Category Archives: Denial-of-service

“2012 Data Privacy and Information Security Predictions”

My friend, Christine Marciano, who is President, Cyber Data Risk Managers, just released her 2012 Data Privacy and Information Security Predictions. The report is an interesting series of predictions on what 2012 will hold in the areas of privacy and cyber risks. Here is how Christine describes the report:

This is our first Data Privacy and Information Security Predictions report. We asked
leading Data Privacy and Information Security professionals what they thought the New
Year will hold in terms of the threats that are on the 2012 landscape. The predictions
that are included in this report offer a wide range of threats and concerns that need to
be considered by every business or organization that operates in cyberspace regardless
of its size.

Christine starts off the report with some of her own predictions regarding 2012 and what people might expect in terms of cyber risks and cyber threats:

As we start 2012, we can expect to see a continuance of data breaches and increasing cyber attacks. Taking a look back at 2011, we have learned that no system is ever 100% secure no matter the name or the size of an organization. It’s important for businesses and organizations to know what they need to be prepared for and to take steps to help minimize the threats that do not appear to be going away. Looking ahead, it appears that in 2012 we will see an increase of heightened and very sophisticated threats than what was seen in 2011. We can recall 2011 as the year the hackers and the hacktivists got started on the data breach and gained a great amount of attention. With all of the digital information and big data that is being stored, it should come as no surprise that data breaches are not going away in 2012 as they are only going to get bigger. I expect that we will also see more serious hacktivists attacks. It seems that the hacktivist is no longer hacking organizations just for the fun of it. They are attacking for specific causes and I believe that hacktivists are going to be a very serious threat in 2012 and organizations must be prepared.

Christine cites me for a prediction about data breaches and insurance coverage for data breaches and privacy risks. Here is her write up for me in the report:

DATA BREACHES WILL FORCE MANY TO REVIEW THEIR EXISTINGINSURANCE POLICIES TO SEE WHAT’S COVERED

Scott N. Godes, [formerly] Counsel, Dickstein Shapiro LLP, states…

In terms of a trend in the areas of privacy and information security, I have noticed a sea change in both areas, leading to more need for analysis of insurance policies to cover these risks. When considering privacy risks, there has been an expansion of risks and potential liability for privacy violations, with the Pineda v. Williams Sonoma decision serving as one example. This year also has been called the year of the data breach, and companies are taking a hard look at how their insurance might and does cover such claims. These risks are being considered much more closely by companies, along with a careful analysis of how their insurance policies might cover.

Follow Scott Godes on Twitter:
@insurancecvg

She also quotes several people who write and speak a good deal about cyber risks, including:

  • Misha Glenny, Author of DarkMarket: Cyberthieves, Cybercops and You (Knopf, 2011), about smartphones and international cybercrime;
  • Jim Duster, Vice President of Sales, Debix; and Jake Kouns, Director of Cyber Security and Technology Risks, Underwriting, Markel Corporation, about the growth of cyberinsurance for 2012;
  • InfoLawGroup Senior Counsel, Richard Santales, about EU Data Protection regulation changes, HIPAA breach notification changes, upcoming FTC privacy report, and cloud computing;
  • InfoLawGroup Partner, David Navetta, about concerns over BYOD (“bring your own device”) and COIT (“consumerization of information technology);
  • Bruce Anderson, CEO, Cyber Investigation Services, about small and medium businesses becoming a target for data breaches in 2012, increased cyber attacks, growth in website attacks, mobile threats, and hacktivists targeting the cloud;
  • Anthony M. Freed, Managing Editor at Infosec Island, about cyber attacks on critical infrastructure;
  • Shaun Dakin, Managing Director, Webbmedia Group, about the FTC using existing power to regulate commercial enterprises; and
  • Robert Fletcher, founder and CEO of Intellectual Property Insurance Services Corporation, as to how Changes in America Invents Act will drive intellectual property owners to explore specialized intellectual property insurance policies to fund IP litigation.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2012.

