New Hampshire Bar Association

Bar News - May 23, 2003


Data Security & Privacy Law

By: Ronald N. Weikers*

Part 2 of 2: Corporate Liability and Insurance Coverage

As discussed in Part 1, a variety of federal and state laws impose criminal and civil liability on hackers for their misdeeds. While many hackers have gone to prison, very few have repaid their victims.[i]

As such, who can your injured client turn to for compensation? Even worse, will other victims turn to your client for compensation, even though your client is itself a victim?

The "More Culpable Victim" Theory

Hackers typically have no assets, and they almost always act independently of organizations that can afford to compensate victims of their conduct. There have been a few instances of institutional hacking, but those are rare exceptions to the rule. Thus, if hackers can be found, they are almost always judgment-proof.

It is therefore likely that victims of cyberattacks will seek compensation from corporations that are lax in their security measures, enabling hackers to launch attacks from defendants' vulnerable systems, even if defendants are victims themselves. In other words, in those instances when a hacker breaks into a victim's system – i.e., Victim 1's system – and launches an attack from Victim 1's system against Victim 2's system – i.e., the "downstream victim" – then Victim 2 may seek to recover its damages from Victim 1, the "upstream victim." The issue is whether Victim 1 was negligent in its security measures under some standard of care, or whether Victim 1 breached some contractual relationship with Victim 2, if any, thereby enabling the hacker to cause damage to Victim 2.

Plaintiffs will argue that companies have a duty to protect themselves and others from hacking, given that security technology is prevalent and inexpensive relative to the damage that can result. Thus, upstream victims may have a duty to protect downstream victims based on some reasonableness standard.

At least one complaint alleging negligence has already been filed by a downstream victim against an upstream victim.[ii] A Web hosting company's allegedly negligent security enabled a hacker to use its server as a platform to launch a Denial of Service (DoS) attack[iii] against another Web hosting company, taking 90,000 Web sites offline in the process. The case settled prior to trial.

The relevant standard may be based on new security and privacy rules and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), which has been previously discussed in New Hampshire Bar Association periodicals. The standard may also be based on something called "ISO 17799." ISO is the International Organization for Standardization, based in Geneva, Switzerland, which is also responsible for more commonly known standards such as ISO 9000 and 9001 for production facilities.

ISO 17799 is general in nature – it does not specify exactly what type of technological measures system owners must employ – but it requires an internal analysis and implementation of a number of security and privacy measures. HIPAA relies in part on ISO 17799.

The relevant sections of ISO 17799 provide as follows:

  1. System Access Control. System owners must: a) prevent unauthorized access to information systems; b) ensure the protection of networked services; c) detect unauthorized activities; and d) ensure information security when using mobile computing and teleworking facilities.
  2. System Development and Maintenance. System owners must: a) ensure that security is built into operational systems; b) ensure that IT projects and support activities are conducted in a secure manner; and c) maintain the security of application systems software and data.
  3. Physical and Environmental Security. System owners must prevent unauthorized access, damage and interference to business premises and information.
  4. Compliance. System owners must: a) avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirements; b) ensure compliance of systems with organizational security policies and standards; and c) maximize the effectiveness of the system audit process.
  5. Personnel Security. System owners must: a) reduce risks of human error, theft, fraud or misuse of facilities (such as by doing background checks on key MIS people); b) ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; and c) minimize the damage from security incidents and malfunctions, and learn from any such incidents.
  6. Security Organization. System owners must: a) manage information security within the company; and b) maintain the security of organizational information processing facilities and information assets accessed by third parties.
  7. Computer and Network Management. System owners must: a) ensure the correct and secure operation of information processing facilities; and b) protect the integrity of software and information.
  8. Security Policy. System owners must provide management direction and support for information security.

Insurance Coverage

In addition to seeking compensation from upstream victims and hackers, victims will seek first-party coverage from their insurers for damage to their own systems. Upstream victims may also seek coverage under their third-party liability policies for damage to downstream victims.

Until recently, computer software and data losses were neither affirmatively covered nor expressly excluded under standard commercial general liability (CGL) policies. These are known as "all-risk" policies, which generally cover property damage caused by all risks that are not specifically excluded. The counterpart to all-risk policies are "named peril" policies, which cover specifically identified risks.

