Information Security Protection Policy (ISO)

Definitions

EC 00 10

The definitions are listed in alphabetical order.

Policy Language

Explanation

SECTION VII - Definitions

1. "Application" means the signed application for this Policy, including any attachments and other materials submitted in conjunction with the signed application.
  1. Application

The application and all accompanying information are made a part of the policy under Condition #9 (Representations).

2. "Business income" means the:

a. Net income (net profit or loss before income taxes) that would have been earned or incurred; and

b. Continuing normal operating expenses incurred, including payroll.

  1. Business Income

This definition applies to Insuring Agreement #6 (Business Income and Extra Expense).

3. "Claim" means:

a. A written demand for monetary or nonmonetary damages, including injunctive relief;

b. A civil proceeding commenced by the service of a complaint or similar proceeding; or

c. Under Paragraph b. of Insuring Agreement 2. Security Breach Liability, a "regulatory proceeding" commenced by the filing of a notice of charges, formal investigative order, service of summons or similar document;

against any "insured" for a "wrongful act", including any appeal therefrom.

  1. Claim

The three third-party insuring agreements apply to a "claim first made" against the insured during the policy period and this definition limits a claim to a written instrument naming the insured.

If the named insured knows of an occurrence or offense that may result in a claim or a loss covered by the policy during the policy period, the named insured must notify the company in writing as soon as practicable, but not to exceed 30 days. See Condition #14 (Duties in the Event of Claim or Loss). However, unless the reported occurrence or offense results in a claim (as defined) made against the insured during the policy period (or within 30 days of the end of the policy period under paragraph "a" of Condition #16 (Extended Reporting Periods)), the resulting claim is not covered by this policy and may not be covered by any subsequent policy.

4. "Computer program" means a set of related electronic instructions, which direct the operation and function of a computer or devices connected to it, which enables the computer or devices to receive, process, store or send "electronic data".
  1. Computer Program

5. "Computer system" means the following which are owned, leased or operated by you:

a. Computers, including Personal Digital Assistants (PDAs) and other transportable or handheld devices, electronic storage devices and related peripheral components;

b. Systems and applications software; and

c. Related communications networks;

by which "electronic data" is collected, transmitted, processed, stored or retrieved.
  1. Computer system

6. "Defense expenses" means the reasonable and necessary fees (attorneys' and experts' fees) and expenses incurred in the defense or appeal of a "claim", including the cost of appeal, attachment or similar bonds (without any obligation on our part to obtain such bonds) but excluding wages, salaries, benefits or expenses of your "employees".
  1. Defense Expenses

The expenses described here are paid under the three third-party insuring agreements, but any such payments reduce the limit of liability available to pay settlements or judgments.

7. "E-commerce activities" means those activities conducted by you in the normal conduct of your business via your web site or your e-mail system.

  1. E-Commerce Activities

"E-commerce" is defined in the dictionary as "business that is transacted by transferring data electronically, especially over the Internet."

Insuring Agreement #6 (Business Income and Extra Expense) is limited to incidents involving an interruption of e-commerce activities – see paragraph "b" of Condition #15 (Valuation – Settlement).

8. "E-commerce incident" means a:

a. "Virus";

b. Malicious code; or

c. Denial of service attack;

introduced into or enacted upon the "computer system" (including "electronic data") or a network to which it is connected, that is designed to damage, destroy, delete, corrupt or prevent the use of or access to any part of the "computer system" or otherwise disrupt its normal operation.

Recurrence of the same "virus" after the "computer system" has been restored shall constitute a separate "e-commerce incident".

  1. E-Commerce Incident
This definition is used in Insuring Agreements #4 (Replacement or Restoration of Electronic Data), #6 (Business Income and Extra Expense) and #7 (Public Relations Expense) to limit coverage to the specified causes of loss shown here – virus, malicious code or denial of service attack.

9.  "Electronic data" means digital information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property.

"Electronic data" does not include your "electronic data" that is licensed, leased, rented or loaned to others.
  1. Electronic Data

10. "Employee" means any natural person who was, now is or will be:

a. Employed on a full- or part-time basis;

b. Furnished temporarily to you to substitute for a permanent employee on leave or to meet seasonal or short-term workload conditions;

c. Leased to you by a labor leasing firm under an agreement between you and the labor leasing firm to perform duties related to the conduct of your business, but does not mean a temporary employee as defined in Paragraph 10.b.;

d. An officer;

e. A director, trustee or manager (if a limited liability company);

f. A volunteer worker; or

g. A partner or member (if a limited liability company);

of the "named insured" and those of any organization qualifying as a "subsidiary" under the terms of this Policy, but only while acting within the scope of their duties as determined by the "named insured" or such "subsidiary".
  1. Employee

The persons shown here are insureds under the three third-party insuring agreements – see Definition #15 (Insured). The definition includes temporary and leased employees, officers, partners and volunteer workers.

