
Limiting Computer Crime Losses With Cyberinsurance

By Peter J. Toren
June 29, 2004

Estimates of the amount of damage to U.S. businesses caused by computer crime vary greatly, but there is no doubt that corporate America's increased reliance on information technology has led in recent years to a dramatic increase in such losses.

A 2003 study by the Computer Security Institute and the FBI found that 90% of respondents had suffered breaches of their computer system within the past year. The study also challenged the notion that the greatest threat to organizations comes from within, or that most hackers are “juveniles on joyrides through cyberspace.”

The study determined that there is “much more illegal and unauthorized activity in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace.”

Reports of specific instances of computer crime also suggest that the risk of damage to computer systems is real and growing. For example, the “Sobig.F” virus, which debuted in August 2003, was the fastest-spreading e-mail plague of all time. At its height, it infected one in every 17 e-mails. In addition, because much of the damage caused by cybercrime is committed by defendants with little or no real net worth, organizations may not be able to recover anything near the amount it cost them to investigate and repair the damage.

Despite these real and substantial risks, many companies are not doing enough to protect themselves. According to Ernst & Young's Global Information Security Survey 2003, many organizations fail to invest enough in information security to protect their digital assets adequately. Companies often take no action until they have been the victims of a security breach and then compound their mistake by implementing a temporary “fix” that ignores their core business objectives.

By comparison, measured proactive spending is less costly in the long run than reactive spending, which is often overspending in response to an incident. Indeed, nearly 60% of the organizations that responded to the survey indicated they had never calculated a return on investment for information security spending.

General Liability Not Enough

Apart from not implementing comprehensive computer security programs, many companies believe losses caused by security breaches would be covered by their general liability insurance policies. The trend in recent cases, however, is to deny coverage under general liability insurance policies for losses caused by breaches of computer security or other cyberevents, on the ground that the damage or loss is not to tangible property. For example, the Fourth Circuit in America Online Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003) upheld a ruling that computer data and software were not tangible property covered under a general insurance policy. Accord Ward General Insurance Services Inc. v. The Employers Fire Insurance Co., Cal. Ct. App. 4th Dist., No. 01cc14520 (2003); Seagate Technology Inc. v. St. Paul Fire and Marine Ins., 11 F.Supp.2d 1150 (N.D. Cal. 1998); Compaq Computer Corp. v. St. Paul Fire and Marine Ins. Co., Minn. Ct. App., C3-20-2222 (2003).

AOL brought an action seeking a declaration that its insurance company, St. Paul, had a duty to defend against claims brought against AOL alleging that Version 5.0 of its Internet access software had damaged their computers. The policy at issue defined “property damage” as “physical damage to tangible property of others, including all resulting loss of use of that property; or loss of use of tangible property of others that isn't physically damaged.”

The court rejected AOL's argument that damage to software is physical damage to tangible property. The court, relying on the usual and ordinary meaning of “tangible” as “capable of being touched; able to be perceived as materially existent especially by the sense of touch; palpable, tactile,” and “tangible property” as “having physical substance apparent to the senses,” distinguished between the “physical magnetic material” on a computer hard drive that “retains data, information, and instructions” which is tangible property and the “data, information and instructions, which are codified in a binary language for storage on the hard drive,” and which is not tangible property:

Instructions to the computer and the data and information possessed by it are abstract ideas in the minds of the programmer and the user. The switches and the magnetic disks are media, as would be paper and pencil. Loss of software or damage to software thus is not damage to the hardware, but to the idea, its logic, and its consistency with other ideas and logic. Of course, without any code and instructions, the hardware consists simply of millions of electronic switches, circuits, and drives that can be turned on or off but that cannot function as a computer. To a user, such a computer would be 'dead.' But regardless of whether the software is rendered unusable, the hardware remains available for instructions and recording.

The court then compared the situation to that of a combination lock whose combination is forgotten or changed. The lock becomes useless, but it is not physically damaged. With the retrieval or resetting of the combination, the idea, the lock can be used again. Similarly, with damage to software, whether by reconfiguration or loss of instructions, the computer may become inoperable. However, the hardware is not damaged. The switches continue to function to receive instructions, and the data and information developed on the computer can still be preserved on the hard drive. While the loss of the idea represented by the configuration of the computer switches or the combination for the lock might amount to damage, such damage is damage to intangible property. It is not damage to the physical components of the computer or the lock, i.e., to those components that have “physical substance to the senses.” Thus, according to the court, because the insurance policy covers “physical damage to tangible property,” it does not include damage to computer data.

