Tag Archives: intellectual property

The 4 Major Sources of Change for Insurance

The insurance industry faces disruption from a host of new technological and social phenomena. To plan for these, it is helpful to first examine how other industries have either successfully navigated large-scale changes and prospered, or have failed to do so and disappeared.

This article will examine past and future market disruptors. It provides case studies of businesses that have failed or succeeded to navigate large-scale changes. By reviewing these cases, business leaders in the insurance industry will get a sense of how to prepare for inevitable disruptions.

Four Major Sources of Change and How to Deal with Them

Many of the recent and impending market disruptions fall into the following categories:

Source#1: Disruptive Innovations

Some innovations completely displace old markets or create new ones. This can be devastating for businesses if they fail to adapt quickly.

The best example of this is the Kodak/Fuji Film rivalry that took place during the advent of digital media. Both companies were in the same dire straights: Inexpensive digital photos would soon replace the lucrative camera film, decreasing profits by more than a quarter.

However, when digital media eventually took over, Fuji Film was able to thrive, while Kodak nearly faded out.

As Fuji clearly demonstrated, the best way to handle disruptive innovation is through radical flexibility. In a 2012 article, The Economist summarized the rivalry outcome as follows: “Kodak acted like a stereotypical change-resistant Japanese firm, while Fujifilm acted like a flexible American one.”

While Kodak was complacent, Fuji developed new products, sold intellectual property such as chemical compounds and sought new markets for film. By the time Kodak had gone into bankruptcy proceedings, Fuji had diversified enough to remain competitive, at one point growing to some $12.6 billion in market value while Kodak’s shrank to less than $220m.

Source #2: Technological Upheaval

Some new technologies change the way businesses operate from within. The best example of this is analytics software. Analytics refers to the use of sophisticated mathematical techniques to produce new value from data.

The adoption of analytics will become virtually universal. According to technology-research firm IDC, big-data technology and services will grow at a 27% compounded annual rate through 2017 to more than $32 billion worldwide. A study conducted by MIT Sloan Management Review and IBM found that organizations that excel in analytics usually outperform new adopters of analytics by three to one.

To manage technological upheaval, businesses are thinking creatively about new possibilities presented by new technology. For example, Sky Italia, a satellite TV provider, uses analytics to predict what kind of content its customers want to see, based not only on their watching habits but on their social media activity. Casinos use analytics to gauge customer behavior based on such fine points as when patrons order drinks, where they play the most and even when they smile.

Source #3: Consumer-Culture Shifts

Digital technology has a widespread impact on culture that affects customer/vendor relationships. One prominent outcome of this is that buyers are moving much further down the sales funnel before interacting with salespeople.

For example, in 2012, Ernst & Young completed a global survey of 30,000 banking customers and found that those who were unhappy with their banks were twice as likely to switch to a competitor as they were in 2011. Because accounts can be transferred with just a few clicks of the mouse, banks now have to work harder to keep their customers from leaving. Further, banking clients are increasingly performing their own research without input from bankers.

The same is true for B2B customers, as one CEO of a B2B company described in an interview with Forbes:

“My sales team has called on every possible client, and they don’t know where to go next.”

According to member-based business advisory company CEB, buyers now go through about 57% of the purchasing process before ever talking to sales.

To react to changes in consumer culture, marketers must replace the old sales models with “facilitated buying” strategies. Vendors are increasingly interacting with prospects right where they are and provide more value on the front-end. By acting as buyers’ guides rather than salespeople, sales teams will grow relationships through trust. This is why content marketing strategies are displacing traditional advertising in many marketing budgets.

Source #4: Price-Determination Fluctuations

In the present consumer culture, price determination has become more elastic and complex. As such, many businesses are re-inventing their pricing structures.

The health insurance and health benefits industries are examples where large-scale pricing shifts are taking place. Because of the Affordable Care Act, health benefits brokers will now have to disclose their commissions, which will give clients more negotiating leverage. Those brokers who have the most technical skill and who can flexibly price products and services are having the most success.

Another contributing factor to pricing shifts is in the spending habits of “millennials.” These people, ages 13 to 30, are increasing in purchasing power by about 3% per year. Their spending is unpredictable, is mostly digital and will account for nearly one-third of total spending by 2020.

To meet consumer demands for pricing options, businesses are becoming more inventive. For example, the Silicon Valley start-up Uber offers a crowd-sourced taxi-like service that employs “surge pricing.” Under this model, Uber services cost more when demand is high and the supply of cars low.

