Addressing Privacy Risk from an Insurance and Contractual Risk Transfer Perspective
May 2005
Although we have discussed privacy risk in
various articles in this column since its inception more than 4 years ago, privacy
risk has never been as publicized as it has been recently, given the rash of
breach of privacy incidents and lawsuits arising out of them that have occurred
since late 2004. This edition of the Cyber Insurance column is intended to briefly
discuss privacy risk from an insurance and contractual risk transfer perspective
to help risk managers, brokers, and others address the issue for their companies
and clients.
by Michael A. Rossi, Insurance Law Group
An understanding of the several different ways a company can be exposed to
claims of violation of another person's right of privacy is essential for understanding
how to structure an insurance and contractual risk transfer program to try to
address such risks. Set forth below is a brief description of those risks, and
key insurance-related information that needs to be kept in mind.
Dissemination of Information in Violation of Right of Privacy
The first type of privacy risk has been the type of privacy risk that companies
have been facing for decades. It is when the company knowingly gives information
to another party, either orally or in written form, and that dissemination of
information violates a person's right of privacy.
For decades, general liability insurers have been covering this type of privacy
risk in the "Personal Injury" and "Advertising Injury" coverage sections in
general liability policies. Newer general liability forms that combine these
two coverages into one definition of "Personal and Advertising Injury" describe
the covered offense as follows: "the publication or utterance of material that
violates a person's right of privacy."
Collecting Information in Violation of Right of Privacy
The second type of privacy risk may have existed for as long as the risk
of disseminating information, but it has only become publicized since the advent
of the Internet and e-Business activities. An example of this risk is when a
company collects information about persons visiting its Web site, without the
necessary privacy disclosures required by law or otherwise in violation of the
law of one or more of the jurisdictions where the Web site can be accessed.
Most, if not all, general liability insurers do not intend to cover this
type of privacy risk when they use the language quoted above, because the activity
of collecting information does not involve the act of "publication or utterance,"
which means to disseminate information. (Older general liability policies did not have this "publication or utterance"
limitation, and theoretically at least could have covered this type of privacy
risk.)
Permitting the Theft of Information in Violation of Right of Privacy
This is the type of privacy risk that has exploded on the scene in the last
year, as security breaches at several companies have been revealed almost
on a monthly basis. It can occur several different ways, but for this article,
the following two scenarios are most important.
On the one hand, a company could have sensitive information (employee social
security numbers, birth dates, addresses, etc., and similar information about
key customers and/or suppliers) on its computer system. Somebody could steal
that information and use it for illegal purposes himself or herself, or sell the
information, often to the international black market for such information, which
has mushroomed in recent years.
On the other hand, a company could provide such information to a third party,
or give a third party access to the company's computer system so they have access
to such information. Such a third party could be a key customer or supplier, a vendor
of services (e.g., logistics or warehousing company, payroll processing company,
etc.), or outsourced information technology company. Somebody could steal that
information while it is residing on the third party's computer system, or somebody
could gain access into the company's computer system by using the access rights
that the company gave to the third party (e.g., by stealing access codes, hacking
into the third party's system, and then getting into the company's system, etc.).
Does either or both of these two privacy scenarios involve "the publication
or utterance" of material that violates a person's right of privacy in order
to trigger the "Personal and Advertising Injury" coverage in newer general liability
forms? If you ask general liability insurers, they say "no," because it involves
the "theft and use" of information by a non-insured, not the "dissemination
of" information by the insured. It is possible that coverage litigation on this
issue might ensue, and courts may or may not adopt the general liability insurers'
interpretation of how existing policy language applies to such a privacy scenario.
However, given the number of insurance products available in the market today
to expressly cover this type of risk to a certain extent, it is suggested that
companies would do better to expressly address the risk in their insurance programs
instead of waiting to see how the courts resolve the issue.
