Ping Service
Feedback Forms

Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades.

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers have to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008) Read the rest of this entry »

Righthaven’s Ba-aaaaack….but its Aim Falls Short

It seems Righthaven hasn’t been able to catch a break since my December 2010 post. Righthaven LLC is a copyright holding company founded in early 2010, which acquires newspaper content from its partner newspapers after finding that the content has been copied to online sites without permission, in order to engage in litigation against the site owners for copyright infringement.

Just last week, in a suit filed against Democratic Underground (“D.U.”), Righthaven sought damages because D.U. used four paragraphs of a 34 paragraph Las Vegas Review Journal article (recall that the Journal and its contents belong to Stephens Media). The post included a link to the full article, as well as citing the Journal.

U.S. District Court Judge Roger Hunt dismissed the lawsuit, holding that a “copyright owner [here, Stephens Media] could not assign a bare right to sue.” In addition, the court came down hard on Righthaven because it failed to advise, as required by law, that Stephens Media had a pecuniary interest in the lawsuits (Righthaven and Stephens Media were sharing the profits received from these lawsuits). Judge Hunt seemed disgusted with Righthaven’s behavior and gave Righthaven two weeks “to show cause … why [Righthaven] should not be sanctioned for this flagrant misrepresentation to the court.” Judge Hunt accused Righthaven of trying to “manufacture standing” in all of its cases. (Click here for the Court’s full decision.) Read the rest of this entry »

Credit Monitoring vs. Identity Monitoring

Today, data breaches are a frequent occurrence. Often with the disclosure of each breach comes an announcement of credit report monitoring for affected individuals for a certain time period. So what does credit monitoring really provide? Identity protection, peace of mind or simply customer goodwill?

Credit report monitoring is the checking of one’s credit history in order to detect suspicious activity or changes. Companies that provide credit monitoring typically will alert the individual to activity tied to his or her social security number, such as credit inquiries, delinquencies, negative information, employment changes and new accounts. So why does credit monitoring fail to provide identity theft protection?

1. First, individuals can receive a free credit report on an annual basis. The three credit reporting agencies, Equifax, Experian and TransUnion, have set up the following internet website, through which individuals can request free copies of their annual credit reports: https://www.annualcreditreport.com/cra/index.jsp.

2. Secondly, criminals will wait at least one year and one day in the brokering or use of stolen data if the company that sustained the privacy breach offers one year credit monitoring.

3. Third, credit monitoring primarily serves to alert, after the fact, the opening of new accounts. In turn, it typically does not warn the individual of changes with their existing credit. Hence, to the extent the persons’ current credit ratings have been adversely affected by the malicious acts of a third-party, they may go unreported and be unknown to the person whose credit has been impacted.

4. Fourth and most importantly, credit monitoring fails to protect against the malevolent conduct listed below, as outlined by the non-profit Identity Theft Resource Center:

Read the rest of this entry »