Insurer Must Cover a Retailer’s Losses Due to a Cyberattack Under Its Blanket Crime Insurance Policy

October 8, 2012

Any business that collects credit card information from customers risks liability if it fails to keep that information secure. In the event of a breach, a business would face claims from its customers for damages from identity theft and other losses. Businesses may also find themselves liable to their merchant service banks and the credit card networks for the cost of refunding the customers’ unauthorized charges. Insurance coverage for claims such as these remains an unsettled question. A recent court decision involving a nationwide retailer, Retail Ventures, Inc., et al v. National Fire Union Insurance Company of Pittsburgh, illustrates how businesses and their insurers may handle such matters in the future.

A series of cyberattacks in February 2005 breached the computer network at a DSW Shoe Warehouse location, allowing the hacker to access the company’s main system. The hacker obtained checking account and credit card information for at least 1.4 million customers. Fraudulent credit card charges and bank withdrawals began appearing in early March 2005. DSW Shoe Warehouse and its affiliated companies, Retail Ventures, Inc. and DSW, Inc. (collectively referred to here as “DSW”) notified its insurer of a claim while it investigated the matter.

DSW ultimately incurred expenses resulting from the breach from communications and settlements with customers, public relations, and attorney’s fees in connection with investigations by the Federal Trade Commission (FTC) and seven state Attorneys General. DSW’s largest single expense was paid to the credit card networks for chargebacks, administrative expenses, and fines. DSW reportedly paid over $4 million to the Visa and MasterCard networks.


Cyber Risk Insurance: When Conventional Liability Coverage Might Not be Enough

September 16, 2012

Businesses seem to be adopting cloud computing, e-commerce, and other internet technologies at an ever-accelerating rate, and these technologies continue to evolve and adapt to meet businesses’ needs. Insurance policies that protect businesses from losses and other liabilities, however, are not always so quick to change. For businesses that rely on various forms of electronic communication and data, this can create a gap in coverage and a risk of catastrophic loss. Some insurers have begun to fill the gap with “cyber risk” policies, and coverage is slowly beginning to appear in general liability policies.

Understanding Conventional Coverage

A standard business liability policy will cover ordinary losses, such as damaged facilities, broken equipment, or ruined inventory. This type of coverage is essential for the sorts of problems businesses have faced for millennia: damage in a storm or other natural disaster; theft or loss of essential business machinery or computers; injury to a customer on the business premises; or loss of inventory, such as spoilage of food during a power outage. Conventional coverage might include loss of electronic data as a result of equipment failure or force majeure, but it most likely will not include some of the newer threats of the internet era.


Copper Theft Presents Significant Risks to Businesses

September 4, 2012

Theft of copper and other metals has long plagued businesses and homeowners, and the problem has gotten worse in recent years. The price of copper has significantly increased over the past decade, making it a tempting target for thieves. Copper thieves can cause extensive damage in the act of extracting copper wiring or piping, often vastly greater than the value of the copper itself. New state laws and city ordinances attempt to eliminate the financial incentive for copper theft, and businesses and homeowners can take steps to protect themselves from the most egregious acts of theft.

A Growing Problem

Thieves usually steal copper and other metals in order to sell them to scrap metal dealers or recyclers. Copper is frequently visible and relatively easy to steal. According to the enterprise security industry journal Security, the price of copper nearly doubled between 2005 and 2008. Many law enforcement officials, according to Security, claim that methamphetamine addicts account for a large number of copper thefts around the country. It has become a major liability for many businesses, costing them millions of dollars per year in both losses of material and the cost of repairing damage caused by thieves. Theft of copper wiring may also pose a risk to public safety. The FBI reported that residents of Jackson, Mississippi did not receive adequate warning of oncoming tornadoes in April 2008 because thieves had recently stripped copper wire from five of the town’s tornado warning sirens.


International Privacy Group Issues Recommendations on Cloud Computing Policy

August 27, 2012

The International Working Group on Data Protection in Telecommunications (“Working Group”), an organization of European data protection agencies, recently released a report on the protection of data and privacy in international cloud computing. Although the European Union (EU) and the United States take different approaches to data privacy, the Working Group’s report draws on U.S. practices in presenting a series of recommendations for data protection between countries. Whatever actions the U.S. takes regarding international data protection, the Working Group’s recommendations offer a useful guide for U.S. businesses that use cloud computing and wish to minimize their risk of data breaches and other losses.