Insurance Strategies for Addressing Privacy Risk
With respect to the three types of privacy risk discussed above, the following
can be said about general liability insurance. General liability insurance should
cover at least one of the three types of privacy risk discussed above, the insured's
dissemination of information in violation of a right of privacy. The coverage
can be found in the "Personal and Advertising Injury" coverage in current general
liability policies. It is highly unlikely that current general liability insurance
will cover the second type of risk, the insured's collection of information
in violation of a right of privacy. And it is debatable whether current general
liability insurance will cover the third type of risk.
Given the foregoing, what should companies consider doing when it comes to
insuring these three different types of privacy risk? Clearly, companies should
continue to buy general liability insurance (e.g., commercial general liability,
foreign general liability, and umbrella liability).
But companies should review their general liability policies to see if the
"privacy" coverage is limited to "the publication or utterance" of material
that violates a person's right of privacy. If so, they should seriously consider
buying one of the newer insurance products that expressly covers, at least to
some extent, privacy risk as described in this article. We say "at least to
some extent" because the newer policies on the market vary with respect to privacy
risk covered. For example, some only cover privacy risk arising out of the use
of a computer, and of those forms, some insurers cover the risk only while
the insured's information is residing on the insured's computer system,
and will cover the risk of theft of the insured's information residing on a
third party's computer system only after receiving specific information about
the third party so that they can underwrite the risk. And some insurers cover
more than computer-related risk, offering an enterprise-wide privacy coverage,
but offer that coverage only to certain types of companies (e.g., financial
services and healthcare companies).
What are these newer types of policies? They go by various names, and therefore
cannot be described by use of one name, a point that is important to note when
constructing a contractual risk transfer program. Also, the coverage can be
provided by an endorsement to otherwise traditional media liability, technology
errors and omissions, or other type of E&O policy. That said, we would note
the following. When the coverage is limited to risk involving the use of a computer,
the coverage used to be called "Internet Liability Insurance" or "Cyber Liability
Insurance," but the name that is used most frequently today is "Network Security
Liability Insurance" or a variation of that phrase.
However, the important point is not the name or label used on the insurance
policy or endorsement, but rather the extent of coverage offered by the product.
There are several issues to consider when buying such coverage, a discussion
of which is beyond the scope of this article. Suffice it to say for now that
these policies and endorsements provide broader coverage for privacy risk than
the newer general liability forms in use today.
Contractual Risk Transfer Strategies for Addressing Privacy Risk
In addition to a company buying its own insurance to address privacy risk,
another important risk transfer/financing strategy for such risk is to address
the risk in indemnity and insurance provisions in contracts. It is becoming
more and more customary today to expressly address privacy risk in a variety
of different types of contracts, especially when either or both of the contracting
parties is giving the other party sensitive information or access to a computer
system. Contracts for logistics and warehousing services, payroll processing
services, and IT infrastructure outsourcing services are just examples.
A company that is providing sensitive information to the other party to a
contract, or giving the other party access to the company's information via
the Internet, will want to expressly state in the contract that the information
is confidential and is not to get into the hands of any other party. Such company
will also want to expressly state that if anyone other than the other party
to the contract gets some of the information, then the other party will defend,
indemnify, and hold the company harmless from all liability arising from the
leak of the information.
But such an indemnification and hold harmless provision is only as good as
the financial wherewithal of the party to the contract giving the indemnity.
What happens if that party does not have the financial means to fulfill its
indemnity and hold harmless obligations? To protect against that risk, the company
requiring the indemnity should also require that the other party to the contract
maintain certain types of insurance.
And here is where the discussion of insurance set forth above is important—it
is not sufficient in such a contract to
simply require that the other party maintain general liability insurance. To
more fully protect itself, the company seeking to transfer risk under the contract must require that the other party maintain
some type of insurance that expressly covers the latter two types of privacy
risk discussed in this article.
Concluding Remarks
Companies have faced privacy risk for decades. But the increasing use of
computers and increase in e-Business activities exposes companies to privacy
risk in ways that have not been seen before. These new risks call out for insurance
and risk transfer strategies that go beyond traditional methods. Hopefully,
this article provides some guidance on what methods should be used today.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.