Interactive Workshop Participants Tackle Cyber Risk and Privacy Issues
Updated: May 11, 2018
MReBA’s Seventh Annual Symposium once again featured a popular interactive workshop after the lunch break, which put into practice through a fictional case the topics addressed during the morning data breach panel. The interactive workshop was moderated by William Erickson (Robins Kaplan LLP), Thomas M. Elcock (Prince Lobel Tye LLP), and Kristin Suga Heres (Zelle LLP).
This year’s workshop focused on the hypothetical breach of a data processing cloud for a large online retailer, “Nile.com.” Hackers obtained financial information of all “Nile Alpha Members” who paid a fee for special deals and free shipping.
Nile Alpha Members soon issued demands, and later, filed a class action lawsuit asserting breach of privacy claims, claims for impact to credit ratings, and claims for fraudulent credit card charges. Credit card companies also submitted claims to Nile.com as a result of their cardholders’ refusals to honor fraudulent credit card charges.
Nile carried a commercial general liability policy, which provided $1 million of limits, with coverage for “personal and advertising injury,” including injury arising out of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Nile.com also held two excess layers of liability insurance: The first layer covered $9 million excess of $1 million, and the second excess covered $90 million excess of $10 million.
The first layer excess was reinsured by “Bermuda Re” for all losses in excess of $2 million, and the second layer excess was reinsured by “Internet Re” for all losses in excess of $25 million.
Participants were assigned to play the roles of the captive insurer and the two reinsurers. The primary issues and questions confronted during the workshop included:
Whether and how a hacking event may constitute “publication” of “material that violates a person’s right of privacy” under a CGL policy;
Whether the insured – as opposed to hackers – needed to take affirmative steps in order for there to be “publication”;
What investigation had been done to assess the potential damages in the underlying case;
Whether the occurrence was tied to the hack itself, or the use of stolen information, or something else; and
Whether a cyber policy (discussed as part of the subsequent problems) covered the same – or different – types of losses as the CGL policy.
The workshop demonstrated through a lively debate, and much participation from Symposium attendees, the difficulties in determining whether a data breach falls within the scope of coverage provided by a CGL policy – or whether a cyber policy is better suited to data breach claims – and the factors that both insurers and reinsurers should consider in assessing such claims under those policies.
Ms. Zeidel is an associate in the Boston office of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. She can be reached at RLZeidel@mintz.com.
© 2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All rights reserved.