In this section we elaborate on the following:
- The increased frequency and severity of e-commerce property risks
- Five major categories of e-commerce property risks
- Loss-control steps that can reduce e-commerce property risks
- Availability of insurance as a means of transferring e-commerce property risks
This chapter, as noted above, introduces areas that are growing in importance in the world of insurance. Almost every home, family, and business has risk exposures because of the use of computers, the Internet, and the Web; we refer to this as e-commerce property risk. Think about your own courses at the university. Each professor emphasizes his or her communication with you on the Web site for the course. You use the Internet as a research tool. Every time you log on, you are exposed to risks from cyberspace. Most familiar to you is the risk of viruses. But there are many additional risk exposures from electronic business, both to you as an individual and to businesses. Businesses with a Web presence are those that offer professional services online and/or online purchasing. Some businesses are business to consumer (BTC); others are business to business (BTB).
Regardless of the nature of the use of the Internet, cyber attacks have become more frequent and have resulted in large financial losses. According to the 2002 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) Computer Crime and Security Survey, Internet-related losses increased from $100 million in 1997 to $456 million in 2002. (Richard Power, “Computer Security Issues & Trends,” Vol. VIII, No. I. The survey was conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. Established in 1974, CSI has thousands of members worldwide and provides a wide variety of information and education programs to assist in protecting the information assets of corporations and governmental organizations. For more information, go to http://www.gocsi.com.) The 6th Annual CyberSource fraud survey indicated a $700 million increase (37 percent) in lost revenue in 2004, from an estimated $2.6 billion in 2003. Small and medium businesses were hit the hardest. These losses are in line with fast revenue growth from e-commerce. (The 6th Annual CyberSource Fraud Survey was sponsored by CyberSource Corporation and undertaken by Mindwave Research. The survey was fielded September 17 through October 1, 2004, and yielded 348 qualified and complete responses (versus 333 the year before). The sample was drawn from a database of companies involved in electronic commerce activities. Copies of the survey are available by visiting http://www.cybersource.com/fraudreport/.)
Businesses today are becoming aware of their e-commerce risk exposures. In every forum of insurers’ meetings and in all insurance media, e-risk exposure is discussed as one of the major “less understood” risk exposures. (For example, see Lee McDonald, “Insurer Points out Risks of E-Commerce,” Best’s Review, February 2000; Ron Lent, “Electronic Risk Gives Insurers Pause,” National Underwriter, Property & Casualty/Risk & Benefits Management Edition, May 7, 2001; Caroline Saucer, “Technological Advances: Web Site Design Provides Clues to Underwriting Online Risks,” Best’s Review, December 2000.) In this chapter, we discuss the hazards and perils of e-commerce risk exposure to the business itself as the first party. In "12: The Liability Risk Management", we will discuss the liability side of the risk exposure of businesses due to the Internet and online connections. Next, we discuss the hazards and perils of electronic business in general.
Causes of Loss in E-Commerce
The 2004 CSI/FBI survey provided many categories of the causes of losses in the computer/electronic systems area. By frequency, the 2004 order of causes of losses was: virus (78 percent); insider abuse of net access (59 percent); laptop/mobile thefts (49 percent); unauthorized access to information (39 percent); system penetration (37 percent); denial of service (17 percent); theft of proprietary information (10 percent); and sabotage, financial fraud, and telecom fraud (less than 10 percent). This list does not account for the severity of losses in 2004; however, the 269 respondents to this section of the survey reported losses reaching $141.5 million.
