VoIP/POTS liability debate rages online!

 - 
03/03/2010
I had to just go ahead post some excerpts from Ken Kirschenbaum's email newsletter. If you don't get it, you can sign up at his site and tune in for the occasional back and forth between security industry mainstay Bart Didden and industry insurer Mike Kelly. They've been engaged in little friendly sparring match for a while now... Below please find some of their... uh... repartee. Here's the initial entry from Mike re: VoIP and liability issues...
Ken:     Your article of Jan 2010 ... on IP alarms had brought up a few interesting issues.   It is true & agreed alarm monitoring communications over POTS (phone) lines is beyond the control of the monitoring co.   However communications over a VoIP Networks for monitoring now has control responsibilities to protected the alarm network from  'Cyber (virus or Hacking) Breach' , this exposure is referred to as 'Frailer to protected your Network' .        I have built into our Cyber Liability Policy  E&O for negligent including gross negligent for 'Cyber Breach'   that extends to PERS, Alarm, GPS, & Video Monitoring ----------------and use of E-mail & Web Sites Network Liabilities is also provided.     My view on the contract provision is to included the words VoIP,, Network, Wireless, Phone lines and all  communications , this covers both 'Analog and IP (Internet Protocol)' transmissions.     The issue of Insurance coverage  for a General Liability E&O policy address 'Analog' or POTS Line communications Liability, and the Cyber E&O Liability policy address VoIP /Network Liability is--- both policies interface with one alarm contract.     Its is my understanding you are providing a VoIP Disclaimer Notice which is separate from your contrasts , we need to review all the above between us to understand all view points.   ATT has confirmed over 42% of the USA has switched from POTS Lines to VoIP Networks.  Over the next 5 years 90% will have changed over to VoIP communications. Best Regards; Mike Kelly Security & Communications Insurance
Huh...? (keep reading, it gets better...) Here's Ken's reply to that initial comment.
My Standard Alarm Contracts have been updated to include IP and Internet monitoring, although the Disclaimer Notice still warns subscribers that POTS is the preferred mode of communication.  In view of the email article that circulated on February 9, 2010 in which Mark Fischer of Nationwide Digital opined that POTS may soon be obsolete and VOIP the more common mode of communication, cyber liability issues which Mike Kelly has been so concerned about may very well become an important consideration insurance issue.      I spoke to Mike about his E&O program, which he developed.  There are a couple of points that he explained.  First, his program is underwritten by a carrier that offers the traditional general liability coverage with E&O for the alarm industry, but also includes cyber liability as part of the package.  Mike says that for minimum cover the premium is about the same as the other E&O policies in the alarm industry.  May as well get the extra coverage.      Now here is what cyber liability involves, if I understand it correctly.  First, a cyber attach [hacker would be one] that shuts down the central station computers preventing monitoring.  Second, that same virus then attacks the subscriber computer systems that are tied into the central station's computers through the Internet.  Apparently current E&O policies would not cover the alarm company from a claim arising form such an event.  Mike's policy would.  And, before I move on, Mike is offering a 5% agency premium discount and  Security America Risk Retention Group is offering a 5% premium discount if you use the Kirschenbaum Standard  Contracts, so make sure you get that discount.     Mike Kelly compiled a list of examples for cyber liability.  Here it is:  Examples of Cyber Liability not Covered an ANY GL Policy: 1)       'Identity Theft Liability' CRIME exposures of 1st and 3rd parties over the Internet that “breach” the Network Computers and access Med. info. BIOMETRIC ACCESS ID.,and other Personal data of Employees and Clients, FTC Required Notification Liabilities Is---- Cyber Liability. 2)       World Wide Liability of Internet Alarm Monitoring 'Virus Infection Breach' that shuts down a Central Station Monitoring—'Frailer to Protect your Network Liability' Cyber Contingent BI /PD Liability’s is Cyber Liability. 3)       IP / Internet Media---Use of  E-mail or Web Site Personal Injury Liability , Includes Copyright Infringement, Virus accidental introduction into network, Invasion of Privacy,  Liable / Slander / e-Hosting / e-Learning. are Cyber Liability. 4)        Network Acts Terrorism Liability, including World Wide Cyber Extortion, Data & Software Replacement, e-Business Interruption/ loss of income/extra expense/ is Cyber Liability. 5)       Internet Network Unauthorized Transfer Liability---loss of Funds / Money / Securities is Cyber Liability.     If indeed alarm communication is going to involve and depend upon the Internet cyber liability policies may very well be necessary for proper protection.  I'd like to hear more from Mike on this and also from the other alarm insurance brokers who often contribute to this forum.     I may even invite Mike to make a few comments at my first day presentation at the Smith & Wesson Security Dealer seminar on March 24, 2010.  For those of you who don't make it to the bottom of these emails [Mike apparently doesn't get that far], here is where I'll be at the ISC show in March:  I hope to see all of your there.  Stop by and say hello.
Okay, I'm with ya. Kinda. Here's where it starts to get really interesting with Mike talking about buzz words... VoIP's really more of an acronym (I've been writing about how the industry's full of em since way back), but...
Ken:     SWICHING FROM POTS LINE TO IP NETWORK---IT CAN BE CONFUSING AND IT’S ALL IN THE TERMINOLOGY;     We all have buzz words to explain what is POTS Lines , Phone Line connection , PSTN (Public switched telephone network),  & Analog  Communications .  This group after talking with a few dealers & Insurance folks looks like  these are best called 'POTS LINES'.     Other buzz words used are VoIP, 'All Digital' , IP Platform. IP-VoIP, , Internet, .or Network.   This group again after reviewing –looks like these are best called 'IP NETWORK'.     I would very much like your input and a up or down vote  on the terminology , please extend this e-mail to anyone who has any ideas on how we should best express these crossroads of communications. Thanks; Mike Kelly
Okay, here's the fun part, where Bart chimes in...
Hello Michael,     This e-mail request only adds to the mounting confusion and your insistence that there is a cyber liability that has been established upon alarm companies.     My concern is that an insurance professional should not be spearheading an effort that blurs the lines of the terms you are looking to join for the purpose of fulfilling your goal of creating the need for an additional insurance product.     If for no other reason but for clarity of the issue, could you please define for the alarm industry, as you are an insurance professional, what cyber liability is and how it applies to alarm company with some specificity to the way certain protocols are used by the alarm industry, other than your one commonly attached sheet that lists three case decisions to which you offer nothing other than the parties involved, rather than the actual written decisions.     I will admit that the one thing you have been successful at is forcing members of the SARRG Board to talk about this issue and continue to try and figure out it you are correct or just creating a market.     So far it has not been going your way. Bart Didden
A little inflammatory and adversarial, but you can see his point. And now Mike's comeback... you can see where "repartee" doesn't really fit here, but...
