S10 | MONDAY, FEBRUARY 22, 2016 | Litigation | NYLJ.COM
Privacy Shield
« Continued from page S5
nal. In many cases, organizations have found that they have not fully insulated themselves against hacking, not to mention addressing their likely weakest link: sharing data with outside counsel, cloud providers, and other vendors. According to the American Bar Association’s 2015 Legal Technology Survey, one in four law firms with 100 or more attorneys have fallen victim to a data breach. Many times, these breaches go undetected, as the information is often used for clandestine activities, such as trading on inside information, rather than identity theft.
As these outside companies are stewards of an organization’s data, leading data privacy organizations have thoroughly evaluated the data security practices of such outside companies, including determining whether the firm or vendor is capable of adhering to the organization’s requirements. Essential data security standards should include certifications such as ISO 27001, security measures that limit physical access to the data, firewalls, data encryption protocols, monitoring, strict policies governing mobile devices and removable hardware, disaster recovery plans, regular audit procedures, and a robust security training program. Knowledgeable organizations create approved lists of vendors who
Cyber Insurance
« Continued from page S9
answers in Cottage’s application were false. Many policies contain provisions similar to Columbia Casualty’s. Since most cyber liability results from a risk control system’s failure, the Minimum Required Practices provision often comes into play. An insurance company has the right to ask objective questions about system security in its application. Such objective questions must be distinguished from subjective exclusions that require the policyholder’s system to be “reasonable,” “current,” or “up-to-date.” Such exclusions
invite insurance coverage litigation.
Conclusion
Certainly, the trajectory of insurance company denials under general liability and other insurance policies raises concerns. However,
offer adequate safeguards, and require that anyone who wants to retain the services of an unapproved third party must obtain the signature of the general counsel.
Ensuring Law Firm and Vendor Compliance.
The most vigilant organizations have required their outside counsel and legal vendors to become well versed in data privacy issues and where they conflict with discovery obligations. Such organizations demand practical application as well, such as requiring that outside counsel establish a method for flagging legal matters that arise before a U.S. court or government agency that could implicate the data of non-U.S.-based custodians and alert the organization. These organizations also require law firms and vendors to follow their protocol, so that requests to collect any data for any purpose must be routed through the organization’s cross-border team and are only granted with the requisite level of approval.
Disposing of Data at the End of a Matter.
Organizations have often not realized the extent to which they disseminated their data in discovery, and the lack of transparency makes it difficult to monitor, manage, and secure produced data. Further, organizations have often collected and produced data in discovery and then forgotten about it once the matter closed. Leading organizations have created protocols to obtain commitments from opposing parties and their counsel
cyber policies are designed specifically for these risks. As noted anecdotally, insurance companies have been paying on these claims. However, cyber losses are growing in frequency and intensity. Insurance companies are reportedly tightening underwriting standards and increasing premiums on cyber policies. Will they also issue more coverage denials?
Cyber policies differ in critical ways from general liability policies. Although the insurance industry will deny it, they purposely drafted general liability policies broadly to respond to emerging risks, which the policies have failed to do. This phenomenon causes the majority of coverage litigation.
Insurance companies argue that they write cyber policies narrowly on purpose, to expose themselves only to known risks. A policy may contain over 50 definitions and 30 exclusions. As cyber liability grows and transmutes, it may slacken the insurance industry’s appetite for cyber risks. Currently, the coverage battle over phishing best illustrates this trend. The
to dispose of the case-related data at the conclusion of a matter or a representation. These protocols also have addressed whether the opposition or a government agency has shared any information with discovery vendors, data processors, or cloud providers.
The extent of protocols has varied based upon the variables of the particular case. Nevertheless, most such protocols involve a checklist, a certification that any parties who received protected information have destroyed that information, and a follow-up security audit of the organization and third parties.
Waiting Out the Storm
Until the Privacy Shield is firmly in place, no one can predict specifically what will happen in the wake of Schrems. For now, data privacy savvy organizations have taken measures to get their data “house” in order and implemented whatever internal framework is necessary to ensure that they know where the data is, who has it, how secure it is and that it is appropriately destroyed or returned at the conclusion of a matter. It will be interesting to see how things progress from here.
