Cyber Insurance: Common Pitfalls of the Insured

Insurance Application Risk Management Safety ConceptAs we have noted in a number of recent posts, tech companies need cyber insurance. The risk of not having it is simply not worth it.  But cyber insurance policies can be confusing to understand because the policies vary depending on your type of business, business needs, and how your customers are serviced. Some companies might need a combination of cyber policies in order to have complete cyber insurance coverage. It is very important to do your due diligence, think critically about the cyber insurance needs of your company, and find a policy that covers all of your company’s cyber risk.

Companies must pay attention to the details of the cyber insurance policy and be both clear and accurate about the representations they are making in the application for coverage. The insurance industry makes money by collecting premiums and minimizing claims. This creates a natural tension between the policyholder and carrier.  When a company makes a claim, it would like to get the benefit of the bargain it made with the insurer. That benefit is for the insurer to pay for the claim. The insurer agrees to pay, as long as the claimant has met all of its obligations under the policy.

CONTINUE READING . . .

Outsourcing Lessons from an “Uber” Uber-Rider

UberIn July 2015, my 12-year-old SUV, with 220,000 miles, finally breathed its last breath.  It was time for me to buy a new car.  But, instead, I decided to try a little personal experiment with the “sharing economy.”  Based on a back-of-the-napkin calculation, I determined that it might actually be cheaper to completely outsource my driving to Uber (or its competitor, Lyft).  Using a source like Edmunds.com, it’s easy to find out the “true cost of ownership” of any car you might have your eye on.  Looking at comparable replacement vehicles, my “true cost to own”– fees, fuel, insurance, maintenance and repairs – was around $4,000 annually, not even counting the actual cost of the car.  $4,000 is a lot of Uber rides!  I wondered: could I completely outsource my driving and come out ahead?  I decided to conduct an experiment for three months, chart it all out on a spreadsheet, and test my theory.

That was almost 14 months ago, and I can report that, as of today, I don’t own a car.  But recent stories about Uber’s $1.27 billion loss in the first half of 2016 caused me to wonder whether my outsourcing provider will be around for the long haul.  And that got me thinking about some of the other lessons I’ve learned about outsourcing, which may be helpful to pass along.

CONTINUE READING . . .

Revisiting Cyber Insurance: Are You Covered?

Online Security Technology background

Increasingly, companies are looking to insurance to help manage their cybersecurity risks and defray losses sustained from data breaches.  Losses can range from reputational damage, business interruption, and professional fees for computer forensic services and attorneys to handle regulatory inquiries or lawsuits.  In the event of a data breach or other cyber incident, recent rulings suggest that traditional insurance policies, like a company’s Commercial General Liability Policy (CGL), may provide coverage, or, at the very least, a defense to lawsuits spawned by cyber events.

How do you know if you are covered under traditional policies?  First, carefully review the language of traditional insurance policies, such as CGL policies, to see if a data breach or the release of personally identifiable information (PII) fits within the policy’s definition of a covered event.  Even if it looks like the language is broad enough to include data breaches or other errors that result in the release of PII, it still may not be enough.  Some courts have delved into the parties’ intent and declined to find coverage where the parties did not clearly intend to cover cyber incidents.  Other courts have strictly interpreted the language in the policy, finding coverage regardless of whether the parties anticipated cyber events at the time the policy was issued. 

CONTINUE READING . . .

Will Privacy Enforcement Actions Impact “Reasonable” Security Measures Needed to Protect Trade Secrets?

Lock and Key (Small)

In widely-publicized, contested privacy cases last year, the FTC advocated in favor of a high baseline for information security measures.  Among the security practices attacked by the FTC as critical mistakes by companies suffering data breaches:

  1. Storing sensitive data in readable text;
  2. Any system that permits the use of easily-guessed passwords;
  3. Failure to use firewalls between internal systems, the corporate network and the Internet;
  4. Lack of adequate administrative security policies and procedures;
  5. Failure to adequately restrict third-party vendors from network and corporate servers;
  6. Failure to employ reasonable measures to detect and prevent unauthorized access; and,
  7. Failure to follow proper incident response procedures.

CONTINUE READING . . .

Private Bankrolling of Defamation and Privacy Suits

Peter Thiel v. Gawker MediaThe New York Times recently reported that famed Silicon Valley investor and PayPal co-founder Peter Thiel has been secretly bankrolling “Hulk Hogan’s” (real name Terry Bollea) invasion of privacy suit against Gawker Media. The lawsuit concerns the publication of a sex tape involving Mr. Bollea and the then-wife of one of his friends. Yuck. Double yuck that Gawker saw fit to publish the tape on its site.

The yuck factor and legal merits of the suit aside, Mr. Thiel’s involvement could be a game changer. For more than 50 years, American defamation law has been tilting decidedly in favor of media defendants and libel trials have correspondingly slowed to a trickle. There has, however, been an uptick in newsgathering torts asserted against media entities and such cases usually involve trespassing allegations, or unwarranted invasions of personal privacy. Mr. Bollea’s sex tape suit falls into that category.

CONTINUE READING . . .

Re-Thinking the “Standard” Arbitration Clause in Cloud Agreements (Part III): Taking Full Advantage of ADR in Cloud Agreements

Cloud Tech Alternative Dispute ResolutionPart I of this three-part article included some history about how it came to be so common that modern technology agreements – including “cloud agreements” – often include a “standard” arbitration clause. Part II asked and answered the question: Is arbitration “cheaper, faster and better” than a traditional lawsuit?

This final installment will focus on some of the clear disadvantages of arbitration and make some suggestions regarding how to better take advantage of the availability of ADR.

