Tag Archives: First party insurance coverage

Join me for RIMS 2012 Annual Conference & Exhibition in Philadelphia!

Looking for a fantastic seminar devoted to risk and insurance?  Are you a risk manager?  Are you part of the insurance industry?  Are you someone who helps companies get their claims covered and paid (that’s me! that’s me!)?

Of course, then, you want to attend a risk management seminar with “no boundaries.”  Well, look no further.  “No boundaries” is how RIMS describes its RIMS12 annual conference for 2012:

If your organization is like most, risk is not confined to just one department. Everyone has risk management responsibilities. At RIMS 2012 Annual Conference & Exhibition, there are no limits to the information and resources available to help you and your organization innovatively minimize risks. You’ll find a wide array of educational sessions offering practical strategies, no matter what your business area. Sessions are offered at all experience levels—from beginner to advanced—so you can design an educational experience that fits your needs. And, the Exhibit Hall is jam-packed with solutions–everything you’ll need for the upcoming year.

The event is from April 15-18, 2012 in Philadelphia.

Not sure whether you should attend?  Here’s what RIMS says, and I couldn’t have said it better myself:

The Value of Attending

As the current economic climate continues to affect companies, some critical training and education budgets have been slashed or put on hold. Yet, the need for proper training, innovative tools and resources is greater now than ever before. At RIMS 2012 Annual Conference & Exhibition you will participate in the single most educational, informative conference for risk professionals. Refresh your skill set, pick up new tips and techniques, and network with nearly 10,000 risk professionals.

But just in case you need help justifying the value of attending RIMS to your management, here are the top reasons why you should register today:

  • Top-notch education–With 120+ sessions, hot topic sessions, keynote presentations, a jam-packed Exhibit Hall and unique networking opportunities, RIMS ’12 has more new strategies, ideas and practical solutions in one place that you will find anywhere else!
  • Keynote presentations–You’ll hear business visionaries share how to best utilize your resources in this time of financial uncertainty, enhance your leadership skills and align effective risk management with your organization’s business goals. Learn how to incorporate successful change management strategies into your risk policy, work in constantly evolving markets and structure your risk program to handle planned—and unplanned—challenges as they arise.
  • Industry leaders–Solve today’s challenges with the help of top industry leaders. At RIMS 2012, world-class speakers will discuss techniques and best practices that will advance your understanding of risk management and help you maneuver your risk program past current and future obstacles. This is the knowledge that will ensure your organization’s stability and growth—especially in these demanding times!
  • Save your company money!–Attend sessions that will save your company money and take away cost-cutting strategies. Your registration will have paid for itself! View the conference program to find the best sessions to fit your business needs.
  • Exhibit Hall–Walk through the Exhibit Hall to meet with service providers and discover thousands of ground-breaking resources, the latest innovations and breakthrough solutions. Hold on to those business cards—they will help you create innovative strategies and find new solutions when you need them.
  • Networking–Navigate the twists and turns of developing a successful risk management program with nearly 10,000 leading risk professionals who will bring a fresh perspective to your risk program. We’ve got events such as a grand Opening Reception, keynote presentations, award receptions, Wednesday Night Spectacular and more for you to meet old friends and make new ones.
  • Make a difference–Join your peers and give back to Vancouver, our host city, or support the future of the risk management industry. Participate in RIMS Community Service Day or join us for the Spencer Educational Foundation fundraising event. Details on these special events are available in the conference program.
  • Global reach–Attendees from more than 50 countries will come together in Philadelphia at RIMS 2012 to learn how to improve their risk program and operate efficiently and effectively in today’s global marketplace. Learn the challenges of doing business in China, balancing operational risks associated with global sourcing, tips for implementing a global risk program, and more! Attend one of the sessions offered in Spanish and Japanese for a truly global perspective. What’s more, you’ll find many multinational corporations and international organizations in the Exhibit Hall.
  • Share your knowledge–Host an “everything I learned at RIMS ’12” information session for your coworkers and pass on the new tools and strategies that you acquired, as well as information on the new contacts and solution providers you met.
  • It’s the premier industry conference–In terms of learning, networking, solution-sharing, peer exchange and connecting with service providers, RIMS ’12 is the only place where you can find it all. So, join us in Philadelphia and gain the advantage that you need to elevate your profile with your organization!

