Ping Service
Feedback Forms

P.F. Chang’s CGL Insurer Seeks Declaratory Judgement on Data Breach Claim

P.F. Chang’s China Bistro made headlines when it recently reported that 33 of its restaurant locations spanning 18 states suffered a data breach in connection with the restaurant’s point-of-sale payment systems. While the breach was reported in the news media in June of this year, the unlawful access to its systems may have begun months prior to its discovery.

Two putative class action lawsuits were filed in the Northern District of Illinois and a third was filed in the Western District of Washington. These suits allege that personal information of as many as seven million customers may have been stolen as part of the breach.

On notice of these three putative class actions, on October 10, 2014, Travelers Indemnity Company filed a four-count declaratory judgment action in the District Court of Connecticut seeking a declaration that two commercial general liability (CGL) policies issued to P.F. Chang’s in 2013 and 2014 do not afford coverage for the data breach litigation.

Read the rest of this entry »

California District Court Finds Threat of Future Harm Sufficient to Confer Article III Standing in Data Breach Action

In a departure from the mounting body of case law finding that the “increased risk of future harm” is insufficient to confer Article III standing on victims of a data breach, the U.S. District Court for the Northern District of California recently found that such potential future harm is sufficient to allow a putative class of plaintiffs to proceed in Federal Court.

In re Adobe Sys. Privacy Litig., 2014 U.S. Dist. LEXIS 124126 (N.D. Cal. Sept. 4, 2014), involves various claims against Defendant Adobe Systems, Inc. (“Adobe”) arising out of an intrusion into Adobe’s computer network in 2013 and the resulting data breach. According to Plaintiffs, in July 2013, hackers gained unauthorized access to Adobe’s servers and spent several weeks inside Adobe’s network without being detected. Once the breach was eventually detected, Adobe announced that the hackers accessed the personal information of at least 38 million customers, including names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses. Adobe subsequently disclosed that the hackers were able to use Adobe’s systems to decrypt customers’ credit card numbers, which had been stored in an encrypted form.

Read the rest of this entry »

Ilinois Federal Court Grants Neiman Marcus’ Motion

Standing-Icon-269431Once again, a court finds that data breach plaintiffs do not have the requisite Article III constitutional standing to pursue civil action against a retailer – itself the victim of a cyber attack. Last month, the United States District Court for the Northern District of Illinois, Eastern Division granted high-end retailer Neiman Marcus’ 12(b)(6) motion to dismiss a law suit arising out of a data breach the company suffered in 2013.

In Remijas v. Neiman Marcus Group, LLC, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. Sept. 16, 2014), Plaintiffs brought an action against Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violations of several state data breach acts.

In 2013, hackers breached Neiman Marcus’ computer network, resulting in the potential disclosure of 350,000 customers’ payment card data and personally identifiable information. Of the payment cards that may have been affected, it appeared that about 9,200 were subsequently used fraudulently elsewhere. Plaintiffs were among the 350,000 customers and alleged that Neiman Marcus failed to adequately protect customer data from breach, and failed to provide timely notice of the breach after it occurred.

Read the rest of this entry »

Congress Proposes Bill Protecting Student Data

While the protection of private data contained within student records is not a new concern, advances in technology and the accompanying headlines of data breach have caused Congress to reconsider the issue.

The Family Educational Rights and Privacy Act (FERPA) currently protects against the unauthorized disclosure of personally identifiable information (PII) contained within student records. PII includes direct identifying information, such as a student’s name, as well as indirect identifying information, such as date or place of birth.

The role computers and networks play in the operation of schools is profound. Like many industries, the issue of data storage for schools is a significant aspect of the information technology infrastructure. Increasingly, schools (mostly public enterprises) migrate and store data in the Cloud, thus placing PII in the hands of third party (mostly private) business associates. Schools also rely on on-line text books, on-line web applications, and software as a service. Much of this did not exist when President Ford signed FERPA into law in 1974. One survey showed only 25 percent of districts notify parents that its students’ data interfaces with the Cloud.

Read the rest of this entry »

Tangible Property Coverage: The Next Frontier in the Tech Insurance Market

In the beginning

The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days, there was a widely held belief that the primary concern was In the beginning.

The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days, there was a widely held belief that the primary concern was operational, amidst concerns about the impact of a computer virus or the actions of a “Hacker”, a new term to many of us then.

Despite the lack of actuarial data, a few underwriters in the US and London started to devise solutions to indemnify business interruption losses and the costs to restore compromised data. Commonly known as “Hacker Insurance”, we found few buyers beyond large US banks. Clients found the underwriting process both intrusive and expensive as insurers demanded onsite security audits.

On July 1st 2003 everything changed.

