The Posts have Come Back… To Cyberinquirer


Since last we visited, your humble Publisher has moved on to the Law Offices of Richard J. Bortnick, where I am Managing Director (very European, if I do say so myself). A number of dedicated readers and friends (you know who you are) have asked what had become of me and why my old email address was no longer effective.

The answer my friend  (apologies to Peter, Paul and Mary) is the Law Offices of Richard J. Bortnick. At the risk of having this viewed as attorney advertising, I will stop there other than to say I also will be signing as a free agent with a Consulting Firm to be named later (but not much later).

So, please feel free to contact me if you want to catch up, engage in intellectual banter (with the exception of Philadelphia sports, where the banter will all be negative) or have some worthwhile humor you’d like to pass along (although it can’t be as good as the material I get from my good friend Jeff). My new email address is rjbortnick@comcast.net (at least for the short term… stay tuned on that too).

It’s good to be back. And thanks for all of your kind wishes.

Rick

Cyber Liability Insurance: Ensuring Adequate Coverage in the Age of E-Commerce

I. Introduction: Insurance Products for Cyber Risks

Increasing reports of cyber intrusions, data theft and computer system malfunctions have led a rapidly-growing number of companies to purchase insurance coverage to protect themselves from technology and cyber privacy risks. Indeed, as our technology-driven economy continues to evolve and businesses become more reliant on electronic communication and data storage, they are developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. As such, prospective policyholders are becoming more cognizant of the necessity for insurance covering such growing exposures.

It’s Time for Professionals to Practice What They Preach

The following column appeared in the September 2012 issue of the Advisen Cyber Journal. I hope it resonates with our legal eagle subscribers. If not, then your brokers (and I) have more work to do.

Cheers.

Rick

Lawyers typically fancy themselves as the smartest people in the room. Many certainly have the largest egos in the room. But when it comes to keeping their own houses in order? Well, not so much. It’s akin to the shoemaker whose children go barefoot.

The same flaw appears to apply with equal force and effect with respect to accountants. And consultants. And, perhaps most incredibly, insurance brokers.

Perhaps you’ve figured out where I’m going with this. But in case you haven’t, here’s what I’m getting at. Counter-intuitive as it may seem, anecdotal reporting from a number of underwriters I’ve spoken with suggests that intelligent, thoughtful, (sometimes) rational people who bill others hundreds of dollars an hour or make sizable commissions for dispensing professional advice do not abide by their own wisdom and don’t buy cyber/technology/privacy (“CTP”) insurance.

First Circuit Court of Appeals Holds Bank’s Online Security Measures “Commercially Unreasonable” in Landmark Decision

The following article was co-written with my colleague Gary Klinger for a Cozen O’Connor client Alert. Gary turned it around in one day. Then I got it… Hence the delay.

Please let us know if you would like to be added to the Alert e-blast list and receive articles on a variety of cutting-edge professional liability and general liability topics.  Also, be sure to see the Dark Knight Rises. The ending was perfect.

Rick

In a landmark decision, the First Circuit Court of Appeals held in Patco Construction Company, Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012) that People’s United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 which had been stolen from PATCO’s bank account. In so doing, the Court reversed the decision of the United States District Court for the District of Maine which had granted summary judgment in the bank’s favor.

The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO.  While the bank’s security system flagged each one of the transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, the bank’s security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not “commercially reasonable” under the Uniform Commercial Code, as codified under Maine Law.

Cyberstalkers Beware: You’re Not Anonymous

A quick Google search will reveal thousands or hundreds of thousands of hits for the term cyberstalking. Indeed, as of today, there are over 900,000 posts where the word is used. Perhaps not surprisingly, many of the listings involve teen cyberbullying and child protection issues. There are also large numbers of celebrities who are cyberstalked or otherwise harassed. Beyond juveniles and celebrities, the most frequently stalked demographic is 18-32 year old females, a cohort to which some of our own bloggers (and co-publishers) belong. Curiously, reports indicate that more and more women are also the cyberstalkers, not just the victims. Anecdotal stories suggest many of these women are married but unhappy with their lives.

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

The following article first appeared in the December 2011 issue of the PLUS Journal. A special shout out to my co-author and colleague Abby Sher for her invaluable assistance.
Rick

Introduction: Insurance Products for Cyber Risks

Recent media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Insurers: Assert Your Subrogation Rights

The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).

Rick

It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, its development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.

At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.

Will SEC Guidance Awaken Private Companies To Cyber Insurance Needs?

The following article was first published in Advisen’s inaugural Cyber Liability Journal (here) as my first regular column. The second Journal was published today and is available from Advisen at http://corner.advisen.com/journals.html (here). I will republish my second column in the coming days.

Rick

Many who underwrite or broker insurance, or practice law in the cyber/technology/privacy (“CTP”) realm migrated to this emerging area from the directors and officers liability regime. At the same time, it did not take a crystal ball to recognize that it was only a matter of time before CTP and D&O found a commonality.  And that time is now.

