Let's get physical: loss of use of tangible property as coverage in cyber insurance.

• Author: Yu, Angela

1. Introduction II. Background A. The Internet Age B. The Nature of Risk C. The Business of Insurance D. CGL and its Recent Changes E. "Physical v. Non-physical" in Case Law F. A Shift in the Courts G. A Novel Approach III. A New Era A. A Necessary Shift B. An Avenue for Coverage C. The Modern Trend D. Future Claims E. The Future of Property in the Digital World IV. Imminent Changes to the Insurance Industry A. Clearer Understanding of CGL Interpretation B. Government's Potential Role V. Conclusion I. Introduction

   It is impossible to escape technology today--and who would want to? For most everyday tasks, there is a quicker, easier, and less costly technology-based alternative. Instead of mail, we use email. Instead of paper and pen, we use a screen and keyboard.

   Today, businesses take advantage of the leaps and bounds that technology has afforded them. Businesses use intangible files and Internet-based storage methods, such as the Cloud, (2) instead of physical files and spaces. Some business models go even further, employing exclusively computerized documents (3) or offering only computer-based services, neither with a physical manifestation. These changes have precipitated unprecedented legal issues related to their intangible (4) nature.

   Most insurance policies include coverage for "physical damages to tangible property." (5) However, today's new technological methods of operation have created much debate over what "tangible" and "physical" are in the eyes of an insurance policy, and thus, what kinds of injuries are afforded coverage by these policies. (6) The need for coverage of events, such as cyber breaches, (7) is ever-present and growing; technological loss is expectation, not anomaly. (8)

   Today, there is a visible effort to keep pace with changes in the way businesses conduct themselves. First, the cyber insurance industry is expanding rapidly. The growing number of major insurance companies offering some form of cyber insurance has increased exponentially. (9) Regulations that manage cyber breaches where privileged data is compromised exist on the federal level and in many state jurisdictions. (10)

   In spite of these efforts, there is still ambiguity as to whether electronic damage and loss constitute "physical damage to tangible property," and whether they are covered by the traditional insurance policies that exist today. The commercial general liability (CGL) form, one of the most common forms of insurance, have narrowly defined "physical" to exclude many computer-based intangible forms of storage in the 2001 updated CGL. (11) The current definition has led many, including a majority of courts, to comment correctly that CGL coverage for "physical damage to tangible property" is inappropriate. (12)

   However, these cases and comments are mistakenly focused on trying to find coverage for such events under the argument that the damage was physical. The CGL language has made this near impossible to do without "read[ing] the word 'physical' out of the [insurance policy] contract." (13) Instead, coverage should be sought under the second prong of the CGL's definition for physical property, which grants coverage for "loss of use of tangible property." (14)

   This Note argues that a better alternative to seek coverage for electronic loss is under the "loss of use of tangible property," the success of such cases indicates a shift in the court's perspective, and three major changes would promote and guide the development of the cyber insurance industry. Part II of this Note will briefly discuss the impact of the Internet on today's modern business structure, the infrastructure of modern insurance coverage, and the specific delineation of physical damage in the 2001 CGL and its role and effect in cases in which coverage was denied based on the "non-physical vs. physical" issue. This Note will then detail the three cases that demonstrate the modern movement towards finding coverage for electronic loss. Part IV will discuss cases using the "loss of use" definition to find coverage, and Part V will investigate the importance of these cases and their implications. Finally, this Note presents three arguments for change: 1) a society-wide conclusion on coverage for electronic loss under the CGL; 2) the need for specificity in the creation of cyber insurance coverage; and 3) government policies to advance the maturity of cyber insurance.

2. Background

   1. The Internet Age

      Internet usage first became widespread in the 1990s. (15) Since then, the Internet has become the preferred method of communication. (16) It is one of the largest research tools, and has revolutionized the way our world conducts its daily life. It is now normal to spend most of the workday in front of a computer, often creating files and documents that exist only on computers, with no physical trace of their existences. Digitalized existence is no longer a trend, but a way of life.

