2020 | OriginalPaper | Chapter

Cyber Risks: Three Basic Structural Issues to Resolve

Author: Leo P. Martinez

Published in: InsurTech: A Legal and Regulatory View

Publisher: Springer International Publishing

Abstract

The incidence of cyber liability and cyber losses, collectively cyber risks, has increased greatly over the last several years. To add to the problem, cyber risks also expose insureds to statutory liability.
The increasing number of incidents has given rise to an important question: “to what extent is liability for data breaches covered by a CGL or other sort of insurance policy?” Insurers have responded by including exclusions to mass data breaches in their CGL policies and offering separate plans (with high premiums) to cover such an event. However, insurers face a problem in drafting these policies because there is a lack of judicial information about how these policies will be interpreted by the courts. Without a thorough case history, insurers cannot confidently draft these policies to exclude (or price in) certain high-risk practices.
In this vacuum, several aspects of cyber liability require resolution. A short list of issues will illuminate the problem.
1. The definitional boundaries of exactly what is meant by cyber liability or loss are a basic systemic problem. The range of possible types of losses already seems daunting. It does not bode well if the insurance industry and policyholders face scores of coverage cases regarding cyber liability or loss coverage issues that seem only limited by human ingenuity.
2. Will exclusions for cyber liability or losses be effective? The insurance industry’s odyssey with respect to the pollution exclusion suggests that a trial and error approach spanning 20 years is not a good idea.
3. Are coverage provisions regarding cyber liability and losses effective? If so, do they affect the basic duties to indemnify and defend?

This paper addresses the three issues above with the aim of providing a framework for resolution.

Footnotes
1
Ostrander (2006), p. 1.
 
2
Although this should be true, the empirical support for the proposition is weak. Perhaps there is a phase lag that reflects potential policyholder’s lack of appreciation of the risk that is faced. For example, the prediction that the implementation of the European Union’s General Data Policy Regulation would lead to an increased demand for cyber insurance also failed to materialize. Mengqi Sun (June 21, 2018) Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance, WSJ B10.
 
3
Ponemon (2016). Some of the material that follows paraphrases discussion in Martinez and Richmond (2018).
 
4
Ponemon (2016). An ironic example of the cobbler’s children going unshod is the observation that lawyers, who should be especially vigilant about clients’ cyber risk issues, are themselves often underinsured in this area. Stephens and Tilton (2017), p. 12 (“Only 17 percent of attorneys reported having a cyber insurance policy....”). The penetration rate of cyber coverage among lawyers is marginally better than the 1/3 penetration rate among operating firms. Romanosky et al. (2017), p. 3.
 
5
Stephens and Tilton (2017), pp. 12, 15.
 
6
Dominitz (2017), pp. 32, 33 (describing cyber losses as “not just a passing fad”).
 
7
See Jerry and Mekel (2001), pp. 11–17 (discussing first-party and third-party insurance). While used interchangeably in this piece, third-party cyber risk cases are difficult to assess because the duty to defend lowers an insurer’s threshold obligations. OOIDA Risk Retention Grp., Inc. v. Griffin, 2016 U.S. Dist. LEXIS 57469 at p. 15 (E.D. Va. 2016) (“burden is not especially onerous as an insurer’s duty to defend”). Moreover, it is the insurer who bears the burden of proof regarding exclusions. Selective Way Ins. Co. v. Crawl Space Door Sys., 162 F. Supp. 3d 547, 551 (E.D. Va. 2016).
 
8
At the time “Breaking Bad” in Cyberspace: A Challenge for the Insurance Industry was written the list in footnote 9 was published on the NAIC website under the cybersecurity topics page. However, since 2014 the webpage has been updated and NAIC has removed the list below. NAIC’s updates do not discount the validity of the list below, rather just that NAIC’s focus on this topic has expanded. As of April 30, 2018, NAIC is considering creating a Cybersecurity Insurance Institute, demonstrating how this area of Insurance Law is expanding rapidly. For more information see, https://www.naic.org/cipr_topics/topic_cyber_risk.htm.
 
