Equifax Inc. recently announced that it has agreed to pay up to $700 million to settle numerous government investigations and consumer claims arising out of a 2017 breach that exposed Social Security numbers, addresses and other personal data belonging to over 148 million individuals. Following the breach, Equifax faced investigations from the Federal Trade Commission, the Consumer Financial Protection Bureau, all 50 state attorneys general and consumers prosecuting nationwide multidistrict litigation. As part of the deal, Equifax will contribute approximately $300 million to compensate consumers, with the potential to increase to $425 million depending on the number of claims filed. Equifax also agreed to pay $175 million to state governments, plus another $100 million in civil penalties to the CFPB.
Continue Reading

The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.

Continue Reading

Hunton Andrews Kurth insurance partner Michael Levine was recently interviewed by LegalTech News concerning Ohio’s recent adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law, modeled after the New York State Department of Financial Services Cybersecurity Requirements for Financial Service Companies Act, seeks to provide a framework for

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.
Continue Reading

In a recent post, we discussed the Sixth Circuit’s holding in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), where the Sixth Circuit reversed the district court’s summary judgment for the insurer, finding coverage under its policy for a fraudulent scheme that resulted in a $834,000.00 loss. The insurer, Travelers, has now asked the Court to reconsider its decision.

Continue Reading

The Sixth Circuit, in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), reversed the District Court’s grant of summary judgment in favor of the insurer in a dispute over coverage for a social engineering scheme. The policyholder, American Tooling, lost $800,000 after a fraudster’s email tricked an American Tooling employee into wiring that amount to the fraudster.

Continue Reading


The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body comprised of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained such insurance specifically designed to cover their cyber risks.  Nonetheless, the FFIEC now is urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance.  In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.


Continue Reading

May 25, 2018 should be a day circled on many company calendars. On that day, the European Union’s long-awaited Global Data Protection Regulation (“GDPR”) will go into effect.  It is crucial for U.S. companies to prepare for the GDPR, as they, too, will be required to comply with a new set of data privacy rules if they are handling data from EU-based customers, suppliers, or affiliates. As long as you collect personal or behavioral data from someone in the EU, you must comply with the GDPR.

Continue Reading

As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybsersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.

Continue Reading

In what has been described as a “watershed” cyber incident, hackers recently used sophisticated malware—dubbed Triton—to take control of a key safety device installed at a power plant in Saudi Arabia. One of the few confirmed hacking tools designed to manipulate industrial control systems, this new breach is part of a growing trend in hacking attempts on utilities, production facilities, and other critical infrastructure in the oil and gas industry. The Triton malware attack targeted the Triconex industrial safety technology made by Schneider Electric SE. The attack underscores the importance of mitigating this and other similar risks through cyber and other traditional liability insurance as part of a comprehensive cybersecurity program.

Continue Reading