Drinker Biddle Cyber Bulletin June 2015

Federal Legislative Update

House Passes Bills Encouraging Sharing of Information about Cyber Threats

On April 22 the House passed H.R. 1560, the Protecting Cyber Networks Act (“PCNA”), “to improve cybersecurity … through enhanced sharing of information about cybersecurity threats.”  The law would permit companies to share information concerning known cyber threats with the recently-created Cyber Threat Intelligence Integration Center (“Center”).  The Center, which is overseen by the Office of the Director of National Intelligence, would be responsible for establishing procedures for sharing information on cyber threats between the federal government and other entities.

Prior to sharing information, companies would be required to remove personal identifying information (“PII”) of its customers.  After receiving the information, the government would be required to conduct a second scrub of PII.  In return for sharing, the PCNA would provide companies liability protection from regulatory enforcement and private actions as long the information is shared in “good faith.”  Such protection would not attach however, if a plaintiff or regulator could show the company committed “willful misconduct.”

On April 23, the House also passed H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 (“NCPA”).  The NCPA shares the same purpose of the PCNA and contains many of the same liability protections.  Under the NCPA, however, responsibility for overseeing the sharing of cyber threat information would lie with the U.S. Department of Homeland Security’s (“DHS”) National Cybersecurity and Communication Integration Center.

The bills were packaged together and sent to the Senate, which is also considering similar legislation, entitled the Cybersecurity Information Sharing Act of 2015 (S. 754).  Given the strong bipartisan support for both House bills, as well as support from the White House, industry representatives are hopeful that some form of legislation encouraging sharing information about cyber threats will make its way to the President this year.

Advocates of H.R. 1560 and H.R. 1731 predict that the legislation will lead to better defenses to cyber threats.  If successful, such legislation could reduce the incidences of breaches and, consequently, the number of insurance claims for data breach.  The increased sharing of information should also provide underwriters more experience to better understand cyber risks and more accurately price cyber liability insurance policies.  Simply put, the success of these bills, if passed, could reduce the cost of cyber insurance policies and entice small-to-medium sized businesses to purchase cyber liability insurance—many of which consider find cyber insurance too expensive.

State Legislative Update

North Dakota, Montana and Washington expand their breach notification acts to require notice to the attorney general 

North Dakota’s breach notification act (N.D. Cent. Code Ann. § 51-30-02) will soon apply to any entity holding personal information about North Dakota residents without regard to whether the entity does business in North Dakota.  Thus, in the event of a breach, if the impacted entity holds the personal information of North Dakota residents, the entity is now subject to the act.  The act will also require entities experiencing a data breach involving more than 250 North Dakota residents to report the breach to the state attorney general.  North Dakota’s law will be effective August 1, 2015.

Washington’s breach notification act (Wash. Rev. Code Ann. § 19.255.010) will soon (i) provide a private right of action in connection with violations; (ii) call for notice to the state attorney general in the event of a breach involving greater than 500 Washington residents; (iii) apply to information in electronic and paper forms.  On April 23, 2015, Washington Gov. Jay Inslee signed H.B. 1078 into law, expanding and enhancing the state’s breach notification act.  The act will provide a private right of action to consumers “injured by a violation” of the act, but applies only to those entities conducting business in Washington.  As amended, the Washington Attorney General is granted enforcement authority to bring actions for violations of the act on behalf of consumers or in the name of the state.  If the breach affects more the 500 individuals the act now requires notice to the attorney general, not just affected individuals, as soon as possible (i.e., “without delay”), but within 45 days after the breach is discovered.  Also, the act now applies to both electronic and hard copy personal information.  Additional amendments include a safe harbor for data that was “secured,” which means “encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard,” as long as the means to decipher the secured information was not also acquired during the breach.  The amendments become effective July 24, 2015.

Montana’s breach notification act (Mont. Code Ann. § 33-19-104) now requires notice to the Attorney General’s Consumer Protection Office and Insurance Commissioner in the event of the breach.  House Bill No. 74 was signed into law on February 27, 2015 and will go in effect on October 1, 2015.

At least twenty five states now require notice to the state attorney general (many, but not all states, set a threshold of 250 or 500 affected individuals before notice is required), marking a clear trend in states attorneys general taking on data security and consumer privacy issues.  North Dakota and Montana are the two most recent additions, and several other states have pending legislation with similar amendments.  See, e.g., AL S.B. 106; IL H.B. 3188, 1833; OR S.B. 601.

Wyoming and Nevada broaden scope of personal information, expanding reach of breach notification laws

Wyoming followed a trend of recent amendments to state breach notification laws that broaden the definition of personal information and increase the minimum requirements for the content of a breach notification.  On March 2, 2015, Wyoming Gov. Matt Mead signed Senate Files 35 and 36 into law.  As amended, Wyoming’s definition of personal information now includes data containing the first name or first initial and last name of an individual combined with at least one of the following:  SSN; driver’s license number or other government identification number; a financial account number paired a security code that would allow access; “shared secrets or security tokens that are known to be used for data based authentication”; a username or email address paired with a password to permit access; birth or marriage certificate; medical information; health insurance information; unique biometric data for identification purposes; and individual taxpayer identification numbers.  Beyond amending the definition of personal information, Senate File 35 requires breach notifications to include “clear and conspicuous” notice of a wider range of information, including the “actions taken by the company to prevent further breaches” and the type(s) of personal affected. 

