“A Lawyer’s Advice for Evaluating Your Cyber Coverage”

February 10, 2012

I recently wrote an article titled, “A Lawyer’s Advice for Evaluating Your Cyber Coverage:  Policies vary significantly from carrier to carrier—and even within the various forms of one company.”  It has been published on the Property Casualty 360° website, republished from the February 6, 2012 issue of National Underwriter.

In the article, I discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events, including what factors to consider when buying cyberinsurance policies for cyber risks.  I also discuss how different cyber risks may be characterized, whether as within first party, or third party insurance coverages, and how to keep those risk factors in mind when brokering, broking, or buying a cyberinsurance policy.

Here is a brief excerpt from the article:

Policyholders and insureds exposed to cyber risks would be well served to analyze carefully their insurance policies to determine exactly which coverages apply to them—and to see if any critical coverages are missing.

Cyber Liability insurance should provide coverage for the vast majority of key cyber risks, and there may also be overlapping coverage under other policies for such exposures.

The first place that a company should look to determine whether it has, or may have, coverage for cyber risks is any specific Cyber Liability policies that the entity holds. A very close look at these policies is warranted, as the coverage under such policies often varies significantly from carrier to carrier—and even within the various forms that one particular insurance company offers.

Want to read moreThen click on over to the full article.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

2 Comments | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage | Tagged: , , , , , , , , , , , , | Permalink
Posted by Scott Godes

Would your company’s insurance cover a cyberattack?

October 28, 2011

DDoSOn October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.“  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1]  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2]  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3]  The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[5]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6]  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11]  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12]  Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16]  The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.

[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[7] Id.

[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.

[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).

[15] See MBIA Inc. v. Fed. Ins. Co., 652 F.3d 152, 160 (2d Cir. 2011).

[16] See Eyeblaster, 613 F.3d at 804.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

3 Comments | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, D&O Insurance, Data breach insurance coverage, Denial-of-service, First party insurance coverage | Tagged: , , , , , , , , , , , | Permalink
Posted by Scott Godes

“Legal Corner: Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection”

October 27, 2011

My colleague, Ken Trotter, and I recently wrote an article titled, “Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection.”  The article is reprinted below, courtesy of and permission from, the fine people at Hospitality Upgrade magazine:

Scott Godes  godess@dicksteinshapiro.com
Kenneth Trotter  trotterk@dicksteinshapiro.com
Hospitality© 2011 Hospitality Upgrade. No reproduction without written permission. It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks.  A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies.  According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves.Cybersecurity risks can cause a company to incur significant loss or liability.  A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds.  Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes.  Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability.  Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.

Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information.  Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack.

Involving Technology and Privacy Managers in Insurance-related Matters  Because of the variation in cyberinsurance coverages and the underwriting inquiries that often go along with the purchase of such insurance policies, companies may find the process to be a great opportunity for a company’s risk managers, technology managers and privacy managers to work together to help understand potential risks to the company and what risk transfers are being purchased through the insurance policies offered.  Working together aligns the risk managers’ understanding of specific insurance-related issues, the technology managers’ technical expertise regarding the companies’ systems and protections that will be helpful to understand any technical requirements in an application or insurance policy, and the privacy managers’ knowledge of the potential privacy risks that the company faces in light of the information held and how and where it is used.  Indeed, given their understanding of the technical and practical considerations involved in protecting a company’s data from a cyberattack, technology and information managers may be in a unique position to assist the company’s risk managers in understanding the technical implications of specific policy language.

Insurance Coverage Considerations  When considering what coverages may apply or purchasing cyberinsurance coverage, it is essential to consider many types of coverage, as coverages often are written and offered in different modules and on varying insurance policy forms.  On a regular basis, insurers are writing and introducing new policies marketed as being tailored specifically to cover data breaches and cyberattacks.  In addition, coverage may be available under traditional forms of insurance.  Indeed, policyholders may have overlapping coverage for data breaches and certain cyberrisks, with the potential for coverage under cybersecurity policies as well as traditional insurance policies.  When analyzing the coverage afforded by such policies, it is critical to understand the impact of exclusions on coverages and any sublimits on the amount of coverage afforded by the policy.  Because of the variety of coverages being offered, as discussed below, technology managers can assist the company by providing a careful review of the technical language used in the policy to help determine the scope and limitations of the coverage being purchased with respect to a specific company’s operations.

Cybersecurity and Data Breach Policies  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Such policies are relatively new to the marketplace and are constantly changing. Specific policies for cybersecurity and data breach have been known as Network Risk, Cyberliability, Privacy and Security or Media Liability insurance.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the Internet Liability and Network Protection Policy, and insurance companies may base their coverages on this basic insuring agreement or they may provide their own company-worded policy form.  Because these policies are frequently updated and changed, it is important to compare the coverages offered across companies and within a company’s offerings.

Traditional Forms of Insurance  Although it is ideal to purchase a policy designed specifically for cybersecurity risks, more traditional forms of insurance may also provide overlapping coverage for data breaches and cyberrisks, depending on the particular coverage terms and exclusions in the individual policy.  Coverage may be provided by the following types of policies:  commercial general liability; first-party property and business interruption; directors and officers or errors and omissions; crime; kidnap, ransom and extortion.  Insurance companies, however, have been fighting their obligations to pay claims for cyber-related loss under such traditional insurance policies.  A major insurer recently sued a corporate policyholder in New York, asking the court to rule that traditional insurance policies do not cover a series of high-profile data breaches, cyberattacks and cyberrisks.

Making a Claim for Coverage   If a cyberevent occurs, such as a data breach, then it is vital that risk managers, technology managers and privacy managers work together to seek recovery under all potentially available insurance policies.  It is recomended that policyholders send notice of the claim or occurrence to all potentially applicable insurers, whether under a special cybersecurity policy or under the more traditional forms of insurance. After an insurance claim is tendered to insurers, they may raise various defenses to coverage. Companies, however, should not assume that such defenses will defeat coverage. Whether an event is covered will often depend on careful analysis of the specific policy language involved, the facts of a company’s particular losses and the law of the applicable jurisdiction. Insurance carriers may take a hard line regarding the application of the exclusions in their policies.  For example, under certain insurance policies, there is coverage for property damage and insurers have asserted that there has been no property damage as a result of a cyberattack. Technology managers, however, may be able to assist the company in marshalling evidence to prove that a cyberattack has damaged the company’s computer equipment, or that there has been a loss of use of computer equipment (another way of demonstrating property damage under certain insurance policies).  Technology managers should stay involved throughout the insurance recovery process to help assure that any representations and statements about the company’s technology and the cyberevent are accurate and properly characterized.

