Tag Archives: DDoS

Bibeka Shrethsa quotes me in her article, “Companies Eye Data Breach Policies As CGL Exclusions Multiply”

In her article, Cos. Eye Data Breach Policies As CGL Exclusions Multiply, author Bibeka Shrestha writes about insurance coverage for cyber risks, such as hacks and data breaches, and what insurance coverage might be available under commercial general liability (CGL) and other insurance policies, in addition to cyberinsurance policies.

The article opens:

More and more companies, including law firms, are seeking out cyber policies that specifically cover hack attacks, as insurers grow bolder about repudiating coverage for data breaches under commercial general liability policies.

Insurance brokers and underwriters have admitted to providing coverage for cyber losses under general liability policies in the past, according to Scott Godes, [former] co-leader of Dickstein Shapiro LLP’s cyber security insurance coverage initiative.

The article then explains, “But the insurance industry is starting to push back on covering data breaches under these broad policies . . . .”  Ms. Shrestha uses another two quotes from me.  They all are after the jump, and the full content is available if you or your firm subscribe to the Insurance Law360 site and its content.

Want to read the other opinions and thoughts offered on the subject?  Then click on over to Cos. Eye Data Breach Policies As CGL Exclusions Multiply to read the entire article.


This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2012.

Insurance for Cyber Risks: Coverage Under CGL and “Cyber” Policies

Recently, I gave a presentation, along with Rick BortnickJennifer SmithWilliam T. Um, and Hon. Carl West (Ret.), about cyber risks, privacy class action claims, and insurance coverage for cybersecurity claims, cyber risks, privacy claims and privacy class actions, and other emerging risks.  We discussed these claims and we gave our thoughts about insurance coverage for cyber risks under cyberinsurance policies, as well as under Commercial General Liability policies (CGL), commercial crime policies, first party property and all risks policies, directors and officers policies (D&O), errors and omissions policies (E&O), and more.

As part of the presentation, Jennifer and I submitted a paper, Insurance for Cyber Risks:  Coverage Under CGL and “Cyber” Policies.  A nicely formatted version may be found here, hosted by Lockton.

ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar,

March 1-3, 2012:
Insurance coverage for data breaches, denial of service attacks, and cybersecurity events

Insurance for Cyber Risks:
Coverage Under CGL and “Cyber” Policies

Scott Godes, Esq.
[formerly] Dickstein Shapiro LLP

Washington, DC

Jennifer G. Smith, Esq.
Lockton Companies

Washington, DC


It may seem like a few years ago, every firm had a Y2K practice, and was prepared to provide advice and counseling about how to handle the anticipated end of the world.  Luckily for society at large, the worst case scenario was not realized.  Just a few years later, the focus on liability and risks as related to computers and network security has changed to another, but far more real, issue:  the risk of data breaches, hacks, network interruptions, and other cyber risks.  The number of data breaches and cyber attacks that companies and other entities have faced has been so widespread and expensive that 2011 was dubbed “the year of the cyber attack.”  A recent PricewaterhouseCoopers report characterized “Cybercrime . . . as one of the top four economic crimes.”

Two of the most well-known cyber risks are cyber attacks and data breaches.  One form of cyber attack is a denial of service incident.  Denial of service attacks may be designed to bring a website or service down, preventing customers from accessing the site or the company’s products or services.  One research and development center has explained that denial of service attacks come in a variety of forms.  The three basic types of denial of service attacks are:

  • consumption of scarce, limited, or non-renewable resources;
  • destruction or alteration of configuration information;
  • and physical destruction or alteration of network components.

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and may be called “permanent denial-of-service (PDOS) attack[s].”  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”

Another cyber risk, perhaps more widely discussed in the news, is a data breach.  The term data breach is used broadly, usually to describe incidents in which hackers, rogue current or former employees, or others steal or otherwise gain access to personally identifiable information or personal health information.  For example, in Anderson v. Hannaford Brothers Co., the court described a data breach against “a national grocery chain whose electronic payment processing system was breached by hackers . . . [with] hackers [having] stole[n] up to 4.2 million credit and debit card numbers, expiration dates, and security codes . . . .”

