Registration and Continental Breakfast

Co-Chairs’ Welcoming Remarks

The Politics and Policy of Cyber Security: Examining Agency Agendas and Enforcement Initiatives Relative to Breach and Disruption

• Examining coordination between state and federal agencies for addressing and combating cyber attacks and data breaches
• Anticipating federal national breach notification laws and the resulting state law pre-emption challenges
• Analyzing the proposed NAIC model cyber security legislation
  • Examining the controversy over the proposed requirement that insurers report breaches to the Commissioner of Insurance of the state where individuals have been affected
• Interpreting the impact of proposed federal legislation allowing businesses to fight hackers and “hack back” without any legal implications
• Preparing for and responding to state and federal agencies’ security assessments
  • Reviewing security assessments from a cost-benefit analysis in light of different findings from various agencies
• Identifying the type of breaches agencies are targeting
• Assessing agency breach priorities
• Exploring the latest fines and penalties from state and federal agencies regarding incidents of breach
• Understanding what causes regulators to bring enforcement actions
• Taking the appropriate steps to avoid regulatory enforcement actions

Morning Coffee Break

HOT TOPICS IN DATA BREACH & CYBER SECURITY

Case Study
Too Big to Breach: Lessons in Privacy Protection and Security from the Cyber Breach of A Major Credit Bureau

News of the recent data breach of a major credit bureau has caused quite a stir in the cyber security community. This breach’s threat to half of the U.S. population’s personal and protected information is shocking enough. However, privacy and security stakeholders are questioning what consequences have yet to emerge from this event. The implications are far reaching and highlight the need for stronger cyber security and protection of data.

While this session will focus on this incident of a major credit bureau’s security breach of protected data, the lessons learned from this incident are also applicable to other industries. This session will provide an analysis of potential new cyber coverage options as well as D&O liabilities that might ensue as a result of this incident. Points of discussion will include:

• Examining the recent wave of data breaches relative to credit bureaus and the industries they service
• Identifying the new threats to personal information, including social security numbers and driver’s license numbers and resulting liabilities
• Exploring new types of cyber coverage options
• Analyzing potential D&O litigation

GDPR: Preparing for Privacy Controls in International Business Dealings

• Evaluating the effects on privacy when the GDPR is implemented in May 2018
• Determining the effect of the GDPR on US companies doing business in the EU
  • Tracking citizens through IP addresses, geolocation, biometrics, and email addresses
  • Analyzing web traffic
• Examining the scope of cyber coverages and whether it will cover fines and penalties from failing to adhere to the GDPR
• Incorporating privacy protection both by design and default into your data protection plan

Analyzing the Growth of Biometric Data Collection and Resolving Related Privacy Breach Concerns

In 2008, Illinois was one of the first states to pass a stringent law called the Biometric Information Privacy Act (BIPA). BIPA prohibited companies from taking biometric information such as iris scans, fingerprints, or facial recognition without consent. A recent surge of lawsuits throughout the country alleges that companies and employers have taken biometric information without proper consent. In this session, the speakers will explore the new wave of privacy litigation and strategies to manage it.

Topics of discussion will include:

• Interpreting recent case law on biometric litigation
• Exploring the latest wave of cases brought by Plaintiffs firms
• Analyzing BIPA and cases specific to Illinois regarding the collection of information
• Reviewing cases where companies take consumer information without their consent for cyber use
• Determining whether BIPA is violated where employees take fingerprint scans of employees when they arrive to “punch in” their time card at work
• Developing strategies for managing defenses and limiting liability

Networking Luncheon

Exploring the Cyber Threat of Social Engineering

The recent wave of phishing attacks promulgated by email scams has exposed the vulnerabilities and weaknesses of the information super highway. The email scam risk is now a global threat as UK hospitals and other entities abroad have been targeted. These threats, whether they are from sanctioned countries or fraudulent hackers within the United States, are wreaking havoc on the Web. Anyone with personal or protected information is affected on some level or another. This session will explore the new wave of social engineering and the catastrophic nature of its risks.