Beyond in-house technology personnel, companies that have sustained losses due to a data breach or cyberattack should consider speaking with an attorney who represents policyholders and has familiarity with this area. Because of the assistance of such lawyers, some policyholders have been able to obtain substantial recovery even after the insurer initially denied the policyholder’s claim.

Scott Godes and Kenneth Trotter are attorneys with Dickstein Shapiro LLP who devote a significant portion of their practice to the representation of policyholders in complex insurance disputes with insurance companies. They may be reached at godess@dicksteinshapiro.com or trotterk@dicksteinshapiro.com. This information is general and educational and is not legal advice.  For more information, please visit www.hospitalitylawyer.com.

Thank you to the Hospitality Upgrade website for permission to use this article.

This article appeared on the Hospitality Upgrade website on 1 October 2011—link to article:

http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

Leave a Comment » | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage, Denial-of-service | Tagged: , , , , , , , , , , , , , | Permalink
Posted by Scott Godes

Insurance coverage against cyberattacks and data breaches relating to the hospitality industry and hotels.

October 22, 2011

four star hotelMy colleague, Ken Trotter, and I recently wrote an article titled, “Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection.”  It has been published in Hospitality Upgrade magazine‘s Fall 2011 issue.  In the article, we discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events, in light the risks for such events that the hospitality industry, and hotels in particular, face.  We discuss coverages for cyberattacks and data breaches against hotels and the hospitality industry under new cyberinsurance policies, and overlapping coverage with other insurance policies for data breaches, cyber risks, cyberattacks, and cyber events.  We also discuss involving multiple people within the company to discuss the risks and evaluate the purchase of new insurance and cyberinsurance policies.

Here is a brief excerpt from the article:

It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks. . . .

Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds. Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes. Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability. . . .

Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information. Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack. . . .

Read more

Want to read moreThen click on over to the full article.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

2 Comments | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage | Tagged: , , , , , , , , , , , , | Permalink
Posted by Scott Godes

“Protecting Your Company Against Loss or Liability Arising from Cyberattacks”

September 22, 2011

My colleague, Ken Trotter, and I recently wrote an article titled, “Protecting Your Company Against Loss or Liability Arising from Cyberattacks.”  It has been published in Hospitality Lawyer‘s September 2011 In-House Counsel Newsletter.  In the article, we discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events.  We discuss coverages under new cyberinsurance policies, and overlapping coverage with other insurance policies for data breaches, cyber risks, cyberattacks, and cyber events.

We provide an overview of potential coverage under:

  • First party property policies;
  • Business interruption coverage and policies;
  • Commercial General Liability (CGL) policies;
  • Directors and Officers Liability (D&O) policies;
  • Errors and Omissions policies; and
  • Crime and Fidelity policies.

We also give practical considerations when making claims for coverage.

Here is the opening paragraph to the article:

Does your company have insurance policies that will cover data breaches and cyber attacks?  The hospitality industry is particularly vulnerable to data breaches and other cyberattacks.  According to Willis Group Holdings, a British insurance firm, insurance claims for data theft worldwide jumped 56% last year, with a large number of those attacks targeting the hospitality industry.  The report said the largest share of cyber attacks—38%—were aimed at hotels, resorts and tour companies.  As just one example of these attacks, computer hackers broke into the computer system of a national hotel chain and stole the guests’ credit card information.  This summer, the Secret Service informed the owner of a family-run Italian restaurant that a thief hacked into the communication system between the cash register and the credit card processing company, stole credit card numbers, and then used them to fraudulently make purchases across the United States.  Businesses in the hospitality industry will continue to be attractive targets for hackers and data thieves, particularly since they obtain and maintain confidential data from consumers including countless credit card records.  There are risks for companies well beyond the possibility of hackers stealing consumer data.  Vital corporate data, whether it’s shared on the company’s servers or by third parties, may become inaccessible or even destroyed in a hacker attack.  Managing such risk is critical to successful business operations. Read more

Want to read moreThen click on over to the newsletter.

1 Comment | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage | Tagged: , , , , , , , , , , , , | Permalink
Posted by Scott Godes

Insurance Coverage for Denial-of-Service Attacks

May 10, 2011

DDoS

It seems that 2011 has been the year of cyberattacks – denial of service attacks, data breaches, and more.  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1]  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2]  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3]  The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[5]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6]  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11]  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12]  Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16]  The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.

Scott Godes is counsel with Dickstein Shapiro’s Insurance Coverage Practice in the firm’s Washington, D.C. office.  Mr. Godes is the co-head of the firm’s Cyber Security Insurance Coverage Initiative and co-chair of the American Bar Association Computer Technology Subcommittee of the Insurance Coverage Committee of the Section of Litigation.  He frequently represents corporate policyholders in insurance coverage disputes.

[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[7] Id.

[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.

[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).

[15] See MBIA, Inc. v. Fed. Ins. Co., No. 08 Civ. 4313, 2009 WL 6635307 (S.D.N.Y. Dec. 30, 2009).

[16] See Eyeblaster, 613 F.3d at 804.

Update:  This post also has been put online over at DoS-Attacks.com.  You can see the post by clicking here.

Second update:  This post also has been put online at the Lexis Insurance Law Community.  You can see the post by clicking here.

Third update:  This post also has been put online on the Blog Notions insurance blog.  You can see the post by clicking here.

Fourth update:  This post also has been put online on Core Compass.  You can see the post by clicking here (registration required).

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

10 Comments | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, D&O Insurance, Data breach insurance coverage, Denial-of-service, First party insurance coverage | Tagged: , , , , , , , , , , , | Permalink
Posted by Scott Godes

“Insurance Coverage for Disaster-Related Losses: The Japan Earthquake and Tsunami”

April 22, 2011

Interested in learning about insurance coverage issues relating to the recent Japan earthquake and tsunami?  My Dickstein Shapiro colleagues, Selena Linde and John Heintz, joined by Ronald Van Epps of The Claro Group, are presenting a webinar that will address these issues.  Here is the description from our firm’s website:

In-house counsel and risk managers at companies affected by the earthquake and tsunami in Japan will get a better understanding of insurance coverage issues including: What types of insurance policies should you look to for coverage? What are the basic steps for preparing and presenting a claim? What challenges should you expect from your insurers? And finally, how can you obtain the best recoveries possible?
Selena Linde and John Heintz, partners in Dickstein Shapiro‘s Insurance Coverage Practice, along with Ronald Van Epps, managing director of The Claro Group, will address these questions and more during the webcast on Tuesday, May 10, 2011, at 2:00 PM ET.

