Tag Archives: confidential information

Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 milion.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B: This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

•     costs associated with post-data breach notification

•     credit-monitoring services

•     forensic investigation to determine cause and scope of a breach

•     public relations efforts and other “crisis management” expenses

  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types coverages, as well, including media liability coverage (for claims for alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

Cybersecurity: Five Tips on Disclosure Requirements

With annual reporting season underway, C-suite executives wake to another day and another data breach. Target, Michael’s, Snapchat, Facebook, Twitter, Adobe — the list goes on and on. By now, all companies should appreciate that, notwithstanding the most robust and sophisticated network security, any company is a vulnerable next “Target” for a serious cybersecurity incident. Consequences typically include negative publicity, reputational damage that hurts customer and investor confidence, lost market capitalization, claims and legal disputes, regulatory investigations — and falling stock prices. In the wake of its high-profile data breach, Target’s directors and officers were hit on Jan. 29, 2014, with a shareholder derivative action alleging that “Target shares were trading above $63.50 on Dec. 18, 2013, before the news of the data breach and have fallen over 10.5% to $57.60” and that “Target … has suffered considerable damage from breach.”1

In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity incidents in general, companies are well-advised to consider whether their current cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk factor disclosures may assist a company in avoiding a Securities and Exchange Commission (SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action litigation and shareholder derivative litigation in the wake of a cybersecurity incident that hurts the company’s stock price — or, at a minimum, may mitigate a company’s potential exposure in the event of such litigation.

The Form 10-Ks that public companies are preparing to file in the coming weeks present a significant opportunity for companies to review and strengthen their cybersecurity risk factor disclosures. Below are five tips that companies may wish to consider in reviewing the adequacy of their existing cybersecurity disclosures:

SEC Disclosure Guidance

By way of background, companies must keep in mind that, although existing disclosure requirements do not (yet) expressly reference “cybersecurity,” the SEC’s Division of Corporation Finance (SEC staff) has emphasized the importance of appropriate cybersecurity disclosures. In the wake of what it termed “more frequent and severe cyber incidents,” the SEC issued cybersecurity disclosure guidance,2 which advises companies to review, on a continuing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.3

While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the SEC’s guidance stresses that existing requirements oblige companies to make appropriate cybersecurity disclosures. 

SEC Chairwoman Mary Jo White reaffirmed a company’s current cybersecurity disclosure obligations in response to an April 9, 2013, letter received from Senate Commerce Chairman Jay Rockefeller.4 In his letter, Chairman Rockefeller urged the SEC to “elevate [its] guidance,” noting that “investors deserve to know whether companies are effectively addressing their cybersecurity risks.” In response, Chairwoman White emphasized that “[e]xisting disclosure requirements … impose an obligation on public companies to disclose risks and events that a reasonable investor would consider material” and that “cybersecurity risks are among the factors a public company would consider in evaluating its disclosure obligations.”5 Chairwoman White also highlighted that cybersecurity risk “is a very important issue that is of increasing concern” and stated that the SEC “continues both to prioritize this important matter in its review of public company disclosures and to issue comments concerning cybersecurity.”

In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such that the disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the company. The guidance proceeds to advise that appropriate disclosures may include the following:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.6

Although the guidance does not add cybersecurity disclosure obligations, it is abundantly clear that failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that hurts a company’s stock price.

The Five Tips

The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures based on the SEC’s disclosure guidance as well as comments issued to approximately 55 companies over the last two years.

1. Perform a cybersecurity risk asssessment. The SEC staff states in its guidance that it expects companies to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents as well as the adequacy of preventive actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware. To facilitate adequate disclosures, companies should consider engaging in a thorough assessment concerning their current cybersecurity risk profile and the impact that a cybersecurity breach may have on the company’s business. In addition to positioning the company to provide adequate cybersecurity risk factor disclosures, the undertaking of a risk assessment is consistent with the National Institute of Standards and Technology’s recently released Preliminary Cybersecurity Framework.7 At a high level, it provides a framework for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices and to identify gaps that should be addressed to progress toward a desired “target” state of cybersecurity risk management.8 Although the Cybersecurity Framework is voluntary, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Cybersecurity Framework provides a de facto standard for cybersecurity and risk management.

