CHAPTER 60

INSURANCE RELIEF

Robert A. Parisi, Jr. and Nancy Callahan

60.1 INTRODUCTION

60.1.1 Historical Background

60.1.2 Growing Recognition of the Need for Insurance

60.1.3 General Liability Issues

60.2 INTELLECTUAL PROPERTY COVERAGE

60.2.1 Loss/Damage to Intangible Assets

60.2.2 Intellectual Property Policies

60.2.3 Claims Made versus Occurrence Coverages

60.2.4 Duty to Defend versus Indemnity

60.2.5 Who Is Insured?

60.2.6 Definitions of Covered Claims

60.2.7 Prior Acts Coverage

60.2.8 Extensions of Coverage

60.2.9 Common Exclusions

60.2.10 First-Party Coverage and Other Key Provisions

60.3 PROPERTY COVERAGE

60.4 CRIME/FIDELITY COVERAGE

60.5 E-COMMERCE POLICIES

60.6 PRIVACY AND IDENTITY THEFT EXPOSURES

60.6.1 Issues for Businesses

60.6.2 Issues for Consumers

60.6.3 Insurance for Consumers

60.7 CONCLUDING REMARKS

60.8 FURTHER READING

60.9 NOTES

60.1 INTRODUCTION.

This chapter presents an overview of traditional insurance products and discusses how they may or may not provide coverage for the risks associated with intellectual property and with computer and network security. It also addresses the new types of coverage that have been developed expressly for those risks.

60.1.1 Historical Background.

Historically, people have responded to the risks associated with commerce by finding ways to lessen their impact or severity.

  • Around 3000 BCE, Chinese merchants cooperated by distributing cargo among several ships prior to navigating dangerous waterways, so that the loss of one ship would not cause a total loss to any individual.
  • Around 1700 BCE, Babylonian merchant caravans were constantly imperiled by bandits. In addition to any risk management practices they might have employed similar to those of Chinese merchants, the Babylonians opted for a risk transfer approach:

    Babylonian king Hammurabi developed a code of law, known as the Code of Hammurabi, which codified many specific rules governing the practices of early risk-sharing activities. For instance, the code dictated that traders had to repay merchants who financed trading voyages unless thieves stole goods in transit, in which case debts would be cancelled.1

  • In addition to the well-known Colossus, the people of Rhodes created the general average—an insurance construct that survives to this day. The people of Rhodes were a superstitious lot, and would often attribute the fact that a voyage was not going well to some aspect of the cargo being cursed; once identified, the “cursed” cargo was heaved overboard—much to the chagrin of its owner. In response to this practice, which apparently became a burden on trade, Rhodes developed the general average, whereby all the noncursed stakeholders on the voyage contributed pro rata to making the unlucky soul whole—at least economically.
  • Similarly, as Venice rose to power in the thirteenth century CE and began to venture farther afield in pursuit of commercial and political gain, Venetians encountered such diverse problems as spoilage, pillage, and piracy. The clever Venetians established the practice of pooling their funds and then indemnified any losses from that fund—essentially creating the first mutual insurance company.
  • Finally, during the late seventeenth century in London, as international commerce grew, there developed the modern approach to risk transfer, whereby disinterested third parties put up financial capital against the likelihood of a loss of a ship or cargo. The third parties, who frequented Edward Lloyd's coffeehouse, were called underwriters because they would literally write their names on posted pieces of paper under the names of the ships they desired to insure.

60.1.2 Growing Recognition of the Need for Insurance.

Network security is not a product, a software application, or a corporate edict. It is a process—a living entity that must evolve and adapt to meet increasing and ever-changing threats. There is no substitute for the combination of a comprehensive security policy and the employment of best-of-breed technology applications.

What has become painfully apparent, to both board members and chief information officers, is that the only network that can be maintained inviolate is one user on one computer—in other words, no network at all. If legitimate business can be done across a real network, then so too can malicious business be done across that network. This awareness is critical to an entity's network security. It should lead the entity to look beyond its technology to the more traditional ways that businesses have employed to manage the risks of simply doing business. A company does not decline to buy fire insurance because it relies on its new sprinkler system; a bank does not refrain from purchasing crime coverage because it has the best locks and guards.

Changes in accounting rules over the past decade have served to bring computer and network security to the fore. More and more companies now have an increasing percentage of their balance sheet assets represented by ones and zeroes in their databases. Companies traditionally have bought insurance to protect against damage or loss of their principal assets: their plant, their fleet of vehicles, and so on. Where do they turn now that these principal assets are the data and information stored in their networks?

The last few years have also seen a proliferation of laws, regulations, and industry practices that affect not just privacy and computer security but corporate governance as well. A company cannot be in compliance with the Sarbanes-Oxley Act (SOX) if it cannot make a definitive statement that its systems are providing accurate financial information—and yet SOX makes no mention of computer security per se.

60.1.3 General Liability Issues.

Businesses traditionally have managed the risks they face through the purchase of insurance, principally commercial general liability (CGL) and property policies. The additional risks faced by financial institutions and professional services firms usually were addressed through a mix of fidelity/surety bonds and specialty insurance products, for example, errors and omissions insurance. What they have in common, however, is the fact that all these lines of coverage were created before the widespread, commercial use of computers and networks, especially the Internet. Not surprisingly, these policies often fall short of addressing the complex computer and network security exposures that companies face in the New Economy.

The CGL policy is the most fundamental component of a corporation's insurance portfolio and, not surprisingly, the coverage that receives the most attention upon the prospect of an Internet loss. Originally called comprehensive general liability, such policies provide a wide range of coverage for the liability of an insured, because of bodily injury or property damage suffered by a third party as a result of the insured's action or inaction. This coverage, which is explored in greater detail in Section 60.3, is the situs of coverage for intellectual property (IP) infringement claims—an issue of critical importance today, when so much of a company's worth, even its existence, is based on its rights under patents, copyrights, or trademarks.

The basic CGL policy provides coverage for all sums the insured is legally obligated to pay as a result of bodily injury, property damage, or personal and advertising injury. However, the potential bodily injury associated with information technology is limited.

