Yes, I’m late to the party.  President Obama signed the Cybersecurity Act of 2015 into law over a month ago.  Plenty of ink has already been spilled about it.  The act encourages, but does not require, companies to share information about data breaches and responses with each other and with the federal government.  Most of the ‘controversy’ has centered on the act’s perceived lack of privacy protections for individuals whose information is shared.

Yawn.

Privacy is important.  Measures should be taken to protect individuals’ data, and the act does include at least some level of protection.  Whether it’s enough remains to be seen.

The more interesting issue is whether the act can even be effective at preventing data breaches.  Somehow, that issue seems to have been largely lost in the shuffle.  Many on the tech side doubt that the act can have a significant impact.  “Cybersecurity through information sharing is like driving a car by looking in the rearview mirror,” explained Brett Helm, CEO of cybersecurity firm DB Networks.  Because threats are rapidly evolving, and because most of the biggest breaches are caused by unique types of attacks, gathering information about past attacks may be only marginally beneficial, like studying physical diseases that people just don’t get anymore.

The effectiveness of the act should drive the privacy protection debate.  If the act is effective, shouldn’t the concern over privacy be abated by the fact that additional data breaches were prevented, resulting in the compromise of fewer individuals’ data? If the act is not effective, the problem isn’t the information exchange.  It’s the fact that massive amounts of data remain vulnerable.

The Cybersecurity Act of 2015 is certainly not going to be the last federal word on cybersecurity.  We can expect to see attempts to standardize breach notification, to impose security standards and possibly even to standardize liability exposure.  As these new laws are debated, however, we should not lose focus on the primary goal of preventing breaches in the first place, with the aftermath of the breach being a secondary concern.


There are few cases interpreting stand-alone cyberinsurance policies.  So, when there is a development in one of them, however unrelated to the novel construction issues raised by these new(ish) policies, it’s worth a word.  Or 350.

Travelers v. Federal Recovery Services, Inc. (D. Utah No. 2:14-CV-170) is not a remarkably interesting case.  It was one of the first times that a court issued a written opinion deciding whether a claim implicating electronic data misuse was covered by a cyberinsurance policy.  But the Court found that the insured’s intentional withholding of the data from its rightful owner triggered an exclusion barring coverage for the insured’s intentional misconduct.  A CGL decision in cyber-clothing.

Armed with the court’s holding that Travelers had no duty to defend or indemnify, Travelers filed a motion for summary judgment.  In the bag, right?

Wrong.  See 2016 WL 146453 (Jan. 12, 2016).

The court spared the insured’s breach of the covenant of good faith and fair dealing claim.  The insured argued that Travelers breached the covenant by refusing to accept notice of the claim and waiting to begin its investigation until after the formal initiation of litigation.  The insured argued that this delay left it exposed to damage between the time it first tendered the claim in December 2012 and the time Travelers issued a final denial of coverage in June 2013.  With the assistance of some expert testimony about claims handling processes, the insured won itself a trial.

Still not exactly remarkable.  There is one interesting rub, though.  The claims handling process is likely to be more scrutinized in the cyber-context than with respect to traditional lines, as cyberinsurance policies, particularly first party claims seeking breach response, are extremely time-sensitive.  Any delay can have major ramifications.  That wasn’t exactly the case in Travelers v. FRS, but given the dearth of case law in this context, that’s not going to keep the case out of briefs.  “Though no court has explicitly applied a heightened standard of care in the context of cyberinsurance claims handling, courts have recognized the need to scrutinize carrier delays in resolving this type of coverage dispute…”.

Lawyers…

And your policy may or may not have you covered.  If you want to know a little bit more (I know you do), follow this link to TheEmployerHandbook.com, where my colleague, Eric Meyer (aka “The Blog King,” aka “I’m Very Important,” aka “The Rock Star”) has graciously allowed me to guest post on the topic.  While you’re there, feel free to poke around and get some good information about employment law from a management-side employment attorney.  He’s much funnier than I am, in his not-that-humble opinion.

I’m pleased to announce that Louis Guard, Counsel and Chief of Staff at Hobart and William Smith Colleges, and I will be presenting at the University Risk Management and Insurance Association’s Western Regional Conference on February 17, 2016 in Denver, Colorado.  The presentation, “Cyber 2.0: What We’ve Learned So Far and What We Haven’t,” will discuss the need for cyberinsurance in the higher education industry, the critical elements of coverage and several specific, complex issues faced by schools in this context.  Whether your school is considering procuring cyberinsurance for the first time or is looking to identify key issues in the renewal process, we’ll give you concrete take-aways to facilitate a more informed and more up-to-date analysis.  Plus, we’re hilarious.  See you in Denver!

Commercial property and liability insurance policies typically contain exclusions for terrorist acts.  Terrorism exclusions became industry standard following 9/11, the largest single insured loss ever, with estimated damages between $30 – $70 billion.  With reinsurers thereafter making the terrorism exclusion a condition of reinsurance, primary carriers quickly adopted terrorism exclusions that are so common today that it’s pretty much taken for granted that policies will include them.

The London-based Cyber Risk and Insurance Forum (CRIF) recently offered two statistics illustrating why the same fait accompli attitude cannot be taken with respect to cyberinsurance.  CRIF reported that 58% of hacking activity emanates from entities or individuals that could be characterized as terrorists, or “hacktivists,” meaning that the breach had political, social, religious or other similar motivations.  CRIF further reported that in the London market, nearly 80% of policies examined excluded this type of risk.  Simply stated, a majority of policies did not cover a majority of the relevant risk.

There is no case law illustrating what is and what isn’t cyber terrorism.  There have, however, been headline-grabbing hacks that carriers would likely view as within the scope of a terrorism exclusion.  In 2014, the “Guardians of Peace” hacked into Sony Pictures Entertainment’s network and threatened 9/11-style attacks at theaters that showed the film “The Interview,” a movie premised upon an assassination attempt on North Korean Supreme Leader Kim Jong-un.  Sony initially cancelled the theatrical release and President Obama imposed additional sanctions on North Korea.

The 2015 Ashley Madison hack involved a fact pattern more along the lines of a law school exam, where a compelling case could be made for or against application of a terrorism exclusion.  The “Impact Team,” a vigilante justice group, threatened as follows: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”  By other websites, the Impact Team meant “Cougarlife.com.”  Apparently, that site did not offend the Impact Team’s social or moral agenda.

Was the Ashley Madison hack an act of terror?  It would likely depend on the policy language.  But with more than half of cyber risk at least arguably within the scope of terrorism exclusions, these exclusions cannot be taken for granted as in other contexts.


The Target data breach reportedly impacted over 100 million people.  The Anthem breach, approximately 80 million.  And the Ashley Madison hack made almost 40 million users nibble their nails while the world skimmed that now infamous “list.” But one of the most notable cyberinsurance developments of 2015 was the introduction of a policy designed to protect just one person.

The big retailers, financial institutions and healthcare organizations dominate the data breach headlines, but high-net-worth individuals have exposure to the same types of cyber security issues more typically associated with large corporations.  For obvious reasons, hackers have begun to turn their attention to the theft of high-net-worth individuals’ financial data and account information.  Hackers have also begun to cause considerable trouble by digging into high-profile individuals’ healthcare records, and by posing as these individuals on social media platforms.  And without IT departments protecting networks and responding to threats, the rich and the famous have become a fairly enticing target for cyber crime.

In 2015, Privilege Underwriters Reciprocal Exchange (PURE) introduced CyberSafe Solutions, a cyberinsurance policy for high-net-worth individuals.  The policy covers identity theft, unauthorized financial transactions and liability for cyber-related actions and damages.  With the policy, PURE also provides cybersecurity educational resources, a help line and a ten-point cyber risk assessment of the policyholder’s home network.  Through its partnership with Concentric Advisors, PURE is also offering a more in-depth home cyber security audit, a detailed analysis of policyholders’ web profiles to gauge the type and scope of security exposure and “CyberShield,” a product that is basically an alarm system/emergency responder for your home network.  These risks are not likely covered by homeowner’s or any other insurance, and yet they are becoming among the most likely to manifest, particularly for individuals whose personal data is the most valuable.

Wishing you all a happy and a healthy (physically and digitally) holiday season.

Among the more difficult decisions faced by companies buying cyberinsurance is determining appropriate policy limits.  The truth is that there is no one way to determine appropriate limits.  Businesses should consider their industry, their annual revenue and the types and amount of records that they process and maintain.  There are also really interesting tools out there, like this Data Breach Cost Calculator.  But unlike most other forms of insurance, where loss histories and experience allow businesses to comfortably select appropriate coverage limits, finding the right cyberinsurance limits remains a challenge.

The Ponemon Institute’s 2015 Cost of Data Breach Study was released this past June, and it offers valuable insight into the costs associated with data breaches.  The Study found that the average, all-in cost of a data breach was $3.8 million.  This number is by no means gospel.  However, Ponemon did survey 350 companies across four continents and 16 industry sectors, and the surveyed companies had data breaches ranging from relatively small (about 3,000 records) to over 100,000 compromised records.  This finding makes those $5 million policies that so many companies seem to be snapping up seem fairly reasonable.

Ponemon also reports that, in the United States, the average per-compromised record cost following a breach is $217.  For healthcare records, that number rises to $363 per record.  Based on the number of records a business processes and maintains, it may be able to estimate the potential cost of a breach.  This approach has its difficulties though.  Most notably, a business can’t possibly know ahead of time whether a particular breach will reach all of its records or only a narrow subset.

Which leads to my final point.

There are ways to minimize breach costs.  Ponemon found that the cost of a breach is linearly related to the mean time that it takes to identify the problem and contain it.  That means that having an incident response team with a pre-determined incident response plan (preferably that has been tested – think fire drill) will reduce data breach costs.  Ponemon also found that extensive use of encryption and employee training were other keys to limiting costs, but the clearest way to reduce exposure is to have personnel ready to respond to a breach when it occurs.

No one can tell you precisely what limits will strike the balance between cost-effectiveness and comprehensive coverage.  But considering the average cost of a breach, the average per-record cost of a breach and the actual steps taken to mitigate the effects of a breach should help guide the conversation.

If this post gets lost amid the too-good-to-be-true Cyber Monday deals and e-mail ambushes, it won’t be a complete surprise but would be something of a shame.  Since arriving on the holiday shopping scene in 2005, Cyber Monday has become one of the biggest shopping days of the year.  In 2014, consumers spent $2.68 billion shopping on-line, and the average transaction was only about a hundred bucks.  I’m not great at math – a lot of lawyers aren’t – but that is a lot of transactions.  A lot of credit card numbers.  Physical addresses.  E-mail addresses.  A lot of data with significantly more resale value than the Tickle-Me-Elmo that still intermittently tee-hees from a cardboard box in your attic.

Which brings us neatly to a simple tip about retroactive dates: Policyholders should negotiate retroactive dates prior to Cyber Monday and, for that matter, Black Friday.

A retroactive date is the date identified in an insurance policy that serves as a gatekeeper of sorts.  Events that occurred prior to that date, no matter when the resulting claim is made, are not covered.  When it comes to cyberinsurance, and really any insurance, it’s in the policyholder’s interest to push that date back as far as possible.  But it may be in the margins where the real difference is made.  Most people think of retroactive dates in terms of the number of years back a policy will go in terms of the triggering event.  Policyholders, however, should be equally attuned to key days, weeks and months of the year when the opportunity for cybercrime is most pronounced – i.e., right now.

As noted in Nicole Perlroth’s New York Times article not quite a year ago, security experts like to say that there are two types of companies, those that have been hacked, and those that do not yet know that they have been hacked.  The increased risk of a data breach during the highest web traffic days of the year warrants careful consideration when negotiating a cyberinsurance retroactive date.  And, accounting for the risk that you may forget this important detail, just remember that catchy retro Bangles tune and the goal of making this Cyber Monday just another in a decade-long string of manic Cyber Mondays.

There are Chinese websites offering distributed-denial-of-service (“DDoS”) attacks for sale.  Reminder: a DDoS attack generally involves a hacker taking control of a large number of internet-connected computers (each compromised machine is a “bot,” and the collection under the hacker’s control is a “botnet”) and directing them to flood a web server with enough traffic that it can no longer serve legitimate users.  While Chinese sites get a lot of press, there are plenty of other places to purchase botnet attacks.  You can even specify how many bots you want flooding a particular system and for how long.  I read on a web forum that you can rent 1,000 botnets for an hour for as little as $25.

And for that, I’m thankful.

What? You heard me.

We used to think of hacking as an activity reserved for evil geniuses with rare abilities.  Like Dade “Zero Cool” Murphy from “Hackers,” or Gavin Orsay in “House of Cards.”  Because so few people were capable of launching attacks, we perceived the likelihood of their occurrence as, well, unlikely.

The ability to cheaply buy hacking attacks may have two positive consequences.  First, it should dispel any remaining belief that hacking attacks are rare or unlikely to affect a particular target.  Hacking attempts are common, and now anyone can cause them.  As attempts have increased, the number of immune targets has dwindled to nearly nada.  Fact: hacking attempts are an omnipresent threat that must be dealt with by every business.

The second positive consequence is more of a hypothesis at this point.  As botnet attacks flood our systems with increasing frequency, our IT security should become stronger, whether because a greater variety of threats become recognizable by our firewalls or because the rising number of attacks cause software developers and businesses to invest greater resources in defensive measures.  Whether the story unfolds this way remains to be seen, but it makes good sense.  Don’t you think?

At a minimum, the $25 hack-attack should at least grab people’s attention.  And given the stakes, for that, I am thankful.
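To make the “flood a web server” reminder above concrete, here is an added example of what such an attack looks like from the defender’s side.  It is not code from the original post or from any vendor mentioned on this page.  It parses web-server access-log lines in the common Apache/nginx format, counts requests per fixed time window, and flags a window whose request count exceeds a baseline, distinguishing a distributed flood (many distinct client addresses, the botnet case) from a single-source flood (one address, which may just be a misbehaving client).  The log lines, the thresholds and the IP addresses are all constructed for illustration and are assumptions, not data from the page; real baselines have to be tuned to the site’s normal traffic.

```python
"""Added example (not from the original post): spotting a volumetric HTTP
flood in web-server access logs and telling a distributed flood apart from
a single-source one.

Assumptions (mine, not the post's): lines are in the common Apache/nginx
format  client_ip - - [timestamp] "request" status bytes ; the thresholds
below are illustrative, not measured baselines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window=timedelta(seconds=10), max_rate=20, min_sources=5):
    """Bucket requests into fixed windows and flag windows above max_rate.

    Returns a list of (window_start, request_count, distinct_ips, kind), where
    kind is "distributed" when at least min_sources client addresses took
    part and "single-source" otherwise.  max_rate is the (assumed) number of
    requests per window that normal traffic never exceeds.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    if not events:
        return alerts
    start = events[0]["ts"]
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e["ts"] - start) / window)].append(e)
    for idx in sorted(buckets):
        evs = buckets[idx]
        if len(evs) <= max_rate:
            continue
        ips = {e["ip"] for e in evs}
        kind = "distributed" if len(ips) >= min_sources else "single-source"
        alerts.append((start + idx * window, len(evs), len(ips), kind))
    return alerts


# --- constructed sample log (not real traffic) -------------------------------
_BASE = datetime(2015, 11, 27, 9, 0, 0, tzinfo=timezone.utc)


def _line(ip, second, path="/index.html", status=200, size=512):
    ts = (_BASE + timedelta(seconds=second)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Normal traffic, then a 30-bot flood, then one noisy client, then calm."""
    lines = [_line(f"10.0.0.{1 + i % 2}", i) for i in range(10)]            # 0-9s: 10 req
    lines += [_line(f"203.0.113.{1 + i % 30}", 10 + i // 6) for i in range(60)]  # 10-19s: 60 req, 30 IPs
    lines += [_line("198.51.100.7", 20 + i // 3) for i in range(30)]      # 20-29s: 30 req, 1 IP
    lines += [_line("10.0.0.1", 30 + i) for i in range(5)]                # 30-34s: 5 req
    lines.append("not an access log line")                               # junk, skipped
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for when, count, sources, kind in detect_floods(SAMPLE_LOG):
        print(f"{when.isoformat()}  {count:3d} requests from {sources:2d} address(es): {kind}")
```

The window with 60 requests from 30 addresses is reported as distributed and the window with 30 requests from one address as single-source; the normal windows and the malformed line produce nothing.  A real firewall or WAF applies the same idea with much better baselines, per-path limits and per-client rate limiting, but the distinction between one loud client and many coordinated ones is exactly what turns a rented botnet into something your logs can recognize.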

I frequently hear that cyberinsurance decisions are made solely by Risk Managers.  In the typical circumstance, that makes sense.  Risk Managers manage risk.  But cyberliability, at this stage, is not a universe of typical circumstances.

The nature of the risk is new and rapidly changing.  Actuarial data is sparse.  Carriers and Risk Managers frequently have incomplete understandings of insureds’ IT infrastructure and exposure.  As a result, unlike the standard policy forms that have evolved over decades in other contexts, cyberinsurance policies are all over the place in terms of coverage grants and exclusions.  Amid this lack of uniformity, many insureds likely have coverage that is inappropriate or incomplete.

There is good news.

Insureds that are fortunate enough to have Risk Managers often have Chief Information Officers.  These folks know your IT infrastructure like it’s their job.  Funny, right?

By many accounts, including a thorough article by Kathleen Richards in Information Security Magazine, IT professionals nevertheless often have no involvement in cyberinsurance decisions.  This is a problem.  Without consulting the individual most familiar with your IT infrastructure, it is less likely that you get the coverage you need and more likely that you pay for unnecessary coverage.

But here’s your real takeaway.

Having an IT professional at the table makes it less likely that an insurer denies coverage altogether.  Carriers have shied away from “penetration testing,” or actual testing of insureds’ network security.  Instead, carriers rely on policy applications that contain a multitude of detailed questions about IT security practices.  At least one carrier has already sought to deny coverage based on its contention that the insured did not employ the actual security practices identified in its policy application.  See Columbia Casualty Co. v. Cottage Health Systems, No. 2:15-cv-03432 (Central District California) (dismissed on other grounds).

If a CIO is part of your team, manage the risk of having inappropriate or no coverage.  Talk to your IT professionals.  They don’t bite (probably).