Read the rest of this entry »

Cyber at Lloyds: Catching the cyber horse in motion

The following article was written by my good friend Tony Ellwood. Tony is senior executive, underwriting, at Lloyd’s Market Association and a thought leader. We are grateful to Tony for allowing us to republish his article, which first appeared in the July 16th edition of Insurance Day.

Rick

LondonThe question of whether a running horse has all four hooves in the air simultaneously was one that perplexed generations. No matter just how closely a horse was observed, the motion of its legs was simply too rapid for the human eye to register accurately. It was not until the advent of photography and an experiment by Eadweard Muybridge in 1878 that the question was answered. He developed a camera that was triggered by wires attached to a horse’s legs allowing him to shoot 24 photographs as the horse ran past, which proved beyond a shadow of doubt that a horse does indeed lose contact completely with the ground in mid-gait.

There are many parallels between Muybridge’s study of the running horse and a new survey the Lloyd’s Market Association (LMA) has launched to understand the full extent of cyber risk being underwritten in the Lloyd’s market. The similarity is the sheer pace with which cyber liability has grown from its beginnings in the mid-1990s to current global premiums in the order of £1.5bn, and still rising sharply. The speed of that growth, combined with the rate at which cyber has evolved as a product, make it a particularly tricky line to pin down. What’s more, the question that has been formulating in the LMA’s collective mind is how much cyber liability is being written at Lloyd’s within other classes of business such as marine or aviation. This survey is the first attempt to comprehensively map that business.

Read the rest of this entry »

CA Court of Appeal: CMIA Is Not All-Inclusive

customLogo.gifIn its recent decision in Eisenhower Medical Center v. Superior Court, 226 Cal. App. 4th 430 (Cal. App. 4th Dist. 2014), the Court of Appeal of California, Fourth District, had occasion to consider whether a medical facility’s disclosure of information concerning a patient that does not contain the medical treatment or history of the patient violates California’s Confidentiality of Medical Information Act (“CMIA”) (Cal. Civ. Code § 1798.82), which requires notification to consumers when security systems are breached.

On March 11, 2011, a computer was stolen from Eisenhower Medical Center (“EMC”) that contained an index of over 500,000 persons to whom EMC had assigned a clerical record number.  The records dated back to the 1980’s.  The information on the index was limited to each person’s name, medical record number, age, date of birth, and the last four digits of the person’s Social Security number.  EMC subsequently advised the patients of the theft, and a number of those individuals filed suit.  The suit was styled as a putative class action and sought nominal damages of $1,000 for EMC’s alleged violations of the CMIA.  The plaintiffs also included a cause of action for violation of the Consumer Records Act (“CRA”).

Read the rest of this entry »

Court Certifies Interlocutory Appeal for the FTC v. Wyndham Matter

TRAUB LIEBERMAN STRAUS & SHREWSBERRY LLP’s Cyber Law Blog previously discussed various aspects of the Federal Trade Commission (“FTC”) action filed against Wyndham Worldwide Corp. (“Wyndham”) under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” Recent developments in the FTC action carry implications for cyber liability and how companies handle cyber security and data breaches.

On April 7, 2014, US District Judge Esther Salas denied Wyndham’s motion to dismiss directly challenging the FTC’s authority to regulate cyber security practices. Wyndham’s motion asserted that Congress had not delegated such authority to the FTC under its Section 5 powers, and even if it did, the FTC failed to publish rules or regulations providing companies fair notice of the protections expected and “legal standards” to be enforced by the FTC.

At the time, Judge Salas unequivocally ruled in favor of the FTC’s authority. However, on June 23, 2014, the Court granted Wyndham’s application and certified the matter for an immediate interlocutory appeal to the Third Circuit Court of Appeals.

The appeal involves two questions of law: (1) whether the FTC can bring an unfairness claim involving data security under Section 5 of the FTC Act and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.

Interlocutory appeals are rarely granted, are in the complete discretion of the trial court, and must meet certain requirements under 28 U.S.C. § 1292(b), including whether there is a substantial ground for difference of opinion on the matter. While Judge Salas’s denial of Wyndham’s motion to dismiss was certain as to the FTC’s Section 5 authority and the issue of fair notice, the Order certifying the matter for interlocutory appeal on the other hand, acknowledged Wyndham’s “statutory authority and fair-notice challenges confront this Court with novel, complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”

The Court further acknowledged that it was dealing with an issue of first impression with “nationwide significance… which indisputably affects consumers and businesses in a climate where we collectively struggle to maintain privacy while enjoying the benefits of the digital age.”
As a result, the Third Circuit will be the first major appellate court to weigh in on the issue of whether the FTC has authority to regulate cyber security practices, and if so whether those regulations require specific legal standards and fair notice to those within the scope of FTC’s enforcement.

