The FCC Jumps into Cyber-Regulation with Millions in Fines

Posted by on November 18, 2014 | Be the First to Comment

Recently, the Federal Communications Commission entered into the cyber regulatory field in a big way: proposing to fine two companies $10 million for alleged data security breaches.

The FCC is taking action against two telecommunications companies who provided prepaid phone services to low-income residential customers. According to the agency, the companies “collected names, addresses, Social Security numbers, driver’s licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.”

The FCC justified imposing such large fines in part because “the companies stored such consumer PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.” The FCC gave the companies 30 days to seek a reduction in the fine.

The FCC’s $10 million fine followed a $7.4 million settlement with Verizon in September over its use of customer information for marketing, and a $7.5 million settlement with Sprint back in May over “do not call” violations. These multimillion dollar fines are coming from a federal regulator not thought of as a data security and privacy watchdog. The Federal Trade Commission has mainly filled that role.


The FCC appears to be a new aggressive player on the cyber regulatory field that may have the power to move quicker in issuing fines than the FTC. When faced with a data security situation, the FTC typically issues a complaint setting forth its charges. If the respondent elects to settle the charges, it may sign a consent agreement (without admitting liability), agreeing to the entry of a final order and waiving all right to judicial review.

If contested, the matter is adjudicated, starting with an administrative trial working its way through the Federal courts and ending, potentially with the U.S. Supreme Court. Fines and penalties may be imposed on a respondent for violations of the FTC Act. The FCC, however, can move much more quickly in connection with companies it regulates and may impose a fine once it determines the company failed to protect the “confidentiality of proprietary information of its customers.”

From a risk standpoint, the recent FCC actions represent yet another exposure for telecommunications companies in connection with data security. A cyber insurance product is designed to protect against this risk and should offer coverage for regulatory claims such as those brought by the FTC, FCC or any other governmental agency, federal, state or local.

For those who already purchase a cyber policy to address this risk, it would be prudent to review the policy wordings to assure that regulatory claims are defined as broadly as possible to address new entrants in the privacy regulatory arena.

Additionally, cyber coverage purchasers should look to see whether their policy provides full policy limits for regulatory claims. In some cases, insurers hedge their bets by offering reduced sub-limits of liability for regulatory claims. Given the ramped up efforts by regulators such as the FCC, it is important to make sure adequate limits are in place.

State of the Cyber Insurance Market: 10 Lessons Learned From Major Retailer Breaches

Posted by on August 22, 2014 | Be the First to Comment


It is not an overstatement to say that there is a “pre-Target and “post-Target” state of the cyber market for major retailers from both the underwriting and the client side.

In November–December 2013, cyber thieves executed a well-planned intrusion into Target’s computer network and the point-of-sale terminals at its 1,800 stores around the holiday season and successfully obtained not only 40 million customers’ credit and debit card information, but also noncard customer personal data for as many as 70 million customers.

But Target was not alone, as in that same time period, retailers such a s Neiman Marcus and Michaels were also reportedly exposed with 1.1 million and 3 million cards at their respective establishments.

Read my newest white paper that features a comprehensive snapshot of the Target case study, the 10 lessons learned from the underwriters and pointe of view, as well as a peer group perspective on the current state of the cyber insurance market.

International Engagement on Cyber: Developing Global Norms for a Safe, Stable, and Predictable Cyber Environment

Posted by on March 18, 2014 | Be the First to Comment

Cyber security has become a major priority for governments on a global scale. In February 2014, the U.S. government launched a Cyber Security Framework under Executive Order 13636 to support critical infrastructure industries in improving defenses against a cyber attack.

 On March 4th, international leaders including Secretary Michael Chertoff, General Michael Hayden, Rear Admiral Michael Brown, and Senator Sheldon Whitehouse, gathered in Washington D.C. to debate how the global community can come together to implement a common security approach.

 The International Engagement on Cyber 2014 was hosted by Georgetown University Institute for Law, Science and Global Security, and took place as planned, despite the threat of winter weather interrupting the meeting.

 The day included four panel discussions on topics such as national cyber strategies, Internet governance, national cyber security in a post-Snowden era, and the development of international norms for cyberspace.

 Key to overcoming our global cyber security challenges is an increased willingness for both the private and public sectors to share information, such as threat intelligence. I was pleased to participate in a panel discussing private/public partnerships to protect critical infrastructure. Co-panelists included Adam Sedgwick from NIST (National Institute of Standards and Technology), the architect of the new cyber security framework, as well as representatives of the Department of Homeland Security.

 The federal government has engaged the insurance industry directly to support the roll out of the framework and I expressed support for the initiative, as it will cement cyber security as a boardroom risk.

 For more information about cyber security, read my white paper, The Ever-Evolving Cyber Laws, and visit Lockton’s Cyber & Technology website.

Lockton Expert Talks Cyber Insurance with Marketplace

Posted by on | Be the First to Comment

High profile data breaches have brought cyber insurance into the media spotlight. Estimates indicate more than 70 million people who shopped at Target between Thanksgiving and Christmas had their personal data compromised, costing the company $60 million. However, Target expects to see that number drop to $17 million, thanks to cyber insurance coverage.

 In a recent story by American Public Media’s Marketplace, Lockton cyber expert Emily Freeman talks about the growing demand for cyber coverage. She stresses that this coverage serves only as a safeguard.

 “We sit on the shoulders of their best efforts to prevent the event from happening in the first place,” said Freeman.

 Cyber policies can be contingent on a company having protection measures in place to stave off a cyber attack or lessen its impact.

 Learn about Lockton’s Cyber Risk capabilities.

Lockton’s Beeson to Chair Cyber Risk Insights Conference in London

Posted by on January 31, 2014 | Be the First to Comment

Lockton’s cyber expert Ben Beeson will chair Advisen’s upcoming Cyber Risk Insights Conference in London on Tuesday 25 February 2014. Risk managers and insurance buyers may attend at no charge.

The agenda features 30 speakers discussing topics such as data security, privacy legislation, and the evolution of coverage products. The keynote address will be given by Lord Reid, Principal at the Chertoff Group and Chair of the Institute for Security and Resilience Studies. He was a Member of Parliament and served as a cabinet minister under Prime Minister Tony Blair.

“I am thrilled and honored to be chairing this conference,” said Ben Beeson. “Given the recent rash of cyber attacks, it’s crucial for risk managers to have a clear view of the threats and know their cyber insurance coverage options.”

The conference will explore the range of cyber risks with emphasis on emerging areas of concern where London insurance markets have taken a global leadership position. While the focal point is cyber insurance solutions, the agenda aims to give risk managers an understanding of the full range of cyber-related risk and insurance issues.

For more information and to register, visit the Cyber Risk Insights Conference website.