There are Chinese websites offering distributed-denial-of-service (“DDoS”) attacks for sale.  Reminder: DDoS attacks generally involve a hacker taking control of a bunch of internet-connected computers (a botnet) and telling them to flood a webserver with enough activity to crash the system.  While Chinese sites get a lot of press, there are plenty of other places to purchase botnet attacks. You can even specify how many botnets you want flooding a particular system and for how long.  I read on a web forum that you can rent 1,000 botnets for an hour for as little as $25.

And for that, I’m thankful.

What? You heard me.

We used to think of hacking as an activity reserved for evil geniuses with rare abilities.  Like Dade “Zero Cool” Murphy from “Hackers,” or Gavin Orsay in “House of Cards.”  Because so few people were capable of launching attacks, we perceived the likelihood of their occurrence as, well, unlikely.

The ability to cheaply buy hacking attacks may have two positive consequences.  First, it should dispel any remaining belief that hacking attacks are rare or unlikely to affect a particular target.  Hacking attempts are common, and now anyone can cause them.  As attempts have increased, the number of immune targets has dwindled to nearly nada.  Fact: hacking attempts are an omnipresent threat that must be dealt with by every business.

The second positive consequence is more of a hypothesis at this point.  As botnet attacks flood our systems with increasing frequency, our IT security should become stronger, whether because a greater variety of threats become recognizable by our firewalls or because the rising number of attacks causes software developers and businesses to invest greater resources in defensive measures.  Whether the story unfolds this way remains to be seen, but it makes good sense.  Don’t you think?

At a minimum, the $25 hack-attack should at least grab people’s attention.  And given the stakes, for that, I am thankful.

I frequently hear that cyberinsurance decisions are made solely by Risk Managers.  In the typical circumstance, that makes sense.  Risk Managers manage risk.  But cyberliability, at this stage, is not a universe of typical circumstances.

The nature of the risk is new and rapidly changing.  Actuarial data is sparse.  Carriers and Risk Managers frequently have incomplete understandings of insureds’ IT infrastructure and exposure.  As a result, unlike the standard policy forms that have evolved over decades in other contexts, cyberinsurance policies are all over the place in terms of coverage grants and exclusions.  Amid this lack of uniformity, many insureds likely have coverage that is inappropriate or incomplete.

There is good news.

Insureds that are fortunate enough to have Risk Managers often have Chief Information Officers.  These folks know your IT infrastructure like it’s their job.  Funny, right?

By many accounts, including a thorough article by Kathleen Richards in Information Security Magazine, IT professionals nevertheless often have no involvement in cyberinsurance decisions.  This is a problem.  Without consulting the individual most familiar with your IT infrastructure, it is less likely that you get the coverage you need and more likely that you pay for unnecessary coverage.

But here’s your real takeaway.

Having an IT professional at the table makes it less likely that an insurer denies coverage altogether.  Carriers have shied away from “penetration testing,” or actual testing of insureds’ network security.  Instead, carriers rely on policy applications that contain a multitude of detailed questions about IT security practices.  At least one carrier has already sought to deny coverage based on its contention that the insured did not employ the actual security practices identified in its policy application.  See Columbia Casualty Co. v. Cottage Health Systems, No. 2:15-cv-03432 (Central District California) (dismissed on other grounds).

If a CIO is part of your team, manage the risk of having inappropriate or no coverage.  Talk to your IT professionals.  They don’t bite (probably).


Let’s play a word association game.  What is the first word that comes to mind when I say the phrase, “data breach”?  If you thought, “hacking,” you’re not the only one.  But according to many accounts, hacking accounts for only about a third of data breaches.

Plain old theft, in its more traditional, purse-snatching form, accounts for another ten percent of breaches.  While laptop theft is the most common cause in this context, there have been many data breaches in the past year caused by the theft of desktop computers, thumb drives and, of course, smart phones.  Obviously, thumb drives and phones are the easiest to snatch.  They are also increasingly becoming key operational elements in nearly every industry, and I expect the number of breaches caused by their theft to likewise trend upward.  Another ten percent of breaches are caused by “malicious insiders,” disgruntled current or former employees who damage or sell data for all of the obvious reasons.

You probably haven’t raised an eyebrow yet.  But we’ve only covered the causes of about half of data breaches.  What about the other half?

Approximately a quarter are caused by improper disposal of data, both in electronic and paper form.  The circumstances of these breaches range from somewhat complicated failures to properly wipe hardware (and subsequent restoration of the data) to simple failures to shred key documents or lock the dumpster.  Oops.  The last quarter of breaches are caused by – drumroll – accident.  Sending documents to the wrong recipient, office fires, warehouse flooding.  Double oops.

So what?

So, theft (whether from hacking, purse snatching or ticked-off employees), negligence and accidents are typically insured by traditional insurance like commercial general liability coverage, right?  Maybe.  When the resultant damage is loss or improper disclosure of data, as contrasted with injury to a person or damage to physical property, traditional policies increasingly exclude coverage.  Consider, for example, ISO exclusion CG 21 06 05 14, which in 2014 began to exclude from CGL coverage “injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”  Translation – we don’t cover data breaches, no matter the cause.

