Cyber World Insurance and “Kidnap Ransom & Extortion” (KRE) Policies

The Chubb Group of Insurance Companies has put out a KRE policy that covers both the so-called “real world” and the “cyber world.” As readers well know, I hold distinction in contempt; there is one world and various dimensions. Of course, there are a variety of ways in which the cyber dimension of the world can present itself, video games being a prominent one.  Of course, video games are that; they are games, and they are videos of the game.  They are not “eyes” into a separate reality. Nevertheless, I will use the phrases “cyber world,” “cyberspace” and “virtual world” because of their popular use.

In any case, Chubb has classified this policy as part of a system of policies that it has named “FOREFRONT PORTFOLIO 3.0(sm).” I will focus on the parts of this policy in which cyber coverages are important. The use of computers, digital languages, etc. making ransom demands, dealing with them, and communicating about them are no topics here.

Nothing will be said about real-world kidnapping coverages.  There will be no reference to the seizure of real children. At the same time, in this policy, there is no explicit distinction built into this coverage when used in the cyber-world or used in the real world.  In both cases, some “bad guy(s),” as they are now called on television (and therefore elsewhere, as well) have captured a person and are demanding money for his/her return in exchange for something valuable, usually money.  (Of course, there may be peculiar forms of ransom demands arising out of cyber-world and real-world interactions. Exchanging networks for people, exchanging networks for networks, exchanging the life of a child for a pledge of no-more-hacking, a demand that bitcoins be used to pay the ransom, and so forth.)

Background 
The prose and organization of this type of policy is of the same format, organization, and to some extent the vocabulary as those policies that are typically in this category but conceived only for the real world. It is a “claims-made policy” with purchasable extensions, either or both, (1) back in time for including more insured events for which there may be coverage causes and (1)coverage continuing forward in time for including more filing claims, repairing damages, accomplishing restoration, etc., but not new covered causing damage.

Claims-made insurance policies come in many forms. The basic idea of them, however, is quite simple. In a claims-made policy, the right to coverage is tied in time to when the covered event causing damage or injury occurred.  That period of time is often one year, but it could be different. Policies that are not claims-made policies do not tie injury-causing events and make claims arising out of them together in time.  A covered event and the injury it causes can be years apart.

The temporal tie between an injurious event, the injury, and the claim(s) can take different forms. Here is an example. Medical malpractice insurance is to be found in the claims-made policy.  If Doctor Diogenes, an amputation surgeon, slices off Larry’s left arm, when it should be the right, then the covered negligence and the injury occur at the same time.  After that, Diogenes must make a claim to  Isabella Insurance Inc. during the same policy period.

Of course, claims-made policies and fact patterns can become vastly more complex, e.g., when the injury is subtle and is not noticed for longer than the policy period.  But none of that applies here. Extortion policies and person-napping policies involve very quick successions of time.

First-party coverage is about losses sustained by the insured.  A helpful analogy when thinking about first-party policies is policies covering tangible property.  There are other sorts of first-party policies, but this is a simple and easily understandable starting point. Obviously, the kinds of policies discussed here are first-party policies.

Various first-party policies have a variety of different provisions regarding how and when they are obligated to pay covered damages.  A few will pay in advance for work that has to be done.  Others pay on behalf of the insured for such work. Some will receive the invoices from vendors and pay those.  The far more common provisions obligation that the insurer need pay the insurer for covered losses the insured has paid form.  For example, if the insurer’s building is tipped over, the carrier would be obligated to pay only if the loss was covered; the insured has paid to repair or replace at least some of it, and the payments are reasonable. These are called, naturally enough, “reimbursement policies.”  Sometimes the insurer is not obligated to pay any reimbursement costs until the job is through, but it is far more common for the insurer to monitor the work of the vendor, or of the insured itself, a pay a bit at a time.

The Chubb Policy
This point having been made, it is important to note that all of the coverage in the first-party portions of the Chubb policy (with one exception not relevant here) pay only on a reimbursement basis.  This means that the insured must pay his own way down the path of covered situations and then the insurer will pay him for the reasonable expenses it has spent.  Obviously, this is invariably an area of sharp controversy in all sorts of reimbursement policies.

In cyber policies, the definitions are often crucial. This is because much of the terminology is “foreign” users of common English.  The central definition of this policy is the phrase Extortion Threat.  (In this policy, words and phrases defined in the policy are in bold.) It is discussed here only in so far as it applies to cyber states of affairs.  I am leaving out threats made about doing something injurious to solid objects.


