Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce (PLUS Journal Archive)

In this preview of an article from Issue XXIV, Volume 12 of the PLUS Journal (December 2011), authors Richard J Bortnick and Abby J Sher look at how intangible cyber losses are not typically covered under a CGL policy.

PLUS is offering exclusive cyber liability and data security sessions as part of the upcoming Medical PL and Professional Risk Symposia, March 29 & 30 in Chicago.

From the Journal article:

A typical CGL policy defines “property damage” as “physical injury to tangible property, including all resulting loss of use of that property.” Although this definition would apply to traditional property damage losses (such as those arising from fires, impaired property and the like), many policyholders and brokers might incorrectly assume that it also extends to technology and cyber privacy losses involving intangible property, such as electronic data. Such an interpretation, however, may be regarded as contrary to the plain and ordinary meaning of the policy language, which specifies that “property damage” is premised upon “physical injury to tangible property.”

This misconception perhaps is based upon the intuition of policyholders and brokers that traditional policy forms should adapt to protect against evolving risks.  While this assumption may seem reasonable to policyholders, it is not one ratified either by policy drafters or the courts, as will be discussed more fully below.

Prior to the widespread use of technology and paperless systems, the disclosure of confidential information and destruction or theft of client or employee records would, generally speaking, have involved paper documents – that is to say, “tangible” property – and thereby possibly would have been covered by a CGL and/or fidelity policy. At the same time, prior to the advent of the internet and the widespread use of computers, the possibility that a company might  be damaged by the electronic “equivalent” of a data theft or computer breakdown was largely unimaginable, and surely not contemplated by underwriters, brokers or their policyholders.  Thus, CGL policies were not drafted with the thought that such risks would exist – or be covered.

Oddly, it is sheer coincidence that a typical CGL policy specifically carves out intangible property damage from its definition of “property damage.”   Indeed, ISO’s addition of the word “tangible” to its standard CGL form in 1966 was in response to efforts by policyholders to obtain coverage for rights, obligations, and other forms of economic loss.  Prior to 1966, “property damage” was defined as “injury to or destruction to property.”  The 1966 definition, which defined “property damage” as “injury to or destruction of tangible property” was “misleadingly simple.” Laurie Vasichek, Liability Coverage for “Damage Because of Property Damage” Under the Comprehensive General Liability Policy, 68 Minn. L. Rev. 795, 801 (1984).  In view of this and other criticisms of the 1966 revision, ISO further clarified the definition in 1973 so as to require “physical injury to tangible property.”  Like the 1966 amendment, this change was designed to limit coverage to the intended categories of loss, and to preclude coverage for diminution in value and other intangible losses.

It nonetheless remains that CGL policies were not drafted in contemplation of cyber losses and were not rated to address their potential breadth, as the scope of a cyber loss can easily exceed the loss resulting from a typical property damage claim. In the course of a data breach, a large quantity of data can be remotely accessed, duplicated, and disseminated within a fraction of a second; certainly far more permanent damage can be done in a nano-second than in the case of a defective product or a natural catastrophe involving traditional brick and mortar property damage.  Moreover, if stolen personal or confidential corporate information is circulated on the Internet, the harm becomes both permanent and widespread.  The potential implications of this loss extend far beyond the scope of traditional tangible property damage. Cyber breach remediation requires time, intelligence and a significantly more advanced means of reparation, if any such repairs are even achievable when it comes to personal and confidential corporate information.

PLUS members can read the entire article on www.plusweb.org. You must log in to the website to view this content.

A Message from PLUS President Jeff Lattmann

PLUS President Jeffrey Lattmann from the heart of Times Square, home of the PLUS D&O Symposium.

The D&O Symposium was a great event, with over 1,200 industry insiders from 34 states and 16 countries converging on New York for 2 days of learning and networking. We’re not resting on our laurels, though. We at PLUS have already turned our attention toward late March and the next installments in the PLUS Symposia Series… Medical PL and Professional Risk. These two events, taking place concurrently on March 29 and 30 in Chicago, Illinois, focus on the latest trends and topics across medical, employment, e&o and other professional liability lines.

