Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.
Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. Its 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post “No One is Immune. Even Government Entities Need Cyber/Tech Insurance?”
Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.
Let us say, speaking hypothetically, that a grossly negligent individual (who, since we are speaking hypothetically, is named…”Mr. X”) has accidentally uninstalled my favorite computer game, “Sid Meyers Civilization IV” (for which, by the way, I paid good money and patiently waited three whole hypothetical hours to legally download onto my computer).
Let us further hypothesize that I was twelve hours into a very successful game which has now gone the way of the passenger pigeon. Is the loss of my computer software considered “damage to property” for the purpose of a negligence action, or is it just a form of pure economic loss? “Of course it’s property damage!” I thought to myself, “and a most egregious form at that!”
Yet, in law, as in life, few things are certain. I was compelled to learn more, and so I conducted a brief review of the case law from Canada, the United States and Australia to satisfy my curiosity. What I have learned is that, notwithstanding that we live in the age of the internet, it is far from clear whether we can sue for the loss of electronic data in a negligence action.
On November 10, 2008, millions of people were left without electricity in two of Brazil’s biggest cities, São Paulo and Rio de Janeiro, as a result of a massive power failure. The outage also had a significant impact on telecommunications and the Internet routing system in a number of South American regions. According to CircleID Reporter, while Brazil took the largest hit, Paraguayan and Uruguayan networks also went out “as a result of the largest regional power outage to hit Brazil and its neighbors in several years.”
The losses arising from these types of outages can staggering. Recall in early July of 2008, when the network of Brazilian unit of Spanish telecom Telefónica (NYSE: TEF) was disrupted, leaving its 2.2mn Speedy broadband customers without internet access for about 36 hours in the state of São Paulo. According to Business News America, Zurich had said that it would set aside 24mn reais (US$15.2mn) for refunds to compensate for the service interruption.
Prompted by the internet losses, the Brazilian unit of Swiss insurer Zurich began offering a new civil liability insurance product in August of 2008 in the wake of a large-scale internet outage, reported the local financial daily Gazeta Mercantil. The product covers third-party damage and operational shutdowns resulting from service disruptions, according to the report.
According to Zurich Brasil’s financial insurance lines executive ,Vinicios Villela Jorge, “Many businesses were wanting to know whether the insurance market would make this type of product available so that they could require [clients] to get this policy when contracting their services.” It will be interesting to see whether new insurance products become available on the market as a result of this most recent network failure.