MA Deadline Extended For Businesses To Encrypt Data

20 November 2008

The Commonwealth of Massachusetts has extended by at least four months a deadline for businesses to electronically encrypt digital records of their customers’ personal information.

The law follows a several-year string of high-profile data breaches by both private and government entities, the majority of which involved the theft of portable devices, such as laptops.

Source: Insurance Journal 11-20-08


Tech Company Personal / Advertising Injury Coverages

20 November 2008

The standard General Liability policy covers “personal injury” and “advertising injury” unless the insured is in the business of advertising, broadcasting, publishing, or telecasting. For this reason, there is no coverage for IT firms that are in the business of designing websites, determining content, providing content, or providing internet access.

Why do tech firms need coverage for “personal injury”? First of all, “personal injury” coverage may be needed to protect a tech firm against an allegation of slander, libel, or oral or written publication that violates a person’s right of privacy. It is not too difficult to see how a tech firm could get sued under these circumstances.

In addition, coverage may also be needed for “advertising injury” in the event of an allegation of the taking of another’s idea in your advertisement or infringement of copyright, trade dress, or slogan in your advertisement.

The key word is “advertisement”. There is no coverage for infringement of copyright, trade mark, trade dress, or slogan unless they occur in your advertisement.

An exclusion in the policy form eliminates coverage for injury arising out of electronic chat rooms or bulletin boards that the insured hosts, owns, or exercises control over. In addition, there is another exclusion arising out of the unauthorized use of another’s name or product in your email address, domain name, meta tag, or similar tactic used to mislead the potential customers of another.

It is obvious that the standard General Liability form does not adequately protect tech companies or IT professionals against these important exposures. As a result, coverage can be sought as part of a Professional Liability or Errors & Omissions policy form.

These policies can add back essential coverages such as for those tech firms in the business of advertising or publishing, violation of a person’s right of privacy or undue publicity, intellectual property infringements, etc.

It is strongly recommended that tech companies or IT professionals deal with a tech insurance specialist to make sure that their coverage needs are addressed.


Tech Professional Services Not Covered By General Liability

19 November 2008

Tech companies and IT professionals need General Liability to provide coverage for claims or lawsuits for negligence alleging bodily injury, property damage, personal injury, and advertising injury.

Many General Liability policy forms have an exclusion which takes away coverage for a laundry list of professional services including legal, accounting, architectural, engineering, medical, health care and computer consulting, design, or programming services including web site design. 

Obviously, this presents a problem for tech companies or IT professionals seeking General Liability coverage. But the problem can be solved by an insurance professional who specializes in insuring tech and IT risks.

Carriers like The Hartford can eliminate this harmful Professional Services exclusion by endorsing the policy to add back coverage for tech professional services. Hartford has a special endorsement entitled “Technology Services Coverage” for this purpose.

Be sure to avoid these types of problems by dealing with a tech insurance specialist.


Loss To Electronic Data Not Covered Under General Liability

19 November 2008

Standard General Liability policies for businesses don’t adequately cover the liability risk of “property damage” to “electronic data”.

Most service or contracting businesses could cause property damage that results in loss of or damage to a third party’s electronic data that is housed on their computer system. This exposure is not limited to IT firms.

Standard General Liability forms provide coverage for liability arising out of “property damage”. “Property Damage” is defined as a) physical injury to tangible property including loss of use thereof and b) loss of use of tangible property that is not injured…. As used in this definition, “electronic data” is not tangible property.

“Electronic data” is defined as information, facts, or programs: a) stored as or on, b) created or used on: or c) transmitted to or from: computer software…..hard or floppy discs, CD-ROMS, tapes, drives, cells, data processing devices, or any other media which are used with electronically controlled equipment.

This problem can be solved by the addition of various endorsements to add back coverage for property damage to electronic data. The cost is usually minimal.

However, some General Liability carriers that cater to IT firms will not add back this coverage. As a result, IT firms may need to verify that their Professional Liability (Errors & Omissions Liability) policy picks up this exposure. The key is to locate the definition of “tangible property” and find out if electronic data is included.


Insider Jobs Account For Most Cyber Theft Losses

19 November 2008

Outside hackers, whether domestic or part of criminal gangs in Eastern Europe and Asia, get most of the media attention.

However, inside jobs by a company’s own employees account for 70% of all security incidents that result in losses, according to some sources. This is known as authorized access for unauthorized use.

Employees, independent contractors, or employees of independent contractors who are disgruntled with management may steal confidential information such as credit card numbers, bank account information, or proprietary information such as trade secrets.

