Category Archives: Denial-of-service

Insurance Coverage for Denial-of-Service Attacks


It seems that 2011 has been the year of cyberattacks – denial of service attacks, data breaches, and more.  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1]  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2]  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3]  The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[5]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6]  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11]  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12]  Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16]  The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.

Scott Godes [was] counsel with Dickstein Shapiro’s Insurance Coverage Practice in the firm’s Washington, D.C. office.  Mr. Godes is the co-head of the firm’s Cyber Security Insurance Coverage Initiative and co-chair of the American Bar Association Computer Technology Subcommittee of the Insurance Coverage Committee of the Section of Litigation.  He frequently represents corporate policyholders in insurance coverage disputes.

[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[7] Id.

[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.

[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).

[15] See MBIA, Inc. v. Fed. Ins. Co., No. 08 Civ. 4313, 2009 WL 6635307 (S.D.N.Y. Dec. 30, 2009).

[16] See Eyeblaster, 613 F.3d at 804.

Update:  This post also has been put online over at DoS-Attacks.com.  You can see the post by clicking here.

Second update:  This post also has been put online at the Lexis Insurance Law Community.  You can see the post by clicking here.

Third update:  This post also has been put online on the Blog Notions insurance blog.  You can see the post by clicking here.

Fourth update:  This post also has been put online on Core Compass.  You can see the post by clicking here (registration required).

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only to the individual contributor(s). © All rights reserved. 2011.

“Is Your Company Prepared for Cyber Risk?”

Looking for a great article discussing cyber risk, the costs of cyber risk and data breaches, how companies and corporate boards are dealing with cyber risk, and a discussion about cyber insurance?  Then you should click here, to read a great article in Corporate Board Member Magazine, written by Chris Costanzo, “Is Your Company Prepared for Cyber Risk?”

The article’s lede is:

If directors think about cybercrime at all, they are apt to consider cases like Heartland Payment Systems or TJX Cos., in which hackers exposed millions of customer records. Actually, they should be contemplating Google, which accused an electronic spy ring based in China of unleashing sophisticated cyber attacks against its computer systems early last year.

The Google case is emblematic of a new type of cybercrime that is stealthier and potentially more harmful than the massive data breaches that were front-page news a few years ago. When hackers steal customer data, they do it quickly and move on, leaving companies with the administrative hassle of notifying customers.

It goes on to quote several thought leaders on cyber risk, including people who consult on cyber risk, remediation for data breaches and cyber threats, and lawyers who work in the area of insurance coverage for cyber risks.  Mr. Costanzo was nice enough to quote me in the article:

That’s not to say companies shouldn’t explore other options. “If you haven’t bought a cyber policy, you should absolutely look to other policies to see what other coverage could be available there,” says Scott Godes, [formerly] counsel at Washington, D.C.-based Dickstein Shapiro. Existing case law backs up the use of general liability or errors and omissions policies to cover cyber breaches, Godes says. “But I would be loath to say, ‘Don’t buy a cyber policy,’ particularly as insurance companies get more savvy,” he adds.

The entire article is a great read if you have an interest in cyber security and cyber risk.  Click here to read the entire article, “Is Your Company Prepared for Cyber Risk?”


Join me for the Second Annual NetDiligence® Cyber Risk & Privacy Liability Forum!

Want to learn about cybersecurity, cyberinsurance, privacy liability, cyberrisk, and other issues relating to privacy and network security, and insurance coverage for those risks?  Of course you do.

And you want to hear this from people who are recognized throughout the industry, including brokers selling cyberinsurance, underwriters writing and selling the coverage, and insurance attorneys who handle the claims and write coverage opinions about the risks, don’t you?  Of course!

What’s that, you want all of that, and CLE credit, too?  Done.

If you’re looking for all of that and more, organized and hosted by my good friends at HB Litigation Conferences, please join me for the:

NetDiligence® Cyber Risk & Privacy Liability Forum

Date: June 9-10, 2011
Location: The Union League, 140 South Broad Street, Philadelphia, PA
Chairs: Richard Bortnick, Esq., Cozen O’Connor, West Conshohocken, PA
Oliver Brew, Senior Vice President of Technology – Media and Telecoms Underwriting, Hiscox USA, New York
Toby Merrill, VP & National Privacy, Technology & Media Liability Product Manager, ACE Professional Risk
Meredith Schnur, Professional Risk Group, Wells Fargo Insurance Services USA, Inc., New York

Delegate Rates

Attorneys: $1,195**; Insurers & Brokers: $895**; Risk Managers and CFOs: $795**

Agenda and Speakers

Register Now!

Conference Venue and Hotel

The Union League is located at 140 South Broad Street, Philadelphia. A block of rooms has been secured for Wednesday, June 8th and Thursday, June 9th at a rate of $189 for a standard room and $239 for a suite. The rate includes complimentary breakfast for (2) guests per room, use of our fitness center and complimentary internet. For reservations, please call 215-587-5570 and refer to the HB LITIGATION CONFERENCE room block. If you have any questions or need assistance, please contact Cyndy Noonan at cyndy.noonan@litigationconferences.com or 484-324-2755 x201.

