ALJ Denies LabMD’s Motion for Sanctions Against the FTC

Although the litigation between LabMD and the Federal Trade Commission (FTC) continues in the Eleventh Circuit, an administrative law judge has resolved one battle between the two entities. Chief Administrative Law Judge D. Michael Chappell recently issued an order denying LabMD’s motion for sanctions against the FTC.

In 2009, information security firm Tiversa, Inc. notified the FTC that a file containing the personal information of over 9,300 LabMD customers (the “1718 file”) was available in a LimeWire sharing folder installed on a LabMD computer. The file was allegedly found on several LabMD IP addresses. LabMD alleged that Tiversa stole the file from a LabMD workstation in Atlanta, Georgia, and further claimed that the FTC never independently investigated the alleged theft or verified the origin or chain of custody for the 1718 file before commencing its action against LabMD.

Moreover, LabMD alleged an improper relationship between the FTC and Tiversa in that Tiversa benefitted financially from referring companies to the FTC for investigation. Specifically, LabMD alleged that many targets of FTC enforcement actions later became Tiversa clients. Accordingly, LabMD sought an order dismissing the FTC action with prejudice and awarding it attorney fees and costs.

Read the rest of this entry »

Tangible Property Coverage: The Next Frontier in the Tech Insurance Market

In the beginning

The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days, there was a widely held belief that the primary concern was operational, amidst concerns about the impact of a computer virus or the actions of a “Hacker”, a new term to many of us then.

Despite the lack of actuarial data, a few underwriters in the US and London started to devise solutions to indemnify business interruption losses and the costs to restore compromised data. Commonly known as “Hacker Insurance”, we found few buyers beyond large US banks. Clients found the underwriting process both intrusive and expensive as insurers demanded onsite security audits.

On July 1st 2003 everything changed.

Read the rest of this entry »

Cyber at Lloyds: Catching the cyber horse in motion

The following article was written by my good friend Tony Ellwood. Tony is senior executive, underwriting, at Lloyd’s Market Association and a thought leader. We are grateful to Tony for allowing us to republish his article, which first appeared in the July 16th edition of Insurance Day.

Rick

London: The question of whether a running horse has all four hooves in the air simultaneously was one that perplexed generations. No matter just how closely a horse was observed, the motion of its legs was simply too rapid for the human eye to register accurately. It was not until the advent of photography and an experiment by Eadweard Muybridge in 1878 that the question was answered. He developed a camera that was triggered by wires attached to a horse’s legs allowing him to shoot 24 photographs as the horse ran past, which proved beyond a shadow of doubt that a horse does indeed lose contact completely with the ground in mid-gait.

There are many parallels between Muybridge’s study of the running horse and a new survey the Lloyd’s Market Association (LMA) has launched to understand the full extent of cyber risk being underwritten in the Lloyd’s market. The similarity is the sheer pace with which cyber liability has grown from its beginnings in the mid-1990s to current global premiums in the order of £1.5bn, and still rising sharply. The speed of that growth, combined with the rate at which cyber has evolved as a product, makes it a particularly tricky line to pin down. What’s more, the question that has been formulating in the LMA’s collective mind is how much cyber liability is being written at Lloyd’s within other classes of business such as marine or aviation. This survey is the first attempt to comprehensively map that business.

Read the rest of this entry »

The Insurance Industry and ICANN: The Next Frontier

We all take the Internet for granted. Short of a power outage taking down phone lines, cell towers and satellite transmissions, the Internet will always be there. Like death and taxes, you can count on it.

Not that the paradigm will change any time soon, but at some point, it might.

On March 14 and 17, 2014, the Wall Street Journal reported on the decision by the National Telecommunications and Information Administration (“NTIA”), part of the Commerce Department, to cede control of the Internet from the Internet Corporation for Assigned Names and Numbers (“ICANN”) (a U.S. non-profit) to an organization of multinational stakeholders.

As readers of Cyberinquirer know, ICANN is responsible for managing the core of the Internet by distributing domain names and Web addresses. It’s been doing so since 1998.

Read the rest of this entry »

The Target Breach: Show Me The Insurance

The following article was first published by the Advisen Cyber Risk Network. If you haven’t checked it out, you should. It’s extremely informative. And I’ll be a regular contributor.

Cheers.

Rick

By now, almost everyone has read or heard about – or even been directly impacted by – the theft of financial data relating to over 40 million credit and debit cards used at Target stores in November and December last year.

However, the insurance coverage aspects of the breach have generally flown under the radar.

To a company like Target (or whoever is affected by the next breach), the availability of insurance coverage is an important component of crisis management and remediation, litigation and regulatory investigation strategies, and reputational/brand/lost income protection.

So assuming Target has purchased potentially applicable insurance products, what coverages might apply?  And how might they respond?

At a minimum, it can be expected that Target will investigate the availability of coverage under four separate lines of insurance: Cyber, privacy and technology (CPT); general liability; crime/fidelity and; directors and officers liability policies.

Read the rest of this entry »

Snowden Affair Fuels the Conflict for Control of the Internet

The following article, written by my friend Vince Vitkowsky, originally appeared in Advisen Front Page News, Cyber Edition, on November 7, 2013. Vince is an attorney in private practice who specializes in litigation, arbitration, and matters at the intersection of insurance, cybersecurity, and public policy.  He can be reached at vvitkowsky@gmail.com.

Cheers.

Rick

There is a serious conflict over future control of the Internet, as nations seek to influence its delivery mechanisms, protocols, economics, security, content, and governance. Until now, key functions have been managed through a multi-stakeholder approach, using technical organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), with oversight conducted by the US. But the last several years have seen a growing challenge to this system and the US role. Now a tipping point may have been reached. The public disclosures of the scope of the NSA surveillance programs have led to widespread international criticism, focusing and catalyzing the call for changes in Internet governance. The Internet is the most dynamic engine for economic growth in the world today, as well as the vital mechanism for dissemination of ideas. So the outcome of the conflict for control will have profoundly important commercial and political consequences.

