Last Updated Feb. 22, 2005
The more sophisticated computer systems become and the more companies do business over the Web, the more susceptible companies are to viruses and hacker attacks and new types of liability. Insurers are rising to the occasion with policies tailored to businesses that face computer crimes, Web site liability, and other online risks.
What is the risk?
Advertising injury. Business interruption. Copyright infringement. Because these same risks are covered in many commercial general liability (CGL) policies, as well as in property coverage and criminal loss policies, those policies may look like what is needed to cover the risks online. But there are differences.
The biggest difference is that insurance companies do not have a long history of reviewing claims information for the new Internet risks. This makes it very difficult to decide which risks the insurance company is willing to cover, as well as how much premium it will charge.
Each day’s business on the Web brings new ways businesses are at risk from fraud, liability or hacker damage. Without any history to use in determining how much a particular risk will cost the business, the insurance company has to make a “best guess,” something any good actuary is reluctant to do.
In addition, each passing month brings new case law for suits brought for or against companies doing business on the Web, sometimes with almost contradictory results.
In April 2000, a U.S. District Court judge in Arizona ruled that American Guarantee & Liability Insurance Co. (AGLIC) must pay business-interruption and property claims made by a policyholder, Ingram Micro Inc., for damages to its computer system during a power outage. Ingram argued that the complete wipeout of its computers’ RAM constituted “direct physical damage from any cause.” AGLIC disagreed, but the judge ruled in Ingram’s favor. As a result of that case, many policies now include specific guidelines for the type of computer backup systems that must be in place prior to any loss, and require that these systems be damaged as well before any claim will be paid.
A 2002 survey by St. Paul Cos. of 501 information technology (IT) managers and risk managers at 460 U.S. companies found that many underestimate the risks of electronic commerce and are not training employees to cope with them. Only 55 percent of the risk managers responding to the survey stated they had reviewed existing insurance coverage in place for their company to include coverages for electronic risks. Fewer than half of those report they are covered for intellectual property infringement, such as copyrights.
Paying for what you get
Like most coverage, Internet policies require the insurer to look at your business activities in order to determine your risk. The difference is, that’s all they can look at, since there’s none of the usual actuarial data to help calculate a premium.
Computer viruses caused an estimated $13 billion in damage in 2001, according to American International Group’s eBusiness Risk Solutions. It is estimated that premiums written for cyber insurance are likely to exceed $2 billion within the next four to five years as companies recognize existing gaps in their coverage.
Insurance companies try to assess the risk of doing business for each company they insure. Does the policyholder write brochures for businesses, passing information back and forth along the Web to be printed into hard copy for use? Or does the company build Web sites, placing potentially inflammatory statements out there for anyone to read, or even infringing on another company’s copyrights?
The insurance company also looks at the potential for fraud or liability, both in what their policyholder creates, and in the business they do. A retail operation operating over the Web has the potential for fraud in identity theft and for liability if a hacker breaks into their site and copies credit card information of customers.
If you’re using archived material, such as old articles, photos, or sound clippings, you need to hold the electronic rights as well as the normal media rights to the material before putting it on your site.
Anyone can register any domain name they like, without proving that they own a trademark for it. You might need to sue if someone else registers your trademarked name, or a variation, as a domain name; some e-policies cover your legal fees.
Meta tags are the hidden codes in a Web page that tell search engines what’s included on the page. A company might use its competitors’ names in the meta language to draw visitors under false pretenses, if it’s listed on a results page for a search on a competitor’s name.
What are you doing with your customers’ data? Web sites can collect personal data such as credit card numbers, Social Security numbers, and product preferences. If you’re not careful about how you use that data, you could be sued by an irate customer.
An insurer might also examine your company’s loss history in other, similar categories of insurance, such as a standard media policy or crime coverage. And having loss-control mechanisms in place can, as with all insurance, help lower your premium. For example, regular, thorough audits of your computer network will help you to identify any holes in your network security, which has the added effect of reassuring your insurance company that you’re doing your best to prevent hacking disasters.
Filling the liability gaps
Web site liability coverage closely resembles standard media coverage for magazines, newspapers, and other media outlets, but is written especially for the Internet. Unlike a CGL policy, which lists specific situations in which your liability coverage applies (insurance pros call this a “named perils” policy), Web policies cover all liabilities arising from Web site advertising or content.
Do you have banner ads on your site and think that “advertising injury” coverage will help? Think again. A CGL policy provides some coverage for ad-related liability, but it’s only for your ads.
Once you start flashing ads from other companies on your site and collecting the ad revenue, you might be surprised to hear that your insurer considers you to be in the advertising business. Any claims made against you will probably not be covered if they concern another company’s ads. That’s a hole in your standard coverage, and it can be filled by a Web-specific policy.