INSURANCE COVERAGE 2006



From PLI’s Course Handbook

Insurance Coverage 2007: Claim Trends & Litigation

#11361

Get 40% off this title right now by clicking here.

9

high-tech insurance issues

Lorelie S. Masters

Jenner & Block LLP

Ms. Masters is a partner at Jenner & Block LLP, in Washington, D.C., where she advises and represents policyholders in insurance coverage, e-commerce, and litigation matters. She is co-author of two treatises on insurance coverage issues: (i) Insurance Coverage Litigation, published in its second edition in January 2000 by Aspen Law & Business and updated annually; and (ii) Liability Insurance in International Arbitration: The Bermuda Form, published in July 2004 by Hart Publishers, London.

Practising Law Institute

_________________________________________________

INSURANCE COVERAGE 2007: CLAIM TRENDS AND LITIGATION

High-Tech Insurance Issues

May 1 and May 22, 2007

4:45 p.m. EST

Lorelie S. Masters

Jenner & Block LLP

601 13th Street, NW

Suite 1200

Washington, DC

(202) 639-6076

Lmasters@

Biographical Information

Name: Lorelie S. Masters

Position/Title: Partner

Firm or Place of Business: Jenner & Block LLP

Address: 601 13th Street, NW, Suite 1200

Washington, DC 20005

Phone: (202) 639-6076

Fax: (202) 661-4924

E-Mail: Lmasters@

Primary Areas of Practice: Insurance coverage counseling and litigation

Law School/Graduate School: Notre Dame Law School

Work History:

Partner, Jenner & Block LLP, 2002-present

Director, Beveridge & Diamond, 2000-2002

Partner, Managing Partner, DC Office, Anderson Kill & Olick, 1996-2000

Partner, Anderson Kill Olick & Oshinsky, 1986-1996

Associate, Anderson Baker, Kill & Olick, 1983-1986

Associate, Howrey & Simon, 1981-1983

Professional Memberships:

American Bar Association, Insurance Coverage Litigation, Section of Litigation, 1989-present

American Bar Association, Insurance Coverage Litigation Committee, Policyholder Chair, 2000-2003; Editor, Coverage, 1998-2000

American Bar Association, Section of Litigation Leadership, Chair Committee Periodicals Committee, 2003-2006

DC Bar, Member, Litigation Steering Committee, 2003-Present

DC Bar, Chair, Litigation Steering Committee, 2004-Present

National Association of Women Lawyers, Chair Amicus Committee, 2004-present; winner, Service Award, 2004

Women’s Bar Association of the District of Columbia, President-Elect, 2006-2007

Women’s Bar Association Foundation, DC, Board Member, 2005-2006; ex officio, 2006-2007

INSURING COVERAGE ALONG THE INFORMATION SUPERHIGHWAY

by Lorelie S. Masters[i]

As businesses worldwide have increased their reliance on computers and cyberspace, the potential for loss or damage to one’s own property and for liability for damage or loss to others, due to reliance on computers and the Internet, has exploded. As shown by press reports about the early “Melissa” and “Papa” viruses in the spring of 1999, the distributed denial of service (DDOS) attacks against Yahoo!, E*Trade, , and eBay in February 2000, the “Blaster” B variant worm in the summer of 2003, and their counterparts,[ii] a computer virus or hacker damage can shut a business down. Indeed, an entire discipline has arisen to deal with the increasing concerns about computer security and “computer crime.”[iii]

Many traditional types of insurance – that is, those that have been on the market for years – may provide businesses and individuals with protection for high-tech risks of liability and loss. However, insurance companies may in years to come increasingly seek to exclude coverage for damage to computer assets from traditional coverage like property insurance and general liability insurance. The insurance industry in recent years also has been developing new insurance products for risks associated with use of the Internet and other losses that have arisen with the advent or the High-Tech Age.

This article discusses risks that arise from use of computers, the internet, and electronic databases and other such assets.

High Tech Risks

THE INTERNET PROVIDES BUSINESSES WITH ACCESS TO A GLOBAL MARKET. THEREFORE, COMPANIES ENGAGING IN E-COMMERCE CAN NO LONGER AFFORD TO THINK THAT THEIR ACTIVITIES ARE LIMITED TO THE STATE, OR EVEN THE COUNTRY, IN WHICH THEY ARE PHYSICALLY LOCATED. AS SHOWN BY THE SPATE OF CASES ADDRESSING JURISDICTION OVER COMPANIES OPERATING IN CYBERSPACE,[iv] ENGAGING IN E-COMMERCE MAY EXPOSE A COMPANY OR ITS OFFICERS TO CLAIMS OR LIABILITIES OUTSIDE THE BORDERS OF THE STATE OR COUNTRY IN WHICH THEY ARE PHYSICALLY LOCATED. FOR EXAMPLE, COURTS IN EUROPE HAVE RELIED ON THE EUROPEAN UNION’S DATABASE DIRECTIVE TO HOLD THAT LINKING TO CONTENT ON ANOTHER’S WEBSITE CONSTITUTES INFRINGEMENT.[v]

1 Security

With companies’ nearly universal reliance today on computers and the internet, most businesses today face the risk of loss for network and equipment, databases and information assets, proprietary and confidential information. Security breaches include any unauthorized access or use of a company’s computer system and data. For example, a hacker may break into a company’s computer system and steal or destroy data. Just as with building fire suppression and physical security, a modern corporate computer network system must have security features built into its architecture.[vi]

This exposure continues to increase. Several overlapping laws prohibit various types of security breaches. A key statute is the Counterfeit Access Device and Computer Fraud and Abuse Act (CFAA),[vii] the primary anti-hacking statute. The CFAA criminalizes, among other things, unauthorized access to protected computer – that is, computers used in interstate commerce or communication – for certain purposes, such as obtaining financial and other types of information, knowingly obtaining something of value through fraud, or causing damage to the computer.

In addition to providing criminal penalties, the CFAA creates a civil cause of action for “[a]ny person who suffers damage or loss by reason of a violation” of the CFAA.[viii] Several consumer class actions have challenged marketing activities by various Internet companies under the CFAA.[ix] To date, however, it does not appear that any of these challenges has been successful. Some internet service providers (ISPs) have also used the CFAA to try to bar spam emails to members.[x] In January 1998, Timothy Lloyd became the first person indicted under this statute allegedly because he activated a “$10 million computer ‘bomb’” that destroyed computer design and production programs used by his employer to produce sophisticated industrial equipment.[xi]

In the absence of exclusions, first-party property insurance should cover damage or loss to computer systems and data. However, insurance companies increasingly seek to exclude coverage of cyber-risk exposures, and policyholders need to examine policy forms carefully to ensure that insurance policies give adequate protection for computer hardware and software and computer databases and other assets.[xii]

2 E-Commerce & Computer Assets

With the emergence of e-commerce business models, corporate managers must review the exposure created by e-commerce contracts, warranties, product integrity risks, professional services conducted on-line, and “fail-safe” transactions now exposed on the Internet. Part of this system investment should deal with the previously unseen trans-border nature of the Internet. The website of almost any company can be accessed around the world. Does your insurance reflect the worldwide nature of the Internet? More importantly, does it protect against liability regardless of where it arises – here in the United States or in some remote corner of the world?

Both companies and individuals should protect all valuable computer assets by backing up data and creating redundant systems. To protect against the operation of “Murphy’s Law,” companies also should create disaster recovery plans in cases the worst happens and a virus, act of God, or other unanticipated event prevents the business from operating in normal fashion.

3 Privacy & Information Collection

Fair information collection practices underlie the issue of privacy in cyberspace. In the United States, privacy is protected by business sector or activity. Among the applicable laws in this area are: Title V of the Gramm-Leach-Bliley Act,[xiii] which applies broadly to financial institutions; the Health Insurance Portability and Access Act (HIPAA),[xiv] which broadly applies to healthcare organizations; and the Children’s Online Privacy Protection Act (COPPA), which applies to businesses that collect information online from children 13 or under.[xv]

The Federal Trade Commission (FTC) has also been very active in policing online information collection practices. The FTC has formulated and posted online its Privacy Agenda for consumers. This Agenda addresses identity theft, enforcement of “privacy promises,” and pretexting, the practice of fraudulently obtaining personal financial information.[xvi] Companies and individuals: may sue for misappropriation of data and personal information or invasion of privacy. Allegations of corporate espionage, even among companies that regularly do business, could lead to liability for fraud[xvii]; theft of trade secret or other proprietary or confidential information; interference with contractual relationships piracy; or other torts.[xviii] The United States Government’s Office of Management and Budget (OMB) required federal agencies to post privacy policies on their Websites in December 1999.[xix]

The European Union (EU) has established a uniform policy on privacy issues that went into effect in 1998. A company doing business in Europe must comply with the requirements imposed by the European Union Privacy Directive. The EU Privacy Directive generally limits the scope of data that can be collected and its use, and allows the transfer of personally identifiable information to non-EV, countries only if the transferee country’s privacy protection is deemed “adequate.” The EU generally has not deemed the United States’ privacy protections adequate. The United States Commerce Department negotiated “safe harbors” with the EU, including:

1. Onward transfer – Allows businesses to transfer information to third parties as long as it is consistent with the notice and choice principles. Those third parties must provide at least the same level of privacy as the collecting party.