Sometimes, It’s Not How You Play the Game, It’s Whether You Win or Lose
The one aspect of arbitration that is perhaps most starkly different from a traditional lawsuit is that an arbitration award is, for all practical purposes, final. It is extremely difficult to overturn an arbitration award on appeal. Generally, an arbitration award will be overturned only if there is some evidence of corruption, fraud or other misconduct on the part of the arbitrator. Buttressing the legal principles upholding the finality of arbitration awards are two practical realities. First, arbitration proceedings are rarely transcribed (which can save substantial costs). Second, arbitrators do not always analyze the reasons for their decision in writing, making it difficult for any reviewing court to determine whether, in fact, the arbitrator made a mistake. If there is simply no record, it’s nearly impossible to convince a court to overturn an award in arbitration.

CONTINUE READING . . .

Rethinking the “Standard” Arbitration Clause in Cloud Agreements (Part II)

Cloud AgreementsPart I of this article included a little bit of history about how it came to be so common that modern technology agreements – including “cloud agreements” – often include a rather ubiquitous, sort of “standard” arbitration clause. The first article in this three-part series also put forth the question of whether some of the common assumptions about arbitration – namely, that arbitration is cheaper, faster and better than a traditional lawsuit – are true.

This middle article in the series aims to try to answer that question: Is arbitration truly “cheaper, faster or better?” A close examination of these common assumptions reveals that, while there are indeed some clear advantages to arbitration, some of the claimed advantages may be lost if parties simply agree to a “standard” arbitration clause, without giving the matter any considered thought on the front end of a transaction. This kind of inertia often leads to an arbitration proceeding that looks very much like a traditional lawsuit. The parties who agree to an arbitration provision without giving it any thought will find that arbitration is often just as expensive as a traditional lawsuit, that it may not be any faster, and that a “more rational result” does not necessarily work to every party’s advantage.

CONTINUE READING . . .

Rethinking the “Standard” Arbitration Clause in Cloud Agreements

Cloud TechnologyTwenty or so years ago, arbitration began to gain wide acceptance among lawyers as a viable alternative for the effective resolution of civil disputes.  Clients were beginning to view “alternative dispute resolution” (ADR) as the best hope for avoiding the expensive morass that litigation in court can sometimes be.  As a result, many trial lawyers began to jump on the bandwagon and tout their skills not only as trial lawyers, but also as experts in “all forms of dispute resolution.”  Certainly, very few lawyers ever attempted to talk their client out of inserting an arbitration clause into an agreement.  Indeed, many lawyers began to insert “standard” arbitration clauses into every agreement they drafted.  This is the first of a three-part article on why using a “standard” arbitration clause in all of your cloud agreements is not such a great idea.

Among many clients and lawyers, “ADR” – pretty soon after its advent – became almost synonymous with what is only one of its forms – arbitration.  Moreover, the “standard” arbitration clause has become more and more “plain vanilla” over the past twenty years.  As a result, ADR may have lost many of the attractive qualities that made it appear to so many two decades ago as a panacea.  The one advantage of ADR clauses in agreements is that they provide the opportunity for creativity and flexibility.  However, when drafting contracts these days, many lawyers and clients blindly insert into each new agreement the same arbitration clause they used in the last agreement.

CONTINUE READING . . .

Authenticating Purchases with Facial Recognition

Selfie PayFacial recognition technology has rapidly advanced in sophistication and accuracy over the years. Early use of the technology was focused on facial detection in security systems. Since 2014, the federal government has introduced facial recognition technology, along with collecting travelers’ fingerprints, in its U.S. Global Entry system in an effort to strengthen border security in major airports across the U.S. And perhaps the most widely known use of facial recognition technology today is the function of “tagging” in online social networks which allows users to identify friends in photos.

Recently, businesses have begun exploring facial recognition’s potential benefits for increasing the level of security in commercial transactions. Amazon recently proposed to implement a patented method (“Image Analysis for User Authentication”) for its customers to complete a transaction by performing an action in front of a camera, such as a smile or a wink to help confirm the person’s identity. Google has been testing its newly developed mobile payment app called “Hands Free,” which allows smartphone users to complete a transaction in the store without taking out their devices. Hands Free allows small businesses to confirm the identity of the shoppers at check out to complete the transaction by uploading a picture of them via an in-store camera that confirms their identity. Similarly, MasterCard is also planning to introduce a similar facial recognition technology called “Selfie Pay” in the U.S this summer.

CONTINUE READING . . .

Erin Andrews Jury Sends Hoteliers a $55 Million Dollar Reality Check

Erin Andrews Privacy Lawsuit“Privacy law” continues to evolve in the face of ever-advancing technology. Legislative bodies, administrative agencies, courts, tech companies, and a host of other interests are working to innovate, keep pace with, or catch up. Even the First Amendment, which has been interpreted by courts, lawyers, and scholars for hundreds of years, and, which stands as a counter-balance to the right of privacy, is being tested in new ways. But the recent trial involving Erin Andrews highlights that, sometimes, privacy issues are simple, and businesses need to implement common sense policies or face potentially costly outcomes.

A Nashville jury recently handed Ms. Andrews a $55 million verdict against a Nashville hotel franchise owned by West End Hotel Partners and operated by Windsor Capital Management. Michael David Barrett, a notorious stalker, modified a hotel peephole and filmed Ms. Andrew while she was changing, then uploaded the illegally recorded material onto the Internet. Mr. Barrett was ultimately captured by law enforcement; he pleaded guilty and was sentenced to 27 months in prison. In Ms. Andrews’s civil privacy case, she testified that she suffered severe emotional distress as a result of the incident. According to both sides, Barrett stalked and filmed at least 10 women in various hotels across the country. The jury in the Nashville case found that West End Hotel Partners and Windsor Capital Management were 49 percent to blame, and Barrett was 51 percent to blame.

CONTINUE READING . . .