Virtually every public and private company is reliant on computer networks and electronic data. It’s a way of life in the 21st Century. And there’s no going back. Yet with reliance comes risk. It seems we read about significant CTP breaches involving large, multinational companies almost on a weekly basis.  CTP breaches have become a well-recognized risk of doing business.  Estimates project that over 10 percent of us already have been hacked or had their identities stolen. I am among them.

The Implications of a Cyberattack on Your Securities Portfolio: You May Want to Read Your Holdings’ 10-Ks

So, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In the “Risks” section of its 2009 10-K, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. Kudos to Intel for making this disclosure, which predated the October 2011 publication of the SEC Guidance addressing public companies’ cyber risks and exposures (discussed here and elsewhere, including in the March 2012 edition of the Advisen Cyber Journal. Please feel free to contact me for details on how to obtain this must-read issue and subscribe. Advisen has done a masterful job, as it does with all of its publications). As will be discussed in my next post, a significant number of public companies still have not complied with their cyber risk and cyber exposure reporting “obligations” under the SEC Guidance.

As to Intel, the subject 10-K listed several noteworthy risks. The most intriguing stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.”

The adverse economic impact of a cyber-related disclosure is not theoretical, either. Indeed, in the immediate wake of the News Corp./News of the World cell phone hacking scandal in mid-2011, News Corp’s market cap reportedly fell by over 15%, valued at approximately $7 billion, in less than a week. Not surprisingly, News Corp was sued shortly thereafter in a series of securities fraud class actions, which remain pending.

While cyber risks and exposures may or may not have an impact on a stock’s trading price, their potential impact can not be ignored. Google (GOOG) is another example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development can not be understated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. By April 25, 2010 Google’s shares were trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyber event can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brand’s reputation (remember News of the World? After 168 years of tremendous success globally, it ceased publishing on July 10, 2011 as a direct result of the hacking scandal), all the way to claims arising from the theft of consumers’ personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) led TJX to settle with regulators, states, consumers and others and set a settlement/remediation reserve of over $100 million.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.

What Underwriters Don’t Know Can Cost Them…Dearly

The occurrence and frequency of cyber breaches are not as transparent as one might expect. Or hope, for that matter. To the contrary, the FBI’s chief cyber crimes investigator recently admitted that “thousands” of cyber crimes have gone unreported due to companies’ fears about the impact of adverse publicity on their reputations and bottom lines.

According to Shawn Henry, assistant director of the FBI’s Cyber Division, hackers regularly access computer security systems and steal millions of dollars and credit card numbers without such incidents ever being publicly reported.  Indeed, Mr. Henry has acknowledged that “[o]f the thousands of cases that we’ve investigated, the public knows about a handful…There are million-dollar cases that nobody knows about.”

And the problem is not limited to Fortune 500 and other large companies such as TJX and Heartland, which have voluntarily disclosed cyber intrusions.  Indeed, the incidence of cyber attacks on such companies is growing marginally or even shrinking, as these entities implement more complex security systems.  The more frequent target has become medium-sized and small companies which do not have the resources or perhaps the ability or interest to enhance their cyber protections.  The same goes for private citizens whose personal wealth and, equally troublesome, personal secrets may be at risk as their personally identifiable information is wrongfully retrieved and then used to access their bank and other investment accounts.  Needless to say, no one wants to admit they’ve been hit or that their resources have been stolen.  The stigma alone is a major deterrent to such public disclosures. (“Hey Joe… guess what… I was just robbed of $10 million!! And, they learned that I’ve been cheating on my spouse for the past ten years… How about that!!!”).

For cyber insurers, a prospective policyholder’s unwillingness to disclose such intrusions can be a major problem, both from an underwriting and claims perspective.  As always, the key is proper detailed due diligence up-front.  Underwriters can not take for granted that they would or should know about an intrusion at a potential account.  They must ask the right questions, require the proper warranties, and “pull back the curtain” to ensure that the risks they take on are just that – risks – rather than cyber intrusions waiting to happen.  “Penny-wise, pound foolish” is particularly apt.  Spend the time and money to vet your proposed accounts.  The cost of a claim or related coverage litigation will dwarf the expense of a thorough underwriting investigation.  Unlike the availability of insurance, that is a guarantee.

The Dos and Don’ts of Navigating The Cloud: A Business Guide For Cloud Computing

Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet.  Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.

The cloud’s economic benefits are clear.  Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.

Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:

A Must Attend Event for European Readers: Advisen’s Cyber Liability Insights Conference

I strongly encourage our many European readers to attend the upcoming Advisen Cyber Liability Insights Conference to be held on 13 March at The Willis Building in the City. The inaugural Cyber Insights Conference which Advisen presented in NYC in October was a smashing success and the program planners are expecting an  equally respectable turnout in London.

