On May 8, 2012, the New York Court of Appeals issued a ruling that merely viewing child pornography on the internet is not a criminal act under the New York Penal Code. The People v. James D. Kent, Index 70, NYLJ 1202552838004, at *1 (Ct. of App., Decided May 8, 2012). The rationale behind the decision of the state’s highest court bears discussion on a much broader scale due to its potential bearing on the legal definitions of procurement, possession and control of digital property.

The key question under consideration was the evidentiary significance of temporary internet files (or cache files) that are automatically created and stored on a the hard drive of a computer while the user is browsing the internet. The Appellate Court concluded that the act of viewing a web image alone does not, absent other proof, constitute either possession or procurement.

Read the rest of this entry »

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters. 

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.

Read the rest of this entry »

The following article, written by reknowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.

Rick Bortnick

Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.

The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.

Read the rest of this entry »

In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.

And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not out of the clear. And, things may be getting worse as  the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).

Read the rest of this entry »

The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, Corporate Insurance Blog. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment will gladly be published (promptly…). Please feel free to forward them to me at your convenience.

Rick Bortnick

On October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.“  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.” Themore recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.

Read the rest of this entry »

Businesses that necessarily require their customers to disclose credit card and personal information, beware.   Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for ”mitigation damages” arising from alleged negligence and breach of contract were viable.  Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011). 

In Anderson, the electronic payment processing  system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes.  Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008.  A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported. 

Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards.  Some financial institutions, which refrained from immediately canceling the credit card, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer.  Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards. 

Read the rest of this entry »

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…

At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.

Read the rest of this entry »

We at Cyberinquirer will be taking a break this weekend. I am heading to NYC for a memorial in honor of our dear friend John Keohane, who perished that awful day at the age of 41. Many of you may have known John from his days with CIGNA, ACE and Zurich. He is still missed by his colleagues, friends and family and always will be. What a tragedy.

   Send article as PDF   

The yellow fever outbreak of summer 1798 was the worst in Philadelphia’s history. Over 5,000 residents were infected, and nearly 1,300 died, causing even President Washington to flee. On the night of September 1st, 1798, the vault at Carpenter Hall was breached and the then-massive amount of $162,821 went missing. This first bank robbery in the United States, attributed as an “inside job”, ushered in an era of robberies that turned criminals into celebrities. Jesse James, Bonnie and Clyde, and John Dillinger have become legends. At present, the risk of yellow fever has been mitigated due to vaccines. The risk of bank vaults being physically robbed similarly has been reduced.

Read the rest of this entry »

Computer hacking is a constantly evolving and growing threat.  While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades. 

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry.  Of course, the cost of a security breach may have something to do with that.  According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers have to pay an average of $7.2 million to deal with and remedy the situation. 

One particularly alluring target for hackers has been educational institutions.  While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise. 

In 2007, educational institutions accounted for 25% of all reported data breaches.  This number jumped to 33% in 2008.  See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008) Read the rest of this entry »

Faced with revitalizing a deteriorated economy, formulating a national budget, and the aftermath of Osama Bin Laden’s death, President Barack Obama has his hands full. Yet, in the midst of all the issues commanding the White House’s attention, the Obama Administration somehow has found time to address the threats to our nation’s cyber security.

According to Business Insurance, on Thursday, May 12, 2011, the Obama Administration proposed cyber security legislation to improve protection for individuals and the federal government’s computer and network systems. The proposed legislation would address national data breach reporting by creating simpler and standardized reporting requirements for the 47 states that contain such requirements. The proposal would also synchronize penalties for computer crimes with other crimes. Additionally, the government, through the Department of Homeland Security, would become directly involved in assisting the industry as well as state and local governments in policing and enforcing cyber security. The proposed legislation encourages the state and local governments to share information with the Department of Homeland Security about cyber threats or related incidents by providing them with immunity for doing so.  
 
Read the rest of this entry »

Following the publication of our original post on the implications of a cyber attack on investors’ securities portfolios (see here), we have been asked by scores of readers whether securities fraud litigation arising from cyber crime has ensued. Not surprisingly, the answer is “yes.”

Indeed, we have located at least two such cases, one a putative securities fraud class action against a payment processing company and the second an SEC initiated action against a private investor. The results may (or may not) surprise you, depending on your perspective of trial courts’ levels of judicial activism and willingness to render substantive decisions at early stages of litigation.