Click to Add to Outlook

Click here to register for the webcast.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

1 Comment | Business interruption, Contingent business interruption, Earthquake, Tsunami | Tagged: , , , , , | Permalink
Posted by Scott Godes

Insurance Recovery for Recent Earthquake and Tsunami- Related Losses in Japan

March 18, 2011

Looking for an analysis of insurance coverage issues relating to the recent earthquake and tsunami in Japan?  The alert below, authored by my colleagues in my firm’s Insurance Coverage Practice, provides a discussion on insurance coverage considerations for businesses affected by the recent earthquake and tsunami in Japan. These catastrophic events have caused loss of life, destruction, and dislocation on a massive scale. As the situation stabilizes and the focus turns to economic recovery, businesses will begin to examine their operations and assess their losses. Specifically, property insurance, including business interruption and contingent business interruption coverages, may protect against not only physical damage to and loss of property, but also financial losses arising from an inability to conduct business (either at all or at the same levels as before); the extra expenses incurred in dealing with the effects of a disaster, including money spent to minimize any damage and losses; and the costs incurred in establishing the extent of the losses. Moreover, contingent business interruption coverage often contained in first-party property policies may provide coverage where a business faces loss due to its suppliers’ inability to provide needed parts and resources, or its customers’ inability to take delivery of product because of the damage to their own business ventures. Other types of insurance that also may respond include policies for trade disruption, event cancellation, and directors and officers.

My colleagues and I recommend that when a business faces unanticipated losses, it should immediately consider how its insurance will respond and have skilled coverage counsel, not just claim adjustors, assess their insurance policies and assist in developing a plan to determine and document losses that were or will be sustained because of the disaster. We have learned from experience that many business commit errors in assessing and documenting their losses or interpreting their insurance policies that later hurt them in the adjusting process that could have been avoided.

In addition to the attached timely alert, our firm also has authored an in-depth white paper on insurance coverage for property damage and business interruption claims that is available upon request and may be obtained by visiting our firm’s website at http://www.dicksteinshapiro.com.

Insurance Recovery for Recent Earthquake and Tsunami-Related Losses in Japan

March 2011

The earthquake and tsunami in Japan have caused loss of life, destruction, and dislocation on a massive scale. For those who have lost friends, family, employees, homes, and businesses, and who face the continuing threats posed by damaged nuclear facilities, recovery will be a very personal and arduous process. As the situation stabilizes and the focus turns to economic recovery, however, businesses will begin to examine their operations and assess their losses. Obviously, businesses operating nearest the epicenter will have suffered the most severe losses. However, the sheer scale of the disaster, combined with Japan’s critical importance to the international economy, guarantee that businesses throughout Japan and the rest of the world will face related disruption and losses.

Whenever a business faces unanticipated losses, it should immediately consider how its insurance will respond. Insurance is critical to disaster recovery. Specifically, property insurance, including business interruption and contingent business interruption coverages, may protect against not only physical damage to and loss of property, but also financial losses arising from an inability to conduct business (either at all or at the same levels as before); the extra expenses incurred in dealing with the effects of a disaster, including money spent to minimize any damage and losses; and the costs incurred in establishing the extent of the losses. Moreover, contingent business interruption coverage often contained in first-party property policies may provide coverage where a business faces loss due to its suppliers’ inability to provide needed parts and resources, or its customers’ inability to take delivery. Other types of insurance that also may respond include policies for trade disruption, event cancellation, and directors and officers.

Understanding Your Losses and Coverage

Policyholders should act immediately to evaluate both the extent of their losses and the scope of coverage for those losses. That evaluation must not be based on conventional wisdom about the scope of the policyholder’s insurance—this is especially true in the context of property insurance, because policy forms often vary significantly. Rather, the policyholder should examine its policies with a specific understanding of both the policy language and how its business has been, or is likely to be, impacted by events.

Policyholders also must immediately begin to carefully document all expenses incurred as a result of their loss because an insurer will demand a detailed proof of loss upon receiving notice of a claim from its policyholder.  For larger companies, special loss-related account numbers should be created within their accounting systems to make tracking these losses easier when the insurance companies raise questions.

Applicable Insurance Coverages

The tragedy in Japan has unfolded on such a massive scale that policyholders will have incurred losses from a wide variety of causes.  We have listed below a sampling of potentially available lines of coverage.

First-Party Property policies provide insurance for direct losses to or affecting the policyholder’s property.  These policies protect a policyholder’s place of operations and inventory and provide coverage for lost or damaged property.  Many property insurance policies are sold on an “all risk” basis, meaning that they cover losses to real property caused by any peril not expressly excluded.  Because of the breadth of coverage afforded by an “all risk” policy, once a policyholder shows that it has suffered a loss, the burden of proof shifts to the insurer to show that the loss is not covered.

By comparison, a second type of property insurance—a “named peril” policy—covers only those perils expressly listed.  Both types of policies usually contain exclusions to coverage.  Earthquakes and floods, for example, are often excluded from commercial property policies, and must be added through endorsements or stand-alone coverage.  It is important to carefully review all aspects of a policy to determine whether coverage for the specific loss is clearly excluded.

In addition to covering property damage, many property policies also provide some or all of the following “time element” coverages that are designed to reimburse the policyholder for financial losses.  As a senior executive at a major insurer stated with respect to business interruption claims stemming from the earthquake and tsunami, “‘[a] lot of the largest corporations have insurance programs that include coverage for these sorts of things . . . .  There’s going to be a ripple effect felt around the world.’”  Erik Holm & Serena Ng, Insurers May Face ‘Far-Reaching’ Claims As Supply Chain Breaks, Dow Jones Newswires (Mar. 16, 2011).

