Tag Archives: denial of service

The State of Cyber Insurance

Cyber attacks are escalating in their frequency and intensity and pose a growing threat to the business community as well as the national security of countries. High-profile cyber incidents in 2014 reflected the expanding spectrum of cyber threats, from point-of-sale (POS) breaches against customer accounts to targeted denial-of-service (DoS) attacks meant to disable a company’s network. Businesses in ever-greater numbers sought financial protection through insurance, buying coverage for losses from data breaches and business outages.

Boost in Cyber Insurance Demand Drives Insurers’ Response

Healthcare facilities, universities and schools continue to be on cybercriminals’ radar, but attacks in the hospitality and gaming, power and utilities and other sectors reveal that no organization is immune to a cyber attack or failure of technology.

Healthcare and education clients had the highest cyber insurance take-up rates in 2014, followed by hospitality and gaming and services. Universities and schools present attractive targets because they house a vast array of personal information of students, parents, employees, alumni and others: Social Security numbers, healthcare information, financial data and research papers can all be compromised.

The broader scope of hacktivists contributed to the increase in cyber insurance purchases in 2014. Sectors that again showed notable year-over-year increases in the number of clients purchasing cyber coverage included hospitality and gaming and education. Other areas that stood out in 2014 included the power and utilities sector, with more clients buying standalone cyber coverage. Power and utilities companies frequently cite the risks and vulnerabilities associated with the use of supervisory control and data acquisition networks — which control remote equipment — and the cost of regulatory investigations as driving factors behind their cyber coverage purchases.

The reasons for purchasing cyber coverage vary from board mandates seeking to protect corporate reputations to companies looking to mitigate potential revenue loss from cyber-induced interruptions of operations. Insurers responded to this demand by offering broader cyber insurance coverage in 2014, including coverage for contingent business interruption and cyber-induced bodily injury and property damages. They also expanded availability of loss-control services, including risk-assessment tools, breach counseling and event response assistance.

Cyber Limits Rise

Companies with revenues of more than $1 billion have increased their cyber insurance limits worldwide by 42% on average since 2012, according to Marsh Global Analytics estimates. Over the same time period, healthcare companies have bought 178% more cyber insurance, and power and utilities firms have expanded their coverage by 98%.

Rising spending on cyber insurance

Source: Marsh Global Analytics. Percentage increase in spending by companies with more than $1 billion in revenues on cyber-risk insurance from 2012 through 2014.

Cyber Rates and Coverage

Increases in the frequency and severity of losses and near-constant headlines about attacks and outages kept cyber insurance premiums generally volatile in 2014. Average rate increases at renewal for both primary layers and total programs were lower in the fourth quarter than in the first. The increased loss activity prompted pricing challenges for some insureds, particularly retailers, where renewal rates rose 5% on average and as much as 10% for some clients.

Market capacity also varied according to industry. Most industries were able to secure cyber coverage with aggregate limits in excess of $200 million, while the most targeted industries, like retailers and financial institutions, faced a challenging market.

Insureds also face heightened due diligence from underwriters seeking to drill down beyond simple reviews of the company’s general information security policies. For example, insureds in the retail sector are being asked about their deployment of encryption and EMV (credit card) technology. And all insureds are now routinely asked whether they have formal incident response plans in place that outline procedures for protecting data and vendor networks and, more importantly, if such plans have been tested.

A Growing Concern

In 2015, managing cyber risk is clearly a top priority for organizations. For example, business interruption (BI) drew a lot of attention in 2014, a trend likely to continue throughout 2015. While BI has historically been thought of as the effect of a critical system going down for an extended period, technology failures and cyber attacks can create far-reaching outages affecting secondary systems, clients and even vendors. Such events can also lead to higher recovery costs, which are becoming a concern for boards of directors and senior management.

There is also concern stemming from the expansion of regulation and litigation. Regulators were active in policing cyber risks in 2014, and oversight is likely to expand significantly in coming years. With cyber risk seen as a critical issue on both sides of the aisle in Washington, D.C., companies will face regulatory challenges in 2015 and beyond.

