Ping Service
Feedback Forms

Cyber at Lloyds: Catching the cyber horse in motion

The following article was written by my good friend Tony Ellwood. Tony is senior executive, underwriting, at Lloyd’s Market Association and a thought leader. We are grateful to Tony for allowing us to republish his article, which first appeared in the July 16th edition of Insurance Day.

Rick

LondonThe question of whether a running horse has all four hooves in the air simultaneously was one that perplexed generations. No matter just how closely a horse was observed, the motion of its legs was simply too rapid for the human eye to register accurately. It was not until the advent of photography and an experiment by Eadweard Muybridge in 1878 that the question was answered. He developed a camera that was triggered by wires attached to a horse’s legs allowing him to shoot 24 photographs as the horse ran past, which proved beyond a shadow of doubt that a horse does indeed lose contact completely with the ground in mid-gait.

There are many parallels between Muybridge’s study of the running horse and a new survey the Lloyd’s Market Association (LMA) has launched to understand the full extent of cyber risk being underwritten in the Lloyd’s market. The similarity is the sheer pace with which cyber liability has grown from its beginnings in the mid-1990s to current global premiums in the order of £1.5bn, and still rising sharply. The speed of that growth, combined with the rate at which cyber has evolved as a product, make it a particularly tricky line to pin down. What’s more, the question that has been formulating in the LMA’s collective mind is how much cyber liability is being written at Lloyd’s within other classes of business such as marine or aviation. This survey is the first attempt to comprehensively map that business.

Read the rest of this entry »

Court Certifies Interlocutory Appeal for the FTC v. Wyndham Matter

TRAUB LIEBERMAN STRAUS & SHREWSBERRY LLP’s Cyber Law Blog previously discussed various aspects of the Federal Trade Commission (“FTC”) action filed against Wyndham Worldwide Corp. (“Wyndham”) under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” Recent developments in the FTC action carry implications for cyber liability and how companies handle cyber security and data breaches.

On April 7, 2014, US District Judge Esther Salas denied Wyndham’s motion to dismiss directly challenging the FTC’s authority to regulate cyber security practices. Wyndham’s motion asserted that Congress had not delegated such authority to the FTC under its Section 5 powers, and even if it did, the FTC failed to publish rules or regulations providing companies fair notice of the protections expected and “legal standards” to be enforced by the FTC.

At the time, Judge Salas unequivocally ruled in favor of the FTC’s authority. However, on June 23, 2014, the Court granted Wyndham’s application and certified the matter for an immediate interlocutory appeal to the Third Circuit Court of Appeals.

The appeal involves two questions of law: (1) whether the FTC can bring an unfairness claim involving data security under Section 5 of the FTC Act and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.

Interlocutory appeals are rarely granted, are in the complete discretion of the trial court, and must meet certain requirements under 28 U.S.C. § 1292(b), including whether there is a substantial ground for difference of opinion on the matter. While Judge Salas’s denial of Wyndham’s motion to dismiss was certain as to the FTC’s Section 5 authority and the issue of fair notice, the Order certifying the matter for interlocutory appeal on the other hand, acknowledged Wyndham’s “statutory authority and fair-notice challenges confront this Court with novel, complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”

The Court further acknowledged that it was dealing with an issue of first impression with “nationwide significance… which indisputably affects consumers and businesses in a climate where we collectively struggle to maintain privacy while enjoying the benefits of the digital age.”
As a result, the Third Circuit will be the first major appellate court to weigh in on the issue of whether the FTC has authority to regulate cyber security practices, and if so whether those regulations require specific legal standards and fair notice to those within the scope of FTC’s enforcement.

- See more at: http://www.traublieberman.com/cyber-law/2014/0710/4801/#sthash.hgIolyzW.dpuf

Edit PDF    Send article as PDF   

Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

I first published this article in 2010. Surprisingly, its as relevant today – perhaps even more relevant – than it was four years ago.

Rick

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.

Read the rest of this entry »

The Insurance Industry and ICANN: The Next Frontier

icann-flagsWe all take the Internet for granted.  Short of a power outage taking down phone lines, cell towers and satellite transmissions, the Internet will always be there. Like death and taxes, you can count on it.

Not that the paradigm will change any time soon, but at some point, it might.

On March 14 and 17, 2014, the Wall Street Journal reported on the decision by the National Telecommunications and Information Administration (“NTIA”), part of the Commerce Department, to cede control of the Internet from the Internet Corporation for Assigned Names and Numbers (“ICANN”) (a U.S. non-profit) to an organization of multinational stakeholders.

As readers of Cyberinquirer, know, ICANN is responsible for managing the core of the Internet by distributing domain names and Web addresses.  It’s been doing so since 1998.

Read the rest of this entry »

The Dos and Don’ts of Navigating The Cloud: A Business Guide For Cloud Computing

Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet. Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.

The cloud’s economic benefits are clear. Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.

Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:

Read the rest of this entry »

Cyber class-action litigation: Insurers’ next significant spend?

