Dangers lurk in cyberspace

2/5/2016
Business Law Today
Volume 11, Number 6, July/August 2002
Dangers Lurk in Cyberspace
A primer on risks and insurance
By John E. Black Jr., Lorelie S. Masters and David S. Weitzel

Cyberspace is a whole new world of risks. Can businesses control them? Is insurance available?

With the emergence of global e-commerce, these questions now confront businesses and require a new level of security awareness in corporate boardrooms. Cyber-risks are myriad and continue to evolve. They include damage to networks, data and other computer systems, as well as exposure to third-party claims. Controlling cyber-risk therefore must be addressed by corporate risk departments and the officers and directors who oversee their work.

Not all security risks can be eliminated by hardware and software. Some exposure always exists, and damage may occur despite a network manager's best efforts. Nor does bringing cyber-criminals to justice undo the loss they cause. It is the duty of a corporate risk manager to be aware of these risks and to actively manage the corporation's risk exposure.

In this environment, a new class of insurance has emerged to fill potential gaps in standard insurance policies. This article identifies six principal cyber-risks, briefly reviews traditional insurance policies to identify common cyber-risk coverage concerns, and describes the new insurance policies designed to insure those risks.
Security — A corporate manager should be aware of the risk of loss to networks and equipment, databases and information assets, and proprietary and confidential information. While property insurance typically covers these systems, many insurers are limiting the risks covered under these contracts given the new computer-related exposures.
Just as with building fire suppression and physical security, a modern corporate computer network must have security built into its architecture. As a baseline, companies should install firewalls to deter intruders and to identify incursions. Most companies that provide access to the Internet have been "attacked." Most do not know it. A good security and monitoring system should help identify such incursions and protect against future ones.
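As an illustration of what "identifying incursions" means in practice, here is an added example (not from the original article or its authors) that reads firewall deny events and flags any source that probes many distinct ports on a host, the pattern of a port scan that typically precedes an attack. The log format, field names, host name and addresses are constructed for this example and are not any particular firewall's schema.

```python
"""Flag port scans in firewall deny logs (added example; sample lines are constructed)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log in a simplified syslog-like format. The field names
# (src, dst, proto, dport) are assumptions for this example, not a vendor schema.
# Source 203.0.113.7 probes eight ports in a few seconds; the others are noise.
SAMPLE_LOG = """\
Jul 12 03:14:01 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=21
Jul 12 03:14:01 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=22
Jul 12 03:14:02 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=23
Jul 12 03:14:02 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=25
Jul 12 03:14:03 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=80
Jul 12 03:14:03 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=110
Jul 12 03:14:04 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=143
Jul 12 03:14:04 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=443
Jul 12 03:15:10 fw1 ALLOW src=192.0.2.44 dst=198.51.100.10 proto=tcp dport=443
Jul 12 03:15:11 fw1 DENY src=192.0.2.44 dst=198.51.100.10 proto=tcp dport=8443
Jul 12 03:16:00 fw1 DENY src=192.0.2.45 dst=198.51.100.10 proto=udp dport=161
Jul 12 03:16:30 fw1 -- MARK --
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    action: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_log(text):
    """Parse log text into Event records, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # e.g. the "-- MARK --" line: ignore rather than crash the monitor
        events.append(Event(m["ts"], m["action"], m["src"], m["dst"],
                            m["proto"], int(m["dport"])))
    return events


def find_scanners(events, min_ports=5):
    """Return {src: sorted distinct denied ports} for sources denied on >= min_ports ports.

    Only DENY events count: a single allowed connection to a public service is
    normal traffic, whereas many rejections across different ports from one
    source is the footprint of a scan.
    """
    ports = defaultdict(set)
    for e in events:
        if e.action == "DENY":
            ports[e.src].add(e.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def report(text, min_ports=5):
    """Human-readable lines for each suspected scanner found in the log text."""
    hits = find_scanners(parse_log(text), min_ports)
    return [f"possible scan from {src}: {len(p)} ports ({', '.join(map(str, p))})"
            for src, p in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

A real monitor would add a time window (eight ports over a month is not a scan) and raise the threshold for hosts that legitimately see many failed connections, but the core check is the same: count distinct destination ports per source rather than raw deny volume, which catches the slow, quiet probe that the article says most companies never notice.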
Companies often keep previously access-restricted information on the corporate intranet with minimal additional security measures. Besides corporate product development and internal budget and sales data, other data on such systems includes employee-sensitive data: compensation scales and histories as well as hiring and retention information.

Companies also need to put in place and enforce security procedures to protect against both internal "rogue employees" and external "social engineering," the willingness of employees to let hackers and thieves posing as legitimate repairmen or company personnel into the company's computer systems or physical premises.

E-commerce and computer assets — Does your insurance reflect the worldwide nature of the Internet? More important, does it protect against liability regardless of where it arises, here in the United States or in some remote corner of the world?

With the emergence of e-commerce business models, corporate managers must review the exposure created by e-commerce contracts, warranties, product integrity risks, professional services conducted online, and "fail-safe" transactions now exposed on the Internet. Almost all Web sites can be accessed from anywhere in the world. As a result, part of this system investment should deal with the previously unseen trans-border nature of the Net.

Both companies and individuals should protect all valuable computer assets by backing up data and creating fall-back system "architectures." To protect against the operation of "Murphy's Law," companies also should create disaster recovery plans in case the worst happens and a virus, act of God, or other unanticipated event prevents the business from operating in normal fashion. Backups and recovery plans should be tested by actually restoring from them; an untested backup is an assumption, not a control.
Privacy and information collection — "Fair information practices" underlie the issue of privacy in cyberspace. Businesses should create Web site privacy notices and review them periodically to assure that they meet fair practices. The Federal Trade Commission (FTC) has been very active in overseeing these online information-collection practices. Any company engaged in Internet-exposed business areas or activities must protect privacy at a higher level. Similarly, companies that do business outside the United States must be aware of foreign privacy laws, such as those in Canada, Australia and the European Union with its Data Protection Directive.

Several trust seal systems assist companies in complying with, and certifying compliance with, fair information practices. TRUSTe and BBBOnline are two of the better-known privacy seal programs. Both of these programs also have special seals for companies collecting information from children.

In the United States, privacy is often protected statutorily by business sector or activity. The applicable laws in this area include: Title V of the Gramm-Leach-Bliley Act (GLBA), which applies broadly to financial institutions; the Health Insurance Portability and Accountability Act (HIPAA), which broadly applies to health care and some other organizations; and the Children's Online Privacy Protection Act (COPPA), which applies to businesses that collect information online from children under 13.

While you may not consider your client's organization to be a financial institution or health-care institution, funding arrangements with customers or providing health care self-insurance may bring the organization under the purview of certain provisions of the GLBA or HIPAA.
Intellectual property — In cyberspace, the traditional role and protections for patents, trademarks, copyrights and trade secrets are put at risk, and the need for licensing of others' intellectual property is taken to new levels. New business-method patents also have been granted for some business models used in cyberspace.

The role of intellectual-property protections for new concepts in cyberspace such as domain names and metatags is still being explored. If a domain name infringes on a corporate trademark, new dispute-resolution procedures are available. Law applicable to the use of hyperlinking and deep linking to content created by others is still evolving. The protection of corporate Web sites, chat rooms and e-mail systems also must be examined.

The corporate manager of a business operating in cyberspace must determine if the business' systems are acting as an "interactive computer service" or as an "information content provider." If they can be viewed as a content provider, they may be held to the higher standard that the law sets for publishers of that content.

However, the Digital Millennium Copyright Act (DMCA) affords protection for Internet connectivity or content providers, such as Internet Service Providers (ISPs), against copyright liability for content posted by others. Although this protection requires the operator to "take down" offending material after proper notice, the ISP is protected from claims by both the one who requested removal of the offending information and the one from whose site the information was removed.
Defamation and publication — New levels of cyber-exposure exist in the area of defamation. With the Internet, the audience to whom a defamatory statement can be published has become worldwide, and businesses must make sure that their Web sites do not contain defamatory material. Employee chat rooms may create a higher risk of defamation. Employee e-mail also presents this risk. Businesses should adopt and enforce guidelines.

A corporate manager must also be aware that First Amendment protections stop at our national borders. Comments that may be perfectly acceptable under the United States' view of free-speech protections may be illegal or actionable in other nations.
Advertising — In the United States, the FTC and state attorneys general regulate advertising. The FTC has created several documents regarding advertising and fair information practices for the collection of information over the Internet. For example, the FTC has prepared guidelines called "Advertising and Marketing Online: Rules of the Road," and has posted them online.

Simply put, advertising over the Net, like that in real space, must be fair and nondeceptive and, as the FTC states in its "Rules of the Road," advertising "claims must be substantiated." While Internet advertising may not be "written" within a narrow interpretation of the word, a company would best act as if its Internet advertisements were written advertising and abide by the rules governing such advertising.

One of the Internet's additions to the world of advertising is junk e-mail or spam, the bane of many Internet users. ISPs have installed filtering systems to assist users in eliminating spam and have used self-policing services to keep known spammers from using their systems. Attempts at legislation to prevent spam have been tried, but largely have failed because of First Amendment concerns in the United States.

Countries outside the United States are not bound by the constitutional limitations that may constrain efforts to regulate spam in this country. In addition, even in the United States, companies should be aware of state and other government efforts to regulate or at least minimize spam.

Most traditional insurance policies were written before the advent of e-commerce. While some policies, such as comprehensive or commercial general liability insurance (CGL) or media liability insurance, may afford coverage for a portion of cyber-risk, companies engaged in e-commerce or dealing with computer data assets may find that their standard or traditional insurance policies provide at best incomplete coverage. In addition, insurance companies selling traditional CGL or media insurance increasingly are specifically excluding coverage for such risks out of concern about the exposure and their ability to price the additional coverage adequately.
A frequent matter of dispute concerns the definition of "property" or "property damage." The standard CGL policy typically defines "property damage" as "physical injury to tangible property including the resulting loss of use of that property." Insurance companies have denied coverage for the loss of or damage to data stored in computers, or the loss of access to such data, on the basis that such loss does not constitute tangible "property" or sufficient "property damage."

For example, in a denial-of-service or other hack attack, the company could lose proprietary or client data, or company clients could lose access to the company's computer systems, which could result in an interruption of the company's business. Alternatively, if the company negligently failed to prevent its system from being used as a "zombie" in a distributed denial-of-service (DDoS) attack on another company's system, the company operating the "zombie" site may be sued for the damage caused by the attack.

Additional coverage concerns may arise under traditional advertising injury coverage. While copyright and trademark infringement claims may be insured under the "advertising liability" coverage of a CGL policy, coverage is typically restricted to "advertising injury caused by an offense committed in the course of advertising your goods, products or services . . ." Many coverage disputes have focused on whether the injury arose during the "course of" the policyholder's "advertising."

Moreover, in policies that do not define "advertising," courts have held that the injury must arise from actual advertising, which some jurisdictions require to be a widespread promotional activity directed to the public at large. Others have found that resolution of the issue must take into account the size of the policyholder's business and potential market. Also, courts typically require a causal nexus between that activity and the injury.
Traditional insurance policies also often include other provisions that lead to disputes over coverage for e-commerce or Internet claims. CGL policies may contain "media exclusions" that seek to deny coverage for advertising injuries if the insured is a company involved in providing media services. Also, the territory covered by the policy may be limited to the United States.
Media liability insurance traditionally was written for publishers, advertising agencies and other companies involved in broadcasting or publishing for themselves or others. Its applicability to cyber-risks chiefly arises in connection with publishing-related liability exposures. However, such policies often are written only for named perils, and disputes may arise about whether the cause of the loss in question falls within one of the named perils identified in the policy.
Disputes also may arise about whether coverage extends only to the policyholder's own publishing and not to work done for others (that is, whether it is professional liability coverage). Media liability coverage also usually excludes liability for "property damage," and disputes arise about whether it would apply to liability or loss from security breaches.
Directors and officers (D&O) liability coverage may provide limited protection. Unless coverage for the company itself is purchased (usually called "entity coverage"), D&O insurance often will cover only the directors and officers identified as named insureds. D&O insurance thus may not cover the corporation, which is the most likely target for third-party claims, or certain individual employees who were involved in the activities that are the subject of the litigation.
Publicly traded corporations may purchase entity coverage, but typically only for
securities suits or derivative actions. Privately held corporations may purchase D&O
coverage with broader coverage for the corporation, but such policies typically
exclude claims involving liability for property damage and intellectual property
infringement.
Errors and omissions (E&O) insurance policies may be limited by the definition of
"professional services" and exclusions for media liability and property damage.
Coverage is not necessarily worldwide.
New cyber-risk insurance policies are designed to address the specific insurance needs of technology companies and businesses operating in cyberspace, in traditional coverage areas such as property, inland marine and CGL policies, or employee theft bonds. In addition, they specifically seek to address concerns about traditional policies' coverage for "physical damage" to computer assets and other potential gaps.

Because this market is new, the policy forms vary greatly, and little law interpreting their terms exists. Some policies have been adapted from traditional policies to extend coverage to specific Internet-related losses, while others have been drafted primarily with new technological advances in mind. Regardless of their origin, cyber-risk policies often are lengthy and complex forms, reflecting the unique nature of the risks they are intended to cover.

Cyber-risk policies available on the market today lack uniformity in the nature and scope of coverage they offer. Some cover losses related to an insured's computer network in general, while others focus on insuring risk relating to specific aspects of Internet commerce or the operation of Web sites.

For example, an e-commerce policy underwritten in London covers loss relating to the operation of electronic media, digital services, software, bulletin boards, data processing and Internet or information services. Additionally, some cyber-insurance policies are offered by themselves, while others are packaged with more traditional coverages. Typically, cyber-risk insurance policies use multiple insuring agreements (separate policies) to provide the full coverage available.
Some cyber-risk policies provide broad crime coverage, with a corporate crime provision that is not limited to theft of or damage to computer assets. As a hybrid product, these policies also offer coverage for loss caused by fraudulent insider misuse of payment systems. They were designed to reduce disputes over coverage that arose under traditional insurance policies when businesses, such as financial institutions, began to use electronic-payment systems and networks.

Traditional policies covering financial institutions generally excluded theft by employees because coverage for such acts was available in the form of blanket bonds. Because corporations are now using electronic funds-transfer systems, they require separate coverage for such activities not provided by blanket bonds.

One of the most significant factors distinguishing cyber-risk policies is whether the coverage provided is first-party insurance only (damage to the policyholder's own property), third-party only (liability for injury or damage to others), or both. Many insurers have shown greater comfort in offering either first-party coverage for online businesses or third-party coverage than in offering both.

The typical first-party losses covered by these policies include physical damage or damage to software or computer data caused by hackers or viruses, illicit computer transfer of money, securities or tangible property, extortion, business interruption or denial of Web site service resulting from electronic vandalism or ISP outage, and loss-control costs. Loss-control costs are those reasonable expenses that the policyholder incurs to prevent further loss caused by a covered event.

These cyber-risk first-party coverages typically exclude coverage for loss caused by dishonest acts of insiders, failure to adhere to required system security practices or mismanagement of the system, as well as computer-remediation costs. In practice this means the security controls represented to the insurer at underwriting become conditions of coverage: letting them lapse can forfeit recovery for exactly the loss they were meant to prevent.

Third-party coverage in these policies typically insures against liability to others for loss due to exchange of data via e-mail or the Internet, denial of service, theft or destruction of data, unauthorized access, libel and slander, violation of privacy rights, misappropriation of ideas and unfair competition. They usually exclude liability for failure to exercise reasonable care or due diligence, intentional or fraudulent acts, violation of laws such as antitrust, securities or employment-related laws, or of legally protected rights such as patent or copyright, and expenses incurred in the recall of products or services from the marketplace.
Most cyber-risk policies require that a prospective insured's computer or Internet operation be audited by an independent technical expert service designated by the insurer for underwriting purposes. The policies may also require that the insured undergo a continuing loss-prevention program conducted by the same entity. This is important in light of reports revealing that most organizations that have undergone external security assessment have discovered significant system vulnerabilities.

In addition, new cyber-risk insurance policies providing first-party coverage often pay for a crisis-management consultant once a loss occurs. The crisis-management consultant, who may be pre-selected by the insurance company based on the policy language, assesses damages resulting from the covered loss and coordinates recovery efforts.
Almost all companies today are involved in some form of electronic commerce, if only by providing Internet e-mail to their employees. These e-commerce activities potentially expose companies to risks of liability far beyond the physical premises of the business. Companies need to assess these new risks regularly and ensure that their policies and risk-management procedures are sufficient in the face of these evolving risks.

One element of this process is assessment of the business' risk-transfer programs and insurance. Cyber-risk policies continue to evolve and will become even more refined as computer technology and the Internet evolve and additional data regarding significant exposures becomes available.

The magnitude of exposure is difficult to predict and underwrite, particularly because of the lack of strong actuarial backup and the complex nature of the risks involved. However, it seems only a matter of time before cyber-risk coverage becomes an integral part of most businesses' risk-management programs.
Black is managing partner at Peterson & Ross, in Chicago; his e-mail is [email protected]. Masters is a partner at Jenner & Block, LLC, in Washington. Her e-mail is [email protected]. Weitzel is a senior principal at Mitretek Systems, in Falls Church, Va.; his e-mail is [email protected]. Black and Weitzel co-chair the Cyberspace Insurance Working Group in the Section of Business Law's Cyberspace Law Committee. Masters is co-chair of the Insurance Coverage Litigation Committee of the Section of Litigation.