Category Archives: Denial-of-service

“LexisNexis® Insurance Law Community Podcast featuring Scott Godes . . . on Cyber Liability Insurance Coverage”

LexisNexis was kind enough to have me record a podcast regarding insurance coverage for cyber liabilities. As LexisNexis states on the Insurance Law Center:

On this edition, Scott Godes discusses the types of cyber liabilities facing companies today, what to do, in terms of insurance, if a cyber incident or data breach occurs and types of policies that provide coverage for a cyber event. Copyright© 2010 LexisNexis, a division of Reed Elsevier Inc. Visit http://www.lexisnexis.com/community/insurancelaw/.

If you’d like to hear the entire podcast, please click here.

Disclaimer:
This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Join me for ACI’s 4th Annual Advanced Forum on Cyber & Data Risk Insurance.

data breach, cybersecurity, insurance coverage

Interested in learning more about cybersinsurance and cybersecurity?  How about coverage for data breaches, cybersecurity events, and other computer risks?  Then please join me for American Conference Institute’s:

4th Annual Advanced Forum on

Cyber & Data Risk Insurance

Monday, September 27 to Tuesday, September 28, 2010
The Helmsley Park Lane Hotel, New York, NY, United States

Cyber and data risk insurance is becoming critical to businesses that operate online, as cyber-attacks are increasing exponentially in terms of frequency, scope, costs and overall impact. With even the best compliance practices in place, it is impossible to guarantee that the private information of consumers and employees will be protected. State Attorneys General and the Federal Trade Commission are becoming more active in investigating and penalizing companies who fail to adequately prevent or respond to a data breach. Additionally, there has been an increase in federal and state legislation and a rise in private actions in the form of mass class actions that are sure to significantly impact this industry.

Demand for cyber and data risk insurance is growing rapidly as businesses are focusing their efforts to address their information risk and data security needs.Broader cyber risk insurance policies have emerged, covering costs relating to responding to a data breach including: notification costs, credit monitoring costs, forensic investigations, call center support, public relations and defense of a claim brought by individuals or federal and state officials.

In light of these risks and exposures, it is critical that you are up to date with the trends in the fast evolving area of cyber and data risk insurance. That is why American Conference Institute developed our successful and well-attended Cyber & Data Risk Insurance Conference in September 2007 and the response in 2008 and 2009 was even better. To those who have attended, come to this 4th annual event — now in New York City — for a revised and updated agenda and to hear from the best and the brightest in the industry, including the FTC, the OTS, the FBI, 2 State Attorneys General and an Assistant Attorney General. For first-time attendees, this conference is your best opportunity to get the tools you need to learn about the new policies, including pricing and negotiating specific coverage, mitigating risks associated with e-business, and to learn strategies so that you can maximize your profitability while minimizing your potential liabilities.

The security and safeguarding of information is vital to protect an organization from financial and reputational loss. This conference is your best opportunity to network with industry insiders, compare products and strategies and to learn valuable information on potential risks and liabilities so that you can put the appropriate insurance protection and risk management practices in place.

Be sure to also register for the Post-Conference Workshop: Negotiating and Drafting Cyber Risk Provisions and Policies

September 28, 2010; 2:00 p.m. – 5:00 p.m.

Back by popular demand with updated content to reflect new developments and additional workshop leaders to walk you through the ins and outs of negotiating and drafting this highly specialized coverage.

Register now by calling 888-224-2480, faxing your registration form to 877-927-1563 or registering online.

Dates:

Mon, Sep 27, 10

Tue, Sep 28, 10

Location:

The Helmsley Park Lane Hotel

New York, NY, United States

My panel, What Policy Holders Are and Should Be Looking for in Cyber and Data Security Coverage, will be covering:

  • Coverage considerations: What liability and first-party coverages are desirable?
  • Reasons companies have or have not bought coverage
  • How standards are evolving in response to new technology threats
  • Consumer redress: when is it covered and when not?
  • Coverage for liabilities (including defense and other costs) and first party losses
    • intentional violations
    • coverage for electronic and non-electronic loss
  • Implementing privacy and data security compliance and policies

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Note:  as a speaker at the conference, I was not charged a fee to attend the remainder of the conference.

