E-businesses and insurers face new risks simply by doing business online. As if competing in the hyper-fast, hyper-competitive internet market were not enough, it is possible to be wiped out from any one of a number of new and unpredictable angles. How to protect oneself from online risks, and the absence of adequate cover, are fast emerging as major business issues in the development of e-commerce.
Often the first risks that come to mind are hacking or business interruption risks, such as the cost to Yahoo when its sites were attacked or to eBay during its calamitous downtime, when it was overwhelmed with users. However, there are a host of other exposures, some well-known, others not. Some arise from litigation and some arise from electronic data damage, but exposure begins very much at home before anything is even posted on a website.
Simply having a web link creates a risk of hacking and the consequent exposure of a business's valuable data to invasion, whether for the purpose of theft or mischievous corruption. At the very least there is a risk of exposure to liability for failing to protect the data of third parties from such piracy.
Thus, it can be seen that a host of new types of claims will arise. Attacks on data are just one area, and the scope of liability will expand as governments begin to create internet-related laws or to adapt existing laws to internet usage. For Europeans, there will be compliance issues with data protection laws, so that breaches of security or misuse of that data over the internet will have statutory penalties and possibly ground third parties in lawsuits.
Such new risks will have the further disadvantage of being accompanied by a huge increase in both the severity of claims and the speed at which claims are made and required to be settled, given the global nature of the internet.
The economic conundrum is whether to transfer risk or “beef up” security. At a practical level, it is easy enough to have specialist hackers-for-hire come in and expose all the weaknesses of one's systems. But to achieve 100% security would inevitably mean making the system unusable for employees and irksome to customers.
Yet trying to price insurance suitable for the true range of exposures, and not just the limited products available today, turns upon unsettled methodologies for determining the value of intellectual property.
Issues for internet service providers
Consumers will be very concerned to see that their internet service providers (“ISPs”) do not buckle under the strain of compliance and of defending themselves against suits or prosecutions for their intermediary role in any issues affecting the businesses which they may host.
At a more practical level, ISPs will have to protect themselves against third party liability for denial of internet access or system failure. Who will pick up the costs if a customer loses out on a business opportunity because of an ISP's failure, and how will ISPs insure themselves against this risk given the huge potential for accumulations and the meagre availability of capacity?
Certainly it is possible to purchase cover for the repair costs of equipment failure, but what of the liability for failed security where systems fail to operate as intended? If a breach of a firewall allows invaders in to hack valuable data, what of a failure of a firewall which allows viruses to escape or spread? Who will be liable and who will provide the insurance cover?
The classic insurable exposure for business interruption is the loss of trade during downtime, but the risks do not simply end with lost sales. There is reputational damage, the opportunity cost on which competitors will capitalise, and actual liability to customers whose attempts to trade during that downtime have been frustrated and who have consequently suffered some loss.
There are also particular implications for web hosts if their downtime causes business interruption to their clients. Yet the question remains at both an intellectual and a practical level: how are policies to respond to losses based on non-physical business interruption, particularly where the complaint comes from a foreign jurisdiction on a basis which may well be different from the insurer's own legal system and understanding?
These issues will be especially acute for businesses such as banks, which are hosting for others. They will have multinational exposure for their guest's business interruption, whether it is the downtime itself or lost opportunities for the guest. In addition, the host business may find itself liable for wrongdoing by the guest where the host, for example, transmits false information supplied by the guest.
Recent legal developments have identified at least ten ways to be sued in respect of activities on the internet: trademarks, copyright and patent infringements of various sorts including statutory offences under recent US legislation; civil liability for misuse of trade secrets; defamation; civil liability for obstruction of free speech; employer liability for the online activities of employees; liability to customers for unfair business practices; frauds, hoaxes and forgeries; and criminal and civil liability for securities law infringement.
