Module_10

MODULE 10: INSURANCE AND THE INTERNET

10.1 THE GROWING NEED FOR INTERNET LIABILITY INSURANCE

The need is steadily growing for an insurance policy catering for losses arising from commerce
conducted over the Internet. Such a policy should ideally protect against several problems:
losses arising from unauthorised access and use of computers; liability for business interruption;
losses arising from such use or from computer virus transmission; or theft or disclosure of
confidential information such as customer lists, business strategies and competitive
information.

Consider just a few facts and figures: 1999 saw a 183 per cent increase in the number of
computer attacks. In a 1999 survey by Information Security magazine, 53 per cent of
respondents rated information security at their company as ‘average’ or ‘below average’. Nearly
50 per cent reported an increase in unauthorised access by outsiders.

Meanwhile, Internet commerce is growing rapidly. CISCO Systems estimate that there will be
some 200 million Internet users by the end of the year 2002 generating e-business revenue of
US$ 1 trillion. Online shopping revenue is projected to top US$ 7 billion. Ninety per cent of all e-
commerce is transacted by just ten per cent of the world’s e-commerce companies. However,
just as the growth of the Internet is unprecedented so are the associated risks.

Third party liability is one such area of exposure. Disclosure of a third party’s confidential
information, ‘accidental’ transmission of a computer virus, or a web site containing a
defamatory statement or which breaches copyright or infringes a trademark are all scenarios
which can lead to a claim.

The main risk for companies, however; is the loss of information assets – assets which are by
their nature intangible, e.g. the loss of customer lists, business strategies or competitive
analyses to a non-employee or competitor who has hacked into the company’s system. What
protection exists for these losses?

10.2 TRADITIONAL INSURANCE: A RE-EXAMINATION OF BASIC PRINCIPLES

Conventional policies only cover losses of tangible property due to physical events such as fire,
weather hazards or burglary. They do not cover the intangible assets described above. Similarly,
computer crime policies, with a ‘computer fraud’ extension, cover only the actual cost of a
stolen floppy disk and not the information contained on it.

Similar problems arise with other traditional types of insurance. Business interruption policies
cover only lost revenue caused by a specific event of physical damage to property.
Comprehensive general liability insurance applies only losses arising out of bodily injury or
tangible property damage. ‘Cyber-liabilities’ fall into neither category.

True, E & O insurance may cover liability for negligently rendered professional services, whether
on or off the web. However, policies without specific reference to Internet activities may not
extend to them. A ‘cut and paste’ approach to developing a policy designed to respond to these

scenarios is unlikely to yield the desired result. The solution is to seek a bespoke policy. A ‘wish
list’ of requirements for such a policy will entail a number of considerations.

10.3 ESSENTIAL COVERAGE

A policy should specifically address risks associated with failures of networks or computer
security systems. It should also protect against losses from at least three things: computer
attacks from unauthorised users; accidental or deliberate transmission of a computer virus to
others; and disclosure of confidential client information (e.g. medical, credit card, etc).

Seven basic areas of coverage are required to address these concerns. These are as follows:

1. Liability. Cover should include so-called ‘denial of service’ claims – where a computer
system has been deliberately shut down or subjected to ‘flooding attacks’, where many
or very large computers are used to flood a target system with an overwhelming level of
traffic. Users who are then denied can sue for ‘denial of service’. Cover should also
protect against losses arising from virus transmission and disclosure of personal and
confidential information.

2. Media liabilities. Web pages potentially invade privacy or contain defamatory
statements or items in breach of copyright or an infringement of trademark. The
potential audience is vast; so is the risk.

3. Property. The assets of the future are not chairs, tables or ‘bricks and mortar’. They
include accounts, customer lists, supplier and competitor information, and trade secrets.
The loss of such assets should be covered, whether due to theft, destruction or other
perils. In the case of trade secrets, potential insureds would need to supply insurers with
a significant amount of information to enable a fixed insured sum to be calculated. In
many cases this will be difficult. For instance, how to determine the value of the formula
of Coca-Cola for example?

4. Business interruption. Cover should not be limited to a computer attack on the insured
company. It should ideally extend to loss of e-revenue due to business interruption of
another company, the so-called ‘dependent business interruption’. Ideally, a policy
should also cover extended business interruption which provides the insured with a
valuable period of recovery.

5. Cyber-extortion. The threat of a computer attack may itself result in loss. A policy should
provide access to special resources to help an insured manage or minimise such losses.
If, for example, there is a ransom demand, insurers might contemplate reimbursing the
insured for the cost of the ransom. Such payment could save the insured and the insurer
the cost of losses arising from an actual attack.

6. Criminal rewards. A reward fund for information leading to the arrest and conviction of
a ‘cyber-criminal’ may have a deterrent effect. Not every hacker is a hardened criminal:
many may be doing it simply for egoistical reasons.

7. Crisis management. An e-business crisis may cause catastrophic public relations
problems. For example, news of theft of an insured’s client’s credit card numbers may
severely damage consumer confidence. Access to an appropriate public relations and
crisis management consultancy may help to control such damage. Insurance cover
should extend to the fees of such agents.