- See more at: http://www.traublieberman.com/cyber-law/2014/0710/4801/#sthash.hgIolyzW.dpuf

Fax Online    Send article as PDF   

Best Practices: Protecting Your Firm From The HIPAA Omnibus Rule

The following article was written by my friend Charlie E. Bernier, Esquire of ECBM, L.P. in Conshohocken, PA. Charlie serves as the Principal Consultant in ECBM’s Lawyers Professional Liability Division. Thanks Charlie.

Rick

hipaa2On September 23, 2013 the Department of Health and Human Services (HHS) began enforcing HIPAA Privacy, Security, Beach Notification, and Enforcement rules under the authority of the Omnibus Final Rule. Though the legislation had been in existence since 1996, it was officially expanded to include law firms and firm subcontractors that handle Protected Health Information (PHI) on behalf of their clients who are regulated by HIPAA. The Omnibus Final Rule now requires that these firms and any subcontractor they do business with comply with the Security Rule, Significant Provisions of the Privacy Rule, and the Breach Notification rule.

HHS is now authorized to (1) audit law firms (2) subject law firms to compliance reviews (3) impose civil monetary penalties for violations and (4) make referrals to the Department of Justice for criminal prosecution.

As a practicing attorney and risk management specialist, I know how inconvenient and costly complying with bureaucratic privacy laws can be. Neglecting to address these laws, however, could potentially cost your firm millions of dollars. The omnibus final rule imposes penalties and fines up to $1.5 million per violation, not including defense and indemnity costs. A security breach that exposes multiple patient records could be financially devastating, which is why thoroughly knowing the law and how to protect your firm is paramount to hedging against potential catastrophic losses.

Read the rest of this entry »

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

I first published this article in 2010. Surprisingly, its as relevant today – perhaps even more relevant – than it was four years ago.

Rick

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Read the rest of this entry »

The Insurance Industry and ICANN: The Next Frontier

icann-flagsWe all take the Internet for granted.  Short of a power outage taking down phone lines, cell towers and satellite transmissions, the Internet will always be there. Like death and taxes, you can count on it.

Not that the paradigm will change any time soon, but at some point, it might.

On March 14 and 17, 2014, the Wall Street Journal reported on the decision by the National Telecommunications and Information Administration (“NTIA”), part of the Commerce Department, to cede control of the Internet from the Internet Corporation for Assigned Names and Numbers (“ICANN”) (a U.S. non-profit) to an organization of multinational stakeholders.

As readers of Cyberinquirer, know, ICANN is responsible for managing the core of the Internet by distributing domain names and Web addresses.  It’s been doing so since 1998.

Read the rest of this entry »

The Dos and Don’ts of Navigating The Cloud: A Business Guide For Cloud Computing

Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet. Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.

The cloud’s economic benefits are clear. Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.

Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:

Read the rest of this entry »

New York Court to Sony: No Personal Injury Coverage for You!

As many of us have been saying since the advent of cyber insurance coverage, cyber policies potentially cover privacy risks and exposures, not Commercial General Liability policies, be it under a property damage or a personal/advertising injury insuring agreement.  In other words, policyholders and their brokers would be mistaken if they deluded themselves into thinking that a standard base CGL policy’s personal injury/advertising injury coverage applies to a typical cyber breach where personally identifiable information is extracted.  Sadly, my good friend Scott Godes falls into this category.

On February 21, 2014, , Judge Jeffrey K. Oing, of the New York Supreme Court, Manhattan Commercial Division ratified this maxim by denying personal injury coverage to Sony for the 2011 breach and theft of personal information from its PS3 gaming platform, among other databases.  Zurich American Insurance Company v. Sony Corporation of America, Index No. 651982/2011 (N.Y. Supreme, filed 7/20/2011). See Complaint here.

Read the rest of this entry »

Cyber class-action litigation: Insurers’ next significant spend?

The following article was first published by my friends at Advisen for their new Cyber Risk Network. For those who haven’t already done so, check it out.

Rick

Virtually every reader is well aware of the decision from the US Court of Appeals for the First Circuit finding that claims by class-action plaintiffs for “mitigation damages” arising from a cyber breach were viable. Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011).

There, the court held under Maine law that, in the abstract, certain claimants whose financial information was stolen could recover certain costs incurred in a reasonable effort to mitigate.

Hannaford Brothers is an extreme outlier in the world of cyber class-action litigation. And—as it should have in my view—the case effectively ended when the District Court, on remand, declined to certify the putative class in light of the claimants’ failure to establish that common issues of law and fact “predominate” over individual issues, a predicate to class certification.

Read the rest of this entry »

Risk Based Security’s 2013 Data Breach QuickView Report

The following was provided by my friend Jake Kouns of Risk Based Security, a leading-edge security and threat intelligence company. that provides comprehensive vulnerability and data breach intelligence services.   Thanks Jake.

Rick

Risk Based SecurityWe  are pleased to release our Data Breach Quick view report that shows 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents.  The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record (2011).