Join me for RIMS 2012 Annual Conference & Exhibition in Philadelphia!

Looking for a fantastic seminar devoted to risk and insurance?  Are you a risk manager?  Are you part of the insurance industry?  Are you someone who helps companies get their claims covered and paid (that’s me! that’s me!)?

Of course, then, you want to attend a risk management seminar with “no boundaries.”  Well, look no further.  “No boundaries” is how RIMS describes its RIMS12 annual conference for 2012:

If your organization is like most, risk is not confined to just one department. Everyone has risk management responsibilities. At RIMS 2012 Annual Conference & Exhibition, there are no limits to the information and resources available to help you and your organization innovatively minimize risks. You’ll find a wide array of educational sessions offering practical strategies, no matter what your business area. Sessions are offered at all experience levels—from beginner to advanced—so you can design an educational experience that fits your needs. And, the Exhibit Hall is jam-packed with solutions–everything you’ll need for the upcoming year.

The event is from April 15-18, 2012 in Philadelphia.

Not sure whether you should attend?  Here’s what RIMS says, and I couldn’t have said it better myself:

The Value of Attending

As the current economic climate continues to affect companies, some critical training and education budgets have been slashed or put on hold. Yet, the need for proper training, innovative tools and resources is greater now than ever before. At RIMS 2012 Annual Conference & Exhibition you will participate in the single most educational, informative conference for risk professionals. Refresh your skill set, pick up new tips and techniques, and network with nearly 10,000 risk professionals.

But just in case you need help justifying the value of attending RIMS to your management, here are the top reasons why you should register today:

  • Top-notch education–With 120+ sessions, hot topic sessions, keynote presentations, a jam-packed Exhibit Hall and unique networking opportunities, RIMS ’12 has more new strategies, ideas and practical solutions in one place that you will find anywhere else!
  • Keynote presentations–You’ll hear business visionaries share how to best utilize your resources in this time of financial uncertainty, enhance your leadership skills and align effective risk management with your organization’s business goals. Learn how to incorporate successful change management strategies into your risk policy, work in constantly evolving markets and structure your risk program to handle planned—and unplanned—challenges as they arise.
  • Industry leaders–Solve today’s challenges with the help of top industry leaders. At RIMS 2012, world-class speakers will discuss techniques and best practices that will advance your understanding of risk management and help you maneuver your risk program past current and future obstacles. This is the knowledge that will ensure your organization’s stability and growth—especially in these demanding times!
  • Save your company money!–Attend sessions that will save your company money and take away cost-cutting strategies. Your registration will have paid for itself! View the conference program to find the best sessions to fit your business needs.
  • Exhibit Hall–Walk through the Exhibit Hall to meet with service providers and discover thousands of ground-breaking resources, the latest innovations and breakthrough solutions. Hold on to those business cards—they will help you create innovative strategies and find new solutions when you need them.
  • Networking–Navigate the twists and turns of developing a successful risk management program with nearly 10,000 leading risk professionals who will bring a fresh perspective to your risk program. We’ve got events such as a grand Opening Reception, keynote presentations, award receptions, Wednesday Night Spectacular and more for you to meet old friends and make new ones.
  • Make a difference–Join your peers and give back to Vancouver, our host city, or support the future of the risk management industry. Participate in RIMS Community Service Day or join us for the Spencer Educational Foundation fundraising event. Details on these special events are available in the conference program.
  • Global reach–Attendees from more than 50 countries will come together in Philadelphia at RIMS 2012 to learn how to improve their risk program and operate efficiently and effectively in today’s global marketplace. Learn the challenges of doing business in China, balancing operational risks associated with global sourcing, tips for implementing a global risk program, and more! Attend one of the sessions offered in Spanish and Japanese for a truly global perspective. What’s more, you’ll find many multinational corporations and international organizations in the Exhibit Hall.
  • Share your knowledge–Host an “everything I learned at RIMS ’12” information session for your coworkers and pass on the new tools and strategies that you acquired, as well as information on the new contacts and solution providers you met.
  • It’s the premier industry conference–In terms of learning, networking, solution-sharing, peer exchange and connecting with service providers, RIMS ’12 is the only place where you can find it all. So, join us in Philadelphia and gain the advantage that you need to elevate your profile with your organization!

