Estimates of the amount of damage to U.S. businesses caused by computer crime vary greatly, but there is no doubt that corporate America’s increased reliance on information technology has led in recent years to a dramatic increase in such losses. A 2003 study by the Computer Security Institute and the FBI found that 90 percent of respondents had suffered breaches of their computer systems within the past year. The study also challenged the notion that the greatest threat to organizations comes from within, or that most hackers are “juveniles on joyrides through cyberspace.” The study determined that there is “much more illegal and unauthorized activity in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace.”

Reports of specific instances of computer crime also suggest that the risk of damage to computer systems is real and growing. For example, the “Sobig.F” virus, which debuted in August, was the fastest-spreading e-mail plague of all time. At its height, it infected one in every 17 e-mails.

Despite these real and substantial risks, many companies are not doing enough to protect themselves. According to Ernst & Young’s Global Information Security Survey 2003, many organizations fail to protect their digital assets adequately by investing in information security. Companies often take no action until they have been the victim of a security breach, and then compound their mistake by implementing a temporary “fix” that ignores their core business objectives. By comparison, measured, proactive spending is less costly in the long run than reactive spending, which is often overspending in response to an incident. Indeed, nearly 60 percent of the organizations that responded to the survey indicated they had never calculated a return on investment for information security spending.

GENERAL LIABILITY NOT ENOUGH

Apart from not implementing comprehensive computer security programs, many companies believe losses caused by security breaches would be covered by their general liability insurance policies. The trend in recent cases, however, is to deny coverage under general liability insurance policies for losses caused by breaches of computer security or other cyberevents, on the ground that damage to or loss of data does not constitute damage to tangible property.

For example, the court in Cincinnati Ins. Co. v. Professional Data Servs. Inc., D. Kan. 01-2610-CM (2003), held that a claim against the insured for loss of software and the corrupted data it incorporates does not qualify as “loss of tangible property” within the meaning of a general liability policy and, accordingly, denied coverage. The court also rejected the insured’s theory that, because software and hardware are tied together, coverage should be provided for the damage caused by the “idle hardware.” The court noted that “the loss of a particular computer software does not necessarily lead to the loss of computer hardware — the computer hardware may quite still function.”

Applying a similar definition of tangible property, another federal district court also recently held that computer data and software were not tangible property covered under a general liability insurance policy. See America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp.2d 459 (E.D. Va. 2002). AOL brought an action seeking a declaration that its insurance company, St. Paul, had a duty to defend against claims brought against AOL alleging that Version 5.0 of its Internet access software had damaged the claimants’ computers.

The policy at issue defined “property damage” as “physical damage to tangible property of others, including all resulting loss of use of that property; or loss of use of tangible property of others that isn’t physically damaged.” Defining tangible property as “something that is capable of being touched or perceptible to the senses,” the court found that computer data, software and systems are intangible items stored on a tangible vessel, the computer or a disk. The court held, therefore, that the policy does not cover damage to computer data, software and systems because such items are not tangible property. The court also determined that claims of the loss of use of or access to a computer are intangible.

Finally, in the most recent case in this area, Compaq Computer Corp. v. St. Paul Fire and Marine Ins. Co., Minn. Ct. App., C3-02-2222 (2003), the court held that the insurer was not obligated to defend two class action lawsuits claiming that computers manufactured by the insured had, among other things, caused the loss of use, corruption and destruction of data without any prior warning to the user, under a policy that covered “property damage.” The court rejected Compaq’s argument that data stored on floppy disks is “tangible property,” on the ground that data lacks the physical form and characteristics necessary to meet the definition of tangible property.

CYBERINSURANCE

The decisions in these cases and others suggest that companies are not paying adequate attention to the scope of their insurance policies and to whether their general business insurance policies cover such events. Exposure can potentially be very large and may include not only losses based on damage to a company’s own computer system but also liability to third parties for the unintended dissemination of proprietary or personal information or for denial of service.

Companies should, therefore, closely examine their existing general liability policies to determine whether the most frequent cyberrisks are covered. To the extent that a general business policy does not provide the requisite level of protection, companies should consider obtaining “cyberinsurance.” In recent years, a number of leading insurance companies have begun offering specific policies that cover the loss caused by damage to a computer system or loss of proprietary confidential information. While these policies generally are very expensive and have high deductibles, the total amount of potential loss may make them a worthwhile investment.

In purchasing such a policy, companies should be sensitive to the scope of their coverage. For example, a cyberinsurance policy may be drafted to cover a computer attack directed at a particular company but not a more generalized attack. Similarly, employee negligence is often excluded from coverage. An effective cyberpolicy should be broadly written and cover a range of possible threats, including computer viruses, security breaches, corruption of data, misappropriation of confidential proprietary information and the extortionate demands of computer hackers. It should also cover damage caused by both insiders and outsiders, as well as intentional acts regardless of motive. The latter is not an insignificant risk, because recent surveys have suggested that most companies have not taken adequate steps to prevent internal computer mishaps and abuses. Indeed, according to the Ernst & Young security survey, executives “should focus more on the less obvious and less publicized threats, such as disgruntled employees and ex-employees, network link to business partners who don’t have proven trustworthy systems, the theft of laptop and handheld computers, and insecure wireless access points set up by their employees. These can be the things that may not only cause serious damage, but can tarnish an organization’s brand.” Finally, a company may even want to consider seeking “post-incident coverage,” for public relations expenses, for example.

OVERALL COMPUTER SECURITY PLAN

It is important, however, that companies not rely exclusively on a cyberinsurance policy to protect them. Most insurance companies require a company seeking cyberinsurance to have instituted a basic security policy, covering such items as physical security and employee training, before issuing a policy. Moreover, a comprehensive computer security policy makes good business sense and can more than pay off in the long run.

The first step in instituting such a plan is to conduct a detailed assessment of the types of risk faced by the company and an evaluation of its overall security measures, including physical and network vulnerabilities. Existing security procedures should be reviewed to determine that they are consistent with business processes and objectives. The review should also identify the company’s key assets, with a view to how to better protect them. The overall goal should be to identify the areas of greatest concern in order to create a computer security plan designed for that specific company. For example, it makes little sense for a Fortune 500 company that depends heavily on its intellectual property and information systems to have the same computer security plan as a 100-person company that maintains little or no confidential information on its computer system.

After the review has been completed, a comprehensive plan that carefully reflects the review’s findings should be drafted. Although the details of a plan must be formulated on a case-by-case basis, there are a number of elements common to all effective computer security plans.

First, the plan must include steps to train employees in the importance of computer security. Employees must consider computer security to be a normal part of their day-to-day responsibilities and understand the consequences of policy violations, including possible legal ramifications. Employees must also be taught to understand the dangers of social engineering, and that even the most innocuous piece of information, such as the internal phone number of an employee, can be used in the process of obtaining a company’s most valuable information. Indeed, in a recent British survey, 90 percent of respondents gave up their office computer password in exchange for a cheap pen.

Second, the plan must include the implementation of adequate technological security measures to maintain company-wide security, satisfy business objectives and protect the most critical information assets. Third, it must include steps to prevent insider abuse, including performing background checks before hiring any employee who would have access to sensitive data, and procedures for dealing with an employee who leaves or has been terminated. Fourth, the plan should provide for monitoring computer network access and logging attempts at unauthorized access. Fifth, an effective plan cannot be considered complete unless it sets out how to respond to an incident involving a breach of computer security or the loss of confidential information. Thus, a company must determine how to respond to a computer intrusion, denial-of-service attack, theft of intellectual property, or other network-based crime. And finally, the plan should include the criteria to be used in deciding whether law enforcement should be contacted. Companies should weigh the advantages and disadvantages of referring a matter involving a breach of computer security or misappropriation of confidential proprietary information to the government for possible criminal prosecution.

Companies are facing an increased risk that they will be the victim of an attack on their information technology systems. Whether such an incident becomes nothing more than a minor irritant or escalates to pose a threat to a company’s financial health may depend on the prophylactic steps the victim company has undertaken to protect its computer system.

Peter J. Toren is the head of Sidley Austin Brown & Wood’s Intellectual Property Practice in New York. He is also the author of “Intellectual Property and Computer Crimes” (Law Journal Press 2003).


Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.