Engima Forensics CEO & President Lee Neubecker and Tressler, LLP, Cyber Insurance Coverage Attorney Todd Rowe sit down for a video discussion. These experts stress the importance of understanding the full scope of your data risk in case of a cyber attack. Both agree cyber attacks are getting more and more sophisticated and urge every company no matter the size to take the necessary steps to protect themselves before a date breach occurs. Prepare your company by working with computer forensics experts and legal counsel and create a game plan to lessen the potential threat posed by a cyber attack. Tune in to find out more about cyber insurance and maximizing your potential for coverage when a cyber attack strikes.
The transcript on Cyber Insurance Coverage follows:
Lee Neubecker: Hello, today I have Todd Rowe on the show. Todd is a specialist in cyber insurance related litigation and data breach litigation Todd, thanks for being on the show.
Todd Rowe: No, thank you, this is great. I appreciate it.
Lee Neubecker: And so, Todd, can you tell us a little bit about how cyber has evolved over the last five years?
Todd Rowe: It’s wide open, I mean, we’ve seen everything. First, I think, when we look at the threats, and the evolution of a cyber threat or a privacy threat, we’ve seen things from the classic data breach, which would have been the target data breaches move into more of a social engineering component and tricking users that way, by emails and things like that. Getting around the technology safeguards a little bit and getting in there and tricking people is the biggest development I think we’ve seen in the evolution of threats.
Lee Neubecker: And, how has coverage evolved for cyber insurance over the last five years?
Todd Rowe: Yeah, I mean, we’ve seen huge leaps in insurance coverage and what the policies look like and what we would call cyber policies. We’ve seen the developments first in what would be considered first party insurance coverage, which would be actually responding to the damage that happens. And then, the third party liability piece, responding and giving a defense in the case of an incident. While we’ve seen a lot of developments, I think, with cyber insurance, we still don’t see the uniform policy language. So, there’s still a lot of uncertainty there, but we’ve seen some big developments recently.
Lee Neubecker: So, when a company suspects that they have a data breach incident, what’s your first role on the ground, talking with the client in terms of what you’re advising them?
Todd Rowe: Yeah, all things being equal, we would have loved to have been in there before there was an incident. Preparation is always the best scenario, and what preparation should look like is a corporation or a business working with forensics and legal and getting a game plan together, assessing what those threats might be, and what to do if there are those threats. But, afterward, hopefully you have the game plan. If you don’t, it’s pretty much all boots on ground, getting in there with forensics and legal, and understanding what the threat was, and making sure that the threat is extinguished, and moving on and notifying people that were involved in the threat.
Lee Neubecker: I know from experience that companies that take the time to proactively assemble their team before something happens, and bring in legal, forensics, and outside help, are often in a much better situation when something goes down. They face less downtime, their business can be back up and running. I think the biggest challenge I’ve seen is when companies have no idea what is legitimately their, what their devices are, because when you’re trying to assess are we still compromised, you need to know what good looks like. And if you haven’t mapped out your organization’s IT resources, that really creates a problem.
Todd Rowe: From our point, there’s always been, it’s been a tough sell to go in and try to get in before there’s an incident. A lot of corporations don’t want to think about something until it actually happens. But, the sort of, the wisdom in getting in there beforehand is getting that game plan together, figuring out what data you’re storing and what data you can get rid of. And so, the more data you can get rid of, the better you do on cutting down your liability in the end. Also, working on technology safeguards and having those in place. So, working with forensics, legal, and even PR a little bit really helps in the long run, no doubt about it.
Lee Neubecker: So, if you have cyber insurance, does that mean that you don’t have to worry about a cyber incident?
Todd Rowe: The thought right now, I think, and it has been for a number of years, is an incident’s going to happen, and it just, you need to go in and do things to prep. And while we were discussing earlier, the preparation that you need to do to get sort of an inventory, cyber insurance is another piece of that preparation that needs to be in place. Once again, working with professionals, insurance professionals, brokers, forensics, legal, on what that cyber product that best suits your needs, is the best situation to have that in place once something happens. It will happen, it’s just a matter of having all the right pieces in place when it does happen.
Lee Neubecker: So, if a company has, is storing biometric information, which could even include video cam footage of a certain resolution, what are some of the unique challenges that are raised by some of the laws here in Illinois and elsewhere?
