Addressing Liability Risks for Data Loss from an Insurance and Contractual Risk Transfer Perspective
July 2005
Although we have discussed insurance issues
related to lost or corrupted computer data, software, and programs ("data")
in various articles in this column since its inception more than 4 years ago,
strategies for addressing third-party liability risk involving lost or corrupted
data have changed somewhat in the past year or so. This edition of the Cyber
Insurance column is intended to briefly discuss these new strategies to help
risk managers, brokers, and others address the issue for their companies and
clients.
by Michael A. Rossi
Insurance Law Group
We are seeing three different types of third-party liability claim scenarios
involving lost or corrupted data that are being addressed in insurance and contracts.
Understanding the differences between these scenarios is important for understanding
how to address the risks with insurance and contractual risk transfer techniques.
Risks Caused by eBusiness Activities
When a company communicates with other companies and its customers over the
Internet, whether by e-mail, an intranet site accessible only to a few, or a
Web site accessible to the public at large, that company exposes itself to the
risk of damaging or corrupting the other party's data. Such a risk scenario
could happen any number of ways. The company could be the source of a computer
virus spread to other companies or its customers. The company could have a rogue
employee who uses the interconnectivity between the company and another party
to damage or corrupt the other party's data. And the company's computer system
could be hacked into by a hacker, who uses the interconnectivity between the
company and another party to damage or corrupt the other party's data.
Risks Caused by the Performance of Professional Services
In contrast to the risk of data loss arising from eBusiness activities, there
is the risk of data loss arising from the performance of professional services
for others. A classic example of this risk is when a company is designing, creating,
and installing a computer-related network, system, or other type of operating
capability for a third party. There is a risk that when the company is installing,
monitoring, repairing, etc., the system, it could damage or corrupt data on
its customer's computers. Another type of risk is when the system installed
by the company has flawed security attributes, so that it permits a hack into
the customer's computer network. In either setting, the customer's data could
be lost or corrupted, and the company could be liable for the loss.
Risks Caused by Media Activities
More and more media companies are broadcasting content into, or allowing
delivery of content into, devices that have data, such as television set-top
boxes, cell phones, and computers. These broadcasts/downloads expose the company
to the risk of damaging or corrupting the data on the device receiving the content.
Indeed, some of the companies that permit such broadcasts/downloads require
as a condition to permitting the transmission into the devices used by their
customers that the media company indemnify and hold them harmless from all third-party
claims arising out of damage to or corruption of such data, and require that
the media company carry liability insurance that expressly covers such data
claims.
Grey Areas Abound
Is it as clear-cut as the foregoing discussion suggests? No. Especially for
media companies, the line can be blurred between what is eBusiness activity
versus media activity versus professional services. Nevertheless, insurance
professionals should understand that the insurance industry views these risks
differently when thinking about them in terms of eBusiness activities, professional
services and media activities, so that care must be taken when structuring an
insurance program to make sure that the different ways a company is exposed
to the risk of causing data loss to a third party are covered.
Insurance Strategies for Third-Party Data Risk
Although older general liability policies arguably covered most, if not all,
of the third-party data risks discussed above, that is not necessarily the case
with newer general liability policies. That is because newer general liability
policies have modified versions of the definition of "property damage" which
expressly state that for purposes of the definition, "data" is not "tangible
property."
This change in wording is significant because "property damage" in general
liability policies typically is defined as (a) physical injury to "tangible
property" including the loss of use of such "tangible property" resulting from
such physical injury, or (b) loss of use of "tangible property" where there
has not been any physical injury to "tangible property." By excepting "data"
from the term "tangible property," newer commercial general liability (CGL)
policies severely limit coverage for third-party liability claims involving
lost or corrupted data.
Given the foregoing, what should companies consider doing when it comes to
insuring these three different types of third-party data risks? Clearly, companies
should continue to buy general liability insurance (e.g., commercial general
liability, foreign general liability, and umbrella liability). One of the grey
areas in adjusting data loss claims is what happens when the insured damages
computer hardware so that the data thereon is lost or corrupted. An argument
can be made that the data loss in such a scenario can be covered by general
liability insurance because it falls within the insuring grant that promises
coverage for "damages because of … property damage." In such a loss scenario,
it can be argued that the damage to the computer hardware is the "property damage"
and the resulting data loss is encompassed within the phrase "damages because
of" that "property damage."