The following article was first published by my friends at Advisen for their new Cyber Risk Network. For those who haven’t already done so, check it out.

Rick

Virtually every reader is well aware of the decision from the US Court of Appeals for the First Circuit finding that claims by class-action plaintiffs for “mitigation damages” arising from a cyber breach were viable. Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011).

There, the court held under Maine law that, in the abstract, certain claimants whose financial information was stolen could recover certain costs incurred in a reasonable effort to mitigate.

Hannaford Brothers is an extreme outlier in the world of cyber class-action litigation. And—as it should have in my view—the case effectively ended when the District Court, on remand, declined to certify the putative class in light of the claimants’ failure to establish that common issues of law and fact “predominate” over individual issues, a predicate to class certification.

Read the rest of this entry »

Risk Based Security’s 2013 Data Breach QuickView Report

The following was provided by my friend Jake Kouns of Risk Based Security, a leading-edge security and threat intelligence company. that provides comprehensive vulnerability and data breach intelligence services.   Thanks Jake.

Rick

Risk Based SecurityWe  are pleased to release our Data Breach Quick view report that shows 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents.  The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record (2011).

Although overshadowed by the number of exposed records, 2013 is also ranked #2 in total reported  data breach incidents, just behind 2012. “When you analyze the data breach activity in 2013 it’s hard to  find any bright-side, said Barry Kouns, CEO of Risk Based Security. “Four of the “Top 10” data breaches all time, were reported in 2013, including the top spot. “

Read the rest of this entry »

The Target Breach: Show Me The Insurance

The following article was first published by the Advisen Cyber Risk Network. If you haven’t checked it out, you should. Its extremely informative. And I’ll be a regular contributor.

Cheers.

Rick

By now, almost everyone has read or heard about – or even been directly impacted by – the theft of financial data relating to over 40 million credit and debit cards used at Target stores in November and December last year.

However, the insurance coverage aspects of the breach have generally flown under the radar.

To a company like Target (or whoever is affected by the next breach), the availability of insurance coverage is an important component of crisis management and remediation, litigation and regulatory investigation strategies, and reputational/brand/lost income protection.

So assuming Target has purchased potentially applicable insurance products, what coverages might apply?  And how might they respond?

At a minimum, it can be expected that Target will investigate the availability of coverage under four separate lines of insurance: Cyber, privacy and technology (CPT); general liability; crime/fidelity and; directors and officers liability policies.

Read the rest of this entry »

Cyber, Privacy and Technology Best Practices and Reputational Harm: Why Legal Professionals Need a Lawyer’s Advice, Counsel and Privileges

BabyB_LPlate_improvedIntroduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details. At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company). As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.
The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong. In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance. This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CBT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his and her lifeblood. Indeed, reputation translates to the bottom line. For better or worse.
And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is incumbent that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media. As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorneys’ clients – and by extension, the attorney himself and herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information (“PII”), personal health information (“PHI”) and/or confidential commercial information (“CCI”). It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.
It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals. Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney. Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do possess the critical protections afforded by the attorney-client relationship. In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

To continue reading, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick

Create PDF    Send article as PDF   

Asia-Pacific Cyber Law Risks and Developments

We first published the following White Paper extract in October 2011. While the White Paper might be somewhat dated (and therefore will be refreshed shortly), it remains relevant for our friends interested in learning the basics of Asia Pacific cyber/privacy law. Please let me know if you’d like to see the entire paper. Rick

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity.

At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).

Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies

Read the rest of this entry »

Canadians More Exposed Than One Would Think

canada-flag-stereotypesOkay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.

What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.

Read the rest of this entry »

The Insurance Industry: In Regulators’ Sights

If you’re an insurance company, it may be time to open your cyber-related checkbooks if you haven’t done so already. New York Governor Andrew Cuomo’s Department of Financial Services (“NYSDF”) soon may be watching you. They’re already asking questions as if certain insurers were “persons of interest,” just as it did earlier this year with certain of the larger banks.

On May 28, the NYSDF sent what are referred to as “308 letters” to 31 regulated health, life and general liability insurance companies (seemingly those with the highest premium revenue). The NYSDF’s letters request information on (1) the insurers’ existing IT-related management policies and procedures with respect to the prevention of cyber attacks, (2) actual cyber attacks occurring within the past three years, (3) the quantum of funds and resources dedicated to cybersecurity, and (4) how they safeguard customers’ and business entities’ health and personally identifiable information (the letters specifically identify financial information as a subject category).

Read the rest of this entry »

Identity Theft: A Christmas Poem Revisited

Regular Cyberinquirer readers may recall the following holiday poem by Amanda Lorenz. Like the Yule Log, we here at Cyberinquirer Central have decided to republish Amanda’s poem on an annual basis at holiday time, barring extenuating circumstances. Hope you agree that it remains fresh and timely. In any event, enjoy! And happy holiday season from your friends at Cyberinquirer.

