Cyber Liability & Technology Law

Cybersecurity Insurance: Circuit Courts Weigh in on Insurers’ Liability for an Insured’s Losses Stemming from a Data Breach


Takeaway: When a cybersecurity-related incident occurs, an insured should not automatically assume that a standard commercial general liability (CGL) policy issued by an insurer will cover its losses, because CGL policies generally afford coverage for losses resulting from bodily injury and property damage. An insured’s cybersecurity losses can encompass much more, such as losses arising from a data breach involving the confidential or personal information of a client or customer, i.e., third parties who fall outside the scope of an insured’s traditional CGL policy. Therefore, to ensure cyber coverage exists in the wake of a cyber incident, an insured should make certain that potential cyber-related losses fall within the “four corners” of the underlying insurance policy in order to secure a defense and, more importantly, coverage from the insurer.

Key Point: In determining whether there is a duty to defend, a court must follow the “Eight Corners” Rule and look at the “four corners” of the complaint and the “four corners” of the underlying insurance policies.[1] In other words, an insurer is obligated to defend its insured if the factual allegations of the complaint, on its face, encompass an injury that is actually or potentially within the scope of the policy.[2]

Discussion: Recently, an increasing number of legal battles over whether losses related to cybersecurity incidents are covered by an insured’s policy have tested the applicability of the underlying policy. For example, an Eleventh Circuit panel addressed whether a “computer fraud” policy issued by Great American Insurance Company to Interactive Communications International, Inc. and HI Technology Corp. (together, “InComm”) excluded coverage for losses involving fraud.[3] InComm sold “chits” – each of which had a specific monetary value – to consumers, who could then “redeem” them by loading their value onto a debit card.[4] Between November 2013 and May 2014, InComm lost $11.4 million when fraudsters exploited a glitch in InComm’s computerized interactive-telephone system that enabled them to redeem chits multiple times, with each duplicate redemption of an already-redeemed chit defrauding InComm of the chit’s value.[5]

Labeling Devices for Cybersecurity Protection


Takeaway: Security labels on internet-connected devices are on the horizon for companies that manufacture and want to sell such devices worldwide.

Last week, the White House National Security Council announced plans for a consumer products cybersecurity labeling program aimed at improving digital safeguards on internet-connected devices. On October 19, 2022, 50 representatives from different industries, including tech, consumer products, and manufacturing, convened to discuss the cybersecurity labeling program, which is planned to launch in the spring of 2023. In conjunction with its announcement, the White House also released a fact sheet outlining various cybersecurity initiatives. In its fact sheet, the White House recommends three or four cybersecurity standards that manufacturers can use as the basis for labels that communicate the risks of using internet-connected devices. Additionally, the administration is working with the European Union to align the standards of the EU Cybersecurity Act with those of the cybersecurity labeling program. The White House envisions that products with cybersecurity labels will be sold globally.

The idea is for the standards under consideration to rate products based on how often manufacturers deploy patches for software vulnerabilities or whether a device connects to the internet without a password. The White House hopes this program will incentivize companies to invest in cybersecurity, because they will be rewarded for participating in the program while customers are provided with safer products. Part of the process will involve the National Institute of Standards and Technology creating labels according to the specifications of a product. The initial stage of the program includes the creation of barcode-style labels on products that consumers can scan with their phones for updated security details. The remaining stages will be released as the White House continues to develop the program.

Protecting connected devices has been an ongoing issue for some time now. Companies should stay alert as the White House releases more information in the coming year.

Uncharted waters: The University of Pittsburgh’s football team forays into newly available name, image and likeness opportunities


I. University of Pittsburgh’s Handling of the NIL Change

The University of Pittsburgh (Pitt) has taken a progressive stance on its Name, Image, and Likeness (NIL) policy, choosing to assist its student-athletes rather than hinder them in pursuit of these newfound opportunities. The recent change in the NCAA’s stance on student-athlete compensation has given players the opportunity for personal financial gain and the ability to partner with charities.

“As it relates to providing our student-athletes with the most extraordinary experience at Pitt, our goal is to be progressive, innovative and helpful in every aspect of their student-athlete experience and the world of name, image and likeness is no different…We look forward to helping our student-athletes learn more about this topic and build a transparent relationship with them and their families so we can assist in their efforts or aspirations to maximize compensation and opportunities involving their name, image and likeness,”[1] said Heather Lyke, Pitt’s Athletic Director.