In order to be implicated, policies typically require damage by a covered peril to property.  “Time element” coverage may include:

  • Business Interruption:  Reimburses the policyholder for the amount of gross earnings minus normal expenses (i.e., its profits) that the policyholder would have earned but for the interruption of the policyholder’s business.  Business interruption coverage generally requires that the “interruption” result from damage to covered real or personal property.  Policyholders, for example, have obtained reimbursement under such coverage when other widespread disasters such as Hurricane Katrina and the 9/11 terrorist attacks caused business interruption.  Coverage may be available for time element losses at interdependent properties, for example, where damage to an insured’s overseas factory cuts off supply, and therefore slows operations, at its domestic facilities.
  • Contingent Business Interruption:  Protects against economic losses caused by the policyholder’s inability to receive a supplier’s goods or services, or the policyholder’s inability to deliver its goods or services to customers, that arise due to a covered peril to the property of the supplier or customer that leads to the inability to deliver.  The term “supplier” should be read broadly, to account for the complex and interdependent nature of businesses today.
  • Utility Service Interruption:  Provides coverage for losses that the policyholder incurs due to the interruption of utility services that result from physical damage to the property that supplies the utility.  This coverage usually is provided through an endorsement to a property policy and may require that the interruption of service has lasted a minimum amount of time—usually 24 hours.  Service interruption coverage also can vary widely with regard to what types of utilities are covered.
  • Extra Expense: Indemnifies the policyholder for the reasonable and necessary increased costs of conducting its business operations due to property damage caused by an insured peril at its facilities or that of a supplier.
  • Civil Authority:  Protects the policyholder from losses caused by the inability to access its premises when a civil authority denies such access because of covered damage to, or destruction of, property belonging to others.  Some civil authority coverages require physical damage to the policyholder’s own premises, but others do not.  A “civil authority” for purposes of this coverage may extend beyond national and local governments.  For example, after the 9/11 terrorist attacks, some policyholders successfully argued that the baseball commissioner’s cancellation of games constituted an order of a civil authority.
  • Ingress/Egress:  Protects the policyholder against lost business income and extra expenses when the policyholder’s premises are inaccessible for reasons other than an order of civil authority.  This type of coverage typically requires that the property damage be located within a certain radius of the policyholder’s premises.  For example, such coverage has been implicated when public transit or roads providing access to a business were closed and there was also property damage in the business’s immediate area.
  • Extensions beyond the time limits set forth in the policy:  Some policies allow the recovery period to be measured beyond the interruption period alone and will extend through the end of a period of time ending when the policyholder’s business returns to the levels that were anticipated but for the event that caused the property damage.

Most of the issues raised by the time element coverage of first-party property policies require careful analysis and forethought before the impacted entity asserts any position to its insurers. The hypothetical “what if” world measured by these policies often provides the opportunity for insurance companies to take positions hostile to the policyholder if advance planning and documentation have not been addressed at an early stage.

Trade Disruption policies are designed to protect against loss of earnings and extra expenses caused by disruption in the supply chain, even when there is no physical loss or damage to the policyholder’s assets.  This coverage was developed specifically for businesses that depend on global supply chains.  This relatively new form of insurance may help to provide consistent coverage to the insured.  As is always true of “niche” coverages, however, the insured should understand how its trade disruption insurance interacts with other forms of coverage, including standard all risk policies, and anticipate an overly cautious view of coverage from a claims adjuster.

Event Cancellation policies are designed to compensate policyholders for losses arising out of the cancellation, interruption, or postponement of specified events.  These policies typically specify that coverage is triggered if the cancellation, interruption, or postponement is caused by factors that are beyond the policyholder’s control.  They typically insure a wide range of events, for example when a policyholder incurred losses arising out of the cancellation of music concerts in the aftermath of the 9/11 terrorist attacks.

Directors & Officers policies may provide defense and indemnity coverage for companies and their directors and officers who may face claims regarding their preparation for, or response to, a crisis.  For example, claims may be made against directors and officers for failure to have proper procedures and plans in place for dealing with the crisis.

Travel Insurance policies are designed to cover costs for delays, such as extra hotel stays or the price involved in changing flight reservations, the nonrefundable costs for interrupted or canceled trips, lost or stolen luggage, medical emergencies, and even medical evacuation.

Mitigation Costs

Insurance policies may provide coverage for any mitigation costs that the insured takes to prevent or mitigate actual or imminent damage to its property.  Many policies contain clauses specifically covering such “loss prevention” or “sue and labor” expenses, and the common law in many jurisdictions may obligate insurers to reimburse these expenses.  Insurers therefore may be obligated to pay for these measures to help prevent property damage, for example the costs of boarding up a building’s windows when a hurricane is approaching.  The legal theory is simple: policyholders should take reasonable steps to minimize or reduce their losses, thus saving themselves and their insurers money, and their insurers should pay for these steps.

Additional Insured Coverage

Companies also may be able to access coverage outside of their own insurance portfolios for losses stemming from the earthquake and tsunami if the company is an “additional insured” under another company’s policy.  Generally, there are two ways to obtain additional insured status—either (a) via an endorsement that specifically lists the company as an “additional insured” or (b) via a blanket endorsement that automatically extends “additional insured” status to parties entering contracts with the named insured.  Whether your company as an additional insured will have the same coverage as the named insured varies by policy; your company may have the same rights as the named insured, or more limited rights, depending on the language.  Thus, when looking for coverage for losses stemming from the recent events in Japan, businesses should inquire regarding their additional insured status—it may prove to be another portal to insurance recoveries.

Policy Conditions and Requirements

Policyholders should be wary of potential time traps in their policy.  For example, a policy may obligate the policyholder to provide the insurer with notice of a loss “as soon as possible” or “as soon as practicable” after a loss or other insured event.  The consequences of failure to give prompt notice differ, depending on the type of policy and the jurisdiction.  Policies usually require that proofs of loss be submitted within a relatively short time—often within 60 days after the loss incepts or within 60 days after the insurer requests a proof of loss, unless an extension is secured.  Finally, many first-party policies contain a contractual statute of limitations.  Therefore, policyholders must be careful to commence a coverage suit within time limits or obtain an agreement with the insurer tolling the running of the limitations period.

Insurer Defenses to Coverage

Insurers may raise challenges to the availability of coverage for losses related to the earthquake and tsunami.  These challenges may include disputes regarding:  (a) whether coverage for claims related to earthquakes and tsunamis are barred by any policy exclusions; (b) whether physical damage to insured property is required to trigger time element coverage such as business interruption coverage, and, if so, what may qualify as property damage; (c) whether coverage exists for amounts spent to prevent or mitigate damages, even if property damage never takes place.

Companies should not assume that insurer defenses necessarily will defeat coverage.  Each policy requires a careful analysis, based on the specific policy language involved, the facts of a company’s particular losses, and the law of the applicable jurisdiction.  Careful advance planning is suggested, if time permits, before any claim is made to the insurer.

Obtaining and Maximizing Insurance Recovery

Pursuing an insurance claim following a disaster is often a complex and challenging process.  Policyholders should consider obtaining the assistance of coverage counsel, because many issues can significantly affect the existence or amount of recovery under an insurance policy.

Resolution of coverage issues may depend not only on the law of a particular jurisdiction that will be applied and the facts presented by a claim, but also on how facts are presented to the insurance company, or to a court, if litigation is necessary.  An attorney may be able to analyze coverage and help the policyholder present its claim to maximize protection under its insurance policies.

