Internet Liability and Network Protection Policy

October, 2005

ISO E-Commerce Program

 

Summary: The Insurance Services Office (ISO) has developed an e-commerce program providing coverage for cyber risks, a growing threat to the world's resources. E-commerce coverage has been available through several specialty markets; this program makes the coverage available through standard markets. The program is being established as a new line of business. Initially, the program consists of the Internet Liability and Network Protection Policy, although there are some endorsements that can modify the policy. ISO intends to expand the program to include financial institutions, advertisers, publishers, and broadcasters.

This article discusses form EC 00 10 07 05 Internet Liability and Network Protection Policy.

Topics covered:

Introduction
Insuring agreements
Limits of insurance; deductible
Defense and settlement
Exclusions
Conditions
Definitions
Endorsements

Introduction

EC 00 10 07 05 Internet Liability and Network Protection Policy has been developed to answer the growing need for standardized forms addressing the risks of e-commerce in an increasingly hostile environment. What was once considered a wonderful new way of doing business has become fraught with peril for the unwary. Hackers, phishers, pharmers, and out-and-out thieves have become commonplace. This coverage form is an important "first step" in protecting against loss of electronic data; extortion threats; wrongful acts committed by the named insured in publishing its Web site; and wrongful acts that allow unauthorized access to the insured's computer system with the result that a client's personal information is published. Included as well is business income loss resulting from an e-commerce incident or extortion threat.

This article discusses coverages, exclusions, and conditions of form EC 00 10 07 05. All words or terms appearing in italics in this article are defined; see Definitions.

Insuring Agreements

Insuring Agreement A – Web Site Publishing Liability states that the insurer will pay for loss the insured becomes legally obligated to pay, and defense expenses, as a result of a claim first made against the insured during the policy period or applicable extended reporting period, for a wrongful act or series of interrelated wrongful acts taking place on or after the retroactive date, if any, shown in the Declarations and before the end of the policy period.

Insuring Agreement B – Network Security Liability declares that the insurer will pay for loss the insured is legally obligated to pay, as well as defense expenses resulting from a claim first made against the insured during the policy period, or during the applicable extended reporting period, for a wrongful act or a series of interrelated wrongful acts taking place on or after the retroactive date, if any, shown in the Declarations and before the end of the policy period.

Insuring Agreement C – Replacement or Restoration Of Electronic Data promises the insurer will pay for loss of electronic data or computer programs stored within the business's computer system resulting directly from an e-commerce incident which is both sustained and reported to the insurer during the policy period.

Insuring Agreement D – Cyber Extortion declares the insurer will pay for loss resulting directly from an extortion threat that is both communicated to the insured business and reported to the insurer during the policy period. The insurer will not pay for extortion expenses or ransom payments which are part of a series of related threats that began prior to the policy period.

Insuring Agreement E – Business Income And Extra Expense states the insurer will pay for loss due to an interruption resulting directly from an e-commerce incident or an extortion threat.

Limits of Insurance; Deductible

Coverage is written on an aggregate basis. Any amount paid for covered loss and defense expenses reduces the policy aggregate. Upon exhaustion of the limits, the insurer will not be liable for any loss regardless of when a claim is made or a loss is sustained.

Each insuring agreement may be written for a different amount of insurance (and applicable deductible), or omitted entirely; a single policy aggregate applies across all of them.

The deductible application varies depending upon the insuring agreement to which it is applied. For Insuring Agreements A, B, C, or D, the insurer pays only the amount of covered loss and defense expenses in excess of the deductible shown in the Declarations. For example, under Insuring Agreement A, the deductible applies to all loss and defense expenses resulting from the same wrongful act or interrelated wrongful acts that are covered under Web Site Publishing Liability.

In regard to the deductible for Insuring Agreement E – Business Income And Extra Expense, the insurer pays only the amount of covered loss which exceeds the greater of the deductible amount shown in the Declarations, or the amount of loss incurred during the waiting period shown in the Declarations.

In the event that the loss is covered under more than one insuring agreement, the deductible amount is applied separately to each insuring agreement.

Defense and Settlement

The defense and settlement provisions apply only to Insuring Agreements A – Web Site Publishing Liability, and B – Network Security Liability. The insurer has the right and duty to select counsel and defend the insured against any covered claim, regardless of whether the allegations of the claim are groundless, false or fraudulent. But if insuring agreement A or B clearly does not apply, the insurer has no duty to defend.

The insurer may settle a claim with the insured's consent. If the insured withholds consent to a settlement the insurer recommends, the insurer's liability for all loss resulting from that claim is capped at the amount for which it could have settled, plus defense expenses incurred up to the date the settlement was proposed to the insured. From that point on, the insured bears all further costs of its defense, including investigative costs, defense costs, and settlement costs.

Exclusions

Form EC 00 10 07 05 contains twenty-eight exclusions. The following are excluded based upon, attributable to, or arising out of:

Lightning, earthquake, hail, volcanic action, or other act of nature;

War, warlike action, insurrection;

Dispersal of a pathogenic or poisonous biological, chemical, or nuclear material;

Bodily injury or physical damage or destruction of tangible property;

Unexplained or indeterminable failure of the computer system;

Interruption in normal computer function because of overload of the system;

Complete or substantial failure of the internet, regardless of cause;

Actual or alleged violation of the Racketeer Influenced and Corrupt Organizations Act (RICO);

Actual or alleged violation of ERISA and its amendments;

Malfunction or failure of any satellite;

Injury caused by an insured;

Oral or written publication of material;

Insured's assumption of liability;

Actual or alleged patent or trade secret violation;

Actual, alleged or threatened dispersal, seepage, release of pollutants;

Claim or suit pending or existing prior to the policy period;

Employment practices;

Wrongful act occurring prior to the Retroactive Date, if any;

Wrongful act alleged in any claim reported under any prior policy;

Violation of the Securities Act of 1933 or the Securities Exchange Act of 1934;

Willful violation of any statute or regulation; however, the insurer will defend until final adjudication is rendered against the insured violating the statute (with certain exceptions; read the form);

Costs, fees or other expenses incurred to establish the existence or amount of insured loss;

Employees for whom similar prior insurance has been canceled;

Action by governmental authority (with certain exceptions; read the form);

Regulatory charges brought on behalf of the FTC or other regulatory authority, unless the authority is acting in its capacity as a customer of the insured business or a subsidiary;

Costs associated with upgrading or improving the computer system;

Claims of one insured against another insured.

Conditions

Form EC 00 10 07 05 contains several conditions relating to cancellation, loss settlement, duties in event of a loss, etc. They are summarized below:

Cancellation: The first named insured can cancel with written notice to the insurer; the insurer can cancel with ten days' notice for nonpayment of premium, and otherwise with thirty days' notice. (This provision may be modified by a state amendatory endorsement.) Proof of mailing is sufficient proof of notice.

Changes: The first named insured is authorized to make changes in the policy terms, but only with the insurer's consent. Terms can be amended or waived only by an endorsement issued by the insurer.

Examination of Books and Records: The insurer has permission to examine and audit the insured's books.

Inspections and Surveys: The insurer has the right to make inspections or surveys and recommend changes, but is not obligated to do so.

Premium: The first named insured is responsible for payment of all premiums, and is the payee for any return.

Transfer of the Policy: The insured's rights and duties cannot be transferred without the insurer's consent, except in the case of the death of an individual named insured.

Subrogation: The insurer is subrogated to the extent of any payment to the insured and/or the insured's right of recovery.

Bankruptcy: The insurer's obligations under the policy do not terminate in event of the insured's bankruptcy.

Representations: The insured warrants that all information and statements contained in the application are true, accurate and complete.

Changes in Exposure: If an insured acquires another business, there is no coverage unless notice is given to the insurer within ninety days, consent by the insurer is obtained, and an additional premium paid. If the named insured business is acquired or merges with another, the policy continues until the end of the policy period but only with respect to wrongful acts occurring prior to the merger or acquisition. If an organization ceases to be a subsidiary, coverage continues to the end of the policy period but only with respect to wrongful acts occurring prior to the cessation.

Other Insurance: If a covered loss is also covered by another valid policy, then this policy applies only in excess of any retention, deductible, and limit of the other policy, even if the other policy declares itself to be primary, contributory, excess, contingent, or otherwise, unless the other policy is specifically written to be excess of this policy. When this policy is excess, the insurer has no duty to defend if any other insurer has that duty. But if no other insurer defends, this policy will provide a defense but then be entitled to the insured's rights against the other insurers.

Legal Action Against Us: No one has the right to join the insurer as a party to a suit seeking damages from an insured. The insured must comply with all policy terms before bringing suit against the insurer. Suit must be brought within two years from the date the loss is reported (unless modified by law).

Separation of Insureds: Except with respect to the applicable limits of insurance, the insurance applies separately to each insured against whom claim is made.

Duties in the Event of a Claim or Loss: The named insured must notify the insurer of any occurrence or claim that might result in a claim against an insured, or of any loss that might be covered by the policy. The insured must authorize the insurer to obtain records and other information. In the event of a loss under Insuring Agreements C and D, the insured must also notify law enforcement officials. Proof of loss is due within 120 days.

