Tag Archives: Business interruption

“A Lawyer’s Advice for Evaluating Your Cyber Coverage”

I recently wrote an article titled, “A Lawyer’s Advice for Evaluating Your Cyber Coverage:  Policies vary significantly from carrier to carrier—and even within the various forms of one company.”  It has been published on the Property Casualty 360° website, republished from the February 6, 2012 issue of National Underwriter.

In the article, I discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events, including what factors to consider when buying cyberinsurance policies for cyber risks.  I also discuss how different cyber risks may be characterized, whether as within first party, or third party insurance coverages, and how to keep those risk factors in mind when brokering, broking, or buying a cyberinsurance policy.

Here is a brief excerpt from the article:

Policyholders and insureds exposed to cyber risks would be well served to analyze carefully their insurance policies to determine exactly which coverages apply to them—and to see if any critical coverages are missing.

Cyber Liability insurance should provide coverage for the vast majority of key cyber risks, and there may also be overlapping coverage under other policies for such exposures.

The first place that a company should look to determine whether it has, or may have, coverage for cyber risks is any specific Cyber Liability policies that the entity holds. A very close look at these policies is warranted, as the coverage under such policies often varies significantly from carrier to carrier—and even within the various forms that one particular insurance company offers.

Want to read moreThen click on over to the full article.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

Would your company’s insurance cover a cyberattack?

DDoSOn October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.”  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1]  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2]  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3]  The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[5]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6]  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11]  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12]  Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16]  The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.


[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[7] Id.

[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.

[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).

[15] See MBIA Inc. v. Fed. Ins. Co., 652 F.3d 152, 160 (2d Cir. 2011).

[16] See Eyeblaster, 613 F.3d at 804.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

“Legal Corner: Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection”

My former colleague, Ken Trotter, and I recently wrote an article titled, “Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection.”  The article is reprinted below, courtesy of and permission from, the fine people at Hospitality Upgrade magazine:

Scott Godes  godess@dicksteinshapiro.com
Kenneth Trotter  trotterk@dicksteinshapiro.com
Hospitality© 2011 Hospitality Upgrade. No reproduction without written permission. It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks.  A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies.  According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves.Cybersecurity risks can cause a company to incur significant loss or liability.  A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds.  Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes.  Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability.  Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information.  Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack.Involving Technology and Privacy Managers in Insurance-related Matters  Because of the variation in cyberinsurance coverages and the underwriting inquiries that often go along with the purchase of such insurance policies, companies may find the process to be a great opportunity for a company’s risk managers, technology managers and privacy managers to work together to help understand potential risks to the company and what risk transfers are being purchased through the insurance policies offered.  Working together aligns the risk managers’ understanding of specific insurance-related issues, the technology managers’ technical expertise regarding the companies’ systems and protections that will be helpful to understand any technical requirements in an application or insurance policy, and the privacy managers’ knowledge of the potential privacy risks that the company faces in light of the information held and how and where it is used.  Indeed, given their understanding of the technical and practical considerations involved in protecting a company’s data from a cyberattack, technology and information managers may be in a unique position to assist the company’s risk managers in understanding the technical implications of specific policy language.Insurance Coverage Considerations  When considering what coverages may apply or purchasing cyberinsurance coverage, it is essential to consider many types of coverage, as coverages often are written and offered in different modules and on varying insurance policy forms.  On a regular basis, insurers are writing and introducing new policies marketed as being tailored specifically to cover data breaches and cyberattacks.  In addition, coverage may be available under traditional forms of insurance.  Indeed, policyholders may have overlapping coverage for data breaches and certain cyberrisks, with the potential for coverage under cybersecurity policies as well as traditional insurance policies.  When analyzing the coverage afforded by such policies, it is critical to understand the impact of exclusions on coverages and any sublimits on the amount of coverage afforded by the policy.  Because of the variety of coverages being offered, as discussed below, technology managers can assist the company by providing a careful review of the technical language used in the policy to help determine the scope and limitations of the coverage being purchased with respect to a specific company’s operations.