Twas the month before Christmas and all through the house,
All the children were networking with the click of a mouse.
Cyber thieves were nestled all snug in their chairs,
Waiting for shoppers to unknowingly share.
As I shopped for him and he shopped for me,
The thieves stole our money and our financial history.
We did not even realize that this information was taken,
And we thought the denial of our credit card was mistaken.
Using Phishing or SMiShing and hacking the links,
Our private information was retrieved in a blink.
Perhaps we should have shopped on a network that was secure,
Or at least checked our credit reports monthly to be sure,
That thieves were not using our names and our faces
To purchase plane tickets to tropical places.
So to all of the shoppers who like to avoid the crowd,
Protect your info this season and make CyberInquirer proud!

Wish You a Merry Christmas cartoons image illustration picture

Happy Holidays from CyberInquirer!

Fax Online    Send article as PDF   

Who Owns Patient Data in Electronic Health Records?

Following is a guest post by Doug Pollack, CIPP/US, chief strategy officer at ID Experts, a leading provider of healthcare privacy and data breach solutions. The article explores the thorny issue of “ownership” as it applies to patient data stored in and shared by electronic health record systems.

Cheers.

Rick

I recently began exploring the question of who, or what entity, owns the data that is incorporated in our patient electronic health records (EHRs). I originally began thinking about this because I was imagining that the “owner” would be responsible under circumstances where there was an unauthorized disclosure of such protected health information (PHI), in other words a data breach. It seemed like such a simple question, I had assumed I would find the answer to be just as straightforward. As it turns out, many have pondered this question and suggest that the question of “ownership” of medical data may be a misplaced one, an unanswerable question, and that the more relevant question is what control the patient, and other members of the health ecosystem, have relative to accessing, modifying, appending and transmission of this data. In other words, how is patient privacy provided for within the new EHR universe?

Read the rest of this entry »

Planet Mars, Curiosity, and Data Security

For those captivated by recent events in astronomy, parallels can be drawn between the recent landing of NASA’s rover Curiosity on planet Mars and the public discourse on data security in Canada. With the distinction that one is effectively equipped with the right budget and tools to achieve its actual objective, both have come a very long way, both have managed to blaze through layers of clouds, both seek to secure ingredients essential to life, and both are now aimlessly wandering about unchartered territories.

A decisive factor in Barrack Obama’s 2008 political campaign was the extensive use of individual, thin sliced consumer data to send highly tailored messages to gain political support. Within 13 years, Google has become the most valuable brand in the world through the aggregation of vast amounts of data including search data, or data held in Gmail accounts. This information is then used to create an advertising cruise missile, which is much more efficient than the old method of pattern bombing.

Read the rest of this entry »

State Privacy Laws Evolve While Congress Campaigns

New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.

Connecticut

At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.

Read the rest of this entry »

Human Error: The Greatest Risk and Root Cause of Data Security

Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While they tend to possess greater network security than smaller organizations, the risk of human error should be of particular a concern to medium and large size organizations whose internal controls over data and employees are inevitably diluted by their size and numbers.

Read the rest of this entry »

Data Privacy and Unauthorized Non-Hackers: the Rise and Risk of Accountability and Breach Notifications in Canada

Recent unauthorized access to British Columbia Institute of Technology’s computer network, which contained personal medical information of approximately 12,680 individuals, is yet another reminder of risks of exposure to data breaches. That none of the data on BCIT’s computer network was compromised or misused is reflective of a low-profile non-hacker intrusion, and of the ease with which computer networks can be infiltrated. Indeed, a sophisticated hacker would know better than to leave massive amounts of data, rightly labeled by some as the “oil” of the 21st century, uncompromised. More curious than uncompromised data, however, is BCIT’s notification in the absence of an actual data breach, and mandatory breach notification provisions under B.C. privacy law.

Read the rest of this entry »

First Circuit Court of Appeals Holds Bank’s Online Security Measures “Commercially Unreasonable” in Landmark Decision

In a landmark decision, the First Circuit Court of Appeals held in Patco Construction Company, Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012) that People’s United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 which had been stolen from PATCO’S bank account. In so doing, the Court reversed the decision of the United States District Court for the District of Maine which had granted summary judgment in the bank’s favor.

The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO. While the bank’s security system flagged each one of the transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, the bank’s security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not “commercially reasonable” under the Uniform Commercial Code, as codified under Maine Law.

Read the rest of this entry »

Cyberstalkers Beware: You’re Not Anonymous

A quick google search will reveal thousands of hundreds of thousands of hits for the term cyberstalking. Indeed, as of today, there are over 900,000 posts where the word is used. Perhaps not surprisingly, many of the listings involve teen cyberbullying and child protection issues. There are also large numbers of celebrities who are cyberstalked or otherwise harassed. Beyond juveniles and celebrities, the most frequently stalked demographic are 18-32 year old females, a cohort to which some of our own bloggers (and co-publishers) belong. Curiously, reports indicate that more and more women are also the cyberstalkers, not just the victims. Anecdotal stories suggest many of these women are married but unhappy with their lives.