My session will be CLM203: Cyber Attacks and Privacy Claims: Litigation, Insurance and Crisis Management.  Joined by Rick Bortnick and Art Boyle, we’ll be discussing insurance coverage for cyberrisks and privacy claims, including data breaches, denial-of-service attacks, privacy class actions, and other cybersecurity and privacy events:

Session Code: CLM203
Date: Wednesday, April 18, 2012
Time: 8:45 AM – 10:00 AM
Every day, the media reports another major cyber breach. No person or corporation is immune. Government entities, financial institutions, health care providers, Fortune 500 companies and even cyber-security firms are under constant attack. And the inevitable class action privacy breach lawsuits follow. The trend among courts and government regulators has been to allow these suits to proceed to discovery and beyond. The associated costs are increasing exponentially. A single cyber breach could cost tens of millions of dollars. Projections for costs from the Sony breach start at $1 billion. You may think to look to your cyber or tech insurer for help, but what about a straightforward first- or third-party policy or a professional services policy? Is the theft of information covered under a fiduciary policy? How will you address and coordinate the crisis management? Who do you hire? Can a law firm help? And while an increasing number of underwriters offer cyber-insurance products, many claims professionals are not yet familiar with the coverages or how to evaluate and handle the resultant claims. Become better informed with a debate on cyber risks and litigation, crisis management, loss control, the applicability of insurance and cyber-risk strategies.
Panel

Interested in attending?  Then head on over to the RIMS 2012 website to register.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

myspace profile views counter

Join me for the ABA Insurance Coverage Litigation Committee’s 2012 Annual CLE Seminar in Tucson, Arizona!

You know that insurance touches every aspect of litigation, not to mention its importance in the context of corporate transactions, right?  In today’s economic climate, the value of insurance is critical.  As an attorney, you want to stay informed about the latest trends in insurance coverage law, right?  You’re probably also looking for some CLE credit as well.  Do you want to go some place warm this winter?  Maybe Arizona?

If you said “yes” to any of those questions, then you should join me at the Loews Ventana Canyon Resort for the ABA’s 2012 Insurance Coverage Litigation Committee (ICLC) CLE seminar, from March 1-3, 2012 in Tucson, Arizona.

Here’s what the ABA ICLC says about the seminar:

Why You Should Attend
Insurance touches every aspect of litigation. In today’s economy, it is critical to stay informed on the latest trends in the law. Join many of the nation’s top insurance company and policyholders’ counsel and other industry leaders at the Insurance Coverage Litigation Committee Annual CLE Seminar. This year’s program once again will provide the same high-quality presentations and valuable networking  opportunities as prior ICLC programs.

What You Will Learn

  • How to make rain. Learn what clients really want from their lawyers and how to expand business.
  • When disasters strike. How insurance coverage can assist the construction, energy, and hospitality industries.
  • The credit crisis and how D & O coverage may help pay for these claims.
  • How to present coverage issues at trial. Can you make insurance issues interesting?
  • Can you overcome insurer bias? Learn from practitioners who have faced these challenges.
  • Overlooked and underutilized provisions in insurance policies.
  • Privilege issues in insurance coverage litigation.
  • Can a policyholder recover consequential damages in the absence of bad faith?

Who Should Attend

  • All attorneys who litigate in the area of insurance coverage.
  • In-house counsel and seasoned practitioners needing an update from the leading trial lawyers, experts and members of the judiciary on the latest legal developments.

