Expert Commentary

Addressing Liability Risks for Data Loss from an Insurance and Contractual Risk Transfer Perspective

Although we have discussed insurance issues related to lost or corrupted computer data, software, and programs ("data") in various articles in this column since its inception more than 4 years ago, strategies for addressing third-party liability risk involving lost or corrupted data have changed somewhat in the past year or so. This edition of the Cyber Insurance column is intended to briefly discuss these new strategies to help risk managers, brokers, and others address the issue for their companies and clients.


Cyber and Privacy Risk and Insurance
July 2005

We are seeing three different types of third-party liability claim scenarios involving lost or corrupted data that are being addressed in insurance and contracts. Understanding the differences between these scenarios is important for understanding how to address the risks with insurance and contractual risk transfer techniques.

Risks Caused by eBusiness Activities

When a company communicates with other companies and its customers over the Internet, whether by email, an intranet site accessible only to a few, or a website accessible to the public at large, that company exposes itself to the risk of damaging or corrupting the other party's data. Such a risk scenario could happen any number of ways. The company could be the source of a computer virus spread to other companies or its customers. The company could have a rogue employee who uses the interconnectivity between the company and another party to damage or corrupt the other party's data. And the company's computer system could be hacked into by a hacker, who uses the interconnectivity between the company and another party to damage or corrupt the other party's data.

Risks Caused by the Performance of Professional Services

In contrast to the risk of data loss arising from eBusiness activities, there is the risk of data loss arising from the performance of professional services for others. A classic example of this risk is when a company is designing, creating, and installing a computer-related network, system, or other type of operating capability for a third party. There is a risk that when the company is installing, monitoring, repairing, etc., the system, they could damage or corrupt data on their customer's computers. Another type of risk is when the system installed by the company has flawed security attributes, so that it permits a hack into the customer's computer network. In either setting, the customer's data could be lost or corrupted, and the company could be liable for the loss.

Risks Caused by Media Activities

More and more media companies are broadcasting content into, or allowing delivery of content into, devices that have data, such as television set-top boxes, cell phones, and computers. These broadcasts/downloads expose the company to the risk of damaging or corrupting the data on the device receiving the content. Indeed, some of the companies that permit such broadcasts/downloads require as a condition to permitting the transmission into the devices used by their customers that the media company indemnify and hold them harmless from all third-party claims arising out of damage to or corruption of such data, and require that the media company carry liability insurance that expressly covers such data claims.

Grey Areas Abound

Is it as clean cut as the foregoing discussion suggests? No. Especially for media companies, the line can be blurred between what is eBusiness activity versus media activity versus professional services. Nevertheless, insurance professionals should understand that the insurance industry views these risks differently when thinking about them in terms of eBusiness activities, professional services and media activities, so that care must be taken when structuring an insurance program to make sure that the different ways a company is exposed to the risk of causing data loss to a third party are covered.

Insurance Strategies for Third-Party Data Risk

Although older general liability policies arguably covered most, if not all, of the third-party data risks discussed, that is not necessarily the case with newer general liability policies. That is because newer general liability policies have modified versions of the definition of "property damage" which expressly state that for purposes of the definition, "data" is not "tangible property."

This change in wording is significant because "property damage" in general liability policies typically is defined as (a) physical injury to "tangible property" including the loss of use of such "tangible property" resulting from such physical injury, or (b) loss of use of "tangible property" where there has not been any physical injury to "tangible property." By excepting "data" from the term "tangible property," newer commercial general liability (CGL) policies severely limit coverage for third-party liability claims involving lost or corrupted data.

Given the foregoing, what should companies consider doing when it comes to insuring these three different types of third-party data risks? Clearly, companies should continue to buy general liability insurance (e.g., commercial general liability, foreign general liability, and umbrella liability). One of the grey areas in adjusting data loss claims is what happens when the insured damages computer hardware so that the data thereon is lost or corrupted? An argument can be made that the data loss in such a scenario can be covered by general liability insurance because it falls within the insuring grant that promises coverage for "damages because of … property damage." In such a loss scenario, it can be argued that the damage to the computer hardware is the "property damage" and the resulting data loss is encompassed within the phrase "damages because of" that "property damage."