Sectors that have already seen significant regulatory activity — for example, healthcare, financial services and education — will likely face more stringent regulations and larger fines. All industries should pay attention to existing and impending regulations, tighten controls and prepare to present and defend their compliance regime. Civil litigation in the wake of a breach or disclosure of a cyber event also escalated in 2014, with class actions at times following the disclosure of a breach by mere hours.

As demand for cyber insurance grows, remember that risk transfer is only part of the solution. Enhanced information sharing between industry and government is another step toward having a comprehensive risk-mitigation strategy. Insurers and brokers are expanding the availability of loss-prevention and risk-mitigation services such as risk-assessment tools, breach preparation counseling and breach response assistance. The expanded roster of services and enhanced coverage can provide additional value from policies, usually without a specific added premium.

What to Consider When Buying Cyber

No industry or organization, wherever situated and whatever the size, is immune to the threat of cyberattack, and the impact can be catastrophic, both financially and in terms of reputation. For example, eBay recently announced a massive cyberattack that may have exposed the personal data of 128 million customers globally.

The management of cyberrisk clearly needs to be high on the boardroom agenda. Network security alone cannot fully address the issue: Experience has shown that even top-notch, state-of-the-art cybersecurity is vulnerable.

Boards need to ensure that they identify key risks and prioritize the protection of critical information. Internal policies and procedures should be put in place to ensure that staff are aware of risky behaviors, such as disclosing passwords and opening suspicious documents in unsolicited emails. Companies need to see that network security systems and controls are regularly tested and monitored, and that response procedures are in place in case of a cyberattack or data breach.

Insurance can also play a vital role in managing cyberrisks. As part of the board’s risk assessment, it needs to understand the types of cyberrisk, and the potential losses and liabilities that follow. This is the first step in understanding the organization’s insurance requirements and the extent of coverage required for cyberrisks.

Consider the Company’s Risk Profile
An initial assessment of the company’s risk profile and areas particularly vulnerable to cyberattack is crucial. External advice may be needed. The risk assessment should extend across the organization. The assessment needs to consider the amount and type of personally identifiable information, customer data and confidential corporate data the organization maintains and how such data is used, transmitted and stored. The company’s technology infrastructure should be evaluated, as well as potential threats to network security and the likely consequences of significant interruptions to online working or customer transactions. Also consider the risk of third-party claims arising from the company’s media content and the services provided to support e-commerce.

The company needs a complete understanding of any potential impact of a cyberattack or data breach, including the wider impact on business strategy. Performing a thorough risk assessment not only helps the organization identify and address risks and potential gaps in security but can facilitate underwriting of cyberrisks and may even result in premium reductions. Once the organization has a grasp of its risk profile and potential exposures, it can consider its insurance needs.

Examine Existing Insurance Policies
Some coverage for these potential losses and liabilities may be available under existing insurance policies already held by the business. These include general liability, directors and officers liability, professional indemnity, crime and property and business interruption policies. Careful assessment of the coverage provided by these policies is essential, however, as there are likely gaps in coverage because such policies have not historically been designed to cover non-tangible assets and network-related risks. The company will need to consider whether to fill those gaps with enhancements to existing policies or through new cyberrisk products now being offered by insurers.

Consider the Need for Cyberinsurance
There are now a number of cyberinsurance products available, and the scope of coverage varies from insurer to insurer. These policies typically cover losses and liabilities such as:

  • Data liability. This covers damages and defense costs resulting from any claim against the insured from a data breach that compromises personal information. It should also cover claims alleging that information has been lost or compromised as a result of unauthorized access to, or use of, the insured’s computer systems. It is important that the policy covers not only an individual’s personal information but also employee data and confidential corporate information. Many organizations possess third-party trade secrets, customer lists, marketing plans and other information that could be beneficial to competitors and may result in liability if compromised.
  • Media liability. This insures damages and defense costs resulting from any claim against the insured for infringement of copyright and other intellectual property rights, as well as misappropriation or theft of ideas or media content. While coverage may not extend to content published in a personal capacity, this should ideally be included, as organizations may face significant liabilities as a result of employees using Twitter, Facebook and other social media.
  • Regulatory coverage. This covers the costs of response to any administrative, government or regulatory investigation following a data breach or cyberattack, as well as any fines or penalties imposed. However, this coverage is typically limited to civil fines and penalties, as criminal fines and penalties are not insurable in many jurisdictions. Some regulators, including the Financial Conduct Authority (FCA) and the Securities and Exchange Commission (SEC), prohibit regulated firms from recovering from insurers any fines or penalties the regulators impose.
  • Remediation coverage. Most policies provide coverage for additional costs associated with a data breach, including the costs incurred to notify those affected and relevant authorities, provide credit monitoring for those affected and set up call centers to field inquiries from concerned clients. Coverage may also extend to the costs of forensic services to determine the cause and scope of a breach, as well as public relations expenses and other crisis management costs.
  • Information assets coverage. The policy may include coverage for costs of recreating, restoring or repairing the company’s own data and computer systems. This may also extend to third-party data that has not been captured by back-up systems or that has been corrupted or lost because of negligence or technical failure.
  • Network interruption coverage. The policy may cover lost revenue from network interruptions or disruptions because of a denial of service attack, malicious code or other security threats.
  • Extortion coverage. Many policies insure the costs of responding to ransom or extortion demands to prevent a threatened cyberattack.

Cyberinsurance policies vary significantly, so the specific policy terms and conditions should be analyzed carefully to ensure that the coverage meets the company’s likely loss scenarios and potential exposures. It is particularly important to consider whether the coverage extends to information in the hands of third parties where data handling, processing and storage has been outsourced to third parties, including cloud service providers. If the organization has outsourced data handling, then it should secure coverage for any loss or business interruption arising from data that is managed by third-party service providers.

Consider the “retroactive date,” as policies often limit coverage to cyberattacks or data breaches occurring after a specified date, such as policy inception. It is important to request retroactive coverage for network security breaches that may have occurred before the inception date, as it is not uncommon for cyberattacks to remain undetected for a considerable period.

Review Defense and Settlement Provisions
Cyberinsurance policies include defense provisions that typically limit coverage for defense costs to those that are reasonable and incurred with the insurer’s prior written consent. While many insurers include these types of provisions to insist on the appointment of their own choice of defense counsel, selection of defense lawyers is an important issue. Some companies prefer to appoint lawyers whom they know well and who are familiar with their business. Moreover, certain claims arising from the use of technology, such as claims for breach of confidence, breach of copyright and defamation, require specialist counsel with particular experience. The company should therefore consider requesting a specific provision reserving the right to choose its defense lawyer, although the decision will usually be subject to the insurer’s prior approval.

Check the Fine Print
The “devil is in the details,” especially with cyberinsurance. While the market has developed rapidly in recent years, there are inconsistencies in the cover provided, and minor variations can have significant impact on the availability of coverage.

There will likely be efforts by the insurer to exclude risks that should be covered under other types of policy, and this is not unreasonable. It is important, however, to avoid broadly worded exclusions that could extend beyond that concern, or attempt to undermine the initial purpose of the insurance. For example, insurers might seek to impose exclusions based on possible shortcomings in the company’s network security. These types of exclusions should be resisted.

Insurance can play a vital role as part of an overall strategy to mitigate cyberrisk, but it is necessary to look beyond the policy limits to ensure that the coverage provided — whether under traditional policy forms or specific cyberinsurance policies — is as broad as possible.

Ms. Gates wrote this article with Sarah Turpin, a partner in the dispute resolution and insurance coverage groups in K&L Gates’ London office.

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism;” however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.

The Metrics Of The Matrix: Making Sure Your Cyber-Risks Are Covered

We live in a world that is almost entirely dependent upon digital technology. Internet sales and marketing, and even the simple efficiency of how information flows, can be a critical indicator of a company's success. Along with it comes an increased risk of hackers, disruption of service, theft of intellectual property, loss or theft of financial data, or worse, the theft of a customer's confidential information. Throw in a global economy that increases international exposure, and you have a recipe for disaster. While most large corporations have sophisticated network security measures in place, small to mid-size businesses cannot afford them, or are not even aware of the potential security risks. But if you consider information to be an asset, and the means with which it is gathered and used as a measure of your company's performance, the need to protect it becomes abundantly clear.

