Dangers Lurk in Cyberspace
A primer on risks and insurance
By John E. Black Jr., Lorelie S. Masters and David S. Weitzel
Cyberspace is a whole new world of risks. Can businesses control them? Is
insurance available?
With the emergence of global e-commerce, these questions now confront
businesses and require a new level of security awareness in corporate
boardrooms. Cyber-risks are myriad and continue to evolve. They include
damage to networks, data and other computer systems, as well as exposure to
third-party claims. Controlling cyber-risk therefore must be addressed by
corporate risk departments and the officers and directors who oversee their work.
Not all security risks can be eliminated through system hardware and
software. Some exposure always exists, and damage may occur despite a network
manager's best efforts. Nor does bringing cyber-criminals to justice mitigate
the loss they cause. It is the duty of a corporate risk manager to be aware
of these risks and to actively manage the company's risk exposure.
In this environment, a new class of insurance has emerged to fill potential
gaps in standard insurance policies. This article identifies six principal
cyber-risks, briefly reviews insurance policies to identify common cyber-risk
coverage concerns, and describes the new insurance policies designed to
insure those risks.
Security — A corporate manager should be aware of the risk
of loss for networks and equipment, databases and information assets, and
proprietary and confidential information. While property insurance typically
covers these systems, many insurers are limiting the risks covered under
these contracts given the new computer-related exposures.
Just as with building fire suppression and physical security, a modern
corporate computer network system must have security features built into its
architecture. As a baseline, companies should install firewalls to deter
intruders and to identify incursions. Most companies that provide access to
the Internet have been "attacked." Most do not know it. A good
security and monitoring system should help identify such incursions and
protect against future incursions.
Companies often keep previously access-restricted information on the
corporate intranet with minimal security measures added. Besides corporate
product development and internal budget and sales data, other data on such
systems includes employee-sensitive data — compensation scales and
histories as well as hiring and retention information.
Companies also need to put in place and enforce security procedures to
protect against both internal "rogue employees" and external
"social engineering" — the willingness of employees to
allow hackers and thieves posing as legitimate repairmen or company personnel
into the company's computer systems or physical premises.
E-commerce and computer assets — Does your insurance reflect
the worldwide nature of the Internet? More important, does it protect against
liability regardless of where it arises — here in the United States
or in some remote corner of the world? With the emergence of e-commerce
business models, corporate managers must review the exposure created by
e-commerce contracts, warranties, product integrity risks, professional
services conducted online, and "fail-safe" transactions now exposed
on the Internet. Almost all Web sites can be accessed anywhere in the world.
As a result, part of this system investment should deal with the previously
unseen trans-border nature of the Net.
Both companies and individuals should protect all valuable computer assets
by backing up data and creating fall-back system "architectures."
To protect against the operation of "Murphy's Law," companies also
should create disaster recovery plans in case the worst happens and a virus,
act of God, or other unanticipated event prevents the business from operating
in normal fashion.
Privacy and information collection — "Fair
information practices" underlie the issue of privacy in cyberspace.
Businesses should create Web site privacy notices and review them
periodically to assure that they meet fair practices. The Federal Trade
Commission (FTC) has been very active in overseeing these online information-
collection practices. Any company engaged in Internet-exposed business areas
or activities must protect privacy at a higher level. Similarly, companies
that do business outside the United States must be aware of foreign privacy
laws, such as those in Canada, Australia and the European Union with its Data
Directive.
Several trust seal systems assist companies in complying with, and
certifying compliance with, fair information practices. TRUSTe and BBBOnline
are two of the better-known privacy seal programs. Both of these programs
also have special seals for companies collecting information from
children.
In the United States, privacy is often protected statutorily by business
sector or activity. The applicable laws in this area include: Title V of the
Gramm-Leach-Bliley Act (GLBA), which applies broadly to financial
institutions; the Health Insurance Portability and Accountability Act
(HIPAA), which broadly applies to health care and some other organizations;
and the Children's Online Privacy Protection Act (COPPA), which applies to
businesses that collect information online from children 13 or under.