10.4 DEFINING KEY POLICY TERMS

As with any insurance policy, terms and conditions must be carefully defined. For example, if
losses triggered by a security failure are to be covered, the term ‘security failure’ must be made
clear. The definition should be made expansive, including inside as well as outside attacks; acts
whether motivated by profit or mere bravado and adventurism; attacks both malicious and non-
intentional, specific or random. There should be no distinction between failure involving
software, hardware or firmware: all should be addressed under the policy.

Losses may arise not simply from liability claims, but from threats, demands for money or
services. The term ‘claim’ requires broad definition. By definition, the World Wide Web has no
border. Any policy insuring the security of Internet transactions must obviously reflect this by
applying world-wide. In some jurisdictions, punitive damages can result. The definition of ‘loss’
should be scrutinised to see if such damages are covered.

The policy will need to make clear what is intended to be included in the term ‘information
assets’, so that the insurer knows what trade secrets are being underwritten, and in what sum.

Attention will be required to exclusion clauses. In addition to the usual exclusion in most
insurance policies, liabilities from the purchase or sale of securities or investment-related
liabilities should be kept out of the policy. Similarly, events of highest severity, such as an attack
on the entire Internet infrastructure itself (which would potentially trigger every insurance
policy written by the insurer) should be limited.

10.5 LOSS PREVENTION: ANALYSING SOLUTIONS

Can such an insurance play a role in loss prevention? There seems to be no reason why not.
Ideally, an insurer offering such an innovative cover will align itself with the ‘best-of-breed’
technology firms equipped to provide security assessments and products and services to
minimise risk. The policy should require every insured to have a security assessment conducted
by an approved technology firm. Added service could be provided by the policy granting special
access to many top-of-the-range products the technology firm offers, such as firewalls or a
public key infrastructure technology. An additional service might be provision of access to a law
firm or lawyer to assist in evaluating an insured’s information assets or trade secrets.

Policies including terms as described above are already being drafted. In the near future,
insurers will need to address the next generation risks, so-called ‘transaction risks’ concerning
quality of goods purchased, a purchase as credit risk, credit card fraud and delivery of goods.
The message is clear: just as insurers create solutions for today, it is important not to lose sight
of tomorrow.

10.6 PROPERTY AND BUSINESS INTERRUPTION COVERAGE

Like physical assets such as buildings or vehicles, a website is subject to damage from natural
disasters, accidents, human error, or international misconduct. It can be rendered inoperable
due to failure of the internet service provider (ISP), programming mistakes, or the failure of
‘back office’ systems. Malicious misconduct by third parties (e.g. hacker) also may disable a site.

10.7 PROPERTY COVERAGE ISSUES

When business assets are damaged, companies typically look to their property insurance
policies. The standard form commercial property policy published by the Insurance Services
Office (ISO) provides coverage for direct physical loss of, or damage to, covered property if the
damage is caused by a covered cause of loss. Under the ISO form, an insured can select three
different causes of loss options: the basic form, which includes loss due to fire, gale, and
vandalism; a broad form, which includes damage from several additional causes; and a special
form, which covers all risks of direct physical loss, subject only to enumerated exclusions.

Property coverage is often linked to business interruption coverage. Business interruption
coverage typically provides that the policy will pay for ‘actual loss of business income… due to
the necessary suspension of your “operations” during the “period of restoration”’. However, like
the property policy to which it relates, business interruption coverage applies only if the
suspension of operations is caused by direct physical loss of, or damage to, property, and the
loss must be caused by a covered cause of loss as defined in the policy.

10.8 PHYSICAL LOSS OR DAMAGE

A company seeking coverage for damage to a website or for loss of revenue while the site is
down will face several significant hurdles to recovery. First, the insured must show that the loss
resulted from direct physical loss of or damage to covered property. Insures will argue that loss
arising from impaired online functionality does not constitute physical loss or damage.

There are few cases discussing the application of property and business interruption coverage to
computer system failures, let alone to the internet. Additional judicial guidance however, may
be on the horizon. As evidenced by the US District Court’s decision in American Guarantee &
Liability Ins Co v Ingram Micro, Inc, property coverage issues arising from computer
malfunctions are beginning to make their way through the court system. Judicial
pronouncements involving internet-related malfunctions cannot be far behind.

In Ingram Micro, parts of the insured’s computer system were rendered inoperable for up to
eight hours by a power outage that caused a loss of certain programming information and a
malfunction in a critical matrix switch. The computers were part of a worldwide network that
tracked the insured’s customers, products, and daily transactions.

The cause of the power outage was a ground fault in the fire alarm panel on the insured’s
premises.

The insurer admitted that the insured’s computers and matrix switch did not function as they
had before the power outage, and that certain data entry and reconfiguration processes were
necessary to make the system operate as before. Nevertheless, the insurer argued that the
computer and matrix switch were not physically damaged because their capability to perform
their intended functions remained intact. The District Court had a different view:

‘At a time when computer technology dominates our professional as well as personal lives, the
Court must side with [the insured’s] broader definition of “physical damage”. The Court finds
that “physical damage” is not restricted to the physical destruction or harm of computer
circuitry but includes loss of access, loss of use, and loss of functionality.’

Because the Ingram Micro decision has not been approved by the District Court for official
publication, its value as legal precedent is open to debate. What is not open to debate is the
likelihood that courts will increasingly be asked to determine whether property damage
includes events that take place in whole or in part in cyberspace.