In the context of personal health information, “[U.S. Department of Health and Human Services] HHS issued regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached.”  HIPAA imposes liability immediately for breaches of certain information by certain parties; the requirements state that the entity “shall” provide notice, and do not make reference to a letter from the government or a lawsuit to enforce the law.  When a “violation is not corrected . . . a penalty” may be imposed that is $50,000 for each violation, up to $1,500,000 in a calendar year, rather than $10,000 and a cap of $250,000.

Setting the legal and enforcement issues aside, consider certain business issues that may motivate an organization to choose  insurance as a risk transfer solution:

  • Loss of assets, brand, and reputation.
  • Investor fallout from uncovered losses with large claim and class action potential.
  • Many functions are conducted by outside vendors and contractors who may lack insurance and assets to respond. What if the vendor makes a systemic mistake? What if they fail to purchase insurance or keep it? What if they are located in a country where this insurance cannot be obtained? What if the policy they purchased denies coverage or has inadequate limits?
  • PCI (credit card industry security standards) compliant companies have had their security compromised from processes lapse, human error, or criminal insider.
  • No system can be designed to eliminate the potential for loss, as people and processes failures cannot be eliminated. Insiders may be perpetrators.
  • Responsibility rests with the data owner from a legal, regulatory perspective, and credit card association operating regulations.
  • Insurance companies have become more aggressive in asserting (even if wrongfully so) that “traditional” insurance may not cover security liability or adequately cover privacy risks.


Policyholders and insureds facing cyber risks and liabilities would be well served to analyze their entire slate of insurance policies to determine what coverages might apply to such risks.  Indeed, the Division of Corporation Finance of the U.S. Securities and Exchange Commission recently released “CF Disclosure Guidance:  Topic No. 2 – Cybersecurity.”  That guidance, in the context of cyber risks, notes insurance coverage for such risks, stating:  “Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include: . . . [a d]escription of relevant insurance coverage.”

Is there coverage for cyber risks under a “standard form” commercial general liability (“CGL”) insurance policy, one with insuring agreements drafted by the Insurance Services Office (“ISO”)?  That question is at issue at the time of this writing between Zurich (among other insurance companies) and various Sony entities in litigation.  In 2011, Sony allegedly suffered various cyber attacks and data breaches, with the events allegedly costing Sony nine figures, and leading to multiple putative class action lawsuits against various Sony entities.  Seeking to avoid defending or indemnifying Sony, Zurich filed an action against Sony, seeking declarations that there is no coverage under various CGL policies, among other requests for rulings.

Zurich itself had recognized, in at least one article, that “[t]hird-party liability policies such as Commercial General Liability (CGL) policies provide coverage to a company . . . for data security breaches.”

Standard form CGL policies often provide coverage for personal and advertising injury, bodily injury, and property damage.  “Personal and advertising injury” has several definitions; but for purposes of data breaches and cyber risks, one relevant definition is “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”  The term “bodily injury” often is defined as including “bodily injury, sickness or disease . . . including death resulting . . . at any time.”  When analyzing the scope of bodily injury coverage in the context of cyber risks, however, consider whether the definition of “bodily injury” has been expanded to include mental anguish, mental injury, shock, fright, or similar terms.  “Property damage” in standard form CGL policies often includes “[p]hysical injury to tangible property, including all resulting loss of use of that property” and “[l]oss of use of tangible property that is not physically injured,” but often states that “electronic data is not tangible property.”

The leading case addressing these issues held that personal and advertising injury coverage was available for computer- and internet-based class action claims.  In Netscape Communications Corp. v. Federal Insurance Co., the U.S. Court of Appeals for the Ninth Circuit’s brief (and unpublished) opinion, along with the earlier trial court opinion that the Ninth Circuit reversed, illustrates that Netscape Communications Corporation (“Netscape”) was sued in putative class action lawsuits regarding a software program that provided Netscape with information about users’ internet activities and which Netscape used for targeted advertising.  The claimants alleged that Netscape’s program violated the Electronic Communications Privacy Act (“ECPA”) and the Computer Fraud and Abuse Act (“CFAA”).  The court held that “[a]lthough the underlying claims against AOL were not traditional breach of privacy claims, given that coverage provisions are broadly construed, the underlying complaints sufficiently alleged that AOL had intercepted and internally disseminated private online communications.”