Key developments. The pressure for change came into sharp focus in Dubai in December 2012, at the World Conference on International Telecommunications (WCIT), which was held by the UN’s International Telecommunications Union (ITU). There, the US struggled unsuccessfully against the movement for greater international control. It urged that the current system, based around ICANN and other nongovernmental organizations, be preserved. It made every possible effort to deny that regulation of any aspect of the Internet was within the authority of the ITU. But that view was repudiated by a majority of nations, and the WCIT ended in acrimonious collapse.

Read the rest of this entry »

Asia-Pacific Cyber Law Risks and Developments

We first published the following White Paper extract in October 2011. While the White Paper might be somewhat dated (and therefore will be refreshed shortly), it remains relevant for our friends interested in learning the basics of Asia Pacific cyber/privacy law. Please let me know if you’d like to see the entire paper. Rick

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity.

At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).

Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.

Read the rest of this entry »

Power to the People: Social Media Technologies Mediating Corporate Social Governance

The measure of effectiveness of a CEO and its executive board has always been the degree to which the business is achieving its purpose. Whether in Canada, the U.S., Europe or Asia, an executive board’s purpose should be to increase shareholder value, a purpose that is best accomplished by serving the needs of various stakeholders. Somewhere in the pyramid of stakeholders is the consumer or client, whose likes, favorites, and preferences must be met with quality personalized products and services that deliver high competitive value. In an interconnected global knowledge economy, this has meant listening to what consumers are saying online through social media platforms like Facebook and Twitter, and engaging in two-way conversations to respond in real-time to consumer demands.

Read the rest of this entry »

The Queen v. Cole: Privacy Protection for Employer-Issued Equipment in Canada

The recent decision The Queen v. Cole by the Supreme Court of Canada touches upon interesting issues regarding information privacy in the digital age.

The facts are simple. An information technologist working at the same high school as Mr. Cole, a teacher, remotely accessed Cole’s history of internet access and one of his drives and found a hidden file which contained nude photographs of a student. The photographs and internet file were copied onto a disc and given to the police, which determined that a search warrant was unnecessary. Cole was subsequently charged with possession of child pornography and fraudulently obtaining data from another computer hard drive. The trial judge excluded the computer material under Sections 8 and 24(2) of the Charter. In overturning the decision, the summary conviction appeal court found no breach of Section 8. This decision was set aside by the Ontario Court of Appeal, which concluded that the evidence of the disc containing the temporary internet files and the laptop computer and its mirror image was excluded. A 6-1 majority ruling by the Supreme Court concluded that the police infringed upon Cole’s rights but upheld the Court of Appeals’ finding that the evidence should not have been excluded from trial.

Read the rest of this entry »

Planet Mars, Curiosity, and Data Security

For those captivated by recent events in astronomy, parallels can be drawn between the recent landing of NASA’s rover Curiosity on planet Mars and the public discourse on data security in Canada. With the distinction that one is effectively equipped with the right budget and tools to achieve its actual objective, both have come a very long way, both have managed to blaze through layers of clouds, both seek to secure ingredients essential to life, and both are now aimlessly wandering about uncharted territories.

A decisive factor in Barack Obama’s 2008 political campaign was the extensive use of individual, thin-sliced consumer data to send highly tailored messages to gain political support. Within 13 years, Google has become the most valuable brand in the world through the aggregation of vast amounts of data including search data, or data held in Gmail accounts. This information is then used to create an advertising cruise missile, which is much more efficient than the old method of pattern bombing.

Read the rest of this entry »

State Privacy Laws Evolve While Congress Campaigns

New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.

Connecticut

At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.

Read the rest of this entry »

Human Error: The Greatest Risk and Root Cause of Data Security

Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While they tend to possess greater network security than smaller organizations, the risk of human error should be of particular concern to medium and large size organizations whose internal controls over data and employees are inevitably diluted by their size and numbers.

Read the rest of this entry »

Past the Point of No Return: Jones v. Tsige and the “New” Tort of Invasion of Privacy in Canada

Jeremy Bentham used to refer to the common law as the “dog law”. As he explains it, “whenever your dog does anything you want to break him of, you wait till he does it, and then beat him for it. This is the way you make laws for your dog: and this is the way the judges make law for you and me.”

Insofar as the tort of invasion of privacy in Canada is concerned, Jeremy Bentham was arguably right. Aside from the province of Quebec, which is governed by a civil law system, and a few other provinces in Canada which have benefited from a statutorily enacted tort of invasion of privacy, lower Courts have been divided over the existence of a free-standing tort of invasion of privacy at common law. The recent decision Jones v. Tsige (2012) by the Ontario Court of Appeal is the first to confirm that what used to be an embryonic tort of invasion of privacy is now alive and well in Canada.

Read the rest of this entry »

Agreement between the US, NATO, and Australia on Cyber Security

The US and Australia have a longstanding agreement to back each other up in case of physical enemy attack, but now have moved that agreement to the arena of cyber-attack as well. With Australia’s history of cyber-attacks well known, such as an attack two years ago that brought down Australia’s Parliament’s website, the country cannot afford to ignore cyber security any longer.

Read the rest of this entry »

Cyber-security in a Hyperconnected World

The cyber-attacks recently launched by six individuals from the group Anonymous, an international hacktivist collective, against 13 Quebec government and police websites are but a fleeting glimpse of a much broader problem associated with the cyber world, most of which remains largely unseen. Succinctly stated, the cyber-attacks were a response to the Quebec Liberal party’s constitutionally questionable Bill 78 that was recently passed as a response to the student crisis sparked three months ago over the government’s planned 75% tuition increase. That six individuals were arrested by law enforcement agencies and charged with mischief, conspiracy, and unlawful use of a computer should hardly be reassuring.

Read the rest of this entry »

Insurers: Assert Your Subrogation Rights

The following column was first published in the second issue of Advisen’s Cyber Liability Journal (here). I will republish my future columns in coming months. In the meantime, you can subscribe to the Journal at http://corner.advisen.com/journals.html (here).

Rick

It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, its development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance.

At present, there are over 25 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model.

Read the rest of this entry »

Will SEC Guidance Awaken Private Companies To Cyber Insurance Needs?

The following article was first published in Advisen’s inaugural Cyber Liability Journal (here) as my first regular column. The second Journal was published today and is available from Advisen at http://corner.advisen.com/journals.html (here). I will republish my second column in the coming days.