2. Data integrity – Requires the collecting party to keep only that personal data relevant for purposes for which it has been gathered.

Two things are important to note. First, a company with a physical presence in the EU must satisfy the requirements of the country in which it is doing business. Compliance with the safe harbors negotiated by the U.S. Commerce Department will not suffice. Second, finding the safe harbor requirements onerous, many U.S. companies choose simply to comply directly with the relevant country’s laws. This approach has what many feel is the added advantage of not voluntarily submitting to FTC jurisdiction.[xx]

4 Intellectual Property

In cyberspace, the traditional role and protections for patents, trademarks, copyrights, and trade secrets are put at risk, and the need for licensing of others intellectual property is taken to new levels. In 2005, the United States Supreme Court in its landmark decision in MGM Studios, Inc. v. Grokster, Inc.,[xxi] upheld causes of action for contributing copyright infringement against distributors of software used primarily download copyrighted music and other works. Also, new business method patents have been granted for some of the new business models used in cyberspace. The role of intellectual property protections in new concepts in cyberspace such as domain names and metatags is still being explored. If a domain name infringes on a corporate trademark, new dispute resolution procedures are available. Also, the use of hyperlinking and deep linking to content created by others is still being explored by the courts.[xxii] The protection of corporate websites, chat rooms, and email systems also must be examined.

5 Defamation and Publication

New levels of exposure exist in the area of defamation. With the Internet the audience to whom a defamatory statement can be published has become world-wide and businesses must make sure that their websites do not contain defamatory material.[xxiii] In addition, chat rooms, which often are a part of such websites,[xxiv] must be closely monitored to avoid a risk of defamation by employees. Employee email also presents this risk and businesses should adopt and enforce guidelines to control this risk.

Excessive, unsolicited email, popularly known as “spam,” presents a continuing risk to companies.[xxv] The “CAN-SPAM Act” of 2003 regulates practices by commercial emailers.[xxvi] The Act bans, for example, false and misleading header information and deceptive subject lines, and requires that commercial email be clearly identified as advertising. Such email must include a valid physical postal address for the sender and allow recipients to opt-out of the sender’s email listing. The statute does not create a private cause of action. However, it does direct the FTC and other federal agencies to enforce the act and authorizes the United States Department of Justice and state attorneys general to bring criminal prosecutions to enforce the Act.[xxvii] Internet service providers may sue violators as well. The Act also allows states to enact statutes to prevent misleading conduct and deceptive practices.[xxviii]

6 Advertising and Competition Issues

Although offshore companies may be more difficult to regulate, those businesses that engage in online advertising need to be aware of the risks of violating various regulatory schemes put in place to try to limit the volume of spam. In the United States, the First Amendment provides protections to advertisers using the internet. However, those protections stop at our borders. Some comments that are perfectly acceptable under the United States view of free speech protections may be illegal or actionable in other jurisdictions.

For example, litigation has arisen over the use of allegedly defective on-line banner advertisements,[xxix] allegedly infringing pop-up advertising,[xxx] “mousetrapping,”[xxxi] and pop-up ads bundled with software.[xxxii] Sending excessive unsolicited email, popularly called “spam,” can create liability for a company as well.[xxxiii] Thus, traditional advertising limitations apply even in high-tech medium of cyberspace. In the United States, the FTC and state attorneys general regulate advertising. The FTC, for example, has promulgated guidelines called “Advertising and Marketing Online: Rules of the Road.”[xxxiv] As in traditional print media, advertising on the internet must be fair and non-deceptive and, as stated in “Rules of the Road,” claims made “must be substantiated.”[xxxv]

States have moved to prevent deceptive practices over the Internet. California has taken the lead among United States jurisdictions on a variety of fronts. In 2003, the state enacted a law requiring businesses to notify state residents when security breaches lead to disclosure of unencrypted consumer data.[xxxvi] The law provides a private cause of action to consumers harmed by such disclosures. In 2004, California enacted the country’s first online privacy statute, requiring online companies to post privacy policies conspicuously.[xxxvii] The statute prohibits the negligent or material, and knowing and willful, failure to meet the posting requirement or to abide by the site’s posted policy. However, the Act also provides for a 30-day safe harbor to post the required privacy policy “after being notified of non-compliance.”

Publicly-traded companies must also heed regulations of the United States Securities and Exchange Commission (“SEC”) regulations, and companies in the securities industry are subject to additional SEC regulation. The United States statutes popularly known as Sarbanes-Oxley requires publicly-traded companies to report significant deficiencies in the design or operation of internal controls that could affect the company’s “ability to record, process, summarize, and report financial data” and “material weaknesses” in such controls.[xxxviii] In 1999, the SEC has opened its Office of Internet Enforcement to coordinate agency efforts to detect and root out cyber-fraud.[xxxix] The SEC also began relatively early to crack down on schemes involving fraudulent securities marketing and pyramid schemes.[xl]

7 Employment Issues

By giving a company’s employees access to the Internet, businesses expose themselves to new and potentially unanticipated risk exposures. Claims by current or former employees are one of the biggest risk exposures companies face today. For example, the New Jersey Supreme Court upheld an employee’s right to sue her employer, Continental Airlines, who had been using the company’s intranet and email to harass another employee.[xli] In Blakey v. Continental Airlines, the New Jersey Supreme Court found that the airline had noticed that individual pilots had been posting derogatory remarks on a company online bulletin board about the plaintiff, but did not seek to remedy the harassment. The court also found that this notice, combined with the company’s knowledge that the offensive statements would be published within a particular state, may subject the airline to that state’s jurisdiction.[xlii]

In other cases, employees have claimed that their employers have violated their privacy by searching their email or computer programs in violation of the employee’s reasonable expectation of privacy. Courts have limited an employee’s expectation of privacy, particularly when the employer has given employees specific notice of its intention to monitor computer use or has circulated policies that give notice of such an intention. For example, in Leventhal v. Knapek,[xliii] the United States Court of Appeals for the Second Circuit affirmed a lower court’s decision ailing that the employer’s search for unauthorized programs on an employee’s computer did not violate the employee’s right to privacy. In that case, after receiving a tip that the employee had been neglecting work duties; in part, by downloading programs off the Internet, the employer made a search confirming that Leventhal had downloaded unauthorized programs onto his work computer. The court found that, although Leventhal had a reasonable expectation of privacy, the employer had reasonable grounds for the search due to the allegations of workplace misconduct.[xliv] Employees have even less expectation of privacy in files that may he considered illegal.[xlv]

As Leventhal and other cases show, a company-wide policy defining approximate uses of the Internet may help limit this exposure. However, insurance should help protect companies from this source of potential liability.

Companies also face risks that employees may misappropriate or even inadvertently disclose company secrets or confidential information.

Legal Issues

MOST STANDARD-FORM, TRADITIONAL INSURANCE POLICIES WERE WRITTEN BEFORE THE ADVENT OF E-COMMERCE AND DID NOT ANTICIPATE CYBER-RISKS. ALTHOUGH TRADITIONAL INSURANCE POLICIES, SUCH AS COMPREHENSIVE GENERAL LIABILITY INSURANCE (“CGL”) OR MEDIA LIABILITY INSURANCE, MAY AFFORD COVERAGE FOR A PORTION OF CYBER-RISK, COMPANIES ENGAGED IN E-COMMERCE OR DEALING TO A SIGNIFICANT IN COMPUTER DATA ASSETS MAY FIND THAT THEIR LIABILITY AND PROPERTY INSURERS WILL BALK AT CLAIMS INVOLVING DAMAGE TO COMPUTER ASSETS AND INTELLECTUAL PROPERTY. IN ADDITION, INSURANCE COMPANIES SELLING TRADITIONAL CGL OR MEDIA INSURANCE INCREASINGLY ARE SPECIFICALLY EXCLUDING COVERAGE FOR SUCH RISKS OUT OF CONCERN ABOUT THE EXPOSURE AND THEIR ABILITY TO PRICE ADEQUATELY THE ADDITIONAL COVERAGE.