My panel will be the greatest panel ever,* discussing insurance coverage for cyberrisks, including data breaches, denial-of-service attacks, and other cybersecurity events:

Saturday, March 3, 2012
9:05 am – 10:05 am CLE breakout session

Insurance Coverage for Data Breaches, Denial-of-Service Attacks, and Cybersecurity Events, and the Tidal Wave of Class Action Lawsuits Following Data Breach Disclosures.
There has been a recent tidal wave of data breaches, network interruptions, and cyberattacks, resulting in countless class actions. This program will explore how insurance coverage may help fund the costs to defend these lawsuits. Would your insurance policies cover those events? What coverages are available in the marketplace?

Speakers:

Scott N. Godes

Rick Bortnick

Jennifer Smith

William T. Um

Hon. Carl West

Interested in attending?  Then head on over to the ABA’s website to register.  If you’re looking for the reservations page for the event on the Loews Ventana Canyon hotel website, you can find it by clicking here.

*I cannot guarantee that you will find this to be the greatest panel ever.  But you might.  Isn’t that good enough for you?

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

myspace profile views counter

Would your company’s insurance cover a cyberattack?

DDoSOn October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.”  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1]  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2]  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3]  The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[5]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6]  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11]  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12]  Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16]  The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.


[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[7] Id.

[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.

[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).

[15] See MBIA Inc. v. Fed. Ins. Co., 652 F.3d 152, 160 (2d Cir. 2011).

[16] See Eyeblaster, 613 F.3d at 804.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

“Legal Corner: Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection”

My former colleague, Ken Trotter, and I recently wrote an article titled, “Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection.”  The article is reprinted below, courtesy of and permission from, the fine people at Hospitality Upgrade magazine:

Scott Godes  godess@dicksteinshapiro.com
Kenneth Trotter  trotterk@dicksteinshapiro.com
Hospitality© 2011 Hospitality Upgrade. No reproduction without written permission. It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks.  A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies.  According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves.Cybersecurity risks can cause a company to incur significant loss or liability.  A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds.  Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes.  Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability.  Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information.  Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack.Involving Technology and Privacy Managers in Insurance-related Matters  Because of the variation in cyberinsurance coverages and the underwriting inquiries that often go along with the purchase of such insurance policies, companies may find the process to be a great opportunity for a company’s risk managers, technology managers and privacy managers to work together to help understand potential risks to the company and what risk transfers are being purchased through the insurance policies offered.  Working together aligns the risk managers’ understanding of specific insurance-related issues, the technology managers’ technical expertise regarding the companies’ systems and protections that will be helpful to understand any technical requirements in an application or insurance policy, and the privacy managers’ knowledge of the potential privacy risks that the company faces in light of the information held and how and where it is used.  Indeed, given their understanding of the technical and practical considerations involved in protecting a company’s data from a cyberattack, technology and information managers may be in a unique position to assist the company’s risk managers in understanding the technical implications of specific policy language.Insurance Coverage Considerations  When considering what coverages may apply or purchasing cyberinsurance coverage, it is essential to consider many types of coverage, as coverages often are written and offered in different modules and on varying insurance policy forms.  On a regular basis, insurers are writing and introducing new policies marketed as being tailored specifically to cover data breaches and cyberattacks.  In addition, coverage may be available under traditional forms of insurance.  Indeed, policyholders may have overlapping coverage for data breaches and certain cyberrisks, with the potential for coverage under cybersecurity policies as well as traditional insurance policies.  When analyzing the coverage afforded by such policies, it is critical to understand the impact of exclusions on coverages and any sublimits on the amount of coverage afforded by the policy.  Because of the variety of coverages being offered, as discussed below, technology managers can assist the company by providing a careful review of the technical language used in the policy to help determine the scope and limitations of the coverage being purchased with respect to a specific company’s operations.

Cybersecurity and Data Breach Policies  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Such policies are relatively new to the marketplace and are constantly changing. Specific policies for cybersecurity and data breach have been known as Network Risk, Cyberliability, Privacy and Security or Media Liability insurance.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the Internet Liability and Network Protection Policy, and insurance companies may base their coverages on this basic insuring agreement or they may provide their own company-worded policy form.  Because these policies are frequently updated and changed, it is important to compare the coverages offered across companies and within a company’s offerings.