•••••••••••••••••••••••••••••
1. Case C-362/14, Schrems v. Data Prot. Comm’r, 2015 E.C.R. ---, available at http://curia.europa.eu/juris/documents.jsf?num=C-362/14.
insurance industry was familiar with hacking. It was a known risk that the industry was willing to underwrite. To the corporation, no essential difference existed between hacking and phishing—both resulted in the same loss. To the insurance companies, the difference was crucial. They understood the risk of hacking and intended to write coverage for it. Phishing presented a new risk that they did not intend to cover. This is an example of why cyber insurance litigation may develop in the near future. Policyholders will look for broad constructions of cyber policies to provide coverage for emerging risks, while insurance companies will attempt to hold the line at a narrow construction of the policy limited to enumerated claims.
Class Action
« Continued from page S7
subject to the Federal Trade Commission Act, 15 U.S.C. §41, et seq., which requires disclosure of a company’s auto-renewal policies.
•••••••••••••••••••••••••••••
1. See Cabala v. Crowley, 736 F.3d 226, 228 (2d Cir. 2013) (citing McCauley v. Trans Union, 402 F.3d 340, 342 (2d Cir. 2005) (where a Rule 68 offer of judgment affords a plaintiff complete relief, the proper disposition “is for the district court to enter judgment against the defendant for the proffered amount and to direct payment to the plaintiff consistent with the offer.”); Bank v. Caribbean Cruise Line, 606 Fed. Appx. 30, 31-32 (2d Cir. 2015)) (entering judgment consistent with Rule 68 offer); O’Brien v. Ed Donnelly Enters., 575 F.3d 567, 574-75 (6th Cir. 2009) (noting that, as regards an unaccepted offer of judgment, “the better approach is to enter judgment in favor of the plaintiffs in accordance with the defendants’ Rule 68 offer of judgment.”). See also Greif v. Wilson, Elser, Moskowitz, Edelman & Dicker, 258 F. Supp. 2d 157, 161 (E.D.N.Y. 2003) (granting motion to compel acceptance of offer of judgment and entering judgment for plaintiff); Ambalu v. Rosenblatt, 194 F.R.D. 451-52 (E.D.N.Y. 2000) (same).
2. 74 Fed. Reg. 59033 (Nov. 17, 2009) and 75 Fed. Reg. 31665 (June 4, 2010).
3. “CFPB Study of Overdraft Programs,” CONSUMER FINANCIAL PROTECTION BUREAU, at 17 (June 2013), available at http://files.consumerfinance.gov/f/201306_cfpb_whitepaper_overdraft-practices.pdf.
4. Complaint at 6, McDermott v. Bethpage Federal Credit Union, No. 2:15-CV-05922 (E.D.N.Y. Oct. 14, 2015) (decision pending).
5. Id.
6. Those challenging these extended overdraft fees have unsuccessfully tried to claim they amount to illegal excessive interest under federal banking laws. See, e.g., Shaw v. BOKF, No. 15-00173, 2015 WL 6142903 (N.D. Okla. 2015) (bank’s assessment of a second overdraft fee on a customer who did not timely remedy an overdrawn account does not constitute an assessment of interest under federal banking law).
7. See Wells Fargo Bank v. Zankich, No. 15-90024 (11th Cir. Dec. 1, 2015).
8. “Fall 2015 Rulemaking Agenda,” CONSUMER FINANCIAL PROTECTION BUREAU (Nov. 20, 2015, available at http://www.consumerfinance.gov/blog/fall-2015-rulemaking-agenda/).
9. These include California (Cal. Bus. & Prof. Code §§17600-17606), Connecticut (Conn. Gen. Stat. §42-126b), Florida (Fla. Stat. §501.165), Georgia (O.C.G.A. §13-12-3), Illinois (815 ILCS 601/10), Louisiana (La. Rev. Stat. §9:2716), Maryland (Md. Code Com. Law §14-12B-06), New Hampshire (N.H. Rev. Stat. §358-I:5), New York (N.Y. Gen. Oblig. Law §5-903), North Carolina (N.C. Gen. Stat. §75-41), Oregon (Or. Rev. Stat. §§646A.293, .295), Rhode Island (R.I. Gen. Laws §6-13-14), South Carolina (S.C. Code §44-79-60), South Dakota (S.D. Codified Laws §49-31-116), Tennessee (Tenn. Code §§62-32-325, 47-18-505) and Utah (Utah Code §15-10-201).
10. For example, California’s automatic renewal law prohibits retailers from charging consumers’ credit card, debit card or bank account for ongoing orders without their explicit consent and requires that the terms of the practice be disclosed in a “clear and conspicuous” manner before the order is finalized. In January 2015, New York introduced legislation, S.B. 40, similar to the California law, which would require customers’ express consent before charging them for a renewal.
11. http://files.consumerfinance.gov/f/201512_cfpb_ezcorp-inc-consent-order.pdf.
12. See supra n. 7.