Read the rest of this entry »

Agreement between the US, NATO, and Australia on Cyber Security

The US and Australia have a longstanding agreement to back each other up in case of physical enemy attack, but now have moved that agreement to the arena of cyber-attack as well. With Australia’s history of cyber-attacks well known, such as an attack two years ago that brought down Australia’s Parliament’s website, the country cannot afford to ignore cyber security any longer.

Read the rest of this entry »

Cyber-security in a Hyperconnected World

The cyber-attacks recently launched by six individuals from the group Anonymous, an international hacktivist collective, against 13 Quebec government and police websites are but a fleeting glimpse of a much broader problem associated with the cyber world, most of which remains largely unseen. Succinctly stated, the cyber-attacks were a response to the Quebec Liberal party’s constitutionally questionable Bill 78 that was recently passed as a response to the student crisis sparked three months ago over the government’s planned 75% tuition increase. That six individual were arrested by law enforcement agencies and charged with mischief, conspiracy, and unlawful use of a computer should hardly be reassuring.

Read the rest of this entry »

Insurers: Assert Your Subrogation Rights

The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).

Rick

It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, its development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.

At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.

Read the rest of this entry »

The Implications of a Cyberattack on Your Securities Portfolio: You May Want to Read Your Holdings’ 10-Ks

falling moneySo, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In the “Risks” section of its 2009 10-K, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. Kudos to Intel for making this disclosure, which predated the October 2011 publication of the SEC Guidance addressing public companies’ cyber risks and exposures (discussed here and elsewhere, including in the March 2012 edition of the Advisen Cyber Journal. Please feel free to contact me for details on how to obtain this must-read issue and subscribe. Advisen has done a masterful job, as it does with all of its publications). As will be discussed in my next post, a significant number of public companies still have not complied with their cyber risk and cyber exposure reporting “obligations” under the SEC Guidance.

As to Intel, the subject 10-K listed several noteworthy risks. The most intriguing stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.”

The adverse economic impact of a cyber-related disclosure is not theoretical, either. Indeed, in the immediate wake of the News Corp./News of the World cell phone hacking scandal in mid-2011, News Corp’s market cap reportedly fell by over 15%, valued at approximately $7 billion, in less than a week. Not surprisingly, News Corp was sued shortly thereafter in a series of securities fraud class actions, which remain pending.

While cyber risks and exposures may or may not have an impact on a stock’s trading price, their potential impact can not be ignored. Google (GOOG) is another example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development can not be understated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. By April 25, 2010 Google’s shares were trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyber event can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brands’ reputation (remember News of the World? After 168 years of tremendous success globally, it ceased publishing on July 10, 2011 as a direct result of the hacking scandal), all the way to claims arising from the theft of consumer’s personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) lead TJX to settle with regulators, states, consumers and others and set a settlement/remediation reserve of over $100 million.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.

PDF24 Creator    Send article as PDF   

What Underwriters Don’t Know Can Cost Them…Dearly

j0282993The occurrence and frequency of cyber breaches are not as transparent as one might expect. Or hope, for that matter. To the contrary, the FBI’s chief cyber crimes investigator recently admitted that “thousands” of cyber crimes have gone unreported due to companies’ fears about the impact of adverse publicity on their reputations and bottom lines.

According to Shawn Henry, assistant director of the FBI’s Cyber Division, hackers regularly access computer security systems and steal millions of dollars and credit card numbers without such incidents ever being publicly reported. Indeed, Mr. Henry has acknowledged that “[o]f the thousands of cases that we’ve investigated, the public knows about a handful…There are million-dollar cases that nobody knows about.”

And the problem is not limited to Fortune 500 and other large companies such as TJX and Heartland, which have voluntarily disclosed cyber intrusions. Indeed, the incidence of cyber attacks on such companies is growing marginally or even shrinking, as these entities implement more complex security systems. The more frequent target has become medium-sized and small companies which do not have the resources or perhaps the ability or interest to enhance their cyber protections. The same goes for private citizens whose personal wealth and, equally troublesome, personal secrets may be at risk as their personally identifiable information is wrongfully retrieved and then used to access their bank and other investment accounts. Needless to say, no one wants to admit they’ve been hit or that their resources have been stolen. The stigma alone is a major deterrent to such public disclosures. (“Hey Joe… guess what… I was just robbed of $10 million!! And, they learned that I’ve been cheating on my spouse for the past ten years… How about that!!!”).

For cyber insurers, a prospective policyholder’s unwillingness to disclose such intrusions can be a major problem, both from an underwriting and claims perspective. As always, the key is proper detailed due diligence up-front. Underwriters can not take for granted that they would or should know about an intrusion at a potential account. They must ask the right questions, require the proper warranties, and “pull back the curtain” to ensure that the risks they take on are just that – risks – rather than cyber intrusions waiting to happen. “Penny-wise, pound foolish” is particularly apt. Spend the time and money to vet your proposed accounts. The cost of a claim or related coverage litigation will dwarf the expense of a thorough underwriting investigation. Unlike the availability of insurance, that is a guarantee.

