Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Cybercrime is in the news. It is also a significant matter of concern for any company that does business on the Internet or uses a computer. In other words, everyone. In just the last six months, a sample of some news items includes: � Cyber-terrorists target AT&T for helping Israel get its government sites back on-line after sabotage by pro-Palestinian hackers. New York Post, Oct. 31, 2000, page 14. � Unidentified intruders gain access to Microsoft computers for six weeks and view source codes for a future software product. The New York Times, page 1, Oct. 28, 2000. � Worldwide losses from cybercrime total 42.9 billions this year. And without doubt, this is only the beginning. Report from a recent conference of computer specialists from the Group of Eight industrialized Nations. Adam Tanner, Reuters, Oct. 24, 2000. � Seventy-two percent of leading companies in the United Kingdom report that they suffered losses from cybercrime in the last three years. Business Insurance, July 31, 2000, page 31. As significant as the reported losses appear, actual losses may be far greater. A company may be reluctant to report cybercrime due to a fear of bad publicity, or because such reports may encourage others to invade the company’s computer network. Cybercrime losses also may remain undiscovered. Stolen information given to a competitor can result in a competitive loss, even though the actual theft is undetected. The threat of cybercrime is growing. Opportunities for cybercriminals, or individuals creating cyber-mischief (which still can cause a significant economic loss) are on the rise as a result of: � increased interconnection to the Internet, particularly with the expansion of e-commerce; � increased intercompany reliance on computer systems, including remote access capability (a factor in the recent Microsoft break-in); � rapid development in technology that gives cybercriminals new and better burglary tools. For instance, there is software that scans the Internet looking for computers with weaknesses that can be exploited to gain access; � more hackers, with more time and greater dedication than corporate security departments; and � the globalization of cybercrime. Many cybercriminals are beyond the reach of effective regulation and law enforcement. At the same time that the threat of cybercrime is increasing, the assets that are the target of the cybercriminal are more valuable. In the past, a company was worried about theft of its equipment and inventory. In the emerging technology-based economy, a growing percentage of a company’s assets, if not its most valuable asset, is information, including: intellectual property (design data, know-how, source codes, trade secrets and patents) and customer, supplier and market information. Similarly, a company’s day-to-day operations are dependent less on physical equipment than on its computer operating systems and accounting information. These intangible assets are the type most vulnerable to cybercrime. WHAT IS CYBERCRIME? Cybercrime is loosely defined to include all forms of criminal activity that involve computers. Many forms of cybercrime do not differ from traditional criminal activity, except in the scope of the possible loss. Child pornography is the same crime, whether the images are digital or on photographic paper. A fraudulent scheme can be based on statements communicated through the mail, over telephone wires or on the Internet. The nature of the crime is essentially the same. However, dependence on computers and connection to the Internet also exposes a corporation to new forms of losses from network disruptions, security breaches, the introduction of computer viruses, electronic espionage, extortion and information theft. There are, however, wrongful acts committed through the use of the Internet or computers that may or may not violate a criminal statute, but nevertheless can cause significant loss to the corporate victim. For instance, hacking, cracking, spoofing and sniffing. These all are terms used to describe various ways to obtain unauthorized access to a computer. That access may be in furtherance of a criminal scheme to steal intellectual property (for instance, to sell information to a competitor) or merely as a form of intellectual exercise and mischief without a specific intent to obtain personal enrichment. Whereas physical trespass can be, and is, criminalized (See, e.g., N.Y. Penal Law, 140 et. seq.), trespass in cyberspace may not be. The introduction of a computer virus may be part of an extortion scheme, or an effort to leave a harmless message or “Easter egg.” E-mail bombings, or spamming also may be part of an extortion scheme or mere mischief. In both cases, it may disrupt a corporation’s business and be costly. Many jurisdictions have passed specific criminal statutes, or have amended existing laws to cover cybercrime. For example, in 1986, New York enacted Penal Law 156, et. seq., to deal expressly with crimes involving computers. It criminalizes unauthorized use of a computer (�156.05), computer trespass (�156.10), computer tampering (��156.20 and 156.25), unlawful duplication of computer-related material (�156.30) and criminal possession of computer material (�156.35). Other