8 August 2005

Do Your Insurance Policies Cover 21st Century Risks?


Originally published July 2005

Traditional insurance policies are well designed to cover slips, falls, and fires. But are these the greatest risks businesses face? Dependence on technology, networked computers and the Internet has redefined risk for many businesses. Networked computers hold financial data, sensitive customer information, trade secrets, and proprietary software systems and databases. They also are essential communications channels. Traditional insurance policies, however, are not designed to provide protection for the risk environment that surrounds today’s business technologies. To fill the gap that traditional policies leave, the insurance industry offers a new generation of flexible and evolving products that prudent insurance buyers should consider.

1. Twenty-First Century Risk Environment

As technology and the Internet have transformed business and communications, they also have changed the risks businesses face.

Risks of loss related to protection of a business’s own information. These risks include loss of critical data and information resulting from denial-of-service attacks, viruses, and unauthorized access by hackers and competitors. Consequences can include restoring or replacing lost or corrupted data, and business interruption.

Risks of internal misuse and abuse. A disgruntled employee can use a company computer to send offensive emails to customers, or to an entire customer list. Such internal misuse can disrupt business relationships, damage reputations, create liability under laws regulating unsolicited e-mail, and endanger the employer’s bottom line.

Risks related to protection of third-party information. Many businesses are entrusted with customers’ confidential and proprietary information and employees’ personal information. Businesses that have access to, collect, or use sensitive information are at risk that it will be inadequately secured and that it will be stolen, mishandled, or misused. Identity theft is the fastest growing crime in the U.S. and the number one complaint to the Federal Trade Commission. Large criminal organizations steal confidential data, such as credit card numbers, and trade or sell it on underground Internet sites.1 A business’s own employees or subcontractors may disclose customer information to third parties without authorization. Recent data security failures involve data brokers, like ChoicePoint and LexisNexis; financial institutions, like Bank of America, Citigroup and Wachovia Corp.; media giant Time Warner; and universities, like the University of California and Boston College.2 One bank disclosed three incidents within a year in which theft of computers jeopardized sensitive customer information.3 Outsourcing and off-shoring to payment processors, call centers and other third parties exacerbate these risks.4

Publication risks. "Old economy" companies now are electronic publishers. They face liability risks that media outlets traditionally have confronted. Because information can be collected and published worldwide with a few keystrokes, electronic publishing risks have mushroomed. Potential claims include libel, slander, invasion of privacy, infliction of emotional distress, and trade libel. Businesses with Internet sites also face copyright and trademark infringement risks involving text, images, and sound on web sites, including misuse of metatags, linking and framing. Since the web can be viewed worldwide, an online publisher is at risk of being sued anywhere under the laws of a foreign country.5

Risks stemming from providing technology services or products to others. Companies that create technology or provide it to others face errors and omissions risks in addition to the risks ordinary technology users confront. Errors and omissions by software professionals, web site designers, payment processors, intermediaries, and other service or content providers can result in financial loss to a customer or a downstream user. For example, software and Internet professional service providers face risks of programming errors, security failure, privacy invasion, and infringement of intellectual property rights through copying of software or misuse of metatags, linking, and framing.

In response to the changing risk environment, sophisticated corporations are rewriting insurance clauses in provider agreements to require vendors to maintain specialty coverages tailored to cover these risks.

2. Legislators, Regulators—and Class Action Lawyers--Target Security and Privacy Issues

New laws, regulations and legal theories are transforming the risk landscape.

The Sarbanes-Oxley corporate governance reform law requires public corporations to identify and report to auditors and audit committees all significant deficiencies in the design or operation of internal controls that could adversely affect the corporation’s "ability to record, process, summarize, and report financial data" and all "material weaknesses" in internal controls.6 The Gramm-Leach-Bliley Act imposes an obligation upon "financial institutions" to safeguard customers’ "nonpublic personal information."7 At the same time, the Security Rule issued under the Health Insurance Portability and Accountability Act (HIPAA) requires health care providers, clearinghouses, and health plans to ensure the confidentiality, integrity, and availability of all electronic protected health information that the entity creates, receives, maintains or transmits.8

Meanwhile, the Federal Trade Commission is aggressively bringing "deceptive practice" enforcement actions against companies based on alleged inadequacies in customer information security and gaps between the companies’ representations to customers about personal information security measures and their actual practices. Microsoft, Guess?, Eli Lilly, Petco Animal Supplies, and Tower Records have entered into FTC consent decrees. In the most recent case, the respondent, BJ’s Wholesale Club, had made no allegedly deceptive marketing claims, so the FTC invoked its authority to pursue "unfair" business practices. The FTC alleged that BJ’s failure to take "reasonable and appropriate security measures" was itself an unfair practice.9

Businesses that touch consumers’ sensitive personal information must comply with groundbreaking new laws. In 2003, California became the first state to require businesses to notify California residents of security breaches of unencrypted consumer data and to provide a cause of action to injured consumers.10 Because notifying only California residents is a public relations impossibility, the California law is having national impact. Moreover, the unremitting flood of security breach headlines has led to over twenty bills in Congress and at least 200 in state legislatures seeking to improve security in the handling of sensitive customer information.11

The California legislature followed up its 2003 security-breach notification law with three more consumer protection statutes in 2004: an information security law,12 an online privacy statute,13 and a spyware law.14

California’s information security law requires businesses that "own or license" sensitive personal information about California residents to implement and maintain "reasonable" security practices and procedures to protect the information from unauthorized access, destruction, use, modification, or disclosure. Businesses that disclose such information to unaffiliated third parties must require by contract that those entities maintain reasonable security measures. The new privacy law requires operators of commercial web sites or online services that collect "personally identifiable information" about California consumers to post conspicuous privacy policies. The law gives companies a 30-day safe harbor to post a policy "after being notified of noncompliance." The law prohibits "negligently and materially" or "knowingly and willfully" failing to meet the posting requirement or to abide by the posted privacy policy. The spyware law prohibits, among other things, intentionally deceptive use of keystroke logging software, of adware that tracks all or substantially all of the web sites visited by the computer user, and of software that extracts sensitive information from a user’s computer that could be used for identity theft. More states are likely to enact information security, online privacy, and anti-spyware laws.15

Class-action lawyers are moving even faster than legislators. Security breaches compromising the personal information of millions of victims are drawing class-action attorneys to a new practice area. The result is class actions against such companies as Reed Elsevier, ChoicePoint, Inc., and CardSystems Solutions, Inc.16 The CardSystems Solutions suit, for example, invokes the new California laws that require companies to take reasonable security measures to protect customers’ personal information and to notify consumers of security breaches "in the most expedient time possible and without undue delay."17 Merrick Bank Corporation, Visa U.S.A. and MasterCard International also are named in that case.

Attacks against spyware marketing are another area where creative lawyering is at work. Even without anti-spyware legislation like California’s, the FTC and New York Attorney General Eliot Spitzer have filed false advertising and deceptive business practices suits against Internet marketers. These actions allege that the defendants offered free games, screen savers or other file-sharing programs that enabled them to download to users’ hard drives software code that then summoned streams of pop-up ads, changed Web browser settings, added unnecessary toolbar items, and caused computers to slow or crash. Both complaints seek injunctive relief and disgorgement of ill-gotten gains; the Spitzer action also prays for civil penalties.18

The federal CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act)19 establishes requirements for commercial e-mailers. For example, the statute bans false or misleading header information and prohibits deceptive subject lines. CAN-SPAM also requires that commercial e-mail be identified as an advertisement, include the sender’s valid physical postal address, and provide an opt-out method. Although CAN-SPAM does not create a private cause of action for e-mail recipients, it authorizes the FTC and other agencies to enforce the Act and gives the Department of Justice and state attorneys general authority to bring criminal prosecutions. Companies that provide Internet access may sue violators, as well. CAN-SPAM allows states to enact laws addressing falsity or deception, and some state legislatures are moving forward with bills targeting fraudulent and deceptive spam.20

3. Twenty-First Century Insurance Products Augment Traditional Policies

Traditional insurance policies may not adequately cover some of policyholders’ greatest risks:

Traditional property policies are keyed to direct physical loss or damage. However, losses resulting from computer viruses, denial of service attacks, and theft of confidential information are intangible. If a traditional property policy includes an endorsement covering electronic vandalism or similar incidents, the coverage may be subject to a predetermined and potentially inadequate limit, such as $25,000.

General liability policies do not cover damage to intangible property, exclude nearly all intellectual property exposures, and exclude personal and advertising injury coverage entirely for companies whose business is advertising, broadcasting, publishing, or telecasting, as well as web site designers and Internet search, access, content, and service providers and companies that host bulletin boards.21 Moreover, general liability underwriters often add exclusions deleting all personal and advertising injury coverage for policyholders judged to present e-commerce risks. When this important coverage is deleted, policyholders lose all protection for libel, slander, disparagement, invasion of privacy, malicious prosecution, and other offenses traditionally included in general liability policies. Insurers also add "professional services" exclusions to avoid covering errors and omissions exposures for policyholders that provide professional services to others.22 As liability risks are expanding, coverage is contracting.

Crime policies are of limited help because they typically cover only loss of money, securities, and other tangible property. Moreover, these policies require identification of the perpetrator, which may not be possible in the case of hackers and cyber-thieves.

As a result, standard property, commercial general liability, and crime policies may not adequately protect against today’s technology, network security, intellectual property, and media risks.

