Cyber insurance – What coverage in case of an alleged act of War? Questions raised by the Mondelez v. Zurich case

In October 2018, snack company Mondelez International, Inc. (Mondelez) filed an action against Zurich American Insurance Company (Zurich), requesting indemnification for more than USD $100,000,000 in losses caused by the NotPetya cyber virus. Zurich refuses to cover these damages alleging one of the insurance policy's exclusions for damage resulting from a hostile or warlike action by a government, as the NotPetya attack is said to have been sponsored by Russia. This case is noteworthy for multiple reasons: not only is it the first significant legal dispute in the insurance field concerning the recovery of costs resulting from a cyber attack, but it is also the first time that an insurance company is invoking the war exclusion to decline coverage for an allegedly state-sponsored cyber hack.This article analyzes the key issues of this important case, including attribution of a cyber attack to a State and interpretation of an insurance policy's war exclusion in a cyber context, and the likelihood of success of Mondelez's arguments. It also explores the strengths and limits of general principles of contract and public international law when applied to new technologies and cyber incidents. Finally, it discusses the potential impacts of the Mondelez case on the contents and limits of future traditional and cyber-specific insurance policies.     

Tripartite perspective on the copyright-sharing economy in China

Internet and digital technologies have facilitated copyright sharing in an unprecedented way, creating significant tensions between the free flow of information and the exclusive nature of intellectual property. Copyright owners, users, and online platforms are the three major players in the copyright system. These stakeholders and their relations form the main structure of the copyright-sharing economy. Using China as an example, this paper provides a tripartite perspective on the copyright ecology based on three categories of sharing, namely unauthorized sharing, altruistic sharing, and freemium sharing. The line between copyright owners, users, and platforms has been blurred by rapidly changing technologies and market forces. By examining the strategies and practices of these parties, this paper illustrates the opportunities and challenges for China's copyright industry and digital economy. The paper concludes that under the shadow of the law, a sustainable copyright-sharing model must carefully align the interests of businesses and individual users.     

Identity crisis: Global challenges of identity protection in a networked world

Modern identity is valuable, multi-functional and complex. Today we typically manage multiple versions of self, made visible in digital trails distributed widely across offline and online spaces. Yet, technology-mediated identity leads us into crisis. Enduring accessibility to greater and growing personal details online, alongside increases in both computing power and data linkage techniques, fuel fears of identity exploitation. Will it be stolen? Who controls it? Are others aggregating or analysing our identities to infer new data about us without our knowledge or consent? New challenges present themselves globally around these fears, as manifested by concerns over massive online data breaches and automated identification technologies, which also highlight the conundrum faced by governments about how to safeguard individuals' interests on the Web while striking a fair balance with wider public interests. This paper reflects upon some of these problems as part of the inter-disciplinary, transatlantic ‘SuperIdentity’ project investigating links between cyber and real-world identifiers. To meet the crisis, we explore the relationship between identity and digitisation from the perspective of policy and law. We conclude that traditional models of identity protection need supplementing with new ways of thinking, including pioneering ‘technical-legal’ initiatives that are sensitive to the different risks that threaten our digital identity integrity. Only by re-conceiving identity dynamically to appreciate the increasing capabilities for connectivity between different aspects of our identity across the cyber and the physical domains, will policy and law be able to keep up with and address the challenges that lie ahead in our progressively networked world.     

Use and Evolution of the Claims-Made Policy Form in Environmental Insurance: Selected Issues

Environmental risks have two basic components: the policyholder's obligation to clean up contaminated property and the policyholder's potential liability to third parties, including the government, resulting from environmental damage. The environmental risks for which policyholders seek coverage include environmental cleanup costs, third-party bodily injury claims, third-party property damage or devaluation claims, fines/penalties for noncompliance, or loss of market share due to lack of environmental stewardship. To be certain that all aspects of potential environmental liability are covered, an expert insurance consultant or broker should be retained to plan the program, analyze policy language and execute the purchase in the most cost effective way.     

Hackers Are After More than Just Data: Will Your Company's Property Policies Respond When Cyber Attacks Cause Physical Damage and Shut Down Operations?

Recent attention on high profile data breaches has overshadowed a potentially greater risk: cyber attacks on large industrial companies causing physical damage, potentially releasing contaminants, and shutting down operations. A handful of publicly reported cyber-attacks, including explosions at an oil pipeline and a steel mill, have highlighted the potential vulnerability of these companies' internet-facing industrial control systems to hackers. The insurance industry has reacted to the growing risk of privacy-related data breaches by marketing and selling so-called “cyber policies.” But these policies typically exclude coverage for property damage and are ill-suited to cover the magnitude of business interruption losses that could result from an extended shutdown of a large industrial operation. That leaves policyholders to look to their traditional property policies. This article examines the cyber-attack risk that large industrial companies face and how those companies' traditional property insurance policies may help mitigate that risk.     