Our friends at Advisen have recruited thought leaders from across the European cyber and technology industries (and a certain U.S. lawyer/blogger) to discuss a myriad of topics of interest to underwriters, brokers and risk managers alike. Speakers include luminaries such as Paul Bantick of Beazley, Stephen Boddington of Chartis, Robert Bond of Speechly Bircham, Dan Trueman of ANV, Chris Cotterell of Safeonline, Emily Freeman of Lockton, Simon Milner of JLT Specialty, Joe Trotti and Jeremy Smith of Willis, Tony Dearsley of Kroll Ontrack, Stewart Room of Field Fisher Waterhouse, Andrew Horrocks of Clydes, yours truly, and a host of others.

 Among other cutting-edge topics, we will discuss Privacy and Data Security Regulation, Coverages and Coverage Issues, CyberSecurity Disclosures and Exposures, and Data Breach Responses and Strategies.

Equally important, the program is priced at a level that firms and companies will find extremely attractive. And did I mention that there is no cost at all for Risk Managers to attend?

For program and registration information, please visit https://www.signup4.net/Public/ap.aspx?EID=CYBE21E. Or, feel free to drop me a line at rbortnick@cozen.com.

I look forward to seeing everyone there!

Join Us At The Upcoming PLUS Northwest Chapter Cyber Workshop

We’re only two weeks away from the season’s premier cyber education event: The PLUS Northwest Chapter & IIABKC Cyber Workshop, to be held on December 7 (a date which will live in infamy), 2011 at the Washington Athletic Club in downtown Seattle. This will be my first trip to Seattle, so I’m really looking forward to it, as well as to meeting those of you who attend. The panel is entitled Emerging Issues Surrounding Cyber Privacy and Security Risk and will run for a full three hours (with a corresponding 3 Washington state CE credits), from 1.30 PM to 4.30 PM, to be followed by the always popular cocktail reception. The cost to attend is dirt cheap, given the panelists and topic, as it’s $40 for PLUS members and $60 for non-members.

So, you’re wondering, who are the panelists? Well, PLUS Northwest has assembled a crackerjack lineup of the following special guest speakers:

David Molitano, Vice President/Division Manager, Content Technology & Services at OneBeacon Professional Insurance; Kimberly Horn, Claims Manager for Technology, Media and Business Services at Beazley Group; and Karl Peterson, Senior Vice President, E&O and eRisk Product Team at Willis Executive Risks Practice.

You’ll only get this quality of presenter at the PLUS Northwest Chapter event. Don’t be fooled by pretenders or others promoting cyber conferences with lesser lights. This is THE cyber event to attend. And the post-workshop cocktail reception is an added bonus.

Please feel free to contact PLUS or me if you have any questions or would like further details about the Workshop. We look forward to seeing you there! And, in particular, meeting with you afterwards. Plus (no pun intended), for Cyberinquirer subscribers only, the first cocktail is on me. Just flip an email and let me know you’re coming.

Rick

Cyberinquirer Named As One of LexisNexis’s Top Insurance Blogs of 2011

With the help of our readers, Cyberinquirer has again been named as one of LexisNexis’s Top Insurance blogs of 2011. We are obviously flattered, particularly in view of the quality of the other blogs selected to this august list. It shows that people are reading what we have to say. And that, perhaps, they are interested in what we have to say. We sure hope that to be the case. We love thinking, reading and talking about tech, privacy and cyber related issues (yeah, admittedly we’re geeks). And we hope that you, our readers, gain from our insights, even if you don’t always agree with them.

So now that we’ve been recognized by LexisNexis for the second straight period, maybe some of you, our readers, will be more comfortable authoring a piece we can post. Remember, this blog is open to all relevant, responsible submissions, be they articles, commentaries, or just comments on something we have said that strikes a chord. If you’ve got something to say that may be of interest to others in the community, email it to me at rbortnick@cozen.com and I will get back with you promptly. We strive to publish fresh, interesting content on a regular basis, but it’s not always easy, as we do maintain law practices. And have other commitments. So flip your authored pieces. We’d actually appreciate it.

Needless to say, we couldn’t have done this on our own. So the honor is not just for us, but for you too. Thanks.

The Hospitality Industry Revisited: Does Your Company Have Proper Coverage?

In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.

And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not out of the clear. And, things may be getting worse as  the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).

Securities Law and Cyber Disclosures… Perfect Together…Especially for Cyber and Tech Underwriters and Brokers. And Me

It’s not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director of a company that does not “comply” with the DCF’s “recommendations.”

Asia-Pacific Cyber Law Risks and Developments

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders.  While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions.  The Asia-Pacific region typifies such a lack of uniformity.  At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 

75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months.  Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined.  Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009.  See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).  Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program.  Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.   

Underwriters and Their Policyholders Agree: Less Is More When It Comes to Crisis Management Expenses

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…

At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.

The Insurance Law Community’s Top 50 Insurance Blogs for 2011 – Please Vote for Cyberinquirer

We are pleased to announce that Cyberinquirer is among the group of initial nominees for the Top Insurance Law Blogs of 2011!

