Channel: Cyberinsurance Law Blog
Browsing latest articles
Browse All 57 View Live

“Know Your Limits”

Among the more difficult decisions faced by companies buying cyberinsurance is determining appropriate policy limits.  The truth is that there is no one way to determine appropriate limits.  Businesses...

View Article



“High-Net-Worth, High Net Risk?”

The Target data breach reportedly impacted over 100 million people.  The Anthem breach, approximately 80 million.  And the Ashley Madison hack made almost 40 million users nibble their nails while the...

View Article

“Beware the Terrorism Exclusion or Else…”

Commercial property and liability insurance policies typically contain exclusions for terrorist acts.  Terrorism exclusions became industry standard following 9/11, the largest single insured loss...

View Article

“URMIA Western Regional Conference”

I’m pleased to announce that Louis Guard, Counsel and Chief of Staff at Hobart and Smith Colleges, and I will be presenting at the University Risk Management and Insurance Association’s Western...

View Article

“Employees’ Intentional Misconduct Rising Cause of Data Breaches”

And your policy may or may not have you covered.  If you want to know a little bit more (I know you do), follow this link to TheEmployerHandbook.com, where my colleague, Eric Meyer (aka “The Blog King,...

View Article


“Cyberinsured Staying Alive – After Summary Judgment”

There are few cases interpreting stand-alone cyberinsurance policies.  So, when there is a development in one of them, however unrelated to the novel construction issues raised by these new(ish)...

View Article

“Bark But No Bite for Cybersecurity Act of 2015?”

Yes, I’m late to the party.  President Obama signed the Cybersecurity Act of 2015 into law over a month ago.  Plenty of ink has already been spilled about it.  The act encourages, but does not require,...

View Article

“Ew Part II: EU/US Reach Privacy Shield Agreement”

It’s been four months since the EU invalidated the Safe Harbor agreement that had been allowing US companies to transfer data into and out of the EU despite the EU’s more stringent privacy laws.  I...

View Article


“HIPAA Fines and the Physical-Digital Divide”

Health and Human Services’ (HHS) Office for Civil Rights recently issued a $239,000.00 HIPAA fine to Lincare, Inc.  I don’t know if the fine will be covered by cyberinsurance.  I don’t even know...

View Article


“Two Historic Hollywood Hacks (for the price of one)”

Hollywood Presbyterian Medical Center recently made headlines when cyber-extortionists prevented access to all electronic patient files for 10 days.  Reports of the hackers’ demands ranged from $3.4...

View Article

“Show Me the Money – Seriously, Because We Can’t Find It”

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred.  This is fraud.  But...

View Article

“The (Broken) Record Approach to Policy Limit Selection”

Many (lucky) institutions lack historical data breach response cost information.  They therefore struggle to select cyber policy limits.  A popular approach is to multiply the total number of records...

View Article

“Cyberinsurance Mandates Coming?”

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a...

View Article


“Cyber Extortion Coverage Is Good for Your Health (Records)”

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated...

View Article

“Breaches and Bagels”

On April 28, 2016, Angie Singer Keating (CEO of IT security firm Reclamere), Renee Martin (a true HIPAA expert) and little old me will be presenting the first of a three-part series on data breach...

View Article


“Are You Down with B.E.C.?”

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or...

View Article

“Travelers v. Portal Healthcare Solutions – NBD”

FYI, NBD is “internet slang” for “no big deal.”  “Internet slang” is what my little brother uses in text messages. Anyway. Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling...

View Article


“When Retro Isn’t Cool”

Those new, old-school Air Jordans are retro cool (and I have them).  Those new cyberinsurance retroactive dates – eh. I blogged about retroactive dates here.  Reminder: an insurance policy retroactive...

View Article

“P.F. Chang’s On the Hook for Contractual Liabilities”

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and...

View Article

“The Inky Explains How Your Firm Can Avoid Cybercrime”

Check out today’s article by Chris Mondics of the Philadelphia Inquirer.  Mondics, citing yours truly and several other top professionals in the field, covers the increased attention being paid to...

View Article

“After the After (First) Party”

Cyberinsurance policies typically provide first and third party coverage.  First party coverage relates to an insured’s own expenses in investigating and remediating a data breach, and recovering the...

View Article


“Don’t Let a Limitation of Liability Provision Jeopardize Cyber Coverage”

Here is how it is supposed to work.  Something bad happens.  Your insurance company pays for it.  Then, your carrier sues the bad guy who harmed you.  That’s subrogation. In the data breach context,...

View Article


“Ew All Over Again – The New, New US/EU Data Privacy Deal”

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you.  The US/EU Data Privacy Shield self-certification process goes...

View Article

“I’ll Show You Mine If You Show Me Your (Policy Limits)”

The struggle to identify appropriate policy limits continues to frustrate many in the market for cyberinsurance.  So does the difficulty involved with comparing premiums across policies offering...

View Article

“What’s on the Horizon in Privacy and Data Security?”

Unless you already know the answer, you might want to check out a recent webinar presented by Angie Singer Keating (of the IT firm Reclamere), Brian Courtney (The Safegard Group, insurance brokerage),...

View Article


“The Physical Damage Hot Potato”

First, I have to say that Paul Stockman at McGuireWoods has beaten me to the punch in his article, “Cyber Risk ‘IRL’.”  So, read that. Stockman addresses a coverage issue I’ve noted in cyber policies...

View Article

“The Danger of the Cyber Endorsement”

For relatively little expense, insureds can often add cyber endorsements to traditional CGL, professional liability or other insurance policies.  On October 25, 2016, the Northern District of Alabama...

