This article has been reviewed and the case law cited has been found to be still valid. Also, information about the ISO E-commerce policy and the current CGL form has been added by the editors of FC&S.

Topics covered:

Introduction Areas of third party loss Types of claims Coverage issues Current developments Conclusion

Introduction

As new technologies develop, allowing businesses to communicate via computer, so do the liability risks arising from their use. The potential for mischief and harm is also on the rise. Even in this time of Dot-com failures, the electronic business environment "with all its risks" has become a staple in business throughout the world. Although the claim activity associated with electronic commerce has, to date, been relatively quiet, the exposures created by cyberspace are intimidating. Insurers and reinsurers in the areas of both property and casualty coverages need to recognize the emerging liability issues resulting from use of computers and the Internet.

A brief overview of some of these serious exposure concerns as well as the subsequent coverage issues that have developed are discussed below, with concentration on the third party liability area.

Areas of Third Party Loss

There are several areas of third party loss that have resulted from the increase in e-commerce activities. In these areas, potential losses include: errors and omissions; intellectual property liability; content and advertising-related liability; and employee-related exposures.

Errors and omissions losses may include claims by consumers alleging loss arising from service interruptions, for example, investors unable to trade stocks during a two hour down-time. Other E&O loss exposures would be privacy invasion or software failure.

Intellectual property exposures most often involve misappropriation of software from a firm (or an individual) that is patented or copyrighted.

Content and advertising-related liability exposures include defamation, false advertising, and disparagement of competition.

Employee-related exposures most commonly include privacy violation. This is an area that is expected to expand greatly, limited only by the imagination of plaintiff attorneys.

Types of Claims

At this time, the following are the types of claims that are most prevalent in the areas of third party loss: breach of privacy; electronic defamation; electronic harassment; electronic trespass; and intellectual property infringement.

There is some type of privacy policy contained on most commercial Web sites that clarifies how the firm will or will not use personal information given to the sites by a user. However, unintentional release or use of personal information does occur in some instances. For example, a May 2002 Federal Trade Commission (FTC) ruling " Docket #C-4047 " regarding a settlement agreement between the pharmaceutical company Eli Lilly and the FTC may provide further direction for companies looking to get a bearing in Internet security. The settlement resulted from an FTC consumer privacy complaint based on an inadvertent Lilly e-mail distribution: each recipient of the e-mail was given the e-mail address of all other Prozac users on that address list. Eli Lilly was sued by eight states and settled for $160,000.

Court decisions have made it clear that defamation in the context of the Internet is just as legally actionable as it is on paper. Businesses must be sensitive to potentially defamatory statements posted at their Web site even if they are not the author of such content. For instance, certain Web sites host forums where visitors may post messages. Depending on the degree of editorial control the hosting firm exercises over the Web forum, courts may hold the firm liable as a publisher or such content in a defamation suit. And, there is another, although less likely, exposure for liability, by the use of hyper link to other Web sites where defamatory or infringing comments are posted. An example of this was an early case in the Internet law actions: Cubby v. Compuserve, 776 F. Supp. 135 (S.D.N.Y. 1991). This case was about defamatory statements made in a publication on a computerized database. The appropriate standard of liability to be applied to CompuServe was whether it knew or had reason to know of the allegedly defamatory "Rumorville" statements.

To the extent a firm's electronic message board is considered "part of the workplace", posting messages on the board may be considered harassment; an example of this is Blakey v. Continental Airlines, Inc., 751 A.2d 538 (N.J. 2000). This case concerned employee access to a bulletin board at the company's Web site and the continuing harassing comments that were made about a female pilot.

In several cases, one business has sued another business for trespassing on its Web site in order to collect valuable data at that site. For instance, in eBay v. Bidder's Edge, 100 F. Supp.2d 1058 (ND Cal. 2000), one firm was enjoined by a court from using a robot or spider to visit a competitor's site and mine business information that the competitor had taken the trouble to obtain and process. (Note that this ruling pertained to the tort of trespass to chattels as referenced in LaCourt v. Specific Media, Inc., 2011 WL 1661532 [C.D.Cal.]). In another case, Register.com v. Verio, 126 F. Supp. 2d 238 (SD NY 2000), a court enjoined a firm that sold Web site development services from visiting the Web site of an Internet domain name registrar each day in order to harvest the list of customers who had just purchased a domain name that day from that registrar; the firm planned to solicit Web development business from the new domain name owners.

Due to easy access one has to another person's Web content, opportunities for intellectual property infringement have increased. There have been several well-publicized instances (such as the Napster litigation) of Internet businesses taking copyrighted material from another's business and misappropriating it for profit. With respect to trademarks, the Internet has become the vehicle for countless episodes of infringement. In many instances, the defendant business or individual is accused of using a well-known trademark in its source code or domain name in order to lure Internet traffic to the defendant's Web site. These rulings are a clear warning sign that courts continue to deal with new technology in much the same way that they have as of old. In doing so, this case highlights the need for companies doing business on the Internet to understand that they should not ignore existing intellectual property laws. This includes businesses that have active Web sites as well as those that provide Internet access to their employees as part of their employment.

Coverage Issues

The main reason for so much discussion and dispute about coverage for e-commerce risks among risk and insurance professionals is the lack of coverage available to respond to liability associated with e-commerce activities due to the traditional wording on coverage forms. Standard commercial general liability (CGL) or umbrella coverage forms do not provide the appropriate coverage for e-commerce risks for a variety of reasons. As an example, although typical CGL forms cover advertising liability, exclusions apply if an act causing the claim is committed by an insured whose business is broadcasting, publishing, or telecasting. These exclusions give rise to coverage issues due to the high percentage of firms being involved in e-commerce.

(Note that ISO has developed an e-commerce program providing coverage for cyber risks. The policy is EC 00 10 11 09, Information Security Protection Policy, This policy applies to web site publishing liability, security breach liability, programming errors and omissions liability, replacement or restoration of electronic data, extortion threats, business income and extra expense, public relations expense, and security breach expense. For more information on this policy, see Information Security Protection Policy).

Numerous defendants in intellectual property (that is, trademark) infringement lawsuits, however, have sought coverage under the advertising injury portion of their CGL policy. Robert Badgely noted in Electronic Risk Issues, "Specifically, insureds have argued that a trademark infringement claim constitutes a misappropriation of advertising ideas or style of doing business, or an infringement of title or slogan, or both. More often than not, insureds have succeeded in persuading the court that a trademark infringement claim falls within the CGL policy definition of advertising injury. (To date, however, most of the coverage decisions have involved pre-1998 CGL policy forms.)"

(Note that the current CGL form excludes personal and advertising injury arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights, but there is an exception for infringement, in the named insured's advertisement, of copyright, trade dress or slogan. For more information on the current CGL coverage form pertaining to advertising injury, see CGL Coverage Form—Coverage B).

A second issue among the questions of coverage for trademark claims under advertising injury related to causation: the underlying claim against the insured must arise in the course of the insured's advertising activities. Again, insureds have succeeded in many instances in meeting the policy's causation requirement, both at the state and federal level.

Another coverage issue is the notion of data being defined as property in both first party and third party claims. Some appellate courts have addressed this issue. Typical of the decisions in this area is the Minnesota Court of Appeals' treatment of the question whether a CGL policy provided coverage for erasure of data during repair and inspection of computer discs in Magnetic Data v. St. Paul Fire & Marine, 430 N.W.2d 483 (1988). The case centered on a claim that the policyholder had erased a client's data while servicing and repairing computer discs. The Minnesota Court of Appeals held that there was coverage in spite of the fact that it found that computer data was not tangible property. The court noted that while the damage to property clause was limited to tangible property, the policy did not limit coverage to tangible property when the claim involved loss of use of the property not physically injured. (However, this ruling was reversed by the Supreme Court of Minnesota in Magnetic Data, Inc. v. St. Paul Fire and Marine Insurance Company, 442 N.W.2d 153 (1989). The Supreme Court ruled that, absent clear language to the contrary, it declined to interpret the CGL policy to extend coverage to the loss of use of intangible property.)

The question that has arisen to cause this coverage issue is: what constitutes covered property? And this leads to the basic question of whether electronic data constitutes tangible property, as defined in the CGL form. There have been advances and setbacks for insurers.

In American Guarantee & Liability v. Ingram Micro, 2000 WL 726789 (D.Ariz.), the court held that the term "physical damage" covered the loss of access, loss of use, and loss of functionality of electronic data. (Note that this case is not reported in F. Supp.2d.) However, in more recent outcomes, insurers have prevailed on the "data as property" issue. In 2001, the court in State Auto v. Midwest Computers & More, 147 F. Supp. 2d 1113 (WD Okla. 2001), concluded that, under a liability policy, the loss of electronic data was not tangible property because the data could not be touched, held, or sensed by the human mind. In 2002, the court in America Online v. St. Paul Mercury, 207 F. Supp. 2d 459 (2002 US Dist.), held that the insurer did not have a duty to defend AOL against lawsuits that alleged that AOL's 5.0 software caused users' computers to crash and corrupted users' software and data. The court concluded: "electrical impulses that carry computer data may be observable with the aid of a computer, but they are invisible to the human eye."

(Note: the definition of property damage on the current CGL form specifically states that electronic data is not tangible property. In addition there is an exclusion that applies to damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.)

Current Developments

In recent years, courts have been faced with the challenge of applying longstanding legal positions to the new electronic world of e-commerce. However, legislatures are seemingly better equipped than courts to address these changes. They have tried to tackle some of the most pressing Internet concerns. For example, in late 1999, Congress passed the Anticybersquatting Consumer Protection Act (as an amendment to the Lanham Act) to curb the practice of cybersquatting (that is, registering as a domain name the trademark of another firm and then seeking a payment to transfer the domain name to that firm), and cyberpiracy (that is, registering as a domain name the trademark of another firm and using that domain name to generate Internet traffic to one's own Web site). Congress has also passed laws (and is considering additional legislation) in the area on Internet privacy. Also, various states have passed laws restricting the use of spam (unsolicited bulk commercial e-mail).

Conclusion

With respect to the noted third party scenarios being played out in the country's courts, some insureds already have the basic coverage needed in their liability insurance program to respond to the e-commerce risks and merely need to review it periodically. However, many insureds do not, as they have only the standard CGL, umbrella, and excess policies. These are the ones that should consider adding specific professional liability and multimedia errors and omissions coverage into their programs, or buying one of the new e-commerce insurance policies.

All must be wary of some of the advertising hype surrounding some of the new e-commerce insurance policies. Insureds must understand their own specific exposures and choose the best options for themselves.