Each year, LexisNexis honors a select group of blogs that set the online standard for a given industry. And, as we write this, LexisNexis is in the process of selecting the Top 50 Blogs for the LexisNexis Insurance Law Community. The selection will be based on LexisNexis’s review of various insurance law-related sites as well as comments from its members. And here’s where the shameless plug for Cyberinquirer comes in…

In order to vote for Cyberinquirer (and for those of you who will, thanks in advance for doing so!), you will need to be a registered LexisNexis Community member and be logged in. If you have not registered previously, follow this link to create a new registration or use the sign-in credentials from your favorite social media site. Registration is free. Once you have logged in, scroll to the very bottom of the page. Then add a comment in the box to vote for Cyberinquirer. That’s all there is to it! Please note that voting ends on October 7, 2011.

And, thanks again for supporting us and our geeky hobby.

John Keohane Remembered

We at Cyberinquirer will be taking a break this weekend. I am heading to NYC for a memorial in honor of our dear friend John Keohane, who perished that awful day at the age of 41. Many of you may have known John from his days with CIGNA, ACE and Zurich. He is still missed by his colleagues, friends and family and always will be. What a tragedy.

Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat.  While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades. 

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers having to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions.  While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise. 

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008)

Cyber Crime and Securities Fraud Litigation: The Next Wave?

Following the publication of our original post on the implications of a cyber attack on investors’ securities portfolios (see here), we have been asked by scores of readers whether securities fraud litigation arising from cyber crime has ensued. Not surprisingly, the answer is “yes.”

Indeed, we have located at least two such cases, one a putative securities fraud class action against a payment processing company and the second an SEC initiated action against a private investor. The results may (or may not) surprise you, depending on your perspective of trial courts’ levels of judicial activism and willingness to render substantive decisions at early stages of litigation.

 In re: Heartland Payment Systems, No. 09-1043 (D.N.J. Dec. 07, 2009) remains the paradigm for such litigation. To facilitate its payment processing services, Heartland Payment Systems (“Heartland”) stored millions of credit and debit card numbers on its internal computer network. In December 2007, hackers launched a Structured Query Language Attack (“SQL attack”) on Heartland’s payroll management system. To its credit, Heartland was able to successfully avert the attack before any personally identifiable information was stolen. At the same time, however, the company failed to detect malicious software (“malware”) which had been placed on the network by the SQL attack.  The malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers.  Heartland did not discover the breach until January 2009, at which time it notified government authorities and publicly disclosed the event.  Over the course of the following month, Heartland’s stock price dropped over $15 per share. Perhaps not surprisingly, shareholder class actions ensued.

In their complaint, plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. Specifically, plaintiffs claimed that the defendants concealed the SQL attack and misrepresented the general state of Heartland’s data security.  Plaintiffs further alleged that the defendants’ conduct was fraudulent because they were aware that Heartland’s network had been breached, yet they had not fully remedied the problem

Upcoming HB/NetDiligence Cyber Security Conference, June 9-10, 2011

I am proud to be a Co-Chair of the 2nd Annual NetDiligence Cyber Risk & Privacy Liability Forum which will take place June 9-10, 2011, at the historic Philadelphia Union League. Last year’s program was a huge success and the program planners are expecting the turnout to be even bigger this year.

NetDiligence and HB Conferences have teamed up to pull together thought leaders in the cyber/privacy industry to address the most urgent subjects. The program is fully accredited for continuing education and is priced at a level firms and companies will find attractive.

Over the course of a day and a half, we will present 45 industry-leading experts. I will help moderate the Conference, together with my Co-Chairs, Oliver Brew of Hiscox USA, Toby Merrill of ACE Professional Risk and Meredith Schnur of Wells Fargo Insurance Services USA. Also featured will be a keynote address by Jeffrey L. Seglin, nationally syndicated columnist of The Right Thing and author of The Right Thing: Conscience, Profit and Personal Responsibility in Today’s Business.

 For program and registration information, go to http://litigationconferences.com/?p=17865. I look forward to seeing you there!


Want to Receive Cyberinquirer by Email? It’s Easy! Here’s How.

Are you a Member of the Cyberinquirer community? If so, do you receive the Cyberinquirer RSS feeds by email?

We’ve received reports from a number of Cyberinquirer Members lamenting that they do not receive the Cyberinquirer feeds and do not know when a new article is posted. If you’d like to receive these notifications, you need to sign up in the “Subscribe” box to the right of this post. Joining as a Member, while laudable, isn’t enough if you want the feeds.

As to those of you who read our blog but haven’t signed up as a Member, well, what are you waiting for? Please join us and feel free to publish constructive substantive comments in the Members’ Forum or with respect to a particular posting. Or, even better, submit your own cyber articles for publication. The more people who get involved, the better for all of us. This is a community blog, not just Pamela’s and mine. Let’s make good use of it! To those of you who already participate, thank you kindly and cheers.

