1. The Hidden Exposures of Technology:
A Risk and Insurance Perspective
CPCU Society
I-Day – New Jersey
October 20, 2006
Robert W. Muilenburg, Esq.
Adam M. Smith, Esq.
2. INTRODUCTION
Technology provides significant benefits to
society
Continues to develop rapidly
Substantial challenge to insurance industry
Unknown liability risks for new technology
Partnering with manufacturing industry vs.
protecting company from unforeseen
exposures
Coughlin Duffy, LLP 2
3. AGENDA
Technology exposures:
– Blast Faxes/Spam email/Text messaging
– Data Security/Identity Theft
– Internet/Web utilization
– Radio Frequency Identification
– Nanotechnology
Incompatibility with GL policies
“Cyber-insurance” products
4. Blast Faxes
Telephone Consumer Protection Act (47
U.S.C. § 227)
– Prohibits the “use of any telephone, facsimile
machine, computer, or other device to send
an unsolicited advertisement to a telephone
facsimile machine”
– Provides for a private right of action
– Potential damages: actual monetary loss or
$500, whichever is greater
– Treble damages ($1,500 per fax) allowed if
willful violation
5. Blast Faxes
Increasing exposure for TCPA suits
– TCPA suits are amenable to class actions
– Potential damages are in the millions
– Over 100 TCPA lawsuits seeking class action status have
been brought in Cook County, Illinois
– Charter One Bank faced liability of $35 million for sending
unsolicited faxes to approx. 70,000 phone numbers
– A Georgia car wash hired a company to send 70,000 faxes
to random phone numbers and faces $36.5 million in
liability
– Class actions have been brought within the Fourth,
Seventh, Eighth and Tenth Circuits
6. Blast Faxes
Hooters of Augusta (Georgia)
– 1,321 class members received 6
unsolicited faxes
– Damages found to be $1,500/violation
– Treble damages awarded for willful
violations
– Total verdict: $11,889,000
– Settled for $9 million
7. Text Messaging
Short message service is a major
mode of communication for marketing
TCPA, CAN-Spam Act and state laws
can limit text messaging in marketing
and promotional campaigns
Some states have enacted instant
message Spam laws known as “Anti-
Spim”
8. Text Messaging
Joffe v. Acacia Mortgage Company (AZ 2005)
– Joffe alleged violations of TCPA based upon receipt of
unsolicited text messages to his cellular phone
– TCPA prohibits using “any automatic dialing system” to
make “any call” to “any telephone number assigned to a...
cellular telephone service”
– Appellate Court found that “any call” included the attempt
to communicate by telephone
– Court found that delivery of SMS promotional text
messages by telephone qualified as telephone call
– Court also found that the CAN-Spam Act and the TCPA
have dual applicability
9. Spam email
CAN-SPAM Act of 2003
– Regulates email whose primary purpose is
advertising or promoting a commercial product
or service
– Bans misleading header and subject lines;
requires recipients be given “opt-out” method
– No private right of action; only the FTC, State
Attorneys General and Internet Service Providers
can sue
– Potential Damages
10. Spam email
Earthlink v. KSTM (Georgia 2006)
– September 2006: Awarded $11 million
against Nevada spammer
– Treble damages awarded
Earthlink alone has been awarded
$200 million in judgments against
spammers
11. DATA SECURITY/IDENTITY
THEFT
FTC received over 250,000 identity
theft complaints in 2005
The Love Bug, Melissa and other
viruses were estimated to cost
companies more than $54 billion, since
1995, in removal costs, repairs and
lost productivity and sales due to
downtime
12. DATA SECURITY/IDENTITY
THEFT
500 large American companies and
government agencies reported in a
recent FBI-sponsored survey that:
– 90% had detected a computer security
breach within the past 12 months
– 85% had detected computer viruses
– 80% had suffered a monetary loss due to
a cyberattack
13. DATA SECURITY/IDENTITY
THEFT
2003 Census figures: 55% of U.S.
households have internet access (28% in
1998)
– August 2005: 61% connect via broadband
(Nielsen)
2006: Computer-based risks the #1 concern
among executives worldwide
– Ahead of corporate governance, trade, terrorism,
etc. (Swiss Re)
Every organization with a computer or
network is at risk
14. DATA SECURITY/IDENTITY
THEFT
– What Kind of Losses/Claims can be expected:
1. Cost to notify the public and individuals regarding a data loss event.
2. Claims for Safeguarding against Identity Theft
3. Data Extortion – Hold the Information for Ransom
4. Claims for Reimbursement of actual fraud related losses in cases of Identity Theft
5. D&O claims for loss of value of stock, negligence, invasion of privacy, etc.
6. Claims for Business Income due to lost income associated with customer dissatisfaction or fear.
7. Loss related to money spent on publicity campaigns to alleviate “bad” image from the event.
8. Government Fines and/or Penalties
15. DATA SECURITY/IDENTITY
THEFT
Common law theories of legal liability
– Negligence
– Fraud
– Misrepresentation
– Invasion of privacy
– Failure to Warn
– Breach of warranty/contract
Companies may also be subjected to
shareholder suits or government
enforcement actions
16. DATA SECURITY/IDENTITY
THEFT
More than 40 states have passed customer
notification legislation, including
Connecticut, Delaware, California, Florida,
New Jersey, New York and Texas
Federal law:
– Sarbanes-Oxley
– Gramm-Leach-Bliley
– HIPAA
17. DATA SECURITY/IDENTITY
THEFT
Recent lawsuits/enforcement actions:
– LexisNexis
– ChoicePoint, Inc.
– CardSystems
– DSW, Inc.
– BJ Wholesale Club, Inc.
– U.S. Bancorp
– Eckerd Drugs
18. DATA SECURITY/IDENTITY
THEFT
This can create a very costly scenario for
the company.
Examples:
– 3,000,000 identities stolen (not used); 5% sue =
150,000 claimants; 150,000 × $300 =
$45,000,000
– 200 identities stolen (100 used fraudulently);
average damages of $25,000 = $2,500,000 loss.
Doesn’t address cost of mandatory
notification
19. INTERNET/ WEB
UTILIZATION
Almost every business has a web page
Different types of web pages
– Presence only
– Content aggregation
– Interactive
– Transactional/e-commerce
20. INTERNET/ WEB
UTILIZATION
Exposure depends on type of site
– Least exposure: presence only
– Greatest exposure: transactional
Types of exposure:
– Intellectual property
– Personal injury
– Fraud/identity theft
21. INTERNET/ WEB
UTILIZATION
Scheff v. Bock (Florida)
– October 10, 2006: Florida jury awarded
$11.3 million for defamation for posting
on an Internet bulletin board
– Site owner also sued; dismissed from
case
22. RADIO FREQUENCY
IDENTIFICATION
A very small chip or tag that communicates
digital data to a reader through radio waves
Estimated 2007 spending on RFID
implementation: over $1 billion
Recent proposed usages
– Tracking of senior citizens' daily activities
– Tracking student attendance
– Tracking children
– Tracking immigrants
23. RADIO FREQUENCY
IDENTIFICATION
Current usages
– Tracking of farm animals and pets
– Walmart supply chain
– Denmark amusement park
– E-Z Pass
25. NANOTECHNOLOGY
nanos: Greek term for dwarf
one thousand millionth of a meter
Technology to visualize, characterize,
produce and manipulate matter of the size of
1 – 100 nm.
Small size
– High surface to volume ratio
– Unique properties (material strength and weight
reduction, conductivity, new optical properties)
– New entry ways (high mobility in human body
and environment)
27. NANOTECHNOLOGY
Engineered nanoparticles
– Engineered particles
Coated surfaces
Specific properties
Large volumes
New materials – we cannot learn from the past
– No long term experience
– Few exposure assessments
– Few toxicology assessments
– No classification
Uncertainty
28. NANOTECHNOLOGY
Living organisms
– Entry into blood stream
via nose, digestive system, lung, skin?
– Body distribution (incl. brain?)
Biodegradable
– Elimination
– Acute toxicity?
Non-biodegradable
– Accumulation?
– Chronic toxicity?
29. NANOTECHNOLOGY
Environment
– Particles treated to avoid agglomeration
– Passage through soil, transport of
contaminants
– Ground water: drinking water quality
– Absorption by plants (entry into food
chain)?
