Agents need to understand Internet exposures
to better counsel their customers
By D. Douglas Graham
A Web site is a lawsuit waiting to happen. Or so say some concerned legal experts and insurance specialists. Though still a relatively recent phenomenon, the Internet is now ubiquitous in our culture, and significant to a greater or lesser extent to the economies of most nations throughout the world. Roughly 166 million people in the U.S. go online for business and pleasure. Clearly, the Internet has become an essential operational feature of trade, despite the slump in Web-based commerce and the dot-com decline.
Everyone's a player, even if that person's participation is limited to sending and receiving e-mails. So where's the danger in that? Just about everywhere, says Kirk Denebeim, vice president of ECM Insurance Services, Inc., in San Francisco, California.
"The most innocuous use of the Net is an informational Web site," he explains. "After that, you're looking at interactive sites, and business-to-business, which enable businesses to work more efficiently with one another. All of this has created new liability exposures that prior to the Net did not exist. Worse still, the existing liability policy does not cover most exposures."
Legal pathogens
It's not "new" news that we live in an extremely litigious society, where people sometimes sue one another just to make a buck. For entrepreneurs in this area of "business," the Web is a golden goose, Denebeim continues. Injury assessments in Internet lawsuits can be astronomical because the damaging data riding on the Web may be instantly disseminated everywhere, 24/7. A legal pathogen could conceivably travel virus-like throughout the entire world, forging a long blame chain, with multiple links of opportunity.
"Just putting content on the Web exposes you," says Denebeim. "You might post a site and get a letter from somebody complaining that he has the same site. Then you've got a plagiarism suit on your hands. When you put yourself on the Web you're effectively doing business with the whole planet. You also become automatically vulnerable to every conceivable exposure, and should someone decide to come after you it may cost you everything you've got and more to fend him off, even if you're utterly blameless."
Attorneys who make their living defending Internet suits charge outrageously, Denebeim claims. Most suits involve intellectual property law (trademark and copyright), which is very nebulous stuff. Only the most expensive, highbrow attorneys are qualified to work in the field, and good ones command hourly rates of $500 or more. The medium defense costs for such suits fall between $350,000 and $500,000, and that's just to pay attorney fees. It gets even uglier when the case is lost. These would constitute catastrophic losses to the average corporation, yet only recently have the full implications of Internet exposure become the subject of concern and debate in the U.S. business community. Like dinosaurs totally ignorant of the meteors about to rock their world, many companies are unaware of the problem and are unprepared to cope with it. Some make their living selling insurance.
"The perils of e-business are so many that some might think twice about going online," says Larry Harb, president and CEO of IT Risk Managers, Inc., in Okemos, Michigan. "Things like viruses, unauthorized access, denial of service attacks, sabotage, financial fraud, and identity theft and the theft of credit card data and customer information immediately spring to mind. What people don't think about is the fact that the dangers of Net business mandate the creation of a whole new class of insurance. The risks involved in doing business online are not fundamentally different from those you run into off-line. The difference is the trigger. In the traditional business policy, the trigger is physical loss. On the Net, it's virtual."
When the Insurance Services Office released the latest edition of the CGL, it excluded Internet coverage, Harb continues. (For a more in-depth discussion of this, see Don Malecki's "Risk Management" column on page 110.)
The revisions are overdue. And when companies rely on outdated forms, they wind up covering areas they never intended to cover, and so it is with the Internet. The selling cycle for Internet coverage is significantly different than it is for any other class of insurance business. Mostly it's an issue of education. In most cases the agents are as much in the dark about the legal pitfalls of e-business as are their clients. According to Harb, Internet coverage is so new that an agent should counsel with a specialist when attempting to draft policies for clients doing business online.
Wolves at the door
"What we're seeing in the marketplace right now is that risks associated with the use of technology and the Internet are not covered under traditional commercial liability policies," says Joel Rothman, an attorney specializing in Internet and technology issues, and president of Technology Risk Solutions, LLC, in Boca Raton, Florida. "Organizations like the Insurance Services Organization have recognized this, but the only way for a company to close that gap is to implement a program of technology risk management consisting of good information technology policies combined with the appropriate hardware, software and insurance coverage."
The concept of Internet liability takes into account first- and third-party risks. The risk category includes privacy issues, the infringement of intellectual property, virus transmission, or any other serious trouble that may be passed from first to third parties via the Web.
First-party risks include the effects of electronic vandalism. Hackers, those desperados of cyberspace, wreak havoc in more ways than one. A hacker in it for the glory alone may do no further harm than to temporarily sabotage the system into which he has wormed his way, forcing a company to spend time and money cleaning up the mess. In this case, the damage is restricted to the company itself and does not extend to its clients. A third-party risk scenario involving a hacker might be: A hacker steals credit card numbers from the database of X, Inc., and sells them to an organized crime family operating in Romania. When the Romanians go on a spending spree, the blame trail will lead right back to X, and a flood of lawsuits will quickly follow.
Viruses, which also arrive courtesy of hackers, represent both a third- and first-party risk, and when the infection sets in whole systems will crash and burn. When this happens to a commercial enterprise highly dependent on e-mail to do business, the costs can be far-reaching and astronomical. Not only does the company take a big hit itself, it inadvertently causes its Internet trading partners to suffer as well. Some will try to recoup their losses in court.
"From an underwriting standpoint the third-party risks are easier and less expensive to manage," says Bob Phelan, chairman and CEO of Litchfield Insurance Group in Torrington, Connecticut. "By contrast, the first-party risks are getting more difficult to underwrite and are extremely costly as well. I know of one carrier that requires a two-day interview with the applicant before the process even gets started. Stricter underwriting in this line of coverage makes a problem that is already highly complex, even more difficult for potential insurers to get their hands on. Many brokers and their customers feel that if they are not deeply involved in e-commerce or don't have a Web site of their own, then this insurance issue has no relevance to them. The fact is that should a business unintentionally send some virus or other contaminated transmission to a customer, a supplier or some other third party, he may be facing a huge lawsuit."
Editor's note: Next month, in Part 2 of this feature, we will look at some of the possible solutions for addressing cyber liability problems.
The author
D. Douglas Graham is a freelance writer from Columbia, Missouri. He specializes in technology, e-commerce and other areas of the new economy.