Articles Posted in News and Policy

There are Chinese websites offering distributed-denial-of-service (“DDoS”) attacks for sale.  Reminder: DDoS attacks generally involve a hacker taking control of a bunch of internet-connected computers, or botnets, and telling them to flood a webserver with enough activity to crash the system.  While Chinese sites get a lot of press, there are plenty of other places to purchase botnet attacks. You can even specify how many botnets you want flooding a particular system and for how long.  I read on a web forum that you can rent 1,000 botnets for an hour for as little as $25.

And for that, I’m thankful.

What? You heard me.

I frequently hear that cyberinsurance decisions are made solely by Risk Managers.  In the typical circumstance, that makes sense.  Risk Managers manage risk.  But cyberliability, at this stage, is not a universe of typical circumstances.

The nature of the risk is new and rapidly changing.  Actuarial data is sparse.  Carriers and Risk Managers frequently have incomplete understandings of insureds’ IT infrastructure and exposure.  As a result, unlike the standard policy forms that have evolved over decades in other contexts, cyberinsurance policies are all over the place in terms of coverage grants and exclusions.  Amid this lack of uniformity, many insureds likely have coverage that is inappropriate or incomplete.

There is good news.

Let’s play a word association game.  What is the first word that comes to mind when I say the phrase, “data breach”?  If you thought, “hacking,” you’re not the only one.  But according to many accounts, hacking accounts for only about a third of data breaches.

Plain old theft, in its more traditional, purse-snatching form, accounts for another ten percent of breaches.  While laptop theft is the most common cause in this context, there have been many data breaches in the past year caused by the theft of desktop computers, thumb drives and, of course, smart phones.  Obviously, thumb drives and phones are the easiest to snatch.  They are also increasingly becoming key operational elements in nearly every industry, and I expect the number of breaches caused by their theft to likewise trend upward.  Another ten percent of breaches are caused by “malicious insiders,” disgruntled current or former employees who damage or sell data for all of the obvious reasons.

You probably haven’t raised an eyebrow yet.  But we’ve only covered the causes of about half of data breaches.  What about the other half?

Some have called higher education institutions the “center of the bulls-eye” when it comes to data breach targets.  That’s probably a bit too dramatic.  Just a bit.

Higher ed institutions need their networks to be accessible by large numbers of students and faculty members across a broad range of locations.  Students and professors produce and consume an enormous volume of electronic data.  And schools store the good stuff – think financial, medical and personally identifiable information.  The combination of perceived vulnerability and valuable information is kind of a perfect storm.

And the storm has officially made landfall.  Richard Perez-Pena, of the New York Times, did a nice job covering this climate change in his 2013 article, “Universities Face a Rising Barrage of Cyberattacks.”  Perez-Pena reported that the University of Wisconsin was seeing 90,000 – 100,000 hacking attempts per day.  Berkeley reported millions of attempts per week.  He notes that these institutions, between student and faculty data and research, are “among the most open and robust centers of information exchange in the world.”  Open and robust is a good thing, right?

Beware of the checks your on-line privacy and security policies write. If your you-know-whats can’t cash them, plaintiffs might.

Increasingly, plaintiffs are filing lawsuits after “hackers” access their personal information through undersecured websites or electronic databases. Almost every company holds some type of customer information in electronic form. As companies enhance their web presences, many have posted security and privacy policies. If you’re a business owner, you likely have one (if you don’t, you should). And if you’ve ever used the internet (if you haven’t, you’re not reading this article), you’ve seen links to these at the bottom of web pages, and you’ve probably ignored them. I certainly have.

Here’s the problem for businesses – hackers are hard to find and are usually judgment proof. If your data security is breached, and if your customers want to sue somebody, they are going to sue you.