There are at least two current battleground issues affecting insurance coverage for computer assets and data and intellectual property: the meaning of “property damage”; and applicability of Advertising Injury and Personal Injury coverages to liability for privacy violations, intellectual property infringement, and other claims.

1 “Property Damage”

To avoid insurance coverage under traditional property and general liability insurance policies, insurance companies argue that computer data, software, and other information assets do not constitute “tangible” property and cannot be “physically” damaged; therefore, they argue, traditional insurance policies do not cover damage to or loss of such assets.

Cases addressing this issue are split. Courts have held that computer data constitutes “tangible property which, when lost or destroyed, requires an insurance company to defend and indemnify a policyholder for liability to reimburse the policyholder for damage to its own property or third parties. The cases that have gone against the policyholder often do not appear to have developed a factual record “to establish that computer data loss or damage is a physical loss or to show the insurance industry’s historical position on this issue.

The standard CGL policy typically defines “property damage” as “physical injury to tangible property including the resulting loss of use of that property.” We all know than not to be true. Moreover, a virus, power outage, or computing error can “crash” or lock our machines and can damage the circuitry and memory – forever scrambling the original electronic pulse captured on computer drives, and rendering it all useless. Almost everyone has experienced, with dismay, the latter and knows the former to be untrue. Thus, computer data constitutes tangible property, covered under a CGL policy.

The potential area of dispute in that definition is illustrated through the example of a denial of service or other hack attack on a company. In such an attack, the company could lose proprietary or client data or company clients could lose access to the company’s system, which could result in an interruption in the company’s service or business. Alternatively, if the company negligently allowed its system to be used as a “zombie” for a dedicated denial of service (“DDOS”) attack on another company’s system, the company operating the “zombie” site may arguably have liability for the damage caused by the attack. Under standard “property” or “property damage” policy language, insurance companies and have denied coverage for the loss of data stored in computers or the loss of access to such data on the basis that such loss does not constitute “property” or “property damage.” These arguments may lead to disputes over coverage under a CGL insurance policy for claims for liability to third parties or under a business interruption- policy for the policyholder’s lost income and other expenses related to business interruption.

1 Decisions Favoring Policyholders

American Guarantee & Liability Insurance Co. v. Ingram-Micro Inc.[xlvi] shows that, in an appropriate case, courts will construe terms such as “physical damage” to find coverage under traditional business-interruption insurance. In Ingram-Micro, a power outage caused the loss of computer assets and data that were integral to the policyholder’s ability to conduct business. The power outage lasted only a few minutes, but the lost programming resulted in substantial loss of business to the policyholder and inability to operate for a period of time. Ingram made a claim for its losses under its business-interruption policy. However, the insurance company denied coverage and sued for a declaration that its insurance did not cover the policyholder’s computers and related assets. The United States District Court for the District of Arizona held that the loss of the policyholder’s custom software programming constituted “physical damage.” The court found that, “at a time when computer technology dominates our professional as well as our personal lives . . . ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.”

In Lambrecht Associates, Inc. v. State Farm Lloyd’s,[xlvii] a Texas appellate court rejected a property insurer’s argument that damage to the policyholder’s computer system from a computer virus caused no “physical” loss. The court first found that the loss was accidental because, judged, as it must be, from the policyholder’s standpoint, the loss was not intended.[xlviii] On the physical loss issue, the court found that “the plain language of the policy dictates that the personal property losses alleged by Lambrecht were ‘physical’ as a matter of law.”[xlix]

Although Lambrecht addresses the issue of coverage for damage to computer assets and data under a first-party property insurance policy, it relied on cases interpreting CGL insurance policies.[l] Lambrecht thus provides precedent for issues involving “physical” loss or “tangible property” under other types of insurance. Lambrecht also points out the importance of reading the policy as a whole as a persuasive argument for enforcing coverage may exist notwithstanding the existence of seemingly contrary precedent.[li] It is also important to note that the court in Lambrecht rejected the insurance company’s argument that coverage should be forfeit because the policyholder did not comply with a policy condition stating that the policyholder “‘must notify the police if a law may have been broken.’”[lii]

2 Decisions Favoring Insurance Companies

Insurance companies, in contrast, favor a decision by the United States District Court for the Eastern District of Virginia, in America Online, Inc. v. St. Paul Mercury Insurance Co.,[liii] as “the answer” on this issue. In AOL, customers of Internet service provider AOL sued claiming that its proprietary software package, AOL version 5.0, caused physical damage to, and loss of use of, the customers’ computers, data, and software. AOL sued St. Paul when the insurance company refused to defend AOL in the customers’ litigation. The United States District Court in the Eastern District of Virginia rejected AOL’s claim that St. Paul had a duty to defend AOL in the customers’ litigation. The trial court found, on a limited record, that “[c]omputer data, software and systems are incapable of perception by any of the senses” and, therefore, do not constitute “tangible property” under the definition of “property damage” in CGL insurance policies.[liv] The United Court of Appeals for the Fourth Circuit later affirmed, on a 2-to-1 vote. However, Judge Traxler pointed out in dissent that few courts have addressed this issue, and no court in Virginia had weighed in on this state-law issue.[lv] Judge Traxler also found that the allegations against AOL of “corruption of computer systems” were sufficient to satisfy at least the insurance company’s duty to defend.[lvi]

The trial court limited its finding recognizing that “the computer itself is tangible property” and that CGL insurance policies explicitly define “property damage” to include loss of use of property that suffers no physical injury.[lvii] However, the court found that the “impaired policy exemption [sic]” and the “common law economic loss rule” precluded coverage.’[lviii]

While giving lip service to the “eight corners rule” governing an insurer’s duty to defend under Virginia law, it appears that the trial court applied the incorrect standard. The court’s own recitation of the facts alleged in the consumers’ complaints against AOL identifies numerous facts and causes of action that fall outside the reach of the exclusion cited by the court. For example, the customers’ complaints sought to recover for:

(1) violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq.; (2) violation of various State Consumer Protection Acts; (3) injunctive relief to protect against Unfair Deceptive Acts and Practices and Consumer Fraud; (4) Product Liability for Defective Design; (5) Product Liability Failure to Warn; (6) Negligence; and (7) Negligent Misrepresentation.[lix]

Notwithstanding the finding on computer data, the court also explicitly held that “a computer is tangible property,” and that loss of use is covered property damage.[lx]

The court in AOL rejected St. Paul’s duty to defend for several reasons that do not appear to be supported in the decision and that limit its reach and in effect reversed the burden of proof on this issue. The dissent by Judge Traxler reached just this conclusion.[lxi] First, the trial court apparently was not presented with evidence about how computers work and capture data on physical media in a way that takes up memory and space on computer drives. AOL did present this argument on appeal to the Fourth Circuit, but the appellate court dismissed it because it had not arisen below. The court analyzed this issue with regard to both computer hardware and software. With regard to hardware, the court found that the arrangement of data on the hard drive had merely become “disordered” and that the hard drive itself had not been affected.[lxii] The court found that damage to consumers’ software did not constitute physical damage to tangible property.[lxiii] The case, however, may still have continued on appeal to suffer from an insufficient record on appeal.

Second, the trial court misapplied the impaired property exclusion: based on the findings of a lack of “property damage,” the appellate court upheld that ruling.[lxiv] A different record may have yielded a different result. In addition, both the trial and appellate courts missed a crucial fact. The exclusion should be applied to preclude coverage only if the property can be restored to use by nothing more than “adjustment, repair, replacement or removal” of the policyholder’s product.[lxv] The complaints alleged that AOL version 5.0 caused “the inability of users to remove the AOL 5.0 software,”[lxvi] and was designed with “exit barriers.”[lxvii] For that reason, the courts should have found that the exclusion did not apply.

Third, the trial court applied the tort doctrine of “economic loss” to an issue of insurance policy construction. Following the discredited “damages” issue in environmental insurance coverage cases,[lxviii] St. Paul argued, and the court implicitly agreed, that AOL sought recovery for only “economic” loss. However, as the vast majority of courts found in the environmental insurance context, CGL insurance policies cover a policyholder’s legal liability and, at base, all losses are “economic.”[lxix]

Questions also arise whether the damage to programming was sufficient to constitute damage to the network or whether integration of a damaged computer chip or other technology product causes “property damage.” These issues arose in Seagate Technology Inc. v. St. Paul Fire & Marine Insurance Co.,[lxx] when a personal computer company that bought and integrated Seagate disc drives into its computers sued Seagate for supplying defective disc drives. Seagate sought insurance coverage from its CGL policies under the theory that incorporation of its allegedly defective disk drives had caused “physical damage” to the plaintiff’s computers (i.e., “tangible property”). The Northern District of California found that the suit was not covered because there was no “physical property damage” caused to the computers as a whole.