“Sympathetic” pricing is another new pricing trend with humanistic intentions. According to business trend firm Trendwatching.com, waning consumer loyalty brought on by digital empowerment has made businesses eager to show consumers that they care. This has led to a series of warmer and fuzzier relationship-building strategies.

For instance, “painkiller” pricing is an emerging strategy meant to provide relief. An example of painkiller pricing is where bars give discounts to patrons who have been served a ticket that day. Another example is “compassionate” pricing, which typically involves sliding scales for lower-income customers. Finally, “purposeful” pricing is meant to effect social change – such as through offering free public transport to alleviate inner city traffic.

Conclusion

For most industries, disruption is inevitable. Oftentimes, those businesses that are most accustomed to success will have the most trouble adapting.

The first essential step in planning for disruptions is to gain a basic understanding of what the incoming challenges will look like. Once this is accomplished, insurance businesses can begin applying lateral and creative planning strategies to successfully navigate the change.

Screenshot 2014-08-16 15.49.19

How the ‘Internet of Things’ Affects Strategic Planning

When it comes to technology, the boardroom has been learning a new language: mobile, social, cloud, cyber security, digital disruption and more. Recently the National Association of Corporate Directors released an eight-part video series on the board’s role: The Intersection of Technology, Strategy and Risk. We have spent much of the past year focused on cyber security, an essential discussion given the widespread theft of intellectual property, privacy invasions and data breaches. A report on cyber crime and espionage by the Center for Strategic and International Studies (CSIS) in Washington, D.C., last year estimated that cyber crime costs the global economy $300 billion a year – an entire industry is growing around hacking! Research by PwC shows cyber insurance is the fastest-growing specialty coverage ever – around $1.3 billion a year in the U.S. As our boardroom agendas often get filled with discussions on risk, I asked Frontier Communications board director Larraine Segil how to shift the conversation to strategy. Larraine has a keen focus on opportunity and suggested we delve into solutions for governing “The Internet of Things.”

What exactly is the Internet of Things, and what are the implications for business strategy?

Think about connecting any device with an on and off switch to the Internet and to each other. This includes everything from cell phones, thermostats and washing machines to headphones, cameras, wearable devices and much more. This also applies to components of machines – for example, the jet engine of an airplane. If the device has an on and off switch, then chances are it can be a part of the Internet of Things. The technology research firm Gartner says that by 2020 there will be more than 26 billion connected devices. Think about Uber, the company that connects a physical asset (car and driver) to a person in need of a ride via a website. That simple connection has disrupted the taxi industry.

Airbnb has done the same for the lodging industry by directly connecting people with spaces to rent to those in need of accommodations.

What does this mean to for our companies? Larraine, what are you thinking when you hear about the Internet of Things for business opportunities? As a director, how can you help directors govern in this fast-moving digital age?

Frontier Communications provides connectivity services to a national customer base primarily in rural areas and is integrally involved in the Internet of Things. Frontier has a number of strategic alliances with companies that develop and market those very devices – or “things” – such as the Dropcam camera, a cloud-based WiFi video monitoring service with free live streaming, two-way talk and remote viewing that makes it easy to stay connected with places, people and pets, no matter where you are. Other alliances expanding the “things” will be introduced in the rest of 2014.

As a director, it is critical to be educated constantly about new trends, products and opportunities – competition is fast-moving, and customers are better-educated about their options than ever before. Strategically, the board has to think way ahead of the present status quo – and with the help of management and outside domain experts, explore opportunities for alliances. This requires using strategic analysis at every board meeting (not just at one offsite a year) and welcoming constant director education and brainstorming both within and outside of the company’s industry. The board should continually identify and evaluate strategic directions to keep the company fresh and nimble.

Remembering that we’ve only just begun, here are some critical questions boards should be asking about technology and the Internet of Things:

1. Are you including strategic discussions around technology at every board meeting?
2. Do your strategic directions include alliances within and outside of your industry?
3. How would you assess your current level of interaction with the chief information officer and chief technology officer? What can be done to improve the effectiveness of communications with them?
4. As a board, how are you helping to guide your company in innovative directions, taking into consideration disruptive technologies, competitor alliances and new ideas or skills coming from outside your industry?

