The Hidden Exposures of Technology


Published on

Presentation regarding the hidden exposures of technology from a risk and insurance perspective

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The Hidden Exposures of Technology

  1. 1. The Hidden Exposures of Technology: A Risk and Insurance Perspective CPCU Society I-Day – New Jersey October 20, 2006 Robert W. Muilenburg, Esq. Adam M. Smith, Esq.
  2. 2. INTRODUCTION Technology provides significant benefits to society Continues to develop rapidly Substantial challenge to insurance industry Unknown liability risks for new technology Partnering with manufacturing industry vs. protecting company from unforeseen exposures Coughlin Duffy, LLP 2
  3. 3. AGENDA Technology exposures: – Blast Faxes/Spam email/Text messaging – Data Security/Identity Theft – Internet/Web utilization – Radio Frequency Identification – Nanotechnology Incompatibility with GL policies “Cyber-insurance” products Coughlin Duffy, LLP 3
  4. 4. Blast Faxes Telephone Consumer Protection Act (47 U.S.C. § 227) – Prohibits the “use of any telephone, facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine” – Provides for a private right of action – Potential damages: actual monetary loss or $500, whichever is greater – Treble damages ($1,500 per fax) allowed if willful violation Coughlin Duffy, LLP 4
  5. 5. Blast Faxes Increasing exposure for TCPA suits – TCPA suits are amenable to class actions – Potential damages are in the millions – Over 100 TCPA lawsuits seeking class action status have been brought in Cook County, Illinois – Charter One Bank faced liability of $35 million for sending unsolicited faxes to approx. 70,000 phone numbers – A Georgia car wash hired a company to send 70,000 faxes to random phone numbers and faces $36.5 million in liability – Class actions have been brought within the Fourth, Seventh, Eighth and Tenth Circuits Coughlin Duffy, LLP 5
  6. 6. Blast Faxes Hooters of Augusta (Georgia) – 1,321 class members received 6 unsolicited faxes – Damages found to be $1500/violation – Treble damages awarded for willful violations – Total verdict: $11,889,000 – Settled for $9 million Coughlin Duffy, LLP 6
  7. 7. Text Messaging Short message service is a major mode of communication for marketing TCPA, CAN-Spam Act and state laws can limit text messaging in marketing and promotional campaigns Some states have enacted instant message Spam laws known as “Anti- Spim” Coughlin Duffy, LLP 7
  8. 8. Text Messaging Joffe v. Acacia Mortgage Company (AZ 2005) – Joffe alleged violations of TCPA based upon receipt of unsolicited text messages to his cellular phone – TCPA prohibits using “any automatic dialing system” to make “any call” to “any telephone number assigned to a... cellular telephone service” – Appellate Court found that “any call” included the attempt to communicate by telephone – Court found that delivery of SMS promotional text messages by telephone qualified as telephone call – Court also found that the CAN-Spam Act and the TCPA have dual applicability Coughlin Duffy, LLP 8
  9. 9. Spam email CAN-SPAM Act of 2003 – Regulates email whose primary purpose is advertising or promoting a commercial product or service – Bans misleading header and subject lines; requires recipients be given “opt-out” method – No private right of action; only the FTC, State Attorneys General and Internet Service Providers can sue – Potential Damages Coughlin Duffy, LLP 9
  10. 10. Spam email Earthlink v. KSTM (Georgia 2006) – September 2006: Awarded $11 million against Nevada spammer – Treble damages awarded Earthlink alone has been awarded $200 million in judgments against spammers Coughlin Duffy, LLP 10
  11. 11. DATA SECURITY/IDENTITY THEFT FTC received over 250,000 indentity theft complaints in 2005 The Love Bug, Melissa and other viruses were estimated to cost companies more than $54 billion, since 1995, in removal costs, repairs and lost productive and sales due to down time Coughlin Duffy, LLP 11
  12. 12. DATA SECURITY/IDENTITY THEFT 500 large American companies and government agencies reported in a recent FBI sponsored survey that: – 90% had detected a computer security breach within the past 12 months – 85% had detected computer viruses – 80% had suffered a monetary loss due to a cyberattack Coughlin Duffy, LLP 12
  13. 13. DATA SECURITY/IDENTITY THEFT 2003 Census figures: 55% of U.S. households have internet access (28% in 1998) – August 2005: 61% connect via broadband (Nielsen) 2006: Computer-based risks the #1 concern among executives worldwide – Ahead of corporate governance, trade, terrorism, etc. (Swiss Re) Every organization with a computer or network is at risk Coughlin Duffy, LLP 13