Cybersecurity and Data Breach Policies  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Such policies are relatively new to the marketplace and are constantly changing. Specific policies for cybersecurity and data breach have been known as Network Risk, Cyberliability, Privacy and Security or Media Liability insurance.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the Internet Liability and Network Protection Policy, and insurance companies may base their coverages on this basic insuring agreement or they may provide their own company-worded policy form.  Because these policies are frequently updated and changed, it is important to compare the coverages offered across companies and within a company’s offerings.

Traditional Forms of Insurance  Although it is ideal to purchase a policy designed specifically for cybersecurity risks, more traditional forms of insurance may also provide overlapping coverage for data breaches and cyberrisks, depending on the particular coverage terms and exclusions in the individual policy.  Coverage may be provided by the following types of policies:  commercial general liability; first-party property and business interruption; directors and officers or errors and omissions; crime; kidnap, ransom and extortion.  Insurance companies, however, have been fighting their obligations to pay claims for cyber-related loss under such traditional insurance policies.  A major insurer recently sued a corporate policyholder in New York, asking the court to rule that traditional insurance policies do not cover a series of high-profile data breaches, cyberattacks and cyberrisks.

Making a Claim for Coverage   If a cyberevent occurs, such as a data breach, then it is vital that risk managers, technology managers and privacy managers work together to seek recovery under all potentially available insurance policies.  It is recomended that policyholders send notice of the claim or occurrence to all potentially applicable insurers, whether under a special cybersecurity policy or under the more traditional forms of insurance. After an insurance claim is tendered to insurers, they may raise various defenses to coverage. Companies, however, should not assume that such defenses will defeat coverage. Whether an event is covered will often depend on careful analysis of the specific policy language involved, the facts of a company’s particular losses and the law of the applicable jurisdiction. Insurance carriers may take a hard line regarding the application of the exclusions in their policies.  For example, under certain insurance policies, there is coverage for property damage and insurers have asserted that there has been no property damage as a result of a cyberattack. Technology managers, however, may be able to assist the company in marshalling evidence to prove that a cyberattack has damaged the company’s computer equipment, or that there has been a loss of use of computer equipment (another way of demonstrating property damage under certain insurance policies).  Technology managers should stay involved throughout the insurance recovery process to help assure that any representations and statements about the company’s technology and the cyberevent are accurate and properly characterized.

Beyond in-house technology personnel, companies that have sustained losses due to a data breach or cyberattack should consider speaking with an attorney who represents policyholders and has familiarity with this area. Because of the assistance of such lawyers, some policyholders have been able to obtain substantial recovery even after the insurer initially denied the policyholder’s claim.

Scott Godes and Kenneth Trotter are attorneys with Dickstein Shapiro LLP who devote a significant portion of their practice to the representation of policyholders in complex insurance disputes with insurance companies. They may be reached at godess@dicksteinshapiro.com or trotterk@dicksteinshapiro.com. This information is general and educational and is not legal advice.  For more information, please visit www.hospitalitylawyer.com.

Thank you to the Hospitality Upgrade website for permission to use this article.

This article appeared on the Hospitality Upgrade website on 1 October 2011—link to article:

http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.  [Note that the contact information for Ken Trotter and me since has changed.]

Insurance coverage against cyberattacks and data breaches relating to the hospitality industry and hotels.

four star hotelMy former colleague, Ken Trotter, and I recently wrote an article titled, “Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection.”  It has been published in Hospitality Upgrade magazine‘s Fall 2011 issue.  In the article, we discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events, in light the risks for such events that the hospitality industry, and hotels in particular, face.  We discuss coverages for cyberattacks and data breaches against hotels and the hospitality industry under new cyberinsurance policies, and overlapping coverage with other insurance policies for data breaches, cyber risks, cyberattacks, and cyber events.  We also discuss involving multiple people within the company to discuss the risks and evaluate the purchase of new insurance and cyberinsurance policies.

Here is a brief excerpt from the article:

It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks. . . .

Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds. Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes. Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability. . . .

Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information. Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack. . . .

Read more

Want to read moreThen click on over to the full article.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

“Protecting Your Company Against Loss or Liability Arising from Cyberattacks”

My former colleague, Ken Trotter, and I recently wrote an article titled, “Protecting Your Company Against Loss or Liability Arising from Cyberattacks.”  It has been published in Hospitality Lawyer‘s September 2011 In-House Counsel Newsletter.  In the article, we discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events.  We discuss coverages under new cyberinsurance policies, and overlapping coverage with other insurance policies for data breaches, cyber risks, cyberattacks, and cyber events.

We provide an overview of potential coverage under:

  • First party property policies;
  • Business interruption coverage and policies;
  • Commercial General Liability (CGL) policies;
  • Directors and Officers Liability (D&O) policies;
  • Errors and Omissions policies; and
  • Crime and Fidelity policies.

We also give practical considerations when making claims for coverage.

Here is the opening paragraph to the article:

Does your company have insurance policies that will cover data breaches and cyber attacks?  The hospitality industry is particularly vulnerable to data breaches and other cyberattacks.  According to Willis Group Holdings, a British insurance firm, insurance claims for data theft worldwide jumped 56% last year, with a large number of those attacks targeting the hospitality industry.  The report said the largest share of cyber attacks—38%—were aimed at hotels, resorts and tour companies.  As just one example of these attacks, computer hackers broke into the computer system of a national hotel chain and stole the guests’ credit card information.  This summer, the Secret Service informed the owner of a family-run Italian restaurant that a thief hacked into the communication system between the cash register and the credit card processing company, stole credit card numbers, and then used them to fraudulently make purchases across the United States.  Businesses in the hospitality industry will continue to be attractive targets for hackers and data thieves, particularly since they obtain and maintain confidential data from consumers including countless credit card records.  There are risks for companies well beyond the possibility of hackers stealing consumer data.  Vital corporate data, whether it’s shared on the company’s servers or by third parties, may become inaccessible or even destroyed in a hacker attack.  Managing such risk is critical to successful business operations. Read more

Want to read moreThen click on over to the newsletter.

Insurance Coverage for Denial-of-Service Attacks

DDoS

It seems that 2011 has been the year of cyberattacks – denial of service attacks, data breaches, and more.  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1]  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2]  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3]  The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[5]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6]  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11]  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12]  Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16]  The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.

Scott Godes [was] counsel with Dickstein Shapiro’s Insurance Coverage Practice in the firm’s Washington, D.C. office.  Mr. Godes is the co-head of the firm’s Cyber Security Insurance Coverage Initiative and co-chair of the American Bar Association Computer Technology Subcommittee of the Insurance Coverage Committee of the Section of Litigation.  He frequently represents corporate policyholders in insurance coverage disputes.

[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[7] Id.

[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.

[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).

[15] See MBIA, Inc. v. Fed. Ins. Co., No. 08 Civ. 4313, 2009 WL 6635307 (S.D.N.Y. Dec. 30, 2009).

[16] See Eyeblaster, 613 F.3d at 804.

Update:  This post also has been put online over at DoS-Attacks.com.  You can see the post by clicking here.

Second update:  This post also has been put online at the Lexis Insurance Law Community.  You can see the post by clicking here.

Third update:  This post also has been put online on the Blog Notions insurance blog.  You can see the post by clicking here.

Fourth update:  This post also has been put online on Core Compass.  You can see the post by clicking here (registration required).

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

Join me for the Second Annual NetDiligence® Cyber Risk & Privacy Liability Forum!

Want to learn about cybersecurity, cyberinsurance, privacy liability, cyberrisk, and other issues relating to privacy and network security, and insurance coverage for those risks?  Of course you do.

And you want to hear this from people who are recognized throughout the industry, including brokers selling cyberinsurance, underwriters writing and selling the coverage, and insurance attorneys who handle the claims and write coverage opinions about the risks, don’t you?  Of course!

What’s that, you want all of that, and CLE credit, too?  Done.