Rick

Many who underwrite or broker insurance, or practice law in the cyber/technology/privacy (“CTP”) realm migrated to this emerging area from the directors and officers liability regime. At the same time, it did not take a crystal ball to recognize that it was only a matter of time before CTP and D&O found a commonality. And that time is now.

Virtually every public and private company is reliant on computer networks and electronic data. It’s a way of life in the 21st Century. And there’s no going back. Yet with reliance comes risk. It seems we read about significant CTP breaches involving large, multinational companies almost on a weekly basis. CTP breaches have become a well-recognized risk of doing business. Estimates project that over 10 percent of us already have been hacked or had their identities stolen. I am among them.

Read the rest of this entry »

The Implications of a Cyberattack on Your Securities Portfolio: You May Want to Read Your Holdings’ 10-Ks

So, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In the “Risks” section of its 2009 10-K, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. Kudos to Intel for making this disclosure, which predated the October 2011 publication of the SEC Guidance addressing public companies’ cyber risks and exposures (discussed here and elsewhere, including in the March 2012 edition of the Advisen Cyber Journal. Please feel free to contact me for details on how to obtain this must-read issue and subscribe. Advisen has done a masterful job, as it does with all of its publications). As will be discussed in my next post, a significant number of public companies still have not complied with their cyber risk and cyber exposure reporting “obligations” under the SEC Guidance.

As to Intel, the subject 10-K listed several noteworthy risks. The most intriguing stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.”

The adverse economic impact of a cyber-related disclosure is not theoretical, either. Indeed, in the immediate wake of the News Corp./News of the World cell phone hacking scandal in mid-2011, News Corp’s market cap reportedly fell by over 15%, valued at approximately $7 billion, in less than a week. Not surprisingly, News Corp was sued shortly thereafter in a series of securities fraud class actions, which remain pending.

While cyber risks and exposures may or may not have an impact on a stock’s trading price, their potential impact cannot be ignored. Google (GOOG) is another example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development cannot be understated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. By April 25, 2010 Google’s shares were trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyber event can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brand’s reputation (remember News of the World? After 168 years of tremendous success globally, it ceased publishing on July 10, 2011 as a direct result of the hacking scandal), all the way to claims arising from the theft of consumers’ personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) led TJX to settle with regulators, states, consumers and others and set a settlement/remediation reserve of over $100 million.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.

What Underwriters Don’t Know Can Cost Them…Dearly

The occurrence and frequency of cyber breaches are not as transparent as one might expect. Or hope, for that matter. To the contrary, the FBI’s chief cyber crimes investigator recently admitted that “thousands” of cyber crimes have gone unreported due to companies’ fears about the impact of adverse publicity on their reputations and bottom lines.

According to Shawn Henry, assistant director of the FBI’s Cyber Division, hackers regularly access computer security systems and steal millions of dollars and credit card numbers without such incidents ever being publicly reported. Indeed, Mr. Henry has acknowledged that “[o]f the thousands of cases that we’ve investigated, the public knows about a handful…There are million-dollar cases that nobody knows about.”

And the problem is not limited to Fortune 500 and other large companies such as TJX and Heartland, which have voluntarily disclosed cyber intrusions. Indeed, the incidence of cyber attacks on such companies is growing marginally or even shrinking, as these entities implement more complex security systems. The more frequent target has become medium-sized and small companies which do not have the resources or perhaps the ability or interest to enhance their cyber protections. The same goes for private citizens whose personal wealth and, equally troublesome, personal secrets may be at risk as their personally identifiable information is wrongfully retrieved and then used to access their bank and other investment accounts. Needless to say, no one wants to admit they’ve been hit or that their resources have been stolen. The stigma alone is a major deterrent to such public disclosures. (“Hey Joe… guess what… I was just robbed of $10 million!! And, they learned that I’ve been cheating on my spouse for the past ten years… How about that!!!”).

For cyber insurers, a prospective policyholder’s unwillingness to disclose such intrusions can be a major problem, both from an underwriting and claims perspective. As always, the key is proper detailed due diligence up-front. Underwriters cannot take for granted that they would or should know about an intrusion at a potential account. They must ask the right questions, require the proper warranties, and “pull back the curtain” to ensure that the risks they take on are just that – risks – rather than cyber intrusions waiting to happen. “Penny-wise, pound foolish” is particularly apt. Spend the time and money to vet your proposed accounts. The cost of a claim or related coverage litigation will dwarf the expense of a thorough underwriting investigation. Unlike the availability of insurance, that is a guarantee.

Access to Insured’s Social Media Accounts: No Friend Request Necessary

The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here.

Rick Bortnick

Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request. Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.

Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.

In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation.

Read the rest of this entry »

The Coverage Question

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.

Read the rest of this entry »

New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.

Securities Law and Cyber Disclosures… Perfect Together…Especially for Cyber and Tech Underwriters and Brokers. And Me

It’s not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director of a company that does not “comply” with the DCF’s “recommendations.”

Tenth Circuit “Dishes Out” Important Opinion Addressing The Scope Of Advertising Injury Coverage For Patent Infringement Claims

On October 17, 2011, the U.S. Court of Appeals for the Tenth Circuit issued a much-anticipated decision addressing the scope of “Advertising Injury” (“AI”) coverage for patent infringement claims. Dish Network Corp. v. Arch Specialty Ins. Co., No. 10-1445, __ F.3d __ , 2011 U.S. App. LEXIS 20955 (10th Cir. 2011), rev’g, 734 F. Supp. 2d 1173 (D. Colo. 2010). The court, applying Colorado law, reversed a decision from the District of Colorado in which that court granted summary judgment to the insurers. In the underlying action, the plaintiff alleged that Dish Network Corp. (“Dish”) had infringed one or more of twenty-three patents by “making, using, offering to sell, and/or selling . . . automated telephone systems, including . . . the Dish Network customer service telephone system, that allow[s] Dish’s customers to perform pay-per-view ordering and customer service functions over the telephone.” The Tenth Circuit concluded that the record was unclear about how Dish actually used the technologies at issue, but that some of the patent-holder’s most well-known innovations involved interactive call processing.

INTRODUCTION TO CANADA’S PIPEDA PRIVACY LEGISLATION

I. Overview

Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.

