Whether you are considering cyber insurance, shopping for a policy, or have recently been impacted by a cyberattack, there are various considerations both before and after an attack.
Think You’re Covered? Think Again: Cybersecurity, Data Privacy, and Cyber Insurance
1. 2020 WithumSmith+Brown, PC
Think You’re Covered? Think Again: Cybersecurity, Data Privacy and Insurance
CapitalOne | Withum | McElroy, Deutsch, Mulvaney & Carpenter, LLP
2. BE IN A POSITION OF STRENGTH
Housekeeping
• This is a CPE session – 1 CPE Credit in Information Technology
• Webinar is being recorded
• 45-minute session
• 15-minute Q&A
• Send in your questions!
• Slides and recording will be emailed after the webinar
25. Understanding Data Privacy Considerations and Reducing Compliance Failures
• Why do privacy compliance failures occur?
  ◦ No adequate understanding of data flows
    ▪ Know what data you have and who you share it with
  ◦ No understanding of regulatory landscape
    ▪ Understand thresholds that can trigger liability under certain privacy laws such as CCPA, Biometric Information Privacy Act or COPPA
  ◦ Institutional idiosyncrasies
    ▪ Smaller entities are particularly vulnerable
26. Data Privacy Considerations: Reducing Compliance Failures
• Multitude of Federal and State Laws
  ◦ Competing compliance requirements may overtax resources of respondents
    ▪ Regulated entities may focus exclusively on first-tier HIPAA and GLBA and ignore secondary regulations (e.g., COPPA, CAN-SPAM, Model Insurance Data Security Act, New York DFS Cybersecurity Regulation).
    ▪ Regional or National Laws (CCPA/CPRA, GDPR)
27. Scalable Universal Compliance Infrastructure
Getting the Basics Right
Triangulation Approach to Multi-Jurisdictional Compliance Requirements
Organizational Foundation. Privacy Belongs on the C-level
• Avoid institutional conflicts of interest (IT, Marketing)
• Multi-layered privacy organization with appropriate KPIs
28. Scalable Universal Compliance Infrastructure
Getting the Basics Right
Triangulation Approach to Multi-Jurisdictional Compliance Requirements
Invest in top-notch Privacy Notice
• Your calling card in terms of privacy compliance
• One step towards § 5 FTC Act Compliance
• Use basic fair processing principles, such as transparency, choice, limited data collection for specific purposes
• Privacy notice can double as a basic checklist for a variety of regulatory schemes
29. Scalable Universal Compliance Infrastructure
Getting the Basics Right
Triangulation Approach to Multi-Jurisdictional Compliance Requirements
• Invest in a professional risk assessment of your security risk
• Adopt reasonable security measures. The FTC considers failure to do so potentially an “unfair business practice”
• Invest in high-end employee training
30. Regulatory Risk Management
• Compliance as Incremental Process
  ◦ Allocate limited compliance resources based on enforcement risk
    ▪ Who is my primary regulator?
    ▪ Enforcement Priorities
    ▪ Is there a leniency program? What are the criteria to qualify? Are there cure periods?
    ▪ All politics is local – and so is compliance
    ▪ Use attorneys or consultants with background knowledge of the regulatory agencies in each state
31. Civil Litigation
• Recent trend towards courts holding that businesses have a common law duty to use reasonable security measures to protect personal information
• Moreover, businesses may face litigation under theories such as breach of contract, breach of fiduciary duty, and consumer fraud in the event of a cybersecurity incident
• For public entities, cybersecurity incidents can lead to class action shareholder derivative lawsuits against directors and officers
33. Cyber Insurance
• Typically covers business interruption, remediation, and civil liability.
• Doesn’t cover reputational harm and loss of consumer confidence.
• Cyber insurance may be causing a spike in ransomware since cyber criminals may believe that victims covered by cyber insurance that potentially covers ransomware payments will quickly pay demanded ransoms.
34. Acts of War Exception
• Some insurers have taken the position that cyberattacks perpetrated by foreign governments are not covered pursuant to insurance policies’ exceptions for “Acts of War.”
• There are pending lawsuits challenging insurers’ denial of coverage for the NotPetya ransomware attack on the basis that it was an “Act of War” perpetrated by Russia.
35. Cyber Insurance and Ransomware
A recent Indiana Court of Appeals case held that a cyber insurance policy that covered “property loss” did not cover a ransom paid to a hacker in order to unlock the insured’s computer system after a ransomware attack.
51. Want to Get in Touch?
Withum’s Cyber Team
Wcyber.info@Withum.com
CapitalOne
Edward Dewalters
edward.dewalters@capitalone.com
McElroy Deutsch:
Diane Reynolds
DReynolds@mdmc-law.com