Over the past two decades, business operating efficiency has been catapulted to higher levels thanks to the rapid development and use of technology. Customer information can now be accessed from almost anywhere on the globe. Millions of transactions between consumers and businesses take place online every single day, and companies now advertise on every corner of the cyber world. Unfortunately, as companies rely more and more on technology, they inadvertently open themselves up to a host of new risks. With no end to technological development in sight, businesses must be aware of the increase in first- and third-party exposures as new technologies are implemented into their day-to-day operations. This article is the first of two parts and will discuss some of these new exposures that many now call cyber risks. Next, the article will briefly mention the legal trends that also affect companies’ cyber risk exposures. Finally, we discuss how to manage these specific types of risks by comparing the coverage afforded by a standard Commercial General Liability (CGL) policy to a specialized Cyber risk policy. The second part of this article will apply actual cyber-related losses to both types of policies to show what they can do when put into action.
The Cyber Threat
Today, companies face a barrage of threats when using computers to transact business. Simply being connected to a network gives rise to many cyber risks. Potential security breaches resulting in theft or destruction of customer data are main concerns when storing and transferring sensitive information. Security breaches can result in extremely high costs: a data breach committed by cyber criminals in 2006 cost TJ Maxx more than $171 million (King, 2009). Furthermore, security breaches are likely to become more prevalent as businesses require more employees to carry mobile devices, which are frequently taken off the businesses’ premises. Businesses must be aware of this and put the appropriate security policies into place for employees to follow.
Companies also create new risks by simply operating a company website. Businesses can run into copyright and trademark infringement suits, personal injury claims, and domain name disputes. Domain name disputes have decreased over the years as laws have been created to prevent cybersquatters from registering trademark names. More recently, shorter URLs have been introduced for use on Twitter, which are more efficient because posts on Twitter are limited to just 140 characters (Lavallee, 2009). But as URLs become shorter, they begin to lack clarity. As a result, this lack of clarity will make it much easier for cybersquatters to fraudulently register URLs and to defend them in court.
The use of social networking sites to advertise and interact with consumers is another rising trend in business and is a major concern. Many companies also allow employees to use company chatrooms, bulletin boards, and blogs to discuss new topics or issues in their industry with other professionals. The potential downside to these new communication tools is that employees have a place to sound off about their company or clients, creating possible libel, disparagement, or even invasion of privacy injuries. These personal and advertising injuries have been around for a long time, but companies should be aware of the added exposure created when allowing employees to use these new forms of media.
Finally, companies can incur large amounts of first party expenses when cyber losses occur. Due to the tightening of federal laws and state regulations, many of these expenses can be attributed to the costs to investigate the security breach, notify customers of the breach, defend cases in court, and pay fines imposed by regulations. Additionally, should the business or consumer lose access to the business’ website, online sales may be lost. Companies that experience data breaches usually incur costs to restore lost or damaged data as well. This process can be very costly and time consuming.
The Legal Trend
Several laws and regulations have been adapted over the years to incorporate businesses’ use of the Internet in their day-to-day operations. Of the federal agencies involved in this arena of law, the Federal Trade Commission (FTC) has the most significant presence. A brief description of these laws and the regulatory trend is provided below:
- The FTC Act, originally introduced in 1914, prohibits unfair competitive practices and unfair or deceptive advertising (FTC.gov). Over the years, the Act has come to prohibit unfair or deceptive advertising in “any medium,” which has allowed application of the law to Internet advertising.
- The Fair and Accurate Credit Transaction Act (FACTA) was originally introduced in 2003. Later, in 2005, the FTC added the Disposal Rule to the Act, which requires all companies to destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed. Damages range from $100 to $1,000 per customer violation plus possible punitive damages (FTC.gov).
- The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998 by Congress and is an example of a law enacted specifically for Internet use. This Act was designed to keep businesses from collecting information from children under the age of 13, unless parental permission is given. In late 2008, Sony paid $1 million to settle charges with the FTC for violating COPPA (FTC.gov).
- The Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) were both introduced in the late 1990s and help protect sensitive customer information in the financial and health industries.
State regulatory trend
- In 2003, California became one of the first states to enact data security breach regulations requiring companies to notify third parties of potential data security breaches (Smedinghoff, 2008).
- In early 2009, the state of Massachusetts implemented a data security breach regulation very similar to that of federal law, if not stricter (Smedinghoff, 2008). “These regulations require companies to (1) implement a risk based, process-oriented, ‘comprehensive, written information security program’, and (2) encrypt all personal information stored on laptops and other portable devices” (Smedinghoff, 2008). Massachusetts was the first state to actually define “reasonable security” in its regulations (Smedinghoff, 2008).
- As of December 2009, forty-five states had enacted security breach notification laws (NCSL, 2009). The strictness of these laws varies among the states.