Most companies that sell technology-based products or services purchase Errors and Omissions (E&O) Insurance to indemnify them from liability caused by the failure of their products or services. When the vendor’s products or services require access to the clients’ confidential information – and especially personally identifiable information (PII) or protected health information (PHI) – the nature and extent of the vendor’s obligations can get more complicated.
The combination of traditional E&O exposures with rapidly evolving privacy/data security exposures has created new insurance coverage and claims-handling uncertainties. As a result, technology companies that handle, store or transmit their clients’ or customers’ sensitive data are increasingly getting squeezed when they buy E&O insurance policies.
The New York Times published an article today predicting that there will be a surge in the purchase of what it refers to as “cyber insurance” – insurance covering a range of exposures relating to the breach of privacy and network security. The article has some significant exaggerations and misleading statements, and it quotes extensively from people whose livelihood depends upon cybersecurity breaches and the sale of insurance policies, but it provides a useful window on the current environment. The article places great importance on the recent guidelines issued by the SEC’s Division of Corporation Finance. Click here for WGA’s blog post and downloadable white paper discussing these new guidelines and their potential impact.
The recent rash of cyber breaches at public companies and an outcry from federal lawmakers have prompted U.S. securities regulators to issue guidance for when companies must disclose cyber attacks to investors. The guidelines issued by the U.S. Securities and Exchange Commission are intended to help reporting companies determine whether they need to disclose the risks they face in protecting their electronic data, as well as the costs they have incurred or could incur because of cybersecurity breaches.
The increase in corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Breaches are now more frequent and severe. Public companies and their advisors should focus greater attention on how disclosure obligations under the …
Six-figure losses common for even small businesses
A survey by Symantec of more than 3,000 businesses provides useful information about the current state of corporate cybersecurity. Symantec’s 2011 State of Security Survey found that 73% of small and midsize companies had suffered a cyber attack in the past year, and that 30% of the attacks were “somewhat/extremely effective” in compromising the victims’ data. Companies are on alert. According to the study, in fact, companies considered cybersecurity their greatest threat — greater than criminal activity, natural disasters, and terrorism.
Many companies are already bristling with perimeter weaponry designed to prevent external attacks, but their defenses are not impregnable. More than 70% of the respondents experienced cyber …
Two Peas in Different Pods
Much ink has been spilled about Zurich Insurance’s recent denial of coverage for the massive Sony PlayStation breach. Some of the early commentary has been useful (mostly by providing accurate descriptions of what has transpired so far), while some has been wildly amiss (mostly by mischaracterizing the kind of coverage at issue). In the end, Zurich’s coverage denial will probably be confirmatory rather than revelatory — that is, it will likely confirm the warnings of experienced insurance professionals and not uncover any shocking new facts about coverage for breaches of privacy and data security.
Less attention has been paid to a pair of claims involving Dropbox, a popular cloud-based storage service. One claim was filed with the FTC, alleging that Dropbox had made false claims about the security of its users’ data. The other claim, a class action lawsuit, followed a self-inflicted breach …
Most businesses are now aware of the financial and reputational risks they face from breaches of their confidential information. Each week, sometimes even every day, there are reports describing the theft or loss of sensitive data from companies, healthcare and educational institutions, or governments. Many of these incidents receive considerable media attention, such as the serial breaches at Sony. Security experts speculate about the costs companies incur in connection with data breaches, ranging from the hundreds of thousands to the hundreds of millions of dollars.
Much of the media attention is understandably directed at breaches of confidential consumer information. Those involve the compromise of personally identifiable information that can be used to engage in identity theft and cause terrible personal financial …
The recent avalanche of news about stolen email addresses and/or passwords (Epsilon, Sony, Sega) is making people wonder if their confidential information has been wrongfully obtained by hackers. A new website, conveniently named “Should I Change My Password?”, makes it easy to see if your sensitive consumer information is in 13 publicly available databases that contain more than 800,000 stolen records. These databases have been published by hackers, such as LulzSec and Anonymous, who claim to be hacking for fun or to make a political point.
This site was created by a technology professional who says he wanted to give people an easy way to see if they have been affected by recent hacks, and also some basic advice about creating and using passwords safely. To check if your information is in the database …
The Texas Comptroller notified about 3.5 million people last month that their personal information (including names, addresses and Social Security Numbers, and in some cases driver’s license numbers and dates of birth) was publicly exposed for about one year because of data security lapses by the government.
The Facts
The breach occurred after various state agencies and entities transferred information about individuals to the Comptroller’s office for use in verifying unclaimed property records. The information was required to be provided to the Comptroller by state law. Unfortunately, there were several missteps in how the data was transferred and handled. For starters, the transferred files were required to be encrypted — but they weren’t. Then, …
On April 27, 2011, Sony publicly disclosed that hackers had breached its PlayStation Network (which includes its Qriocity video and music-streaming services) and had gained access to 77 million consumer records. This revelation came several days after Sony had shut down the Network, saying at the time only that an outage had been responsible for the interruption. On the 27th Sony disclosed that the compromised consumer information included names, addresses, email addresses, birth dates, login and password information, purchase history, and possibly credit card information. A statement indicated that the credit card information was encrypted, and that there was no evidence it had been taken.
The massive size of the breach has caused much speculation about the expenses that Sony will incur in dealing with the matter. One article said that the costs could rise as high as $24B (yes, billion) …
The recent extended outage of Amazon’s “cloud computing” business has generated many questions about what insurance policies would be likely to provide indemnification for losses caused by the crash.
Amazon has a significant cloud computing business, which it calls Amazon Web Services (AWS). AWS rents data storage and web services to its customers. These customers use the outsourced services to avoid the expense and distraction of providing those services for themselves. As a risk management matter, cloud computing customers should make sure that their data is stored in different locations and that they have adequate backup and disaster recovery options in the event of outages or crashes. As such “redundancy” services can be expensive, some of Amazon’s smaller corporate customers did not purchase them. When Amazon’s data center in Northern Virginia experienced an extended outage, these customers did not have effective contingency plans, and their websites performed slowly or crashed.