<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>http://www.cyberinquirer.com/</title>
	
	<link>http://cyberinquirer.com</link>
	<description>News and Views on Recent Developments in Cyber Law and Insurance</description>
	<lastBuildDate>Wed, 22 Feb 2012 01:09:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/cyberinquirer" /><feedburner:info uri="cyberinquirer" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>cyberinquirer</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>UPDATE: Whose Account Is It Still?</title>
		<link>http://cyberinquirer.com/2012/02/21/update-whose-account-is-it-still/</link>
		<comments>http://cyberinquirer.com/2012/02/21/update-whose-account-is-it-still/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 19:38:04 +0000</pubDate>
		<dc:creator>Michael Schmidt</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Domain Names]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3715</guid>
		<description><![CDATA[The following article was first published by our colleague Michael Schmidt on his blog, Social Media Employment Law Blog. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike. Two weeks ago, I discussed the California [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article was first published by our colleague Michael Schmidt on his blog, <a href="http://www.socialmediaemploymentlawblog.com/opinions/update-whose-account-is-it-still/">Social Media Employment Law Blog</a>. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike.</strong></p>
<p><img class="alignleft" src="http://cindykimblog.files.wordpress.com/2010/02/social-media-risks_image_0203101.jpg?w=225&amp;h=225" alt="" width="225" height="144" /><strong><span style="color: #333399;">Two weeks ago, </span><a href="http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/"><span style="color: #333399;">I discussed the California case </span></a><span style="color: #333399;">of PhoneDog v. Kravitz, where an employee, who used a company Twitter account as part of his job duties, left the company and continued to use the same Twitter account and tweet to the same followers. The (former) employee claimed that he had the right to continue tweeting, and PhoneDog responded that he was barking up the wrong tree (best I could do at the moment). As I mentioned in my last post, the court had denied the employee’s attempt to dismiss the entire case at inception, and allowed the company to amend its complaint to provide more specificity on some of its claims. Time for an update.</span></strong></p>
<p><span id="more-3715"></span>Since that decision, PhoneDog amended its complaint to re-allege claims for intentional interference with prospective economic advantage and negligent interference with prospective economic advantage. Then, the employee filed another request to dismiss those two claims, demonstrating that he was up for a dog fight (I’m trying). Three days ago, on January 30th, the court again denied the employee’s dismissal request, ruling that the company had now sufficiently clarified – at least for pleading purposes – how it did have economic relations with the 17,000 followers of the Twitter account, and how those relations were disrupted by the employee’s post-resignation conduct. The impact of that ruling is that PhoneDog can now proceed with the case, and that the employee will be forced to spend significant time and money responding to requests for information and documents, and appearing at depositions.</p>
<p>Employer Take Away: What should you as an employer take away from this development?</p>
<p>In the dog-eat-dog world of competition between companies and their employees (I’m gaining some momentum here), the outcome of this case may provide our first definitive guidance on the questions of how we should define a “trade secret” when it comes to social media, and the extent to which social media forums and networks belong to the employer or the employee. In the meantime, those issues can be addressed to a large extent by having your employees sign appropriate agreements that define these ownership issues.</p>
<p>We will continue to monitor the PhoneDog case for you, and update you on any significant developments. Until then (I’m ready for a big finish)… We may not learn much before the dog days of summer, but it may just be that, in the end, the former employee can’t be running with both hounds and hares when it comes to being provided access to a Twitter audience by his employer and then trying to keep that audience when he leaves.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/02/21/update-whose-account-is-it-still/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Access to Insured’s Social Media Accounts: No Friend Request Necessary</title>
		<link>http://cyberinquirer.com/2012/02/06/access-to-insured%e2%80%99s-social-media-accounts-no-friend-request-necessary-2/</link>
		<comments>http://cyberinquirer.com/2012/02/06/access-to-insured%e2%80%99s-social-media-accounts-no-friend-request-necessary-2/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 01:46:52 +0000</pubDate>
		<dc:creator>Nicole Moody</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Discovery]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Subpoenas]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3696</guid>
		<description><![CDATA[The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here. Rick Bortnick Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article, written by my colleague Nicole Moody, first appeared in the <em>Chicago Daily Law Bulletin</em>. Thanks to Nicole for allowing us to republish it here.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<p><a href="http://www.wizmarketings.com/wp-content/uploads/2011/06/Austin-Social-Media-Marketing.jpg"><img class="alignleft" src="http://www.wizmarketings.com/wp-content/uploads/2011/06/Austin-Social-Media-Marketing.jpg" alt="" width="210" height="210" /></a><strong><span style="color: #333399;">Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request.  Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.</span></strong></p>
<p>Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.</p>
<p>In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation. </p>
<p><span id="more-3696"></span>Not surprisingly, in coverage litigation, insurance companies are requesting access to information contained in their insured’s social media accounts, such as Facebook. Currently, courts are divided as to whether insurers or other involved entities are entitled to non-public portions of the social media account, requiring disclosure of usernames and passwords. As the cases below suggest, whether an insurer or other entity may view privately-held information depends on whether the publicly-shared information provides a factual predicate for further discovery into the insured’s social media account.</p>
<p>Several cases have upheld an insurer’s right to subpoena its insured’s Facebook or other social media account in coverage litigation. In <em>Beye v. Horizon Blue Cross Blue Shield of New Jersey</em>, the plaintiffs, parents of children who allegedly suffer from anorexia or bulimia, sued their health insurer for denying claims for benefits for their children. The plaintiffs asked the court to reconsider ordering them to produce information contained on their children’s social media accounts.  While declining to vacate its order, the court modified the information that must be disclosed.  To alleviate privacy concerns, the court required only production of the entries made on Facebook or MySpace that the beneficiaries shared with others. The court explained that “[t]he privacy concerns are far less where the beneficiary herself chose to disclose the information.”</p>
<p>A recent New York Supreme Court case demonstrates both the impact that information posted on Facebook has on an insurer’s coverage analysis as well as the Court’s hesitation to provide unfettered access into a personal Facebook account. The insured sought underinsured motorist benefits after he allegedly suffered personal injuries as a result of a car accident. The insured claimed that “he was unable to work, had difficulty walking, and was unable to lift heavy objects, run, ski, dance, or walk up stairs.” The insurance company argued that no coverage existed as the insured breached its contract by misrepresenting material facts in violation of the insurance policy. In support of its argument, the insurer pointed to pictures of the insured posted on “publicly available portions” of his Facebook account. These photographs depicted the insured participating in numerous activities, including standing on top of a pool slide, climbing the pool’s ladder, and bending over a boat trailer. Several of the photographs were included in an album entitled, “Another day of play . . . . I gotta get a job.” </p>
<p>In light of this information, the insurer sought additional discovery and an order compelling the insured to provide unlimited access to his Facebook account. The Court held that additional discovery, including unlimited access to the insured’s Facebook account, was unwarranted at that time. The Court found that this discovery request was overly broad and that there was no showing that the material sought was necessary and not cumulative. Significantly, however, the Court left the door open to a narrower discovery request for such information.</p>
<p>Due to Facebook’s global presence, the issue concerning discoverability of information contained on Facebook is not only a concern in the United States.  In 2009, a Canadian woman’s disability benefits were discontinued after the insurance company found pictures of her seemingly having a good time on vacation. She had been on leave from her job and receiving disability benefits for severe depression. While the insurance company claimed that the Facebook pictures were only a “piece of the puzzle,” they undoubtedly played a significant role in the insurance company’s decision to discontinue her disability benefits. </p>
<p>Discoverability of social media information is not only of interest to an insurer in coverage litigation, but is also significant for insurers who are providing a defense for their insureds in litigation. In <em>Zimmerman v. Weis Markets, Inc.</em>, a Pennsylvania court was not deterred by privacy concerns when it compelled access to social media accounts.  The plaintiff sued the defendant after he allegedly suffered injuries while operating a forklift at the defendant’s warehouse. The court ordered the plaintiff to disclose his username and passwords for any and all MySpace or Facebook accounts to the defendant. </p>
<p>Accordingly, the court permitted discovery into the non-public portions of the plaintiff’s Facebook and MySpace accounts to determine whether the insured suffered the physical injuries claimed in his complaint. The court reasoned that “Facebook’s privacy policy explains that users post any content on the site at their own risk and informs users that this information may become publicly available.” At the same time, the court clarified that it did not support “a carte blanche entitlement to Facebook and MySpace” as part of discovery requests. Rather, the court noted that review of the publicly available information warranted further discovery into the privately-held information.</p>
<p>In both coverage litigation against the insured and defending the insured in underlying litigation, discoverability of information contained in social media accounts is significant in assessing liability and preparing litigation strategy.  As these cases illustrate, in addition to publicly-available information, access to an insured’s privately-held information in its social media account may be compelled, especially if the discovery request is properly supported by facts casting doubt on the genuineness of the insured’s representations. In today’s world, it seems as though the information previously only attainable by an accepted “friend request” can just as likely be attained by a “discovery request.”</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/02/06/access-to-insured%e2%80%99s-social-media-accounts-no-friend-request-necessary-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Must Attend Event for European Readers: Advisen’s Cyber Liability Insights Conference</title>
		<link>http://cyberinquirer.com/2012/02/01/a-must-attend-event-for-european-readers-advisens-cyber-liability-insights-conference/</link>
		<comments>http://cyberinquirer.com/2012/02/01/a-must-attend-event-for-european-readers-advisens-cyber-liability-insights-conference/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 01:43:51 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[General Interest]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3674</guid>