60.2 INTELLECTUAL PROPERTY COVERAGE.

Of critical importance to a company dealing with new technologies is the potential that its new innovation is a variation on existing and protected intellectual property. In such cases, the innovator may be forced to cease production, to obtain a license from the entity that owns the IP at issue, or to seek to have the legal protections of the applicable area of IP invalidated through the courts. Alternatively, the company in possession of protected technology, created through the expenditure of millions of dollars for research and development (R&D), may suddenly find that such technology has been incorporated in the new product of a competitor. The victimized company is faced with loss of market share and, possibly, with a threat to its very existence. It must enforce its legal property rights—either through a license to the offender or by seeking to preclude the use of the technology. In both situations, all parties will be subject to significant legal fees to resolve the issue.

In CGL policies, coverage generally exists (on a defensive basis) for the infringement of a third party's intellectual property. However, the coverage is neither a broad grant nor a particularly effective one. In order to trigger coverage, the infringement must be deemed an offense under the policy's Personal and Advertising Injury section. Even then, coverage is limited by the applicable definitions, exclusions, and the restrictive insuring agreement.

The most current International Organization for Standardization (ISO) language for the ISO CGL form CG 00 01 (July 1998) provides:

COVERAGE B. PERSONAL AND ADVERTISING INJURY LIABILITY.

  1. Insuring Agreement.
    1. We will pay those sums that the insured becomes legally obligated to pay as damages because of “personal injury” or “advertising injury” to which this insurance applies. We will have the right and duty to defend the insured against any “suit” seeking those damages….

By virtue of the use of the defined term—“advertisement”—the form is clear that advertising injury liability coverage is applicable solely to offenses committed in the course of advertising the insured's business.

This grant of coverage is conditioned by caveats that are restrictive in the old economy of brick-and-mortar commerce and all the more troublesome when viewed in context of the Internet. In order to comprehend fully which coverage provisions may or may not exist, it is first necessary to understand how the policy defines the operative terms.

The current CGL policy includes the key term:

“Personal and Advertising Injury” means injury arising out of one or more of the following offenses:

  f. The use of another's advertising items in your “advertisement”; or
  g. Infringement upon another's copyright, trade dress, or slogan in your advertisement.

As identified herewith, the grant of coverage is limited. There is no coverage for an infringement if it does not satisfy the three-pronged test outlined in New Hampshire Insurance Co. v. Foxfire:2

  1. Advertising activity of the policyholder
  2. A claim that falls within one or more of the enumerated advertising injury offenses
  3. Causal nexus between the offense and the advertising activity

This test is merely one of several threshold requirements that must be satisfied before coverage will apply. The policy requires that the advertising injury arise out of the covered offense and that the claim seeks damages recoverable under the policy. The question of coverage is further limited by several exclusions that serve to drive home the limited scope of coverage.

Ambiguity in the language of the CGL has created some confusion in the marketplace. The situation worsens when applied to the Internet. More specifically, the exclusion regarding “an offense committed by an insured whose business is advertising, broadcasting, publishing or telecasting” makes the coverage particularly problematic.

If the policyholder specifically operates in the media business, the exclusion's applicability is clear and unequivocal. However, what happens in the more likely scenario where the policyholder is not a multimedia service provider, but merely an e-tailer or someone who maintains an informational Web site? Not surprisingly, there are two schools of thought.

One group, championed by the plaintiff's bar, argues that, unless the policyholder is actively engaged in the business of advertising, broadcasting, publishing, or telecasting as those industries have been traditionally defined, the exclusion is not applicable. This logic rests on the argument that computers and the Internet do not alter the fundamentals of how the world does business.

The second school of thought looks to the way that computers and the Internet have blurred the line between traditional media activities and a company's online presence. By maintaining any presence online, the policyholder's activities now fall within the parameters defined by the exclusion. This position is not readily understood and bears further exploration.

It is rare for a Web site not to contain a banner advertisement, hyperlink to a third party's site, or material imported from sources other than the policyholder's cache of copyrights and trademarks. The presence of such content clearly places the policyholder in the shoes of an advertiser, broadcaster, or publisher. Even the most literal policy interpreter is hard-pressed to differentiate between the newspaper or television network that accepts advertisements and the e-tailer that carries a banner ad.

The applicability of the exclusion becomes less clear when a business carries no banner ads or hyperlinks and contains no material beyond that which has sprung from the corporate mind of the policyholder. The question then becomes one not involving misuse of a third party's content. Does the simple maintenance of a Web site presume a business of advertising, broadcasting, publishing, or telecasting? The logic behind that position argues that the insured, by maintaining a Web site, is effectively sidestepping the services of publishers and broadcasters and doing the job itself.

Finally, another argument considers the manner, speed, and magnitude with which business is conducted via the Internet. The medium of the Internet was never contemplated when the insurance industry drafted the CGL policy. Similarly, premiums charged for CGL policies do not reflect any actuarial data related to the Internet. In fact, the very nature of the Internet lies in direct opposition to most assumptions an insurance underwriter formulates when calculating a premium.

For instance, when a business contemplates launching an advertising campaign, a concept traditionally goes through some preliminary review or in-house analysis. That concept is then taken to an advertising agency, where, among other things, it would be reviewed for general propriety (whether it infringed another's copyright, trademark, etc.). The final product then would be marketed to either the print or broadcasting media, where the publisher would review the advertisement. In granting advertising injury/personal injury coverage, the insurance underwriter assumes the content has gone through similar independent reviews. On the World Wide Web, however, such levels of scrutiny are typically nonexistent.

It is unlikely that this coverage ambiguity will be resolved definitively until more cases reach the courts. Even then, there will be issues surrounding the applicability of boilerplate policy. Several carriers have either clarified the intent of the policy by expressly excluding Internet activity or simplified it by not offering such coverage to those entities that have an Internet exposure. Finally, several companies have addressed the issue by creating a policy that affirmatively covers the risks associated with a company presenting information, be it substantive content or just a banner advertisement.

60.2.1 Loss/Damage to Intangible Assets.

Property damage is generally defined as physical injury to tangible property including all resulting loss of use of that property and loss of use of tangible property that is not physically injured.

