The Development of the Privacy Practice Group
Tressler’s Privacy Practice Group developed in distinct phases over the last eight years. First, while working in insurance coverage it became clear that data storage and privacy issues would give rise to claims that would not be covered as bodily injury, property damage or advertising injury under commercial general liability policies and may not constitute a peril under a traditional property insurance policy. Initially, there were not many cyber claims and insurers were paying most claims tendered under cyber policies. During this time, the Privacy Practice Group was able to gain valuable experience by shifting its focus from insurers and working with small governments and school districts on data retention and storage issues.
Next, by the time insurers needed assistance on cyber issues, Tressler’s Privacy Practice Group had the unique experience in responding to privacy issues and insurance coverage expertise. Early on, the Privacy Practice Group’s insurer clients requested assistance in policy drafting. As cyber policies became more widely available, insurers relied on Tressler’s Privacy Practice Group to assist in responding to insureds’ cyber incidents. During this time, Tressler’s Privacy Practice Group developed a network of forensic and notification vendors and public relations specialists to assist in incident response. While working on insurers’ panels, Tressler’s Privacy Practice Group assisted on a number of matters in government, health care, manufacturing and financial institutions. At this point, Tressler’s Privacy Practice Group has responded to cyber incidents involving everything from sophisticated data breaches to basic phishing incidents and ransomware.
Over the last year, insurers have increasingly called upon Tressler’s Privacy Practice Group to monitor responses to cyber incidents by other law firms. In this capacity, Tressler’s Privacy Practice Group has reviewed coverage issues, legal expenses, forensic responses, notification costs and public relations. Additionally, Tressler’s Privacy Practice Group has worked with brokers to serve their clients in a variety of industries that have had a cyber incident but may not have obtained cyber insurance. This work will be on the decline as more of their clients are expected to obtain cyber insurance.
Tressler’s Privacy Practice Group serves Tressler’s clients in the following manner:
State and federal laws require “Data Collectors” to notify individuals that have information exposed in a breach. To date, breaches range from large scale cyber attacks to small incidents caused by negligent employees. We have been able to use lower cost paralegal and associate attorneys to review the incidents and prepare notification letters.
Insurance Claims Monitoring
Cyber insurance is one of the few areas in the insurance industry that has seen significant growth over the last few years. Consequently, we have seen exponential growth in insurance coverage questions in the last two years. These questions range from whether an incident triggers coverage under a cyber policy to whether an insured’s response to an incident was reasonable under the policy.
The Illinois Personal Information Protection Act (“PIPA”) requires Data Collectors to take “reasonable measures” to protect data. There is no clear guidance as to what constitutes “reasonable measures.” Our Practice Group offers employee/staff training which, coupled with proper technological safeguards, may be considered “reasonable measures” under PIPA. This training is targeted for corporate and government clients.
Tressler's Privacy Practice Group runs a popular blog, the Privacy Risk Report, providing insight into the latest privacy, cyber and technology news.