In addition, certain of the allegations against AOL may have fallen within the policyholder’s Advertising Injury or Personal Injury Coverages. It does not appear that the policyholder argued that those coverages applied in AOL. Because the CGL policy provides the “broadest package of coverage,” as the insurance industry itself said in touting these coverages, policyholders should seek the important additional coverage they provide.[lxxi]

While AOL may give comfort now to insurance companies, the decision suffers from a limited record. In arguing for coverage, policyholders in computer data cases, as in other high-stakes coverage issues in the last two decades, likely will meet success more consistently when they take care to develop a complete record.

2 “Advertising Injury”

Additional coverage issues may arise under traditional advertising injury coverage. While copyright and trademark infringement claims may be insured under the “advertising liability” coverage of a CGL policy, coverage is typically restricted to “advertising injury” caused by an offense committed in the course of advertising your goods, products or services . . . ..” Many coverage disputes have focused on the issue of whether the injury arose during the “course of” the policyholder’s “advertising.” Moreover, courts have held that the injury must arise from actual advertising, which many jurisdictions require be a widespread promotional activity directed to the public at large. Others have found that resolution of the issue must take into account the size of the policyholder’s business and potential market. Courts typically also have held that there must be a causal nexus between that activity and the injury. For example, in Novell, Inc. v. Federal Insurance Co.,[lxxii] Novell was accused of stealing a software program, renaming it, and selling it in a “bundle” with WordPerfect 6.0 Windows. The court found no causal connection between the injury and the advertising, and therefore no coverage.

1 Definition of “Advertising”

Until a recent revision of the standard CGL insurance policy in 1998, CGL policies typically did not define “advertising” or “advertising activities.”[lxxiii] In part as a result, the question of whether a claim alleges or arises from “advertising” has provided fertile ground for litigation.

The cases often turn on their facts. For example, a solicitation, by email or otherwise, may be considered “advertising” if its audience is most or all of the business of a competing firm. Because “advertising” in many insurance policies has not been defined, courts have found the term to be ambiguous, construing it against the insurance company.[lxxiv] Resolution of this issue should take into account the rules of insurance policy construction. Under these rules, any ambiguity in insurance policy provisions drafted by the insurance company are construed against the insurance company and in favor of coverage.

Generally, courts require that, to constitute advertising, the activity involve either the selling or promotion of a product or service to a third party.[lxxv] Policy language does not require that the policyholder itself perform the advertising activity.[lxxvi] That does not end the inquiry, as the issue often involves an analysis of the size of the target market.[lxxvii] Widespread dissemination should not be required as the policy language includes no such requirement. A proper analysis of the issue also should consider the relative size of the business in question and its target audience.

The construction of “advertising” typically arises in one of two contexts. First, it may arise as a threshold issue to determine whether there is the necessary connection, however slight, between the policyholder’s advertising injury activities and the allegedly injurious activity. The issue also has arisen in interpreting exclusions seeking to preclude coverage for policyholders that are engaged in the business of advertising.[lxxviii] When this arises under the insuring agreement, or grant of coverage, insurance companies typically have argued that Advertising Injury Coverage does not apply unless the policyholder’s advertising activities were directed at the public at large, as opposed to a discrete group.[lxxix] However, when the issue arises in the context of interpreting policy exclusions, insurance companies have asserted different positions.[lxxx]

Courts have recognized that the proper construction of the term may depend upon its use in the policy. For example, in American States Insurance Co. v. Canyon Creek,[lxxxi] the court noted that the “narrow definition” of “advertising,” that is, widespread dissemination of promotional material to the public at large, arose from cases interpreting the advertising injury policy exclusion, not cases construing the insuring agreement:

The court is mindful of the fact that some courts in other jurisdictions have given the term [advertising] a narrower definition and construed it to mean the widespread dissemination of promotional material to the public at large. [Citation omitted]. What is significant to note, however, is that in the cases that have given the term this narrow definition, the insurer was seeking a declaration that no coverage existed under an advertising injury exclusion. Because the term here is used within the context of the insuring provisions and not within an exclusion, the term should be interpreted broadly, with any doubts as to coverage resolved in favor of the insured.[lxxxii]

The court in Canyon Creek correctly recognized that the burden of proof differs depending on whether the term appears in a policy exclusion or an insuring provision. Insurance companies bear the burden to prove that all of the policyholder’s potential bases of liability fall within the scope of a policy exclusion asserted as a bar to coverage.

Courts have not always recognized this distinction in interpreting “advertising.” Many courts have held that “advertising” means widespread distribution of promotional material to the public at large.[lxxxiii] In upholding coverage, courts have interpreted “advertising” to preserve insurance coverage in a number of different situations:

a. solicitation letters;[lxxxiv]

b. a flyer describing a business’s products or services;[lxxxv]

c. Prominently displaying or circulating a trademarked name;[lxxxvi]

d. demonstrations of a machine’s performance.[lxxxvii]

Other courts have held, in upholding coverage, that advertising need not be widespread or aimed at the public at large but may include solicitation of discrete numbers of potential customers.[lxxxviii]

2 Application of Definition of “Advertising”

A second threshold issue in Advertising Injury Coverage cases concerns the extent of the connection that is required between the alleged “offense” and the policyholder’s advertising activities. The policy wording includes no requirement that advertising injury be caused by the alleged advertising activity. Courts, therefore, should not read this requirement into the policy language. “Advertising injury” is defined in the 1976 Broad-Form Endorsement as injury “arising out of” one of the enumerated offenses during the policy period.[lxxxix] The 1986 Form states that Advertising Injury coverage applies “only if caused by an offense committed . . . (2) in the course of advertising your goods, products or services . . . .”[xc]

Insurance companies have argued that the “arising out of” or “in the course of” language requires widespread dissemination of promotional materials to the public at large. However, courts typically have not yet considered the views of the insurance industry organization ISO on this issue. In its Explanatory Memorandum for the 1976 Broad-Form Endorsement, ISO used “arising out of” interchangeably in the place of the “in the course of” language:

Advertising Injury covers the insured for various types of injuries such as piracy, unfair competition, infringement of copyright, etc., arising out of the insured’s advertising, promotional or publicity activities.[xci]

ISO, thus, made no distinction between “arising out of” and “in the course of.” ISO’s failure to make such a distinction supports policyholder’s arguments that the insurance industry did not intend the “in the course of” language to be restrictive and require widespread publication of material to the general public to constitute advertising. ISO’s explanation that injury need only “arise out of” the policyholder’s advertising activities suggests a minimal connection between the policyholder’s advertising activities and the allegedly injurious activity.

Courts are divided on this issue. In John Deere,[xcii] the court upheld insurance coverage, finding that the insurance policy contained no express requirement that the advertising activity be a proximate cause of the plaintiff’s injury.[xciii] Courts also have found “advertising” ambiguous and thus have construed it in favor of coverage.[xciv] On the other hand, the California Supreme Court’s decision in Bank of the West agreed that the view that “‘advertising injury’ must have a causal connection with ‘advertising activities,’ best articulates the insured’s objectively reasonable expectations about the scope of coverage.”[xcv]

3 Policy Exclusions

Insurance companies often raise a variety of policy exclusions as possible defenses to coverage under either Advertising Injury or Personal Injury Coverage. As with all exclusions, the insurance company bears the burden of showing that all allegations against the policyholder clearly fit within the scope of the exclusion.[xcvi] None of these exclusions should prevent the insurance company from immediately accepting its duty to defend its policyholder unless all allegations clearly fall within the exclusion.[xcvii] If any of the allegations arguably fall outside the exclusion and, thus, within coverage, the insurance company is obligated to defend until the insurance company can show that all allegations are excluded.[xcviii]

1 “Prior Publication” Exclusion

The “prior publication” exclusion states:

(B) This insurance does not apply:

(1) to personal injury or advertising injury arising out of a publication or utterance of a libel or slander, or a publication or utterance in violation of an individual’s right of privacy, if the first injurious publication or utterance of the same or similar material by or on behalf of the named insured was made prior to the effective date of this insurance.[xcix]

Courts have enforced the exclusion to preclude coverage when it is clear that the advertising activity took place prior to the inception date of the insurance policy at issue.[c] Courts have found the exclusion ambiguous.[ci] Of those courts, some have found that this exclusion applies to preclude coverage only for the offenses of libel, slander defamation, and invasion of privacy.[cii]

Some courts have found that the exclusion applies only if all of the injurious publication took place prior to the policy period. In Guardian Trust Co. v. American States Insurance Co.,[ciii] for example, the court refused to apply the “prior publication” exclusion in a trade disparagement case, even though the complaint clearly alleged that at least some disparaging remarks had been made prior to the inception date of the insurance policy. The New Jersey Appellate Division rejected a motion for summary judgment by an insurance company, finding issues of fact regarding the timing of the publications in question.[civ]

2 “Knowledge” Exclusion

The “knowledge of falsity” exclusion appears in the 1986 Form and states:

2. Exclusions.

This insurance does not apply to:

a. “Personal injury” or “advertising injury”:

(1) Arising out of oral or written publication of material, if done by or at the direction of the insured with knowledge of its falsity; . . . .

