Insurance Solutions For Cyber Risks

Be aware of the insurance and other risk management solutions that exist to manage cyber risks

By Larry McSpadden on 1.16.2008 - 6:56 pm
About The Author

Larry D. McSpadden is Senior Vice President at Beauchamp & McSpadden, Inc. which is licensed in the 48 continental United States and the District of Columbia. He has been a major accounts producer of commercial lines property/casualty insurance since 1977.

Are you the business manager of your legal practice? Do you advise other organizations about prudent business practices? Do you routinely inform clients about significant business risks they may face? If so, you should be aware of a family of new perils that have arisen with the explosion of communication, information and electronic technologies—cyber risks.

In the mid-1990’s, as businesses and not-for-profit organizations came to increasingly rely on their databases, web sites and e-mail systems, they started to experience problems, losses, and lawsuits arising from this new technology. Many were surprised to find that claims were denied because traditional, standard insurance policies weren’t drafted with cyber risks in mind.

There are two distinct loss categories related to this new electronic technology: first-party (loss of one’s own property or income), and third-party (losses arising from alleged responsibility for causing another’s loss). Reasons for protecting against exposures in either area include:

• Protecting the organization’s bottom line
• Protecting the organization’s reputation
• As an outgrowth of business due-diligence activities
• Meeting regulatory and legal requirements

Understand First-party Losses

Damage to a computer network’s hardware, software or data by a computer virus or from a hacker is a common first-party loss. In 2002 (as reported by the USDOJ), after a member of the IT department at UBS Paine Webber was given a bonus below his expectations, he planted a “logic bomb” in the company’s computer system. A couple of weeks after the employee’s termination, it shut down the company’s trading platform at 9:30 a.m. every Monday for several weeks, until the offending software could be found and removed. UBS Paine Webber spent over $3 million to correct the situation.

In addition to the direct losses involved, significant losses of revenue can arise from attendant periods of shut-down and cleanup. A widely-publicized event involved E*Trade, which suffered an insured loss in excess of $5,000,000 arising out of downtime following a hacking incident.

Thieves can steal money or other assets by breaking into or abusing rights to an organization’s systems. There have been hundreds of examples—just enter “cyber theft” or similar terms into your favorite search engine. Bill Wall has compiled a listing of many of the most-publicized hacking events, going back to 1961.

A more recent example of first-party loss arises from extortionate threats to shut down (through a denial-of-service attack) or sabotage system elements. One incident involved a dismissed and disgruntled IT employee who hacked back into his employer’s system and then, over the course of several weeks, encrypted the entire database of his former employer. He subsequently (and anonymously) demanded $2 million in ransom to provide the encryption key. If law enforcement had not located the perpetrator and “convinced” him to turn over the key, it would have cost more than $10 million in super-computer and employee time to have decrypted the database independently.

Electronic discovery has become a complete sub-specialty in the practice of law. Organizations have been overwhelmed with the costs of producing electronic history and the ramifications of what has been found (or found to have been destroyed) in the process. (A good article introducing this subject appears at Jenner.)

Understand Third-Party Losses

Courts have found businesses liable for libelous content of employee e-mails. Other third-party loss occurrences have involved allegations of having a computer virus transmitted through a defendant’s computer network into the plaintiff’s system. Suits and claims involving misuse or appropriation of intellectual property are increasingly frequent, and include infringement of copyright and trademark as well as plagiarism. Even posting an unauthorized link to parts of another’s web site can lead to expensive litigation. (A good article on the perils of hyperlinking appears at the Internet Library of Law and Court Decisions.)

“Professional” or E&O liability losses can arise from businesses that rely on computers, such as those suffered by a telemarketing firm whose automatic dialing system was inadvertently programmed to call hundreds of customers for a client bank to cross-sell a new bank product at 4:00 a.m. (!) instead of 4:00 p.m. This resulted (as one might expect) in a loss of business for the bank, which then sought to recover against the telemarketer.

Losses and costs involved with privacy law violations can be among the most severe, and contain elements of both first-party (costs to notify, interruption of business) and third-party (arising out of duties to protect customer or client data) losses.

Manage The Risks Through Loss Control

In the discipline of risk management, after exposures to loss have been identified (and perhaps quantified and prioritized), solutions for handling those risks should be selected and implemented. A widely-accepted solution to most risks is loss control—keeping the loss from ever happening and/or minimizing the severity of losses that do happen. Loss control solutions for cyber risks include information technology (“IT”) elements and policy/procedure implementations. Both of these solution sets should be thought of as “cost of admission” activities today. They are foundational components to any modern business plan.