PDF Creator    Send article as PDF   

The Coverage Question

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.

Read the rest of this entry »

An Insurer’s View: Examining the Rising Costs of Breaches

The following article, written by reknowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.

Rick Bortnick

Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.

The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.

Read the rest of this entry »

New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.

Read the rest of this entry »

The Hospitality Industry Revisited: Does Your Company Have Proper Coverage?


101387303-a0006-000338.530x298In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.

And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not out of the clear. And, things may be getting worse as the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).

Read the rest of this entry »

Securities Law and Cyber Disclosures… Perfect Together…Especially for Cyber and Tech Underwriters and Brokers. And Me

Its not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director or officer of a company that does not “comply” with the DCF’s “recommendations.”

Read the rest of this entry »

And Now, the Maine Event: Mitigation Costs Constitute Damages in Data-Breach Case

Businesses that necessarily require their customers to disclose credit card and personal information, beware. Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for “mitigation damages” arising from alleged negligence and breach of contract were viable. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).

In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported.

Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards. Some financial institutions, which refrained from immediately canceling the credit card, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.

Read the rest of this entry »

INTRODUCTION TO CANADA’S PIPEDA PRIVACY LEGISLATION

I. Overview

Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.

Read the rest of this entry »

Underwriters and Their Policyholders Agree: Less Is More When It Comes to Crisis Management Expenses

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…

At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.

Read the rest of this entry »

What is Corporate and Business Identity Theft and What Are the Risks and Damages Associated with It?

The yellow fever outbreak of summer 1798 was the worst in Philadelphia’s history. Over 5,000 residents were infected, and nearly 1,300 died, causing even President Washington to flee. On the night of September 1st, 1798, the vault at Carpenter Hall was breached and the then-massive amount of $162,821 went missing. This first bank robbery in the United States, attributed as an “inside job”, ushered in an era of robberies that turned criminals into celebrities. Jesse James, Bonnie and Clyde, and John Dillinger have become legends. At present, the risk of yellow fever has been mitigated due to vaccines. The risk of bank vaults being physically robbed similarly has been reduced.

Read the rest of this entry »

Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades.

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers have to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008) Read the rest of this entry »

Cyber Security On President Obama’s Agenda

Faced with revitalizing a deteriorated economy, formulating a national budget, and the aftermath of Osama Bin Laden’s death, President Barack Obama has his hands full. Yet, in the midst of all the issues commanding the White House’s attention, the Obama Administration somehow has found time to address the threats to our nation’s cyber security.

According to Business Insurance, on Thursday, May 12, 2011, the Obama Administration proposed cyber security legislation to improve protection for individuals and the federal government’s computer and network systems. The proposed legislation would address national data breach reporting by creating simpler and standardized reporting requirements for the 47 states that contain such requirements. The proposal would also synchronize penalties for computer crimes with other crimes. Additionally, the government, through the Department of Homeland Security, would become directly involved in assisting the industry as well as state and local governments in policing and enforcing cyber security. The proposed legislation encourages the state and local governments to share information with the Department of Homeland Security about cyber threats or related incidents by providing them with immunity for doing so.

Read the rest of this entry »

“Anonymous” Hacks PlayStation Network and Sony Feels the Pain

Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.
If anyone still harbors the notion that video games are simple distractions from the age of Pong, they haven’t seen the latest statistics. One of the most popular games released last year, “Call of Duty: Black Ops”, generated $650 million in the first five days of sales and exceeded $1 billion in record time. The achievement put the game in the company of Michael Jackson’s “Thriller” album and James Cameron’s movie “Titanic.” As a whole, the video game industry has been valued at over $100 billion. That massive size and scope makes the impact of a cyber attack all the more devastating.

Cyber Crime and Securities Fraud Litigation: The Next Wave?

Following the publication of our original post on the implications of a cyber attack on investors’ securities portfolios (see here), we have been asked by scores of readers whether securities fraud litigation arising from cyber crime has ensued. Not surprisingly, the answer is “yes.”

Indeed, we have located at least two such cases, one a putative securities fraud class action against a payment processing company and the second an SEC initiated action against a private investor. The results may (or may not) surprise you, depending on your perspective of trial courts’ levels of judicial activism and willingness to render substantive decisions at early stages of litigation.

In re: Heartland Payment Systems, No. 09-1043 (D.N.J. Dec. 07, 2009) remains the paradigm for such litigation. To facilitate its payment processing services, Heartland Payment Systems (“Heartland”) stored millions of credit and debit card numbers on its internal computer network. In December 2007, hackers launched a Structured Query Language Attack (“SQL attack”) on Heartland’s payroll management system. To its credit, Heartland was able to successfully avert the attack before any personally identifiable information was stolen. At the same time, however, the company failed to detect malicious software (“malware”) which had been placed on the network by the SQL attack. The malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers. Heartland did not discover the breach until January 2009, at which time it notified government authorities and publicly disclosed the event. Over the course of the following month, Heartland’s stock price dropped over $15 per share. Perhaps not surprisingly, shareholder class actions ensued.