EU Excise Duties and Section 90 of the Australian Constitution

The constitutionalisation of the EU has been not without its challenges. However, putting aside the apparent political difficulties of the constitutional process, this article argues that, because the further constitutionalisation of the EU depends on its ability to assimilate some features of a federal state, there are, at least, two reasons why the EU is not yet ready for its constitutionalisation. The first reason is that its excise duty system, which permits discriminatory and protectionist behaviour by Member States, prevents the EU from achieving its fundamental objective of an internal market. The second reason is the EU's budget, which is so small that it is doubtful whether the EU will survive its continuing enlargement. As a solution to this problem, this article introduces section 90 of the Australian Constitution, which provides the Commonwealth of Australia with the exclusive power to levy excise duties. The article argues that the adoption, by the EU, of a similar fiscal arrangement would remove the discriminatory and protectionist operation of its excise duty system and help enlarge the size of the EU's budget by providing it with a self‐ financing mechanism.     

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.     

Busting the Myth of the Unavailability of Insurance Rule's Application to Loss Allocation for Pollution Liability Claims Since 1986

Tens of millions of dollars in pollution liability losses have been mistakenly allocated to general liability insurers under the “Unavailability of Insurance” rule in jurisdictions that employ it. Under this rule, a policyholder is not allocated losses for years when they claim that pollution liability was unavailable – mainly after the advent of the 1986 “absolute” pollution exclusion. Recent research has been compiled to include thousands of pages of evidence that by 1986 and to this date there was and has been a viable pollution liability insurance market that would not only underwrite a current year's risks, but also erase any prior pollution insurance coverage gaps by insuring decades of prior acts. This article looks at this rule and the enormous impact it could have on insurers' pollution liability reserves if it continues to be misapplied.     

欧盟保险法的统一进程

在欧盟,以宪法性法律文件为基础,通过三代保险指令,也包括正在形成的第四代保险指令,欧盟的单一保险市场正在逐步形成.但相对于欧盟的保险监管制度来说,保险合同方面的调和则严重滞后.在这一领域,目前法律的发展仅局限于对保险合同冲突法的调整.这种状况导致了保险服务自由的目标难以实现.为了改变这种局面,欧盟的相关机构进行了有益的探索.其中的关键问题在于,欧盟应为各成员国提供统一的保单持有者的保护标准.顺应这一要求,最好的办法是颁布有关欧盟保险合同的实体法.我国作为世贸组织的一员和保险法尚不完善的国家,对于其中的动态应给予足够的关注.     

Secrecy and Seclusion: Developments in Privacy Insurance Law

Privacy has become big news. Our society has an epidemic of identity theft, loss of personal data, blast faxing, and data mining. The wave of new privacy litigation has led to a wave of privacy insurance litigation, particularly with respect to coverage for blast faxes—unsolicited and unwanted facsimiles which bombard businesses and individuals. The main debate results from the fact that while the advertising injury section of the general liability policy provides some coverage for invasion of privacy, the new privacy causes of action do not necessarily fit the insurance policy's coverage. For example, while blast faxes invade the recipient's privacy or seclusion, insurers assert that the faxes do not involve the publication of secret material. To meet this problem, insurers are writing new tech or cyber policies that provide far more expansive coverage for privacy.     

Protecting digital identity in the cloud: Regulating cross border data disclosure

Widespread use of cloud computing and other off-shore hosting and processing arrangements make regulation of cross border data one of the most significant issues for regulators around the world. Cloud computing has made data storage and access cost effective but it has changed the nature of cross border data. Now data does not have to be stored or processed in another country or transferred across a national border in the traditional sense, to be what we consider to be cross border data. Nevertheless, the notion of physical borders and transfers still pervades thinking on this subject. The European Commission (“EC”) is proposing a new global standard for data transfer to ensure a level of protection for data transferred out of the EU similar to that within the EU. This paper examines the two major international schemes regulating cross-border data, the EU approach and the US approach, and the new EC and US proposals for a global standard. These approaches which are all based on data transfer are contrasted with the new Australian approach which regulates disclosure. The relative merits of the EU, US and Australian approaches are examined in the context of digital identity, rather than just data privacy which is the usual focus, because of the growing significance of digital identity, especially to an individual's ability to be recognized and to transact. The set of information required for transactions which invariably consists of full name, date of birth, gender and a piece of what is referred to as identifying information, has specific functions which transform it from mere information. As is explained in this article, as a set, it literally enables the system to transact. For this reason, it is the most important, and most vulnerable, part of digital identity. Yet while it is deserving of most protection, its significance has been largely under-appreciated. This article considers the issues posed by cross border data regulation in the context of cloud computing, with a focus on transaction identity and the other personal information which make up an individual's digital identity. The author argues that the growing commercial and legal importance of digital identity and its inherent vulnerabilities mandate the need for its more effective protection which is provided by regulation of disclosure, not just transfer.     

