In a post from The Lawyers Weekly, Gordon Hilliker looks at an area most enterprises will need to become more familiar (and current) with: cyber risks and liability insurance. He suggests that organizations might find themselves inadequately protected from claims of liability by relying on out-dated insurance products:
Any organization with a website, online storage facilities or even just an email account is vulnerable to a claim that it has caused damage to another’s computer software or data, whether through the inadvertent distribution of malevolent code, inadequate protection against hacking or otherwise. The Internet also provides a ready forum for the commission of various other torts, such as defamation, breach of privacy and infringement of copyright.
For liability insurance protection, most organizations purchase a commercial general liability (CGL) policy, which is a one-size-fits-all insurance product that was originally created to protect against claims for bodily injury or damage to tangible property. Cyber risks do not generally fall into either category. A data breach from a hacking incident or an errant email does not involve tangible property. Tangible property may be involved in the case of a careless erasure of a hard drive but whether there has been physical injury is open to debate. Although, as a matter of physics, there has been a magnetic alteration to the hard drive, the fact remains that the drive can nevertheless still serve its intended purpose and the claim is for the loss of the data itself rather than any possible alteration to the physical structure on which the data resides. As might be expected, American authority can be found in support of either side in this debate.
In response to this issue, the Insurance Bureau of Canada, an insurance industry association that, among other things, publishes recommended policy forms, revised its CGL form so as to specifically