Revisiting Cyber Insurance: Are You Covered?

Increasingly, companies are looking to insurance to help manage their cybersecurity risks and defray losses sustained from data breaches.  Losses can range from reputational damage and business interruption to professional fees for computer forensic services and for attorneys to handle regulatory inquiries or lawsuits.  In the event of a data breach or other cyber incident, recent rulings suggest that traditional insurance policies, like a company’s Commercial General Liability Policy (CGL), may provide coverage, or, at the very least, a defense to lawsuits spawned by cyber events.

How do you know if you are covered under traditional policies?  First, carefully review the language of traditional insurance policies, such as CGL policies, to see if a data breach or the release of personally identifiable information (PII) fits within the policy’s definition of a covered event.  Even if it looks like the language is broad enough to include data breaches or other errors that result in the release of PII, it still may not be enough.  Some courts have delved into the parties’ intent and declined to find coverage where the parties did not clearly intend to cover cyber incidents.  Other courts have strictly interpreted the language in the policy, finding coverage regardless of whether the parties anticipated cyber events at the time the policy was issued. 


Will Privacy Enforcement Actions Impact “Reasonable” Security Measures Needed to Protect Trade Secrets?

In widely-publicized, contested privacy cases last year, the FTC advocated in favor of a high baseline for information security measures.  Among the security practices attacked by the FTC as critical mistakes by companies suffering data breaches:

  1. Storing sensitive data in readable text;
  2. Any system that permits the use of easily-guessed passwords;
  3. Failure to use firewalls between internal systems, the corporate network and the Internet;
  4. Lack of adequate administrative security policies and procedures;
  5. Failure to adequately restrict third-party vendors from network and corporate servers;
  6. Failure to employ reasonable measures to detect and prevent unauthorized access; and,
  7. Failure to follow proper incident response procedures.


Private Bankrolling of Defamation and Privacy Suits

The New York Times recently reported that famed Silicon Valley investor and PayPal co-founder Peter Thiel has been secretly bankrolling “Hulk Hogan’s” (real name Terry Bollea) invasion of privacy suit against Gawker Media. The lawsuit concerns the publication of a sex tape involving Mr. Bollea and the then-wife of one of his friends. Yuck. Double yuck that Gawker saw fit to publish the tape on its site.

The yuck factor and legal merits of the suit aside, Mr. Thiel’s involvement could be a game changer. For more than 50 years, American defamation law has been tilting decidedly in favor of media defendants and libel trials have correspondingly slowed to a trickle. There has, however, been an uptick in newsgathering torts asserted against media entities and such cases usually involve trespassing allegations, or unwarranted invasions of personal privacy. Mr. Bollea’s sex tape suit falls into that category.


Re-Thinking the “Standard” Arbitration Clause in Cloud Agreements (Part III): Taking Full Advantage of ADR in Cloud Agreements

Part I of this three-part article included some history about how it came to be so common that modern technology agreements – including “cloud agreements” – often include a “standard” arbitration clause. Part II asked and answered the question: Is arbitration “cheaper, faster and better” than a traditional lawsuit?

This final installment will focus on some of the clear disadvantages of arbitration and make some suggestions regarding how to better take advantage of the availability of ADR.

Sometimes, It’s Not How You Play the Game, It’s Whether You Win or Lose
The one aspect of arbitration that is perhaps most starkly different from a traditional lawsuit is that an arbitration award is, for all practical purposes, final. It is extremely difficult to overturn an arbitration award on appeal. Generally, an arbitration award will be overturned only if there is some evidence of corruption, fraud or other misconduct on the part of the arbitrator. Buttressing the legal principles upholding the finality of arbitration awards are two practical realities. First, arbitration proceedings are rarely transcribed (which can save substantial costs). Second, arbitrators do not always analyze the reasons for their decision in writing, making it difficult for any reviewing court to determine whether, in fact, the arbitrator made a mistake. If there is simply no record, it’s nearly impossible to convince a court to overturn an award in arbitration.


Rethinking the “Standard” Arbitration Clause in Cloud Agreements (Part II)

Part I of this article included a little bit of history about how it came to be so common that modern technology agreements – including “cloud agreements” – often include a rather ubiquitous, sort of “standard” arbitration clause. The first article in this three-part series also put forth the question of whether some of the common assumptions about arbitration – namely, that arbitration is cheaper, faster and better than a traditional lawsuit – are true.

This middle article in the series aims to try to answer that question: Is arbitration truly “cheaper, faster or better?” A close examination of these common assumptions reveals that, while there are indeed some clear advantages to arbitration, some of the claimed advantages may be lost if parties simply agree to a “standard” arbitration clause, without giving the matter any considered thought on the front end of a transaction. This kind of inertia often leads to an arbitration proceeding that looks very much like a traditional lawsuit. The parties who agree to an arbitration provision without giving it any thought will find that arbitration is often just as expensive as a traditional lawsuit, that it may not be any faster, and that a “more rational result” does not necessarily work to every party’s advantage.


Rethinking the “Standard” Arbitration Clause in Cloud Agreements

Twenty or so years ago, arbitration began to gain wide acceptance among lawyers as a viable alternative for the effective resolution of civil disputes.  Clients were beginning to view “alternative dispute resolution” (ADR) as the best hope for avoiding the expensive morass that litigation in court can sometimes be.  As a result, many trial lawyers began to jump on the bandwagon and tout their skills not only as trial lawyers, but also as experts in “all forms of dispute resolution.”  Certainly, very few lawyers ever attempted to talk their client out of inserting an arbitration clause into an agreement.  Indeed, many lawyers began to insert “standard” arbitration clauses into every agreement they drafted.  This is the first of a three-part article on why using a “standard” arbitration clause in all of your cloud agreements is not such a great idea.