  14. 14. DATA SECURITY/IDENTITY THEFT – What Kind of Losses/Claims can be expected: Cost to notify the public and individuals regarding a data loss 1. event. Claims for Safeguarding against Identity Theft 2. Data Extortion – Hold the Information for Ransom 3. Claims for Reimbursement of actual fraud related losses in 4. cases of Identity Theft D&O claims for loss of value of stock, negligence, invasion of 5. privacy, etc. Claims for Business Income due to lost income associated with 6. customer dissatisfaction or fear. Loss related to money spent on publicity campaigns to 7. alleviate “bad” image from the event. Government Fines and or Penalties 8. Coughlin Duffy, LLP 14
  15. 15. DATA SECURITY/IDENTITY THEFT Common law theories of legal liability – Negligence – Fraud – Misrepresentation – Invasion of privacy – Failure to Warn – Breach of warranty/contract Companies may also be subjected to shareholder suits of government enforcement actions Coughlin Duffy, LLP 15
  16. 16. DATA SECURITY/IDENTITY THEFT More than 40 states have passed customer notification legislation, including Connecticut, Delaware, California, Florida, New Jersey, New York and Texas Federal law: – Sarbanes-Oxley – Gramm-Leach-Bliley – HIPPA Coughlin Duffy, LLP 16
  17. 17. DATA SECURITY/IDENTITY THEFT Recent lawsuits/enforcement actions: – LexisNexis – ChoicePoint, Inc. – CardSystems – DSW, Inc. – BJ Wholesale Club, Inc. – U.S. Bancorp – Eckerd Drugs Coughlin Duffy, LLP 17
  18. 18. DATA SECURITY/IDENTITY THEFT This can create a very costly scenario for the company. Examples: – 3,000,000 identities stolen (not used); 5% sue = 150,000 claimants;150,000 X $300 = $45,000,000 – 200 identities stolen (100 used fraudulently); average damages of $25,000 = $2,500,000 loss. Doesn’t address cost of mandatory notification Coughlin Duffy, LLP 18
  19. 19. INTERNET/ WEB UTILIZATION Almost every business has a web page Different types of web pages – Presence only – Content aggregation – Interactive – Transactional/e-commerce Coughlin Duffy, LLP 19
  20. 20. INTERNET/ WEB UTILIZATION Exposure depends on type of site – Least exposure: presence only – Greatest exposure: transactional Types of exposure: – Intellectual property – Personal injury – Fraud/identity theft Coughlin Duffy, LLP 20
  21. 21. INTERNET/ WEB UTILIZATION Scheff v. Bock (Florida) – October 10, 2006: Florida jury awarded $11.3 million for defamation for posting on an Internet bulletin board – Site owner also sued; dismissed from case Coughlin Duffy, LLP 21
  22. 22. RADIO FREQUENCY IDENTIFICATION A very small chip or tag that communicates digital data to a reader through radio waves Estimated 2007 spending on RFID implementation: over $1 billion Recent proposed usages – Tracking of senior citizens daily activities – Tracking student attendance – Tracking children – Tracking immigrants Coughlin Duffy, LLP 22
  23. 23. RADIO FREQUENCY IDENTIFICATION Current usages – Tracking of farm animals and pets – Walmart supply chain – Denmark amusement park – E-Z Pass Coughlin Duffy, LLP 23
  24. 24. RADIO FREQUENCY IDENTIFICATION Exposures: – Invasion of privacy – Identity theft Coughlin Duffy, LLP 24
  25. 25. NANOTECHNOLOGY nanos: Greek term for dwarf one thousand millionth of a meter Technology to visualize, characterize, produce and manipulte matter of the size of 1 – 100 nm. Small size – High surface to volume ratio – Unique properties (material strength and weight reduction, conductivity, new optical properties) – New entry ways (high mobility in human body and environment) Coughlin Duffy, LLP 25
  26. 26. NANOTECHNOLOGY Nanoparticles Ubiquitous industrial production – Materials – Parmaceuticals – Electronics – Chemical – Tools Coughlin Duffy, LLP 26
  27. 27. NANOTECHNOLOGY Engineered nanoparticles – Engineered particles Coated surfaces Specific properties Large volumes New materials – we cannot learn from the past – No long term experience – Few exposure assessments – Few toxicology assessments – No classification Uncertainty Coughlin Duffy, LLP 27
  28. 28. NANOTECHNOLOGY Living organisms – Entry into blood stream via nose, digestive system, lung, skin? – Body distribution (incl. brain?) Biodegradable – Elimination – Acute toxicity? Non-biodegradable – Accumulation? – Chronic toxicity? Coughlin Duffy, LLP 28
  29. 29. NANOTECHNOLOGY Environment – Particles treated to avoid agglomeration – Passage through soil, transport of contaminants – Ground water: drinking water quality – Absorption by plants (entry into food chain)? – Removal difficult, filters insufficient Coughlin Duffy, LLP 29
  30. 30. NANOTECHNOLOGY Potential product liability exposure – Product liability imposes strict liability for design defects, manufacturing defects or failure to warn claims – A design defect claim could arise in the context of a product that uses nano materials and allegedly results in inhalation exposure during manufacture or use – A failure to warn claim could be based upon the argument that the manufacturer did not conduct reasonable testing and due diligence in evaluating products’ dangers Coughlin Duffy, LLP 30
