First-Party E-Commerce Risks

The first article in this series provided a general overview of how policyholders, insurance brokers, and insurers are responding to the increased awareness of e-commerce risks. This article examines one aspect of the insurance program issues relating to this subject. Namely, what are the gaps in traditional insurance policies with respect to first-party e-commerce risks, and what can policyholders do to cover those gaps? The last article discusses insurance issues for "third-party" liability risks associated with e-commerce activities.

First-Party Risks

"First-party risks" are the risks generally covered by commercial property policies, commercial crime policies, fidelity bonds, and kidnap and ransom policies. It is true that these types of policies can also provide liability coverage in the context of such first-party losses, when a third party seeks to impose liability on the insured for a loss that is recognized as a first-party loss under the policy. However, the focus of the discussion here is on the first-party loss itself.

Commercial Property Policy Issues

With respect to commercial property policies, one gap relating to e-commerce risks comes in the form of the requirement in most all-risk policies that there be "physical loss or damage" to property to trigger both the property damage and time element (e.g., business interruption and extra expense) coverages of the policy. Some e-commerce risks involve "nonphysical events," where it is not clear that "physical loss or damage" to property has occurred.

Denial of Service Attacks. The most frequently referenced example of a "nonphysical event" e-commerce loss is a denial of service attack, where an insured's website is bombarded with millions of e-mails from a bogus source, thereby blocking access to the site by legitimate users. (Technically, the computer server hosting the website is what has been attacked. So, whenever "website" is mentioned in this article, it is actually the computer server hosting the website that is being referred to.)

A well-publicized spat of denial of access attacks occurred in February of this year, to web-based companies such as e-Bay and others. Does such an event constitute "physical loss or damage" to any property? Insurers say, "No." Courts most likely will side with the insurance industry on this issue. If so, such a loss probably will not trigger either property damage coverage or time element coverage in a traditional commercial property policy.

Indemnity Period Provisions. Another gap occurs via the "indemnity period" provisions of a commercial property policy. These provisions are "key" for the time element coverage provided by such a policy, because they determine the time period from inception of a loss for which the insured gets to claim coverage for lost income, extra expenses, and other time element losses. However, the indemnity period provisions in standard commercial property policies are not well suited for all e-commerce risks, even if the e-commerce event at issue triggers coverage in the first instance (i.e., triggers the "physical loss or damage" requirement).

For example, some traditional policies provide that the indemnity period relating to losses involving computer data, software, programs, etc. (typically those items of property falling within the definition of "electronic data processing media" covered by the policy), is the time it takes to copy lost or destroyed media from backup tapes or the previous generation of such media. If that time period is minimal (e.g., a few hours or so), that time period might not encompass the full period for which the insured sustained time element losses.

It is true that some traditional policies provide broader indemnity period provisions for electronic data processing (EDP) media, such as the time it takes to replace or restore lost or damaged media, including research and engineering costs. However, what if the loss at issue does not involve lost or destroyed computer data, programs, software, etc., but rather simply involves the rendering of a website or computer system useless for a period of time to eradicate a computer virus or respond to other problems that do not involve the actual destruction or corruption of computer data, software, or programs?

Computer Viruses. In addition to denial of service attacks, this issue might also arise with certain types of computer viruses, such as the recent "I Love You" virus. Early reports show that that virus did, indeed, cause damage to computer data, software, and/or programs. However, it also appears that in most if not all cases, that damage was not to critical operating systems, and insureds shut down their computer systems to prevent the spread of the virus.

In other words, viruses like the "I Love You" virus appear to be conceptually different than viruses that cause a system or website to go down because they delete, destroy, or otherwise corrupt data, software, or programs that are essential to running the system or website. The system or website is thereby rendered inoperable unless and until the lost, damaged, or corrupted data is restored or replaced.