		<description><![CDATA[I strongly encourage our many European readers to attend the upcoming Advisen Cyber Liability Insights Conference to be held on 13 March at The Willis Building in the City. The inaugural Cyber Insights Conference which Advisen presented in NYC in October was a smashing success and the program planners are expecting an  equally respectable turnout in London. Our friends at Advisen have recruited thought [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://corner.advisen.com/corner_img/CLIC_London_Logo.png"><img class="alignleft" src="http://corner.advisen.com/corner_img/CLIC_London_Logo.png" alt="" width="252" height="102" /></a><span style="color: #333399;"><strong>I strongly encourage our many European readers to attend the upcoming Advisen Cyber Liability Insights Conference to be held on 13 March at The Willis Building in the City. The inaugural Cyber Insights Conference which Advisen presented in NYC in October was a smashing success and the program planners are expecting an equally respectable turnout in London.</strong></span></p>
<p>Our friends at Advisen have recruited thought leaders from across the European cyber and technology industries (and a certain U.S. lawyer/blogger) to discuss a myriad of topics of interest to underwriters, brokers and risk managers alike. Speakers include luminaries such as Paul Bantick of Beazley, Stephen Boddington of Chartis, Robert Bond of Speechly Bircham, Dan Trueman of ANV, Chris Cotterell of Safeonline, Emily Freeman of Lockton, Simon Milner of JLT Specialty, Joe Trotti and Jeremy Smith of Willis, Tony Dearsley of Kroll Ontrack, Stewart Room of Field Fisher Waterhouse, Andrew Horrocks of Clydes, yours truly, and a host of others.</p>
<p>Among other cutting-edge topics, we will discuss Privacy and Data Security Regulation, Coverages and Coverage Issues, CyberSecurity Disclosures and Exposures, and Data Breach Responses and Strategies.</p>
<p>Equally important, the program is priced at a level that firms and companies will find extremely attractive. And did I mention that there is no cost at all for Risk Managers to attend?</p>
<p>For program and registration information, please visit<strong> <a href="https://www.signup4.net/Public/ap.aspx?EID=CYBE21E">https://www.signup4.net/Public/ap.aspx?EID=CYBE21E</a></strong>. Or, feel free to drop me a line at<span style="color: #333399;"><strong> <a href="mailto:rbortnick@cozen.com"><span style="color: #333399;">rbortnick@cozen.com</span></a><span style="color: #333399;">.</span></strong></span></p>
<p>I look forward to seeing everyone there!</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/02/01/a-must-attend-event-for-european-readers-advisens-cyber-liability-insights-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Whose Account Is It Anyway?</title>
		<link>http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/</link>
		<comments>http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/#comments</comments>
		<pubDate>Sat, 28 Jan 2012 16:53:21 +0000</pubDate>
		<dc:creator>Michael Schmidt</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Domain Names]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3664</guid>
		<description><![CDATA[The following article was first published by our colleague Michael Schmidt on his blog, Social Media Employment Law Blog. It is part of our continuing effort to keep Cyberinquirer readers on top of decisions relevant to Social Media in the context of litigation. Thanks for the reprint, Mike. What would you do if your employee continued to use [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article was first published by our colleague Michael Schmidt on his blog, <a href="http://www.socialmediaemploymentlawblog.com/general-social-mediaemployment-law-discussion/whose-account-is-it-anyway/">Social Media Employment Law Blog</a>. It is part of our continuing effort to keep <em>Cyberinquirer </em>readers on top of decisions relevant to Social Media in the context of<a href="http://cindykimblog.files.wordpress.com/2010/02/social-media-risks_image_0203101.jpg?w=225&amp;h=225"><img class="alignleft" src="http://cindykimblog.files.wordpress.com/2010/02/social-media-risks_image_0203101.jpg?w=448&amp;h=289" alt="" width="228" height="228" /></a> litigation. Thanks for the reprint, Mike.</strong></p>
<p><strong><span style="color: #333399;">What would you do if your employee continued to use your company’s Twitter account after he stopped working for you?</span></strong></p>
<p><strong><span style="color: #333399;">What if your (former) employee claimed that he, not your company, actually owned the rights to the Twitter followers?</span></strong></p>
<p><strong><span style="color: #333399;">Ever thought about it?</span></strong></p>
<p><strong><span style="color: #333399;">I have posted several times about how social media has not created new causes of action, but rather has provided a new application for traditional claims. One of the areas that I surmised would develop in time was the interplay between social media and post-employment competition and trade secret rights. According to two new decisions, that time has apparently come.</span></strong></p>
<p><strong><span style="color: #333399;">In PhoneDog v. Kravitz (Northern District of California), the company gave its employee (Kravitz) use of a Twitter account as part of his employment. Kravitz tweeted information to promote the company’s services, and generated approximately 17,000 followers. Kravitz left the company, and, while he changed the account “handle”, he continued to use the same account to tweet to the same followers. PhoneDog sued Kravitz for continuing to use the Twitter account, claiming that the “compilation of subscribers and the password used to access the account” constituted company trade secrets. Valuing each of the 17,000 followers at $2.50, the company sought damages of $340,000 for “stealing” each of those followers for 8 months.</span></strong></p>
<p><span id="more-3664"></span>The court denied Kravitz’s request for immediate dismissal of the entire case, finding that the complaint sufficiently alleged (for initial, liberal allegation purposes) a trade secret/misappropriation claim, and, thus, that the parties would have to further develop their positions through discovery. The court also refused to dismiss the company’s claim that the Twitter account (and not just the “handle”) constituted company property and should have been surrendered at termination.</p>
<p>Similar issues were raised in Eagle v. Edcomm, Inc. (Eastern District of Pennsylvania), though this time involving LinkedIn. Dr. Eagle had a Ph.D in communication and psychology, and co-founded Edcomm, Inc. to provide financial and related training services. Eagle established a LinkedIn account (with the assistance of company administration, who knew the password), which she used in part to promote the company’s services, as well as to develop her professional reputation and network. After the company was purchased by a third party, Eagle and others were terminated, and the company later changed Eagle’s password and her account profile to display the name and photo of the company’s new chief executive officer.</p>
<p>Eagle sued the company, alleging violations of the Computer Fraud and Abuse Act, and identity misappropriation/theft. The company asserted a counterclaim, arguing that the LinkedIn account was created using the company’s e-mail addresses and substantive templates to provide certain information, which rendered the accounts company property. In its decision on Eagle’s request for the immediate dismissal of the counterclaim, the court ruled that certain company claims could advance. Of note, the court found that the company is entitled to develop through discovery that it was its own staff that “developed the [LinkedIn] accounts and maintained the connections, which are the route through which” the company has its relationships with client contacts to provide services. In the end, as with the PhoneDog case, the court was not willing to make a determination as to ownership of the social media account at the early stages of the case.</p>
<p>What should an employer take away from this development?</p>
<p>There are a few issues that were not addressed by either of these inception-stage decisions, including the extent to which the account’s user agreements should play a role in determining appropriate expectations and true ownership rights between employer and employee. Nevertheless, your company should consider creating policies and agreements that address not only the substance of what is posted or done through social media, but also the important ownership and access issues that may arise during, and particularly after, an employee’s employment. That is especially true for any employees whose job duties include engaging in social media activities on behalf of your company.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2012/01/28/whose-account-is-it-anyway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Coverage Question</title>
		<link>http://cyberinquirer.com/2011/12/25/the-coverage-question/</link>
		<comments>http://cyberinquirer.com/2011/12/25/the-coverage-question/#comments</comments>
		<pubDate>Sun, 25 Dec 2011 21:11:07 +0000</pubDate>
		<dc:creator>Gregg Rapoport</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Credit Profile Number (CPN)]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Crisis Management]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Personal Health Information]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Security Numbers]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3621</guid>
		<description><![CDATA[We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters.  The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in [...]]]></description>
			<content:encoded><![CDATA[<p><strong>We are grateful to the rapidly-growing number of <em>Cyberinquirer </em>readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters. </strong></p>
<p><strong>The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<p><img class="alignleft size-thumbnail wp-image-3627" title="neon-insurance" src="http://cyberinquirer.com/wp-content/uploads/2011/12/neon-insurance1-150x150.jpg" alt="" width="150" height="150" /><span style="color: #333399;"><strong>As they confront the sobering question of whether their networks and the data they carry are fully secure, today&#8217;s &#8220;C-level&#8221; executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.</strong></span></p>
<p>To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.</p>
<p><span id="more-3621"></span>Additionally, companies are assessing their contractual relationships with vendors with respect to protecting sensitive data, confirming that the company is fully indemnified and also enjoys the status of an additional insured under a vendor&#8217;s own insurance.</p>
<p>Cyber-risk insurance goes by various names, most of which include one or more terms such as &#8220;data,&#8221; &#8220;cyber,&#8221; &#8220;network&#8221; and &#8220;privacy.&#8221; This insurance has evolved over the past decade to become a standalone product rather than the assortment of special cyber-endorsements that had been tacked onto traditional policies covering commercial general liability, employer practices, directors and officers, commercial crime, fidelity bond, professional liability, and errors and omissions.</p>
<p>These endorsements had provided tailored coverage that otherwise may have been excluded, such as losses from &#8220;digital asset replacement expense,&#8221; &#8220;electronic data processing hardware and software,&#8221; &#8220;computer and funds transfer fraud,&#8221; &#8220;computer extortion,&#8221; and &#8220;crisis management and public relations,&#8221; as well as third party losses from &#8220;breach of privacy and security,&#8221; &#8220;media liability,&#8221; and &#8220;governmental fines and penalties.&#8221; The current offerings include some or all of these coverages, but unlike many traditional policies, are not necessarily built off of standardized ISO forms and are far from interchangeable in terms of both coverage provisions and exclusions.</p>
<p>Litigation involving insurance coverage for data breaches is becoming increasingly prevalent, with a number of courts addressing the reach of various traditional business policies. Clear guidance from the courts is somewhat elusive, however. So before drawing too many conclusions from one or two high-profile examples, it is essential to consider specific policy language and weigh the significance of prior judicial interpretations.</p>
<p>For example, an insured business that tenders a data breach claim against its existing CGL policy could get push-back from its carrier, as Sony recently discovered when it sought coverage against privacy litigation after its PlayStation Network was breached in April and the personal data of approximately 77 million customers was stolen. The typical CGL policy includes complex and debatable definitions of several key terms, as well as potentially ambiguous exclusions relating to electronic data. Commercial crime and E&amp;O policies have also been the subject of coverage disputes arising from data breaches, with varying outcomes and ongoing cases now in the appellate courts.</p>
<p>It is still too early to predict the extent of coverage disputes relating to standalone cyber policies, but risk managers should expect the courts to begin hearing these cases in the near future. In short, great care should be taken before making any assumptions about whether coverage will or will not be found in a given case.</p>