(3) Arising out of the wilful violation of a penal statute or ordinance committed by or with the consent of the insured . . . .[cv]

Few cases address this exclusion. Of the courts that have addressed it, most have concluded that the insurance company did not convey its burden to show that all allegations against the policyholder included an element of deceit.[cvi] For example, in Bay Electric, the court found that Travelers had not met its burden because the conduct alleged “could have been found merely negligent or reckless.”[cvii] Courts also have concluded that, with its emphasis on publication, this exclusion applies only to libel and slander liabilities.[cviii] In contrast, the court in Callas noted that the exclusion provided another basis for rejecting coverage because the policyholder knew that its defamatory statements were false.[cix]

The exclusion also can be analogized to the “expected or intended” exclusion found in the “occurrence” definition of standard-form CGL insurance policies and thus should relate only to the knowledge of the policyholder’s senior management. In applying the “expected or intended” exclusion, many courts have refused to bar coverage for intentional acts that cannot be imputed to the policyholder’s senior management.[cx]

3 Breach-of-Contract Exclusion

Some insurance policies include an exclusion seeking to restrict coverage for liability “arising out of breach of contract.” Little law exists applying this exclusion. One court applied it broadly to preclude coverage for claims made by one party to exclusive right-to-sell contract against the other.[cxi] The court found that all allegations, including those of unfair competition, breach of the Lanham Act, defamation, and tortious interference with business relationships, were barred because of the existence of the agreement. The court relied on another decision that had interpreted “arising out of” to mean “having its origins in” or “flowing from.”[cxii]

Of course, many actions “arise out of” some sort of contract. Thus, this broad application of this exclusion would eviscerate the coverage that many policyholders think they are buying. Other courts have implicitly recognized this point, refusing to apply the exclusion in the absence of a claim centered in a contract breach.[cxiii] Those courts also have found that, even if a breach of contract were involved, other allegations against the policyholder activated the insurance company’s duty to defend.[cxiv]

4 Entertainment Exclusion

Some policies include an exclusion for copyright or trademark infringement liability arising out of the “field of entertainment business,” defined as:

The creation, production, publication, distribution, exploitation, exhibition, advertising and publicizing in various media of motion pictures of any kind and character, television programs, commercial, industrial, educational and training films, phonograph records, audio and video tapes, cassettes and discs, electrical transcription, music in sheet or other form, books and other publications, and other similar properties.

The conduct of any players, entertainers or musicians in any production, show appearance or performance, or exhibition . . . .

c. The ownership, operation, maintenance or use of radio and television broadcasting stations, CATV systems, cinemas, stage productions with living actors, and any similar exhibition or broadcast media.

d. The ownership, operation, maintenance or use of merchandising programs, advertising or publicity material, characters or ideas whether or not on premises of the Insured or in possession of the Insured at the time of the alleged offense.[cxv]

This exclusion was likely intended to preclude coverage for liabilities typically covered under media liability insurance policies.

Again, little law exists on this exclusion. In Vivid Video, the court refused to apply the exclusion to non-entertainment aspects of the policyholder’s business. The court found that the exclusion was susceptible to two different interpretations and, thus, construed[cxvi] the ambiguity in the policyholder’s favor.[cxvii]

4 Other Provisions and Types of Coverage

Traditional insurance policies often include other provisions that lead to disputes over coverage for e-commerce or Internet claims. CGL policies may contain “media exclusions” that seek to deny coverage for advertising injuries if the insured is a company involved in providing media services. Also, the territory covered by the policy may be limited to the United States.

Media liability insurance traditionally was written for publishers, advertising agencies, and other companies involved in broadcasting or publishing for themselves or others. Its applicability to cyber-risks chiefly arises in connection with publishing-related liability exposures. However, such policies often are written only for named perils, and disputes may arise about whether the cause of the loss in question falls within one of the named perils identified in the policy. Disputes also may arise about whether coverage extends only to the policyholder’s own efforts, not for others (i.e., not professional liability). Also, the coverage usually excludes coverage for liability for “property damage,” and disputes arise about whether it would apply to liability or loss from security breaches.

Directors and officers (“D&O) liability coverage may provide limited protection for cyber-risks as the standard form typically offers coverage only to named insureds. Unless coverage for the company itself is purchased (usually called “entity coverage”), D&O insurance often will cover only the directors and officers identified as named insureds. D&O insurance thus may not cover the corporation – which is the most likely target for third-party claims – or certain individual employees who were involved in the activities that are the subject of the litigation. Publicly traded corporations may purchase entity coverage, but typically only for securities suits or derivative actions. Privately-held corporations may purchase D&O coverage with broader coverage for the corporation, but such policies typically exclude claims involving liability for property damage and intellectual property infringement.

Errors and omissions insurance policies may be limited by the definition of “professional services” and exclusions for media liability and property damage. Coverage is not necessarily worldwide.

5 Cyber-risk Insurance Coverage

The exposures and potential gaps in traditional insurance policies have created a market for new insurance products, which, in their various permutations, are often referred to as cyber-risk insurance policies. Cyber-risk policies are designed to address the specific insurance needs of technology companies and businesses operating in cyberspace. These policies help to address policyholders’ concerns about gaps in traditional coverages, such as property, inland marine, and commercial general liability policies, or employee theft bonds. In addition, they specifically seek to address concerns about traditional policies’ coverage for “physical damage” to computer assets.

Because this market is new, the policy forms vary greatly. Some policies have been adapted from traditional policies to extend coverage to specific Internet related losses, while others have been drafted primarily with the new technological advances in mind. Regardless of their origin, Cyber-risk policies often are lengthy and complex forms reflecting the unique nature of the risks they are intended to cover.

1 Types of Exposures Covered

Cyber-risk policies available on the market today vary greatly in the nature and scope of coverage they offer. Some cover losses related to an insured’s computer network in general while others focus on insuring risk relating to specific aspects of Internet commerce or the operation of Websites. For example, the Electronic Business and Internet Commerce Protector, an e-commerce policy underwritten in London, covers loss relating to the operation of electronic media, digital services, software, bulletin board, data processing, Internet or information services.

Some Cyber-risk policies often provide broad crime coverage and contain a corporate crime provision that is not limited to theft of or damage to computer-related property. As a hybrid product, these policies also offer coverage for loss caused by fraudulent insider misuse of payment systems. They were designed to reduce disputes over coverage that arose under traditional insurance policies when businesses, such as financial institutions, began to use electronic payment systems and networks. Traditional policies covering financial institutions generally excluded theft by employees because coverage for such acts was available in the form of blanket bonds. Because corporations are now using electronic funds transfer systems, they require separate coverage for such activities not provided by blanket bonds.

Most cyber-risk insurance policies use multiple insuring agreements. For example, the Lloyd’s Computer Information and Data Security policy contains seven insuring agreements relating to fraud and the use of electronic data, computer viruses, and business interruption, among other risks.

2 First-Party versus Third-Party Coverage

One of the most significant factors distinguishing cyber-risk policies is whether the coverage provided is first-party insurance only, third-party only, or both. Many insurers have shown greater comfort in offering either first-party coverage for on-line businesses or third-party coverage, than in offering both coverages.

Typical first-party losses which are covered include physical damage or damage to software or computer data caused by hackers or viruses, illicit computer transfer of money, securities, or tangible property, extortion, business interruption or denial of Website service resulting from electronic vandalism or ISP outage, and loss-control costs. Loss-control costs mean those reasonable expenses incurred by an insured to prevent further loss caused by a covered event.

These cyber-risk first-party coverages typically exclude coverage for loss caused by dishonest acts of insiders, failure to adhere to required system security practices or mismanagement of system, Y2K-related loss, and remediation costs.

Third-party coverage insures against liability to third parties for loss due to exchange of data via e-mail or the Internet, denial of service, theft or destruction of data, unauthorized access, libel and slander, violation of privacy rights, misappropriation of ideas, and unfair competition. Coverage is usually excluded for failure to exercise reasonable care of due diligence, intentional or fraudulent acts, violation of laws such as antitrust, securities, or employment related laws, or legally protected rights, such as patent or copyright, Y2K-related loss, and expenses incurred in the recall of products or services from the marketplace.

