Loading
Notes
Study Reminders
Support
Text Version

E-Commerce Property Risks

Set your study reminders

We will email you at these times to remind you to study.
  • Monday

    -

    7am

    +

    Tuesday

    -

    7am

    +

    Wednesday

    -

    7am

    +

    Thursday

    -

    7am

    +

    Friday

    -

    7am

    +

    Saturday

    -

    7am

    +

    Sunday

    -

    7am

    +

Property Risk Management
E-Commerce Property Risks

LEARNING OBJECTIVES

In this section we elaborate on the following:
The increased frequency and severity of e-commerce property risks
Five major categories of e-commerce property risks
Loss-control steps that can reduce e-commerce property risks
Availability of insurance as a means of transferring e-commerce property risks

Introduction

This unit, as noted above, introduces areas that are growing in importance in the world of insurance. Almost every home, family, and business has risk exposures because of the use of computers, the Internet, and the Web; we refer to this as e-commerce property risk.

Regardless of the nature of the use of the Internet, cyber attacks have become more frequent and have resulted in large financial losses.

Businesses today are becoming aware of their e-commerce risk exposures. In every forum of insurers’ meetings and in every insurance media, e-risk exposure is discussed as one of the major “less understood” risk exposures. [3]

In this unit, we discuss the hazards and perils of e-commerce risk exposure to the business itself as the first party.

Example

According to the 2002 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) Computer Crime and Security Survey, Internet-related losses increased from $100 million in 1997 to $456 million in 2002. [1]

The 6th Annual CyberSource fraud survey indicated a $700 million increase (37 percent) in lost revenue in 2004, from an estimated $2.6 billion in 2003. Small and medium businesses were hit the hardest. These losses are in line with fast revenue growth from e- commerce. [2]

Causes of Loss in E-Commerce

The 2004 CSI survey provided many categories of the causes of losses in the computer systems area. By frequency, the 2004 order of causes of losses were:

Virus (78 percent)
Insider abuse of net access (59 percent)
Laptop/mobile thefts (49 percent)
Unauthorized access to information (39 percent)
System penetration (37 percent)
Denial of service (17 percent)
Theft of proprietary information (10 percent)
Sabotage, financial fraud, and telecom fraud (less than 10 percent)

This list does not account for the severity of losses in 2004; however, the 269 respondents to this section of the survey reported losses reaching $141.5 million.

Causes of Loss in E-Commerce (Continued)

The 2004 CSI/FBI survey covered a wide spectrum of risk exposure in e-commerce, for both first-party (property and business interruption) and third-party ) losses.

As you can see from this summary of the survey and other sources, the causes of e-commerce property risks are numerous. We can group these risks into five broad categories:

Hardware and software thefts
Technological changes
Regulatory and legal changes
Trademark infringements
Internet-based telephony crimes

Hardware and Software Thefts

Companies have rapidly become dependent on computers. When a company’s computer system is down, regardless of the cause, the company risks losing weeks, months, or possibly years of data.

Businesses store the majority of their information on computers. Customer databases, contact information, supplier information, order forms, and almost all documents a company uses to conduct business are stored on the computer system.

Losses from theft of proprietary information, sabotage of data networks, or telecom eavesdropping can cause major losses to the infrastructure base of a business, and can be done from a wide variety of sources as discussed below:

Hackers

Hackers can cause expensive, if not fatal, damage to a company’s computer
systems. Hackers are virtual vandals who try to poke holes in a company’s security network. [4] Hackers may be satisfied with defacing Web sites.

Crackers

Crackers are vandals who want to break in to a company’s security network and steal proprietary information for personal gain. Potential terrorists are usually classified as crackers. Their objective is to hit specific companies in order to bring systems down, steal data, or modify data to destroy its integrity.

Insiders

Insiders are internal employees upset with the company for some reason, perhaps because of a layoff or a failure to get an expected promotion. Inside access to the company computer network, and the knowledge of how to use it, gives this group the potential to cause the most damage to a business.

