HB Risk Notes Archives

Cyber Risks Enter a New and Increasingly Vicious Phase

October 31st, 2018|Categories: HB Risk Notes|

For anyone plotting the evolution of cyber risks, the last phase of cyber-attacks was dominated by breaches that resulted in lost or stolen personal or financial data that could then be monetized. The current phase is different. “We have observed a significant increase in the number of disruptive breaches that our clients are dealing with,” says Charles Carmakal, Vice President at Mandiant/FireEye. “These involve destruction, extortion, or public shaming.” How are organizations dealing with this shift? “It’s catching many organizations off guard. Most don’t have a playbook for dealing with extortion,” Carmakal says. “While they may have thought about a ransomware situation, that’s different from the more common type of extortion we are seeing these days, where a threat actor threatens C-level executives or corporate board members with the release of sensitive information.” “Many organizations assume the default is they wouldn’t give into the demands, but when in the middle of a crisis too often the decision is made to pay the threat actors,” he says. “So it’s important to consider what your organization will do in this situation. For example, who will be involved in the decision-making process? Organizations should play out an extortion scenario so they have a plan when faced with real demands.” How can organizations better test the efficacy of their security capabilities? Many organizations conduct penetration testing [...]

Foggan & Huggins on Opioid Litigation Defense Coverage

October 31st, 2018|Categories: HB Risk Notes|

Is a drug company that's sued in connection with the manufacture, promotion and distribution of opioids covered by its insurer for defense costs? According to Laura A. Foggan and Michael Lee Huggins of Crowell & Moring, LLP, that determination will come down to whether, in the relevant state, an accident takes place when either the act or the injury was unintentional, or whether an accident occurred if only the act was unintentional. This definition will vary by state, Foggan and Huggins wrote in California Litigation, published by the Litigation Section of the California Bar earlier this year. South Carolina may permit coverage if "either the act or the injury was unintentional," they explained. In Liberty Mutual v. J.M. Smith, the Fourth Circuit held that if a drug company failed to identify and alert regulatory agencies of suspicious drug orders, then there may be a duty to defend. But in California, the Crowell & Moring attorneys wrote, with that state's definition of "accident" a state appellate court in Travelers v. Actavis held that a "deliberate act is not an accident, even if the injury is unintentional, unless the injury was produced by an additional, unexpected, independent, and unforeseen happening." In that case drug company Actavis allegedly engaged in deceptive marketing in order to sell more opioids and reap more profits. According to Foggan and Huggins, the [...]

Kenneth Jones of Tanenbaum Keale on Law Firm Tech Development Capabilities

October 16th, 2018|Categories: HB Risk Notes, HB Tort Notes|Tags: data security, law firm clouds, law firm security|

Should Law Firms Should be Able to Develop Custom Technologies? Here is #10 of Jones' Top-10 List. #10. Security. The cloud is great, and generally speaking, companies in this space operate systems in a highly professional manner. However, occasionally one encounters special business needs which call for extensive “above and beyond” levels of security. This could be times a firm is storing financial information, medical records, or other data they wish to absolutely, positively protect. In these situations — under the theory that “no one does things better than I do” —it’s nice to have the option to build super-secure systems with features such as encrypted data within database tables, and to manage the systems with a very small number of highly trusted professionals specifically known by the law firm. Read more of the article posted by Thomson Reuters. Kenneth Jones oversees various aspects of technology at Tanenbaum Keale LLP in the role of Chief Technologist. He leads efforts to support TK’s computing environment and infrastructure, one that features a strategy of professionally protecting and processing client data in the cloud with highly skilled and respected leading-edge business partners in the technology space. Ken also helps lead and support various TK programs in the areas of security, compliance, business continuity and firm administration. Learn more.

Protecting Intangible Assets: Risk Transfer Market Yet to Catch Up

October 12th, 2018|Categories: Cyber Risk Litigation, HB Risk Notes|

Intrinsically Intangible. by Giles Harlow, Senior Vice President, Aon (Bermuda) Ltd. In the early 1980's, tangible assets made up around 80% of the value of the S&P 500. Fast forward to today and nearly 85% of the value of the S&P 500 is attributable to intangible assets. However, the risk transfer market has not caught up. According to the Aon/Ponemon report of last year, whilst around 60% of tangible assets (property, plant and equipment) are currently being insured, only 12% of informational assets are. So what gives? If the vast majority of companies' values in 2018 are attributable to intangibles, why are they not transferring those risks? Is it a lack of education on the client side? A lack of innovation in the brokerage community? A lack of understanding or willingness to accept these new risks on the carrier end? Or is it that whilst the marine and property markets have had centuries to evolve, the newer intangible insurance markets are just gearing up to size as they collate the data they need to properly price and model these risks? Likely, it is some combination of all of these factors. We have seen great strides in the cyber market, with double-digit premium growth over the last four-to-five years. The market has evolved from being focused on large data holders, to providing products [...]

Cyber Insurance Policy Language Review: A Deep Dive Into Key Policy Provisions and Important Differences Among Cyber Policies | Oct. 25, 2018 | Now On-Demand!

October 3rd, 2018|Categories: Cyber Risk Litigation, HB Risk Notes, Risk-On-Demand-CLE|Tags: Cyber Risk, cyber risk insurance|

Now Available On Demand PLACE: Your computer or mobile device PRICE: $197 CLE: 1 credit Please send CLE questions to CLE@LitigationConferences.com SPEAKERS: Judy Selby Principal Judy Selby Consulting LLC Scott Godes Partner Barnes & Thornburg Please contact us with any registration questions: Brownie.Bokelman@LitigationConferences.com Kathleen.McFadden@LitigationConferences.com Your registration includes: • A site license to attend this webinar (invite as many people in one location as you can fit around your computer at no extra charge). • Downloadable PowerPoint presentations from our speakers. • The opportunity to connect directly with speakers via email to HBWebinars@LitigationConferences.com • At least one-hour of CLE credit. Produced in collaboration with Judy Selby Consulting LLC Also available as part of your subscription at the Thomson Reuters West LegalEdcenter. What's in your cyber policy? Cyber insurance can provide a lifeline to companies dealing with today’s high stakes and constantly evolving cyber risk and regulatory compliance landscape. But not all cyber policies are created equal, and a single policy word can mean the difference between a covered and an uncovered claim. In this session, we analyze various cyber insurance coverage terms, conditions, and exclusions and describe how the words can impact coverage for real-life claims. What you will learn: • Important differences among generally available insurance coverages for cyber and privacy risks • Understanding basic cyber insurance policy [...]

Financial Services Cyber Risk Information Sharing

September 26th, 2018|Categories: HB Risk Notes|Tags: Cyber Risk, cyber security, cybersecurity, data security, financial data, FS-ISAC, hacking, icrmc, privacy law|

Why We Need to be More Like Apes, Less Like Seagulls By Tom Hagy Featuring Craigg Ballance, Director of Canadian Member Services, FS-ISAC Even before we can walk we are encouraged to share. We’re told to share our things even when we barely have any. Even some wild animals share food and resources – even when those resources are scarce. Some creatures are better at it than others, of course. Apes and lions? Absolutely. Seagulls? All you have to do next time you’re on the beach is toss what’s left of your ham sandwich into the air and see how generous gulls are. People fall into sharing -- and not-fond-of-sharing -- groups, too. Sharing is particularly critical in the financial sector where, while privacy and security regulations command a tight lid on data, global financial institutions are successfully sharing data about cyber risk, says Craigg Ballance, Director of Canadian Member Services for FS-ISAC in Toronto. But, he says, sharing has to take place across a broad landscape. “Information analysis sharing has to cut across the various subsets of the financial sector,” says Ballance. “While banks share local data, they are trying more and more to share globally, but,” he says, “banks need to share with other institutions, like insurers, investment funds, pension funds, and other types of financial institutions, for this cooperation [...]

Blockchain: Power to the People

August 28th, 2018|Categories: HB Risk Notes|Tags: blockchain|

Dan Solove, co-founder of the Privacy+Security Forum and professor at GW Law School, just posted an interview with Steve Shillingford, Founder and CEO of Anonyome Labs, a consumer privacy software company. Below is part of just one exchange in the interview. SOLOVE: The Internet has made so many things possible that we couldn’t do in an analog world. Yet, in some ways, the online world seems to lack the capabilities of the offline world. In the offline world, it is much easier to have anonymous transactions. This becomes much more challenging online. How can the online world be made more like the offline world in this regard? SHILLINGFORD: Blockchain technology shifts the balance of power back to people—to individuals—and away from tech giants, governments and data miners. It allows you to transact on your terms, just as you do offline. And it’s not just limited to financial transactions. Put anything on the blockchain you want. The blockchain gives a person the ability to publish only the information THEY decide to divulge. Nothing more, nothing less. And no more hidden agendas, no selling personal data without your consent, no worries about privacy. Just like the analogue world, you decide the context, the content, and duration of the information you provide…not the big guys. It can really be that easy. Read the complete interview. See the latest faculty and agenda updates for the Privacy+Security Forum [...]

International Cyber Risk Management Conference | April 15-16, 2019 | Toronto

August 22nd, 2018|Categories: Conferences, HB Risk Notes|Tags: cyber insurance, Cyber Risk, cyber security, cybersecurity, data breach, icrmc, privacy law, ransomware, Toronto cyber conference|

Get 10% off with promotion code HB2019 Check out the Agenda and Faculty Date: April 15-16, 2019 Venue: Metro Toronto Convention Centre 255 Front St. West Toronto, ON M5V 2W6, Canada Information Brownie Bokelman Email +1 (484) 844-0437 Ask for the list of attending organizations. Photo: Tom Ridge, the first Secretary of the U.S. Department of Homeland Security and the 43rd Governor of Pennsylvania, speaking at ICRMC in 2017. Join 300 cyber insurance and risk professionals. Learn from a carefully selected faculty. Benefit from the program's impressive Steering Committee. Don't miss this great business opportunity!