<p>A risk manager thus faces the daunting task of assessing a highly technical set of security risks. He or she must weigh all the potential legal, financial, competitive and reputational consequences, compare those against existing insurance policies and determine if there is a need for specialized coverage. A mistake could devastate the company in the event of a data breach. Additionally, once an appropriate cyber-risk policy is selected, the company may undergo a technical audit by underwriters and may need to invest in additional security measures.</p>
<p>Due to the gravity and complexity of this process, it should involve a series of discussions among members of a team that includes well-informed risk, insurance, legal and information security professionals. Together, this partnership of experts will attempt to place the company&#8217;s needs somewhere along a spectrum of possible exposures and outcomes.</p>
<p>At one end of the spectrum, no new coverage may be needed. For example, a software maker that already carries &#8220;tech E&amp;O&#8221; insurance may already be sufficiently insured against the peril of a customer&#8217;s damage claims for negligence arising from a data breach incident. At the other end, some coverage may be impossible to obtain, such as insurance for punitive damages, which is largely prohibited as a matter of public policy. Most companies face potential outcomes that fall in the middle of the spectrum, where the decision is most complex.</p>
<p>Certain questions can provide a framework for the team to exchange information and reach a consensus on appropriate coverage. Here are 10 that every company should ask:</p>
<p>1. What is the nature of the data that may be compromised in a network security breach incident?<br />
2. What is the scope of the business risk that would arise from an attack on the network that involves the loss of data, the corruption of its integrity or the inability to access that data?<br />
3. What technology controls have we used to mitigate this risk?<br />
4. To what extent will our existing insurance policies cover this exposure?<br />
5. What are the features and limits of cyber-risk policies available to address the residual risk, and how much do they cost?<br />
6. Could we implement additional controls now to qualify for cyber-risk insurance at a lower cost?<br />
7. Are there any additional controls the insurance underwriters would require as a condition for coverage?<br />
8. Are there other steps we can take to reduce exposure to data breaches involving vendors and independent contractors who handle our data?<br />
9. Until the courts address and resolve potential cyber policy coverage issues, what legal uncertainties will we continue to face, and can those be addressed by negotiating endorsements?<br />
10. Whatever our decision today, under what circumstances should we revisit these issues?</p>
<p>By raising and responding to these questions, the management and advisory team will be able to navigate the company&#8217;s course through this largely uncharted territory and provide critical protection against evolving cyber-risk exposures.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/25/the-coverage-question/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An Insurer’s View: Examining the Rising Costs of Breaches</title>
		<link>http://cyberinquirer.com/2011/12/16/an-insurers-view-examining-the-rising-costs-of-breaches/</link>
		<comments>http://cyberinquirer.com/2011/12/16/an-insurers-view-examining-the-rising-costs-of-breaches/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 18:09:49 +0000</pubDate>
		<dc:creator>Rick Welsh</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Crisis Management]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Personal Health Information]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3598</guid>
		<description><![CDATA[The following article, written by renowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication. Rick Bortnick Today, no company &#8211; even with comprehensive privacy policies and practices &#8211; can be safe from data breaches. Can [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article, written by renowned London Market underwriter Rick Welsh, was first published in the November 2011 <em>Data Guidance</em> newsletter. A shout out to Rick for passing it on to us for republication.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<div class="mceTemp">
<dl class="wp-caption alignleft" style="width: 210px;">
<dt class="wp-caption-dt"><a href="http://4.bp.blogspot.com/_wgns7r5yd8c/SrPHugvNbqI/AAAAAAAAI5A/T-Es6FhnCig/s1600/data%20breach-thumb-640x200.jpg"><img src="http://4.bp.blogspot.com/_wgns7r5yd8c/SrPHugvNbqI/AAAAAAAAI5A/T-Es6FhnCig/s1600/data%20breach-thumb-640x200.jpg" alt="" width="200" height="240" /></a></dt>
<dd class="wp-caption-dd"></dd>
</dl>
</div>
<p><span style="color: #333399;"><strong>Today, no company &#8211; even with comprehensive privacy policies and practices &#8211; can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or &#8216;cyber crime&#8217; identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric&#8217;s limitations and the true exposure and cost of data breaches.</strong></span></p>
<p>The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced to express the rising cost of data breaches. The second annual &#8216;Cost of Cyber Crime Study&#8217;, issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range of $1.5 million to $36.5 million. The annualised average was up 56% from the previous year&#8217;s study.</p>
<p><span id="more-3598"></span>The study takes into account a wide range of business costs, including expenses for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyses the economic impact of lost or diminished customer trust as measured by customer churn or turnover rates. The insurers, however, are convinced that the true cost, and therefore exposure, is far higher.</p>
<p>To illustrate, the Study provides a cost calculator which, for the purposes of this article, was used to provide a sample cost analysis for a fictitious company with the following attributes:</p>
<p>- part of the financial services industry;<br />
- a formal privacy and data protection security data policy has been implemented across the entire enterprise;<br />
- handles consumer and customer data, including credit card information;<br />
- handles employee records;<br />
- the company is unsure of the most likely cause of a data breach;<br />
- employees store sensitive data on laptops or removable storage;<br />
- sensitive data on all laptops or removable storage is encrypted;<br />
- there is a dedicated information security officer;<br />
- global headcount is between 25,001 and 75,000;<br />
- operations in all global regions;<br />
- is headquartered in the UK; and<br />
- an estimated 100,000 records are at risk in the event of a data breach.</p>
<p>Based on these inputs and the Ponemon Institute&#8217;s trend data, the risk exposure is as follows:</p>
<p>- Companies in the financial services industry with that risk profile have a likelihood of experiencing a data breach in the next 12 months of 9.3%.<br />
- The average cost per record is $66.<br />
- The average cost per breach is $7,906,667.</p>
<p>This is a necessarily subjective test, with obvious limitations. However, all of the recent large breaches and new regulatory focus &#8211; in the EU, US and globally &#8211; suggest that this cannot be a true measure of exposure, nor any true measure of the cost of a breach.</p>
<p>We believe that the true exposure faced by our clients necessitates a deeper understanding and more aggressive costing of reputational risk, shareholder/stakeholder risk and intellectual property risk.</p>
<p>The persistence and sophistication of the new corporate threats are significant, with attacks seeking more attractive payloads than credit card and personal health information (PHI) data. Although by its very nature accurate breach data is difficult to obtain, a secret report by the Canadian government published in November 2010 stated that 86% of all large Canadian corporations had been attacked. The report also stated that espionage hacking of the private sector has doubled in two years.</p>
<p>A March 2010 Forrester Research report found that proprietary knowledge and company secrets are twice as valuable as custodial data, which refers to payment card information and customer and medical data.</p>
<p>Media coverage after a data breach can affect a company&#8217;s brand reputation and shareholder value and therefore breaches are underreported. McAfee&#8217;s 2009 report on the Unsecured Economies, the first global study on the security of information economies, found that companies worldwide lost more than an estimated $1 trillion in 2008 due to data leaks, the cost of remediation and reputational damage.</p>
<p>The Report suggests that:</p>
<p>- One in seven companies has not reported data breaches to outside government agencies or authorities, or stockholders.<br />
- Only three in ten companies report all data breaches suffered, while one in ten companies will only report breaches that they are legally obliged to, and no more.<br />
- Six in ten companies currently &#8216;pick and choose&#8217; the breaches they report, depending on how they feel about them.<br />
- Almost half of surveyed companies experienced a small data breach, and almost a quarter of companies suffered a data breach in the last year.<br />
- Around a quarter of companies have had a merger and acquisition (M&amp;A) or a new product/solution rollout stopped or slowed by a data breach, or the credible threat of a data breach.</p>
<p>The admission of a significant vulnerability could flag other attackers, so very few companies are willing to be public about intellectual capital losses. M&amp;A activity, partnerships and product rollouts are all potential victims of cyber theft and the miscreants of the underground economy.</p>
<p>Perhaps this is why only a quarter of companies conduct forensic analysis of a breach, and only half of them take steps to remediate and protect systems for the future after a breach or attempted breach. More than half of companies have, at some point in their history, decided not to investigate a security incident because of the cost of such an investigation. Companies are more likely to investigate a small data breach internally, rather than bringing in external help. This lack of investigation means that potential vectors of attacks are not shored up and future threat persists: insiders are not identified, and incongruities are not investigated to identify a larger threat. This lack of remediation may open up companies to the risks of future breaches.</p>
<p>It is believed that this underground economy will continue to fuel rising exposure for companies. Yet, as difficult as it is for insurers and companies to measure this nebulous cost, there are new, more estimable exposures, and therefore costs, being added to the risk landscape: broader analysis includes the wider effects of a data breach such as:</p>
<p>- loss of brand or reputation, potential for regulatory actions, investigations, fines or penalties;<br />
- loss of customer goodwill, whether this is measured by turnover, client retention or balance sheet intangible assets;<br />
- claims against company directors and senior officers by customers and/or shareholders, including class actions or representative proceedings in the US, EU or Australia;<br />
- supply chain disruption or other contingent business interruption to the company&#8217;s operations;<br />
- loss of tangible assets such as monetary instruments or financial securities;<br />
- potential for future extortion against the company or its directors and senior officers;<br />
- claims for breach of confidentiality, copyright and intellectual property; and<br />
- industry-specific fines and penalties (such as for financial services, payment-card industry, healthcare).</p>
<p>Although insurers provide products to cover many of these exposures, the newest spectres are claims by shareholders and stakeholders against company directors, and class actions. The recent $4.9 billion lawsuit &#8211; stemming from a breach of back-up tapes containing personal information of almost five million US soldiers &#8211; confirms that the likelihood of consumers winning such a claim is still not high, unless they are able to show that the breach led to personal damages, such as non-reimbursed credit card fraud charges. Most case law torts in the US (and Australia) require the claimants to suffer some type of harm.</p>
<p>But legal sentiment may be changing: an appeals court in Boston last month ruled that a lawsuit could continue against grocery chain Hannaford Bros., which lost more than four million credit and debit card numbers in 2007. A three-judge panel ruled that fees paid by consumers for identity theft insurance and new cards, taken as a proactive measure following the breach, could constitute financial damages.</p>
