Expert Commentary

Third-Party Liability E-Commerce Risks and Traditional Insurance Programs

This article discusses e-commerce risks in the context of the potential coverage gaps in traditional insurance programs for many corporate insureds. Its objective is to help you better understand how to review an insurance program with respect to e-commerce risks, as well as to evaluate the need for special e-commerce insurance policies.


Cyber and Privacy Risk and Insurance
August 2000

This is the third installment in a series of articles discussing insurance issues for e-commerce risks. The first article provides a brief overview of e-commerce risks and gives some indication of the direction of this column. The second article provides a discussion of insurance issues for "first-party" e-commerce risks. This article discusses insurance issues for "third-party" liability risks associated with e-commerce activities.

Third-Party Liability Risks

Many of the articles written on the subject of liability risks associated with e-commerce activities provide a litany of the different types of third-party liability risk exposures for e-commerce activities. Rather than address the issues in that way, this article discusses the risk issues in the context of the potential coverage gaps in traditional insurance programs for many corporate insureds. Therefore, the discussion of liability risks set forth below is intended not to be comprehensive, but rather illustrative, and to help you better understand how to review any insurance program with respect to e-commerce risks, as well as to review the new e-commerce insurance policies.

Program Comprehensiveness

One reason for much of the debate about coverage for e-commerce risks among risk and insurance professionals is that the liability programs of many corporate insureds do not include all of the coverages needed to respond to liability risks associated with e-commerce activities. This is markedly different than with insurance for first-party risks, where most corporate insureds already have the necessary basic coverages in their programs (even if those coverages need to be enhanced a bit to fill potential gaps in coverage, as discussed in "First-Party E-Commerce Risks.").

At a minimum, insureds will need some form of the following three coverages, or their equivalent, in their liability insurance program to respond to e-commerce liability risks: (a) commercial general liability (or umbrella liability), (b) professional liability, and (c) multimedia errors & omissions. However, many corporate insureds have only standard CGL, umbrella, and excess liability coverage in their programs. These corporate insureds have the most issues to address if they want their liability risks for e-commerce activities more fully covered.

In contrast, some corporate insureds do have all three of these coverages, either in stand-alone policies or rolled into one manuscripted liability policy at a primary or umbrella layer. The risk managers of such organizations are the most vociferous in their opinion that they have no need for any of the new stand-alone e-commerce insurance policies. They might be right, but the point for them to recognize is that many U.S. Fortune 1000 companies have only standard CGL, umbrella, and excess liability coverage, and that stand-alone e-commerce insurance might be a viable option for those companies.

Why Is Standard CGL or Umbrella Coverage Not Sufficient for E-Commerce Risks?

Standard CGL or umbrella coverage is not sufficient for e-commerce risks for a variety of reasons. True, some e-commerce risks can be covered by traditional CGL or umbrella wording, just like a host of other types of liability claims, and the fact that such claims involve e-commerce activities will not affect the coverage afforded. However, there are several risks associated with e-commerce activities that likely will prove problematic for coverage under traditional CGL and umbrella wording. The following risks are illustrative of the problems that may be encountered (the discussion is not intended to be exhaustive).

Invasion of privacy. E-commerce activities pose a risk of liability for invasion, infringement, or interference with rights of privacy that could be problematic for traditional CGL and umbrella insurance wording. That is because traditional wording provides coverage for invasion of rights of privacy caused by the publication or utterance of information that violates a person's right of privacy. In other words, the "triggering" language in the policy is that the information must be disseminated. But the risk posed by e-commerce activity is not so limited-the "big" privacy risk being discussed is risk of liability for merely gathering information about someone who visits a website without that person knowing that information about him or her is being gathered-there does not need to be any dissemination of the information for the company's conduct to be actionable. A CGL or umbrella insurer faced with the insured's tender of such a claim likely will deny coverage on the basis that the insured's liability has nothing to do with disseminating information, but rather has only to do with the gathering of information. This is a potentially large gap in traditional CGL and umbrella wording for risks posed by e-commerce activities.