While you may not consider your client's organization to be a financial
institution or health-care institution, funding arrangements with customers
or providing health care self-insurance may bring the organization under the
purview of certain provisions of the GLBA or HIPAA.
Intellectual property — In cyberspace, the traditional role
and protections for patents, trademarks, copyrights and trade secrets are put
at risk, and the need for the licensing of others' intellectual property is
taken to new levels. New business-method patents also have been granted for
some business models used in cyberspace.
The role of intellectual-property protections for new concepts in
cyberspace such as domain names and metatags is still being explored. If a
domain name infringes on a corporate trademark, then new dispute-resolution
procedures are available. Law applicable to the use of hyperlinking and deep
linking to content created by others is still evolving. The protection of
corporate Web sites, chat rooms and e-mail systems also must be examined.
The corporate manager of a business operating in cyberspace must determine
if the business' systems are acting as an "interactive computer
service" or as an "Internet content provider." If they can be
viewed as a content provider, they may be subject to the higher standard that
copyright law sets for publishers.
However, the Digital Millennium Copyright Act (DMCA) affords protection for
Internet connectivity or content providers — such as Internet Service
Providers (ISPs) — against liability for content posted by others.
Although this protection requires the operator to "take down"
offending material after proper notice, the ISP is protected from both the
one who is requesting the removal of the offending information and the one
from whose site the information is being removed.
Defamation and publication — New levels of cyber-exposure
exist in the area of defamation. With the Internet, the audience to whom a
defamatory statement can be published has become worldwide, and businesses
must make sure that their Web sites do not contain defamatory material.
Employee chat rooms may create a higher risk of defamation. Employee e-mail
also presents this risk. Businesses should adopt and enforce
guidelines.
A corporate manager must also be aware that First Amendment protections
stop at our national borders. Comments that may be perfectly acceptable under
the United States' view of free-speech protections may be illegal or
actionable in other nations.
Advertising — In the United States, the FTC and state
attorneys general regulate advertising. The FTC has created several documents
regarding advertising and fair information practices for the collection of
information over the Internet. For example, the FTC has prepared guidelines
called "Advertising and Marketing Online: Rules of the Road," and
has posted them online.
Simply put, advertising over the Net, like that in real space, must be fair
and nondeceptive and, as the FTC states in its "Rules of the Road,"
advertising "claims must be substantiated." While Internet
advertising may not be "written" within a narrow interpretation of
the word, a company would best act as if its Internet advertisements were
written advertising and abide by rules governing such advertising.
One of the Internet's additions to the world of advertising is junk e-mail
or spam, the bane of many Internet users. ISPs have installed filtering
systems to assist users in eliminating spam. ISPs have used self-policing
services to keep known spammers from using their systems. Attempts at
legislation to prevent spam have been tried, but largely have failed because
of First Amendment concerns in the United States.
Countries outside the United States are not bound by the constitutional
limitations that may constrain efforts to regulate spam in this country. In
addition, even in the United States, companies should be aware of state and
other government efforts to regulate or at least minimize spam.
Most traditional insurance policies were written before the advent of
e-commerce. While some policies, such as comprehensive or commercial general
liability insurance (CGL) or media liability insurance, may afford coverage
for a portion of cyber-risk, companies engaged in e-commerce or dealing with
computer data assets may find that their standard or traditional insurance
policies provide at best incomplete coverage.
In addition, insurance companies selling traditional CGL or media insurance
increasingly are specifically excluding coverage for such risks out of
concern about the exposure and their ability to price the additional coverage
adequately.
A frequent matter of dispute concerns the definition of
"property" or "property damage." The standard CGL policy
typically defines "property damage" as "physical injury to
tangible property including the resulting loss of use of that property."
Insurance companies have denied coverage for the loss of or damage to data
stored in computers or the loss of access to such data on the basis that such
loss does not constitute tangible "property" or sufficient
"property damage."