With a dearth of cases interpreting publication in the cybersecurity context, it is helpful to consider analogous cases.  In Zurich American Insurance Co. v. Fieldstone Mortgage Co., a leading case on the issue, the insurance company argued “that in order to constitute a publication, the information that violates the right to privacy must be divulged to a third party.”  The court correctly rejected that argument, explaining that “the majority [of circuits] have found that the publication need not be to a third party.”  Other courts have followed the well-reasoned Fieldstone decision, finding that unauthorized access of credit reports meets the publication requirement under the relevant personal and advertising injury provisions.

Those holdings are critical in the context of data breaches.  Data breaches, as noted above, consist of situations in which private information has been publicized to third parties.  Therefore, the basic insuring agreement relating to personal and advertising injury should be considered broad enough to encompass a data breach.

To the extent that CGL policies have broadened definitions of bodily injury, there may be an argument that bodily injury coverage applies to, or (at a minimum) provides a defense for, data breach claims.  For example, one of the class action complaints filed against Sony alleges that “plaintiff and the Class have suffered damages, including, but not limited to, . . . fear and apprehension of fraud . . . .”  Such an allegation could be read as falling within an expanded definition of “bodily injury,” depending on how broadly the definition is written and whether it is construed as being tied to a physical bodily injury from the rest of the definition of the term.

The potential application of property damage coverage may be a more fact specific inquiry in the context of cyber risks.  For those policies excluding “electronic data” from the definition of “property damage,” convincing an insurer that a data breach alone caused covered property damage, or gives rise to a duty to defend under property damage coverage, will be challenging for policyholders and insureds.  Nonetheless, certain cyber attacks may result in property damage in the form of physical damage to tangible property.  For example, certain denial-of-service attacks cause physical destruction or alteration of network components.  If an insured can demonstrate that there were allegations of such damage, or actual evidence of such damage, property damage coverage should apply, as the claim does not implicate software and data alone.

The definition of property damage, in a standard form CGL policy, typically includes “[l]oss of use of tangible property that is not physically injured.”  This phrase presents an opportunity to seek coverage for loss of use of tangible property, such as the loss of use of computers or networks rendered inaccessible or inoperable as a result of a cyber attack.

A real world example is found in the Johns v. Sony complaint.  The putative class alleges that “Plaintiffs seek damages to compensate themselves and the Class for their loss (both temporary and permanent) of use of their PlayStation consoles . . . .”  Those loss of hardware use allegations should be considered loss of use of tangible property for purposes of pursuing and maximizing any insurance recovery.

In Eyeblaster, Inc. v. Federal Insurance Co., the U.S. Court of Appeals for the Eighth Circuit considered a similar set of allegations.  That dispute involved a complaint in which the claimant “alleg[ed] that Eyeblaster injured his computer, software, and data after he visited an Eyeblaster website.”  The court analyzed the scope of property damage coverage.  After determining that one prong of the property damage definition was not met, because the claimant alleged software and operating system damage, without allegations of damage to hardware, the court then considered whether the loss of use of tangible property prong of property damage was met.  The court held that alleged computer freezes, pop-up ads, hijacked browsers, random error messages, slowed performance and crashes, and ads based on past Internet surfing habits constituted property damage in the form of loss of use of tangible property sufficient for coverage under a CGL policy.  Likewise, in State Auto Property & Casualty Insurance Co. v. Midwest Computers & More, an Oklahoma federal district court held that loss of use of a computer system allegations fell within the loss of use of tangible property terms of the policy.

