October 22, 2011 - In handing down its decision yesterday in Wayne Crookes and West Coast Title Search Ltd. v. Jon Newton, the Supreme Court of Canada struck an important blow for certainty as far as Canadian internet publishers and users are concerned. The case, appealed from the British Columbia Court of Appeal, concerned a website operated by Newton. An article he posted on it contained hyperlinks to other websites, which in turn contained information about Crookes. Crookes sued Newton alleging that two of the hyperlinks connected to defamatory material, and that by using the hyperlinks, Newton was himself “publishing” the defamatory material. Read more...
Trade dress insurance coverage is alive and well. At least in Wisconsin. In Acuity v. Ross Glove Company, 2012 WL 1109035 (Wis. Ct. App. April 4, 2012), the Wisconsin Court of Appeals held that an insurer’s duty to defend was triggered under advertising injury liability coverage where the underlying complaint set forth allegations of trade dress infringement.
In the Acuity case, Ross Glove purchased a commercial general liability policy from Acuity, which included advertising injury liability coverage. The policy at issue defined “advertising injury”, in part, as “infringing upon another‘s copyright, trade dress or slogan in your advertisement.”
The following article was co-written by my Health Care Department colleagues Sal Rotella and Bill Conaboy. Thanks guys!
Rick
On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).
The HITECH Act and HIPAA Enforcement
HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”
Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet. Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.
The cloud’s economic benefits are clear. Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.
Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:
The following article was first published by our colleague Michael Schmidt on his blog, Social Media Employment Law Blog. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike.
Two weeks ago, I discussed the California case of PhoneDog v. Kravitz, where an employee, who used a company Twitter account as part of his job duties, left the company and continued to use the same Twitter account and tweet to the same followers. The (former) employee claimed that he had the right to continue tweeting, and PhoneDog responded that he was barking up the wrong tree (best I could do at the moment). As I mentioned in my last post, the court had denied the employee’s attempt to dismiss the entire case at inception, and allowed the company to amend its complaint to provide more specificity on some of its claims. Time for an update.
The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here.
Rick Bortnick
Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request. Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.
Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.
In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation.
The following article was first published by our colleague Michael Schmidt on his blog, Social Media Employment Law Blog. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike.
What would you do if your employee continued to use your company’s Twitter account after he stopped working for you?
What if your (former) employee claimed that he, not your company, actually owned the rights to the Twitter followers?
Ever thought about it?
I have posted several times about how social media has not created new causes of action, but rather has provided a new application for traditional claims. One of the areas that I surmised would develop in time was the interplay between social media and post-employment competition and trade secret rights. According to two new decisions, that time has apparently come.
In PhoneDog v. Kravitz (Northern District of California), the company gave its employee (Kravitz) use of a Twitter account as part of his employment. Kravitz tweeted information to promote the company’s services, and generated approximately 17,000 followers. Kravitz left the company, and, while he changed the account “handle”, he continued to use the same account to tweet to the same followers. PhoneDog sued Kravitz for continuing to use the Twitter account, claiming that the “compilation of subscribers and the password used to access the account” constituted company trade secrets. Valuing each of the 17,000 followers at $2.50, the company sought damages of $340,000 for “stealing” each of those followers for 8 months.
We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.
The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.
Rick Bortnick
As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.
To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.
Posted December 16th, 2011 by Rick WelshcloseAuthor: Rick WelshName: Rick Welsh Email: rickwelsh@me.com Site: About: Rick has been a Lead London Market cyber underwriter since 2000 with underwriting and broking experience in Asia Pacific, Australasia and Europe.See Authors Posts (1)
The following article, written by reknowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.
Rick Bortnick
Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.
The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.
Posted December 15th, 2011 by Scott GodescloseAuthor: Scott GodesName: Scott Godes Email: sgodes@gmail.com Site:http://corporateinsuranceblog.com About: Scott Godes is an experienced trial lawyer who represents corporate policyholders and insureds on all issues relating to insurance coverage and insurance claims. Scott is a computer geek at heart (find him on Twitter at @insurancecvg) and as soon as he saw that there was a need for particular specialized work with respect to ensuring that insurers properly cover claims for cybersecurity, data breach, and privacy claims, he immediately focused on the area in earnest, so that he could join his professional background and personal interests. Scott represents and counsels corporate insurance policyholders regarding insurance coverage for computer data, hardware, and software claims; data breaches; and online services.
Because of his background and the length of time that he has been focusing on these issues, his peers in the insurance coverage community have made him a co-chair of the ABA’s Computer Technology Subcommittee of the Insurance Coverage Litigation Committee. It’s been said that Scott wrote the book on insurance coverage for these issues, but more accurately, he wrote the book chapter on these issues. He is the author of the insurance coverage for cybersecurity and intellectual property risks chapter in the leading insurance coverage liability treatise (Appleman Law of Liability Insurance) and also wrote the Cyber Security section of the Insurance chapter in the Corporate Compliance Practice Guide (LexisNexis 2009). The net of his experience and writing background is that he is comfortable discussing these issues with insurance coverage lawyers and courts, but more importantly, he can explain potential risks and needs to technologists and corporate officers. Outside of his more formal writing, you can follow his thoughts on coverage issues on Twitter http://twitter.com/insurancecvg or his blog http://corporateinsuranceblog.com (which was one of Lexis’ top insurance blogs for 2009). His bio on LinkedIn is found at http://www.linkedin.com/in/scottgodes.See Authors Posts (2)
The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott’s personal site, Corporate Insurance Blog, after being published by Hospitality Upgrade magazine. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro.
Rick Bortnick
It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks. A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies. According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves. Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds. Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes. Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability. Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.
Needless to say, the discoverability of social media posts is an important issue for litigants on both sides of the “v” and will continue to be the subject of fiercely-litigated motion practice. We will monitor the issue and post updates as courts across the country rule on this imporant, oftentimes substantively dispositive, issue.
Rick Bortnick
One of the high-profile battles being fought in the social media world continues to be over the ability of one party in a lawsuit to compel the other party to produce messages, posts, pictures, and other “private” things done over a social networking site like Facebook. The trend continues to reveal that courts are willing to compel disclosure in the right circumstances, and the most recent decision issued by a New York appellate court is no different.
In Patterson v. Turner Construction Company (New York Supreme Court, Appellate Division, First Department, October 27, 2011), the plaintiff sued for personal injury damages that included physical and psychological injuries that he claims to have suffered. During the lawsuit, the defendant asked the court to direct the plaintiff to provide an authorization allowing defendant to obtain “all of plaintiff’s Facebook records compiled after the incident alleged in the complaint, including any records previously deleted or archived[.]” The plaintiff, obviously, fought that request.
Posted December 10th, 2011 by John DoernbergcloseAuthor: John DoernbergName: John Doernberg Email: jdoernberg@wgains.com Site: About: John Doernberg is a Vice President at William Gallagher Associates in Boston and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston.See Authors Posts (1)
As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!
Rick Bortnick
Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.
The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.
Posted December 2nd, 2011 by Andrea CortlandcloseAuthor: Andrea CortlandName: Andrea Cortland Email: acortland@cozen.com Site: About: Andrea Cortland joined Cozen O’Connor’s Philadelphia office in September 2009 as an Associate in the Global Insurance Group. Prior to joining the firm, she participated in the Cozen O’Connor Summer Associate Program.
Andrea earned her law degree, magna cum laude, from the University of Miami School of Law, where she was Symposium Editor of the University of Miami Inter-American Law Review, a member of the Moot Court board, and a Dean's Fellow in the Academic Achievement Program. She organized a symposium entitled "Righting Wrongs? The Inter-American System of Human Rights after 50 Years," in celebration of the 30th anniversary of the Inter-American Court of Human Rights, the 40th anniversary of the American Convention on Human Rights, and the 50th anniversary of the creation of the Inter-American Commission on Human Rights. The symposium discussed the roles the court and commission have played in furtherance of human rights throughout the Americas and addressed current areas of concern. Andrea also wrote a comment note, "United States v. Burns: Canada's Extraterritorial Extension of Canadian Law and Creation of a Canadian 'Safe Haven' in Capital Extradition Cases," which was published in Volume 40 of the University of Miami Inter-American Law Review in Fall 2008.
Andrea earned her undergraduate degree, summa cum laude, from the Rutgers College Honors Program of Rutgers University.See Authors Posts (1)
“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material, because there is no confidential social networking privilege under Pennsylvania law and because the Stored Communications Act only applies to internet service providers. The take-away for Facebook users: be careful what you post – it’s not as “private” as you think!
We’re only two weeks away from the season’s premier cyber education event: The PLUS Northwest Chapter & IIABKC Cyber Workshop, to be held on December 7 (a date which will live in infamy), 2011 at the Washington Athletic Club in downtown Seattle. This will be my first trip to Seattle, so I’m really looking forward to it, as well as to meeting those of you who attend. The panel is entitled Emerging Issues Surrounding Cyber Privacy and Security Riskand will run for a full three-hours (with a corresponding 3 Washington state CE credits), from 1.30 PM to 4.30 PM, to be followed by the always popular cocktail reception. The cost is to attend is dirt cheap, given the panelists and topic, as its $40 for PLUS members and $60 for non-members.
So, you’re wondering, who are the panelists? Well, PLUS Northwest has assembled a crackerjack lineup of the following special guest speakers:
David Molitano,Vice President/Division Manager, Content Technology & Services at OneBeacon Professional Insurance; Kimberly Horn, Claims Manager for Technology, Media and Business Services at Beazley Group; and Karl Peterson, Senior Vice President, E&O and eRisk Product Team at Willis Executive Risks Practice.
You’ll only get this quality of presenter at the PLUS Northwest Chapter event. Don’t be fooled by pretenders or others promoting cyber conferences with lesser lights. This is THE cyber event to attend. And the post-workshop cocktail reception is an added bonus.
Please feel free to contact PLUS or me if you have any questions or would like further details about the Workshop. We look forward to seeing you there! And, in particular, meeting with you afterwards. Plus (no pun intended), for Cyberinquirer subscribers only, the first cocktail is on me. Just flip an email and let me know you’re coming.
With the help of our readers, Cyberinquirer has again been named as one of LexisNexis’s Top Insurance blogs 0f 2011. We are obviously flattered, particularly in view of the quality of the other blogs selected to this august list. It shows that people are reading what we have to say. And that, perhaps, they are interested in what we have to say. We sure hope that to be the case. We love thinking, reading and talking about tech, privacy and cyber related issues (yeah, admittedly we’re geeks). And we hope that you, our readers, gain from our insights, even if you don’t always agree with them.
So now that we’ve been recognized by LexisNexis for the second straight period, maybe some of you, our readers, will be more comfortable authoring a piece we can post. Remember, this blog is open to all relevant, responsible submissions, be they articles, commentaries, or just comments on something we have said that strikes a chord. If you’ve got something to say that may be of interest to others in the community, email it to me at rbortnick@cozen.com and I will get back with you promptly. We strive to publish fresh, interesting content on a regular basis, but its not always easy, as we do maintain law practices. And have other commitments. So flip your authored pieces. We’d actually appreciate it.
Needless to say, we couldn’t have done this on our own. So the honor is not just for us, but for you too. Thanks.
In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.
And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not out of the clear. And, things may be getting worse as the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).
Posted November 2nd, 2011 by Scott GodescloseAuthor: Scott GodesName: Scott Godes Email: sgodes@gmail.com Site:http://corporateinsuranceblog.com About: Scott Godes is an experienced trial lawyer who represents corporate policyholders and insureds on all issues relating to insurance coverage and insurance claims. Scott is a computer geek at heart (find him on Twitter at @insurancecvg) and as soon as he saw that there was a need for particular specialized work with respect to ensuring that insurers properly cover claims for cybersecurity, data breach, and privacy claims, he immediately focused on the area in earnest, so that he could join his professional background and personal interests. Scott represents and counsels corporate insurance policyholders regarding insurance coverage for computer data, hardware, and software claims; data breaches; and online services.
Because of his background and the length of time that he has been focusing on these issues, his peers in the insurance coverage community have made him a co-chair of the ABA’s Computer Technology Subcommittee of the Insurance Coverage Litigation Committee. It’s been said that Scott wrote the book on insurance coverage for these issues, but more accurately, he wrote the book chapter on these issues. He is the author of the insurance coverage for cybersecurity and intellectual property risks chapter in the leading insurance coverage liability treatise (Appleman Law of Liability Insurance) and also wrote the Cyber Security section of the Insurance chapter in the Corporate Compliance Practice Guide (LexisNexis 2009). The net of his experience and writing background is that he is comfortable discussing these issues with insurance coverage lawyers and courts, but more importantly, he can explain potential risks and needs to technologists and corporate officers. Outside of his more formal writing, you can follow his thoughts on coverage issues on Twitter http://twitter.com/insurancecvg or his blog http://corporateinsuranceblog.com (which was one of Lexis’ top insurance blogs for 2009). His bio on LinkedIn is found at http://www.linkedin.com/in/scottgodes.See Authors Posts (2)
The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, Corporate Insurance Blog. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment will gladly be published (promptly…). Please feel free to forward them to me at your convenience.
A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.
Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.
Its not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that ”the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director or officer of a company that does not “comply” with the DCF’s ”recommendations.”
Businesses that necessarily require their customers to disclose credit card and personal information, beware. Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for ”mitigation damages” arising from alleged negligence and breach of contract were viable. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).
In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported.
Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards. Some financial institutions, which refrained from immediately canceling the credit card, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.
On October 17, 2011, the U.S. Court of Appeals for the Tenth Circuit issued a much-anticipated decision addressing the scope of “Advertising Injury” (“AI”) coverage for patent infringement claims. Dish Network Corp. v. Arch Specialty Ins. Co., No. 10-1445, __ F.3d __ , 2011 U.S. App. LEXIS 20955 (10th Cir. 2011), rev’g, 734 F. Supp. 2d 1173 (D. Colo. 2010). The court, applying Colorado law, reversed a decision from the District of Colorado in which that court granted summary judgment to the insurers. In the underlying action, the plaintiff alleged that Dish Network Corp. (“Dish”) had infringed one or more of twenty-three patents by “making, using, offering to sell, and/or selling . . . automated telephone systems, including . . . the Dish Network customer service telephone system, that allow[s] Dish’s customers to perform pay-per-view ordering and customer service functions over the telephone.” The Tenth Circuit concluded that the record was unclear about how Dish actually used the technologies at issue, but that some of the patent-holder’s most well-known innovations involved interactive call processing.
I recently attended a CLE that had a panel of social media experts who were discussing the role of Facebook, Twitter and MySpace in litigation. During a lull in the question and answer session, the Facebook attorney quipped: “you know, Facebook has already given you everything that you’ve ask for…” Immediately, the audience lifted their heads from their Blackberries and newspapers and started paying attention after this cryptic remark.
Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.
The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity. At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers.
75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011). Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.
Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…
At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.
First published on September 22, 2011 at e-Discovery Law Review Monetary sanctions, attorneys fees, and adverse inference jury instructions are the more common type of sanctions imposed on litigants for the spoliation of evidence, or not producing relevant documents. Recently, however, a court has increased the severity and impact of sanctions by applying them not only to current litigation, but also to a party’s future litigation, with the effects lingering for years to come.
The Underlying Suit
“Any competent electronic discovery effort would have located this email.” These words were written in an opinion by a United States District Judge in the Eastern District of Texas in Green v. Blitz U.S.A., Inc., No. 2:07-CV-372 (E.D. Tex., Mar. 1, 2011) Green involved a product liability suit in which the requirement of a flame arrester was in dispute. The jury returned a defense verdict, and the plaintiff collected a low settlement amount as part of a high-low settlement agreement. During discovery in a subsequent case with the same defendant and plaintiff’s counsel, counsel learned of documents that were not produced in Green. The plaintiff then filed a motion for sanctions against the defendant in Green and a motion to re-open the Green case. While the court denied the motion to re-open because the statute of limitations had expired, the court did impose sanctions for the discovery abuse.
The protracted copyright infringement class action by freelance writers seeking compensation for pieces published without authorization in various online databases has hit another roadblock.
In re Literary Works in Electronic Databases Copyright Litigation involves claims for infringement of works as to some of which the copyrights are registered and the vast majority are unregistered. This detail – the registered/non-registered distinction – keeps stymieing resolution of the case. In 2007, after the parties had spent years negotiating a settlement and gaining district court approval, the Second Circuit threw out the settlement, holding that the district court lacked subject matter jurisdiction to approve the settlement because many of the claims to be resolved were based on unregistered works, and registration is a jurisdictional predicate to a copyright infringement suit. The Supreme Court finally reversed in 2010, and the parties went back to the district court and again gained approval of the settlement.
The ABA has issued a formal ethics opinion that provides guidance to lawyers whose clients use an employer’s email account to send or receive email from counsel. In Formal Opinion 11-459, the Standing Committee on Ethics and Professional Responsibility urges lawyers to warn their clients that the confidentiality of electronic communications may be jeopardized if the employer or other third party, such as a hotel or library, has the potential to access email or other correspondence hosted on the third party’s computer system.
When clients use an employer’s computer, smartphone or other telecommunications device, or an employer’s email account, the employer may be able to obtain access to the communications and take advantage of that opportunity in various contexts, such as when the client is engaged in an employment dispute or when the employer is responding to a subpoena or document discovery in litigation.
A recent Ninth Circuit opinion on class certification demonstrates both the potentially fact-intensive nature of class action “typicality” issues and the importance of substantive law in determining whether common issues predominate over individual issues.
In Stearns v. Ticketmaster Corp., the Ninth Circuit Court of Appeals reviewed several decisions denying class certification to various plaintiffs challenging an allegedly deceptive internet scheme involving Ticketmaster and its one-time affiliate, Entertainment Publications, Inc. (“EPI”). At issue is a link on Ticketmaster’s website to EPI’s Entertainment Rewards program, which allows members paying a monthly fee to download printable coupons.
I. Introduction: Insurance Products for Cyber Risks
Increasing reports of cyber intrusions, data theft and computer system malfunctions have led a rapidly-growing number of companies to purchase insurance coverage to protect themselves from technology and cyber privacy risks. Indeed, as our technology-driven economy continues to evolve and businesses become more reliant on electronic communication and data storage, they are developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. As such, prospective policyholders are becoming more cognizant of the necessity for insurance covering such growing exposures.
The Clerk for the U.S. District Court for the Eastern District of Pennsylvania recently ruled that there is a heavy presumption that prevailing parties may recover certain e-discovery costs under 28 U.S.C. § 1920. Federal Rule of Civil Procedure 54(d)(1) allows prevailing parties to submit bills of costs for certain expenses, enumerated in 28 U.S.C. § 1920, for taxation by the Clerk against the non-prevailing parties. For example, that statute provides for the taxation of costs related to obtaining copies of transcripts and printing. More significantly, the statute provides for the taxation of “[f]ees for exemplification and the cost of making copies of any materials where the copies are necessarily obtained for use in the case.” 28 U.S.C. § 1920(4). While the term “exemplification” is undefined, federal district clerks have traditionally awarded, as exemplification and copying costs, those costs related to the production of paper documents, photographs, models, maps, blow-ups, charts, and diagrams.
In addition to being a trademark geek, I could be accurately accused of also being a tech geek. A “geek” is someone who loves using, and helping other people use, technology to help simplify his or her life. Best Buy, capitalizing on this endearing term for electronic lovers, created the Geek Squad, a tech support service. Their distinctive orange and black cars marked with their trademarked logo can be called out to provide in-home support or they are just a phone call away to help you with your technological needs.
There’s not too many other words other than geek that convey the nerdy type of people who love technology, but Best Buy is taking action against others who use “geek” for this purpose in their slogans. In a recent lawsuit against Newegg.com, Best Buy claimed trademark infringement over Newegg’s slogan “Geek On,” saying that the similarity between the motto, in addition to using orange and black in their logo, breaches their rights. And this is neither the first, nor the last, time that Best Buy will sue companies over this issue.
During the last decade, individuals and business have changed the way they manage their data by moving this data management offsite – otherwise known as cloud computing. This differs from the old model of information management that, more or less, mirrored the pre-computing era, meaning that an employee’s file might be kept in a cabinet in a Human Resources (“HR”) office or stored on a company’s in-house server. With cloud computing, however, that same employee file may be stored hundreds or thousands of miles away from the HR officer who needs to review it – or the IT officer tasked with preserving that data for potential litigation.
As discussed more fully in Rick Bortnick’s prior posts (here and here), cloud computing outsources data and software management, migrating it from the local to the global by providing instant access over the internet. According to the National Institute of Standards and Technology, cloud computing has five primary characteristics: (1) “on-demand self-service,” or the ability to call up stored data or capabilities as needed; (2) broad network access through a variety of platforms; (3) pooling resources providing “location independence”; (4) “rapid elasticity” in the distribution of computing capabilities, and (5) “measured service,” or service-appropriate control and optimization by the cloud system manager rather than the local user. It is the pooling of resources and the measured service managed by third-parties that pose the greatest risks during e-discovery. Read the rest of this entry »
Faced with revitalizing a deteriorated economy, formulating a national budget, and the aftermath of Osama Bin Laden’s death, President Barack Obama has his hands full. Yet, in the midst of all the issues commanding the White House’s attention, the Obama Administration somehow has found time to address the threats to our nation’s cyber security.
According to Business Insurance, on Thursday, May 12, 2011, the Obama Administration proposed cyber security legislation to improve protection for individuals and the federal government’s computer and network systems. The proposed legislation would address national data breach reporting by creating simpler and standardized reporting requirements for the 47 states that contain such requirements. The proposal would also synchronize penalties for computer crimes with other crimes. Additionally, the government, through the Department of Homeland Security, would become directly involved in assisting the industry as well as state and local governments in policing and enforcing cyber security. The proposed legislation encourages the state and local governments to share information with the Department of Homeland Security about cyber threats or related incidents by providing them with immunity for doing so. Read the rest of this entry »
Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.
If anyone still harbors the notion that video games are simple distractions from the age of Pong, they haven’t seen the latest statistics. One of the most popular games released last year, “Call of Duty: Black Ops”, generated $650 million in the first five days of sales and exceeded $1 billion in record time. The achievement put the game in the company of Michael Jackson’s “Thriller” album and James Cameron’s movie “Titanic.” As a whole, the video game industry has been valued at over $100 billion. That massive size and scope makes the impact of a cyber attack all the more devastating.
Following the publication of our original post on the implications of a cyber attack on investors’ securities portfolios (see here), we have been asked by scores of readers whether securities fraud litigation arising from cyber crime has ensued. Not surprisingly, the answer is “yes.”
Indeed, we have located at least two such cases, one a putative securities fraud class action against a payment processing company and the second an SEC initiated action against a private investor. The results may (or may not) surprise you, depending on your perspective of trial courts’ levels of judicial activism and willingness to render substantive decisions at early stages of litigation.
In re: Heartland Payment Systems, No. 09-1043 (D.N.J. Dec. 07, 2009) remains the paradigm for such litigation. To facilitate its payment processing services, Heartland Payment Systems (“Heartland”) stored millions of credit and debit card numbers on its internal computer network. In December 2007, hackers launched a Structured Query Language Attack (“SQL attack”) on Heartland’s payroll management system. To its credit, Heartland was able to successfully avert the attack before any personally identifiable information was stolen. At the same time, however, the company failed to detect malicious software (“malware”) which had been placed on the network by the SQL attack. The malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers. Heartland did not discover the breach until January 2009, at which time it notified government authorities and publicly disclosed the event. Over the course of the following month, Heartland’s stock price dropped over $15 per share. Perhaps not surprisingly, shareholder class actions ensued.
In their complaint, plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. Specifically, plaintiffs claimed that the defendants concealed the SQL attack and misrepresented the general state of Heartland’s data security. Plaintiffs further alleged that the defendants’ conduct was fraudulent because they were aware that Heartland’s network had been breached, yet they had not fully remedied the problem Read the rest of this entry »
Posted April 16th, 2011 by Daisy KhambattacloseAuthor: Daisy KhambattaName: Daisy Khambatta Email: dkhambatta@cozen.com Site:http://www.cozen.com/attorney_detail.asp?d=1&atid=1265 About: Daisy Khambatta is an associate in Cozen O’Connor’s Chicago office and a member of the Global Insurance Group. Daisy focuses on representing client’s in all aspects of the insurance and reinsurance business, including claims counseling, litigation and arbitration, regulatory issues and government relations, and formation of captive insurers and risk retention groups. Her practice includes the handling of issues involving commercial, primary, umbrella, excess and surplus lines, and reinsurance.
Daisy devotes a substantial portion of her practice to defending companies against toxic tort claims. Currently, she serves as national coordinating counsel for a manufacturer of heat processing equipment involved in asbestos lawsuits. Her experience includes implementing the defense strategy and overseeing the handling of lawsuits through all phases of litigation. She has represented a wide range of companies against various types of mass tort claims, including asbestos, silica, benzene, and coal workers pneumoconiosis suits throughout Illinois and the state of Texas.
Daisy was named by Law & Politics Magazine as an Illinois Super Lawyers’ Rising Star 2010 in the area of Insurance Coverage. Daisy earned her law degree from South Texas College of law and her bachelor's degree from the University of Texas at Austin.
Publications & Speeches:
• Co-author, “Reforming the Asbestos Question: State Ventures Where Congress Fears to Tread,” ABA Litigation Mass Tort Newsletter, Fall/Winter 2005.
• Co-uuthor, “Illinois Nationwide Litigation Post-Avery: Are Times Really Changing,” ABA Litigation Mass Tort Newsletter, Spring/Summer 2006.See Authors Posts (2)
Cyber crime is costing the United Kingdom more than £27 billion a year ($43.5 million), according to a recent study published by Britain’s Office of Cyber Security and Information Assurance. The report, entitled “The Cost of Cyber Crime,” concluded that digital crime was a widespread, pervasive threat to U.K. businesses.
Theft of intellectual property, such as designs, formulas and other company secrets from businesses costs £9.2 billion, with firms specializing in pharmaceuticals, biotechnology, electronics, IT and chemicals being hit hardest. The pharmaceutical industry loses about £1.8 billion a year in IP theft, followed by electronics and electrical equipment makers and the software sector. In terms of non-IP industrial espionage, financial services are the biggest loser, with yearly losses of more than 2 billion, followed by mining and aerospace.
There have been a recent flurry of blog posts and media stories warning internet users about the potential dangers of posting their whereabouts on social networking sites, as such personal information is being used by opportunists to facilitate crimes. For example, just in the last month, three men in Nashua, New Hampshire allegedly used information they obtained from users’ Facebook status updates to learn when the users would not be home and thereupon broke into their vacant and vulnerable residences. Although Facebook has denied any link between its site and the crimes, the Nashua police believe that detailed information about the posters’ travel plans provided the thieves with sufficient information to know when the homes would be unoccupied.
Of course, the incidence of such crimes has not been widely disseminated through traditional media sources, such as newspapers, radio and television. As such, most Americans are unaware of this increasing phenomena. At the same time, internet users are more widely and more frequently publishing their personal information, including their travel and vacation plans, on social networking and other public sites. Moreover, beyond the routine “tweets” and run-of-the-mill social networking status updates, new applications for cellular phones and PDAs are being created to facilitate geographical updates. These applications such as “Foursquare,” “Gowalla” and “Facebook Places,” enable users to instantly identify their current physical location on the profiles they have created on social networking sites. Needless to say, allowing geographical information to freely be disclosed to the public can provide opportunists with even more accurate information about the whereabouts of their victims and their distance from an unoccupied and vulnerable residence.
Data security breaches pose a serious threat to a corporation’s financial stability as well as to its credibility in the marketplace. Most notably, the 2007 TJX data security breach, where 45 million credit card and debit card numbers were stolen, cost the company over $4 billion. For many corporations, the solution is to purchase a cyber liability insurance policy, which provides insurance coverage in the event of such a breach.
The risk of data security breaches has also affected students of universities throughout the nation. In June of last year, Cornell University officials informed 45,000 members of the school’s community that their personal information, including their names and social security numbers, was stolen after a University-owned laptop was stolen. Due to such breaches, college officials nationwide have begun purchasing cyber liability insurance policies to offset the financial burdens of a data security breach.
Posted August 27th, 2010 by Daisy KhambattacloseAuthor: Daisy KhambattaName: Daisy Khambatta Email: dkhambatta@cozen.com Site:http://www.cozen.com/attorney_detail.asp?d=1&atid=1265 About: Daisy Khambatta is an associate in Cozen O’Connor’s Chicago office and a member of the Global Insurance Group. Daisy focuses on representing client’s in all aspects of the insurance and reinsurance business, including claims counseling, litigation and arbitration, regulatory issues and government relations, and formation of captive insurers and risk retention groups. Her practice includes the handling of issues involving commercial, primary, umbrella, excess and surplus lines, and reinsurance.
Daisy devotes a substantial portion of her practice to defending companies against toxic tort claims. Currently, she serves as national coordinating counsel for a manufacturer of heat processing equipment involved in asbestos lawsuits. Her experience includes implementing the defense strategy and overseeing the handling of lawsuits through all phases of litigation. She has represented a wide range of companies against various types of mass tort claims, including asbestos, silica, benzene, and coal workers pneumoconiosis suits throughout Illinois and the state of Texas.
Daisy was named by Law & Politics Magazine as an Illinois Super Lawyers’ Rising Star 2010 in the area of Insurance Coverage. Daisy earned her law degree from South Texas College of law and her bachelor's degree from the University of Texas at Austin.
Publications & Speeches:
• Co-author, “Reforming the Asbestos Question: State Ventures Where Congress Fears to Tread,” ABA Litigation Mass Tort Newsletter, Fall/Winter 2005.
• Co-uuthor, “Illinois Nationwide Litigation Post-Avery: Are Times Really Changing,” ABA Litigation Mass Tort Newsletter, Spring/Summer 2006.See Authors Posts (2)
Fifty years ago, a superhero leaped tall buildings in a single bound and used x-ray vision to catch evil criminals. Today, some of the world’s most threatening criminals are computer hackers. Superman may not be able to save us from cataclysmic cyber attacks, but we can rest a little easier knowing seven cyber guardians are holding keys to one of society’s most valuable commodities—the internet.
ICAAN, the Internet Corporation for Assigned Names and Numbers, has provided “keys” to the internet to seven members of the global community. As discussed in prior posts, ICAAN is a non-profit watchdog group that helped establish Domain Name System Security Extensions, or DNSSEC. The DNSSEC—which just became enabled this year— is a critical security technology that lies at the core of the internet’s global addressing system. It protects the very heart of the internet by ensuring that users reach the intended web address.
Google, Facebook, Twitter, Foursquare—millions of Americans, including myself, depend on these cyber sites as their gateway to information and communication in the outside world. What we may not realize, or choose to ignore for convenience’s sake, is that this gateway lies on a two-way street. The information that we seek using websites such as Google and what we communicate on Facebook and Twitter provide companies with vital data to better market their products to us. This use of information is referred to as “data mining. ”
An example of data mining can be seen in the advertisements that pop up on the side of your Facebook home page. Such ads are often relevant to the information posted on your “Profile” page, such as advertisements promoting products from your college alma mater.
At the outset, data mining seems like a win-win situation for both the consumer and the seller—the consumer is marketed with a product in which they are seemingly interested and the company has utilized its advertising budget in an informed, cost-effective manner. At the same time, however, the threat of an invasion of privacy is real and has the attention of members of Congress and federal officials to create legislation regulating the way in which, and the extent to which, our personal information is shared with third parties.
One of the difficult things to predict with regard to the use of social media in the employment setting continues to be the extent to which traditional legal claims apply equally to new social media outlets. We continue to advise employers that it is imperative to ensure that care is also taken to create policies and train employees on the use of social media in and out of the office setting, and not to let the informality and ease of the Internet lull employers into a false sense of security. On July 22, 2010, a New York Supreme Court Judge applied the tort of defamation to statements on Facebook in a case that offers an important message to employers.
The case of Finkel v. Dauber (New York Supreme Court, Nassau County) centered on statements posted by a Facebook group known as “90 Cents Short of a Dollar.” Plaintiff alleged that she was defamed by the group’s postings that stated “unbeknownst to many, [plaintiff] acquired AIDS while on a cruise to Africa” and then “persisted to screw a baboon which caused the epidemic to spread.” The postings further defamed plaintiff, she alleged, by stating “[w]hile in Africa she was seen fucking a horse.” And other intelligent banter.
On July 23, 2010, the United States Court of Appeals for the Eighth Circuit issued an important decision in Eyeblaster, Inc. v. Federal Ins. Co., 2010, U.S. App. LEXIS 15152, No. Civ. A. 08-3640, finding concurrent coverage under both a General Liability (“CGL”) insurance policy and a separate Information and Network Technology Errors and Omissions Liability (“E&O”) policy in circumstances where an online marketing company installed software on a consumer’s computer system, allegedly corrupting the computer’s software operating system.
Eyeblaster Inc. (“Eyeblaster”), the policyholder, is a company that creates, delivers and manages online interactive advertising. For the period December 5, 2006, to December 5, 2007, it was insured under two concurrent policies issued by Federal Insurance Company (“Federal”): (1) a CGL policy covering occurrences which cause damage to tangible property, and (2) an E&O policy which covered claims for financial loss caused by a wrongful act in connection with a product’s failure to perform its intended function or serve its intended purpose, resulting in damage to intangible property. As to the latter policy, intangible property included software, data and other electronic information. Both policies were “duty to defend” forms.
Interviewing for your first job as a teenager is as exciting as it is intimidating. Thoughts of what to do with your first paycheck consume your mind as you rehearse your best “do-you-want-fries-with-that” smile. The interview proceeds flawlessly and you start to count the dollar signs as you await the job offer. But imagine your surprise when you are informed that you did not get the job because your background check revealed that you are over $75,000 in debt and five years behind in your child support payments for your eleven year old child…a terrifying thought considering you are only 16 years old.
Adults aren’t the only victims of identity theft. Child identity theft is an increasing and understated crime. A child’s Social Security Number (“SSN”) is the perfect target, as the theft typically goes undetected until years after the crime has taken place. Indeed, the crime might not be discovered until the rightful owner/victim uses his or her SSN for the first time years later. This revelation often occurs when the victim applies for his or her first job or financial aid before college.
The scheme works as follows: businesses are using various techniques to search the Internet for dormant SSNs. These numbers often belong to long-term inmates, dead people or children. Obtaining them is not as difficult as one may think, as SSNs are distributed systematically depending on age, geographical location and when the number is issued. Once it has been determined that no one is actively using the number to obtain credit, the numbers are offered for sale.
We’ve all heard the story of the clerk at the local gas station who was double-swiping credit cards in order to make fraudulent copies. Online banking, restaurants, clothing retailers…every industry is potentially a target. Yet the industry that was the subject of more credit card thefts than any other sector in 2009? Hotels.
To the point, SpiderLabs (an affiliate of Trustwave, a data-security consulting firm) has published a study which reports that 38% of the credit card hacking events in 2009 involved the hospitality industry. Over one-third of all thefts of credit card numbers occurred at hotels. Much to my surprise, given the wealth of reporting on the subject, the financial services industry lagged well behind at a comparatively minor 19%. Retail followed at 14.2% while restaurants and bars were fourth at 13%.
I guess I shouldn’t have been surprised, though, as my own credit card number was stolen several years back while i was staying at a business travelers’ hotel in New York City. I had gone to the City for a Cinco de Mayo event sponsored by a major international insurer. Several days later, I received a call from my credit card company asking if I had bought gasoline on Long Island or a $5000 television at a big box retailer. While I do buy gasoline, I hadn’t been on Long Island. And while I certainly would have loved a $5000 television (or, for economy’s sake, something less pricey), I hadn’t bought that either. The conclusion was simple: my credit card number had been stolen when I used it at the New York hotel.
So, why hotels? According to security analysts, they’re generally easy targets. The large chain hotels may employ sophisticated security technology or other protections. Or they may not. In either case, how about smaller or private owned, non-chain hotels? The next time you check into a hotel, ask what security methods they use to protect credit card information. You probably won’t like the answer. The credit card number that you provide at check-in may sit in a folder or a file maintained right at the front desk. Who would prevent someone from simply lifting the file? Especially in the middle of the night. The single desk clerk on overnight duty?
His name is Ghyslain Raza, but you may know of him as “Star Wars Kid”, a portly 15-year-old student at a Quebec private high school who had filmed himself wielding a mock light saber, pretending to be a Star Wars character in combat. The two-minute video was supposed to be private, but he left it lying around at his school where three students, who did not know the teenager, came across the video, posted it on the Internet on April 14, 2003, adding a message inviting people to make insulting remarks about the clip.
Unfortunately for him, it wasn’t just his friends who found the footage so amusing. The video went ‘viral’. One Web log that posted the video was allegedly downloaded 1.1 million times, and by October 2004 one Internet site dedicated to the video had recorded 76 million visits. According to UK marketing firm The Viral Factory, it became the most downloaded video of 2006. So mortified was the teenager that he dropped out of school and finished the semester at a psychiatric ward. According to the student, “It was simply unbearable, totally. It was impossible to attend class.” More than 35 other revised versions of the video clip, created by other people, have found their way to the Internet, with additional sound and visual effects.
This is an extreme but far from unique example of the devastation wrought by cyber-bullying, the term given to internet conduct in which students harass other students by e-mail and on the internet. Given the potentially devastating consequences of cyberbullying, should schools have the power to discipline their students engaging in this form of harmful conduct?
A major issue confronting school boardsis that cyberbullying usually does not take place at school, although its effects can later reverberate among students during school hours. Students may post offensive material from home, or other times outside of school hours, but the targets are fellow classmates. Is it appropriate for a school board to discipline a student for posting such material simply because the postings are being accessed by other students at school or target other students? At the same time, with power comes responsibility – if school boards have the power to discipline students for their behavior outside of school, are schools then to be mandated with the responsibility to essentially monitor and censor the world-wide web? Just how far should a school board’s jurisdiction extend regarding inappropriate off-school student e-conduct?
Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.
Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. Its 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post “No One is Immune. Even Government Entities Need Cyber/Tech Insurance?”
Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.
Pamela Pengelley, our resident expert on Facebook, is now internationally recognized for her expertise.
Most recently, Pamela was quoted in an article published by Law 360 entitled “Poking Around Facebook Could Win Your Case.” According to Pamela, “‘Lawyers are realizing [Facebook] is a gold mine of information…it’s pretty much standard that you subpoena Facebook when you get a personal injury action. It’s not a substitute for having a private investigator, but people will put up incriminating photos online without realizing that there can be consequences in a lawsuit.’”
Pamela further observed that Facebook is “most effective in lawsuits where plaintiffs are claiming an injury, such as when their health or ability to work has allegedly been impaired”.
Kudos to Pamela. Where will her sage words of wisdom appear next?
The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.
A January 29, 2010 study commissioned by McAfee, Inc and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.
The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.
The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more. With additional attacks to come. Of most concern, perhaps, over half of those surveyed believe that the U.S., China and Russia as the three most vulnerable countries.
The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.
This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.
Emailing. Instant messaging. Texting. On-line gaming. Ten years ago, even five years ago, such words and concepts were alien to the typical luddite. Now, these terms are not just parts of the common parlance; a vast majority of us actually use these resources on a daily basis (in some cases, with our childrens’ guidance and assistance).
Consider, then, the relatively new concept of “cloud computing.” In lay terms, cloud computing is the on-line or internet-based use of a third-party vendors’ or service providers’ off-site (and hopefully secure) servers for data storage and/or management. Hotmail, Facebook, LinkedIn, YouTube and Google all use cloud computing to serve their members, often at no cost. At the same time, there are a growing number of vendors (like Apple) which “host” or “back-up” at-home and business computer systems by storing a consumer’s data or facilitating their use of cost-effective business solutions for a monthly or annual fee. Users typically do not have to incur fixed costs or purchase hardware or even software programs. All they need is access to a computer and the internet. And with that, voila! Cloud computing is just a click away.
Needless to say, the advent of cloud computing has opened up a world of opportunity for entrepreneurial software developers, hardware providers, and data storage companies around the globe. At the same time, it has created new business segments with a keen need for insurance products. Cyber insurance. Tech insurance. Property/All-Risk insurance. Business Interruption insurance. Professional Services/E&O insurance. Fidelity/Crime insurance. And, in some cases, personal injury/advertising injury coverage.
The potential third-party exposures are endless. Consider, for example, the legal (and regulatory) implications (and concomitant need for insurance) when an unauthorized user hacks into a “cloud” database storing personally identifiable or proprietary business information. Or think about the possibility of liability for a software developer or data storage vendor who has a customer that uses the cloud to host viruses or illegal content. Or who simply release information about their clients to marketers, advertisers or other third-parties without considering the impact or legal ramifications of their doing so. And how about power outages or other crises or service interruptions that prevent customers from accessing their accounts or critical business information that may be the key to closing an all-important business deal (resulting in privacy claims, claims of lost income, lost profits and business interruption expense and other alleged third-party injury).
So too, first-party cyber/tech risks are well known in other contexts and would apply with equal force and effect to cloud computing. The threat of service interruptions, data corruption and the like all necessitate the need for insurance.
The bottom line, as always, is that underwriters need to constantly stay ahead of the curve and tailor their products (and marketing strategies) to address the ever-changing landscape of new and innovative technology resources. Today cloud computing. Tomorrow? Ask me tomorrow night….
Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.
Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high profile breaches at large companies where there has been a failure protect a customer’s personal information.
What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.
The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon drivers license number or Oregon identification card, financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS) , and include the following:
LawPRO Magazine is published by the Lawyers’ Professional Indemnity Company (LPIC), the wholly Canadian owned insurance company that provides mandatory professional liability insurance to lawyers in private practice in Ontario.
In the December 2009 issue, LawPRO Magazine has run a “Social Media” theme, dealing with “Why, What and How to Do It Right”, including an article that sets out a useful summary of Canadian case law on the use of social networking sites in litigation: “Litigation and Online Social Networking Sites“.
Other articles that may be of interest include:
“Social Media: Why?” - An overview of how social media are changing the legal landscape.
“Social Media: What?” – A guide through the many social media tools available PLUS interviews with five lawyers who walk the social media talk.
“Social Media: How?” – A primer on social media as marketing and networking tools in law practice.
“Social media pitfalls to avoid” - A discussion of some of the dangers inherent in using social networking tools, and how to safely exploit the marketing opportunities they do offer.
LawPRO Magazine also offeres a number of technology-related articles with practical information for lawyers and businesses, all of which are freely available online.
Trade dress insurance coverage is alive and well. At least in Wisconsin. In Acuity v. Ross Glove Company, 2012 WL 1109035 (Wis. Ct. App. April 4, 2012), the Wisconsin Court of Appeals held that an insurer’s duty to defend was triggered under advertising injury liability coverage where the underlying complaint set forth allegations of trade dress infringement.
With the help of our readers, Cyberinquirer has again been named as one of 
I. 
.gif)
Join the forum discussion on this post
The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.
Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.