For example, in a denial of service or other hack attack, the company could
lose proprietary or client data, or company clients could lose access to the
company's computer systems, which could result in an interruption in the
company's business. Alternatively, if the company negligently failed to prevent
its system from being used as a "zombie" in a distributed denial of
service (DDoS) attack on another company's system, the company operating the
"zombie" site may be sued for the damage caused by the attack.
Additional coverage concerns may arise under traditional advertising injury
coverage. While copyright and trademark infringement claims may be insured
under the "advertising liability" coverage of a CGL policy,
coverage is typically restricted to "advertising injury caused by an
offense committed in the course of advertising your goods, products or
services . . ." Many coverage disputes have focused on whether the
injury arose during the "course of" the policyholder's
"advertising."
Moreover, in policies that do not define "advertising," courts
have held that the injury must arise from actual advertising, which some
jurisdictions require to be a widespread promotional activity directed to the
public at large. Others have found that resolution of the issue must take
into account the size of the policyholder's business and potential market.
Also, courts typically require a causal nexus between that activity and the
injury.
Traditional insurance policies also often include other provisions that
lead to disputes over coverage for e-commerce or Internet claims. CGL
policies may contain "media exclusions" that seek to deny coverage
for advertising injuries if the insured is a company involved in providing
media services. Also, the territory covered by the policy may be limited to
the United States.
Media liability insurance traditionally was written for publishers,
advertising agencies and other companies involved in broadcasting or
publishing for themselves or others. Its applicability to cyber-risks chiefly
arises in connection with publishing-related liability exposures. However,
such policies often are written only for named perils, and disputes may arise
about whether the cause of the loss in question falls within one of the named
perils identified in the policy.
Disputes also may arise about whether coverage extends only to the
policyholder's own efforts, not for others (that is, not professional
liability). The coverage also usually excludes coverage for liability for
"property damage," and disputes arise about whether it would apply
to liability or loss from security breaches.
Directors and officers (D&O) liability coverage may provide limited
protection. Unless coverage for the company itself is purchased (usually
called "entity coverage"), D&O insurance often will cover only
the directors and officers identified as named insureds. D&O insurance
thus may not cover the corporation — which is the most likely
target for third-party claims — or certain individual employees who
were involved in the activities that are the subject of the
litigation.
Publicly traded corporations may purchase entity coverage, but typically
only for securities suits or derivative actions. Privately held corporations
may purchase D&O coverage with broader coverage for the corporation, but
such policies typically exclude claims involving liability for property
damage and intellectual property infringement.
Errors and omissions (E&O) insurance policies may be limited by the
definition of "professional services" and exclusions for media
liability and property damage. Coverage is not necessarily worldwide.
New cyber-risk insurance policies are designed to address the specific
insurance needs of technology companies and businesses operating in
cyberspace, in traditional coverage areas, such as property, inland marine,
and CGL policies, or employee theft bonds. In addition, they specifically
seek to address concerns about traditional policies' coverage for
"physical damage" to computer assets or other potential
gaps.
Because this market is new, the policy forms vary greatly, and little law
interpreting their terms exists. Some policies have been adapted from
traditional policies to extend coverage to specific Internet-related losses,
while others have been drafted primarily with new technological advances in
mind. Regardless of their origin, cyber-risk policies often are lengthy and
complex forms, reflecting the unique nature of the risks they are intended to
cover.
Cyber-risk policies available on the market today lack uniformity in the
nature and scope of coverage they offer. Some cover losses related to an
insured's computer network in general while others focus on insuring risk
relating to specific aspects of Internet commerce or the operation of Web
sites.
For example, an e-commerce policy underwritten in London covers loss
relating to the operation of electronic media, digital services, software,
bulletin boards, data processing and Internet or information services.
Additionally, some cyber-insurance policies are offered by themselves, while
others are packaged with more traditional coverages. Typically, cyber-risk
insurance policies use multiple insuring agreements (separate policies) to
provide the full coverage available.