Ensuring Discovery Compliance: Sanctions Relating to Past, Present, and Future Adverse Parties

First published on September 22, 2011 at e-Discovery Law Review
Monetary sanctions, attorneys’ fees, and adverse inference jury instructions are the more common types of sanctions imposed on litigants for the spoliation of evidence or for failing to produce relevant documents. Recently, however, a court has increased the severity and impact of sanctions by applying them not only to current litigation, but also to a party’s future litigation, with the effects lingering for years to come.

The Underlying Suit

“Any competent electronic discovery effort would have located this email.” These words were written in an opinion by a United States District Judge in the Eastern District of Texas in Green v. Blitz U.S.A., Inc., No. 2:07-CV-372 (E.D. Tex., Mar. 1, 2011). Green involved a product liability suit in which the requirement of a flame arrester was in dispute. The jury returned a defense verdict, and the plaintiff collected a low settlement amount as part of a high-low settlement agreement. During discovery in a subsequent case with the same defendant and plaintiff’s counsel, counsel learned of documents that were not produced in Green. The plaintiff then filed a motion for sanctions against the defendant in Green and a motion to re-open the Green case. While the court denied the motion to re-open because the statute of limitations had expired, the court did impose sanctions for the discovery abuse.

Best Buy “Geeks” Out, Accusing Others of Trademark Infringement

In addition to being a trademark geek, I could be accurately accused of also being a tech geek. A “geek” is someone who loves using, and helping other people use, technology to help simplify his or her life. Best Buy, capitalizing on this endearing term for electronic lovers, created the Geek Squad, a tech support service. Their distinctive orange and black cars marked with their trademarked logo can be called out to provide in-home support or they are just a phone call away to help you with your technological needs.

There are not many words other than “geek” that convey the nerdy type of people who love technology, but Best Buy is taking action against others who use “geek” for this purpose in their slogans. In a recent lawsuit against Newegg.com, Best Buy claimed trademark infringement over Newegg’s slogan “Geek On,” saying that the similarity between the mottos, in addition to Newegg’s use of orange and black in its logo, breaches Best Buy’s rights. And this is neither the first, nor the last, time that Best Buy will sue companies over this issue.

Discovery in the Age of Cloud Computing

During the last decade, individuals and businesses have changed the way they manage their data by moving this data management offsite – otherwise known as cloud computing. This differs from the old model of information management that, more or less, mirrored the pre-computing era, meaning that an employee’s file might be kept in a cabinet in a Human Resources (“HR”) office or stored on a company’s in-house server. With cloud computing, however, that same employee file may be stored hundreds or thousands of miles away from the HR officer who needs to review it – or the IT officer tasked with preserving that data for potential litigation.

As discussed more fully in Rick Bortnick’s prior posts (here and here), cloud computing outsources data and software management, migrating it from the local to the global by providing instant access over the internet. According to the National Institute of Standards and Technology, cloud computing has five primary characteristics: (1) “on-demand self-service,” or the ability to call up stored data or capabilities as needed; (2) broad network access through a variety of platforms; (3) pooling of resources, providing “location independence”; (4) “rapid elasticity” in the distribution of computing capabilities; and (5) “measured service,” or service-appropriate control and optimization by the cloud system manager rather than the local user. It is the pooling of resources and the measured service managed by third parties that pose the greatest risks during e-discovery.

Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personally identifiable information, the problem has existed for decades.

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers having to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008).

“Anonymous” Hacks PlayStation Network and Sony Feels the Pain

Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.

If anyone still harbors the notion that video games are simple distractions from the age of Pong, they haven’t seen the latest statistics. One of the most popular games released last year, “Call of Duty: Black Ops”, generated $650 million in the first five days of sales and exceeded $1 billion in record time. The achievement put the game in the company of Michael Jackson’s “Thriller” album and James Cameron’s movie “Titanic.” As a whole, the video game industry has been valued at over $100 billion. That massive size and scope makes the impact of a cyber attack all the more devastating.

Bloggers Beware: Righthaven’s got its eye on you…

Whether you own a website where you allow blogs and comments to be posted, or if you are the blogger/poster, listen up.

For those of you who haven’t heard of Righthaven LLC, they are to the blogging world what editors are to the Law Review world…cite-checking and anti-plagiarism “proponents” (let’s call ‘em that, for argument’s sake). Righthaven’s been making quite a splash and has gained popularity among news chains since its coming into existence in the spring of 2010. According to David Kravets’ article, “Righthaven Expands Troll Operation With Newspaper Giant,”[1] Righthaven has filed over 180 lawsuits and has settled over 70 of them already. Its major suppliers of copyrighted material include Stephens Media (owners of Las Vegas Review-Journal), MediaNews Group (owners of San Jose Mercury News and the Denver Post), and WEHCO Media (owners of Arkansas Democrat-Gazette and Chattanooga Times Free Press), to name a few.[2] Owned by Net Sortie Systems LLC and SI Content Monitor LLC, Righthaven is the brainchild of Las Vegas-based IP attorney Steven Gibson.[3] Righthaven’s clients assign their rights in the content to Righthaven, which then sues for copyright infringement.[4]

In order to analyze the problems faced by the parties to such lawsuits, we’ll have to discuss the U.S. Copyright Act, as well as the Digital Millennium Copyright Act (“DMCA”).

Invasions of Privacy In The Cyber Sphere: Who’s Watching And What They Know About You

Google, Facebook, Twitter, Foursquare—millions of Americans, including myself, depend on these cyber sites as their gateway to information and communication in the outside world. What we may not realize, or choose to ignore for convenience’s sake, is that this gateway lies on a two-way street. The information that we seek using websites such as Google and what we communicate on Facebook and Twitter provide companies with vital data to better market their products to us. This use of information is referred to as “data mining.”

An example of data mining can be seen in the advertisements that pop up on the side of your Facebook home page. Such ads are often relevant to the information posted on your “Profile” page, such as advertisements promoting products from your college alma mater.

At the outset, data mining seems like a win-win situation for both the consumer and the seller—the consumer is marketed a product in which they are seemingly interested, and the company has utilized its advertising budget in an informed, cost-effective manner. At the same time, however, the threat of an invasion of privacy is real and has drawn the attention of members of Congress and federal officials, who seek to create legislation regulating the way in which, and the extent to which, our personal information is shared with third parties.