Rick


Concurrent CGL and E&O Coverage for “Spyware?” Yes, Says the Eighth Circuit

On July 23, 2010, the United States Court of Appeals for the Eighth Circuit issued an important decision in Eyeblaster, Inc. v. Federal Ins. Co., 2010, U.S. App. LEXIS 15152, No. Civ. A. 08-3640, finding concurrent coverage under both a General Liability (“CGL”) insurance policy and a separate Information and Network Technology Errors and Omissions Liability (“E&O”) policy in circumstances where an online marketing company installed software on a consumer’s computer system, allegedly corrupting the computer’s software operating system.

Eyeblaster Inc. (“Eyeblaster”), the policyholder, is a company that creates, delivers and manages online interactive advertising. For the period December 5, 2006, to December 5, 2007, it was insured under two concurrent policies issued by Federal Insurance Company (“Federal”): (1) a CGL policy covering occurrences which cause damage to tangible property, and (2) an E&O policy which covered claims for financial loss caused by a wrongful act in connection with a product’s failure to perform its intended function or serve its intended purpose, resulting in damage to intangible property. As to the latter policy, intangible property included software, data and other electronic information. Both policies were “duty to defend” forms.


The White House’s “Progress” Report on Cybersecurity: There’s A Long Road Ahead

Lest one question the severity of the evolving challenges in our rapidly growing cyber world, President Obama has crystallized it succinctly: (1) “cyber threat is one of the most serious economic and national security challenges we face as a nation;” and (2) “America’s economic prosperity in the 21st century will depend on cybersecurity.” In other words, President Obama has declared cybersecurity to be a national security priority.

While that’s obviously good news, the follow-up question is “how are we doing in meeting the associated demands?” Regrettably, not so well, it seems.

Speaking before cybersecurity and privacy experts from government, law enforcement, the private sector, academia and privacy and civil liberties groups, President Obama, Homeland Security Secretary Janet Napolitano, Commerce Secretary Gary Locke, Cyber Coordinator Howard Schmidt and other Administration officials uniformly acknowledged that far more work needs to be done to protect digital communications and information infrastructure and make it more difficult and costly for cybercriminals.


Immigration Enforcement’s New Target: Counterfeit Movies and Shows

Apparently feeling that they’ve resolved the longstanding issue of illegal immigration and can move on to the next crisis, Immigration and Customs Enforcement (“ICE”) and the U.S. Justice Department have identified a new enemy in their ongoing struggle to protect truth, justice and the American way: Internet sites that sell counterfeit goods and pirated movies.

Indeed, just this month, government officials announced that they have shut down nine websites as part of their newly announced initiative, “Operation In Our Sites,” which is intended to protect Hollywood’s intellectual property. Officials estimated that nearly 7 million pirated movies and shows per month were downloaded from the offending websites.

The announcement was held on a soundstage at The Walt Disney Studios in Burbank, CA. Neither Johnny Depp nor Captain Hook reportedly was present.


Credit Card Hackers’ Favorite Target…Hotels.

We’ve all heard the story of the clerk at the local gas station who was double-swiping credit cards in order to make fraudulent copies. Online banking, restaurants, clothing retailers…every industry is potentially a target. Yet the industry that was the subject of more credit card thefts than any other sector in 2009?  Hotels.

To the point, SpiderLabs (an affiliate of Trustwave, a data-security consulting firm) has published a study which reports that 38% of the credit card hacking events in 2009 involved the hospitality industry.  Over one-third of all thefts of credit card numbers occurred at hotels. Much to my surprise, given the wealth of reporting on the subject, the financial services industry lagged well behind at a comparatively minor 19%. Retail followed at 14.2% while restaurants and bars were fourth at 13%.

I guess I shouldn’t have been surprised, though, as my own credit card number was stolen several years back while I was staying at a business travelers’ hotel in New York City. I had gone to the City for a Cinco de Mayo event sponsored by a major international insurer. Several days later, I received a call from my credit card company asking if I had bought gasoline on Long Island or a $5000 television at a big box retailer. While I do buy gasoline, I hadn’t been on Long Island. And while I certainly would have loved a $5000 television (or, for economy’s sake, something less pricey), I hadn’t bought that either. The conclusion was simple: my credit card number had been stolen when I used it at the New York hotel.

So, why hotels? According to security analysts, they’re generally easy targets. The large chain hotels may employ sophisticated security technology or other protections. Or they may not. In either case, how about smaller or privately owned, non-chain hotels? The next time you check into a hotel, ask what security methods they use to protect credit card information. You probably won’t like the answer. The credit card number that you provide at check-in may sit in a folder or a file maintained right at the front desk. Who would prevent someone from simply lifting the file? Especially in the middle of the night. The single desk clerk on overnight duty?


Cyberinquirer Nominated As One of the Top 50 Insurance Blogs for 2009

We are pleased to announce that Cyberinquirer has been nominated by LexisNexis’s Insurance Law Community Staff as one of the Top 50 Insurance Blogs for 2009. According to the LexisNexis site, “When [LexisNexis] considers a blog for membership in ILC’s annual Top 50, we look for frequent posts, timely topics, and quality writing. Only the best may gain admission. Our readers have come to expect nothing less, and we wouldn’t have it any other way.”

