You're reading riskVue.

THE WEBZINE FOR RISK MANAGEMENT PROFESSIONALS



New Technologies Create New Risks:
Traditional CGL Policies May Not Cover Internet Attacks On Your Business

By Andrew M. Hansell, Lindquist & Vennum PLLP

Recent years have seen a virtual explosion of Internet use in the business world. Internet commerce is no longer exclusively used by dot.com companies. Traditional brick and mortar businesses have responded with initiatives to allow customers to access accounts, execute transactions and communicate over the Internet. Even if a business does not complete transactions over the Internet, the connection of its computers to the World Wide Web through e-mail alone may give hackers and viruses a window of opportunity to cause damage. The widespread use of the Internet has created new risks that might not be covered under traditional commercial general liability (CGL) insurance policies. Traditional CGL policies are often triggered only by physical damage to property or individuals and specifically enumerated torts. Because attacks on computer systems often result in no physical damage and are not among the listed torts, a CGL policy may not offer protection for these risks. These new realms of electronic risks may require your business to obtain new insurance coverage.

New Risks In Cyberspace

The rise of the Internet as a tool in the business world has created new risks. Chief among these are attacks by hackers and viruses on business computer systems. Examples of these attacks include so-called denial of service (DoS) attacks, e-mail worms, and unauthorized access to information. These attacks can result in anything from the loss of access to the business’s computer system by consumers or employees to the theft or destruction of proprietary and customer information. The consequences of these attacks can be broken into two distinct categories: first-party losses to the business itself and potential liability to third parties.

Examples of potential first-party losses include damages resulting from the business’s Web site or computer system being disrupted or shut down. As a direct consequence of this damage, businesses may lose sale transactions and incur other costs from employee and business downtime.

Third-party liability may include actions against a business as a result of the unauthorized access or theft of customers’ or clients’ personal or proprietary information. In addition to traditional tort actions, concerns over data privacy have resulted in a number of specific laws creating causes of action against a party who discloses private information without authorization.1

While these types of claims would likely be covered under a traditional CGL policy if they occurred in the physical world, these claims might not be covered when they occur in the non-tangible world of cyberspace.

Cyberspace Claims May Not Trigger Traditional CGL Policies

A standard CGL policy defines “property damage” as “physical injury to tangible property including the resulting loss of use of that property.” However, the corruption or theft of computer data by viruses or hackers seldom causes any actual physical damage to the computer or data storage device. Additionally, courts are split on whether computer data can be considered “tangible” for purposes of a CGL policy.

Court decisions regarding whether computer data is covered by a CGL policy as “tangible property” are far from uniform. For example, in Minnesota, an appellate court concluded that computer data was covered “tangible property” where the tape containing the data was physically lost.2 A year later, the same court concluded that confidential data was not “tangible property” because the information itself was not tangible and therefore was not covered under a CGL policy.3 In fact, courts across the country have reached differing conclusions whether data stored on a computer can be considered tangible property.4

Similarly, liability actions against a business based on the theft of computer data might also not be covered by a CGL policy. The theft of personal data is not a physical injury to the third party. Standard CGL policies do provide coverage for “violation of the right of privacy” as a personal injury. However, the theft of confidential data likely does not fall into any of the traditional causes of action for invasion of privacy.5

At the very least, court decisions demonstrate uncertainty about whether a traditional CGL policy will provide coverage for damages incurred as a result of cyberspace attacks. Additionally, in response to these court cases and to policyholders who seek coverage for cyberspace claims under CGL policies, insurers have begun to specifically exclude such risks in the terms of their policies. As a result, businesses should consider whether they should acquire computer-specific policies to insure against these risks.

New Products Offer Coverage—Cyber-Risk Policies

In response to the risks presented by businesses operating on the Internet, some insurers now offer endorsements to their CGL policies that are designed to specifically cover these so-called “cyber-risks.” Some insurers have also created completely separate policies to cover these risks.

Uncertainty exists in the underwriting of these new cyber-risk policies because insurers lack sufficient actuarial information or loss histories. As a result, there is little uniformity in the type or terms of coverage in these policies and the coverage offered is often limited in scope. Some common limitations on cyber-risk policies include:

  • “Claims made” coverage—Most cyber-risk policies are offered on a “claims made” basis rather than an “occurrence” basis. The coverage will apply only to claims made against the insured during the term of the policy. The policy will not cover claims made against the insured after the term of the policy, even if the incident occurred during the policy’s term.

  • Limited to either first-party or third-party coverage—Many cyber-risk policies will cover either direct losses of the insured (such as business interruption and loss of use damages) or liabilities to a third-party (such as claims for stolen customer information), but not both.

  • Insiders’ Exclusion - Most cyber-risk policies will contain a provision excluding losses caused as a result of dishonest acts of an employee of the insured.

As part of the underwriting process, most cyber-risk policies require the inspection and approval of the covered computer system by a technical expert. An independent expert often conducts this inspection. The policy may also require a continuing periodic inspection and certification of the insured’s system to assure adequate security measures are continually updated as a condition of coverage.

Businesses should bear in mind that the interpretation of the new cyber-risk policies by the courts remains an open question. Because cyber-risk policies contain many new terms and cover areas that have not been previously addressed in insurance policies, the interpretation of these terms and coverages by a court is not well settled. Accordingly, the actual scope of coverage afforded under these policies is not well defined.

The widespread use of the Internet in business has opened the door to new opportunities and new risks in the non-physical world of cyberspace. Businesses must be aware of these evolving and emerging risks and adapt accordingly. Given the increasing use of the Internet by businesses, it seems likely that cyber-risk coverage will become part of any business’s risk management plan.

Notes
1 Examples of laws creating causes of action for individuals based on the disclosure of information include: portions of the Gramm-Leach-Bliley Act (GLBA) (regulating financial institutions); the Health Insurance Portability and Accountability Act (HIPAA) (regulating health care providers); and the Children’s Online Privacy Protection Act (COPPA) (regulating the collection of data from children).
2 See Retail Systems, Inc. v. CNA Ins. Cos., 469 N.W.2d 735 (Minn. Ct. App. 1991).
3 See St. Paul Fire & Marine Ins. Co. v. Nat’l Computer Sys., Inc., 490 N.W.2d 626 (Minn. Ct. App. 1992).
4 See America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 466 (E.D. Va. 2002) (collecting cases).
5 The tort of invasion of privacy includes four general categories: (1) intentional intrusion into the private affairs of another; (2) appropriation of the name or likeness of another for commercial use; (3) publicizing of private facts; and (4) publicity of another in a “false light.”

ABOUT THE AUTHOR

Andrew M. Hansell advises clients on commercial litigation, products liability, public law and insurance coverage. He can be contacted at 612-371-3204; ahansell@lindquist.com.

This article is only a general summary for informational purposes and does not constitute legal advice. Consult a qualified and experienced insurance advisor for your specific situation or particular questions.

riskVue | The webzine for risk management professionals
March 2004





Copyright ©1999–2008 by Warren, McVeigh & Griffin, Inc.
ISSN 1553-8826