Bart—thanks for your response,     As an Insurance Licensed  Professional I have produced three (3) alarm Insurance Programs over the past 31 years,  we can all agree Insurance products for the alarm Industry can not have blurred confusion and must define the coverage’s and fit the exposures.  The reason for my last e-mail was to separate the exposures of communications and bring forward understanding of what is  POTS Line (Analog Insurance )  vs. IP (Internet Protocol ) IP Network Insurance.     The IP Cyber Insurance Product is NOT new --- the Insurance Market responded to IP Internet liability 8 years ago when the worldwide web network came to be –some say the founder was Al Gore ?.    Back then e-mail and web site Liability for 'IP network' 3rd party protection ( as  today) is not found in a General Liability Policy for-- Identity Theft of data, Copyright /Trademark Infringement, Libel, Slander,  Personal Injury and False Advertising---  and was the base  then of the Cyber liability product.  I have extended the above coverage’s and included 'Access Control' Crime Liability from ID theft of Biometric information (eye retina. fingerprint, voice print & face print) as  ID Theft and Crime Liabilities now affect both 1st & 3rd Parties (Clients & Employees) .  I have also added Other Coverage’s : loss of funds in unauthorized  network transfer ,  loss of income & extra expense (Including FTC Red Flag notification costs)  due to network cyber breach, & cyber extortion to name a few endorsements.      Today—the FBI has confirmed  'IP Network Identity Theft is the number one Crime' , but Cyber Liability has moved far beyond  what once was just ID Theft.  With 45+% of homes and businesses switching from POTS Line to IP Networks   The Alarm Industry especially is exposed when Alarm,  PERS, Video, Access Control Installation & Monitoring is done over IP Networks . Some of the main exposures are due to the IP Network  connected to the worldwide web, a virus or hacker can come from anywhere in the world and inject malicious coding attacking  any software and  affecting  monitoring computers, or (office) network computers shutting them down and or causing data unauthorized  downloading.   The Insurance policy must have Worldwide Liability Reinsured Treaty Coverage, not just USA Territory--  for defense and indemnification.   This virus network breach will be viewed as negligence   on the part of the alarm dealer known as 'Failure  to protect your Network'  and is a 1st party Liability.  As Other Liability exposures come from 'Rogue Employees' or 'Rogue Sub-Contractors'  selling or using  your IP network codes to access your networks, and then Acts Of Terrorism comes into the picture both from domestic and foreign parties,  to further cause 'Failure to protect your Network' Liability.     What is New about Cyber IP Network Insurance coverage’s ( In my professional view) is  it has Four (4) main sections of coverage’s. 1) Worldwide Liability to protect 1st & 3rd parties  2) Crime Liability 1st & 3rd Parties, 3) Media Liability e-mail, web site (see above exposures) but also e-Learning & e-networking E&O .4) Network RMR Loss of Income, extra expense, virus / hacking software /computer replacement & loss of funds transferred.     I have enclosed our outline of Cyber coverage’s within the  AXIS IP-e Alarm Security Insurance Program for your review and comment.    I am open to review with you and the SARRG Board or an Insurance Company-- anytime on the Cyber Insurance issues.     Your Input is Appreciated & Very Timely  ; Mike Kelly
I'll say it again--Huh? I mean, if you're still reading, you're a veritable industry blog ninja. Kudos to you. And this post wouldn't be complete without Bart's response...
Michael, you’re welcome.     However, I must admit that I cannot read your last e-mail for it hurts my brain, eyes and skeletal structure in general. I think that I also got whiplash from my head falling to the side so much.     Through your rambling you have perfectly defined why the industry in general should take this issue away from you and devote it to a committee who understands not only our transmission and connected technologies, but the data that we store in connection with the services we provide, which at that point we should invite the esteemed attorneys that you listed to establish the risks that will need to be mitigated, and levels of insurance to protect our assets, besides adopting Standards to also answer how we move forward.     Finally, I am concerned about the distribution list of these e-mails. You have included representatives from companies that have such internal conflicts between the insurance programs you sell and the subrogation departments that look to dismantle the very contract provisions that make insurance affordable for our industry and our services affordable for society.     Please stop, sit back and allow the leaders of our (my) industry do what they do best, protect my interests as an alarm service provider in a cooperative organized manner, rather than an insurance agent just trying to make a market and increase his/hers book of business. Bart A. Didden
Check out Ken's site for more... Keep up the discussion, guys.

Comments

I have two shocking things to say. Firstly, many will surprised to learn that it is far easier to "hack" into an alarm transmission over a PSTN/POTS line than it is to hack into one over IP or even VoIP . Secondly, I agree with Bart (you don't know how much that hurts).
There are some very clever people in the security & IT industries that should be consulted by the Insurance people before some crazy new legislation is put into place.

Thanks for the comment Steve. Nice to hear from you. I think this kind of dialogue is important, especially when trying to work out industry standards and practices and decide on insurance and legislation.