Because the function of a website is to exchange information in electronic form, judicial
precedents that might provide some guidance are those involving data or trade secrets that are
lost due to accident or misappropriation. So far, those cases have not favoured a finding of
coverage under conventional property insurance policies.

In one relatively recent case, a telephone company was denied coverage for charges incurred as
a result of the theft of mobile phone authorisation codes.

The court reasoned that the codes themselves were intangible property, and the company’s
claim primarily focused on recouping purely economic loss resulting from the theft rather than
on receiving compensation for traditional property damage. Other cases concerning stolen
trade secrets have denied coverage for the same reason.

Courts are also forced to confront the meaning of ‘property damage’ in applying the so-called
‘economic loss’ rule, which provides that the buyer of a defective product that causes economic
loss without personal injury or property damage must rely on contractual remedies rather than
product liability or negligence theories. Courts applying this rule have held that a computer
failure that causes system down time or loss of data without physical damage to other property
supports only a warranty claim against the seller.

Policyholders whose physical plant or equipment, including computer system, is rendered
unusable due to website failure can analogise their situation to that of a property owner whose
building is rendered uninhabitable as a result of environmental factors that leave the structure
itself untouched. Property owners have obtained coverage on these grounds in several cases.

The bottom line is that insured suffering website disruption or damage should expect resistance
in pursuing recovery under conventional property policies.

10.9 COVERED CAUSE OF LOSS

To recover under a conventional property policy, an insured must also trace its loss to a covered
cause of loss in the basic, broad, or special form. The list of enumerated perils under the basic or
broad ‘cause of loss’ form does not appear to include ISP failure, programming errors, or other
human errors.

Hence, the requirement that the loss be due to an enumerated cause of loss is a significant
restriction.

The inclusion of vandalism in the list of covered cause of loss may provide coverage where injury
is due to the malicious conduct of hackers. However, because the vandalism cause of loss
excludes loss due to theft, its use where information is simply stolen is limited.

Moreover, combinations of a covered loss with an excluded cause of loss can result in a denial
of coverage. In one case, an insured’s computer went down when power was lost due to a
substation fire. Although fire was a covered cause of loss, power outage was specifically
excluded; as a result, coverage was denied. The court also noted that the fire and power outage
caused no physical damage to the insured’s computer, other than rendering it inoperable for a
period of time.

Insured’s who have the special cause of loss from need not trace their loss to a listed cause but
must still show that it arose from something that caused a ‘risk of direct physical loss’. Negligent
actions by an ISP or programmer likely to result only in service interruption may not be
sufficient. Moreover, dishonest acts by one’s own employees are excluded even under this
coverage.

10.10 LIMITATIONS ON RECOVERY FOR HARM TO BUSINESS RECORDS

In the standard ISO form, coverage is specifically provided for costs necessary to research,
replace, and/or restore the information on valuable papers and records, including those that
exist on electronic or magnetic media. However, such coverage is often subject to severe dollar
limitations. The ISO form suggests that it be limited to $2,500 per location. What counts as a
location on the internet, however, is sure to be a source of dispute.

‘Suspension of operations’ for business interruption coverage

Business interruption policies vary regarding how long operations must be ‘suspended’ before
coverage is triggered. One policy may provide coverage for a partial or complete suspension,
but another may cover only a substantial suspension. This variability is significant for website
failures. Shutdown of a site may result only in partial disruption of a business that uses multiple
distribution channels (e.g. both e-commerce and mail order catalogues). This could fail to trigger
coverage.

10.11 LIABILITY COVERAGE

An online presence can result in liability claims by third parties. The claims will vary according to
the function of the website or other online activity. Sites that only provide information may face
claims arising from the content posted on the site, including copyright and trademark
infringement and defamation. This risk is increased for sites that post content provided by third
parties.

Sites providing ‘advice’ face potential claims based on negligence where erroneous information
posted on the site causes injury to those who rely upon it. Such liability is an increasing concern
to companies seeking to provide online individualised advice and information to users in

responding to more specific enquiries. Examples include sites offering medical or financial
advice or recommending health products.

A website could malfunction and deprive a third party of goods or services the party expected to
receive. Online business-to-business (B2B) exchanges will someday dominate the landscape,
leaving suppliers, manufacturers, and other business parties increasingly vulnerable to online
delays and disruptions.

The manner in which a company uses the internet may also give rise to previously unforeseen
liability. It is now common practice to gather and use personal information about site visitors,
including financial data obtained in the course of transactions; personal preference information
based on online behaviour; and information related to health, medical condition, sexual
orientation, and other personal matters. Because of the proliferation of laws regulating how
personal information can be gathered and distributed, misuse of such data, accidentally or
through the misconduct of employees or third parties, is one of the fastest growing areas of
online liability exposure. Even common law can be used to impose liability on companies that
misuse the internet.

Companies conforming such liabilities are likely to seek coverage under conventional insurance
products, such as comprehensive general liability (CGL) or errors and omissions (E & O) policies
that make up the large part of protection under most corporate insurance programmes.