Infringement of intellectual property rights. E-commerce activities pose a risk of liability for infringement of intellectual property rights, such as infringement of patent, trademark, copyright, right of publicity, and the like. Some of these risks are covered under standard CGL and umbrella wording. However, some of these risks are not covered for any of the following reasons.

First, the claimed injury must be "causally connected" to the insured's advertising activities. That is because much of the coverage for such risks will be provided by the "advertising injury" coverage in a CGL or umbrella policy. But that coverage only responds if the injury arises out of the insured's "advertising activities." One of the problems associated with e-commerce activities is that an insured could be faced with liability because a third person's advertisement on its website (e.g., a banner ad) is the source of infringing material. For such claims, CGL and umbrella insurers are already denying coverage, on the basis that such a claim does not arise out of the insured's advertising activities.

There also is the possibility that courts might not construe the insured's Internet and website activity as "advertising activity." In this case, none of the intellectual property claims based on such activity can be covered "advertising injury" under a CGL or umbrella policy. One example of that problem concerns the risk that some of the computer software, programs, or hardware being used by the insured to conduct its e-commerce activities might be infringing someone else's intellectual property rights.

Second, even if the claimed injury does arise out of the insured's advertising activities, the injury still must fall within one of the specified "offenses" set forth in the standard definition of "advertising injury" in the CGL or umbrella policy. Some of the intellectual property risks associated with e-commerce activities likely fall outside of such definitions. For example, the risk of infringement of the right of publicity likely does not fall within the scope of the definitions. Many courts also do not recognize coverage for patent infringement under newer standard CGL wording (i.e., the wording that does not include "piracy" and "unfair competition" but rather includes only "infringement of copyright, title, or slogan").

Third, many CGL insurers are issuing their policies with very narrow "advertising injury" coverage. Such narrow provisions limit coverage to infringement of trademarked or copyrighted advertising materials and specify that the infringement must be caused by the insured's paid advertisement in a newspaper, magazine, television ad, or other medium. Such language severely restricts the extent of coverage for intellectual property risks posed by e-commerce activities.

These potential "gaps" are not new. Indeed, these issues were discussed at length a few years ago in the October 1997 issue of "The Risk Report." The "solution" at that time was to purchase some form of media errors and omissions insurance, typically termed something like "multimedia" liability insurance. Although those forms covered the types of risks discussed here, coverage for Internet activities had to be added by endorsement, because other forms of media (CD-ROM, video games, and the like, in addition to standard forms of broadcasting, publishing, and advertising) were the main concern of those insurance products. Interestingly, those older multimedia forms serve as part of the platform for many of the new e-commerce liability insurance products.

Damage to third person's computer data, software, programs, or computer network. E-commerce activities pose a risk of liability for causing damage to another person's computer data, software, programs, computer network, and the like. This could occur, for example, by infecting a customer's or supplier's computer system with a virus. If that customer or supplier suffers damage, it could present a claim against the insured for that damage, and all consequential losses suffered because of that damage (e.g., lost profits, repair costs, extra expenses, etc.). The question raised by such a claim scenario is whether the claimant is seeking damages because of "property damage" as that term is defined in standard CGL and umbrella policies. The standard policies used in the United States define "property damage" as meaning "physical" injury to "tangible property" or loss of use of "tangible property" that has not been "physically injured." Throughout 1998 and 1999 in the United States, and even today, insurance companies and their lawyers were taking the position that computer data, programs, software, and networks do not constitute "tangible property" as contemplated by the definition of "property damage" in CGL and umbrella policies (this position was taken to, among other things, posture insurers so that they could deny coverage for Y2K claims). U.S. courts have not fully resolved this coverage question (although several courts have found in non-insurance coverage cases that computer data is "tangible property"). In any event, until this issue is resolved, it poses a large potential gap in traditional CGL and umbrella coverage for e-commerce risks.