2. Consider disclosing prior — and potential — breaches. To the extent a company or one of its subsidiaries has suffered a reported or known cybersecurity event, the company should anticipate that the SEC may issue a comment letter if the event is not disclosed. The following comments are typical of what a company might expect to see: 

  • We note that [your subsidiary] announced on its website that a cyber attack occurred during which millions of user accounts were compromised. Please tell us what consideration you gave to including expanded disclosure consistent with the guidance provided by the Division of Corporation Finance's Disclosure Guidance Topic No. 2.
  • We have read several reports of various cyber attacks directed at the company. If, in fact, you have experienced cyber attacks, security breaches or other similar events in the past, please state that fact to provide the proper context for your risk-factor disclosure. 

​Notably, the guidance states that appropriate disclosures may include a description of cybersecurity incidents that are material individually or in the aggregate. And the comments issued to date indicate that where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company’s risk-factor disclosure be expanded to state generally that the company has been the victim of hacking — regardless of the fact that prior events were immaterial. A few of the SEC comments to date include (in summary form):

  • We note your response that the incident did not have a material impact on the company’s business. To place the risks described in this risk factor in appropriate context, in future filings please expand this risk factor to disclose that you have experienced cyber attacks and breaches.
  • You state that you have not experienced a material breach of cybersecurity. Your response does not appear to address whether you are experiencing any potential current business risks concerning cybersecurity. For example, despite the fact you believe you have not experienced a material breach of your cybersecurity, are you currently experiencing attacks or threats to your systems? If you have experienced attacks in the past, please expand your risk factor in the future to state that.
  • We note that your response suggests that you have, in fact, experienced third-party breaches of your computer systems that did not have a material adverse effect on the company’s operations. To place the risks described in your current risk factor in appropriate context, in future filings please expand your disclosure to state that you have experienced cyber attacks and breaches.

​In addition, the SEC’s guidance advises that companies may need to disclose known or threatened cyber incidents together with known and potential costs and other consequences. Companies in targeted industries that have not yet suffered a cybersecurity incident (or are not yet aware that they have suffered an incident) should consider disclosing how the company might be affected by a cybersecurity incident — even if no specific threat has been made against the company. Below are sample summary comments received by companies based on their particular industry or peer disclosures:

  • We note press reports that hotels and resorts are increasingly becoming a target of cyber attacks. Please provide risk -actor disclosure describing the cybersecurity risks that you face. If you have experienced any cyber attacks in the past, please state that fact in the new risk factor to provide the proper context.
  • Given that other companies in your industry have actually encountered such risks from cyber attacks, such as attempts by third parties to gain access to your systems for purposes of acquiring your confidential information or intellectual property, including personally identifiable information that may be in your possession, or to interrupt your systems or otherwise try to cause harm to your business and operations and have disclosed that such risks may be material to their business and operations, please tell us what consideration you gave to including disclosure related to cybersecurity risks or cyber incidents.
  • We note that the incidences of cyber attacks, including upon financial institution or their service providers, have increased over the past year. In future filings, please provide risk-factor disclosure describing the cybersecurity risks that you face. In addition, please tell us whether you have experienced cyber attacks in the past. If so, please also disclose that you have experienced such cyber attacks to provide the proper context for your risk-factor disclosure.

3. Be specific. The SEC staff has advised that companies should avoid boilerplate language and vague statements of general applicability. In particular, the guidance states that companies should not present risks that could apply to any issuer or any offering and should avoid generic risk-factor disclosure. In addition, the guidance states that companies should provide disclosure tailored to their particular circumstances and avoid generic boilerplate disclosure. Companies that offer generally applicable statements may expect to receive comments such as the following:

  • You state that, “Like other companies, our information technology systems may be vulnerable to a variety of interruptions, as a result of updating our SAP platform or due to events beyond our control, including, but not limited to, natural disasters, terrorist attacks, telecommunications failures, computer viruses, hackers and other security issues.” Please tell us whether any such events relating to your cybersecurity have occurred in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosure.
  • We note that you disclose that you may be vulnerable to breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events. Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosures. 

