Network Security & Internet Liability

Network Security Insurance History

Network Security Insurance (sometimes referred to as Cyber Liability or Internet Liability) has been available for a little over 10 years. It was originally created to protect companies where technologies and the internet play an important role in basic day-to-day operations. Today, this is almost every business. For example:

  • Does your company have a network connected to the internet or a website?
  • Do you depend on e-mail for communications?
  • Do you store private customer data on your computers?
  • Do you hold files with personal information on your employees?

As technology continues to play a bigger role in business, we are becoming more exposed to emerging risks. Consequently, companies are spending more time validating and reviewing their data security standards and risk management practices. In addition, many customers are now requiring proof of insurance that will address privacy breach events. Many federal and state regulatory agencies have placed increasing responsibility for network security breaches on businesses. If you have ever received a letter notifying you of a security breach from an entity that you do business with, then you have been impacted by these regulations.

The Internet is now a critical delivery channel for information, referrals, billing and research. Automating traditional workflows can improve operational efficiency, but it can also bring new responsibilities and additional, unprecedented risks. The accessibility of the Internet increases vulnerability to the theft, alteration or accidental disclosure of personally identifiable information, which can affect an organization's earnings, reputation and operations.

Most companies carry a general liability policy, which provides protection against suits from third parties alleging bodily injury or property damage (for example, you sell a product that causes an injury to a customer). The growing dependence upon the internet has given rise to very significant loss potentials related to privacy, intellectual property, network security and digital content disputes. These claims involve economic losses, not bodily injury. Traditional insurance policies do not provide sufficient coverage for network liability, or for failure to protect, or wrongful disclosure of, personally identifiable information; therefore, specific Cyber Liability policies should be considered as part of a comprehensive risk management program.

Major Risks of Using the Internet & Computer Networks

  1. Damage, Theft or Disclosure of Personally Identifiable Information

    Hackers can access a database and steal large quantities of confidential data in seconds. Disgruntled employees can also use a company's network to destroy information or steal it to sell for a profit. Protecting clients' confidential information is paramount, but this risk should not be managed by firewall technology alone.

    Liability arising from a wrongful disclosure of, or failure to protect, information can come from a variety of areas in addition to a "physical" breach of a company's network security: information may be stored on a laptop which is subsequently stolen, data may be stored on a server at a third party location, information may be retrieved from disposal companies charged with destroying such information, or paper files may be stolen. All of these scenarios may lead to third party lawsuits, together with additional first party costs incurred to comply with legislation requiring notification of all parties whose information may have been compromised.

    Examples of first party costs that would be covered include:

    • Notification Costs including printing, postage, drafting costs, call center costs, advertising
    • Credit Monitoring Costs including credit freezes and fraud alerts
    • Crisis Management Expenses (PR costs, reputational recovery)

  2. Denial of Service Attacks & Transmission of Malicious Code

    Any company connected to the Internet is susceptible to viruses, which can be inadvertently transmitted to others, resulting in legal liabilities as well as damage to, or destruction of, client and other valuable information.

  3. Intellectual Property & Content Infringement

    The Internet creates new exposures for content and advertising litigation. An example would be an incident in which content is added to the insured's website and copyrighted material from a third party is inadvertently included. The third party, aware of the unauthorized usage of the content, alleges damages.

Coverages Available & Coverage Terms Explained

  • Security Liability (including Internal Breach)

    Coverage for damages and defense arising from an attack on the insured's network, including attacks by employees; also covers liability arising from the transmission of a computer virus, unauthorized access, denial of service attacks, or failure to protect "Personally Identifiable Information" (PII).

  • Privacy Coverage Extension

    Extends Security Liability to include liability arising from a failure to protect, or wrongful disclosure of, private information, and violation of any federal or state law governing the protection of information. Extends the definition of network to include anywhere that PII is held.