Traditional Forms of Insurance  Although it is ideal to purchase a policy designed specifically for cybersecurity risks, more traditional forms of insurance may also provide overlapping coverage for data breaches and cyberrisks, depending on the particular coverage terms and exclusions in the individual policy.  Coverage may be provided by the following types of policies:  commercial general liability; first-party property and business interruption; directors and officers or errors and omissions; crime; kidnap, ransom and extortion.  Insurance companies, however, have been fighting their obligations to pay claims for cyber-related loss under such traditional insurance policies.  A major insurer recently sued a corporate policyholder in New York, asking the court to rule that traditional insurance policies do not cover a series of high-profile data breaches, cyberattacks and cyberrisks.

Making a Claim for Coverage   If a cyberevent occurs, such as a data breach, then it is vital that risk managers, technology managers and privacy managers work together to seek recovery under all potentially available insurance policies.  It is recomended that policyholders send notice of the claim or occurrence to all potentially applicable insurers, whether under a special cybersecurity policy or under the more traditional forms of insurance. After an insurance claim is tendered to insurers, they may raise various defenses to coverage. Companies, however, should not assume that such defenses will defeat coverage. Whether an event is covered will often depend on careful analysis of the specific policy language involved, the facts of a company’s particular losses and the law of the applicable jurisdiction. Insurance carriers may take a hard line regarding the application of the exclusions in their policies.  For example, under certain insurance policies, there is coverage for property damage and insurers have asserted that there has been no property damage as a result of a cyberattack. Technology managers, however, may be able to assist the company in marshalling evidence to prove that a cyberattack has damaged the company’s computer equipment, or that there has been a loss of use of computer equipment (another way of demonstrating property damage under certain insurance policies).  Technology managers should stay involved throughout the insurance recovery process to help assure that any representations and statements about the company’s technology and the cyberevent are accurate and properly characterized.

Beyond in-house technology personnel, companies that have sustained losses due to a data breach or cyberattack should consider speaking with an attorney who represents policyholders and has familiarity with this area. Because of the assistance of such lawyers, some policyholders have been able to obtain substantial recovery even after the insurer initially denied the policyholder’s claim.

Scott Godes and Kenneth Trotter are attorneys with Dickstein Shapiro LLP who devote a significant portion of their practice to the representation of policyholders in complex insurance disputes with insurance companies. They may be reached at godess@dicksteinshapiro.com or trotterk@dicksteinshapiro.com. This information is general and educational and is not legal advice.  For more information, please visit www.hospitalitylawyer.com.

Thank you to the Hospitality Upgrade website for permission to use this article.

This article appeared on the Hospitality Upgrade website on 1 October 2011—link to article:

http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.  [Note that the contact information for Ken Trotter and me since has changed.]

Podcast on D&O insurance, cybersecurity, cyber liabilities, privacy class actions, and insurance: “Executive Summary Webinar Series: What You Need to Know Before You Walk Into the Boardroom (July 2011)”

I recently joined Priya Cherian Huskins and Lauri Floresca of Woodruff Sawyer & Co. to discuss D&O insurance, cyberinsurance, and insurance coverage for privacy issues, data breaches, cyberattacks, denial-of-service attacks and more.   Lauri and Priya gave an overview of the D&O insurance marketplace, including changes in pricing, availability of limits, and new insurance policies and insurance products.  Then we shifted gears and talked about cybersecurity, cyber liability, and insurance coverage for cybersecurity risks.  We touched on the latest data breaches, privacy claims and class actions, and other cyber incidents to have hit the news and discussed the related insurance coverage issues.  The audio and supporting materials (that Woodruff Sawyer prepared) have been put online as a podcast and supporting PDF, so that you listen, in case you missed the live presentation.

To listen to this podcast, click here.

To view a pdf of the presentation, click here.

Date and Time


 

Tuesday, July 19, 2011


Webinar

11:00 AM – 11:30 AM PST


This webinar is offered free of charge.