The comment period for nominations closes on July 9. Once the nominees have been set, LexisNexis will open a voting period of undisclosed length.  Needless to say, Pamela and I are thrilled to have been considered, and we hope we continue to meet the standard described by LexisNexis’s assessment of the Top 50 Blogs.  One of our important aims is to promote recognition of the enhanced exposures and liabilities inherent in a technological society and the role of cyber/tech insurance products.  Again, thank you to our readers and members for your support!


A Can’t Miss Event: HB Litigation Conference’s NetDiligence® Cyber Risk & Privacy Liability Forum

Please join us for HB Litigation Conference’s NetDiligence® Cyber Risk & Privacy Liability Forum in Philadelphia on June 7-8. Over 40 industry experts are set to speak and, to date, representatives of 50 companies have registered. I’ll be speaking on “Are You Covered When Hackers Get Through?”

You’ll learn everything you need to know about cyber risk and privacy liability and earn 6-8 CLE credits, while enjoying sophisticated networking opportunities. The conference will take place at The Union League on Broad Street, conveniently located so you can train to/from the event. HB’s announcement, a complete agenda, a faculty listing, and registration information are available at http://litigationconferences.com/?p=11598, by calling 484-324-2755, or by emailing at info@litigationconferences.com. Hope you can join us!


Wake Up and Smell the Threats: Two Recent Examples of Why Municipalities Need Cyber Insurance

Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.

Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. It’s 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post No One is Immune. Even Government Entities Need Cyber/Tech Insurance?

Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.


Does The World Need A U.N. Sponsored Cyber Peace Treaty? One Diplomat Emphatically Says Yes… As the U.S. Gears Up For A Cyberwar

As the cyber war of words heats up between the U.S. and China, the rest of the world is taking notice….and proposing action.

Most recently, the head of the United Nations’ communication and technology agency, Secretary General Hamadoun Toure of the International Telecommunications Union, proposed a treaty whereby member countries agree not to precipitate a cyber attack against other member countries. “The framework would look like a peace treaty before a war,” he is reported to have said.

Secretary Toure’s proposal follows a series of concerns expressed at last month’s World Economic Forum in Davos-Klosters, Switzerland, including a harsh warning that cyber attacks could amount to a declaration of war. According to Secretary Toure, “[a] cyber war would be worse than a tsunami – a catastrophe.” Because of the potential devastating consequences of a cyber war, the Secretary strongly recommended that countries agree not to harbor cyber criminals and “commit themselves not to attack another.” Of course, nothing is quite as simple as that. For example, John Negroponte, the former director of U.S. intelligence, cautioned that intelligence agencies would “express reservations” about such a treaty. Given the breadth and scope of China’s, Russia’s and other countries’ intelligence operations and their reported limits on information disclosures, Mr. Negroponte’s remarks likely would be echoed by other nations.


Our Resident Facebook Expert Speaks


Pamela Pengelley, our resident expert on Facebook, is now internationally recognized for her expertise. 

Most recently, Pamela was quoted in an article published by Law 360 entitled “Poking Around Facebook Could Win Your Case.” According to Pamela, “‘Lawyers are realizing [Facebook] is a gold mine of information…it’s pretty much standard that you subpoena Facebook when you get a personal injury action. It’s not a substitute for having a private investigator, but people will put up incriminating photos online without realizing that there can be consequences in a lawsuit.’”

Pamela further observed that Facebook is “most effective in lawsuits where plaintiffs are claiming an injury, such as when their health or ability to work has allegedly been impaired”.

Kudos to Pamela. Where will her sage words of wisdom appear next?


Cyber/Tech Underwriters Build Their Portfolios…As Corporate Executives Fret

The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.

A January 29, 2010 study commissioned by McAfee, Inc and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.

The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.

The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more. With additional attacks to come. Of most concern, perhaps, over half of those surveyed regard the U.S., China and Russia as the three most vulnerable countries.

The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.

This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.


The Globalization of Cyber/Tech Risks and the Implications for Worldwide Insurance Coverage

As recognized below in Pamela’s post discussing whether the loss of computer data is “property damage” in the eye of tort law, the issues surrounding cyber/tech/privacy liability and the attendant insurance coverages are not the exclusive province of the United States or U.S. courts.

To the contrary, virtually every country worldwide is increasingly faced with the problem of having to deal with the hard social and legal issues presented by a rapidly evolving cyber world.  So too, policyholders and the insurers who typically grant worldwide coverage under their policies must recognize that the risks faced are not exclusive to the U.S. or our Canadian cousins. The risks are global in nature and policyholders and insurers alike need to stay current with what’s happening outside our cocoon of the Western Hemisphere.

I am certain every reader is aware of the socio-political dispute whereby Google has threatened to withdraw from China amid claims that the Chinese government has hacked into Google’s and other third-parties’ databases, spied on Google email accounts, and tightened blocks on tens of thousands of internet sites, including Facebook, Twitter and YouTube. U.S. Secretary of State Hillary Clinton has spoken on the subject, advocating that companies such as Google refuse to support “politically motivated censorship.” Secretary Clinton also accused China, Tunisia and Uzbekistan of boosting censorship and called on Beijing to investigate the recent cyber attacks on Google and others. (On a side note, just last week, Europe’s principal security and human rights watchdog accused Turkey of blocking 3700 internet sites for “arbitrary and political reasons.”).