Concurrent CGL and E&O Coverage for “Spyware?” Yes, Says the Eighth Circuit

On July 23, 2010, the United States Court of Appeals for the Eighth Circuit issued an important decision in Eyeblaster, Inc. v. Federal Ins. Co., 2010 U.S. App. LEXIS 15152, No. Civ. A. 08-3640, finding concurrent coverage under both a Commercial General Liability (“CGL”) insurance policy and a separate Information and Network Technology Errors and Omissions Liability (“E&O”) policy in circumstances where an online marketing company installed software on a consumer’s computer system, allegedly corrupting the computer’s software operating system.

Eyeblaster Inc. (“Eyeblaster”), the policyholder, is a company that creates, delivers and manages online interactive advertising. For the period December 5, 2006, to December 5, 2007, it was insured under two concurrent policies issued by Federal Insurance Company (“Federal”): (1) a CGL policy covering occurrences which cause damage to tangible property, and (2) an E&O policy which covered claims for financial loss caused by a wrongful act in connection with a product’s failure to perform its intended function or serve its intended purpose, resulting in damage to intangible property. As to the latter policy, intangible property included software, data and other electronic information. Both policies were “duty to defend” forms.

The White House’s “Progress” Report on Cybersecurity: There’s A Long Road Ahead

Lest one question the severity of the evolving challenges in our rapidly growing cyber world, President Obama has crystallized it succinctly: (1) “cyber threat is one of the most serious economic and national security challenges we face as a nation;” and (2) “America’s economic prosperity in the 21st century will depend on cybersecurity.” In other words, President Obama has declared cybersecurity to be a national security priority.

While that’s obviously good news, the follow-up question is “how are we doing in meeting the associated demands?” Regrettably, not so well, it seems.

Speaking before cybersecurity and privacy experts from government, law enforcement, the private sector, academia and privacy and civil liberties groups, President Obama, Homeland Security Secretary Janet Napolitano, Commerce Secretary Gary Locke, Cyber Coordinator Howard Schmidt and other Administration officials uniformly acknowledged that far more work needs to be done to protect digital communications and information infrastructure and to make attacks more difficult and costly for cybercriminals.

Immigration Enforcement’s New Target: Counterfeit Movies and Shows

Apparently feeling that they’ve resolved the longstanding issue of illegal immigration and can move on to the next crisis, Immigration and Customs Enforcement (“ICE”) and the U.S. Justice Department have identified a new enemy in their ongoing struggle to protect truth, justice and the American way: Internet sites that sell counterfeit goods and pirated movies.

Indeed, just this month, government officials announced that they have shut down nine websites as part of their newly announced initiative, “Operation In Our Sites,” which is intended to protect Hollywood’s intellectual property. Officials estimated that nearly 7 million pirated movies and shows per month were downloaded from the offending websites.

The announcement was held on a soundstage at The Walt Disney Studios in Burbank, CA. Neither Johnny Depp nor Captain Hook reportedly was present.

Credit Card Hackers’ Favorite Target…Hotels.

We’ve all heard the story of the clerk at the local gas station who was double-swiping credit cards in order to make fraudulent copies. Online banking, restaurants, clothing retailers…every industry is potentially a target. Yet the industry that was the subject of more credit card thefts than any other sector in 2009? Hotels.

To the point, SpiderLabs (an affiliate of Trustwave, a data-security consulting firm) has published a study which reports that 38% of the credit card hacking events in 2009 involved the hospitality industry. Over one-third of all thefts of credit card numbers occurred at hotels. Much to my surprise, given the wealth of reporting on the subject, the financial services industry lagged well behind at a comparatively minor 19%. Retail followed at 14.2% while restaurants and bars were fourth at 13%.

I guess I shouldn’t have been surprised, though, as my own credit card number was stolen several years back while I was staying at a business travelers’ hotel in New York City. I had gone to the City for a Cinco de Mayo event sponsored by a major international insurer. Several days later, I received a call from my credit card company asking if I had bought gasoline on Long Island or a $5000 television at a big box retailer. While I do buy gasoline, I hadn’t been on Long Island. And while I certainly would have loved a $5000 television (or, for economy’s sake, something less pricey), I hadn’t bought that either. The conclusion was simple: my credit card number had been stolen when I used it at the New York hotel.

So, why hotels? According to security analysts, they’re generally easy targets. The large chain hotels may employ sophisticated security technology or other protections. Or they may not. In either case, what about smaller or privately owned, non-chain hotels? The next time you check into a hotel, ask what security methods they use to protect credit card information. You probably won’t like the answer. The credit card number that you provide at check-in may sit in a folder or a file maintained right at the front desk. Who would prevent someone from simply lifting the file? Especially in the middle of the night. The single desk clerk on overnight duty?

Two New Online Resources For IP Information: “WIPO GOLD” And USPTO

Within the last week, two separate intellectual property search engines were launched, each of which has the potential to significantly ease searches for patents, trademarks and other IP (see http://www.wipo.int/wipogold/en/).

Specifically, on June 1, 2010, the World Intellectual Property Organization (“WIPO”) introduced a free online public resource, “WIPO GOLD,” which aims to facilitate universal access to IP information. It promises “quick and easy access to a broad collection of searchable IP data and tools relating to, for example, technology, brands, domain names, designs, statistics, WIPO standards, IP classification systems and IP laws and treaties.” The site also includes a helpful translation option, should users wish to view search results in a language other than the default, English. The news report can be viewed here: http://www.wipo.int/pressroom/en/articles/2010/article_0018.html

Meanwhile, the United States Patent and Trademark Office (USPTO) separately announced on June 2, 2010 that it has entered into a “no-cost, two-year agreement with Google to make bulk electronic patent and trademark public data available to the public in bulk form.” Under the agreement, USPTO will provide Google with “existing bulk, electronic files, which Google will host without modification for the public free of charge.” Examples of searchable items include: patent grants and applications; trademark applications and Trial and Appeal Board (TTAB) proceedings; and patent classification information. The USPTO and Google also will work together to make additional data available in the future, such as patent and trademark file histories and related data, the office said. The bulk data can be accessed at http://www.google.com/googlebooks/uspto.html.