Trademarks, copyright and patents
These three fall under the head of intellectual property disputes, which will be the main battleground in the information age, but the fight will start at absurdly simple levels before even progressing to the arcana of copyright infringement. Thus, perfectly amicable businesses of the industrial age which have shared similar names whilst operating in different fields of industry will suddenly find themselves in domain name disputes with legitimate users of a similar name in different lines of business.
The dispute will turn upon who is to own and control the almighty “.com” appellation, together with the business name. “Prudential.com” could refer to an insurer, a financial advisor or a newspaper, among others. It is, of course, possible to have other dot domains, for example by country of operation, e.g. “.ky”, but for so long as “.com” is supreme, nothing else will do.
Disputes among friends are just for starters. There will also be litigation to prevent certain types of name piracy. Thus, there are claims against cybersquatters - sharp practitioners who register names to which they have no legitimate claim.
In the US, Congress has enacted legislation to deal with the issue, the Trademark Cyber Piracy Prevention Act, to prevent bad faith squatting. Similarly, there are typo-squatters who register names which are very slightly different to established businesses, so that a simple typographical error, when keying in the correct name, will take a customer to the squatter's site, for example “mirosoft”.
A more invidious form of trade identity competition is the practice of meta-tagging, which involves burying descriptions, key words and phrases in one's search engine that purloin a competitor's name or description. Thus, a search through Yahoo for “Porsche” will turn up a “Lada” because a distributor of “Lada” put “Porsche” in his meta-tags which catch a browser inquiry. Similarly, triggers for banner adverts can be infringing where the trigger could be a competitor's name so that going to the “Porsche” site could pull up a “Lada” advert.
Further breaches will be occasioned by competitors, or even innocent persons, which post copyright material on their own websites or even link their site to copyrighted material. In the US, Congress is considering the Digital Millennium Copyright Act which will protect hosts of old copyright material. Similarly, arguments will arise where businesses “frame” parts of other websites into their own webpage so as to imply a connection between the two enterprises.
Even those who benefit most from widespread publicity will want to control the use of their names and images. Hence, there will be increased litigation from the famous who will wish to govern their own publicity rights.
The legal and business worlds will find themselves on the cusp of a wave of new concepts of patentable subject matter, in particular business processes, for example “one click” ordering.
Businesses which create new ways of doing business online, or of navigating their site or the web generally, will wish to protect their innovation by registering the process as a patent, and either licensing it to others or barring others altogether. This will create a new class of insurance aimed at protecting businesses from the effect of “dormant” or “secret” patent registration; where a business, which has invested a fortune in devising a web-trading standard, could suddenly find itself thwarted by an obscure prior registration of a patent.
Businesses will be exposed to loss where e-mails containing sensitive business information are sent by careless or departing employees. This will have the effect of disclosure of trade secrets or, just as bad, the confidential information of clients of the employer. Not only will there be competitive loss but also liability to third parties for the breach of confidence. Equivalent damage, with a more difficult road to recovery, can be effected by anonymous postings on internet message boards.
Pursuing the posters of damaging information can be difficult and expensive, but US businesses are already putting themselves to the trouble of doing this to frighten off would-be cyber-hecklers who go beyond free speech and actively try to discredit a business. Such pursuits will have a knock-on effect for ISPs which will have subpoena compliance costs when target businesses go hunting for their attackers.
Employers will be responsible for their employees' online activities and the extent to which any of them source business information to be used for competitive purposes or otherwise. Liability can arise where the user has reason to know the information was obtained without authorisation.
Equally, employers can be liable to third parties for breach of client confidentiality by employees who, for example, post confidential client data on external websites or discuss client affairs in chat rooms.
In the US, at least, civil rights organisations will sue e-businesses where they judge that their rights of free speech are being encroached upon. Fortunately, such free speech issues do not seem to extend to employer/employee relationships, where disputes regarding internet access have usually been settled in the employer's favour.
The argument was that employers which monitor employee use of the internet during work hours were, therefore, snooping and invading the employees' privacy, but the courts have upheld the rights of employers to control their businesses' systems.
However, individuals are entitled in some jurisdictions to privacy of personal data, and cross-border litigation will result from personal data abuse. Another area of suit will be liability for unlicensed investment advice.
Internet business structure risk
In addition to the risks of business-to-business communications, there will be a need to insure against the risks of electronic corporate structuring which takes place internally and in alliance with others. This is because the much-touted ideal of tele-commuting exposes the employer to high risk with hacking and data loss occurring relatively frequently. Equally, the ideal model for global internet commerce - the alliance of different businesses on a particular project - has high risk for all parties as soon as they are wired together.
A more rarefied level of litigation will be shareholder suits based on accounting practices which inflate the revenues of internet companies. At present there are no accounting standards requiring internet companies which are in alliance with each other to show the netting effect of goods and services delivered between them.
As a result, sales may be booked in one entity for delivery through another on a barter basis, or some other form of business exchange, when, in fact, there is no actual cash sale to a customer. Such inflated “sales” have the effect of inflating the stock price of the companies in question. Internet risk factors will start to appear on financial reports.
Internet statutory breaches
Rules and standards, and associated actions for breach, will be on the increase. For example, the US is contemplating legislation to prohibit cyber-stalking. It will then be a crime to pursue people over the internet. The cost of policing this, and the compliance burden possibly placed on the ISPs, is another expense of doing business on the internet, which creates insurable risk.
What if an e-business knowingly or unknowingly assists a stalker? Considerations of liability are of acute concern for businesses that exist solely by virtue of the internet. If they are swamped with litigation and statutory responsibilities it could threaten their very existence, whereas traditional “bricks and mortar” businesses still have their real-world shops to fall back on whilst battling with the responsibilities of trading on the internet.
There is also content liability whether it is for accidental or intentional defamation of a competitor or for the professional responsibility assumed in any online advice given. Bermuda's Electronic Transactions Act 1999 has addressed this problem, in so far as ISPs are concerned, by stating that liability is limited to actual knowledge of error.
Whatever the cause, the result of data errors may enable parties to repudiate the purchase and charge back the credit card used to make the purchase. This will affect the companies which have made the sales and the credit card companies which have effected the settlements, as well as many others along the chain. There will be costs which the financiers and merchants may not be able to cover and against which they will wish to protect themselves.
Issues for advisers
So significant do US courts, at least, consider internet risk to be that malpractice suits have been successfully pursued against lawyers in the US for poor advice in those situations where lawyers did not advise of internet risks, notwithstanding the fact that they were engaged to advise on some other subject.
The same will soon be said of insurance brokers, whose Errors & Omissions (E&O) policies will need to cover failure to advise clients to protect themselves against e-risks.
With respect to brokers struggling to find the right cover for their clients where the issue is quantification of risk, one suggested method is to look at the cost involved in developing the intellectual property of the client and in carrying out the research which created its website, the value of revenue streams, any competitive advantage and the loss of reputation if one's systems were to be undermined.
For example, a bank would find it very difficult to recover trust once a hacker raided client accounts. Finally, one would need to try to quantify the costs if a substantial number of counterparties to the insured tried to repudiate contracts with the insured in the event of system loss.
Issues for insurers
Fights over copyright, ownership of trademarks and domain names, and assertions of a monopoly on a particular business process will all spawn massive litigation. Then there will be claims for unfair competition, where the set-up or “look” or “feel” of a website is similar to another's.
In some cases, the “feel” will be so distinct as to be capable of being patented, and thus patent infringement claims will be hugely significant. Likewise, defence costs for prosecutions and suits under the US's new Cybersquatting and Millennium Copyright Acts will also be substantial.
The stakes are obviously high - to be online or not to be online - but the risks are not only between two parties. A whole new class of indemnity risk claims will arise as third parties come to rely on the services of online businesses and of access providers. The best advice is to be aggressive in writing the cover because to miss this market as it rises is to miss out on building market share and the depth of expertise in what will be the main area for commercial risk in the future. The essential thing is to define and cap the exposure.
The global scale of exposure means that no one insurer will be able to provide their clients with “soup-to-nuts” cover; the accumulations build up too quickly and too widely. There is an obvious need for alliances and massive catastrophe protections.
The internet exacerbates loss
One of the largest elements of cost will be the demand for high-speed repair of any malfunction. Damage will accumulate at lightning speed for every minute that an e-business is offline, and so time is of the essence. Insurers will have to work with clients to control the repair process and stand ready to make cash settlements to enable repair almost before all the elements of any claim have been worked out - a very difficult proposition for insurers indeed, but loss control will likely be as important as the minutiae of policy wordings.
Insurers should concentrate on reinsurance protection. The wild card in the attempts to structure insurance protection for internet risks is the sheer global nature of the internet. There will be multi-jurisdictional damages exposures, plus multi-jurisdictional defence costs. A simple example is afforded by considering that internet advertising is worldwide, with infringement or liability potential in multiple jurisdictions. What would a Chilean court make of a German automobile manufacturer's advertising assertions on the website of a Mexican distributor accessed from Chile?
This all raises the question of how the insurers are responding. Certainly, a criticism that has been levelled is that new policy forms are needed. A further problem is that insurers are using their standard forms with no real control of accumulations. Then there is the troublesome issue of punitive damages cover. Many insurers are diffident in providing punitive cover, but the aggressive penalties of new US intellectual property and internet laws make the possibility of exposure very real. However, issues of public policy and enforceability of penalty cover arise.
Yet as the global nature of the internet manifests itself, the courts of other jurisdictions, not just the US, will impose penalties on e-businesses in circumstances not necessarily reconcilable with US public policy or any other known precepts. Thus, it will be essential for businesses to obtain some sort of cover, and if insurers wish to retain the business they will have to develop a high degree of creativity.
Problems with policies
In considering how to insure against the risks ranging from hacking to loss of intellectual property or reputation and beyond, the insurers and reinsurers have had to grapple with clear but unquantifiable loss calculations. There is simply insufficient historical data to go by. Further, insurers are trapped by well-established “industrial age” insurance concepts which are central to the forms of their policies. Certainly, efforts are being made to create internet-ready products, but there is still much embedded insurance software, as it were.
As a result, the entire area of tampering with electronic data is fraught with definitional issues for insurers, currently rendering the insurance of theft, disclosure or damage to electronic data very difficult.
Property/casualty coverage typically includes notice of “physical” damage, which clearly does not apply if the business operates online. Likewise, it is difficult to define and protect against malicious codes and “viruses”.
From tampering with the system supporting e-businesses other consequences flow, such as the denial of service to clients with the consequent liability to them. Indeed, what of the liability where a system failure allows access violations to a client's account?
Whilst it is clear enough to conceive of the risk, if not the solution, when there is fault somewhere, what if all these horrors arise by reason of simple programming errors? There is no “damage” or “intrusion” - just a business that was set up incorrectly in the first place, and insurers do not generally see themselves as responsible for that. Yet, in the internet world of globalised exposure to loss and liability, there is a clear imperative for an E&O solution to programming risk.
At a more fundamental level, static policy forms are poor performers in internet time. E-businesses may well recognise they need cover, but the young busy entrepreneurs of the internet age, with their small staffs, simply do not have the time to complete the application forms of traditional insurers.
What they are saying is: “If you want to sell to me, you do the work.” Thus insurers will need, at the very least, to automate their forms. The product must adapt to the environment. Ultimately, policy applicants will simply refuse to fill in questionnaires, instead insisting that the insurer should go into the client's website and make their own analysis.
Trapped in bricks and mortar insurance
All of these issues raise the question of whether traditional insurance products respond to online risks, to which the answer seems to be a resounding “no”. What are the new products being developed and by whom? Typically, property/casualty coverage includes notice of “physical” damage, which does not apply if the business operates online.
Similarly, liability coverage is for bodily injury or property damage, though under a liability policy “property” is more broadly defined to include “loss of use” of property.
The catch is the definition of “damage”; what is “damage” to electronic data which has been copied or forced “offline” by reason of a programming error? On the basis of traditional thinking, insurers want to distinguish between “business risks” and “accident”. Thus, a general liability property definition refers to loss of use of “tangible” property, and it is a stretch to define electronic impulses as “tangible”.
Also, insurers are concerned with insuring unpredictable events, not insuring business for doing business the wrong way. Many of the risks of the electronic world turn on securing system structures and ensuring that business alliances and outsourced services are reliable. Poor judgment or bad business luck is sometimes viewed as the “real” reason for a loss. It is feared that the removal of physical barriers opens up greater scope for loss of profit arguments.
Underwriting guidelines for the information age
Before a business can begin properly to assess its online risks, it needs a sophisticated international team with knowledge of different cultures and legal systems. This is not often available but must be approximated because jurisdiction risk in the global internet business environment is the magnifier which alters both the type and quantum of risk beyond anything known today.
The underwriter or risk manager ought to focus on risk control, beginning at the moment of transition of a traditional business into an e-business, or turn such focus to the business plan of a start-up.
In examining these processes a risk manager creates a risk map, highlighting all the areas of risk and then attaching a value to each. Thereafter, one describes risk control techniques for each risk point, together with the financial tools for funding loss at each risk point, tailored to that specific point.
But before even thinking about insurance one should first consider the avoidance of risk, and certainly the control of risk both before and after a risk event. On the risk funding side, one ought to examine non-insurance risk transfers such as pre-set loan facilities.
Risk points on the map
There are numerous, non-exhaustive points of risk in an e-business for the risk manager to consider: financial; technical; political/social; organisational; customers; employees; products; operational; physical. The non-exhaustive nature of the list means there are many “unknowns”, hence the need for as wide a team of multi-jurisdictional multi-disciplined staff as possible.
At each point, gather data and set benchmarks for loss quantification where there is historical information or an industry standard. Develop risk models and scenarios for worst-case developments. At each point, ask how much risk the business can retain and how much it should retain, and then ask what is to be done with the risk that is not to be retained.
Having examined alternative ways of transferring risk before seeking insurance, if all that remains is insurance, then price and coverage will be a function of the size of the business. Specialised coverages are available, but these are limited in different ways.
Nevertheless, in response to the demand for cover there are about 50 different policies on the market, many of which try to bridge the problems described. AIG, Royal and Lloyd's are all designing covers but none of them can be said to be cure-alls, partly because the potential exposure to insurers is so huge. Loss can be total, even though the actual “incident”, at first sight, appears to be manageable.
This is because there is no motive to settle a confrontation, as a competitor can get all its competitor's business very quickly by taking it offline in, say, an infringement case, as there is no physical limit to business capacity.
Thus, whereas a bricks and mortar company could never take on all of a competitor's clients at once, a web business simply ratchets up its servers and, at a stroke, scoops up all of its competitor's clients.
Still gaps in coverage
The coverage gaps to be closed by any of these possible “solutions” are, for example, that policies protect intellectual property but only for internet exposures, which leaves short the many other ways of infringing in the e-business world. Then there are E&O policies which don't work well enough in defining the “acts” and “business model” covered in a web environment.
Other lacunae are: virus cover excludes property damage liability; occurrence forms exclude pre-existing issues; business income coverage; interruption of service liability; public relations coverage; e-publishing liability; and protection for difference in conditions.
This then is the brave new world of internet insurance and the loss control exercises that every online business will need to consider. There will still need to be a lot of prevention and a lot of cure in the globalised world of e-risk exposure.
Warren Cabral is a partner at Bermuda law firm Appleby, Spurling & Kempe, where he is practice leader, intellectual property and information technology.