K&R COVERAGE CAN APPLY TO MORE THAN JUST EMPLOYEES

Companies seeking to shield their proprietary information and data from sabotage may find an unlikely source of protection: kidnap and ransom coverage.

"One would think that you would have to buy special coverage," observed David Gauntlett, a partner with Gauntlett & Associates, an insurance coverage law firm based in Irvine, Calif.

But a lot of electronic data and information risks are covered under existing insurance policies, he said.

For example, in cases where criminals threaten to release a virus unless the company pays a ransom, "kidnap and ransom policies would be and should be quite responsive," according to David Steuber, a partner with Troop, Meisinger, Steuber & Pasich in Los Angeles. This situation is commonly known as "EDP Extortion" or electronic data processing extortion.

"Most often these policies cover extortion demands," he explained. "It's not simply a policy to respond to the kidnap of a person, but also to demands that might be applicable to a business or its products."

When the best-laid risk management plans fail, companies may find they not only have insurance coverage to respond to the losses but also to help foot the bill for additional security that may be required to respond to threats of a computer theft or virus being implanted.

For example, if a criminal were to threaten to introduce a malignant, malicious virus if a ransom were not paid, "this quite clearly would fall within the confines of kidnap and ransom policies," according to Mr. Steuber.

Mr. Steuber, an intellectual property and insurance coverage specialist, addressed this issue at a February conference in Laguna Niguel, Calif., on "Emerging Insurance Battles." Legal publisher Mealey Publications Inc. of Wayne, Pa., and Gauntlett & Associates co-sponsored the conference.

American International Group Inc. recently said that to respond to computer virus and other threats, it has broadened the coverage available under its Corporate Kidnap and Ransom/Extortion Insurance Policy, which is marketed through American International Underwriters' Crisis Management Division.

Among the expenses covered by the expanded K&R/Extortion policy are ransom/extortion monies, in-transit/delivery costs, consulting costs, judgments, settlements, legal costs, death and dismemberment, and other expenses related to trade secret/EDP extortions.

As part of the expanded coverage, AIU has eliminated most limits on covered expenses during an insured event so that any reasonable and necessary expense will be reimbursed.

While AIU underwriters say they have not seen an increasing number of claims for EDP extortion, there is increasing interest in K&R coverage from corporate policyholders, especially financial and high-technology firms.

"There's not been an increase in claims, but there's been an increase in interest in the coverage," especially because standard electronic data processing protection policies do not provide extortion coverage, according to Jean McDermott-Lucey, vp of AIU Crisis Management in New York.

"Multinationals are usually interested in protecting personnel, while domestics are more interested in the extortion side," she said.

Theft of sensitive information has been a concern of the federal government for decades, and it is now increasingly becoming a concern of private businesses as they become more information-dependent and realize the value of their proprietary data, experts say.

Computerized accounting systems, for example, make it possible to steal more money faster and more surreptitiously.

However, reliable data is hard to come by on which companies suffer from what types of "cybercrime."

Most companies do not report computer crime, to avoid public embarrassment and possible revenue loss, according to Dixie Baker, chief scientist in the El Segundo, Calif.-based Center for Information Security Technology. The Center is a unit of Science Applications International Corp., a San Diego-based computer systems integration contractor.

In fact, 37% of the 236 respondents to a recent U.S. Senate subcommittee survey of Fortune 1,000 companies said they would report computer crime only if they were required to do so by law.

Fifty-eight percent of the survey respondents reported break-ins to computer systems during the past year, with nearly 18% estimating losses exceeding $1 million.

More than 66% reported losses exceeded $50,000, according to the study, conducted by WarRoom Research L.L.C. in Baltimore for the Permanent Senate Subcommittee on Investigations. The report was released at "Security in Cyberspace" hearings late last year.

All of the empirical data collected over the past 20 years suggest that computer crime more frequently is committed by people within an organization than by outsiders, Ms. Baker said.

Often crimes thought to have been perpetrated by outsiders later were found to involve some insider collaboration, she said.

The Senate study found that the majority of the losses up to $500,000 were from insiders, while losses exceeding $500,000 were more likely to be attributable to outside attacks.

About 22% of the companies surveyed said they thought corporate competitors seeking trade secrets or documents of primary interest to the competitor were responsible for outside attacks.

Besides selling insurance, brokers and insurers usually contract with security consultants such as Encino, Calif.-based Pinkerton's Inc. and New York-based Kroll Associates to help their clients and policyholders develop risk management strategies to protect their information system assets.

There's really no substitute for good loss control where the protection of intellectual property in concerned, said Karen J. Miller, risk manager in the corporate legal department at LSI Logic Corp., a semiconductor manufacturer based in Milpitas, Calif.

"People have the wrong notion that insurance is a panacea," she said. "We haven't really looked to insurance to provide protection. We tend to focus on loss control and then use insurance as a backup."

Like most high-tech firms, LSI is very concerned about protecting its intellectual property and has gone so far as to take legal action against former employees for misappropriating trade secrets, Ms. Miller said.

Furthermore, she said, "When we enter into negotiations or discussions with third parties, we have a requirement that they sign non-disclosure agreements which protect our intellectual property."

"We've also set up a fairly extensive system of firewalls to protect access to our systems, which is where our IP resides," she said. "We have all sorts of password protection, and our codes are encrypted."

In addition, access to outside computers-such as to the Internet-is through servers rather than through individual modems, which provide two-way communication, Ms. Miller explained. While someone could upload a virus unintentionally with a modem, that is not possible with a server.

Although claims for sabotage to proprietary information and data would be covered by the K&R policy, this information is kept confidential by everyone who knows about it, experts note.

"Chances are if there's a payoff, you'll never hear about it, because that's the nature of the policy," points out Mr. Gauntlett.

"It's that kind of coverage. Once you know about it, it's an invitation to use it," agreed Mr. Steuber.