9
Cope and Reynolds (2015).
The types of Coverage Identified by the National Association of Insurance Commissioners (NAIC) include the following:
  • Liability for security or privacy breaches, including loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems;
  • The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers;
  • The costs associated with restoring, updating or replacing business assets stored electronically;
  • Business interruption and extra expense related to a security or privacy breach;
  • Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media (for an in-depth discussion of specific risks arising from the use of social media, please see Carrie E. Cope, Dirk E. Ehlers & Keith W. Mandell (2014) Social Media and Insurance: The Insider’s Guide to Successful Risk Assessment and Management);
  • Expenses related to cyber extortion or cyber terrorism; and
  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings. Cope and Reynolds (2015), p. 29.
The types of cyber risk liability identified by The Insurance Information Institute include an equally impressive listing:
  • Loss/Corruption of Data—covers damage to, or destruction of, valuable information assets because of viruses, malicious code and Trojan horses;
  • Business Interruption—covers loss of business income because of an attack on a company’s network that limits its ability to conduct business, such as a denial-of-service computer attack--coverage also includes extra expenses, forensic expenses and dependent business interruption;
  • Liability—covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company because of:
      • Breach of privacy because of theft of data (such as credit cards, financial or health related data);
      • Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties;
      • Failure of security which causes network systems to be unavailable to third parties;
      • Rendering of Internet Professional Services; and
      • Allegations of copyright or trademark infringement, libel, slander, defamation or other ‘media’ activities in the company’s website, such as postings by visitors on bulletin boards and in chat rooms—this also covers liabilities associated with banner ads for other businesses located on the site;
  • D&O/Management Liability—newly developed tailored D&O products provide broad all risks coverage, meaning that the risk is covered unless specifically excluded—all liability risks faced by directors, including cyber risks, are covered;
  • Cyber Extortion—covers the ‘settlement’ of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers;
  • Crisis Management—covers the costs to retain public relations assistance or advertising to rebuild a company’s reputation after an incident—coverage is also available for the cost of notifying consumers of a release of private information, as well as the cost of providing credit-monitoring or other remediation services in the event of a covered incident;
  • Criminal Rewards—covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a cybercriminal who has attacked a company’s computer systems;
  • Data Breach—covers the expenses and legal liability resulting from a data breach—policies may also provide access to services helping business owners to comply with regulatory requirements and to address customer concerns;
  • Identity Theft—provides access to an identity theft call center in the event of stolen customer or employee personal information; and
  • Social Media/Networking—insurers are looking to develop products that cover a company’s social networking activities under one policy. Some cyber policies now provide coverage for certain social media liability exposures such as online defamation, advertising, libel and slander. Hartwig and Wilkinson (2014); Cope and Reynolds (2015), pp. 30–31.
 
10
Romanosky et al. (2017), p. 14 (mentioning systems restoration in addition to data recovery and data re-creation).
 
11
Romanosky et al. (2017), p. 14.
 
12
Romanosky et al. (2017), p. 14.
 
13
Stephens and Tilton (2017), p. 15.
 
14
Wood et al. (2017), pp. 38–39.
 
15
Wood et al. (2017), pp. 38–39.
 
16
Buchanan et al. (2018), Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails. https://www.lw.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage.
 
17
While Directors and Officers Liability (D&O) policies and Errors and Omissions Liability (E&O) policies are distinct from Commercial General Liability (CGL) policies, the potential gaps in coverage appear to be similar. Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails. https://www.lw.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage. Decisions on whether CGL, E&O, and D&O policies cover cyber risk events come down to subtle differences in policy language. The definitional problems described within this article create the ambiguity of coverage for cyber risks. Oshinsky and Lee (2010).
 
18
Schwarcz (2017), pp. 1500–1502; Buchanan and Gallozzi (2018).
 
19
Romanosky et al. (2017), p. 14.
 
20
Retail Sys., Inc. v. CNA Ins. Cos., 469 N.W.2d 735 (Minn. Ct. App. 1991).
 
21
Dominitz (2017), pp. 36–37. This may also explain the large variation in pricing among available cyber loss policies. Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails. https://www.lw.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage.
 
22
Buchanan and Gallozzi (2018).
 
23
Buchanan and Gallozzi (2018).
 
24
Nitardy (2017), p. 27; Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails. https://www.lw.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage.
 
25
Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails. https://www.lw.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage. (a similar lack characterizes Directors and Officers Liability (D&O) policies and Errors and Omissions Liability (E&O) policies).
 
26
Matthew Bender & Company, Inc. (2nd 2011) Appleman on Insurance Law & Practice Archive. 20-129 § 129.2.
 
27
Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 554 (2003) (data does not qualify as a “direct physical loss”); America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 95 (4th Cir. 2003) (while a hard drive is tangible property, the data, information, and instructions, which are codified in a binary language for storage on the hard drive, are not tangible property); Union Pump Co. v. Centrifugal Tech., Inc., 2009 U.S. Dist. LEXIS 86352 (W.D. La. 2009) (electronic data is not tangible property).
 
28
Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556 (2003).
 
29
America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 95 (4th Cir. 2003).
 
30
America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003).
 
31
E.g. Ashland Hosp. Corp. v. Affiliated FM Ins. Co., 2013 U.S. Dist. LEXIS 114730 at 18-19 (E.D. Ky. 2013) (direct and physical loss can include loss of reliability); Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010) (loss of use of computer was a physical loss).
 
32
See, e.g., Retail Sys., Inc. v. CNA Ins. Cos., 469 N.W.2d 735 (Minn. Ct. App. 1991) (holding computer tapes were tangible property); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288, 1290 (7th Cir. 1983) (a faulty controller in data processing system caused damage and a loss of customer data, court held insurer had a duty to defend under CGL as property damage); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 132 N.M. 264, 266 (N.M. Ct. App. 2002) (district court found computer data in case “was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed.”).
 
33
Ashland Hosp. Corp. v. Affiliated FM Ins. Co., 2013 U.S. Dist. LEXIS 114730 at 18-19 (E.D. Ky. 2013); Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010).
 
34
Anthem Elecs., Inc. v. Pac. Emplrs. Ins. Co., 302 F.3d 1049 1058-59 (9th Cir. 2002).
 
35
Anthem Elecs., Inc. v. Pac. Emplrs. Ins. Co., 302 F.3d 1049 1058-59 (9th Cir. 2002).
 
36
American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 U.S. Dist. LEXIS 7299; 2000 WL 726789 at 7 (dealing with a property damage policy, which insured against specific business interruption and service interruption losses). In Ingram Micro, Ingram’s computer systems became inoperable because of a power outage. Id. at 1. Ingram made a claim to American, which American denied based on its determination that a power outage did not cause “direct physical loss or damage from any cause, howsoever or wheresoever incurring” to Ingram’s computer system. Id. at 2 (emphasis added). The Court rejected American’s argument that the computer system and the matrix switch were not “physically damaged” because despite the loss of the programming information, the computers were able to perform their intended functions. Id. at 5. Instead, the Court agreed with Ingram and found that “physical damage” was “not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” Id. at 6. In finding that there was the requisite physical loss, the court borrowed from the federal computer fraud statute and other criminal statutes, which make it an offense to cause damage to a protected computer and which define damage as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. at 7. A subsequent Tennessee decision followed the Ingram Micro analysis. Southeast Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 838 (W.D. Tenn. 2006).
 
37
State Auto Property & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001) (while data was not tangible property, the loss of the use of the customer’s computer was tangible property).
 
38
Buchanan et al. (2018).
 
39
Buchanan et al. (2018).
 
40
Buchanan et al. (2018).
 
41
Id.; Insurance Services Office, Inc. (2013) Exclusion — Access or Disclosure of Confidential or Personal Information and Data-Related Liability — With Limited Bodily Injury Exception, CG 21 06 05 14.
The competing endorsements are the two versions of a revised Exclusion P that the ISO published in May 2014: one with a “limited bodily injury exception” and one without. The one with the exception preserves coverage for bodily injury damages, such as an injury sustained when glucose monitoring sensors stop receiving data. ISO Form CG 21 06 05 14 (2015). The other version essentially reverts to the 2004 variant of Exclusion P—it excludes any such damages, regardless of whether they arose from bodily injury or property damage. ISO Form CG 21 07 05 14 (2015). As always, the admonition is to read the applicable policy and the endorsements it contains.
 
42
Garrie and Mann (2014), pp. 389–390.
 
43
O’Donnel and Oonk (2017), pp. 10–11 (citing broad array of available policy forms).
 
44
Stephens and Tilton (2017), p. 18.
 
45
Stephens and Tilton (2017), p. 18.
 
46
Dominitz (2017), p. 33.
 
47
Dominitz (2017), p. 33.
 
48
Stephens and Tilton (2017), p. 18.
 
49
Stephens and Tilton (2017), p. 15 (“Sixty percent of ALPS’s insureds wisely retain the cyber coverage.”).
 
50
Garrie and Mann (2014), pp. 389–390.
 
51
Romanosky et al. (2017) (suggesting that 52% of exclusion types could be identified after an examination of only six policies).
 
52
Romanosky et al. (2017).
 
53
Buchanan et al. (2018).
Even if a potential policyholder is aware of the war exclusions and the consequent effect on coverage of cyber losses, it is an open question whether it is possible for even the most sophisticated of policyholders to avoid the war exclusions. Buchanan et al. (2018).
 
54
Buchanan et al. (2018).
 
55
Buchanan et al. (2018). The categorical statement in the text requires some qualification. There are as many as 13% of cyber policies that cover terrorism related losses. Romanosky et al. (2017).
 
56
Schwarcz (2017), pp. 1500–1502.
 
57
Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails. https://www.lw.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage; Buchanan and Gallozzi (2018) (adding the lack of “standardization among cyber policies’ wordings,” as a factor); O’Donnel and Oonk (2017), pp. 10–11 (noting that the creation of new forms has added to the mass of untested language).
 
58
35 F. Supp. 3d 765 (E.D. Va. 2014), aff’d per curiam, 644 Fed. Appx. 245 (4th Cir. 2016).
 
59
35 F. Supp. 3d 765, 767 (E.D. Va. 2014), aff’d per curiam, 644 Fed. Appx. 245 (4th Cir. 2016).
 
60
35 F. Supp. 3d 765, 770 (E.D. Va. 2014), aff’d per curiam, 644 Fed. Appx. 245 (4th Cir. 2016).
 
61
35 F. Supp. 3d 765, 772 (E.D. Va. 2014), aff’d per curiam, 644 Fed. Appx. 245 (4th Cir. 2016). (“That Portal’s conduct falls within the broader and primary definition of “publicity” suffices to establish that Portal gave unreasonable publicity to patients’ private lives when it posted their medical records online without security restriction.”).
 
62
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010).
 
63
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010).
 
64
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010). (citing State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1116 (W.D. Okla. 2001)).
 
65
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010).
 
66
Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821, 824-26 (6th Cir. 2012).
 
67
Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821, 832 (6th Cir. 2012).
 
68
Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821, 833 (6th Cir. 2012).
 
