Posted November 2nd, 2011 by Scott Godes

Author: Scott Godes. Site: http://corporateinsuranceblog.com

About: Scott Godes is an experienced trial lawyer who represents corporate policyholders and insureds on all issues relating to insurance coverage and insurance claims. Scott is a computer geek at heart (find him on Twitter at @insurancecvg) and as soon as he saw that there was a need for particular specialized work with respect to ensuring that insurers properly cover claims for cybersecurity, data breach, and privacy claims, he immediately focused on the area in earnest, so that he could join his professional background and personal interests. Scott represents and counsels corporate insurance policyholders regarding insurance coverage for computer data, hardware, and software claims; data breaches; and online services.
Because of his background and the length of time that he has been focusing on these issues, his peers in the insurance coverage community have made him a co-chair of the ABA’s Computer Technology Subcommittee of the Insurance Coverage Litigation Committee. It’s been said that Scott wrote the book on insurance coverage for these issues, but more accurately, he wrote the book chapter on these issues. He is the author of the insurance coverage for cybersecurity and intellectual property risks chapter in the leading insurance coverage liability treatise (Appleman Law of Liability Insurance) and also wrote the Cyber Security section of the Insurance chapter in the Corporate Compliance Practice Guide (LexisNexis 2009). The net of his experience and writing background is that he is comfortable discussing these issues with insurance coverage lawyers and courts, but more importantly, he can explain potential risks and needs to technologists and corporate officers. Outside of his more formal writing, you can follow his thoughts on coverage issues on Twitter http://twitter.com/insurancecvg or his blog http://corporateinsuranceblog.com (which was one of Lexis’ top insurance blogs for 2009). His bio on LinkedIn is found at http://www.linkedin.com/in/scottgodes.
The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, Corporate Insurance Blog. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment will gladly be published (promptly…). Please feel free to forward them to me at your convenience.
A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-name companies, according to a new analysis released this week.
Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.
The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.
A January 29, 2010 study commissioned by McAfee, Inc. and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.
The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.
The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more. With additional attacks to come. Of most concern, perhaps, over half of those surveyed rank the U.S., China and Russia as the three most vulnerable countries.
The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.
This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.
Let us say, speaking hypothetically, that a grossly negligent individual (who, since we are speaking hypothetically, is named…”Mr. X”) has accidentally uninstalled my favorite computer game, “Sid Meier’s Civilization IV” (for which, by the way, I paid good money and patiently waited three whole hypothetical hours to legally download onto my computer).
Let us further hypothesize that I was twelve hours into a very successful game which has now gone the way of the passenger pigeon. Is the loss of my computer software considered “damage to property” for the purpose of a negligence action, or is it just a form of pure economic loss? “Of course it’s property damage!” I thought to myself, “and a most egregious form at that!”
Yet, in law, as in life, few things are certain. I was compelled to learn more, and so I conducted a brief review of the case law from Canada, the United States and Australia to satisfy my curiosity. What I have learned is that, notwithstanding that we live in the age of the internet, it is far from clear whether we can sue for the loss of electronic data in a negligence action.
Emailing. Instant messaging. Texting. On-line gaming. Ten years ago, even five years ago, such words and concepts were alien to the typical luddite. Now, these terms are not just parts of the common parlance; a vast majority of us actually use these resources on a daily basis (in some cases, with our children’s guidance and assistance).
Consider, then, the relatively new concept of “cloud computing.” In lay terms, cloud computing is the on-line or internet-based use of a third-party vendors’ or service providers’ off-site (and hopefully secure) servers for data storage and/or management. Hotmail, Facebook, LinkedIn, YouTube and Google all use cloud computing to serve their members, often at no cost. At the same time, there are a growing number of vendors (like Apple) which “host” or “back-up” at-home and business computer systems by storing a consumer’s data or facilitating their use of cost-effective business solutions for a monthly or annual fee. Users typically do not have to incur fixed costs or purchase hardware or even software programs. All they need is access to a computer and the internet. And with that, voila! Cloud computing is just a click away.
Needless to say, the advent of cloud computing has opened up a world of opportunity for entrepreneurial software developers, hardware providers, and data storage companies around the globe. At the same time, it has created new business segments with a keen need for insurance products. Cyber insurance. Tech insurance. Property/All-Risk insurance. Business Interruption insurance. Professional Services/E&O insurance. Fidelity/Crime insurance. And, in some cases, personal injury/advertising injury coverage.
The potential third-party exposures are endless. Consider, for example, the legal (and regulatory) implications (and concomitant need for insurance) when an unauthorized user hacks into a “cloud” database storing personally identifiable or proprietary business information. Or think about the possibility of liability for a software developer or data storage vendor who has a customer that uses the cloud to host viruses or illegal content. Or who simply releases information about their clients to marketers, advertisers or other third parties without considering the impact or legal ramifications of doing so. And how about power outages or other crises or service interruptions that prevent customers from accessing their accounts or critical business information that may be the key to closing an all-important business deal (resulting in privacy claims, claims of lost income, lost profits and business interruption expense, and other alleged third-party injury)?
