Are You Covered? CT Businesses Should Double Check Insurance Coverage for Data Loss

The Connecticut Appellate Court recently decided a case involving damages from the loss of data relating to 500,000 IBM employees.  The case is entitled Recall Total Information Management v. Federal Insurance Company.  The lost data included social security numbers and birth dates, and it was lost while being transported for storage.  Some four years after the loss, there has been no reported identity theft.

As I have mentioned on this blog many times, data loss events can cause significant damages to a business.  In this case, IBM incurred $6 million in expenses to provide identity protection to its employees and to address the breach.  The data storage company paid IBM the full amount of its loss.  The storage company and its subcontractor then sought coverage for the IBM claim under a commercial general liability policy.  Obtaining coverage for a data loss breach under the terms of a commercial general liability policy can pose several challenges, and the results have been inconsistent across different courts and cases.  In this case, the insured parties made the most likely arguments for coverage, but the insurance company denied the claim.

The litigation that ensued concerned whether the insurance company properly denied coverage.  The trial court agreed that the denial was proper.  On appeal, one of the issues concerned the nature of data loss and whether it triggered coverage under the personal injury provisions of the policy.  The Appellate Court found that the policy did not provide coverage under those provisions.  One of the reasons was that the data was never published to or accessed by anyone.  This suggests that the result might have been different had a thief actually disseminated the data.

The takeaway here is that businesses need an annual review of their insurance policies to specifically address the types of exposure they face.  A commercial general liability policy may not cover every circumstance.  For data loss, security breaches, and technology errors, there are specific policies designed to cover these risks.  Seeking coverage for data loss claims under a standard commercial general liability policy will likely be problematic and may result in no coverage at all, as this recent case highlights.

Tips On How To Reduce The Risk Of Intellectual Property Theft

In my last post, I wrote about the risks facing businesses when an employee departs.  It can be fairly argued that within the next three years the average business will have to deal with a disgruntled, departing employee who has had access to confidential information in digital form.  Studies have shown that more than 50% of disgruntled employees, and 90% of IT employees, will take something with them.  So what can a business do to protect itself from theft of clients, confidential information, and trade secrets?  Here are a few tips:

1. Strong Contracts.  I often say that Legal Zoom = courtroom doom.  Many folks go to online websites for cheap, canned non-compete or confidentiality agreements.  There are circumstances where an online form will give you a decent contract that helps protect your business.  However, too many times I have reviewed a client's low cost, canned contract and found significant problems with it.  If you want a contract with a better chance of standing up in court, you are best served by hiring an attorney well versed in these areas.  Relying on a form contract from a website is not recommended.

2. Strong Policies.  Any workplace policy should include a strong electronic monitoring policy, prominently posted in break rooms and in the employee handbook.  Ideally, the policy will spell out that the company can and will monitor company owned computers and all communications and information stored on them.  You also want strong password policies, auditing of file access, and guards against deletion of data.  Your IT department should also have visibility into all activity on the work network.

3. Intake Checklists.  Upon employee intake, your business will want a checklist that documents all the necessary items covering confidential information.  You will want to record all devices issued to the employee, review the details of the contract (non-compete or non-disclosure), and review all electronic monitoring policies.

4. Internal Procedures.  Essentially, what a business needs is an enterprise fraud management plan.  This would include security technologies for the electronic information and data stored by the company, including mobile device management.  Your plan should classify data and restrict access based on those classifications, and it should include auditing and tracking of access to the data.

5. IT Security Checklist.  This is a checklist designed for the IT department to follow when an employee departs.  It should start with revoking the former employee's access immediately.  The list should also include an inventory of the employee's devices, evidence preservation, and possible involvement of a forensics expert.  There should always be a concern about possible spoliation of evidence when attempting to preserve, inspect, or copy electronic data; simply opening or copying files can alter timestamps and other metadata that a court may later care about.  Early involvement of an expert in computer forensics is recommended.
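As an added illustration of the evidence preservation step, and not part of the original post or any forensics vendor's tool, here is a small Python script that records a SHA-256 hash for every file in a preserved copy and later re-checks the copy against that manifest, so that any change or addition after preservation can be shown rather than argued about.  The directory, file names, custodian name and file contents are constructed for the demonstration; in a real engagement the forensics expert would image the device and keep the manifest with the chain of custody record.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, custodian):
    """Record hash and size of every file under root, plus who collected it and when (UTC)."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {
        "custodian": custodian,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "root": str(root),
        "files": files,
    }


def verify_manifest(root, manifest):
    """Return a list of (relative path, reason) discrepancies; an empty list means the copy is intact."""
    root = Path(root)
    problems = []
    for rel, meta in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != meta["sha256"]:
            problems.append((rel, "hash mismatch"))
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest["files"]:
            problems.append((rel, "unexpected file"))
    return problems


def demo():
    """Constructed demo: preserve two files, verify, then show that a later edit and a new file are caught."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample evidence, not real client data.
        (root / "clients.xlsx").write_bytes(b"constructed sample client list")
        (root / "notes.txt").write_bytes(b"constructed sample notes")
        manifest = build_manifest(root, custodian="hypothetical IT administrator")
        clean = verify_manifest(root, manifest)
        # Simulate spoliation after preservation: one file edited, one file added.
        (root / "notes.txt").write_bytes(b"edited after preservation")
        (root / "extra.txt").write_bytes(b"added after preservation")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    _, before, after = demo()
    print("intact copy:", before)
    print("after changes:", after)
```

The manifest should be generated before anyone inspects the copy and stored separately from it (and ideally signed or printed and dated), since a hash list kept on the same drive as the evidence proves little.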

6. Strong Exit Interview.  A good exit interview can go a long way towards understanding if the departing employee is a risk for theft or use of confidential information.

7. Severance.  To give or not to give?  A fair severance agreement can be used to create ongoing and continuing obligations for the departing employee with respect to confidential information or intellectual property.  Also, if you failed to have a good contract in place during employment, a severance agreement is a good way to correct previous mistakes in the employment contract.  Further, in some circumstances, a fair severance agreement can reduce the level of hostilities and thereby reduce post-employment risks.

Confidential Information and the Departing Employee

I recently ran a seminar for the Human Resources Association of Central CT on "Effectively Managing Your Departing Employees."  The seminar addressed how attorneys can help eliminate, prevent, or mitigate the risks of intellectual property theft.  In this post, I will define the basics of the problem.  In the next post, I will cover how to address it.

  • Employees will leave (Millennials' average job tenure is 2.5 years)
  • Employees will be disgruntled (Wall Street Journal: 75% of departing employees are disgruntled)
  • Employees will have access to electronically stored data (UC Berkeley study shows 90% of critical business data is digital)
  • Digital is portable, easy to copy, saved in seconds, and transferred to multiple locations
  • Employees do take confidential information, even if by mistake. (Ponemon Institute says 59% of departing employees take information, and 90% of IT professionals)

Based on these numbers, you could fairly argue that within a three year time frame the average business will likely have to deal with an unhappy, departing employee who copies accessible confidential information.  This paints a pretty grim picture.  Nevertheless, it is a fair way to think about the problem in order to manage the risks appropriately.

One of the biggest risks is financial loss from theft of intellectual property and confidential information.  This might cover any of the following:

  • Trade secrets (confidential client lists, formulas, data)
  • Patents (fully or partially disclosed inventions)
  • Copyrights (original works such as software code)
  • Trademarks (counterfeit goods, brand damage) 
  • Proprietary information (anything you do not want in hands of a competitor)

How does employee or insider theft typically happen?  Here are a few examples:

  • Email (with or without attachments)
  • Portable drives (thumb or flash drives)
  • Smartphones
  • File Transfers (FTP sites)
  • Remote access programs (GoToMyPC)
  • File syncing programs (Dropbox)
  • Old-fashioned printing and copying
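The channels above are also where the evidence of a theft usually shows up, so they are a reasonable starting point for what IT should be watching in the weeks before and after a departure.  As an added example, not from the original post or any product, here is a Python triage script that runs a few simple rules over mail, USB, proxy and FTP log lines and groups the hits by user.  The log lines, the "source|timestamp|user|detail" format, the field names, the company domain and the size thresholds are all constructed for the demonstration and would have to be mapped to whatever your mail gateway, endpoint agent and proxy actually emit.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry), in a simplified
# "source|timestamp|user|detail" form with key=value fields in the detail.
SAMPLE_LOGS = [
    "mail|2012-06-12T17:02:11|jsmith|to=jsmith.personal@gmail.com attachment=clientlist.xlsx size=2400000",
    "mail|2012-06-12T17:05:40|jsmith|to=vendor@partner-co.example attachment=invoice.pdf size=80000",
    "usb|2012-06-12T17:20:03|jsmith|mount device=SanDisk_Cruzer serial=4C530001 action=mount",
    "usb|2012-06-12T17:21:30|jsmith|copy device=SanDisk_Cruzer path=Q:/Shared/Formulas/ files=412",
    "proxy|2012-06-12T17:40:12|jsmith|host=dl-client.dropbox.com method=POST bytes_out=350000000",
    "proxy|2012-06-12T17:41:00|jsmith|host=www.example.com method=GET bytes_out=900",
    "ftp|2012-06-12T17:50:00|jsmith|host=ftp.unknown-host.example action=STOR bytes=120000000",
    "mail|2012-06-12T09:00:00|akim|to=colleague@company.example attachment=agenda.docx size=30000",
]

# Assumed values for the demonstration; tune these to your own environment.
COMPANY_DOMAIN = "company.example"
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
SYNC_HOSTS = ("dropbox.com", "drive.google.com", "box.com")
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024


def parse(line):
    """Split one constructed log line into source, timestamp, user, an optional leading action word and key=value fields."""
    source, ts, user, detail = line.split("|", 3)
    fields = dict(re.findall(r"(\w+)=(\S+)", detail))
    first = detail.split()[0]
    action = first if "=" not in first else ""
    return {"source": source, "ts": ts, "user": user, "action": action, "fields": fields}


def check(event):
    """Return a list of (rule, reason) findings for one parsed event; empty list if nothing matched."""
    f, src = event["fields"], event["source"]
    findings = []
    if src == "mail" and "attachment" in f:
        domain = f.get("to", "").rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_WEBMAIL:
            findings.append(("mail_to_personal_webmail", f"attachment {f['attachment']} sent to {f['to']}"))
    if src == "usb":
        if event["action"] == "mount":
            findings.append(("removable_media_mount", f"device {f.get('device')} serial {f.get('serial')}"))
        if event["action"] == "copy":
            findings.append(("removable_media_copy", f"{f.get('files')} files copied from {f.get('path')}"))
    if src == "proxy":
        host = f.get("host", "")
        if f.get("method") == "POST" and any(host.endswith(s) for s in SYNC_HOSTS):
            findings.append(("file_sync_upload", f"{f.get('bytes_out')} bytes uploaded to {host}"))
    if src == "ftp" and f.get("action") == "STOR" and int(f.get("bytes", 0)) >= LARGE_UPLOAD_BYTES:
        findings.append(("large_ftp_upload", f"{f['bytes']} bytes stored on {f.get('host')}"))
    return findings


def triage(lines):
    """Group findings per user so a departing employee's activity can be reviewed in one place."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse(line)
        for rule, reason in check(ev):
            per_user[ev["user"]].append((ev["ts"], ev["source"], rule, reason))
    return dict(per_user)


if __name__ == "__main__":
    for user, hits in triage(SAMPLE_LOGS).items():
        print(user)
        for ts, source, rule, reason in hits:
            print(f"  {ts} [{source}] {rule}: {reason}")
```

None of these rules proves theft on its own; a USB mount or a Dropbox upload is routine for many employees.  The value is in pulling the events for one named person into a single timeline that the forensics expert and counsel can review together, and in having the log retention in place before the employee gives notice.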

In the next post, I will cover what you can do to help stop or reduce the risks of intellectual property theft. 

New Update to Connecticut Data Breach Law

Connecticut Updates Its Data Breach Statute by Attorney David Benoit.

A month after Vermont made substantive amendments to its Security Breach Notice Act to address a number of consumer protections, Connecticut followed suit on June 12th with a similar amendment to Connecticut General Statutes Sec. 36a-701b, adding a requirement to notify the State's Attorney General.

Going into effect on October 1, 2012, Connecticut’s amended breach notification requirements will now include an obligation to notify the Connecticut Attorney General’s office pursuant to a new subsection (b)(2):

“If notice of a breach of security is required by subdivision (1) of this subsection, the person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information, shall not later than the time when notice is provided to the resident also provide notice of the breach of security to the Attorney General.”

Regarding when notice is to be made (both to the Connecticut resident and the Attorney General), the statute allows the notifying party a reasonable amount of time to accommodate delays resulting from law enforcement and company-led investigations meant to: (i) determine the nature and scope of the data breach, (ii) identify the individuals affected by the breach, and (iii) restore the reasonable integrity of the data system.

Additionally, subsection (c) was amended to clarify that the state’s notification requirements are applicable only to personal information of “a resident of this state.” 

Furthermore, pursuant to subsection (g), failure to comply with the statute will continue to be deemed an unfair trade practice under Connecticut's Unfair Trade Practices Act ("CUTPA"); however, enforcement remains limited to the Attorney General, with no private right of action.

Small Business Insurance For Data Loss and Security Breach

The Hartford recently announced a new insurance product tailored to small businesses for data loss and security breach, touted as more affordable for the smaller business owner.  More and more small businesses are experiencing the devastating effects of a security breach or data loss incident.  The statistics and stories are well reported from various sources.  Industry benchmark studies put the cost at more than $200 per lost record.  A loss of that size can cripple a small business and leave it exposed to lawsuits and litigation.

The front line defense against data loss and security breach risks should always be a good security and privacy plan.  A technology attorney working in conjunction with your IT support can develop and help implement an effective plan.  The process of developing and implementing such a plan often reveals the problem areas in a business.  Nevertheless, at the end of the day, there is no 100% fail safe plan to secure data, whether the data is in the cloud or on a server in the office.  There are also unavoidable risks associated with paper documents, and no plan provides 100% protection for them either.  That is why insurance is a good choice to cover the unavoidable residual risk.

In addition to providing valuable financial protection in the event of a covered incident, the underwriting and application process for data loss insurance will often require the business to adopt best practices.  That process alone can substantially reduce the likelihood of a significant data loss incident.  Accordingly, small businesses should consider a three step process for data loss and security breach:

1. Develop and implement a security and privacy plan

2. Implement best practices as part of insurance application process

3. Purchase and maintain data loss insurance

Unfair and Deceptive Trade Practices in Connecticut

Each state generally has some type of consumer protection or trade protection law that seeks to prohibit and punish unfair conduct and deceptive acts in trade or commerce.  Most states, including Connecticut, model their laws after section 5 of the Federal Trade Commission Act, which prohibits unfair methods of competition and unfair or deceptive acts or practices in the marketplace.

Connecticut’s Unfair Trade Practices Act (commonly referred to as CUTPA by attorneys and judges), is codified at Connecticut General Statutes section 42-110b.  CUTPA states, in relevant part, that:

(a) No person shall engage in unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.

(b) It is the intent of the legislature that . . . the courts of this state shall be guided by interpretations given by the Federal Trade Commission and the federal courts to Section 5 . . . .

(c) The commissioner may . . . establish by regulation acts, practices or methods which shall be deemed to be unfair or deceptive. . . . Such regulations shall not be inconsistent with the rules, regulations and decisions of the federal trade commission and the federal courts . . .

(d) It is the intention of the legislature that this chapter be remedial and be so construed.

CUTPA’s provisions can be far reaching for businesses and consumers.  For example, under section 42-110g, attorneys who successfully prove a CUTPA violation in Connecticut business litigation may be able to recover attorneys' fees, punitive damages, and costs for their clients.  CUTPA also allows attorneys to bring class action lawsuits in Connecticut for unfair or deceptive acts.  Additionally, courts can order injunctive relief or other equitable remedies for CUTPA violations.

CUTPA’s provisions may be enforced by the various State’s Attorneys and the Attorney General, as in the AG’s recent lawsuit against Health Net over its loss or exposure of personal identifiers (date of birth, social security number) of Connecticut residents.  Private citizens and businesses may also bring actions for unfair competition or deceptive acts under CUTPA, including class action lawsuits such as the recent case against AT&T over Internet access.

To establish a violation of CUTPA, attorneys in Connecticut have to prove that their clients suffered "any ascertainable loss of money or property, real or personal, as a result of the use or employment of a method, act or practice prohibited by section 42-110b. . ."  Generally speaking, this requirement means Connecticut attorneys have to show that their clients sustained damages as a result of an unfair or deceptive act in trade or commerce.

To determine what constitutes an unfair or deceptive act, Connecticut courts refer back to the Federal Trade Commission and what is commonly called the "cigarette rule."  The cigarette rule defines what type of conduct may qualify as unfair or deceptive, justifying an award of compensatory or punitive damages.  The rule dates back to 1964 and comes from the Federal Trade Commission's rulemaking on warning labels for cigarette packages.

The three prongs of the cigarette rule are as follows:

  1. whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise-in other words, it is within at least the penumbra of some common law, statutory, or other established concept of unfairness;
  2. whether it is immoral, unethical, oppressive, or unscrupulous;
  3. whether it causes substantial injury to consumers, [competitors or other business persons]. . . .

All three criteria do not need to be satisfied to support a finding of unfairness. A practice may be unfair because of the degree to which it meets one of the criteria or because to a lesser extent it meets all three.


It is important to note that not every act that might seem to fit the criteria will be a violation of CUTPA.  For example, generally speaking, mere negligent acts or simple breaches of contract do not constitute unfair or deceptive acts under CUTPA.  It is also important to note that some conduct automatically violates CUTPA (a per se violation), such as failure to follow the Home Improvement Act or to register a trade name.


There are many nuances to CUTPA, and the above is only a brief summary.  Any business or consumer trying to determine whether they were damaged by conduct constituting a violation of CUTPA should contact a business litigation attorney or the Attorney General’s office.

Health Net’s Data Loss In Connecticut Was Theft

Attorney General Richard Blumenthal issued a scathing press release about Health Net’s recent data loss and security breach.  Blumenthal called Health Net’s account of the incident "sanitized" and its six month delay in reporting "unconscionable."  Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk of exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast, serving approximately 580,000 members.  A report by Lucas Mearian of Computerworld stated that the stolen information was on a portable hard drive that had not been encrypted.  Proper encryption could have prevented access to the information even with the drive in a thief's hands.

Connecticut consumers have been affected by the data loss, and more than a million people in total had social security numbers and financial and medical information exposed.  Consumers in Arizona, New Jersey, and New York also had sensitive information exposed.  Thus far, there has been no report of identity theft or misuse of the information.

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences from data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a negligence lawsuit for failing to follow those same policies and procedures.  To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common, and insurance covering such losses can potentially save your business.  Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery.  Take, for example, the recent class action lawsuit for data loss filed against Aetna in federal court in Pennsylvania.  The lead theory of recovery in the complaint against Aetna is negligence.

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  One of them is that pleading negligence increases the possibility of triggering the breaching company’s insurance coverage for data loss, if the company has a policy.  If a business has coverage that applies to the allegations in the complaint, the insurer typically will also provide a legal defense to the claim.  Legal costs alone could be enough to sink a business, let alone the damages.

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate that cost?  One way is to use a data loss calculator.  You might also estimate your data loss costs by referencing the 2009 Ponemon Institute benchmark study, which put the cost at $202 per lost record and rising.

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

Technology 404 by Darwin.

CyberChoice by The Hartford

CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this blog, I am going to regularly post technology tips for Connecticut businesses to manage risks and avoid lawsuits.  These tips are based on a presentation I gave at the Hartford Business Journal’s Etechnology Summit concerning technology bombs that can sink a business.

Here’s today’s tip for Connecticut businesses to avoid financial loss as a result of data loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal identifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws.  For a good resource on privacy laws, see the Privacy Law Blog by Proskauer Rose LLP.  For an example of a new privacy law in Connecticut, consider the “Act Concerning the Confidentiality of Social Security Numbers.”  Connecticut’s Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public relations, and significant down time.  Consider the recent case of TJX, reported on by Sheri Qualters for the National Law Journal.  Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards.  TJX entered into various settlements, including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks.  Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business.  How can a business minimize its exposure to lawsuits from data loss or a security breach?

Implement a data loss policy and solution for your business.  There is no one size fits all policy and solution, and every business will have different needs.  If you already have a policy, you should have it reviewed regularly for changes in the law.  If you do not have a policy in place, you need to start somewhere.  For “do it yourselfers” there is the Federal Trade Commission’s guide for business, Protecting Personal Information.  The FTC’s guide is a 5 step plan running from identifying your risk exposure to implementing procedures.

In addition to implementing policies, any business with significant risk exposure for data loss (e.g. medical practices, retailers, e-commerce) should consider purchasing a cyber liability insurance policy.  These policies are now more affordable, and many insurers, such as The Hartford, are actively underwriting policies to cover first and third party data loss claims and providing ongoing resources and information.

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit.