Ping Service
Feedback Forms

Congress Proposes Bill Protecting Student Data

While the protection of private data contained within student records is not a new concern, advances in technology and the accompanying headlines of data breach have caused Congress to reconsider the issue.

The Family Educational Rights and Privacy Act (FERPA) currently protects against the unauthorized disclosure of personally identifiable information (PII) contained within student records. PII includes direct identifying information, such as a student’s name, as well as indirect identifying information, such as date or place of birth.

The role computers and networks play in the operation of schools is profound. Like many industries, the issue of data storage for schools is a significant aspect of the information technology infrastructure. Increasingly, schools (mostly public enterprises) migrate and store data in the Cloud, thus placing PII in the hands of third party (mostly private) business associates. Schools also rely on on-line text books, on-line web applications, and software as a service. Much of this did not exist when President Ford signed FERPA into law in 1974. One survey showed only 25 percent of districts notify parents that its students’ data interfaces with the Cloud.

Read the rest of this entry »

Cyber at Lloyds: Catching the cyber horse in motion

The following article was written by my good friend Tony Ellwood. Tony is senior executive, underwriting, at Lloyd’s Market Association and a thought leader. We are grateful to Tony for allowing us to republish his article, which first appeared in the July 16th edition of Insurance Day.

Rick

LondonThe question of whether a running horse has all four hooves in the air simultaneously was one that perplexed generations. No matter just how closely a horse was observed, the motion of its legs was simply too rapid for the human eye to register accurately. It was not until the advent of photography and an experiment by Eadweard Muybridge in 1878 that the question was answered. He developed a camera that was triggered by wires attached to a horse’s legs allowing him to shoot 24 photographs as the horse ran past, which proved beyond a shadow of doubt that a horse does indeed lose contact completely with the ground in mid-gait.

There are many parallels between Muybridge’s study of the running horse and a new survey the Lloyd’s Market Association (LMA) has launched to understand the full extent of cyber risk being underwritten in the Lloyd’s market. The similarity is the sheer pace with which cyber liability has grown from its beginnings in the mid-1990s to current global premiums in the order of £1.5bn, and still rising sharply. The speed of that growth, combined with the rate at which cyber has evolved as a product, make it a particularly tricky line to pin down. What’s more, the question that has been formulating in the LMA’s collective mind is how much cyber liability is being written at Lloyd’s within other classes of business such as marine or aviation. This survey is the first attempt to comprehensively map that business.

Read the rest of this entry »

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

I first published this article in 2010. Surprisingly, its as relevant today – perhaps even more relevant – than it was four years ago.

Rick

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Read the rest of this entry »

The Insurance Industry and ICANN: The Next Frontier

icann-flagsWe all take the Internet for granted.  Short of a power outage taking down phone lines, cell towers and satellite transmissions, the Internet will always be there. Like death and taxes, you can count on it.

Not that the paradigm will change any time soon, but at some point, it might.

On March 14 and 17, 2014, the Wall Street Journal reported on the decision by the National Telecommunications and Information Administration (“NTIA”), part of the Commerce Department, to cede control of the Internet from the Internet Corporation for Assigned Names and Numbers (“ICANN”) (a U.S. non-profit) to an organization of multinational stakeholders.

As readers of Cyberinquirer, know, ICANN is responsible for managing the core of the Internet by distributing domain names and Web addresses.  It’s been doing so since 1998.

Read the rest of this entry »

The Dos and Don’ts of Navigating The Cloud: A Business Guide For Cloud Computing

Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet. Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.

The cloud’s economic benefits are clear. Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.

Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:

Read the rest of this entry »

Canadians More Exposed Than One Would Think

canada-flag-stereotypesOkay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.

What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.

Read the rest of this entry »

The Insurance Industry: In Regulators’ Sights

If you’re an insurance company, it may be time to open your cyber-related checkbooks if you haven’t done so already. New York Governor Andrew Cuomo’s Department of Financial Services (“NYSDF”) soon may be watching you. They’re already asking questions as if certain insurers were “persons of interest,” just as it did earlier this year with certain of the larger banks.

On May 28, the NYSDF sent what are referred to as “308 letters” to 31 regulated health, life and general liability insurance companies (seemingly those with the highest premium revenue). The NYSDF’s letters request information on (1) the insurers’ existing IT-related management policies and procedures with respect to the prevention of cyber attacks, (2) actual cyber attacks occurring within the past three years, (3) the quantum of funds and resources dedicated to cybersecurity, and (4) how they safeguard customers’ and business entities’ health and personally identifiable information (the letters specifically identify financial information as a subject category).

Read the rest of this entry »

First Circuit Court of Appeals Holds Bank’s Online Security Measures “Commercially Unreasonable” in Landmark Decision

In a landmark decision, the First Circuit Court of Appeals held in Patco Construction Company, Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012) that People’s United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 which had been stolen from PATCO’S bank account. In so doing, the Court reversed the decision of the United States District Court for the District of Maine which had granted summary judgment in the bank’s favor.

