In 1964, futurist Arthur C. Clarke predicted that in 50 years, people “will no longer commute—they will communicate.” For a significant portion of the American workforce, the future is now. COVID-19 has fundamentally changed how we communicate: The virtual meeting is suddenly our primary means of interaction with coworkers. Video conferencing platforms like Zoom, Microsoft

According to ZDNet, hackers successfully breached eleven major cryptocurrency exchanges in 2019 and stole more than $283 million worth of cryptocurrency. We should expect this number to increase in 2020 as governments and cybersecurity experts warn that hackers will seek to take advantage of the coronavirus crisis to infiltrate corporations and as a vast number of employees move to teleworking. Specifically, cryptocurrency owners who maintain “hot wallets” should be particularly vigilant in protecting their assets because hot wallets are more vulnerable to theft and may not be covered by current insurance policies. Lloyd’s of London, however, recently announced the development of a new policy that will provide coverage for hot wallets. This blog has previously discussed the insurance industry’s attempts to develop new policies and endorsements to cover risks related to the cryptocurrency industry. See relevant past articles: Prepare for the Future With Cryptocurrency Insurance and The New Money: Cryptocurrencies and the Role of Insurance.
Continue Reading Cryptocurrency Insurance for “Hot Wallets”

Numerous businesses facing class action lawsuits brought under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14 et seq., have sought insurance coverage under general liability policies only to receive blanket denials. It appears some relief may be on the way as the first Illinois Appellate Court to consider the issue affirmed the decision of the trial court and found in favor of coverage. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834 (March 20, 2020).
Continue Reading First Illinois Appellate Decision Finds Coverage for BIPA Class Action Under General Liability Policy

Most firms that provide technology services or products have insurance to protect them against the risk that a dissatisfied customer will bring a claim or a lawsuit against them for damages arising out of the company’s products or services. It is very likely that such firms purchase general liability insurance, which is an important product that covers many different risks, including property damage, bodily injury, advertising injury, and other business-related claims. Most importantly, general liability insurance policies often require the insurer to defend the company in the event of litigation, making it a particularly valuable type of insurance. But will general liability insurance protect your tech company in the event of a claim by a client for purely financial damages? The short answer is, probably not. This is the reason for tech firms to consider a Technology Errors and Omissions (Tech E&O) policy as part of their overall coverage program. Using the examples below, this article discusses the coverage such policies can provide.

Example 1: Tech Product

Let’s say your company designs and provides building design software to architecture firms. Due to a problem with your software, several architectural designs for major projects have incorrect specifications, which impact many large projects. As a result, your company’s clients lose revenue because they have to revise the design plans for these projects, which takes additional weeks of architect time. If the architects then sue your company for damages, it will have to defend itself in the lawsuit and possibly pay a settlement or judgment to the architecture firms. 
Continue Reading Technology E&O Insurance

As the risks associated with cyber liability continue to evolve, so do the insurance products that are theoretically meant to protect against those risks. As the insurance industry attempts to keep pace, the applications that insurers use to capture the data they believe is necessary to underwrite these risks are also evolving, and they vary to a large degree. Regardless of whether an application is long or short or seeks information in generalities or in detail, all prospective policyholders must take care in completing these applications, enlisting the help of a data security professional (whether within the organization or a consultant) and possibly of a good broker that specializes in this area. Indeed, a failure to provide accurate information could cause an insurer to resist providing coverage for a claim, or attempt to rescind the policy, on the purported grounds that there was a material misrepresentation in the policy application.

This article first provides an overview of the key categories of information that most cyber-liability insurance applications seek, followed by some of the key principles of which a policyholder should be aware in the event an insurer attempts to deny a claim or rescind a policy based on alleged misrepresentations or omissions in the policy application. 
Continue Reading Filling Out a Cyber Insurance Policy Application: Do Not Give Insurers a Material Misrepresentation Defense

Data breaches are up significantly in 2019, exposing billions of confidential records and costing companies millions of dollars on average per breach. Security experts counsel their clients that data breaches are inevitable as even the largest, most secure systems may be breached. In spite of this environment, many tech companies are woefully unprepared to respond to a cyber intrusion, data breach, or other cyber-related event. Are you ready?

As insurance coverage lawyers, we often work with clients to confront this organization-wide challenge after a breach has occurred. The better approach, however, is to prepare in advance by understanding your risks, building a team, securing and monitoring your data, having a well-developed and rehearsed response plan, and tailoring your insurance program to a possible breach. Additionally, having counsel involved throughout the preparation and response process is critical to protect privilege, minimize legal liability, and maximize insurance coverage.
Continue Reading Preparing for Data Breaches: Data Mapping, Response Team and Insurance

This author has previously discussed the inevitability of security hacks and attempts to require companies holding third-party data to pay some type of damages to the alleged victims of a hack. Even though damage from such hacks is often hard to prove, those who claim to have been victimized and their lawyers, who often operate on contingencies, will continue to file lawsuits that often result in the imposition of at least defense costs and, at times, of some indemnity payments. Hacked companies also suffer actual damage from loss of customers when the hacks are reported as required by multiple laws. Companies should thus take reasonable precautions against data breaches. But if a company takes such reasonable precautions, it should be able to buy insurance for the inevitable hack that actually provides coverage for resulting defense expenses, indemnity payments, and loss of business income.
Continue Reading Watch Out for the Statutory/Governmental Exclusion and Any Restriction on Paying Ransom Demands for Malware Attacks

Companies enter an array of technology transactions with third parties that allow vendors access to the Company’s source code, customer data, employee information, cybersecurity measures, and other critical data and infrastructure. These relationships inevitably increase the potential of a cyber attack impacting the Company through an attack against the vendor.
Continue Reading How Does Your Company Transfer Risk in Its Technology Transactions?

As previously reported here (Nov. 8, 2017), companies falling victim to electronic impersonation (“spoofing”) schemes have frequently turned to “computer fraud” coverage found in typical crime policies. In this type of fraud, someone impersonates a vendor, contract partner, or company executive via email or other electronic means, and directs the transfer of funds to

I have several times discussed the need for cyber insurance that will actually cover reasonable claims; a need that still seems to exist. The case of Hub Parking Technology USA v. Illinois National Insurance Company (https://www.law360.com/articles/1170778/parking-tech-co-says-aig-must-defend-it-in-privacy-row) that was brought in Pennsylvania District Court in June of this year illustrates this problem. Hub bought security and privacy insurance that was intended to cover security breaches and disclosure of personal data in violation of privacy rules. Hub was then sued in underlying litigation for printing parking receipts at the Cleveland Airport that showed eight digits of credit card numbers instead of the standard last four digits permitted under various state statutes and case law. When Hub submitted the claim to its cyber insurer, the cyber insurer rejected the claim based on its conclusion that there had been no loss of privacy or security information, as well as on several exclusions, such as those for contractually assumed liability and intentional acts. Although the insurer may have had a legitimate complaint that there really was no damage from this alleged violation (and the plaintiffs had not alleged that anyone suffered actual damage or identity theft arising from the parking receipts at issue; they rather relied on an FTC study showing that similar incidents have caused actual damage, so that the potential for damage existed), that should not have prevented the insurer from providing at least a defense.  
Continue Reading Will Your Cyber Insurance Actually Pay Claims?