Pure financial losses sustained by a customer or supplier. In addition to the scenario outlined above (where the insured causes the spread of a computer virus to a customer or supplier), there are other risks of loss faced by the insured's customers and suppliers. For example, what if the insured's computer network or website "crashes," sustains a "denial of service" attack, or for some other reason is inaccessible by the insured's customers and suppliers? And what if, as a result of such inaccessibility, the insured's customers and/or suppliers sustain a purely financial loss (i.e., a financial loss not caused by "physical injury" to "tangible property" so as to be covered "property damage" by a standard CGL or umbrella policy)? How are such claims going to be covered by a standard CGL or umbrella policy? The answer is that they likely are not covered. Such claim scenarios have been the subject of much coverage litigation in the United States for decades. The general consensus among U.S. courts is that the only time that financial losses sustained by third persons can be covered under a CGL or umbrella policy is when the losses result from or flow from "property damage" as defined by the particular CGL or umbrella policy at issue.

It should be noted that risks of such "pure financial loss" also are not new to many corporate insureds. The insurance "solution" in times past to fill the gap in insurance programs for such risk typically has been some form of professional liability/errors and omissions coverage. To avoid confusing it with the "multimedia errors and omissions" coverage already mentioned, we will simply call it "professional liability" coverage. Professional liability coverage typically is intended to work hand-in-glove with an insured's CGL and umbrella program. For example, if the insured's activities or products cause physical injury to property, then the insured's CGL or umbrella policy should respond, but not the professional liability policy. However, if the insured's activities or products do not cause physical injury to property, then the professional liability policy should respond, but not the CGL or umbrella policies. Finally, it also is important to note that, as with the older multimedia E&O insurance forms, these professional liability insurance forms serve as part of the platform for many of the new e-commerce liability insurance products.

Discussion of Risks Is Intended To Be Illustrative

As already stated, this discussion is not intended to provide a comprehensive listing of third-party liability risks associated with e-commerce activities. Rather, it is intended to illustrate the types of risks at issue, to show how such risks fit within three types of coverages: (a) CGL and umbrella insurance, (b) multimedia errors and omissions insurance, and (b) professional liability insurance. Understanding these three types of coverages and how they insure different types of risks is essential to understanding not only the key features of the new stand-alone e-commerce liability insurance policies, but also to understanding how to amend an insurance program to better respond to e-commerce liability risks.

Closing the Gaps for Liability Risks with New E-Commerce Insurance Policies

The insurance industry has responded to these potential gaps with a proliferation of new e-commerce insurance products intended to respond to liability risks. The names of these policies are quite fanciful, even if the liability insurance coverages provided by them are not really all that novel. For example, AIG is selling the "netAdvantage Internet Professional Liability Policy"; Chubb is selling the "Safety'Net Internet Liability Policy"; Zurich is selling the "E-Risk Protection Policy"; Royal is selling the "Computer, Telecommunications and Internet Services Liability Coverage" policy; Gulf (through Media/Professional Liability) is selling the "CyberLiability Plus Insurance Policy"; and Great American (through Tamarack) is selling the "Dot.Com Errors and Omissions Liability Insurance Policy." These are just examples of the new e-commerce insurance policies for liability risks being offered in the United States. There are a host of other policies available in the United States from several different Lloyd's facilities and several other U.S. insurers.

These policies are designed to insure some or all of the risks discussed herein. So, for those companies whose liability insurance program consists of only standard CGL, umbrella, and excess liability policies, buying one of these new e-commerce insurance policies is a viable option.

However, looking beyond the labels and "buzz words" used in the policies and focusing on the substance of the coverage being provided, one is almost immediately struck by the following observation. With respect to the liability insurance coverages provided (some of the policies also provide coverage for first-party risks), these policies are not much more than combined multimedia errors and omissions and professional liability coverages. Indeed, some of the policies are blatant in this respect, by setting forth different insuring agreements, one entitled something like "professional services coverage" and the other entitled something like "media errors and omissions coverage" or "publisher's errors and omissions coverage."

This observation leads to two very important considerations for companies attempting to address their e-commerce liability risks when their insurance programs currently consist only of standard CGL, umbrella, and excess liability insurance. First, they need to realize that their choices are not limited to forgoing coverage or buying one of these new e-commerce insurance policies. They could insure the risks by adding amended professional liability and multimedia errors and omissions coverage to their programs.