My session will be CLM203: Cyber Attacks and Privacy Claims: Litigation, Insurance and Crisis Management.  Joined by Rick Bortnick and Art Boyle, we’ll be discussing insurance coverage for cyberrisks and privacy claims, including data breaches, denial-of-service attacks, privacy class actions, and other cybersecurity and privacy events:

Session Code: CLM203
Date: Wednesday, April 18, 2012
Time: 8:45 AM – 10:00 AM
Every day, the media reports another major cyber breach. No person or corporation is immune. Government entities, financial institutions, health care providers, Fortune 500 companies and even cyber-security firms are under constant attack. And the inevitable class action privacy breach lawsuits follow. The trend among courts and government regulators has been to allow these suits to proceed to discovery and beyond. The associated costs are increasing exponentially. A single cyber breach could cost tens of millions of dollars. Projections for costs from the Sony breach start at $1 billion. You may think to look to your cyber or tech insurer for help, but what about a straightforward first- or third-party policy or a professional services policy? Is the theft of information covered under a fiduciary policy? How will you address and coordinate the crisis management? Who do you hire? Can a law firm help? And while an increasing number of underwriters offer cyber-insurance products, many claims professionals are not yet familiar with the coverages or how to evaluate and handle the resultant claims. Become better informed with a debate on cyber risks and litigation, crisis management, loss control, the applicability of insurance and cyber-risk strategies.
Panel

Interested in attending?  Then head on over to the RIMS 2012 website to register.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

myspace profile views counter

Advertisements

Join me for the ABA Insurance Coverage Litigation Committee’s 2012 Annual CLE Seminar in Tucson, Arizona!

You know that insurance touches every aspect of litigation, not to mention its importance in the context of corporate transactions, right?  In today’s economic climate, the value of insurance is critical.  As an attorney, you want to stay informed about the latest trends in insurance coverage law, right?  You’re probably also looking for some CLE credit as well.  Do you want to go some place warm this winter?  Maybe Arizona?

If you said “yes” to any of those questions, then you should join me at the Loews Ventana Canyon Resort for the ABA’s 2012 Insurance Coverage Litigation Committee (ICLC) CLE seminar, from March 1-3, 2012 in Tucson, Arizona.

Here’s what the ABA ICLC says about the seminar:

Why You Should Attend
Insurance touches every aspect of litigation. In today’s economy, it is critical to stay informed on the latest trends in the law. Join many of the nation’s top insurance company and policyholders’ counsel and other industry leaders at the Insurance Coverage Litigation Committee Annual CLE Seminar. This year’s program once again will provide the same high-quality presentations and valuable networking  opportunities as prior ICLC programs.

What You Will Learn

  • How to make rain. Learn what clients really want from their lawyers and how to expand business.
  • When disasters strike. How insurance coverage can assist the construction, energy, and hospitality industries.
  • The credit crisis and how D & O coverage may help pay for these claims.
  • How to present coverage issues at trial. Can you make insurance issues interesting?
  • Can you overcome insurer bias? Learn from practitioners who have faced these challenges.
  • Overlooked and underutilized provisions in insurance policies.
  • Privilege issues in insurance coverage litigation.
  • Can a policyholder recover consequential damages in the absence of bad faith?

Who Should Attend

  • All attorneys who litigate in the area of insurance coverage.
  • In-house counsel and seasoned practitioners needing an update from the leading trial lawyers, experts and members of the judiciary on the latest legal developments.