The 2004 CSI/FBI survey covered a wide spectrum of risk exposure in e-commerce, for both first-party (property and business interruption) and third-party (liability losses, covered in "12: The Liability Risk Management") losses. As you can see from this summary of the survey and other sources, the causes of e-commerce property risks are numerous. We can group these risks into five broad categories:
- Hardware and software thefts (information asset losses and corruption due to hackers, vandalism, and viruses)
- Technological changes
- Regulatory and legal changes
- Trademark infringements
- Internet-based telephony crimes
Hardware and Software Thefts
Companies have rapidly become dependent on computers. When a company’s computer system is down, regardless of the cause, the company risks losing weeks, months, or possibly years of data. Businesses store the majority of their information on computers. Customer databases, contact information, supplier information, order forms, and almost all documents a company uses to conduct business are stored on the computer system. Losses from theft of proprietary information, sabotage of data networks, or telecom eavesdropping can cause major losses to the infrastructure base of a business, whether it is done by outside hackers or by insider disgruntled employees.
Hackers and crackers can cause expensive, if not fatal, damage to a company’s computer systems. Hackers are virtual vandals who try to poke holes in a company’s security network. (George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management (Boston: Standard Publishing Corp., 2001), 13.) Hackers may be satisfied with defacing Web sites, while crackers are vandals who want to break into a company’s security network and steal proprietary information for personal gain. Potential terrorists are usually classified as crackers. Their objective is to hit specific companies in order to bring systems down, steal data, or modify data to destroy its integrity. Insiders are internal employees upset with the company for some reason, perhaps because of a layoff or a failure to get an expected promotion. Inside access to the company computer network, and the knowledge of how to use it, gives this group the potential to cause the most damage to a business.
A virus is a program or code that replicates itself inside a personal computer or a workstation with the intent to destroy an operating system or control program. When it replicates, it infects another program or document. (Adapted from the online glossary of Symantec, a worldwide provider of Internet security solutions, at www.symantec.com/avcenter/refa.html.)
Technological Changes
Another risk companies face in the cyber world is the rapid advancement of technology. When a company updates its computer system, its software package, or the process for conducting business using the computer system, business is interrupted while employees learn how to conduct business using the new system. The result of this downtime is lost revenue.
Regulatory and Legal Changes
Almost as quickly as the Internet is growing, the government is adding and changing applicable e-commerce laws. In the past, there were few laws because the Internet was not fully explored nor fully understood, but now, laws and regulations are mounting. Thus, companies engaged in e-commerce face legal risks arising from governmental involvement. An example of a law that is likely to change is the tax-free Internet sale. There is no sales tax imposed on merchants (and hence the consumer) on Internet sales between states partly because the government has not yet determined how states should apportion the tax revenue. As the volume of online purchases increases, so do the consequences of lost sales tax revenue from e-commerce.
Lack of qualified lawyers to handle cases that arise out of e-commerce disputes is another new risk. There are many areas of e-law that lawyers are not yet specialized in. Not only are laws complex and tedious, they are also changing rapidly. As a result, it is difficult for lawyers to stay abreast of each law that governs and regulates cyberspace.
Trademark Infringements
Domain name disputes are a serious concern for many businesses. In most cases, disputes over the rights to a domain name result from two specific events. Domain name hijacking occurs when an individual or a business reserves a domain name that uses the trademark of a competitor. The other event arises when a business or an individual reserves the well-recognized name or trademark of an unrelated company as a domain name with the intent of selling the domain name to the trademark holder. Seeking compensation for the use of a registered domain name from the rightful trademark holder is known as cybersquatting. (George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management (Boston: Standard Publishing Corp., 2001), 13.)
A recent case involving cybersquatting is People for the Ethical Treatment of Animals v. Doughney. In August 2001, the Fourth Circuit Court of Appeals held that the defendant, Michael Doughney, was guilty of service mark infringement and unfair competition, and had violated the Anti-Cybersquatting Consumer Protection Act (ACPA). Doughney had created a Web site at http://www.peta.org, which contained the registered service mark PETA. People for the Ethical Treatment of Animals (PETA) is an animal rights organization that opposes the exploitation of animals for food, clothing, entertainment, and vivisection. When users typed in http://www.peta.org, they expected to arrive at the site for People for the Ethical Treatment of Animals. Instead, they surprisingly arrived at People Eating Tasty Animals, a “resource for those who enjoy eating meat, wearing fur and leather, hunting, and the fruits of scientific research.” The site contained links to a number of organizations that held views generally opposing those of PETA. (People for the Ethical Treatment of Animals v. Doughney, No. 00-1918 (4th Cir. 2001); www.phillipsnizer.com/internetlib.htm.) On two occasions, Doughney suggested that if PETA wanted one of his domains, or objected to his registration, it could “make me an offer” or “negotiate a settlement.”