Todd Rowe: Really, being in Illinois is, and I don’t want to use a cliche, but is on the cutting edge of biometric data. And we have BIPA, which is the Biometric Information Protection Act. And what that does is it protects a lot of things like face scans, and finger and thumbprint templates. And, I think one of the biggest issues we see is recently, now BIPA’s been around for 10 years or so, it’s been around for a long time. But we’re seeing a huge uptick in BIPA cases right now, because a number of businesses went in and put in timekeeping systems for their employees that work on thumb and finger scans rather than the old punch card systems. So, the law didn’t change, but the technology did, and so now, there was warnings that should have been put in place before you take that biometric data with those systems. So, they put the systems in, and they didn’t necessarily have the law in place. That’s a perfect scenario where we could’ve had forensics and legal all working together beforehand to avoid a lot of liability, so.
Lee Neubecker: So, what do you see happening in the future with the insurance coverage laws? Especially, you know, one of the concerns I have is, you know, there’s this act of war exclusion, and if you have cyber insurance and you’re hacked by someone outside of the country, what happens there, is that covered?
Todd Rowe: It depends, really, on the policy form. So, we’ve seen, once again, Illinois is on the cutting edge of that law as well. A lot of insurance policies, CGL, commercial liability policies, and even some cyber policies to some extent, have terrorism or war exclusions, excluding acts of war. And that was fine when we were looking at Pearl Harbor, perhaps, or something like a real act of war where a government might declare war on a country, and some damage that results of that would be an act of war. But, with privacy and hackers, and hackers sitting in nation states, but maybe not being an agent of that nation state. So, the case that we have right now that gives a good example of this is a Zurich case, insurance case with Mondelez, they’re a snack food maker. And, Zurich denied coverage, and it looks like the hacker may have come from perhaps China or North Korea. So, what do you do with that, as far as, if you’re going to exclude coverage for that, nobody’s declared war on any of those countries, so that’s going to be a struggle. And I think that demonstrates some of the strengths and weaknesses of cyber coverage right now, as it stands.
Lee Neubecker: And, what do you see happening, what’s the likelihood that the federal government stops in, steps up to the plate should a major data breach happen that could be considered an act of war?
Todd Rowe: Yeah, I mean, well first off, the government brings up another point, as far as right now as it stands, privacy and data laws, we just have a patchwork of things here in the U.S. Of course, there’s frameworks that have been adopted in, for example, the E.U. with GDPR, and we don’t really have that in the U.S. So, we first don’t really have a clear idea of who would do the response in the government. Would it be the Federal Trade Commission, or who would handle that type of situation? So, we have a lot of state laws, so we have a lot of problems like that. And, we have California, which is adopting some stronger guidelines as well. So, what would happen there as far, it’s going to be really left to ironing things out with the insurers and the insurance. Once again, what a great opportunity to sort of look at this issue before an incident happens. You really wouldn’t want to get into this complex of an issue when you’re trying to respond to an incident. So, another reason is, to go and prep a little bit, would be exactly what we’re discussing right now.
Lee Neubecker: Yeah, I know from experience that clients of ours that have had data breach incidents, if they’re working with someone that’s experienced litigation professional in the area of cyber and insurance, the likelihood that, you know, my firm’s fees get covered goes way up, and there are, there’s a potential for coverage of that forensic response. But ideally, you want to have your own team. You want to be picking your team. You don’t want the insurance companies assigning your people, if you can avoid it.
Todd Rowe: Yeah, a lot of insurers do have panels, and there are a lot of insurers that prefer that, because they don’t know where to go. So, that actually, if there’s an incident, that helps out. But, the best scenarios, and we’ve been involved in a lot of responses, and the best scenario is when we’ve had an opportunity to sit down, and maybe you and I talk, the forensic side of things and the legal side of things, and figuring out exactly how we can cooperate and what that response would look like. So, absolutely, if you can sit down and chat beforehand, you’re going to really save yourself a lot of stress and pressure.
Lee Neubecker: Well, thanks a bunch Todd, for being on the show. This has been great.
Todd Rowe: Absolutely, thank you so much, I appreciate it.
More articles that relate to data breach response and cyber insurance coverage follow: