A new product, underwritten by USF&G, offers technology Design Errors & Omissions Liability Insurance with annual premium rates starting at $2,500. Call us for details.
Bentley College recently hosted a half-day forum on Internet security issues. Officials from the FTC and the Massachusetts Attorney General’s Office joined industry experts to address both problems and solutions to Internet breaches.
Excerpts from “The FTC’s Internet Security Initiative” fact sheet include:
- Since 2001, the number of reported Internet security breaches has increased over 30 percent.
- Email volume has increased over 25 percent since 2001.
- 53 percent of computer users apply the same username and password for all sites accessed.
- 25 percent of users write their password down and keep it near their computer.
- 50 percent of computer users fail to update virus protection software.
It is realistic to assume that we all are a part of an Internet security statistic. Moreover, many of us fall under some regulatory privacy statutes. Remember, insurers do not defend you for violations of the law!
We need to decide how close our sensitive corporate documents should be to open lines. We need to do that today!
*We thank Bentley College for providing this valuable forum to the Boston business community. Materials provided by the FTC were especially valuable for web sites devoted to Internet security. Many private security consultants generously offered their expertise to the forum. This column has excerpted information provided at the forum.
Dot-com companies engaged in e-commerce have an unparalleled opportunity to obtain personal information from their website users — a marketer’s dream. However, the use of this information is not limitless. The law of privacy applies to all transactions in information, including those on the Internet. If you have Internet access and are involved in e-commerce, you should be aware of the privacy implications each time you collect, use or provide user information.
The Federal Trade Commission recommends that websites display clear privacy policies covering:
- manner of collection
- use and disclosure of user information
- permitted third party use
- user information change
- user password control
- security measures against unauthorized access
As for safeguards against unauthorized interceptions, none of the technological solutions are fail-safe. Under The Electronic Communications Privacy Act, the intentional interception of any electronic communication is illegal and a successful plaintiff can obtain equitable relief, compensatory and punitive damages and attorney’s fees. The Computer Fraud and Abuse Act prohibits unauthorized actions taken against computer systems that constitute privacy invasions and outlaws attempts to obtain prohibited information.
Susan Rayne, Esq. is a technology and intellectual property law specialist and frequent speaker on technology issues, practicing with Bowditch & Dewey, LLP, Worcester, MA. Attorney Rayne can be reached at 508-926-3428.
Given the high investment in information technology infrastructure, corporate management needs to establish policies and procedures to protect computers, e-mail, and Internet communications in the same manner other business assets are protected. Legal e-mail policy expert, Mike Overly, states, “Many of the problems, and most of the lawsuits, that result from employee use of computers in the workplace revolve around electronic mail (e-mail). Approximately 40% of large organizations still don’t have a written policy in place or one that is adequate… Companies are doing a disservice when they rush out with a two- or three-page policy and forget it. They need a well-written policy, followed up with adoption and training for employees.”
Why set employee policies in the first place? In most ways the legal liability incurred from employee e-mail or Internet usage varies little from the liability borne from any document produced in the course of doing business. Rules of ethical conduct and privacy should apply to all communications resources. Since e-mail and the Internet are here to stay, management must have a way to both track and to enforce corporate policy. Those failing to implement, educate, or enforce usage policies will find themselves exposed to potential legal, privacy and productivity issues.
A well thought-out and strongly communicated e-mail, Internet, and computer use policy is the centerpiece to any company’s legal defense.
Michelle Drolet is the CEO and President of CONQWEST, Inc. of Holliston MA. CONQWEST offers technology solutions for corporate protection: Policy Planner (written policies), e-Minder (educating policies), Websense and Mailsweeper (enforcing policies). Ms. Drolet can be reached at 888-234-7404.
Computer theft is currently a $10 billion industry. Insurance claims on stolen computers have increased 600% with average theft claims in 1992 of $5,000 growing to $500,000 in 1998. Crimes in which computers are the target are currently being replaced by crimes in which computers are used as the instrument:
- Stock manipulation
- Hacking-type crimes, including virus transmission and unauthorized intrusion into files
Are you safe?
Greater and greater protections are needed to keep your business records safe from intrusion. According to the U.S. Attorney’s office, disgruntled employees lead the list of computer crime perpetrators, followed by hackers, copyright and intellectual property thefts, and economic espionage, with Internet auction fraud growing quickly.
What can you do?
In 1996 Congress updated 18 U.S.C. § 1030, which gives broadened scope to computer crime. Vigilant corporate management should remember that even nuisance acts like password tampering could lead to criminal prosecution. Employers and employees alike should become aware of the federal statute’s protections and penalties.
Some information and statistics in this article are from material presented at “Cybercrime and Computer Forensics Executive Symposium” held in Cambridge January 20, 2000. Deloitte & Touche should be acknowledged and thanked for sponsoring the symposium and opening it to the Boston business community.
Businesses are noticing their insurance costs. Two years ago, at the bottom of a 10-year soft market cycle, costs were virtually insignificant, representing only .0015 percent of gross revenues. Steeply rising costs now dictate very close attention to premiums and coverage.