  31. 31. NANOTECHNOLOGY Recent report by the National Research Counsel notes too little money has been invested in understanding potential health and environmental risks Risk Management Issues for Nanotechnology Insureds – Potential exposure from new unchartered technology – Insureds must disclose known risks and research with respect to products insured Potential Ways to Limit Exposure – Provide coverage on claim made basis only – Limitations on number of claims or providing batch clause or a specific event limitations Coughlin Duffy, LLP 31
  32. 32. ARE TECHNOLOGY CLAIMS COVERED UNDER GL POLICIES? Coverage A: BI and PD – Is intangible property damage covered? – Is electronic data tangible property? – Was the injury expected of intended from the standpoint of the insured? Coughlin Duffy, LLP 32
  33. 33. ARE TECHNOLOGY CLAIMS COVERED UNDER GL POLICIES? Coverage B: Personal and Advertising Injury – Does the offense arise out of the insured’s business? – Was there a publication or an utterance? – Was there a nexus to the insured’s advertising? – Does the liability arise out of one of the enumerated offenses? – Was the act caused or directed by the insured with knowledge that it would violate another’s rights or would inflict injury? Coughlin Duffy, LLP 33
  34. 34. ARE TECHNOLOGY CLAIMS COVERED UNDER GL POLICIES? Insurance coverage will likely depend upon the allegations – Government enforcement actions Look for exclusions for fines and penalties Do remediation costs for security breach satisfy “damages” definition Coughlin Duffy, LLP 34
  35. 35. ARE TECHNOLOGY CLAIMS COVERED UNDER GL POLICIES? – Private party actions (class actions?) Is it Bodily Injury? No Is it Advertising Injury? Must arise out of advertising activities Is it Personal Injury? Isn’t there an invasion of privacy? Many policies will require publication or an utterance Coughlin Duffy, LLP 35
  36. 36. ARE TECHNOLOGY CLAIMS COVERED UNDER GL POLICIES? Private party actions (class actions?) – – Is it Property Damage? See, Computer Corner, Inc. v. Fireman’s Fund, 2002 N.M. App. LEXIS 37 (loss of data is tangible property damage) Numerous other courts have held otherwise 2004 CGL revision, exclusion (p): eliminates cover for loss of electronic data Coughlin Duffy, LLP 36
  37. 37. Blast Faxes Coverage Issues Coverage sought as invasion of privacy claim – CGL policies generally cover “oral or written publication of material that violates a person’s right to privacy” – Insureds argue TCPA claim for unsolicited faxes constitutes a covered invasion of privacy claim Coughlin Duffy, LLP 37
  38. 38. Blast Faxes Coverage Issues Early cases finding coverage exists – In Prime TV LLC v. Travelers (NC) the Federal District Court concluded that the TCPA was enacted to protect privacy, a TCPA claim must therefore fall within coverage for “hidden publication of material that violates a person’s right of privacy” – In Hooters of Augusta (GA) the insured sought coverage for a $9 million settlement for distribution of unsolicited faxes and the Court found that TCPA was enacted to protect individuals’ privacy and therefore must fall within advertising injury coverage. Court rejected the argument that the TCPA was a penal statute. – In Western Rim (TX 2003) the Court found the insurer had a duty to defend the insured in litigation where it was charged with sending, through an agent, 80,000 unsolicited faxes advertising apartment complexes to prospective tenants and the Court found a violation of the TCPA constituted a violation of a person’s right of privacy Coughlin Duffy, LLP 38
  39. 39. Blast Faxes Coverage Issues Recent Cases Finding TCPA Claims Not Covered – More recent decisions find that a right of privacy has not been violated unless the content of the material published violates the privacy rights – Courts are finding the intent of the privacy coverage is to provide insurance for claims arising from the offensive content of the material, not the offensive manner in which it is transmitted In American States (IL 7th Cir. 2004) the Court noted two major types of privacy – claims: Informational, where a person wishes to keep certain facts and information private or information secret Locational, where a person wishes to avoid intrusion and preserve their right of seclusion Locational, right The Court found that the language of the privacy coverage in the CGL policy only covers privacy claims involving intrusion upon a person’s secrecy person’ In evaluating TCPA claims, the court must distinguish between privacy claims based upon privacy seclusion and those based upon publication of secret facts In Resource Bank Shares (4th Cir. 2005) the Court noted that the TCPA’s unsolicited – fax prohibition protected seclusion privacy, in which content is irrelevant The Court found that insurance policies do not cover seclusion damages; rather they insure damages; violations of content-based privacy content- Coughlin Duffy, LLP 39