69
First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 Del. Super. LEXIS 465 at 5–7.
 
70
First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 Del. Super. LEXIS 465 at 16.
 
71
First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 Del. Super. LEXIS 465 at 25.
 
72
First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 Del. Super. LEXIS 465 at 25.
 
73
No. CV–15–01322–PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016).
 
74
No. CV–15–01322–PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016) at 12.
 
75
No. CV–15–01322–PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016) at 12.
 
76
InComm Holdings Inc. v. Great Am. Ins. Co., 2017 U.S. Dist. LEXIS 38132; 2017 WL 1021749 at 23 (policy language providing coverage for “computer fraud” did not cover fraud on the part of those who used telephones to defraud the insured); Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252, 258–259 (5th Cir. 2016) (computer was not direct cause of loss and use of email was “merely incidental” and noting every fraud that uses email is not a computer fraud).
 
77
Dominitz (2017), pp. 34–35 (discussing causation issues).
 
78
First Commonwealth Bank v. St. Paul Mercury Ins. Co., 2014 U.S. Dist. LEXIS 141538; 2014 WL 4978383 at 10–11 (settlement with customer for damage caused to client by malware not covered because insured failed to obtain insurer consent).
 
79
WMS Indus. v. Fed. Ins. Co., 588 F. Supp. 2d 730, 733–734 (S.D. Miss. 2008) (potential network damage claim denied on the basis that the claim was not within the time window specified in the policy—“during the period of restoration”).
 
80
For an interesting discussion of whether exclusions for “acts of war” and “warlike activity” apply to state-sponsored cyber-attacks, see Doherty (2017), p. 16.
 
81
There is ample evidence that the use of modest limits or sublimits is widespread. Romanosky et al. (2017), p. 11; Buchanan and Gallozzi (2018) (suggesting that, in some cases, $100 million limits are far too low given the large potential losses). A more insidious observation is that modest limits or sublimits “are effectively exclusions masquerading as coverage grants....” Buchanan and Gallozzi (2018).
 
82
Stephens and Tilton (2017), pp. 12, 17.
 
83
Enigbokan and Ajayi (2017), pp. 112, 114.
 
84
Boyce (2001).
 
85
Stephens and Tilton (2017), pp. 12, 17.
 
86
There is some indication that this is happening in a way. Researchers have discovered that six sample policies contained about 88% of the coverages available suggesting that the insurance industry itself is consolidating the perils it is willing to cover. Romanosky et al. (2017), p. 10.
 
87
See 42 U.S.C. § 1320d–5.
 
88
N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00 (2017); Stephens and Tilton (2017), p. 12.
 
89
N.Y. Comp. Codes R. & Regs. tit. 23, §§ 500.02-500.17 (2017) (These minimum standards include requirements for: penetration testing, vulnerability assessments, audit trail assessments, access privilege restrictions, application security, risk assessments, multi-factor authentication, limitations on data retention, training and monitoring requirements, incident response plans, encryption requirements, and specific notice to the superintendent of cyber events).
 
90
Romanosky et al. (2017), pp. 19, 31. Applications for insurance seem to require only rudimentary information. Id. at 19.
 