Representations and Warranties Insurance: How It Can Help Close Business Deals

A Representations and Warranties policy provides coverage for losses incurred as a result of breaches or inaccuracies of the representations and warranties made in business transactions.  A seller typically makes numerous representations to the buyer and warrants to the buyer critical facts about the business.  These attestations are an inducement to the buyer.  While parties both hope that the representations are accurate, disagreements often arise.  Such disputes routinely occur in connection with financial condition, accounts receivable or intellectual property.  Disagreements can also arise over the scope of representations and warranties made, as well as the duration and amount of a seller’s indemnification obligations.

Often, when a transaction is nearly complete, last-minute issues can create an impasse.  It is at this critical juncture that R&W insurance can be utilized to remove obstacles and  facilitate closure.  The preemptive purchase of R&W insurance can remove fears regarding certain representations that might lead to litigation after the deal closes. An R&W policy can also eliminate the need for a buyer to rely on the seller to make continuing indemnification payments—meaning a buyer wouldn’t need to chase down sellers who might be foreign, insolvent or long gone.  In this regard, R&W policies provide both sides of the deal with peace of mind that each party will receive what they believe they bargained for.

HOW are R&W Policies Structured?
Each agreement is unique, and an R&W policy is tailored to meet the specific needs of each deal.  Depending on the client’s needs (whether the buyer or seller), R&W policies can be structured to achieve various things.  These goals might include: (1) increasing the amount of indemnity available, (2) providing a “backstop” to the indemnity already available, (3) extending the expiration of the indemnity, (4) eliminating the need for collateral for contingent liabilities, (5) providing “ground up” coverage to replace an indemnity, or (6) increasing the scope or breadth of an agreed indemnity.

WHEN should parties consider the purchase of an R&W policy?
Most often, R&W policies are purchased in a mergers-and-acquisitions context.  However, R&W policies are also secured in connection with restructurings, insolvencies, liquidations, financings or loans, or in connection with the licensing of intellectual property.  In these situations, an R&W policy adds value as it can eliminate or reduce perceived or identified exposures and can address disagreements on the allocation of legal or financial risk for certain perceived or already identified exposures.  It can also give one buyer a competitive edge over another.

For example, consider a transaction where the buyer requires that a seller retain liability equal to 30% of deal consideration in respect of breaches of representations and warranties, while the seller is only willing to assume liability for up to 10% of deal consideration.  An R&W policy could provide coverage for the buyer for loss resulting from breaches exceeding 10% of deal consideration up to a limit of 30% of deal consideration. 

Or consider a situation where the seller’s weak financial position causes the buyer to require that security be posted for seller liability for breach of any representations and warranties.  An R&W policy could be designed to cover the buyer for loss resulting from breaches only if the seller is unable to meet the liability it has agreed to assume under the sale agreement.

WHO Buys an R&W Policy?
Buy-side policies make up the majority of R&W policies.  A buy-side policy enables the buyer, should a breach occur, to recover losses directly from the insurer without having to make a claim against the seller, often without having to locate and pursue the seller.  Such a policy provides the buyer with assurance that the value of the acquired business will not be reduced by unexpected liability.  Further, buyers can utilize R&W policies to improve their bargaining position by using the coverage to enhance their bid by reducing the indemnity ceiling and required escrow.

A sell-side policy provides indemnification by the insurer for defense costs and loss resulting from claims made by the buyer for inaccuracies in the transaction that are the subject of seller representations and warranties.  Simply put, a sell-side policy also enables the seller to walk away from a closed deal confident that the proceeds it receives in the transaction will not be diminished by subsequent legal claims and claw-back.  A sell-side policy provides a structure so that the seller can make a clean break once the sale has been executed by reducing or eliminating the need for an escrow account.  This is of great value to the seller as the seller can distribute more of the proceeds from the transaction more quickly, thereby expediting shareholder return (and the purchase of the yacht or sports car that the seller has always wanted).

If I have a client who wants to consider R&W coverage, what information would they need to provide?  Generally, underwriters can prepare a non-binding indication with a minimal amount of key information.  This information would include (1) the draft purchase agreement, (2) the draft disclosure schedules, and 3) the most recent audited or reviewed financials of the target.

Socius has conferred with Ambridge Partners LLC, a leading managing general underwriter of Representations & Warranties Insurance (R&W), to present this article.

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism;” however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.