<p>More worryingly, this is not confined to the US; we believe that this development will spread eventually to Australia, Canada and the EU. The possible introduction of a statutory cause of action for breach of privacy in these jurisdictions will likely increase liability exposure to data breaches. A cause of action obviously increases the potential financial exposure to companies. Coupled with a large-scale privacy breach, it also increases the possibility of class actions.</p>
<p>Are class actions far away?</p>
<p>If a security breach is attributable to a failure by a company to take reasonable steps to implement robust e-security architecture, shareholders may want to know what steps (if any) the directors took to prevent the breach. After all, directors have a duty to exercise fiduciary care and due diligence in the protection of corporate assets and loss minimisation. Therefore, claims against directors and officers should be considered as part of the true cost of data breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/16/an-insurers-view-examining-the-rising-costs-of-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Insurance Recovery for Loss or Liability Arising from Cyberattacks: Obtain and Preserve Insurance for Your Company’s Protection</title>
		<link>http://cyberinquirer.com/2011/12/15/insurance-recovery-for-loss-or-liability-arising-from-cyberattacks-obtain-and-preserve-insurance-for-your-companys-protection/</link>
		<comments>http://cyberinquirer.com/2011/12/15/insurance-recovery-for-loss-or-liability-arising-from-cyberattacks-obtain-and-preserve-insurance-for-your-companys-protection/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 01:10:22 +0000</pubDate>
		<dc:creator>Scott Godes</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Hospitality Industry]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Liability Insurance]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3571</guid>
		<description><![CDATA[The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott&#8217;s personal site, Corporate Insurance Blog, after being published by Hospitality Upgrade magazine. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott&#8217;s personal site, <a href="http://corporateinsuranceblog.com/">Corporate Insurance Blog</a>, after being published by <a title="Hospitality Upgrade magazine" href="http://www.hospitalityupgrade.com/_magazine/magazineYear-Y-2011.asp" target="_blank">Hospitality Upgrade magazine</a>. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. </strong></p>
<p><strong>Rick Bortnick</strong></p>
<table cellspacing="0" cellpadding="0" width="100%">
<tbody>
<tr>
<td> </td>
</tr>
<tr align="center">
<td> </td>
</tr>
<tr>
<td><img class="alignleft size-thumbnail wp-image-3585" src="http://cyberinquirer.com/wp-content/uploads/2011/12/hospitality-book-now1-150x150.jpg" alt="" width="150" height="150" /><span style="color: #333399;"><strong>It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks.  A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies.  According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves. Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds.  Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes.  Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability.  Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits.</strong></span><span style="color: #000000;"></p>
<p><span id="more-3571"></span>Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information.  Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack.</span></p>
<p><strong>Involving Technology and Privacy Managers in Insurance-related Matters  </strong></p>
<p>Because of the variation in cyberinsurance coverages and the underwriting inquiries that often go along with the purchase of such insurance policies, companies may find the process to be a great opportunity for a company’s risk managers, technology managers and privacy managers to work together to help understand potential risks to the company and what risk transfers are being purchased through the insurance policies offered.  Working together aligns the risk managers’ understanding of specific insurance-related issues, the technology managers’ technical expertise regarding the companies’ systems and protections that will be helpful to understand any technical requirements in an application or insurance policy, and the privacy managers’ knowledge of the potential privacy risks that the company faces in light of the information held and how and where it is used.  Indeed, given their understanding of the technical and practical considerations involved in protecting a company’s data from a cyberattack, technology and information managers may be in a unique position to assist the company’s risk managers in understanding the technical implications of specific policy language.</p>
<p><strong>Insurance Coverage Considerations  </strong></p>
<p>When considering what coverages may apply or purchasing cyberinsurance coverage, it is essential to consider many types of coverage, as coverages often are written and offered in different modules and on varying insurance policy forms.  On a regular basis, insurers are writing and introducing new policies marketed as being tailored specifically to cover data breaches and cyberattacks.  In addition, coverage may be available under traditional forms of insurance.  Indeed, policyholders may have overlapping coverage for data breaches and certain cyberrisks, with the potential for coverage under cybersecurity policies as well as traditional insurance policies.  When analyzing the coverage afforded by such policies, it is critical to understand the impact of exclusions on coverages and any sublimits on the amount of coverage afforded by the policy.  Because of the variety of coverages being offered, as discussed below, technology managers can assist the company by providing a careful review of the technical language used in the policy to help determine the scope and limitations of the coverage being purchased with respect to a specific company’s operations.</p>
<p><strong>Cybersecurity and Data Breach Policies  </strong></p>
<p>The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Such policies are relatively new to the marketplace and are constantly changing. Specific policies for cybersecurity and data breach have been known as Network Risk, Cyberliability, Privacy and Security or Media Liability insurance.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the Internet Liability and Network Protection Policy, and insurance companies may base their coverages on this basic insuring agreement or they may provide their own company-worded policy form.  Because these policies are frequently updated and changed, it is important to compare the coverages offered across companies and within a company’s offerings.</p>
<p><strong>Traditional Forms of Insurance</strong>  </p>
<p>Although it is ideal to purchase a policy designed specifically for cybersecurity risks, more traditional forms of insurance may also provide overlapping coverage for data breaches and cyberrisks, depending on the particular coverage terms and exclusions in the individual policy.  Coverage may be provided by the following types of policies:  commercial general liability; first-party property and business interruption; directors and officers or errors and omissions; crime; kidnap, ransom and extortion.  Insurance companies, however, have been fighting their obligations to pay claims for cyber-related loss under such traditional insurance policies.  A major insurer recently sued a corporate policyholder in New York, asking the court to rule that traditional insurance policies do not cover a series of high-profile data breaches, cyberattacks and cyberrisks.</p>
<p><strong>Making a Claim for Coverage</strong>   </p>
<p>If a cyberevent occurs, such as a data breach, then it is vital that risk managers, technology managers and privacy managers work together to seek recovery under all potentially available insurance policies.  It is recommended that policyholders send notice of the claim or occurrence to all potentially applicable insurers, whether under a special cybersecurity policy or under the more traditional forms of insurance. After an insurance claim is tendered to insurers, they may raise various defenses to coverage. Companies, however, should not assume that such defenses will defeat coverage. Whether an event is covered will often depend on careful analysis of the specific policy language involved, the facts of a company’s particular losses and the law of the applicable jurisdiction. Insurance carriers may take a hard line regarding the application of the exclusions in their policies.  For example, under certain insurance policies, there is coverage for property damage and insurers have asserted that there has been no property damage as a result of a cyberattack. Technology managers, however, may be able to assist the company in marshalling evidence to prove that a cyberattack has damaged the company’s computer equipment, or that there has been a loss of use of computer equipment (another way of demonstrating property damage under certain insurance policies).  Technology managers should stay involved throughout the insurance recovery process to help assure that any representations and statements about the company’s technology and the cyberevent are accurate and properly characterized.</p>
<p>Beyond in-house technology personnel, companies that have sustained losses due to a data breach or cyberattack should consider speaking with an attorney who represents policyholders and has familiarity with this area. Because of the assistance of such lawyers, some policyholders have been able to obtain substantial recovery even after the insurer initially denied the policyholder’s claim.</p>
<p><strong><em>This article appeared on the Hospitality Upgrade website on 1 October 2011—link to article:</em></strong></p>
<p><a title="blocked::http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp" href="http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp"><strong>http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-694.asp</strong></a></td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/15/insurance-recovery-for-loss-or-liability-arising-from-cyberattacks-obtain-and-preserve-insurance-for-your-companys-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employers Can Discover Employee Facebook Posts, But….</title>
		<link>http://cyberinquirer.com/2011/12/12/employers-can-discover-employee-facebook-posts-but/</link>
		<comments>http://cyberinquirer.com/2011/12/12/employers-can-discover-employee-facebook-posts-but/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 01:52:27 +0000</pubDate>
		<dc:creator>Michael Schmidt</dc:creator>
				<category><![CDATA[Discovery]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Subpoenas]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3553</guid>
		<description><![CDATA[The following article first appeared on Mike Schmidt&#8217;s Cozen O&#8217;Connor blog, socialmediaemploymentlawblog.com. Thanks to Mike for allowing us to republish it as a follow-up to our December 2, 2011 post, Keep Your Friends Close, But Your Facebook Posts Closer, which addresses a Pennsylvania trial court&#8217;s ruling that &#8220;plaintiff’s Facebook information is discoverable, provided the defendant has a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article first appeared on Mike Schmidt&#8217;s Cozen O&#8217;Connor blog, <a href="http://www.socialmediaemploymentlawblog.com/">socialmediaemploymentlawblog.com</a>. Thanks to Mike for allowing us to republish it as a follow-up to our December 2, 2011 post, <em><a href="http://cyberinquirer.com/2011/12/02/keep-your-friends-close-but-your-facebook-posts-closer/">Keep Your Friends Close, But Your Facebook Posts Closer</a></em>, which addresses a Pennsylvania trial court&#8217;s ruling that &#8220;plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material,&#8221; and our October 16, 2011 post, <em><a href="http://cyberinquirer.com/2011/10/16/facebook-everything-you-want-know-and-more-just-a-subpoena-away/">Facebook: Everything You Want to Know and More&#8230; Just a Discovery Request Away</a></em>, where we comment on how easy it actually is to obtain information posted on Facebook. </strong></p>
<p><strong>Needless to say, the discoverability of social media posts is an important issue for litigants on both sides of the &#8220;v&#8221; and will continue to be the subject of fiercely-litigated motion practice. We will monitor the issue and post updates as courts across the country rule on this important, oftentimes substantively dispositive, issue.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<p><img class="alignleft size-full wp-image-3560" title="facebook" src="http://cyberinquirer.com/wp-content/uploads/2011/12/facebook.jpg" alt="" width="150" height="220" /><span style="color: #333399;"><strong>One of the high-profile battles being fought in the social media world continues to be over the ability of one party in a lawsuit to compel the other party to produce messages, posts, pictures, and other “private” things done over a social networking site like Facebook.   The trend continues to reveal that courts are willing to compel disclosure in the right circumstances, and the most recent decision issued by a New York appellate court is no different.</strong></span></p>