As early as the year 2000, underwriters at Lloyds of London predicted that e-commerce[1] would “emerge as the single biggest insurance risk of the 21st century.”[2] They were dead on. Between 2009 and 2011, the cost of data breaches rose from $6.8 million to $7.7 million — a blistering 9%.[3] As one commentator noted, the cost and number of data breaches was so high that 2011 was christened “the year of the cyber-attack.”[4] Indeed, the risk was seen as so severe that the SEC released disclosure guidelines for publicly traded companies recommending the disclosure of “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”[5] According to the SEC, “disclosure” includes a “[d]escription of the relevant insurance coverage.”[6] Although the number of cyber-attacks decreased slightly in 2012, this should not be taken as a sign that the threat of an attack is any less likely; it just means that some companies are responding to attacks more quickly, or implementing stronger security measures on the front end.

While the threat of a cyber-attack may conjure up the image of an overzealous computer geek with the mad-cap idea of ruling the world from his mother's basement, or a network of head-to-toe-in-black cyber-villains, a competitor seeking market dominance may be an equally likely culprit. A cyber-attack can take many forms. Most commonly, a company suffers a data breach, where “hackers, [ ] current or former employees, or others steal or otherwise gain access to personally identifiable information.”[7] However, there are also “phishing” and “pharming” schemes where the culprit poses as a legitimate user to steal or redirect internet traffic, or transmit a virus. Another form of attack is known as a “denial of service” incident, designed to temporarily or indefinitely block public access to a particular website or server. This involves “saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.”[8] These attacks “usually lead to a server overload.”[9] The most serious attacks “are comparable to 'tak[ing] an ax to a piece of hardware,'” which requires a complete “replacement or reinstallation of hardware.”[10] A company targeted by a cyber-attack can suffer a loss of informational assets and a significant interruption in operations, not to mention a damaged reputation.

The theft of intellectual property may or may not come as a result of a direct cyber-attack. Rather, a rogue company may steal your ideas, your website design, your domain names and meta-tags, or they may simply advertise and sell knock-off products. Chances are, if they are not using the internet for this purpose, they got your information from the business you transact online. As if this were not enough, there is the potential liability you face if confidential information is exposed, or you inadvertently infringe upon the intellectual property of a competing business. Customers and even shareholders affected by a data breach “commonly initiate expensive and very public litigation.”[11] Likewise, the pursuit of patent and trademark infringement claims has skyrocketed in recent years, and the cost of defending these claims has symbiotically followed suit. Interestingly, the protection of the intellectual property itself seems to be a concern that is almost secondary to the economic warfare that is often waged by the aggressor.

In a world where technology barely keeps up with technology, how can you effectively protect your business against the threat of a cyber-attack, and potential cyber-liability? If you own a website, engage in direct or indirect internet sales, use clouding, linking, framing, solicit business via electronic communication, conduct financial transactions on the internet, exchange information via the internet, or store information through an internet server, your company is at risk. Managing these hazards can be tricky. As seen by the recent attacks on eBay, Amazon, Yahoo, and Google, even companies that have defined internet usage are not immune. No matter how big or small you are, it is absolutely imperative that you implement internal security controls to prevent and/or respond quickly to an attack. Simple measures such as encrypting data, regularly changing passcodes, conducting routine virus scans, and limiting the number of employees who have access to confidential information can go a long way. However, insuring against these risks should be your primary objective because a cyber-attack can literally destroy your business overnight.

So, how does your company measure up? Let's take a little test. Assuming you are a “brick and mortar” business, is your company:

  • Insured under a Property policy?
  • Insured under a Comprehensive General Liability policy?
  • Insured under a Director's & Officer's liability policy?
  • Insured under a specialty lines policy that expressly insures first and third party Cyber-hazards?

If you answered “no” to the last question, your company is at risk. The traditional products that insure small to medium sized businesses are unfortunately inadequate to cover even the known cyber-hazards, much less the ones that are surely on the horizon as e-commerce continues to grow and change, and new markets emerge. For instance, as it pertains to the loss you may suffer as a result of a data breach, while a standard property policy covers “physical loss or damage to covered property,” the term “covered property” does not include intangible assets like data. More recent property forms either exclude coverage for data breaches outright, or subject the loss of electronic data to a minimal sub-limit of liability.