But companies should also consider doing the following. First, they should buy insurance that expressly covers the risk of causing a third party to suffer a data loss. That insurance could be called Internet liability, cyber liability, or network security liability insurance. The label is not important; rather the coverage provided by the policy is what needs to be reviewed.

Second, if the company performs any professional services to others or is a media company, it should also be buying some type of errors and omissions insurance. That insurance typically has some form of "property damage" exclusion. What the insured wants to do is make sure that the exclusion (a) is limited to "claims for property damage" (as opposed to "claims based upon or arising from, directly or indirectly, property damage"), and (b) expressly excepts "data." That can be done either of two ways: e.g., the definition of "property damage" in the form could expressly except data, or the exclusion could expressly except data.

Although some technology E&O insurers were excepting "data" from the "property damage" definition/exclusion in their forms almost a decade ago, several other E&O insurers, both tech E&O and media liability, used to refuse to address this issue, ironically pointing to general liability insurance as the source of protection for third-party claims alleging lost or corrupted data. (I say "ironic" because in the past several years the general liability insurance industry has taken the position that older general liability forms were never intended to cover data loss claims.) That argument no longer can be made, because newer general liability policies expressly except "data" from the definition of "property damage." Accordingly, more and more E&O insurers (tech E&O, media liability, miscellaneous professional liability, etc.) are amending their "property damage" definitions/exclusions to expressly except data claims, and more and more E&O insurers are willing to address the issue by endorsement on their forms that have not yet been updated. In this way, if a data loss arises out of the performance of professional services or media activities, the E&O policy can cover the claim.

Finally, depending on the industry the company is in, and how its insurance program is structured, both of these issues might be able to be addressed in one and the same insurance product. The point is that the insured needs coverage for damaging or corrupting a third party's data regardless of the cause of the data loss, i.e., whether in the course of eBusiness activities, media activities, performance of professional services, etc. And exactly how the issue is addressed in any particular company's insurance program will vary.

Contractual Risk Transfer Strategies for Third-Party Data Risk

In addition to a company buying its own insurance to address third-party data loss risk, another important risk transfer/financing strategy for such risk is to address the risk in indemnity and insurance provisions in contracts. It is becoming more and more customary today to expressly address data risk in a variety of different types of contracts, especially when the parties are communicating with each other over the Internet or either or both of the contracting parties is giving the other party access to a computer system.

In addition to the obvious example of a professional services contract to design and install a network or other computer-related operation, contracts for logistics and warehousing services, payroll processing services, and IT infrastructure outsourcing services are examples of other types of contracts where this risk is present.

A company that is giving another party access to its computer system, or is otherwise connected to the other party via the Internet, will want that other party to defend, indemnify, and hold the company harmless from claims arising from lost or corrupted data. But such an indemnification and hold harmless provision is only as good as the financial wherewithal of the party to the contract giving the indemnity. What happens if that party does not have the financial means to fulfill its indemnity and hold harmless obligations? To protect against that risk, the company requiring the indemnity should also require that the other party to the contract maintain certain types of insurance.

And here is where the discussion of insurance set forth above is important—it is not sufficient in such a contract to simply require that the other party maintain general liability insurance, or even standard CGL insurance and standard E&O insurance. To more fully protect itself, the company seeking to transfer risk under the contract must require that the other party maintain some type of insurance that expressly covers the risk of third-party claims seeking damages because of damaged or corrupted data.

Concluding Remarks

Given society's increasing use of and reliance on computers and other devices that use data to operate, as well as the increasing use of the Internet, companies face third-party liability risks arising out of lost or corrupted data like never before. These new risks call out for insurance and risk transfer strategies that go beyond traditional methods. Hopefully, this article provides some guidance on what methods should be used today.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More