In brief, with respect to the "I Love You" virus and similar viruses in the future, insurers whose policies are worded correctly likely will recognize coverage for the cost to replace or restore any data, software, or programs lost or damaged because of the virus. However, we have a hunch that most insurers will not recognize coverage for time element losses related to such viruses. They will argue that time element losses did not flow directly from the lost or damaged data, software, or programs; rather, they flowed from the voluntary shutdown of the insured's computer system.

Although insureds have arguments to rebut such a position and to argue otherwise for coverage of their loss, until such coverage issues are resolved by the courts, sound risk management should treat it as an issue that needs to be expressly addressed in an insurance program, if for nothing more than to confirm that the insurer's intent conforms with the insured's expectations of coverage.

Employee Dishonesty. Another risk with respect to commercial property policies deals with employee dishonesty. Most commercial property policies contain an exclusion for loss caused by employee theft. Some policies even exclude loss caused by employee malicious destruction. Even with this latter provision removed, the policy still will exclude loss caused by employee theft.

Insureds may not think that is a problem, because employee theft losses are covered by commercial crime policies and fidelity bonds. However, such policies and bonds contain a time element loss exclusion. This means that while the property loss might be covered, the time element losses are not.

Commercial Crime Policy and Fidelity Bond Issues

Standard commercial crime policies and fidelity bonds contain a time element exclusion. The exclusion bars coverage for business interruption, extra expense, etc. The exclusion does not use such words, but that is how courts have interpreted it. The exclusion typically is labeled the "potential income" or "indirect loss" exclusion, or some other similar name.

So, if your e-commerce loss is an employee theft loss, the big surprise is this: It will not be covered under your commercial property policy because of the employee theft exclusion. Therefore, you must look to your commercial crime policy or fidelity bond. But that policy does not cover time element losses. Can you say "gap" in coverage? This important coverage gap with respect to e-commerce risks and commercial crime policies and fidelity bonds is big enough to drive a truck through.

Another gap for e-commerce risks has to deal with valuation issues for stolen computer data, software, or programs. Whereas standard commercial property policies that have been slightly amended contain detailed valuation provisions for lost or damaged data, software, or programs, standard commercial crime policies and fidelity bonds do not. Such policies typically provide coverage for the lesser of the actual cash value of the stolen property or replacement cost. It is not clear how much, if any, coverage will be provided for stolen EDP media under such valuation provisions.

Kidnap and Ransom (K&R) Policy Issues

E-commerce activities invite extortion risks. Consider the following scenarios.

• A computer hacker demands money or something else of value from an insured under threat of unleashing a denial of service attack against the insured's computer system or website.
• A computer hacker threatens to attack an insured's computer system or website with a virus that will delete, destroy, or otherwise corrupt the key operating data, software, or programs necessary to operate such system or website.
• A computer hacker threatens to hack into the insured's computer system and delete important information, perhaps not information necessary to run key operations, but important information nonetheless (e.g., proprietary manufacturing, marketing, human resources, legal, or other information).

Some K&R policies limit coverage for extortion to threat of bodily injury. Obviously, such wording does not respond to the risk mentioned here. Some K&R policies do extend coverage to threat of damage to property. However, it is not clear whether such wording will respond to threats of denial of service attacks and other computer viruses that do not damage or destroy computer data, software, or programs, but instead merely render such property useless.

Closing the Gaps with New E-Commerce Insurance Policies

Several insurers have created and are selling stand-alone policies to cover one or all of these issues. The policy forms currently available include the following.

• Marsh's Net Secure program, underwritten by a consortium of insurers
• The E-Risk policy from Fidelity and Deposit Companies, a member of Zurich
• The Secure System policy from ACE USA
• The Networker policy from St. Paul
• Several policy forms from different Lloyd's facilities

AIG and Chubb also have policies under development. Some of these programs provide both first-party coverage and liability coverage, where the insured can pick and choose the coverages. And some of these programs can be purchased on either a difference-in-conditions/difference-in-limits (DIC/DIL) basis or primary basis.