In their complaint, plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. Specifically, plaintiffs claimed that the defendants concealed the SQL attack and misrepresented the general state of Heartland’s data security. Plaintiffs further alleged that the defendants’ conduct was fraudulent because they were aware that Heartland’s network had been breached, yet they had not fully remedied the problem Read the rest of this entry »

Your “Status Update” May be Revealing More Than Your Status

There have been a recent flurry of blog posts and media stories warning internet users about the potential dangers of posting their whereabouts on social networking sites, as such personal information is being used by opportunists to facilitate crimes. For example, just in the last month, three men in Nashua, New Hampshire allegedly used information they obtained from users’ Facebook status updates to learn when the users would not be home and thereupon broke into their vacant and vulnerable residences. Although Facebook has denied any link between its site and the crimes, the Nashua police believe that detailed information about the posters’ travel plans provided the thieves with sufficient information to know when the homes would be unoccupied.

Of course, the incidence of such crimes has not been widely disseminated through traditional media sources, such as newspapers, radio and television. As such, most Americans are unaware of this increasing phenomena. At the same time, internet users are more widely and more frequently publishing their personal information, including their travel and vacation plans, on social networking and other public sites. Moreover, beyond the routine “tweets” and run-of-the-mill social networking status updates, new applications for cellular phones and PDAs are being created to facilitate geographical updates. These applications such as “Foursquare,” “Gowalla” and “Facebook Places,” enable users to instantly identify their current physical location on the profiles they have created on social networking sites. Needless to say, allowing geographical information to freely be disclosed to the public can provide opportunists with even more accurate information about the whereabouts of their victims and their distance from an unoccupied and vulnerable residence.

Read the rest of this entry »

Concurrent CGL and E&O Coverage for “Spyware?” Yes, Says the Eighth Circuit

On July 23, 2010, the United States Court of Appeals for the Eighth Circuit issued an important decision in Eyeblaster, Inc. v. Federal Ins. Co., 2010, U.S. App. LEXIS 15152, No. Civ. A. 08-3640, finding concurrent coverage under both a General Liability (“CGL”) insurance policy and a separate Information and Network Technology Errors and Omissions Liability (“E&O”) policy in circumstances where an online marketing company installed software on a consumer’s computer system, allegedly corrupting the computer’s software operating system.

Eyeblaster Inc. (“Eyeblaster”), the policyholder, is a company that creates, delivers and manages online interactive advertising. For the period December 5, 2006, to December 5, 2007, it was insured under two concurrent policies issued by Federal Insurance Company (“Federal”): (1) a CGL policy covering occurrences which cause damage to tangible property, and (2) an E&O policy which covered claims for financial loss caused by a wrongful act in connection with a product’s failure to perform its intended function or serve its intended purpose, resulting in damage to intangible property. As to the latter policy, intangible property included software, data and other electronic information. Both policies were “duty to defend” forms.

Read the rest of this entry »

Identity Theft: Our Children At Risk

Interviewing for your first job as a teenager is as exciting as it is intimidating. Thoughts of what to do with your first paycheck consume your mind as you rehearse your best “do-you-want-fries-with-that” smile. The interview proceeds flawlessly and you start to count the dollar signs as you await the job offer. But imagine your surprise when you are informed that you did not get the job because your background check revealed that you are over $75,000 in debt and five years behind in your child support payments for your eleven year old child…a terrifying thought considering you are only 16 years old.

Adults aren’t the only victims of identity theft. Child identity theft is an increasing and understated crime. A child’s Social Security Number (“SSN”) is the perfect target, as the theft typically goes undetected until years after the crime has taken place. Indeed, the crime might not be discovered until the rightful owner/victim uses his or her SSN for the first time years later. This revelation often occurs when the victim applies for his or her first job or financial aid before college.

The scheme works as follows: businesses are using various techniques to search the Internet for dormant SSNs. These numbers often belong to long-term inmates, dead people or children. Obtaining them is not as difficult as one may think, as SSNs are distributed systematically depending on age, geographical location and when the number is issued. Once it has been determined that no one is actively using the number to obtain credit, the numbers are offered for sale.

Read the rest of this entry »

The White House’s “Progress” Report on Cybersecurity: There’s A Long Road Ahead

Lest one question the severity of the evolving challenges in our rapidly growing cyber world, President Obama has crystallized it succinctly: (1) “cyber threat is one of the most serious economic and national security challenges we face as a nation;” and (2) “America’s economic prosperity in the 21st century will depend on cybersecurity.” In other words, President Obama has declared cybersecurity to be a national security priority.

While that’s obviously good news, the follow-up question is “how are we doing in meeting the associated demands?” Regrettably, not so well, it seems.

Speaking before cybersecurity and privacy experts from government, law enforcement, the private sector, academia and privacy and civil liberties groups, President Obama, Homeland Security Secretary Janet Napolitano, Commerce Secretary Gary Locke, Cyber Coordinator Howard Schmidt and other Administration officials uniformly acknowledged that far more work needs to be done to protect digital communications and information infrastructure and make it more difficult and costly for cybercrimimals.