In other words, as technology moves forward, so too does the ability to research and guard intellectual property ownership and interests… at least in the Western Hemisphere and other WIPO member countries. Now, if only the remainder of the world could come together to unify owners’ capabilities to globally protect their IP rights.

Wake Up and Smell the Threats: Two Recent Examples of Why Municipalities Need Cyber Insurance

Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.

Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. It’s 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post, “No One is Immune. Even Government Entities Need Cyber/Tech Insurance”?

Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.

But I’m Innocent, I Swear! This Website Proves It!

Who would have thought a comment as innocent as “Just walked into work at Cozen O’Connor-Toronto…so much work to get done” could potentially cause you so much trouble?

I came across an article this weekend by Tracy Staedter, titled “I’m Not Home: Please Rob Me”. Ready to become paranoid? Read the article – it’s short and to the point. Ever send out Evites? How about prior tweets, MySpace posts, etc. inviting people to your place and including an address? Bingo! Better pack up and move quick!

The website causing havoc is www.PleaseRobMe.com. Check it out…make sure you aren’t on the site…then check again after every time you tweet, post, etc. Do you have the time to constantly check? Probably not. Should you? Probably. It may make you paranoid, but then again, shouldn’t you be? But should the creators of the website be blamed – legally, morally, ethically? Should they be held accountable for what you put out into the public realm? Can you sue for violation of your privacy rights? Do you really have an expectation of privacy in any of those posts? In an age where MySpace, Friendster and other social networking sites regularly have their records subpoenaed, why should anyone think that anything they post will be “private”?

What piqued my curiosity even more was how this website could apply in a criminal or tort law context. Can this website be used to substantiate or corroborate an accused’s alibi – “Your Honor, look! I have proof that I wasn’t in the city when the crime occurred…I tweeted that I would be in Los Angeles!” Look, my knowledge of Canadian (or U.S., for that matter) Criminal Law/Procedure does not extend further than the 800 or so pages of textbooks I read while in law school. But surely this website can be put to more use than just what the creators intended. So long as a proper foundation is laid, and the purported evidence is relevant, it may be admitted, right? Something to definitely consider as a defense attorney.

The creators of the website claim the site is supposed to help us…to open our eyes to the evil out in the world. Call me crazy, but perhaps a simple email addressed to me would have been more appreciated…though it leaves one wondering if such a logical course of action would have been as effective.

Does The World Need A U.N. Sponsored Cyber Peace Treaty? One Diplomat Emphatically Says Yes… As the U.S. Gears Up For A Cyberwar

As the cyber war of words heats up between the U.S. and China, the rest of the world is taking notice….and proposing action.

Most recently, the head of the United Nations’ communication and technology agency, Secretary General Hamadoun Toure of the International Telecommunications Union, proposed a treaty whereby member countries agree not to precipitate a cyber attack against other member countries. “The framework would look like a peace treaty before a war,” he is reported to have said.

Secretary Toure’s proposal follows a series of concerns expressed at last month’s World Economic Forum in Davos-Klosters, Switzerland, including a harsh warning that cyber attacks could amount to a declaration of war. According to Secretary Toure, “[a] cyber war would be worse than a tsunami – a catastrophe.” Because of the potential devastating consequences of a cyber war, the Secretary strongly recommended that countries agree not to harbor cyber criminals and “commit themselves not to attack another.” Of course, nothing is quite as simple as that. For example, John Negroponte, the former director of U.S. intelligence, cautioned that intelligence agencies would “express reservations” about such a treaty. Given the breadth and scope of China’s, Russia’s and other countries’ intelligence operations and their reported limits on information disclosures, Mr. Negroponte’s remarks likely would be echoed by other nations.

What’s in a Name? Domain Name Disputes for Dummies

Never underestimate the value of a good domain name! As any website owner will tell you, http://www.rose.com, by any other name, is likely to lose customers.

About a week ago, my colleague’s nephew, Kevin Bortnick, found himself in a domain name predicament. His plight is interesting and he has graciously permitted us to blog about his situation, which provides some useful context for a discussion about domain name disputes.

Kevin is a talented website developer who used the name “KBortnick” or “KB” for his internet business. In November of 2005, he registered the domain name kbortnick.com for a period of four years, at a cost of about $10 per year. Although the domain name expired in November, 2009, he explained that “I was moving out & had a bit of a money crunch, so I figured I’d renew it in about a month, because it really wasn’t worth anything & I figured it would be fine….”

A couple of weeks ago, he attempted to re-register the name, only to discover that someone else had purchased it. That unknown ‘someone’ had immediately put it up for sale on a website that auctions off domain names, http://seto.com, subject to a minimum bid of $480. As you can imagine, Kevin was livid. “The highest I’ve ever seen my domain name appraised at was about $30”, he exclaimed, “and most places didn’t even give it that!”

(I empathized with Kevin’s situation. Over Canadian Thanksgiving, while I was sitting before the computer in a state of turkey-induced lethargy, I was suddenly roused from my stupor by the discovery that the domain name “pamelapengelley.com” could be registered for the low, low price of just $10 a year. I may soon write a post that is entitled “How I learned the hard way that just because you can make a hideously tacky personal flash website dedicated to your glorious self doesn’t mean that you should make one.” But I digress…)

Kevin’s dilemma got me thinking – is this what is known as “cybersquatting”? Is there any remedy for this sort of thing? Does Kevin have any recourse?

In fact, there are a couple of different mechanisms for resolving a cybersquatting dispute, and my understanding of them was greatly assisted by some basic knowledge about the development of the Internet and some tech-related acronyms like “DNS”, “IP” and “ccTLD”. If these terms are unfamiliar to you, then I ask for your indulgence while I lay out some of the basic IT background. It’s a bit lengthy, so if you are computer-savvy, you may just want to skip part 1.

Cyber/Tech Underwriters Build Their Portfolios…As Corporate Executives Fret

The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.

A January 29, 2010 study commissioned by McAfee, Inc and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.

The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.

The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more, with additional attacks to come. Of most concern, perhaps, over half of those surveyed identified the U.S., China and Russia as the three most vulnerable countries.

The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.

This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.

The Globalization of Cyber/Tech Risks and the Implications for Worldwide Insurance Coverage

As recognized below in Pamela’s post discussing whether the loss of computer data is “property damage” in the eye of tort law, the issues surrounding cyber/tech/privacy liability and the attendant insurance coverages are not the exclusive province of the United States or U.S. courts.