Virus

A virus is a program or code that replicates itself inside a personal computer or a workstation with the intent to destroy an operating system or control program. When it replicates, it infects another program or document. [5]

Technological Changes

Another risk companies face in the cyber world is the rapid advancement of technology.

When a company updates its computer system, its software package, or the process for conducting business using the computer system, business is interrupted while employees learn how to conduct business using the new system. The result of this downtime is lost revenue.

Regulatory and Legal Changes

Almost as quickly as the Internet is growing, the government is adding and changing applicable e- commerce laws. In the past, there were few laws because the Internet was not fully explored nor fully understood, but now, laws and regulations are mounting. Thus, companies engaged in e-commerce face legal risks arising from governmental involvement

Lack of qualified lawyers to handle cases that arise out of e-commerce disputes is another new risk. There are many areas of e-law that lawyers are not yet specialized in. Not only are laws complex and tedious, they are also changing rapidly. As a result, it is difficult for lawyers to stay abreast of each law that governs and regulates cyberspace.

Example

An example of a law that is likely to change is the tax- free Internet sale. There is no sales tax imposed on merchants (and hence the consumer) on Internet sales between states partly because the government has not yet determined how states should apportion the tax revenue.

As the volume of online purchases increases, so do the consequences of lost sales tax revenue from e-commerce.


Trademarks Infringements

Domain name disputes are a serious concern for many businesses. In most cases, disputes over the rights to a domain name result from two specific events.

Domain name hijacking occurs when an individual or a business reserves a domain name that uses the trademark of a competitor.

The other event arises when a business or an individual reserves the well-recognized name or trademark of an unrelated company as a domain name with the intent of selling the domain name to the trademark holder. Seeking compensation for the use of a registered domain name from the rightful trademark holder is known as cybersquatting. [6]

Example

A recent case involving cybersquatting is People for the Ethical Treatment of Animals v. Doughney.

In August 2001, the Fourth Circuit Court of Appeals held that the defendant, Michael Doughney, was guilty of service mark infringement and unfair competition, and had violated the Anti-Cybersquatting Consumer Protection Act (ACPA). Doughney had created a Web site at which contained the registered service mark PETA.

People for the Ethical Treatment of Animals (PETA) is an animal rights organization that opposes the exploitation of animals for food, clothing, entertainment, and vivisection. When users typed in they expected to arrive at the site for People for the Ethical Treatment of Animals. Instead, they surprisingly arrived at People Eating Tasty Animals, a “resource for those who enjoy eating meat, wearing fur and leather, hunting, and the fruits of scientific research.”

The site contained links to a number of organizations that held views generally opposing those of PETA. [7] On two occasions, Doughney suggested that if PETA wanted one of his domains, or objected to his registration, it could “make me an offer” or “negotiate a settlement.”

Website Hijacking

Web site hijacking occurs when a Web site operator knowingly deceives the user by redirecting the user to a site the user did not intend to view.


Example

A recent case, Ford Motor Company v. 2600 Enterprises et al., caught attention in December 2001 when 2600 Enterprises automatically redirected users from a Web site they operate at a domain name directing profanity at General Motors to the Web site operated by Ford at

The defendants redirected users by programming an embedded link, which utilized Ford’s mark, into the code of the defendants’ Web site. [8] Domain-name hijacking, cybersquatting, and Web site hijacking for the sake of parody or satire is protected by the First Amendment, but sometimes the pranksters’ only purpose is to harass or extract profit from the trademark owner. [9]





Internet-Based Telephony Crimes

One of the fastest-growing communication technologies is Internet-based telephony-known as voice- over-Internet protocol (VoIP).

The National Institute of Standards and Technology warned that this technology has “inherent vulnerabilities” [10] because firewalls are not designed to help in securing this industry, which is grew by $903 million in 2005, up from $686 million in 2004.


