Sales of cyber-insurance policies have spiked sharply this year, mainly because of the increased attention and scrutiny that followed the massive data breaches at Target and Neiman Marcus over the last holiday season. Also, in what was once an uncommon occurrence, banks are now suing retailers who have been victimized by hackers accessing mission-critical data. These threats against corporate data have finally caused many businesses to seek out risk management practices, such as insurance coverage, to protect against loss.

In general, most cyber-insurance policies cover the cost of a data breach investigation, customer notification and credit-monitoring services, as well as legal expenses and damages resulting from consumer class action litigation. According to The Wall Street Journal today, general liability insurers are expected to adopt language specifically excluding damages arising out of cyber-attacks. The nuances of the policies have still not been perfected, and companies should have an attorney who understands this area of law examine the scope of coverage contained within each policy. Doing due diligence will help organizational leaders better determine if the insurance premium benefits the company from a cost-savings standpoint.

In a report published today in The Wall Street Journal, the Obama White House was presented with the final four recommendations for restructuring the National Security Agency’s (“NSA”) controversial bulk collection of data. As one would imagine, none of the four options available is perfect, but they include: (1) abolishment of the entire program itself; (2) have the phone companies retain the data; (3) have a government agency other than the NSA (e.g. the FBI) hold onto the data; or (4) have an entity outside the phone company and government hold onto the data.

When looking at the last three options objectively, it would seem that the problem never really goes away. Private phone companies would become quasi-government agencies, and is it feasible to think, given its past history under J. Edgar Hoover, that the FBI would be trustworthy enough not to hold onto the data? Judges are apprehensive about expanding the role of the U.S. judicial system to such an oversight role, but the appointment of a “special master” who oversees how the data is collected would be just what the NSA program needs if it is to sustain itself long-term. Arguably, the main role, or function, of our government is to protect and safeguard the citizens of the United States, and the first option, or “nuclear” option, would deal a major blow to intelligence efforts on the national security level.

In response to the thousands of mobile applications hitting the market that often rely on consumer data (i.e. contact information, location, photos, etc.), the Federal Trade Commission (“FTC”) released a suggested list of security guidelines for mobile app developers to follow when designing a program. While no one-size-fits-all checklist can exist, the FTC views these security tips as a way to help protect the developers, the consumers, and the reputation of the app. The following are 12 suggested security guidelines for mobile application developers to consider:

1. Make someone responsible for security;
2. Take stock of the data you collect and retain;
3. Understand the differences between mobile platforms;
4. Don’t rely on a platform alone to protect your users;
5. Generate credentials securely;
6. Use transit encryption for usernames, passwords, and other important data;
7. Use due diligence on libraries and other third-party code;
8. Consider protecting data you store on a user’s device;
9. Protect your servers, too;
10. Don’t store passwords in plaintext;
11. You’re not done once you release your app. Stay aware and communicate with your users;
12. If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations.

Before getting into the core aspects of these security guidelines, make sure to evaluate the ecosystem in which the app will reside. The FTC comments that while it is important to get the mobile app working and accepted by an app store, a critical third step, the anticipation and prevention of security glitches, is vital to the app’s long-term viability.
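Two of the FTC tips above, generating credentials securely (tip 5) and never storing passwords in plaintext (tip 10), are concrete enough to show in code. The following is an added example written for this page, not code from the FTC or from any app discussed here; it uses only the Python standard library. The iteration count, salt length and the hypothetical `PlaintextStore`/`HashedStore` classes are assumptions chosen for illustration. The plaintext store is shown only so the contrast with the hashed store is visible: a breach of the first table leaks every password directly, while a breach of the second yields only salted, slow-to-crack digests.

```python
# Added example (not from the FTC or the original page): tip 5 (generate
# credentials securely) and tip 10 (don't store passwords in plaintext).
import hashlib
import hmac
import secrets

# Parameters are assumptions for this example; real deployments tune the
# iteration count to their hardware and raise it over time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def generate_api_token(nbytes: int = 32) -> str:
    """Tip 5: credentials come from the OS CSPRNG, never from random() or a clock."""
    return secrets.token_urlsafe(nbytes)


class PlaintextStore:
    """What tip 10 warns against: the table itself is the secret."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = password          # leaked verbatim on breach

    def verify(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


class HashedStore:
    """Per-user random salt + PBKDF2-HMAC; verification uses a constant-time compare."""

    def __init__(self) -> None:
        # username -> (salt, iterations, digest); iterations are stored so
        # old records can be re-hashed when the parameter is raised later.
        self.users: dict[str, tuple[bytes, int, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh salt per user
        digest = self._derive(password, salt, PBKDF2_ITERATIONS)
        self.users[username] = (salt, PBKDF2_ITERATIONS, digest)

    def verify(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            self._derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            return False
        salt, iterations, stored = record
        candidate = self._derive(password, salt, iterations)
        return hmac.compare_digest(candidate, stored)

    def stored_digest(self, username: str) -> bytes:
        """What an attacker who dumps the table would actually obtain."""
        return self.users[username][2]


if __name__ == "__main__":
    store = HashedStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.verify("alice", "correct horse battery staple"))
    print("wrong pw:", store.verify("alice", "hunter2"))
    print("on-disk digest:", store.stored_digest("alice").hex())
    print("api token:", generate_api_token())
```

Two users who pick the same password end up with different stored digests because each gets its own salt, so a leaked table cannot be cracked once and reused across accounts; `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched.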

Appellate court judge Hon. Richard Leon ruled today that the mass collection of Americans’ telephone data is “Orwellian” and most likely unconstitutional. What exactly is a “National Security Letter” (or “NSL” for short)? Actually, NSLs have been around for quite some time, but the USA PATRIOT Act greatly expanded their functionality in the wake of 9/11. An NSL is a written demand by the FBI that compels Internet Service Providers (ISPs), credit companies, financial services firms, and other organizations to turn over confidential customer information. The written demand does not require court approval and comes with a built-in gag order that prevents the recipient from disclosing the fact that they have been served an NSL. Thousands of these letters have been issued by the FBI over the years, and it has been very cost-prohibitive for many small businesses to challenge the efficacy of the nondisclosure requirement.

But for the disclosures of Edward Snowden, little would be known about exactly how the NSA spying program really works. It is known that after 9/11, for example, the FBI paid multimillion-dollar contracts to AT&T and Verizon requiring the telecom companies to place employees inside the FBI and to grant the FBI access to the telecom databases so they could immediately service FBI requests for telephone records. In short, the data that travels across the Internet is carried on fiber optic lines fitted with “splitters” that allow the traffic to be mirrored or “split”; the two streams are exact copies of each other, whereby one copy is sent to its intended destination and the other to the NSA for collection and analytics. Once the government has analyzed the information, the data is funneled to investigative agencies, like the FBI and DEA, to help launch criminal investigations of Americans.

The Department of Justice Inspector General determined that the AT&T and Verizon employees let FBI agents illegally look at customer records without paperwork, and even wrote NSLs for the FBI. At the very minimum, employees of Verizon and AT&T were acting as de facto government agents whenever they assisted the FBI in its request for telephone data, and that should have required a court to review the information request.

To better understand issues that are not always easily answerable, sometimes we should force ourselves to examine the opposing viewpoint, no matter how benign or absurd. While it would seem hard to defend the NSA’s practice of mass-collecting call detail records of non-suspect Americans as not violating their 4th Amendment rights under the U.S. Constitution, does the “open letter” signed today by Google, et al., to President Obama and the U.S. Congress come across as a bit disingenuous? Consider the following case before dismissing that comment as incredible:

Our law enforcement officials perform a delicate dance between protecting the safety and welfare of all citizens and still maintaining the integrity of the civil liberties we hold dear. The premise of the open letter was to make a plea to regulate online spying programs and to push for changes in order to better protect user privacy. The course of conduct suggested by the Big 8 tech firms was (1) to limit the government’s ability to collect users’ information; (2) to set up a legal system of oversight and accountability for that authority; (3) to allow the companies to publish the number and nature of the demands for data; (4) to ensure that users’ online data can be stored in different countries; and (5) to establish a framework to govern data requests between countries. Brad Smith, General Counsel of Microsoft, stated, “People won’t use technology they don’t trust[.]”

However, those same companies, when their business model is taken into context, practice the very same methods of data collection that the NSA and other executive agencies seek when making a court-ordered request for production. Their business and economic interest is based on the data analytics derived from the email messages, search engine queries, payment details, and other personal information that they collect from their customers, all in an effort to provide a more targeted online experience. These are the same businesses whose ULAs (user license agreements) state that the customer retains all rights and title in the data transmitted, and yet their servers are constantly under attack by rogue agents and botnets. Every one of those companies has at one point in time experienced a breach in data security, and not one would state that its IT network is impenetrable. A very prominent founder and CEO of one of the firms has declared in the past that “Privacy is dead.”

The point being: are these firms in any better position to make the demands they made today than a legal request granted by some nondescript court of law? The answer we all seek, and demand, is of course greater transparency, both from the government and from the service providers in which we place our mission-critical data. To date, over 621 million records have been breached, and that is only what has been reported. Many businesses simply refuse to adequately report data loss because of the collateral damage it may cause to their business reputation. The government’s position may simply be that it is doing legally, via a court order, that which is already being done illegally for lack of internal and external controls. A paradigm shift in our legal framework AND in the way we conduct business “in the Clouds” is truly the bipartisan answer we should demand.

A bipartisan group of House and Senate members introduced the USA FREEDOM Act last month in an attempt to restore Americans’ privacy rights by ending the bulk collection of phone records and requiring greater oversight, transparency, and accountability with respect to domestic surveillance programs. The Sensenbrenner-Rokita NSA Reform Bill (another name for the USA FREEDOM Act) includes significant privacy and oversight provisions, detailed reporting on the number and types of FISA (Foreign Intelligence Surveillance Act) orders issued, and the creation of a Special Advocate post, whose purpose is to advocate for civil liberties and privacy rights before the FISA Court.

Sen. Patrick Leahy (D-VT) and Rep. Jim Sensenbrenner (R-WI) co-authored an op-ed article published in Politico in which they highlighted the need to ensure the protection of Americans’ civil liberties while preserving the intelligence community’s ability “to gather information in a more focused way, as was the intent of the PATRIOT Act.” Both Messrs. Leahy and Sensenbrenner agree that Congress must provide our intelligence community with the necessary tools to keep our country safe, but acknowledge that, to date, the intelligence community has failed to adequately justify its expansive use of current laws.

If passed and signed into law, the Bill would require that the Applicant (i.e. the Government) establish “reasonable grounds” that the tangible things sought are “relevant” and “material” to an ongoing investigation. The Applicant would be required to create a statement of proposed “minimization procedures” to ensure that the search would be as narrowly tailored as possible. The Applicant would also have to submit a statement of facts showing reasonable grounds that disclosure of the Government’s interest in collecting data would result in (a) endangering the life or physical safety of any person; (b) flight from investigation; (c) destruction of or tampering with evidence; (d) intimidation of potential witnesses; (e) interference with diplomatic relations; (f) alerting a target in which the government has an interest; or (g) seriously endangering the national security of the U.S.; together with (h) an explanation of how the nondisclosure requirement is narrowly tailored to address a specific harm.

Are these parameters sufficient to balance Americans’ civil liberties against protecting our national security? What type of “minimization procedures” would put your mind at rest that the intelligence community has not overstepped its bounds? Does the legislation go far enough, if at all, in reclaiming what we lost as a result of 9/11 with regard to our privacy rights, business interests, and standing in the international community?

This past summer the Ponemon Institute and Experian Data Breach Resolution released a report stating that most businesses now rank cyber-security risks higher than natural disasters and other major business risks. Despite this paradigm shift in the boardroom, few companies are yet willing to purchase cyber-insurance as part of their overall risk management strategy. An organization’s reluctance to purchase cyber-insurance, in spite of evidence suggesting it should, can be boiled down to the assessment of four competing priorities: (1) Risk Transfer – buying cyber-insurance in order to transfer risk to a third party; (2) Risk Acceptance – bearing the risk and budgeting for the eventual losses; (3) Risk Mitigation – taking steps to contain and minimize anticipated risk losses; and (4) Risk Avoidance – eliminating a risk entirely by removing the conditions that created it.

In today’s corporate cyber-world, it is practically impossible for most companies to simply “avoid” the risk altogether. Most businesses have to rely upon certain internal controls to mitigate the risk, and then self-insure for the eventual breach of information. Upon close inspection of a cost-benefit model, this approach is the most financially prudent course of conduct. However, the cyber-insurance industry is rapidly evolving to a point where more and more businesses are looking to transfer their cyber-risks to a third party.

Unlike traditional business insurance, cyber-insurance policies are unique to the issuing carrier, and nothing is standard in the industry at this time. While a sizable third-party market exists to cover losses suffered by a company’s customers, first-party policies that address direct harms to the company itself remain expensive, rare, and largely unattractive. Several factors are to blame for this, including: (1) a lack of actuarial data, which results in high premiums for first-party policies that many can’t afford; (2) the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks; and (3) fear that a so-called “cyber hurricane” will overwhelm carriers who might otherwise enter the market before they build up sufficient reserves to cover large losses.

Among the 56 percent of companies surveyed by Experian and Ponemon that reported a cyber-related breach in the last 24 months, the average cost per incident was $9.4 million. This figure, however, was only a small fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to a cyber-attack.

Third-party insurance and self-insuring against cyber-security losses are not always mutually exclusive investments. Cyber-security requires a comprehensive risk management solution that examines the organization’s people, processes, and technology. To properly evaluate the necessary coverage, a business should categorize and understand its exposure for its own losses and internal expenses, and consider potential liabilities to third parties based on an assessment of that business.
