Movie-goers and science fiction readers often areentertained by stories about alien invasions from outer space. Theother-worldly creatures come to earth and wreak havoc, death, anddestruction—until they are eventually beaten by human heroes, ofcourse.

These stories are make-believe and always end well. However,another threat facing humans today is not so easily vanquished—thethreat from cyber space. This threat is real, comes in many forms,is continuous, and can cause permanent damage.

The everyday use and reliance on the computer to carry ontoday's business dealings is a generally accepted way of life. Butthis reliance on computers can lead to huge problems forbusinesses, such as lawsuits based on claims for (among otherthings):

• Defamation
• Invasion of privacy
• Infliction of emotional distress
• Interference with business relationship
• Breach of information security

There are various risk-management techniques that a business canemploy to counter these threats. One way is the purchase ofinsurance.

A Strange New World of Liability
TheInsurance Services Office (ISO) has its commercial generalliability (CGL) coverage form and the information securityprotection policy to offer some insurance protection to insuredbusinesses. Of course, coverage always depends on the facts of theincident compared to the wording of the policy (especiallyexclusions) and how a court interprets the relationship betweenthem.

As an example, suppose an employee uses his company computer todefame a neighbor. The neighbor sues the employer and the employee,and the employer gives the lawsuit to its insurer and demandsdefense and indemnity. The insured has the CGL form and theinformation security protection policy with the same insurer. Theinformation security policy applies to loss that the insuredbecomes legally obligated to pay (and defense expenses) as a resultof a claim of a wrongful act. A wrongful act is defined in thepolicy to include defamation. Both the insured employer and theemployee are insureds under the policy, but there are exclusionsthat could prevent coverage.

The Full Policy Probe
The informationsecurity policy excludes coverage for loss or defense expensesbased upon written publication by an insured with the knowledge ofits falsity. So, if the employee knows what he posted on thecompany computer is false, then he certainly has no coverage underthe policy. But what about the insured employer?

The exclusion applies to injury caused by “an insured,” andthere is no exception for the insured that has no knowledge of thesituation. Moreover, another exclusion applies to loss arising outof any malicious act by “any insured.” The use of the words “an”and “any” when it comes to insureds and exclusions means that theexclusion applies to all of the insureds. Somejurisdictions are reconsidering the generalized scope of “an” and“any,” but most courts today would uphold the exclusions againstboth the employee and the employer.

The CGL form covers damages arising out of written publicationof material that libels a person. The form also has an exclusionpertaining to material published with knowledge of falsity.However, this exclusion refers to publishing the false material by“the” insured.

Is the Employee “An Insured”
It can beargued that the employee is not an insured since he was not actingwithin the scope of his employment when he defamed his neighbor—butis the exclusion still applicable to the employer? Unless theemployer knew about the falsity of the information published by theemployee and let the employee go ahead and put it on the companycomputer, the employer would have coverage under the CGL form for adefamation claim against him.

As another example, suppose the named insured company is chargedwith a security breach, i.e., allowing the acquisition of personalinformation held within its computer system by a person who is notauthorized to have access to such information. The informationsecurity protection policy offers insurance coverage to the insuredfor compensatory damages and defense expense that the insuredbecomes legally obligated to pay. The policy does not have anyapplicable exclusion to prevent coverage for the negligent acts (oromissions) of the insured.

The CGL form does apply to claims based on thewritten publication of material that violates a person's right ofprivacy. Disclosure of privacy facts fits this description. WilliamProsser, in his Law of Torts, states that the elementsnecessary to establish an invasion of the right of privacy arefirst, that the disclosure of the private facts must be a publicdisclosure, and second, that the disclosure must be in the form ofa highly objectionable kind. Obviously, if the insured allowsprivate data, such as Social Security numbers or medical history,to be made public, the elements Prosser notes are present. As withthe information security protection policy, there are no exclusionsin the CGL form that would prevent coverage for the negligence ofthe insured in this instance.

Residual Effects: Emotional Distress
Whenit comes to the infliction of emotional distress, the informationsecurity protection policy and the CGL form approach such claims intheir own respective manner. The information security protectionpolicy does not directly exclude claims of emotional distressarising out of website publishing liability or security breachliability. It does state that the policy will not pay for lossbased on, attributable to, or arising out of bodilyinjury.

In other words, if the injured party claims his emotional ormental distress arose out of some bodily injury, the policy willnot apply; the claim has to be that the infliction of emotionaldistress was the direct result of the publishing or securitybreach. The CGL form, under coverage B, applies to “injury”(including consequential bodily injury), and the use of this wordmeans that the form will apply to emotional distress claims thatarise out of defamation or violation of the right of privacy.

In another example of claims that may arise from the world ofcomputers, a plaintiff may assert that a disparagement or invasionof privacy resulted in an interference with its businessrelationships with existing or potential customers. Suppose aninsured, eager to increase his company's profits, disparages acompetitor's products or services by sending such material out intocyber space. Such an act is included in the definition of a covered“wrongful act” that appears in the website publishing liabilityinsuring agreement in the information security protection policy;the CGL form's definition of “personal and advertising injury” alsoincludes such an act.

Disparaging Others
Aside from anyapplicable exclusions that might prevent coverage, insureds shouldknow that some courts look at claims involving such acts inrelation to advertising. Both Acme United Corporation v. St.Paul Fire & Marine Insurance Company, 214 Fed.Appx. 596(2007) and Harleysville Mutual Insurance Company v. Buzz OffInsect Shield, 692 S.E.2d 605 (2010) are cases where thecourts addressed claims of false and disparaging statements aboutcompetitors' products, and both courts relied heavily for theirrulings on whether the allegations against the insureds involvedadvertising injury offenses.

Moreover, both the information security protection policy andthe CGL form emphasize advertisement or publication to the generalpublic as the basis for coverage for disparagement claims.

This has been a brief summary of two insurance policies that areavailable to any business that feels it is subject to claimsarising out of the use of computers. There are certainly otherrisk-management techniques available to counter cyber risks, and itis up to the individual business as to how best to handle suchrisks.