Act Now to Evaluate Your Risks

Even if your business has been fortunate enough to avoid direct losses from the events in Japan, the tragedy in that country nevertheless presents a stark reminder of the importance of aligning your business’s insurance coverage with the risks it faces.  While typical “all risk” policies are comprehensive in scope, flood and earthquake are often excluded in standard policy forms, and must be added to the insured’s coverage.  Moreover, when a catastrophic claim arises, insurers may invoke multiple policy exclusions and defenses to limit coverage.  Advance planning can help to clarify coverage and avoid disputes.

Our Firm

Dickstein Shapiro exclusively represents policyholders in coverage disputes.  The firm has assembled a team of attorneys that already is looking into the insurance coverage issues implicated by the earthquake and tsunami in Japan.  Our attorneys have successfully resolved some of the most significant coverage cases in the country and the firm’s Insurance Coverage Practice was recently named among the top five insurance practices in the United States by Law360; listed as a tier 1 national firm for insurance in U.S. News & World Report’s first-ever Best Law Firms issue; and the sole recipient of Chambers USA’s prestigious 2008 Award for Excellence in the “Insurance Coverage: Policyholder” category.

Contact Information

We would be happy to further discuss with you the insurance implications of the earthquake and tsunami in Japan for your business.  For more information, please contact:

John E. Heintz, Partner
(202) 420-5373
heintzj@dicksteinshapiro.com

Stephen N. Goldberg, Partner
(310) 772-8325
goldbergs@dicksteinshapiro.com

Geoffrey M. Long, Associate
(202) 420-2711
longg@dicksteinshapiro.com

Jared Zola, Partner
(212) 277-6684
zolaj@ dicksteinshapiro.com

© 2011 Dickstein Shapiro LLP. All Rights Reserved.

Because of the variations in policy language, this alert does not address all issues. It also does not replace, and should not be relied on instead of, legal advice. However, it does provide a starting point and serves as an aid in understanding the maze of factual and legal issues regarding insurance. This alert may be considered advertising in some states.

In addition to my awesome colleagues mentioned in the alert, feel free to e-mail me or contact me, if you have questions about the insurance coverage issues raised here.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

1 Comment | Additional Insured, Business interruption, Contingent business interruption, First party insurance coverage, Tsunami | Tagged: , , , , , | Permalink
Posted by Scott Godes

AgentsOfAmerica.ORG features my post: “Insurance Coverage for Cyberattacks and Denial-of-Service Incidents”

October 8, 2010

If your business suffered losses from a cybersecurity incident, a denial-of-service attack, or some other computer-, network-, or internet-related event, would you know whether your insurance would cover the losses?  If your insurance company denied your claim, would you know whether the insurance company had done so properly?

Well, if you’d like some additional thoughts on these issues, check out my post at the AgentsOfAmerica.ORG website.  They posted my piece titled, “Insurance Coverage for Cyberattacks and Denial-of-Service Incidents” and also featured it in their newsletter.  In my post, I discuss insurance coverage for cyberattacks, cybersecurity events, denial-of-service (DDoS) attacks, and more.  I note a couple of recent cases finding in favor of insurance for these sorts of events under commercial general liability (CGL) insurance policies as well as new cyber insurance policies.

So head over to the AgentsOfAmerica.ORG site and check out my post to see more!

 

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Leave a Comment » | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, D&O Insurance, Data breach insurance coverage, Defense Costs, Denial-of-service, Duty to defend | Tagged: , , , , , , , , , , , , | Permalink
Posted by Scott Godes

Join me at the First Party Claims Conference!

October 3, 2010

On October 19 and 20, 2010, I’m going to be presenting at the First Party Claims Conference in Warwick, Rhode Island.

What’s the First Party Claims Conference, you ask?  Well, the website describes the event as:

The 2010 FIRST PARTY CLAIMS CONFERENCE (FPCC) on October 18-20 in Warwick, Rhode Island is the insurance event that offers the maximum amount of education and CE credits for a minimal investment of time and money.

And who doesn’t like getting the “maximum amount of education” for the “minimal” amount of time and money? There will be 21 educational sessions and 39 presenters. The conference is open to everyone in the insurance claims community: accountants, adjusters, agents, attorneys, brokers, consultants, engineers, vendors/suppliers and others.

The title of the presentation that I will be making with Darrell Hamer is:

Contingent Business Interruption Insurance – Will You Be Covered When Bad Things Happen To Other People? Scott Godes, Esq., of Dickstein Shapiro LLP and Darrell Hamer of Property Claim Advisory Services Corporation

You do remember what contingent business interruption insurance is, don’t you?  What’s that, you need a refresher?  Well, click here and read all about it!  Then register for the conference.  Our panel is going to be great.  We’re going to give tips and details based on first hand, real world experience in pursuing coverage for contingent business interruption claims.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Note:  as a speaker at the conference, I will not be charged a fee to attend the remainder of the conference.

1 Comment | Business interruption, Contingent business interruption, First party insurance coverage | Tagged: , , | Permalink
Posted by Scott Godes

“LexisNexis® Insurance Law Community Podcast featuring Scott Godes of Dickstein Shapiro LLP on Cyber Liability Insurance Coverage”

July 23, 2010

LexisNexis was kind enough to have me record a podcast regarding insurance coverage for cyber liabilities. As LexisNexis states on the Insurance Law Center:

On this edition, Scott Godes discusses the types of cyber liabilities facing companies today, what to do, in terms of insurance, if a cyber incident or data breach occurs and types of policies that provide coverage for a cyber event. Copyright© 2010 LexisNexis, a division of Reed Elsevier Inc. Visit http://www.lexisnexis.com/community/insurancelaw/.

If you’d like to hear the entire podcast, please click here.

Disclaimer:
This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

2 Comments | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage, Defense Costs, Denial-of-service, Duty to defend, First party insurance coverage | Tagged: , , , , , , , , , , , , | Permalink
Posted by Scott Godes

Join me for ACI’s 4th Annual Advanced Forum on Cyber & Data Risk Insurance.

July 9, 2010

data breach, cybersecurity, insurance coverage

Interested in learning more about cybersinsurance and cybersecurity?  How about coverage for data breaches, cybersecurity events, and other computer risks?  Then please join me for American Conference Institute’s:

4th Annual Advanced Forum on

Cyber & Data Risk Insurance

Monday, September 27 to Tuesday, September 28, 2010
The Helmsley Park Lane Hotel, New York, NY, United States

Cyber and data risk insurance is becoming critical to businesses that operate online, as cyber-attacks are increasing exponentially in terms of frequency, scope, costs and overall impact. With even the best compliance practices in place, it is impossible to guarantee that the private information of consumers and employees will be protected. State Attorneys General and the Federal Trade Commission are becoming more active in investigating and penalizing companies who fail to adequately prevent or respond to a data breach. Additionally, there has been an increase in federal and state legislation and a rise in private actions in the form of mass class actions that are sure to significantly impact this industry.