In 2012, PLUS is placing special emphasis on Cyber/Data Security issues, coverages relevant across all professional liability lines. Multiple sessions touching on data security and cyber liability are part of this year’s schedule:

Cyber Security Expert Juval Aviv
Impact of Social Media on Insurance Companies
Social Media Expert Peter Shankman
Healthcare ERM: Are You Ready for the “Cloud”?
Data Breaches: Coming to a Network Near You

Registration is now open, so make sure you make it to Chicago in March for the Medical PL and Professional Risk Symposia. By registering for either of these great events you are able to attend sessions from both symposia.

Poking Around at Work: Limiting Employer Exposure from Social Media Use (PLUS Journal Archive)

In this preview of an article from Issue XXIV, Volume 11 of the PLUS Journal (November 2011) authors Sarah K Goldstein and Imbar Sagi look at the liability exposures relating to employee use of social media.

For more on employment liability and cyber exposures register for the 2012 Professional Risk Symposium, March 29-30 in Chicago.

From the article:

Social Media and Current Employees

More than ever, employers have access to what their employees do and say both inside and outside the workplace. Widespread usage has created a host of problems for employers who do not know the “new rules” of social media. A sampling of recent court and regulatory agency decisions provides some guidance.

A New Jersey court found that a restaurant manager who monitored employees’ postings on their personal Myspace sites violated state and federal laws protecting communications on social media websites. The lawsuit was brought by two employees fired after posting information criticizing their managers on an online forum, which required a password and invitation for access. The managers were not provided such access.  However, they coerced an employee into providing the password and, in turn, accessed the site, found the postings and promptly terminated the employees. The court held that employees’ criticisms, expressed via the social network, were protected activity pursuant to the Federal Stored Communications Act (18 U.S.C. Section 2707) and parallel New Jersey statute.

In another case, the National Labor Relations Board (“NLRB”) brought an action against a Connecticut company for illegally terminating an employee who criticized a supervisor on her personal Facebook page. The NLRB took the position that pursuant to Section 7 of the National Labor Relations Act (“NLRA”) the company cannot retaliate against an employee for engaging in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” The company agreed to revise what the NLRB determined to be overly broad policies and procedures restricting employees from communicating on the internet with other employees about working conditions.

On August 18, 2011, the Associate General Counsel of the NLRB issued Memorandum OM 11-74: Report of the Acting General Counsel Concerning Social Media Cases. It summarizes the resolution of more than a dozen cases involving social media. From the NLRB’s standpoint, an employee’s activity is considered to be “concerted” and thereby protected, when the employee acts “with or on the authority of other employees, and not solely by and on behalf of the employee himself.” Concerted activity also includes “circumstances where individual employees seek to initiate or to induce or to prepare for group action” and where individual employees bring “truly group complaints” to management’s attention. It is significant to note that the participation of more than one employee is not required to find concerted activity.

Concerted activity by employees has been found lawful in the following instances: where a Facebook posting about perceived unfairness in the poster’s workplace drew similar responses from other employees; in a Facebook post by an employee seeking support from co-workers to lodge a complaint about another co-worker; and in a social media posting by an employee who wrote about his disagreement with a management decision.  In each of these cases, the employers’ discipline/termination of the employee was found to be problematic.

To date, state and federal courts have applied a broad standard allowing employees to discuss their work concerns in blogs and/or social networks. Similar to cases brought before the NLRB, courts have found concertedness when an employee drafts a post, when employees discuss their concerns and one of the employees decides to blog, and when posts on a blog simply invite others to participate in a discussion where the audience is co-workers interested in the topic at hand.

Because this area of law is still largely uncharted, legal experts suggest that employers take precautions against potential exposure now by having policies and procedures in place. Employers are urged to consider the NLRA Section 7, Title VII and correlated state statutes as well as freedom of speech rights so that the rights of employees are not chilled via the company’s social media policy.

Employer surveillance creates fear among employees and chills their freedom to exercise rights under the labor laws.  When surveillance is used to track an employee for retaliatory purposes, such surveillance is unlawful. However, surveillance may be lawful when the employer has a reasonable belief that an employee is placing a company at risk for breach of confidentiality or proprietary information.

PLUS members can read the entire article on www.plusweb.org. You must log in to the website to view this content.