“Insurance Coverage for Intellectual Property and Cybersecurity Risks.”

Can you think of many, or, in fact, any, companies that are risk free when it comes to the areas of intellectual property or cybersecurity?  If you represent companies with risks relating to intellectual property and cybersecurity, what insurance coverage would apply if those risks turned into claims and potential liabilities?  Are you familiar with the developing body of insurance coverage law in those areas?

I’m the author of a forthcoming treatise chapter that answers those exact questions.  It’s the “Insurance Coverage for Intellectual Property and Cybersecurity Risks” chapter of the New Appleman Law of Liability Insurance, Second Edition, to be released in June 2010.  Here’s the chapter’s introduction:

Two developing areas of insurance coverage law are the issues of insurance coverage for intellectual property-based claims and cybersecurity-based claims.  This chapter describes coverages available for such claims.  The chapter first analyzes and details the development of coverage for intellectual property claims through advertising injury found in general liability insurance policies, as well as other coverages.  The chapter then analyzes coverage for cybersecurity claims.  The area of coverage for cybersecurity claims is, relative to most insurance coverage topics, quite nascent, and the chapter considers decisions that should be seen as analogous to this developing topic.  The chapter discusses coverage for cybersecurity claims under general liability, first-party, and other policies, as well as new policies being marketed as specific to cybersecurity risks and claims.

The intellectual property section of the chapter provides a basic overview of various types of intellectual property risks and provides a detailed discussion of how insurance policies apply to those risks.  The chapter explains the legal principles at issue when seeking insurance coverage for such risks and potential liabilities.  The chapter discusses the majority and minority rules for various issues and provides an analysis of the various exclusions that insurance companies have cited when trying to deny coverage for intellectual property claims.

The cybersecurity section of the chapter provides an overview of the new and growing cybersecurity risks faced today and details what insurance policies apply to those risks.  The chapter details how courts have ruled on coverage questions for cybersecurity and computer-related risks and liabilities.  For those areas of the law that are not as well-developed, in light of the relatively new nature of cybersecurity risks, the chapter notes analogous caselaw and how those holdings should apply to cybersecurity claims.  The section also notes issues to consider for companies in the market for new and specialized cybersecurity insurance policies.

This post appeared originally at the Lexis Insurance Law Community.
Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

myspace profile views counter

Please join me for the NetDiligence® Cyber Risk & Privacy Liability Forum

hblc

Dickstein Shapiro LLP is pleased to announce that

Scott Godes, Esq. is speaking on the Are You Covered When Hackers Get Through?
session at this conference.

Dickstein

NetDiligence® Cyber Risk & Privacy

Liability Forum

Date: June 7-8, 2010

Price: Risk Managers, CFOs: $795*;

Insurers, Brokers, Policyholders: $895*; Attorneys: $1,195*

Location: The Union League, 140 South Broad Street, Philadelphia, PA

CLE Credit: 6-8 CLE credits (CPD and CPCU credits also available), depending on state requirements. View the CLE credit details.

Mention promo code COB10A when you register for the live event and save $100!**

Chairs

Nicholas Economidis, Specialty Lines, Beazley Group

John Mullen, Sr., Esq., Nelson Levine de Luca & Horst,

Chair of Complex Litigation Practice Group

Robert Parisi, Jr., SVP, National Practice Leader for

Tech/Telecom E&O, and Network Risk, Marsh FINPRO

What You Will Learn

(For a complete agenda and faculty listing, click here.)

  • Keynote Address by Keith Morales of The Federal Reserve Bank of Philadelphia
  • Data Breach Liability: An Unstable Legal Environment
  • Cyber Security and Privacy Liability Concerns: The Risk Managers Speak
  • Regulatory Trends Briefing
  • Loss Control-Assessing & Quantifying Network Risks
  • Responding to a Data Breach
  • Design and Implementation of an Incident Response Plan
  • Solving Special Computer Security Issues
  • Are You Covered When Hackers Get Through?
  • Looking Into the Crystal Ball: Future Insurance Needs

To learn more or register for this conference,

please call 484-324-2755 or click here.

