Best Practices Internet Media Liability/Cyberspace Policy
I. INTRODUCTION
The international insurance market is grappling with the challenge of creating a policy that adequately addresses the number of risks posed by new technologies and Internet activities in particular. Currently, there is no industry standard policy form. A recent panel of brokers and insurance coverage counsel seeking to evaluate policies offered in the marketplace failed to identify a single best policy form given the wide variance in the coverage that applies. The group recommended that each business examine its particular needs and determine which companies’ products best address such needs.
There is another solution, however: craft a “best practices” policy form from which the majority of businesses may benefit. The concept is much like that which inspired the creation of the Commercial General Liability policy, which was itself a response to the number of variant policy forms issued by carriers – some broker-influenced, others not.
II. “BEST PRACTICES” INSURANCE COVERAGE
ACE: ACE DigiTech Digital Technology & Professional Liability Insurance Policy; ACE Digital DNA Network Risk Insurance Program for Business Interruption Coverage
AIG net Advantage Complete: Internet Media Liability, Internet Professional Services Liability, Cyber Extortion, Information Asset, Business Interruption, Criminal Reward Fund, Crisis Expense
Chubb: Information and Network Technology Errors or Omissions and Endorsements; Reputation Injury and Communications Liability Coverage (separate part of GL coverage)
Travelers CyberTech: Technology Errors and Omissions Liability; Communications and Media Liability; Network and Information Security Liability (CyberTech & General Provisions)
Insurer Providing Best Coverage
Cyber Tech Coverage
Cyber Extortion -- ACE: For credible threat or series of related threats directed at the Insured to release, divulge, disseminate, destroy or use confidential information; introduce malicious code; corrupt, damage or destroy the Insured’s computer system, or restrict or hinder access to the Insured’s computer system
Denial of Service -- ACE: For liability resulting from the failure to prevent unauthorized access to or unauthorized use of the Insured’s computer system that in turn results in denial of authorized user’s access
Loss of Data -- ACE: The ACE Network Risk Insurance Program covers costs to replace, restore, or recollect digital assets, including disaster recovery or computer forensic recovery efforts. If not replaceable, the coverage provides reasonable and necessary costs incurred to make that determination. A digital asset loss does not include economic value of digital assets or other consequential loss or damage. The liability module covers liabilities as a result of unauthorized access or unauthorized use resulting in theft, alteration, or destruction of data
Physical Theft of Hardware, Laptops, Servers, etc. -- AIG net Advantage Complete: Only for liability arising from physical theft of hardware or firmware controlled by Insured on which electronic data of third party is stored, if hardware or firmware is stolen from Insured’s premises
Privacy Liability -- ACE: For liability resulting from failure to handle, manage, store, destroy, or otherwise control Personal Information or third party corporate information in certain circumstances
Transmission of Virus -- ACE: For liability resulting from the failure to prevent the transmission of malicious code from the Insured’s computer system to the computer system of another
Unauthorized Access -- ACE: For liability resulting from failure to prevent it if the act has a particular result
Unauthorized Use -- ACE: For liability resulting from failure to prevent it if the act has a particular result
Errors And Omissions
Products -- ACE: For liability arising out of the failure of the “Insured’s Technology Products” (includes hardware and software) to perform the function or serve the purpose intended
Services -- ACE: For liability arising out of rendering or failure to render “Technology Services” for a fee. “Technology Services” definition can encompass activities from IT consulting to website design
Intellectual Property Coverage
Copyright -- AIG net Advantage Complete: In performance of designated “Internet Professional Services” or in display of material on Insured’s Internet site
Copyright for Software Code -- Chubb: Separate endorsement will cover copyright infringement generally by third parties. Excluded under RICL coverage
Service Mark -- ACE: See above
Service Name -- ACE: See above
Title -- ACE: See above
Trade Dress -- ACE: See above
Trade Name -- ACE: See above
Trademark -- ACE: See above
Personal Injury Coverage
Defamation -- ACE: In the course of the provision of “Electronic Media Activities,” including electronic publishing on the Internet
Invasion or other violation of a right of publicity -- ACE: See above
Libel -- ACE: See above
Invasion or other violation of a right to privacy -- ACE: See above
Product Disparagement -- ACE: See above
Slander -- ACE: See above
Trade Libel -- ACE: See above
Business Interruption
Business Interruption Loss -- AIG net Advantage Complete: Net pre-tax profit (or loss) that is prevented from being earned because of actual and measurable interruption to computer system, and extra expense to reduce loss and continue business, plus income loss and certain expenses incurred by entity on which policyholder depends (if loss results from failure in computer security of that business), plus loss during extended period if loss and expense during original period exceed retention.
Period of Restoration -- ACE: Up to 30 days beginning with the date of “Interruption of Service” and ending when the computer system is or could have been repaired or restored with reasonable speed to the same functionality and level of service prior to the Interruption of Service
Definition Of A Claim
Administrative / Regulatory Proceedings -- ACE: As “Regulatory Proceeding” is defined by the policy; the defined term includes a broad spectrum of governmental agency actions.
Cyber Extortion Claim -- ACE: A credible threat or series of related threats to attack in a specific way the Insured’s computer system
Legal Proceedings -- ACE: Includes both civil and arbitration proceedings
Written Demands -- ACE: For monetary and non-monetary damages
Written Reports -- ACE: A written report by the Insured to the Insurer identifying an actual or alleged violation of a privacy regulation
Definition Of Loss/Damages
Consequential Damages -- ACE: Not specifically omitted in the liability module
Disgorgement / Restitution -- AIG net Advantage Complete: Not specifically addressed, although a separate exclusion for uninsurability and for costs and expenses of complying with any form of equitable relief
Injunctive Relief -- AIG net Advantage Complete: No, although duty to defend against civil proceedings seeking injunctive relief
Judgments -- ACE: Yes
Legal Expenses -- ACE: Duty to defend any covered claim
Pre-Judgment and Post-Judgment Interest -- ACE: Yes
Settlement -- ACE: Yes
Coverage Territory
Location of Claim or Suit -- ACE: Claim may be brought anywhere in the world
Location of Act or Injury -- ACE: Yes
Other Exclusions
Act of God -- Chubb: No
Antitrust -- Chubb: No
Contractual Liability -- AIG net Advantage Complete: With carve back for liability that would exist in absence of the contract; except that, for Internet Media Liability coverage (for personal injuries arising from any material on policyholder’s Internet site), contractual liability is not excluded
Liability arising from over-redemption of coupons offered by Insured -- AIG net Advantage Complete: Yes, except exclusion does not apply to business interruption coverage and coverage for loss of information assets arising from a failure of security
Deceptive/Unfair Business Practices -- ACE: Yes, but the duty to defend will exist until a finding is made; if a finding is made, the policyholder must repay defense expenses
Digital Rights Management Failure -- AIG net Advantage Complete: No
Enhancement -- AIG net Advantage Complete: Yes, under Information Assets and Business Interruption coverage, for costs or expenses incurred to enhance assets beyond their status prior to loss; also, exclusion for failure to take reasonable steps to upgrade and maintain software only for Security Liability, Cyber-Extortion, Information Asset, and Business Interruption claims
Failure of Security -- ACE: No
Fraud/Dishonesty -- Travelers CyberTech: Yes, but duty to defend still applies until it is “determined or admitted in a legal proceeding” that the fraud/dishonest act was committed by or with the knowledge of an insured
Implied or Actual Warranty, Guarantee or Promise -- Chubb: No, included in definition of “your product and your service”
Infrastructure Failure -- Chubb: No
Intentional Act -- AIG net Advantage Complete: Not per se (but see fraud/dishonesty exclusion); also, intentional violations of Insured’s privacy policy and intentional misrepresentation in advertising excluded upon adverse judgment, finding of fact, or adverse admission
Internet Failure -- Chubb: No
Insured vs. Insured -- AIG net Advantage Complete: Yes, excluded from all but Business Interruption and Information Asset Loss coverage, with some limitations
Mass Mailing (incl. anti-spam) -- AIG net Advantage Complete: No
Personal Information Collection -- AIG net Advantage Complete: No
Personal Injury Exclusion -- AIG net Advantage Complete: No
Prior Knowledge/Prior Acts Exclusion -- AIG net Advantage Complete: Yes, exclusion for claims arising from or relating to prior or pending claims/proceedings
Support Termination -- AIG net Advantage Complete: No
Upgrades -- Chubb: No
War -- Chubb: No
Trigger
Claims Made -- AIG net Advantage Complete: Yes, Internet Media Liability Coverage claims must be reported in writing “as soon as practicable”; Internet Professional Services Liability, Security Liability, and Cyber-Extortion claims must be reported in writing within policy period, or within 30 days after policy period, as long as claim is reported within 30 days of being made
Extended/Limited and Optional Reporting Period -- AIG net Advantage Complete: 60-Day automatic extended reporting period upon cancellation of policy; option of purchasing an extended reporting period
Insured Definitions
Additional Insured if Required by Contract -- AIG net Advantage Complete: Yes, but only for wrongful acts of the named Insured
Independent Contractors Coverage -- AIG net Advantage Complete: Independent contractors included for Internet media liability and Internet professional service liability coverage, but only if claim was also brought against Insured and while such claim is pending
III. ANALYSIS OF PROPOSED “BEST PRACTICES” MODEL FOR CYBERSPACE AND INTERNET MEDIA LIABILITY
When analyzing appropriate coverage, the following issues should be considered:
(1) Is it a claims-made or claims-made-and-reported policy form? The former is preferable.
(2) Does the coverage provide for payment on “amounts paid on” or only on amounts related to the cost of contract, and is co-insurance required? Preferably, the form would not require co-insurance, would include a duty to defend rather than “amounts paid on” language, and would not restrict defense fee reimbursement with the number of policy limits.
(3) Can the insured choose counsel? If not, is an acceptable panel counsel list provided? The least desirable situation is one where the insured must prove conflict of interest in order to obtain the right to independent counsel, particularly since a fight with the carrier may ensue not only over the acceptability of such counsel but also over the rate of reimbursement. Such intricacies should be agreed upon up-front if possible.
(4) Is the insured the only party covered? Can coverage extend to parties whom the insured must indemnify, or to whom it subcontracts work or licenses its product? “Yes” is the optimal answer to each of these questions.
(5) Is the definition of “products and services covered” sufficiently broad to encompass the errors and omissions portion of the agreement? The ideal form would be enterprise-wide and would include technology service E&O, consulting service E&O, Internet IP infringement, full media IP infringement, network security coverage, and personal injury coverage.
(6) Intellectual property coverage should also be available, at minimum, for copyright, trademark, trade dress, service mark, service name, title, and trade secret. Patent coverage should be sought where possible. The insured may combat insurer resistance on this issue by providing separate sub-limits for this coverage, a higher deductible or self-insured retention. Security and privacy coverage, as well as Internet web service activity coverage, are key.
(7) Does the coverage for personal injury include libel, slander, product disparagement, and invasion of privacy? Is first-party cyber coverage included for unauthorized access or use, denial of service, or virus transmission?
(8) Key policy definitions must be broad in describing claims, claim expenses, losses, and damages.
(9) Is there an automatic threshold for newly acquired subsidiaries, and if so, what time limits are imposed? Where a contract obligation requires an insured to insure another party, is the “additional insured” opportunity readily available?
(10) Is the coverage territory worldwide? Are exclusions narrow and/or capable of elimination? The following exclusions must be carefully examined: “bodily injury” and “property damage” exclusions; “prior knowledge” and “prior act” exclusions; “security breach” and “unauthorized access” exclusions; and “contractual liability” exclusions that “carve back” for liability. “Intentional acts” exclusions are especially important.
IV. CONCLUSION
The proposed “best practices” model may serve the interests of businesses who rely on insurance brokers to provide a competitive cyberspace coverage policy but wish to better attune the policies offered to their corporation’s precise needs. The model may also serve the needs of corporations of all sizes who wish to directly procure policies that offer the broadest coverage available in the marketplace.