These policy forms are in a state of flux, with the insurers apparently reviewing each other's forms to try to address the same issues as much as possible. A more detailed comparison of these and other forms, and the issues to consider when buying them, will be the subject of future articles in this series. Suffice it to say, however, that with respect to first-party risks, practically all of these policies provide some form of coverage for each of the issues raised above.

So, one way for an insured to close these gaps in coverage is simply to buy one of these new policies, at least on a DIC/DIL basis. In that way, if an e-commerce loss falls through the cracks of the insured's program as constituted by traditional policies, the stand-alone e-commerce policy should respond to the loss.

Closing the Gaps by Amending Traditional First-Party Policies

There is an alternative to buying one of the new e-commerce policies, at least theoretically. In brief, an insured could amend one or more of the policies to cover the gaps at issue.

For example, an insured could add express language to its commercial property policy describing all the different types of loss events it could experience with respect to its computer systems, website, data, software, programs, etc., and then stating that all of such events shall be deemed physical loss or damage for the purposes of coverage under the policy. The insured can also amend the "indemnity period" provisions to more closely tie into such special "physical loss or damage" language so that the time element coverage matches up with e-commerce risks. Also, the insured will want to make sure that the employee dishonesty exclusion is limited to employee theft and excepts all other forms of "physical loss or damage" to property caused by an employee.

An insured also could delete the potential income or indirect loss exclusion (however worded) in its commercial crime policy or fidelity bond. The insured might want to consider adding express language for time element losses (both business interruption and extra expense at a minimum), rather than simply relying on the deletion of the exclusion.

The insured also might want to amend the valuation provisions to more closely mirror the valuation provisions in its commercial property policy. In this way, whether the property is stolen by a third person (where the commercial property policy would respond) or by an employee of the insured (where the commercial crime policy or fidelity bond would respond), the coverage provided by the different policies in the insured's program should be the same.

Finally, the insured will want to amend its extortion coverage in its kidnap and ransom policy to address e-commerce extortion risks or perhaps add the coverage to its commercial crime policy, fidelity bond, or commercial property policy. Several options could be available, but the point is that it needs to be covered somewhere in the insured's program.

Indeed, there are any number of ways to add such coverages into an insurance program. Much will depend on how the insured's program currently is structured (i.e., what is already in the insured's policies) and its insurers' willingness to amend their policies. That is the hitch. To date, most insurers selling the traditional policies discussed in this article are not willing to amend their policies to cover the gaps relating to e-commerce risks. So, while such amendments are theoretically possible, it remains to be seen whether they will become practically possible.

Conclusion

As discussed in the first article of this series, Fortune 1000 companies in the United States by and large are taking the position that the insurance industry should respond to first-party e-commerce risks by amending traditional policies to cover the gaps. These firms do not want to buy and administer yet another stand-alone insurance program. In contrast, startup and middle market companies, especially dot com companies, which lack a sophisticated risk manager and premium clout, are buying the new policies to address these risks.

The insurance industry to date has not shown much interest in the desires of most Fortune 1000 companies in regard to these issues. Commercial property insurers do not want to insure "nonphysical events." Commercial crime and fidelity insurers do not want to insure time element losses. And K&R insurers are wary.

The insurance brokerage community appears to be assessing the situation. Smart brokers appreciate the different policyholder markets and are selling the new products to the smaller/startup companies, while helping their Fortune 1000 clients try to amend their current policies or otherwise finance e-commerce risks with alternative risk transfer solutions.

Although it is anyone's guess how these issues will play out, Fortune 1000 companies will probably eventually be successful in persuading insurers to amend their policies to cover first-party e-commerce risks. By that time, however, there will be an established market for stand-alone e-commerce policies that are being purchased by middle market and startup companies, and brokers will respond accordingly.

Coming Up Next ...

The next edition of this column discusses insurance issues for "third-party" liability risks associated with e-commerce activities. There is a discussion of the gaps in traditional liability policies for such risks, how the new e-commerce liability policies respond to them, and how insureds are reacting to these issues.