The Metrics Of The Matrix: Making Sure Your Cyber-Risks Are Covered

We live in a world that is almost entirely dependent upon digital technology. Internet sales and marketing, and even the simple efficiency of how information flows, can be a critical indicator of a company's success. Along with it comes an increased risk of hackers, disruption of service, theft of intellectual property, loss or theft of financial data, or worse, the theft of a customer's confidential information. Throw in a global economy that increases international exposure, and you have a recipe for disaster. While most large corporations have sophisticated network security measures in place, small to mid-size businesses cannot afford them, or are not even aware of the potential security risks. But if you consider information to be an asset, and the means with which it is gathered and used as a measure of your company's performance, the need to protect it becomes abundantly clear.

As early as the year 2000, underwriters at Lloyds of London predicted that e-commerce1 would “emerge as the single biggest insurance risk of the 21st century.”2 They were dead on. Between 2009 and 2011, the cost of data breaches rose from $6.8 million to $7.7 million — a blistering 9%.3 As one commentator noted, the cost and number of data breaches was so high that 2011 was christened “the year of the cyber-attack.”4 Indeed, the risk was seen as so severe that the SEC released disclosure guidelines for publicly traded companies recommending the disclosure of “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”5 According to the SEC, “disclosure” includes a “[d]escription of the relevant insurance coverage.”6 Although the number of cyber-attacks decreased slightly in 2012, this should not be taken as a sign that the threat of an attack is any less likely; it just means that some companies are responding to attacks more quickly, or implementing stronger security measures on the front end.

While the threat of a cyber-attack may conjure up the image of an overzealous computer geek with the mad-cap idea of ruling the world from his mother's basement, or a network of head-to-toe-in-black cyber-villains, a competitor seeking market dominance may be an equally likely culprit. A cyber-attack can take many forms. Most commonly, a company suffers a data breach, where “hackers, [ ] current or former employees, or others steal or otherwise gain access to personally identifiable information.”7 However, there are also “phishing” and “pfarming” schemes where the culprit poses as a legitimate user to steal or redirect internet traffic, or transmit a virus. Another form of attack is known as a “denial of service” incident, designed to temporarily or indefinitely block public access to a particular website or server. This involves “saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.”8 These attacks “usually lead to a server overload.”9 The most serious attacks “are comparable to 'tak[ing] an ax to a piece of hardware,” which requires a complete “replacement or reinstallation of hardware.”10 A company targeted by a cyber-attack can suffer a loss of informational assets and a significant interruption in operations, not to mention a damaged reputation.

The theft of intellectual property may or may not come as a result of a direct cyber-attack. Rather, a rogue company may steal your ideas, your website design, your domain names and meta-tags, or they may simply advertise and sell knock-off products. Chances are, if they are not using the internet for this purpose, they got your information from the business you transact online. As if this were not enough, there is the potential liability you face if confidential information is exposed, or you inadvertently infringe upon the intellectual property of a competing business. Customers and even shareholders affected by a data breach “commonly initiate expensive and very public litigation.”11 Likewise, the pursuit of patent and trademark infringement claims has skyrocketed in recent years, and the cost of defending these claims has symbiotically followed suit. Interestingly, the protection of the intellectual property itself seems to be a concern that is almost secondary to the economic warfare that is often waged by the aggressor.

In a world where technology barely keeps up with technology, how can you effectively protect your business against the threat of a cyber-attack, and potential cyber-liability? If you own a website, engage in direct or indirect internet sales, use clouding, linking, framing, solicit business via electronic communication, conduct financial transactions on the internet, exchange information via the internet, or store information through an internet server, your company is at risk. Managing these hazards can be tricky. As seen by the recent attacks on eBay, Amazon, Yahoo, and Google, even companies that have defined internet usage are not immune. No matter how big or small you are it is absolutely imperative that you implement internal security controls to prevent and/or respond quickly to an attack. Simple measures such as encrypting data, regularly changing passcodes, conducting routine virus scans, and limiting the number of employees who have access to confidential information can go a long way. However, insuring against these risks should be your primary objective because a cyber-attack can literally destroy your business overnight.

So, how does your company measure up? Let's take a little test. Assuming you are a “brick and mortar” business is your company:

  • Insured under a Property policy?
  • Insured under a Comprehensive General Liability policy?
  • Insured under a Director's & Officer's liability policy?
  • Insured under a specialty lines policy the expressly insures first and third party Cyber-hazards?