10.12 CGL COVERAGE ISSUES

Commercial general liability policies typically include two coverage parts that are relevant to
internet liability. Part A covers amounts the insured becomes legally obligated to pay as
damages because of bodily injury or property damage occurring to third parties during the
policy period CGL policies also generally require the insurer to defend the insured if potentially
covered claims are brought against it. Because this is third-party coverage, Part A excludes
coverage for damage to the insured’s own property. Separate exclusions also apply for damage
to an insured’s ‘product’ or ‘work’. These exclusions are intended to deny coverage for breach
of warranty claims that also do not cause separate injury to third-party property.

Part B provides coverage for sums that the insured becomes legally obligated to pay because of
personal and advertising injury caused by an offence arising out of the insured’s business.
‘Personal and advertising injury’ is defined to include libel and slander (oral or written); invasion
of privacy; use of another’s advertising idea in an advertisement; and infringement of another’s
copyright, trade dress, or slogan in an advertisement.

10.13 PROPERTY DAMAGE TO THIRD PARTIES

Where third parties have suffered property damage or bodily injury, coverage may fall under
Part A of a CGL policy. Where such injury occurs, the phrase ‘property damage’ in Part A raises
questions similar to those discussed above in connection with first-party property policies.

Again, harm to data or electronically stored information alone may not be enough to trigger
coverage. CGL policy forms traditionally define property damage only as ‘physical injury to

tangible property’ and ‘loss of use of tangible property’. This language is similar, but not
identical, to the ‘direct physical loss or damage’ language of first-party property policies.

Courts have held that purely economic losses that are not related to physical harm are not
compensable under a CGL policy. They have divided on whether the loss of electronic data not
linked to physical injury constitutes such damage under the CGL policy.

Courts have indicated that the mere loss of data alone does not involve the loss of tangible
property. One court held that the incorporation of allegedly defective disk drives into personal
computers did not cause physical damage to tangible property of others and was not ‘property
damage’ under an umbrella liability policy. This meant that the insurer had no duty to defend a
lawsuit by the computer manufacturer against the maker of the drives. However, another
appellate court required the insurer to provide a defence under a CGL, policy where the only
loss was to information stored in computer files. Another court held that loss of a computer
tape that held the only copy of certain valuable data was a physical loss to tangible property. In
an arguably analogous context, loss of intellectual property such as trade secrets or engineering
designs has been held not to constitute damage to tangible property under the CGL form.

Recently, a revised commercial general liability form was approved for use in most states (the
‘Revised CGL Form’). It includes revisions specifically intended to address coverage for computer
or cyber risks. For Part A, the Revised CGL Form specifies that electronic data is not tangible
property. In turn, ‘electronic data’ is defined as ‘information, facts or programs stored as or on,
created or used on, or transmitted to or from computer software…or any other media which are
used with electronically controlled equipment’. These revisions appear designed to remove any
doubt that mere loss of data is not ‘property damage’ under the Revised CGL Form.

Given these uncertainties, insureds have every incentive to look for evidence of tangible
physical injury wherever they can find it, in the form of scratches on a disk caused by a head slap
event, or even physical changes at the subatomic level involved in the transfer of data to
magnetic media.

Insureds may argue that events that disable a website and consequently render a computer
system unusable for some period of time, without causing physical damage, may still constitute
property damage ( at least under coverage forms other than the Revised CGL Form) because
they cause loss of use of tangible property. In light of inconsistent precedents, it is apparent that
claims based on damage to website, or website down time, will be contested by many insurers
under CGL policies.

10.14 PERSONAL AND ADVERTISING INJURY

Claims arising from content posted on a website are most likely to be covered, if a at all, under
Part B of a CGL policy rather than Part A. The definition of ‘personal and advertising injury’ in
Part B specifically includes several of the content-related claims likely to be asserted online, such
as libel and product disparagement, violation of the right to privacy, use of another’s advertising
idea in an advertisement, and infringement of another’s copyright, trade dress, or slogan in an
advertisement.

Moreover, changes to Part B of the Revised CGL Form make clear that persona and advertising
injury in the form of libel, slander, or invasion of privacy can occur through publication‘ in any
manner’, including presumably the internet. They also make clear that for the purposes of
advertising injury coverage (e.g. infringement of another’s copyright, trade dress or slogan in an
advertisement), the term ‘advertisement’ can include ‘material placed on the internet or on
similar electronic means of communication’, but for websites, ‘only that part of a website that is
about [the insured’s] goods, products or services for the purposes of attracting customers or
supporters [will be] considered an advertisement’.

There are several important coverage limitations in Part B, however, that may affect online
activities. The Revised CGL Form, for example, specifies that all personal and advertising injury
arising out of the infringement of copyright, patent, trademark, or other intellectual property
rights is excluded, except for infringement of copyright, trade dress, or slogans in the business’s
advertisement. Although some web pages are nothing more than electronic advertisements,
other are the delivery vehicle for the company’s product itself. It can often be difficult to
determine what part, if any, of a company’s website constitutes advertising sufficient to trigger
coverage for infringement of copyright, trade dress, or slogan.

The traditional CGL form excludes advertising injury coverage for acts committed by an insured
whose business is advertising, broadcasting, publishing, or telecasting. Under the traditional
form, therefore, a question arises as to whether a site’s sponsor crosses the line to ‘publishing’
when the site generates revenue through agreements with advertisements; the content
consists of news or entertainment; or the site serves as an open forum for the exchange of
views, like the ‘letters to the editor’ page of a newspaper. Insurers may take the position that
companies in online pursuits analogous to advertising, publishing, broadcasting, or telecasting
should purchaser the separate media coverage limitations in Part B apply specifically to certain
types of online operations. For example, the Revised CGL Form states that there is no coverage
in Part B for personal and advertisement injury suffered by an insured whose business is
designing or determining the content of websites for other, or an internet search access,
content, or service provider. Personal and advertising injury arising out of an electronic chat
room or bulleting board the insured hosts, owns, or exercises control over is also excluded
under the Revised CGL Form.

Finally, the Revised CGL Form excludes personal and advertising injury arising out of the
unathorised use of another’s name or product in the insured’s e-mail address, domain name, or
metatag, or any other similar tactics designed to mislead another’s potential customers. This
new exclusion appears to have been prompted by recent cases holding that the diversion of
web traffic by using another’s trademark in a metatag (non-visible text on a website) constitutes
trademark infringement.

10.15 INVASION OF PRIVACY COVERAGE

Both the standard and Revised CGL forms provide coverage for injury caused by oral or written
publication of material that violates a person’s right of privacy. As online marketers seek more
detailed data about consumers’ internet use habits and share or sell that information, there are
likely to be claims that the dissemination of such information constitutes a privacy violation.

The CGL policy covers invasions of privacy only through oral or written ‘publication’ of material.
Typically, use of personal data online does not disseminate it broadly (‘publish’ it) but instead
gathers it, aggregates it with the personal data of others, and reuses or resells the data for
targeted marketing. Coverage limited to publishing as the source of injury may not be relevant
to internet practice. Nor will the CGL policy cover violations of privacy rights caused by or at the
directions of the insured with the knowledge that the act would violate the rights of another.

10.16 GEOGRAPHICAL SCOPE OF CGL POLICIES

The standard CGL form limits coverage to the geographical territory specified in the policy,
usually the United States and its territories and possessions, Puerto Rico, and Canada. Because a
website can be accessed from anywhere in the world, a business may lack coverage for claims
arising from personal or advertising injury offences that arguably take place outside the covered
territory. Indeed, StatMarket reports that in June 1999, 44 per cent of US web traffic came from
foreign sources. The potential for extraterritorial claims based on website activities is real.

Courts will have to determine precisely where a claimed injury or offence occurred when the
injured party is outside the covered territory but the defendant is in the United States. As with
procedural issues such as personal jurisdiction, choice of law, and forum non conveniens,
litigation based on web use will address novel issues arising out of the borderless medium of
cyberspace.

The geographical scope of coverage is clarified to a large extent under the Revised CGL Form. It
expands the policy’s coverage territory to include ‘the world’ if the injury or damage arises out
of personal and advertising injury offences that take place through the internet or similar
electronic means of communication.

10.17 E & O COVERAGE ISSUES

E & O policies generally provide coverage for negligent acts, errors, and omission occurring
during the performance of a service. E & O policies vary in the scope of coverage provided, and
there is no standardised form for E & O policies. In addition to traditional medical and legal
malpractice policies, E & O products provide coverage for technology professionals such as
software and website developers and internet access providers.

It is worth nothing that CGL policies may contain exclusion for claims arising from the provision
of ‘professional services’. Thus, if a website offers advice or other consideration that arguably
constitutes the provision of professional services, a CGL carrier may tell the policyholder to look
to its E & O policy, if it has one.

The economic promise of the internet is accompanied by many uncertainties regarding the
scope of insurance coverage for cyber risks. As the internet matures, many of those coverage
questions will be resolved or rendered moot by the creation of new products and new policy
language. However, business utilising websites today cannot afford to assume that their
conventional insurance programmes will provide adequate coverage for their activities on the

internet. An evaluation of a company’s insurance coverage programme is a critical component
of any overall assessment of a company’s risk from internet activities.

10.18 IS THERE A PROBLEM FOR INSURERS AND POLICYHOLDERS?

Despite the recent trouble in the technology sector, now is the time to understand and prepare
for all the issues associated with internet risk and policyholders’ use of it – before the claims
start to come in. Why? Because regular people (policyholder) have adopted the technology as a
part of their experience at home. By looking at the numbers and the types of internet activity,
we will examine the personal liability or third party exposures brought about by having a
connected computer in the home, and the legal standards that may apply.

This article will examine, by assessing levels of interactivity and exposures, how many people
are on the internet, how they are using the technology and what the exposures are. Next, the
article will look at some examples of business and insured losses to illustrate how the exposures
to liability have already been created in the real world. There are additional issues to consider if
a policyholder operates a home business.

Finally, the article will line up the exposures with the current crop of coverage forms and
highlight areas that might be affected by claims for coverage.

10.19 LEVELS OF INTERACTIVITY AND EXPOSURE

The level of interactivity and the ways people use the internet are varied. In order to look at
the issues, it is necessary to look at households in a couple of ways. It is not the purpose of
this article to carry out an exhaustive analysis but merely to illustrate the most likely
situations one may find.

Households can be loosely broken into the following two groups:

1. Those with access to the internet through an online internet service provider (ISP). This
group uses the internet to connect with family and friends, to undertake research for
school or personal interests, to keep up to date with the latest financial and other news,
to participate in online communities of shared interests, or to carry out online shopping.

2. Those with both access and a website. These households may have personal websites or
may operate a home business website that advertises the home business or actually
allows for commerce through the site.

10.20 ACCESS STATISTICS

There are several million users on the internet. They subscribe through ISPs such as America
Online, Earthlink, Microsoft Network and Juno, to name but a few. Individuals at this level of
activity are said to have ‘access’ to the internet. According to the Nielson/Net Ratings (a
strategic partnership between Net Ratings, Nielson Media Research and AC Nielson, accessible
at www.nielson-netratings.com, at the end of July 2001 there were 165.2 million people with
internet access in the United States.

10.21 ACCESS EXPOSURES

‘Access online’ means that users have e-mail and web browsing or surfing capability. The
personal liability exposures to individuals or households with access to the internet through e-
mail or web surfing is:

• data damage to others from viruses or hacking;
• defamation from statements made in chat rooms or bulletin boards;
• infringement of copyright or trademark;
• violation of another’s right to privacy;
• vandalism or malicious mischief from defacing other websites;
• vicarious liability for the acts of children in the household.

10.22 PRESENCE STATISTICS

Some consumers are going a step further by obtaining a web address and building a website for
themselves – for personal and business reasons. Presence on the internet through the use of a
website introduces another set of exposures to individuals.

When a site is really for personal use, people often post pictures of family and friends onto it.
Teenagers in the house may create a site as a forum for posting their views on various topics,
such as schools, teachers and classmates. Home business sites may be little more than pictures
and/or information about the home business. Whether for personal or business use, presence
on the internet introduces different exposures than those generated by access alone.

10.23 PRESENCE EXPOSURES

Presence online has all the exposures of access, but now the focus is on what is posted on the
home website as opposed to what the user does via e-mail. Having a website carries all the
media errors and omissions exposures that one would encounter in publishing a newsletter
from home. Most homeowners do not publish traditional hard-copy newsletters, and so the
publishing exposure on a personal lines book or portfolio level has been quite small thus far.
With the availability of inexpensive software that enables people to create web pages, scanners
that allow the posting of photos, and the copy-and-paste functionality built into most software,
the scale and the ease of developing a website heightens the publishing exposure in a way
never seen before. One special note, the creation of a website ha special significance in the area
of usage by teenagers. The internet is a real magnet for teenagers. As you will surmise in the
coverage section, activity by teenagers on the internet is an emerging issue of sizeable
proportions.

Here are some examples of the personal liability exposures individuals or households face when
they have their own websites:

• data damage from viruses or hacking attacks by making available downloadable
software;

• defamation from statements made in content posted on the site;

• defamation from comments made on a bulletin board or chat room available from the
home site;

• copyright or trademark infringement (vicarious or direct) for any unauthorised content
posted on the site;

• violating the right of privacy by posting unauthorised picture or content on the site.

10.24 E-COMMERCE STATISTICS

A home business may move from internet access and presence to e-commerce in relatively
short order. E- commerce is defined as the sales of goods and services online. While there are
other levels of interactivity, they are not usually found in a home business situation. The
statistics in this area are more difficult to obtain. Those interested in the home business
segment may look at the latest statistics in a report of 7 March 2001 on e-commerce from the
Department of Commerce for e-commerce sales in 1999. The statistics reflect the growing
trends. While they did not survey every business, the Department did include in the survey
those industries that comprise 70 per cent of the economic activity in the United States as
measured in the 1997 Economic Census. The results by industry are set out in that survey.

10.25 E-COMMERCE EXPOSURES

Where there is a home business that is selling goods or services online, some fundamental
exposures arise. All of the exposures we see in access and presence exist in e-commerce, plus
the exposures relating to website downtime. The liability for fraudulent transaction or
disclosure of customer information, such as credit cards, is also an issue.

All in all, individuals and households with internet access, presence or e-commerce functionality
increase exposure to loss on both the homeowners and personal umbrella policies that may not
yet be contemplated in the underwriting process, policy language or rates.

10.26 INTERNET LOSSES

This section will look at several examples of how this new technology is creating risk – for
insurers and policyholders. Think about these losses in light of an insurer’s underwriting
processes and coverage forms. How would an insurance company handle these cases?

While not exhaustive, problematic situations for those people with access to the internet fall
into a few discrete areas:

• company disparagement;
• individual defamation;
• copyright and trademark infringement or fraud;
• security issues, i.e. hacking or virus attack.

10.27 OPINION IN CHAT ROOMS, MESSAGE OR BULLETIN BOARDS

Many people participate in chat rooms, message and bulletin boards. There are no good
statistics on the number of people participating in these activities, but one thing is certain –
stating your opinion is not risk free. Unlike comments made at the office water cooler, online
opinions can be downloaded and printed, circulated around the globe, forwarded to others and
potentially viewed by million. Thinking that anonymity on the internet is an unassailable right
can clash with the law of defamation, as we will see from the examples below.

10.28 WHAT IS COMPANY DISPARAGEMENT OR DEFAMATION?

Libel refers to the written publication of material, whereas slander is committed through the
spoken word. The right to free speech comes with an exposure to liability when the statement
tends to harm the reputation of another. The exposure to harm extends to companies as well as
individuals. Generally speaking, the liability for defamation is created when there is:

• a false or defamatory statement concerning another;
• an unprivileged publication to a third party;
• fault amounting at least to negligence on the part of the publisher;
• damage resulting from the defamation.

