Third-Party Liability E-Commerce Risks and Traditional Insurance Programs
August 2000
This article discusses e-commerce risks in
the context of the potential coverage gaps in traditional insurance programs
for many corporate insureds. Its objective is to help you better understand
how to review an insurance program with respect to e-commerce risks, as well
as to evaluate the need for special e-commerce insurance policies.
by Michael
A. Rossi
Insurance Law
Group, Inc.
This is the third installment in a series of articles discussing insurance
issues for e-commerce risks. The first article provides
a brief overview of the subject matter and gives some indication of the direction
of this column. The second article provides a discussion
of insurance issues for "first-party" e-commerce risks. This article discusses
insurance issues for "third-party" liability risks associated with e-commerce
activities.
Third-Party Liability Risks
Many of the articles written on the subject of liability risks associated
with e-commerce activities provide a litany of the different types of third-party
liability risk exposures for e-commerce activities. Rather than address the
issues in that way, this article discusses the risk issues in the context of
the potential coverage gaps in traditional insurance programs for many corporate
insureds. Therefore, the discussion of liability risks set forth below is intended
not to be comprehensive, but rather illustrative, and to help you better understand
how to review any insurance program with respect to e-commerce risks, as well
as to review the new e-commerce insurance policies.
Program Comprehensiveness
One reason for much of the debate about coverage for e-commerce risks among
risk and insurance professionals is that the liability programs of many corporate
insureds do not include all of the coverages needed to respond to liability
risks associated with e-commerce activities. This is markedly different than
with insurance for first-party risks, where most corporate insureds already
have the necessary basic coverages in their programs (even if those coverages
need to be enhanced a bit to fill potential gaps in coverage, as discussed in
"First-Party E-Commerce Risks.").
At a minimum, insureds will need some form of the following three coverages,
or their equivalent, in their liability insurance program to respond to e-commerce
liability risks: (a) commercial general liability (or umbrella liability), (b)
professional liability, and (c) multimedia errors & omissions. However, many
corporate insureds have only standard CGL, umbrella, and excess liability coverage
in their programs. As will be explained below, these corporate insureds have
the most issues to address if they want their liability risks for e-commerce
activities more fully covered.
In contrast, some corporate insureds do have all three of these coverages,
either in stand-alone policies or rolled into one manuscripted liability policy
at a primary or umbrella layer. The risk managers of such organizations are
the most vociferous in their opinion that they have no need for any of the new
stand-alone e-commerce insurance policies. They might be right, but the point
for them to recognize is that many U.S. Fortune 1000 companies have only standard
CGL, umbrella, and excess liability coverage, and that stand-alone e-commerce
insurance might be a viable option for those companies.
Why Is Standard CGL or Umbrella Coverage Not Sufficient for E-Commerce Risks?
Standard CGL or umbrella coverage is not sufficient for e-commerce risks
for a variety of reasons. True, some e-commerce risks can be covered by traditional
CGL or umbrella wording, just like a host of other types of liability claims,
and the fact that such claims involve e-commerce activities will not affect
the coverage afforded. However, there are several risks associated with e-commerce
activities that likely will prove problematic for coverage under traditional
CGL and umbrella wording. The risks set forth below are illustrative of the
problems that may be encountered (the discussion is not intended to be exhaustive).
Invasion of privacy. E-commerce activities
pose a risk of liability for invasion, infringement, or interference with rights
of privacy that could be problematic for traditional CGL and umbrella insurance
wording. That is because traditional wording provides coverage for invasion
of rights of privacy caused by the publication or utterance of information that
violates a person's right of privacy. In other words, the "triggering" language
in the policy is that the information must be disseminated. But the risk posed
by e-commerce activity is not so limited-the "big" privacy risk being discussed
is risk of liability for merely gathering information about someone who visits
a Web site without that person knowing that information about him or her is
being gathered-there does not need to be any dissemination of the information
for the company's conduct to be actionable. A CGL or umbrella insurer faced
with the insured's tender of such a claim likely will deny coverage on the basis
that the insured's liability has nothing to do with disseminating information,
but rather has only to do with the gathering of information. This is a potentially
large gap in traditional CGL and umbrella wording for risks posed by e-commerce
activities.