*All cancellations must be received in writing. Full refunds will be issued if cancellation requests are received 4 weeks before the event begins. Credits, good for 6 months from date of issue, will be issued if cancellation requests are received 3 weeks before the event begins. HBLC reserves the right to cancel any of its programs. Speakers, sessions and times are subject to change.

**Limit one discount per registrant. Discount cannot be combined with any other offer. Offer valid at the live event only and on new registrations only.

UnionLeauge

CAN’T ATTEND?

You can still benefit from this program! Audio/video recordings are available now.  Individually priced and packaged, each recording captures the information and insights delivered by our faculty. Listen to experts, gain new perspectives, and learn proven techniques. For more information,

click here, call 484-324-2755, or email Allison.Emery@litigationconferences.com.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Note:  as a speaker at the conference, I was not charged a fee to attend the remainder of the conference.

myspace profile views counter

Check out my article, “At Risk: Insurance Coverage for Cyber Security and Data Breaches” in Strategize Magazine.

The fine folks at Strategize Magazine have published an article that I wrote, along with my colleague, Ken Trotter.  The article is titled, “At Risk:  Insurance Coverage for Cyber Security and Data Breaches.”  It’s in the January/February 2010 edition of the magazine.

Strategize is a magazine that promises:

in each issue of Strategize, we’ll clear out the clutter to reveal what’s really relevant. Our aim is to be your one-stop information source that brings the reader to the boardroom, following the national trends that affect business today, and the innovations of our most provocative business leaders.

Our article gives a clear and easy to read overview of insurance coverage for cyber security and data breach claims.  We give real world examples of data breaches and cyber security incidents, and how they affect businesses today.  We also discuss coverage for those types of claims under commercial general liability insurance policies, first party insurance policies, crime policies, directors and officers policies, and more.  Interested?*  Then aim your mouse here to readAt Risk:  Insurance Coverage for Cyber Security and Data Breaches.”

* Even if you’re not that interested in the topic, it’s worth the click to see the cool online magazine format and graphic that they put with the article.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

myspace profile views counter

“From Doctors to ‘E-tailers’: The Expanding Market of Cyber Risks and Coverages.”

Are you going to the 2010 Insurance Coverage Litigation Committee CLE Seminar that the American Bar Association Insurance Coverage Litigation Committee is hosting in Tucson, Arizona on March 4-6, 2010?  If you are, please sign up for my roundtable presentation, “From Doctors to ‘E-tailers’:  The Expanding Market of Cyber Risks and Coverages.”  I will be speaking with my friend Dana A. Ferestein on the issues.  We’re going to discuss cybersecurity threats and potentially available insurance coverage, along with tips to keep in mind when considering coverage issues under new policies.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

myspace profile views counter

Join Me at the NetDiligence® Cyber Risk & Privacy Liability Forum!

My good friends at HB Litigation Conferences present:

The NetDiligence® Cyber Risk & Privacy Liability Forum
June 7-8, 2010 | The Union League, 140 South Broad Street, Philadelphia, PA

I’ll be a speaker on a panel discussing insurance coverage for cyber risk and privacy issues.  Here’s the topic for my panel:

Are You Covered When Hackers Get Through?

• Does a company have coverage for data breaches?

• Knowing your client and when to advise coverage

• Advising clients who have been hacked

• How to secure coverage for future incidents

• Finer legal points of coverage-handling fines, penalties, and notice costs

• Business interruption claims

Moderator: Nicholas Economidis, Specialty Lines, Beazley Group, Philadelphia

Scott Godes, Esq, [formerly] Dickstein Shapiro, Washington, DC

Oliver Brew, Vice President of Technology, Media and Telecoms Underwriting, Hiscox USA, Westchester, NY

Richard Bortnick, Esq., Cozen O’Connor, West Conshohocken, PA

Take a look at the full agenda by clicking here.  And you can register online by clicking here.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Note:  as a speaker at the conference, I was not charged a fee to attend the remainder of the conference.
myspace profile views counter

A blog post so nice, it had to be published twice.