IT solutions include:

• Establishing and maintaining good hardware and software firewalls
• Making sure anti-virus and anti-spyware tools are always active on all servers and workstations, with regular updates
• Installing intrusion detection and deterrent systems
• Ensuring encryption appropriate to the sensitivity of content
• Performing regular and regularly-tested backups (with good security on the backup media)
• Content filtering
• Adopting ISO 17799 standards (www.iso-17799.com)

Clearly communicated, up-to-date and enforced policies and procedures are also requisite, and would include:

• A professionally-drafted IT security policy
• Employee (and volunteer) Internet and e-mail use policies which are kept up to date in the Employee Handbook
• A well-considered disaster recovery plan, updated regularly and communicated to all key stakeholders and participants
• Procedures for regularly patching and updating all software on all boxes

Keep in mind that these loss control activities are only a start, and that they are not 100% effective. IT solutions are typically developed in reaction to emergent, known threats, but the “bad guys” are often a step or two ahead. Policy and procedure implementation always depends on human beings; we all know what that implies.

Contractually Transfer Risk When Possible

Some of the cyber risks arising from relationships with vendors, customers, suppliers and the general public can be mitigated through the appropriate use of hold-harmless wording, indemnification agreements and/or carefully-worded privacy statements. Most lawyers will be comfortable navigating these waters.

Risk may also be transferred to underwriting insurance companies. However, standard business insurance policy language was drafted long before the Internet Era. Organizations that have lost valuable electronic data or intellectual property due to a variety of perils have usually been disappointed in their attempts to get their property insurers to indemnify them. Similarly, standard liability policies are triggered by policy-defined “Bodily Injury” and “Property Damage” events; courts have agreed with insurers that few third-party cyber-losses involve BI or PD.

Many of the gray areas that still might seem to be covered by traditional insurance forms have now been blacked out with the introduction of clarifying exclusionary endorsements and policy wording now commonly appearing on insurance renewals. The message is clear: if you or your clients want to be insured against cyber perils, buy cyber insurance.

Navigate The Forest Of Cyber Insurance

Fortunately, the market for such specialty insurance is sizable, growing fast and becoming more affordable. Unfortunately, the market for such specialty insurance is sizable, changing almost daily and contains no standardized products. Even a competent, experienced and technologically savvy insurance agent or broker has no business wandering through this territory alone.

Serendipitously, a few years back, our insurance agency established a working relationship with one of the true experts in the cyber insurance space—David Hallstrom, who works out of the Chicago office of Risk Placement Services, Inc., one of the largest insurance wholesalers in the country. He and other specialists in his office keep up with the world of cyber insurance. It takes someone with this level of involvement and experience to find the one best cyber-insurance solution for a particular organization or firm.

In the forest of cyber insurance, one can find scores of specialty policies that cover just a few perils, but there are at least a dozen modular policies that can be customized to include any number of coverage elements. Some of the major coverage options may include:

• Media Liability
• Network Security
• Professional (Errors & Omissions) Liability
• Damage to Your Systems
• Business Interruption
• Electronic Theft
• Threats / Extortion
• Privacy Notification

In a subsequent article I will discuss the insuring agreements and some of the coverage elements for each of these classes of cyber insurance. Even a general knowledge of these coverages will not suffice, though, when it comes to recommending one policy form over another. For example, the majority of network security liability policies sold to technology firms (such as those who manage the networks for other businesses) contain an “intentional acts of employees” exclusion—despite the fact that more than one-third of the attacks against such firms arise out of the malicious acts of current or former employees.

While the most-publicized cyber breaches involve large companies, even the smallest organizations can be hit. Small and mid-sized firms often have fewer resources and skills for technology risk control, and may have only modest financial reserves; most would be wise to heed the advice to insure their cyber exposures.

Understand Privacy Rights

Recently, Privacy Rights Clearinghouse reported that “Over 167 million data records of U.S. residents have been exposed to security breaches since 2005.” This past January it was reported, “At least 35 states have enacted legislation requiring companies and/or government agencies to disclose security breaches involving personal information.” See NCSL for a schedule of states and their respective statutes.

Depending on circumstances and the types of records lost, the initial costs following a security breach will range from $10 to $30 per record (this would include internal investigation, notification costs, crisis management fees, and costs to comply with other state and federal statutes and regulations). A “Data Loss Calculator” also lists the damage amounts (from $1,000 to $22,000 per person) being sought in several pending class action lawsuits that involve data breaches. How many of your firm’s business or not-for-profit clients could afford a data breach? Have you made them aware of the risk?

The productivity gains and lifestyle improvements (or at least pace-of-life speedups) arising out of electronic technologies are dramatic and world-changing. These changes have concurrently introduced entirely new classes of perils and risks of loss. You would do well to include these cyber risks in your business analyses, and to be aware of the insurance and other risk management solutions that exist to manage them.

__________________
ACKNOWLEDGEMENT

I am indebted to David Hallstrom for help with the organization and content of this article, taken with his kind permission from one of his recent presentations.