Endorsement EC 20 02 (Include Specified Individuals as Employees) amends the definition of employee to include individuals (not entities) scheduled on the endorsement.

11. "Extortion expenses" means:

a. Fees and costs of:

(1) A security firm; or

(2) A person or organization;

hired with our consent to determine the validity and severity of an "extortion threat" made against you;

b. Interest costs paid by you for any loan from a financial institution taken by you to pay a ransom demand;

c. Reward money paid by you to an "informant" which leads to the arrest and conviction of parties responsible for "loss"; and

d. Any other reasonable expenses incurred by you with our written consent, including:

(1) Fees and costs of independent negotiators; and

(2) Fees and costs of a company hired by you, upon the recommendation of the security firm, to protect your "electronic data" from further threats.
  1. Extortion Expenses
These expenses are covered under Insuring Agreement #5 (Extortion Threats).

12. "Extortion threat" means a threat or series of related threats:

a. To perpetrate an "e-commerce incident";

b. To disseminate, divulge or utilize:

(1) Your proprietary information; or

(2) Weaknesses in the source code;

within the "computer system" by gaining unauthorized access to the "computer system";

c. To destroy, corrupt or prevent normal access to the "computer system" by gaining unauthorized access to the "computer system";

d. To inflict "ransomware" on the "computer system" or a network to which it is connected; or

e. To publish your client's "personal information".

  1. Extortion Threat
This definition describes the coverage provided by Insuring Agreement #5 (Extortion Threats). 

13. "Extra expense" means necessary expenses you incur:

a. During an "interruption" that you would not have incurred if there had been no "interruption"; or

b. To avoid or minimize the suspension of your "e-commerce activities".

"Extra expense" does not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system".
  1. Extra Expense
This definition describes the coverage available for extra expenses covered by Insuring Agreement #6 (Business Income and Extra Expense).

14. "Informant" means a person, other than an "employee", providing information not otherwise obtainable, solely in return for a reward offered by you.

  1. Informant
This word is used in Definition #11 (Extortion Expenses) relative to the recipient of reward money. 

15. "Insured" means any "named insured" and its "employees".

  1. Insured

Variations to watch for:

  • Some policies include independent contractors as insureds.

16. "Interrelated wrongful acts" means all "wrongful acts" that have as a common nexus any:

a. Fact, circumstance, situation, event, transaction or cause; or

b. Series of causally connected facts, circumstances, situations, events, transactions or causes.
  1. Interrelated Wrongful Acts
This definition defines coverage for a wrongful act to include all wrongful acts having a common nexus. "Nexus" in a common dictionary means "a means of connection; tie; link" or "a connected series or group."

17. "Interruption" means:

a. With respect to an "e-commerce incident":

(1) An unanticipated cessation or slowdown of your "e-commerce activities"; or

(2) Your suspension of your "e-commerce activities" for the purpose of avoiding or mitigating the possibility of transmitting a "virus" or malicious code to another person or organization;

and, with regard to Paragraphs 17.a.(1) and 17.a.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:

(a) 90 days after the "interruption" begins;

(b) The time when your "e-commerce activities" are resumed; or

(c) The time when service is restored to you.

b. With respect to an "extortion threat", your voluntary suspension of your "e-commerce activities":

(1) Based upon clear evidence of a credible threat; or

(2) Based upon the recommendation of a security firm, if any;

and, with regard to Paragraphs 17.b.(1) and 17.b.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:

(a) 14 days after the "interruption" begins;

(b) The time when your "e-commerce activities" are resumed; or

(c) The time when service is restored to you.

  1. Interruption
This word is used to define the coverage provided by Insuring Agreement #6 (Business Income and Extra Expense).

18. "Loss" means:

a. With respect to Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability:

(1) Compensatory damages, settlement amounts and costs awarded pursuant to judgments or settlements;

(2) Punitive and exemplary damages to the extent such damages are insurable by law; or

(3) Under Paragraph b. of Insuring Agreement 2. Security Breach Liability, fines or penalties assessed against the "insured" to the extent such fines or penalties are insurable by law.

