NSAP Insurance Full Policy Limits Must Cover First Party Data Breach Costs

A recently disclosed $10 million data breach expense bill raises an issue that has been percolating through the network security and privacy (NSAP) insurance marketplace for several years now.  The publicly disclosed expenses involve BlueCross BlueShield of Tennessee (BCBST).

According to BCBST, in October 2009, “57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a [BCBST] call center.”  And, as of June 11, 2010, the total number of current and former BCBST members whose data was compromised is 998,936.  Although there has been no documented incident of identity theft or credit fraud against BCBST members as a result of this theft, BCBST has incurred $10 million in costs to date.  These expenses are driven by its retention of Kroll to investigate the theft (e.g., to determine which members were impacted), Equifax credit monitoring, LifeLock services, notification costs, and call center expense.

The key takeaway from incidents such as this one turns on the fact that there is no lawsuit to defend – and therefore no NSAP liability policy trigger to set in motion.  The only trigger is first-party driven, namely the internal expenses incurred to deal with a data breach incident.

As with most NSAP insurance buyers, the growing number of Blues who have actually purchased NSAP insurance have agreed to sub-limits on their first-party expenses that are usually a fraction of the full liability limit.  This is unacceptable given that victims such as BCBST are often forced to expend millions of dollars without seeing a single lawsuit or regulatory complaint.  In fact, the goal of spending so much on the front end is to avoid litigation.

The good news is that there are a few NSAP insurers who are willing to offer full limits for first-party expenses incurred as a result of a data breach.   These insurers should be evaluated when looking at NSAP insurance for the first time.  And, upon renewal, if your current insurer does not provide the limits you need for the expenses you are most likely to incur, either have your current broker evaluate other insurers or turn to a new broker who can help locate better options.

9th Circuit: GL Policy Provides Patent Coverage

As reported by Wilson Elser, the Court of Appeals for the Ninth Circuit has ruled against a GL insurer looking to avoid picking up the tab for a patent suit.  After being sued for patent infringement over its online “build your own” car feature, Hyundai sought GL coverage under the “advertising injury” clause – specifically alleging that the patent infringement suit triggered the “misappropriation of advertising ideas” coverage grant.  Hyundai’s coverage claim was dismissed in the lower court and Hyundai appealed.  In reversing the dismissal, the Ninth Circuit found that “the advertising itself constituted the (injurious) use of the patented method.”

Specifically, the Circuit Court reasoned:

The third-party patent infringement claims here alleged that Hyundai’s web-based advertisement violated the third party’s advertising-method patents. We hold that, in the context of the facts of this case, the third-party patent infringement claims constituted allegations of “misappropriation of advertising ideas” for purposes of the insurance policy.

Although the case was decided on narrow grounds, and the recent Bilski decision likely narrows the field of future online business method patents, the ruling remains a wake-up call to insurers who want nothing to do with patent suits.

Tech Vendors Need Strong Hybrid Mix of Legal and Risk Management Counsel to Avoid Fraud Lawsuits

A growing list of technology vendor settlements should be a wake-up call to tech vendors both large and small.  For example, last month, HP resolved a legacy EDS lawsuit to the tune of $460 million.  The facts of the case are not very complicated.  A decade ago, British firm BSkyB retained EDS to provide a CRM system for BSkyB’s help centers.  Two years later the contract was terminated and BSkyB completed the job using its own IT staff.  It also filed an action against EDS for misrepresentation regarding its capabilities.  Although the initial contract included a liability clause that capped damages, the clause was ultimately rendered invalid due to fraud.