Demand for cyber and data risk insurance is growing rapidly as businesses are focusing their efforts to address their information risk and data security needs.Broader cyber risk insurance policies have emerged, covering costs relating to responding to a data breach including: notification costs, credit monitoring costs, forensic investigations, call center support, public relations and defense of a claim brought by individuals or federal and state officials.

In light of these risks and exposures, it is critical that you are up to date with the trends in the fast evolving area of cyber and data risk insurance. That is why American Conference Institute developed our successful and well-attended Cyber & Data Risk Insurance Conference in September 2007 and the response in 2008 and 2009 was even better. To those who have attended, come to this 4th annual event — now in New York City — for a revised and updated agenda and to hear from the best and the brightest in the industry, including the FTC, the OTS, the FBI, 2 State Attorneys General and an Assistant Attorney General. For first-time attendees, this conference is your best opportunity to get the tools you need to learn about the new policies, including pricing and negotiating specific coverage, mitigating risks associated with e-business, and to learn strategies so that you can maximize your profitability while minimizing your potential liabilities.

The security and safeguarding of information is vital to protect an organization from financial and reputational loss. This conference is your best opportunity to network with industry insiders, compare products and strategies and to learn valuable information on potential risks and liabilities so that you can put the appropriate insurance protection and risk management practices in place.

Be sure to also register for the Post-Conference Workshop: Negotiating and Drafting Cyber Risk Provisions and Policies

September 28, 2010; 2:00 p.m. – 5:00 p.m.

Back by popular demand with updated content to reflect new developments and additional workshop leaders to walk you through the ins and outs of negotiating and drafting this highly specialized coverage.

Register now by calling 888-224-2480, faxing your registration form to 877-927-1563 or registering online.

Dates:

Mon, Sep 27, 10

Tue, Sep 28, 10

Location:

The Helmsley Park Lane Hotel

New York, NY, United States

My panel, What Policy Holders Are and Should Be Looking for in Cyber and Data Security Coverage, will be covering:

  • Coverage considerations: What liability and first-party coverages are desirable?
  • Reasons companies have or have not bought coverage
  • How standards are evolving in response to new technology threats
  • Consumer redress: when is it covered and when not?
  • Coverage for liabilities (including defense and other costs) and first party losses
    • intentional violations
    • coverage for electronic and non-electronic loss
  • Implementing privacy and data security compliance and policies

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Note:  as a speaker at the conference, I was not charged a fee to attend the remainder of the conference.

1 Comment | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage, Defense Costs, Denial-of-service, First party insurance coverage | Tagged: , , , , , , , , | Permalink
Posted by Scott Godes

“Insurance Coverage for Intellectual Property and Cybersecurity Risks.”

May 19, 2010

Can you think of many, or, in fact, any, companies that are risk free when it comes to the areas of intellectual property or cybersecurity?  If you represent companies with risks relating to intellectual property and cybersecurity, what insurance coverage would apply if those risks turned into claims and potential liabilities?  Are you familiar with the developing body of insurance coverage law in those areas?

I’m the author of a forthcoming treatise chapter that answers those exact questions.  It’s the “Insurance Coverage for Intellectual Property and Cybersecurity Risks” chapter of the New Appleman Law of Liability Insurance, Second Edition, to be released in June 2010.  Here’s the chapter’s introduction:

Two developing areas of insurance coverage law are the issues of insurance coverage for intellectual property-based claims and cybersecurity-based claims.  This chapter describes coverages available for such claims.  The chapter first analyzes and details the development of coverage for intellectual property claims through advertising injury found in general liability insurance policies, as well as other coverages.  The chapter then analyzes coverage for cybersecurity claims.  The area of coverage for cybersecurity claims is, relative to most insurance coverage topics, quite nascent, and the chapter considers decisions that should be seen as analogous to this developing topic.  The chapter discusses coverage for cybersecurity claims under general liability, first-party, and other policies, as well as new policies being marketed as specific to cybersecurity risks and claims.

The intellectual property section of the chapter provides a basic overview of various types of intellectual property risks and provides a detailed discussion of how insurance policies apply to those risks.  The chapter explains the legal principles at issue when seeking insurance coverage for such risks and potential liabilities.  The chapter discusses the majority and minority rules for various issues and provides an analysis of the various exclusions that insurance companies have cited when trying to deny coverage for intellectual property claims.

The cybersecurity section of the chapter provides an overview of the new and growing cybersecurity risks faced today and details what insurance policies apply to those risks.  The chapter details how courts have ruled on coverage questions for cybersecurity and computer-related risks and liabilities.  For those areas of the law that are not as well-developed, in light of the relatively new nature of cybersecurity risks, the chapter notes analogous caselaw and how those holdings should apply to cybersecurity claims.  The section also notes issues to consider for companies in the market for new and specialized cybersecurity insurance policies.

This post appeared originally at the Lexis Insurance Law Community.
Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

myspace profile views counter

1 Comment | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage, Defense Costs, Denial-of-service, Duty to defend, First party insurance coverage, Uncategorized | Tagged: , , , , , , , , , , , | Permalink
Posted by Scott Godes

“Oil in the Gulf: Litigation & Insurance Coverage”

May 5, 2010

Looking to learn more about the oil spill in the Gulf and the Deepwater Horizon Drilling Rig explosion?  Want to know what sort of insurance coverage could cover resulting liability, first party, business interruption, contingent business interruption, and other claims?

Then you should check out the Oil in the Gulf: Litigation & Insurance Coverage Teleconference, hosted by my friends at HB Litigation Conferences.

