Articles and Insights
Virginia Judge Requires Capital One to Produce Expert Report on Data Breach
Generally, any company that suffers a security breach is best served by retaining legal counsel to help deal with the legal fallout from the incident. And, usually, such counsel insists that service providers responding to the breach work at the direction of counsel, rather than the client company, to protect communications from disclosure in pre-litigation discovery. Courts have split on whether breach reports are discoverable in litigation and now the Eastern District of Virginia has again weighed in – again in favor of disclosure.
Here Are Five Coverage Traps for Cyber Claims
Recent invocations of the “war exclusion” to avoid liability for a massive wild virus have captured the cyber insurance community’s attention. But what other conditions and exclusions should policyholders consider in preparation for the next “big one”?
Our Top Five CCPA Landmines
California’s landmark Consumer Privacy Act goes into effect on January 1, 2020. We’ve identified the top five “landmines” that could trip up companies looking to comply.
The Expanded Definition of Personal Information
Document Your Approach to Information Security
Keeping Detailed Records of Requests Received and Responses
Documentation of your Methodology in Calculating the Value of Data
Pay Attention to the Privacy Notice
How Will Carriers React to a Cyber Attack by Iran?
By David Chavez, Attorney, CRISC | 1.8.2019
The killing of Iranian General Suleimani has generated speculation that Iran could respond with a cyber-attack. If that happens, expect that insurance claims filed as a result of damage from the attack will be denied by application of the war exclusion. Such denials would follow on the heels of a notable case filed against Zurich for its refusal to pay a property claim, in which Zurich invoked the war exclusion after damage caused by the notorious NotPetya virus.
Many observers are skeptical of Zurich’s position in that case. NotPetya is only one of the many viruses that have circled the globe, and Zurich’s denial is the most notable invocation of the war exclusion for a cyber-attack. Like its forebears, NotPetya has not been claimed by any organization or government claiming credit for the virus, including Russia. While evidence points to Russia, the Russian government has not taken credit. There is evidence however, that the virus began its global infection in the country of Ukraine which was, and still is, at war with Russia for Russia’s asserted annexation of Crimea.
But if a cyber-attack occurs and Iran is fingered as the culprit, denials by carriers invoking the war exclusion will be supported by a different set of facts from the Zurich case. Here are the reasons this one will be different:
AG Hearings on the CCPA to Be Held in December | By David Chavez, Attorney | 11.1.2019
The California Attorney General (AG) has set forth the rules governing compliance with the California Consumer Privacy Act (CCPA) and, starting on December 2d, will hold three hearings for public comment.
The rules and the hearings are of great interest to the InfoSec and privacy community because, while the law basically tells a business what it can and cannot do, it does not really go into detail on how to comply, with some exceptions. That exercise is left to the rule-making authority of the AG. may have some sizzle. I’ll report back after they’ve concluded.
California Consumer Privacy Act Part I | By David Chavez, Attorney | 8.5.2019
California’s new privacy law, the California Consumer Privacy Act (CCPA) which will launch in January 2020, is causing considerable grief among Risk Managers and Privacy Officers. The law’s 24 pages are filled with directives, proscriptions, exceptions, warnings, and, of course definitions (25 of them, in fact). The law won’t be in its final form until the end of the State’s legislative term in September, but preparation needs to start as soon as practicable for businesses that operate in California.
California Consumer Privacy Act Part II | By David Chavez, Attorney | 8.12.2019
California’s new privacy law, the California Consumer Privacy Act (CCPA) which will launch in January 2020, is causing considerable grief among Risk Managers and Privacy Officers. The law’s 24 pages are filled with directives, proscriptions, exceptions, warnings, and, of course definitions (25 of them, in fact). The law won’t be in its final form until the end of the State’s legislative term in September, but preparation needs to start as soon as practicable for businesses that operate in California.
Top 5 Cyber Security Lessons Learned from the Covid 19 Pandemic | By David Chavez, Attorney | 8.12.2019
Some of us have been worried about a virus of global significance for years now. But I expected it to be the electronic kind of virus, not the biological one. Nonetheless, there are plenty of similarities between the two. And because of those similarities, valuable lessons can be learned to prevent wholesale devastation to our daily lives.