Risk Management of E-Commerce Exposures

Businesses can take loss-control steps to reduce the e-commerce property and business interruption risks by using the following:

Security products and processes

System audits

Antivirus protection

Backup systems and redundancies

Data protection and security




Passwords

Digital signatures

Encryption

Firewalls

Virtual private network (VPN)


Risk Management of E-Commerce Exposures (Continued)

Businesses today buy electronic security systems and develop many steps to reduce the risk of data and hardware losses. Firms conduct regular system audits to test for breaches in network security.

Auditors attempt to break into various components of the company computer system, to simulate attacks and discover weaknesses. [11] Managed security services provide an option for virus protection. They include both antivirus protection and firewall installation.

Regular system backup processes and off-site systems saved many businesses hurt by the September 11 attacks.

Note

One advantage of keeping backup data files off-site is having clean data in case of damage in the original files from viruses, hackers, and crackers.

Because security may be breached from people within the company, Internet access is generally available only to authorized internal and external users via the use of passwords.

Encryption

E-mails are easy to intercept and read as they travel across the Internet. Attaching a digital signature allows the recipient to discern whether the document has been altered. [12]

Another method to protect e-mails is encryption. Encryption allows the sender of an e-mail to scramble the contents of the document. Before the recipient can read the message, he or she needs to use a password for a private key. Encryption is used for confidential communications.

Firewall

A firewall is another loss-control solution that protects the local area network (LAN) or corporate network from unauthorized access. A firewall protects a network from intrusion by preventing access unless certain criteria are met.

Another loss-control technique is the virtual private network, which connects
satellite offices with a central location . A virtual private network (VPN) allows remote users to gain secure access to a corporate network. VPNs provide endless opportunities for telecommuters, business travelers, and multiple independent offices of a bigger company.

E-Commerce Property Insurance

According to the 2004 CSI/FBI Computer Crime and Security Survey described above, only 28 percent of 320 respondents had any external insurance policies to help manage cyber security risks.

Traditional property insurance covers physical damage to tangible property due to an insured peril. Electronic data can be considered property in most instances, but standard commercial insurance policies, contain exclusions that “explicitly invalidate coverage for exposures in relation to the use of technology.” [13]

Note

Some insurers now offer customized e- commerce insurance policies that expand the areas of coverage available for e-commerce property risk.
ISO has an e-commerce endorsement that modifies insurance provided under commercial property coverage. Under this endorsement:

“Insurers will pay for the cost to replace or restore electronic data which has suffered loss or damage by a Covered Cause of Loss…including the cost of data entry, re-programming and computer consultation services.”

E-Commerce Property Insurance (Continued)

In addition to this endorsement, a few insurers have created a variety of e-commerce policies. Some of the companies include ACE USA, Chubb, AIG, the Fidelity and Deposit Companies (members of Zurich Financial Services Group), Gulf Insurance Group, Legion Indemnity Company, and Lloyd’s of London. This list is by no means inclusive.[14]
These companies provide not only first-party e-commerce property and business interruption coverage, but also liability coverage for third-party liability risks. The liability coverage will be discussed in the next module. Because e-commerce does not see geographical boundaries, many policies provide worldwide e-commerce coverage.

KEY TAKEAWAYS

In this section you studied the emerging exposure of e-commerce property risk:
E-commerce property risks fall under five categories: hardware and software thefts, technological changes, regulatory and legal changes, trademark infringements, and Internet-based telephony crimes
Cyber attacks have become more frequent and more costly in the financial losses they cause
Hackers, crackers, insiders, and viruses are major causes of hardware and software theft and data losses
Technological advancements cause downtime while employees learn how to use new systems and components
Frequent additions to and changes in existing e-commerce laws creates compliance risks and lack of qualified lawyers to handle disputes.
Domain name hijacking, cybersquatting, and Web site hijacking are all ways of infringing legitimate companies’ trademarks
Voice-over-Internet protocol (VoIP) has inherent vulnerabilities due to the absence of effective security measures
Loss-control steps that can reduce e-commerce property risks include security products, system audits, backup systems, and data protection
While electronic data is considered property, it is typically excluded from standard commercial insurance policies, thus leading to the rise of customized e-commerce policies and endorsements