provisions of the Penal Code dealing with traditional crimes also were amended so that they could be applied to cybercrime. For instance, the definition of “property” in the larceny sections was amended to include “computer data” and a “computer program” (�155.00 (1)). Many states, however, do not have comparable provisions. Moreover, technology and hackers seem to move faster than legislators, creating new forms of wrongful conduct that is not criminalized, but that still can cause a significant loss. For instance, when tens of millions of dollars were lost to businesses last May because of the “Love Bug” virus introduced in the Philippines, the suspect could not be prosecuted because his conduct did not violate an existing criminal statute. Another problem with relying on the criminal law to regulate the Internet, is the fact that cybercrime is global. As just noted, the “Love Bug” originated in the Philippines. It appears that the recent intrusion into Microsoft’s computer originated in St. Petersburg, Russia. In fact, St. Petersburg is reported to be a stronghold of a criminal computer underground. Several years ago, a Russian programmer in St. Petersburg infiltrated Citibank’s electronic fund transfer system and stole millions of dollars. The problems of keeping the law current with criminal ingenuity, even on a local level, are magnified in the international community. Different countries have different views of privacy rights and the degree of regulation that is considered acceptable. International regulation of cybercrime might be viewed as an impermissible meddling into a country’s technological infrastructure. Moreover, there will always be rogue states that will allow cybercriminals to operate, particularly when the likely targets are Western corporations. Finally, there are priorities. Many countries, despite their good intentions, have difficulty handling low-tech street crime. They simply do not have the resources to worry about computer crime whose primary victims are in the industrialized West. Perhaps the most significant issue in the reliance upon the criminal law to control wrongful conduct on the Internet is the difficulty with enforcement. The whole ethic of the Internet rejects regulation. Cyberspace is like the Wild West, a frontier of immense opportunity — but with no sheriff. Thus, even if criminal laws existed that adequately covered cybercrime, it still would be difficult to track down, apprehend, and convict the wrongdoer. Accordingly, corporations are best advised to circle the wagons and find ways to protect themselves. INSURANCE AS A DEFENSE Many corporations have their security services report to the facilities department. That arrangement was understandable when the corporation’s main assets were plant, equipment, and inventory, but may be inappropriate when the assets needing protection are intangible. Corporations must develop their own forms of sophisticated risk management designed to protect their information systems from unauthorized access and manipulation. However, even assuming that the corporation has a sophisticated Information Technology department and has installed the latest forms of firewalls, passwords and security codes, the lesson of the Microsoft break-in is that if it can happen there, it can happen anywhere. Microsoft had a strong reputation for Internet security. Yet, an intruder apparently was able to exploit a weakness in the home computer of a Microsoft employee. When the employee accessed the corporate computer from his home, the intruder used that access as a vehicle to introduce a program into Microsoft’s corporate computer that opened backdoors through which the intruder was later able to gain entry. Insurance is a form of corporate security defense that cannot be hacked or cracked. Corporate risk managers should review existing policies to see if they provide coverage for some types of losses resulting from cybercrime and if those policies can be endorsed to expand the coverage. Risk managers also should consider the new policy forms that are specifically designed to cover Internet risks. TRADITIONAL POLICIES That cyber-risks and cyber-losses are not explicitly addressed in traditional policy forms does not mean that such losses are not covered. A corporation looking to see if loss or damage to its own property is covered by existing insurance should first review any First Party Property policies that it might have. Such policies are designed to cover “First Party” losses, i.e., losses of property owned or in the custody of the policyholder. There also are various forms of crime policies that might apply, particularly if the wrongful conduct has been criminalized. Policyholders also must assess whether a breakdown in their computer systems, including Internet service, exposes them to liabilities to third parties. If this is the case, then those policyholders must review their liability policies, most commonly their comprehensive general liability (CGL) or umbrella policies, to determine what insurance might be available to cover third-party claims. Analysis of any insurance policy begins first with an examination of the insuring agreement and a comparison of the insuring agreement with the loss sought to be covered. The next step is to see whether any of the terms in the Insuring Agreement are defined in the policy. The definition section is often a way in which insurance companies restrict the scope of coverage provided by the policy. In determining whether a cyber-loss is covered by a traditional insurance policy, it is necessary to review any definition of “property damage” or “property” contained in the policy. Such definitions may restrict coverage to “physical damage” to “tangible property.” These types of definitions may exclude that type of intangible loss suffered in cyberspace. On the other hand, some traditional policies contain endorsements that expand those definitions to include forms of intangible property. Such policies clearly have application to some forms of cyber-losses. Finally, a policyholder looking for coverage must review the policy exclusions. Many policies have specific provisions designed to exclude coverage for losses arising out of damage to the policyholder’s computer systems or arising out of use of the Internet. Certain policies also may have exclusions for losses arising out of employee or third-party crime, which may apply to a cybercrime loss. For example, First Party Property policies were designed during a period when policyholders were concerned about their tangible assets, such as plant, equipment and inventory. Those policies also were originally designed to cover certain enumerated physical perils, such as fire, flood and earthquakes. Obviously, there is not likely to be any coverage for cybercrimes under these types of policies. However, corporations now often buy an “All Risk” Property Policy, which provides coverage for all types of perils, unless specifically excluded. It insures against all loss “by reason of Physical Loss or Damage to Property owned by or in the custody of the Insured �.” Whether an “All Risk” policy provides insurance for some forms of cyber-loss will depend upon how the terms “Physical Damage” and “Property” are defined in the policy or through case law. In some first-party policies, the concept of “Damage” can include loss of use. Thus, if spamming or the introduction of a computer virus causes a computer to freeze or break down, a resulting loss might be covered. Similarly, some first-party property policies define the term “property” to include “electronic data processing or electronically controlled equipment,” “storage media,” “data stored on such media” or “records on media.” Under such policies, a policyholder may have a strong argument that some losses from cybercrime are covered. The issue of whether lost data can constitute property damage also has been the subject of litigation. In Retail Systems, Inc. v. CNA Insurance Cos., 469 N.W.2d 735 (Minn. Ct. App. 1991), the policyholder lost a computer tape that contained its client’s data. The policyholder submitted the resulting claim to its insurance company, which denied coverage on the grounds that the lost data was not property damage within the definition of the policy — physical damage to tangible property. The court ruled that because the data had been integrated into, and was located only on, the lost tape, there was “tangible property damage” under the policy. In St. Paul Fire & Marine Insurance Co. v. National Computer Systems, Inc., 490 N.W.2d 626 (Minn. Ct. App. 1992), the policyholder’s employees had taken proprietary data in binders from a previous employer when they changed jobs. The court found that there was no property damage, and no coverage, because: (i) the underlying claim did not seek damages for the stolen binders; and (ii) the policyholder did not lose the use of the data, because it was duplicated in other records. In Seagate Technology, Inc. v. St. Paul Fire & Marine Insurance Co., 11 F. Supp. 2d 1150 (N.D. Cal. 1998), the insured manufactured allegedly defective disk drives, which were incorporated into the claimant’s computers, causing them to malfunction. The court held that the failure of the computers was not physical damage to tangible property and, thus, did not constitute “property damage” under the terms of the third-party liability insurance policy. Under the reasoning in Seagate, the breakdown of a computer or Internet site through spamming would not constitute property damage. As these cases begin to demonstrate, the concepts of what constitutes “damage” or “property” are being re-evaluated as they might apply to intangible assets in cyberspace. These cases are only the beginning of an area of litigation that will be contentious and will have broad implications for policyholders. A form of first-party coverage that often accompanies the All Risk Property form, is insurance for business interruption. Such insurance will respond only if the business is interrupted and income is lost because there has been damage to the type of property covered by the All Risk portion of the policy. However, if the term “Property” is defined or construed by case law to include lost data or the operations of a computer network, then there may be insurance for business losses that result from a shutdown of a company’s computer system due to cybercrime. There also are coverages that a corporate policyholder can buy to protect itself against various forms of criminal activity. These policies define insurance by the risk (the type of crime), not by the nature of the lost property (physical or intangible). A common form of crime policy is a Fidelity policy, which insures against “loss resulting solely and directly from dishonest or fraudulent acts by Employees.” Thus, if a dishonest employee sabotages the employer’s computer system, extorts money through the threatened introduction of a computer virus or uses the computer network to steal from the company, this type of loss should be covered by a Fidelity policy. Other types of crime coverage specifically insure against losses due to theft, burglary, forgery and other enumerated criminal acts. Any of these crimes can be furthered through use of the computer. The mere fact that the crimes are committed, in part, in cyberspace does not cause the resulting losses to be excluded from coverage. ‘CYBER-INSURANCE’ DESIGN As Jeffrey Roberts, an assistant vice president of insurance broker Marsh & McLennan (Marsh) warns: “Traditional policies were not designed to address intangibles such as customer lists, trade secrets and other intangible assets. Adding endorsements or deleting exclusions can result in convoluted wording and gray coverage areas.” As a result of this uncertainty, the Internet has led to the development of a number of specialized coverages specifically designed to insure against losses that may be experienced in cyberspace. Most of the insurers selling these forms of coverage require an extensive security assessment as part of the underwriting process, as well as the implementation of ongoing risk management. For instance, the policyholder may be required to record all computer log-ons, install surveillance and intrusion detection software, require regular password changes and provide computer backups. However, despite the insurance market’s enthusiasm for cyber-insurance, there is little claims history under the new policy forms, and the scope of coverage has not been tested in court. Therefore, there is some uncertainty as to how these new policies will be applied, and the scope of coverage actually provided. Moreover, because the losses are technology-driven, the policies may have to be modified continually to accommodate new types of cyber-loss. It is also important to note that there is no standardized cyber-insurance form, but, rather, a growing number of individual forms marketed by different insurance companies, which cover a different mix of losses. Thus, after a loss is submitted, the policyholder may be surprised by alleged “gaps” in coverage. As Jeffrey Roberts of Marsh warns: “There are cyber-liability products out there that exclude losses from unauthorized access, all Intellectual Property losses and other exposures that are critical coverages. Therefore, it is important to have an experienced person analyze the policy in advance and compare it to the likely exposures that a particular policyholder may face.” Many of the new cyber-policies have been targeted to a specific type of business, such as financial institutions. For instance, Lloyds has an “Electronic and Computer Crime Policy” that often is incorporated into a Financial Institutions Bond. This policy form insures against, inter alia, losses to the financial institution arising out of the fraudulent input, modification or destruction of computer data. Other policies are designed for more general consumption. They insure against losses that arise from specifically defined risks such as “Cyberspace Activities,” “Electronic Commerce” or a “Network Computer Act.” The scope of the coverage provided by each policy is dependent upon the policy definition of those terms. An example of a broad form of cyber-policy is Net Secure. It has been put together by Marsh on behalf of a consortium of insurance companies. Net Secure includes both first- and third-party coverage for losses arising from damage to “Electronic Data,” “Electronic Information Assets,” “Electronic Computer Programs” or “Electronic Data Processing Media” that results from a “Computer Virus,” an “Attack,” “Unauthorized Access” or “Unauthorized Use.” Again, all of these terms are specifically defined in the policy. Net Secure also covers a corresponding loss of business income as a result of any of the defined perils. Net Secure has a separate section for crime coverage, which insures against losses from computer crime, theft of computer systems resources, and extortion. Julie Davis, director of the AON Technology Risk Group, who also brokers insurance policies, cautions that insurance policies must be tailored to the individual needs of the policyholder. “Insureds should beware of the ‘one size fits all’ approach. No two cyber-liability forms are alike and companies must first understand all of their network liability exposures before engaging in an insurance contract. Moreover, the biggest mistake that companies make is that they fail to recognize that as their business model changes, so does their risk profile. Wall Street, however, will reward those companies that take a 360-degree view in implementing risk management approaches for all of their organizational risks, including those in cyber-space.” Randy Paar is a partner in the New York office of Dickstein Shapiro Morin & Oshinsky

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.