Ping Service
Feedback Forms

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

I first published this article in 2010. Surprisingly, its as relevant today – perhaps even more relevant – than it was four years ago.

Rick

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Read the rest of this entry »

The Insurance Industry and ICANN: The Next Frontier

icann-flagsWe all take the Internet for granted.  Short of a power outage taking down phone lines, cell towers and satellite transmissions, the Internet will always be there. Like death and taxes, you can count on it.

Not that the paradigm will change any time soon, but at some point, it might.

On March 14 and 17, 2014, the Wall Street Journal reported on the decision by the National Telecommunications and Information Administration (“NTIA”), part of the Commerce Department, to cede control of the Internet from the Internet Corporation for Assigned Names and Numbers (“ICANN”) (a U.S. non-profit) to an organization of multinational stakeholders.

As readers of Cyberinquirer, know, ICANN is responsible for managing the core of the Internet by distributing domain names and Web addresses.  It’s been doing so since 1998.

Read the rest of this entry »

Risk Based Security’s 2013 Data Breach QuickView Report

The following was provided by my friend Jake Kouns of Risk Based Security, a leading-edge security and threat intelligence company. that provides comprehensive vulnerability and data breach intelligence services.   Thanks Jake.

Rick

Risk Based SecurityWe  are pleased to release our Data Breach Quick view report that shows 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents.  The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record (2011).

Although overshadowed by the number of exposed records, 2013 is also ranked #2 in total reported  data breach incidents, just behind 2012. “When you analyze the data breach activity in 2013 it’s hard to  find any bright-side, said Barry Kouns, CEO of Risk Based Security. “Four of the “Top 10” data breaches all time, were reported in 2013, including the top spot. “

Read the rest of this entry »

The Target Breach: Show Me The Insurance

The following article was first published by the Advisen Cyber Risk Network. If you haven’t checked it out, you should. Its extremely informative. And I’ll be a regular contributor.

Cheers.

Rick

By now, almost everyone has read or heard about – or even been directly impacted by – the theft of financial data relating to over 40 million credit and debit cards used at Target stores in November and December last year.

However, the insurance coverage aspects of the breach have generally flown under the radar.

To a company like Target (or whoever is affected by the next breach), the availability of insurance coverage is an important component of crisis management and remediation, litigation and regulatory investigation strategies, and reputational/brand/lost income protection.

So assuming Target has purchased potentially applicable insurance products, what coverages might apply?  And how might they respond?

At a minimum, it can be expected that Target will investigate the availability of coverage under four separate lines of insurance: Cyber, privacy and technology (CPT); general liability; crime/fidelity and; directors and officers liability policies.

Read the rest of this entry »

Cyber Security and Data Breaches: Why Directors and Officers Should Be Concerned

Following is an excerpt from the leading chapter in Willis London’s Executive Risks: A Boardroom Guide 2012/2013. If you would like to read the entire chapter, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

sec1

Cyber insurance has become a necessity. Every company that maintains, houses or moves sensitive information is at risk of a data breach, primarily due to the growth and increased sophistication of hackers, malicious software and, most recently, ‘hacktavists’. Even mere employee negligence can lead to a data breach. High-profile companies such as Sony can attest that cyber-intrusions can lead to hundreds of millions, if not billions, of dollars in legal exposure.

Equally troublesome, our expanding online society has introduced new financial risks and exposures that may not be covered under general and professional liability insurance products, including standard directors’ and officers’ (D&O) policies. As such, corporate directors and officers, and their risk-management professionals, must ensure that they buy appropriately tailored policies that provide protection against the rapidly expanding risks to which they could be vulnerable, both personally and professionally.

The risks and costs of a data breach

It has become known as the Year of the Breach: in 2011, companies of all sizes experienced malicious intrusions or employee negligence that affected their operations and/or businesses. For example, in April 2011, computer hacktavists unlawfully accessed the Sony PlayStation Network (PSN) and obtained the personal and financial information of roughly 77 million PSN users. Since then, Sony and its insurers likely have spent tens, if not hundreds, of millions of dollars to remedy and mitigate the resulting security and commercial crises — an amount that grows by the day as lawyers prosecute class action lawsuits on behalf of allegedly affected users whose personal and financial information was improperly accessed.