<p>In <em><a href="http://www.courts.state.ny.us/reporter/3dseries/2011/2011_07572.htm">Patterson v. Turner Construction Company </a></em>(New York Supreme Court, Appellate Division, First Department, October 27, 2011), the plaintiff sued for personal injury damages that included physical and psychological injuries that he claims to have suffered.   During the lawsuit, the defendant asked the court to direct the plaintiff to provide an authorization allowing defendant to obtain “all of plaintiff’s Facebook records compiled after the incident alleged in the complaint, including any records previously deleted or archived[.]”   The plaintiff, obviously, fought that request.</p>
<p><span id="more-3553"></span>The first level court granted the defendant’s request, but the appellate division modified that ruling slightly, though still indicating that requests for social networking information are not <em>per se </em>improper.   First, the court on appeal rejected plaintiff’s privacy argument, stating that “[t]he postings on plaintiff’s online Facebook account, if relevant, are not shielded from discovery merely because plaintiff used the service’s privacy settings to restrict access.”  </p>
<p>The operative phrase there is “if relevant”, as the appeals court still held that “it is possible that not all Facebook communications are related to the events that gave rise to plaintiff’s cause of action.”   So, in light of the fact that defendant’s request was overbroad, the appellate division directed that the matter go back to the first level court to provide:</p>
<blockquote><p>“a more specific identification of plaintiff’s Facebook information that is relevant, in that it contradicts or conflicts with plaintiff’s alleged restrictions, disabilities, and losses, and other claims.”</p></blockquote>
<p><strong>Employer Take Away</strong>:   What should you as an employer take away from this development?   </p>
<p>The <em>Patterson </em>decision involves a personal injury action, yet the principles apply equally to employment litigation.   The fundamental premise is that employers can and should seek discovery from plaintiff employees in the context of a lawsuit.  However, the request must be made in the right kind of case, at the right stage of the case, and have the right scope.  </p>
<p>It is often difficult to identify with precision the relevant information that will be gleaned through social networking discovery before you see what is there (that’s partly the point of seeking the discovery in the first place).  There is a fine line between a mere fishing expedition and a reasonable likelihood of discovering relevant facts.   By showing that you (through your attorney) have crafted a reasonable, narrowly-tailored request for information that is “relevant” because it has a good chance of contradicting or conflicting with actual positions taken by the employee in the case, you will have a far greater likelihood of success in getting potentially helpful information for your defense.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/12/employers-can-discover-employee-facebook-posts-but/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions</title>
		<link>http://cyberinquirer.com/2011/12/10/new-cybersecurity-disclosure-guidance-for-public-companies-focusing-attention-raising-questions/</link>
		<comments>http://cyberinquirer.com/2011/12/10/new-cybersecurity-disclosure-guidance-for-public-companies-focusing-attention-raising-questions/#comments</comments>
		<pubDate>Sat, 10 Dec 2011 22:30:43 +0000</pubDate>
		<dc:creator>John Doernberg</dc:creator>
				<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Identitity Theft]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Securities Law (SEC)]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3528</guid>
		<description><![CDATA[As regular Cyberinquirer readers know, on October 12, 2011, the SEC&#8217;s Division of Corporate Finance published &#8220;suggested&#8221; Guidance on public companies&#8217; disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>As regular <span style="color: #333399;">Cyberinquirer </span>readers know, on October 12, 2011, the SEC&#8217;s Division of Corporate Finance published &#8220;suggested&#8221; Guidance on public companies&#8217; disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (<a href="http://cyberinquirer.com/2011/10/29/securities-law-and-cyber-disclosures-perfect-together-especially-for-cyber-and-tech-underwriters-and-brokers-and-me/">here</a>). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John&#8217;s own site, <span style="color: #333399;"><a href="http://blog.wgains.com/?s=Doernberg">http://blog.wgains.com/?s=Doernberg</a></span>, and is being republished here with his permission. Thanks John!</strong></em></p>
<p><em><strong>Rick Bortnick</strong></em></p>
<p><span style="color: #333399;"><strong><img class="alignleft size-thumbnail wp-image-3542" title="sec1" src="http://cyberinquirer.com/wp-content/uploads/2011/12/sec11-150x150.jpg" alt="" width="150" height="150" /></strong></span><strong></strong><strong></strong><span style="color: #333399;"><strong>Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.</strong></span></p>
<p>The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.</p>
<p><span id="more-3528"></span>The Guidelines mention both intentional and unintentional breaches of cybersecurity, but mostly focus on deliberate attacks. They note that such attacks may involve money or other financial assets, intellectual property, or other sensitive information belonging to a company, its customers or its business partners. The Guidelines list some of the many adverse consequences of successful cybersecurity attacks, including:</p>
<p> Remediation expenses, such as the cost of providing notice of breach, credit monitoring and call center services;</p>
<p> Increased cybersecurity protection costs such as the hiring of additional personnel and third-party experts and consultants, and the purchase of additional protective technologies;</p>
<p> Lost revenues resulting from unauthorized use of stolen proprietary information or the failure to retain or attract customers following an attack;</p>
<p> Litigation; and</p>
<p> Reputational damage adversely affecting customer or investor confidence.</p>
<p>The federal securities laws are designed to provide disclosure about “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” The Guidelines state that the potential consequences cited above may in particular cases be sufficiently material, because of the nature of a company’s business or the magnitude of a cyber incident, to require disclosure. The bulk of the Guidelines describe the principal places in federal securities filings that such disclosures should be considered.</p>
<p>The Guidelines remind companies to consider, on an ongoing basis, whether they must disclose the nature and extent of their particular cybersecurity risks. Some early commentary has referred to the Guidelines as rules or regulations. They are not, yet characterizing them as nonbinding suggestions likely understates their importance.</p>
<p>Each company determines what it must disclose by applying the rules to its own business and circumstances. When important new developments arise, it can be difficult for companies to know how these developments affect their disclosure obligations under rules that don’t appear to address them. So the Division of Corporation Finance periodically issues guidelines explaining how it believes the existing disclosure rules should be interpreted with respect to these new developments. This happened with Y2K, with climate change — and now with cybersecurity. The Guidelines say that they are intended to be “consistent with the relevant disclosure considerations that arise in connection with any business risk.” Guidelines are not intended to break new ground; they represent what the Division thinks the existing disclosure rules already require.</p>
<p>In other words, the Division’s position is that the current disclosure rules already require registrants to consider cybersecurity risks and to disclose them as necessary to provide “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”</p>
<p>The Guidelines cite several places in public filings where such disclosure may be required. Here’s a summary of the key provisions:</p>
<p><em><strong>Risk Factors</strong></em></p>
<p>Each public company must disclose the most significant factors that make investment in it speculative or risky. Companies assessing the need for a risk factors disclosure should consider the probability of cyber incidents and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. Generic risk factor disclosure should be avoided; the rules are intended to elicit information about the material risks affecting the particular company making the disclosure, not a listing of risks that can affect any company. According to the Guidelines, appropriate disclosure may include the following:</p>
<p> Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;</p>
<p> To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;</p>
<p> Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;</p>
<p> Risks related to cyber incidents that may remain undetected for an extended period; and</p>
<p> Description of relevant insurance coverage.</p>
<p><em><strong>Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&amp;A)</strong></em></p>
<p>Companies need to disclose cybersecurity risks and past incidents “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” The theft of key corporate intellectual property is cited as the kind of cyber incident that might materially affect future revenues and/or cybersecurity protection expenditures and therefore should be disclosed.</p>
<p><strong><em>Description of Business</em></strong></p>
<p>A company must disclose in the “Description of Business” section of its SEC filings if cybersecurity incidents materially affect its products, services, relationships with customers or suppliers, or competitive conditions.</p>
<p><strong><em>Legal Proceedings</em></strong></p>
<p>If a company is involved in legal proceedings involving a cyber incident, it may need to make disclosures about the proceedings. The Guidelines give the example of the theft of a material amount of customer information that results in litigation.</p>
<p><em><strong>Financial Statement Disclosures</strong></em></p>
<p>Cybersecurity incidents and risks may materially affect a company’s financial statements in ways that must be disclosed. The Guidelines provide various examples, such as payments to customers as incentive to maintain business relationships, losses from asserted and unasserted claims related to warranties, breach of contract, product recall and replacement, and indemnification obligations.</p>
<p><strong><em>Disclosure Controls and Procedures</em></strong></p>
<p>Companies are required to assess and disclose the adequacy of their disclosure controls and procedures. Companies must disclose if cyber incidents and risks may compromise their ability to record, process, summarize, and report information in SEC filings. Management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. For example, if information might not be recorded properly because a cyber incident has affected a company’s information systems, a company may conclude — and have to disclose — that its disclosure controls and procedures are ineffective.</p>
<p><strong><em>How might the Guidelines affect securities claims?</em></strong></p>
<p>Guidelines are not entitled to formal deference by courts in disclosure cases, but judges give varying degrees of informal deference to Division guidance when they adjudicate disclosure cases. Plaintiffs will likely point to the Guidelines when arguing that defendant companies haven’t complied with the disclosure rules. On the other hand, companies often try to use Division guidelines defensively, asserting that in following the guidelines they have satisfied the disclosure rules.</p>
<p><em><strong>How will the Guidelines affect disclosure and risk management and insurance?</strong></em></p>
<p>Some early commentary suggests the Guidelines will not significantly change disclosure practices. Public companies will certainly take the Guidelines seriously and more fully describe their material cybersecurity exposures &#8212; without providing a roadmap for exploiting any security weaknesses. Some companies will try to inoculate themselves from securities claims by providing the kind of broad, generic statements often seen in the Risk Factors section of SEC filings. The Guidelines will lead many companies to confront the nature and extent of their cybersecurity risks more forcefully than they have in the past. In order to assess the materiality of their cybersecurity risks, companies will have to quantify them — and quantifying risks unmasks previously vague or fuzzy judgments about them. Corporate executives will have more useful information about their cybersecurity risks, which may in turn lead to increased efforts to forestall the operational and financial disruption that breaches cause. Companies will almost certainly review and strengthen their cybersecurity risk management practices.</p>
