So, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In its 2009 10-K, released in late February, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. This revelation, contained in the “risk” section of Intel’s 10-K was intended to comply with U.S. Securities and Exchange Commission mandates which require public companies to disclose risks which could cause them to fall short of their profitability projections.

While Intel listed several such risks, the most intriguing was the one which stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google.”

While such disclosed risks may or may not have an impact on a stock’s trading price, the potential impact can not be ignored. Google (GOOG) is a perfect example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development can not be understated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. As of the date of this publication, April 25, Google’s shares are trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyberbreach can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brands’ reputation all the way to claims arising from the theft of consumer’s personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) lead TJX to settle with regulators, states, consumers and others and set a settlement/remediation reserve of over $100 million. At the same time, other well-known companies like Adobe, Juniper Networks and Rackspace have been hacked and had their information and technology compromised.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.

A man and a lion were arguing about who was best, each one seeking evidence in support of his claim. They came to a tombstone on which a man was shown in the act of strangling a lion, and the man offered this picture as evidence. The lion replied, “It was a man who painted this; if a lion had painted it, you would instead see a lion strangling a man. But let’s look at some real evidence instead.” The lion then brought the man to the amphitheater and showed him so he could see with his own eyes just how a lion strangles a man. The lion then concluded, “A pretty picture is not proof: Facts are the only real evidence!”

The moral of the story has indeed changed since the times of Aesop, at least in today’s courtroom. Social networking websites such as Facebook, MySpace, and Twitter invite attorneys and their clients into a lion’s den of pictures and postings, creating a haven for evidentiary consequences that can be unexpected obstacles if attorneys are unprepared to counter them.

INTRODUCTION

With claims such as “Facebook is a great place to keep in touch with friends,” “Using Twitter is going to change the way you [stay] in touch,” and “MySpace lets you meet your friends’ friends,” social networking websites are, admittedly, enticing. This article surveys recent evidentiary issues involving these sites across multiple practice areas and counsels how to avoid some of the adverse rulings discussed herein.

Read the rest of this entry »

Please join us for HB Litigation Conference’s NetDiligence® Cyber Risk & Privacy Liability Forum in Philadelphia on June 7-8. Over 40 industry experts are set to speak and, to date, representatives of 50 companies have registered. I’ll be speaking on “Are You Covered When Hackers Get Through?”

You’ll learn everything you need to know about cyber risk and privacy liability and earn 6-8 CLE credits, while enjoying sophisticated networking opportunities. The conference will take place at The Union League on Broad Street, conveniently located so you can train to/from the event. HB’s announcement, a complete agenda, a faculty listing, and registration information is available at http://litigationconferences.com/?p=11598, by calling 484-324-2755, or by emailing at info@litigationconferences.com. Hope you can join us!

WHOIS databases often contain valuable information including the contact information for a registrant of a domain name. Although private registrations are increasingly more popular, and hide the name and location of a registrant, such private registration services nonetheless are required to provide an e-mail address for a registrant, which effectively allows the public to correspond with a registrant.

Rather than choosing to utilize a private registration service, some registrants choose instead to provide false WHOIS information in an effort to mask their true identity and to prevent consumers from contacting them. However, all accredited registrars have agreed with ICANN (Internet Corporation for Assigned Names and Numbers) to obtain contact information from registrants, to provide it publicly by a WHOIS service, and to take reasonable steps to investigate and correct any reported inaccuracies in contact information for domain names registered through them.

Many registrars have provided mechanisms for the reporting cases of invalid WHOIS information, which are then investigated by the registrar, and updated with valid information in appropriate cases. The registrar GoDaddy.com, for example, provides a form for reporting invalid WHOIS information at the following web address:

http://who.godaddy.com/ReportInvalidWhois.aspx?k=FV7XH2u6rpuEgY6i18fBGg==&domain=choruss.com&prog_id=godaddy

Consumers who are initially unsuccessful in submitting invalid WHOIS notifications directly to a registrar, may also try submitting such notifications through ICANN as well at the following web address:

http://wdprs.internic.net/