Although overshadowed by the number of exposed records, 2013 is also ranked #2 in total reported  data breach incidents, just behind 2012. “When you analyze the data breach activity in 2013 it’s hard to  find any bright-side, said Barry Kouns, CEO of Risk Based Security. “Four of the “Top 10” data breaches all time, were reported in 2013, including the top spot. “

Read the rest of this entry »

The Target Breach: Show Me The Insurance

The following article was first published by the Advisen Cyber Risk Network. If you haven’t checked it out, you should. Its extremely informative. And I’ll be a regular contributor.

Cheers.

Rick

By now, almost everyone has read or heard about – or even been directly impacted by – the theft of financial data relating to over 40 million credit and debit cards used at Target stores in November and December last year.

However, the insurance coverage aspects of the breach have generally flown under the radar.

To a company like Target (or whoever is affected by the next breach), the availability of insurance coverage is an important component of crisis management and remediation, litigation and regulatory investigation strategies, and reputational/brand/lost income protection.

So assuming Target has purchased potentially applicable insurance products, what coverages might apply?  And how might they respond?

At a minimum, it can be expected that Target will investigate the availability of coverage under four separate lines of insurance: Cyber, privacy and technology (CPT); general liability; crime/fidelity and; directors and officers liability policies.

Read the rest of this entry »

Cyber Security and Data Breaches: Why Directors and Officers Should Be Concerned

Following is an excerpt from the leading chapter in Willis London’s Executive Risks: A Boardroom Guide 2012/2013. If you would like to read the entire chapter, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

sec1

Cyber insurance has become a necessity. Every company that maintains, houses or moves sensitive information is at risk of a data breach, primarily due to the growth and increased sophistication of hackers, malicious software and, most recently, ‘hacktavists’. Even mere employee negligence can lead to a data breach. High-profile companies such as Sony can attest that cyber-intrusions can lead to hundreds of millions, if not billions, of dollars in legal exposure.

Equally troublesome, our expanding online society has introduced new financial risks and exposures that may not be covered under general and professional liability insurance products, including standard directors’ and officers’ (D&O) policies. As such, corporate directors and officers, and their risk-management professionals, must ensure that they buy appropriately tailored policies that provide protection against the rapidly expanding risks to which they could be vulnerable, both personally and professionally.

The risks and costs of a data breach

It has become known as the Year of the Breach: in 2011, companies of all sizes experienced malicious intrusions or employee negligence that affected their operations and/or businesses. For example, in April 2011, computer hacktavists unlawfully accessed the Sony PlayStation Network (PSN) and obtained the personal and financial information of roughly 77 million PSN users. Since then, Sony and its insurers likely have spent tens, if not hundreds, of millions of dollars to remedy and mitigate the resulting security and commercial crises — an amount that grows by the day as lawyers prosecute class action lawsuits on behalf of allegedly affected users whose personal and financial information was improperly accessed.

Equally problematic for Sony, it has been sued by its commercial general liability (CGL) insurer, which sought to avoid coverage by arguing that its general liability policies do not and never were intended to cover data breaches.

The TJX Companies also fell victim to a cyber intrusion that security experts predict will have long-term costs of between US$4 billion and US$8 billion in fines, legal fees, notification expenses and brand impairment. In the TJX case, the retail group reported that 45.6 million credit and debit card numbers were stolen from one of its systems during the period July 2005 to January 2007. Of critical import, the January 2007 intrusion occurred after TJX already had knowledge of the initial breaches.

Of course, big corporations are not the only entities that are vulnerable to hackers and hacktavisits; indeed, half of all companies that have experienced data breaches have fewer than 1,000 employees.

 

PDF24 Creator    Send article as PDF   

Cyber, Privacy and Technology Best Practices and Reputational Harm: Why Legal Professionals Need a Lawyer’s Advice, Counsel and Privileges

BabyB_LPlate_improvedIntroduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details. At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company). As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.
The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong. In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance. This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CBT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his and her lifeblood. Indeed, reputation translates to the bottom line. For better or worse.
And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is incumbent that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media. As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorneys’ clients – and by extension, the attorney himself and herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information (“PII”), personal health information (“PHI”) and/or confidential commercial information (“CCI”). It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.
It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals. Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney. Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do possess the critical protections afforded by the attorney-client relationship. In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

To continue reading, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

Edit PDF    Send article as PDF   

Canada Update: The Tort of “Intrusion upon Seclusion”

The following was written by my friend Patrick Cruikshank, Underwriting Manager, Specialty Risk – Professional Liability at Northbridge Insurance in Toronto. Thanks to Patrick for his contribution. Relevant articles are always welcome for publication.

Rick

canada-flag-stereotypesIn the 2012 case of Jones v. Tsige, the Ontario Court of Appeal established the new tort of invasion of privacy.  For some, this privacy tort has opened a Pandora’s Box.  For others, it’s considered legal progress in the modern technological world.