With regard to Paragraphs 18.a.(1) through 18.a.(3), "loss" does not include:

(a) Civil or criminal fines or penalties imposed by law, except civil fines or penalties as provided under Paragraph 18.a.(3);

(b) The multiplied portion of multiplied damages;

(c) Taxes;

(d) Royalties;

(e) The amount of any disgorged profits; or

(f) Matters that are uninsurable pursuant to law.


b. With respect to Insuring Agreement 4. Replacement Or Restoration Of Electronic Data:

The cost to replace or restore "electronic data" or "computer programs" as well as the cost of data entry, reprogramming and computer consultation services.

"Loss" does not include the cost to duplicate research that led to the development of your "electronic data" or "computer programs". To the extent that any "electronic data" cannot be replaced or restored, we will pay the cost to replace the media on which the "electronic data" was stored with blank media of substantially identical type.

c. With respect to Insuring Agreement 5. Extortion Threats:

"Extortion expenses" and "ransom payments".

d. With respect to Insuring Agreement 6. Business Income And Extra Expense:

The actual loss of "business income" you sustain and/or "extra expense" you incur.

e. With respect to Insuring Agreement 7. Public Relations Expense:

"Public relations expenses".

f. With respect to Insuring Agreement 8. Security Breach Expense:

"Security breach expenses".
  1. Loss
Each insuring agreement contains the word "loss." This definition describes the extent of coverage provided for a loss under each insuring agreement. 

19. "Named insured" means the entity or entities shown in the Declarations and any "subsidiary".

  1. Named Insured

20. "Negative publicity" means information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the "named insured" or of one or more of its products or services.

  1. Negative Publicity
This phrase is used in Insuring Agreement #7 (Public Relations Expense).

21. "Personal information" means any information not available to the general public for any reason through which an individual may be identified including, but not limited to, an individual's:

a. Social security number, driver's license number or state identification number;

b. Protected health information;

c. Financial account numbers;

d. Security codes, passwords, PINs associated with credit, debit or charge card numbers which would permit access to financial accounts; or

e. Any other nonpublic information as defined in "privacy regulations".

  1. Personal Information
The divulging of "personal information" as defined here is the subject of Insuring Agreement #2 (Security Breach Liability) and Insuring Agreement #3 (Programming Errors and Omissions Liability).
22. "Policy period" means the period of time from the inception date of this Policy shown in the Declarations to the expiration date shown in the Declarations, or its earlier cancellation or termination date.
  1. Policy Period
23. "Pollutants" means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals and waste. Waste includes materials to be recycled, reconditioned or reclaimed.
  1. Pollutants
This word is used in Exclusion #14 (Pollution).

24. "Privacy regulations" means any of the following statutes and regulations, and their amendments, associated with the control and use of personally identifiable financial, health or other sensitive information including, but not limited to:

a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191);

b. The Health Information Technology for Economic and Clinical Health Act (HITECH) (American Recovery and Reinvestment Act of 2009);

c. The Gramm-Leach-Bliley Act of 1999;

d. Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)), but solely for alleged unfair or deceptive acts or practices in or affecting commerce;

e. The Identity Theft Red Flags Rules under the Fair and Accurate Credit Transactions Act of 2003; or

f. Any other similar state, federal or foreign identity theft or privacy protection statute or regulation.
  1. Privacy Regulations
This phrase is used in Definition #21 (Personal Information) to supplement the types of information subject to that definition. It names all current federal statutes regarding privacy and incorporates current and future state, federal or foreign identity theft or privacy protection statutes or regulations.

25. "Public relations expenses" means:

a. Fees and costs of a public relations firm; and

b. Any other reasonable expenses incurred by you with our written consent;

to protect or restore your reputation solely in response to "negative publicity".
  1. Public Relations Expenses
This phrase is used in Definition #18 (Loss) to describe expenses covered under Insuring Agreement #7 (Public Relations Expense).
26. "Ransom payment" means a payment made in the form of cash.
  1. Ransom Payment
27. "Ransomware" means any software that encrypts "electronic data" held within the "computer system" and demands a "ransom payment" in order to decrypt and restore such "electronic data".
  1. Ransomware

This word is used in Definition #12 (Extortion Threat).