Web site hijacking occurs when a Web site operator knowingly deceives the user by redirecting the user to a site the user did not intend to view. A recent case, Ford Motor Company v. 2600 Enterprises et al., caught attention in December 2001 when 2600 Enterprises automatically redirected users from a Web site they operate at a domain name directing profanity at General Motors to the Web site operated by Ford at www.ford.com. The defendants redirected users by programming an embedded link, which utilized Ford’s mark, into the code of the defendants’ Web site. (Ford Motor Company v. 2600 Enterprises et al., 177 F. Supp. 2d 661, 2001, U.S. District Court Lexis 21302 (E.D. Michigan 2001); www.phillipsnizer.com/int-trademark.htm.) Domain-name hijacking, cybersquatting, and Web site hijacking for the sake of parody or satire are protected by the First Amendment, but sometimes the pranksters’ only purpose is to harass or extract profit from the trademark owner. (Monte Enbysk, “Hackers and Vandals and Worms, Oh My!” Microsoft bCentral newsletter, http://www.bcentral.com.)
Internet-Based Telephony Crimes
One of the fastest-growing communication technologies is Internet-based telephony, known as voice-over-Internet protocol (VoIP). The National Institute of Standards and Technology warned that this technology has “inherent vulnerabilities” because firewalls are not designed to help in securing this industry, which grew by $903 million in 2005, up from $686 million in 2004. (Simon London, “Government Warns Users on Risks of Internet-Based Telephony: Voip Is Growing in Popularity as the Technology Proliferates, but Inherent in the Service, Warns the Government, Is Increased Security and Privacy Flaws,” Financial Times, February 6, 2005, http://www.ft.com/cms/s/0/5fca499c-7554-11d9-9608-00000e2511c8.html (accessed March 15, 2009).)
Risk Management of E-Commerce Exposures
Businesses can take loss-control steps to reduce the e-commerce property and business interruption risks by using the following:
- Security products and processes
- System audits
- Antivirus protection
- Backup systems and redundancies
- Data protection and security
- Digital signatures
- Virtual private network (VPN)
Businesses today buy electronic security systems and develop many steps to reduce the risk of data and hardware losses. Firms conduct regular system audits to test for breaches in network security. Auditors attempt to break into various components of the company computer system, including the operating systems, networks, databases, servers, Web servers, and business processes in general, to simulate attacks and discover weaknesses. (Kevin Coleman, “How E-Tailers and Online Shoppers Can Protect Themselves,” KPMG.) Managed security services provide an option for virus protection. They include both antivirus protection and firewall installation.
Regular system backup processes and off-site systems saved many businesses hurt by the September 11 attacks. One advantage of keeping backup data files off-site is having clean data in case of damage in the original files from viruses, hackers, and crackers. Because security may be breached from people within the company, Internet access is generally available only to authorized internal and external users via the use of passwords. E-mails are easy to intercept and read as they travel across the Internet. Attaching a digital signature allows the recipient to discern whether the document has been altered. (George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management (Boston: Standard Publishing Corp., 2001), 13.) Another method to protect e-mails is encryption. Encryption allows the sender of an e-mail to scramble the contents of the document. Before the recipient can read the message, he or she needs to use a password for a private key. Encryption is used for confidential communications.