      Today, more and more companies are e-businesses. (17) The ease of starting a business online, as opposed to the traditional brick and mortar business, is unrivaled. It can be as simple as obtaining a web address and operating out of a computer. There is little cost to obtaining a web address. (18)

      There is incentive for new start-ups and existing companies alike to be computer-based. It cuts costs; transactions costs are lower because the middleman is often purged, and it may even eliminate the need for employees who perform filing tasks. (19) Additionally, it is environmentally conscious to cut out any unnecessary paper and waste by working digitally. (20) Moreover, being environmentally conscious can generate goodwill for a company, attracting eco-friendly consumers and projecting a forward-thinking image.

      There is far reaching political pressure for businesses to embrace the trend to maintain a paperless workplace. Even the medical industry is affected, as it is now subject to the Health Insurance Portability and Accountability Act (HIPAA). (21) In 2009, the Health Information Technology for Economic and Clinical Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act (ARRA) to motivate "the adoption of electronic health records in the United States through incentives and grants." (22) The transition to computer-based practices is modern and permanent. Intel Corporation's chairman stated, "[i]n five years time, all companies will be Internet companies or they won't be companies at all." (23)

   2. The Nature of Risk

      Threats to computerized data and functions in our computer-based world can take a number of forms, from those that are unprecedented and accidental to those that are malicious in nature. For example, in the wake of Hurricane Sandy in 2012, many East Coast businesses reported losses of data with cost estimates in the billions of dollars. (24) Hurricane Sandy's blackouts caused a number of businesses to lose functionality and data. (25) Damage to digital information also took the more familiar form of physical damage to hard drives that held such data. (26)

      Some types of data loss are more calculated and deliberate. Two infamous examples are viruses and hackers. A computer virus is defined as a "small software program[] that [is] designed to spread from one computer to another and to interfere with computer operation." (27) Most users today have had some interaction with computer viruses or, at a minimum, in protecting their computers and devices from viruses. (28) Viruses have the potential to cause extensive and expensive damage to computers and data. One of the most notorious computer viruses is endearingly known as the "LOVE-BUG," which would infiltrate a computer in the form of an email that contained a message with some variety of "I LOVE YOU," only to have a virus attached to the email. (29) Upon opening it, the virus would install another virus on the computer, search the computer for passwords, and send itself out to every other email address in the user's electronic address book. (30) It is estimated that losses totaling $15 billion worldwide occurred within the first day were reported. (31)

      Hackers may also try to deliberately gain access to digital data by breaching security methods. A lot of valuable information exists as digital data. Cyberterrorism (32) often occurs when the digital data contains personal information, including credit card information. For example, in 2012, hackers accessed partial e-mail addresses, street addresses, and credit card information from over 24 million users of Zappos.com, the online shoe store giant owned by Amazon.com. (33) Such data breaches are not isolated incidents. In 2011, Sony's PlayStation and Qriocity (34) were attacked, and an estimated 77 million users' billing information was accessed. (35) Only about two weeks later, Sony's website was also hacked, leading to stolen personal and billing information of roughly 24 million users. (36) Sony shut down its website quickly thereafter. (37) Data breaches are extremely expensive; the cost of data loss due to breaches has been estimated at upwards of $30 billion in 2011. (38) Most recently and publicly, Target, the retail store chain, suffered a massive data breach where information including mailing and email addresses, phone numbers, and credit card information of 70 million customers was stolen. (39) Target is facing nearly seventy class action lawsuits as a result. (40)

      Security systems interested in protecting their internal information from external intruders may not have considered the possibility of government intrusion. At the end of 2009, CyberSitter, a web filtering company, filed suit against the Chinese government for misappropriating intellectual property software, seeking $2.2 billion in damages. (41) The complaint alleges that the Chinese government used this technology for its Green Dam Youth Escort software, software that it would later mandate to be installed in all computers sold in China. (42) In late 2010...