4. Remember that a vulnerability “road map” is not required. Although the SEC seeks disclosures that are sufficient to allow investors to appreciate the nature of the risks faced by a company, it has made clear that the SEC does not seek information that would create a road map or otherwise compromise a company’s cybersecurity. At the outset of its guidance, the SEC staff states that it is mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a “road map” for those who seek to infiltrate a company’s network security — and that disclosures of that nature are not required under the federal securities laws. The SEC guidance later reiterates that the federal securities laws do not require disclosure that itself would compromise a company’s cybersecurity.

5. Consider insurance. Network security alone cannot entirely address the issue of cybersecurity risk; no firewall is unbreachable, and no security system is impenetrable. Insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against cybersecurity risk. Reflecting this reality, the SEC guidance advises that appropriate disclosures may include a description of relevant insurance coverage that a company has in place to cover cybersecurity risks. The SEC’s guidance provides another compelling reason for companies to carefully evaluate their current insurance program and consider purchasing cyber and data privacy-related insurance products, which can be extremely valuable.9 In the wake of a data breach such as at Target, for example, a solid cyber insurance policy may cover not only liability arising out of potential litigation, such as defense costs, settlements and judgments, but also breach-notification costs and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers and public relations efforts, as well as potential regulatory investigations, fines and penalties. Recent SEC comments have requested information regarding both whether the company has obtained relevant insurance coverage as well as the amount of the company’s cyber liability insurance.

Considering these five tips may assist companies in minimalizing the likelihood of receiving an SEC comment letter (and possibly multiple rounds of comments) and, even more importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a cybersecurity incident.

1 Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶ 76.

2The guidance defines “cybersecurity” as “body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”

3SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

4The April 9, 2013 letter is available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51

5Chairman White’s May 1, 2013 letter is available at http://articles.law360.s3.amazonaws.com/0441000/441415/512013%20Letter%20from%20SEC%20Chair%20White. pdf

6While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be appropriate in other areas of a company’s filings, including management’s discussion and analysis “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

7The Cybersecurity Framework, available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf.

8Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/

9 Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at http://www.klgates.com/before-becoming-the-next-target–recent-case-highlights-the-need-to-consider-insurance-for-data-breaches-01-16-2014/

How to Purchase Cyber Insurance

Cyber insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy and other risks. But selecting and negotiating the right insurance product can present a significant challenge, given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization’s risk profile. The following five tips will help to facilitate a successful cyber policy placement.

#1. Get a Grasp on Risk Profile and Tolerance

A successful cyber placement is facilitated by having a thorough understanding of an organization’s risk profile, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted and stored. A complete understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure and risk tolerance, it is well-positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.

#2. Look at Existing Coverage

The California federal district court’s recent decision in Hartford Casualty Insurance Company v. Corcino & Associates et al. 1 — upholding coverage under a commercial general liability (CGL) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients — underscores that there may be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal And Advertising Injury Liability” (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, D&O, E&O, professional liability, fiduciary, crime and other coverages.

#3. Purchase Cyber Insurance As Needed

As recently described in Law360,  2 in response to decisions upholding coverage for data breach, privacy, network security and other cyber risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines of coverage. By way of example, Insurance Services Office, Inc. (ISO) 3 recently filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information. 4

Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. By way of example, the AIG Specialty Risk Protector® specimen policy 5 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” 6 “Privacy Event” includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.7

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

  • costs associated with post-data breach notification
  • credit monitoring services
  • forensic investigation to determine cause and scope of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem. 

The sublimits typically associated with remediation coverage warrant careful attention. Cyber insurance policies often offer other types of coverages, including:

  • network security coverage (often in the same coverage grant as the “privacy” coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;
  • media liability coverage, which generally covers liability arising out of, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;
  • information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured’s own data or computer systems;
  • network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and
  • extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to prevent a threatened cyber attack.