My colleague, Selena Linde, will be one of the two speakers for the event.  On the agenda, among other things, will be:

  • The recent Gulf Disaster-Deepwater Horizon Drilling Rig explosion, sinking and spill
  • Who will the claimants be and what theories of liability will prevail?
  • Analysis of the applicable coverage claims and exclusions including business interruption, property and environmental coverage claims
  • Unique state law issues for insurers in direct action states, such as Louisiana

To register, you can download the Registration Form (PDF) and mail/fax/email it to HB Litigation Conferences, complete the online form, or e-mail or call Brownie Bokelman at 484-324-2755 x 212 to register.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

myspace profile views counter

Leave a Comment » | Business interruption, Contingent business interruption, Environmental insurance coverage, First party insurance coverage, Pollution exclusion, Pollution insurance, Uncategorized | Tagged: , , , , , , , , , , | Permalink
Posted by Scott Godes

“Losses Due to Volcanic Eruption: Insurance Coverage Considerations”

April 23, 2010

Looking for information about insurance coverage for losses related to the recent volcano eruption in Iceland that has affected Europe, air travel, airplanes, and commerce in general?  If you are, take a look at the Alert that my colleagues Kirk A. Pasich, Stephen N. Goldberg, Kenneth Berline Trotter, Jared Zola wrote.  Here is a snippet:

A volcano under Iceland’s Eyjafjallajökull glacier erupted on April 14th, spewing clouds of ash up to 30,000 feet into the air. The volcanic eruption in Iceland already has caused significant disruption to businesses and individuals. For example, airlines were unable to fly planes even if they wanted to, because national aviation authorities shut down airports and air space. As a result, hundreds of thousands of passengers were unable to fly to or from the region. Although air travel is slowly resuming in some countries, the disruption continues, and experts cannot say when the problems will end.

The Alert discusses potential coverage under Event Cancellation policies, Trade Disruption policies, Travel Insurance policies, and First-Party Property policiesClick here to read the full Alert.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

myspace profile views counter

Leave a Comment » | Business interruption, Contingent business interruption, First party insurance coverage | Tagged: , , , , , , , | Permalink
Posted by Scott Godes

“Guest View: Insurance for the cloud”

January 5, 2010

When you hear “cloud computing,” is insurance the first thing that you think of?  No?  I’m the only one who thinks that way?  Well, if you were wondering about the implications of cloud computing on insurance and risks, I co-wrote an article with my colleague, Idan Ivri that addresses those questions.

First, what does “cloud computing” mean?  We explain:

Cloud computing is a loose term, but it generally refers to storing user data or applications on a remote server rather than on users’ own systems. A 2009 industry study by Coda Research Consultancy estimated that, by 2015, various forms of such software could represent 17% of all information technology spending worldwide.

That sounds great, doesn’t it?  The idea is that you and your business don’t have to buy expensive suites of software or massive servers and hard drives to store all of your applications, because you will be able to access them via a third party (sometimes known as a third party application service provider (ASP) or software as a service (SAAS)).

But is cloud computing all silver lining, and no, uh, grey cloud? We note:

[I]f developers make privacy the top priority, cloud-computing developers may face those that say they should be liable for the bad behavior of unsavory customers seeking a dark place to host illegal data or viruses.

On the other hand, privacy standards that are too low could make developers liable for data theft against legitimate users, or for putting private data into the hands of advertisers. Developers will also have to handle disruptions or unavailability of data and services to end users.

Do developers, ASPs and SAAS providers have insurance to cover those risks?  Will “traditional” insurance policies cover?  What about specialized “cyber” policies?  For the rest of the discussion about insurance for cloud computing, click on over to the full article at Software Development Times on the Web.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.
myspace profile views counter

2 Comments | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, Data breach insurance coverage, Defense Costs, Denial-of-service, Duty to defend, First party insurance coverage | Tagged: , , , , , , , , , , , | Permalink
Posted by Scott Godes

Presentation on Your Cyber Security Strategy — How to Capitalize on New Opportunities & Mitigate Risks

December 1, 2009

Interested in cyber security issues?  Please join me for the following program (now archived here), live or via webinar, presented by the Washington Metropolitan Area Corporate Counsel Association:

WMACCA Government Contractors Forum: Your Cyber Security Strategy — How to Capitalize on New Opportunities & Mitigate Risks

Dec 9, 2009
8:00 AM – 10:00 AM
LIVE at Gannett Co., Inc., 7950 Jones Branch Drive, McLean, Virginia OR by WEBCAST from your desk.

Overview

As the corporate world becomes more and more virtual, the need for cyber and data security has never been greater. Understanding the Administration’s new cyber security initiatives and changes on the legislative front can give companies a competitive advantage in developing comprehensive cyber security programs. If your business is grappling with emerging threats, limited funds, and slow procurement processes, you are not alone.  Find out how to capitalize on the opportunities available through the Safety Act and other mechanisms to protect your company, and how your insurance coverage policies may cover potential liabilities. This program will address what you need to know, what you need to do, and how to “just do it.”

Speakers

Presented by Scott N. Godes, of Dickstein Shapiro LLP; David Kessler, Senior Corporate Counsel, Symantec Corporation; Kenneth A. Mendelson, Managing Director, Stroz Friedberg. Moderated by Brian E. Finch of Dickstein Shapiro LLP.

Notes

Breakfast will be provided on-site from 8:00 – 8:30 a.m.  The program and webcast will begin at 8:30 a.m.

Webcast Log-In Instructions:
1. Go to www.ec.commpartners.com
2. In the middle of the page where it says Meeting Number, type the following number –340258
3. Click Enter
4. Type your full name and e-mail address when prompted

CLE

Credits: 1.5 hour pending
State: Virginia
Category: General

Contact

Robin Hayutin
Phone: 703-242-8773
E-mail: robin.hayutin@wmacca.com

Location

LIVE at Gannett Co., Inc., 7950 Jones Branch Drive, McLean, Virginia OR by WEBCAST from your desk.

703-854-6000

Sign Up

Cost

Free of charge

View All Events

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.
myspace profile views counter

1 Comment | Business interruption, Cloud computing, Contingent business interruption, Cyber insurance, D&O Insurance, Data breach insurance coverage, Defense Costs, Denial-of-service | Tagged: , , , , , , , , | Permalink
Posted by Scott Godes

Join Me for Insurance Coverage for Cybersecurity CLE Hosted by the Pennsylvania Bar Institute.

August 14, 2009

On Wednesday, August 26, 2009, I’ll be presenting a CLE for the Pennsylvania Bar Institute on insurance coverage for cybersecurity liabilities.  Here’s a snapshot of the PBI’s page so that you can sign up.

Business Law | Insurance Practice
search:
 advanced
Tele-Web Seminar

Tele-Web Seminar
Insurance Coverage for Cybersecurity

1.5 Total CLE credits (No Ethics)
Note: This tele-web seminar will begin on Wednesday, August 26, 2009 at 12:00 PM to 1:30 PM Eastern Time.
Product №: 6116T
Course Level: Intermediate
Duration: 90 minutes

Register Now
  • Remember
    		•
  • Tell a Friend
    		•
    Item Description | Faculty | Pricing

    Item Description

    The financial liability of failing to protect information properly can be extraordinarily high.  One way in which to protect your clients and yourself from liability is to obtain cybersecurity insurance.  This program examines this relatively new type of insurance, the pros and cons of obtaining it, and will help you to help your clients explore their options.