To the contrary, virtually every country worldwide is increasingly faced with the problem of having to deal with the hard social and legal issues presented by a rapidly evolving cyber world. So too, policyholders and the insurers who typically grant worldwide coverage under their policies must recognize that the risks faced are not exclusive to the U.S. or our Canadian cousins. The risks are global in nature and policyholders and insurers alike need to stay current with what’s happening outside our cocoon of the Western Hemisphere.

I am certain every reader is aware of the socio-political dispute whereby Google has threatened to withdraw from China amid claims that the Chinese government has hacked into Google’s and other third-parties’ databases, spied on Google email accounts, and tightened blocks on tens of thousands of internet sites, including Facebook, Twitter and YouTube. U.S. Secretary of State Hillary Clinton has spoken on the subject, advocating that companies such as Google refuse to support “politically motivated censorship.” Secretary Clinton also accused China, Tunisia and Uzbekistan of boosting censorship and called on Beijing to investigate the recent cyber attacks on Google and others. (On a side note, just last week, Europe’s principal security and human rights watchdog accused Turkey of blocking 3700 internet sites for “arbitrary and political reasons.”).


Online Banking and “Reasonable Security” Under the Law: Breaking New Ground?

With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law.

Ironically, this question may be answered by reference to a 20-year-old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking (Patco Construction Co. v. People’s United Bank (“PATCO”) and JM Test Systems, Inc. v. Capital One Bank (“JMT”)) and a court’s ruling on a motion for summary judgment in a similar lawsuit (Shames-Yeakel v. Citizens Bank, Memo and Memo Order on Motion for Summary Judgment – the “Shames-Yeakel” case). In short, since the Shames-Yeakel case proceeded past the “damages” pleading phase, it (and possibly these other online breach suits) reveals how some courts view security “standards” and approach the question of whether a company has achieved “reasonable security.” I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.


Loss of Computer Data: Is it Property Damage?

Let us say, speaking hypothetically, that a grossly negligent individual (who, since we are speaking hypothetically, is named…“Mr. X”) has accidentally uninstalled my favorite computer game, “Sid Meier’s Civilization IV” (for which, by the way, I paid good money and patiently waited three whole hypothetical hours to legally download onto my computer).

Let us further hypothesize that I was twelve hours into a very successful game which has now gone the way of the passenger pigeon. Is the loss of my computer software considered “damage to property” for the purpose of a negligence action, or is it just a form of pure economic loss? “Of course it’s property damage!” I thought to myself, “and a most egregious form at that!”

Yet, in law, as in life, few things are certain. I was compelled to learn more, and so I conducted a brief review of the case law from Canada, the United States and Australia to satisfy my curiosity. What I have learned is that, notwithstanding that we live in the age of the internet, it is far from clear whether we can sue for the loss of electronic data in a negligence action.


Cloud Computing: What Every Underwriter Should Know. And Why They Should Care. Now. Today. This Minute.

Emailing. Instant messaging. Texting. On-line gaming. Ten years ago, even five years ago, such words and concepts were alien to the typical luddite. Now, these terms are not just parts of the common parlance; a vast majority of us actually use these resources on a daily basis (in some cases, with our children’s guidance and assistance).

Consider, then, the relatively new concept of “cloud computing.” In lay terms, cloud computing is the on-line or internet-based use of a third-party vendors’ or service providers’ off-site (and hopefully secure) servers for data storage and/or management. Hotmail, Facebook, LinkedIn, YouTube and Google all use cloud computing to serve their members, often at no cost. At the same time, there are a growing number of vendors (like Apple) which “host” or “back-up” at-home and business computer systems by storing a consumer’s data or facilitating their use of cost-effective business solutions for a monthly or annual fee. Users typically do not have to incur fixed costs or purchase hardware or even software programs. All they need is access to a computer and the internet. And with that, voila! Cloud computing is just a click away.

Needless to say, the advent of cloud computing has opened up a world of opportunity for entrepreneurial software developers, hardware providers, and data storage companies around the globe. At the same time, it has created new business segments with a keen need for insurance products. Cyber insurance. Tech insurance. Property/All-Risk insurance. Business Interruption insurance. Professional Services/E&O insurance. Fidelity/Crime insurance. And, in some cases, personal injury/advertising injury coverage.

The potential third-party exposures are endless. Consider, for example, the legal (and regulatory) implications (and concomitant need for insurance) when an unauthorized user hacks into a “cloud” database storing personally identifiable or proprietary business information. Or think about the possibility of liability for a software developer or data storage vendor who has a customer that uses the cloud to host viruses or illegal content, or who simply releases information about its clients to marketers, advertisers or other third parties without considering the impact or legal ramifications of doing so. And how about power outages or other crises or service interruptions that prevent customers from accessing their accounts or critical business information that may be the key to closing an all-important business deal (resulting in privacy claims, claims of lost income, lost profits and business interruption expense, and other alleged third-party injury).

So too, first-party cyber/tech risks are well known in other contexts and would apply with equal force and effect to cloud computing. The threat of service interruptions, data corruption and the like makes insurance a necessity.

The bottom line, as always, is that underwriters need to constantly stay ahead of the curve and tailor their products (and marketing strategies) to address the ever-changing landscape of new and innovative technology resources. Today cloud computing. Tomorrow? Ask me tomorrow night….


No One is Immune. Even Government Entities Need Cyber/Tech Insurance

Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.

Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high-profile breaches at large companies where there has been a failure to protect a customer’s personal information.

What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.

The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon driver’s license number or Oregon identification card number, or a financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS), and include the following:


Non-Profits Face Massachusetts’ Tough New Data Security Law on March 1, 2010


The roads traveled by non-profit entities have never been easy ones to negotiate. Indeed, the time, expense and, dare I say, risk of doing good deeds and raising capital has been fraught with potholes and impediments from the get-go. Now, that road has become even more treacherous for non-profits and their cyber/tech insurers alike.

1. An Overview of Massachusetts’ New Data Security Law

A new data security breach law becomes effective in the Commonwealth of Massachusetts on March 1, 2010. Described by some as the toughest data security law in the U.S., the law and corresponding regulations apply to all entities, including non-profits, that employ or serve Massachusetts residents and which store, own or license “personal information” about a Massachusetts resident. Here is the Press Release from the Office of Consumer Affairs and Business Regulation. Here is the Final Version of The Regulations.