The fine folks at the Lexis Insurance Law Center have republished my post, “Dusting Off an Old Law” – Insurance Coverage for Trespass to Chattels Claims.  Many thanks to my friend Karen Yotis for putting the article online.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.
myspace profile views counter

“Guest View: Insurance for the cloud”

When you hear “cloud computing,” is insurance the first thing that you think of?  No?  I’m the only one who thinks that way?  Well, if you were wondering about the implications of cloud computing on insurance and risks, I co-wrote an article with my former colleague, Idan Ivri that addresses those questions.

First, what does “cloud computing” mean?  We explain:

Cloud computing is a loose term, but it generally refers to storing user data or applications on a remote server rather than on users’ own systems. A 2009 industry study by Coda Research Consultancy estimated that, by 2015, various forms of such software could represent 17% of all information technology spending worldwide.

That sounds great, doesn’t it?  The idea is that you and your business don’t have to buy expensive suites of software or massive servers and hard drives to store all of your applications, because you will be able to access them via a third party (sometimes known as a third party application service provider (ASP) or software as a service (SAAS)).

But is cloud computing all silver lining, and no, uh, grey cloud? We note:

[I]f developers make privacy the top priority, cloud-computing developers may face those that say they should be liable for the bad behavior of unsavory customers seeking a dark place to host illegal data or viruses.

On the other hand, privacy standards that are too low could make developers liable for data theft against legitimate users, or for putting private data into the hands of advertisers. Developers will also have to handle disruptions or unavailability of data and services to end users.

Do developers, ASPs and SAAS providers have insurance to cover those risks?  Will “traditional” insurance policies cover?  What about specialized “cyber” policies?  For the rest of the discussion about insurance for cloud computing, click on over to the full article at Software Development Times on the Web.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.
myspace profile views counter

Presentation on Your Cyber Security Strategy — How to Capitalize on New Opportunities & Mitigate Risks

Interested in cyber security issues?  Please join me for the following program (now archived here), live or via webinar, presented by the Washington Metropolitan Area Corporate Counsel Association:

WMACCA Government Contractors Forum: Your Cyber Security Strategy — How to Capitalize on New Opportunities & Mitigate Risks

Dec 9, 2009
8:00 AM – 10:00 AM
LIVE at Gannett Co., Inc., 7950 Jones Branch Drive, McLean, Virginia OR by WEBCAST from your desk.

Overview

As the corporate world becomes more and more virtual, the need for cyber and data security has never been greater. Understanding the Administration’s new cyber security initiatives and changes on the legislative front can give companies a competitive advantage in developing comprehensive cyber security programs. If your business is grappling with emerging threats, limited funds, and slow procurement processes, you are not alone.  Find out how to capitalize on the opportunities available through the Safety Act and other mechanisms to protect your company, and how your insurance coverage policies may cover potential liabilities. This program will address what you need to know, what you need to do, and how to “just do it.”

Speakers

Presented by Scott N. Godes, [formerly] of Dickstein Shapiro LLP; David Kessler, Senior Corporate Counsel, Symantec Corporation; Kenneth A. Mendelson, Managing Director, Stroz Friedberg. Moderated by Brian E. Finch of Dickstein Shapiro LLP.

Notes

Breakfast will be provided on-site from 8:00 – 8:30 a.m.  The program and webcast will begin at 8:30 a.m.

Webcast Log-In Instructions:
1. Go to http://www.ec.commpartners.com
2. In the middle of the page where it says Meeting Number, type the following number –340258
3. Click Enter
4. Type your full name and e-mail address when prompted

CLE

Credits: 1.5 hour pending
State: Virginia
Category: General

Contact

Robin Hayutin
Phone: 703-242-8773
E-mail: robin.hayutin@wmacca.com

Location

LIVE at Gannett Co., Inc., 7950 Jones Branch Drive, McLean, Virginia OR by WEBCAST from your desk.

703-854-6000

Sign Up

Cost

Free of charge

View All Events

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.
myspace profile views counter

“Strategy for Creating an Effective Corporate Compliance Program”

I welcome you to check out the new Lexis Corporate Compliance Practice Guide:  The Next Generation.  My colleagues and I wrote Chapter 43. Specific Corporate Compliance Challenges by Practice Area: Insurance.  I wrote the section on insurance coverage for cyber security risks.