Several cases have looked at the nexus between the virtual world and property damage. In a recent case, a large assembler of personal computers purchased disk drives from a manufacturer and subsequently alleged that the disk drives were defective. It did not, however, allege that the defective drives caused any harm to the other components, nor did it claim any loss of use. The manufacturer presented the claim to its CGL carrier, which later denied the claim. In the resultant coverage litigation, the court ruled the claim did not involve property damage because “physical incorporation of a defective product into another does not constitute property damage unless there is a physical harm to the whole.”3 The implication is clear: The mere fact that a piece of hardware or application is defective will not trigger coverage based on an argument of property damage. The importance of this distinction cannot be overstated. This issue will be emphasized further in Section 60.2.10 when first-party coverage is explored as a result of similar direct loss.

The more critical and interesting issue is whether damage to or loss of computer data is property damage. Generally, courts that have looked at the issue have held that loss of data in isolation does not constitute damage to tangible property.4 This position is under attack.

60.2.2 Intellectual Property Policies.

As a result of the emerging importance of technology and the increased financial recognition of intangible assets, various insurance products have been developed to fill the void.

These policies fall within three general types:

  1. Third-party liability
  2. Prosecution or abatement
  3. First-party liability/loss

The most common forms of insurance coverage available for IP are third-party liability policies, including policies offering errors and omissions or professional liability coverage. In these policies, coverage can be found for an insured's liability to a third party for infringing on that party's IP rights. There is a limitation on this coverage, though. Coverage usually is conditioned on the infringement being part and parcel of the insured rendering the service that is the basis (or trigger) of the coverage. Additionally, coverage usually is restricted to claims for copyright or trademark infringement and generally carries express exclusions for trade secrets and patents.

This sort of coverage is written either on a claims-made or occurrence basis. Traditionally, firms that provide content (e.g., advertising agencies, media firms, and publishing companies) have found coverage for copyright and/or trademark infringement in multimedia liability policies that are written on an occurrence basis. The policy covers an insured for claims arising out of wrongful acts that occur during the policy period. In contrast, most other errors and omissions/professional liability policies are written on a claims-made basis. They provide coverage for claims made and reported to the carrier during the policy period. The two types of policies can be distinguished further by the fact that claims-made policies may provide coverage for wrongful acts of the insured that occurred prior to the policy period, often dating back several years.

Firms looking for more explicit coverage for IP infringement claims, including coverage for trade secrets and patents, must look to policies with the sole purpose of providing such coverage.

60.2.3 Claims Made versus Occurrence Coverages.

Insurance policies generally fall into one of two types: claims-made or occurrence based. The differences in such policies are relatively simple to grasp.

An occurrence insurance policy provides coverage for claims that are made at any time so long as the wrongful acts that form the basis of the claim occurred during the policy period. As such, a one-year occurrence policy that was effective January 1, 2010, would respond to any claim relating to covered wrongful acts that occurred after January 1, 2010, and before January 1, 2011.

It generally does not matter if the claim is made long after the policy has expired. Traditionally, some CGL and most media liability policies have been written on an occurrence basis; this group of policies is often the first line of defense for claims of copyright and trademark infringement.

A claims-made insurance policy provides coverage for claims made during the policy period, regardless of when the wrongful acts giving rise to the claim occurred. Using the previous one-year example, a claims-made policy would respond to a claim made against the policyholder only during the policy period, even if the wrongful acts complained of occurred several years prior to the inception of the policy. Nearly all professional liability/errors and omissions policies and some CGL policies are written on a claims-made basis. Nearly all policies that offer express and specialized coverage for IP infringement liability are written on a claims-made basis.

How the occurrence/claims-made distinctions apply to the exposures created by the Internet is generally of interest only to insurance brokers and underwriters. Some insurance companies have taken the approach that the Internet is entirely a media risk and, as such, should be addressed by occurrence-based coverage. In contrast, other carriers view the exposure as entirely based in the services a Web site provides, even if those services are media related and offer only claims-made coverage to Internet businesses. Still another, smaller group of insurance carriers has taken the approach that the Internet presents risks that are best served by both types of coverage and have offered blended policies.

The benefits of occurrence versus claims-made policies really depend on whether the claimant is likely to discover and assert its claim soon after the wrongful act, and whether the policyholder has any existing insurance coverage that will respond to potential claims from its prior actions.

60.2.4 Duty to Defend versus Indemnity.

Those policies providing express coverage for IP are written on both a duty-to-defend and an indemnity basis. The differences between the two types of coverage are less subtle than the claims-made/occurrence distinction, although the two share some of the same history.

Generally, most third-party liability policies written by domestic insurance companies today obligate the insurance company to defend the policyholder so long as the asserted claim alleges facts that might reasonably be expected to result in coverage under the policy. Different jurisdictions take different views on how to interpret that duty and its trigger. The question is the subject of no small amount of case law and legal analysis. For the purposes of this discussion, it need merely be noted that the general duty to defend under the law is broader than the insurer's duty to indemnify the policyholder for damages. So long as a claim alleges arguably covered damages, the carrier will owe a defense.

Some older policies, as well as those offered through Lloyd's of London, are written on an indemnity basis. The practical effect of this is that the policyholder must incur the cost of defending itself and paying damages for which it is held liable. The insured then must seek indemnity or reimbursement, subject to any retention or deductible, from the carrier.

Whether a policyholder is better served by an indemnity or a duty-to-defend policy depends not only on its ability to fund a defense but also on its desire to maintain complete control over that defense. In a duty-to-defend policy, the carrier, subject to the deductible or retention, provides a defense for covered claims from day 1, including designating and appointing defense counsel.

Duty-to-defend policies usually are associated with a pay-on-behalf-of component. This element of coverage obligates the carrier to pay on behalf of the policyholder any covered damages for which the policyholder is held liable, subject only to the applicable deductible or retention.

In the case of an infringement liability policy, the duty to defend is triggered when a claim alleges that an insured has violated or infringed on the IP rights of another in the course of its business or, if more narrowly underwritten, in the course of the expressly designated covered activity. It is important to note that the validity of the claim is often irrelevant to the duty of the carrier to provide a defense.