 In re: Heartland Payment Systems, No. 09-1043 (D.N.J. Dec. 07, 2009) remains the paradigm for such litigation. To facilitate its payment processing services, Heartland Payment Systems (“Heartland”) stored millions of credit and debit card numbers on its internal computer network. In December 2007, hackers launched a Structured Query Language Attack (“SQL attack”) on Heartland’s payroll management system. To its credit, Heartland was able to successfully avert the attack before any personally identifiable information was stolen. At the same time, however, the company failed to detect malicious software (“malware”) which had been placed on the network by the SQL attack.  The malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers.  Heartland did not discover the breach until January 2009, at which time it notified government authorities and publicly disclosed the event.  Over the course of the following month, Heartland’s stock price dropped over $15 per share. Perhaps not surprisingly, shareholder class actions ensued.

In their complaint, plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. Specifically, plaintiffs claimed that the defendants concealed the SQL attack and misrepresented the general state of Heartland’s data security.  Plaintiffs further alleged that the defendants’ conduct was fraudulent because they were aware that Heartland’s network had been breached, yet they had not fully remedied the problem Read the rest of this entry »

Cyber crime is costing the United Kingdom more than £27  billion a year ($43.5 million), according to a recent study published by Britain’s Office of Cyber Security and Information Assurance.  The report, entitled “The Cost of Cyber Crime,” concluded that digital crime was a widespread, pervasive threat to U.K. businesses.

Theft of intellectual property, such as designs, formulas and other company secrets from businesses costs £9.2 billion, with firms specializing in pharmaceuticals, biotechnology, electronics, IT and chemicals being hit hardest.  The pharmaceutical industry loses about £1.8 billion a year in IP theft, followed by electronics and electrical equipment makers and the software sector.  In terms of non-IP industrial espionage, financial services are the biggest loser, with yearly losses of more than 2 billion, followed by mining and aerospace. 

Read the rest of this entry »

Whether you own a website where you allow blogs and comments to be posted, or if you are the blogger/poster, listen up. 

For those of you who haven’t heard of Righthaven LLC, they are to the blogging world what editors are to the Law Review world…cite-checking and anti-plagiarism “proponents” (let’s call ‘em that, for argument’s sake).  Righthaven’s been making quite a splash and has gained popularity among news chains since its coming into existence in the spring of 2010.  According to David Kravets’ article, “Righthaven Expands Troll Operation With Newspaper Giant”[1], Righthaven has filed over 180 lawsuits and has settled over 70 of them already.  Its major suppliers of copyrighted material include Stephens Media (owners of Las Vegas Review-Journal), MediaNews Group (owners of San Jose Mercury News and the Denver Post), and WEHCO Media (owners of Arkansas Democrat-Gazette and Chattanooga Times Free Fress), to name a few.[2] Owned by Net Sortie Systems LLC and SI Content Monitor LLC, Righthaven is the brain-child of Las Vegas-based IP attorney, Steven Gibson.[3] Righthaven’s clients assign their rights in the content to Righthaven, who then sues for copyright infringement.[4] 

In order to analyze the problems faced by the parties to such lawsuits, we’ll have to discuss the U.S. Copyright Act, as well as the Digital Millennium Copyright Act (“DMCA”).

Read the rest of this entry »

There have been a recent flurry of blog posts and media stories warning internet users about the potential dangers of posting their whereabouts on social networking sites, as such personal information is being used by opportunists to facilitate crimes. For example, just in the last month, three men in Nashua, New Hampshire allegedly used information they obtained from users’ Facebook status updates to learn when the users would not be home and thereupon broke into their vacant and vulnerable residences. Although Facebook has denied any link between its site and the crimes, the Nashua police believe that detailed information about the posters’ travel plans provided the thieves with sufficient information to know when the homes would be unoccupied.

Of course, the incidence of such crimes has not been widely disseminated through traditional media sources, such as newspapers, radio and television. As such, most Americans are unaware of this increasing phenomena. At the same time, internet users are more widely and more frequently publishing their personal information, including their travel and vacation plans, on social networking and other public sites. Moreover, beyond the routine “tweets” and run-of-the-mill social networking status updates, new applications for cellular phones and PDAs are being created to facilitate geographical updates. These applications such as “Foursquare,” “Gowalla” and “Facebook Places,” enable users to instantly identify their current physical location on the profiles they have created on social networking sites. Needless to say, allowing geographical information to freely be disclosed to the public can provide opportunists with even more accurate information about the whereabouts of their victims and their distance from an unoccupied and vulnerable residence.

Read the rest of this entry »