The odds of finding coverage for data breach events in traditional insurance policies are getting worse.  Quickly.  If you haven’t already cannon-balled into the data privacy insurance pool, it’s time to at least dip your toe.  The water’s probably not as bad as you think.

Some have called higher education institutions the “center of the bulls-eye” when it comes to data breach targets.  That’s probably a bit too dramatic.  Just a bit.

Higher ed institutions need their networks to be accessible by large numbers of students and faculty members across a broad range of locations.  Students and professors produce and consume an enormous volume of electronic data.  And schools store the good stuff – think financial, medical and personally identifiable information.  The combination of perceived vulnerability and valuable information is kind of a perfect storm.

And the storm has officially made landfall.  Richard Perez-Pena, of the New York Times, did a nice job covering this climate change in his 2013 article, “Universities Face a Rising Barrage of Cyberattacks.”  Perez-Pena reported that the University of Wisconsin was seeing 90,000 – 100,000 hacking attempts per day.  Berkeley reported millions of attempts per week.  He notes that these institutions, between student and faculty data and research, are “among the most open and robust centers of information exchange in the world.”  Open and robust is a good thing, right?


Most hacking attempts are not successful.  But an alarmingly increasing number of them are.  It has been reported that in 2014 the University of Maryland, North Dakota University, Butler University and Indiana University all suffered “mega breaches,” attacks compromising over 100,000 records.  Over 25 other schools reported smaller breaches, including our own Penn State.  These breaches were a case of the hiccups compared to the 2011 breach at Maricopa County Community College.  Over 2 million records were compromised.  A class action lawsuit sought $2,500 per affected person.  That’s claimed damages over $5 billion.  With a “B.”

Remarkably, many schools still do not have data privacy insurance.  Some cite cost as a factor, but coverage is generally more affordable than most assume.  More importantly, data breach coverage has officially become one of those things that even if you can’t afford it, you really can’t afford not to have it.  Like, um, commercial general liability insurance.  Or directors and officers insurance.  And…well, I think you get my drift.

In the European Union, data privacy is a fundamental right.  Think life, liberty and the sanctity of your Gmail inbox.  The EU’s data privacy laws are therefore more stringent than similar laws in the United States.  From 1995, when the EU’s laws came into effect, until 2000, this was a big problem for US companies doing business internationally.  Compliance with stricter data privacy laws is expensive, logistically difficult, and – well – really, really expensive.

On July 26, 2000, everything changed.  The European Commission adopted the “Safe Harbor Adequacy Decision.”  This allowed US companies to opt in and self-certify that they complied with a stipulated set of US/EU data privacy standards.

On October 6, 2015, everything changed.  Again.

The Court of Justice of the European Union (CJEU), in the matter of Maximillian Schrems v. Data Protection Commissioner, invalidated the Safe Harbor Adequacy Decision.  Max, a Facebook user since 2008, had initiated the case before the Irish Data Protection Commissioner (yeah, they have that).  He complained that Facebook sent his information from servers in Ireland to servers in the US for storage, and that based on Edward Snowden’s accounts of the NSA’s access to private data, his data had no real protection against surveillance by the United States.  Basically, safe harbor, shmafe harbor.

The Commish upheld the validity of safe harbor.  Max appealed to the Irish High Court, which stayed the case and referred the question of the validity of safe harbor to the CJEU.  The CJEU said safe harbor, shmafe harbor, stating that “[t]he United States intelligence services’ access to the data transferred seems to extend to the content of the electronic communications, which would compromise the essence of the fundamental right to respect for privacy [and could] compromise the essence of the fundamental right to protection of personal data.”  Translation, NSA not okay.

US companies are scrambling to figure out EU data privacy compliance plans.  Legislators are looking for legislative solutions.  It’s kind of a big deal.

But this blog is about insurance, isn’t it?  Yes, it is.

The insurance implications of the Schrems decision are also a big deal.  When the ‘data privacy and cyberliability’ insurance policies now in place were issued, safe harbor was totally a thing.  Many of those policies include coverage for regulatory investigations and resultant penalties.  When safe harbor was a valid way to comply with EU data privacy laws, US companies’ exposure to EU regulatory enforcement was relatively well-understood and quantifiable.  With safe harbor going the way of the flip-phone, a key data point in risk profile assessment has essentially become a complete unknown.  Complete unknowns and insurance underwriters are not friends.  In fact, rumors are that they have not spoken since asbestos became a thing.

It remains to be seen how quickly and aggressively EU authorities target US companies for regulatory enforcement.  US companies have recently seen a dramatic increase in enforcement action from state attorneys general and the FCC.  It is not unreasonable to expect the same type of increased activity from EU authorities.  More investigations.  More penalties.  Wait for it…More claims.