Nevada also expanded the definition of personal information under its breach notification and data security/safeguarding laws, which now includes information such as e-mail addresses and passwords, driver’s authorization card numbers, medical and health insurance identification numbers.  See Nev. Rev. Stat. Ann. § 603A.040, as amended by 2015 Nevada Laws Ch. 55 (A.B. 179).  Nevada Gov. Sandoval signed A.B. 179 into law on Wednesday, May 13, 2015.  The definition of personal information is incorporated into the state’s breach notification laws and safeguarding rules.  Nev. Rev. Stat. Ann. § 603A.220 (Breach Notification Rule); Nev. Rev. Stat. Ann. § 603A.210 (Security Measures).  Thus, under Nevada’s safeguarding rule, data collectors must, for example, encrypt e-mail addresses, identification numbers, and passwords prior to transferring them outside of the company’s secure system.  Nev. Rev. Stat. Ann. § 603A.215 (2)(a)-(b).

Wyoming and Nevada’s broadened definition of personal information will significantly increase the potential scope of what constitutes a breach requiring notification to consumers.  The broadened reach of breach notification acts will likely lead to an increase in breach-related litigation as more breaches are publicized. 

Florida enacts the Unwarranted Surveillance Act, the country’s first private drone privacy law.

Florida has enacted the first law banning the private use of drones for the purpose of recording images of privately owned real property or owners and occupants of such property, or, for the purpose of conducting surveillance “in violation of the person’s reasonable expectation of privacy.”  Gov. Rick Scott signed the Unwarranted Surveillance Act (the “Act”) into law on Thursday, May 14, 2015.  The statute provides several limited exceptions, including the use of a drone by a person “licensed by the state … if the drone is used only to perform reasonable tasks within the scope of practice or activities permitted under such person’s or entity’s license.”  Thus, the act works to shift the regulatory power surrounding the use of drones in Florida away from the FAA and into the hands of state agencies, who may now issue licenses for the use of drones to conduct, for example, site assessments in disaster areas.  However, the license exception specifically excludes individuals whose profession involves, for example, obtaining information about the identity, habits, whereabouts, or character of a person. 

After the passage of the Unwarranted Surveillance Act, commercial use of drones in Florida will present a significant litigation risk.  The law creates a private right of action for those aggrieved by violations of the act.  Although the act does not provide for statutory damages, it does provide for attorney’s fees and punitive damages.  Due to potential liability, the act will likely stymie the commercial use of drones in Florida at a time when the FAA has issued limited use permits and appears ready to consider more widespread approval of drone activity.  This is especially true for insurers that have received approval to use drones in connection with claims evaluations.

Cyber Litigation Update

Federal District Court Issues one of the First Decisions Construing Cyber Policy in Travelers Prop. Cas. Co. of American et al. v. Federal Recovery Services et al., No. 2:14-cv-00170 (D. Utah)

On May 11, 2015, the United States District Court in Utah concluded that Travelers did not have a duty to defend its insured under a Technology Errors and Omissions Liability Form of a CyberFirst Policy.  Travelers insured Federal Recovery Services, Inc. (“FRS”) and several related companies, which stored and processed electronic data for their customers.  One customer, Global Fitness Holdings, LLC (“Global Fitness”), requested that FRS return all customer data to Global Fitness pursuant to an asset purchase agreement between Global Fitness and L.A. Fitness.  Despite multiple requests, FRS continued to withhold certain customer data until Global Fitness paid FRS for its services.

As a result, Global Fitness sued FRS for “conversion, tortious interference and breach of contract.”  The gravamen of the complaint alleged FRS purposely, and wrongfully, withheld data to extract additional money from Global Fitness.  FRS tendered the case to Travelers, which defended FRS under a reservation of rights.  Travelers then brought an action seeking a declaration of no coverage.

The Technology Errors and Omissions Liability Form at issue in the case provided coverage to FRS if the loss was caused by an “errors and omission wrongful act.”  The policy further defined a wrongful act as “any error, omission or negligent act.” The Court highlighted that Global Fitness alleged FRS had withheld the information requested by Global Fitness knowingly, willfully, and with malice; the complaint was devoid of any allegations sounding in negligence.  Accordingly, the Court found Travelers did not owe FRS a duty to defend.

Although the rationale of the Court rested on humdrum general insurance principles – i.e., the principle that insurance policies generally do not provide coverage for intentional acts – the decision is significant because it represents one of the first to construe a cyber-specific policy.

Connecticut Supreme Court Affirms Ruling Denying Coverage for IBM Data Breach in Recall Total Information Management Inc. et al. v. Federal Insurance Co. et al., Connecticut Supreme Court Case Number AC34716

On May 18, the Connecticut Supreme Court held that Federal Insurance Company and Scottsdale Insurance Company did not have to provide coverage under a CGL policy for losses attributed to a data breach that occurred when a full cart of computer tapes containing IBM employees’ Social Security numbers, birth dates and contact information fell out of the back of a van.  The tapes contained information on 500,000 past and present IBM employees and about 130 of the tapes were taken after the spill by an unknown person.  There was no evidence however, that any person accessed the information on the tapes.

The appellants, IBM contractor Recall Total Management, Inc. and subcontractor Executive Logistics, Inc., argued coverage should be provided because there was an injury caused by “electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The appellants argued that whoever removed the tapes from the roadway would have seen the employees’ sensitive information, and therefore that information was publicized under the terms of the Policy.

In opposition, the insurers contended that appellants failed to present any evidence that anyone accessed the information or that any IBM employee ever suffered damages resulting from the information contained on the tapes.  Therefore, the insurers argued that there was no evidence of publication that could trigger coverage under the Policy.

The Connecticut Supreme Court agreed with the insurers, affirming the Connecticut Appeals Court’s holding that “[r]egardless of our precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information.  In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.”  The Court also rejected the appellants’ arguments that settlement negotiations that pre-dated the filing of the lawsuit counted as a “suit” that triggered coverage for defense costs.

Coverage battles in the breach context are sure to continue in the days ahead.  Cases like Recall Total Information Management and federal recovery services are good indicators that carriers are not without ammunition.