Sandra Jones and Winnie Tsige were employees of the Bank of Montreal (BMO).  They worked at different branches and did not know each other.  Tsige was in an intimate relationship with Jones’ ex-husband.

Over a period of 4 years, Tsige used her workplace computer to gain access to Jones’ personally identifiable information and personal financial information 174 times.  Tsige did not disseminate this information.

When Jones discovered this unauthorized access, she made a formal complaint to her employer, who upon investigation determined that Tsige had accessed Jones’ information and had no legitimate reason to do so.  Jones subsequently sued Tsige for invasion of privacy and breach of fiduciary duty.  She sought $70,000 in general damages plus $20,000 in punitive damages.

Jones’ claim was dismissed by the Ontario Superior Court because there was no law in Ontario that recognized an invasion of privacy tort.

The Court of Appeal overturned the decision and granted summary judgment in favor of Jones.

Read the rest of this entry »

Asia-Pacific Cyber Law Risks and Developments

We first published the following White Paper extract in October 2011. While the White Paper might be somewhat dated (and therefore will be refreshed shortly), it remains relevant for our friends interested in learning the basics of Asia Pacific cyber/privacy law. Please let me know if you’d like to see the entire paper. Rick

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity.

At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).

Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies

Read the rest of this entry »

Protecting Our Children from Internet Predators, Marketers and Information Aggregators: The Need for Aggressive Government Intervention

As everyone knows, the Internet has dramatically altered (read: simplified) the way we communicate, do business and satisfy our intellectual and social curiosities. Indeed, Internet-based sales topped the trillion dollar mark for the first time in 2012 and are projected to increase 18.3% to 1.298 trillion in 2013. I’d take that rate of growth any day, particularly in the current world economy.

Read the rest of this entry »

Canadians More Exposed Than One Would Think

canada-flag-stereotypesOkay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.

What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.

Read the rest of this entry »

The Insurance Industry: In Regulators’ Sights

If you’re an insurance company, it may be time to open your cyber-related checkbooks if you haven’t done so already. New York Governor Andrew Cuomo’s Department of Financial Services (“NYSDF”) soon may be watching you. They’re already asking questions as if certain insurers were “persons of interest,” just as it did earlier this year with certain of the larger banks.

On May 28, the NYSDF sent what are referred to as “308 letters” to 31 regulated health, life and general liability insurance companies (seemingly those with the highest premium revenue). The NYSDF’s letters request information on (1) the insurers’ existing IT-related management policies and procedures with respect to the prevention of cyber attacks, (2) actual cyber attacks occurring within the past three years, (3) the quantum of funds and resources dedicated to cybersecurity, and (4) how they safeguard customers’ and business entities’ health and personally identifiable information (the letters specifically identify financial information as a subject category).

Read the rest of this entry »

The Posts have Come Back… To Cyberinquirer


Since last we visited, your humble Publisher has moved on to the Law Offices of Richard J. Bortnick, where I am Managing Director (very European, if I do say so myself). A number of dedicated readers and friends (you know who you are) have asked what had become of me and why my old email address was no longer effective.

The answer my friend (apologies to Peter, Paul and Mary) is the Law Offices of Richard J. Bortnick. At the risk of having this viewed as attorney advertising, I will stop there other than to say I also will be signing as a free agent with a Consulting Firm to be named later (but not much later).

So, please feel free to contact me if you want to catch up, engage in intellectual banter (with the exception of Philadelphia sports, where the banter will all be negative) or have some worthwhile humor you’d like to pass along (although it can’t be as good as the material I get from my good friend Jeff). My new email address is rjbortnick@comcast.net (at least for the short term… stay tuned on that too).

Its good to be back. And thanks for all of your kind wishes.

Rick

Create PDF    Send article as PDF   

Cyber Liability Insurance: Ensuring Adequate Coverage in the Age of E-Commerce

I. Introduction: Insurance Products for Cyber Risks

Increasing reports of cyber intrusions, data theft and computer system malfunctions have led a rapidly-growing number of companies to purchase insurance coverage to protect themselves from technology and cyber privacy risks. Indeed, as our technology-driven economy continues to evolve and businesses become more reliant on electronic communication and data storage, they are developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. As such, prospective policyholders are becoming more cognizant of the necessity for insurance covering such growing exposures.

Read the rest of this entry »

Power to the People: Social Media Technologies Mediating Corporate Social Governance

The measure of effectiveness of a CEO and its executive board has always been the degree to which the business is achieving its purpose. Whether in Canada, the U.S., Europe or Asia, an executive board’s purpose should be to increase shareholder value, a purpose that is best accomplished by serving the needs of various stakeholders. Somewhere in the pyramid of stakeholders is the consumer or client, whose likes, favorites, and preferences must be met with quality personalized products and services that deliver high competitive value. In an interconnected global knowledge economy, this has meant listening to what consumers are saying online through social media platforms like Facebook and Twitter, and engaging in two-way conversations to respond in real-time to consumer demands.