97
Nitardy (2017), pp. 26, 31 (questioning whether insurance law can evolve with technology).
 
98
Jerry and Mekel (2001), pp. 7, 30; Nitardy (2017), pp. 26, 31; Buchanan and Gallozzi (2018).
 
99
Buchanan et al. (2018).
 
Literature
America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 95 (4th Cir. 2003)
American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 U.S. Dist. LEXIS 7299; 2000 WL 726789 at 7
Anthem Elecs., Inc. v. Pac. Emplrs. Ins. Co., 302 F.3d 1049 1058-59 (9th Cir. 2002)
Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252, 258-59 (5th Cir. 2016)
Ashland Hosp. Corp. v. Affiliated FM Ins. Co., 2013 U.S. Dist. LEXIS 114730 at 18-19 (E.D. Ky. 2013)
Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288, 1290 (7th Cir. 1983)
Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 132 N.M. 264, 266 (N.M. Ct. App. 2002)
Cope CE, Reynolds I (2015) “Breaking Bad” in Cyberspace: A Challenge for the Insurance Industry. Emerging Issues 7296
Doherty KR (2017) The Art of (Cyber) War. Intell Prop Technol Law J 29(6):16
Dominitz EJ (2017) To err is human; to insure, divine: shouldn’t cyber insurance cover data breach losses arising (in whole or in part) from negligence? The Brief 46(4):32, 33 (describing cyber losses as “not just a passing fad”)
Enigbokan O, Ajayi N (2017) Managing cybercrimes through the implementation of security measures. J Inf Warf 16:112, 114
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010)
First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 Del. Super. LEXIS 465 at 5-7
First Commonwealth Bank v. St. Paul Mercury Ins. Co., 2014 U.S. Dist. LEXIS 141538; 2014 WL 4978383 at 10-11
Garrie D, Mann M (2014) Cyber-security insurance: navigating the landscape of a growing field. J Marshal J Inf Technol Priv Law 31:389–390
InComm Holdings Inc. v. Great Am. Ins. Co., 2017 U.S. Dist. LEXIS 38132; 2017 WL 1021749 at 23
Insurance Services Office, Inc. (2013) Exclusion — Access or Disclosure of Confidential or Personal Information and Data-Related Liability — With Limited Bodily Injury Exception, CG 21 06 05 14
Jerry RH, Mekel ML (2001) Cybercoverage for cyber-risks: an overview of insurers’ responses to the perils of E-Commerce. Conn Inst Law J 7:11–17
Martinez LP, Richmond DR (2018) Insurance law, 8th edn. West Publishing Co
Matthew Bender & Company, Inc. (2nd 2011) Appleman on Insurance Law & Practice Archive. 20-129 § 129.2
N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00 (2017)
N.Y. Comp. Codes R. & Regs. tit. 23, §§ 500.02-500.17 (2017)
Nitardy ME (2017) Fraud involving a computer is not automatically “Computer Fraud”. Brief 46(4):27
O’Donnel B, Oonk LA (2017) Changes in latitudes, changes in attitudes: looking back over 25 years of coverage litigation. Brief 47:10–11
OOIDA Risk Retention Grp., Inc. v. Griffin, 2016 U.S. Dist. LEXIS 57469 at p. 15 (E.D. Va. 2016)
Ostrander B (2006) Chasing Moore’s Law: information technology policy in the United States. J High Technol Law 5:1
P.F. Chang’s China Bistro, Inc. v. Federal Insurance Company, No. CV–15–01322–PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016)
Retail Sys., Inc. v. CNA Ins. Cos., 469 N.W.2d 735 (Minn. Ct. App. 1991)
Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821, 824-26 (6th Cir. 2012)
Romanosky S et al (2017) Content analysis of cyber insurance polices. Rand Corp WR-1208:3, 14
Schwarcz D (2017) Coverage information in insurance law. Minn Law Rev 101:1500-02
Selective Way Ins. Co. v. Crawl Space Door Sys., 162 F. Supp. 3d 547, 551 (E.D. Va. 2016)
Southeast Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 838 (W.D. Tenn. 2006)
State Auto Property & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001)
Stephens JF, Tilton MW (2017) Lawyers still lag behind in network and information security risk management: clients and regulators demand more. Brief 46(4):12, 15
Sun M (June 21, 2018) Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance, WSJ B10
Travelers Indemnity Co. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014), aff’d per curiam, 644 Fed. Appx. 245 (4th Cir. 2016)
Union Pump Co. v. Centrifugal Tech., Inc., 2009 U.S. Dist. LEXIS 86352 (W.D. La. 2009) (electronic data is not tangible property)
Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556 (2003)
WMS Indus. v. Fed. Ins. Co., 588 F. Supp. 2d 730, 733-34 (S.D. Miss. 2008)
Wood SA et al (2017) Aviation and cybersecurity: an introduction to the problem and the developing law. Brief 46(4):38–39
Metadata
Title: Cyber Risks: Three Basic Structural Issues to Resolve
Author: Leo P. Martinez
Copyright Year: 2020
Publisher: Springer International Publishing
DOI: https://doi.org/10.1007/978-3-030-27386-6_10