<p>After being forced to quantify the potential financial impact of cybersecurity breaches, many companies will also reassess the adequacy of their insurance protection. That is rarely a simple task. Among many other things, it requires an in-depth and nuanced understanding of what various types of insurance policies do and do not cover with respect to cybersecurity breaches.</p>
<p>Here are a few of the issues that companies and their advisors will have to consider as they determine how to respond to the Guidelines:</p>
<p><strong>How should a company quantify cybersecurity risks?</strong> Cybersecurity breaches can have wide-ranging consequences. A company will probably spend large sums on matters such as forensic investigation into the cause and extent of the breach, legal fees, notice to affected individuals, credit monitoring, identity theft and call center services where appropriate, public relations and communications, government and PCI DSS fines and penalties, and indemnification to corporate clients and others if their proprietary information is compromised. The company may also incur business interruption expenses, the loss of customers, management distraction, opportunity costs, discounts and other customer retention costs, and many other direct and indirect costs. Some of these exposures will be relatively easy to estimate based on currently available data, while others will be extremely difficult to gauge. How should a company estimate these exposures in assessing the materiality of cybersecurity breaches? Will widely cited studies into the costs of data breaches (such as the Ponemon Institute’s annual study) become the de facto standard for estimating exposure? How should a company weigh the many potential indirect costs of a data breach in determining the materiality of cybersecurity risks?</p>
<p><strong>Which policies may provide at least some coverage for cybersecurity-related breaches?</strong> A company may have several different types of insurance policies &#8212; some commonly considered “cyber” policies, others not &#8212; that could provide coverage for at least some of the costs it would incur after a breach. The company will have to determine which policies might provide any coverage and which wouldn’t; which cybersecurity exposures each policy addresses and which it doesn’t; and whether and to what extent various policies can be aggregated to provide additional protection. And as the insurance coverage dispute in the Sony PlayStation breach matter demonstrates [See blog post here http://wp.me/pFoTv-LU], the availability of coverage under non-cyber policies is far from clear.</p>
<p><strong>How should a company that accepts payment cards (such as credit cards) address the special bundle of risks that are related to the evolving Payment Card Industry Data Security Standards and the rules imposed by the payment card brands? </strong>It can be expected that over time there will develop fairly standard ways of disclosing payment card-related risks, but it may be a rocky road.</p>
<p><strong>What will be the impact of more extensive disclosure on the availability and cost of insurance to indemnify cybersecurity losses?</strong> Insurers routinely review a public company’s SEC filings as part of the underwriting process. Many stipulate that a company’s SEC filings constitute part of the application for insurance (usually a negotiable issue to some degree). At least two adverse possibilities come to mind: (1) that extensive descriptions of cybersecurity risks and incidents, crafted by lawyers to overcome allegations of inadequate disclosure, will scare insurers into curtailing coverage and/or charging higher prices, and (2) that some insurers will use these disclosures to try and deny coverage in subsequent claims, on the grounds that a disclosure later shown to be inadequate constitutes a breached warranty that therefore voids coverage. The D&amp;O (Directors and Officers) insurance sector has dealt with this issue for a long time and seems to have largely worked things out. The cyber insurance sector will probably get to a similar equilibrium, although it may take a while and cause some pain in the process.</p>
<p>The new cybersecurity guidelines therefore may have raised as many questions as they answer, and they will certainly require careful and nuanced navigation by companies and their advisors. Companies will need to undertake a fresh and detailed analysis, with each SEC filing, to make sure that their disclosures adequately reflect the cybersecurity risks they face in their then-current business operations.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/10/new-cybersecurity-disclosure-guidance-for-public-companies-focusing-attention-raising-questions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keep Your Friends Close, But Your Facebook Posts Closer</title>
		<link>http://cyberinquirer.com/2011/12/02/keep-your-friends-close-but-your-facebook-posts-closer/</link>
		<comments>http://cyberinquirer.com/2011/12/02/keep-your-friends-close-but-your-facebook-posts-closer/#comments</comments>
		<pubDate>Fri, 02 Dec 2011 20:38:31 +0000</pubDate>
		<dc:creator>Andrea Cortland</dc:creator>
				<category><![CDATA[Discovery]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Subpoenas]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3506</guid>
		<description><![CDATA[“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://profile.ak.fbcdn.net/hprofile-ak-snc4/50313_134335795625_2793_n.jpg"><img class="alignleft" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/50313_134335795625_2793_n.jpg" alt="" width="150" height="220" /></a><strong><span style="color: #333399;">“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material, because there is no confidential social networking privilege under Pennsylvania law and because the Stored Communications Act only applies to internet service providers. The take-away for Facebook users: be careful what you post – it’s not as “private” as you think!</span></strong></p>
<p><span id="more-3506"></span><span style="color: #000000;"><strong><em><strong>The Facts </strong></em></strong></span></p>
<p>Defendant Jessica Rosko (“Rosko”) collided with a minivan at an intersection in rural Pennsylvania, pushing the van into the motorcycle on which Plaintiff Jennifer Largent (“Largent”) was a passenger. Largent brought suit against Rosko in the Franklin County Court of Common Pleas, alleging serious and permanent physical and mental injuries, pain and suffering. <strong><a href="http://www.scribd.com/doc/73983028/Largent-v-Reed-2009-1823-Pa-Ct-of-Common-Pleas-Nov-8-2011#?=&amp;cb=f74c2a9fe1668b&amp;relation=parent&amp;transport=fragment&amp;frame=f333f1abeddbf78&amp;error=unknown_user">Largent v. Reed, No. 2009-1823, slip op. (Pa. C.P. Franklin Nov. 8, 2011)</a></strong>. Rosko claims that certain posts on Largent’s Facebook account contradict her claims of serious and severe injury. Specifically, Rosko claims that Largent had posted several photographs that show her “enjoying life with her family” and “a status update about going to the gym.”</p>
<p>Largent refused to provide any information about her Facebook account during her deposition, and Plaintiffs’ counsel advised that it would not voluntarily turn over such information. Rosko subsequently filed a Motion to Compel Plaintiff Jennifer Largent’s Facebook Login Information, which served as the impetus for the trial court’s ruling.</p>
<p><em><strong>The Decision</strong></em></p>
<p>In a methodical and well-written opinion, the court described the purpose and logistics of Facebook, including its “detailed, ever-changing privacy policy,” and concluded, “users of Facebook know that their information may be shared by default[.]” The plaintiff raised three arguments in opposition to the motion to compel her Facebook information: (1) the information sought was irrelevant and did not meet Pennsylvania’s prima facie threshold; (2) disclosure would violate privacy laws such as the Stored Communications Act, 18 U.S.C. §§ 2701-12 (“SCA”); and (3) the discovery request was overbroad because disclosure would cause the plaintiff unreasonable embarrassment and annoyance. The court debunked each of these arguments in turn.</p>
<p>As to the discovery standard, the court recognized Pennsylvania’s broad discovery rules and the slight threshold for relevancy, concluding “it is clear that material on social networking websites is discoverable in a civil case[,]” especially where the plaintiff claims to suffer from chronic physical pain, yet posted information about exercising at a gym. The court also addressed the lack of binding authority in Pennsylvania, noting that Pennsylvania trial courts, as well as courts in other jurisdictions, have allowed discovery of social networking data in civil lawsuits.</p>
<p>As to whether allowing the discovery would constitute a violation of privacy laws, the court held that there is no confidential social networking privilege under Pennsylvania law and that the SCA is inapplicable because Largent is not an internet service provider, and thus is not regulated by the SCA. Perhaps stating the obvious, the court concluded, “[b]y definition, there can be little privacy on a social networking website. Facebook’s foremost purpose is to ‘help you connect and share with the people in your life.’ That can only be accomplished by sharing information with others. Only the uninitiated or foolish could believe that Facebook is a lockbox of secrets.” (Emphasis in original.)<br />
Finally, as to the breadth of Rosko’s discovery request, the court stated that unreasonableness is determined on a case-by-case basis. In the case before it, the court found that Largent had not identified any specific facts that would lead to the conclusion that discovery would cause unreasonable embarrassment or annoyance; specifically, the cost of investigating the plaintiff’s Facebook account would be borne by the defendant, the plaintiff could still access her account while the defendant was investigating, and the defendant would only be allotted a 21-day window to perform the investigation. The court thereby held that “in filing a lawsuit seeking monetary damages, Largent has placed her health at issue, which vitiates certain privacy interests. Any posts on Facebook that concern Largent’s health, mental or physical, are discoverable, and any privilege concerning such information is waived.”</p>
<p><em><strong>What does it all mean?</strong></em></p>
<p>The Largent opinion, while carefully thought-out and meticulously written, is not an appellate decision, and therefore is not binding as precedent on other trial courts. Nonetheless, it joins <span style="color: #333333;"><strong><span style="color: #000000;"><a href="http://www.employmentlawalert.com/uploads/file/Zimmerman_Weis%20Markets_Opinion.pdf">Zimmerman v. Weis Mkts., Inc., No. CV-09-1535, 2011 WL 2065410 (Pa. C.P. Northumberland May 19, 2011)</a> </span></strong><span style="color: #000000;">and </span><strong><span style="color: #000000;"><a href="http://www.ediscoverylawalert.com/uploads/file/2010-09-09-Westlaw_Document_07_47_52%5B1%5DMcMillen.pdf">McMillen v. Hummingbird Speedway, Inc., No. 113-2010-CD, 2010 WL 4403285 (Pa. C.P. Jefferson Sept. 9, 2010)</a></span></strong>, </span>other Pennsylvania trial court decisions, in setting a precedent that a plaintiff’s social networking information is discoverable in a civil case under Pennsylvania law. We are left to anxiously await a Pennsylvania appellate court decision on this issue.</p>
<p>In the interim, these trial court decisions raise questions about whether the line between “public” and “private” has blurred beyond recognition. Are messages sent from one Facebook user to another, and not visible to others, private? Are pictures posted with the strictest “privacy setting,” so that only a select few can see them, private? Or is anything and everything that one does on Facebook considered public, and vulnerable to being discovered by an opposing party in a civil suit? In case it is the latter: keep your friends close, but your Facebook posts closer.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/12/02/keep-your-friends-close-but-your-facebook-posts-closer/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Identity Theft: A Christmas Poem Revisited</title>
		<link>http://cyberinquirer.com/2011/11/26/identity-theft-during-the-holidays-a-christmas-poem/</link>
		<comments>http://cyberinquirer.com/2011/11/26/identity-theft-during-the-holidays-a-christmas-poem/#comments</comments>
		<pubDate>Sat, 26 Nov 2011 20:15:49 +0000</pubDate>
		<dc:creator>Amanda Lorenz</dc:creator>
				<category><![CDATA[Fun Stuff]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Identitity Theft]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Christmas; poem; holiday; fun; humor]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=2275</guid>