The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO. While the bank’s security system flagged each one of the transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, the bank’s security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not “commercially reasonable” under the Uniform Commercial Code, as codified under Maine Law.

Read the rest of this entry »

Insurers: Assert Your Subrogation Rights

The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).

Rick

It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, its development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.

At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.

Read the rest of this entry »

Insurance Recovery for Loss or Liability Arising from Cyberattacks: Obtain and Preserve Insurance for Your Company’s Protection

The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott’s personal site, Corporate Insurance Blog, after being published by Hospitality Upgrade magazine. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro.

Rick Bortnick

It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks. A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies. According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves. Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds. Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes. Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability. Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.

Read the rest of this entry »

Would Your Company’s Insurance Cover a Cyberattack?

The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, Corporate Insurance Blog. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment will gladly be published (promptly…). Please feel free to forward them to me at your convenience.

Rick Bortnick

On October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.” Would your insurance policies cover those events? Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story. These attacks and threats do not appear to be on a downward trend. They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend. The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.” Themore recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.

Read the rest of this entry »

Discovery in the Age of Cloud Computing

During the last decade, individuals and business have changed the way they manage their data by moving this data management offsite – otherwise known as cloud computing. This differs from the old model of information management that, more or less, mirrored the pre-computing era, meaning that an employee’s file might be kept in a cabinet in a Human Resources (“HR”) office or stored on a company’s in-house server. With cloud computing, however, that same employee file may be stored hundreds or thousands of miles away from the HR officer who needs to review it – or the IT officer tasked with preserving that data for potential litigation.

As discussed more fully in Rick Bortnick’s prior posts (here and here), cloud computing outsources data and software management, migrating it from the local to the global by providing instant access over the internet. According to the National Institute of Standards and Technology, cloud computing has five primary characteristics: (1) “on-demand self-service,” or the ability to call up stored data or capabilities as needed; (2) broad network access through a variety of platforms; (3) pooling resources providing “location independence”; (4) “rapid elasticity” in the distribution of computing capabilities, and (5) “measured service,” or service-appropriate control and optimization by the cloud system manager rather than the local user. It is the pooling of resources and the measured service managed by third-parties that pose the greatest risks during e-discovery.
Read the rest of this entry »

Cloud Computing: What Every Underwriter Should Know. And Why They Should Care. Now. Today. This Minute.

j0284068Emailing. Instant messaging. Texting. On-line gaming. Ten years ago, even five years ago, such words and concepts were alien to the typical luddite. Now, these terms are not just parts of the common parlance; a vast majority of us actually use these resources on a daily basis (in some cases, with our childrens’ guidance and assistance).

Consider, then, the relatively new concept of “cloud computing.” In lay terms, cloud computing is the on-line or internet-based use of a third-party vendors’ or service providers’ off-site (and hopefully secure) servers for data storage and/or management. Hotmail, Facebook, LinkedIn, YouTube and Google all use cloud computing to serve their members, often at no cost. At the same time, there are a growing number of vendors (like Apple) which “host” or “back-up” at-home and business computer systems by storing a consumer’s data or facilitating their use of cost-effective business solutions for a monthly or annual fee. Users typically do not have to incur fixed costs or purchase hardware or even software programs. All they need is access to a computer and the internet. And with that, voila! Cloud computing is just a click away.

Needless to say, the advent of cloud computing has opened up a world of opportunity for entrepreneurial software developers, hardware providers, and data storage companies around the globe. At the same time, it has created new business segments with a keen need for insurance products. Cyber insurance. Tech insurance. Property/All-Risk insurance. Business Interruption insurance. Professional Services/E&O insurance. Fidelity/Crime insurance. And, in some cases, personal injury/advertising injury coverage.

The potential third-party exposures are endless. Consider, for example, the legal (and regulatory) implications (and concomitant need for insurance) when an unauthorized user hacks into a “cloud” database storing personally identifiable or proprietary business information. Or think about the possibility of liability for a software developer or data storage vendor who has a customer that uses the cloud to host viruses or illegal content. Or who simply release information about their clients to marketers, advertisers or other third-parties without considering the impact or legal ramifications of their doing so. And how about power outages or other crises or service interruptions that prevent customers from accessing their accounts or critical business information that may be the key to closing an all-important business deal (resulting in privacy claims, claims of lost income, lost profits and business interruption expense and other alleged third-party injury).

So too, first-party cyber/tech risks are well known in other contexts and would apply with equal force and effect to cloud computing. The threat of service interruptions, data corruption and the like all necessitate the need for insurance.

The bottom line, as always, is that underwriters need to constantly stay ahead of the curve and tailor their products (and marketing strategies) to address the ever-changing landscape of new and innovative technology resources. Today cloud computing. Tomorrow? Ask me tomorrow night….


PDF Editor    Send article as PDF