This past May, SAP and Waste Management announced the settlement of a lawsuit involving a failed ERM implementation.  Waste Management sued SAP for fraud in March 2008 over an allegedly failed waste and recycling revenue management system.  Waste Management allegedly sustained direct damages of over $100 million.  SAP responded in its original Answer that Waste Management didn’t “timely and accurately define its business requirements” nor provide “sufficient, knowledgeable, decision-empowered users and managers” to work on the project.  Much of Waste Management’s allegations turned on representations made by salespersons who were allegedly only concerned with licensing software that would create larger year-end bonuses.  According to Waste Management’s revised complaint, if a newer version of the software had been used, “the multi-million dollar sales price for the software could not be immediately recognized as revenue under the accounting rules for revenue recognition,” and the salespeople involved in the deal would not have received bonuses.  According to its quarterly earnings filing regarding the reported settlement, Waste Management received “a one-time cash payment” in accordance with the settlement.  The terms of the settlement were not disclosed.

The price of a tech suit goes down steeply after fraud charges are dismissed.  For example, a lawsuit brought by a county government went from $10 million in alleged damages to an eventual settlement of $575,000, given that only breach of contract claims remained after the fraud claims were dismissed from the action.  Another action brought by yet another county government may not go as well for the tech vendor (Deloitte Consulting), given that the fraud claims remain front and center throughout the complaint filed on May 28, 2010.

Claims against tech vendors are not only brought for millions of dollars.  Last year, Epicor was sued after a client spent $244,656.42 on an ERP implementation.  Again, the complaint sounded in breach of contract but also carried negligent misrepresentation and fraud claims.

Moreover, tech vendors can include those who sell products such as iPhones rather than license software.  Earlier this month, Apple was hit with numerous suits seeking damages arising from the fact that the latest iPhone has significant reception issues depending on how the phone is held.  Specifically, one suit accuses Apple of “general negligence, breach of warranty, deceptive trade practices, intentional misrepresentation, negligent misrepresentation, and fraud by concealment.”

For over twenty-five years, courts have allowed fraud claims to mingle with the negligence and breach of contract claims typically brought against technology vendors.  It is so much easier to prove (as was done in the EDS suit) that someone lied when contracting than to show how a contracted-for systems implementation was not technically performing as promised.  Moreover, if fraud is proven, not only will it vitiate the limitation of liability and exclusion of consequential damages found in nearly all tech agreements, but punitive damages may also become available.  In other words, a fraud claim is the magic bullet used by most plaintiffs to get around iron-clad contracts and the bar against awarding punitive damages in a contract dispute.

To best combat fraud claims, there are certain things that a tech vendor should do before, during and after a contract is negotiated.  For counsel on that front and for access to related risk management and contracting tools, please reach out.

HHS Issues Proposed New HIPAA Regulations and Breach Portal

Using a lavish press conference as the backdrop, HHS officials yesterday announced proposed changes to the HIPAA regulations as well as an updated web page listing those breaches impacting more than 500 individuals.  The purpose of the new Rules issued yesterday is to align the HIPAA rules with the HITECH Act passed last year.  Specifically, the press announcement states:

The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Under the proposed Rules (which are 234 pages in length), (1) individuals would have more convenient access to their protected health information (PHI) where it is available in electronic format; (2) covered entities would only need to protect the health information of decedents for 50 years after their death, as opposed to protecting the information in perpetuity as current HIPAA requirements demand; and (3) the definition of who constitutes a business associate is expanded.

If these proposed rules are adopted, the expanded view of what constitutes a business associate will include the following:

We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in §160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.

During the coming weeks much analysis will be given to these proposed Rules, but when it is all sorted out, it is anticipated that the three changes listed above will be deemed among the more significant.  Giving individuals the ability to access their PHI in a particular electronic format will drive up costs, limiting record keeping to 50 years will reduce costs given current encryption technologies, and expanding the definition of business associates to a vague, circular definition will throw a monkey wrench into the compliance efforts of just about any entity subject to HIPAA.  These proposed Rules are certainly a nice gift to privacy lawyers looking to boost their summer hourly billing.