But companies should also consider doing the following. First, they should
buy insurance that expressly covers the risk of causing a third party to suffer
a data loss. That insurance could be called Internet liability, cyber liability,
or network security liability insurance. The label is not important; rather
the coverage provided by the policy is what needs to be reviewed.
Second, if the company performs any professional services to others or is
a media company, it should also be buying some type of errors and omissions
insurance. That insurance typically has some form of "property damage" exclusion.
What the insured wants to do is make sure that the exclusion (a) is limited
to "claims for property damage" (as opposed to "claims based upon or arising
from, directly or indirectly, property damage"), and (b) expressly excepts "data."
That can be done in either of two ways: the definition of "property damage"
in the form could expressly except data, or the exclusion could expressly except
data.
Although some technology E&O insurers were excepting "data" from the "property
damage" definition/exclusion in their forms almost a decade ago, several other
E&O insurers, both tech E&O and media liability, used to refuse to address this
issue, ironically pointing to general liability insurance as the source of protection
for third-party claims alleging lost or corrupted data. (I say "ironic" because
in the past several years the general liability insurance industry has taken
the position that older general liability forms were never intended to cover
data loss claims.) That argument no longer can be made, because newer general
liability policies expressly except "data" from the definition of "property
damage." Accordingly, more and more E&O insurers (tech E&O, media liability,
miscellaneous professional liability, etc.) are amending their "property damage"
definitions/exclusions to expressly except data claims, and more and more E&O
insurers are willing to address the issue by endorsement on their forms that
have not yet been updated. In this way, if a data loss arises out of the performance
of professional services or media activities, the E&O policy can cover the claim.
Finally, depending on the industry the company is in, and how its insurance
program is structured, both of these issues might be able to be addressed in
one and the same insurance product. The point is that the insured needs coverage
for damaging or corrupting a third party's data regardless of the cause of the
data loss, i.e., whether in the course of eBusiness activities, media activities,
performance of professional services, etc. And exactly how the issue is addressed
in any particular company's insurance program will vary.
Contractual Risk Transfer Strategies for Third-Party Data Risk
In addition to a company buying its own insurance to address third-party
data loss risk, another important risk transfer/financing strategy for such
risk is to address the risk in indemnity and insurance provisions in contracts.
It is becoming more and more customary today to expressly address data risk
in a variety of different types of contracts, especially when the parties are
communicating with each other over the Internet or either or both of the contracting
parties is giving the other party access to a computer system.
In addition to the obvious example of a professional services contract to
design and install a network or other computer-related operation, contracts
for logistics and warehousing services, payroll processing services, and IT
infrastructure outsourcing services are examples of other types of contracts
where this risk is present.
A company that is giving another party access to its computer system, or
is otherwise connected to the other party via the Internet, will want that other
party to defend, indemnify, and hold the company harmless from claims arising
from lost or corrupted data. But such an indemnification and hold harmless provision
is only as good as the financial wherewithal of the party to the contract giving
the indemnity. What happens if that party does not have the financial means
to fulfill its indemnity and hold harmless obligations? To protect against that
risk, the company requiring the indemnity should also require that the other
party to the contract maintain certain types of insurance.
And here is where the discussion of insurance set forth above is important—it
is not sufficient in such a contract to
simply require that the other party maintain general liability insurance, or
even standard CGL insurance and standard E&O insurance. To more fully protect
itself, the company seeking to transfer risk under the contract must require that the other party maintain
some type of insurance that expressly covers the risk of third-party claims
seeking damages because of damaged or corrupted data.
Concluding Remarks
Given society's increasing use of and reliance on computers and other devices
that use data to operate, as well as the increasing use of the Internet, companies
face third-party liability risks arising out of lost or corrupted data like
never before. These new risks call out for insurance and risk transfer strategies
that go beyond traditional methods. Hopefully, this article provides some guidance
on what methods should be used today.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.