A firewall is another loss-control solution that protects the local area network (LAN) or corporate network from unauthorized access. A firewall protects a network from intrusion by preventing access unless certain criteria are met. Another loss-control technique is the virtual private network, which connects satellite offices with a central location. A virtual private network (VPN) allows remote users to gain secure access to a corporate network. VPNs provide endless opportunities for telecommuters, business travelers, and multiple independent offices of a bigger company.
E-Commerce Property Insurance
According to the 2004 CSI/FBI Computer Crime and Security Survey described above, only 28 percent of 320 respondents had any external insurance policies to help manage cyber security risks. Traditional property insurance covers physical damage to tangible property due to an insured peril. Electronic data can be considered property in most instances, but standard commercial insurance policies, discussed in "1: The Nature of Risk - Losses and Opportunities", contain exclusions that “explicitly invalidate coverage for exposures in relation to the use of technology.” (“New Policy Offered to Cover Tech Risks,” National Underwriter Online News Service, July 2, 2002; Stand Alone E-Commerce Market Survey, by IRMI at www.irmi.com/Expert/Articles/2001/Popups/Rossi02-1.aspx.) Some insurers now offer customized e-commerce insurance policies that expand the areas of coverage available for e-commerce property risk. ISO has an e-commerce endorsement that modifies insurance provided under commercial property coverage. Under this endorsement,
insurers will pay for the cost to replace or restore electronic data which has suffered loss or damage by a Covered Cause of Loss…including the cost of data entry, re-programming and computer consultation services.
The endorsement has four sections. Section I describes the electronic data coverage. Section II defines the period of coverage as well as the coverage of business income, extra expenses, and resumption of e-commerce activity. Section III classifies covered and excluded perils; exclusions include mechanical breakdown; downtime due to viruses, unless the computer is equipped with antivirus software; errors or omissions in programming or data processing; errors in design, maintenance, or repair; damage to one computer on the network caused by repair or modification of any other computer on the network; interruption as a result of insufficient capacity; and unexplained failure. Section IV of the endorsement is for other provisions, explained in "10: Structure and Analysis of Insurance Contracts".
In addition to this endorsement, a few insurers have created a variety of e-commerce policies. Some of the companies include ACE USA, Chubb, AIG, the Fidelity and Deposit Companies (members of Zurich Financial Services Group), Gulf Insurance Group, Legion Indemnity Company, and Lloyd’s of London. This list is by no means inclusive. (George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management (Boston: Standard Publishing Corp., 2001), 13.) These companies provide not only first-party e-commerce property and business interruption coverage, but also liability coverage for third-party liability risks. The liability coverage will be discussed in "12: The Liability Risk Management". Because e-commerce does not see geographical boundaries, many policies provide worldwide e-commerce coverage.
In this section you studied the emerging exposure of e-commerce property risk:
- E-commerce property risks fall under five categories: hardware and software thefts, technological changes, regulatory and legal changes, trademark infringements, and Internet-based telephony crimes
- Cyber attacks have become more frequent and more costly in the financial losses they cause
- Hackers, crackers, insiders, and viruses are major causes of hardware and software theft and data losses
- Technological advancements cause downtime while employees learn how to use new systems and components
- Frequent additions to and changes in existing e-commerce laws create compliance risks, and there is a lack of qualified lawyers to handle disputes
- Domain name hijacking, cybersquatting, and Web site hijacking are all ways of infringing legitimate companies’ trademarks
- Voice-over-Internet protocol (VoIP) has inherent vulnerabilities due to the absence of effective security measures
- Loss-control steps that can reduce e-commerce property risks include security products, system audits, backup systems, and data protection
- While electronic data is considered property, it is typically excluded from standard commercial insurance policies, thus leading to the rise of customized e-commerce policies and endorsements
- What are the risk exposures of e-commerce?
- How should the property risk of e-commerce be managed?
- Describe the parts of an e-commerce endorsement.
- What are some of the potential e-commerce property losses that businesses face?