  40. 40. Blast Faxes Coverage Issues Courts differ on whether coverage is provided based upon property damage – In Prime TV, the court found the TCPA claim was insured under the “property damage coverage” – The property damage is the injured party’s loss of paper and ink – Most courts find no coverage because there is no accident or the sending of faxes is expected or intended by the insured Coughlin Duffy, LLP 40
  41. 41. Blast Faxes Coverage Issues New policy language A new ISO exclusion for “methods of sending material or information” went into effect in some states by March 2005 – The exclusion provides coverage does not apply to “distribution of material in violation of statutes – “Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate: a. the TCPA; or b. the CAN-Spam Act of 2003; or c. any statute, ordinance or regulation other than the TCPA CAN-Spam Act of 2003 that prohibits or limits the sending, transmitting, communicating or distribution of material or information – This exclusion should bar coverage for claims sought under the personal and advertising injury liability section based upon violations of the TCPA and CAN-Spam Act Coughlin Duffy, LLP 41
  42. 42. CyberCoverages
  43. 43. CyberInsurance Market 21st-century threat with 20th-century insurance coverage In 2005, written premiums for “cyberinsurance” topped $200 million; in 2003, the amount was $100 million. President Bush’s adviser on cybersecurity has encouraged cyberinsurance coverages for railroads, aviation, banking, telecommunication, power and oil and gas. Coughlin Duffy, LLP 43
  44. 44. CyberInsurance Market Most common types of cover: – 1st party business interruption – 1st party electronic damage – 1st party extortion – 3rd party network security liability – 3rd party (downstream) network liability – 3rd party media liability Coughlin Duffy, LLP 44
  45. 45. Third-Party Coverages Chubb Cybersecurity Liability Insurance Covers losses suffered by the Insured on account of third-party claims that the Insured’s “cyber activities” caused the third-party: – Content injury – Reputational injury – Conduit injury – Impaired access injury, or Coughlin Duffy, LLP 45 – Disclosure injury
  46. 46. Chubb Cybersecurity Liability Insurance Content injury – “injury . . . because of an actual or alleged infringement of: (a) . . . a mark; (b) a copyright; (c) the name of a product, service or organization; or (d) the title of an artistic or literary work” Reputational injury – “injury . . . because of an actual or alleged: (a) disparagement of such third party’s products or services; (b) libel or slander of such third party; or (c) violation of such third party’s right of Coughlin Duffy, LLP 46 privacy or publicity”
  47. 47. Chubb Cybersecurity Liability Insurance Conduit injury – “injury . . .because such third party’s System cannot be used or is less useful than normal” Impaired Access injury – “injury sustained by a Customer [of the Insured] . . . because [the Customer’s authorized] access [to the Insured’s System] has been impaired or denied” Coughlin Duffy, LLP 47
  48. 48. Chubb Cybersecurity Liability Insurance Disclosure injury – “injury, other than a Reputational Injury, sustained by a Customer because of the unauthorized display, transmission or dissemination of a Record on the Internet” Definition of Customer: “a natural person or organization which: (a) is applying for, or requesting, [the Insured’s] products or services; (b) has applied for, or has requested [the Insured’s] products or services; or (c) is using, or has used [the Coughlin Duffy, LLP 48 Insured’s] products or services”
  49. 49. First-Party Coverages AIG Internet and Network Security Insurance Covers losses suffered by the Insured for: – Cyberextortion – Injury to the Insured’s Information Assets – Business interruption Coughlin Duffy, LLP 49
  50. 50. AIG Internet and Network Security Insurance Definition of “Computer Attack”: “Unauthorized Access, Unauthorized Use, transmission of a Malicious Code, or a Denial of Service Attack that (1) alters, . . .corrupts, disrupts, deletes, damages or prevents, restricts, access to, a Computer System; (2) results in the disclosure of private or confidential information stored on the Insured’s Computer System; or (3) results in Identity Theft . . . .” Coughlin Duffy, LLP 50
  51. 51. AIG Internet and Network Security Insurance Information Asset Loss – “(1) with respect to Information Assets (i.e., software and electronic data). . . that are altered, corrupted, destroyed, disrupted, deleted or damages, the actual and reasonable costs [Insured] incur[s] to Restore [the] Information Assets . . . ; (2) with respect to Information Assets (i.e., software and electronic data). . . that are copied, misappropriated, or stolen, the stated value [as set forth in the policy of such assets]; (3) with respect to Information Assets (i.e computer system capacity) that are misappropriated or stolen, the actual cash value [Insured] paid for such lost capacity, which would not have been paid by [Insured] but for such Coughlin Duffy, LLP 51
  52. 52. Q&A Coughlin Duffy, LLP 52