Here’s what Lisa C. Coppolo McManus, Legal Content Planner for LexisNexis® Matthew Bender®, wrote:

LexisNexis is providing a free download of a chapter from “The Corporate Compliance Practice Guide: The Next Generation.” An excerpt:

The CEO/President of the corporation should provide leadership for the compliance program. This includes launching the compliance program with the message from the CEO/President. This leadership at the top sets the tone for the compliance program and is an essential element of creating a culture of compliance within the corporation.

Further, top management must ensure the effectiveness of the compliance office by providing necessary personnel and funding. Top management should take a leadership role in fostering the compliance program by supporting the program in their daily activities.

Finally, ”specific high-level personnel,” which usually consists of the compliance officers in the compliance office, should be designated with the responsibility for the day-to-day operation of the compliance program. The chief compliance officer is critical to the success of the compliance program. For the compliance effort to succeed, the chief compliance officer should be afforded access to the CEO/President and the Board of Directors, as well as sufficient funding and staff. A chief compliance officer should be appointed to coordinate the activities of individual compliance ”officers” at subsidiaries. Finally, it is vital that the chief compliance officer and all other compliance officers be known for their integrity and high ethical standards.

For the free download, go to http://tinyurl.com/ylnjeff . Login is required, but it’s free and easy (and no spam!).

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.
myspace profile views counter

“Dusting Off an Old Law” – Insurance Coverage for Trespass to Chattels Claims.

“TrespNo Trespassingass to chattels”?!?  Isn’t that a doctrine that was dead and buried, brought up only to torment…educate first year law students?  Not any more!  In the electronic age, the trespass to chattels doctrine has been revived.  It has been used for all sorts of claims, including anti-spam claims, network interference claims, and more.

Of course, if you’re like me, you wonder, “Is there insurance available to cover such claims?”  I wrote an article, bylined with two co-authors, in which I address those questions.  Risk and Insurance just published the piece.

The piece’s introduction reads:

As computer technology rapidly advances, legislatures often cannot enact laws quickly enough to respond to new cybersecurity risks. Enterprising lawyers, however, have turned to old legal doctrines for relief. The doctrine of “trespass to chattels,” for example, is an antiquated term that once was buried in the dusty pages of old law dictionaries. But lawyers who handle cybersecurity issues, including allegations of spam, viruses, worms, unauthorized access, and more, have revived the doctrine as a means of redress. For companies facing potential liabilities based on such allegations, the availability of insurance coverage is critical to navigate the nuances of the ever-changing landscape.

Is there coverage for such claims?

Although designed to cover a wide range of risks that could befall a business, many standard form “traditional” insurance policies do not explicitly mention cybersecurity or claims arising out of online activity. But look closely, because coverage can still be available. For example, commercial general liability (CGL) insurance policies, the basic insurance policies bought by thousands of companies every year, provide, in standard form, two basic coverages relevant to this question: coverage for liability arising out of “property damage” and coverage for liability arising out of “personal and advertising injury.” Both coverages might apply to potential liability for a trespass to chattels claim.

Where should a company look when facing trespass to chattels claims?

Although designed to cover a wide range of risks that could befall a business, many standard form “traditional” insurance policies do not explicitly mention cybersecurity or claims arising out of online activity. But look closely, because coverage can still be available. For example, commercial general liability (CGL) insurance policies, the basic insurance policies bought by thousands of companies every year, provide, in standard form, two basic coverages relevant to this question: coverage for liability arising out of “property damage” and coverage for liability arising out of “personal and advertising injury.” Both coverages might apply to potential liability for a trespass to chattels claim.

For the analysis of property damage and personal and advertising injury coverage in CGL policies for trespass to chattels claims, click on over to Risk and Insurance to read the full piece. If not available through those links, the piece has been saved in the Internet Archive by clicking here.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.
myspace profile views counter

New content coming!

New posts coming!Loyal readers, I know that I have not updated the site with new content for longer than I’d prefer.  Rest assured that I have been working on a number of pieces, all of which are close to being finished.  I’ll either make them available here or put links here so that you can get to the content.