Topics of discussion will include:

• Exploring the new wave of social engineering threats, both in the U.S. and abroad
• Training employees to better understand the risk when opening a link or a demand for transfer of funds
• Implementing tighter internal controls within the company to avoid attacks
• Raising awareness of risk to policyholders who are the most affected (law firms, CPA’s, realtors, etc.)
• Recognizing the gaps in cyber policies for social engineering

Afternoon Refreshment Break

Cyber Stress Test for the Internet of Things: Identifying Vulnerabilities, Assessing Threats, and Mitigating Liabilities

• Examining the surge of the internet of things and its impact on exposing cyber security weaknesses
• Exploring the growing use of wearable cyber products that keep track of healthcare data and other personal information
• Identifying the cyber security threats to appliances, thermostats, baby monitors, refrigerators, and other smart devices for the home
• Evaluating the industrial internet of things and the threat of cyber-attacks to energy companies and other critical infrastructure
• Assessing liabilities related to these categories and the whole Internet of Things
• Identifying coverage options, if any, and the related risks

Managing Cyber Liability Claims and Related Class Action Litigation

• Identifying the latest plaintiff’s theories and laws advanced in cyber liability findings
• Using recent cases and class action claims to assess breaches and determining the value of resulting claims
• Assessing class action trends following Spokeo and reviewing recent court decisions
• Developing cases based on negligence in cyber liability litigation
  • Assessing third party damage
  • Developing a standard of review
• Data breach litigation involving statutes that cover privacy concerns including FDCPA and TCPA
  • Determining whether plaintiffs have suffered any harm
  • Assessing statutory penalties
• Analyzing recent cookie litigation in California and exploring claims companies improperly flagged cookies and tracked data inappropriately

Exploring the Link Between Cyber Risk, Data Breach and D&O Liability

• Raising more attention to D&O litigation after the result of some major data breaches and security risks
• Understanding the due diligence required to protect consumer information
• Examining the wave of plaintiffs, firms encroaching into the D&O litigation space for data breaches
• Reviewing D&O litigation as a result of data breaches from the perspective of the board of directors and shareholders

Conference Adjourns to Day 2

Continental Breakfast

Co-Chairs’ Recap of Day 1

FOCUS ON COVERAGE AND INSURANCE

Developing Strategies and Devising Coverages to Combat Ransomware Threats

• Understanding the newest risk in ransomware attacks
• Addressing system failures and inability to access computers and data
  • Assessing system failures from the vendor perspective
  • Building and testing proper business continuity
• Exploring the method of demanding ransom in the form of bitcoins
• Utilizing blockchain technology to trace ransom attacks
• Re-drafting cyber policies and tightening exclusions in cyber policies after the surge in ransomware attacks
• Analyzing kidnapping and ransomware coverage to include ransomware attacks and the resulting litigation that follows
• Retaining the appropriate forensic experts to identify the vulnerabilities and strengthen the weaknesses in an internal system
• Implementing risk management and better training for employees to reduce cyber attacks, phishing emails, viruses, and other data breaches

Cyber Coverages for Property Damage, Bodily Injury, and Crime: Assessing the Gaps, Exclusions, and Policy Options

• Examining coverage options, exclusions, or limitations for property and bodily damage
  • Evaluating the need for more connectivity between policies
• Providing clarifications on cyber-crime coverage involving loss of money and securities
• Educating policyholders of the awareness of risk
• Addressing concerns for manufacturers and critical infrastructure elative to claims for damages outside of the scope of what cyber policies cover
• Assessing options for insurers pairing with reinsurers to offer property and bodily injury coverages for large facilities
• Analyzing the St. Paul case on whether personal injury can be covered in a CGL policy
• Examining case law on crime policies including the InComm case
  • Identifying the circumstances where the crime policy would be triggered
  • Explaining the surge of business email compromises cases and how it does/does not fit under a crime policy

Morning Coffee Break

Business Interruption Coverages and Contingencies in Cyber Policies

• Broadening triggers for business interruption claims
• Identifying the differences between cyber coverage for business interruption claims vs. business interruption for property damage
  • Examining how policies are triggered
• Understanding what carriers are willing to cover for business interruption claims
  • Determining the factors underwriters are looking for when underwriting business interruption
• Analyzing the recent surge in contingent business interruption claims
  • Evaluating third party risks, resulting claims coverage, and underwriting challenges
• Realizing the need for more data and modeling to interpret risks for business interruption/contingent business interruption

Special Considerations for Sourcing Cyber Policies for the Small to Middle Market

• Pricing and selling cyber policies for the small to middle market
• Examining underwriting considerations for the small to middle market
• Understanding the lack of data which results in the difficulty to price policies
• Comparing existing coverages in the market
• Closing in on the gaps in coverage for the small to middle market
• Analyzing the claims in the small to middle market to better understand pricing models

Cyber Aggregation: Assessing Exposure for Multiple Insureds and Third Parties

• Understanding the potential for a single cause of loss impacting many policies within a company’s portfolio
• Assessing exposure for risk when several insureds are attacked
• Managing third parties and evaluating whether cyber coverage is necessary
• Evaluating hold harmless agreements
• Examining aggregation from the underwriting perspective
• Handling claims when multiple insureds and vendors are affected

Conference Ends; Lunch for Speakers and Attendees Registered for Post-Conference Workshop