If you’re looking for all of that and more, organized and hosted by my good friends at HB Litigation Conferences, please join me for the:

NetDiligence® Cyber Risk & Privacy Liability Forum

Date: June 9-10, 2011
Location: The Union League, 140 South Broad Street, Philadelphia, PA
Chairs: Richard Bortnick, Esq., Cozen O’Connor, West Conshohocken, PA
Oliver Brew, Senior Vice President of Technology – Media and Telecoms Underwriting, Hiscox USA, New York
Toby Merrill, VP & National Privacy, Technology & Media Liability Product Manager, ACE Professional Risk
Meredith Schnur, Professional Risk Group, Wells Fargo Insurance Services USA, Inc., New York

Delegate Rates

Attorneys: $1,195**; Insurers & Brokers: $895**; Risk Managers and CFOs: $795**

Agenda and Speakers

Register Now! Conference Venue and Hotel

The Union League is located at 140 South Broad Street, Philadelphia. A block of rooms has been secured for Wednesday, June 8th and Thursday, June 9th at a rate of $189 for a standard room and $239 for a suite. The rate includes complimentary breakfast for (2) guests per room, use of our fitness center and complimentary internet. For reservations, please call 215-587-5570 and refer to the HB LITIGATION CONFERENCE room block. If you have any questions or need assistance, please contact Cyndy Noonan at cyndy.noonan@litigationconferences.com or 484-324-2755×201.

Group Discounts

Group Discounts are available. Please contact Brownie Bokelman at 484-324-2755 x212 or Brownie.Bokelman@litigationconferences.com. Groups of 5+ and Passport Packages are available for additional savings for your firm’s practice group or legal department or for package pricing for a single conference or a series of conferences.

My panel will be:

GL vs. Network Security

  • GL underwriter panel topic, GL vs. AIPI claims
  • Other’s insurance & concurrent insurance
  • Forgotten insurance agreement-when does adv.
    injury under a GL stop and where does injury begin
    under media policy
  • Coverage and how the policies respond

Moderator: Thomas Srail, Senior Vice President-Willis Executive Risks, Willis North America
Shannon Giese, Financial Services Group–Professional Risk Solutions, A Division of Aon Risk Services Northeast, Inc.
Scott Godes, Esq., [formerly] Dickstein Shapiro LLP
Richard Reed, Vice President & Worldwide Commercial Errors and Omissions Product Manager, Chubb Specialty Insurance, Warren, NJ

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

Note:  as a speaker at the conference, I will not be charged a fee to attend the remainder of the conference.

myspace profile views counter

AgentsOfAmerica.ORG features my post: “Insurance Coverage for Cyberattacks and Denial-of-Service Incidents”

If your business suffered losses from a cybersecurity incident, a denial-of-service attack, or some other computer-, network-, or internet-related event, would you know whether your insurance would cover the losses?  If your insurance company denied your claim, would you know whether the insurance company had done so properly?

Well, if you’d like some additional thoughts on these issues, check out my post at the AgentsOfAmerica.ORG website.  They posted my piece titled, “Insurance Coverage for Cyberattacks and Denial-of-Service Incidents” and also featured it in their newsletter.  In my post, I discuss insurance coverage for cyberattacks, cybersecurity events, denial-of-service (DDoS) attacks, and more.  I note a couple of recent cases finding in favor of insurance for these sorts of events under commercial general liability (CGL) insurance policies as well as new cyber insurance policies.

So head over to the AgentsOfAmerica.ORG site and check out my post to see more!

 

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Join me at the First Party Claims Conference!

On October 19 and 20, 2010, I’m going to be presenting at the First Party Claims Conference in Warwick, Rhode Island.

What’s the First Party Claims Conference, you ask?  Well, the website describes the event as:

The 2010 FIRST PARTY CLAIMS CONFERENCE (FPCC) on October 18-20 in Warwick, Rhode Island is the insurance event that offers the maximum amount of education and CE credits for a minimal investment of time and money.