In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.

#4. Spotlight the “Cloud”

Cyber risk is intensified by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March 2012, found that more than 41% of U.S. data breaches are caused by third-party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” 8 Many “off the shelf” cyber policies, however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties) and to network security threats to the insured’s own network or computer system — not the networks / computer systems of third parties. This may result in illusory coverage. As recently described in Law360, 9 the recent high-profile attack on the New York Times homepage, during which users who tried to access  www.nytimes.com were directed to a website apparently maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies because the attack was not on the New York Times “system” as defined in many policies, but rather on the system of a third-party domain name registrar.

#5. Remember the Cyber Misnomer

Keep in mind that many data breaches are not electronic — they often result from non-electronic sources. Data privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account of stolen paper records from a closet. Neither should a cyber insurance policy. A solid policy will cover non-electronic data, such as paper records. 10 Likewise, a policy should also provide coverage for physical breaches resulting from, for example, the theft of a laptop or loss of a USB drive.

There are many other considerations and points to focus on. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

This article first appeared in FC&S Legal, The National Underwriter Company on October 17, 2013.

1 No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013). The two underlying class action lawsuits alleged that Stanford Hospital and Clinics and the insured, medical consulting firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website. In particular, the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information of almost 20,000 patients of Stanford’s Emergency Department appeared on a public website and remained publicly available online for almost one full year.” Id. at 2 (quoting the Second Amended Class Action Complaint in Springer, et al. v. Stanford Hosp. and Clinics, et al., No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)). The underlying complaints contained causes of action for violations of the claimants’ constitutional right of privacy, common law privacy rights, the California Confidentiality of Medical Information Act (CMIA) and the California Lanterman Petris Short (LPS) Act. The suits sought, among other things, statutory damages of $1000 per person under CMIA and statutory damages of up to $10,000 per person under LPS.

2See Roberta D. Anderson, ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013).

3ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.

4CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled

equipment.” Id.

5See AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section.

6Id. Section 1. 

7 Id. Section 2.(d). “Security Breach Notice Law” includes “any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute known as California SB 1386 (§1798.82, et. al. of the California Civil Code).” Id. Section 2.(m).

82011 Global Cost Of Data Breach Study, Ponemon Institute LLC, at 6 (Mar. 2012).

9See Lon Berk, Takeaways From Recent Cyberattack On New York Times, Law360 (Sept. 17, 2013)

10  See Richard S. Betterley, The Betterley Report, Cyber/Privacy Insurance Market Survey, at 18 (June 2013).

The Metrics Of The Matrix: Making Sure Your Cyber-Risks Are Covered

We live in a world that is almost entirely dependent upon digital technology. Internet sales and marketing, and even the simple efficiency of how information flows, can be a critical indicator of a company's success. Along with it comes an increased risk of hackers, disruption of service, theft of intellectual property, loss or theft of financial data, or worse, the theft of a customer's confidential information. Throw in a global economy that increases international exposure, and you have a recipe for disaster. While most large corporations have sophisticated network security measures in place, small to mid-size businesses cannot afford them, or are not even aware of the potential security risks. But if you consider information to be an asset, and the means with which it is gathered and used as a measure of your company's performance, the need to protect it becomes abundantly clear.

As early as the year 2000, underwriters at Lloyds of London predicted that e-commerce1 would “emerge as the single biggest insurance risk of the 21st century.”2 They were dead on. Between 2009 and 2011, the cost of data breaches rose from $6.8 million to $7.7 million — a blistering 9%.3 As one commentator noted, the cost and number of data breaches was so high that 2011 was christened “the year of the cyber-attack.”4 Indeed, the risk was seen as so severe that the SEC released disclosure guidelines for publicly traded companies recommending the disclosure of “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”5 According to the SEC, “disclosure” includes a “[d]escription of the relevant insurance coverage.”6 Although the number of cyber-attacks decreased slightly in 2012, this should not be taken as a sign that the threat of an attack is any less likely; it just means that some companies are responding to attacks more quickly, or implementing stronger security measures on the front end.