– Removal difficult, filters insufficient
30. NANOTECHNOLOGY
Potential product liability exposure
– Product liability imposes strict liability for design
defects, manufacturing defects or failure to warn
claims
– A design defect claim could arise in the context
of a product that uses nano materials and
allegedly results in inhalation exposure during
manufacture or use
– A failure to warn claim could be based upon the
argument that the manufacturer did not conduct
reasonable testing and due diligence in
evaluating products’ dangers
31. NANOTECHNOLOGY
Recent report by the National Research Council
notes too little money has been invested in
understanding potential health and environmental
risks
Risk Management Issues for Nanotechnology
Insureds
– Potential exposure from new uncharted technology
– Insureds must disclose known risks and research with
respect to products insured
Potential Ways to Limit Exposure
– Provide coverage on claims-made basis only
– Limitations on number of claims, or providing a batch clause
or specific event limitations
32. ARE TECHNOLOGY CLAIMS
COVERED UNDER GL POLICIES?
Coverage A: BI and PD
– Is intangible property damage covered?
– Is electronic data tangible property?
– Was the injury expected or intended from
the standpoint of the insured?
33. ARE TECHNOLOGY CLAIMS
COVERED UNDER GL POLICIES?
Coverage B: Personal and Advertising Injury
– Does the offense arise out of the insured’s
business?
– Was there a publication or an utterance?
– Was there a nexus to the insured’s advertising?
– Does the liability arise out of one of the
enumerated offenses?
– Was the act caused or directed by the insured
with knowledge that it would violate another’s
rights or would inflict injury?
34. ARE TECHNOLOGY CLAIMS
COVERED UNDER GL POLICIES?
Insurance coverage will likely depend
upon the allegations
– Government enforcement actions
Look for exclusions for fines and penalties
Do remediation costs for security breach
satisfy “damages” definition
35. ARE TECHNOLOGY CLAIMS
COVERED UNDER GL POLICIES?
– Private party actions (class actions?)
Is it Bodily Injury? No
Is it Advertising Injury? Must arise out of
advertising activities
Is it Personal Injury? Isn’t there an
invasion of privacy? Many policies will
require publication or an utterance
36. ARE TECHNOLOGY CLAIMS
COVERED UNDER GL POLICIES?
– Private party actions (class actions?)
– Is it Property Damage?
See, Computer Corner, Inc. v.
Fireman’s Fund, 2002 N.M. App. LEXIS
37 (loss of data is tangible property
damage)
Numerous other courts have held
otherwise
2004 CGL revision, exclusion (p):
eliminates cover for loss of electronic
data
37. Blast Faxes Coverage Issues
Coverage sought as invasion of privacy
claim
– CGL policies generally cover “oral or
written publication of material that
violates a person’s right to privacy”
– Insureds argue TCPA claim for unsolicited
faxes constitutes a covered invasion of
privacy claim
38. Blast Faxes Coverage Issues
Early cases finding coverage exists
– In Prime TV LLC v. Travelers (NC) the Federal District Court
concluded that the TCPA was enacted to protect privacy, a TCPA
claim must therefore fall within coverage for “hidden publication
of material that violates a person’s right of privacy”
– In Hooters of Augusta (GA) the insured sought coverage for a $9
million settlement for distribution of unsolicited faxes and the
Court found that TCPA was enacted to protect individuals’ privacy
and therefore must fall within advertising injury coverage. Court
rejected the argument that the TCPA was a penal statute.
– In Western Rim (TX 2003) the Court found the insurer had a
duty to defend the insured in litigation where it was charged with
sending, through an agent, 80,000 unsolicited faxes advertising
apartment complexes to prospective tenants and the Court found
a violation of the TCPA constituted a violation of a person’s right
of privacy
39. Blast Faxes Coverage Issues
Recent Cases Finding TCPA Claims Not Covered
– More recent decisions find that a right of privacy has not been violated unless the
content of the material published violates the privacy rights
– Courts are finding the intent of the privacy coverage is to provide insurance for
claims arising from the offensive content of the material, not the offensive manner
in which it is transmitted
– In American States (IL 7th Cir. 2004) the Court noted two major types of privacy
claims:
Informational, where a person wishes to keep certain facts and information private or
secret
Locational, where a person wishes to avoid intrusion and preserve their right of seclusion
The Court found that the language of the privacy coverage in the CGL policy only covers
privacy claims involving intrusion upon a person’s secrecy
In evaluating TCPA claims, the court must distinguish between privacy claims based upon
seclusion and those based upon publication of secret facts
– In Resource Bank Shares (4th Cir. 2005) the Court noted that the TCPA’s unsolicited
fax prohibition protected seclusion privacy, in which content is irrelevant
The Court found that insurance policies do not cover seclusion damages; rather they insure
violations of content-based privacy
40. Blast Faxes Coverage Issues
Courts differ on whether coverage is
provided based upon property damage
– In Prime TV, the court found the TCPA claim was
insured under the “property damage coverage”
– The property damage is the injured party’s loss
of paper and ink
– Most courts find no coverage because there is
no accident or the sending of faxes is expected
or intended by the insured
41. Blast Faxes Coverage Issues
New policy language
A new ISO exclusion for “methods of sending material or
information” went into effect in some states by March 2005
– The exclusion provides that coverage does not apply to “distribution of
material in violation of statutes”
– “Personal and advertising injury” arising directly or indirectly out of any
action or omission that violates or is alleged to violate:
a. the TCPA; or
b. the CAN-Spam Act of 2003; or
c. any statute, ordinance or regulation other than the TCPA or
CAN-Spam Act of 2003 that prohibits or limits the
sending, transmitting, communicating or distribution
of material or information
– This exclusion should bar coverage for claims sought under the personal
and advertising injury liability section based upon violations of the TCPA
and CAN-Spam Act
43. CyberInsurance Market
21st-century threat with 20th-century
insurance coverage
In 2005, written premiums for
“cyberinsurance” topped $200 million; in
2003, the amount was $100 million.