Among many clients and lawyers, “ADR” – pretty soon after its advent – became almost synonymous with what is only one of its forms – arbitration.  Moreover, the “standard” arbitration clause has become more and more “plain vanilla” over the past twenty years.  As a result, ADR may have lost many of the attractive qualities that made it appear to so many two decades ago as a panacea.  The one advantage of ADR clauses in agreements is that they provide the opportunity for creativity and flexibility.  However, when drafting contracts these days, many lawyers and clients blindly insert into each new agreement the same arbitration clause they used in the last agreement.


Authenticating Purchases with Facial Recognition

Facial recognition technology has rapidly advanced in sophistication and accuracy over the years. Early use of the technology was focused on facial detection in security systems. Since 2014, the federal government has introduced facial recognition technology, along with collecting travelers’ fingerprints, in its U.S. Global Entry system in an effort to strengthen border security in major airports across the U.S. And perhaps the most widely known use of facial recognition technology today is the function of “tagging” in online social networks which allows users to identify friends in photos.

Recently, businesses have begun exploring facial recognition’s potential benefits for increasing the level of security in commercial transactions. Amazon recently proposed to implement a patented method (“Image Analysis for User Authentication”) for its customers to complete a transaction by performing an action in front of a camera, such as a smile or a wink to help confirm the person’s identity. Google has been testing its newly developed mobile payment app called “Hands Free,” which allows smartphone users to complete a transaction in the store without taking out their devices. Hands Free allows small businesses to confirm the identity of the shoppers at check out to complete the transaction by uploading a picture of them via an in-store camera that confirms their identity. Similarly, MasterCard is planning to introduce a facial recognition technology called “Selfie Pay” in the U.S. this summer.


Erin Andrews Jury Sends Hoteliers a $55 Million Dollar Reality Check

“Privacy law” continues to evolve in the face of ever-advancing technology. Legislative bodies, administrative agencies, courts, tech companies, and a host of other interests are working to innovate, keep pace with, or catch up. Even the First Amendment, which has been interpreted by courts, lawyers, and scholars for hundreds of years, and which stands as a counter-balance to the right of privacy, is being tested in new ways. But the recent trial involving Erin Andrews highlights that, sometimes, privacy issues are simple, and businesses need to implement common sense policies or face potentially costly outcomes.

A Nashville jury recently handed Ms. Andrews a $55 million verdict against a Nashville hotel franchise owned by West End Hotel Partners and operated by Windsor Capital Management. Michael David Barrett, a notorious stalker, modified a hotel peephole and filmed Ms. Andrews while she was changing, then uploaded the illegally recorded material onto the Internet. Mr. Barrett was ultimately captured by law enforcement; he pleaded guilty and was sentenced to 27 months in prison. In Ms. Andrews’s civil privacy case, she testified that she suffered severe emotional distress as a result of the incident. According to both sides, Barrett stalked and filmed at least 10 women in various hotels across the country. The jury in the Nashville case found that West End Hotel Partners and Windsor Capital Management were 49 percent to blame, and Barrett was 51 percent to blame.


Cyber Insurance: Make Sure You Understand Your Coverage

Today, businesses are increasingly purchasing cyber-specific insurance in an effort to mitigate the financial impact of a breach or other cybercrime.  In terms of what might be covered in a cyber insurance policy, there are basically two types of coverage – “first party” coverage and “third-party” coverage.  First party coverage covers the types of losses that your company might suffer directly in the event of a data incident.  That may include losses, some of which may be covered and some not, such as data destruction, denial of service attacks, incident response, crisis management, public relations, forensic investigation, remediation, breach notifications, credit monitoring, data restoration, business interruption, lost intellectual property, theft and extortion, or damage to reputation. Third party coverage refers to coverage for claims that may be made by third parties against your company arising out of a data incident, such as data breach lawsuits, for example.

The cyber insurance market is set to triple, from 2014 annual sales of around $2.5 billion to $7.5 billion by 2020.  In some sense that news is not very surprising and the number not so high: news of large-scale hacking incidents involving the theft of millions of records seems alarmingly regular.  Given what is at stake for companies that possess and could lose large amounts of valuable data, buying insurance makes sense.  Cyber-related crime already costs the global economy $400 billion per year, and that number is expected to rise.

But key questions remain.  Are cyber risks covered by more general policies that are not cyber-specific?  If not, what should cyber insurance look like?  Looking at some recent cases involving the still nascent cyber insurance market is revealing.


The Internet of Things and the FTC – Don’t Be the Test Case

Kevin Ashton, an expert on digital innovation, stated 15 years ago that, “If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best.”  We are a lot closer to that reality now than when Mr. Ashton first wrote those words.

As most people know by now, the Internet of Things is the ever-more-present future in which everyday objects like refrigerators and thermostats have network connectivity, allowing them to send and receive data to a source—whether you know it or not. Potentially helpful uses include things like smart meters that conserve energy in homes, saving natural resources as well as money for consumers. But not all uses are necessarily helpful. For example, what about health care insurance providers tracking measurable health information and making decisions on insurability based on such measures? And what happens if hackers take over networks where connected devices reside?