As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.
Beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain’s National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as “WannaCry,” disables the user’s computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through “phishing attacks,” which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spread to other computers on the network. One infected computer can spread this virus network-wide, and quickly.
As posted earlier today on Hunton & Williams’ Retail and Privacy blogs, and as reported in Law360, Hunton & Williams announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions.
Hunton and Williams LLP has published its 2016 Retail Industry Year in Review. The Review discusses the key legal and regulatory developments that affected the retail industry last year. In the Review, Hunton insurance coverage attorneys Syed Ahmad, Mike Levine and Jenn White discuss the lessons learned from insurance coverage cases that promise to have a lasting impact on retail cyber security and product contamination insurance. As they explain, “Last year’s decisions are critical reminders that having the right insurance is key, and even unintentional missteps can jeopardize coverage.” Read their commentary here.
As reported in the Privacy & Information Security Law blog, on October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page guide details steps businesses should take once they become aware of a potential breach. The guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.
Hunton & Williams insurance lawyers, Mike Levine and Sergio Oehninger, were quoted today in a Law360 article analyzing the impact of the recent decision in P.F. Chang’s bid for coverage for certain losses stemming from a 2013 cyber breach. In a June 1, 2016 blog post, Levine and Oehninger criticized the court’s decision and forewarned policyholders that disputes of this sort are likely to be common, given the continually evolving nature of cyber coverages. According to Levine in a subsequent comment, “until insurance markets arrive at policy language that clearly sets forth the coverage being marketed and sold, policyholders will be left to question whether denials or limitations on claims are justified.” Levine and Oehninger remind policyholders, therefore, that they should consult with knowledgeable coverage lawyers both when procuring cyber coverage and when submitting cyber-related claims, so that the policyholder’s unique circumstances are adequately addressed under their insurance program and that any claims are properly considered and paid by their insurers.
In a May 31, 2016 decision, a federal court in Arizona rejected P.F. Chang’s attempt to recover an additional $2 million it paid following a 2013 breach in which hackers obtained and posted on the Internet approximately 60,000 credit card numbers belonging to P.F. Chang’s customers. P.F. Chang’s was insured under a “CyberSecurity by Chubb Policy,” which it had purchased from Federal Insurance Company for an annual premium of $134,000. On its website, Federal marketed the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” including “consequential loss resulting from cyber security breaches.”