There are no insured kidnappings in the cyber world. Executives of  Microsoft might get kidnapped, but that is the real world. Would it be of any interest in the “world” of insurance coverage if a video game got hacked and some character in the game, some avatar named “Schmuck” was “kidnapped”?  For the same reason, it is hard to see how there could be actual, real demands to pay a ransom.  For what?  “I’ve got your avatar, Archangel, and if you don’t pay me a bunch of bits, she will disappear into far cyberspace galaxies a long way away, where you will never find her”?

The idea of extortion, however, works in the cyber world, just fine. “Pay a gazillion dollars into a trust fund at Credit Swiss named “Hackers’ Delight” and do it tomorrow between 1:00 PM and 2:00 PM.  The person in charge of the account is Jack Bauer, ask for him by name.”

 
I will be concentrating on some of the substantive parts of this policy, in particular the part that specified what the coverages are, the portion that consists of definitions, and the part setting forth explicit exclusions. There will be little here about conditions, portions of the policy related to conditions, or the declarations pages.

Insuring Agreements
In any case, here are the subtitles of the “Insuring Clauses,” often called “Insuring Agreements.” They provide a good start for developing an idea of what is covered:

A. Kidnapping, Extortion Threat and Express Kidnapping Coverage.
B. Custody Coverage
C. Expense Coverage
D. Accidental Loss Coverage
E. Legal Liability Costs Coverage
F. Emergency Political Repatriation Expense Coverage
G. Disappearance Investigation Expense Coverage [&]
H. Express Kidnap Cost Coverage Hostage Crisis Costs Coverage
I. Hostage crisis Costs Coverage

Definitions
 
Cyber policies often have many more definitions than real-world policies do. This one is not very different, except that most of the definitions are easier to understand. In any case, this policy has  
approximately 42 definitions, some of which have quite a large number of sub-parts, and only approximately 12 of them have components have parts that are important to grasp to understand the cyber components of the coverage.
The key definitions that are noticeably cyber-related are:
“Insured Person,” which I will petty much  ignore
“Extortion Threat,” which is extremely important when formulated in terms of cyber matters
“Computer System”
“Computer Violation
“Contaminate” [here applied only to the physical parts of  “Computer Systems”]
“Expenses,” in part [This is by far the longest of the definitions, 18 subparts, though not all of them apply to cyber situations.]
“Extortion Threat,” [Probably the most central of all the definitions though applicable only to cyber situations involving one or more Insured(s).]
“Independent Contractor,” [In the cyber realm.]
“Insured Event,” [Applying only, for our purposes, to cyber matters.]
“Merchandise,” [Relevant but not discussed here.]
“Propriety Information,” [In the cyber realm.]
See immediately below.

Now for a look at what I find the most interesting definition of all, the one for the Exportation Threat.  The list of covered expenses for extortion threats is mixed together with other covered states of affairs that result from such a threat.  Most of these are expenses an insured company (an Organization, as the company called it) has to deal with when there has been an Extortion Threat, kidnapping, etc.:  Of course, those expenses must be reasonable.  In any case here are some of them:

security consultant,
public relations consultant,
cost of relevant advice,
temporary security measures,
forensic analyst,
security consulted who can analyze the Extortion Threat,
fees for retraining relevant employees,
&c.
I find this exciting because there are few real-world policies that have this sort of coverage, some D & O policies being exceptions.  I especially enjoy reflecting on all the adjustment problems which would arise out of the spending on the expenses.  Imagine a controversy over whether the fees of the independent security consultant were reasonable.  Imagine having to deal will controversies about all the expenses at once. 

As already stated these definitions, at least in theory, have some limited applicability to cyber situations, but not all of them are relevant to every such situation, or even most of them.  I am being overly cautious, perhaps, when I say this definition probably does not do much work, if any, in the cyber world.  There is little precedent, if any, in this field, and lawyers involved in coverage litigation on these types of issues can be very inventive and subtle.

Perhaps the central definition in the list is Computer systems. That phrase means “any computer or network of computers of an Organization including its input, output, processing, storage and communication facilities, and shall include off-line media libraries…”  Obviously, this phrase as defined includes both solid objects, such as the one which I am working from on this blog and the one you may be used to read what I have written, and would at least appear not to be a solid object, e.g., data, its “location, its structure, internal directions and so forth.”

The phrase Computer Violation is just as important. It is divided into three sections.  It means “unauthorized”
(A) “entry into or deletion of data in the Computer System;”
(B) “changes of data elements or program logic. . .kept in machine-readable format;” or
(C) “introduction of instructions, programmatic or otherwise, which propagate themselves through a Computer System,” where any of these are “directly against any Organization.”