Likewise, the coverage typically afforded under a CGL policy for liability claims resulting from an unauthorized intrusion is insufficient. CGL policies provide relatively broad liability coverage, but only for certain defined risks. The policies are “menu” driven, and are endorsed to include or exclude particular coverages or risks, such as employee liability, inland marine or commercial crime. Cyber-liability may or may not inadvertently come within the coverage terms of a particular endorsement, but the standardized forms are definitely not geared towards insuring these risks.

Rather, CGL policies are split into two parts — Coverage Part A for Bodily Injury and Property Damage Liability, and Coverage Part B for Personal and Advertising Injury. The terms “bodily injury,” “property damage,” and “personal and advertising injury” are separately defined, and each coverage part is subject to its own specific set of exclusions. Under Coverage Part A, the term “property damage” is defined to mean “physical injury to tangible property” or “loss of use of tangible property” — and therein lies the rub. “Tangible property” is property that is capable of being handled, held or touched. See State Auto Property and Cas. Ins. Co. v. Midwest Computers & More, America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003); Recall Total Information Management,[12]

Further, while lawsuits filed against a company whose clients' financial information has been exposed typically include claims for mental anguish, mental anguish that is not consequential to physical harm or injury, or that does not manifest itself as physical injury, is not “bodily injury” under a CGL policy. See e.g. Nance v. Phoenix Ins. Co., 118 Fed. Appx. 640, 642 (3d Cir. 2004) (Pennsylvania law); Jacobsen v. Farmers Union Mut. Ins. Co., 87 P.3d 995, 999 (2004); Tackett v. American Motorists Ins. Co., 213 W. Va. 524 (2003); Armstrong v. Federated Mut. Ins. Co., 785 N.E.2d 284, 292-93 (Ind. Ct. App. 2003); Farm Bureau Ins. Co. of Nebraska v. Martinsen, 659 N.W.2d 823, 827 (Neb. 2003); Galgano v. Metropolitan Property and Cas. Ins. Co., 838 A.2d 993, 999 (Conn. 2004); Smith v. Animal Urgent Care, Inc., 542 S.E.2d 827, 830-31 (W. Va. 2000); Costello v. Nationwide Mut. Ins. Co., 795 A.2d 151, 155 (Md. App. 2002); SCR Medical Transp. Services, Inc. v. Browne, 781 N.E.2d 564, 571 (Ill. App. 1st Dist. 2002); Allstate Ins. Co. v. Diamant, 518 N.E.2d 1154 (Mass. 1988).[13] On your best day, it depends upon what jurisdiction you are in as to whether or not that coverage would apply to a cyber-liability claim.

Coverage for “personal and advertising injury” nowadays is almost a joke. Generally speaking, coverage for “personal and advertising injury” is intended to address liability claims for the infringement of intellectual property rights, or other types of personal injury torts (i.e. defamation and invasion of privacy claims). Under older versions of the CGL, the terms “personal injury” and “advertising injury” were separately defined. The term “Advertising injury” included the “[m]isappropriation of advertising ideas or style of doing business” and the infringement of a “copyright, title or slogan.” Now, the terms “personal and advertising injury” have been conflated, and are defined to mean:

  1. False arrest, detention or imprisonment;
  2. Malicious prosecution;
  3. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies, committed by or on behalf of its owner, landlord, or lessor;
  4. Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;
  5. Oral or written publication of material that violates a person's right of privacy;
  6. Copying, in your “advertisement,” a person's or organization's “advertising idea” or style of “advertisement”;
  7. Infringement of copyright, slogan or title of any literary or artistic work, in your “advertisement.”

As it pertains to a data breach, at least one Court has held that under the newer version of the CGL, theft of customer data is a “publication of material that violates a person's right of privacy.” See Norfolk & Dedham Mut. Fire Ins. Co. v. Cleary Consultants, Inc., 81 Mass.App.Ct. 40 (Dec. 16, 2011). Other Courts, however, have disagreed, leaving an uncertain gap as to whether or not your policy would cover such an event. See Creative Host. Ventures, Inc. v. E.T. Ltd., Inc., 2011 U.S. App. 19990 (Sept. 30, 2011).