Exposure to Software Copyright Claims

Claims arising out of internally-used software continue to be a significant retained IT risk factor.  When President Obama picked the Business Software Alliance’s General Counsel, Neil MacBride, for a senior Justice Department post, it sent a clear message that we will see increased software compliance audits – and possibly new penalties.  The increasing use of open source software is also leading to unanticipated software copyright exposures.  In other words, the reasons continue to mount for users of desktop software to carefully monitor their use of software and maintain careful records of each license.

CT AG Successfully Uses HITECH Act to Settle HIPAA Breach

Taking advantage of a federal law passed last year, Connecticut’s Attorney General, Richard Blumenthal, announced yesterday a settlement with HMO Health Net that includes a corrective action plan, a $250,000 payment to the State of Connecticut (with an additional potential pot of $500,000), and increased credit monitoring and ID theft insurance for potential victims.  According to Blumenthal’s original lawsuit, Health Net lost, or had stolen, a disk drive last year containing sensitive information on 1.5 million persons – including 446,000 Connecticut residents.  The drive contained names, addresses, social security numbers, HIPAA-protected health information and financial information.

The underlying federal statute relied upon by Blumenthal in bringing suit against Health Net is Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).  The HITECH Act not only offers financial incentives to prod the use of electronic health records (EHR) but also greatly expands the protections afforded such information.  For example, it creates the first federal breach notification law.  Covered Entities and Business Associates that “access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose” unsecured protected health information must provide notice of a breach to the individuals whose information was affected.  See Sections 13402(a) and (b) of the HITECH Act.

In obtaining yesterday’s settlement, Blumenthal became the first Attorney General to take advantage of the HITECH Act’s grant of HIPAA enforcement jurisdiction to state Attorneys General.  It is entirely likely that other states will now jump on this bandwagon – especially those with AGs seeking higher political office.  In fact, last month AGs from across the country were scheduled to receive training on HIPAA compliance from Booz Allen Hamilton.

As for the Health Net settlement, the amounts paid to Connecticut are small compared to what has been spent to date dealing with the breach.  According to the settlement agreement, Health Net has already spent more than $7 million to investigate what happened to the disk drive, notify members, and provide credit monitoring and identity-theft insurance to those potentially impacted.  It is incidents like these that showcase the value of requiring strong indemnification language, backed by an equally strong requirement of data breach insurance coverage, from those firms managing or holding your patients’ or members’ sensitive medical information.

Business Method Patents Live on Another Day: Bilski Decided by SCOTUS

Today’s Bilski v. Kappos decision rejected the Federal Circuit’s test for determining patentable subject matter as a “knock out” test for business methods.  Had it been affirmed as the sole test, this Machine-or-Transformation Test would likely have rejected all business method patent applications.  As it stands, the United States is the only country that allows for business method patents.  After today’s United States Supreme Court decision, that remains the case.

In today’s decision, the Court ruled that “business methods” can be patentable if they meet the requirements set forth in longstanding precedent, notwithstanding the fact that they do not “recite a particular machine or apparatus, nor transform any article into a different state or thing.”  Although the Court ruled that the Machine-or-Transformation Test remains a helpful tool when resolving patentable subject matter questions, it should not be considered a “knock-out” test.

This is a huge win for financial institutions and software companies with strong patent portfolios — as well as those law firms who help build and protect those portfolios.

No Need to Pierce Corporate Veil Under NJ Consumer Fraud Act

A New Jersey Appellate Division panel ruled on June 23, 2010 that principals of a company can be found personally liable under New Jersey’s Consumer Fraud Act (CFA) even without the actual knowledge of alleged unlawful practices that would be needed to pierce the corporate veil.  As well, the court ruled that there was no need to prove intent before triggering the treble damages provisions of the statute.

The case involved a poorly constructed landscape project.  The lower court allowed the claims against the landscaping company to go to a jury because, in violation of CFA regulations, there was no written contract and the workers accepted final payment without obtaining permission from the plaintiffs after the construction plans were changed.   The claims against the principals of the defendant company were dismissed because the lower court found they did not directly participate in the project sufficient to pierce the corporate veil.

