All posts by mitch tanenbaum

Terrorism Risk Insurance Act

After 9/11, Congress passed TRIA, the terrorism risk insurance act. They did this after insurance companies paid out more than $40 billion in claims from 9/11 and reinsurers – the companies that backstop the insurance companies – withdrew from the market.  When the reinsurance market dried up, insurers stopped covering terrorism claims.

The result of this was that  businesses could not get insurance to cover terrorist attacks like the attack on the World Trade Center.  TRIA was renewed in 2007 and, in the absence of Congressional action, will expire on December 31st – 10 days from now.  Given that Congress is in recess, that is not going to happen.

Some businesses won’t lose their coverage immediately, but some policies have a clause in them that voids the policy in the event of a claim if TRIA is not in effect.  So, while that group of people won’t lose their coverage, if they make a claim, it will be denied, so, in effect, they will lose their coverage.

Industries such as real estate (large commercial buildings), transportation (airlines), utilities (power plants) and others depend on terrorism coverage as part of their business risk mitigation strategy.  Assuming they don’t have any terrorism coverage and something happens, they would have to pay all the costs out of their own pocket.  The good news is that a terrorist attack is pretty unlikely.  So was the Sony attack.

Whether insurance companies will stop offering terrorism coverage like they did in 2002 is unknown. Whether insurance companies will cancel existing policies is also unknown.  If TRIA is not renewed, IF they offer coverage, it will come either at a much higher price or lower coverage limits.

Events like the Super Bowl and the Soccer World Cup have terrorism coverage in the very unlikely event that some wing nut decides to make a statement.  The World Cup almost didn’t play the final game a few years ago due to challenges in getting coverage.

If builders of large commercial projects cannot get terrorism insurance, banks would likely not lend them money – you get the idea.  The potential ripple effect on the economy is significant.

One assumes that when Congress reconvenes in January they will take up the issue of TRIA.  Hopefully, they will come to some sort of agreement that the President is willing to sign.  If not, expect some changes in your commercial liability policy.

What happens between January 1 and when or if TRIA is resurrected is unknown, but those in commercial real estate and other industries are no doubt paying close attention.





The Connecticut Mirror – Senate’s failure to act on terrorism risk insurance roils insurance industry

Bloomberg – The unexpected threat to Super Bowl XLIX

Sony cancels release of The Interview

After the Sony hack attackers threatened movie theatres and movie goers if theatres showed the Sony movie “The Interview”, Sony announced today that it was cancelling the release.

USAToday put the production cost of this movie at near $44 Million, which Sony stands to lose if they do not release this movie, but the risks are too great to both theatre owners and Sony if the movie was released and someone – even a copycat – were to blow up a movie theatre.

While some people complained that Sony was giving in to the attackers – and they are – those are the same people that would sue Sony if something happened, so it is a no win for Sony.

As a side note, the Terrorism Risk Insurance Act – the law that was enacted after 9/11 as a backstop for the insurance industry in case of a multi-hundred-million dollar claim as a result of a terrorist act – was not renewed by Congress and expires on December 31st.  While we do not know if Congress will renew it next year, the expiration of TRIA gives the insurance companies the right to cancel terrorism risk policies on January 1st.  Given that a claim could cause an insurance company to become insolvent, it is certainly possible that insurance companies will cancel policies after the 1st, leaving large building owners and events like the Super Bowl on their own to cover risk from a terrorist act that causes a big claim.


Is your small business safe from cyber attacks

In light of the recent cyber incidents, small and medium sized business owners should be looking at their cyber readiness and asking “Am I safe from cyber attacks?”.

Unfortunately, for many businesses, the answer is no.  The Huffington Post wrote an article on the issue and I think that some of the points that they made are worth repeating.

According to the National Cyber Security Alliance, one in five small businesses fall victim to a cyber attack each year.  Of those, 60 percent go out of business within 6 months.

There are likely a few reasons for this.  First, small and medium businesses are likely to not have a cyber risk plan, are less likely to have good security controls, are less likely to focus on good security hygiene and are less likely to have a plan in place if a breach occurs.

Second, small and medium businesses likely don’t have cyber risk insurance and if they do, the limits are inadequate.  The costs of dealing with the breach put them out of business.

Using my poster child as an example, Sony, here is what is being said.  Scale the numbers up or down for your business size, but the results are the same.

The had a cyber and media liability policy but because of previous claims, their current insurer declined to renew it.  They went to Lockton and obtained a $20 Million policy with $10 million in self insurance (meaning Sony pays the first $10 Mil, then insurance covers the next $20 Mil.  Above that Sony is on the hook).

This year, they got a new $10 million policy from AIG and then a month later they hired a different broker, Marsh, to review their options.

They selected a $60 million policy with $5 million in self insurance.

Given Sony’s size, $60 million is WAY undersized and as we are seeing from the events of this month and last, Sony is going to be writing a large check out of their checkbook.

The article reports on a business impact analysis at Sony done in 2008 – hopefully they have done one since, but maybe not – and it reports that various systems have an impact of any where from $2 million a day to $6 million a day for outages.  Almost all systems were down for a week and even if you exclude weekends, the four systems listed in the article, if down, cost Sony over $13 million a day.  Times 5 days for that first week.  That is a $65 million impact.

Those numbers are from 2008 and Sony is likely more dependent on technology now, so those numbers are likely low, possibly very low.

Add to that the cost of remediation, the fact that many of those systems were down for more than a week, the P.R. impact, loss of sales, replacing employees who leave because of the incident, lost ticket revenue, lawsuits and fines and you can quickly see that $60 million is not enough.

The moral of the story is that every business should be doing a cyber risk/business impact analysis and planning exercise on an annual basis and then doing remediation as needed.  Nobody wants to be in that 60% of businesses that fail after a cyber breach.  Plan ahead.


Microsoft, Amazon and Apple fighting together for privacy

The Department of Justice appears to be doing its best to kill off the cloud – at least in the U.S.

Microsoft has been fighting, for months, a DoJ search warrant to provide emails and address book information for a customer who’s data is stored in an Irish data center.

Microsoft has been fighting this search warrant at least since April when a New York judge ordered Microsoft to turn over the emails, but also suspended that order pending appeal.  This week Microsoft filed an appeal of the order and included Amicus briefs from Amazon, Apple, AT&T, eBay, Verizon and dozens of other organizations.

Assuming those emails were stored on the user’s PC in Ireland, it would be clear that the DoJ would need to get the Irish courts involved.  They could do a black bag job, but then the U.S. courts would never admit the evidence.

The reason, at least in part, for why there were over 40 amicus filings with this appeal is that part of the DoJ’s claim is that when personal emails and other documents are stored in the cloud they are no longer personal property, but rather business records, owned in part by the cloud providers.

While the records for this case are sealed, it appears to be part of a drug investigation and what is not clear is whether this person is a U.S. Citizen living in the US.

Microsoft is arguing that this data is being held by an Irish company (the Irish subsidiary of Microsoft) and if you want the data, you need to do so in Irish courts according to Irish law.  Assuming that this person they are going after is not an American, this makes perfect sense.

Microsoft argues that the U.S. would  not be fond of say, the Russian government ordering the Russian subsidiary of Microsoft to hand over information held in the U.S.  based on a Russian search warrant and Russian law — and that is hard to argue.

In another article,  Microsoft EVP and general counsel Brad Smith, when asked if users should encrypt their email in the cloud, said that encryption is important and protects data in many circumstances, but said that it would make it hard for Microsoft to hand over your stuff to the feds if it was encrypted.  Duh!  And your point is?  I am not sure what the downside to Microsoft is if they were to say yes to that question.  I don’t get their hedging.  Obviously, if they did that, like Apple and Google are doing with their smartphones, it would make the feds upset, but is that their logic?