Valuation – Settlement: Premiums and any other monetary amounts are expressed and payable in the currency of the United States of America. Business income loss is determined based on net income before the covered interruption; the insured's likely income had no interruption occurred; the operating expenses, including payroll, necessary to resume e-commerce activities; and other relevant sources of information. Business income loss is reduced to the extent that lost e-commerce activities are offset by an increase in business through other means, such as mail or telephone. Extra expense is determined based on necessary expenses exceeding the normal operating expenses that would otherwise have been incurred, and necessary expenses that reduce the business income loss.

Extended Reporting Periods: The basic extended reporting period lasts thirty days, but does not apply to claims covered under any subsequent insurance the insured has purchased. It does not extend the policy period. The supplemental extended reporting period is available by endorsement and for an extra charge if the policy is cancelled (except for nonpayment) or nonrenewed by the insurer. The request must be made in writing and the full premium paid within thirty days after the end of the policy period. This reporting period does not extend the policy period; it gives the insured additional time to report claims arising out of a wrongful act that occurred on or after the retroactive date, if any, and before the end of the policy period.

Confidentiality: The insured must make every effort not to divulge that it has coverage for cyber extortion.

Territory: Coverage applies to wrongful acts committed anywhere in the world; however, suits must be brought in the United States (including its territories and possessions), Puerto Rico, or Canada.

Definitions

There are twenty-seven definitions listed on EC 00 10 07 05. Whenever a definition includes another defined word or term, it will be given in italics.

Application: This is the signed application for the policy, including any attachments and other materials submitted in conjunction with the application. As devised by ISO, the application EC AP 01 08 05 is ten pages long. The applicant furnishes underwriting information on the type of company, its Web site content protocols (who provides content for the web site, for example), electronic data collection practices, type of network (including firewall information and network intrusion devices), third party access to the network, backup and recovery procedures, income generated over the network that could be lost as a result of an attack, and other financial information. The application also contains pertinent fraud statements.

Business Income: The definition of business income is common to the ISO forms: net income (net profit or loss before income taxes) that would have been earned or incurred, and continuing normal operating expenses incurred, including payroll.

Claim: Likewise, the definition of a claim is common. It means a written demand for monetary damages; or a civil proceeding commenced by the service of a complaint or similar proceeding against any insured for a wrongful act. Included as well is any appeal arising from the claim.

Computer program: A computer program is defined as a set of electronic instructions directing operations and functions of a computer or devices connected to it, which enable it to receive, process, store, or send electronic data.

Computer system: This includes computers and related peripheral components, systems and applications software, terminal devices, and related communications networks. The term is limited to computer systems owned by the named insured or licensed or leased to the named insured.

Defense expenses: These are the reasonable and necessary fees (attorneys' and experts' fees) and other expenses incurred in the defense or appeal of a claim. Excluded are wages, salaries, and other expenses of the named insured's employees.

E-commerce activities: Means activities conducted by the named insured in the normal conduct of the business via the Web site and the e-mail system.

E-commerce incident: Means a virus, malicious instruction (such as directing incoming visitors to another, fraudulent site), or denial of service attack (as when hackers bombard a site with so much traffic they cause it to shut down). Any of these must be introduced into the computer system or network with intent to damage, destroy, delete, corrupt or prevent the use of or access to any part of the system, or otherwise disrupt normal operation.

Electronic data: This is information, facts, images, and sounds stored as or on, created or used on, or transmitted to or from computer software, on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices, or other media used with electronically controlled equipment. It does not include data licensed, leased, or rented to others, and it is not considered tangible property.

Employee: This definition is broader than in other ISO forms. Included are permanent, temporary, or leased employees, officers, volunteer workers, partners, and members if the named insured is a limited liability company. Such persons of a subsidiary are also employees, but only while acting within the scope of duties determined by the named insured or the subsidiary.

Extortion expenses: These are expenses incurred by the security firm, if any, shown in the Declarations, or by a person or entity hired with the insurer's consent (which is not to be unreasonably withheld) to investigate the validity and severity of an extortion threat made against the insured business. Also included are interest costs on any loan from a financial institution taken to pay a ransom, reward money paid to an informant whose information leads to the arrest and conviction of those responsible for the loss, and other reasonable costs incurred by the insured business, including the cost of hiring a security firm to protect against further threats by the same person(s), provided the security firm shown in the Declarations recommends doing so.

Extortion threat: This is a threat or series of threats attempting to cause an e-commerce incident or utilize proprietary information or weakness in the source code by gaining unauthorized access to the computer system, or publishing clients' personal information held within the system.