Read the rest of this entry »

Credit Card Hackers’ Favorite Target…Hotels.

We’ve all heard the story of the clerk at the local gas station who was double-swiping credit cards in order to make fraudulent copies. Online banking, restaurants, clothing retailers…every industry is potentially a target. Yet the industry that was the subject of more credit card thefts than any other sector in 2009? Hotels.

To the point, SpiderLabs (an affiliate of Trustwave, a data-security consulting firm) has published a study which reports that 38% of the credit card hacking events in 2009 involved the hospitality industry. Over one-third of all thefts of credit card numbers occurred at hotels. Much to my surprise, given the wealth of reporting on the subject, the financial services industry lagged well behind at a comparatively minor 19%. Retail followed at 14.2% while restaurants and bars were fourth at 13%.

I guess I shouldn’t have been surprised, though, as my own credit card number was stolen several years back while i was staying at a business travelers’ hotel in New York City. I had gone to the City for a Cinco de Mayo event sponsored by a major international insurer. Several days later, I received a call from my credit card company asking if I had bought gasoline on Long Island or a $5000 television at a big box retailer. While I do buy gasoline, I hadn’t been on Long Island. And while I certainly would have loved a $5000 television (or, for economy’s sake, something less pricey), I hadn’t bought that either. The conclusion was simple: my credit card number had been stolen when I used it at the New York hotel.

So, why hotels? According to security analysts, they’re generally easy targets. The large chain hotels may employ sophisticated security technology or other protections. Or they may not. In either case, how about smaller or private owned, non-chain hotels? The next time you check into a hotel, ask what security methods they use to protect credit card information. You probably won’t like the answer. The credit card number that you provide at check-in may sit in a folder or a file maintained right at the front desk. Who would prevent someone from simply lifting the file? Especially in the middle of the night. The single desk clerk on overnight duty?

Read the rest of this entry »

Wake Up and Smell the Threats: Two Recent Examples of Why Municipalities Need Cyber Insurance

Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.

Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. Its 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post No One is Immune. Even Government Entities Need Cyber/Tech Insurance?

Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.

Read the rest of this entry »

But I’m Innocent, I Swear! This Website Proves It!

Who would have thought a comment as innocent as “Just walked into work at Cozen O’Connor-Toronto…so much work to get done” could potentially cause you so much trouble?

I came across an article this weekend by Tracy Staedter, titled “I’m Not Home: Please Rob Me”. Ready to become paranoid? Read the article – it’s short and to the point. Ever send out Evites? How about prior tweets, MySpace posts, etc. inviting people to your place and including an address? Bingo! Better pack up and move quick!

The website causing havoc is www.PleaseRobMe.com. Check it out…make sure you aren’t on the site…then check again after every time you tweet, post, etc. Do you have the time to constantly check? Probably not. Should you? Probably. It may make you paranoid, but then again, shouldn’t you be? But should the creators of the website be blamed – legally, morally, ethically? Should they be held accountable for what you put out into the public realm? Can you sue for violation of your privacy rights? Do you really have an expectation of privacy in any of those posts? In an age where MySpace, Friendster and other social networking sites regularly have their records subpoenaed, why should anyone think that anything they post will be “private”? What piqued my curiosity even more was how this website could apply in the criminal or tort law application. Can this website be used to substantiate or corroborate an accused’s alibi – “Your Honor, look! I have proof that I wasn’t in the city when the crime occurred…I tweeted that I would be in Los Angeles!” Look, my knowledge of Canadian (or U.S., for that matter) Criminal Law/Procedure does not extend further than the 800 or so pages of textbooks I read while in law school. But surely this website can be put to more use than just what the creators intended. So long as a proper foundation is laid, and the purported evidence is relevant, it may be admitted, right? Something to definitely consider as a defense attorney.

The creators of the website claim the site is supposed to help us…to open our eyes to the evil out in the world. Call me crazy, but perhaps a simple email addressed to me would have been more appreciated…though it leaves one wondering if such a logical course of action would have been as effective.

www.pdf24.org    Send article as PDF   

What’s in a Name? Domain Name Disputes for Dummies

Never underestimate the value of a good domain name! As any website owner will tell you, http://www.rose.com, by any other name, is likely to lose customers.

About a week ago, my colleague’s nephew, Kevin Bortnick, found himself in a domain name predicament. His plight is interesting and he has graciously permitted us to blog about his situation, which provides some useful context for a discussion about domain name disputes.

Kevin is a talented website developer who used the name “KBortnick” or “KB” for his internet business. In November of 2005, he registered the domain name kbortnick.com for a period of four years, at a cost of about $10 per year. Although the domain name expired in November, 2009, he explained that “I was moving out & had a bit of a money crunch, so I figured I’d renew it in about a month, because it really wasn’t worth anything & I figured it would be fine….”