Second, the new e-commerce insurance policy forms and endorsements must be carefully reviewed to make sure that the quoted coverage covers all the professional liability and media errors and omissions risks that otherwise would be insured by buying professional liability and multimedia errors and omissions coverage. Some of the policy forms come up short in one coverage area or the other, either focusing on the professional liability aspect to the detriment of the media errors and omissions aspect or leaving out one of the coverages altogether. And some of the insurers with policy forms that contain both coverages are quoting with exclusionary endorsements that delete one of the coverages. These two realities are because the market for this insurance is young, and some of the underwriters for the insurance are not experienced in or comfortable with both professional liability or media errors and omissions underwriting.

Third, regardless of which course of action a company takes, it must also realize that in any event it should try to amend its CGL and/or umbrella policies to address some of the gaps mentioned herein (and any other gaps) for any risks that it actually wants to be covered under those policies. For example, most insureds seem to prefer having coverage for the invasion of privacy risk run through the CGL and/or umbrella program and therefore are trying to amend the definitions of "personal injury" and "advertising injury" to accommodate the risk. In other words, they are trying to delete the requirement of "publication or utterance" so that the wording reads something like, "any form of infringement of, interference with, or invasion of privacy."

Closing the "Gaps" for Liability Risks with Traditional Insurance Policies

As with first-party e-commerce risks, the question must be asked: Does an insured have to buy one of these new e-commerce insurance policies to insure its e-commerce liability risks? Whereas the answer with respect to first-party e-commerce risks is "in theory, no, but in practice perhaps yes for now," the answer with respect to liability e-commerce risks is "in practice, no." As noted above, in many ways the new e-commerce liability insurance policies are nothing more than a combination of one old standard coverage-professional liability insurance-with one newer standard coverage-multimedia errors and omissions.

Thus, those insureds who have a program using only standard CGL, umbrella, and excess liability insurance should be able to simply add traditional professional liability and multimedia errors and omissions coverage to their program, making some adjustments to confirm coverage for e-commerce exposures. Some of the issues that also will need to be addressed include the following.

  • Does the insured want to have such coverage on a primary level?
  • If so, should such coverages be bought separately or in a combined policy, and can the coverage be scheduled as underlying insurance on the umbrella policy, or must the insured maintain a separate tower of insurance for the coverage?
  • If the insured does not want such coverage on a primary level, can the coverage be built into the insured's umbrella program?

And regardless of how such coverage is built into the program, an insured still should consider whether there are any adjustments that should be made to the CGL or umbrella program to better insure e-commerce risks that the insured prefers to run through that coverage. Finally, all of these coverages should be reviewed to minimize coverage overlaps. In other words, the risks can be covered in more than one place; the job for the insured is to determine where to place the coverage in the program to maximize coverage with least cost and inefficiencies.

Those insureds who already have professional liability and multimedia errors and omissions coverage in their programs (whether with stand-alone policies or manuscripted policies at a primary or umbrella layer) should be able to review their program to determine what, if any, gaps exist and to close all identified gaps with further amendments to the policies. This is why the risk managers of such companies are so vociferous in their opinion that there is no need for the new e-commerce liability insurance policies. Again, however, such risk managers should realize that many U.S. Fortune 1000 companies do not have any form of media errors and omissions or professional liability coverages in their programs and that, therefore, such companies could use such new e-commerce policies, or the types of coverages provided by them (i.e., professional liability and multimedia errors and omissions coverage).

With respect to liability insurance issues, all of the foregoing scenarios are being played out in the U.S. market (as well as several other insurance markets around the world, such as the United Kingdom and Australia). Some insureds already have the basic coverages needed in their liability insurance programs to respond to e-commerce liability risks and are merely reviewing their programs to confirm coverage intent with their insurers and/or are amending some of the policies where necessary. Some insureds have only standard CGL, umbrella, and excess liability policies in their programs and are either adding standard professional liability and multimedia errors and omissions coverage into their programs or are buying one of the new e-commerce insurance policies.

Concluding Thoughts

In the final analysis, risk and insurance professionals should not be led astray by the hype surrounding the new e-commerce insurance policies. Nor should they ignore the issue, believing those risk managers who say that there is no need to address e-commerce insurance issues with new policies or amended traditional policies. Rather, insurance professionals should gain an understanding of the issues and develop the knowledge to review the options and choose the best alternatives for their companies.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More