There is even more uncertainty with regard to intellectual property liability claims. Both older and newer versions of the CGL require that the offense occur in the course of the advertisement of your own goods, products or services. This would include internet-based sales and marketing, but not all forms of electronic commerce. The most current CGL forms in use, however, essentially gut coverage for intellectual property claims with the following exclusion:

This insurance does not apply to:

“Personal and advertising injury”:

(7) Arising out of any violation of any intellectual property rights such as copyright, patent, trademark, trade name, trade secret, service mark or other designation of origin or authenticity.

However, this exclusion does not apply to infringement, in your “advertisement,” of

(a) Copyright;

(b) Slogan, unless the slogan is also a trademark, trade name, service mark or other designation of origin or authenticity; or,

(c) Title of any literary or artistic work.

Under this widely used form, there is no coverage for trademark or copyright infringement (or any other one of the enumerated torts), unless the infringement occurs during the course of your advertisement of a slogan, unless the slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity.” The problem with this language is that whether a slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity” is not dependent upon whether the mark is federally protected under the Lanham Act. Rather, the standards for determining whether a trade or service mark is eligible for protection are the same under the common law and the federal law. 15 U.S.C. § 1051 et seq.; Two Pesos, Inc. v. Taco Cabana, Inc., 505 U.S. 763 (1992); Amazing Spaces, Inc. v. Metro Mini Storage, 608 F.3d 225 (5th Cir. 2010); Board of Supervisors for the Louisiana State University Agriculture and Mech. College v. Smack Apparel Co., 550 F.3d 465 (5th Cir. 2008); Genesee Brewing Co., Inc. v. Stroh Brewing Co., 124 F.3d 137 (2nd Cir. 1997); Laredo v. Union Nat'l Bank, Austin, 909 F.2d 839, 842 (5th Cir. 1990). It is difficult to imagine a set of circumstances where a slogan would not also be “a trademark, trade name, service mark or other designation of origin or authenticity” under the common law. Coverage is essentially illusory, or at best, ambiguous. On a good day, your insurer is going to contest whether it owes a duty to defend an intellectual property liability claim. Where does this leave you?

There may be limited coverage under your Director's & Officer's Liability policy, but the forms vary in the scope of coverage and there may not be coverage for the acts and omissions of regular employees. Further, the policy will likely only cover your liabilities to your shareholders, and those to whom you owe a fiduciary duty. Fortunately, there are newer products on the market that are specifically designed to cover cyber-related risks. In a 2005 press release, Insurance Services Organization (ISO) unveiled its E-Commerce Program to address cyber liability exposure. According to ISO, “[t]he menu-based policy comprises five separate agreements:

  • Website publishing liability provides coverage against Internet-related publishing perils, including libel against a person or organization, and copyright, trademark, and service mark infringement allegations arising out of content published by the policyholder on its website.
  • Network security liability covers the policyholder against claims for failing to maintain the security of a computer system resulting in unauthorized access and publication of personal information, such as credit card numbers or personal medical information.
  • Replacement or restoration of electronic data provides coverage for the cost of replacing or restoring electronic data lost or rendered inaccessible because of an e-commerce incident, such as a virus, malicious instruction or denial-of-service attack.
  • Cyber extortion provides coverage for extortion expenses incurred and ransom payments made because of an extortion threat. Extortion is defined as a threat to commit an e-commerce incident, disseminate the policyholder's proprietary information, reveal a weakness in its source code or publish personal information belonging to policyholders' clients.
  • Business income and extra expense provides coverage for loss of business income or extra expenses incurred as a result of an extortion threat or e-commerce incident.”14

ACE, Hartford, Chubb, Chartis (AIG), Ironshore, Travelers, SafeOnline, CNA, and Zurich are among the insurers offering products specifically covering cyber-hazards.15 These companies may or may not have adopted the ISO forms, and may instead be using products that were internally developed. Still, most of the companies who have targeted this market are going to be competitive, offering coverage for a combination of network security liability, media liability, expense and damage from a violation of privacy tort, coverage for fines and regulatory expenses, loss of electronic information (including the cost to recover lost, corrupted or stolen data), cyber-extortion, and business interruption arising out of a majority of these events. Specific products also exist for liability claims arising out of patent, trademark and trade dress infringement claims, either to pay for the costs of defending those suits, or to cover the cost to pursue a third party who infringes upon your company's intellectual assets.