		<description><![CDATA[Regular Cyberinquirer readers may recall the following holiday poem by Amanda Lorenz that we published last year at this time. Like the Yule Log, we here at Cyberinquirer Central have decided to republish Amanda&#8217;s poem on an annual basis at holiday time, barring extenuating circumstances. Hope you agree that it&#8217;s as fresh today as it [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>Regular Cyberinquirer readers may recall the following holiday poem by Amanda Lorenz that we published last year at this time. Like the Yule Log, we here at Cyberinquirer Central have decided to republish Amanda&#8217;s poem on an annual basis at holiday time, barring extenuating circumstances. Hope you agree that it&#8217;s as fresh today as it was a year ago. Perhaps even more apt. In any event, enjoy! And happy holiday season from your friends at Cyberinquirer.</strong></em></p>
<p><em><span style="color: #000080;"><strong><a rel="attachment wp-att-2276" href="http://cyberinquirer.com/2011/11/26/identity-theft-during-the-holidays-a-christmas-poem/mm900297037/"></a><span style="color: #008000;"><a rel="attachment wp-att-2292" href="http://cyberinquirer.com/2011/11/26/identity-theft-during-the-holidays-a-christmas-poem/ditto/"><img class="aligncenter size-full wp-image-2292" title="ditto" src="http://cyberinquirer.com/wp-content/uploads/2010/11/ditto.jpg" alt="" width="900" height="400" /></a></span></strong></span></em></p>
<h6><span style="color: #000080;"><span style="color: #800000;">Twas the month before Christmas and all through the house,<br />
</span></span><span style="color: #000080;"><span style="color: #800000;">All the children were networking with the click of a mouse.<br />
</span></span><span style="color: #000080;"><span style="color: #800000;">Cyber thieves were nestled all snug in their chairs,<br />
</span></span><span style="color: #000080;"><span style="color: #800000;">Waiting for shoppers to unknowingly share.</span></span></h6>
<h6><span style="color: #000080;"> </span><span style="color: #000000;">As I shopped for him and he shopped for me,<br />
</span><span style="color: #000000;">The thieves stole our money and our financial history.<br />
</span><span style="color: #000000;">We did not even realize that this information was taken,<br />
</span><span style="color: #000000;">And we thought the denial of our credit card was mistaken.<br />
</span><span style="color: #000000;">Using </span><a href="http://en.wikipedia.org/wiki/Phishing" target="_blank"><span style="color: #339966;">Phishing </span></a><span style="color: #000000;">or </span><a href="http://en.wikipedia.org/wiki/SMiShing" target="_blank"><span style="color: #000000;"><span style="color: #339966;">SMiShing</span> </span></a><span style="color: #000000;">and hacking the links,<br />
</span><span style="color: #000000;">Our private information was retrieved in a blink.</span></h6>
<h6><span style="color: #000000;"> </span><span style="color: #000000;">Perhaps we should have shopped on a network that was secure,<br />
</span><span style="color: #000000;">Or at least checked our credit reports monthly to be sure,<br />
</span><span style="color: #000000;">That thieves were not using our names and our faces<br />
</span><span style="color: #000000;">To purchase plane tickets to tropical places.<br />
</span><span style="color: #000000;">So to all of the shoppers who like to avoid the crowd,</span></h6>
<h6><span style="color: #000000;"><em>Protect your info this season and make CyberInquirer proud!</em></span></h6>
<p style="text-align: center;"><span style="color: #000000;"><a href="http://4.bp.blogspot.com/_Kp1mDeqNHlE/Sz6NHWfmglI/AAAAAAAAAjw/EJfF8Nc2Lb0/s1600-h/Funny-Shopping-Cartoons-Survived-Cyber-Monday.jpg"><img class="aligncenter" style="border: 0px;" src="http://4.bp.blogspot.com/_Kp1mDeqNHlE/Sz6NHWfmglI/AAAAAAAAAjw/EJfF8Nc2Lb0/s320/Funny-Shopping-Cartoons-Survived-Cyber-Monday.jpg" border="0" alt="" width="315" height="320" /></a></span></p>
<p style="text-align: center;"><span style="color: #000080;"><img class="aligncenter" style="border: 0px;" title="Wish You a Merry Christmas" src="http://www.stus.com/images/products/blg5845.gif" border="0" alt="Wish You a Merry Christmas cartoons image illustration picture" width="300" /></span></p>
<h2><span style="color: #339966;">Happy Holidays from CyberInquirer!</span></h2>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/11/26/identity-theft-during-the-holidays-a-christmas-poem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Join Us At The Upcoming PLUS Northwest Chapter Cyber Workshop</title>
		<link>http://cyberinquirer.com/2011/11/21/join-us-at-the-upcoming-plus-northwest-chapter-cyber-workshop/</link>
		<comments>http://cyberinquirer.com/2011/11/21/join-us-at-the-upcoming-plus-northwest-chapter-cyber-workshop/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 01:22:16 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Liability Insurance]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3485</guid>
		<description><![CDATA[We&#8217;re only two weeks away from the season&#8217;s premier cyber education event: The PLUS Northwest Chapter &#38; IIABKC Cyber Workshop, to be held on December 7 (a date which will live in infamy), 2011 at the Washington Athletic Club in downtown Seattle. This will be my first trip to Seattle, so I&#8217;m really looking forward to [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #333399;"><strong><a href="http://paynoattentiontothisblogyet.files.wordpress.com/2011/10/plus-cmyk-logo.gif"><img class="alignleft" src="http://paynoattentiontothisblogyet.files.wordpress.com/2011/10/plus-cmyk-logo.gif" alt="" width="250" height="82" /></a>We&#8217;re only two weeks away from the season&#8217;s premier cyber education event: The <a href="http://plusweb.org/event/NW1211">PLUS Northwest Chapter &amp; IIABKC Cyber Workshop</a>, to be held on December 7 (a date which will live in infamy), 2011 at the Washington Athletic Club in downtown Seattle. This will be my first trip to Seattle, so I&#8217;m really looking forward to it, as well as to meeting those of you who attend. The panel is entitled <em>Emerging Issues Surrounding Cyber Privacy and Security Risk</em> </strong></span><strong><span style="color: #333399;">and will run for a full three hours (with a corresponding 3 Washington state CE credits), from 1.30 PM to 4.30 PM, to be followed by the always popular cocktail reception. The cost to attend is dirt cheap, given the panelists and topic, as it&#8217;s $40 for PLUS members and $60 for non-members.</span></strong></p>
<p>So, you&#8217;re wondering, who are the panelists? Well, PLUS Northwest has assembled a crackerjack lineup of the following special guest speakers:</p>
<p>David Molitano, Vice President/Division Manager, Content Technology &amp; Services at OneBeacon Professional Insurance; Kimberly Horn, Claims Manager for Technology, Media and Business Services at Beazley Group; and Karl Peterson, Senior Vice President, E&amp;O and eRisk Product Team at Willis Executive Risks Practice.</p>
<p>You&#8217;ll only get this quality of presenter at the PLUS Northwest Chapter event. Don&#8217;t be fooled by pretenders or others promoting cyber conferences with lesser lights. This is THE cyber event to attend. And the post-workshop cocktail reception is an added bonus.</p>
<p>Please feel free to contact PLUS or me if you have any questions or would like further details about the Workshop. We look forward to seeing you there! And, in particular, meeting with you afterwards. Plus (no pun intended), for Cyberinquirer <strong><em>subscribers </em></strong>only, the first cocktail is on me. Just flip an email and let me know you&#8217;re coming.</p>
<p>Rick</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/11/21/join-us-at-the-upcoming-plus-northwest-chapter-cyber-workshop/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberinquirer Named As One of LexisNexis’s Top Insurance Blogs of 2011</title>
		<link>http://cyberinquirer.com/2011/11/20/cyberinquirer-named-as-one-of-lexisnexiss-top-insurance-blogs-of-2011/</link>
		<comments>http://cyberinquirer.com/2011/11/20/cyberinquirer-named-as-one-of-lexisnexiss-top-insurance-blogs-of-2011/#comments</comments>
		<pubDate>Sun, 20 Nov 2011 22:49:54 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Electronic Communication]]></category>
		<category><![CDATA[Fun Stuff]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Social Networks]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3468</guid>
		<description><![CDATA[With the help of our readers, Cyberinquirer has again been named as one of LexisNexis&#8217;s Top Insurance blogs of 2011. We are obviously flattered, particularly in view of the quality of the other blogs selected to this august list. It shows that people are reading what we have to say. And that, perhaps, they are [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #333399;"><strong><img class="alignleft size-full wp-image-3477" title="LN Badge" src="http://cyberinquirer.com/wp-content/uploads/2011/11/LN-Badge.jpg" alt="" width="155" height="170" />With the help of our readers, Cyberinquirer has again been named as one of <a href="http://www.lexisnexis.com/community/insurancelaw/blogs/topblogs/archive/2011/11/11/the-winners-the-insurance-law-community-top-blogs-for-2011.aspx">LexisNexis&#8217;s Top Insurance blogs of 2011</a>. We are obviously flattered, particularly in view of the quality of the other blogs selected to this august list. It shows that people are reading what we have to say. And that, perhaps, they are interested in what we have to say. We sure hope that to be the case. We love thinking, reading and talking about tech, privacy and cyber related issues (yeah, admittedly we&#8217;re geeks). And we hope that you, our readers, gain from our insights, even if you don&#8217;t always agree with them.</strong></span></p>
<p>So now that we&#8217;ve been recognized by LexisNexis for the second straight period, maybe some of you, our readers, will be more comfortable authoring a piece we can post. Remember, this blog is open to all relevant, responsible submissions, be they articles, commentaries, or just comments on something we have said that strikes a chord. If you&#8217;ve got something to say that may be of interest to others in the community, email it to me at <strong><a href="mailto:rbortnick@cozen.com">rbortnick@cozen.com</a></strong> and I will get back with you promptly. We strive to publish fresh, interesting content on a regular basis, but it&#8217;s not always easy, as we do maintain law practices. And have other commitments. So flip your authored pieces. We&#8217;d actually appreciate it.</p>
<p>Needless to say, we couldn&#8217;t have done this on our own. So the honor is not just for us, but for you too. Thanks.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/11/20/cyberinquirer-named-as-one-of-lexisnexiss-top-insurance-blogs-of-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Hospitality Industry Revisited: Does Your Company Have Proper Coverage?</title>
		<link>http://cyberinquirer.com/2011/11/12/the-hospitality-industry-revisited-does-your-company-have-proper-coverage/</link>
		<comments>http://cyberinquirer.com/2011/11/12/the-hospitality-industry-revisited-does-your-company-have-proper-coverage/#comments</comments>
		<pubDate>Sun, 13 Nov 2011 00:05:03 +0000</pubDate>
		<dc:creator>Richard Bortnick</dc:creator>
				<category><![CDATA[Credit Profile Number (CPN)]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Crisis Management]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Global]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Hospitality Industry]]></category>
		<category><![CDATA[Identitity Theft]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Personal Identifiable Information]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3388</guid>
		<description><![CDATA[In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven&#8217;t, here&#8217;s my topic sentence: &#8220;38% of the credit card hacking events in 2009 involved the hospitality industry.&#8221; Yep. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.compassguard.com/images/hotel-security-guards.jpg"><img class="alignleft" src="http://www.compassguard.com/images/hotel-security-guards.jpg" alt="" width="300" height="200" /></a><span style="color: #333399;"><strong>In a prior post (<a href="http://cyberinquirer.com/2010/07/11/credit-card-hackers-favorite-target-would-you-believe-hotels/">here</a>), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven&#8217;t, here&#8217;s my topic sentence: &#8220;38% of the credit card hacking events in 2009 involved the hospitality industry.&#8221; Yep. 38%.</strong></span></p>
<p><span style="color: #333399;"><strong>And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you&#8217;re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you&#8217;re not out of the clear. And, things may be getting worse as  the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).</strong></span></p>