A final note specific to data breaches is the question of coverage for credit monitoring under CGL policies.  Policyholders and insureds should anticipate that insurance companies will assert that credit monitoring costs are not covered under CGL policies.  One such anticipated argument is that credit monitoring does not consist of “damages” “because of” personal and advertising injury, bodily injury, or property damage.  Policyholders and insureds should note that courts have rejected similar insurance company arguments in analogous contexts.  For example, class action plaintiffs have alleged that certain products (such as asbestos or lead paint) cause bodily injury at the cellular level, and, as such, they are entitled to the cost of medical monitoring that would allow said plaintiffs to know whether they will develop a cognizable injury or disease.  For those decisions recognizing the underlying claim alleges a covered claim, those decisions have recognized that medical monitoring costs are “damages” “because of” bodily injury.  That authority should be considered a persuasive basis in response to anticipated insurance company arguments that credit monitoring costs are excluded from coverage.


No doubt countless side-by-side coverage comparisons have been lost in the land of good intentions trying to delineate the distinctions between CGL, property, and cyber insurance solutions.  There are solid arguments that there is coverage for cyber risks under the insuring agreements within a standard ISO form CGL policy.  Likewise, policyholders have had some success in arguing that coverage may be afforded under the Computer Funds Transfer, Theft or Employee Theft/Dishonesty insuring agreements within a Fidelity and/or Commercial Crime program.  There also are solid arguments that coverage for private companies may provide coverage (specifically entity coverage) for cyber-related losses under a private company Directors & Officers Liability insurance program.  Notwithstanding those solid arguments and favorable case decisions, policyholders found themselves facing denials or in insurance coverage litigation to determine whether a CGL or other insurance policy will cover a data breach or other cyber event.

What is the solution then, for those organizations that are concerned with insurance companies taking aggressive positions as to coverage under CGL or other policies for cyber risks in the wake of a data breach or other cyber event?  Insurance companies now are marketing stand-alone, dedicated insurance policies as being designed to address information risk.  Those insurance policies should provide the solution.

Many refer to this solution as “cyber insurance.”  Cyber insurance is a coat of many colors, with as many product names as there are colors of the rainbow.  Other variations include:  Information Security Insurance, Network Security Insurance, Privacy Insurance, Data Breach Insurance, Network Breach Insurance, Technology Solutions, Cyber-this, Cyber-that (e.g., “plus”, “enhancement”, “solution”), Information Insurance, or, when all else fails, some iteration of Professional Liability or E&O – seemingly irrespective of the buyer’s actual services.  For the purposes of this article and to avoid calling attention to any one particular insurer, we will continue to refer to this solution as “cyber insurance.”

Although the expression “no two forms are alike” may be a stretch under other circumstances, it is painfully, tediously true in the cyber insurance context.  These forms vary vastly from the fundamental structure and scope of the policy to the retention and use of outside experts.  Certain policies are duty to defend policies; others are indemnity policies.  Certain policies have specifically delineated intentional torts drafted into the definition of “personal injury” or “wrongful act”; other policies – perhaps in an effort to avoid changing forms amid rapidly evolving regulations – leave such definitions or insuring agreements rather broadly defined.  Some might even argue “vague and ambiguous.”  Each of these issues, and the many others not listed herein, serves as a reminder to potential buyers to rely on their experts in the search for the best cyber insurance solution for that particular organization.

The core elements of cyber insurance that are unique to this particular insurance solution may include coverage in varying degrees for the following:

  • Network Security Liability
    • Claim Expenses and Damages emanating from Network and non-Network security breaches.
  • Media Liability
    • Claim Expenses and Damages emanating from Personal Injury Torts and Intellectual Property Infringement (except Patent Infringement).
    • Claim Expenses and Damages emanating from Electronic Publishing (website) and some will provide coverage for all ways in which a company can utter and disseminate matter.
  • Privacy Liability
    • Claim Expenses and Damages emanating from violation of a Privacy Tort, Law or Regulation.
    • Claim Expenses and Damages emanating from a violation of a law or regulation arising out of a Security Breach.
  • Privacy Regulatory Proceeding and Fines
    • Claim Expenses in connection with a Privacy Regulatory inquiry, investigation or proceeding.
    • Damages/Fines related to a Consumer Redress Fund.
    • Privacy Regulations Fines.
    • PCI Fines.
  • Privacy Event Expense Reimbursement
    • Expense reimbursement for third party forensics costs.
    • Public Relations costs.
    • Legal.
    • Mandatory Notification Costs (Compliance with Security Breach Notification Laws) and Voluntary Notification Costs.
    • Credit Monitoring.
    • Call Center.
    • Second Security Audits required by Financial Institutions (varies by market).
  • Data/Electronic Information Loss
    • Covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack.
  • Business Interruption or Network Failure Expenses
    • Covers cost of lost net revenue and extra expense arising from a computer attack and other human-related perils.  Especially valuable for computer networks with high availability needs.
  • Cyber-Extortion
    • Covers both the cost of investigation and the extortion demand amount related a threat to commit a computer attack, implant a virus, etc.

Also significant, and perhaps unique to the cyber insurance market, is the rapid rate at which the underwriters have modified and/or enhanced their forms. Issues like contractual liability/indemnification, mandatory versus voluntary notification, and even the defining triggers under the policy(ies) appear to change every 18 months – with new product introductions every six months.  Again, buyers are encouraged to carefully review the different program terms and conditions, so that they can prioritize and weigh their coverage needs against the solutions offered by the underwriters.

Although sorting through various cyber insurance solutions may be a daunting task to first-time buyers, it is worth repeating that insurance companies market this solution as being designed expressly to contemplate information risk, including data privacy and network security.  A properly designed insurance solution may very well pre-empt a difficult explanation to senior management after a cyber loss, a much more favorable position to be in than explaining why the policyholder’s insurance companies have sued the policyholder, simply because the policyholder put the insurance company on notice.


This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2012.

Join me at the 2012 NetDiligence® Cyber Risk & Privacy Liability Forum.

My good friends at HB Litigation Conferences present:

NetDiligence® Cyber Risk & Privacy Liability Forum
June 4-5, 2012| Hyatt at the Bellevue, Philadelphia, PA

I’ll be a speaker on a panel discussing the “State of the Cyber Nation – Cases, Theories, and Damages”:

State of the Cyber Nation – Cases, Theories, and Damages
•Is actual harm still needed?
•Statutory framework – CMIA litigation, Video Protection Privacy Act, and the Driver’s Privacy Protection Act
•Notable recent cases and their impact
•Current theories of liability and claims alleged
•How to present damages in this era
•How to minimize the chance of litigation after a breach and settlement opportunities
•More sophisticated defenses
•Identity Theft Restoration Act-suing hackers?  How federal courts may change the game
•Medical disclosure cases and how they fit into the mix
•Developments in insurance coverage for cyber and privacy risks

Theodore Kobus III, Esq., Baker & Hostetler LLP (Moderator)
John Mullen Sr., Esq., Nelson Levine de Luca & Horst, LLC
Scott Godes, Esq, [formerly] Dickstein Shapiro
Jamie Sheller, Esq.
, Sheller P.C.
Mark Camillo, Chartis Insurance
Ben Barnow, Esq., Barnow & Associates, P.C.

Take a look at the full agenda by clicking here.  And you can register online by clicking here.


This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

Note:  as a speaker at the conference, I was not charged a fee to attend the remainder of the conference.
myspace profile views counter

Join me for the IRMI Cyber & Privacy Risk Conference.

IRMI Cyber & Privacy Risk Conference.  Mark your calendar to join us in Baltimore, MD on May 16-17, 2012.

Noted cybersecurity, homeland and national security expert Richard A. Clarke will deliver the keynote address.

Discussing the last IRMI Cyber & Privacy Risk Conference, IRMI notes:

This past July in San Francisco, 100 risk managers, underwriters, agents and brokers attended the first IRMI Cyber & Privacy Risk Conference.