The transformative nature of the EU Declaration on Digital Rights and Principles: Replacing the old paradigm (normative equivalency of rights)

In December 2022 the European Commission, the European Parliament and the Council of the European Union jointly signed the European Declaration on Digital Rights and Principles, a document aiming to steer the EU digital agenda upon EU constitutional values and fundamental rights. Digital constitutionalism scholars regard the Declaration as a positive step forward within the process of constitutionalization of the digital environment in Europe. The Declaration includes both traditional rights enshrined in the EU Charter of Fundamental Rights and digital principles. Some of these principles have progressively underpinned the EU digital policy framework while others have been expanded in the Declaration or are of completely new formulation. In this contribution, we assess the Declaration's value in terms of relevance and novelty within the landscape of protection of online needs and interests in the EU. By assessing the Declaration's normative approach and using Lawrence Lessig's distinction between codifying and transformative constitutional regimes, we evaluate the Declaration's progressive and transformative character under a constitutional perspective.     

The new EU cybersecurity framework: The NIS Directive,ENISA's role and the General Data Protection Regulation

The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive's addressees particularly with regard to their compliance obligations as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU's General Data Protection Regulation.     

Eu search for regulatory answers to crypto assets and their place in the financial markets’ infrastructure

Crypto assets are no longer a niche topic for geeks but an important trend in financial markets and an uprising asset class. This is due to technological advancements, spike in token issuances, and Facebook's Libra project, now called Diem, among other things. Many potential benefits of crypto assets for the financial sector are widely recognized, including cost savings, improved efficiency and transparency. The rapid growth of the crypto assets ecosystem has intensified the focus of regulators. They are challenged to provide an adequate response, protect investors and customers, and mitigate risks while fostering technological development. Currently, at the EU-wide level, there is a regulatory gap, which contributes to legal uncertainty and weak investor protection. Several European jurisdictions have been proactive and successfully designed their own national regulatory solutions to crypto assets. Many European and international supervisory and regulatory bodies contributed to the debate and issued reports, analysis and statements highlighting risks and making regulatory recommendations. The European Commission took the first steps to assume its competence over all crypto assets within the EU and, after a comprehensive review of the entire crypto assets ecosystem, issued a proposal for a regulation on markets in crypto assets. This paper evaluates the EU's current regulatory approach to crypto assets against the background of the views and reports of several advisory and supervisory bodies and international organizations and against market developments.     

Of Values and Legitimacy – Discourse Analytical Insights on the Copyright Case Law of the Court of Justice of the European Union

The Court of Justice of the European Union (CJEU) increasingly faces societal value‐conflicts in EU law disputes. For example, in EU copyright law, in the digital age, diverse fundamental values, as well as cultural and societal developments, are at stake. This article discusses the role of the CJEU in the European value discourse, using copyright law as a case study. The methodological approach used, critical discourse analysis, is seldom applied in jurisprudential studies, but is well suited for teasing out value‐related aspects of case law. Exploratory research of seminal copyright cases suggests that the CJEU's discourse of the various values seems unnecessarily one‐sided and shallow. A lack of discursiveness in the jurisprudence would diminish the legitimacy of the Court's decisions, and would not offer adequate guidance to national courts or private decision‐makers, to whom the Court at the same time may be leaving more of the task of value reconciliation.     

Women's Political Representation in the European Union

Feminist studies of the European Union seek to make sense of a field that has become enormously complex. Gender equality has been an issue in the EU since the inclusion of Article 119 on equal pay in the Treaty of Rome 1957 but has since widened to the recognition of equality between women and men as a fundamental principle of democracy for the whole EU. Gender equality is present both in gender-specific policies, such as women's participation in the labour market, sexual harassment and reconciliation of work and family, as well as informing the basic principles and functioning of the EU institutions wherever gender mainstreaming is implemented. Feminist explorations of the EU have tended to overlook one aspect of EU gender policies: women's political representation in the EU institutions. This article seeks to address this gap.     

Future challenges for smart cities: Cyber-security and digital forensics

Smart cities are comprised of diverse and interconnected components constantly exchanging data and facilitating improved living for a nation's population. Our view of a typical smart city consists of four key components, namely, Smart Grids, Building Automation Systems (BAS), Unmanned Aerial Vehicles (UAVs), Smart Vehicles; with enabling Internet of Things (IoT) sensors and the Cloud platform. The adversarial threats and criminal misuses in a smart city are increasingly heterogenous and significant, with provisioning of resilient and end-to-end security being a daunting task. When a cyber incident involving critical components of the smart city infrastructure occurs, appropriate measures can be taken to identify and enumerate concrete evidence to facilitate the forensic investigation process. Forensic preparedness and lessons learned from past forensic analysis can help protect the smart city against future incidents. This paper presents a holistic view of the security landscape of a smart city, identifying security threats and providing deep insight into digital investigation in the context of the smart city.     

The Role of the Broker When Environmental Claims Occur

While environmental incidents tend to occur infrequently, they are often serious enough to disrupt the operations of the entities that experience releases of hazardous materials. The consequences of such events may include third-party claims for bodily injury and property damage, orders to clean up contamination, and regulatory actions against responsible parties. Fortunately, environmental insurance is available to provide protection against the financial consequences of a wide variety of pollution events. This article looks at the role of the broker in assisting clients to identify, analyze, and insure against environmental liability. With properly drafted policies and active participation in the claims management process, the broker can play a significant role in assuring that an environmental insurance policy responds as anticipated when an unexpected incident threatens a client's operations.     

The Meaning of Champion Dyeing and Finishing: EIL Insurance Must Be Available in the Year That the Precise Risk Manifested Itself

Champion Dyeing & Finishing Co., Inc. v. Centennial Insurance Company and North River Insurance Company, decided in November 2002, represents a decisive victory for policy holders in environmental coverage litigation involving the availability of EIL insurance after 1985 or 1986. EIL coverage was generally unavailable after 1985 and until 1995, particularly for old leaking underground storage tanks (UST's). The availability issue arises in environmental coverage cases where the court adopts a prorata rather than joint and several theory of allocating responsibility for cleanup costs, and when in such cases there are periods of no insurance, because, for example of the insertion of the absolute pollution exclusion in commercial general liability (CGL) policies. In those circumstances, the courts apply the “willing self-insurer” rule and allocate responsibility to the insured who willingly decided to retain the risk. Until Champion Dyeing, there was little guidance about how to determine availability in the context of site-specific environmental pollution. The case was part of a 1998 declaratory judgment action by a small manufacturing company seeking reimbursement for cleanup costs attributable to pollution from two fuel oil storage tanks found leaking in November 1997. Reversing the trial court's decision, the New Jersey appellate court found that defendants failed to prove insurance available to the insured in 1997 and that therefore the duty to indemnify should have been apportioned solely among the insurers. In doing so, it stressed the necessity of demonstrating that insurance could have been purchased covering the precise risk that manifested, not simply that EIL insurance covering undefined risks was available. Its rationale was based on a recognition of the two essential differences between EIL and CGL insurance: claims made trigger of coverage and coverage of specific pollution conditions rather than generalized occurrences. In addition, testimony at trial failed to demonstrate the availability in 1997 of insurance providing coverage for the risk at issue because the testimony at the insurer's expert lacked foundation. This decision indicates that, in order to prove or disprove availability, the parties must first hire a competent environmental insurance expert and then must ask and answer three questions: What policies were being issued in the market that applied to the particular type of risk during the relevant time period, and especially in the year that the risk manifested? Would the insured have been able to purchase one of these policies or endorsements for its particular risk? Would the policy terms have provided coverage for the specific manifested risk in question? After applying these three questions to a number of hypotheticals with typical fact patterns, it is evident how impossible it is to prove coverage available for UST risks such as in the Champion case and how extremely difficult it will be to do so for non-UST, generally-site specific risks.     

A Review of the Creation by the European Court of Justice of the Right to Effective and Speedy Medical Treatment and its Outcomes

Abstract:  This article is in two parts. The first part examines a number of judgments delivered by the Court of Justice of the European Communities since 1998, all of which relate to the free movement of medical services covered by national healthcare schemes of the Member States. It then demonstrates that these judgments, when construed cumulatively, reveal that not only have all EU citizens insured under national healthcare schemes been accorded the right to obtain effective and speedy medical treatment anywhere in the EU, in the event that their home national healthcare fails to provide this, but also that the cost of such treatment shall be borne by their home national insurance scheme. The fact that the new right has developed despite each Member State having exclusive competence with respect to the organisation and financing of its healthcare system is commented upon. The second part suggests and discusses risks and limitations currently surrounding the right and its exercise, and indicates challenges that the new right poses for the national healthcare systems of the Member States.