This article can also be found in the Premium Editorial Download "Information Security magazine: Winners of Information Security magazine's Security 7 Award."
Businesses are facing new risks and increasing liabilities related to their Internet presence and use of the Internet. A decade ago the focus was on Internet privacy issues, but the spotlight has shifted to Internet liabilities, and high-profile lawsuits are commonplace. One example is Cecilia I. Barnes vs. Yahoo! Inc.
Understanding the risks associated with the Internet is no longer a necessity solely for ISPs, big business or e-commerce sites. All organizations must become knowledgeable about their cyber exposures and take steps to implement a sound cyber risk management plan. This is especially true now as many Internet liability lawsuits seek class-action status, raising the stakes even higher.
There are several categories of law governing Internet-related activities:
- Intellectual property (IP) law prohibiting copyright and trademark infringement such as the U.S. Copyright Act;
- Privacy legislation regulating the use and protection of personal information, including the Fair Credit Reporting Act, the Privacy Act of 1974, HIPAA, and the Fair and Accurate Credit Transactions Act;
- Communications decency law governing user-generated content; Section 230 of the Communications Decency Act generally protects ISPs and website operators from liability for content posted by third parties, while leaving them responsible for their own content and for commitments they make themselves;
- Spam legislation requiring that unsolicited commercial e-mails be identified as such and that recipients be given the option to opt out.
Each federal law and related state legislation imposes a new level of responsibility regarding websites, email marketing, blogs and general use of the Internet. For example, a company that reproduces copyrighted material on its site without the copyright holder's express permission would be in violation of copyright law. Financial institutions or retailers that lose personal financial data face claims under the privacy and data-protection statutes that govern them (the Privacy Act of 1974 itself regulates records held by federal agencies, not private companies). The Communications Decency Act works differently: Section 230 generally shields an ISP or website operator from liability for offensive material that a third party posts to a site it hosts or owns, but it does not shield the operator from promises it makes on its own behalf. In Cecilia I. Barnes vs. Yahoo! Inc., the Ninth Circuit held that Section 230 barred the claim based on the third-party postings themselves, but allowed a promissory estoppel claim to proceed because a Yahoo! employee had promised Barnes that the offending profiles would be taken down.
Cyber liabilities pose first-party and third-party risks. Examples of first-party risks include failing to install the latest security patches, which then exposes IT systems to a virus resulting in business interruption and extra expenses; regulatory claims for failure to notify in compliance with applicable law; and expenses related to privacy notifications, public relations, and cyber extortion. Third-party risks include an Internet advertising company tracking the behavior of a consumer on a retailer's website using "cookies," which many privacy advocates believe constitutes both deceptive practices and an invasion of privacy; a vendor posting an ad to an organization's website that contains slanderous content against one of its competitors; and privacy liability claims brought by others, caused by a hacker breaching your own system or using your system to access and breach a third party's network.
To control Internet exposures, businesses should take a three-pronged approach: educate, mitigate and insure. They should develop an Internet liability and risk management policy handbook that lists the potential risks and steps to prevent and/or reduce those risks. Minimum risk controls include enforcing an information security policy that must be followed by all employees, contractors or others with access to the network; ongoing monitoring of system security; automatic virus and threat notifications; a tested disaster recovery plan; and storing backup files in a protected location.
Many insurance carriers offer Internet-specific liability policies, which vary greatly from carrier to carrier and are meant to be in addition to a company's commercial general liability and other policies. To provide the best coverage, many carriers will assess an organization's various cyber liabilities by reviewing its Internet marketing and/or e-commerce practices, its overall IT system security and the scope of its Internet reach. The policy will then be designed to cover both first and third-party risks.
When purchasing Internet liability coverage, it's important to inquire about the definitions and exclusions in the policy. Read a sample policy prior to purchasing the insurance. Require your vendors to sign a contract including a hold harmless or indemnification agreement in your favor, require evidence of their professional liability insurance including contractual liability coverage in the form of a certificate of insurance, and follow up to make sure their insurance is maintained.
Taking these steps can help keep your company out of the courtroom, or protect it in the event of a lawsuit.
Jeanne Debus is vice president at Cook, Hall & Hyde, Inc., a regional provider of commercial and personal insurance, employee benefits and risk management services.
This was first published in October 2009