Oracle Health Sciences on Pharmacovigilance and Artificial Intelligence

August 22nd, 2018|Categories: HB Risk Notes, HB Tort Notes|Tags: adverse incident, artificial intelligence, drug safety, pharma regulation, pharmacovigilance|

"The potential to use artificial intelligence methods increasingly for the analysis of the increasing amounts of pharmacovigilance data is well understood and many companies are moving (or planning to move) there, and we can predict that routine tasks in pharmacovigilance will in the future be increasingly automated. It will be crucial, however, for regulatory authorities to very clearly provide a position about the use of AI as well as the acceptable level of quality from AI applications. But in parallel with the shaping of those definitions, given the massive increase in their AE case workloads that most companies are currently experiencing, the industry will out of necessity proceed swiftly with the adoption of AI and cloud technologies to reduce their costs and increase their efficiencies. "Like other industries, the pharmaceutical business and in particular the pharmacovigilance field will see a massive change in their processes in the near future, away from tedious, repetitive manual tasks towards a better utilization of scarce resources, in particular medical and scientific knowledge, for value-adding tasks. It is imperative for all stakeholders – industry, service providers and regulators – to provide an environment in which such a transformation can take place without ever compromising public health or the safety of the individual patient, and ideally providing additional benefit for patients." A quote from Addressing the Data Challenges [...]

Courtney Klein on Social Media & Security

August 1st, 2018|Categories: HB Risk Notes|Tags: cybersecurity, data security, social media risk|

A Restructured Paradigm for Corporate Teamwork By Courtney Klein of Soteria Risk Consultants Social media has become an integral part of everyday life. It’s how some of us get our news, research our opinions, learn about local events, and connect with friends. For the modern western business, it is also immensely important for staying in touch with customers, advertising, and overall visibility. For this reason, many companies employ veritable armies of “Social Media Specialists” that do everything from designing graphics to writing tweets to replying to customer questions and complaints. Some companies interact with each other (such as the hilarious and long-standing Twitter Battle between Wendy’s and McDonald's), and some use it as their primary form of communication. Customers, too, know that social media is a way to get in touch with a company - for good reasons and for bad - and while many companies are aware that they will and do receive threats on social media, very few of them have any kind of protocol in place for how to deal with them – and even fewer still encourage their social media teams to pass this information on to or (better yet) work together with their security team. This sort of blasé attitude to threats – either because “it’s not my job” or “they can’t be serious” – leads to [...]

Francoise Gilbert on Colorado’s New Privacy Law: Are You Ready?

August 1st, 2018|Categories: HB Risk Notes|Tags: colorado privacy law, cyber security, francoise gilbert, privacy security forum|

Effective Sept. 1, 2018, Colorado will require all entities that process or store certain personal information of Colorado residents, regardless of whether the entity is located within or outside of Colorado, to have formal data security and data disposal programs. This is the result of the adoption of Bill 18-1128 “Concerning Strengthening Provisions for Consumer Data Privacy,” signed into law at the end of May 2018, to amend and supplement existing law .... Previously, the definition of “personal identifying information” under the Colorado law was limited to a resident’s first name or initial and last name in combination with the individual’s Social Security, driver’s license, or identification card number, or a credit or debit card or bank account number, combined with a password or access code. The new definition includes additional forms of identification, such as student, military, passport, and health insurance identification number, as well as other types of information, such as medical information or biometric data. It also includes username or e-email address in combination with a password or security question answers that would permit access to an online account .... Organizations that collect personal identifying information of Colorado residents and that do not yet have the written programs necessary to formalize their data protection practices urgently need to focus on compliance. -- Francoise Gilbert, Greenberg Traurig Francoise Gilbert, a partner [...]

A.I. Best Practices: Rules and Policies for Using Artificial Intelligence in Your Business

July 30th, 2018|Categories: HB Risk Notes|Tags: critical infrastructure, cybersecurity, data breach, data security, ransomware, ransomware insurance|

DATE: Sept. 27, 2018 TIME: 2 p.m. EDT; 1 p.m. CDT; 12 p.m. MDT; 11 a.m. PDT PLACE: Your computer or mobile device PRICE: $197* per dial-in site *Price is good through Aug. 16. After that it's $247. GROUPS ARE GOOD: Registering qualifies you to multiple attendees at your location. CLE: 1 credit Please send CLE questions to CLE@LitigationConferences.com SPEAKER: John Frank Weaver Attorney McLane Middleton Your registration includes: • A site license to attend this webinar (invite as many people in one location as you can fit around your computer at no extra charge). • Downloadable PowerPoint presentations from our speakers. • The opportunity to connect directly with speakers during the audience Q&A session. • At least one-hour of CLE credit. Produced in collaboration with and their new Journal of Robotics, Artificial Intelligence & Law Nearly every industry is adopting or preparing to adopt artificial intelligence applications into their business practices. That's exciting. However, there are almost no government regulations for their use and few resources providing best practices that anticipate ethical considerations and forthcoming legal requirements. This lack of direction poses a serious problem as A.I. applications become more widespread. Businesses are creating their own ad hoc practices without considering the eventual government oversight and ethical consensus, which will result in costs and potential liability later when [...]