Equally problematic for Sony, it has been sued by its commercial general liability (CGL) insurer, which sought to avoid coverage by arguing that its general liability policies do not and never were intended to cover data breaches.

The TJX Companies also fell victim to a cyber intrusion that security experts predict will have long-term costs of between US$4 billion and US$8 billion in fines, legal fees, notification expenses and brand impairment. In the TJX case, the retail group reported that 45.6 million credit and debit card numbers were stolen from one of its systems during the period July 2005 to January 2007. Of critical import, the January 2007 intrusion occurred after TJX already had knowledge of the initial breaches.

Of course, big corporations are not the only entities that are vulnerable to hackers and hacktavisits; indeed, half of all companies that have experienced data breaches have fewer than 1,000 employees.

 

PDF24 Creator    Send article as PDF   

Cyber, Privacy and Technology Best Practices and Reputational Harm: Why Legal Professionals Need a Lawyer’s Advice, Counsel and Privileges

BabyB_LPlate_improvedIntroduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details. At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company). As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.
The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong. In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance. This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CBT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his and her lifeblood. Indeed, reputation translates to the bottom line. For better or worse.
And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is incumbent that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media. As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorneys’ clients – and by extension, the attorney himself and herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information (“PII”), personal health information (“PHI”) and/or confidential commercial information (“CCI”). It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.
It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals. Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney. Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do possess the critical protections afforded by the attorney-client relationship. In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

To continue reading, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

Fax Online    Send article as PDF   

Asia-Pacific Cyber Law Risks and Developments

We first published the following White Paper extract in October 2011. While the White Paper might be somewhat dated (and therefore will be refreshed shortly), it remains relevant for our friends interested in learning the basics of Asia Pacific cyber/privacy law. Please let me know if you’d like to see the entire paper. Rick

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity.

At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).

Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies

Read the rest of this entry »

Canadians More Exposed Than One Would Think

canada-flag-stereotypesOkay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.

What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.

Read the rest of this entry »

Power to the People: Social Media Technologies Mediating Corporate Social Governance

The measure of effectiveness of a CEO and its executive board has always been the degree to which the business is achieving its purpose. Whether in Canada, the U.S., Europe or Asia, an executive board’s purpose should be to increase shareholder value, a purpose that is best accomplished by serving the needs of various stakeholders. Somewhere in the pyramid of stakeholders is the consumer or client, whose likes, favorites, and preferences must be met with quality personalized products and services that deliver high competitive value. In an interconnected global knowledge economy, this has meant listening to what consumers are saying online through social media platforms like Facebook and Twitter, and engaging in two-way conversations to respond in real-time to consumer demands.

Read the rest of this entry »

State Privacy Laws Evolve While Congress Campaigns

New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.

Connecticut

At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.

Read the rest of this entry »

First Circuit Court of Appeals Holds Bank’s Online Security Measures “Commercially Unreasonable” in Landmark Decision

In a landmark decision, the First Circuit Court of Appeals held in Patco Construction Company, Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012) that People’s United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 which had been stolen from PATCO’S bank account. In so doing, the Court reversed the decision of the United States District Court for the District of Maine which had granted summary judgment in the bank’s favor.

The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO. While the bank’s security system flagged each one of the transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, the bank’s security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not “commercially reasonable” under the Uniform Commercial Code, as codified under Maine Law.

Read the rest of this entry »

The Implications of a Cyberattack on Your Securities Portfolio: You May Want to Read Your Holdings’ 10-Ks

falling moneySo, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In the “Risks” section of its 2009 10-K, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. Kudos to Intel for making this disclosure, which predated the October 2011 publication of the SEC Guidance addressing public companies’ cyber risks and exposures (discussed here and elsewhere, including in the March 2012 edition of the Advisen Cyber Journal. Please feel free to contact me for details on how to obtain this must-read issue and subscribe. Advisen has done a masterful job, as it does with all of its publications). As will be discussed in my next post, a significant number of public companies still have not complied with their cyber risk and cyber exposure reporting “obligations” under the SEC Guidance.

As to Intel, the subject 10-K listed several noteworthy risks. The most intriguing stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.”