<p><span id="more-3388"></span><span style="color: #000000;">Having a keen academic interest in broking, underwriting and marketing, I am interested in knowing the percentages of hospitality industry companies that do &#8212; and don&#8217;t &#8212; have cyber/tech/privacy insurance. Not who has been attacked, mind you, but who does and doesn&#8217;t have insurance, and the percentage increases over time. I&#8217;m sure that such a report exists, but to date, I haven&#8217;t seen it; perhaps someone else has. In the meantime, I&#8217;m very much looking forward to the 2011 statistics. We&#8217;ll probably have to wait a few months for the numbers crunchers to figure it out. But my (only semi-educated) guess is that while more and more companies are purchasing these insurance products, the percentage of those who have bought them is less than you think.</span></p>
<p>On the other hand, what has been published is <strong><a href="http://immersionltd.com/Immersion/documents/Trustwave_WP_Global_Security_Report_2011.pdf">the 2011 Global Security report issued by Trustwave Spider Labs</a></strong>, which has been posted on-line by our good friends at Immersion. In that highly-informative 59-page survey, Spider Labs has this to say:</p>
<p><em>&#8220;While a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert. At this time, it appears that the organized crime group responsible for the majority of hospitality breaches in 2009 expanded their target list. Instead of focusing exclusively on the hospitality industry, this group became active within the food and beverage and retail markets as well. Evidence suggests this single organized crime group was responsible for 36% of all data breaches investigated by SpiderLabs in 2010.&#8221;</em></p>
<p>Read again what Spider Labs has said: &#8220;<em>while a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert</em>.&#8221;</p>
<p>But they didn&#8217;t stop there. Here&#8217;s more:</p>
<p><em>&#8220;Propagation</em></p>
<p><em>In 16% of cases, the attacker was able to propagate to additional physically dispersed targets through site-to-site internal network connections, such as MPLS. Though the hospitality industry was less represented this year, additional franchised industries experienced similar propagation techniques by attackers resulting in large-scale data breaches affecting multiple locations.</em></p>
<p><em>In these cases, many of these multi-location breaches were recently &#8220;upgraded&#8221; to fully shared connectivity across locations resulting in criminals being able to access many locations at once. Perhaps this was just an oversight in planning by corporate entity IT or security staff; however, a few hours of additional analysis and planning to develop simple network access rules could have prevented this type of propagation.&#8221;</em></p>
<p>Think about it. What Spider Labs is saying is that if a hacker intrudes into one of a number of connected or semi-connected hotels or other hospitality operations, they might have the key to all of them. No longer is each property limited to its own problems. The problem faced by one location should become the problem faced by each and every location. In the wink of her eye. (For those who remember, a special shout-out to The Sweet&#8217;s classic ode, <strong><a href="http://www.youtube.com/watch?v=VzpWJx3I2DY">Ballroom Blitz</a></strong>).</p>
<p>What&#8217;s more, hotels now can obtain coverage to protect themselves against bad PR. Indeed, at least one London market insurer is selling hotel reputation insurance with limits in excess of $25 million which are intended to provide crisis management and lost revenues coverage.</p>
<p>The upshot of all of this is that Risk Managers, brokers and underwriters around the world need to get together to discuss risks, solutions and insurance. Perhaps with a cyber lawyer present? I&#8217;m happy to host such a meeting at one of our global offices if it would make sense for all. But regardless of who, what, where, when or how (see, Mom, I DID pay attention during broadcast journalism classes at B.U.), such meetings need to take place at or even well before renewal time. The risks and costs are too great. The bad guys are numerous, spirited, and way too sophisticated. Premiums are reasonable. Most underwriters I know are too. As are the retailers and wholesalers who regularly play in this space. Let&#8217;s all get together and put a risk management plan together. If you&#8217;re a public company, it&#8217;s almost imperative that you do so in light of the recent SEC Guidance published on October 13 (which we discuss <strong><a href="http://cyberinquirer.com/2011/10/29/securities-law-and-cyber-disclosures-perfect-together-especially-for-cyber-and-tech-underwriters-and-brokers-and-me/">here</a></strong>).</p>
<p>In closing, hospitality industry Risk Managers, brokers and underwriters, we&#8217;ll summarize in four iconic lyrics: &#8220;<strong><a href="http://www.youtube.com/watch?v=WQkHajhJFfM">Hey ho, let&#8217;s go</a></strong>&#8221;. (RIP, Johnny, Joey and Dee Dee).</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/11/12/the-hospitality-industry-revisited-does-your-company-have-proper-coverage/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Would Your Company’s Insurance Cover a Cyberattack?</title>
		<link>http://cyberinquirer.com/2011/11/02/would-your-company%e2%80%99s-insurance-cover-a-cyberattack-2/</link>
		<comments>http://cyberinquirer.com/2011/11/02/would-your-company%e2%80%99s-insurance-cover-a-cyberattack-2/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 00:38:12 +0000</pubDate>
		<dc:creator>Scott Godes</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Insurance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal Research]]></category>
		<category><![CDATA[Liability Insurance]]></category>
		<category><![CDATA[Network Failures]]></category>

		<guid isPermaLink="false">http://cyberinquirer.com/?p=3394</guid>
		<description><![CDATA[The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, Corporate Insurance Blog. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott&#8217;s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, <a href="http://corporateinsuranceblog.com/">Corporate Insurance Blog</a>. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott&#8217;s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment will gladly be published (promptly&#8230;). Please feel free to forward them to me at your convenience.</strong></p>
<p><strong>Rick Bortnick</strong></p>
<div class="mceTemp"><img class="alignleft size-medium wp-image-3419" title="hacker aattack" src="http://cyberinquirer.com/wp-content/uploads/2011/11/fotolia_23825530_xs1-300x300.jpg" alt="" width="200" height="200" /><span style="color: #333399;"><strong>On October 27, 2011, <a title="CNN.com" href="http://www.cnn.com/" target="_blank">CNN.com</a> <a title="CNN cyberattack story" href="http://money.cnn.com/2011/10/27/technology/rsa_hack_widespread/index.htm?hpt=hp_t2" target="_blank">posted</a>:</strong></span></div>
<blockquote><p><span style="color: #333399;"><strong>A massive cyberattack that led to a <a href="http://money.cnn.com/2011/06/08/technology/securid_hack/index.htm?iid=EL" target="_blank">vulnerability in RSA&#8217;s SecurID tags</a> earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.</strong></span></p></blockquote>
<p><span style="color: #333399;"><strong>The <a title="Krebs on Security" href="http://krebsonsecurity.com/" target="_blank">Krebs On Security</a> blog <a title="Krebs on Security post re cyberattack" href="http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/" target="_blank">posted</a>:</strong></span></p>
<blockquote><p><span style="color: #333399;"><strong>Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.</strong></span></p></blockquote>
<p><span style="color: #333399;"><strong>This is in line with <a title="Digital Forensic Investigator News" href="http://www.dfinews.com/article/rapid-cyber-attack-response-three-days-make-all-difference" target="_blank">comments from others, including this quote from Digital Forensic Investigator News, that &#8220;2011 has quickly become the year of the cyber attack.</a>&#8221;  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” <a href="http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455" target="_blank">according to a ZDNet story</a>.  These attacks and threats do not appear to be on a downward trend.  They <a href="http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html" target="_blank">continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –”</a> over the July 4, 2009 holiday weekend.  The alleged attacks were not only against government sites; <a href="http://online.wsj.com/article/SB124701806176209691.html" target="_blank">they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, <em>The Washington Post</em>, Amazon.com and MarketWatch.”</a> The <a href="http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455" target="_blank">more recent ZDNet survey</a> shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.</strong></span></p>
<p><span id="more-3394"></span><strong>Denial of Service Attacks</strong></p>
<p>The cyberattacks that have stolen recent headlines were denial of service incidents.  Personnel from “CERT<sup>®</sup> Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:</p>
<p><a href="http://www.cert.org/tech_tips/denial_of_service.html" target="_blank">Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack</a>:</p>
<ul>
<li>consumption of scarce, limited, or non-renewable resources</li>
<li>destruction or alteration of configuration information</li>
<li>physical destruction or alteration of network components.</li>
</ul>
<p>Some attacks are comparable to <a href="http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088" target="_blank">“tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”</a> If a system suffers such an attack, which also <a href="http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088" target="_blank">has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”</a></p>
<p><strong>What Insurance Coverage Might Apply?</strong></p>
<p>The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy.  The market for cybersecurity policies has been called the Wild West of insurance marketplaces.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event.  If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.</p>
<p>If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy.  Consider whether first party all risk or property coverage may apply.  First party all risk policies typically provide coverage for the policyholder’s losses due to property damage.  If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.  <em>See, e.g.</em>, <em>Lambrecht &amp; Assocs., Inc. v. State Farm Lloyds</em>, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); <em>Am. Guar. &amp; Liab. Ins. Co. v. Ingram Micro, Inc.</em>, No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).</p>
<p>First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)  <em>Se. Mental Health Ctr., Inc. v. Pac. Ins. Co.</em>, 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); <em>see also</em> Scott N. Godes, <a href="http://www.law360.com/insurance/articles/94765" target="_blank">Ensuring Contingent Business Interruption Coverage</a>, Law360 (Apr. 8, 2009) (discussing coverage under first party policies resulting from third party interruptions).</p>
<p>Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.  For example, in <em>Retail Ventures, Inc. v. National Union Fire Insurance Co.</em>, No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.</p>
<p>If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy.  If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.</p>
<p>The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.  <em>See, e.g.</em>, <em>Computer Corner, Inc. v. Fireman’s Fund Ins. Co.</em>, 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).  Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.  <em>See, e.g.</em>, Claire Wilkinson, <a href="http://www.iii.org/assets/docs/pdf/informationsecurity.pdf" target="_blank"><em>Is Your Company Prepared for a Data Breach?</em>, Ins. Info. Inst.</a>, at 20 (Mar. 2006) (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”). Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage. <em>See</em> <em>Eyeblaster, Inc. v. Fed. Ins. Co.</em>, 613 F.3d 797 (8th Cir. 2010).</p>
<p>Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements.  Standard form CGL policies provide coverage for indemnity agreements.  <em>See, e.g.</em>, <em>Harsco Corp. v. Scottsdale Ins. Co.</em>, No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).</p>
<p>Depending on the types of claims asserted, other liability policies may be triggered as well.  For example, directors and officers liability policies may provide coverage for investigation costs, <em>see</em> <em>MBIA Inc. v. Fed. Ins. Co.</em>, 652 F.3d 152, 160 (2d Cir. 2011), and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”  <em>See</em> <em>Eyeblaster</em>, 613 F.3d at 804.</p>
<p>The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.</p>
]]></content:encoded>
			<wfw:commentRss>http://cyberinquirer.com/2011/11/02/would-your-company%e2%80%99s-insurance-cover-a-cyberattack-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