KEY TAKEAWAYS

In this section you studied the emerging exposure of e-commerce property risk:
E-commerce property risks fall under five categories: hardware and software thefts, technological changes, regulatory and legal changes, trademark infringements, and Internet-based telephony crimes
Cyber attacks have become more frequent and more costly in the financial losses they cause
Hackers, crackers, insiders, and viruses are major causes of hardware and software theft and data losses
Technological advancements cause downtime while employees learn how to use new systems and components
Frequent additions to and changes in existing e-commerce laws creates compliance risks and lack of qualified lawyers to handle disputes.
Domain name hijacking, cybersquatting, and Web site hijacking are all ways of infringing legitimate companies’ trademarks
Voice-over-Internet protocol (VoIP) has inherent vulnerabilities due to the absence of effective security measures
Loss-control steps that can reduce e-commerce property risks include security products, system audits, backup systems, and data protection
While electronic data is considered property, it is typically excluded from standard commercial insurance policies, thus leading to the rise of customized e-commerce policies and endorsements

DISCUSSION QUESTIONS

1. What are the risk exposures of e-commerce?
2. How should the property risk of e-commerce be managed?
3. Describe the parts of an e-commerce endorsement.
4. What are some of the potential e-commerce property losses that businesses face?

[1] Richard Power, “Computer Security Issues & Trends,” Vol. VIII, Mo I. The survey was conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. Established in 1974, CSI has thousands of members worldwide and provides a wide variety of information and education programs to assist in protecting the information assets of corporations and governmental organizations. For more information, go to

[2] The 6th Annual CyberSource Fraud Survey was sponsored by CyberSource Corporation and undertaken by Mindwave Research. The survey was fielded September 17 through October 1, 2004, and yielded 348 qualified and complete responses (versus 333 the year before). The sample was drawn from a database of companies involved in electronic commerce activities. Copies of the survey are available by visiting.

[3] For example, see Lee McDonald,” Insurer Points out Risks of E-Commerce,” Best’s Review, February 2000; Ron Lent, “Electronic Risk Gives Insurers Pause,” National Underwriter, Property
& Casualty/Risk & Benefits Management Edition, May 7, 2001; Caroline Saucer, “Technological Advances: Web Site Design Provides Clues to Underwriting Online Risks,”Best’s Review, December 2000.

[4] George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management(Boston: Standard Publishing Corp., 2001), 13.

[5] Adapted from the online glossary of Symantec, a worldwide provider of Internet security solutions, at .

[6] George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management(Boston: Standard Publishing Corp., 2001), 13.

[7] People for the Ethical Treatment of Animals v. Doughney, No. 00-1918 (4th Cir2001); .

[8] Ford Motor Company v. 2600 Enterprises et al., 177 F. Supp. 2d 661, 2001, U.S. District Court Lexis 21302 (E.D. Michigan2001);.

[9] Monte Enbysk, “Hackers and Vandals and Worms, Oh My!” Microsoft bCentral newsletter, .

[10] Simon London, “Government Warns Users on Risks of Internet-Based Telephony: Voip Is Growing in Popularity as the Technology Proliferates, but Inherent in the Service, Warns the Government, Is Increased Security and Privacy Flaws,” Financial Times, February 6, 2005,(accessed March 15, 2009).

[11] Kevin Coleman, “How E-Tailers and Online Shoppers Can Protect Themselves,” KPMG.

[12] George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management(Boston: Standard Publishing Corp., 2001), 13.

[13] “New Policy Offered to Cover Tech Risks,” National Underwriter Online News Service, July 2, 2002; Stand Alone E-Commerce Market Survey, by IRMI
at .

[14] George S. Sutcliffe, Esq., E-Commerce and Insurance Risk Management(Boston: Standard Publishing Corp., 2001), 13.

END of UNIT
Click NEXT to proceed to next unit