And who doesn’t like getting the “maximum amount of education” for the “minimal” amount of time and money? There will be 21 educational sessions and 39 presenters. The conference is open to everyone in the insurance claims community: accountants, adjusters, agents, attorneys, brokers, consultants, engineers, vendors/suppliers and others.

The title of the presentation that I will be making with Darrell Hamer is:

Contingent Business Interruption Insurance – Will You Be Covered When Bad Things Happen To Other People? Scott Godes, Esq., [formerly] of Dickstein Shapiro LLP and Darrell Hamer of Property Claim Advisory Services Corporation

You do remember what contingent business interruption insurance is, don’t you?  What’s that, you need a refresher?  Well, click here and read all about it!  Then register for the conference.  Our panel is going to be great.  We’re going to give tips and details based on first hand, real world experience in pursuing coverage for contingent business interruption claims.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

Note:  as a speaker at the conference, I will not be charged a fee to attend the remainder of the conference.

“Insurance Coverage for Intellectual Property and Cybersecurity Risks.”

Can you think of many, or, in fact, any, companies that are risk free when it comes to the areas of intellectual property or cybersecurity?  If you represent companies with risks relating to intellectual property and cybersecurity, what insurance coverage would apply if those risks turned into claims and potential liabilities?  Are you familiar with the developing body of insurance coverage law in those areas?

I’m the author of a forthcoming treatise chapter that answers those exact questions.  It’s the “Insurance Coverage for Intellectual Property and Cybersecurity Risks” chapter of the New Appleman Law of Liability Insurance, Second Edition, to be released in June 2010.  Here’s the chapter’s introduction:

Two developing areas of insurance coverage law are the issues of insurance coverage for intellectual property-based claims and cybersecurity-based claims.  This chapter describes coverages available for such claims.  The chapter first analyzes and details the development of coverage for intellectual property claims through advertising injury found in general liability insurance policies, as well as other coverages.  The chapter then analyzes coverage for cybersecurity claims.  The area of coverage for cybersecurity claims is, relative to most insurance coverage topics, quite nascent, and the chapter considers decisions that should be seen as analogous to this developing topic.  The chapter discusses coverage for cybersecurity claims under general liability, first-party, and other policies, as well as new policies being marketed as specific to cybersecurity risks and claims.

The intellectual property section of the chapter provides a basic overview of various types of intellectual property risks and provides a detailed discussion of how insurance policies apply to those risks.  The chapter explains the legal principles at issue when seeking insurance coverage for such risks and potential liabilities.  The chapter discusses the majority and minority rules for various issues and provides an analysis of the various exclusions that insurance companies have cited when trying to deny coverage for intellectual property claims.

The cybersecurity section of the chapter provides an overview of the new and growing cybersecurity risks faced today and details what insurance policies apply to those risks.  The chapter details how courts have ruled on coverage questions for cybersecurity and computer-related risks and liabilities.  For those areas of the law that are not as well-developed, in light of the relatively new nature of cybersecurity risks, the chapter notes analogous caselaw and how those holdings should apply to cybersecurity claims.  The section also notes issues to consider for companies in the market for new and specialized cybersecurity insurance policies.

This post appeared originally at the Lexis Insurance Law Community.
Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.

myspace profile views counter

“Guest View: Insurance for the cloud”

When you hear “cloud computing,” is insurance the first thing that you think of?  No?  I’m the only one who thinks that way?  Well, if you were wondering about the implications of cloud computing on insurance and risks, I co-wrote an article with my former colleague, Idan Ivri that addresses those questions.

First, what does “cloud computing” mean?  We explain:

Cloud computing is a loose term, but it generally refers to storing user data or applications on a remote server rather than on users’ own systems. A 2009 industry study by Coda Research Consultancy estimated that, by 2015, various forms of such software could represent 17% of all information technology spending worldwide.

That sounds great, doesn’t it?  The idea is that you and your business don’t have to buy expensive suites of software or massive servers and hard drives to store all of your applications, because you will be able to access them via a third party (sometimes known as a third party application service provider (ASP) or software as a service (SAAS)).