While the threat of a cyber-attack may conjure up the image of an overzealous computer geek with the mad-cap idea of ruling the world from his mother's basement, or a network of head-to-toe-in-black cyber-villains, a competitor seeking market dominance may be an equally likely culprit. A cyber-attack can take many forms. Most commonly, a company suffers a data breach, where “hackers, [ ] current or former employees, or others steal or otherwise gain access to personally identifiable information.”7 However, there are also “phishing” and “pfarming” schemes where the culprit poses as a legitimate user to steal or redirect internet traffic, or transmit a virus. Another form of attack is known as a “denial of service” incident, designed to temporarily or indefinitely block public access to a particular website or server. This involves “saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.”8 These attacks “usually lead to a server overload.”9 The most serious attacks “are comparable to 'tak[ing] an ax to a piece of hardware,” which requires a complete “replacement or reinstallation of hardware.”10 A company targeted by a cyber-attack can suffer a loss of informational assets and a significant interruption in operations, not to mention a damaged reputation.

The theft of intellectual property may or may not come as a result of a direct cyber-attack. Rather, a rogue company may steal your ideas, your website design, your domain names and meta-tags, or they may simply advertise and sell knock-off products. Chances are, if they are not using the internet for this purpose, they got your information from the business you transact online. As if this were not enough, there is the potential liability you face if confidential information is exposed, or you inadvertently infringe upon the intellectual property of a competing business. Customers and even shareholders affected by a data breach “commonly initiate expensive and very public litigation.”11 Likewise, the pursuit of patent and trademark infringement claims has skyrocketed in recent years, and the cost of defending these claims has symbiotically followed suit. Interestingly, the protection of the intellectual property itself seems to be a concern that is almost secondary to the economic warfare that is often waged by the aggressor.

In a world where technology barely keeps up with technology, how can you effectively protect your business against the threat of a cyber-attack, and potential cyber-liability? If you own a website, engage in direct or indirect internet sales, use clouding, linking, framing, solicit business via electronic communication, conduct financial transactions on the internet, exchange information via the internet, or store information through an internet server, your company is at risk. Managing these hazards can be tricky. As seen by the recent attacks on eBay, Amazon, Yahoo, and Google, even companies that have defined internet usage are not immune. No matter how big or small you are it is absolutely imperative that you implement internal security controls to prevent and/or respond quickly to an attack. Simple measures such as encrypting data, regularly changing passcodes, conducting routine virus scans, and limiting the number of employees who have access to confidential information can go a long way. However, insuring against these risks should be your primary objective because a cyber-attack can literally destroy your business overnight.

So, how does your company measure up? Let's take a little test. Assuming you are a “brick and mortar” business is your company:

  • Insured under a Property policy?
  • Insured under a Comprehensive General Liability policy?
  • Insured under a Director's & Officer's liability policy?
  • Insured under a specialty lines policy the expressly insures first and third party Cyber-hazards?

If you answered “no” to the last question, your company is at risk. The traditional products that insure small to medium sized businesses are unfortunately inadequate to cover even the known cyber-hazards, much less the ones that are surely on the horizon as e-commerce continues to grow and change, and new markets emerge. For instance, as it pertains to the loss you may suffer as a result of a data breach, while a standard property policy covers “physical loss or damage to covered property,” the term “covered property” does not include intangible assets like data. More recent property forms either exclude coverage for data breaches outright, or subject the loss of electronic data to a minimal sub-limit of liability.

Likewise, the coverage typically afforded under a CGL policy for liability claims resulting from an unauthorized intrusion is insufficient. CGL policies provide relatively broad liability coverage, but only for certain defined risks. The policies are “menu” driven, and are endorsed to include or exclude particular coverages or risks, such as employee liability, inland marine or commercial crime. Cyber-liability may or may not inadvertently come within the coverage terms of a particular endorsement, but the standardized forms are definitely not geared towards insuring these risks.