The cyberinsurance market is still relatively young.  Carriers have struggled to price premiums in the absence of sufficient actuarial data and extensive loss histories, and these problems are exacerbated by the rapidly changing nature of the risk itself.  Schrems is only one example of how quickly and dramatically the cyberliability landscape is changing.  It should by now be taken for granted that US companies, and indeed all companies, need to approach initial policy retention with great care.  The policy review and purchase process should be the result of a team effort, including IT, legal and business consultants and decision-makers who have discussed in detail the types of data that they control, the data security measures in place and to be put in place, and potential points of exposure.

The same careful approach must be taken during the annual renewal process.  Companies cannot simply renew data privacy and cyberliability policies in the same manner that they renew CGL or D&O policies.  The risk and the rules are changing too rapidly.  Every year, companies should get the gang back together to review policy language and to discuss legal, business and technological developments that impact coverage.  Coffee should be served.  And donuts.


New Jersey residential landlords have one more issue to consider when deciding whether to commence summary dispossession actions against their Tenants. On January 17, 2014, Gov. Chris Christie signed into law Assembly Bill 3851. Pursuant to this new law, every residential lease agreement executed on or after February 1, 2014, which affords a Landlord the right to recover its attorneys’ fees and costs incurred in any action against the tenant shall be construed to contain a reciprocal right in favor of the tenant regardless of the express terms of the lease. Luckily, this law does not apply to commercial lease agreements.

The primary reason for “incorporation” (in the case of a limited liability company or limited partnership, “formation”) is the insulation of shareholders/members/partners from obligations of the corporation/LLC/LP. Normally, limited liability will not be abrogated. However, the “corporate veil” which affords protection to the shareholders/members/limited partners may be “pierced” when the corporate form is used for wrongful purposes (such as fraud or to evade creditors). The doctrine of “piercing the corporate veil” was developed to prevent the corporate form from being utilized to defeat the ends of justice, perpetrate fraud, accomplish a crime, or otherwise evade the law. This doctrine also extends to situations involving multiple corporations which are often effectively managed as a single enterprise. When business is conducted through several corporate entities without distinguishing among them, there is a risk that a court will collapse some or all of the entities into one, imposing liability on the controlling individuals.

Imagine waking up and reading this headline: “Your City Bans Your Family/Small/Medium/Big Business.” This week, the citizens of San Francisco awoke to a unanimously enacted ban on the sale of bottled water on public property. Wow.

This is not an industry that you’d expect to be legislatively shut out of an entire market. But now more than ever, the law and legislation change rapidly and drastically. Information is immediately available. Analyses are deeper and more complete. Public opinion is swift and harsh. The fact that you’ve been doing business the same way for 30 years does not mean that things won’t change tomorrow.

So what do you do?

Contracts are about preparing for the worst. Define your obligations, then limit your liability. Disclaim warranties. Require notice and an opportunity to cure. Nobody wants to think about their relationships going bad when they begin, but NOBODY wants to be the person who didn’t do just that.

The “forum selection clause” provides important protection in the new-ish global economy. The forum selection clause is an agreement to an exclusive litigation locale. This can be a particular country, state or even municipality.

When disputes arise, litigation locale can be used as a way to harass or otherwise disadvantage the party being sued. Consider the buyer in New York who purchases goods from a company in San Francisco. If the buyer is not happy, where do you think it’s going to sue?

Imagine if Germany could have required Russia to fight on its home field in World War Two. The front on which wars are fought can be outcome determinative.

Absent a forum selection clause, most courts follow the “first-filed” rule, meaning that the first-filed action is where the parties must litigate. Meaning, if you lose the race to the courthouse, you’d better start asking around for lawyers across the country, hope you have plenty of coverage at the office and buy a plane ticket. Several tickets, actually. For small- and medium-sized businesses, the cost of litigating thousands of miles from home can be devastating.

An enforceable forum selection clause, however, can trump the first-filed rule. That’s exactly what happened in Ingres Corp. v. CA, Inc., 8 A.3d 1143, 1145 (Del. 2010). In Ingres, the parties had agreed to litigate disputes exclusively in Delaware or New York. One of the parties, a California company, sued in – you guessed it – California. The defendant then filed a second lawsuit in Delaware, the agreed-upon forum. The California Plaintiff sought to stay the Delaware action on the basis of the prior California case.

The court denied the stay request, holding that the parties “agreed in the [contract to] adjudicate all claims in … a specific forum. By enjoining the [California Plaintiff] from proceeding in a different forum, I simply hold it to the promises it made – promises that remain binding upon it.” The Delaware Supreme Court affirmed, concluding simply that the lower court “carefully considered the parties’ contractual agreements and enforced the forum selection clause included therein.”

Litigating far from home is not always avoidable. It will be anything but a comedy the night before you have to fly to wherever on the eve of trial. But including litigation locale among your usual negotiation points can eliminate the funny business associated with forum selection. At the very least, you can better assess the risks associated with and value of doing business with foreign companies if you know where disputes will be litigated. And once you do that, you can raise a glass and toast the new relationship that isn’t ever going to sour. Cheers!
