
New Perils in a Connected World – Ignorance is not Bliss

Tuesday, April 17th, 2012

Ignorance is NOT Bliss! By Stew Nelson

I can’t believe how many of the businesses I speak with, when questioned about their exposure to a data breach, believe that they have no risk at all! Perhaps the problem is the insurance industry’s practice of selling policies with “holes” in them. The carriers call the “holes” Exclusions and then stick them at the end of a policy that no one reads anyway.

So, if you are not going to read your policy, I will read some “fine print” for you. This was found on page 65 of 212 of a random policy I pulled from my files. Under Property Not Covered, Electronic data: “Electronic data means information, facts or computer programs, stored as or on, created or used on, or transmitted to or from computer software (including systems and application software), on hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other repositories of computer software which are used with electronically controlled equipment.” Wow! I have to mark the author down for a run-on sentence, but I have to give them credit: I cannot think of any way you could get coverage for intangible property, i.e. bits and bytes, from this policy!

Now let’s jump to the Liability Section of the policy. Under Perils Excluded, Computer Virus or Computer Hacking: “We do not pay for: 1. any direct or indirect loss or damage or, 2. loss of access, loss of use, or loss of functionality caused by a ‘computer virus’ or by ‘computer hacking’”. There are other Exclusions in the Personal and Advertising Injury Section, but I think you get the idea: no coverage for bits and bytes.

So I am going to repeat myself one more time: if your business uses computers attached to the internet for email or a web site, you need a Cyber Liability policy that covers damage to your own or others’ intangible property. Do me a favor and call your local insurance professional right now and have a frank conversation about the financial risk you are unnecessarily assuming if you don’t have a Cyber Liability policy for your business. The business that owns the policy I just read from does. It cost all of $990 for $1M of coverage.

New Perils in a Connected World – Which Cyber policy should you use?

Friday, March 23rd, 2012

Confused about finding the correct Cyber policy? Join the crowd! By Stew Nelson

As more and more insurance carriers issue cyber liability policies, it is getting much harder to select the policy that is best for your business. I would venture to say that it is impossible for the average insurance agent to understand them all. I know, because I spend four or five hours a week reading cyber policies to keep up to date with the latest and greatest offerings from Chubb, CNA, Chartis, Travelers, Hartford, Hiscox, Liberty Mutual and Hanover, just to name a few.

To help you out, I am updating a post I made last year that examined a number of the features of Cyber policies that you should know are available. I have added a fourth major policy type to consider, Network Security, and a section on Common Exclusions. Remember that First Party costs are costs that you incur and Third Party costs are costs that you are obligated to pay to a client or unrelated party.

Major Cyber policy types (Not all are automatically included in a single policy):

1. Data Breach (Failure to protect an individual’s privacy)
2. Virus and Malware (Malicious software code)
3. Publishing/Media Liability (Web content)
4. Network Security (Loss or damage to the insured’s or a third party’s network)

1. DATA BREACH COVERAGE

First Party Costs
o Notification/Credit monitoring
o Public relations
o Extortion
o Terrorism
o Network damage
o Loss of digital property
o Enhancements in security
o Contractual liability in absence of a contract
o Allocation of covered and non covered claims
o Innocent mistakes
o Rogue employees
o Regulatory fines and penalties

Third Party Costs
o Privacy of employees
o Privacy of Customers
o Legal expenses
o Arbitration
o Coverage for independent contractors
o Non-monetary damages
o Innocent mistakes
o Assumed liability by contract

2. VIRUS & MALWARE

First Party Costs
o Network damage
o Business Interruption
o Enhancements in security
o Innocent mistakes

Third Party Costs
o Business Interruption
o Loss or damage to digital property

3. PUBLISHING/MEDIA LIABILITY

Defense and Settlement costs for
o Copyright infringement, slogan, trademark, trade name or service name
o Libel, slander or defamation, product disparagement or emotional distress
o Invasion of privacy
o Plagiarism, failure to attribute
o Misstatement or misleading statement
o Failure to follow published privacy policy
o Wrongful entry or eviction
o Contextual errors and Omissions

Miscellaneous issues
o Defense costs within the limits
o Claims Made or Occurrence
o Punitive Damages
o Territory

4. NETWORK SECURITY

First Party Costs
o Cyber Extortion
o Denial of service attacks
o Network Business Interruption
o Network asset damage & extra expense
o Emergency Response Fund
o Electronic Theft (Money, products,

Third Party Costs
o Denial of service attacks
o Network Business Interruption
o Network asset damage & extra expense

COMMON EXCLUSIONS (Not all of these appear in every policy, thank goodness!)
o Fraudulent acts of the insured
o Deliberate acts
o Infringement of a patent or trade secret
o Bodily injury or property damage
o Loss caused by an employee, officer, director, owner or independent contractor
o Liability assumed in a contract (Business Associates should watch out for this one!)
o Antitrust, restraint of trade, unfair competition
o Regulatory taxes, fines & penalties
o Deliberate failure to report
o Electrical or mechanical failures
o Telecommunications interruptions
o Failure to follow Minimum Required Practices

Please use this “Check List” to sit down and have a frank conversation with your insurance professional before you have an uncovered cyber claim. All 50 states have privacy regulation on the books, and the HIPAA and HITECH regulations have put some real teeth behind the penalties for violations of privacy and inadequate network security. Don’t get bit.

The cost of “not knowing what you don’t know about cyber liability” is going up

Friday, February 24th, 2012

Effective September 2012, if you “do business in Texas” (whatever that means) and you have a data breach involving personal information (PI) and fail to notify the affected individuals “as quickly as possible”, you are open to a fine of $100 per day per individual, up to $250,000! The infraction is a misdemeanor unless the information is protected health information (PHI), in which case the offense can be a felony! Yikes! H.B. No. 300 adds some serious teeth to the state’s mandatory breach notification law.

Better keep your attorney’s phone number next to the phone number of your cyber insurance agent in case of a breach. Keeping track of the notification requirements of 46 different states seems almost impossible without professional help. I unconditionally recommend one of two attorneys in SE Michigan if you have a breach: Claudia Rast at Butzel Long or Stephen Tupper at Dykema. Trust me, these two are terrific attorneys. Call one or both before you have a data breach so you are ready for the day you get the call: “We’ve been breached.”

Happy New Year! Your Account Has Been Hacked!

Thursday, February 2nd, 2012

That was the news my oldest son received last week from Zappos. It seems my son’s largesse at Christmas time included buying my youngest son a pair of shoes from Zappos, the online retailer owned by Amazon. Needless to say, my son was shocked and a bit put off by the need to change his passwords for numerous websites scattered around cyberspace. The good news was that the hackers did not get complete credit card numbers, but they did get enough information, including email addresses and cryptographically scrambled passwords, for 24 million people. With a little effort it is not inconceivable that the hackers could do some real damage by taking control of thousands of email accounts and by using the information obtained to run some convincing phishing attacks.

To my regular readers this is not news. It seems like every week some seemingly hacker-proof company gets hacked! So if it is not too late, I would like to suggest another New Year’s resolution for you: reset all your passwords with “strong passwords”. We all know what makes a “strong @A66$i?+” from my previous articles. I know what a pain it is to manage dozens of passwords, but if you are going to keep doing business on the Internet, we need to stay vigilant and one step ahead of the bad guys waiting for a chance to get their hands in our wallets.

For those of you who have a hard time remembering all your passwords, I have a recommendation. Give LastPass a try. LastPass is a free password management service that manages all your passwords across multiple devices such as computers and mobile phones. Not only will it store your passwords and log you in automatically, it will actually generate a strong password for you. There are other features, such as having it automatically fill in memorized passwords, but I don’t recommend you do that. Just try it out on a few web sites, and then as you revisit each site generate another password and LastPass will memorize it for you automatically. You can even store credit card information and the program will complete online order forms for you. I know you are wondering how they keep our information safe. The answer is that they encrypt your whole vault, on your own device, with a key derived from your master password (Zappos only scrambled the passwords), which makes the stored information almost worthless to hackers. Notice I didn’t say totally worthless: the vault is only as strong as the master password that unlocks it, and a scrambled password is still open to guessing. Encryption is not a silver bullet, but it is the next best thing.

Let me know how you like this program.  I am a big fan after using it for only a week.
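As an added example (not from the original post, and not a description of how Zappos or LastPass actually stores anything), here is why a dump of scrambled passwords is still worth something to the thief. The table, the salts, the account names, the word list and the mangling rules are all constructed for the example; SHA-256 with a per-user salt stands in for whatever scheme a real site uses. The crack function does what a hacker with the dump does: hash guesses from a word list and its common variants with each user’s salt until one matches.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// record is one row of a leaked credential table: user, per-user salt and
// hex(SHA-256(salt || password)). SHA-256 stands in for the site's real
// scheme; a slow hash such as bcrypt only raises the cost per guess, it does
// not stop guessing.
type record struct {
	user, salt, hash string
}

// hashPassword is how the site stored the password; the attacker runs the
// same function over guesses.
func hashPassword(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// sampleDump builds a constructed "leak" of three accounts. In a real breach
// the attacker only sees the salt and hash columns.
func sampleDump() []record {
	accounts := []struct{ user, salt, pw string }{
		{"alice", "a1f9", "Shoes123"},     // dictionary word plus the usual suffix
		{"bob", "7c2e", "letmein!"},       // dictionary word plus punctuation
		{"carol", "e04b", "qX7#vM2&kLp9"}, // random 12 characters, four classes
	}
	dump := make([]record, 0, len(accounts))
	for _, a := range accounts {
		dump = append(dump, record{a.user, a.salt, hashPassword(a.salt, a.pw)})
	}
	return dump
}

// wordlist is a tiny constructed stand-in for the hundreds of millions of
// entries in a real cracking list.
var wordlist = []string{"password", "shoes", "winter", "letmein", "zappos", "michigan"}

// variants applies the mangling rules people use to "strengthen" a word:
// capitalize it, append digits, append punctuation, append a year.
func variants(w string) []string {
	capped := strings.ToUpper(w[:1]) + w[1:]
	return []string{w, capped, w + "1", w + "123", w + "!", capped + "123", capped + "!", capped + "2012"}
}

// crack hashes each guess with each user's salt until the hash matches and
// reports what it recovered plus how many hashes it had to compute. The salt
// forces one hash per guess per user rather than one per guess, nothing more.
func crack(dump []record) (found map[string]string, guesses int) {
	found = map[string]string{}
	for _, r := range dump {
	search:
		for _, w := range wordlist {
			for _, g := range variants(w) {
				guesses++
				if hashPassword(r.salt, g) == r.hash {
					found[r.user] = g
					break search
				}
			}
		}
	}
	return found, guesses
}

func main() {
	found, guesses := crack(sampleDump())
	fmt.Printf("%d hashes computed, %d of 3 passwords recovered:\n", guesses, len(found))
	for user, pw := range found {
		fmt.Printf("  %s -> %q\n", user, pw)
	}
}
```

Running it reports 91 hashes computed and two of three passwords recovered. Only the random twelve-character password survives, and it survives because no list the attacker owns contains it, not because of the salt. A slow hash such as bcrypt multiplies the cost of each of those 91 guesses but does not change which passwords fall.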

A Holistic Approach to Insuring Venture Capital Firms and Their Portfolio Companies

Tuesday, January 17th, 2012
New Perils in a Connected World by Stew Nelson

This is a long article so I am just posting the intro paragraph and the summary. If you would like to read the full article follow the link.

CLICK HERE for full article

From the moment the CEO of a startup signs a Term Sheet offered by a venture capital company, the futures of both entities are inextricably linked, at least until the venture firm “cuts the cord” on its investment. In most cases, their large investments grant the lead venture firm full or partial control of the startup’s Board of Directors, allowing them to install outside directors and to replace members of the management team for failure to meet specific milestones. This contractual arrangement aligns both companies’ risk profiles much as a parent company’s and a subsidiary’s are aligned. Because their risk profiles overlap, properly insuring a portfolio company should recognize the overlap and attempt to create a seamless layer of protection, much as granting Additional Insured status does for a wholly owned subsidiary. In non-insurance terms, both the venture capital (VC) firm and its portfolio company should be insured by the same agency and, if possible, by the same carrier, with the utmost care to accommodate the unique relationship between these two entities.

SUMMARY: Insuring Venture Firms and Their Portfolio Companies

  • Always use specific insurance language in the Term Sheet
  • Use one carrier to insure both the VC firm and its portfolio companies if possible
  • Every conduct exclusion needs a severability clause
  • Utilize ironclad indemnity agreements for each outside director
  • Insist that the Insured v. Insured exclusion is waived for Employment Practices claims


New Perils in a Connected World – Data Security Seminar

Wednesday, December 14th, 2011

Kapnick Insurance Group presented its first client seminar in our new auditorium on December 12th, 2011. The new room, outfitted with dual touch-enabled whiteboards, a raised podium and seating for up to 80 participants, was a perfect forum for the Data Security Seminar I moderated. Thirty-five attendees seemed to enjoy hearing from five prominent speakers on a variety of topics relevant to any business that does not want sensitive information shared with the world.

Mike Klein, President & COO of Online Tech, the leading data center operator in Michigan, started the presentations off by explaining how Online Tech handles security at its state-of-the-art facilities in Ann Arbor and Flint. I have been to one of the Ann Arbor facilities and I can attest that Online Tech is the “Gold Standard” for protecting sensitive data. If I were looking for a way to store sensitive data, that is the first call I would make. It makes economic sense too. Think about it: Online Tech can spread the cost of all of its current and future security measures across all of its clients, as opposed to an individual company having to pay for them alone. For most companies that would break the budget.

Joe Dylewski, CEO of ATMP Solutions, spoke about HIPAA compliance and how his business works with Covered Entities to help them comply with the HIPAA rules and now the HITECH regulations. While there were only a few Covered Entities in the room, Joe reminded us that Business Associates, i.e. any company that has physical or virtual access to protected health information (PHI), are bound by the same rules as the customers they serve. That places Kapnick Insurance squarely in that category, and I can assure you that our agency takes that responsibility very seriously and aggressively follows the HIPAA and HITECH regulations to the letter.

Next up was Mark Ford, a senior leader in Deloitte’s Security & Privacy practice. He currently serves as the Security & Privacy Health Sciences Industry Leader and Healthcare Provider & Plans Sector champion. Mark’s main theme was that HIPAA and HITECH enforcement actions are going to heat up over the next three years, as the Office for Civil Rights (OCR) has awarded KPMG LLP a $9.2 million contract to administer the HIPAA privacy and security compliance audits required by Congress via HITECH. The first phase of the audits, in which OCR plans to visit 150 covered entities, is expected to begin this fall and end by December 31, 2012. The bottom line is that more fines are expected, and the fines will fund more enforcement. This has the potential to snowball and create headaches for Covered Entities and Business Associates.

Mark Ford, Joe Dylewski, Mike Klein and Adam Goslin listen while Stephen Tupper (not pictured) gives his talk.

Adam Goslin, owner of High Bit Security, was next up and clearly a crowd favorite. Adam spends his days trying to hack into his clients’ networks to test their firewalls and their vulnerability to external attacks. Adam explained why hackers intent on stealing data are so motivated to penetrate your security. The obvious Willie Sutton answer is because that is where the money is! For example, Adam revealed that a Facebook account and password is worth $300 to a hacker, and bank account numbers and passwords up to $850 [1]. If you are interested in learning more about what Adam does when he tests security, please take a look at the FAQ on his web site.

Last but certainly not least was Stephen Tupper of Dykema, who manages the data security, privacy and e-commerce practice in the firm’s Bloomfield Hills office. Stephen, using military fighter pilot terminology, amused the audience as he discussed the various federal and state laws that affect victims of a data breach. Stephen provided everyone who attended with a checklist of all the steps a company should take if it is the victim of a data breach. Given that 70% of data breaches are happening to private companies, it would not be surprising if several of the companies in the audience actually need to use it at some point. The point Stephen wanted to make, however, and that I have been pounding into your heads, is that the time to prepare is before you actually have the breach.

I hope that attending this seminar caused 35 firms to review their security practices, and that if they find themselves lacking, they will call several of the presenters and start taking steps to prepare. Don’t forget also that we can insure almost any risk that you can encounter doing business on the web.

[1] Examples of how much your data (or customer data) is worth to a hacker (source: Popular Science, April 2011):
– Utility bill, scanned = $10
– Full identity = $6 – $80
– Gmail user name and password = $80
– Facebook user name and password = $300
– Passport, scanned = $20
– Driver’s license, scanned = $20
– Bank account credentials = $15 – $850
– Credit card with $1,000 available = $25
– Credit card with personal info = $80

How safe is my data and intellectual property?

Friday, December 2nd, 2011

NEW PERILS IN A CONNECTED WORLD by Stew Nelson

How safe is my data and intellectual property? What do I do if it is compromised? How much is a data breach going to cost me? What can I do to adequately protect my company from a data breach?

Kapnick Insurance Group is pleased to announce a data security panel discussion, open to the public, at Kapnick Insurance Group’s Ann Arbor office, 1201 Briarwood Cir., Ann Arbor, MI 48108, on December 12, 2011 from 7:00 AM to 9:30 AM, to discuss these important issues facing virtually every business.

Participating in the panel discussion are; Mark Ford, Deloitte Touche, Privacy and Security consultant, Joseph Dylewski, ATMP Solutions, HIPAA Expert and Consultant, Adam Goslin, High Bit Security, Network Security Analyst/ PCI consultant, Stephen Tupper, attorney, Dykema Gossett, privacy practice leader and Mike Klein, President, Online Tech, the largest data center hosting provider in Michigan. The panel discussion is being moderated by Stewart Nelson, Kapnick Insurance, Account Executive.

Business owners, executives, managers and IT professionals from any company that stores information or data that it would not want to share with the world should plan to attend. The panelists will discuss how to prevent data loss, what to do after you’ve been hacked, how to comply with federal regulations such as HIPAA and HITECH, the PCI industry standard and the state laws governing breach notification, and other pertinent topics. There will be time for questions and answers after the panel discussion.

“Kapnick Insurance Group is pleased to be able to sponsor this educational seminar in our new Ann Arbor location and Auditorium bringing  together an outstanding group of experts to discuss the risk implications of storing data in a connected world” said Jim Kapnick, President of Kapnick Insurance Group.

Don’t Delay! Online registration is only open to the first 100 individuals who sign up at http://tiny.cc/n3cwm

Questions regarding the seminar can be directed to Stewart.Nelson@Kapnick.com

Should I be Afraid of Being Hacked?

Monday, October 3rd, 2011

New Perils in a Connected World by Stew Nelson

You bet your business you should!!  This company did…and lost.

I have been railing at you about the high cost of a data breach, but this is the first company I know of that paid the ultimate price: declaring bankruptcy! In late September DigiNotar, a Dutch certificate authority, filed for bankruptcy after the company was hacked and its signing systems were used to issue fraudulent certificates.

Without going into all the technical details of certificates: a certificate is what your browser or mail client relies on to decide that the site it is talking to really is who it claims to be, so in the wrong hands a certificate for someone else’s domain lets a hacker spy on e-mail accounts, set up phony websites, steal login passwords and, worse yet, destroy confidence in e-commerce in general. Over 500 fraudulent certificates were issued for domain names belonging to the CIA, Mossad, Facebook, Google, Twitter, Microsoft’s update service, Yahoo and Skype, just to mention a few. Obviously, this was a very serious breach.

Weak passwords and other security lapses.

After the breach, an independent investigator identified numerous security lapses, such as weak passwords, no antivirus protection and out-of-date security patches on the core software. These lapses are inexplicable and contemptible for a company playing such a vital role in e-commerce. The Dutch government took over operational control and revoked the company’s authority to issue certificates, the browser vendors removed its root certificates from their trust stores, and the company ceased operations almost immediately.

The parent company pays the price also!

DigiNotar was purchased not long ago by Vasco Data Security (VDSI), a publicly traded U.S. company, for over $13 million. I suspect, and the stock market agrees, that substantial write-offs will impact future earnings, as Vasco’s share price has dropped almost 60% since the incident in mid-July.

Lessons learned.

Businesses must take data security seriously. The old adage “an ounce of prevention is worth a pound of cure” comes to mind. If you store data, you had better secure it! After a hack, if there is perceived negligence by your customers, competitors or state and/or federal regulators, you’ll end up paying the price like DigiNotar did.

New Perils in a Connected World – Data Breaches of the Month

Monday, September 12th, 2011

New Perils in a Connected World – by Stew Nelson

Data breaches announced in August at the University of Wisconsin-Milwaukee and Yale University compromised Personal Information consisting of the names and Social Security numbers of almost 120,000 individuals. These breaches could cost $500,000 just to provide two years of credit monitoring for everyone affected. Add $10 to send each notification by registered letter and that is another $1.2 million in remediation costs! It is not hard to imagine the total cost of these two breaches exceeding $2 million. Serious money!

Lessons we can learn

The breach in Milwaukee was caused by malware installed by an unknown individual. It could be that an insider installed the malware on the affected server, but it is equally likely that the malware infected someone’s computer when they visited a compromised website. No matter how much security you install, a rogue employee can always do damage. But if the malware came in through web surfing, it is far more preventable with employee education and strict usage policies for university or corporate computers. As hackers become more sophisticated they are setting traps in what appear to be innocuous websites, on employees’ home computers and even on cell phones. So using a personal computer or a personal cell phone for work can compromise an entire network.

The breach in New Haven, Connecticut at Yale University appears to be a case of negligence (as most breaches are!): a server containing names, addresses and Social Security numbers of former employees, employees and students from 1999 was left connected to the Internet. So, wouldn’t you know, along came a Google crawler, indexed the data file, and the damage was done. The question is why the server was connected to the Internet to begin with, as there probably wasn’t much immediate need to retrieve information from this legacy database. The lesson is that all data stored by an organization needs to be assessed for confidentiality and stored accordingly. As I have mentioned in previous posts, if you don’t need to store it, shred it!

Universities are typically self-insured for these types of liabilities; however, you don’t have to be. Each of these situations could have been fully insured at very reasonable prices. Talk to your agent about cyber liability insurance.

Three Simple Ways to Improve Network Security

Friday, August 12th, 2011

New Perils in a Connected World – by Stew Nelson

With all the data breaches in the news lately, it is becoming obvious that we are not doing a very good job of securing our data. No doubt there are some clever hackers out there smart enough to penetrate even DOD and bank firewalls, but many of the breaches we read about could easily have been prevented with common sense and a few simple tips. Here are three easily implemented tips for you to consider:

Be Suspicious. The most important tip I can give you is to be on your guard and overly suspicious of every file or link that you receive from outside your business. Not to sound paranoid, but even files received from supposedly trusted sources must be treated as potential threats. In 2009, the controller of a small metal manufacturing company in SE Michigan received an email purportedly from their bank asking him to “click on a link” to a web form and verify all the passwords for their online bank account as part of the bank’s routine maintenance program. After the controller complied with the “bank’s” instructions, it took the hackers less than six hours to empty the account of almost $2M. The bank was able to recover all but $560,000 of the company’s money, and the company recovered that from the bank in the subsequent lawsuit. For those of you who do not understand what happened, I am only going to say this once: a bank will never ask you for the passwords to your account!

Use Strong Passwords. A strong password consists of at least ten characters, including upper and lower case letters, a number or two and special characters. Don’t use dictionary words or the names of your kids, as they are too easily guessed. I know you are all getting really tired of making up new passwords to comply with HITECH, so if you run out of ideas, take a look at a neat web site I found called HealthyPasswords.com. They make it easy to find clever passwords that are harder to crack. I also recommend that you use separate passwords for personal and business use, and never the same password on two sites. I know this is mentally taxing, but habits are hard to break, and if a hacker gains access to your personal files, why jeopardize your business files also.
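The rules above, as an added example in Go (not from the post, and not how HealthyPasswords.com or any other service works): CheckPassword reports which of the rules a password breaks, including a constructed stand-in for the dictionary and first names a cracker tries first; GeneratePassword draws a compliant password from the operating system’s random source; and EntropyBits shows roughly how much bigger the search space gets when every class of character is in play. The function names, the word list and the set of special characters are choices made for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
	"unicode"
)

const (
	minLength = 10
	lowers    = "abcdefghijklmnopqrstuvwxyz"
	uppers    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits    = "0123456789"
	specials  = "!@#$%^&*()-_=+[]{};:,.?/" // 24 characters
	alphabet  = lowers + uppers + digits + specials
)

// forbidden is a constructed stand-in for the dictionary, names and seasons a
// cracker tries first. A real check would load a word list of millions.
var forbidden = []string{"password", "letmein", "welcome", "summer", "michigan", "emily", "jacob"}

// classes reports which character classes appear in pw. Anything that is not
// a letter or digit (punctuation, symbols, space) counts as special.
func classes(pw string) (lower, upper, digit, special bool) {
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	return
}

// CheckPassword returns one message per rule from the post that pw breaks:
// length, both letter cases, a digit, a special character, and no dictionary
// word or name anywhere inside it. An empty result means it passes.
func CheckPassword(pw string) []string {
	var problems []string
	lower, upper, digit, special := classes(pw)
	if len([]rune(pw)) < minLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minLength))
	}
	if !lower {
		problems = append(problems, "no lower-case letter")
	}
	if !upper {
		problems = append(problems, "no upper-case letter")
	}
	if !digit {
		problems = append(problems, "no digit")
	}
	if !special {
		problems = append(problems, "no special character")
	}
	lowered := strings.ToLower(pw)
	for _, w := range forbidden {
		if strings.Contains(lowered, w) {
			problems = append(problems, "contains the word "+w)
		}
	}
	return problems
}

// GeneratePassword draws n characters uniformly from alphabet with crypto/rand
// and rejects any draw that fails CheckPassword, so the result always meets
// the policy. crypto/rand, not math/rand: a guessable generator makes a
// guessable password.
func GeneratePassword(n int) (string, error) {
	if n < minLength {
		return "", fmt.Errorf("length %d is below the %d-character minimum", n, minLength)
	}
	for attempt := 0; attempt < 1000; attempt++ {
		buf := make([]byte, n)
		for i := range buf {
			idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
			if err != nil {
				return "", err
			}
			buf[i] = alphabet[idx.Int64()]
		}
		if len(CheckPassword(string(buf))) == 0 {
			return string(buf), nil
		}
	}
	return "", errors.New("could not generate a compliant password")
}

// EntropyBits estimates the search space an attacker who knows which classes
// appear must cover: length * log2(size of those classes). It is an upper
// bound; a dictionary word with a digit on the end is far weaker than the
// number suggests, which is why CheckPassword rejects such words outright.
func EntropyBits(pw string) float64 {
	lower, upper, digit, special := classes(pw)
	size := 0
	if lower {
		size += len(lowers)
	}
	if upper {
		size += len(uppers)
	}
	if digit {
		size += len(digits)
	}
	if special {
		size += len(specials)
	}
	if size == 0 {
		return 0
	}
	return float64(len([]rune(pw))) * math.Log2(float64(size))
}

func main() {
	for _, pw := range []string{"michigan2012", "Aq7$kd9!Pz"} {
		fmt.Printf("%-14s %5.1f bits  problems: %v\n", pw, EntropyBits(pw), CheckPassword(pw))
	}
	pw, err := GeneratePassword(14)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-14s %5.1f bits  generated\n", pw, EntropyBits(pw))
}
```

EntropyBits assumes the attacker has to try every combination, so michigan2012 scores about 62 bits by that measure and still fails CheckPassword on three counts; that gap between the arithmetic and the dictionary rule is the whole point of the rule.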

Lock Down Your Laptop, Cell Phone and Wi-Fi Networks. More and more we are accessing our business networks with smart phones and tablets. If your laptop, smart phone or iPad is not currently password protected, take five minutes and turn on its password or PIN lock right now! If you are like me, your contact list contains any number of passwords and door codes that could compromise your security. While you are at it, set a password on your personal Wi-Fi network right now also, using WPA2 rather than the older WEP, which can be broken in minutes. Hackers can learn a lot about your business by strolling into your personal life through an open network. You probably don’t leave the front door of your house open when you are not home, so why leave the “front door” to your digital life open?

Every individual in your organization is responsible for network security. Remember, the most vulnerable part of any network is the end user, and that is you. Cybercrime is a real threat and the criminals are getting more sophisticated every day. Don’t make their job any easier by being complacent about network security.