President Bush’s adviser on cybersecurity
has encouraged cyberinsurance coverages
for railroads, aviation, banking,
telecommunication, power and oil and gas.
44. CyberInsurance Market
Most common types of cover:
– 1st party business interruption
– 1st party electronic damage
– 1st party extortion
– 3rd party network security liability
– 3rd party (downstream) network liability
– 3rd party media liability
45. Third-Party Coverages
Chubb Cybersecurity Liability
Insurance
Covers losses suffered by the Insured
on account of third-party claims that
the Insured’s “cyber activities” caused
the third-party:
– Content injury
– Reputational injury
– Conduit injury
– Impaired access injury, or
– Disclosure injury
46. Chubb Cybersecurity Liability
Insurance
Content injury – “injury . . . because of an
actual or alleged infringement of: (a) . . . a
mark; (b) a copyright; (c) the name of a
product, service or organization; or (d) the
title of an artistic or literary work”
Reputational injury – “injury . . . because of
an actual or alleged: (a) disparagement of
such third party’s products or services; (b)
libel or slander of such third party; or (c)
violation of such third party’s right of
privacy or publicity”
47. Chubb Cybersecurity Liability
Insurance
Conduit injury – “injury . . . because
such third party’s System cannot be
used or is less useful than normal”
Impaired Access injury – “injury
sustained by a Customer [of the
Insured] . . . because [the Customer’s
authorized] access [to the Insured’s
System] has been impaired or denied”
48. Chubb Cybersecurity Liability
Insurance
Disclosure injury – “injury, other than a
Reputational Injury, sustained by a
Customer because of the unauthorized
display, transmission or dissemination of a
Record on the Internet”
Definition of Customer: “a natural person or
organization which: (a) is applying for, or
requesting, [the Insured’s] products or
services; (b) has applied for, or has
requested [the Insured’s] products or
services; or (c) is using, or has used [the
Insured’s] products or services”
49. First-Party Coverages
AIG Internet and Network Security
Insurance
Covers losses suffered by the Insured
for:
– Cyberextortion
– Injury to the Insured’s Information Assets
– Business interruption
50. AIG Internet and Network
Security Insurance
Definition of “Computer Attack”:
“Unauthorized Access, Unauthorized Use,
transmission of a Malicious Code, or a
Denial of Service Attack that (1) alters, . . .
corrupts, disrupts, deletes, damages or
prevents, restricts, access to, a Computer
System; (2) results in the disclosure of
private or confidential information stored on
the Insured’s Computer System; or (3)
results in Identity Theft . . . .”
51. AIG Internet and Network
Security Insurance
Information Asset Loss – “(1) with respect to
Information Assets (i.e., software and electronic
data). . . that are altered, corrupted, destroyed,
disrupted, deleted or damaged, the actual and
reasonable costs [Insured] incur[s] to Restore [the]
Information Assets . . . ; (2) with respect to
Information Assets (i.e., software and electronic
data). . . that are copied, misappropriated, or
stolen, the stated value [as set forth in the policy of
such assets]; (3) with respect to Information Assets
(i.e., computer system capacity) that are
misappropriated or stolen, the actual cash value
[Insured] paid for such lost capacity, which would
not have been paid by [Insured] but for such