Internet Exposures for Businesses

Summary: E-businesses, as well as brick and mortar companies, face a barrage of traditional and Internet-specific exposures. Whether a company conducts business solely online or maintains only an informational Web site about its products or services, both are open to exposures that are associated with e-business. Insurance professionals need to be aware of growing problems between traditional coverage and the emerging exposures resulting from doing business via the Internet. Insurance professionals should review their clients' needs in order to detect and fill the gaps in coverage their clients may face in the cyberworld.

This discussion focuses on issues arising for companies delving into any aspect of e-commerce.

Topics covered:
Intellectual property
Privacy
Security
Business interruption

Intellectual Property

Some of the most prominent and hardest to control exposures for companies involved in e-business are those involving intellectual property. Intellectual property risks revolve around copyright, patent, and trademark infringement.

Copyright infringement can occur in various forms of e-commerce, such as email transmissions, in developing Web sites, in blog posts and social media, and in browsing and downloading information. The fact that the Internet is ubiquitous makes almost every person either a publisher or soon to be publisher. Most know nothing about the law governing copyright. The copyright infringer probably does not know or realize a copyright has been violated, but knowledge is not a requirement for liability. Source codes, object codes, screen displays, images, text, and video or audio clips found on Web sites can all be copyrighted material. Using these materials without their creators' permission may be in violation of copyright laws. Parents whose children have a computer and access to the World Wide Web may learn that their child is violating multiple copyrights in a way that will expose the child and the parents to major suits.

Another type of exposure associated with intellectual property is patent infringement. Internet-based products or services, as well as business-method patents, can be violated on the Internet.

Trademark infringement is another area of concern for e-business. This type of infringement most commonly occurs on the Internet in four forms: (1) domain name hijacking or cybersquatting, (2) meta tagging, (3) adopting someone's trademark as your own, and (4) unfair linking practices. Cybersquatting occurs when someone purchases a domain name containing the name of a particular individual or organization with the intent of selling the name to the individual or organization for a profit. Numerous companies, celebrities, authors, and well-known brands have been the victims of domain name hijacking.

The use of meta tags pinpoints key words that lead users to Web sites containing information relating to such key words. Meta tagging occurs when another's trademark is used to draw searchers to a different organization's or individual's site. The following court case offers an example of current legal thinking on the issue of meta tags.

In Brookfield Communications, Inc. v. West Coast Entertainment Corp., 174 F.3d 1036 (9th Cir. 1999), the court found that using a competitor's trademark in the domain name of its Web site infringes upon the competitor's trademark and that using the trademark in meta tags causes confusion to consumers. The court stated, “Using another's trademark in one's metatags (sic) is much like posting a sign with another's trademark in front of one's store,” therefore causing initial customer confusion.

Unfair linking practices might result by avoiding a linked site's advertising pages, framing a linked site so that its origin is not identifiable, or by bypassing the home pages of a linked site. The following case is an example of this practice.

In CJ Products LLC v. Snuggly Plushez LLC, 809 F.Supp.2d 127 (E.D. N.Y. 2011), CJ, the makers of Pillow Pets, alleged that Snuggly was selling merchandise similar to theirs, was using similar marks resembling marks CJ had registered, and had purchased from Google AdWords tags to direct customers to their sites using these marks. The court concluded that “there is no dispute that defendants' use of the [plaintiff's] mark to purchase AdWords to advertise its products for sale on the Internet constitutes 'use in commerce' under the Lanham Act.” The Lanham Act is the trademark act enacted in 1946 and provides a national system of trademark registration. It protects the owner of the trademark against the use of similar marks if such use results in consumer confusion or dilution of the mark is apt to occur.

Similarly, in Allied Interstate LLC v. Kimmel & Silverman P.C., No. 12 Civ. 4204 (LTS)(SN), 2013 WL 4245987 (S.D.N.Y. Aug.12, 2013), the court, in denying a motion to dismiss a trademark claim found that “[a]lthough Defendants attempt to draw a distinction between Google's sale of Plaintiff's mark and their own purchase thereof, it is clear … that Defendant is using Plaintiff's trademark in commerce.” Allied Interstate claimed that Kimmel & Silverman had created an Internet advertising campaign that made unlawful use of the Allied Interstate trademark in order to create frivolous lawsuits against Allied.

Privacy

Privacy is a huge concern for all who conduct business on the Internet. Customers want their personal information to remain just that—personal. Information in the form of medical records, financial documents and statements, credit card numbers, and other personal statistics flows freely in cyberspace, and the potential to misuse such information is enormous. Companies must be careful how they use this information and who sees it. Health insurer Anthem was hacked in February 2015, with roughly 80 million customers having their private information such as social security numbers, dates of birth, and medical ID numbers exposed. In January 2014 Target was hacked and up to 110 million customers had their data stolen. Up to 70 million customers had their email, address, and phone numbers stolen, and 40 million may have had credit or debit card information stolen. The risk is not just the using of credit cards, but the identity theft of the person, which can create havoc with someone's finances and credit score. There have been many other instances of consumer data being accessed by unauthorized individuals.

Privacy can be further compromised by online marketing tactics, such as embedded cookies that relay personal data to Web hosts. Even entering Web sites, whether making purchases or not, can violate the user's privacy.

Online commerce is not the only avenue for violations of privacy rights. Employees using company email, either in the office or with outside parties, also exposes businesses to privacy issues. Sensitive or confidential information can find its way outside the company or to the wrong person inside the company. Privacy may also be invaded if employers monitor employees' email usage without notification.

Security

Along the same lines as privacy, security is another major issue to examine. Security exposures may arise from Web servers, the actual information transmitted, or site users.

Security can be compromised from both inside and outside sources. Hackers can find their way into networks and abscond with proprietary information, plant viruses or worms, or alter existing information. An entire company can be shut down if an employee opens the wrong email. Hackers will send emails that look innocuous but launch a virus once the email is opened, infecting one computer and its files or potentially infecting an entire company and its files. On the other hand, employees can, sometimes unknowingly or accidentally, leak confidential or sensitive information outside of the company. Security breach liability, due to actions such as the Anthem or Target hack, is a huge issue.

Business Interruption

Companies that rely solely on the Internet for conducting business can face serious interruptions in their operations when their customers cannot access their Web sites. Traditional businesses, though, probably would not experience complete shutdowns but have an exposure to major losses when their online businesses are interrupted.

Interruptions can be the result of property damage to computer systems, networks, servers, equipment, programs, software, electronic databases, and satellites. The systems and equipment of service providers and vendors can also lead to interruptions in operations.

A debate continues as to whether damage to data stored electronically is considered property damage. In American Guarantee & Liability Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 WL 726789 (D. Ariz. April 18, 2000), an Arizona court ruled that physical damage was not limited to computers damaged by a power outage. Services were interrupted by data being unavailable and the alteration of programs caused by the computer damage. The court said that the physical damage also included the loss of the computers' use or functionality.

Several years later a Tennessee followed this reasoning in Southeast Mental Health Center, Inc. v. Pacific Ins. Co., Ltd., 439 F.Supp.2d 831 (W.D. Tenn. 2006). finding a direct physical loss occurred where the insured's pharmacy computer data was corrupted due to a power outage.

Coverage

Because of the prevalence of data hacks and other issues, ISO has created an Information Security Protection Policy, EC 00 10, to provide coverage for some of the issues that arise from commerce conducted over the Internet and the storage of vast amounts of consumer data. The article Reducing Cyber Risk Exposures: 8 Category Coverages to Consider.provides a brief overview of this form.