  • Crisis Fund / Security Notification Costs

    1st Party coverage for expenses incurred following an attack, including (but not limited to) Notification Costs (postage, printing, drafting, call center costs), Credit Monitoring Costs, and Crisis Management Costs (PR costs, advertising, etc.).

  • Professional Services Liability

    Coverage for damages and defense relating to the performance of the insured's Professional Services.

  • Cyber Extortion

    Coverage for the investigation and settlement of a cyber-extortion threat.

  • Information Asset Protection (1st Party Loss)

    Coverage for damage, destruction, corruption, or theft of the insured's information assets, including bandwidth, due to a covered attack on the insured's network.

  • Media Liability Coverage

    Coverage for damages and defense relating to content-based injuries such as libel, slander, defamation, copyright, title, trademark or invasion of privacy arising from the display of materials on the insured's website, etc.

  • Business Interruption

    Coverage for loss of the insured's Business Income & Extra Expenses incurred, both online and offline, resulting from a covered loss.

"Typical" Policy Exclusions

All insurance policies contain Insuring Agreements (coverage grants) as well as exclusions and limitations. Major exclusions found in Network Security policies include:

  • Losses due to Interruptions caused by Telecommunications Providers
  • Losses due to Interruptions caused by ISP / ASP
  • Failure to Follow Minimum Required Practices
  • Inability to use or lack of performance of software due to expiration, cancellation or withdrawal, or software that has not been released from the developmental stage, passed all test runs, or proven successful in applicable daily operations
  • Inability to use software due to the insured's modification of such programs in violation of the software license agreement
  • Pollution
  • Securities based claims (SEC etc)
  • Violations of ERISA or other similar acts
  • Fines & Penalties (punitive damages MAY be insurable)
  • Patent Infringement, Misappropriation of Trade Secrets
  • Bodily Injury
  • Loss or destruction of tangible property (does not apply to damage to data)
  • Anti Trust, Deceptive Trade Practices, Restraint of Trade
  • Fraudulent, Dishonest or Criminal conduct
  • False or misleading advertising about your products or pricing
  • Insured –v- Insured exclusion
  • Chargeback liability, liability or fees incurred as a result of bank etc reversing a payment transaction
  • War

Risk Management & Controls

When assessing a risk for the purposes of providing a Network Security policy, insurers require that the proposed insured company have in place, or be prepared to consider implementing, the following risk management controls:

  • Anti-virus software on all computing devices
  • Automatic updates for anti-virus on a daily basis
  • Automatic scans and filters on e-mail attachments and downloads before opening files
  • Automatically receive virus and other threat notifications from the United States Computer Emergency Readiness Team (US-CERT), SANS Institute or a similar provider
  • Securely configure firewalls rather than relying on the default configuration
  • Configure networks using multiple firewalls to separate back office functions from Internet "facing" operations
  • Promulgate a security policy to all employees and contractors
  • Have a tested disaster recovery plan that includes a security incident response plan addressing both direct (e.g. hacking) and indirect (e.g. virus) attacks on the network
  • Back up network data and configuration files daily
  • Store backup files offsite
  • Allow remote access to network only if it is via a VPN or equivalent system
  • Monitor network platform vendors daily for the availability of security patches and upgrades
  • Test and install security patches and upgrades within 30 days of availability (preferably within 7 days)
  • Lock server room or otherwise limit access to authorized personnel

State Law Overview

Ohio Data Breach Law Overview

Ohio law makes ignoring potential data theft a luxury no business, large or small, can afford.

Recent data breaches underscore the reality of potential threats. If a data breach happens to you, you or your business may be forced to notify your clients or customers, or face hefty fines. What's worse, if personal information is breached, so is the faith clients and customers have in you as a trusted business adviser. Effective Feb. 17, 2006, Ohio HB 104, sponsored by State Rep. Earl Martin (R-Avon Lake), amended the Ohio Revised Code to require consumer notification for breach of personal information.

