As an example, suppose an employee uses his company computer to defame a neighbor. The neighbor sues the employer and the employee, and the employer gives the lawsuit to its insurer and demands defense and indemnity. The insured has the CGL form and the information security protection policy with the same insurer. The information security policy applies to loss that the insured becomes legally obligated to pay (and defense expenses) as a result of a claim of a wrongful act. A wrongful act is defined in the policy to include defamation. Both the insured employer and the employee are insureds under the policy, but there are exclusions that could prevent coverage.

The Full Policy Probe
The information security policy excludes coverage for loss or defense expenses based upon written publication by an insured with the knowledge of its falsity. So, if the employee knows what he posted on the company computer is false, then he certainly has no coverage under the policy. But what about the insured employer?

The exclusion applies to injury caused by “an insured,” and there is no exception for the insured that has no knowledge of the situation. Moreover, another exclusion applies to loss arising out of any malicious act by “any insured.” The use of the words “an” and “any” when it comes to insureds and exclusions means that the exclusion applies to all of the insureds. Some jurisdictions are reconsidering the generalized scope of “an” and “any,” but most courts today would uphold the exclusions against both the employee and the employer.

The CGL form covers damages arising out of written publication of material that libels a person. The form also has an exclusion pertaining to material published with knowledge of falsity. However, this exclusion refers to publishing the false material by “the” insured.

Is the Employee “An Insured”
It can be argued that the employee is not an insured since he was not acting within the scope of his employment when he defamed his neighbor—but is the exclusion still applicable to the employer? Unless the employer knew about the falsity of the information published by the employee and let the employee go ahead and put it on the company computer, the employer would have coverage under the CGL form for a defamation claim against him.

As another example, suppose the named insured company is charged with a security breach, i.e., allowing the acquisition of personal information held within its computer system by a person who is not authorized to have access to such information. The information security protection policy offers insurance coverage to the insured for compensatory damages and defense expense that the insured becomes legally obligated to pay. The policy does not have any applicable exclusion to prevent coverage for the negligent acts (or omissions) of the insured.

The CGL form does apply to claims based on the written publication of material that violates a person's right of privacy. Disclosure of privacy facts fits this description. William Prosser, in his Law of Torts, states that the elements necessary to establish an invasion of the right of privacy are first, that the disclosure of the private facts must be a public disclosure, and second, that the disclosure must be in the form of a highly objectionable kind. Obviously, if the insured allows private data, such as Social Security numbers or medical history, to be made public, the elements Prosser notes are present. As with the information security protection policy, there are no exclusions in the CGL form that would prevent coverage for the negligence of the insured in this instance.

Residual Effects: Emotional Distress
When it comes to the infliction of emotional distress, the information security protection policy and the CGL form approach such claims in their own respective manner. The information security protection policy does not directly exclude claims of emotional distress arising out of website publishing liability or security breach liability. It does state that the policy will not pay for loss based on, attributable to, or arising out of bodily injury.

In other words, if the injured party claims his emotional or mental distress arose out of some bodily injury, the policy will not apply; the claim has to be that the infliction of emotional distress was the direct result of the publishing or security breach. The CGL form, under coverage B, applies to “injury” (including consequential bodily injury), and the use of this word means that the form will apply to emotional distress claims that arise out of defamation or violation of the right of privacy.

In another example of claims that may arise from the world of computers, a plaintiff may assert that a disparagement or invasion of privacy resulted in an interference with its business relationships with existing or potential customers. Suppose an insured, eager to increase his company's profits, disparages a competitor's products or services by sending such material out into cyber space. Such an act is included in the definition of a covered “wrongful act” that appears in the website publishing liability insuring agreement in the information security protection policy; the CGL form's definition of “personal and advertising injury” also includes such an act.

Disparaging Others
Aside from any applicable exclusions that might prevent coverage, insureds should know that some courts look at claims involving such acts in relation to advertising. Both Acme United Corporation v. St. Paul Fire & Marine Insurance Company, 214 Fed.Appx. 596 (2007) and Harleysville Mutual Insurance Company v. Buzz Off Insect Shield, 692 S.E.2d 605 (2010) are cases where the courts addressed claims of false and disparaging statements about competitors' products, and both courts relied heavily for their rulings on whether the allegations against the insureds involved advertising injury offenses.

Moreover, both the information security protection policy and the CGL form emphasize advertisement or publication to the general public as the basis for coverage for disparagement claims.

This has been a brief summary of two insurance policies that are available to any business that feels it is subject to claims arising out of the use of computers. There are certainly other risk-management techniques available to counter cyber risks, and it is up to the individual business as to how best to handle such risks.