The adverse economic impact of a cyber-related disclosure is not theoretical, either. Indeed, in the immediate wake of the News Corp./News of the World cell phone hacking scandal in mid-2011, News Corp’s market cap reportedly fell by over 15%, valued at approximately $7 billion, in less than a week. Not surprisingly, News Corp was sued shortly thereafter in a series of securities fraud class actions, which remain pending.

While cyber risks and exposures may or may not have an impact on a stock’s trading price, their potential impact can not be ignored. Google (GOOG) is another example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development can not be understated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. By April 25, 2010 Google’s shares were trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyber event can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brands’ reputation (remember News of the World? After 168 years of tremendous success globally, it ceased publishing on July 10, 2011 as a direct result of the hacking scandal), all the way to claims arising from the theft of consumer’s personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) lead TJX to settle with regulators, states, consumers and others and set a settlement/remediation reserve of over $100 million.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.

PDF Creator    Send article as PDF   

The Coverage Question

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.

Read the rest of this entry »

An Insurer’s View: Examining the Rising Costs of Breaches

The following article, written by reknowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.

Rick Bortnick

Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.

The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.

Read the rest of this entry »

And Now, the Maine Event: Mitigation Costs Constitute Damages in Data-Breach Case

Businesses that necessarily require their customers to disclose credit card and personal information, beware. Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for “mitigation damages” arising from alleged negligence and breach of contract were viable. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).

In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported.

Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards. Some financial institutions, which refrained from immediately canceling the credit card, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.

Read the rest of this entry »

Credit Card Hackers’ Favorite Target…Hotels.

We’ve all heard the story of the clerk at the local gas station who was double-swiping credit cards in order to make fraudulent copies. Online banking, restaurants, clothing retailers…every industry is potentially a target. Yet the industry that was the subject of more credit card thefts than any other sector in 2009? Hotels.

To the point, SpiderLabs (an affiliate of Trustwave, a data-security consulting firm) has published a study which reports that 38% of the credit card hacking events in 2009 involved the hospitality industry. Over one-third of all thefts of credit card numbers occurred at hotels. Much to my surprise, given the wealth of reporting on the subject, the financial services industry lagged well behind at a comparatively minor 19%. Retail followed at 14.2% while restaurants and bars were fourth at 13%.

I guess I shouldn’t have been surprised, though, as my own credit card number was stolen several years back while i was staying at a business travelers’ hotel in New York City. I had gone to the City for a Cinco de Mayo event sponsored by a major international insurer. Several days later, I received a call from my credit card company asking if I had bought gasoline on Long Island or a $5000 television at a big box retailer. While I do buy gasoline, I hadn’t been on Long Island. And while I certainly would have loved a $5000 television (or, for economy’s sake, something less pricey), I hadn’t bought that either. The conclusion was simple: my credit card number had been stolen when I used it at the New York hotel.

So, why hotels? According to security analysts, they’re generally easy targets. The large chain hotels may employ sophisticated security technology or other protections. Or they may not. In either case, how about smaller or private owned, non-chain hotels? The next time you check into a hotel, ask what security methods they use to protect credit card information. You probably won’t like the answer. The credit card number that you provide at check-in may sit in a folder or a file maintained right at the front desk. Who would prevent someone from simply lifting the file? Especially in the middle of the night. The single desk clerk on overnight duty?

Read the rest of this entry »

Wake Up and Smell the Threats: Two Recent Examples of Why Municipalities Need Cyber Insurance

Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.

Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. Its 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post No One is Immune. Even Government Entities Need Cyber/Tech Insurance?

Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.

Read the rest of this entry »

Online Banking and “Reasonable Security” Under the Law: Breaking New Ground?

j0300523With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law.

Ironically, this question may be answered by reference to a 20 year old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking (Patco Construction Co. v. People’s United Bank (“PATCO”) and JM Test Systems, Inc. v. Capital One Bank (“JMT”)) and a court’s ruling on a motion for summary judgment in similar lawsuit (Shames-Yeakel v. Citizens Bank Memo and Memo Order on Motion for Summary Judgment – “Shames-Yeakel” case). In short, since the Shames-Yeakel case proceeded past the “damages” pleading phase, it (and possibly these other online breach suits) reveals how some courts view security “standards” and approach the question of whether a company has achieved “reasonable security.” I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.

Read the rest of this entry »