Visit Us At:

LinkedIn   Facebook   Twitter


Woodruff-Sawyer & Co.

50 California St., 12th Fl.

San Francisco, CA 94111

Before you walk into your next board meeting, what do you need to know when it comes to current D&O liability issues? The “Executive Summary” is Woodruff-Sawyer’s webinar series for CFOs, GCs, Controllers and others who work with boards of directors.  The upcoming session will feature a conversation with Woodruff-Sawyer’s Priya Cherian Huskins and Lauri Floresca, both nationally-recognized insurance experts, and Scott Godes [formerly] of Dickstein Shapiro.Scott [was] the co-leader of Dickstein Shapiro’s Cyber Security Coverage Initiative. Areas of Discussion

  • D&O Market Update
  • D&O Litigation Update

– Newest numbers on D&O suits
– Latest on Supreme Court rulings

  • Lessons from Sony & Citi: What boards should be asking about cyber liability

– Updates on the recent high-profile data security breaches
– Understanding the impact of California’s recent Supreme Court zip code decision
– What should boards do to mitigate cyber risks?

Click here to register for this webinar.

For questions, please email seminar@wsandco.com


Woodruff-Sawyer is one of the largest independent insurance brokerage firms in the nation, and is an active partner of International Benefits Network and Assurex Global. For over 90 years, Woodruff-Sawyer has been partnering with clients to implement and manage cost-effective and innovative insurance, employee benefits and risk management solutions, both nationally and abroad. Headquartered in San Francisco, Woodruff-Sawyer has offices throughout California and in Portland, Oregon. For more information, call 415.391.2141 or visit www.wsandco.com.


Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

myspace profile views counter

Join me for a free webinar about D&O and cyberinsurance: “Executive Summary”: What You Need to Know Before You Walk into the Boardroom

Please join me on July 19, 2011, at 2:00 pm Eastern, for a free webinar hosted by Woodruff Sawyer & Co. Priya Cherian Huskins, Lauri Floresca, and I will discuss D&O insurance, cyberinsurance, and insurance coverage for privacy issues, data breaches, cyberattacks, denial-of-service attacks and more. Here are the details from Woodruff Sawyer‘s announcement:

 

Date and Time


 

Tuesday, July 19, 2011


Webinar

11:00 AM – 11:30 AM PST


This webinar is offered free of charge.


Visit Us At:

LinkedIn   Facebook   Twitter


Woodruff-Sawyer & Co.

50 California St., 12th Fl.

San Francisco, CA 94111

Before you walk into your next board meeting, what do you need to know when it comes to current D&O liability issues? The “Executive Summary” is Woodruff-Sawyer’s webinar series for CFOs, GCs, Controllers and others who work with boards of directors.  The upcoming session will feature a conversation with Woodruff-Sawyer’s Priya Cherian Huskins and Lauri Floresca, both nationally-recognized insurance experts, and Scott Godes [formerly] of Dickstein Shapiro.Scott [was] the co-leader of Dickstein Shapiro’s Cyber Security Coverage Initiative. Areas of Discussion

  • D&O Market Update
  • D&O Litigation Update

– Newest numbers on D&O suits
– Latest on Supreme Court rulings

  • Lessons from Sony & Citi: What boards should be asking about cyber liability

– Updates on the recent high-profile data security breaches
– Understanding the impact of California’s recent Supreme Court zip code decision
– What should boards do to mitigate cyber risks?

Click here to register for this webinar.

For questions, please email seminar@wsandco.com


Woodruff-Sawyer is one of the largest independent insurance brokerage firms in the nation, and is an active partner of International Benefits Network and Assurex Global. For over 90 years, Woodruff-Sawyer has been partnering with clients to implement and manage cost-effective and innovative insurance, employee benefits and risk management solutions, both nationally and abroad. Headquartered in San Francisco, Woodruff-Sawyer has offices throughout California and in Portland, Oregon. For more information, call 415.391.2141 or visit www.wsandco.com.

 

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

myspace profile views counter

« Older Entries Recent Entries »