28. "Regulatory proceeding" means an investigation, demand or proceeding brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other administrative or regulatory agency, or any federal, state, local or foreign governmental entity in such entity's regulatory or official capacity.
  1. Regulatory Proceeding
This definition describes the types of proceedings covered under paragraph "b" of Insuring Agreement 2 (Security Breach Liability).

29. "Security breach" means the acquisition of "personal information" held within the "computer system" or in nonelectronic format while in the care, custody or control of the "insured" or authorized "third party" by a person:

a. Who is not authorized to have access to such information; or

b. Who is authorized to have access to such information but whose access results in the unauthorized disclosure of such information.
  1. Security Breach

This phrase is used in paragraph "b" of Definition #35 (Wrongful Act) to describe the trigger for coverage provided by Insuring Agreement #2 (Security Breach Liability) and is also used in Insuring Agreement #7 (Public Relations Expense) and Insuring Agreement #8 (Security Breach Expense).

The release of personal information is not limited to information contained in electronic form. The accidental release of information contained in paper files or documents is also covered. Endorsement EC 20 06 (Amend Definition of Security Breach) amends this coverage to exclude personal information in nonelectronic format and thus apply only to personal information held within the computer system.

The personal information can be held by the insured or by a third party entity engaged by the insured under a written contract, such as a computer services entity or a document storage or document disposal entity.

30. "Security breach expenses" means:

a. Costs to establish whether a "security breach" has occurred or is occurring;

b. Costs to investigate the cause, scope and extent of a "security breach" and to identify any affected parties;

c. Costs to determine any action necessary to correct or remediate the conditions that led to or resulted from a "security breach";

d. Costs to notify all parties affected by a "security breach";

e. Overtime salaries paid to "employees" assigned to handle inquiries from the parties affected by a "security breach";

f. Fees and costs of a company hired by you for the purpose of operating a call center to handle inquiries from the parties affected by a "security breach";

g. Post-event credit monitoring costs for the parties affected by a "security breach" for up to one year from the date of notification to those affected parties of such "security breach"; and

h. Any other reasonable expenses incurred by you with our written consent.

"Security breach expenses" do not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system" as a result of a "security breach". 
  1. Security Breach Expenses
This definition establishes the types of expenses covered under Insuring Agreement #8 (Security Breach Expense).
31. "Subsidiary" means any organization in which more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, trustees, managers (if a limited liability company) or persons serving in a similar capacity is owned, in any combination, by one or more "named insured(s)".
  1. Subsidiary

32. "Suit" means a civil proceeding in which damages to which this Policy applies are claimed against the "insured". "Suit" includes:

a. An arbitration proceeding in which such damages are claimed and to which the "insured" submits with our consent; or

b. Any other alternative dispute resolution proceeding in which such damages are claimed and to which the "insured" submits with our consent.

"Suit" does not include a civil proceeding seeking recognition and/or enforcement of a foreign money judgment.
  1. Suit
33. "Third party" means any entity that you engage under the terms of a written contract to perform services for you.
  1. Third Party
This phrase is used in Definition #29 (Security Breach).
34. "Virus" means any kind of malicious code designed to damage or destroy any part of the "computer system" (including "electronic data") or disrupt its normal functioning.
  1. Virus
35. "Wrongful act" means:
  1. Wrongful Act
This phrase is used in each of the three third-party liability insuring agreements to describe the scope of coverage.

a. With respect to Insuring Agreement 1. Web Site Publishing Liability:

Any actual or alleged error, misstatement or misleading statement posted or published by an "insured" on its web site that results in:

(1) Any type of infringement of another's copyright, title, slogan, trademark, trade name, trade dress, service mark or service name;

(2) Any form of defamation against a person or organization; or

(3) A violation of a person's right of privacy.
  1. Wrongful Act for Insuring Agreement #1 (Web Site Publishing Liability)
b. With respect to Insuring Agreement 2. Security Breach Liability:

Any actual or alleged neglect, breach of duty or omission by an "insured" that results in:

(1) A "security breach"; or

(2) A "computer system" transmitting, by e-mail or other means, a "virus" to another person or organization.

  1. Wrongful Act for Insuring Agreement #2 (Security Breach Liability)

c. With respect to Insuring Agreement 3. Programming Errors And Omissions Liability:

Any actual or alleged programming error or omission that results in the disclosure of your client's "personal information" held within the "computer system".
  1. Wrongful Act for Insuring Agreement #3 (Programming Errors and Omissions Liability)