My panel will be the greatest panel ever,* discussing insurance coverage for cyberrisks, including data breaches, denial-of-service attacks, and other cybersecurity events:

Saturday, March 3, 2012
9:05 am – 10:05 am CLE breakout session

Insurance Coverage for Data Breaches, Denial-of-Service Attacks, and Cybersecurity Events, and the Tidal Wave of Class Action Lawsuits Following Data Breach Disclosures.
There has been a recent tidal wave of data breaches, network interruptions, and cyberattacks, resulting in countless class actions. This program will explore how insurance coverage may help fund the costs to defend these lawsuits. Would your insurance policies cover those events? What coverages are available in the marketplace?

Speakers:

Scott N. Godes

Rick Bortnick

Jennifer Smith

William T. Um

Hon. Carl West

Interested in attending?  Then head on over to the ABA’s website to register.  If you’re looking for the reservations page for the event on the Loews Ventana Canyon hotel website, you can find it by clicking here.

*I cannot guarantee that you will find this to be the greatest panel ever.  But you might.  Isn’t that good enough for you?

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

myspace profile views counter

Join me for IQPC’s Cyber-Risk & Data Breach Management Summit

Are you looking for a conference discussing cyber risk and data breach management issues?  Do you want to network with industry insiders, compare products and strategies, and to learn valuable information on potential cyber risks and liabilities?  If you do, then you’ll want to join me at the IQPC Cyber-Risk & Data Breach Management Summit on November 30-December 2, 2011.

Here are the introductory details:

Managing the Risk and Impact of Data Breaches without Disrupting Business Innovation and Growth

Virtually every business today is facing cyber risks, ranging from the loss of information on a single laptop to disruption of its entire business due to a data center outage or attack. In today’s information economy, the protection of data is a key element in the long-term competitiveness and survival of commercial organizations. Whether faced by a regulatory investigation or litigation stemming from a data breach organizations have understand and address the cyber risks they continually face and exercise due care in implementing policies to protect their business and comply with regulations. Effective cyber security depends on coordinated, integrated preparations for responding to and recovering from, a range of possible cyber attacks. The best approach to information security incorporates risk management as part of the firm’s overall strategy and objectives.

This conference will provide an innovative and fresh eye to traditional cyber security processes and tools, and will present ideas and real-life examples that you can apply to your organization’s risk management programs. Furthermore, this conference will highlight how cyber risk insurance can protect your company in the event it suffers a breach and mitigate your risk.

* * *

NOVEMBER 30 – DECEMBER 2, 2011 | SENTRY CENTER, NEW YORK, NY

My panel will be on December 2, at 9:45 am:

Lessons from the Latest Litigation and Enforcement Actions Resulting from a Breach

This session will examine case studies based on recent litigation as a result of data breach incidents that will help you learn to recognize the potential weaknesses that present themselves prior to an account data
compromise. You will learn the most up-to-date detection and prevention practices your organization can implement to prevent a potentially damaging breach from occurring.

Interested in attending?  [ Register Now ]

Update:  If you’d like to attend, and would like a huge discount (seriously huge, way bigger than your typical cyber Monday discounts), let me know ASAP, and I’ll put you in touch with the organizer.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

Note:  as a speaker at the conference, I will not be charged a fee to attend the remainder of the conference.

myspace profile views counter

Would your company’s insurance cover a cyberattack?

DDoSOn October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.”  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1]  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2]  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3]  The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[5]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6]  If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11]  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12]  Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16]  The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.


[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).

[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[7] Id.

[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).

[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.

[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).

[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).

[15] See MBIA Inc. v. Fed. Ins. Co., 652 F.3d 152, 160 (2d Cir. 2011).

[16] See Eyeblaster, 613 F.3d at 804.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

“Legal Corner: Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection”

My former colleague, Ken Trotter, and I recently wrote an article titled, “Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection.”  The article is reprinted below, courtesy of and permission from, the fine people at Hospitality Upgrade magazine:

Scott Godes  godess@dicksteinshapiro.com
Kenneth Trotter  trotterk@dicksteinshapiro.com
Hospitality© 2011 Hospitality Upgrade. No reproduction without written permission. It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks.  A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies.  According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves.Cybersecurity risks can cause a company to incur significant loss or liability.  A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds.  Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes.  Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability.  Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information.  Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack.Involving Technology and Privacy Managers in Insurance-related Matters  Because of the variation in cyberinsurance coverages and the underwriting inquiries that often go along with the purchase of such insurance policies, companies may find the process to be a great opportunity for a company’s risk managers, technology managers and privacy managers to work together to help understand potential risks to the company and what risk transfers are being purchased through the insurance policies offered.  Working together aligns the risk managers’ understanding of specific insurance-related issues, the technology managers’ technical expertise regarding the companies’ systems and protections that will be helpful to understand any technical requirements in an application or insurance policy, and the privacy managers’ knowledge of the potential privacy risks that the company faces in light of the information held and how and where it is used.  Indeed, given their understanding of the technical and practical considerations involved in protecting a company’s data from a cyberattack, technology and information managers may be in a unique position to assist the company’s risk managers in understanding the technical implications of specific policy language.Insurance Coverage Considerations  When considering what coverages may apply or purchasing cyberinsurance coverage, it is essential to consider many types of coverage, as coverages often are written and offered in different modules and on varying insurance policy forms.  On a regular basis, insurers are writing and introducing new policies marketed as being tailored specifically to cover data breaches and cyberattacks.  In addition, coverage may be available under traditional forms of insurance.  Indeed, policyholders may have overlapping coverage for data breaches and certain cyberrisks, with the potential for coverage under cybersecurity policies as well as traditional insurance policies.  When analyzing the coverage afforded by such policies, it is critical to understand the impact of exclusions on coverages and any sublimits on the amount of coverage afforded by the policy.  Because of the variety of coverages being offered, as discussed below, technology managers can assist the company by providing a careful review of the technical language used in the policy to help determine the scope and limitations of the coverage being purchased with respect to a specific company’s operations.

Cybersecurity and Data Breach Policies  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Such policies are relatively new to the marketplace and are constantly changing. Specific policies for cybersecurity and data breach have been known as Network Risk, Cyberliability, Privacy and Security or Media Liability insurance.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the Internet Liability and Network Protection Policy, and insurance companies may base their coverages on this basic insuring agreement or they may provide their own company-worded policy form.  Because these policies are frequently updated and changed, it is important to compare the coverages offered across companies and within a company’s offerings.

Traditional Forms of Insurance  Although it is ideal to purchase a policy designed specifically for cybersecurity risks, more traditional forms of insurance may also provide overlapping coverage for data breaches and cyberrisks, depending on the particular coverage terms and exclusions in the individual policy.  Coverage may be provided by the following types of policies:  commercial general liability; first-party property and business interruption; directors and officers or errors and omissions; crime; kidnap, ransom and extortion.  Insurance companies, however, have been fighting their obligations to pay claims for cyber-related loss under such traditional insurance policies.  A major insurer recently sued a corporate policyholder in New York, asking the court to rule that traditional insurance policies do not cover a series of high-profile data breaches, cyberattacks and cyberrisks.

Making a Claim for Coverage   If a cyberevent occurs, such as a data breach, then it is vital that risk managers, technology managers and privacy managers work together to seek recovery under all potentially available insurance policies.  It is recomended that policyholders send notice of the claim or occurrence to all potentially applicable insurers, whether under a special cybersecurity policy or under the more traditional forms of insurance. After an insurance claim is tendered to insurers, they may raise various defenses to coverage. Companies, however, should not assume that such defenses will defeat coverage. Whether an event is covered will often depend on careful analysis of the specific policy language involved, the facts of a company’s particular losses and the law of the applicable jurisdiction. Insurance carriers may take a hard line regarding the application of the exclusions in their policies.  For example, under certain insurance policies, there is coverage for property damage and insurers have asserted that there has been no property damage as a result of a cyberattack. Technology managers, however, may be able to assist the company in marshalling evidence to prove that a cyberattack has damaged the company’s computer equipment, or that there has been a loss of use of computer equipment (another way of demonstrating property damage under certain insurance policies).  Technology managers should stay involved throughout the insurance recovery process to help assure that any representations and statements about the company’s technology and the cyberevent are accurate and properly characterized.

