By Rebecca L. Zeidel
MReBA’s Seventh Annual Symposium once again featured a popular interactive workshop after the lunch break, which put into practice through a fictional case the topics addressed during the morning data breach panel. The interactive workshop was moderated by William Erickson (Robins Kaplan LLP), Thomas M. Elcock (Prince Lobel Tye LLP), and Kristin Suga Heres (Zelle LLP).
This year’s workshop focused on the hypothetical breach of a data processing cloud for a large online retailer, “Nile.com.” Hackers obtained financial information of all “Nile Alpha Members” who paid a fee for special deals and free shipping.
Nile Alpha Members soon issued demands and later filed a class action lawsuit asserting breach of privacy claims, claims for impact to credit ratings, and claims for fraudulent credit card charges. Credit card companies also submitted claims to Nile.com as a result of their cardholders’ refusals to honor fraudulent credit card charges.
Nile carried a commercial general liability policy, which provided $1 million of limits, with coverage for “personal and advertising injury,” including injury arising out of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Nile.com also held two excess layers of liability insurance: The first layer covered $9 million excess of $1 million, and the second excess covered $90 million excess of $10 million.
The first layer excess was reinsured by “Bermuda Re” for all losses in excess of $2 million, and the second layer excess was reinsured by “Internet Re” for all losses in excess of $25 million.
Participants were assigned to play the roles of the captive insurer and the two reinsurers. The primary issues and questions confronted during the workshop included:
• Whether and how a hacking event may constitute “publication” of “material that violates a person’s right of privacy” under a CGL policy;
• Whether the insured – as opposed to hackers – needed to take affirmative steps in order for there to be “publication”;
• What investigation had been done to assess the potential damages in the underlying case;
• Whether the occurrence was tied to the hack itself, or the use of stolen information, or something else; and
• Whether a cyber policy (discussed as part of the subsequent problems) covered the same – or different – types of losses as the CGL policy.
The workshop demonstrated through a lively debate, and much participation from Symposium attendees, the difficulties in determining whether a data breach falls within the scope of coverage provided by a CGL policy – or whether a cyber policy is better suited to data breach claims – and the factors that both insurers and reinsurers should consider in assessing such claims under those policies.
Ms. Zeidel is an associate in the Boston office of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. She can be reached at RLZeidel@mintz.com.
© 2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All rights reserved.