The Maturing Risks of Cyberspace – Brief Article
The Internet is a rapidly evolving medium that brings a new dimension to exposures such as copyright and trademark infringement–as well as adding a plethora of its own risks.
To borrow a phrase from a popular scary movie in the 1980s, it’s heeeeeere!
For risk managers, cyberspace, aka the Internet, has arrived. Big time. And risk managers who ignore the new ways that the Internet delivers some old exposures do so at their own peril.
Based purely on numbers, the World Wide Web and cyberspace in general are moving well beyond the experimental stage in the business world. For example, the 1998 first annual report of the U.S. Government Working Group on Electronic Commerce reports that the number of Internet hosts worldwide increased from fewer than half a million in 1991 to more than 38 million in 1998.
On the personal use side, Santa Clara, Calif.-based Intel Corp., the computer chip manufacturer, estimates that there now are more than 100 million Internet users worldwide.
“Will a lawsuit develop from your company Web site? Does having a Web site change your tax liability? Can you and should you monitor employee email?” asks Rich Maloy Jr., vice president at Maloy Insurance, a Princeton, N.J., agency. “These are just some of the questions risk managers should know the answers to when it comes to risk and the Internet.”
Interestingly, if you go beneath the statistics, some experts, including Maloy, say the risks associated with cyberspace in themselves aren’t really all that new. Copyright violations, defamation, fraud, and related liabilities have been around for a long time. In those cases, it’s just the delivery methods that have changed, creating a new technology-fueled challenge for risk managers.
On the other hand, there are new security liabilities in the form of computer hackers or viruses that can unexpectedly disrupt business or result in claims against a company.
“As technology advances, companies will begin to face traditional liabilities in new forms,” says Clarissa Weiant, an attorney with McKenna and Cuneo, a Washington-based firm. Weiant, a member of the firm’s Insurance Recovery Group, specializes in Internet-related litigation.
Joshua Gold, a New York-based partner who specializes in Internet-related legal issues at the law firm of Anderson, Kill & Olick, agrees. So far, he says, the Internet offers the same exposures, albeit in a different form.
“Actually, not a whole lot has changed in the past two years relative to Internet-related exposures, except for the fact that nearly every business has a presence in cyberspace,” he says. Gold adds that his firm hasn’t seen a huge change yet in terms of decisions over insurance coverage related to Internet claims or losses. “But that’s not unusual because you have the underlying litigation, which typically takes a couple of years to be determined,” he says.
E-Mail, Content Risks
Risk exposures specifically associated with the Internet typically fall into three main categories. The first is Internet content. That means placing material on the Internet, either on a Web site or via e-mail, that could result in copyright or trademark infringement, defamation, invasion of privacy, and other related risks.
“The biggest Internet-related liabilities right now are copyright and trademark infringement,” adds Maloy. “Any time you put anything on a site, you have to know where it came from.” For example, material could come from a link to a strategic partner’s Web site. Using protected material without permission can cause some negativity that may result in litigation.
Weiant says that in most cases, a basic commercial general liability (CGL) policy should protect companies from defamation or libel that results from e-mail or Web site content.
“Generally, an insurance company has a duty to defend if the claim even potentially falls within the policy,” Weiant explains. “Thus, an insurance company likely will be obligated to defend a company in an Internet or e-mail defamation suit even if the court ultimately finds that there was no defamation.”
Insurers, however, may attempt to deny coverage for Internet or e-mail defamation claims on the grounds that the company knew that an employee’s defamatory statements were false. To prevail, Weiant says, the insurance company would have to prove both that the policyholder directed the activities of the employee and had knowledge of the falsity of the statement, both of which would be unlikely in most cases. And, depending on the terms of the policy, the insurance company may deny coverage on the grounds that the defamatory statement was not within the coverage territory or that the policy does not cover defamatory statements made by one employee against another.
The important thing to remember is that, by and large, CGL policies should cover the Internet or e-mail related defamation and libel suits that a company might face, and that companies should not overlook this valuable protection against liability in such suits.
“Advertising injury coverage sold under CGL policy is an important source of potential protection from Internet-related claims,” explains Gold. But he also is quick to point out that some insurers, with Internet liabilities in mind, have begun to reduce advertising injury coverage under CGL policies. Some even have begun to redefine “advertising injury” to exclude Internet-related issues.
“Policyholders must carefully review what their potential insurance coverage will be in the event of an Internet-related claim in this area’ he says. Gold believes that if a company regularly conducts business on the Internet, it might be a good idea to look at specialized insurance policies similar to those purchased by broadcasters, telecasters, publishers, advertisers, and other media companies.
Se purity, E&O
The second major risk category related to Internet activity involves what Gold calls “enabling” technology. In this category, liabilities or losses can result when the technology fails to perform as expected, or the promised creation or sale of enabling technology is claimed to infringe on the intellectual rights of another party. In this case, companies that develop enabling technologies may be exposed to errors & omissions (E&O) type risks.
For example, Gold cites how recent Web site crashes at companies that offer on-line securities trading have caused customers to complain very loudly that the outage caused them major financial headaches.
Gold notes that some on-line securities trading companies have already paid out millions of dollars to subscribers to avoid E&O-based lawsuits.
“Software glitches related to e-commerce are going to have a major impact on Internet liabilities and losses for certain companies,” Weiant adds.
