Cyber/Data Privacy

Subscribe to Cyber/Data Privacy via RSS

The SEC public company cyber disclosure rule raises issues that companies should consider in reviewing existing insurance coverage and in assessing overall risk. 

The SEC recently adopted a new cybersecurity disclosure related rule (the “SEC Cyber Disclosure Rule”)[1] in response to increasing risks associated with cyber incidents and a perceived need for investors to receive more fulsome corporate disclosures about cybersecurity risks, governance, and material incidents.  In prior efforts to improve consistency and accuracy of public company cybersecurity risk disclosures, the SEC issued interpretive guidance explaining how cybersecurity risk and incidents should be communicated based on long-standing requirements to periodically—and as needed—disclose material information to shareholders.[2]  But in spite of this guidance, in the SEC’s view corporate disclosure practices remained inconsistent, under-disclosure persisted, and investors lacked consistent information by which they could evaluate public companies’ cybersecurity risk.  In July 2023, the SEC adopted the SEC Cyber Disclosure Rule, which mandated new disclosures among other things, and which became effective in December 2023.Continue Reading The SEC’s Cybersecurity Incident, Governance, and Management Reporting Requirements: What you Need to Know to Avoid Cyber and D&O Coverage Gaps

Following record-shattering data breaches, there has been a major push for increased transparency and regulation in the insurance industry regarding consumer data privacy. With an increase in consumer data collection, the threat of ransomware attacks can expose companies to potential litigation or regulatory action if not handled properly.

Read on to learn about the National

Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. The coverage litigation, Merck & Co. v. ACE American Insurance Co., focused on the key question of whether the policies’ “hostile/warlike” exclusion applied to the NotPetya attack, which some intelligence agencies have attributed to Russian government attempts to destabilize Ukraine. The settlement was announced just a few days before the New Jersey Supreme Court was set to hear oral arguments during an appeal of the New Jersey state appeals court’s affirmance of a 2021 trial court ruling in Merck’s favor. Merck’s insurers had argued that Merck’s losses were barred by a war exclusion, but the New Jersey trial court found that the exclusion did not apply to malware and cyberattacks and instead was intended to apply only to physical acts of warfare between the armed forces of two or more countries. The terms and the amount of the settlement have not yet been disclosed.Continue Reading Merck-Settlement of $1.4 Billion Coverage Dispute Over NotPetya Cyberattack Places Renewed Spotlight on War Exclusions in 2024

Cyberattacks on corporate networks are on the rise, and the ramifications from such an attack can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across various industries aimed at preventing breaches jumping 51%.[1] Although companies

In a unanimous decision, the Ohio Supreme Court found that appellee EMOI Services, LLC’s (“EMOI”) businessowners insurance policy does not cover losses resulting from a ransomware attack on EMOI’s computer software systems.Continue Reading Ohio Supreme Court Holds that Insurance Policy Does Not Cover Ransomware Attack on Software

In May 2022, the Illinois Supreme Court heard oral arguments in Cothron v. White Castle System, Inc. — a case that will have a substantial impact on the liability for violating the Illinois Biometric Information Privacy Act (“BIPA”).  BIPA is considered to be among the most robust law in the U.S. governing biometric privacy, and Illinois is among the few jurisdictions permitting private suits for the unlawful collection, storage of such data.  Since its inception in 2008, BIPA has been the source of a flurry of lawsuits, many of which have resulted in substantial settlements.  The court is set to determine how to calculate the number of individual BIPA violations, whether damages accrue each time an employee scans her fingerprint, or whether the first recorded scan is the sole violation.  If the Illinois high court determines that damages accrue with each scan and BIPA violations are ongoing, then the potential damages for BIPA lawsuits would increase exponentially and open a flood of new claims.  Fortunately, insurance policyholders have had recent success arguing that coverage exists for BIPA violations under Commercial General Liability (“CGL”) policies.  A plaintiff-friendly ruling in the Cothron case would make the ability to recover under these policies even more important, and potentially open additional avenues for recovery.  In anticipation of this important ruling, this article provides a brief background on BIPA and summarizes the key decisions relating to insurance recovery of BIPA damages.
Continue Reading Update on Case Law Developments for BIPA Damages and Insurance Recovery for BIPA Claims

On May 7, 2021, the operator of a major pipeline system that transports fuel across the East Coast fell victim to a ransomware attack that resulted in a six-day shutdown. Over the following week, East Coast stockpiles of gasoline dropped by about 4.6 million barrels and gas prices surged to their highest levels in six and a half years. The 5,500-mile-long pipeline provides roughly 45 percent of the fuel supplies for the East Coast, representing critical infrastructure for consumers from the Gulf Coast to Linden, New Jersey. Under mounting public pressure to respond and devastating losses to the company’s operational income, the operator authorized a ransom payment of $4.4 million to hackers. On May 31, 2021, one of the world’s largest meat suppliers disclosed that it was targeted by a ransomware attack that forced the company to shut down its meat processing plants in North America. As the meat processing plants depend on automation and computers for the production process, as well as processing of orders, billing and shipping, the company had no choice but to shut down operations. The company has not disclosed if it paid a ransom as part of its efforts to get back online.
Continue Reading Cyber-Insurance Considerations for Healthcare Providers Related to Ransomware Attacks