The Working Group, founded in 1983, operates under the auspices of the European Commission, the executive body of the EU. Its headquarters is in Berlin, Germany. A directive from the European Parliament, passed in 1995 and becoming effective in 1998, established procedures to protect individuals’ personal data, facilitate the “free movement” of data, and restrict the movement of data to non-EU countries with less-stringent privacy protections. Article 29 of the directive established a “Working Party on the Protection of Individuals with regard to the Processing of Personal Data,” whose mandate is similar to that of the Working Group. In 2000, the U.S. and the EU entered into a “safe harbor” agreement that affirmed the adequacy of U.S. data protection laws under the EU’s own framework. The Federal Trade Commission (FTC) has authority over data protection issues in the U.S. The Article 29 Working Party has called for the U.S. to make further agreements with the EU regarding data security between government agencies.


Guidelines for Financial Institutions that Use Outsourced Cloud Computing Can Help Other Businesses as Well

August 21, 2012

A federal interagency organization has released a set of guidelines for cloud computing geared towards financial institutions. The Federal Financial Institutions Examination Council (FFIEC) is an interagency body tasked with developing uniform standards and practices among agencies that perform financial institution examinations, such as the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau. It released its report, “Outsourced Cloud Computing,” on July 10, 2012, in which it highlights some of the risks faced by financial institutions that use outsourced cloud computing services, or cloud computing applications run by a third-party vendor operating outside of the institution’s own firewalls. The risks affect both operations and compliance for financial institutions, but the guidelines offer useful concepts for other business entities as well, as outsourced cloud computing presents risks to any type of venture. The report identified six key areas of risk and risk management.

Due Diligence in Selecting Service Providers

Businesses must carefully review the capabilities of prospective cloud computing service providers, balancing the cost-savings benefits of outsourcing with the risks of data loss or breach. They should identify a provider whose services match their own data security plan. The three key considerations for a third party’s services, according to the guidelines, are how it classifies data it manages in the cloud, how it segregates sensitive financial data from other clients’ data, and how it responds to data losses and other disasters.


Water Scarcity Means Risks for the Enterprise and Public Sectors

August 13, 2012

[Image: California drought, dry riverbed, 2009]

Texas, along with other states and regions of the country, is experiencing an historic drought. In addition to the wildfires that caused billions in damage around the state last year, drought conditions have caused critical water shortages. Small towns and water-intensive industries have been particularly hard-hit. Public sector functions, particularly public utilities, are often the first to feel the effects of water scarcity. The risk quickly moves into the private sector, affecting industries like agriculture and, eventually, any business that relies on running water. Recent reports suggest that much of the private sector has not planned for the risks associated with water scarcity. Businesses that rely on available water may suffer, as may those that invest in utilities and other water-dependent enterprises.

According to the Texas Water Development Board (TWDB), drought conditions currently affect all regions of the state. The various indices of drought conditions, precipitation, and fire risk range from above average to extreme. The Edwards Plateau, which encompasses most of the Texas Hill Country and includes the city of Austin, is experiencing a “moderate” drought on the TWDB’s scale. The crop moisture index for the region is “severely dry,” just below the highest index of “extremely dry,” and the region is at high risk for fire.

[Figure: TWDB drought conditions map]


Businesses Should Look at “Cyber Accessibility” When Assessing ADA Compliance

July 10, 2012

[Image: Braille road sign]

The concept of “cyber accessibility” has recently gained prominence, as businesses have reviewed their obligations under the Americans with Disabilities Act (ADA). The term “cyber accessibility,” or “web accessibility,” refers to the accessibility of the world wide web and other internet services to people with physical or cognitive impairments. Congress enacted the ADA in 1990, when few people used the internet, and the world wide web barely existed. Today, web access is nearly a requirement for many functions of society. Recent legal actions, brought under the ADA to compel companies to make their websites more accessible, have the attention of the business world. Companies should begin to consider cyber accessibility issues as part of their ADA compliance reviews and their overall risk management planning. They should include provisions for accessibility in their internet policies, and they should make sure that programmers and designers have training in accessibility.

Cyber accessibility, generally speaking, means the accessibility of the internet to people with impaired sight, hearing, or speech; learning and other cognitive impairments; limited movement; sensitivity to light or sound; and combinations thereof. The internet has become a necessary tool for job seeking, financial management and transactions, and many aspects of the legal system. E-mail and social media are a preferred method of communication for many people, and many employers either require or strongly encourage employees to use e-mail and other online services.