Rather, CGL policies are split into two parts — Coverage Part A for Bodily Injury and Property Damage Liability, and Coverage Part B for Personal and Advertising Injury. The terms “bodily injury,” “property damage,” and “personal and advertising injury” are separately defined, and each coverage part is subject to its own specific set of exclusions. Under Coverage Part A, the term “property damage” is defined to mean “physical injury to tangible property” or “loss of use of tangible property” — and therein lies the rub. “Tangible property” is property that is capable of being handled, held or touched. See State Auto Property and Cas. Ins. Co. v. Midwest Computers & More,America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003); Recall Total Information Management,12

Further, while lawsuits filed against a company whose client's financial information has been exposed typically includes claims for mental anguish. Mental anguish that is not consequential to physical harm or injury, or that does not manifest itself as physical injury is not “bodily injury” under a CGL policy. See e.g. Nance v. Phoenix Ins. Co., 118 Fed. Appx. 640, 642 (3d Cir. 2004) (Pennsylvania law) Jacobsen v. Farmers Union Mut. Ins. Co., 87 P.3d 995, 999 (2004); Tackett v. American Motorists Ins. Co., 213 W. Va. 524 (2003); Armstrong v. Federated Mut. Ins. Co., 785 N.E.2d 284, 292-93 (Ind. Ct. App. 2003); Farm Bureau Ins. Co. of Nebraska v. Martinsen, 659 N.W.2d 823, 827 (Neb. 2003); Galgano v. Metropolitan Property and Cas. Ins. Co., 838 A.2d 993, 999 (Conn. 2004); Smith v. Animal Urgent Care, Inc., 542 S.E.2d 827, 830-31 (W. Va. 2000); Costello v. Nationwide Mut. Ins. Co., 795 A.2d 151, 155 (Md. App. 2002); SCR Medical Transp. Services, Inc. v. Browne, 781 N.E.2d 564, 571 (Ill. App. 1st Dist. 2002); Allstate Ins. Co. v. Diamant, 518 N.E.2d 1154 (Mass. 1988).13 On your best day, it depends upon what jurisdiction you are in as to whether or not that coverage would apply to a cyber-liability claim.

Coverage for “personal and advertising injury” nowadays is almost a joke. Generally speaking, coverage for “personal and advertising injury” is intended to address liability claims for the infringement of intellectual property rights, or other types of personal injury torts (i.e. defamation and invasion of privacy claims). Under older versions of the CGL, the terms “personal injury” and “advertising injury” were separately defined. The term “Advertising injury” included the “[m]isappropriation of advertising ideas or style of doing business” and the infringement of a “copyright, title or slogan.” Now, the terms “personal and advertising injury” have been conflated, and are defined to mean:

  1. False, arrest, detention or imprisonment;
  2. Malicious prosecution;
  3. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies, committed by or on behalf of its owner, landlord, or lessor;
  4. Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;
  5. Oral or written publication of material that violates a person's right of privacy;
  6. Copying, in your “advertisement,” a person's or organization's “advertising idea” or style of “advertisement”;
  7. Infringement of copyright, slogan or title of any literary or artistic work, in your “advertisement.”

As it pertains to a data breach, at least one Court has held that under the newer version of the CGL, theft of customer data is a “publication of material that violates a person's right of privacy.” See Norfold & Dedham Mut. Fire Ins. Co. v. Clearly Consultants, Inc., 81 Mass.App.Ct. 40 (Dec. 16, 2011). Other Courts, however, have disagreed, leaving an uncertain gap as to whether or not your policy would cover such an event. See Creative Host. Ventures, Inc. v. E.T. Ltd., Inc., 2011 U.S. App. 19990 (Sept. 30, 2011).

There is even more uncertainty with regard to intellectual property liability claims. Both older and newer versions of the CGL require that the offense occur in the course of the advertisement of your own goods, products or services. This would include internet-based sales and marketing, but not all forms of electronic commerce. The most current CGL forms in use, however, essentially gut coverage for intellectual property claims with the following exclusion:

This insurance does not apply to:

“Personal and advertising injury”:

(7) Arising out of any violation of any intellectual property rights such as copyright, patent, trademark, trade name, trade secret, service mark or other designation of origin or authenticity.