Individuals, or any business or governmental entity that conducts business in the state of Ohio, must disclose to any consumer who resides in the state a breach of his or her personal information. Consumer notification is required if personal information is believed to have been accessed and acquired by an unauthorized person, and may cause risk of identity theft or other fraud. Personal information is defined as an individual’s first name, or first initial, and last name in combination with any one or more of the following:

  • Social Security number
  • Driver's license number or state identification card number
  • Account number or credit or debit card number, in combination with any required security code, access code, or password.

If the information is unlawfully obtained, then the person or entity must notify affected consumers as expediently as possible, within 45 days of the breach or from the date the breach was discovered.

Ways to notify impacted consumers include:

  • Written notice
  • Electronic notice (if the primary method of communication with the consumer is via electronic means)
  • Telephone notice.

If the computerized personal data is encrypted (or otherwise unreadable), or if only portions of the personal information are able to be unlawfully obtained and no other sensitive personal information is accessed and acquired, then there is no duty to report the breach.

In certain circumstances, alternative methods of notification may be employed. If the person or entity required to notify does not have sufficient contact information to provide notice, if the cost of notification would exceed $250,000, or the number of residents to whom notification must be made exceeds 500,000, a substitute notification method may be used.

Substitute notification methods include:

  • E-mail notice if e-mail address is available
  • Conspicuous posting of the notice on the person or entity’s Web site, if one is maintained
  • Notification of the major media outlets serving at least 75% of the population of the state.

In addition, separate substitute notice methods may be used if the person or entity required to disclose employs fewer than 10 people, or the cost of notifying all affected consumers would exceed $10,000. In this case, substitute notice must include:

  • Paid quarter-page advertisement in a local newspaper serving the area in which the notifying entity operates, published at least once a week for three consecutive weeks 
  • Conspicuous posting of the notice on the person or entity’s Web site, if one is maintained
  • Notification to major media outlets in the geographic area in which the entity is located.

If the disclosure applies to more than 1,000 Ohio residents, the person or entity is required to notify the major national credit information agencies, such as Equifax and Experian.

Paying the piper

H.B. 104 also provides the Ohio attorney general the authority to investigate compliance with the new regulations, and apply civil penalties in instances where noncompliance is proved.

Penalties for failing to properly notify affected consumers within 45 days include:

  • $1,000 per day for the first 60 days
  • Maximum $5,000 for 60-90 days
  • Maximum $10,000 per day over 90 days.

The new law also requires the judge in any case involving noncompliance to gauge whether the delay in notification was intentional or if disclosure was made in good faith when determining the amount of the fine. Maximum fines may be levied if the person or entity is found to have acted in bad faith, and the offending entity may also be liable for the costs of the attorney general’s investigation.

Delay of notification may be allowed if more expedient notification would interfere with the criminal investigation of the data breach. Additionally, financial institutions, which may be subject to separate and/or additional notification requirements under federal law, are exempt from the requirements contained within H.B. 104.

The best way to avoid the need to notify your clients of a data breach is to prevent the breach in the first place. According to Chris Jenkins, chief technology strategist for The Ohio Society of CPAs, "It is not a matter of if your data will be breached, but when." Precautionary measures can be taken to help prevent a breach of sensitive client information and the potential loss of trust. Examples include:

  • Protect desktop and laptop computers
  • Keep software up-to-date
  • Protect against viruses
  • Set up a firewall
  • Keep data safe: implementing a regular backup procedure is a simple way to safeguard critical business data. Setting permissions and using encryption will also help.
  • Use the Internet safely: unscrupulous Web sites, as well as pop-ups and animations, can be dangerous. Set rules about Internet usage to protect your business and your employees.
  • Protect networks: remote access to a network may be a business necessity, but it is also a security risk that needs close monitoring. Use strong passwords and be especially cautious about wireless networks.
  • Protect servers: servers are your network's command center. If they become compromised, your entire network is at risk. To protect your business, protect your servers.
  • Secure line of business applications: make sure that software critical to business operations is fully secured around the clock. Internal and external vulnerabilities can lead to lost productivity or worse.
  • Manage computers from the server