As far as coverage for this risk category, a CGL or E&O policy might be enough. But again, Gold warns that risk managers should carefully examine current coverages. “E&O policies typically are weighed down with exclusions,” he says. His advice? Seek out specialized E&O coverage for Internetrelated risks.
The third major risk category involves security, or, more accurately, the breach of security. By now, we’ve nearly all heard about Melissa, the nefarious virus-like program that caused a major panic among corporate e-mail systems back in late March.
But viruses are just the tip of the security iceberg. There are also losses and/or liabilities that can occur when on-line information is stolen or damaged, hackers break into a system via the Internet, or cyber criminals are able to use the Web for fraudulent purposes.
For example, hackers can obtain valuable information via the Internet. Dishonest employees also can pose a major security threat by sabotaging systems, stealing key information, or, in the case of financial institutions, stealing money through electronic transfer of funds.
A Secure Net?
Industry watchers say that companies or individuals doing business on the Intemet should consider insurance coverage under their CGL policies, E&O policies, or other insurance policies potentially providing coverage for those types of claims.
And in terms of losses suffered through a breach of security, insureds should look to their inland marine, fidelity, computer crime, business interruption, and any other related policies for coverage.
Several large insurance companies, including Chubb, Reliance National, Cigna, St. Paul, Kemper, and Lloyd’s of London have begun to sell policies specifically aimed at Internet coverage. Naturally, among those new products are several policies specific to companies whose primary business is Internet-related.
For example, Intemet service providers, or ISPs, which sell access to the Internet (including e-mail), have much different coverage issues than typical businesses that sell non-Internet products and services over the Internet or merely establish a company Web site for customers to visit. For technology-based companies, there are multimedia policies specifically designed for their insurance coverage needs.
According to Tom Cornwell, vice president and worldwide manager in Chubb’s Technology Insurance Group, there are key questions a risk manager should ask in examining policies designed for Internet-related risk.
For example, does the policy cover a company’s Internet activities, both internal and external? Does it provide defense costs for injunctive relief? Does it cover all forms of expression or only content? Is it good anywhere in the world? Does it provide coverage assumption for liability in contracts? Will it cover damage by computer viruses? And more.
“The point is that insurance products that respond only to Internet or e-commerce miss the point,” he says. “Those that don’t respond anywhere in the world miss the point. There are all these kinds of little nuances in this area, and risk managers need to work with their insurer and broker to analyze them all.”
“We are of the opinion in coverage, especially in a policy like CGL, that the less you say, the more coverage you have,” says Anderson, Kill & Olick’s Gold. “But if your business is solely on the Web, policyholders and underwriters must be on the same page. Coverage depends on the makeup of the policy holder.”
Perhaps the most comprehensive Internet risk program created to date involves a recent partnership between J&H Marsh & McLennan, IBM and several insurers, including Chubb, AIG, Zurich Financial Services Group, and Lloyd’s of London. Called Net Secure, this program offers the highest available insurance limits for e-business risks with a wide range of network security services.
According to J&H Marsh & McLennan, Net Secure addresses exposures that may not be covered or adequately addressed under a firm’s existing commercial insurance policies, including:
* loss or theft of electronic information assets, including intellectual property.
* loss of income due to network and Web site disruptions or interruptions.
* theft of credit card information.
* third-party financial losses associated with computerized business links and interdependencies.
* breach of privacy and unauthorized release of personal information.
* multimedia or content injury, such as Web-related defamation, copyright infringement, and false advertising.
As part of Net Secure, insureds have the opportunity to contract with IBM or other leading consulting resources to assess information network security, monitor Internet Web sites, identify and remediate potential breaches, and pro- vide business recovery solutions. The insurance also enables a company that identifies a security breach or potential crisis with its Web site or network to receive up to $50,000 for the use of security consultants, technical support, or public relations consultants to address the problem.
Among other things, the coverage offers $200 million in total capacity, global coverage, and primary or difference-in-conditions approach to fill any gaps and limitations in traditional commercial insurance policies.
“One thing we have seen is that insurance companies have stepped up to cover all sorts of cyberspace risks,” says Gold. “We don’t have the full story yet, but there is room for liabilities to grow. There are all these novel insurance products being developed right now, and in the upcoming years, there will be pressure points in that type of coverage. Everything depends on whether people are seriously litigious about cyberspace, and I think they will be.
“The Internet is the wave of the future, not some fad,” he adds. “There are many of these risks lurking out there. We’ll have to see what happens.”
Risk Management WWW-style
While the Internet poses some new ways to suffer from some established offers many resources that can help risk managers be better at their jobs. Below are some risk management sites on the World Web that might prove helpful:
* RISKMail: RISKMail is an electronic discussion forum list that allows people around the world to hold “no holds barred” discussions of risk and insurance issues. (www.riskmail.lsu.edu/)
* RMIS-Web: A risk management formation systems on-line resource, owned by Info Tech Consulting (www.rmisweb.com/)
* Captive.Com: A one-stop location for information on captives, insurers self-insureds reciprocals, risk retention groups and public entity pools. (www.captive.com)
* RIMS: The Risk and Insurance Management Society’s Web site.(www.rims.org)
* Insurance Express: A comprehensive list of insurance-related links, including the latest news sources. (www.isn-inc.com/html/insurance_express.html)
* American Risk and Insurance Association: The ARIA Web site is a great spot for risk managers to glean information. (www.aria.org/)
COPYRIGHT 1999 Axon Group
COPYRIGHT 2004 Gale Group