Most Cyber Liability policies only cover unauthorized access by outsiders. Make sure that your policy also covers authorized access for unauthorized reasons.

Source: Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006


Cyber Attack Loss Control And Risk Management Steps

19 November 2008

The following risk management controls can help companies avoid cyber losses due to viruses, hackers, trojan horses, malware, denial of service, extortion, errors & omissions in delivering tech services, intellectual property violations, etc.:

* firewalls

* encryption

* password protection

* network security reviews

* disaster recovery services

* forensic services in response to security breaches

* emergency loss containment

* employee handbook provisions on internet and email security

* hacker vulnerability assessments

* review of your content and use terms by intellectual property attorney

Sources:

With Computers Under Siege Cyber Insurance Rides To The Rescue

Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006


Identity Theft Coverage In Cyber Liability

19 November 2008

Cyber Liability policy forms may or may not cover the following types of identity theft:

Phishing Attacks- Phishers send spoofed emails that hijack the names of trusted companies like banks, credit card companies, e-retailers, etc. in an attempt to trick recipients into visiting counterfeit websites and entering confidential data into web forms. Such confidential data can take the form of account numbers, credit card numbers, social security numbers, user names, passwords, etc. Once this information has been received, the theft can begin.

Pharming Attacks- Pharmers send emails or design websites that plant crimeware into home computers and PCs that directly extracts confidential information through the use of key logger monitoring software.

Some carriers may allude to coverage for phishing and pharming by using terms such as “unauthorized access” or “breach of security,” while the better forms will have affirmative coverage grants. A specific limit may be available for a business to restore its credit after an identity theft has occurred.

Source: With Computers Under Siege, Cyber Insurance To The Rescue


12 Specific Cyber Liability Risks

19 November 2008

When analyzing a Cyber Liability policy for adequacy, the following specific risks may or may not be covered:

* Errors & Omissions resulting in pure economic damages (needed for accounts that perform Cyber related professional services for a fee for others)

* Personal injury such as libel (usually excluded under General Liability for accounts with Cyber exposure)

* Advertising injury such as inaccurate statement about a competitor (usually excluded under General Liability for accounts with Cyber exposure)

* Copyright infringement

* Trade or service mark infringement

* Patent infringement (difficult to obtain on Cyber Liability policy, may need to buy stand alone policy to insure this risk)

* Computer viruses, trojan horses, malware

* Unauthorized access by outsiders to confidential data

* Authorized access by insiders for illegal purposes

* Breach of security

* Loss of use

* Business interruption

Businesses should discuss the exposure to each of the above risks with their risk manager or insurance agent and decide which ones need to be included in the coverage form. Don’t assume that all of these risks are covered without a specific coverage grant in the policy language. Since Cyber Liability coverage forms are not standardized like many other policy forms, coverages tend to vary greatly from one carrier to the next.

Source: With Computers Under Siege, Cyber Insurance Rides To The Rescue


Cyber Risk As Serious As Current Financial Crisis

27 October 2008

“We are experiencing a financial meltdown due to a fundamental misunderstanding and mismanagement of modern financial systems, which is generating a crisis of confidence in our core institutions. Today, all our critical infrastructures are reliant on cyber systems that are also misunderstood and mismanaged. These vulnerabilities place both our financial and physical security in jeopardy unless we update the method we use to control our cyber systems.”
 
Cyber Liability is one of top four priority security issues– Department Of Homeland Security
 
The estimated 2004 impact of cyber attacks on business was $226 billion– Congressional Research Service
 
A new guide from The American National Standards Institute (ANSI) and The Internet Security Alliance (ISA) is available to business executives to assist in limiting the impact of a cyber attack.
 
Experts Warn Businesses of Financial Impact Of Cyber Risk


Data Breaches Growing Rapidly: Tech Companies Uninsured

20 October 2008

Over the past two and a half years, there have been over 225 million reported consumer data breaches. This year alone, there have been more than 30 million reported security breaches of consumer data. No one knows the actual numbers since it is suspected that most security breaches are unreported.

Most tech firms and regular businesses with exposure don’t have insurance to cover this expensive peril. Liability for the following categories of expenses is common in these breaches of security:

* Class action lawsuits

* Regulatory fines, fees, penalties

* Statutory notification expenses

Tech companies that collect confidential information or assist clients that do the same must make sure that their Professional Liability / Errors & Omissions policy is specially endorsed to respond to breach of security lawsuits. Non tech companies with exposure must make sure that their Cyber Liability policy does the same.

Source: S.H. Smith & Company, Inc. E Bulletin, 10-19-08