However, this exclusion does not apply to infringement, in your “advertisement,” of

(a) Copyright;

(b) Slogan, unless the slogan is also a trademark, trade name, service mark or other designation of origin or authenticity; or,

(c) Title of any literary or artistic work.

Under this widely used form, there is no coverage for trademark or copyright infringement (or any other one of the enumerated torts), unless the infringement occurs during the course of your advertisement of a slogan, unless the slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity.” The problem with this language is that whether a slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity” is not dependent upon whether the mark is federally protected under the Lantham Act. Rather, the standards for determining whether a trade or service mark is eligible for protection are the same under the common law and the federal law. 15 U.S.C. § 1051 et. seq. Two Pesos, Inc. v. Taco Cabana, Inc., 505 U.S. 763 (1992); Amazing Spaces, Inc. v. Metro Mini Storage, 608 F.3d 225 (5th Cir. 2010); Board of Supervisors for the Louisiana State University Agriculture and Mech. College v. Smack Apparel Co., 550 F.3d 465 (5th Cir. 2008); Genesee Brewing Co., Inc. v. Stroh Brewing Co., 124 F.3d 137 (2nd Cir. 1997); Laredo v. Union Nat'l Bank, Austin, 909 F.2d 839, 842 (5th Cir. 1990). It is difficult to imagine a set of circumstances where a slogan would not also be “a trademark, trade name, service mark or other designation of origin or authenticity” under the common law. Coverage is essentially illusory, or at best, ambiguous. On a good day, your insurer is going to contest whether it owes a duty to defend an intellectual property liability claim. Where does this leave you?

There may be limited coverage under your Director's & Officer's Liability policy, but the forms vary in the scope of coverage and there may not be coverage for the acts and omissions of regular employees. Further, the policy will likely only cover your liabilities to your shareholders, and those to whom you owe a fiduciary duty. Fortunately, there are newer products on the market that are specifically designed to cover cyber-related risks. In a 2005 press release, Insurance Services Organization (ISO) unveiled its E-Commerce Program to address cyber liability exposure. According to ISO, “[t]he menu-based policy comprises five separate agreements:

  • Website publishing liability provides coverage against Internet-related publishing perils, including libel against a person or organization, and copyright, trademark, and service mark infringement allegations arising out of content published by the policyholder on its website.
  • Network security liability covers the policyholder against claims for failing to maintain the security of a computer system resulting in unauthorized access and publication of personal information, such as credit card numbers or personal medical information.
  • Replacement or restoration of electronic data provides coverage for the cost of replacing or restoring electronic data lost or rendered inaccessible because of an e-commerce incident, such as a virus, malicious instruction or denial-of-service attack.
  • Cyber extortion provides coverage for extortion expenses incurred and ransom payments made because of an extortion threat. Extortion is defined as a threat to commit an e-commerce incident, disseminate the policyholder's proprietary information, reveal a weakness in its source code or publish personal information belonging to policyholders' clients.
  • Business income and extra expense provides coverage for loss of business income or extra expenses incurred as a result of an extortion threat or e-commerce incident.14

ACE, Hartford, Chubb, Chartis (AIG), Ironshore, Travelers, SafeOnline, CNA, and Zurich are among the insurers offering products specifically covering cyber-hazards.15 However, these companies may or may not have adopted the ISO forms, but may be using products that were internally developed. Still, most of the companies who have targeted this market are going to be competitive, offering coverage for a combination of network security liability, media liability, expense and damage from a violation of privacy tort, coverage for fines and regulatory expenses, loss electronic information (including the cost to recovery lost, corrupted or stolen data), cyber-extortion, and business interruption arising out of a majority of these events. Specific products also exist for liability claims arising out of patent, trademark and trade dress infringement claims, both to pay for the costs of defending those suits, or the cost to pursue a third party who infringes upon your company's intellectual assets.