3 Role of Auditing and Loss Prevention

Most cyber-risk policies require that a prospective insured=s computer or Internet operation be audited by an independent technical expert service designated by the insurer for underwriting purposes. The policies may also require that the insured undergo an ongoing loss prevention program conducted by the same entity. This is important in light of reports revealing that most organizations that have undergone external security assessment have discovered significant vulnerabilities in their systems.

In addition, policies providing first-party coverage often provide for the hiring of a crisis- management consultant once a loss has been incurred. The role of the crisis management consultant, who may be pre-selected by the insurance company based on the policy language, is to assess damages resulting from the covered loss and coordinate recovery efforts.

Cyber-risk policies continue to evolve and will become even more refined as computer technology and the Internet evolves and additional data regarding significant exposures becomes available. The magnitude of exposure is difficult to predict and underwrite, particularly due to the lack of strong actuarial backup and the complex nature of the risks involved. However, it seems only a matter of time before cyber-risk coverage becomes an integral part of most businesses-risk management programs.

Endnotes

-----------------------

[i] Ms. Masters is a partner at Jenner & Block LLP, in Washington, D.C., where she advises and represents policyholders in insurance coverage, e-commerce, and litigation matters. She is co-author of two treatises on insurance coverage issues: (i) Insurance Coverage Litigation, published in its second edition in January 2000 by Aspen Law & Business and updated annually; and (ii) Liability Insurance in International Arbitration: The Bermuda Form, published in July 2004 by Hart Publishers, London.

[ii] Technically, the correct term for a person who intentionally breaks into other people’s computer systems, causing damage, is “cracker.” A “hacker” is someone with expertise in computer security who may and frequently does use such knowledge for beneficial purposes like preventing security breaches. Unfortunately, the traditional media have typically used “hacker” when “cracker” would have been the correct term. See, e.g., .

[iii] E.g., Andrew Briney & Frank Prince, Disciplined Security, 6 Info. Security, No. 4, at 56 (Oct. 2003); Bruce Schneider, The Process of Security, 3 Info. Security, No. 4, at 32 (Apr. 2000). The United States Department of Justice has created a Computer Crime and Intellectual Property Section (CCIPS) and an Electronic Commerce Working Group to discuss legal issues related to electronic commerce and improper uses of the Internet. See, e.g.,. This site summarizes the federal government’s prosecutions of computer intrusion cases under the federal computer crime statute, 18 U.S.C. § 1030; other relevant federal statutes; and other pertinent information relating to computer crime.

[iv] E.g., Purco Fleet Servs., Inc. v. Towers, 38 F. Supp. 2d 1320 (D. Utah 1999). See also Porsche Cars N. Am., Inc. v. , No. Ca-99-6-A, 1999 WL 378360 (E.D. Va., June 9, 1999), aff’d in part, vacated in part, 302 F.2d 248 (4th Cir. 2002).

[v] E.g., Mainpost v. NewsClub, discussed in (July 25, 2002) . The Database Directive promulgated by the European Union extends copyright protection to those who “select and arrange” information in a database even if the creator does not hold copyrights on the individual works. Id. Long-arm statutes may provide the basis for jurisdiction when website operators are found to be doing business in a jurisdiction in which the company is not physically based. Such business contacts must be of some significance, however. For example, in Mattel, Inc. v. Anderson, No. 04 Civ. 5275 (RCC), 2005 U.S. Dist. LEXIS 14404 (S.D.N.Y. July 18, 2005), the court found that a single sale from a small website business in Canada could not support a finding of personal jurisdiction in a United States court.

[vi] As far back as 1995, the United States Senate’s Permanent Subcommittee on Investigations “reported that a sample of just 12 large corporations revealed theft of electronic funds and intellectual property totaling $800 million.” Reported in Arnold Ceballos, “Law Firms Face Computer Security Snags,” Wall St. J., Aug. 15, 1996, at B2.

[vii] 18 U.S.C. §§ 1030 et seq.

[viii] 18 U.S.C. § 1030(g).

[ix] See, e.g., In re Am. Online, Inc. Version 5.0, 168 F. Supp. 2d 1359 (S.D.N.Y. 2001); In re Doubleclick, Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001).

[x] America Online, Inc. v. National Health Carediscount, Inc., 174 F. Supp. 2d 890 (N.D. Iowa 2001).

[xi] Ex-Employee lndicted for Computer “Bomb” That Deleted Employer’s Critical Programs, 3 BNA Elec. Commerce & L. Rep., No. 8, at 247 (Feb. 25, 1998).

[xii] For example, many standard property insurance and general liability insurance policies continue to include “Year 2000,” or “Y2K,” exclusions. These exclusions are not simply historical artifacts. Such exclusions are so broadly written that they may preclude coverage for damage to computer assets; they should be carefully scrutinized to ensure that they do not unexpectedly vitiate the policyholder’s expected coverage for damage or loss to computer assets or use of the internet. See, e.g., “Insuring Cyberspace: Back to the Future: Coverage for Y2K Remediation Costs Under ‘Sue and Labor’ Clauses,” E-Commerce Law Report, Vol. 2, No. 3, December 1999/January 2000, at 26.

[xiii] The Gramm-Leach-Bliley Act, 15 U.S.C. § 6802, imposes an obligation upon “financial institutions” to safeguard, for example, “nonpublic financial information.”

[xiv] 42 U.S.C. § 1320. HIPAA applies generally to any entity that collects personal information pursuant to the administration or sale of a health-insurance product, or in the provision of health services. Among other things, HIPAA:

• Mandates access to and ability to amend health information.

• Establishes an “opt-in” for the dissemination of protected information that is not necessary for treatment, payment, or health care operations.

• Imposes certain administration requirements including the segregation of information between a health plan and an employer (although summary information can be provided).

[xv] Pub.L. 105-277, div C, tit. XIII (Oct. 21, 1998), 112 Stat 2681-728, codified at 15 U.S.C. §§ 6501-6506 (COPPA). This statute is often confused with a statute with a similar name, the Children’s Online Protection Act (COPA), which sought to limit the ability of minors to access pornography on the internet. The United States Supreme Court found COPPA unconstitutional. Ashcroft v. American Civil Liberties Union, 542 U.S. 656 (2004).

[xvi] .

[xvii] As early as mid-1990s, the Wall Street Journal noted,

Even corporations aren’t immune from watchers. Their e-mail systems can be infiltrated by hackers, and sensitive data sent over the Web can be intercepted by unscrupulous competitors. And in their own version of “Spy vs. Spy,” companies can keep tabs on each other by analyzing how often rivals visit their Websites.

Gautam Naik, Do I Have Privacy On-Line?, Wall St. J., Dec. 9, 1996, at R12.

[xviii] E.g., Conference Report, Apr. 16, 1998, World Computer Law Conf., Website Operators Urged to Be Mindful of International Data Protection Laws, 3 BNA Elec. Commerce & L. Rep., No. 16, at 521 (Apr. 22, 1995); see also .

[xix] OMB Requires All Federal Agencies Websites To Have Privacy Policies by December 1999, 4 BNA Elec. Commerce & L. Rep., No. 24, at 525 (June 16, 1999). Model language for federal agencies’ websites posted at the Chief Information Officers’ Council site .

[xx] If using the safe harbors, a company collecting data submits to FTC jurisdiction and also agrees to allow enforcement by individuals. In 2001, the EU adopted standard contractual clauses that allow contracting parties to also satisfy the EU Privacy Directive.

[xxi] 545 U.S. 913 (2005).

[xxii] For an earlier discussion of infringing uses of deep-linking, see TicketMaster Corp. v. , Inc., No. CV 99-7654, 2000 U.S. Dist. LEXIS 4553, at *6, *11-12 (C.D. Cal. Mar. 12, 2000).

[xxiii] The United States Congress enacted the Communication’s Decency Act (CDA), a law that shields ISPs from liability for allegedly defamatory or other injurious publication of materials posted on Web sites, chat rooms, or bulletin boards. However, ISPs do not automatically enjoy such protection elsewhere. The safe-harbor provisions of the CDA may not apply if, as a matter of fact, the plaintiff has played an active role in developing the allegedly defamatory: material. E.g., Carafano v. , Case No. CV 01-0018 DT [CWx] (C.D. Cal. 2002). Courts have held, however, that minor editing of website content will not affect the immunity provided by the CDA. E.g., Batzel v. Smith, 333 F.3d 1018 (9th Cir. 2003).

[xxiv] E.g., Batzel v. Smith, 333 F.3d 1018 (9th Cit. 2003) (found a listserv moderator and operator of a website liable for publishing allegedly defamatory material provided by third party because of the minor selection and editing provided by the listserv).

[xxv] E.g., America Online, Inc. v. CN Productions, Inc., No. 98-552-A, 2002 U.S. Dist, LEXIS 1607 (E.D. Va. 2002), reprinted at .

[xxvi] The full name of the statute is the Controlling the Assault of Non-Solicited Pornography and Marketing Act. 15 U.S.C. § 7701. See generally Joyce Manishin, Current Spam Law & Policy: An Overview and Update, 21 Computer Internet Law 1 (Oct. 2004).

[xxvii] 15 U.S.C. §§ 7703, 7705, 7706(a)-(e).

[xxviii] 15 U.S.C. § 7706(f).

[xxix] E.g., Carstens v. Bonzi Software, Inc., No. 02-207199-1 (Wash. 2003), discussed at (lawsuit over pop-up Internet window entitled “security alert” called deceptive).

[xxx] E.g., Washington Post v. Gator Corp. (E.D. Va. 2002), discussed at .

[xxxi] E.g., FTC v. Zuccarini, No. 0l-cv-4854 (E.D. Pa. 2001). The trial court granted the FTC a temporary restraining order against the defendants’ mousetrapping, which occurs when a visitor to a Website cannot return to the original site because the back button on the browser activates pop-up advertising and is otherwise disabled. FTC Release at .

[xxxii] E.g., U-Haul Int’l, Inc. v. , No. 02-1469-A, 2003 U.S. Dist. LEXIS 15710, 68 U.S.P.Q.2d (BNA) 1038 (E.D. Va., Sept. 3, 2003). A federal court dismissed an action by U-Haul, complaining of the defendant’s practice of delivering competitors’ pop-up advertisements to visitors to U-Haul’s Website. The court rejected U-Haul’s charges of trademark infringement, unfair competition, and copyright infringement.

[xxxiii] E.g., America Online, Inc. v. CN Productions, Inc., No. 98-552-A, 2002 U.S. Dist, LEXIS 1607 (E.D. Va. 2002), reprinted at .

[xxxiv] Online at buspubs/ruleroad.htm.

[xxxv] Id.

[xxxvi] Cal. Civil Code § 1798.29.

[xxxvii] Cal. Bus. & Prof. Code § 22577 et seq.

[xxxviii] 15 U.S.C. § 7241(a).

[xxxix] Testimony of Richard J. Hillman, Associate Director of GAO’s Financial Institutions and Markets Issues of the General Government Division, to Sen. Permanent Subcomm. on Investigations of Governmental Affairs Comm., Mar. 22, 1999, reported in 4 BNA’s Elec. Commerce & L. Rep., No. 13, at 284 (Mar. 31, 1999).

[xl] See, e.g., “Deborah Lohse, Stock Regulators Are Worried Dangers Lurk for Investors in On-Line Chat Sites,” Wall. St. J., Sept. 12, 1996, at C1; Bradley D. Belt, From the Industrial Age to the Informational Age, Washington Quar., July 1996, at 107.

[xli] Blakey v. Continental Airlines, 164 N.J. 38, 751 A2d 538 (2000) (“Blakey”).

[xlii] Id. at 55-56, 751 A.2d at 556-57.

[xliii] 266 F.3d 64 (2d Cir. 2001) (“Leventhal”).

[xliv] Id. at 75-77.

[xlv] E.g., United States v. Angevine, 281 F.3d 1130 (10th Cir.), cert. denied, 537 U.S. 845 (2002) (affirming trial court’s refusal to suppress images of child pornography seized from the computer of an employee of Oklahoma State University). The court concluded that employees do not have an objectively reasonable expectation of privacy for employees downloading obscene material in violation of the employer’s office policies. 281 F.3d at 1135.

[xlvi] No. 99-185 TUC, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. Apr. 18, 2000) (“Ingram-Micro”) (upholding first-party property coverage for damage to computer hardware and data).

[xlvii] 119 S.W.3d 16 (Tex. App. 2003) (“Lambrecht”).

[xlviii] Id. at 21-23.

[xlix] Id. at 25. The court noted, for example, that the server, which was ruined, fell within the definition of “electronic media and records.” Id.

[l] See, e.g., id. at 24 (citing Ingram-Micro, 2000 U.S. Dist. LEXIS 7299; and America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 466-67 (E.D. Va. 2002), aff’d, 347 F.3d 89 (4th Cir. 2003)).

[li] See generally the discussion in Lambrecht, at 119 S.W.3d at 25-26.

[lii] Id. at 26.

[liii] 207 F. Supp. 2d 459, 466-67 (E.D. Va. 2002), aff’d, 347 F.3d 89 (4th Cir. 2003) (“AOL”).

[liv] Id. at 462.

[lv] 347 F.3d at 101.

[lvi] Id. at 101-02.

[lvii] Id.

[lviii] Id. See also State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001).

[lix] 207 F. Supp. 2d at 464.

[lx] Id. at 462, 469-70.

[lxi] 347 F.3d at 101-02.

[lxii] Id. at 94-95.

[lxiii] Id. at 97.

[lxiv] Id. at 97-98.

[lxv] See, e.g., Eugene R. Anderson, Jordan S. Stanzler, & Lorelie S. Masters, Insurance Coverage Litigation §14.07[E] (Aspen Law & Business, 2000 & Supp. 2007) (Insurance Coverage Litigation).

[lxvi] 207 F. Supp. 2d at 463. See also Cincinnati Ins. Co. v. Professional Data Servs., Inc., No. 01-2610-CM, 2003 U.S. Dist. LEXIS 15859 (D. Kan. July 18, 2003).

[lxvii] Id. at 464.

[lxviii] See, e.g., Insurance Coverage Litigation § 15.06.

[lxix] Id.

[lxx] 11 F. Supp. 2d 1150 (N.D. Cal. 1998).

[lxxi] Insurance Coverage Litigation § 16.02.

[lxxii] 141 F.3d 983 (10th Cir. 1998).

[lxxiii] See John Deere Ins. Co. v. Shamrock Indus., 696 F. Supp. 434 (D. Minn. 1988), aff=d, 929 F.2d 413 (8th Cir. 1991) (John Deere); New Hampshire Ins. Co. v. R.L. Chaides Constr. Co., 847 F. Supp. 1452 (N.D. Cal. 1994) (Chaides); New Hampshire Ins. Co. v. Foxfire, Inc., 820 F. Supp. 489 (N.D. Cal. 1993) (Foxfire).

[lxxiv] E.g., Copart, Inc. v. Travelers Ins. Co., Nos. 99-17380, 99-17470, 2001 U.S. App. LEXIS 6140, at *4-5 (9th Cir. Apr. 3, 2001) (Copart).

[lxxv] Tri-State Ins. Co. v. B&L Prods. Co., 964 S.W.2d 402, 404-05 (1998) (Tri-State); Farmington Cas. Co. v. Cyberlogic Techs., Inc., 996 F. Supp. 695, 701 (E.D. Mich. 1998) (Farmington). See Attorneys= Title Guar. Fund, Inc. v. Maryland Cas. Co., No. 90C 3916, 1991 U.S. Dist. LEXIS 11909 (N.D. Ill. Aug. 27, 1991).

[lxxvi] Flodine v. State Farm Ins. Co., No. 99 C 7466, 2001 U.S. Dist. LEXIS 2204, at *32-33 (N.D. Ill. Mar. 1, 2001) (Flodine).

[lxxvii] See, e.g., Chaides, 847 F. Supp. at 1456 (issues must be “examined in the context of the overall universe of customers to whom a communication may be addressed.”). Courts have reached differing results. Compare Elan Pharmaceutical v. Employers Ins. Co., 144 F.3d 1372 (11th Cir. 1998) (dissemination of studies to develop market for policyholder=s products constitutes “advertising”) (Elan), with Bank of the West v. Superior Court, 833 P.2d 545 (Cal. 1992) (requiring wide-spread distribution to the public at large).

[lxxviii] A typical advertising injury exclusion states as follows:

B. This insurance does not apply to:

* * *

(7) with respect to advertising injury

(a) to any insured in the business of advertising, broadcasting, publishing or telecasting . . . .

1 Jack P. Gibson & Maureen C. McLendon, Commercial Liability Insurance at IV.T.24 (2007) (hereinafter Gibson & McLendon); see also id. at IV.T.37.