But for those of you who are hungry for more content, here’s an overview of the pieces that are coming:

  1. Insurance coverage for an improperly named insured.  The article discusses an insurance company’s duty to defend a lawsuit brought against an insured wrongly named in or served with a complaint.
  2. Insurance coverage for data breaches.  The article discusses the various forms of insurance that should respond to allegations of a data breach.
  3. Discovery of reinsurance in the context of insurance coverage litigation.  Recent cases and other materials have demonstrated that reinsurance is relevant to insurance coverage disputes, and the piece provides both an overview of why and a discussion of new decisions and public information confirming the relevance.
  4. Insurance coverage for trespass to chattels claims.  Trespass to chattels is probably something you’d never think that you’d hear after the first year of law school ended.  But the theory has been used recently in the context of cyber security claims.  The piece discusses insurance coverage for such allegations.
  5. Insurance coverage for cloud computing risks.  Cloud computing is the next big thing, it seems.  Insurance for such risks will have an ever increasing importance as cloud computing becomes more prevalent, and this piece discusses potential sources for coverage for such risks.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.
myspace profile views counter

Join Me for Insurance Coverage for Cybersecurity CLE Hosted by the Pennsylvania Bar Institute.

On Wednesday, August 26, 2009, I’ll be presenting a CLE for the Pennsylvania Bar Institute on insurance coverage for cybersecurity liabilities.  Here’s a snapshot of the PBI’s page so that you can sign up.

Business Law | Insurance Practice
search:
advanced
Tele-Web Seminar

Tele-Web Seminar
Insurance Coverage for Cybersecurity

1.5 Total CLE credits (No Ethics)

Note: This tele-web seminar will begin on Wednesday, August 26, 2009 at 12:00 PM to 1:30 PM Eastern Time.
Product №: 6116T
Course Level: Intermediate
Duration: 90 minutes

Register Now
Item Description | Faculty | Pricing

Item DescriptionThe financial liability of failing to protect information properly can be extraordinarily high.  One way in which to protect your clients and yourself from liability is to obtain cybersecurity insurance.  This program examines this relatively new type of insurance, the pros and cons of obtaining it, and will help you to help your clients explore their options.

Our faculty will discuss:

  • An overview of cybersecurity and data breach risks and potential liabilities
  • How “traditional” insurance coverage might cover cybersecurity and data breach risks and liabilities
  • New insurance products in the marketplace for cybersecurity and data breach risks and liabilities
Register Now Back to top

Pricing Back to top
  • Members–PA or any co. bar assn.
$99.00
  • Nonmember
$119.00

Faculty Register Now Back to top
Scott Godes, Esq., [formerly] Dickstein Shapiro, LLP, Washington, DC
Timothy Delahunt, Esq., Kenney, Shelton, Liptak & Nowak, LLP, Buffalo, NY
Arturo PerezReyes, Client Executive, Saylor & Hill, Oakland, CA
Register Now Back to top
Register NOW so you can print the course materials when they are available.
icon_acrobat Instructions (1 Page, 14 KB)
Contact us at 1-800-932-4637
Email us at callincle@pbi.org
click for live chat Having trouble using this site?
Help us improve
Powered by Legalspan

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Coverage Disputes Over Data Breaches . . . (as summarized by HB Litigation Conferences)

On July 15, 2009, I gave a presentation regarding insurance coverage for data breaches for my friends at HB Litigation Conferences, along with Tim Delahunt and Arturo Perez-ReyesTom Hagy (yes, the “H” in “HB”) wrote a really nice blog post discussing and summarizing the content of the teleconference, which you can find by clicking here.

Tom opens the piece with a provocative title and subtitle, asking:

Coverage Disputes Over Data Breaches . . .

. . . A Deluge or a Dud?

He explains:

With hundreds of laws governing data privacy and the potential for billions of dollars in damages, you can’t help but think that insurance coverage disputes are about to fall on courts like confetti.

Maybe yes; maybe no.

Either way, companies need to pay as close attention to their insurance policies as they do their data protection policies.

