Tuesday, October 6, 2009

We Want Your Information

It's 8 pm, who's watching your information? Does your insurance policy cover your company's potential liability if your network were breached?

In a prior post, I wrote about the E&O exposure that Tech companies face when their clients fall victim to a network security breach. (Access Unauthorized? Claim DENIED!) This post focuses on your potential liability from hacks on your own networks.

Earlier this year, I came across the following article:

Apptis Cited for Lax Computer Security on Army Medical Job

July 24 (Bloomberg) -- Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor’s system was hacked from an Internet address in China...http://www.bloomberg.com/apps/news?pid=email_en&sid=aVGfDq5FlMBU

The Government relied on this company to maintain secure networks. That security failed, and Apptis found themselves liable. Did their policy cover the loss?

This is just my guess, but the claim was probably denied for 2 reasons:

1. You cannot be liable to yourself.

Errors & Omissions Insurance is a 3rd party coverage. Therefore, the policy will only respond to damages claimed by companies not assoicated with the insured (or the 1st party). In the above example, the Pentagon claimed that Apptis failed to provide adequate security as required in their contract and required them to refund a portion of the contract price. Apptis lost the money, so I don't believe their E&O policy would respond. It is possible that the E&O coverage may respond due to the alleged breach of contract. However, if the root cause of the damage is excluded by the policy, then the carrier may have denied coverage.

2. Network Security exclusion.

We will not pay damages or claim expenses for any claim arising out of or in any way related to: Failure to prevent identity theft or disclosure of personally identifiable information.

This is a common exclusion in E&O policies. Check your policy to see if it contains similar wording.

Cyber security has been a hot issue for several years. However, the Federal Government is redoubling its efforts to enforce secure networks and tighter controls on information. As the Apptis article shows, Uncle Sam will not hesitate to recoup his money, if he feels that your security was not up to snuff. The Apptis article states:

President Barack Obama is seeking to improve security in government computer systems. He said in May he will appoint a White House adviser to oversee the security of all government and business computer networks in response to widespread breaches and theft of information.

The Pentagon by September will publish proposed revisions to its acquisition rules that will require improved protection of Pentagon information in its contracts, said spokeswoman Cheryl Irwin. A draft proposal will be released for public comment, she said in an e-mail.

If you do business with the Federal Government, you will need to comply with their security standards. If those security standards fail, then your company may be held liable.

Has your company ever been a victim of information theft or an unauthorized intrusion? Please let me know how it affected your business.

No comments:

Post a Comment