Read the rest of this entry »

Who Owns Patient Data in Electronic Health Records?

Following is a guest post by Doug Pollack, CIPP/US, chief strategy officer at ID Experts, a leading provider of healthcare privacy and data breach solutions. The article explores the thorny issue of “ownership” as it applies to patient data stored in and shared by electronic health record systems.

Cheers.

Rick

I recently began exploring the question of who, or what entity, owns the data that is incorporated in our patient electronic health records (EHRs). I originally began thinking about this because I was imagining that the “owner” would be responsible under circumstances where there was an unauthorized disclosure of such protected health information (PHI), in other words a data breach. It seemed like such a simple question, I had assumed I would find the answer to be just as straightforward. As it turns out, many have pondered this question and suggest that the question of “ownership” of medical data may be a misplaced one, an unanswerable question, and that the more relevant question is what control the patient, and other members of the health ecosystem, have relative to accessing, modifying, appending and transmission of this data. In other words, how is patient privacy provided for within the new EHR universe?

Read the rest of this entry »

The Queen v. Cole: Privacy Protection for Employer-Issued Equipment in Canada

The recent decision The Queen v. Cole by the Supreme Court of Canada touches upon interesting issues regarding information privacy in the digital age.

The facts are simple. An information technologist working at the same high school as Mr. Cole, a teacher, remotely accessed Cole’s history of internet access and one of his drives and found a hidden file which contained nude photographs of a student. The photographs and internet file were copied onto a disc and given to the police, which determined that a search warrant was unnecessary. Cole was subsequently charged with possession of child pornography and fraudulently obtaining data from another computer hard drive. The trial judge excluded the computer material under Sections 8 and 24(2) of the Charter. In overturning the decision, the summary conviction appeal court found no breach of Section 8. This decision was set aside by the Ontario Court of Appeal, which concluded that the evidence of the disc containing the temporary internet files and the laptop computer and its mirror image was excluded. A 6-1 majority ruling by the Supreme Court concluded that the police infringed upon Cole’s rights but upheld the Court of Appeals’ finding that the evidence should not have been excluded from trial.

Read the rest of this entry »

It’s Time for Professionals to Practice What They Preach

The following column appeared in the September 2012 issue of the Advisen Cyber Journal. I hope it resonates with our legal eagle subscribers. If not, then your brokers (and I) have more work to do.

Cheers.

Rick

Lawyers typically fancy themselves as the smartest people in the room. Many certainly have the largest egos in the room. But when it comes to keeping their own houses in order? Well, not so much. Its akin the shoemaker whose children go barefoot.

The same flaw appears to apply with equal force and effect with respect to accountants. And consultants. And, perhaps most incredibly, insurance brokers.

Perhaps you’ve figured out where I’m going with this. But in case you haven’t, here’s what I’m getting at. Counter-intuitive as it may seem, anecdotal reporting from a number of underwriters I’ve spoken with suggest that intelligent, thoughtful, (sometimes) rational people who bill others hundreds of dollars an hour or make sizable commissions for dispensing professional advice do not abide by their own wisdom and don’t buy cyber/technology/privacy (“CTP”) insurance.

Read the rest of this entry »

State Privacy Laws Evolve While Congress Campaigns

New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.

Connecticut

At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.

Read the rest of this entry »

Human Error: The Greatest Risk and Root Cause of Data Security

Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While they tend to possess greater network security than smaller organizations, the risk of human error should be of particular a concern to medium and large size organizations whose internal controls over data and employees are inevitably diluted by their size and numbers.

Read the rest of this entry »

Data Privacy and Unauthorized Non-Hackers: the Rise and Risk of Accountability and Breach Notifications in Canada

Recent unauthorized access to British Columbia Institute of Technology’s computer network, which contained personal medical information of approximately 12,680 individuals, is yet another reminder of risks of exposure to data breaches. That none of the data on BCIT’s computer network was compromised or misused is reflective of a low-profile non-hacker intrusion, and of the ease with which computer networks can be infiltrated. Indeed, a sophisticated hacker would know better than to leave massive amounts of data, rightly labeled by some as the “oil” of the 21st century, uncompromised. More curious than uncompromised data, however, is BCIT’s notification in the absence of an actual data breach, and mandatory breach notification provisions under B.C. privacy law.

Read the rest of this entry »

First Circuit Court of Appeals Holds Bank’s Online Security Measures “Commercially Unreasonable” in Landmark Decision

In a landmark decision, the First Circuit Court of Appeals held in Patco Construction Company, Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012) that People’s United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 which had been stolen from PATCO’S bank account. In so doing, the Court reversed the decision of the United States District Court for the District of Maine which had granted summary judgment in the bank’s favor.