So too, first-party cyber/tech risks are well known in other contexts and would apply with equal force and effect to cloud computing. The threat of service interruptions, data corruption and the like all create a need for insurance.
The bottom line, as always, is that underwriters need to constantly stay ahead of the curve and tailor their products (and marketing strategies) to address the ever-changing landscape of new and innovative technology resources. Today cloud computing. Tomorrow? Ask me tomorrow night….
In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target.
We may have gotten a good chuckle out of the various messages that were left on the Twitter accounts for Barack Obama, Britney Spears, and Bill O’Reilly, but the implications are serious; with every new technology comes new risk. Viruses can permanently erase an entire system, sensitive system files can be accessed and altered by intruders, computer networks can be infiltrated and used to attack others, and credit card information can be absconded with and used to make unauthorized purchases.
“Cybersecurity” refers to the protection of that information by preventing, detecting and responding to attacks. Although there may be a tendency to consider cybersecurity to be a technical issue with technical solutions, it may also be useful to think of cybersecurity as an economic issue…with economic solutions.
This is the message that the Internet Security Alliance (“ISA”) has made in a landmark report issued earlier today, December 3, 2009. The ISA is a trade association which represents a gamut of corporate interests ranging from the Defence and Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries. In its report, entitled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” the ISA emphasizes that cybersecurity is an economic rather than a technical issue and that both the U.S. government and private industry need to revisit their assessments of cybersecurity by creating economic incentives and other programs to foster broader, and more enhanced, cybersecurity efforts and systems.
At present, the government has been relying on regulations to ostensibly improve cybersecurity. The ISA suggests that this method is not only outdated, but also ineffective in dealing with a 21st Century problem. The report sets forth a number of proposed economic solutions, many of which focus on encouraging companies to educate their executives about the economic and social benefits of cybersecurity. Key among these proposals is the suggestion that businesses should create risk management programs that educate their executives about the growing problem of cyber theft and abuse, and assist them in incorporating cybersecurity solutions in their corporate business plans (rather than ceding such responsibilities to computer “geeks” in their IS or IT departments, as is typically the case today).
The report concludes that most companies underfund their investments in cybersecurity, and suggests that economic and other incentives are needed to prompt businesses to improve their cybersecurity. ISA’s report also suggests that the insurance industry become actively involved in providing a methodology by which returns on security investments are quantified.
Among the ISA’s recommendations designed to encourage investment is a proposal that cyber insurance be used to promote the development of standards and practices and assist companies in quantifying and managing their cyber risks. At the same time, the ISA proposes that the government create limited liability protections for certified products and processes and recognized industry best practices. Alternatively, liability might be assigned on a sliding scale (comparative liability) such as limiting punitive damages while allowing actual damages and providing affirmative defenses with reduced standards (preponderance of evidence vs. clear and convincing etc.).
The report is long (over 70 pages) and quite detailed. For those interested in reading it, the report can be found here. Irrespective of whether readers choose to take the time to read the entire report, they should familiarize themselves with its purpose and intent, as it is a major step forward in promoting dialogue on the ever-growing problem of cyber crime. At a minimum, insurance underwriters and cyber professionals should study the report and perhaps incorporate some of the ISA’s recommendations in their own due diligence processes to complement, for example, their existing NetDiligence® cyber risk assessment service (used by many leading US & UK insurers). Only through joint and collaborative efforts can the billion dollar problem of cyber crime be mitigated. It is incumbent on the insurance industry to be among the leaders in these efforts. We can begin by collecting comments on the ISA’s proposal and submitting them to its members, including those representing the insurance industry. Please feel free to comment below. As appropriate, we will forward them to the ISA with the author’s name and contact information, if so authorized.
On November 10, 2008, millions of people were left without electricity in two of Brazil’s biggest cities, São Paulo and Rio de Janeiro, as a result of a massive power failure. The outage also had a significant impact on telecommunications and the Internet routing system in a number of South American regions. According to CircleID Reporter, while Brazil took the largest hit, Paraguayan and Uruguayan networks also went out “as a result of the largest regional power outage to hit Brazil and its neighbors in several years.”
The losses arising from these types of outages can be staggering. Recall in early July of 2008, when the network of the Brazilian unit of Spanish telecom Telefónica (NYSE: TEF) was disrupted, leaving its 2.2mn Speedy broadband customers without internet access for about 36 hours in the state of São Paulo. According to Business News America, Zurich had said that it would set aside 24mn reais (US$15.2mn) for refunds to compensate for the service interruption.
Prompted by the internet losses, the Brazilian unit of Swiss insurer Zurich began offering a new civil liability insurance product in August of 2008 in the wake of a large-scale internet outage, reported the local financial daily Gazeta Mercantil. The product covers third-party damage and operational shutdowns resulting from service disruptions, according to the report.
According to Zurich Brasil’s financial insurance lines executive, Vinicios Villela Jorge, “Many businesses were wanting to know whether the insurance market would make this type of product available so that they could require [clients] to get this policy when contracting their services.” It will be interesting to see whether new insurance products become available on the market as a result of this most recent network failure.