When businesses utilize the Internet, they are exposed to a range of risks. Some are old risks in new guises; others are entirely new risks unique to the use of the Internet. These risks pose novel insurance coverage issues.
Where the existence of insurance coverage may have been clear cut in the traditional paper environment, coverage may be uncertain when the Internet is utilized rather than mail. Losses for which a business believed it had adequate insurance may be uncovered. At a minimum, the policyholder may have to sue its insurer to secure payment of claims, rather than merely submitting claims for adjustment as in the past.
Increasingly companies -- even if they do not view themselves as being in the cyber industry -- utilize electronic media for a variety of functions. The most common are electronic record keeping, e-mail and web sites. A smaller, but rapidly growing number of companies are transacting business on the Internet -- not merely providing information, but selling goods and services.
Every transition from a paper to a paperless function raises issues of the adequacy of insurance coverage. For example, electronic records are vulnerable to damage both from the same perils as paper records as well as some novel perils. Whether a company's electronic records are destroyed by a fire or destroyed by a virus, the impact on its operations may well be the same. The cost of restoring the records, the interruption to business operations may be virtually identical.
However, the insurance coverage provided by conventional property policies may be different. The typical property insurance policy contains language limiting the coverage to: "Direct physical loss or damage to property." If the electronic records are destroyed by fire, there is really no issue. Property coverage exists if the medium on which data is stored is also damaged. However, if the electronic records are destroyed by a computer virus, the damage to electronic data alone may not constitute "physical damage" to property and the policyholder may have to dispute the existence of coverage with its insurer.
Coverage uncertainties also arise with third party liability insurance. Does conventional liability insurance provide coverage if a company's e-mail transmits a virus which infects another company's computer system and they sue? Typical liability policy language states that coverage exists for "Physical injury to or loss of use of tangible property." It is unclear whether electronic data is "tangible property". Therefore, it is unclear whether the liability policy will provide a defense or coverage.
In practice, the coverage determinations may turn on exact language of the insuring clause in the policy. The coverage determination may also turn on the jurisdiction in which the company with the virus-damaged data files suit. That jurisdiction could be anywhere in the United States or could be a foreign jurisdiction. E-mail readily crosses state and national lines.
Few appellate courts have yet addressed this issue. Typical of the few decisions in this area is the Minnesota courts' treatment of the question whether a CGL policy provided coverage for erasure of data during repair and inspection of computer discs in Magnetic Data v. St. Paul Fire & Marine.
In Magnetic Data v. St. Paul Fire & Marine, the policyholder had erased a client's data while servicing and repairing computer discs. The client sued the policyholder and the insurer denied coverage.
The Minnesota Court of Appeal held that there was coverage in spite of the fact that it found that computer data was not tangible property. The Court of Appeal noted that while the damage to property clause was limited to tangible property, the loss of use provision was not limited to loss of use arising from damage to tangible property. (This language has subsequently been changed.)
The Minnesota Supreme Court reversed and held that if the data was not tangible property, it was not covered and if it was tangible property it still was not covered the control of property exclusion. (The control of property exclusion provided that the Commercial General Liability Policy ("CGL") policy did not cover "property on your premise for purposes of being worked on.)
The utility of e-mail in facilitating communications creates a variety of new risks. Consider the scenario in which a company's employees send libelous spam e-mails about a competitor. (Spam refers to "bulk" e-mails; the electronic equivalent of junk mail.) The competitor sues. If the company is sued for trade libel, is there coverage?
Advertising injury coverage is generally provided in CGL policies. The advertising injury provision covers:
Injury arising out of one or more of the following offenses:
- Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods or services;
- Oral or written publication of material that violates a person's right of privacy;
- Misappropriation of advertising ideas or style of doing business; or
- Infringement of copyright, title or slogan committed in the course of advertising your goods, products or services.
The coverage issue will turn on whether the employees' activities constituted "advertising" and is likely to depend on facts specific to the claim. How senior were the employees? How many e-mails were sent and to whom? In other words, are the e-mail or chat-room communications analogous to recognized forms of advertising? The insured has a reasonable shot at getting the insurer to pay for the defense, although possibly under a reservation of rights. (Under a reservation of rights, the insurer reserves the right to deny coverage if during the course of the litigation facts emerge which demonstrate that the claim is not within the scope of coverage.)
The existence of advertising injury would be more certain if the allegedly libelous material had been posted on the company's web site, since a web site is almost certainly an advertising vehicle.
Almost every business of any size has a web site these days. The range of activities carried out though the web site varies widely. Some sites offer information about the company and its products or services. Some web sites also offer "advice." Advice can be offered as an inducement to purchase more sophisticated services from the company. Or advice can be offered by membership organizations to assist members in utilizing services more effectively. Still other web sites offer products or services on-line.
Web sites also can be a source of insurance claims. Consider the scenario in which someone claims bodily injury or damage to property arising from information on a company's web site. The typical liability policy provides coverage for bodily injury and physical injury to or loss of use of tangible property. Here, the liability policy almost certainly will provide coverage.
There are a few possible catches. If the policy contains a clause excluding liability arising from the provision of professional services, the CGL carrier may tell the insured to look to its errors and omissions policy -- if any -- for coverage. The coverage question will turn on whether the information on the web site constituted the provision of professional services. Relevant facts will include the nature of the policyholder's business, whether there was a existing relationship between the injured party and the policyholder, as well as the nature of the information on the web site.
Given all of the uncertainty about insurance coverage for paperless office functions under traditional insurance products, the insurance industry is rolling out a host of products designed to provide coverage for a wide range of electronic media. A few of the new products are described below. Others are discussed in the attached articles from the insurance industry trade press.
A number of insurers including CNA, AIG, St. Paul and various Lloyds underwriters offer hacker/virus policies. These policies generally provide both first party and third party coverage. The first party coverage addresses damage to the insured's own equipment or data. The third party coverage addresses lawsuits by third parties that assert that the policyholder is responsible for hacker or virus damage to its computers or electronic data.
In considering a hacker/virus product watch out for criminal acts exclusions. For example, if damage to a third party's computer is the result of a criminal act, for example, if it violates a federal or state statute imposing criminal penalties for violations of privacy through Internet activities, then the exclusion would preclude coverage.
Most hacker/virus policies are claims made, i.e. they provide coverage only for claims made in the coverage period.
Media Liability policies provide coverage for defamation, invasion of privacy, misappropriation of name or likeness and violation of intellectual property rights arising from the insured's dissemination of information in covered media. The covered media specified in the policy can include web-sites. Although Media Liability policies generally do not cover errors and omissions in providing services, some insurers offer endorsements to cover errors and omissions in the content of covered information.
A useful tool in addressing insurance coverage issues raised by the paperless office is an insurance coverage audit. Any insurance coverage audit identifies risks arising from current and planned uses of electronic media, analyzes existing coverage and identifies coverage gaps. It also provides suggestions concerning ways to plug those gaps.