[lxxix] See, e.g., Bay Elec. Supply, Inc. v. Travelers Lloyds Ins. Co., 61 F. Supp. 2d 611, 617-19 (S.D. Tex. 1999) (Bay Electric).

[lxxx] See, e.g., Playboy Enterprises, Inc. v. St. Paul Fire & Marine Ins. Co., 769 F.2d 425 (7th Cir. 1985) (Playboy); Fox Chem. Co. v. Great Am. Ins. Co., 264 N.W.2d 385 (Minn. 1978) (Fox Chemical).

[lxxxi] 786 F.2d 821 (N.D. Cal. 1991) (Canyon Creek).

[lxxxii] Id. at 828 (emphasis added).

[lxxxiii] E.g., Playboy, 769 F.2d at 429; Monumental Life Ins. Co. v. United States Fidelity & Guar. Co., 617 A.2d 1163, 1173-74 (Md. Ct. App. 1993); Smartfoods, Inc. v. Nortbrook Property & Cas. Co., 618 N.E.2d 1365, 1368 (Mass. App. Ct. 1993) (Smartfoods); Delta Pride Catfish, Inc. v. Home Ins. Co., 697 So. 2d 400, 405 (Miss. 1997).

[lxxxiv] John Deere, 696 F. Supp. at 439-40; Foxfire, 820 F. Supp. at 493; Tri-State, 61 Ark. App. at 82. See also Elan, 144 F.3d at 1376-77 (distribution of clinical studies in effort to establish market constitutes “advertising”); U.S. Fidelity & Guar. Co. v. Star Techs., Inc., 935 F. Supp. 1110, 1114 (D. Or. 1996) (“The majority of courts . . . have broadly construed ‘advertising activities’ to encompass a variety of business solicitations.”). Contra Monumental Life Ins. Co. v. United States Fidelity & Guar. Co., 617 A.2d 1163 (Md. App.), cert. denied, 330 Md. 319 (1993).

[lxxxv] Merchants Co. v. American Motorists Ins. Co., 794 F. Supp. 611 (S.D. Miss. 1992) (Merchants). Contra Smartfoods, 618 N.E.2d 1365.

[lxxxvi] Platinum Tech., Inc. v. Federal Ins. Co., No. 99 C 7378, 2000 U.S. Dist. LEXIS 9509, at *10-16 (N.D. Ill. June 27, 2000) (Platinum Tech).

[lxxxvii] John Deere, 696 F. Supp. at 439-40.

[lxxxviii] E.g., Sentex Sys., Inc. v. Hartford Accident & Indem. Co., 882 F. Supp. 930, 939 (C.D. Cal. 1995), aff=d, 93 F.3d 578 (9th Cir. 1996) (Sentex); Foxfire, 820 F. Supp. at 494; John Deere, 696 F. Supp. at 440.

[lxxxix] 1 Gibson & McLendon at IV.T.24 (emphasis added).

[xc] Id. at IV.T.37 (emphasis added).

[xci] ISO Explanatory Memorandum (1976) (emphasis added), discussed in Insurance Coverage Litigation § 16.02.

[xcii] 696 F. Supp. 434 (D. Minn. 1988), aff=d, 929 F.2d 413 (8th Cir. 1991).

[xciii] 696 F. Supp. at 446. Accord Erie Ins. Group v. Sears Corp., 102 F.3d 889 (7th Cir. 1996); Foxfire, 820 F. Supp. 489.

[xciv] E.g., Bay Electric, 61 F. Supp. 2d at 617-19; Amway Distributors Benefits Ass=n v. Federal Ins. Co., 990 F. Supp. 936 (W.D. Mich. 1997).

[xcv] 10 Cal. Rptr. 2d 538, 552 (Cal. 1992). See also Microtec Research, Inc. v. Nationwide Mut. Ins. Co., 40 F.3d 968 (9th Cir. 1994); Frog, Switch & Mfg. Co. v. Travelers Ins. Co., 20 F. Supp. 2d 798 (M.D. Pa. 1998), aff=d, 193 F.3d 742 (3d Cir. 1999) (Frog, Switch).

[xcvi] E.g., ECKO Group, Inc. v. Travelers Indem. Co., 273 F.3d 409, 2000 U.S. Dist. LEXIS 17702, at *24-25 (1st Cir. 2001); Bay Electric, 61 F. Supp. 2d at 619.

[xcvii] See, e.g., Insurance Coverage Litigation § 3.2, 3.5, 3.17.

[xcviii] See, e.g., Avondale Indus., Inc. v. Travelers Indem. Co., 887 F.2d 1200, 1204-05 (2d Cir. 1989), cert. denied, 496 U.S. 906 (1990); J.A.J., Inc. v. Aetna Cas. & Sur. Co., 529 A.2d 806, 807-08 (Me. 1987).

[xcix] 1 Gibson & McLendon at IV.T.24 (emphasis added).

[c] See, e.g., Envirotech Indus., Inc. v. United Capitol Ins. Co., 141 F.3d 1175 (9th Cir. 1998) (not citable in 9th Cir.) (published in electronic services only at 1998 U.S. App. LEXIS 6175).

[ci] Iron Home Builders, Inc. v. Auto-Owners, Inc., 839 F. Supp. 1260, 1264-65 (E.D. Mich.) (Iron Home).

[cii] Iron Home, 839 F. Supp. at 1264. Contra Applied Bolting Tech. Prods., Inc. v. United States Fidelity & Guar. Co., 942 F. Supp. 1029, 1037 (1996), aff’d, 118 F.3d 1574 (3d Cir. 1997).

[ciii] No. 95-4073-SAC, 1996 U.S. Dist. LEXIS 13076 (D. Kan. July 30, 1996).

[civ] Tradesoft Techs., Inc. v. Franklin Mut. Ins. Co., 329 N.J. Super. 137, 152-53, 746 A.2d 1078, 1084-85 (App. Div. 2000).

[cv] 1 Gibson & McLendon at IV.T.37 (emphasis added).

[cvi] Bay Electric, 61 F. Supp. 2d at 619; Ethicon, Inc. v. Aetna Cas. & Sur. Co., 737 F. Supp. 1320 (S.D.N.Y. 1990); see also Elcom Techs. v. Hartford Ins. Co. of the Midwest, 991 F. Supp. 1294 (D. Utah 1997) (rejecting “knowledge of falsity exclusion argument where the underlying case involved false advertising claims”).

[cvii] 61 F. Supp. 2d at 619.

[cviii] E.g., Interface, Inc. v. Standard Fire Ins. Co., No. 1:99-cv-1485-MHS, 2000 U.S. Dist. LEXIS 14019, at *13-14 (N.D. Ga. 2000).

[cix] 193 F.3d 952 (8th Cir. 1999) (applying Minnesota law) (Callas). Callas ignored an earlier Minnesota Court of Appeals decision upholding Advertising Injury Coverage for alleged trademark infringement. Williamson v. North Star Cos., No. C3-96-1139, 1997 WL 53029 (Minn. Ct. App. Feb. 11, 1997) (Williamson); see also Louis J. Speltz & Ann S. Grayson, Is That Your Final Answer? Are Insureds Entitled to Insurance Coverage for Trademark Infringement?, 23 Hamline L. Rev. 348 (Spring 2000) (discussing Williamson and Callas).

[cx] Many such decisions are predicated on the court=s finding that the term “insured” is ambiguous with respect to corporate policyholders. See, e.g., Edwards v. Akion, 279 S.E.2d 894 (N.C. Ct. App.), aff=d, 284 S.E.2d 518 (N.C. 1981).

[cxi] Callas, 193 F.3d at 957.

[cxii] Id.

[cxiii] Flodine, 2001 U.S. Dist. LEXIS 2204, at *38-39.

[cxiv] Id.

[cxv] Vivid Video, Inc. v. North Am. Specialty Ins. Co., No. 98-8674 RSWL, 1999 U.S. Dist. LEXIS 15322, at *10-13 (C.D. Cal. June 29, 1999) (Vivid Video).

[cxvi] Id. At least one case also addressed an exclusion in an umbrella insurance policy for liability from infringement of a trademark, service mark, or trade name for goods or services “sold, offered for sale, or advertised; but this exclusion does not apply to titles or slogans.” Industrial Indem. Co. v. Apple Computer, Inc., 79 Cal. App. 4th 817, 95 Cal. Rptr. 2d 528, 544-45 (1999). The court in Apple Computer applied the exclusion to preclude coverage in an infringement action between the Beatles= companies, Apple Corp., Ltd., and Apple Corp., S.A., and Apple Computer, Inc. 95 Cal. Rptr. 2d at 545.

[cxvii] Vivid Video, 1999 U.S. Dist. 15322, at *10-13.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download