View Article

“What Pension Fund Fiduciaries Need to Know About Cyberinsurance”

This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional...

View Article

“Carriers and Brokers Filling the Coverage Gaps”

Stand-alone cyberinsurance is a critical component of enterprise risk management.  But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve...

View Article



“Unfortunately, This Will Get Physical”

There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people.  The first known event involved the 2008-2010...

View Article

“3 Tips for Public Pension Funds”

On Tuesday, I was privileged to be part of a panel discussing cyberinsurance for public pension funds at Kessler Topaz’s Evolving Fiduciary Obligations for Institutional Investors conference, joining...

View Article

“I’m a Little Short – Gladly Pay You Tuesday?”

Solvency.  It means you can pay your tab.  Cyber attacks are occurring with greater frequency and effectiveness, resulting in an ever-increasing bill.  The cyberinsurance market is booming, but will...

View Article

“To Be ExSPECted? Contractual Liability Exclusion Bars PCI Fine Coverage Again”

In Spec’s Family Partners v. The Hanover Insurance Company, the Southern District of Texas became the second court to grapple with the interaction among Payment Card Industry (PCI) fines, payment card...

View Article


Colorado Strengthens Consumer Privacy Protections

On May 18, 2018, the Colorado legislature sent HB 18-1128, an Act Concerning Strengthening Protections for Consumer Data Privacy, to the governor’s desk for execution.  The bill is one of a number of...

View Article

The Data on (Breached) Data: Chubb Shares Two Decades of Cyber Claims Data

Since 2016, Verizon has annually declined to estimate the average cost of a data breach.  Verizon reasons that since there are many variables that can determine breach cost, there is no reliable...

View Article

Living Too Social in the Education Industry?

The 2018 Verizon Data Breach Investigations Report indicates that in the education industry (yes, it’s an industry), the most prevalent type of data breach is “social attacks.”  What’s a social attack?...

View Article


To Be ExSPECted? Or not to be?

Like a brown-paper-bag-wrapped birthday present, the Fifth Circuit’s June 25th decision in Spec’s v. Hanover arrived in my in-box with a resounding ‘meh.’  You see, I get daily emails from Westlaw...

View Article


“The New Millennium, and the Old CGL Policies”

The war to find data breach coverage under commercial general liability (CGL) policies continues to wage.  In St. Paul Fire & Marine Insurance v. Rosen Millennium, Inc. et al., filed in March 2017...

View Article

“In Other News…DOJ Issues Cyber Incident Response Framework”

This month, the Department of Justice issued a fairly comprehensive set of pre and post cyber security incident recommendations.  For all you total geeks, you can get the whole thing here.  For those...

View Article

“Voluntary Parting is Not Sweet Sorrow”

It’s (approximately) the ides of National Cybersecurity Awareness Month.  Yes, it’s a thing.  A 15-year-old thing.  Appropriately, I spent last night at a cybersecurity seminar hosted by Citrin...

View Article

“Part II: Same Email/Wire Scam, Same Carrier, Different Result”

Yesterday, I wrote about the application of the “voluntary parting” exclusion in Schmidts v. Travelers, a 2015 case out of the Southern District of Ohio.  If you couldn’t tell, I didn’t agree with the...

View Article


“Common Law Duty to Protect Employee Data Undercuts Contractual Liability...

Sexy title, I know.  Here’s the thing – this is a big deal.  Particularly for employers, and likely for any entity that collects and stores personal data, the law in Pennsylvania just changed...

View Article

“My Least Favorite Exclusion Challenged by Milk’s Favorite Cookie”

Welcome back.  Unless you never left, in which case you’re probably having a smoother morning than I am.  If you’re reading this, we’re both having better mornings than Mondelez International, Inc. had...

View Article


“Smart Buildings, Smart Coverage”

Cyber this.  Cyber that.  I deal in dirt, and I don’t care. If there’s a commercial building on top of that dirt, you should. The “internet of things” refers to the ever-expanding connectivity between...

View Article


“A Tale of Two Carriers – Disparate Views of War/Terrorism Exclusion”

In January, I offered my view on Zurich’s invocation of an ‘act of war’ exclusion to deny coverage for Mondelez International’s losses caused by NotPetya.  And made a funny joke about Oreos in the...

View Article


“Still Not Down with BEC”

In April 2016, I highlighted insurance issues related to business enterprise compromises, or BECs.  Yesterday, I had the privilege of presenting on the topic to the Central Jersey Chapter of the...

View Article

“From the Front Lines: Former FBI Field Agent’s Perspective on BECs”

In 2018, the FBI’s Internet Crime Complaint Center (IC3) received more than 900 complaints of internet driven crime every day.  This amounted to over 350,000 complaints involving $2.7 billion in...

View Article

(Not) My Corona: Tips to More Securely Work Remotely

Had my mother previewed this post, she would have cautioned me not to give myself a kenahorah (ken-a-ho-rah).  That’s a Yiddish term.  It means doing or saying something to tempt evil, to invite bad...

View Article

COVID-19: Phishing Scammers Taking Advantage

Classic phishing attacks identify an item of information or an opportunity that is appealing to a target audience, and they use that to bait the target into clicking a malicious link or opening a...

View Article


What Is A Physical Loss In The Digital Age?

Increasingly, businesses buy cyberinsurance to protect valuable electronic assets, including computer systems themselves and the data stored within them. These policies, however, are relatively young....

View Article