Despite the fact that most CGL policies did not exclude software and data loss, insurers nonetheless routinely denied such claims. Moreover, most courts that considered the issue held that software in general, and data in particular, were not covered "tangible" property.

The insurance industry has therefore begun to fill this coverage void. AIG, Zurich North America, Chubb, Liberty and other insurers now offer named peril policies with titles like "Internet Advantage," "e-Comprehensive" and so on. Brokers for these policies include Marsh & McLennan, Insuretrust.com and others. Individual premiums range from several thousand dollars for a small business policy, to $1 million in premiums for every $25 million worth of coverage for larger businesses.

The total premiums paid this year throughout the industry will be approximately $100 million, and it is estimated that total premiums will rise to $2.5 billion by 2005. Cybercoverage will therefore soon become a mainstream product, and it may eventually be required under corporate fiduciary duties of good faith and due care.

It should be noted that these insurers generally require certification that policy holders are ISO 17799 compliant prior to, and during, the policy term. It should also be noted that such policies contain some amount of self-insured retention, which is essentially a deductible.

These new named peril cyberpolicies cover some of the following losses:

  1. Direct or indirect loss to trade secrets and other intellectual property, such as when a hacker deletes a database containing critical customer information. Some first-party cyberpolicies cover the replacement, reproduction or development costs at the time of the direct physical loss, but not the asset value of the destroyed intellectual property. Damage caused by a worm or a virus may also be covered, if a database is thereby destroyed, for example.
  2. Theft of money, securities, software and information assets by employees or non-employee hackers, including charge card, credit card and debit card customer information; banking, financial and investment account information; and other valuable, confidential proprietary business information. The coverage is, again, usually limited to the cost of reproduction or development.
  3. Indirect loss to an "intangible" asset (namely, data) that causes first-party financial loss due to downtime. This may occur as a result of a DoS attack, for example, that chokes the insured's server for some period of time.
  4. Breach of confidentiality resulting in privacy violations. For example, a hacker steals and posts confidential financial, medical or other information about a customer.
  5. Financial loss to a third party. This is the downstream-versus-upstream-victim scenario, discussed above. For example, a hacker gets through a network firewall and uses the system as a "zombie" server in order to launch an attack against other companies' servers. This might also involve passing a worm or acting as a conduit for other malicious software (called "malware").
  6. Some policies also cover extortion over the Internet, which has become a common phenomenon. For example, hackers often threaten to disclose stolen, confidential information over the Internet, if a victim does not pay the hacker a "consulting" fee. Consequently, victims who refuse to pay may be forced to take their sites down for a period of time, while trying to find the extortionist. Business income losses may be covered under some policies or endorsements.

Conclusion

Almost all corporate clients are vitally dependent on computers and data. As such, attorneys should recommend the following security and privacy strategies:

  1. Perform an assessment to determine whether the company is ISO 17799 compliant. Compliance is useful for proving that a company has not been negligent in its security and privacy measures, as well as for obtaining cybercoverage insurance.
  2. Obtain some form and amount of cybercoverage insurance.
  3. Craft all software licenses and contracts with vendors so that systems and data are protected from security and privacy risks.

ENDNOTES

* Ronald N. Weikers is an editor and author of the new treatise Data Security and Privacy Law: Combating Cyberthreats, published by West Group. For more information, contact Weikers & Co./software-law.com at (603) 647-2000 or RNW@Software-Law.com, or visit http://www.Software-Law.com.

[i] For example, the New Hampshire teenage hacker known as "Coolio," who wreaked havoc around the country from his parents' home in Wolfeboro, has failed to pay $15,000 restitution, which was part of his negotiated plea. As such, Coolio may return to the state for further incarceration.

[ii] See CI Host, Inc. v. DEVX.COM, Inc., et al., No. 01-CV-150 (N.D. Tex., filed Feb. 16, 2001) (complaint on file with author); see also Sarah D. Scalet, See You in Court, CIO Magazine (Nov. 1, 2001), available at http://www.cio.com/archive/110101/court_content.html (last visited Mar. 23, 2003).

[iii] A Denial of Service ("DoS") attack occurs when an infiltrated system massively overwhelms a target computer by sending millions of spurious bits of data, by making millions of requests for data, or otherwise "pinging" the target on an immense scale, causing the target to slow down, freeze or crash. DoS attacks are relatively easy to effect, and can cause substantial damage to a target's software programs and data.