But is cloud computing all silver lining, and no, uh, grey cloud? We note:

[I]f developers make privacy the top priority, cloud-computing developers may face those that say they should be liable for the bad behavior of unsavory customers seeking a dark place to host illegal data or viruses.

On the other hand, privacy standards that are too low could make developers liable for data theft against legitimate users, or for putting private data into the hands of advertisers. Developers will also have to handle disruptions or unavailability of data and services to end users.

Do developers, ASPs and SAAS providers have insurance to cover those risks?  Will “traditional” insurance policies cover?  What about specialized “cyber” policies?  For the rest of the discussion about insurance for cloud computing, click on over to the full article at Software Development Times on the Web.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2010.
myspace profile views counter

Presentation on Your Cyber Security Strategy — How to Capitalize on New Opportunities & Mitigate Risks

Interested in cyber security issues?  Please join me for the following program (now archived here), live or via webinar, presented by the Washington Metropolitan Area Corporate Counsel Association:

WMACCA Government Contractors Forum: Your Cyber Security Strategy — How to Capitalize on New Opportunities & Mitigate Risks

Dec 9, 2009
8:00 AM – 10:00 AM
LIVE at Gannett Co., Inc., 7950 Jones Branch Drive, McLean, Virginia OR by WEBCAST from your desk.

Overview

As the corporate world becomes more and more virtual, the need for cyber and data security has never been greater. Understanding the Administration’s new cyber security initiatives and changes on the legislative front can give companies a competitive advantage in developing comprehensive cyber security programs. If your business is grappling with emerging threats, limited funds, and slow procurement processes, you are not alone.  Find out how to capitalize on the opportunities available through the Safety Act and other mechanisms to protect your company, and how your insurance coverage policies may cover potential liabilities. This program will address what you need to know, what you need to do, and how to “just do it.”

Speakers

Presented by Scott N. Godes, [formerly] of Dickstein Shapiro LLP; David Kessler, Senior Corporate Counsel, Symantec Corporation; Kenneth A. Mendelson, Managing Director, Stroz Friedberg. Moderated by Brian E. Finch of Dickstein Shapiro LLP.

Notes

Breakfast will be provided on-site from 8:00 – 8:30 a.m.  The program and webcast will begin at 8:30 a.m.

Webcast Log-In Instructions:
1. Go to http://www.ec.commpartners.com
2. In the middle of the page where it says Meeting Number, type the following number –340258
3. Click Enter
4. Type your full name and e-mail address when prompted

CLE

Credits: 1.5 hour pending
State: Virginia
Category: General

Contact

Robin Hayutin
Phone: 703-242-8773
E-mail: robin.hayutin@wmacca.com

Location

LIVE at Gannett Co., Inc., 7950 Jones Branch Drive, McLean, Virginia OR by WEBCAST from your desk.

703-854-6000

Sign Up

Cost

Free of charge

View All Events

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.
myspace profile views counter

Join Me for Insurance Coverage for Cybersecurity CLE Hosted by the Pennsylvania Bar Institute.

On Wednesday, August 26, 2009, I’ll be presenting a CLE for the Pennsylvania Bar Institute on insurance coverage for cybersecurity liabilities.  Here’s a snapshot of the PBI’s page so that you can sign up.

Business Law | Insurance Practice
search:
advanced
Tele-Web Seminar

Tele-Web Seminar
Insurance Coverage for Cybersecurity

1.5 Total CLE credits (No Ethics)

Note: This tele-web seminar will begin on Wednesday, August 26, 2009 at 12:00 PM to 1:30 PM Eastern Time.
Product №: 6116T
Course Level: Intermediate
Duration: 90 minutes

Register Now
Item Description | Faculty | Pricing

Item DescriptionThe financial liability of failing to protect information properly can be extraordinarily high.  One way in which to protect your clients and yourself from liability is to obtain cybersecurity insurance.  This program examines this relatively new type of insurance, the pros and cons of obtaining it, and will help you to help your clients explore their options.