Group Discounts

Group Discounts are available. Please contact Brownie Bokelman at 484-324-2755 x212 or Brownie.Bokelman@litigationconferences.com. Groups of 5+ and Passport Packages are available for additional savings for your firm’s practice group or legal department or for package pricing for a single conference or a series of conferences.

My panel will be:

GL vs. Network Security

  • GL underwriter panel topic, GL vs. AIPI claims
  • Other’s insurance & concurrent insurance
  • Forgotten insurance agreement-when does adv.
    injury under a GL stop and where does injury begin
    under media policy
  • Coverage and how the policies respond

Moderator: Thomas Srail, Senior Vice President-Willis Executive Risks, Willis North America
Shannon Giese, Financial Services Group–Professional Risk Solutions, A Division of Aon Risk Services Northeast, Inc.
Scott Godes, Esq., [formerly] Dickstein Shapiro LLP
Richard Reed, Vice President & Worldwide Commercial Errors and Omissions Product Manager, Chubb Specialty Insurance, Warren, NJ


Note:  as a speaker at the conference, I will not be charged a fee to attend the remainder of the conference.


Video interviews for RiskCommunities, TechRisk Institute regarding cybersecurity, privacy, and cyberinsurance.

Julie Davis of Risk Communities recently asked me to speak with her about insurance coverage for cybersecurity claims, data breaches, and other cyberrisks. Julie did video interviews of me and uploaded them to the Risk Communities video channel.

Here’s how Risk Communities introduced me:

“Last year we introduced our broadcast channel, with the idea of highlighting business professionals, and topics, that are impacting business and risk management issues for the technology industry. Scott Godes has volunteered his time to help our followers understand insurance and risk management challenges and trends in Network, Privacy and Security risks.”

There are two video clips. We discuss litigation trends in the area of insurance coverage for cybersecurity, various types of insurance coverage for cybersecurity, risk transfer for cyberrisks, and data and network privacy issues.

Here’s my video interview: “Overview of Network, Security & Privacy Exposures and Risks”

Here’s my video interview: “Overview of Litigation and Trends in Network, Security & Privacy Risks”


My Chapter on Insurance Coverage for Cybersecurity and Intellectual Property Claims Now Available in the New Appleman Law of Liability Insurance Treatise

Looking for a treatise on insurance coverage?  How about one that has an entire chapter on insurance coverage for cybersecurity and intellectual property claims and risks?

Remember when I wrote that I had written a chapter on insurance coverage for cybersecurity and intellectual property claims for the New Appleman Law of Liability Insurance Treatise?  Of course you do.  And you probably were wondering, “When will I be able to buy that treatise, so that I can have it on my bookshelf and refer to it regularly for all of my questions about insurance coverage for cybersecurity and intellectual property claims?!?”  Well, here’s your answer.  The treatise is available on the Lexis website.  That’s right!  Although you really will want to race right to Chapter 18 – Insurance Coverage for Intellectual Property and Cybersecurity Risks, so that you can read about insurance for data breaches, DDoS attacks, viruses, hackers, cybercrime, and IP losses, you’ll get the whole treatise, too.  It’s a five volume looseleaf set that gets updated with supplements. 

So what are you waiting for?  Click here to order your very own treatise.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only to the individual contributor(s). © All rights reserved. 2010.


AgentsOfAmerica.ORG features my post: “Insurance Coverage for Cyberattacks and Denial-of-Service Incidents”

If your business suffered losses from a cybersecurity incident, a denial-of-service attack, or some other computer-, network-, or internet-related event, would you know whether your insurance would cover the losses?  If your insurance company denied your claim, would you know whether the insurance company had done so properly?

Well, if you’d like some additional thoughts on these issues, check out my post at the AgentsOfAmerica.ORG website.  They posted my piece titled, “Insurance Coverage for Cyberattacks and Denial-of-Service Incidents” and also featured it in their newsletter.  In my post, I discuss insurance coverage for cyberattacks, cybersecurity events, denial-of-service (DDoS) attacks, and more.  I note a couple of recent cases finding in favor of insurance for these sorts of events under commercial general liability (CGL) insurance policies as well as new cyber insurance policies.

So head over to the AgentsOfAmerica.ORG site and check out my post to see more!

 


“LexisNexis® Insurance Law Community Podcast featuring Scott Godes . . . on Cyber Liability Insurance Coverage”

LexisNexis was kind enough to have me record a podcast regarding insurance coverage for cyber liabilities. As LexisNexis states on the Insurance Law Center:

On this edition, Scott Godes discusses the types of cyber liabilities facing companies today, what to do, in terms of insurance, if a cyber incident or data breach occurs and types of policies that provide coverage for a cyber event. Copyright© 2010 LexisNexis, a division of Reed Elsevier Inc. Visit http://www.lexisnexis.com/community/insurancelaw/.

If you’d like to hear the entire podcast, please click here.