    Our faculty will discuss:

    • An overview of cybersecurity and data breach risks and potential liabilities
    • How “traditional” insurance coverage might cover cybersecurity and data breach risks and liabilities
    • New insurance products in the marketplace for cybersecurity and data breach risks and liabilities
    		 Back to top

    Pricing Back to top
    • Members–PA or any co. bar assn.
    		 $99.00
    • Nonmember
    		 $119.00

    Faculty Back to top
    Scott Godes, Esq., Dickstein Shapiro, LLP, Washington, DC
    Timothy Delahunt, Esq., Kenney, Shelton, Liptak & Nowak, LLP, Buffalo, NY
    Arturo PerezReyes, Client Executive, Saylor & Hill, Oakland, CA
    Back to top
    Register NOW so you can print the course materials when they are available.
    icon_acrobat Instructions (1 Page, 14 KB)
    Contact us at 1-800-932-4637
    Email us at callincle@pbi.org     		click for live chat Having trouble using this site?
    Help us improve
    Powered by Legalspan

    myspace profile views counter

    Disclaimer:

    This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

    Leave a Comment » | Business interruption, Contingent business interruption, Cyber insurance, Data breach insurance coverage, Denial-of-service, First party insurance coverage | Tagged: , , , , , , , | Permalink
    Posted by Scott Godes

    Coverage Disputes Over Data Breaches . . . (as summarized by HB Litigation Conferences)

    August 13, 2009

    On July 15, 2009, I gave a presentation regarding insurance coverage for data breaches for my friends at HB Litigation Conferences, along with Tim Delahunt and Arturo Perez-ReyesTom Hagy (yes, the “H” in “HB”) wrote a really nice blog post discussing and summarizing the content of the teleconference, which you can find by clicking here.

    Tom opens the piece with a provocative title and subtitle, asking:

    Coverage Disputes Over Data Breaches . . .

    . . . A Deluge or a Dud?

    He explains:

    With hundreds of laws governing data privacy and the potential for billions of dollars in damages, you can’t help but think that insurance coverage disputes are about to fall on courts like confetti.

    Maybe yes; maybe no.

    Either way, companies need to pay as close attention to their insurance policies as they do their data protection policies.

    Tom then gives a nice summary of the introduction and overview regarding potential insurance coverage for data breaches that I provided to the conference attendees:

    Speaking on HB’s July 15 teleconference – “Private Data Breaches: Insurance Coverage Implications & Prevention – policyholder counsel Scott Godes of Dickstein Shapiro told listeners that, despite what insurance counsel might say, “don’t write off your existing coverage” if looking for protection. He also said to know the window of time to get your notice in quickly to get your insurer “to partner up with you,” and to consider new cyber-security coverage – but “know its limitations.”

    Tom also featured some of the fascinating data points that my co-presenter Arturo Perez Reyes provided on this burgeoning area of liability:

    Co-presenter Arturo Perez Reyes said California alone has 81 separate privacy laws, and there are hundreds of laws outside the U.S. If you lose records, you will have to tell everyone that you lost them, he said, “essentially notifying a whole class of potential plaintiffs.”

    There was a 44% increase in data losses last year that resulted in $50B in losses, Reyes reported, adding that nine million people were affected by identification theft.

    “The concept of a firewall is a joke,” Reyes declared.

    Tom also highlighted some back and forth between me and co-presenter Tim Delahunt:

    Godes criticized insurance company arguments against coverage for data theft arising from failures on the part of the policyholder’s systems. “If there is no failure to maintain proper authentication and no failure of data security measures, there would be no potential liability and no lawsuits,” he said. “And if there never was a failure of proper authentication and never was a failure of data security, I suppose insurance companies would be thrilled because they would get your insurance premiums and nothing ever goes wrong.”Co-presenter Timothy Delahunt of Kenney, Shelton, Liptak & Nowak called this a “classic policyholder complaint – that insurance companies issue coverage then deny it.”

    “The analogue is that courts will find coverage when they need to, to satisfy an underlying liability. Do I think the facts and policy language have changed?” Delahunt asked. “By and large no. Could the coverage landscape change as underlying liability expands? I believe that’s possible.”

    For the rest of the analysis and the post, click here.  And thanks, of course, to Tom and HB Litigation Conferences for the write up!

    myspace profile views counter

    Disclaimer:

    This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

    3 Comments | Business interruption, Contingent business interruption, Cyber insurance, Data breach insurance coverage, Denial-of-service, First party insurance coverage | Tagged: , , , , , | Permalink
    Posted by Scott Godes

    Total Cessation of Business Is Not Required for BI Coverage.

    August 10, 2009

    Advisen just published my article, Just How Much Business Disruption Is Required To Obtain Coverage Under Contingent Business Interruption Insurance Policies?.

    In the piece, I explain that:

    In insurance coverage cases relating to the application of contingent business interruption coverage, insurers consistently argue that there must have been a “total cessation” of operations, no matter the applicable policy language. They further argue that if there was no “total cessation” of business operations, the insurers are not obligated to provide contingent business interruption coverage. Those arguments, however, should not carry the day.

    What is contingent business interruption insurance coverage?

    “Regular business-interruption insurance replaces profits lost as a result of physical damage to the insured’s plant or other equipment; contingent business-interruption coverage goes further, protecting the insured against the consequences of suppliers’ problems.” Archer Daniels Midland Co. v. Hartford Fire Ins. Co., 243 F.3d 369, 371 (7th Cir. 2001) (“Archer v. Hartford”). In short, if a third party suffers a business interruption that affects the policyholder, such as “damage to [a third party’s] plant, which was neither owned nor operated by” the insured, “contingent business interruption insurance applie[s] to the losses suffered by” the named insured. CII Carbon, L.L.C. v. Nat’l Union Fire Ins. Co., 918 So.2d 1060, 1068 (La. App. 4 Cir. 2005).

    The article discusses what sort of interruption is required under contingent business interruption policies. I argue that:

    The plain language of policies that require only an “interruption of business” does not, by the terms, require a total “cessation” or “suspension” of business.

    For the complete analysis, click here to read the complete article.

    myspace profile views counter

    Disclaimer:

    This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

    3 Comments | Business interruption, Contingent business interruption, First party insurance coverage | Tagged: , , | Permalink
    Posted by Scott Godes

    « Previous Entries
    Follow

    Get every new post delivered to your Inbox.

    Join 1,353 other followers