Infringement of intellectual property rights. E-commerce activities pose a risk of liability for infringement of intellectual
property rights, such as infringement of patent, trademark, copyright, right
of publicity, and the like. Some of these risks are covered under standard CGL
and umbrella wording. However, some of these risks are not covered for any of
the following reasons.
First, the claimed injury must be "causally connected" to the insured's advertising
activities. That is because much of the coverage for such risks will be provided
by the "advertising injury" coverage in a CGL or umbrella policy. But that coverage
only responds if the injury arises out of the insured's "advertising activities."
One of the problems associated with e-commerce activities is that an insured
could be faced with liability because a third person's advertisement on its
Web site (e.g., a banner ad) is the source of infringing material. For such
claims, CGL and umbrella insurers are already denying coverage, on the basis
that such a claim does not arise out of the insured's advertising activities.
There also is the possibility that courts might not construe the insured's
Internet and Web site activity as "advertising activity." In this case, none
of the intellectual property claims based on such activity can be covered "advertising
injury" under a CGL or umbrella policy. One example of that problem concerns
the risk that some of the computer software, programs, or hardware being used
by the insured to conduct its e-commerce activities might be infringing someone
else's intellectual property rights.
Second, even if the claimed injury does arise out of the insured's advertising
activities, the injury still must fall within one of the specified "offenses"
set forth in the standard definition of "advertising injury" in the CGL or umbrella
policy. Some of the intellectual property risks associated with e-commerce activities
likely fall outside of such definitions. For example, the risk of infringement
of the right of publicity likely does not fall within the scope of the definitions.
Many courts also do not recognize coverage for patent infringement under newer
standard CGL wording (i.e., the wording that does not include "piracy" and "unfair
competition" but rather includes only "infringement of copyright, title, or
slogan").
Third, many CGL insurers are issuing their policies with very narrow "advertising
injury" coverage. Such narrow provisions limit coverage to infringement of trademarked
or copyrighted advertising materials and specify that the infringement must
be caused by the insured's paid advertisement in a newspaper, magazine, television
ad, or other medium. Such language severely restricts the extent of coverage
for intellectual property risks posed by e-commerce activities.
These potential "gaps" for the risks discussed above are not new. Indeed,
these issues were discussed at length a few years ago in the October 1997 issue
of "The Risk Report."
The "solution" at that time was to purchase some form of media errors and omissions
insurance, typically termed something like "multimedia" liability insurance.
Although those forms covered the types of risks discussed here, coverage for
Internet activities had to be added by endorsement, because other forms of media
(CD-ROM, video games, and the like, in addition to standard forms of broadcasting,
publishing, and advertising) were the main concern of those insurance products.
Interestingly, those older multimedia forms serve as part of the platform for
many of the new e-commerce liability insurance products.
Damage to third person's computer data, software,
programs, or computer network. E-commerce activities pose a risk of liability
for causing damage to another person's computer data, software, programs, computer
network, and the like. This could occur, for example, by infecting a customer's
or supplier's computer system with a virus. If that customer or supplier suffers
damage, it could present a claim against the insured for that damage, and all
consequential losses suffered because of that damage (e.g., lost profits, repair
costs, extra expenses, etc.). The question raised by such a claim scenario is
whether the claimant is seeking damages because of "property damage" as that
term is defined in standard CGL and umbrella policies. The standard policies
used in the United States define "property damage" as meaning "physical" injury
to "tangible property" or loss of use of "tangible property" that has not been
"physically injured." Throughout 1998 and 1999 in the United States, and even
today, insurance companies and their lawyers were taking the position that computer
data, programs, software, and networks do not constitute "tangible property"
as contemplated by the definition of "property damage" in CGL and umbrella policies
(this position was taken to, among other things, posture insurers so that they
could deny coverage for Y2K claims). U.S. courts have not fully resolved this
coverage question (although several courts have found in non-insurance coverage
cases that computer data is "tangible property"). In any event, until this issue
is resolved, it poses a large potential gap in traditional CGL and umbrella
coverage for e-commerce risks.
Pure financial losses sustained by a customer or supplier. In addition to the scenario outlined above (where the insured causes the spread
of a computer virus to a customer or supplier), there are other risks of loss
faced by the insured's customers and suppliers. For example, what if the insured's
computer network or Web site "crashes," sustains a "denial of service" attack,
or for some other reason is inaccessible by the insured's customers and suppliers?
And what if, as a result of such inaccessibility, the insured's customers and/or
suppliers sustain a purely financial loss (i.e., a financial loss not caused
by "physical injury" to "tangible property" so as to be covered "property damage"
by a standard CGL or umbrella policy)? How are such claims going to be covered
by a standard CGL or umbrella policy? The answer is that they likely are not
covered. Such claim scenarios have been the subject of much coverage litigation
in the United States for decades. The general consensus among U.S. courts is
that the only time that financial losses sustained by third persons can be covered
under a CGL or umbrella policy is when the losses result from or flow from "property
damage" as defined by the particular CGL or umbrella policy at issue.
It should be noted that risks of such "pure financial loss" also are not
new to many corporate insureds. The insurance "solution" in times past to fill
the gap in insurance programs for such risk typically has been some form of
professional liability/errors and omissions coverage. To avoid confusing it
with the "multimedia errors and omissions" coverage discussed above, we will
simply call it "professional liability" coverage. Professional liability coverage
typically is intended to work hand-in-glove with an insured's CGL and umbrella
program. For example, if the insured's activities or products cause physical
injury to property, then the insured's CGL or umbrella policy should respond,
but not the professional liability policy. However, if the insured's activities
or products do not cause physical injury to property, then the professional
liability policy should respond, but not the CGL or umbrella policies. Finally,
it also is important to note that, as with the older multimedia E&O insurance
forms, these professional liability insurance forms serve as part of the platform
for many of the new e-commerce liability insurance products.
Discussion of Risks Is Intended To Be Illustrative
As noted above, this discussion is not intended to provide a comprehensive
listing of third-party liability risks associated with e-commerce activities.
Rather, it is intended to illustrate the types of risks at issue, to show how
such risks fit within three types of coverages: (a) CGL and umbrella insurance,
(b) multimedia errors and omissions insurance, and (b) professional liability
insurance. Understanding these three types of coverages and how they insure
different types of risks is essential to understanding not only the key features
of the new stand-alone e-commerce liability insurance policies, but also to
understanding how to amend an insurance program to better respond to e-commerce
liability risks.
Closing the Gaps for Liability Risks with New E-Commerce Insurance Policies
The insurance industry has responded to the potential gaps discussed above
with a proliferation of new e-commerce insurance products intended to respond
to liability risks. The names of these policies are quite fanciful, even if,
as will be explained below, the liability insurance coverages provided by them
are not really all that novel. For example, AIG is selling the "netAdvantage
Internet Professional Liability Policy"; Chubb is selling the "Safety'Net Internet
Liability Policy"; Zurich is selling the "E-Risk Protection Policy"; Royal is
selling the "Computer, Telecommunications and Internet Services Liability Coverage"
policy; Gulf (through Media/Professional Liability) is selling the "CyberLiability
Plus Insurance Policy"; and Great American (through Tamarack) is selling the
"Dot.Com Errors and Omissions Liability Insurance Policy." These are just examples
of the new e-commerce insurance policies for liability risks being offered in
the United States. There are a host of other policies available in the United
States from several different Lloyd's facilities and several other U.S. insurers.
These policies are designed to insure some or all of the risks discussed
above. So, for those companies whose liability insurance program consists of
only standard CGL, umbrella, and excess liability policies, buying one of these
new e-commerce insurance policies is a viable option.
However, looking beyond the labels and "buzz words" used in the policies
and focusing on the substance of the coverage being provided, one is almost
immediately struck by the following observation. With respect to the liability
insurance coverages provided (some of the policies also provide coverage for
first-party risks), these policies are not much more than combined multimedia
errors and omissions and professional liability coverages. Indeed, some of the
policies are blatant in this respect, by setting forth different insuring agreements,
one entitled something like "professional services coverage" and the other entitled
something like "media errors and omissions coverage" or "publisher's errors
and omissions coverage."
This observation leads to two very important considerations for companies
attempting to address their e-commerce liability risks when their insurance
programs currently consist only of standard CGL, umbrella, and excess liability
insurance. First, they need to realize that their choices are not limited to
forgoing coverage or buying one of these new e-commerce insurance policies.
They could insure the risks by adding amended professional liability and multimedia
errors and omissions coverage to their programs (that issue is discussed below).
Second, the new e-commerce insurance policy forms and endorsements must be
carefully reviewed to make sure that the quoted coverage covers all the professional
liability and media errors and omissions risks that otherwise would be insured
by buying professional liability and multimedia errors and omissions coverage.
Some of the policy forms come up short in one coverage area or the other, either
focusing on the professional liability aspect to the detriment of the media
errors and omissions aspect or leaving out one of the coverages altogether.
And some of the insurers with policy forms that contain both coverages are quoting
with exclusionary endorsements that delete one of the coverages. These two realities
are because the market for this insurance is young, and some of the underwriters
for the insurance are not experienced in or comfortable with both professional
liability or media errors and omissions underwriting.
Third, regardless of which course of action a company takes, it must also
realize that in any event it should try to amend its CGL and/or umbrella policies
to address some of the gaps mentioned above (and any other gaps) for any risks
that it actually wants to be covered under those policies. For example, most
insureds seem to prefer having coverage for the invasion of privacy risk run
through the CGL and/or umbrella program and therefore are trying to amend the
definitions of "personal injury" and "advertising injury" to accommodate the
risk. In other words, they are trying to delete the requirement of "publication
or utterance" so that the wording reads something like, "any form of infringement
of, interference with, or invasion of privacy."
Closing the "Gaps" for Liability Risks with Traditional Insurance Policies
As with first-party e-commerce risks, the question must be asked: Does an
insured have to buy one of these new e-commerce insurance policies to insure
its e-commerce liability risks? Whereas the answer with respect to first-party
e-commerce risks is "in theory, no, but in practice perhaps yes for now," the
answer with respect to liability e-commerce risks is "in practice, no." As noted
above, in many ways the new e-commerce liability insurance policies are nothing
more than a combination of one old standard coverage-professional liability
insurance-with one newer standard coverage-multimedia errors and omissions.
Thus, those insureds who have a program using only standard CGL, umbrella,
and excess liability insurance should be able to simply add traditional professional
liability and multimedia errors and omissions coverage to their program, making
some adjustments to confirm coverage for e-commerce exposures. Some of the issues
that also will need to be addressed include the following.
- Does the insured want to have such coverage on a primary level?
- If so, should such coverages be bought separately or in a combined policy,
and can the coverage be scheduled as underlying insurance on the umbrella
policy, or must the insured maintain a separate tower of insurance for the
coverage?
- If the insured does not want such coverage on a primary level, can the
coverage be built into the insured's umbrella program?
And regardless of how such coverage is built into the program, an insured
still should consider whether there are any adjustments that should be made
to the CGL or umbrella program to better insure e-commerce risks that the insured
prefers to run through that coverage. Finally, all of these coverages should
be reviewed to minimize coverage overlaps. In other words, the risks can be
covered in more than one place; the job for the insured is to determine where
to place the coverage in the program to maximize coverage with least cost and
inefficiencies.
Those insureds who already have professional liability and multimedia errors
and omissions coverage in their programs (whether with stand-alone policies
or manuscripted policies at a primary or umbrella layer) should be able to review
their program to determine what, if any, gaps exist and to close all identified
gaps with further amendments to the policies. This is why the risk managers
of such companies are so vociferous in their opinion that there is no need for
the new e-commerce liability insurance policies. Again, however, such risk managers
should realize that many U.S. Fortune 1000 companies do not have any form of
media errors and omissions or professional liability coverages in their programs
and that, therefore, such companies could use such new e-commerce policies,
or the types of coverages provided by them (i.e., professional liability and
multimedia errors and omissions coverage).
With respect to liability insurance issues, all of the foregoing scenarios
are being played out in the U.S. market (as well as several other insurance
markets around the world, such as the United Kingdom and Australia). Some insureds
already have the basic coverages needed in their liability insurance programs
to respond to e-commerce liability risks and are merely reviewing their programs
to confirm coverage intent with their insurers and/or are amending some of the
policies where necessary. Some insureds have only standard CGL, umbrella, and
excess liability policies in their programs and are either adding standard professional
liability and multimedia errors and omissions coverage into their programs or
are buying one of the new e-commerce insurance policies.
Concluding Thoughts
In the final analysis, risk and insurance professionals should not be led
astray by the hype surrounding the new e-commerce insurance policies. Nor should
they ignore the issue, believing those risk managers who say that there is no
need to address e-commerce insurance issues with new policies or amended traditional
policies. Rather, insurance professionals should gain an understanding of the
issues and develop the knowledge to review the options and choose the best alternatives
for their companies.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.