By and large the cyber-liability policies currently on the market are offered on a claims-made, or claims-made and reported basis. Policies that contain first-party coverage for data breaches may contain fairly short notice requirements, as early response is critical to minimizing the loss and containing any resultant liability exposure. The only way to make sure that you are procuring the right coverage and the right amount of coverage is to (1) establish internal procedures to assess and routinely reassess your risks; (2) establish internal protocols for preventing and responding to cyber-related risks; (3) set goals and benchmarks to determine if your company is meeting expectations; (4) read the policies you currently have in effect to determine where your company stands; (5) if you determine additional coverage is necessary, read the policies carefully before you invest in premiums; and (6) evaluate your coverage on an annual basis. New insurance products are coming out about every 12-18 months. Many brokers keep specimen forms, and most are knowledgeable enough to ensure that the specific risks that you face are covered. And in today's technology-driven world, you cannot afford to leave these exposures uninsured, or underinsured. In today's world, addressing the potential risk exposures your company faces is not just a measure of your success, it may be determinative of your survival.

1“E-commerce” or e-comm is defined as “the buying and selling of products or services over electronic systems such as the Internet and other computer networks.” Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 15, 2012, < http://en.wikipedia.org/wiki/Ecommerce>. E-commerce “draws on such technologies as electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.” Id. E-commerce can be divided into: E-tailing or 'virtual store-fronts' on Web sites with online catalogs, sometimes gathered into a 'virtual mall'; the gathering and use of demographic data through Web contacts; Electronic Data Interchange (EDI), the business-to-business exchange of data; e-mail and fax and their use as media for reaching prospects and established customers; Business-to-business buying and selling; and, the security of business transactions. Id.

2 David R. Cohen & Roberta D. Anderson, Insurance Coverage for “Cyber-Losses”, 35 Tort & Ins. L.J. 891 (2000), citing Reuters Eng. News. Serv., May 9, 2000.

3 2010 Annual Study: U.S. Cost of a Data Breach 13 (March 2011); available at <http://www/symantec.com/content/en/us/abuot/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf>.

4 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012), citing Garry Byers, Rapid Cyber Attack Response: Three Days Make All the Difference, Digital Forensic Investigator News (Sept. 28, 2011), available at <http://dfinenews.com/article/rapid-cyber-attack-response-three-days-make-all-difference>.

5 U.S. Securities and Exchange Commission Division of Corporate Finance, CF Disclosure Guidance: Topic No. 2 — Cybersecurity, (Oct. 13, 2011). Topic No. 2 states that: “In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

6 Id.

7 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

8 Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 14, 2012, <http://en.wikipedia.org/wiki/Denial_of_service_attacks>.

9 Id. “In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.”

10 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012)(citing Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID= 211201088 (May 19, 2008).

11 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

12 In State Auto Property & Casualty Co. v. Midwest Computers, the Court addressed whether data lost by Mid-West after it serviced computer equipment purchased by one of its customers was “tangible property” within the meaning of a CGL policy issued by State Auto to Midwest. Id. at 1115. Holding that it was not, the Court reasoned that the term intangible referred to property that was “[c]apable of being perceived esp. by the sense of touch: PALPABLE[;] … capable of being precisely identified or realized by the mind [;] … capable of being appraised at an actual or approximate value (assets).

13 But see Voicestream Wireless Corp. v. Federal Ins. Co., 112 Fed. Appx. 553, 555-56 (9th Cir. 2004) (Washington law). Williamson v. Historic Hurstville Ass'n, 556 So. 2d 103, 107 (La. Ct. App. 4th Cir. 1990); Loewenthal v. Security Ins. Co. of Hartford, 436 A.2d 493, 499 (Md. App. 1981).

14 http://www.iso.com/Press-Releases/2005/ISO-INTRODUCES-CYBER-RISK-PROGRAM-TO-HELP-COVER-$7-TRILLION-E-COMMERCE-MARKET.html.

15 David T. Chase & Todd L. Nunn, Insurance Coverage for Cyber risks and Losses, Stay Informed, April 27, 2011, available at http://www.klgates.com/insurance-coverage-for-cyber-risks-and-losses-04-27-2011.