One of Pitt boosters’ first major forays into NIL came in the form of a traditional NIL collective, Alliance 412. Per NCAA guidance, Alliance 412 seeks to support all Pitt athletics without a formal relationship with the University itself. Instead, the collective hopes to connect Pitt student-athletes with businesses and strategic partners while maintaining transparency and compliance.[2]

On Aug. 10, 2021, the Steel City NIL Club began operation through a partnership with YOKE. This organization offers a unique approach for members of Pitt’s football team to engage in a variety of NIL opportunities. In contrast to Alliance 412, which engages in more traditional NIL deals, the Steel City NIL Club is a more direct revenue stream for the players. The YOKE platform creates a paywalled community granting paying members special access to the participating players in the form of Q&As and exclusive player-created content.[3] The profits from these memberships are then split evenly among the participating players.

Pietragallo Welcomes Three New Associates


Pietragallo Gordon Alfano Bosick & Raspanti, LLP is pleased to announce the addition of three new associates to the firm’s Pittsburgh and Philadelphia offices.

Michael O. Bethune joins our Commercial Litigation team in our Pittsburgh Office. Michael was a law clerk at a regional law firm that specialized in personal injury, legal malpractice, and employment litigation cases. He also served as an extern for the Honorable Helena Barch-Kuchta of the U.S. District Court, Eastern District of California. He is a graduate of Duquesne University School of Law.

Megan E. Young joins our Employment & Labor team in our Philadelphia Office. Megan completed an externship in the City of Philadelphia’s Law Department, where she handled many aspects of the litigation process, including initial responsive pleadings, written discovery, depositions, pre-trial motions, municipal court, and arbitration hearings. She also spent time at a public healthcare technology company. Megan is a graduate of Temple University Beasley School of Law.

Harrison Zelt joins our Litigation and Cybersecurity & Privacy teams in our Pittsburgh Office. Harrison spent time as a law clerk at several large, nationally leading law firms, where he assisted in various aspects of case research and client interviews in different areas, including healthcare, commercial litigation, workers’ compensation, personal injury, class action, and employment litigation. He is a graduate of Duquesne University School of Law.

About Pietragallo

Pietragallo Gordon Alfano Bosick & Raspanti, LLP is a multi-disciplined business and litigation law firm headquartered in Pittsburgh and Philadelphia with six offices throughout Pennsylvania, Florida, Ohio, and West Virginia, from which we are able to serve our clients in all 50 states and the District of Columbia.

CISA Announces New Binding Operational Directive to Manage Federal Civilian Agency Threats


Takeaway: The latest directive from CISA will enhance federal agencies’ ability to identify vulnerabilities in their networks in order to prevent and respond to cybersecurity incidents.

On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) announced Binding Operational Directive (BOD) 23-01, entitled Improving Asset Visibility and Vulnerability Detection on Federal Networks.[1] The aim of BOD 23-01 is “to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”[2] A binding operational directive is a compulsory direction to executive branch departments and agencies for the purpose of safeguarding federal information and information systems.[3] BOD 23-01 applies to any agency operating as a Federal Civilian Executive Branch (FCEB) agency, such as the Department of Justice, the Department of Education, and the Department of Health and Human Services.[4] The directive also applies to any entity acting on behalf of an FCEB agency that “collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”[5]

BOD 23-01 focuses on (1) asset discovery, i.e., identifying which IP-addressable assets reside on an agency’s networks and detecting their associated IP addresses, and (2) vulnerability enumeration, i.e., detecting and reporting vulnerabilities on those assets, such as outdated software or missing updates. The directive lists mandatory actions and reporting requirements that FCEB agencies must implement by April 3, 2023. For example, each FCEB agency must perform automated asset discovery every 7 days. FCEB agencies have discretion in determining the method and technology used to complete this task, but BOD 23-01 requires that the discovery cover, at a minimum, the agency’s entire IPv4 space. Additionally, each agency must initiate vulnerability enumeration every 14 days.

All FCEB agencies must initiate the collection and reporting of performance data within 6 months of the publication of BOD 23-01 in order to allow CISA to automate oversight and monitoring. Collectively, these actions enhance an agency’s ability to automatically detect vulnerabilities and prevent exploitation of weaknesses in its networks.

Requirements of Cybersecurity Expert Testimony in the Third Circuit


Takeaway: In many data breach cases, a cybersecurity expert may evaluate whether the company’s security measures were reasonable and appropriate or, alternatively, whether the company lacked the requisite technology to detect a breach. In some circumstances, however, a party’s proposed expert may be challenged on the basis of unfair prejudice. Yet, under the Third Circuit’s “generally liberal standard of qualifying experts,” such a challenge was recently overcome by a party whose expert had advanced IT credentials and 20+ years of relevant professional experience, and who offered an opinion with probative evidentiary value that outweighed any danger of unfair prejudice.

Key Points: Rule 702 of the Federal Rules of Evidence sets forth the standards for admissible expert testimony. As explained by the Third Circuit Court of Appeals: “Rule 702 has three major requirements: (1) the proffered witness must be an expert, i.e., must be qualified; (2) the expert must testify about matters requiring scientific, technical or specialized knowledge [, i.e., reliability]; and (3) the expert’s testimony must assist the trier of fact [, i.e., fit].”[1]

Regarding the first requirement, qualification, the Third Circuit has stated that it has “a generally liberal standard of qualifying experts.”[2] “Rule 702 requires the witness to have ‘specialized knowledge’ regarding the area of testimony. The basis of this specialized knowledge can be practical experience as well as academic training and credentials.”[3]

When addressing the second requirement, reliability, the Third Circuit has derived from the seminal case of Daubert the following non-exclusive factors for determining reliability: “(1) whether a method consists of a testable hypothesis; (2) whether the method has been subject to peer review; (3) the known or potential rate of error; (4) the existence and maintenance of standards controlling the technique’s operation; (5) whether the method is generally accepted; (6) the relationship of the technique to methods which have been established to be reliable; (7) the qualifications of the expert witness testifying based on the methodology; and (8) the non-judicial uses to which the method has been put.”[4]

Bad Actors Continue to Exploit Log4Shell Vulnerabilities


Takeaway: CISA and CGYBER recommend that all organizations that did not immediately apply available patches assume Log4Shell compromise and initiate threat hunting activities.

In December 2021, the world was held hostage by hackers who found certain vulnerabilities in the Log4j library, collectively known as Log4Shell, and exploited them. As part of this exploitation, suspected advanced threat actors implanted loader malware on compromised systems with embedded directives enabling remote command and control. One confirmed compromise showed that these actors were able to infiltrate a disaster recovery network and collect sensitive data. Cybersecurity agencies and governmental policy bodies acted immediately against these threats and released patches and Malware Analysis Reports MAR-10382580-1 and MAR-10382254-1 detailing workarounds. But the threat was omnipresent.

The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGYBER) recently released a warning in July to network defenders that cyber threat actors continue to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to infiltrate organizations that failed to apply patches. Organizations are encouraged to read MAR-10382254-1, which provides examples of malware samples, including indicators of compromise (IOCs) and detection signatures.

What organizations must do now is:

Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions.

If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.

Minimize the internet-facing attack surface by hosting essential services in a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.

For the full article and specific examples of Log4Shell threat events, go to:

* This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher.

Decoding the Recent Apple Security Updates


Takeaway: The recent vulnerabilities in Apple software have exemplified the importance of patch management and of keeping devices up to date with the latest operating systems and software in order to protect the security of devices.

The recent data breach reported by Apple, Inc. (“Apple”) has once again brought global attention to privacy threats caused by security flaws and vulnerabilities.[1] On Wednesday, August 17, 2022, Apple released two emergency updates in response to a zero-day threat, i.e., an attack that targets a previously unknown security vulnerability. The updates affected the following products: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation),” as well as Safari and Mac computers running macOS Monterey.[2] Given that there are over 1.5 billion active Apple products in use worldwide, the vulnerability had potentially significant reach.[3]

The vulnerabilities have the following CVE-IDs: CVE-2022-32893 and CVE-2022-32894. The aim of the Common Vulnerabilities and Exposures (CVE) program is to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.”[4] Publishing consistent descriptions of security vulnerabilities allows organizations around the world to coordinate their efforts to prioritize and respond to the vulnerabilities, which maintains the integrity of devices and systems.[5] CVE is sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

Apple described the fix as follows: an “out-of-bounds write issue was addressed with improved bounds checking.”[6] This means that an attacker could write data before the beginning or after the end of the intended buffer, which can cause a crash, corruption of data, or code execution.[7] The issue was addressed by procedures meant to catch such errors and protect the integrity of operations by ensuring that certain variables are within the bounds of an array before use.

23 Pietragallo Lawyers Named in 2023 The Best Lawyers in America and Ones to Watch


Pietragallo Gordon Alfano Bosick & Raspanti, LLP is pleased to announce that 23 lawyers have been named to 2023 The Best Lawyers in America and 2023 Ones to Watch, including Tama Beth Kudman, who was recognized as 2023 Lawyer of the Year in West Palm Beach for Criminal Defense: White-Collar. Best Lawyers employs a sophisticated, conscientious, rational, and transparent survey process designed to elicit meaningful and substantive evaluations of the quality of legal services. Recognition by Best Lawyers is based entirely on peer review.

The following were chosen as The Best Lawyers in America:
Gaetan Alfano
Pamela Coyle Brecht
Phillip R. Earnest
Mark Gordon
James W. Kraus
Tama Beth Kudman – Lawyer of the Year
James F. Marrion
Shelly R. Pagac
Richard J. Parks
William Pietragallo, II
Francis E. Pipak, Jr.
Kevin E. Raphael
Marc Stephen Raspanti
Douglas K. Rosenblum
Eric G. Soller
Clem C. Trischler
Peter St. Tienne Wolff

The following were chosen as The Best Lawyers in America: Ones to Watch:
Lee K. Goldfarb
John Kettering
Alexander M. Owens
Stephen F. Raiola
Mark T. Sottile
Frank H. Stoy

About Pietragallo

Pietragallo Gordon Alfano Bosick & Raspanti, LLP is a multi-disciplined business and litigation law firm headquartered in Pittsburgh and Philadelphia with six offices throughout Pennsylvania, Florida, Ohio, and West Virginia, from which we are able to serve our clients in all 50 states and the District of Columbia.

What Practices Should a Small Vendor Consider When Applying for Cyber Insurance


Takeaway: As cybersecurity risk increases, large enterprises and government agencies are increasingly requiring smaller vendor companies to obtain cyber insurance to help manage the risk of a data breach. To prepare for an annual cybersecurity insurance renewal or initial application, consider the following practices, which could help address the risks most concerning to an insurer.

Although cybersecurity risk is a persistent concern for lawmakers and regulators, a national regulatory standard in the United States does not appear imminent. If, however, your company has applied for cybersecurity insurance recently, the application process may have seemed like a compliance audit. Cybersecurity insurance questionnaires, as complex as they have become, usually inquire about common practices that most businesses should feel confident investing in and implementing. For the most part, the cybersecurity practices desired by insurance underwriters – in the ever-changing world of cyber risk management – are the same as, or similar in nature to, the administrative and technical safeguards required under various state and federal security standards. To prepare for an annual cybersecurity insurance renewal or initial application, consider the following practices, which could help address the risks most concerning to an insurer and, perhaps, even reduce the insurance premium.

Implement a Written Information Security Policy (WISP) and Incident Response Plan (IRP) – The objective of a WISP is to guide the implementation of the proper technical, administrative, and physical safeguards needed to protect an organization’s data. An IRP helps reduce the impact of a breach by creating a structured and systematic plan of response in the event of an incident affecting an organization’s systems, network, or data, including any data held by outside vendors or service providers. The IRP will also govern contingency plans such as encrypted backups of your IT systems and data.

Password Management and Multi-Factor Authentication (MFA) – Anyone accessing a system, network, or data should be asked to provide multiple methods of validating their identity.

News & Events

Related News

Pietragallo earns the ACBA ALLY Certification
November 29, 2022
On November 10, 2022, Pietragallo was a part of the Allegheny County Bar Association’s first graduating class of the ALLY Initiative Cohort.
Pietragallo Adds Cybersecurity Lawyer Martin T. Shepherd
October 7, 2021
Martin T. Shepherd, a well-known and respected litigation lawyer, has joined Pietragallo Gordon Alfano Bosick & Raspanti, LLP in the firm’s Commercial Litigation team and as head of the firm’s Diversity Initiative.

Upcoming Events

Eric Soller to moderate 33rd Annual Academy of Trial Lawyers Federal Court Program
December 16, 2022
On Friday, December 16, 2022, Pietragallo partner Eric Soller will moderate the 33rd Annual Academy of Trial Lawyers Federal Court Program.
Tama Beth Kudman to present at National Association of Criminal Defense Lawyers’ Advanced Criminal Law Seminar
January 23, 2023
Pietragallo partner Tama Beth Kudman will be presenting at the National Association of Criminal Defense Lawyers’ (NACDL) Advanced Criminal Law Seminar.