Insurance Coverage for Cyberattacks and Denial-of-Service Incidents

If your business suffered the same sort of cyberattacks alleged to have taken place against "U.S. government Web sites -- including those of the White House and the State Department --" over the July 4, 2009 holiday weekend, would your insurance cover losses that your company faced?[1] Not worried, because the alleged attacks were only against government sites? Unfortunately, the cyberattacks were more widespread, and allegedly included, "according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch."[2]
Denial of Service Attacks
The cyberattacks described were denial-of-service incidents. Personnel from "CERT® Program," which "is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania," have explained:
Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:
  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[3]
Some attacks are comparable to "tak[ing] an ax to a piece of hardware" and are known as "so-called permanent denial-of-service (PDOS) attack[s]."[4] If a system suffers such an attack, which also has been called "pure hardware sabotage," it "requires replacement or reinstallation of hardware."[5]
What Insurance Coverage Might Apply?
If your company faces a denial-of-service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of insurance policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies. Consider whether first party all risk or property coverage may apply. First party all risk policies tend to provide coverage for the policyholder's losses due to property damage. If the denial-of-service cyberattack caused physical damage to your company's servers or hard drives, your company's first party all risk insurer should not have a credible argument that there was no property damage. Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company's first party all risk policy, as some courts have found that damage to data and software consists of property damage.[6]
First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack. (Contingent business interruption losses may include those arising out of a third party's cyber security-based business interruption.)[7]
Look also to other coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack. In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack. E&O policies may provide coverage for such attacks as well.
If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company's liability policies would provide coverage. More importantly, consider your company's commercial general liability (CGL) insurance policy (if your company does not have a specialized cyber liability policy).
The first coverage provided in a standard-form CGL insurance policy covers liability for property damage. Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage. Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that "the computer data in question 'was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed'" and that such lost data was covered under a CGL policy.[8] Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage. But also note that your company's CGL policy may have endorsements that provide coverage specifically for damage to data and software.[9] Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property--loss of use of servers, hard drives, or computers because of the cyberattack; loss of use is covered under CGL policies.[10]
Also consider whether the personal injury coverage in a CGL policy applies. That insuring agreement provides coverage for invasions of privacy and more; certain cyberattacks could meet the personal injury policy provisions, based on an invasion of privacy and publication of information that should have remained private.[11]
Consider Cyber Security Specialty Policies
Looking beyond the coverages and endorsements discussed above, your company should consider the recent cyberattacks as an opportunity to reevaluate the need for specialized coverages for cyber security losses. Insurance companies continue to introduce new specialized products for cyber security risks, marketing the new policies as including data compromise, cyber liability, network risk, and/or computer data coverage. The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the "Internet Liability and Network Protection Policy," and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form. Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing. An experienced insurance broker may be able to advise what coverages are available, and an attorney with experience in advising policyholders about insurance coverage issues may be able to advise as to the potential strengths and weaknesses of the various policy terms offered.
[Note 1: This post also appears on Lexis' Insurance Law Center, with thanks to my friend Karen Yotis.]
[Note 2: This post is featured in Blawg Review #221, thanks to H. Scott Leviant of The Complex Litigator.]

[1] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).
[2] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).
[3] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).
[4] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).
[5] Id.
[6] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing "physical damage" beyond "harm of computer circuitry" to encompass "loss of access, loss of use, and loss of functionality").
[7] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360, (Apr. 8, 2009) http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).
[8] See, e.g., Computer Corner, Inc. v. Fireman's Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).
[9] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006) http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.'s endorsement for "electronic data liability").
[10] See, e.g., Eyeblaster, Inc. v. Fed. Ins. Co., No. 08-6340, -- F.3d ---, 2010 WL 2869547 (8th Cir. July 23, 2010) (also available at http://www.ca8.uscourts.gov/opndir/10/07/083640P.pdf).
[11] See, e.g., Netscape Commc'ns Corp. v. Fed. Ins. Co., 343 F. App'x 271 (9th Cir. 2009).
This post also appears on Lexis' Insurance Law Center (http://www.lexisnexis.com/Community/insurancelaw/blogs/insurancelawblog/archive/2009/07/13/Insurance-Coverage-for-Cyberattacks.aspx).
About The Author:
Scott N. Godes is an attorney who represents and advises corporate policyholders regarding insurance coverage and recovery issues. He is a seasoned litigator with true trial experience; one of his insurance coverage trial victories was featured on the front page of the New York Law Journal and Business Insurance.
Mr. Godes has represented and counseled policyholders regarding insurance coverage for computer data, hardware, and software claims; data breaches; crime and fidelity losses; directors and officers and securities claims; business and contingent business interruption losses; first-party property losses; mass tort liabilities; product liability claims; asbestos claims; environmental property damage; flood losses; and class actions.
Mr. Godes currently is co-chair of the ABA's Computer Technology Subcommittee of the Insurance Coverage Litigation Committee and is the co-lead of Dickstein Shapiro's Cyber Security insurance coverage initiative. He is the author of the chapter on insurance coverage for cybersecurity and intellectual property risks in the New Appleman Law of Liability Insurance (LexisNexis 2010) and the Cyber Security section of the Insurance chapter in the Corporate Compliance Practice Guide (LexisNexis 2009).
Mr. Godes is a frequent speaker and author regarding insurance coverage issues. He writes the Corporate Insurance Blog (http://corporateinsuranceblog.com) and you can follow him on Twitter regarding insurance coverage issues at http://twitter.com/insurancecvg.
Mr. Godes' detailed biography is available on LinkedIn (http://www.linkedin.com/in/scottgodes).
Disclaimer:
This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author's law firm and/or the author's past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only to the individual contributor(s). © All rights reserved. 2010.