60.2.5 Who Is Insured?

The typical policy generally provides coverage to the principal or named insured and to subsidiaries of the named insured; the named insured usually is the entity that applied for the insurance and completed the application. Subsidiary coverage traditionally has been limited to actions taken while a subsidiary of the named insured. Coverage also would be provided to any present or former partner, officer, director, or employee of the named insured or subsidiary, but only while acting in his or her capacity as such. Generally it includes the estates, heirs, legal representatives, or assigns of deceased persons who were insureds at the time that the IP infringement was alleged to have been committed, and the legal representatives or assigns of insureds in the event of the insured's incompetence, insolvency, or bankruptcy.

Persons qualifying as insureds under the policy are a potentially large and diverse group. Traditionally, IP infringement liability policies have focused not so much on the who but on the what of coverage. In this case, the what is the scope of the policyholder's business activity for which the insurance carrier has agreed to provide coverage. This can be anything from a single product or service to the entire breadth of the policyholder's operations.

60.2.6 Definitions of Covered Claims.

The value of IP coverage can best be viewed by how it defines a claim. As can be seen by current cases, more often than not, the first salvo fired by a plaintiff is not one seeking damages, but rather one seeking to enjoin the infringer from further infringement. Unfortunately, many policies require that the claimant seek monetary damages before coverage attaches. For coverage to be truly effective, a company should make sure that it would respond to actions seeking:

  • A demand for money, services, nonmonetary, or injunctive relief or
  • A suit(s), including a civil, criminal, or arbitration proceeding, for monetary or nonmonetary relief

Integral to a covered claim is how the policy defines claims expenses. Simply offering coverage for those expenses incurred in defense of an infringement action often gets to only half of an effective defense. To paraphrase the cliché, often the best defense is a strong offense. In order for defensive coverage to be effective, it needs to incorporate coverage for expenses incurred in seeking to challenge the validity of the patent that a company's product or service is allegedly infringing.

60.2.7 Prior Acts Coverage.

The question of prior acts coverage can be a crucial one when the coverage is written on a claims-made basis. A company must consider how long it has been doing what it is seeking to protect. Ideally, coverage should go back to the inception of the company; unfortunately, such broad coverage is not always available. Carriers often limit coverage to a discrete number of years prior to policy inception—the time when the policyholder instituted certain internal IP controls and/or when it began the activities for which coverage is sought.

Prior acts coverage is not an issue for policies written on an occurrence basis, since, by definition, they provide coverage only for acts that occur within the policy period.

60.2.8 Extensions of Coverage.

Most IP insurance policies currently available are written to cover only a specific type of IP infringement, chief among them the patent infringement policy. The typical company, assuming that such an entity even exists, does not have the luxury of being sued only for an isolated activity. It is more probable that a company, by its very existence, will create potential exposures across the entire spectrum of intellectual property. As such, companies need coverage that will respond to an allegation of more than just patent infringement.

Several insurance carriers offer coverage options that address this range of IP risks in a single policy form. Other carriers have addressed this issue by endorsing only that coverage that the company specifically requests. The most common coverage extensions available are for copyright and/or trademark infringement.

60.2.9 Common Exclusions.

The most common exclusions in third-party liability coverage generally relate to intentional or criminal activities. Several policies contain absolute exclusions when the infringement is willful or intentional. Other carriers soften the impact by providing a defense until the prohibited conduct is proven. Even then it is possible that coverage will apply to those insureds under the policy that did not know of or participate in the willful conduct.

Along similar lines is the exclusion for punitive or exemplary damages. Historically, such damages have been excluded as a matter of course. Recently, however, some carriers have offered coverage for awards of such damages to the extent that to do so is not against public policy or otherwise against the law.

Other common exclusions track with the principle that liability insurance is meant to cover fortuitous risks. They include claims arising out of breach of contract, antitrust activities, and infringements that existed prior to the inception of the policy. The policies are meant to cover unforeseen risks, not known claims or the cost of doing business.

60.2.10 First-Party Coverage and Other Key Provisions.

One breed of coverage differs by its very nature. This first-party coverage reimburses the policyholder for the loss of the value of its IP after it is declared invalid (patents) or misappropriated (trade secrets). In addition, coverage is available in the market for a policyholder's loss of a trade secret resulting from a computer attack.

At the moment, the number of carriers offering such coverage is very limited, and the underwriting is, in a word, intense. The first coverage is called patent validity coverage, which indemnifies buyers and/or sellers of patent rights for loss related to the patents subsequently being declared invalid or held unenforceable. Such coverage can be tailored to the premium that the company wants to pay. The basic coverage pays up to the purchase price of the patent rights. Expanded coverage pays for the loss of expected royalty income. This coverage is limited to patent only.

Another recent innovation provides first-party coverage for loss of a company's trade secrets. At least two Internet-focused policies also provide first-party coverage to a policyholder for the loss of its trade secrets. These policies provide coverage for the assets a policyholder has decided to treat as a trade secret. The policies generally require that the trade secrets be misappropriated through some deficiency in the security of the policyholder's computer system.

60.3 PROPERTY COVERAGE.

Of particular importance to any commercial entity that values its information is the protection, or lack thereof, afforded under existing property policy forms. Traditionally, such policies provide coverage for the direct financial loss suffered by the policyholder for damage to or loss of use of an entity's physical or tangible property as a result of such brick-and-mortar perils as fire, windstorm, theft, and the like. This form of property policy is referred to in the insurance industry as all-risk; while broader in the scope of the perils it covers, it is still subject to the brick-and-mortar restraint that what is damaged be of a tangible nature.

The realities of how things work today, and the shift away from a company's worth being largely comprised of physical assets, suggest that such tangible property coverage is no longer adequate or sufficient, in and of itself. In today's economy, the lifeblood of an organization is generally not its buildings and equipment, although the events of September 11 demonstrate how vital such coverage may be. In fact, a fairly standard business model is for a company to have equipment provided to it only virtually, by its Web hosting company or by any number of application service providers. The latter often replace many of the systems that a company would have leased or purchased outright, only a few short years ago.

Such relationships create further problems for the traditional property policy. The typical policy provides coverage for tangible property at the physical locations of a business. As such, even if one overcomes the hurdle of whether intangible assets are or are not covered under the policy, it is likely that such property is not resident at the locations covered under the policy.