Our faculty will discuss:

  • An overview of cybersecurity and data breach risks and potential liabilities
  • How “traditional” insurance coverage might cover cybersecurity and data breach risks and liabilities
  • New insurance products in the marketplace for cybersecurity and data breach risks and liabilities
Register Now Back to top

Pricing Back to top
  • Members–PA or any co. bar assn.
$99.00
  • Nonmember
$119.00

Faculty Register Now Back to top
Scott Godes, Esq., [formerly] Dickstein Shapiro, LLP, Washington, DC
Timothy Delahunt, Esq., Kenney, Shelton, Liptak & Nowak, LLP, Buffalo, NY
Arturo PerezReyes, Client Executive, Saylor & Hill, Oakland, CA
Register Now Back to top
Register NOW so you can print the course materials when they are available.
icon_acrobat Instructions (1 Page, 14 KB)
Contact us at 1-800-932-4637
Email us at callincle@pbi.org
click for live chat Having trouble using this site?
Help us improve
Powered by Legalspan

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Coverage Disputes Over Data Breaches . . . (as summarized by HB Litigation Conferences)

On July 15, 2009, I gave a presentation regarding insurance coverage for data breaches for my friends at HB Litigation Conferences, along with Tim Delahunt and Arturo Perez-ReyesTom Hagy (yes, the “H” in “HB”) wrote a really nice blog post discussing and summarizing the content of the teleconference, which you can find by clicking here.

Tom opens the piece with a provocative title and subtitle, asking:

Coverage Disputes Over Data Breaches . . .

. . . A Deluge or a Dud?

He explains:

With hundreds of laws governing data privacy and the potential for billions of dollars in damages, you can’t help but think that insurance coverage disputes are about to fall on courts like confetti.

Maybe yes; maybe no.

Either way, companies need to pay as close attention to their insurance policies as they do their data protection policies.

Tom then gives a nice summary of the introduction and overview regarding potential insurance coverage for data breaches that I provided to the conference attendees:

Speaking on HB’s July 15 teleconference – “Private Data Breaches: Insurance Coverage Implications & Prevention – policyholder counsel Scott Godes [formerly] of Dickstein Shapiro told listeners that, despite what insurance counsel might say, “don’t write off your existing coverage” if looking for protection. He also said to know the window of time to get your notice in quickly to get your insurer “to partner up with you,” and to consider new cyber-security coverage – but “know its limitations.”

Tom also featured some of the fascinating data points that my co-presenter Arturo Perez Reyes provided on this burgeoning area of liability:

Co-presenter Arturo Perez Reyes said California alone has 81 separate privacy laws, and there are hundreds of laws outside the U.S. If you lose records, you will have to tell everyone that you lost them, he said, “essentially notifying a whole class of potential plaintiffs.”

There was a 44% increase in data losses last year that resulted in $50B in losses, Reyes reported, adding that nine million people were affected by identification theft.

“The concept of a firewall is a joke,” Reyes declared.

Tom also highlighted some back and forth between me and co-presenter Tim Delahunt:

Godes criticized insurance company arguments against coverage for data theft arising from failures on the part of the policyholder’s systems. “If there is no failure to maintain proper authentication and no failure of data security measures, there would be no potential liability and no lawsuits,” he said. “And if there never was a failure of proper authentication and never was a failure of data security, I suppose insurance companies would be thrilled because they would get your insurance premiums and nothing ever goes wrong.”Co-presenter Timothy Delahunt of Kenney, Shelton, Liptak & Nowak called this a “classic policyholder complaint – that insurance companies issue coverage then deny it.”

“The analogue is that courts will find coverage when they need to, to satisfy an underlying liability. Do I think the facts and policy language have changed?” Delahunt asked. “By and large no. Could the coverage landscape change as underlying liability expands? I believe that’s possible.”

For the rest of the analysis and the post, click here.  And thanks, of course, to Tom and HB Litigation Conferences for the write up!

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Total Cessation of Business Is Not Required for BI Coverage.