A couple of weeks ago, he attempted to re-register the name, only to discover that someone else had purchased it. That unknown ‘someone’ had immediately put it up for sale on a website that auctions off domain names, http://seto.com, subject to a minimum bid of $480. As you can imagine, Kevin was livid. “The highest I’ve ever seen my domain name appraised at was about $30”, he exclaimed, “and most places didn’t even give it that!”

(I empathized with Kevin’s situation. Over Canadian Thanksgiving, while I was sitting before the computer in a state of turkey-induced lethargy, I was suddenly roused from my stupor by the discovery that the domain name “pamelapengelley.com” could be registered for the low, low price of just $10 a year. I may soon write a post that is entitled “How I learned the hard way that just because you can make a hideously tacky personal flash website dedicated to your glorious self doesn’t mean that you should make one.” But I digress…)

Kevin’s dilemma got me thinking – is this what is known as “cybersquatting”? Is there any remedy for this sort of thing? Does Kevin have any recourse?

In fact, there are a couple of different mechanisms for resolving a cybersquatting dispute, and my understanding of them was greatly assisted by some basic knowledge about the development of the Internet and some tech-related acronyms like “DNS”, “IP” and “ccTLD”. If these terms are unfamiliar to you, then I ask for your indulgence while I lay out some of the basic IT background. It’s a bit lengthy so if you are computer-savvy, you may just want to skip part 1. Read the rest of this entry »

Cyber/Tech Underwriters Build Their Portfolios…As Corporate Executives Fret

j0283561The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.

A January 29, 2010 study commissioned by McAfee, Inc and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.

The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.

The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more. With additional attacks to come. Of most concern, perhaps, over half of those surveyed believe that the U.S., China and Russia as the three most vulnerable countries.

The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.

This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.

PDF Editor    Send article as PDF   

The Globalization of Cyber/Tech Risks and the Implications for Worldwide Insurance Coverage

j0254490As recognized below in Pamela’s post discussing whether the loss of computer data is “property damage” in the eye of tort law, the issues surrounding cyber/tech/privacy liability and the attendant insurance coverages are not the exclusive province of the United States or U.S. courts.

To the contrary, virtually every country worldwide is increasingly faced with the problem of having to deal with the hard social and legal issues presented by a rapidly evolving cyber world. So too, policyholders and the insurers who typically grant worldwide coverage under their policies must recognize that the risks faced are not exclusive to the U.S. or our Canadian cousins. The risks are global in nature and policyholders and insurers alike need to stay current with what’s happening outside our cocoon of the Western Hemisphere.

I am certain every reader is aware of the socio-political dispute whereby Google has threatened to withdraw from China amid claims that the Chinese government has hacked into Google’s and other third-parties’ databases, spied on Google email accounts, and tightened blocks on tens of thousands of internet sites, including Facebook, Twitter and YouTube. U.S. Secretary of State Hillary Clinton has spoken on the subject, advocating that companies such as Google refuse to support “politically motivated censorship.” Secretary Clinton also accused China, Tunisia and Uzbekistan of boosting censorship and called on Beijing to investigate the recent cyber attacks on Google and others. (On a side note, just last week, Europe’s principal security and human rights watchdog accused Turkey of blocking 3700 internet sites for “arbitrary and political reasons.”).

Read the rest of this entry »

Online Banking and “Reasonable Security” Under the Law: Breaking New Ground?

j0300523With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law.

Ironically, this question may be answered by reference to a 20 year old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking (Patco Construction Co. v. People’s United Bank (“PATCO”) and JM Test Systems, Inc. v. Capital One Bank (“JMT”)) and a court’s ruling on a motion for summary judgment in similar lawsuit (Shames-Yeakel v. Citizens Bank Memo and Memo Order on Motion for Summary Judgment – “Shames-Yeakel” case). In short, since the Shames-Yeakel case proceeded past the “damages” pleading phase, it (and possibly these other online breach suits) reveals how some courts view security “standards” and approach the question of whether a company has achieved “reasonable security.” I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.

Read the rest of this entry »

Loss of Computer Data: Is it Property Damage?

j0236341Let us say, speaking hypothetically, that a grossly negligent individual (who, since we are speaking hypothetically, is named…”Mr. X”) has accidentally uninstalled my favorite computer game, “Sid Meyers Civilization IV” (for which, by the way, I paid good money and patiently waited three whole hypothetical hours to legally download onto my computer).

Let us further hypothesize that I was twelve hours into a very successful game which has now gone the way of the passenger pigeon. Is the loss of my computer software considered “damage to property” for the purpose of a negligence action, or is it just a form of pure economic loss? “Of course it’s property damage!” I thought to myself, “and a most egregious form at that!”

Yet, in law, as in life, few things are certain. I was compelled to learn more, and so I conducted a brief review of the case law from Canada, the United States and Australia to satisfy my curiosity. What I have learned is that, notwithstanding that we live in the age of the internet, it is far from clear whether we can sue for the loss of electronic data in a negligence action.

Read the rest of this entry »