These industry thought leaders came away with a greatly improved understanding of how to identify, contractually transfer, and insure liability risks arising from the use of technology and the Internet in business. Many networking opportunities were provided to build relationships with leaders in cyber and privacy risk management and insurance.

My session will be:

Wednesday, May 16, 10:45 a.m. – 12:15 p.m.

The Cyber Risk Regulatory and Legal HorizonAs the web of laws and regulatory requirements increases, managing the risks of cyber security becomes even more challenging. On top of the multitude of state laws, the SEC recently released reporting requirements and Congress is set to take up a number of bills during 2012. This workshop will provide an overview the range of laws and regulations in place and explore the new legislative developments affecting cyber insurance and risks, as well as the reporting requirements issued recently by the SEC.


  • Scott N. Godes, Counsel in the Insurance Coverage Practice, [formerly] Dickstein Shapiro LLP
  • Jacob Olcott, Principal, Cybersecurity, Good Harbor Consulting, LLC
  • Tim Stapleton, Assistant Vice President and Professional Liability Product Manager, Zurich North America
  • Other Panelists To Be Announced

Interested in attending?  Then head on over to the RIMS 2012 website to register.


This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2012.

Note:  as a speaker at the conference, I will not be charged a fee related to the conference.

myspace profile views counter

“A Lawyer’s Advice for Evaluating Your Cyber Coverage”

I recently wrote an article titled, “A Lawyer’s Advice for Evaluating Your Cyber Coverage:  Policies vary significantly from carrier to carrier—and even within the various forms of one company.”  It has been published on the Property Casualty 360° website, republished from the February 6, 2012 issue of National Underwriter.

In the article, I discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events, including what factors to consider when buying cyberinsurance policies for cyber risks.  I also discuss how different cyber risks may be characterized, whether as within first party, or third party insurance coverages, and how to keep those risk factors in mind when brokering, broking, or buying a cyberinsurance policy.

Here is a brief excerpt from the article:

Policyholders and insureds exposed to cyber risks would be well served to analyze carefully their insurance policies to determine exactly which coverages apply to them—and to see if any critical coverages are missing.

Cyber Liability insurance should provide coverage for the vast majority of key cyber risks, and there may also be overlapping coverage under other policies for such exposures.

The first place that a company should look to determine whether it has, or may have, coverage for cyber risks is any specific Cyber Liability policies that the entity holds. A very close look at these policies is warranted, as the coverage under such policies often varies significantly from carrier to carrier—and even within the various forms that one particular insurance company offers.

Want to read moreThen click on over to the full article.


This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

“2012 Data Privacy and Information Security Predictions”

My friend, Christine Marciano, who is President, Cyber Data Risk Managers, just released her 2012 Data Privacy and Information Security Predictions. The report is an interesting series of predictions on what 2012 will hold in the areas of privacy and cyber risks. Here is how Christine describes the report:

This is our first Data Privacy and Information Security Predictions report. We asked
leading Data Privacy and Information Security professionals what they thought the New
Year will hold in terms of the threats that are on the 2012 landscape. The predictions
that are included in this report offer a wide range of threats and concerns that need to
be considered by every business or organization that operates in cyberspace regardless
of its size.

Christine starts off the report with some of her own predictions regarding 2012 and what people might expect in terms of cyber risks and cyber threats:

As we start 2012, we can expect to see a continuance of data breaches and increasing cyber attacks. Taking a look back at 2011, we have learned that no system is ever 100% secure no matter the name or the size of an organization. It’s important for businesses and organizations to know what they need to be prepared for and to take steps to help minimize the threats that do not appear to be going away. Looking ahead, it appears that in 2012 we will see an increase of heightened and very sophisticated threats than what was seen in 2011. We can recall 2011 as the year the hackers and the hacktivists got started on the data breach and gained a great amount of attention. With all of the digital information and big data that is being stored, it should come as no surprise that data breaches are not going away in 2012 as they are only going to get bigger. I expect that we will also see more serious hacktivists attacks. It seems that the hacktivist is no longer hacking organizations just for the fun of it. They are attacking for specific causes and I believe that hacktivists are going to be a very serious threat in 2012 and organizations must be prepared.