Advisen just published my article, Just How Much Business Disruption Is Required To Obtain Coverage Under Contingent Business Interruption Insurance Policies?.

In the piece, I explain that:

In insurance coverage cases relating to the application of contingent business interruption coverage, insurers consistently argue that there must have been a “total cessation” of operations, no matter the applicable policy language. They further argue that if there was no “total cessation” of business operations, the insurers are not obligated to provide contingent business interruption coverage. Those arguments, however, should not carry the day.

What is contingent business interruption insurance coverage?

“Regular business-interruption insurance replaces profits lost as a result of physical damage to the insured’s plant or other equipment; contingent business-interruption coverage goes further, protecting the insured against the consequences of suppliers’ problems.” Archer Daniels Midland Co. v. Hartford Fire Ins. Co., 243 F.3d 369, 371 (7th Cir. 2001) (“Archer v. Hartford”). In short, if a third party suffers a business interruption that affects the policyholder, such as “damage to [a third party’s] plant, which was neither owned nor operated by” the insured, “contingent business interruption insurance applie[s] to the losses suffered by” the named insured. CII Carbon, L.L.C. v. Nat’l Union Fire Ins. Co., 918 So.2d 1060, 1068 (La. App. 4 Cir. 2005).

The article discusses what sort of interruption is required under contingent business interruption policies. I argue that:

The plain language of policies that require only an “interruption of business” does not, by the terms, require a total “cessation” or “suspension” of business.

For the complete analysis, click here to read the complete article.

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Conflicts, mediation, and contingent business interruption insurance.

Attorney-mediator Victoria Pynchon recently posted that “you must create disputes to resolve conflicts.”  And from there, she cites my post about contingent business interruption insurance coverage.  Vickie explains that ADR professional should not see all conflicts as bad:

Most people think ADR professionals believe that all conflicts are bad. Quite the contrary.  Those of us who are trained and practiced in dispute resolution understand that conflict must ripen into one or more disputes for society to evolve along the arc of justice.

She continues, explaining that:

To “make room” for those “contradictory forces” we often must raise a ruckus or ask for something we never believed we might be entitled to.  Say, gay marriage.

She concludes by citing to my post about contingent business interruption insurance coverage.  How does she get there?  She reminds corporate policyholders that decades ago:

Corporations once had a cozy, apparently non-conflictual relationship with their carriers because no one questioned the carriers when they said a claim wasn’t covered.

Corporate policyholders, however, would be well-advised to consider closely an insurer’s denial of coverage.  Vickie  concludes that her “stream of consciousness” took her on the path to my post, which explains what contingent business interruption insurance is, and why “In insurance coverage litigation regarding contingent business interruption losses, it is important to turn a critical eye on insurers’ arguments if they have denied coverage.”

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

Ensuring Contingent Business Interruption Coverage

Today, Insurance Law360 published a piece that I wrote regarding contingent business interruption coverage.  Are you wondering what is contingent business interruption insurance, and whether your business needs it?  I gave an overview of the coverage in the article:

First, an overview of contingent business interruption coverage. “Regular business-interruption insurance replaces profits lost as a result of physical damage to the insured’s plant or other equipment; contingent business-interruption coverage goes further, protecting the insured against the consequences of suppliers’ problems.” Archer Daniels Midland Co. v. Hartford Fire Ins. Co., 243 F.3d 369, 371 (7th Cir. 2001) (“Archer v. Hartford”).

Often times, however, when policyholders ask their insurers to cover losses stemming from contingent business interruption, the insurers refuse, asserting that there must have been a “total cessation” of business operations.  Insurers consistently argue that if there was no “total cessation” of business operations, they are not obligated to provide contingent business interruption coverage.  The insurers’ arguments, however, are wrong.  As I conclude in the article (advice that applies to many situations in which insurers have denied coverage for claims for their corporate policyholders):

In insurance coverage litigation regarding contingent business interruption losses, it is important to turn a critical eye on insurers’ arguments if they have denied coverage.

For the full article, click on over to Insurance Law360.com.

myspace profile views counter

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.