The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO. While the bank’s security system flagged each one of the transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, the bank’s security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not “commercially reasonable” under the Uniform Commercial Code, as codified under Maine Law.

Read the rest of this entry »

Past the Point of No Return: Jones v. Tsige and the “New” Tort of Invasion of Privacy in Canada

Jeremy Bentham used to refer to the common law as the “dog law”. As he explains it, “whenever your dog does anything you want to break him of, you wait till he does it, and then beat him for it. This is the way you make laws for your dog: and this is the way the judges make law for you and me.” .

Insofar as the tort of invasion of privacy in Canada is concerned, Jeremy Bentham was arguably right. Aside from the province of Quebec, which is governed by a civil law system, and a few other provinces in Canada which have benefited from a statutorily enacted tort of invasion of privacy, lower Courts have been divided over the existence of a free-standing tort of invasion of privacy at common law. The recent decision Jones v. Tsige (2012) by the Ontario Court of Appeal is the first to confirm that what used to be an embryonic tort of invasion of privacy is now alive and well in Canada

Read the rest of this entry »

Cyber-security in a Hyperconnected World

The cyber-attacks recently launched by six individuals from the group Anonymous, an international hacktivist collective, against 13 Quebec government and police websites are but a fleeting glimpse of a much broader problem associated with the cyber world, most of which remains largely unseen. Succinctly stated, the cyber-attacks were a response to the Quebec Liberal party’s constitutionally questionable Bill 78 that was recently passed as a response to the student crisis sparked three months ago over the government’s planned 75% tuition increase. That six individual were arrested by law enforcement agencies and charged with mischief, conspiracy, and unlawful use of a computer should hardly be reassuring.

Read the rest of this entry »

Insurers: Assert Your Subrogation Rights

The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).

Rick

It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, its development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.

At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.

Read the rest of this entry »

Will SEC Guidance Awaken Private Companies To Cyber Insurance Needs?

The following article was first published in Advisen’s inaugural Cyber Liability Journal (here) as my first regular column. The second Journal was published today and is available from Advisen at http://corner.advisen.com/journals.html (here). I will republish my second column in the coming days.

Rick

Many who underwrite or broker insurance, or practice law in the cyber/technology/privacy (“CTP”) realm migrated to this emerging area from the directors and officers liability regime. At the same time, it did not take a crystal ball to recognize that it was only a matter of time before CTP and D&O found a commonality. And that time is now.

Virtually every public and private company is reliant on computer networks and electronic data. It’s a way of life in the 21st Century. And there’s no going back. Yet with reliance comes risk. It seems we read about significant CTP breaches involving large, multinational companies almost on a weekly basis. CTP breaches have become a well-recognized risk of doing business. Estimates project that over 10 percent of us already have been hacked or had their identities stolen. I am among them.

Read the rest of this entry »

FAA v. Cooper and the Federal Privacy Act: Narrow Interpretation, Broad Consequences

With its March 28, 2012 decision in Federal Aviation Administration, et al. v. Cooper, 132 S. Ct. 1441 (U.S. 2012), the United States Supreme Court restricted the scope of a federal privacy law, ruling that the law – which allows recovery for “actual damages” – only authorizes damages for monetary losses. Accordingly, a San Francisco pilot was not permitted to recover humiliation and emotional distress damages from government agencies that disclosed his HIV-positive status without his consent.

In 1964, Stanmore Cooper (“Cooper”) obtained his pilot’s license from the Federal Aviation Administration (“FAA”). In 1985, Cooper was diagnosed with HIV and began taking antiretroviral medication. At that time, the FAA did not issue medical certificates to persons with HIV, so Cooper gave up his pilot’s license, knowing that he would not qualify for renewal of his medical certificate. However, in 1994, Cooper re-applied for a pilot’s license and, to receive a medical certificate, purposefully withheld his HIV-positive status and medication from the FAA. He renewed his certificate four more times and as recently as 2004, each time withholding information about his condition. When Cooper’s health began to deteriorate, he applied for long-term disability benefits and, to substantiate his claim, disclosed his HIV-positive status to the Social Security Administration (“SSA”), which awarded him disability benefits.

Read the rest of this entry »

If the Glove Fits, You Must Defend

Trade dress insurance coverage is alive and well. At least in Wisconsin. In Acuity v. Ross Glove Company, 2012 WL 1109035 (Wis. Ct. App. April 4, 2012), the Wisconsin Court of Appeals held that an insurer’s duty to defend was triggered under advertising injury liability coverage where the underlying complaint set forth allegations of trade dress infringement.

In the Acuity case, Ross Glove purchased a commercial general liability policy from Acuity, which included advertising injury liability coverage. The policy at issue defined “advertising injury”, in part, as “infringing upon another‘s copyright, trade dress or slogan in your advertisement.”