Readers should note, like most situations involving the common law, there will be state
variations on these general elements. There may even be instances under a particular state’s
law where the offending conduct constitutes defamation per se. A statement that is simply false
is not defamatory – it must rise to the level of being injurious to the reputation of another. A
defamatory statement may be based on fact or be in the form of an opinion. Without going into
the nuance of each of these elements, suffice it to say that as applied to the activities of users
on the internet, there are cases every day testing the meaning of each of the elements
enumerated above.

10.29 COVERAGE ISSUES – TEENAGERS AND THE INTERNET: A HYPOTHETICAL CASE

Teenagers are a fast-growing population likely to use the internet in ways parents in ways
parents and insurers have not yet contemplated. This presents both challenges and
opportunities. As such, it is an area ripe for risk management by insurers.

Let us look at the following hypothetical case:

A teenager creates a website …

1. He posts pictures of his classmates (without their knowledge or permission) and
makes disparaging remarks about some of the students whose pictures are on the
site.

2. He allows others in his class to post messages and these comments are highly critical
of teachers at the school.

3. There is a place on the site where he posts details about how to make a bomb and
suggestions on how to attack the school.

4. Finally, he has files which can be downloaded that contain unauthorised video and
audio files.

Who can sue whom for what? By examining the combination of policy forms and coverage
available, insurers, agents and policyholders are better able to evaluate what vulnerabilities
may exist in the coverage policyholders’ purchase today. Coverage forms vary by market
and geographical location, so a review of the forms used in your market is necessary for a
more accurate analysis.

As one can see, the expansion of the internet into policyholders’ homes brings with it new
and challenging issues. We think it is an area that should be on everyone’s collective radar
screen. Issues involving the education of insurers regarding exposures, market conditions,
and policyholder expectations will impact their decisions on these important lines of
business.

The internet’s lack of respect for national borders provides considerable scope for
international disputes. As such it emphasizes the importance of the rules for determining
the jurisdiction and law applicable to disputes within the European Community arising from
the ‘online’ sale of goods and service, including insurance products.

10.30 JURISDICTION

Currently, and until March 2002, the rules determining jurisdiction within the European
Union are governed by the Brussels Convention. The Convention applies to all EU Member
State and was implemented into English law by the Civil Jurisdiction and Judgements Act
1982. The Lugano Convention in similar terms applies to those countries that are part of the
European Free Trade Association.

The Convention is primarily concerned with the domicile of the defendant in any dispute.
Save in certain circumstances, therefore, issues of ascertaining precisely where someone is
trading, or precisely where a contract was formed (the source of much debate in relation to
the internet) are irrelevant to the question of jurisdiction. The issue of domicile itself is
patently not something that is affected by the electronic nature of internet trade. Article 2
of the Convention states that subject to provisions stipulating otherwise ‘persons domiciled
in a contracting state shall, whatever their nationality, be sued in the courts of that state’.
Therefore, unless otherwise provided (see Article 5 for exceptions for claims in contract and
tort), parties wishing to bring an action must issue proceedings in the country of the
defendant’s domicile. If the defendant is domiciled in a country that is not party to the
Brussels Convention, then Article 4 states that the claimant may determine may determine
the question of jurisdiction according to the law of its own state.

Articles 13-15 of the Convention deal specifically with consumer contracts and provide that
a consumer may choose to bring proceedings in either the courts of his own domicile or in
the courts of the other contracting party’s domicile. Conversely, the other contracting party
may only bring an action against a consumer in the state where the consumer is domiciled.
These rules were incorporated for reasons of consumer protection and to balance the
unequal bargaining powers prevalent in consumer contracts. They apply only when the

conclusion of the contract is preceded in the consumer’s state by advertising or by a specific
invitation addressed to him, and the customer takes steps in his own state to conclude the
contract.

Articles 7-12 contain specific provisions that govern all disputes arising from an insurance
contract. Article 8 states that the policyholder may either bring legal proceedings against an
insurer in his own state, in the state in which the insurer is domiciled, or in the state in
which the insurer has a relevant branch or agency. Conversely, by Article 11, an insurer may
only sue in the defendant’s state of domicile, irrespective of whether he is the policyholder,
insured, or beneficiary under the policy.

Jurisdiction agreements contained in the contract will not assist insurers, since they are
permitted (by Article 12) only in very limited circumstances, critically, when entered into
after a dispute has arisen. Any other jurisdiction agreement will not be binding.
Interestingly, however, it may be possible to obtain the forum of choice for a dispute if the
relevant policy were to include an arbitration clause, since the Convention states expressly
that it does not apply to arbitration.

The question arises whether the terms of the Convention are binding on persons domiciled
outside the European Union seeking to bring proceedings against persons within it. This
issue was considered in Group Josi Reinsurance Co SA v Universal General Insurance
Company (Case C-412/98). The European Court of Justice held that the Brussels (and
Lugano) Convention rules do apply to a contracting party that is not domiciled within an EU
Member State. The conventions are based on the principle that the defendant’s domicile
determines which country shall have jurisdiction over a dispute and that; therefore, the
claimant’s domicile is irrelevant for the purpose of applying the rules of jurisdiction.