[The term Organization is not explicitly defined, but it is probably intended to mean objections that are not natural persons that are insured, e.g, a corporation and a subsidiary limited partnership, or an entity not connected to another Organization that is part of a business system involving “artificial” entities but which has some special status. For example, it might belong to an owner of the central Organization.]

The phrase Extortion Threat is also central. Its essence is that of being a threat, and that means the damaging state of affairs has not yet occurred.  Extortion is a new though-related event. Here are at least some of its relevant parts.  Not all of the threats concern cyber situations; here are some that may:

In any case, here are some cyber-relevant parts of the definition:
(C) threaten to disseminate, divulge or utilize Proprietary Information;
(D) threaten to “disseminate or make negative information regarding the [insured’s] Merchandise; or
(E) threat [made by various sorts of persons with various intents and purposes] to “adulterate or destroy any Computer System by a Computer Violation. . .” but to seek payment(s) for not following through. 
the definition further provides.

Built into the idea of Extortion Threats is the idea of Proprietary Information.  This is extremely important to cyber coverage in general since intellectual property is one of the most difficult and financially significant areas for coverage.  Some violations of the privacy rights of customers of Target, for example, may be awkward, irritating, worrisome, and reputation-reductive for a short time, but actual serious financial losses have heretofore proved unlikely, and their probability may be diminishing further as time goes by.  IP is a different matter’ both individuals and businesses face tremendous financial losses.

Consequently, the terms of the definition are “all-important,” as popular slang would have it, and here it is: “Proprietary Information means any confidential, private or secret information unique to the [Insured’s] business including client lists, drawings, negatives, microfilm, tapes, transparencies, manuscripts, prints, computer discs, or other records of a similar nature which are protected by physical or electronic control or other reasonable efforts to maintain nondisclosure of such information.”

[Interestingly, coverage for Proprietary Information is not created by an insuring agreement.  It is through an insuring agreement for Extortion Threats and then Proprietary Information is central to the definition of Extortion Threat.

[There will be controversies coming out of this definition.  Significantly, the term “copyright” does not appear in this definition, and the title of the phrase being defined includes the word “information.”  Copyrights are not necessarily information.  A new novel or a new poem may be copyrighted, but they may contain no information at all.  The same point applies to other artworks as well.  Abstract painting of Jackson Pollock? One by Hopper? A concerto by John Cage? A painting by Balthus?  (Paradoxically, there are exceptions: works of art that are not copyrighted but which contain information.  What did Machiavelli look like?
What about music that contains codes with information in them that can be understood by a few?  Can allegory ever count as information?  What about metaphor?  A novel that contains a fictional character but one which “everyone” knows is really a deep literary portrait of Bathsheba Finkelstein {an actual friend of mine from graduate school}, and many people know that this is who is portrayed.

[Another area of likely conflict is whether that which is being insured is something that belongs to the insured? Does that insured have an ownership interest in that information?  Must that insure have an ownership interest in that which contains the information?  A place that might arise is cyber insurance for law firms.

The Quincy, Quiggley, Quinn Firm has “tons” of information on all sorts of devices, and none of it or them belongs to the law firm.

[Or suppose the owner of the Proprietary Information has 100 devices upon which some of it is stored, but half of them have no information at all, or material, like abstract art, which may or may not have information. . . . .Notice that the list of definition does not contain one for what counts as information.  Can a proposition that is false count as “information”?  What if the client lists contained one falsehood?  Surely the list would be information.  Now consider the document entitled “Client List” where all but one of the entries is false.  Surely that would not be information.  Obviously, there is such a thing as “alleged information” which is not information. Some might think that this is what litigation is all about.

Thus the idea of Proprietary Information is not like all that is found in the idea of intellectual property.  However, the notion of Propriety Information might be just as good when it comes to trademarks and similar matters.]

Obviously, there is much more to say, but at this point, the discussion here may be enough for now.

Exclusions
 
Most of the “Exclusions” are common to kidnap, etc. policies.  They do not fit with cyber exhortations, so they will be ignored, for now. 

********************************************************************************

p.s. Keep in mind that in the cyber world, the use of this policy is very limited when it comes to Extortion Threats.  I shall return to this topic in another blog.

Originally posted on 01/16/2014 @ 10:42 pm

Michael Sean Quinn, PhD, JD, CPCU, Etc

Michael Sean Quinn, PhD, JD, CPCU, Etc. (530)

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.

Hits: 1