A jury found in favor of the plaintiffs and trebled damages to $490,000.  The plaintiffs appealed, seeking to have the principals pay the award.  The Appellate Division reversed the lower court’s decision and remanded to determine whether the principals had personally participated in either of the two regulatory violations.  In other words, there was no need to show culpable conduct sufficient to pierce the corporate veil, but there was a need to at least show that the principals participated in the conduct that gave rise to the regulatory violations.

This is a significant decision.  By way of the New Jersey CFA, it strips away the protections normally afforded directors and officers of a company.  The corporate immunity protecting principals of a company is usually only set aside for fraudulent conduct sufficient to pierce the corporate veil.  By allowing treble damages against principals without any such showing, this decision becomes yet another loud wake-up call for New Jersey private companies as to the benefits of Directors and Officers insurance.

Symantec Survey: SMBs Invest in Addressing Data Security Threats

In the recently published Symantec survey of 2,500 executives with responsibility for IT security – half from companies with fewer than 100 employees – cyber-attacks were ranked as the top business risk.  And, of those polled by Symantec, 74 percent said they were “somewhat or extremely concerned” about losing sensitive electronic data.  In fact, 42 percent had lost confidential or proprietary information at some point in the past, and 73 percent of the respondents were victims of cyber-attacks in the past year alone.

Addressing this challenge, SMBs are now spending an average of $51,000 a year, or about two-thirds of IT staff time, on “information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.”  This seems like a sound investment given that the average cost of a breach to these SMBs was $188,242.

All of this fear seems to be well placed given that 95 percent of security and compliance professionals recently polled by nCircle believe that data breaches have been increasing and will continue to increase in 2010.  Knowing what to do in the event of a data breach is not necessarily intuitive.

CyLab Survey: Corporate Protection of Digital Assets Not a Priority

The recently released Carnegie Mellon CyLab 2010 Corporate Governance survey confirms that there has been little change in senior management’s views towards data security – it’s not really a priority.  The CyLab annual survey, which measures board and management attitudes towards the protection of digital assets, is based upon responses from board members and senior executives at Fortune 1000 companies.  Given public filing requirements, you would think protection of digital and related intangible assets – which now comprise the bulk of a firm’s value – would be a top-of-mind issue.  It’s not.

When asked to identify their boards’ three top priorities, 98% of the respondents did not select “improving computer and data security.”  The respondents also indicated that their boards were not “actively addressing” IT operations or vendor management.  In essence, the privacy and security of data, whether held inside the company or at outside vendors, is receiving little oversight from management.

Interestingly, 65% of the respondents also indicated that their boards were not reviewing their companies’ insurance coverage for data risks, even though most standard policies offer little or no such coverage.  Standing alone, this approach may not be an example of sound business judgment given the availability of specific insurance policies able to cover the loss or destruction of digital assets.

It is not quite clear whether this survey is a real wake-up call or not.  The only thing for certain is that these attitudes are hardly what one would consider a best practice.  Sarbanes-Oxley Section 404 requires a “top down” audit of internal controls, which should provide some guidance on how digital assets are protected.  Indeed, under 15 U.S.C. § 7262(a), the Section 404 report must “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”  It is difficult to see how management can in good conscience sign off on these assessments while still maintaining that “improving computer and data security” is not a priority.

Notwithstanding how firms may perceive their Section 404 obligations, Google, Intel, Symantec and Northrop Grumman, recognizing the potential “materiality” of computer security failings, recently added new warnings to their SEC filings informing investors of such risk.  The fact that some companies have come forward to detail recent breaches and the possibility of future breaches should indicate to other companies the need to address this reporting issue more proactively.  And, once risk disclosures are publicly made, the next obvious step is to ensure that proper protections are in place to address the risk.  Reporting that is not coupled with affirmative preventive action is simply fodder for class action litigation the next time an event takes place.  What may be even worse is turning a blind eye to the entire problem.