By Douglas McLeod
Cyberrisk is evolving quickly as computer technology develops and as regulators step up efforts to ensure a safe marketplace. Even as companies grapple with the extent of their exposure to malicious and accidental data security breaches, the landscape is shifting.
Cloud computing, for instance, in which companies outsource computing and data storage needs to third-party vendors, raises a host of liability and insurance issues.
Companies are still responsible for personal data stored on cloud providers' servers, and some may be too reliant on providers' security measures, especially given the limitations of liability often written into providers' service contracts, experts said.
Also, companies often share space on cloud servers with providers' other clients, and some cloud contracts allow providers to move clients' data from one server to another.
Even a company that is not a target of cyberattacks could be at greater risk if it is sharing space with a company that is prone to attack, said Toby Merrill, vice president with ACE Professional Risk in Philadelphia. When a breach occurs, experts typically seek to create an "image" of the server for forensic investigation, said Lori S. Nugent, a partner with Wilson, Elser, Moskowitz, Edelman & Dicker in Chicago. This process can become complicated if the server also contains confidential information of unrelated companies, she said.
Companies also have to keep track of the physical location of the cloud servers they're using, Nugent said. If a company is in the United States and its cloud server is in Europe, it may have reporting and other obligations under European law.
For insurers the cloud presents a potential loss aggregation problem if they write cyberliability policies for multiple companies using the same cloud provider.
Other evolving cyberrisks include:
-- Social media and mobile devices. Social media have become an extension of email, used by company employees at home, at work and on laptops, smart phones and other devices while traveling. Security risks have likewise grown. Employees can inadvertently disclose confidential information or download malware from social media sites, experts warn. As mobile devices blur the line between workers' professional and personal lives, confidential business information becomes more vulnerable to attacks on employees' own devices and email accounts.
-- Regulatory enforcement. Along with state laws setting data breach response obligations, federal laws impose privacy rules for various industries. Health care companies, for example, are subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act. Regulators have stepped up enforcement in recent months: Massachusetts General Hospital agreed earlier this year to pay a $1 million penalty for potential HIPAA violations after an employee left medical records of 192 patients on a subway train on the way to work.
The 2009 HITECH Act, meanwhile, empowers state attorneys general to pursue violations of the federal law. Such cases potentially represent a political benefit to aggressive prosecutors and a financial benefit to states that would collect fines and penalties, cyberrisk experts said. "There's a lot of wait and see still in terms of how the regulators will actually behave," Nugent said.
-- Changing privacy law. The scope of what constitutes "personally identifiable information" continues to evolve. The California Supreme Court ruled earlier this year, for example, that zip codes requested during credit card transactions are protected personal data under a state credit card law.
Consumer lawsuits over privacy issues also are increasing, including suits filed last year against Apple Inc., Google Inc. and Web advertising network Interclick Inc. over applications that allow advertisers to track users' web browsing habits, downloads and other personal information.
October 15, 2011
Copyright © 2011 LRP Publications