This article will examine something that has been unnecessary for the last decade: hard choices in insurance coverage to keep premiums under control in a slow economy. Following are fundamental principles of insurance that help risk managers decide where premium dollars can best be placed.
September 11 brought a $70 billion loss to a $300 billion industry. On top of that, a decade-long soft insurance market (typified by more than one dollar paid in claims for every dollar collected in premiums, while investment returns are expected to make up the difference as well as provide profit) has masked the inability of underwriting to quantify the risks associated with increasingly complex technology applications.
The insurance market was already hardening in 2000. Then the stock market decline began. Prices are increasing; insurers are declining risks. Insurer capacity to absorb risk has also greatly diminished.
So, in protecting business and technology exposures to loss when revenues are down and insurance costs are up, you need a new perspective. Coverage is purchased a peril at a time, so a sound sense of where loss potential lies is essential in determining what to self-insure [i.e., absorb the loss personally, similar to deleting collision from a 10-year-old car] and what risks to turn over to an insurer. Choose insurance as the last solution to protecting your risk.
These are the priorities of risk management.
- Transfer risk of loss to another party (under contract). Leases transfer risk; service contracts address risk assumption and transfer in very detailed ways. Risk transfer essentially shifts the cost of protection as well as specific conditions of protection to another party. For example, it is common for your landlord to transfer to you in your lease the risks of injury to your employees and guests in the office building. You routinely provide a certificate of insurance to your landlord verifying liability coverage at agreed limits.
- Discard the highest risk activities of the business. If computer security is a piece of your business, the risks may outweigh the income (insurers specifically exclude security matters). If high-hazard operations are integral to your total product, physical segregation of the risk will help reduce costs.
- Assume as much risk as you can bear financially by choosing high deductibles, alarms and locks, redundant systems and other physical ways that can protect you before using insurance.
- Transfer to your insurer the catastrophic risk and everything you cannot handle by the above methods.
With respect to technology risks in particular, there is an additional layer of underwriting resistance in addition to the market circumstances noted. In the late 1990s, the occasional iconoclast went on record stating that corporate executives had suspended critical judgment to jump onto the Web. Old economy businesses gained the label of dinosaur as dot-coms burned hundreds of millions of dollars in venture funding. E-commerce, B2B and global economy became terms engendering both opportunity and challenge to the entrepreneur.
Optimizing your market possibilities on the Web is yet another task on your desk. There is, however, no doubt about the added exposure. As a consequence of your Web site presence, you will need to address the additional risks assumed as the Internet instantaneously makes your business global. Remember that anyone with a Web presence is a publisher by virtue of that text, its promises, security issues and consumer expectations. Web sites expose businesses to:
- legal jurisdictions on another continent;
- regulatory concerns: Professionals may well be in violation of narrow geographic license restrictions;
- privacy and security obligations for customers;
- product representations with buyer expectations far beyond that of brochures and traditional advertising material;
- additional exposures of infringement, defamation, invasion of privacy, obscenity, plagiarism and/or unfair competition.
Standard insurance products address and cover only a few of the above perils. You need to examine your promises, client expectations, license restrictions, links and those specific areas listed below to be sure you are not surprised by unnecessary exposures. Even technology insurance specialists are wary of Internet exposures. Technology insurers are considerably more comfortable with computer and component hardware manufacturing, extending to less complex software products. As court cases define responsibilities, insurers are currently excluding Internet perils, even while the need for coverage grows. Specific policy exclusions are being added. Policyholders are largely on their own with respect to defending claims from the Internet.
Data security is also a great area of consumer concern. Credit card theft is increasing, especially via the Web. Transference of risk is complicated even when possible. Insurers are also excluding most, if not all, Internet security exposures. Only specialty products address these perils.
Specialty insurance products are emerging to address many uninsured issues. New policies address the following.
- Invasion of privacy: Contact information and membership lists are two examples of commonly exposed Web content. Be sure to get permission from everyone listed as well as check any statutory compliance regarding your lists. (New insurance policy wording defines “privacy” very narrowly to “rights of private occupancy” to exclude Internet related coverage.)
- Copyright infringement: a growing area of complaint as the world accesses the material you put up on your site.
- Defamation (via e-mail): You should strictly enforce your e-mail policies to minimize your exposure to litigation from offended parties.
- Defamation (via Web sites): often in comparative advertising remarks about competitors.
- Trademark infringement (domain name): Well-publicized cases of domain name disputes and cyber squatting problems are part of the new world of the Internet. No one ever before confused Delta Airlines with Delta faucets, until delta.com.
- Trademark infringement (metatags): Your webmaster should be in close contact with your legal counsel so that you do not find yourself defending against an infringement claim.
Be sure your attorney, compliance officer, risk manager and insurance professional are part of your Web-presence team. Indeed, the Internet may well be on the critical path to your survival. Make sure it’s because it is supporting your business – not exposing it to litigation and insolvency!
Mass High Tech, 1998
“War game aims to prevent legal battles for insurer” describes exercise undertaken to analyze and place first insurance policy on cyberspace.