If you answered “no” to the last question, your company is at risk. The traditional products that insure small to medium sized businesses are unfortunately inadequate to cover even the known cyber-hazards, much less the ones that are surely on the horizon as e-commerce continues to grow and change, and new markets emerge. For instance, as it pertains to the loss you may suffer as a result of a data breach, while a standard property policy covers “physical loss or damage to covered property,” the term “covered property” does not include intangible assets like data. More recent property forms either exclude coverage for data breaches outright, or subject the loss of electronic data to a minimal sub-limit of liability.

Likewise, the coverage typically afforded under a CGL policy for liability claims resulting from an unauthorized intrusion is insufficient. CGL policies provide relatively broad liability coverage, but only for certain defined risks. The policies are “menu” driven, and are endorsed to include or exclude particular coverages or risks, such as employee liability, inland marine or commercial crime. Cyber-liability may or may not inadvertently come within the coverage terms of a particular endorsement, but the standardized forms are definitely not geared towards insuring these risks.

Rather, CGL policies are split into two parts — Coverage Part A for Bodily Injury and Property Damage Liability, and Coverage Part B for Personal and Advertising Injury. The terms “bodily injury,” “property damage,” and “personal and advertising injury” are separately defined, and each coverage part is subject to its own specific set of exclusions. Under Coverage Part A, the term “property damage” is defined to mean “physical injury to tangible property” or “loss of use of tangible property” — and therein lies the rub. “Tangible property” is property that is capable of being handled, held or touched. See State Auto Property and Cas. Ins. Co. v. Midwest Computers & More,America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003); Recall Total Information Management,12

Further, while lawsuits filed against a company whose client's financial information has been exposed typically includes claims for mental anguish. Mental anguish that is not consequential to physical harm or injury, or that does not manifest itself as physical injury is not “bodily injury” under a CGL policy. See e.g. Nance v. Phoenix Ins. Co., 118 Fed. Appx. 640, 642 (3d Cir. 2004) (Pennsylvania law) Jacobsen v. Farmers Union Mut. Ins. Co., 87 P.3d 995, 999 (2004); Tackett v. American Motorists Ins. Co., 213 W. Va. 524 (2003); Armstrong v. Federated Mut. Ins. Co., 785 N.E.2d 284, 292-93 (Ind. Ct. App. 2003); Farm Bureau Ins. Co. of Nebraska v. Martinsen, 659 N.W.2d 823, 827 (Neb. 2003); Galgano v. Metropolitan Property and Cas. Ins. Co., 838 A.2d 993, 999 (Conn. 2004); Smith v. Animal Urgent Care, Inc., 542 S.E.2d 827, 830-31 (W. Va. 2000); Costello v. Nationwide Mut. Ins. Co., 795 A.2d 151, 155 (Md. App. 2002); SCR Medical Transp. Services, Inc. v. Browne, 781 N.E.2d 564, 571 (Ill. App. 1st Dist. 2002); Allstate Ins. Co. v. Diamant, 518 N.E.2d 1154 (Mass. 1988).13 On your best day, it depends upon what jurisdiction you are in as to whether or not that coverage would apply to a cyber-liability claim.

Coverage for “personal and advertising injury” nowadays is almost a joke. Generally speaking, coverage for “personal and advertising injury” is intended to address liability claims for the infringement of intellectual property rights, or other types of personal injury torts (i.e. defamation and invasion of privacy claims). Under older versions of the CGL, the terms “personal injury” and “advertising injury” were separately defined. The term “Advertising injury” included the “[m]isappropriation of advertising ideas or style of doing business” and the infringement of a “copyright, title or slogan.” Now, the terms “personal and advertising injury” have been conflated, and are defined to mean:

  1. False, arrest, detention or imprisonment;
  2. Malicious prosecution;
  3. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies, committed by or on behalf of its owner, landlord, or lessor;
  4. Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;
  5. Oral or written publication of material that violates a person's right of privacy;
  6. Copying, in your “advertisement,” a person's or organization's “advertising idea” or style of “advertisement”;
  7. Infringement of copyright, slogan or title of any literary or artistic work, in your “advertisement.”

As it pertains to a data breach, at least one Court has held that under the newer version of the CGL, theft of customer data is a “publication of material that violates a person's right of privacy.” See Norfold & Dedham Mut. Fire Ins. Co. v. Clearly Consultants, Inc., 81 Mass.App.Ct. 40 (Dec. 16, 2011). Other Courts, however, have disagreed, leaving an uncertain gap as to whether or not your policy would cover such an event. See Creative Host. Ventures, Inc. v. E.T. Ltd., Inc., 2011 U.S. App. 19990 (Sept. 30, 2011).