10.31 BRUSSELS REGULATION

From 1 March 2002, the Brussels Convention is superseded by Council Regulation No
44/2001 of 22 December 2000 (the ‘Brussels Regulation’). The aim of the Brussels
Regulations is to increase uniformity between the Member States in their application of the
rules of jurisdiction contained in the Brussels Convention and, in addition, to take into
account new forms of commerce, particularly e-commerce, that did not exist when the
Convention was first drafted. Like the Convention, the Regulation emphasises the protection
of consumers.

Largely, the Regulation follows the regime of the Convention. There are, however, a number
of significant changes. One of these is that the Regulation introduces a test for the domicile
of companies and unincorporated businesses, which was previously left to the laws of the
individual Member State. Article 60 provides that the domicile of such entities will now be
either the ‘statutory seat’ (i.e. registered office), the place of central administration, or the
principal place of business.

In Article 5, another test is introduced for the place of enforcement of ‘the obligation in
question’ in matters of contract. For the sale of goods, it will be the place where the goods
were or should have been delivered. In the case of the provision of services, it will be the

place where, under the contract, the services were or should have been provided. This
definition can be displayed by specific agreement in the contract.

Jurisdiction in matters relating to insurance is dealt with in Articles 8-14. Article 9 now
provides that the policyholder, the insured person and the beneficiary may issue
proceedings against the insurer in their own state of domicile. Currently, under the
provisions of the Convention, this right is granted solely to the policyholder.

Articles 15-17 deal with consumer contracts.
Article 15 is potentially of particular interest to contracts formed over the interests as it sets
out the types of contracts in respect of which a consumer will be permitted to sue a supplier
in the consumer’s territory of domicile. The rules relating to jurisdiction over consumer
contracts will apply wherever ‘the contract has been concluded with a person who pursues
commercial or professional activities in the Member State of the consumer’s domicile or, by
any means, directs such activities to that Member State or to several States including that
Member State …’ This is a considerable dilution of the previous requirements of the
Convention (which require direct advertising/invitation) and potentially encompasses
contracts concluded over websites accessible in a Member State. This will depend, however,
upon how individual Member State interpret the phrase ‘direct such activities’.

Another acknowledgement to e-commerce appears in Article 23. This provides that
jurisdiction agreements (where permitted) must be evidenced in writing, but that
communication by electronic means which provides a durable record of the agreement shall
be equivalent to an agreement in writing.

10.32 GOVERNING LAW

Once the issue of jurisdiction has been determined, it is necessary to address which law
applies. Within the European Union, a harmonisation of conflict of law rules has been
achieved by way of the Second and Third Directives on a Long Term Insurance and the
Second and Third Non-Life Directives. These Directives have been implemented into English
law by Schedules 3 and 3A to the Insurance Companies Act 1982.

If the insured risk is located within the European Union, it is necessary to consider the type
of risk insured. For life assurance or long-term insurance, the Directives provide that the law
applicable to the contract of insurance is the law of the Member State of ‘the commitment’.
If the policyholder is an individual, the commitment is considered to be located in the
Member State where the individual has his habitual residence. If the policyholder is not an
individual, the commitment is considered to be located in the Member State where the
policyholder’s establishment to which the contract relates is situated.

In respect of general insurance, the Directives provide that the absence of express or
implied choice in the contract, it is governed by the law of the country with which it is most
closely connected, this being the Member State where the risk is situated. The risk is
situated where an individual policyholder is resident or where a business has its relevant
establishment.

10.33 ADDITIONAL CONSIDERATION

An insurance provider wishing to sell products over the internet in the European Union must
be aware not only of the jurisdiction and governing law issues applying, but also of the
forthcoming European legislation regulating the conduct of e-commerce. These include the
Electronic Commerce Directive (2000/31/EC of 8 June 2000) which establishes a legal
framework for e-commerce in the European Union and will apply to all ‘information
services’ that are provided online for money. The Directive deals with; inter alia, the
formalities for concluding a contract online. There is also the proposed Directive on Distance
Selling of Financial Services which will apply to any contract concerning financial services
concluded with a consumer over the internet. It will contain protective measures such as a
general right for the consumer to withdraw from the contract without penalty for a limited
period, and the requirement for comprehensive information to be provided prior to the
conclusion of the contract. There are also numerous practical issues to consider in respect of
website content and design in order to minimise the risk of offending local laws and
restricting access to the site from those jurisdictions in which there is no intention to trade.

Although there may be increasing harmonisation on jurisdiction issues, this is still far from
the case in other areas of commercial law within the European Union. Until, therefore, such
laws are harmonised, there are many traps for the unwary inherent in online trading.

The ‘network economy’ may have fallen on hard times with investors, but for businesses all
over the world, the scope and importance of online operations continue to increase.
Revenue generated by these operations becomes more substantial with each passing year.
In turn, the cost to restore online operations to functions to functionality can be significant,
while the revenue lost during down time can equal or exceed that lost when traditional
assets such as plants and equipment are damaged. Companies with online operations can
also be exposed to tremendous third-party liability.

As a result, companies are increasingly asking whether current property and liability
insurance will protect them from exposure generated by internet-related activities.
Corporate risk managers have good reason to worry. Standard form property and casualty
policies issued to many businesses have gaps that substantially increase the risk that
coverage will be denied for internet-related claims.