Christine cites me for a prediction about data breaches and insurance coverage for data breaches and privacy risks. Here is her write up for me in the report:


Scott N. Godes, [formerly] Counsel, Dickstein Shapiro LLP, states…

In terms of a trend in the areas of privacy and information security, I have noticed a sea change in both areas, leading to more need for analysis of insurance policies to cover these risks. When considering privacy risks, there has been an expansion of risks and potential liability for privacy violations, with the Pineda v. Williams Sonoma decision serving as one example. This year also has been called the year of the data breach, and companies are taking a hard look at how their insurance might and does cover such claims. These risks are being considered much more closely by companies, along with a careful analysis of how their insurance policies might cover.

Follow Scott Godes on Twitter:

She also quotes several people who write and speak a good deal about cyber risks, including:

  • Misha Glenny, Author of DarkMarket: Cyberthieves, Cybercops and You (Knopf, 2011), about smartphones and international cybercrime;
  • Jim Duster, Vice President of Sales, Debix; and Jake Kouns, Director of Cyber Security and Technology Risks, Underwriting, Markel Corporation, about the growth of cyberinsurance for 2012;
  • InfoLawGroup Senior Counsel, Richard Santales, about EU Data Protection regulation changes, HIPAA breach notification changes, upcoming FTC privacy report, and cloud computing;
  • InfoLawGroup Partner, David Navetta, about concerns over BYOD (“bring your own device”) and COIT (“consumerization of information technology);
  • Bruce Anderson, CEO, Cyber Investigation Services, about small and medium businesses becoming a target for data breaches in 2012, increased cyber attacks, growth in website attacks, mobile threats, and hacktivists targeting the cloud;
  • Anthony M. Freed, Managing Editor at Infosec Island, about cyber attacks on critical infrastructure;
  • Shaun Dakin, Managing Director, Webbmedia Group, about the FTC using existing power to regulate commercial enterprises; and
  • Robert Fletcher, founder and CEO of Intellectual Property Insurance Services Corporation, as to how Changes in America Invents Act will drive intellectual property owners to explore specialized intellectual property insurance policies to fund IP litigation.


This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2012.

Join me for RIMS 2012 Annual Conference & Exhibition in Philadelphia!

Looking for a fantastic seminar devoted to risk and insurance?  Are you a risk manager?  Are you part of the insurance industry?  Are you someone who helps companies get their claims covered and paid (that’s me! that’s me!)?

Of course, then, you want to attend a risk management seminar with “no boundaries.”  Well, look no further.  “No boundaries” is how RIMS describes its RIMS12 annual conference for 2012:

If your organization is like most, risk is not confined to just one department. Everyone has risk management responsibilities. At RIMS 2012 Annual Conference & Exhibition, there are no limits to the information and resources available to help you and your organization innovatively minimize risks. You’ll find a wide array of educational sessions offering practical strategies, no matter what your business area. Sessions are offered at all experience levels—from beginner to advanced—so you can design an educational experience that fits your needs. And, the Exhibit Hall is jam-packed with solutions–everything you’ll need for the upcoming year.

The event is from April 15-18, 2012 in Philadelphia.

Not sure whether you should attend?  Here’s what RIMS says, and I couldn’t have said it better myself:

The Value of Attending

As the current economic climate continues to affect companies, some critical training and education budgets have been slashed or put on hold. Yet, the need for proper training, innovative tools and resources is greater now than ever before. At RIMS 2012 Annual Conference & Exhibition you will participate in the single most educational, informative conference for risk professionals. Refresh your skill set, pick up new tips and techniques, and network with nearly 10,000 risk professionals.