Remember – and this is very important – that any form of transparent encryption where Microsoft or any other cloud provider holds the encryption keys, DOES NOT STOP THE PROVIDER FROM TURNING OVER YOUR DATA IF THEY WANT TO.  In fact, Smith specifically said that if the cloud provider does not hold the encryption keys, things get problematic for them (Microsoft).

If after all the appeals, the courts hold that YOUR data stored in the cloud is no longer personal property and is owned, at least in part, by the service provider, that will have a huge negative impact on U.S. cloud providers like Amazon, Google and Microsoft.  Constitutionally, the protection of your stuff, if it is ruled to be a business record of the cloud provider you are using, is dramatically less than if it is your personal property.

I assume this is likely to be appealed all the way up the the Supreme Court, so stay tuned.

The Sony saga gets stranger if that is possible

UPDATE 12-17-14 : Sony has cancelled the New York premiere of the movie the Interview according to USAToday and is leaving it up to theatre owners to decide if they want to show the film.  The cost of this move as well as if they have insurance to cover it is unknown, although it will likely have to be reported in Sony’s next regulatory filing.

Depending on where the attacks are originating from, the source of the attacks may never be found and if they are found, the bad guys may never be arrested.

According to USAToday, the GOP released a new message this past Monday warning of a 9-11 style attack on movie theaters screening The Interview.  The GOP said:

The GOP’s message warned potential viewers, “We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you’d better leave.)”
“The world will be full of fear,” the message said, adding, “Remember the 11th of September 2001.”
Whether there is any actual danger, given the lack of information about who originally hacked Sony Pictures Entertainment or who is behind the messages about the hack, is unclear.

Given the vagueness of the threat, it is not clear what actions can be taken.  If Sony were to pull the picture, it would cost them tens of millions of dollars and their likely is no insurance that would cover it.  There probably is also no insurance available to Sony to cover something happening at a theater showing the Sony movie in question.

As a movie theater owner, I assume you would definitely increase security.  If they did not in the light of this threat and something happens, they would get sued into outer space.  The owners of the Aurora movie theaters in Colorado are currently in the middle of that exactly litigation after James Holmes shot up the place in 2012.  The plaintiffs say that should have known that a crazy person might lob tear gas grenades into the theater and then kill 12 people and injure 70.  There was never any direct threat in that case and they are still getting sued.

Obviously, what these hackers want to do it hurt Sony financially, trying to get people to avoid those theaters showing that film out of fear.  Only time will tell if that works.

On an other Sony note, apparently the hackers did try to extort money out of Sony before they released the files, but Sony declined.




Why Healthcare Providers Need To Have An Effective Cyber Security Program

The Anchorage Community Mental Health Services (ACMHS) just agreed to pay a $150,000 fine after a 2012 breach of approximately 2,500 patients protected Health Information (PHI) due to malware on their healthcare software system according to Healthcare IT News.

Apparently ACMHS had adopted the sample Security Rule policies in 2005 but didn’t bother to follow them from 2005 to the date of the breach in 2012.  As a result, they ran outdated, unpatched software leading to the breach.

In addition to the $150,000 fine, they agreed to a corrective action plan lasting two years, which, if they complete successfully, they are off the hook for this HIPAA violation.

While this organization had 5 locations, if they only have 2,743 patients, they are small.

On the other hand, the good, old fashioned paper breaches are still going strong.  Parkview Health System in Ft. Wayne Indiana decided that placing 71 boxes of patient records on the driveway of a retiring physician  (who was out of town) was a good plan.  They had to cough up $800,000 in fines.

But these fines are not limited to the small guys.  New York Presbyterian Hospital/Columbia University Medical System paid a $4.8 million fine after patient records for 6,800 patients would up on Google back in 2010.

These 3 incidents represent a small part of the $26 million in fines the Feds have levied against healthcare entities so far.

While having a good cyber security program won’t stop you from having a breach, it will improve the odds.  For example, If your cyber security program requires you to encrypt data on laptops and tablets and you actually do that, when one of your employees loses a device containing PHI, you have a safe harbor meaning that you don’t have to pay a fine.