Extra expense: These are the necessary expenses incurred during an interruption that would not otherwise have been incurred, or that are incurred to avoid or minimize the suspension of e-commerce activities.

Informant: A person other than an employee who provides information in return for the reward offered by the insured business is an informant.

Insured: This is any named insured and its employees.

Interrelated wrongful acts: This term means all wrongful acts that have the same common nexus (connection; link) of fact, circumstances, cause or a series of related facts.

Interruption: With regard to an e-commerce incident, this means an unanticipated cessation or slow-down of the e-commerce activities, or a suspension of these activities to avoid or mitigate a virus or malicious instruction. With regard to an extortion threat, it means a voluntary suspension of the activities based on evidence of a credible threat, or on the recommendation of the security firm (shown in the Declarations). Any interruption arising out of an e-commerce incident is deemed to begin when the e-commerce activities are interrupted and ends the earliest of: 90 days after the interruption begins; the time e-commerce activities are resumed; or the time service is restored to the insured business. If the interruption arises from an extortion threat, it is deemed to begin when e-commerce activities are interrupted, and end at the earliest of: 14 days after the interruption begins; the time when e-commerce activities are restored; or the time when service is restored.

Loss: Loss is defined according to which Insuring Agreement is being referenced. With regard to Insuring Agreements A and B, it means compensatory damages, settlement amounts, and costs awarded pursuant to judgments. With regard to Insuring Agreement C, it means costs to replace or restore electronic data including cost of data entry, reprogramming, and computer consultation services. With respect to Insuring Agreement D, it means extortion expenses or ransom payments. With regard to Insuring Agreement E it means the actual loss of business income sustained and/or extra expenses incurred.

Named insured: The named insured is the entity or entities shown in the Declarations, and any subsidiary.

Personal information: This is any information collected by the insured in the normal course of business that the law requires be protected from public disclosure.

Policy period: The period of time from the inception date of the policy shown in the Declarations to the expiration date shown in the Declarations, or its earlier cancellation or termination date.

Pollutants: Pollutants are any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals and waste; waste includes materials to be recycled, reconditioned or reclaimed. This definition is common to other ISO forms.

Ransom payment: As the name implies, this is a payment made in the form of cash.

Subsidiary: Any organization in which more than 50 percent of the outstanding securities or voting rights representing the present right to vote for the election of directors (or the equivalent position) is owned, in any combination, by one or more named insureds.

Suit: As with other definitions in the form, the definition of suit is common to ISO forms. It includes a civil proceeding, arbitration, or any other alternative dispute resolution proceeding.

Virus: any kind of malicious code designed to damage or destroy any part of a computer system (including electronic data) or disrupt its normal function.

Wrongful act: Under Insuring Agreement A, this means any actual or alleged error, misstatement, or misleading statement posted or published by an insured on its Web site that results in infringement of copyright, trade dress, trademark, or service mark; any form of defamation of a person or organization; or a violation of a person's right of privacy. Under Insuring Agreement B, a wrongful act means any actual or alleged neglect, breach of duty, or omission by an insured that results in unauthorized access to the insured's computer system by a non-insured, where that access results in the unauthorized publication of a client's personal information held within the insured's computer system or in the insured's system transmitting a virus to a third party.

Endorsements

There are several endorsements available for use with EC 00 10 07 05. Many of them amend terms, coverage, or cancellation provisions to comply with various jurisdictions' statutes, regulations, or insurance codes, and so are not reviewed here.

Endorsement EC 10 03 07 05 non-binding arbitration gives the insured the right to request arbitration as to whether or not a claim against a named insured is covered, as opposed to arbitration to set the amount of the loss.

Specified individuals can be added as employees by scheduling them on EC 20 02 07 05 specified individuals as employees.

Endorsement EC 20 03 07 05 amend territory condition for wrongful acts or suits allows the insurer to exclude certain territories with respect to wrongful acts, or to add certain territories in which a suit may be brought.

Endorsement EC 20 03 07 05 amend territory condition – suits worldwide modifies the territory so that wrongful acts occurring anywhere in the world, or suits brought anywhere in the world, are not precluded.

Endorsement EC 20 05 07 05 agreed value endorsement applies to Insuring Agreement E and modifies the amount of business income payable. The number of hours elected for the waiting period deductible is subtracted from the total number of hours of interruption; the result is multiplied by the agreed value hourly amount. Any business income loss payable under this formula is reduced to the extent that the reduction in business generated over the Internet is offset by any increase in volume of business from mail or telephone.