As recognized below in Pamela’s post discussing whether the loss of computer data is “property damage” in the eye of tort law, the issues surrounding cyber/tech/privacy liability and the attendant insurance coverages are not the exclusive province of the United States or U.S. courts.

To the contrary, virtually every country worldwide is increasingly faced with the problem of having to deal with the hard social and legal issues presented by a rapidly evolving cyber world.  So too, policyholders and the insurers who typically grant worldwide coverage under their policies must recognize that the risks faced are not exclusive to the U.S. or our Canadian cousins. The risks are global in nature and policyholders and insurers alike need to stay current with what’s happening outside our cocoon of the Western Hemisphere.

I am certain every reader is aware of the socio-political dispute whereby Google has threatened to withdraw from China amid claims that the Chinese government has hacked into Google’s and other third-parties’ databases, spied on Google email accounts, and tightened blocks on tens of thousands of internet sites, including Facebook, Twitter and YouTube. U.S. Secretary of State Hillary Clinton has spoken on the subject, advocating that companies such as Google refuse to support “politically motivated censorship.” Secretary Clinton also accused China, Tunisia and Uzbekistan of boosting censorship and called on Beijing to investigate the recent cyber attacks on Google and others. (On a side note, just last week, Europe’s principal security and human rights watchdog accused Turkey of blocking 3700 internet sites for “arbitrary and political reasons.”).

Not surprisingly, China fired back at Secretary Clinton, accusing her of double standards, asserting that the U.S. had invented cyber warfare and regularly restricted websites “concerning terrorism, porn, racial discrimination and other threats to society.” According to an editorial in The People’s Daily newspaper, China alleges that following 9/11, the U.S. Congress passed the USA Patriot Act so that security agencies could search private telephone and email communications.

Should the escalating war of words lead internet companies to withdraw from China, or, alternatively, if a foreign government were to block access to certain websites entirely, it is not unlikely that a policyholder would turn to its first and/or third-party insurance provider to recover based on claims of business interruption, network/data corruption and the like. Whether or not such alleged resultant damage would be covered can only be determined by the relevant policy’s wordings, terms and conditions. But at a minimum, policyholders and their insurers must understand the risks going forward so that policies – and premium ratings – can be tailored appropriately.

Google’s dispute with China is only the tip of the international iceberg (metaphorically speaking). Take, for example, what’s been happening in the EU, where free speech and entrepreneurialism are hallmarks of their open societies.

This past week, Google disclosed that a number of German newspapers and magazine publishers have accused it of antitrust violations, demanding that Google pay them for using extracts from their publications in Google’s internet news service and search results. (Similar concerns have been raised in Italy and Belgium). In turn, Germany’s Justice Minister recently criticized Google over its alleged “lack of transparency” in failing to inform users about how their personal data is used. At the same time, a German City has passed a law which imposes a fee on Google for using its Street View application (which provides satellite images of streets and even peoples’ homes). (In stark contrast, Greece’s privacy watchdog, the Data Protection Authority (“DPA”), last week lifted its objections to a site much like Street View based on assurances from the site owner that it uses face-blurring technology and limits the storage of original images. The DPA reportedly is in talks with Google over similar concerns).

France has been equally pro-active. In December 2009, a French court ruled that Google had violated copyright laws through its efforts to digitalize all of the world’s books and ordered it to pay €300,000 ($430,000). Google’s violation arose from its having digitalized 4000 books from one of France’s largest publishers, La Martiniere. The French government also is considering imposing a tax on Google’s advertising revenues in order to subsidize creative industries impacted by the digital revolution. And it goes on. A French legislator has proposed a so-called “right to forget” law which would give internet users the option of having old data about themselves removed. If passed, the law would force online and mobile companies to delete emails and text messages at the request of the subject person or once a mandated retention period has expired. A violation could lead to the imposition of heavy fines. Would a cyber risk policy cover such fines?  Some may, some may not.  

Just this week, the Spanish government proposed a new internet anti-privacy law which would permit judges to close down websites which offer illegal downloads of movies, music, etc. The proposed procedure, akin to an injunction in the U.S., would enable judges to rule within four days of having heard the parties’ arguments. And in Italy, a proposed new rule would require people who upload videos onto the Internet to obtain permission to do so from the country’s Communications Ministry. (Needless to say, this proposal has evoked strong opposition from free speech advocates).

Finally, to come full circle, European officials have recommended against the use of Microsoft’s Internet Explorer because of the alleged security gap that enabled the Chinese hackers discussed above to attack Google’s website. Not surprisingly, Microsoft has challenged this recommendation.

Simply put, internet companies must be keenly sensitive to and aware of the risks presented by their global footprint, including their exposures to U.S. and other countries’ laws. So too, underwriters and actuaries who are tasked with rating insurance coverages and risks must take into account the geographic scope of their policyholders’ businesses as well as the breadth of the substantive risks they are intending to cover.

In sum, good underwriting practices are getting far more complicated. And, as a result, much more interesting.