Defining the Scope of Cyber-Insurance Protection
As e-commerce and use of the Internet for commercial transactions has grown, so too has the sale of so-called "cyber-insurance." This insurance product began to develop in the 1990s as companies increasingly recognized that failure to engage in commercial Internet transactions put them at an enormous competitive disadvantage, both with respect to the ability to service consumers and clients and in the ability to collect data regarding consumer interests and needs. Well-established "hard" companies like Borders Books and others fatally failed to keep pace with their competitors' electronic presence and transactions. Clearly, there is now a critical dependence on e-commerce.
Dependence on e-commerce, however, comes with risks. The Internet was designed—to the extent it was designed—as a method of transmitting data across multiple networks. The use of such a system necessarily requires that a company grant access to others, over whom it has no control, to at least some aspects of the company's transmitted data. And participation in the system necessarily requires that others, over whom one has no control, for at least a while input data into at least part of a system upon which one depends. Using e-commerce therefore subjects a company to the risk that others will take control over its ability to communicate and to engage in transactions with its consumers and clients. Hence the need for insurance designed to address the risk associated with e-commerce.
Not surprisingly, as more and more companies are subjected to and become aware of the risk of being a part of interconnected electronic networks, more and more insurers are offering to cover that risk in exchange for a premium. Unfortunately, many of these insurers, whether intentionally or not, appear to be structuring their products in a manner that does not reflect the nature of e-commerce and its risks. If cyber-insurance is to play a role in protecting companies against these risks, then it is incumbent on policyholders, insurers and ultimately the courts to understand the nature of cyber-risk and to structure their decisions and opinions regarding cyber-insurance in a manner that gives effect to the reasonable expectations of all involved.
The recent Universal American v. National Union Fire Insurance decision is a case in point. There, Universal American bought an insurance policy presumably to cover its e-commerce risks. Universal American is a health insurance company. It makes payments to medical providers who provide goods and services to patients insured by Universal. The providers are contractually authorized to access Universal's computer system in order to submit a request for payment. In connection with this underlying business model, the insurance policy provided coverage for:
Loss resulting directly from a fraudulent
(1) entry of Electronic Data or Computer Program into, or
(2) change of Electronic Data or Computer Program within the Insured's proprietary Computer System…provided that the entry or change causes
(a) Property to be transferred, paid or delivered,
(b) an account of the Insured, or of its customer, to be added, deleted, debited or credited, or
(c) an unauthorized account or a fictitious account to be debited or credited.1