The limitations of traditional twentieth century insurance policies are prompting policyholders to turn to specialty insurance products. Insurers offer a cafeteria of first-party and liability coverages. First-party coverages include electronic information loss or corruption, related business interruption (including extra expense and forensic expenses), cyber-extortion, public relations expense, cyber terrorism, and identity theft. Liability coverages frequently are written on updated media or professional liability forms. Liability coverages include web content liability (including defamation, invasion of privacy, and copyright and trademark infringement), technology, telecommunications, and Internet professional liability, and network security liability.

Unfortunately, no standard policy exists for these new coverages. Insurers’ coverage forms vary significantly, are continuously evolving, and are marketed under a variety of proprietary names. Because insurers’ offerings and options vary, policyholders should carefully analyze specimen policies and endorsements with the help of an insurance broker and counsel. On the plus side, policyholders can purchase $100 million or more in coverage through U.S., Bermudan, and London markets. Sub-limits may apply to some coverages, however. Among the leading industries for this rapidly growing market are technology, telecommunications, financial services, health care, entertainment, news and information, retail, hospitality and travel, utilities, and manufacturing.

4. Conclusion

Traditional insurance policies are well designed to cover slips, falls, and fires. But these may not be the greatest risks many businesses face. For insurance protection in today’s risk environment, the insurance industry offers a new generation of flexible and evolving insurance products that prudent insurance buyers should consider.

William Campbell is a member of the Insurance Litigation and Coverage Group of DLA Piper Rudnick Gray Cary US LLP. He is a partner in the firm’s San Francisco office.

Endnotes

1 Cassell Bryan-Low, Identity Thieves Organize, Wall Street Journal, April 7, 2005, at B1.

2 Tom Zeller Jr., U.P.S. Loses a Shipment of Citigroup Client Data, New York Times, June 7, 2005, at A1.

3 David Lazarus, Privacy Breached by Theft, San Francisco Chronicle, Nov. 7, 2004, at B1.

4 See, e.g., Eric Dash, Take a Number/How Electronic Thefts Revealed the Vulnerabilities of Payment Systems, New York Times, June 30, 2005, at C1.

5 See, e.g., Richardson v. Schwarzenegger, [2004] EWHC 2442 (QB) (English court was a convenient forum for a UK citizen’s defamation claim against the spokesperson for a California gubernatorial candidate based on statements reported in a Los Angeles Times article, which was published in the UK in hard copies and on the web).

6 15 U.S.C. § 7241(a).

7 15 U.S.C. § 6802.

8 45 C.F.R. § 164.306(a). The Gramm-Leach-Bliley safeguards obligation is implemented in the FTC Safeguards Rule, 16 C.F.R. § 314.1, et seq.

9 In the Matter of BJ’s Wholesale Club, Inc., Federal Trade Commission File No. 042 3160 (June 16, 2005).

10 Cal. Civil Code § 1798.82.

11 Zeller Jr., U.P.S. Loses a Shipment of Citigroup Client Data, New York Times, June 7, 2005, at A1; Mitchell Pacelle and Christopher Conkey, Card Issuers Take Swipe at Rules—Federal, State Legislators Propose Bills on Reporting Data Thefts; Financial Firms Want Control, Wall Street Journal, June 23, 2005, at C1.

12 Cal. Civil Code § 1798.81.5.

13 Cal. Business & Professions Code § 22575, et seq.

14 Cal. Business & Professions Code § 22947, et seq.

15 For a summary of state and federal legislative initiatives on spyware, including statutes recently enacted by California, Utah, Arkansas and Georgia, see Jim Halpert, America’s Developing Approach to Spyware, 2 Data Protection Law and Policy 7 (April 2005).

16 David Bank, Security Breaches of Customers’ Data Trigger Lawsuits, Wall Street Journal, July 21, 2005, at B1.

17 First Amended Complaint, Parke v. CardSystems Solutions, Inc. (July 6, 2005) (San Francisco Superior Court No. CGC-05-442624).

18 Federal Trade Commission v. Seismic Entertainment Productions, Inc., 2004 U.S. Dist. LEXIS 22788 (D. N.H. October 21, 2004) (temporary restraining order granted); Verified Petition, People v. Intermix Media, Inc. (April 28, 2005) (N.Y. County No. 05401394).

19 15 U.S.C. § 7701.

20 E-Mail Marketing/Florida, Maryland Bills Targeting Spam Are Drafted to Avoid Federal Preemption, 9 Electronic Commerce and Law Report, March 31, 2004, at 311.

21 William F. Campbell, The Incredible Shrinking Advertising Injury Coverage, 14 Coverage 1 (May/June 2004).

22 See generally, Rahul Karnani, Application of the "Professional Services" Exclusion, 14 Coverage 31 (Sept./Oct. 2004).

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.