New Entrants in the Cloud Computing Sector Offer Options, Risks to Businesses

June 26, 2012

Cloud-based internet services are springing up left and right on the internet, with small start-ups contending with established technology companies. The list of leading cloud service providers contains many familiar names, such as Amazon and Google. More companies are joining the fray, giving companies looking to establish themselves in the cloud, or expand their existing activities, a multitude of options. It also means that businesses must carefully consider the benefits and risks of using cloud-based services, including cybersecurity and data integrity. The explosive growth of cloud computing has also meant a lack of industry standards, meaning a company using a particular cloud service provider may have difficulty transferring its data elsewhere. Each business using the cloud bears ultimate responsibility for its own data, security, and confidentiality, and it must plan accordingly.

Amazon Web Services, operated by online retailer Amazon, is the biggest provider of cloud-based services, according to the technology blog GigaOM. It may currently operate as many as 450,000 servers worldwide. Its leading competitors include long-familiar names like Google, IBM, Microsoft, and Hewlett-Packard. Less-familiar names like Rackspace and VMware also provide extensive cloud computing services, and the social networking company Facebook is reportedly developing its own data services.

The discussion of Amazon’s vast cloud offerings leads GigaOM to ask whether the internet needs more cloud service providers. For any business looking to expand in the cloud, options are good when looking for the best services and best prices. Businesses need to consider issues of cybersecurity and privacy in conducting risk management planning. They should add to that the question of portability: as tech companies race to build cloud networks to compete with Amazon and other giants of the industry, each individual provider will seek to keep its customers close. This is causing something called “cloud lock-in,” where a lack of common computing standards means that a user could be trapped in their current cloud service, prevented from moving by both technological and cost constraints. Companies must evaluate exit strategies for any prospective cloud service.


The Risks of Restricting Employees’ Social Media Access: How the Internet is Affecting the Interpretation of Labor Laws

June 19, 2012

[Image: 'National Labor Relations Board logo - color' by National Labor Relations Board, public domain, via Wikimedia Commons]

The National Labor Relations Board (NLRB), the federal agency that monitors and investigates alleged unfair labor practices, has issued several reports over the past year addressing concerns about employers’ social media policies. Social media technology seems to evolve at an exponentially faster rate than our labor laws. Employers and labor advocates alike are constantly trying to catch up to the latest online service. For now, businesses may remain a step behind, but they have some anecdotal guidelines, courtesy of the NLRB, to assist them in creating social media policies and managing risks under state and federal labor laws.

Lafe Solomon, the NLRB’s Acting General Counsel, has issued a series of reports for employers, from which it may be possible to glean a set of guidelines on social media. The reports unfortunately do not contain a concise set of rules, but some basic principles are apparent. Knowing these rules is important because employers face the risk of complaints, investigations, and civil liability to their own employees if their social media policies violate labor laws.

The NLRB’s first report came out on August 18, 2011. The report examined several recent cases of employee social media activity, giving particular attention to whether the employees’ social media statements constituted “protected concerted activity.” This is a common term in labor law relating to actions undertaken by two or more employees for “mutual aid or protection” in their employment.


U.S. Utilities Face Cybersecurity Risks as Hacker Attacks Mount

June 11, 2012

[Image: 'PIPELINES FROM A NATURAL GAS INSTALLATION (IN BACKGROUND) RUN THROUGH RATTLESNAKE BAYOU AT THE WESTERN END OF THE FREEPORT SULPHUR CO. PIPELINE CANAL' by John Messina, photographer (NARA record: 8464458), public domain, via Wikimedia Commons]

The prospect of a cyberattack on public utilities and other vital infrastructure has loomed in America’s imagination for years, serving as the plot for countless films, thriller novels, and television shows. Recent news from the federal government and the private sector has brought attention back to the topic. American infrastructure may remain vulnerable to certain types of cyberattacks, and the possible damage from such an attack would impact public and private resources alike. The risks faced by public and private utilities may help businesses assess their own cybersecurity risks and serve as a model for their own risk management.

The U.S. Department of Homeland Security (DHS) recently issued an alert regarding attacks by an unknown group of hackers that, over the past six months, have targeted the nation’s natural gas pipelines. DHS reportedly does not know if the attacks are an attempt to gain intelligence about the U.S. gas pipeline system, or if the attacks intend to damage the system. The attacks involve a technique known as “spear-phishing,” which sends e-mails that appear to come from friends or family of a targeted individual. Malware attached to the e-mails infects the target’s computer and attempts to steal passwords that would allow access to utility control systems. DHS has reportedly been working with utility companies since March to fight the attacks. Hackers, some linked to China, have targeted the natural gas sector several times in the past few years.