Newsletter Sign-up

Silicon Valley is concerned, and when the capital of computing has a headache, every corporation with a Web site should stock up on the aspirin.

The consternation comes care of a May case in the 9th U.S. Circuit Court of Appeals in California--Fair Housing Council v. Roommates.com, LLC.

Of course, the ruling could hurt the most those organizations whose bottom line is anchored to the Internet, such as internet service providers that host other companies' sites and "e-tailers" that sell their wares predominantly online.

But experts say that most anybody with an Internet presence should tread gingerly in this new liability landscape.

"The second you have a Web site, you're going to have an e-media liability," said Kate Nashak, senior vice president, executive risk coverage, with Marsh FINPRO's Philadelphia office, when presenting at a cyberrisk seminar for the Risk and Insurance Management Society's Delaware Valley chapter.

Corporate risk managers could have more hair-pulling in store if their Web sites interact with users and post outside content.

"It could affect any corporation that has a Web site that does anything with the content other than just allow it to be posted by a user," says Kalinich of the appelate court's ruling. "Any way you categorize it, any way you rearrange it, any way you display it, any way you manipulate it, any way you distribute it now could affect the liability of the Web site."

Don't think your corporate Web site has such fancimajig features? It probably does.

Roommates.com has been charged with falling afoul of the Fair Housing Act simply because its Web site provided users (people looking for roommates) with the ability to categorize their roommate preferences along racial, sexual, gender and other lines. The site did not endorse any particular roommate type; nonetheless, the three appellate judges ruled that the Internet company could be liable because of these categories, says Kalinich.

Following the same logic, an e-tailer perhaps could now run afoul of libel or copyright laws if it allows visitors to post product reviews, says Ted Doolittle, a principal out of Integro's San Francisco office.

And your average Joe Schmoe corporate Web site could be liable because of all the bells and whistles that seem to be table stakes in the new "Web 2.0."

The first-version Internet, where visitors were just expected to click and hunt, has given way to Web 2.0, a world where viewers not only navigate a site--they create the content. Think wikis, chat rooms, blogs, file-sharing sites like YouTube, and social networking sites like MySpace and Flickr. It is a new collaborative Web, an ever-changing Web, a competitive Web.

"Content and copyright are king at the moment," said Martin Myers, member of the Insurance Recovery Practice Group at Heller Ehrman's San Francisco law office, at a recent tradeshow session on Web 2.0.

"It seems like today you can't be an in-touch Internet company if you don't have your own company blog," Doolittle points out.

Before Roommates.com, companies could be "in touch" yet safe from liability thanks to a legal framework that made it clear who was liable for protecting copyright and decency. The Digital Millennium Copyright Act and the Communications Decency Act provided the guidelines. The DMCA is relevant to intellectual-property issues, while the CDA has broader applications for how content is monitored and controlled.

Both contain similar notice and takedown provisions, along with other ways for companies to protect themselves if they hosted or operated a site, Doolittle says. For instance, these laws paved the way for Internet-savvy companies to post a privacy policy or user agreement on their sites, disclaiming all responsibility for third-party content and providing a contact for viewers if this material proved so offensive, libelous or plagiarized that it needed to be removed.

The companies' takedown policy would then kick in. Kalinich points out that the big search engines and e-tailers have solid takedown policies. When a visitor complains about third-party content, they can just remove that content and let the outside parties argue.

"In a way it's been easy up until now?there were a clear set of guidelines," says Doolittle. "You could follow these steps and be relatively secure in the knowledge that you're protected."

No longer.

"If you were a risk manager sitting across the table from me right now saying, 'OK, what do I need to do,' I don't have an answer for that," Doolittle admits.

The reason--Roommates.com has unhinged the liability protections in the CDA and DMCA, opening the door for who knows what monster lawsuits. Or the 9th Circuit's finding could turn out to hold sway in only very limited cases.

A third possibility--a new law could be installed where the old ones stood that redefines liability but creates a whole new set of requirements, costs and headaches.

Nevertheless, Doolittle was being modest before. He and other brokers do offer advice to risk managers.

"If they don't have in-house counsel, they ought to be checking with their external counsel about what this means for their particular Web site and how they use content," says Doolittle.

Another outside resource is--gasp!--the information-technology department. Nashak recommended risk managers talk with IT about building "sprinkler systems" for any and all cyberrisks.

Risk managers should also, well, manage the risk.

"We've been treating this thing differently than traditional risk management," Nashak said, "but it's the same thing."

Kalinich explains that companies should be clear about the purpose of their sites: Are customer and user postings necessary? Will an executive blog be needed to communicate the company's vision? Is the site meant to just sell product? Is driving traffic and activity the goal? Or will content make users content?

"If you don't need to manipulate the content of others, if you don't need to have the content of others, then why have it?" he says.

If you do, the broker suggests coming up with, or reviewing, those aforementioned notice and takedown procedures. Then devise a Web-site monitoring procedure.

"If you don't monitor it at all," the broker says, "it's pretty clear you're not liable, but to the extent that you start to monitor it, or you start to rearrange it, then you have to be very careful about the methodology you employ now to monitor these sites."

Another answer to the new liability landscape, which is cheap and plentiful at the moment, is-- surprise!--insurance.

"I would say that there hasn't been a better time as a user for this kind of insurance," says Doolittle about so-called tech E&O, which is needed for these exposures. "It's less expensive than it's ever been, it's broader than it's ever been."

Marsh's Nashak agreed that the coverage is competitive right now. At least six markets are in the game, providing "lots" of capacity, though she added that risk managers should be wary of special retentions for class actions, sublimits, claims-made policies or warranties.

Still, carriers themselves have been pushing for insureds to buy this type of cover, says Aon's Kalinich. They're building interest. Insurers only moved about $100 million in premium back in 2005. But by 2007, that figure's doubled.

Recent headlines of cyberrisk and crime have helped to wake insureds up, he says.

The biggest perhaps was TJX's revelation this past January that 45 million customer records from its system had been poached. Indications are that a "sophisticated crime syndicate" pulled off the heist, said Nashak, who cited Forrester Research's estimate that the incident could cost the retail company $1 billion over the next decade.

YouTube and Viacom Inc. have made news as well. The entertainment giant in March sued the video-sharing site and its parent company, Google Inc., for about $1 billion for copyright infringement, which Google is fighting. Another interesting case pits Target against the National Federation of the Blind, which argues that the retailer's Web site violates the Americans with Disabilities Act.

In the very least, risk managers with Web 2.0 exposure could follow the lead of Denise Schlitt, director of risk management at Atlanta-based ISP Earthlink Inc., who explained at the Web 2.0 session mentioned above how her company reconsiders its Web policies and procedures every time one of these cases emerges.

One would think insurers would do the same--and restrict coverage. Doolittle expects carriers to do just that post-Roommates.com.

But insurers move at abacus speed, not semiconductor speed, so it could be six months to a year before prices and terms are affected.

"The carriers aren't going to catch up with those exclusions," he says, "for a little while."

By that time, Web 3.0 could dominate, and these cases could be as old news as Y2K.

MATTHEW BRODSKY is associate editor of Risk & Insurance®.

READ MORE: Features | Special Reports | Industry Risk Reports | Columnists | In-Depth Series

September 1, 2007

Copyright 2007© LRP Publications