Some cyber-risk policies provide broad crime coverage, with a
corporate crime provision that is not limited to theft of or damage to
computer assets. As a hybrid product, these policies also offer coverage for
loss caused by fraudulent insider misuse of payment systems. They were
designed to reduce disputes over coverage that arose under traditional
insurance policies when businesses, such as financial institutions, began to
use electronic-payment systems and networks.
Traditional policies covering financial institutions generally excluded
theft by employees because coverage for such acts was available in the form
of blanket bonds. Because corporations are now using electronic funds-
transfer systems, they require separate coverage for such activities not
provided by blanket bonds.
One of the most significant factors distinguishing cyber-risk policies is
whether the coverage provided is first-party insurance only (damage to the
policyholder's own property), third-party only (liability for injury or
damage to others), or both. Many insurers have shown greater comfort in
offering either first-party coverage for online businesses or third-party
coverage, than in offering both coverages.
The typical first-party losses covered by these policies include physical
damage or damage to software or computer data caused by hackers or viruses,
illicit computer transfer of money, securities or tangible property,
extortion, business interruption or denial of Web site service resulting from
electronic vandalism or ISP outage, and loss-control costs. Loss-control
costs mean those reasonable expenses that the policyholder incurs to prevent
further loss caused by a covered event.
These cyber-risk first-party coverages typically exclude coverage for loss
caused by dishonest acts of insiders, failure to adhere to required system
security practices or mismanagement of the system, as well as computer-remediation
costs.
Third-party coverage in these policies typically insures against liability
to others for loss due to exchange of data via e-mail or the Internet, denial
of service, theft or destruction of data, unauthorized access, libel and
slander, violation of privacy rights, misappropriation of ideas and unfair
competition. They usually exclude liability for failure to exercise
reasonable care or due diligence, intentional or fraudulent acts, violation
of laws such as antitrust, securities or employment-related laws, or of legally
protected rights, such as patent or copyright, and expenses incurred in the
recall of products or services from the marketplace.
Most cyber-risk policies require that a prospective insured's computer or
Internet operation be audited by an independent technical expert service
designated by the insurer for underwriting purposes. The policies may also
require that the insured undergo a continuing loss-prevention program
conducted by the same entity. This is important in light of reports revealing
that most organizations that have undergone external security assessment have
discovered significant system vulnerabilities.
In addition, new cyber-risk insurance policies providing first-party
coverage often pay for a crisis-management consultant once a loss occurs. The
crisis-management consultant, who may be pre-selected by the insurance
company based on the policy language, assesses damages resulting from the
covered loss and coordinates recovery efforts.
Almost all companies today are involved in some form of electronic
commerce, if only by providing Internet e-mail to their employees. These
e-commerce activities potentially expose companies to risks of liability far
beyond the physical premises of the business. Companies need to assess these
new risks regularly and ensure that their policies and risk-management
procedures are sufficient in the face of these evolving risks.
One element of this process is assessment of the business' risk-transfer
programs and insurance. Cyber-risk policies continue to evolve and will
become even more refined as computer technology and the Internet evolve and
additional data regarding significant exposures becomes available.
The magnitude of exposure is difficult to predict and underwrite,
particularly because of the lack of strong actuarial backup and the complex
nature of the risks involved. However, it seems only a matter of time before
cyber-risk coverage becomes an integral part of most businesses' risk-
management programs.
Black is managing partner at Peterson & Ross, in Chicago; his e-mail is
jblack@petersonross.com. Masters is a partner at Jenner & Block, LLC, in Washington. Her e-mail is
lmasters@jenner.com. Weitzel is a senior principal at Mitretek
Systems, in Falls Church, Va.; his e-mail is dweitzel@mitretek.org.
Black and Weitzel co-chair the Cyberspace Insurance Working Group in the Section of Business Law's Cyberspace
Law Committee. Masters is co-chair of the Insurance Coverage Litigation Committee of the Section of Litigation.