Tom then gives a nice summary of the introduction and overview regarding potential insurance coverage for data breaches that I provided to the conference attendees:

Speaking on HB’s July 15 teleconference – “Private Data Breaches: Insurance Coverage Implications & Prevention – policyholder counsel Scott Godes [formerly] of Dickstein Shapiro told listeners that, despite what insurance counsel might say, “don’t write off your existing coverage” if looking for protection. He also said to know the window of time to get your notice in quickly to get your insurer “to partner up with you,” and to consider new cyber-security coverage – but “know its limitations.”

Tom also featured some of the fascinating data points that my co-presenter Arturo Perez Reyes provided on this burgeoning area of liability:

Co-presenter Arturo Perez Reyes said California alone has 81 separate privacy laws, and there are hundreds of laws outside the U.S. If you lose records, you will have to tell everyone that you lost them, he said, “essentially notifying a whole class of potential plaintiffs.”

There was a 44% increase in data losses last year that resulted in $50B in losses, Reyes reported, adding that nine million people were affected by identification theft.

“The concept of a firewall is a joke,” Reyes declared.

Tom also highlighted some back and forth between me and co-presenter Tim Delahunt:

Godes criticized insurance company arguments against coverage for data theft arising from failures on the part of the policyholder’s systems. “If there is no failure to maintain proper authentication and no failure of data security measures, there would be no potential liability and no lawsuits,” he said. “And if there never was a failure of proper authentication and never was a failure of data security, I suppose insurance companies would be thrilled because they would get your insurance premiums and nothing ever goes wrong.”Co-presenter Timothy Delahunt of Kenney, Shelton, Liptak & Nowak called this a “classic policyholder complaint – that insurance companies issue coverage then deny it.”

“The analogue is that courts will find coverage when they need to, to satisfy an underlying liability. Do I think the facts and policy language have changed?” Delahunt asked. “By and large no. Could the coverage landscape change as underlying liability expands? I believe that’s possible.”

For the rest of the analysis and the post, click here.  And thanks, of course, to Tom and HB Litigation Conferences for the write up!

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Corporate Insurance Blog featured in Blawg Review #224.

Thanks, Baby Barista and Times Online for featuring the Corporate Insurance Blog in Blawg Review #224.  In light of the recent issues with Twitter, Baby Barista wrote:

Finally, with Twitter down, if you start to worry about the consequences of cyber-attacks then Corporate Insurance Blog says it’s a good week to read about insurance coverage in that respect.

myspace profile views counter

If you’re getting here via Blawg Review, welcome!  And feel free to take a look at my writings on the fascinating issue of insurance coverage.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Insurance Coverage for Cyberattacks and Denial-of-Service Incidents.

If your business suffered the same sort of cyberattacks alleged to have taken place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend, would your insurance cover losses that your company faced?[1] Not worried, because the alleged attacks were only against government sites?  Unfortunately, the cyberattacks were more widespread, and allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[2]

Denial of Service Attacks

 

The cyberattacks described were denial-of-service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[3]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware,” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[4] If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[5]

What Insurance Coverage Might Apply?

If your company faces a denial-of-service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  Consider whether first party all risk or property coverage may apply.  First party all risk policies tend to provide coverage for the policyholder’s losses due to property damage.  If the denial-of-service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[6]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include those arising out of a third party’s cyber security-based business interruption.)[7]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy (if your company does not have a specialized cyber liability policy).

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[8] Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[9] Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack.

Consider Cyber Security Specialty Policies

Looking beyond the coverages and endorsements discussed above, your company should consider the recent cyberattacks as an opportunity to reevaluate the need for specialized coverages for cyber security losses.  Insurance companies continue to introduce new specialized products for cyber security risks, marketing the new policies as including data compromise, cyber liability, network risk, and/or computer data coverage.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  An experienced broker may be able to advise what coverages are available, and an attorney with experience in advising policyholders about insurance coverage issues may be able to advise as to the potential strengths and weaknesses of the various policy terms offered.

[Note 1:  This post also appears on Lexis’ Insurance Law Center, with thanks to my friend Karen Yotis.]

[Note 2:  This post is featured in Blawg Review #221, thanks to  H. Scott Leviant of The Complex Litigator.]


[1] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html(July 8, 2009).

[2] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[3] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[4] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[5] Id.

[6] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[7] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360, (Apr. 8, 2009) http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[8] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[9] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006) http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Recent Entries »