Often purchased in conjunction with the standard property policy is coverage for loss of income due to a business interruption. This coverage has the same damage to or loss of use of trigger, but whereas the basic property policy seeks to indemnify the policyholder for the actual lost or damaged property, business interruption coverage reimburses a policyholder for loss in the form of (1) the loss of net income plus normal operating expenses that continue during the covered interruption; and (2) the necessary extra expense incurred in the effort to continue normal business operations. In addition, coverage often is extended to include contingent or dependent business interruption. This provides coverage for a policyholder if a business that the policyholder depends on is interrupted by a peril covered under the policy, and subsequently causes the policyholder to suspend business as a result.

In today's world, most if not all businesses rely on third parties to maintain some element of their network or computer systems, from the obvious application service provider (ASP), or hosting company (ISP), to the less obvious, but equally vital, outsourcing of network security. The concept of the weakest link applies not only to those allowed within a firewall—such as supply chain elements and extranet members—but also to the backbone and infrastructure suppliers. The network or site will be just as inoperative whether a distributed denial-of-service attack hits the business directly or brings down its hosting company or ASP, backup and business continuity plans notwithstanding.

A case in Arizona threw into question much of what the insurance industry felt was well settled on the issue of tangible versus intangible. In American Guarantee & Liability Ins. Co. v. Ingram Micro, Inc.,5 a policyholder sought coverage under a property policy for loss of functionality of its computer systems resulting from the loss of programming information in random access memory due to a power outage. The judge, in finding for the policyholder, based his decision largely on federal computer crime law and his own stated belief that the continued distinction between tangible and intangible property was pointless.

Not surprisingly, the Ingram Micro case has had a galvanizing effect on the legal and insurance community. The policyholder bar has hailed it as a commonsense decision whereas the carriers and the legal community at large have pointed at the holes in the logic, personal opinion, and leaps of faith in the decision. What all can agree on, however, is that it has created an increasing awareness and sensitivity by companies as to their insurance portfolios. Since the Ingram Micro decision was never published, it is not binding precedent. In addition, subsequent case law has thrown the Ingram Micro decision into question.

The logical extension of increased interaction and dependencies between service providers and clients, as well as between coventurers and simple conversants, is that, increasingly, businesses will come to hold or touch more and more information assets besides their own in their computer system. Such property, like its electronic brethren, tortured judicial logic notwithstanding, will not rise to the level of covered property, which generally is limited to tangible property located in or on the policyholder's premises.

It has been suggested that coverage might be found under the property policy pursuant to the valuable papers and records extension. The only problem with this argument is that absent express endorsement to the contrary, valuable papers and records are defined as manuscripts and the like, not electronic data or the media used to store or record such data.

There also have been attempts to resurrect the notion that coverage might be found under the sue and labor aspect of coverage. This would afford coverage not for the loss itself but for the costs associated with fixing the problem. Much was made of this in numerous cases seeking coverage for year 2000 (Y2K) remediation efforts; these cases have begun to die quiet deaths due in large part to the known element of Y2K (the technological equivalent of a burning building in that programmers were well aware of the problem) and the nonevent that Y2K eventually proved to be. The analogy in network and computer security would be to look to one's insurance company to pay for the company's firewall and intrusion detection system.

60.4 CRIME/FIDELITY COVERAGE.

Traditional crime and fraud policies have provided, and do provide, a certain level of coverage for direct financial loss due to computer fraud. These policies, however, have usually been limited to indemnifying a policyholder for loss of money, securities, and other property. The policies also can contain limitations as to coverage involving both the intent and the identity of the thief, that is, whether an employee of the policyholder or a third party. However, these policies fall short in protection or indemnification for the theft or misappropriation of information and of intangible assets such as trade secrets, data, and technology—the essential elements of e-commerce.

The policies that do afford express coverage for the loss suffered by a policyholder as a result of a computer crime generally limit the coverage to the loss of intangible property or information assets. They also can include loss that is other than the deprivation of the information asset, such as situations where the crime involves the copying of data. In today's economy, a company can effectively suffer a loss where its information assets are only copied—for example, the disclosure of a client list, business plan, vendor relationship details, and the like.

60.5 E-COMMERCE POLICIES.

In the time since the fourth edition of this Handbook was published in 2002, the marketplace for e-commerce policies has matured only slightly, with little or no uniformity between the competing products. One thing that the market does seem to agree on, though, is a focus on all industries as opposed to only the technology, telecommunications, and financial sectors. The markets offering policies with definitive coverage for information technology, e-commerce, and network security have remained relatively static, though new entrants now come from established carriers as opposed to small start-up entities. What remains important to note is that all of these forms must, and will, continue to change with time as the technology to which they are tied changes and evolves. One need only look back to the early 1990s to find policies that spoke of the infinite channels of the Internet, and of information security as part and parcel of the general content-related risks faced by publishers and broadcasters.

These e-commerce policies generally fall into two categories: (1) those that cover damage caused to others by the actions or failures of the policyholder's computer systems and (2) those that cover direct financial loss of the policyholder from certain specified cyber perils.

The most common e-commerce policy is that which would defend and indemnify a policyholder for claims made against it by others for damages allegedly suffered by those third parties. In addition to filling the gaps in traditional policies, such as the CGL policy, such policies also extend new coverage that is peculiar to the needs and exposures of information technology and computer system security.

Typical third-party exposures include the infringement of another's intellectual property, violation of privacy rights, content-based liability such as libel and slander, and professional malpractice. Claims alleging such suffered wrongs are more often than not attributable to acts of negligence by an insured. They also do not differ dramatically from their Old Economy cousins, with the exception of the myriad of privacy issues that recently have come to the fore in the form of general privacy, healthcare, and financial information.

The new exposures or risks that these policies respond to include the damage caused by the transmission of malicious code, the unwitting participation in a distributed denial of service attack as a zombie,6 and others. These perils also are the triggers for coverage for the direct loss suffered by the policyholder itself in the form of stolen information assets, corrupted data, network interruption, cyber extortion, and so on.

The more robust e-commerce policies must, and will, adapt to the inherent differences between the Old and the New Economy. Policyholders risk finding themselves bare at worst or at best succeeding in forcing a settlement after protracted litigation, when they seek to shoehorn coverage for the unique risks of the Internet into hoary old policies from the days of black-and-white television and the Cold War. Just as new coverages developed around the new exposures of employment practices, so too have new coverages arisen to address the new exposures of a company Web-enabling its business practices.

As these new e-commerce policies cover new risks, the due diligence performed by the insurance carrier in underwriting the risk must break new ground. The few carriers that have taken the time to educate themselves about the risks inherent in computer and network security have turned to computer security professionals to assist in their due diligence. This due diligence generally takes the form of remote penetration testing, an online network security assessment, a full-blown on-site security audit, or some combination. What is important to note is that these activities basically are unrelated to insurance and that they focus exclusively on the computer and network security issues; as such, they represent a true value added to the applicant in the form of an additional set of eyes taking a critical look at its security without the applicant having to pay for it.

In addition, companies recently have begun to develop and market coverage that would allow individuals to cover the damages and costs associated with the loss and repair of their financial or credit identity. Such coverage also has been available to individuals under traditional personal lines policies, such as homeowners' insurance, although that capacity seems to be disappearing as the risks associated with such loss become more widespread and publicized.

Recent events, and like as not future events, will continue to highlight the vulnerability of even the most robust computer and network security. Apart from simply shutting down a business, the only way for a business to operate with the confidence that it will survive a successful computer attack and to instill that same confidence in its trading partners, be they customers or suppliers, is to have that traditional old risk-transfer vehicle, the insurance policy, sitting behind all that technology.

The issue of computer and network security is itself changing as well. Accounting changes, shifts in asset composition, and the leveraging of intangible assets have caused network and computer security to evolve from a technology issue into a management liability issue. That evolution requires that companies address both the efficacy of their technology and the completeness of their insurance portfolio. Of critical importance today is the issue of privacy.

60.6 PRIVACY AND IDENTITY THEFT EXPOSURES.

Businesses of all sizes across all industries hold both confidential commercial and personally identifiable information in their care. Both businesses and consumers can take advantage of insurance to mitigate the consequences of breaches of confidentiality involving personally identifiable information.

60.6.1 Issues for Businesses.

Consumers, employees, clients, vendors, merger partners, and other constituents expect the businesses they entrust with confidential information to safeguard it. When a business fails to do so, the consequences can be severe.

60.6.1.1 Civil/Legal Liability.

Companies may be held legally liable for losses that consumers or other third parties incur if information in their care is compromised or identity theft occurs. Even if a business has sound security practices in place and is not negligent in handling private data, the cost of defending allegations of negligence, and the settlements that often result, can be significant. A few of the many recent scenarios that have put companies at risk follow.

  • In June 2005, victims of a massive compromise involving millions of credit card accounts stolen from payment-processor CardSystems Solutions7 filed a class-action lawsuit demanding damages. Plaintiffs included not only individuals but also retailers affected by the breach.8 CardSystems was also charged by the Federal Trade Commission (FTC) and agreed to comply with strict standards for security improvements and audits.9
  • After a hacker stole debit card information in 2006 from TJX Companies, Inc., owners of T.J. Maxx and Marshalls stores across the United States, approximately a dozen banks had to reissue thousands of new cards to customers.10 The banks sued the retailer for the cost of reissuance and fraud.11 This case was deemed the largest security breach in history to that date.12 A settlement agreement was negotiated in 2008 that offered “vouchers, cash benefits, credit monitoring, identity theft insurance, and reimbursements to eligible people affected by the intrusion(s). TJX will also hold a one-time special event reducing prices 15% for one day at T.J. Maxx, Marshalls, T. J. Maxx'n More, Marshalls MegaStore, HomeGoods, A.J. Wright, Winners and HomeSense stores on a future date not yet determined.”13

60.6.1.2 Regulatory Issues.

Various regulatory bodies may bring administrative actions against entities experiencing a privacy breach. Actions may be brought by the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), state insurance authorities, federal banking agencies, and state attorneys general. Responding to these investigations can require significant managerial and legal expenses. In addition, companies may be forced to undertake lengthy, expensive corrective actions as a result of the investigations and settlements.

Illustrating the impact of a regulatory investigation is the widely publicized case of ChoicePoint, in which a major consumer data broker agreed to pay $10 million in civil penalties and $5 million for consumer redress in January 2006 to settle FTC charges arising from a data security breach. Under the terms of the settlement, the company was also required to implement new procedures to enhance information security and must undergo security audits by a third party every other year for decades. The breach compromised the personal financial records of more than 163,000 consumers and resulted in at least 800 cases of identity theft.14

Many states have enacted laws requiring companies to notify consumers if information has been compromised. These laws dictate when a company must give notice and what method of communication must be used. Although requirements vary state to state, costs of notification can run into hundreds of thousands of dollars.

On the federal side, a number of initiatives have been progressing through the House and Senate. At the time of writing (July 2008), the links to the Library of Congress THOMAS system15 provided the following status for significant proposals with possible liability implications for holders of personally identifiable information:

  • H.R. 516
    • Title: To increase the security of sensitive data maintained by the Federal Government.
    • Sponsor: Representative Jo Ann Davis [VA-1] (introduced 1/17/2007); Cosponsors (None)
    • Latest Major Action: 3/23/2007. Referred to House subcommittee. Status: Referred to the Subcommittee on Information Policy, Census, and National Archives.
  • H.R. 3046
    • Title: To amend the Social Security Act to enhance Social Security account number privacy protections, to prevent fraudulent misuse of the Social Security account number, and to otherwise enhance protection against identity theft, and for other purposes.
    • Sponsor: Representative Michael R. McNulty (NY-21) (introduced 7/16/2007); Cosponsors (53)
    • Latest Major Action: 9/24/2007 Placed on the Union Calendar, Calendar No. 210.
  • H.R. 4175
    • Title: To amend title 18, United States Code, with respect to data privacy and security, and for other purposes.
    • Sponsor: Representative John Conyers, Jr. (MI-14) (introduced 11/14/2007), Cosponsors (7)
    • Latest Major Action: 12/18/2007 House committee/subcommittee actions. Status: Subcommittee Hearings Held.
  • H.R. 4241
    • Title: To prohibit the transfer of personal information to any person or business outside the United States, without notice.
    • Sponsor: Representative Ted Poe (TX-2) (introduced 11/15/2007), Cosponsors (None)
    • Latest Major Action: 1/11/2008 Referred to House subcommittee. Status: Referred to the Subcommittee on Financial Institutions and Consumer Credit.
  • S. 239
    • Title: A bill to require Federal agencies, and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information.
    • Sponsor: Senator Dianne Feinstein (CA) (introduced 1/10/2007), Cosponsors (None)
    • Latest Major Action: 5/31/2007 Placed on Senate Legislative Calendar under General Orders. Calendar No. 180.
  • S. 495
    • Title: A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
    • Sponsor: Senator Patrick J. Leahy (VT) (introduced 2/6/2007), Cosponsors (7)
    • Latest Major Action: 5/23/2007 Placed on Senate Legislative Calendar under General Orders. Calendar No. 168.
    • Senate Reports: 110-70
  • S. 1208
    • Title: A bill to provide additional security and privacy protection for Social Security account numbers.
    • Sponsor: Senator Byron L. Dorgan (ND) (introduced 4/25/2007), Cosponsors (None)
    • Related Bills: H.R. 3271
    • Latest Major Action: 4/25/2007 Referred to Senate committee. Status: Read twice and referred to the Committee on Finance.
  • S. 1814
    • Title: A bill to provide individuals with access to health information of which they are a subject, ensure personal privacy with respect to health related information, promote the use of nonidentifiable information for health research, impose criminal and civil penalties for unauthorized use of protected health information, to provide for the strong enforcement of these rights, and to protect states' rights.
    • Sponsor: Senator Patrick J. Leahy (VT) (introduced 7/18/2007), Cosponsors (2)
    • Latest Major Action: 7/18/2007 Referred to Senate committee. Status: Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
  • S. 2454
    • Title: A bill to amend the Communications Act of 1934 to protect the privacy rights of subscribers to wireless communications services.
    • Sponsor: Senator Barbara Boxer (CA) (introduced 12/12/2007), Cosponsors (2)
    • Latest Major Action: 12/12/2007 Referred to Senate committee. Status: Read twice and referred to the Committee on Commerce, Science, and Transportation.
  • S. 2859
    • Title: A bill to amend the Family Educational Rights and Privacy Act of 1974 to clarify limits on disclosure of student health records, and for other purposes.
    • Sponsor: Senator Jim Webb (VA) (introduced 4/15/2008), Cosponsors (1)
    • Latest Major Action: 4/15/2008 Referred to Senate committee. Status: Read twice and referred to the Committee on Health, Education, Labor, and Pensions.

60.6.1.3 Damages to Brand Image, Consumer Confidence.

When private information in a company's care is compromised or stolen, the company can suffer damage to its reputation and a decline in customer and employee confidence. How a company communicates the problem to those affected and manages the aftermath of an incident is critical.

If a company responds to a security breach or a potential security breach with rapid, effective communications and proactive, practical assistance for victims, it can mitigate damage to its public image. Companies that handle private or confidential data must plan, and prepare to mount, an appropriate response, and they must consider the costs such a response will entail.

60.6.1.4 Special Considerations.

All businesses that handle personal information are exposed to privacy- and identity theft-related liabilities. Certain businesses hold especially sensitive information, and have a particularly pronounced risk. This includes:

  • Any company that holds confidential information under a confidentiality agreement.
  • Financial services companies that hold information concerning an individual that would be considered nonpublic personal information as defined under Title V of the Gramm-Leach-Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338). This definition encompasses all information on applications to obtain financial services, such as credit card or loan applications, bank or credit card account histories, and the fact that an individual is or was a customer of the financial institution.
  • Healthcare companies that handle information that could be considered protected health information within the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA defines protected health information to encompass all individually identifiable health information held or transmitted by a covered entity or its business associate in electronic, paper or oral form.

60.6.1.5 Business Insurance for Identity Theft and Privacy Liability.

Specialized insurance allows businesses to manage the significant exposure associated with privacy breaches and identity theft. The insurance addresses the expenses and liability that can result when confidential information in a company's care, custody, and control is disclosed, compromised, or stolen. The same markets that provide e-commerce policies have responded with specialized coverage for privacy breaches. In evaluating this coverage, it is important to note that while the e-commerce policies generally require a computer malfunction of some sort, the privacy liability coverage responds to the claim however the privacy breach occurs—be it a computer glitch, Dumpster diving, or a rogue employee walking out the door with a laptop or paper file. A sound insurance program should provide coverage for:

  • Legal liability and defense costs. This includes judgments, settlements, and defense fees incurred as a result of civil litigation initiated by consumers, clients, organizations or other businesses.
  • Regulatory action expenses. This includes legal expenses that result from investigations, negotiation of consent orders, and formal adversarial proceedings instituted by government or regulatory agencies. This is a critical privacy coverage, since the regulatory action will often precede the civil suit. It is in the insured's and insurer's best interests to have a favorable resolution of the regulatory action.
  • Notification costs. The costs incurred to notify individuals or businesses whose information was compromised or stolen, including costs of mail, e-mail, telephone, or advertising. This is an interesting coverage enhancement, not generally found in other policy forms. It is, however, of growing importance as relates to current and pending state and federal regulations.
  • Crisis communications management expenses. This includes the cost of public relations counsel to help a company shield its reputation during a pivotal period.
  • Costs of recovery services for victims. This includes the costs of education, assistance, and credit monitoring for customers, employees, or others whose information was stolen or compromised. Providing these services can help a company to retain customers, maintain employee satisfaction, and prevent costly legal actions in the wake of an incident.

60.6.1.6 Other Commercial Insurance Policies.

Many companies operate with the perception that traditional insurance policies, such as commercial general liability (CGL), directors and officers (D&O) liability, or errors and omissions (E&O) insurance, address privacy and identity theft exposures. However, traditional commercial insurance policies are generally not designed to address risks related to computer networks and electronic information. Citing just one example, CGL policies typically do not define territory to align with the global nature of the Internet and do not contemplate the various privacy laws worldwide. They would not normally include expenses associated with victim notification, crisis management, and identity theft recovery either.