There is even more uncertainty with regard to intellectual property liability claims. Both older and newer versions of the CGL require that the offense occur in the course of the advertisement of your own goods, products or services. This would include internet-based sales and marketing, but not all forms of electronic commerce. The most current CGL forms in use, however, essentially gut coverage for intellectual property claims with the following exclusion:

This insurance does not apply to:

“Personal and advertising injury”:

(7) Arising out of any violation of any intellectual property rights such as copyright, patent, trademark, trade name, trade secret, service mark or other designation of origin or authenticity.

However, this exclusion does not apply to infringement, in your “advertisement,” of

(a) Copyright;

(b) Slogan, unless the slogan is also a trademark, trade name, service mark or other designation of origin or authenticity; or,

(c) Title of any literary or artistic work.

Under this widely used form, there is no coverage for trademark or copyright infringement (or any other one of the enumerated torts), unless the infringement occurs during the course of your advertisement of a slogan, unless the slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity.” The problem with this language is that whether a slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity” is not dependent upon whether the mark is federally protected under the Lantham Act. Rather, the standards for determining whether a trade or service mark is eligible for protection are the same under the common law and the federal law. 15 U.S.C. § 1051 et. seq. Two Pesos, Inc. v. Taco Cabana, Inc., 505 U.S. 763 (1992); Amazing Spaces, Inc. v. Metro Mini Storage, 608 F.3d 225 (5th Cir. 2010); Board of Supervisors for the Louisiana State University Agriculture and Mech. College v. Smack Apparel Co., 550 F.3d 465 (5th Cir. 2008); Genesee Brewing Co., Inc. v. Stroh Brewing Co., 124 F.3d 137 (2nd Cir. 1997); Laredo v. Union Nat'l Bank, Austin, 909 F.2d 839, 842 (5th Cir. 1990). It is difficult to imagine a set of circumstances where a slogan would not also be “a trademark, trade name, service mark or other designation of origin or authenticity” under the common law. Coverage is essentially illusory, or at best, ambiguous. On a good day, your insurer is going to contest whether it owes a duty to defend an intellectual property liability claim. Where does this leave you?

There may be limited coverage under your Director's & Officer's Liability policy, but the forms vary in the scope of coverage and there may not be coverage for the acts and omissions of regular employees. Further, the policy will likely only cover your liabilities to your shareholders, and those to whom you owe a fiduciary duty. Fortunately, there are newer products on the market that are specifically designed to cover cyber-related risks. In a 2005 press release, Insurance Services Organization (ISO) unveiled its E-Commerce Program to address cyber liability exposure. According to ISO, “[t]he menu-based policy comprises five separate agreements:

  • Website publishing liability provides coverage against Internet-related publishing perils, including libel against a person or organization, and copyright, trademark, and service mark infringement allegations arising out of content published by the policyholder on its website.
  • Network security liability covers the policyholder against claims for failing to maintain the security of a computer system resulting in unauthorized access and publication of personal information, such as credit card numbers or personal medical information.
  • Replacement or restoration of electronic data provides coverage for the cost of replacing or restoring electronic data lost or rendered inaccessible because of an e-commerce incident, such as a virus, malicious instruction or denial-of-service attack.
  • Cyber extortion provides coverage for extortion expenses incurred and ransom payments made because of an extortion threat. Extortion is defined as a threat to commit an e-commerce incident, disseminate the policyholder's proprietary information, reveal a weakness in its source code or publish personal information belonging to policyholders' clients.
  • Business income and extra expense provides coverage for loss of business income or extra expenses incurred as a result of an extortion threat or e-commerce incident.14

ACE, Hartford, Chubb, Chartis (AIG), Ironshore, Travelers, SafeOnline, CNA, and Zurich are among the insurers offering products specifically covering cyber-hazards.15 However, these companies may or may not have adopted the ISO forms, but may be using products that were internally developed. Still, most of the companies who have targeted this market are going to be competitive, offering coverage for a combination of network security liability, media liability, expense and damage from a violation of privacy tort, coverage for fines and regulatory expenses, loss electronic information (including the cost to recovery lost, corrupted or stolen data), cyber-extortion, and business interruption arising out of a majority of these events. Specific products also exist for liability claims arising out of patent, trademark and trade dress infringement claims, both to pay for the costs of defending those suits, or the cost to pursue a third party who infringes upon your company's intellectual assets.

