The electronic security industry, with its ever-growing deployment of Internet protocol (IP)-based networks, needs to be aware it, too, is prone to being ensnared in “cyber liability” litigation. 

According to the FBI, nine out of 10 organizations in the United States are victims of some form of computer security breach. Many incur significant losses due to viruses, worms, spyware and data sabotage. This chronic wave of cyber crime has risk managers, legislators and plaintiff attorneys taking legal action. Whether a defendant is liable or not, the cost to defend against data breach suits can be hugely expensive. 

As the law stands, any business or individual who interacts via a computer network is subject to claims of liability for alleged damage to another entity’s data or software. Hence, the electronic security industry’s exposure to liability has increased astronomically as it depends more and more on computer networks to deliver its services and information.
Through the years, insurance companies in response to this ever-increasing exposure have modified property and general liability policies with the intent to restrict coverage in connection with loss of electronic data and liability.
The Insurance Services Office Inc. (ISO), which provides underwriting and legal/regulatory services to property-casualty insurers, years ago crafted a commercial general liability (CGL) coverage option known as the electronic data liability endorsement CG 04 37. Concurrently, the CGL “property damage” definition was modified to stipulate “electronic data is not tangible property.” The upshot of the language revision was to eliminate coverage for direct damage to electronic data and coverage for the loss of use of data that are not physically injured, by removing such losses from the scope of “property damage.” 

A CGL revision in 2004 introduced added language to restrict coverage in connection with loss of electronic data. Known as exclusion “p” of the policy’s Coverage A, the exclusionary language is aimed at eliminating coverage for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Other endorsements “per company” are also added to policies such as “electronic data liability exclusions,” “computer data exclusions” and “malicious code exclusions.” It is important to keep in mind that limits of coverage are following form. If it is excluded, it is not covered under the liability or property policies. Effectively, this means no defense or indemnification. Clearly, managers need to make it a high priority to apply solutions that will mitigate cyber liability. To do so, appoint a risk manager to implement and oversee the following safeguards:

1. Employee training and policy statements on data use and disaster recovery should be held monthly
2. Apply anti-virus software and firewalls to security networks
3. Assign IT department personnel to track changes in technology, plus legal, privacy and other risks
4. Have insurance agent or broker review coverages and exclusions in existing general liability, professional liability and property insurance policies
5. Consider adding network or cyber liability insurance to include false or misleading advertising, personal injury, identity theft, equipment sales/installation/monitoring errors and omissions (E&O), plus viruses in Web sites, E-mail, monitoring, and data storage for both on- and offline

And there is more to consider. Allegation of intentional wrongful conduct, unauthorized access, disconnect or viruses of “rogue” employees or third-party contractors, contingent bodily injury and property damage, and prior acts coverage, copyright/trademark infringement, should all be a big part of your checklist of coverages.

To sum it up, consider: Internet liability is like looking at an iceberg … it may be deeper then it looks.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content