Beyond in-house technology personnel, companies that have sustained losses due to a data breach or cyberattack should consider speaking with an attorney who represents policyholders and has familiarity with this area. Because of the assistance of such lawyers, some policyholders have been able to obtain substantial recovery even after the insurer initially denied the policyholder’s claim.

Scott Godes and Kenneth Trotter are attorneys with Dickstein Shapiro LLP who devote a significant portion of their practice to the representation of policyholders in complex insurance disputes with insurance companies. They may be reached at godess@dicksteinshapiro.com or trotterk@dicksteinshapiro.com. This information is general and educational and is not legal advice.  For more information, please visit www.hospitalitylawyer.com.

Thank you to the Hospitality Upgrade website for permission to use this article.

This article appeared on the Hospitality Upgrade website on 1 October 2011—link to article:

http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.  [Note that the contact information for Ken Trotter and me since has changed.]

Insurance coverage against cyberattacks and data breaches relating to the hospitality industry and hotels.

four star hotelMy former colleague, Ken Trotter, and I recently wrote an article titled, “Insurance Recovery for Loss or Liability Arising from Cyberattacks; Obtain and preserve insurance for your company’s protection.”  It has been published in Hospitality Upgrade magazine‘s Fall 2011 issue.  In the article, we discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events, in light the risks for such events that the hospitality industry, and hotels in particular, face.  We discuss coverages for cyberattacks and data breaches against hotels and the hospitality industry under new cyberinsurance policies, and overlapping coverage with other insurance policies for data breaches, cyber risks, cyberattacks, and cyber events.  We also discuss involving multiple people within the company to discuss the risks and evaluate the purchase of new insurance and cyberinsurance policies.

Here is a brief excerpt from the article:

It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks. . . .

Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds. Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes. Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability. . . .

Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information. Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack. . . .

Read more

Want to read moreThen click on over to the full article.

Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.

“Protecting Your Company Against Loss or Liability Arising from Cyberattacks”

My former colleague, Ken Trotter, and I recently wrote an article titled, “Protecting Your Company Against Loss or Liability Arising from Cyberattacks.”  It has been published in Hospitality Lawyer‘s September 2011 In-House Counsel Newsletter.  In the article, we discuss insurance coverage for data breaches, cyber risks, cyberattacks, and cyber events.  We discuss coverages under new cyberinsurance policies, and overlapping coverage with other insurance policies for data breaches, cyber risks, cyberattacks, and cyber events.

We provide an overview of potential coverage under:

  • First party property policies;
  • Business interruption coverage and policies;
  • Commercial General Liability (CGL) policies;
  • Directors and Officers Liability (D&O) policies;
  • Errors and Omissions policies; and
  • Crime and Fidelity policies.

We also give practical considerations when making claims for coverage.

Here is the opening paragraph to the article:

Does your company have insurance policies that will cover data breaches and cyber attacks?  The hospitality industry is particularly vulnerable to data breaches and other cyberattacks.  According to Willis Group Holdings, a British insurance firm, insurance claims for data theft worldwide jumped 56% last year, with a large number of those attacks targeting the hospitality industry.  The report said the largest share of cyber attacks—38%—were aimed at hotels, resorts and tour companies.  As just one example of these attacks, computer hackers broke into the computer system of a national hotel chain and stole the guests’ credit card information.  This summer, the Secret Service informed the owner of a family-run Italian restaurant that a thief hacked into the communication system between the cash register and the credit card processing company, stole credit card numbers, and then used them to fraudulently make purchases across the United States.  Businesses in the hospitality industry will continue to be attractive targets for hackers and data thieves, particularly since they obtain and maintain confidential data from consumers including countless credit card records.  There are risks for companies well beyond the possibility of hackers stealing consumer data.  Vital corporate data, whether it’s shared on the company’s servers or by third parties, may become inaccessible or even destroyed in a hacker attack.  Managing such risk is critical to successful business operations. Read more

Want to read moreThen click on over to the newsletter.

« Older Entries Recent Entries »