By and large the cyber-liability policies currently on the market are offered on a claims-made, or claims-made and reported basis. Policies that contain first-party coverage for data breaches may contain fairly short notice requirements, as early response is critical to minimizing the loss and containing any resultant liability exposure. The only way to make sure that you are procuring the right coverage and the right amount of coverage is to (1) establish internal procedures to assess and routinely reassess your risks; (2) establish internal protocols for preventing and responding to cyber-related risks; (3) set goals and benchmarks to determine if your company is meeting expectations; (4) read the policies you currently have in effect to determine where your company stands; (5) if you determine additional coverage is necessary, read the policies carefully before you invest in premiums; and (6) evaluate your coverage on an annual basis. New insurance products are coming out about every 12-18 months. Many brokers keep specimen forms, and most are knowledgeable enough to ensure that the specific risks that you face are covered. And in today's technology-driven world, you cannot afford to leave these exposures uninsured, or underinsured. In today's world, addressing the potential risk exposures your company faces is not just a measure of your success, it may be determinative of your survival.

1“E-commerce” or e-comm is defined as “the buying and selling of products or services over electronic systems such as the Internet and other computer networks.” Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 15, 2012, < http://en.wikipedia.org/wiki/Ecommerce>. E-commerce “draws on such technologies as electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.” Id. E-commerce can be divided into: E-tailing or 'virtual store-fronts' on Web sites with online catalogs, sometimes gathered into a 'virtual mall'; the gathering and use of demographic data through Web contacts; Electronic Data Interchange (EDI), the business-to-business exchange of data; e-mail and fax and their use as media for reaching prospects and established customers; Business-to-business buying and selling; and, the security of business transactions. Id.

2 David R. Cohen & Roberta D. Anderson, Insurance Coverage for “Cyber-Losses”, 35 Tort & Ins. L.J. 891 (2000), citing Reuters Eng. News. Serv., May 9, 2000.

3 2010 Annual Study: U.S. Cost of a Data Breach 13 (March 2011); available at <http://www/symantec.com/content/en/us/abuot/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf>.

4 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012), citing Garry Byers, Rapid Cyber Attack Response: Three Days Make All the Difference, Digital Forensic Investigator News (Sept. 28, 2011), available at <http://dfinenews.com/article/rapid-cyber-attack-response-three-days-make-all-difference>.

5 U.S. Securities and Exchange Commission Division of Corporate Finance, CF Disclosure Guidance: Topic No. 2 — Cybersecurity, (Oct. 13, 2011). Topic No. 2 states that: “In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

6 Id.

7 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

8 Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 14, 2012, <http://en.wikipedia.org/wiki/Denial_of_service_attacks>.

9 Id. “In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.”

10 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012)(citing Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID= 211201088 (May 19, 2008).

11 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

12 In State Auto Property & Casualty Co. v. Midwest Computers, the Court addressed whether data lost by Mid-West after it serviced computer equipment purchased by one of its customers was “tangible property” within the meaning of a CGL policy issued by State Auto to Midwest. Id. at 1115. Holding that it was not, the Court reasoned that the term intangible referred to property that was “[c]apable of being perceived esp. by the sense of touch: PALPABLE[;] … capable of being precisely identified or realized by the mind [;] … capable of being appraised at an actual or approximate value (assets).

13 But see Voicestream Wireless Corp. v. Federal Ins. Co., 112 Fed. Appx. 553, 555-56 (9th Cir. 2004) (Washington law). Williamson v. Historic Hurstville Ass'n, 556 So. 2d 103, 107 (La. Ct. App. 4th Cir. 1990); Loewenthal v. Security Ins. Co. of Hartford, 436 A.2d 493, 499 (Md. App. 1981).

14 http://www.iso.com/Press-Releases/2005/ISO-INTRODUCES-CYBER-RISK-PROGRAM-TO-HELP-COVER-$7-TRILLION-E-COMMERCE-MARKET.html.

15 David T. Chase & Todd L. Nunn, Insurance Coverage for Cyber risks and Losses, Stay Informed, April 27, 2011, available at http://www.klgates.com/insurance-coverage-for-cyber-risks-and-losses-04-27-2011.