Cloud Computing: What Every Underwriter Should Know. And Why They Should Care. Now. Today. This Minute.

Emailing. Instant messaging. Texting. On-line gaming. Ten years ago, even five years ago, such words and concepts were alien to the typical luddite. Now, these terms are not just parts of the common parlance; a vast majority of us actually use these resources on a daily basis (in some cases, with our children’s guidance and assistance).

Consider, then, the relatively new concept of “cloud computing.” In lay terms, cloud computing is the on-line or internet-based use of a third-party vendor’s or service provider’s off-site (and hopefully secure) servers for data storage and/or management. Hotmail, Facebook, LinkedIn, YouTube and Google all use cloud computing to serve their members, often at no cost. At the same time, there are a growing number of vendors (like Apple) which “host” or “back-up” at-home and business computer systems by storing a consumer’s data or facilitating their use of cost-effective business solutions for a monthly or annual fee. Users typically do not have to incur fixed costs or purchase hardware or even software programs. All they need is access to a computer and the internet. And with that, voila! Cloud computing is just a click away.

Needless to say, the advent of cloud computing has opened up a world of opportunity for entrepreneurial software developers, hardware providers, and data storage companies around the globe. At the same time, it has created new business segments with a keen need for insurance products. Cyber insurance. Tech insurance. Property/All-Risk insurance. Business Interruption insurance. Professional Services/E&O insurance. Fidelity/Crime insurance. And, in some cases, personal injury/advertising injury coverage.

The potential third-party exposures are endless. Consider, for example, the legal (and regulatory) implications (and concomitant need for insurance) when an unauthorized user hacks into a “cloud” database storing personally identifiable or proprietary business information. Or think about the possibility of liability for a software developer or data storage vendor who has a customer that uses the cloud to host viruses or illegal content. Or who simply releases information about their clients to marketers, advertisers or other third-parties without considering the impact or legal ramifications of their doing so. And how about power outages or other crises or service interruptions that prevent customers from accessing their accounts or critical business information that may be the key to closing an all-important business deal (resulting in privacy claims, claims of lost income, lost profits and business interruption expense and other alleged third-party injury).

So too, first-party cyber/tech risks are well known in other contexts and would apply with equal force and effect to cloud computing. The threat of service interruptions, data corruption and the like all necessitate the need for insurance.

The bottom line, as always, is that underwriters need to constantly stay ahead of the curve and tailor their products (and marketing strategies) to address the ever-changing landscape of new and innovative technology resources. Today cloud computing. Tomorrow? Ask me tomorrow night….



No One is Immune. Even Government Entities Need Cyber/Tech Insurance

Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.

Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high profile breaches at large companies where there has been a failure to protect a customer’s personal information.

What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.

The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon drivers license number or Oregon identification card, financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS), and include the following:


Non-Profits Face Massachusetts’ Tough New Data Security Law on March 1, 2010


The roads traveled by non-profit entities have never been easy ones to negotiate. Indeed, the time, expense and, dare I say, risk of doing good deeds and raising capital has been fraught with potholes and impediments from the get-go. Now, that road has become even more treacherous for non-profits and their cyber/tech insurers alike.

 

1.  An Overview of Massachusetts’ New Data Security Law

On March 1, 2010, a new data security breach law will become effective in the Commonwealth of Massachusetts. Described by some as the toughest data security law in the U.S., the law and corresponding regulations apply to all entities, including non-profits, that employ or serve Massachusetts residents and which store, own or license “personal information” about a Massachusetts resident. Here is the Press Release from the Office of Consumer Affairs and Business Regulation. Here is the Final Version of The Regulations.

2.  What is Meant by “Personal Information”?

The term “personal information” is defined in the law to mean a Massachusetts resident’s first and last name, or first initial and last name, together with:

  1. The resident’s driver’s license number or state identification card;
  2. Bank/financial account or credit/debit account number; or
  3. Social Security number.

In other words, personal information will, generally speaking, include anything uniquely identifiable about a Massachusetts resident.


Cybersecurity is an Economic Issue – Cyber Insurers Should Provide Economic Incentives, ISA Reports

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target.

We may have gotten a good chuckle out of the various messages that were left on the Twitter accounts for Barack Obama, Britney Spears, and Bill O’Reilly, but the implications are serious; with every new technology comes new risk. Viruses can permanently erase an entire system, sensitive system files can be accessed and altered by intruders, computer networks can be infiltrated and used to attack others and credit card information can be stolen and used to make unauthorized purchases.

“Cybersecurity” refers to the protection of that information by preventing, detecting and responding to attacks. Although there may be a tendency to consider cybersecurity to be a technical issue with technical solutions, it may also be useful to think of cybersecurity as an economic issue with economic solutions.