Read the rest of this entry »

WARNING: HHS Now Combating HIPAA Violations With HITECH Weaponry

On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).


The HITECH Act and HIPAA Enforcement

HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”

Read the rest of this entry »

Access to Insured’s Social Media Accounts: No Friend Request Necessary

The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here.

Rick Bortnick

Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request. Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.

Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.

In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation.

Read the rest of this entry »

The Coverage Question

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.

Read the rest of this entry »

An Insurer’s View: Examining the Rising Costs of Breaches

The following article, written by reknowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.

Rick Bortnick

Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.

The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.

Read the rest of this entry »

Insurance Recovery for Loss or Liability Arising from Cyberattacks: Obtain and Preserve Insurance for Your Company’s Protection

The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott’s personal site, Corporate Insurance Blog, after being published by Hospitality Upgrade magazine. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro.

Rick Bortnick

It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks. A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies. According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves. Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds. Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes. Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability. Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.

Read the rest of this entry »

New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.

Read the rest of this entry »

Keep Your Friends Close, But Your Facebook Posts Closer

“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material, because there is no confidential social networking privilege under Pennsylvania law and because the Stored Communications Act only applies to internet service providers. The take-away for Facebook users: be careful what you post – it’s not as “private” as you think!

Read the rest of this entry »

Join Us At The Upcoming PLUS Northwest Chapter Cyber Workshop

We’re only two weeks away from the season’s premier cyber education event: The PLUS Northwest Chapter & IIABKC Cyber Workshop, to be held on December 7 (a date which will live in infamy), 2011 at the Washington Athletic Club in downtown Seattle. This will be my first trip to Seattle, so I’m really looking forward to it, as well as to meeting those of you who attend. The panel is entitled Emerging Issues Surrounding Cyber Privacy and Security Risk and will run for a full three-hours (with a corresponding 3 Washington state CE credits), from 1.30 PM to 4.30 PM, to be followed by the always popular cocktail reception. The cost is to attend is dirt cheap, given the panelists and topic, as its $40 for PLUS members and $60 for non-members.

So, you’re wondering, who are the panelists? Well, PLUS Northwest has assembled a crackerjack lineup of the following special guest speakers:

David Molitano,Vice President/Division Manager, Content Technology & Services at OneBeacon Professional Insurance; Kimberly Horn, Claims Manager for Technology, Media and Business Services at Beazley Group; and Karl Peterson, Senior Vice President, E&O and eRisk Product Team at Willis Executive Risks Practice.

You’ll only get this quality of presenter at the PLUS Northwest Chapter event. Don’t be fooled by pretenders or others promoting cyber conferences with lesser lights. This is THE cyber event to attend. And the post-workshop cocktail reception is an added bonus.

Please feel free to contact PLUS or me if you have any questions or would like further details about the Workshop. We look forward to seeing you there! And, in particular, meeting with you afterwards. Plus (no pun intended), for Cyberinquirer subscribers only, the first cocktail is on me. Just flip an email and let me know you’re coming.

Rick

www.pdf24.org    Send article as PDF   

Cyberinquirer Named As One of LexisNexis’s Top Insurance Blogs of 2011

With the help of our readers, Cyberinquirer has again been named as one of LexisNexis’s Top Insurance blogs 0f 2011. We are obviously flattered, particularly in view of the quality of the other blogs selected to this august list. It shows that people are reading what we have to say. And that, perhaps, they are interested in what we have to say. We sure hope that to be the case. We love thinking, reading and talking about tech, privacy and cyber related issues (yeah, admittedly we’re geeks). And we hope that you, our readers, gain from our insights, even if you don’t always agree with them.

So now that we’ve been recognized by LexisNexis for the second straight period, maybe some of you, our readers, will be more comfortable authoring a piece we can post. Remember, this blog is open to all relevant, responsible submissions, be they articles, commentaries, or just comments on something we have said that strikes a chord. If you’ve got something to say that may be of interest to others in the community, email it to me at rbortnick@cozen.com and I will get back with you promptly. We strive to publish fresh, interesting content on a regular basis, but its not always easy, as we do maintain law practices. And have other commitments. So flip your authored pieces. We’d actually appreciate it.

Needless to say, we couldn’t have done this on our own. So the honor is not just for us, but for you too. Thanks.

PDF Creator    Send article as PDF   

The Hospitality Industry Revisited: Does Your Company Have Proper Coverage?


101387303-a0006-000338.530x298In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.

And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not out of the clear. And, things may be getting worse as the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).

Read the rest of this entry »

Would Your Company’s Insurance Cover a Cyberattack?

The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, Corporate Insurance Blog. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment will gladly be published (promptly…). Please feel free to forward them to me at your convenience.

Rick Bortnick

On October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.” Would your insurance policies cover those events? Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story. These attacks and threats do not appear to be on a downward trend. They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend. The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.” Themore recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.

Read the rest of this entry »