But just in case you need help justifying the value of attending RIMS to your management, here are the top reasons why you should register today:

  • Top-notch education–With 120+ sessions, hot topic sessions, keynote presentations, a jam-packed Exhibit Hall and unique networking opportunities, RIMS ’12 has more new strategies, ideas and practical solutions in one place that you will find anywhere else!
  • Keynote presentations–You’ll hear business visionaries share how to best utilize your resources in this time of financial uncertainty, enhance your leadership skills and align effective risk management with your organization’s business goals. Learn how to incorporate successful change management strategies into your risk policy, work in constantly evolving markets and structure your risk program to handle planned—and unplanned—challenges as they arise.
  • Industry leaders–Solve today’s challenges with the help of top industry leaders. At RIMS 2012, world-class speakers will discuss techniques and best practices that will advance your understanding of risk management and help you maneuver your risk program past current and future obstacles. This is the knowledge that will ensure your organization’s stability and growth—especially in these demanding times!
  • Save your company money!–Attend sessions that will save your company money and take away cost-cutting strategies. Your registration will have paid for itself! View the conference program to find the best sessions to fit your business needs.
  • Exhibit Hall–Walk through the Exhibit Hall to meet with service providers and discover thousands of ground-breaking resources, the latest innovations and breakthrough solutions. Hold on to those business cards—they will help you create innovative strategies and find new solutions when you need them.
  • Networking–Navigate the twists and turns of developing a successful risk management program with nearly 10,000 leading risk professionals who will bring a fresh perspective to your risk program. We’ve got events such as a grand Opening Reception, keynote presentations, award receptions, Wednesday Night Spectacular and more for you to meet old friends and make new ones.
  • Make a difference–Join your peers and give back to Vancouver, our host city, or support the future of the risk management industry. Participate in RIMS Community Service Day or join us for the Spencer Educational Foundation fundraising event. Details on these special events are available in the conference program.
  • Global reach–Attendees from more than 50 countries will come together in Philadelphia at RIMS 2012 to learn how to improve their risk program and operate efficiently and effectively in today’s global marketplace. Learn the challenges of doing business in China, balancing operational risks associated with global sourcing, tips for implementing a global risk program, and more! Attend one of the sessions offered in Spanish and Japanese for a truly global perspective. What’s more, you’ll find many multinational corporations and international organizations in the Exhibit Hall.
  • Share your knowledge–Host an “everything I learned at RIMS ’12” information session for your coworkers and pass on the new tools and strategies that you acquired, as well as information on the new contacts and solution providers you met.
  • It’s the premier industry conference–In terms of learning, networking, solution-sharing, peer exchange and connecting with service providers, RIMS ’12 is the only place where you can find it all. So, join us in Philadelphia and gain the advantage that you need to elevate your profile with your organization!

My session will be CLM203: Cyber Attacks and Privacy Claims: Litigation, Insurance and Crisis Management.  Joined by Rick Bortnick and Art Boyle, we’ll be discussing insurance coverage for cyberrisks and privacy claims, including data breaches, denial-of-service attacks, privacy class actions, and other cybersecurity and privacy events:

Session Code: CLM203
Date: Wednesday, April 18, 2012
Time: 8:45 AM – 10:00 AM
Every day, the media reports another major cyber breach. No person or corporation is immune. Government entities, financial institutions, health care providers, Fortune 500 companies and even cyber-security firms are under constant attack. And the inevitable class action privacy breach lawsuits follow. The trend among courts and government regulators has been to allow these suits to proceed to discovery and beyond. The associated costs are increasing exponentially. A single cyber breach could cost tens of millions of dollars. Projections for costs from the Sony breach start at $1 billion. You may think to look to your cyber or tech insurer for help, but what about a straightforward first- or third-party policy or a professional services policy? Is the theft of information covered under a fiduciary policy? How will you address and coordinate the crisis management? Who do you hire? Can a law firm help? And while an increasing number of underwriters offer cyber-insurance products, many claims professionals are not yet familiar with the coverages or how to evaluate and handle the resultant claims. Become better informed with a debate on cyber risks and litigation, crisis management, loss control, the applicability of insurance and cyber-risk strategies.

Interested in attending?  Then head on over to the RIMS 2012 website to register.


This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

myspace profile views counter

« Older Entries Recent Entries »