This is the message that the Internet Security Alliance (“ISA”) has made in a landmark report issued earlier today, December 3, 2009.  The ISA is a trade association which represents a gamut of corporate interests ranging from Defence and Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries. In its report, entitled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” the ISA emphasizes that cybersecurity is an economic rather than a technical issue and that both the U.S. government and private industry need to revisit their assessments of cybersecurity by creating economic incentives and other programs to foster broader, and more enhanced, cybersecurity efforts and systems.

At present, the government has been relying on regulations to ostensibly improve cybersecurity.  The ISA suggests that this method is not only outdated, but also ineffective in dealing with a 21st Century problem.  The report sets forth a number of proposed economic solutions, many of which focus on encouraging companies to educate their executives about the economic and social benefits of cybersecurity. Key among these proposals is the suggestion that businesses should create risk management programs that educate their executives about the growing problem of cyber theft and abuse, and assist them in incorporating cybersecurity solutions in their corporate business plans (rather than ceding such responsibilities to computer “geeks” in their IS or IT, as is typically the case today).

The report concludes that most companies underfund their investments in cybersecurity, and suggests that economic and other incentives are needed to prompt businesses to improve their cybersecurity.  ISA’s report also suggests that the insurance industry become actively involved in providing a methodology by which returns on securities investments are quantified.

Among the ISA’s recommendations designed to encourage investment is a proposal that cyber insurance be used to promote the development of standards and practices and assist companies in quantifying and managing their cyber risks. At the same time, the ISA proposes that the government create limited liability protections for certified products and processes and recognized industry best practices. Alternatively, liability might be assigned on a sliding scale (comparative liability) such as limiting punitive damages while allowing actual damages and providing affirmative defenses with reduced standards (preponderance of evidence vs. clear and convincing etc.).

The report is long (over 70 pages) and quite detailed.  For those interested in reading it, the report can be found here. Irrespective of whether readers choose to take the time to read the entire report, they should familiarize themselves with its purpose and intent, as it is a major step forward in promoting dialogue on the ever-growing problem of cyber crime.  At a minimum, insurance underwriters and cyber professionals should study the report and perhaps incorporate some of the ISA’s recommendations in their own due diligence processes to complement, for example, their existing NetDiligence® cyber risk assessment service (used by many leading US & UK insurers).  Only through joint and collaborative efforts can the billion dollar problem of cyber crime be mitigated.  It is incumbent on the insurance industry to be among the leaders in these efforts.  We can begin by collecting comments on the ISA’s proposal and submitting them to its members, including those representing the insurance industry.  Please feel free to comment below.  As appropriate, we will forward them to the ISA with the author’s name and contact information, if so authorized.


Google TiVo: Now Who’s Watching Who?

Personal information and data can be captured and aggregated in the most unlikely of ways. Take, for example, television viewing habits.

In the past, data aggregators such as A.C. Nielsen have used a variety of techniques to measure television audiences’ viewing habits in order to assemble ratings and assist networks and advertisers in identifying viewership and demographic rankings. It began with people compiling viewing information in journals. As technology progressed, Nielsen and other data aggregators used “black boxes” attached to televisions to compile the all-important viewership and demographic information. Some people equated these activities to a form of “Big Brother” watching over us, but in virtually all cases, the “Nielsen families” did so willingly and were compensated for their voluntary participation.

Just as with everything else, we have now progressed well beyond the activities of yesteryear.  The latest news on the viewership and demographic aggregation front comes from Google, which has announced that it is teaming up with TiVo, the digital video recording company, to assist advertisers in measuring how and when their ads are viewed by consumers.  As most people know, TiVo and its progeny allow viewers to “fast forward” through commercials so that they can view only the content they elect to watch. While a boon to viewers who hate commercials, this capability frustrates advertisers who pay tens of thousands if not tens of millions of dollars to television and cable networks to promote their services and products.  According to Google, this new service is an attempt to re-create its AdWords and AdSense models on the small screen.

The hitch is that most TiVo users typically catch the beginning or end of a commercial or other unwanted programming as they attempt to watch their selected shows.  Only the most prolific of remote controllers can precisely fast forward their recorded programming to view only what they want and not what they don’t want. Having now had TiVo for 7-1/2 years, I still suffer the fate of imperfect fast forwarding and consequent rewinding.  I just can’t totally avoid those pesky commercials, no matter how hard I try.  And believe me, I try.

Google is of the view that even that momentary viewership of the undesirable commercials, while not a full ad impression, is meaningful to advertisers.  Thus, it plans to use “anonymous second-by-second DVR viewing data” to track how viewers see ads placed through Google TV Ads and to assemble data on viewers’ television habits.

So, what can we as TiVo users do about it?  Google has not yet announced if viewers can “opt-out” of this service.  If that option is not available, then the only options seem to be that we participate as willing or unwilling (and uncompensated) participants, or give up our TiVo.  Needless to say, that latter option is not realistic.  I love my TiVo.  I won’t give it up.  But at what cost?  The price of my privacy, it seems.