In fact, company management and other professionals who rely solely on traditional insurance could be surprised to find they have little or no insurance when a privacy breach or identity theft incident occurs. The specialized privacy and identity theft insurance discussed previously was designed expressly to fill this significant coverage gap.

60.6.2 Issues for Consumers.

Identity theft, defined as the theft and fraudulent use of an individual's personal identification information, including a Social Security number, account numbers, or other personal data, is the fastest-growing financial crime in America. One of every eight adults, or a family member, has been a victim of identity theft.16 More than 9.3 million individuals were victimized in the United States in 2004.17

Identity theft is not only widespread, but it is costly. Individuals use unlawfully obtained personal information to purchase goods and services or to obtain new mortgages, lines of credit, or additional credit cards. A criminal may use a stolen identity to commit employment fraud or to escape criminal prosecution.

60.6.3 Insurance for Consumers.

Consumers in the United States are well protected from the direct financial loss that can result from identity theft. If unauthorized credit card charges and electronic banking transactions are reported promptly, an individual has little financial liability. Still, individuals whose identities are stolen must undertake a time-consuming and often costly process to restore their names and credit. It can take six months to detect identity theft and up to 600 hours to recover from the crime.18 In some cases, individuals must pay to dispute fraudulent debts and accounts opened by an identity thief.

Insurance can help individuals alleviate the costs associated with the compromise of their personal information and identity theft. This insurance is geared primarily to mitigate the costs of recovering from such incidents and to ease the recovery process. A typical policy might provide:

  • Expense reimbursement, encompassing numerous fees and expenses required to recover from identity theft
  • Income protection, which pays wages lost as a result of time off from work required to recover from identity theft
  • Identity restoration services, including the services of a personal case manager to handle identity recovery work on the victim's behalf
  • Loss prevention and mitigation services, such as access to a customer service center to assist in preventing identity theft and credit monitoring to promote early detection of problems

Many financial institutions, associations, employers, and service providers make this type of insurance available to customers, members, and employees.19 Identity theft insurance may also be available to consumers in conjunction with homeowners' or business owners' policies.

60.7 CONCLUDING REMARKS.

The significant exposures resulting from intellectual property and privacy breaches that companies and individuals face today have become serious boardroom concerns. To mitigate these exposures, a comprehensive insurance program should be a critical component of the risk management strategies put in place. Although insurance for information systems exposures was once considered novel and limited in scope, it has quickly evolved, and new products in the marketplace offer broad and effective protection.

60.8 FURTHER READING

Dionne, G. Handbook of Insurance, vol. 22. Huebner International Series on Risk, Insurance and Economic Security. Dordrecht, The Netherlands: Kluwer Academic Publishers, 2000.

Ostrager, B. R., and T. R. Newman. Handbook on Insurance Coverage Disputes, 9th ed. New York: Aspen Law & Business, 1998.

Sutcliffe, G. S. E-Commerce Insurance and Risk Management, 2nd ed. Gainesville, GA: Shelby Publishing, 2001.

60.9 NOTES

1. Norma L. Nielson, “Insurance.” Microsoft® Encarta® 2008 [DVD]. Redmond, WA: Microsoft Corporation, 2007.

2. 820 F. Supp. 489 (N.D. Cal. 1993).

3. Seagate Technology, Inc. v. St. Paul Fire & Marine Ins. Co., 11 F. Supp. 2d 1150 (N.D. Cal. 1998).

4. Rockford Pharmacy, Inc. v. Digital Simplistic, Inc., 53 F. 3d 195 (8th Cir. 1995).

5. D. Ariz. 2000.

6. Zombies are computers that have been taken over by an attacker and used to transmit large volumes of traffic. See Chapters 18, 20, 30, and 41 in this Handbook.

7. R. Lemos, “MasterCard Warns of Massive Credit-Card Breach,” SecurityFocus, June 17, 2005, www.securityfocus.com/news/11219.

8. J. Evers, “MasterCard Data Breach: Lawsuit Demands Damages,” Silicon.com, July 7, 2005, http://software.silicon.com/security/0,39024655,39150141,00.htm.

9. Federal Trade Commission, “CardSystems Solutions Settles FTC Charges,” February 23, 2006, www.ftc.gov/opa/2006/02/cardsystems_r.shtm.

10. T. Lewis, “TJX Sued for Loss of Consumer Data,” ConsumerAffairs.com, January 29, 2007, www.consumeraffairs.com/news04/2007/01/tjx_folo.html.

11. R. Lemos, “New England Bankers Sue TJX for Breach,” SecurityFocus, April 26, 2007, www.securityfocus.com/brief/490.

12. J. Evers, “Revealed: World's Largest Security Breach,” Silicon.com, March 30, 2007, www.silicon.com/retailandleisure/0,3800011842,39166613,00.htm.

13. United States District Court for the District of Massachusetts, “The TJX Companies, Inc. and Fifth Third Bancorp.,” Case No. 07-10162, 2008, www.tjxsettlement.com/.

14. Federal Trade Commission, “ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress: At Least 800 Cases of Identity Theft Arose From Company's Data Breach,” 2006, www.ftc.gov/opa/2006/01/choicepoint.shtm.

15. Library of Congress THOMAS system for tracking legislation: http://thomas.loc.gov/.

16. K. Gilpin, “Identity Theft affects Millions, Survey Shows,” New York Times, September 3, 2003.

17. M. T. Van Dyke, ed., “2005 Identity Fraud Report,” Javelin Strategy & Research (January 2005).

18. L. Foley and J. Foley, “Identity Theft: The Aftermath 2003,” Identity Theft Resource Center (September 2003).

19. M. E. Kabay, “Defending against Identity Theft: LifeLock.” Network World Security Strategies, March 4, 2008, www.networkworld.com/newsletters/sec/2008/0303sec1.html, and “Defending against Identity Theft: Identity Guard.” Network World Security Strategies, March 6, 2008, www.networkworld.com/newsletters/sec/2008/0303sec2.html.