Cyberinsurance

The decisions in these cases and others suggest companies are not paying adequate attention to the scope of their insurance policies and to whether their general business insurance policies cover such events. Exposure can potentially be very large, and may not only include losses based on damage to a company's own computer system, but may also lead to liability to third parties for the unintended dissemination of proprietary or personal information or for the denial of service.

Given this exposure, companies should closely examine their existing general liability policies to determine whether the most frequent cyberrisks are covered. In particular, companies should make sure that damages caused by the loss or public disclosure of confidential information, as well as the costs of investigating a cyberevent, are covered. To the extent that a general business policy does not provide the requisite level of protection, companies should consider obtaining “cyberinsurance.”

In recent years, a number of leading insurance companies have begun offering specific policies that cover the loss caused by damage to a computer system or loss of proprietary confidential information. While these policies generally are very expensive and have high deductibles, the total amount of potential loss may make them a worthwhile investment.

In purchasing such a policy, companies should be sensitive to the scope of their coverage. For example, a cyberinsurance policy may be drafted to cover a computer attack directed at a particular company but would not cover a more generalized attack. Similarly, employee negligence is often excluded from coverage.

An effective cyberpolicy should be broadly written and cover a range of possible threats, including computer viruses, security breaches, corruption of data, misappropriation of confidential proprietary information and the extortionate demands of computer hackers. It should also include damage caused by both insiders and outsiders, as well as intentional acts regardless of motive. The latter is not an insignificant risk, because recent surveys have suggested that most companies have not taken adequate steps to prevent internal computer mishaps and abuses. Indeed, according to the Ernst & Young security survey, executives “should focus more on the less obvious and less publicized threats, such as disgruntled employees and former employees, network links to business partners who don't have proven trustworthy systems, the theft of laptop and handheld computers, and insecure wireless access points set up by employees. These can be the things that may not only cause serious damage, but can tarnish an organization's brand.”

Finally, a company may even want to consider seeking “post-incident coverage” for public relations expenses, for example.

Overall Computer Security Plan

It is important, however, that companies do not rely exclusively on a cyberinsurance policy to protect them. Most insurance companies require a company seeking cyberinsurance to have instituted a basic security policy that includes such items as physical security and employee training before issuing a policy. Moreover, a comprehensive computer-security policy makes good business sense and can more than pay off in the long run.

The first step in the institution of such a plan is to conduct a detailed assessment of the type of risks faced by the company, and an evaluation of its overall security measures, including physical and network vulnerabilities.

Existing security procedures should be reviewed to determine that they are consistent with business processes and objectives. The review should also identify the company's key assets with the idea of how to better protect them. The overall goal should be to identify those areas of greatest concern in order to create a computer security plan that is designed for that specific company. It makes little sense for a Fortune 500 company that depends heavily on its intellectual property and information system to have the same computer security plan as a 100-person company that maintains little or no confidential information on its computer system.

After the review has been completed, a comprehensive plan should be drafted that carefully reflects the review's findings. Although the details of a plan must be formulated on a case-by-case basis, there are a number of elements common to all effective computer security plans.

First, the plan must include steps to train employees in the importance of computer security. Employees must consider computer security to be a normal part of their day-to-day responsibilities and understand the consequences of policy violations, including legal ramifications. Employees must also be taught to understand the dangers of social engineering, and that even the most innocuous piece of information, such as the internal phone number of an employee, can be used in the process of obtaining a company's most valuable information. Indeed, in a recent British survey, 90% of respondents gave up their office computer password in exchange for a cheap pen.

Second, the plan must include the implementation of adequate technological security measures to maintain company-wide security, satisfy business objectives and protect the most critical information assets.

Third, it must include steps to prevent insider abuse, including performing background checks before hiring any employee who would have access to sensitive data, and procedures for dealing with an employee who leaves or has been terminated.

Fourth, the plan should provide for the monitoring of computer network access and for the logging of attempts at unauthorized access.

Fifth, an effective plan cannot be considered complete without procedures for responding to an incident involving a breach of computer security or the loss of confidential information. Thus, a company must determine how to respond to a computer intrusion, denial-of-service attack, theft of intellectual property, or other computer network-based crime.

And finally, the plan should include criteria to be used to determine if law enforcement officials should be contacted. Companies should weigh the advantages and disadvantages of referring a matter involving a breach of computer security or misappropriation of confidential proprietary information to the government for possible criminal prosecution.

Companies are facing the increased risk that they will be the victim of an attack on their information technology systems. Whether such an incident becomes nothing more than a minor irritant or escalates to pose a threat to a company's financial health may depend on the prophylactic steps the “victim” company has undertaken to protect its computer system, and whether the company has a cyberinsurance policy.

Peter J. Toren, Sidley Austin Brown & Wood, New York; IL&S Patent Strategy & Management. [email protected]
