
Cyber Risk:

An uncommon education on organizational and network exposures not ready for TV or governmental PRIME TIME

Volume 7, No. 1, Fourth Quarter 2000

By Donald W. Bendure, MBA, CPCU, RPLU, RF, ACI

The "Top Gun" fly-by-wire generation and the subsequent Internet surge have everyone feeling the "need for speed." The venture capital and commercial push/pull are compelling. It took three years for venture capital deals per quarter in the U.S. to double from $1.9 billion to $3.8 billion in the third quarter of 1998. By the third quarter of 2000, the venture capital deals were in excess of $20 billion per quarter! The growth rate for Texas has been even more pronounced. From the second quarter of 1999 to the second quarter of 2000, venture capital investment in Texas more than tripled, from $293 million to $1.09 billion, according to a recent PricewaterhouseCoopers Money Tree Survey.

Where are the hotbeds in the U.S.? California and Massachusetts have led the pack for each of the last five years, with more than 1,900 deals between them for 1999. Texas has ranked either #3, #4 or #5 for each of the last five years, with New York, Colorado, Washington and New Jersey sprinkled into the open slots over those same years. We are headed at point-and-click speed toward the biggest gold rush in world history. But as someone in the industry recently pointed out, speed is critical, but speed without accuracy is suicide.

So how do we lock in coordinates and navigate this fly-by-wire, warp-speed industry through the travails of cyber risks without slowing down the first-to-market and first-to-monetize philosophy? We do it through .edu(cation) of the .org(anization). This education process for the most part will be new for everyone involved, because there is little about the brick-and-mortar world that carries over well to the cyber world. Few issues have been tested in the courts, and there is little in the administrative areas that is well defined. Add to that the global nature of the Web, and borders dissolve into the Ethernet.

Where are the sensitivity areas for cyber risks? They fall into four broad categories: (1) security-related issues, (2) business continuity issues, (3) privacy issues and (4) intellectual property rights. Most questions and answers in all of these areas are young and untested. How they are answered will determine the complexity of their impact.

Security-related issues have been gaining even more attention since the Microsoft source code cyber burglary during October, which lasted roughly a week. Theft of the code was one major concern, but corruption of the code by a computer virus could have been devastating if left undetected. Many questions surround the contributory negligence of sites anywhere along the route used by hackers. For instance, if an Internet server is used as a "zombie slave" to destroy another computer's database, is the owner of that server partly liable? If a search engine brings the hacker to a site, is it partly to blame? The very Web itself creates complications in legal liability that never existed before. How much security is enough? Where is the line between prudence and negligence?

Business continuity issues are ever-present because of the cyberspace dependencies. Continuity is complicated by the interconnectivity of the business processes and their interdependency — from procurement of resources to logistics of product delivery. What is so profound about the Internet is that once it is embraced, paradigms shift dramatically, and the business itself increasingly depends upon the integrity of the processes. We're not in Kansas anymore.

Privacy issues to a large degree are dependent upon security issues, because without security being in place, there can be no privacy. Here is where design and anticipation can save a world of hurt. What happens when unauthorized parties gain access to information that can be used to damage the client? Was it the fault of the designer of the firewall, the designer of the encryption code, the designer of the Web site, the creator of the electronic form, or all of the above? Since cookies (the digital kind) have become such a ubiquitous tool for client relationship management, privacy has become even more complicated. If the information gleaned from cookie crunching is shared with another affiliate company of a Web site, issues can be raised on a very large scale. What if the affiliate company does not treat private information in the same way? Or should any of the companies have the private information of their clients in the first place? These questions point to the computer recording of this shared information as a smoking cannon. Metatags are becoming increasingly problematic, since there is an issue of consent for the use of someone else's name to draw attention to a site. Since Web sites are essentially exercises in publishing, the traditional exposures of libel and slander apply to Web publishers as well.

Intellectual property concerns keep CEOs awake at night almost as much as money issues these days. A fundamental change contained in the 1996 Patent Act included the "offer to sell a product" as a qualifier under the definition of "infringement." This change altered the landscape considerably. The State Street Bank case revolutionized the patent industry by allowing "processes" to be patented. Laws have been turned into offensive weapons overnight. Rather than using the traditional license approach for processes, Amazon.com has come under considerable criticism for using its business process patent for click-through purchasing to deny competitors like Barnes and Noble the ability to sell on the Web. Business process patents have not been examined well or thought through as much as they should be from the perspective of their impact upon business. There is now support mounting to change the patent term from 17 years to three years because of the potential commercial disruption from the longer term. But if we change to a three-year patent term, what does that do to the financial pro-forma for companies with research and development costs? Not pretty.

Clearly, cyber risk can truly be considered an enterprise risk for every Web-enabled organization, involving all facets of business management, from IT to legal. For Web enterprises, it is estimated that 70 percent of the net worth of the enterprise is contained within intangible property. "Data" has yet to be litigated as "tangible" property in many jurisdictions. As a result, recovery through traditional insurance is complicated because of the "property damage" definitions involved. Cyber risk insurance addresses these issues more adequately, and in many cases manuscript forms must be used to tailor coverage to the risk. But neither the cyber risk policies nor the manuscript forms have been in existence long enough to test the language, so the industry is in uncharted waters at this point.

Since the Web is dealing primarily with people and processes, regulators will be involved in many areas of governance. Napster has tested the patience of regulatory agencies, the courts and legislators. But consider this: there is no World Wide Web standard or consensus for business process patents, Web advertising, or copyright infringement, nor does it appear one is coming down the road any time soon. Whose jurisdiction will allow an actionable claim? What are the laws that address these torts, committed in ways never encountered before?

If there was ever a question about what attorneys would do after Y2K, that has been answered. This developing area of law and practice will keep us all scratching our heads for some time to come. Cyberspace has created the largest revolution in process the world has ever seen, and it's only just begun.