2. What is Meant by “Personal Information”?

The term “personal information” is defined in the law to mean a Massachusetts resident’s first and last name, or first initial and last name, together with:

  1. The resident’s driver’s license number or state identification card;
  2. Bank/financial account or credit/debit account number; or
  3. Social Security number.

In other words, personal information will, generally speaking, include anything uniquely identifiable about a Massachusetts resident.


Cybersecurity is an Economic Issue – Cyber Insurers Should Provide Economic Incentives, ISA Reports

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target.

We may have gotten a good chuckle out of the various messages that were left on the Twitter accounts of Barack Obama, Britney Spears, and Bill O’Reilly, but the implications are serious; with every new technology comes new risk. Viruses can permanently erase an entire system, sensitive system files can be accessed and altered by intruders, computer networks can be infiltrated and used to attack others, and credit card information can be stolen and used to make unauthorized purchases.

“Cybersecurity” refers to the protection of that information by preventing, detecting and responding to attacks. Although there may be a tendency to consider cybersecurity to be a technical issue with technical solutions, it may also be useful to think of cybersecurity as an economic issue with economic solutions.

This is the message that the Internet Security Alliance (“ISA”) has made in a landmark report issued earlier today, December 3, 2009. The ISA is a trade association which represents a gamut of corporate interests ranging from Defence and Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries. In its report, entitled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” the ISA emphasizes that cybersecurity is an economic rather than a technical issue and that both the U.S. government and private industry need to revisit their assessments of cybersecurity by creating economic incentives and other programs to foster broader, and more enhanced, cybersecurity efforts and systems.

At present, the government has been relying on regulations to ostensibly improve cybersecurity. The ISA suggests that this method is not only outdated, but also ineffective in dealing with a 21st Century problem. The report sets forth a number of proposed economic solutions, many of which focus on encouraging companies to educate their executives about the economic and social benefits of cybersecurity. Key among these proposals is the suggestion that businesses should create risk management programs that educate their executives about the growing problem of cyber theft and abuse, and assist them in incorporating cybersecurity solutions in their corporate business plans (rather than ceding such responsibilities to computer “geeks” in their IS or IT departments, as is typically the case today).

The report concludes that most companies underfund their investments in cybersecurity, and suggests that economic and other incentives are needed to prompt businesses to improve their cybersecurity. ISA’s report also suggests that the insurance industry become actively involved in providing a methodology by which returns on security investments are quantified.

Among the ISA’s recommendations designed to encourage investment is a proposal that cyber insurance be used to promote the development of standards and practices and assist companies in quantifying and managing their cyber risks. At the same time, the ISA proposes that the government create limited liability protections for certified products and processes and recognized industry best practices. Alternatively, liability might be assigned on a sliding scale (comparative liability) such as limiting punitive damages while allowing actual damages and providing affirmative defenses with reduced standards (preponderance of evidence vs. clear and convincing etc.).

The report is long (over 70 pages) and quite detailed. For those interested in reading it, the report can be found here. Irrespective of whether readers choose to take the time to read the entire report, they should familiarize themselves with its purpose and intent, as it is a major step forward in promoting dialogue on the ever-growing problem of cyber crime. At a minimum, insurance underwriters and cyber professionals should study the report and perhaps incorporate some of the ISA’s recommendations in their own due diligence processes to complement, for example, their existing NetDiligence® cyber risk assessment service (used by many leading US & UK insurers). Only through joint and collaborative efforts can the billion dollar problem of cyber crime be mitigated. It is incumbent on the insurance industry to be among the leaders in these efforts. We can begin by collecting comments on the ISA’s proposal and submitting them to its members, including those representing the insurance industry. Please feel free to comment below. As appropriate, we will forward them to the ISA with the author’s name and contact information, if so authorized.


Google TiVo: Now Who’s Watching Who?

Personal information and data can be captured and aggregated in the most unlikely of ways. Take, for example, television viewing habits.

In the past, data aggregators such as A.C. Nielsen have used a variety of techniques to measure television audiences’ viewing habits in order to assemble ratings and assist networks and advertisers in identifying viewership and demographic rankings. It began with people compiling viewing information in journals. As technology progressed, Nielsen and other data aggregators used “black boxes” attached to televisions to compile the all-important viewership and demographic information. Some people equated these activities to a form of “Big Brother” watching over us, but in virtually all cases, the “Nielsen families” did so willingly and were compensated for their voluntary participation.

As with everything else, we have now progressed well beyond the activities of yesteryear. The latest news on the viewership and demographic aggregation front comes from Google, which has announced that it is teaming up with TiVo, the digital video recording company, to assist advertisers in measuring how and when their ads are viewed by consumers. As most people know, TiVo and its progeny allow viewers to “fast forward” through commercials so that they can view only the content they elect to watch. While a boon to viewers who hate commercials, this capability frustrates advertisers who pay tens of thousands if not tens of millions of dollars to television and cable networks to promote their services and products. According to Google, this new service is an attempt to re-create its AdWords and AdSense models on the small screen.

The hitch is that most TiVo users typically catch the beginning or end of a commercial or other unwanted programming as they attempt to watch their selected shows. Only the most prolific of remote controllers can precisely fast forward their recorded programming to view only what they want and not what they don’t want. Having now had TiVo for 7-1/2 years, I still suffer the fate of imperfect fast forwarding and consequent rewinding. I just can’t totally avoid those pesky commercials, no matter how hard I try. And believe me, I try.

Google is of the view that even that momentary viewership of the undesirable commercials, while not a full ad impression, is meaningful to advertisers. Thus, it plans to use “anonymous second-by-second DVR viewing data” to track how viewers see ads placed through Google TV Ads and to assemble data on viewers’ television habits.

So, what can we as TiVo users do about it? Google has not yet announced if viewers can “opt-out” of this service. If that option is not available, then the only options seem to be that we participate as willing or unwilling (and uncompensated) participants, or give up our TiVo. Needless to say, that latter option is not realistic. I love my TiVo. I won’t give it up. But at what cost? The price of my privacy, it seems.