By and large the cyber-liability policies currently on the market are offered on a claims-made, or claims-made and reported basis. Policies that contain first-party coverage for data breaches may contain fairly short notice requirements, as early response is critical to minimizing the loss and containing any resultant liability exposure. The only way to make sure that you are procuring the right coverage and the right amount of coverage is to (1) establish internal procedures to assess and routinely reassess your risks; (2) establish internal protocols for preventing and responding to cyber-related risks; (3) set goals and benchmarks to determine if your company is meeting expectations; (4) read the policies you currently have in effect to determine where your company stands; (5) if you determine additional coverage is necessary, read the policies carefully before you invest in premiums; and (6) evaluate your coverage on an annual basis. New insurance products are coming out about every 12-18 months. Many brokers keep specimen forms, and most are knowledgeable enough to ensure that the specific risks that you face are covered. And in today's technology-driven world, you cannot afford to leave these exposures uninsured, or underinsured. In today's world, addressing the potential risk exposures your company faces is not just a measure of your success, it may be determinative of your survival.

1 “E-commerce” or e-comm is defined as “the buying and selling of products or services over electronic systems such as the Internet and other computer networks.” Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 15, 2012, <http://en.wikipedia.org/wiki/Ecommerce>. E-commerce “draws on such technologies as electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.” Id. E-commerce can be divided into: E-tailing or 'virtual store-fronts' on Web sites with online catalogs, sometimes gathered into a 'virtual mall'; the gathering and use of demographic data through Web contacts; Electronic Data Interchange (EDI), the business-to-business exchange of data; e-mail and fax and their use as media for reaching prospects and established customers; Business-to-business buying and selling; and, the security of business transactions. Id.

2 David R. Cohen & Roberta D. Anderson, Insurance Coverage for “Cyber-Losses”, 35 Tort & Ins. L.J. 891 (2000), citing Reuters Eng. News. Serv., May 9, 2000.

3 2010 Annual Study: U.S. Cost of a Data Breach 13 (March 2011); available at <http://www/symantec.com/content/en/us/abuot/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf>.

4 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012), citing Garry Byers, Rapid Cyber Attack Response: Three Days Make All the Difference, Digital Forensic Investigator News (Sept. 28, 2011), available at <http://dfinenews.com/article/rapid-cyber-attack-response-three-days-make-all-difference>.

5 U.S. Securities and Exchange Commission Division of Corporate Finance, CF Disclosure Guidance: Topic No. 2 — Cybersecurity, (Oct. 13, 2011). Topic No. 2 states that: “In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

6 Id.

7 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

8 Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 14, 2012, <http://en.wikipedia.org/wiki/Denial_of_service_attacks>.

9 Id. “In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.”

10 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012) (citing Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008)).

11 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

12 In State Auto Property & Casualty Co. v. Midwest Computers, the Court addressed whether data lost by Midwest after it serviced computer equipment purchased by one of its customers was “tangible property” within the meaning of a CGL policy issued by State Auto to Midwest. Id. at 1115. Holding that it was not, the Court reasoned that the term intangible referred to property that was “[c]apable of being perceived esp. by the sense of touch: PALPABLE[;] … capable of being precisely identified or realized by the mind [;] … capable of being appraised at an actual or approximate value (assets).”

13 But see Voicestream Wireless Corp. v. Federal Ins. Co., 112 Fed. Appx. 553, 555-56 (9th Cir. 2004) (Washington law); Williamson v. Historic Hurstville Ass'n, 556 So. 2d 103, 107 (La. Ct. App. 4th Cir. 1990); Loewenthal v. Security Ins. Co. of Hartford, 436 A.2d 493, 499 (Md. App. 1981).

14 http://www.iso.com/Press-Releases/2005/ISO-INTRODUCES-CYBER-RISK-PROGRAM-TO-HELP-COVER-$7-TRILLION-E-COMMERCE-MARKET.html.

15 David T. Chase & Todd L. Nunn, Insurance Coverage for Cyber risks and Losses, Stay Informed, April 27, 2011, available at http://www.klgates.com/insurance-coverage-for-cyber-risks-and-losses-04-27-2011.