with respect to cybersecurity breaches.</p>
<p>Here are a few of the issues that companies and their advisors will have to consider as they determine how to respond to the Guidelines:</p>
<p><strong>How should a company quantify cybersecurity risks?</strong> Cybersecurity breaches can have wide-ranging consequences. A company will probably spend large sums on matters such as forensic investigation into the cause and extent of the breach, legal fees, notice to affected individuals, credit monitoring, identity theft and call center services where appropriate, public relations and communications, government and PCI DSS fines and penalties, and indemnification to corporate clients and others if their proprietary information is compromised. The company may also incur business interruption expenses, the loss of customers, management distraction, opportunity costs, discounts and other customer retention costs, and many other direct and indirect costs. Some of these exposures will be relatively easy to estimate based on currently available data, while others will be extremely difficult to gauge. How should a company estimate these exposures in assessing the materiality of cybersecurity breaches? Will widely cited studies into the costs of data breaches (such as the Ponemon Institute’s annual study) become the de facto standard for estimating exposure? How should a company weigh the many potential indirect costs of a data breach in determining the materiality of cybersecurity risks?</p>
<p><strong>Which policies may provide at least some coverage for cybersecurity-related breaches?</strong> A company may have several different types of insurance policies &#8212; some commonly considered “cyber” policies, others not &#8212; that could provide coverage for at least some of the costs it would incur after a breach. The company will have to determine which policies might provide any coverage and which wouldn’t; which cybersecurity exposures each policy addresses and which it doesn’t; and whether and to what extent various policies can be aggregated to provide additional protection. And as the insurance coverage dispute in the Sony PlayStation breach matter demonstrates [See blog post here http://wp.me/pFoTv-LU], the availability of coverage under non-cyber policies is far from clear.</p>
<p><strong>How should a company that accepts payment cards (such as credit cards) address the special bundle of risks that are related to the evolving Payment Card Industry Data Security Standards and the rules imposed by the payment card brands?</strong> It can be expected that over time there will develop fairly standard ways of disclosing payment card-related risks, but it may be a rocky road.</p>
<p><strong>What will be the impact of more extensive disclosure on the availability and cost of insurance to indemnify cybersecurity losses?</strong> Insurers routinely review a public company’s SEC filings as part of the underwriting process. Many stipulate that a company’s SEC filings constitute part of the application for insurance (usually a negotiable issue to some degree). At least two adverse possibilities come to mind: (1) that extensive descriptions of cybersecurity risks and incidents, crafted by lawyers to overcome allegations of inadequate disclosure, will scare insurers into curtailing coverage and/or charging higher prices, and (2) that some insurers will use these disclosures to try and deny coverage in subsequent claims, on the grounds that a disclosure later shown to be inadequate constitutes a breached warranty that therefore voids coverage. The D&amp;O (Directors and Officers) insurance sector has dealt with this issue for a long time and seems to have largely worked things out. The cyber insurance sector will probably get to a similar equilibrium, although it may take a while and cause some pain in the process.</p>
<p>The new cybersecurity guidelines therefore may have raised as many questions as they answer, and they will certainly require careful and nuanced navigation by companies and their advisors. Companies will need to undertake a fresh and detailed analysis, with each SEC filing, to make sure that their disclosures adequately reflect the cybersecurity risks they face in their then-current business operations.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/10/new-cybersecurity-disclosure-guidance-for-public-companies-focusing-attention-raising-questions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

