As previously mentioned, the majority of states currently have breach notification laws and the first state to adopt a notification law was California. Now, California has a new bill that, if passed, would require companies to provide victims with more information regarding the breach as well as notify the State if the breach affects over 500 California residents. The notification to a central governmental agency could allow for improved tracking of breach activity. But in this particular area, California is not necessarily the pack leader as other states already have requirements for providing breach notification to state enforcement agencies. As discussed at the recent Security Breach Notification seminar at Berkeley, all of these notification laws may not be working anyway, as data on security breaches continues to be unreliable. Still, as long as the notification laws are in place, companies can better afford compliance if they have insurance coverage that helps offset the cost. Many insurance markets do offer protection for breach notification costs. Look for protection that includes privacy regulatory-imposed civil fines and penalties and consider what type of private data is covered as well as what type of limit applies.

By applying an early state statute instead of the U.S. Supreme Court’s decision regarding what constitutes actual malice, the 1^st Circuit U.S. Court of Appeals in Boston is allowing a libel lawsuit brought by a terminated employee against his employer to proceed. Since the content in question is an email that no one disputes is true, the ruling is creating a stir regarding the impact on the First Amendment.

Click to read more ...

RETIREMENT! Wow! It’s hard to believe the time is here for me…seems very weird and a little scary at times, but also VERY exciting. Some have said they think I’m too young to retire. But, for the past year or so, I’ve felt as though my thinking is possibly too old for the state of our industry.

Click to read more ...

A breach of contract exclusion in the errors and omissions policy purchased by an insurance agent that held binding authority for a property insurer was applied recently to bar the agent from receiving any E&O coverage when it was sued for having, apparently negligently rather than purposefully, issued two property policies that were beyond the scope of its binding authority.

Click to read more ...

As reported by the Washington Post, the latest survey from the Ponenom Institute pins down the average cost to a company for a security breach at $6.6 million for 2008 (up from $6.3 million in 2007 and nearly $5 million in 2006). The cost per lost record is estimated at $202. When we first started blogging this cost, states were still developing notification laws. At this point, the majority of states have passed some legislation for it. While there are insurance options to aid companies facing a security breach, the survey points out that customers, especially those in the financial and health industries, do lose trust and leave a company after a breach is reported.

The answer primarily depends upon the services provided by the tech company but, first, let’s look at the usual Commercial General Liability (CGL) policy. A standard CGL policy provides coverage for infringement of trade dress, copyright or slogan if the infringement occurs in the insured’s advertisement. A CGL policy also contemplates coverage for the use of another’s advertising idea in an advertisement. Further, a CGL policy does consider websites as an advertisement but only protects that portion of the website that functions as a means for promoting the insured’s products and services to attract clients. So, with these CGL protections, a tech company with intellectual property (IP) exposures limited to advertising activities, may not require IP protection in its E&O policy.

Click to read more ...

Nude photos on a smartphone serve to illustrate another potential vulnerability in information security for companies.

A married couple sued McDonald’s Corp. after photos of the wife turned up on the internet. Phillip Sherman says he left his iPhone, which contained the photos, at a restaurant in Arkansas and that an employee of the restaurant promised to secure the phone until he returned. He and his wife, Tina Sherman, want to hold the franchisor responsible for distribution of the photos.

Click to read more ...