Although we have discussed insurance issues related to lost or corrupted
computer data, software, and programs ("data") in various articles in
this column since its inception more than 4 years ago, strategies for
addressing third-party liability risk involving lost or corrupted data have
changed somewhat in the past year or so. This edition of the Cyber Insurance
column is intended to briefly discuss these new strategies to help risk
managers, brokers, and others address the issue for their companies and
clients.
We are seeing three different types of third-party liability claim scenarios
involving lost or corrupted data that are being addressed in insurance and
contracts. Understanding the differences between these scenarios is important
for understanding how to address the risks with insurance and contractual risk
transfer techniques.
Risks Caused by eBusiness Activities
When a company communicates with other companies and its customers over the
Internet, whether by email, an intranet site accessible only to a few, or a
website accessible to the public at large, that company exposes itself to the
risk of damaging or corrupting the other party's data. Such a risk scenario
could happen any number of ways. The company could be the source of a computer
virus spread to other companies or its customers. The company could have a
rogue employee who uses the interconnectivity between the company and another
party to damage or corrupt the other party's data. Or the company's
computer system could be breached by a hacker, who then uses the
interconnectivity between the company and another party to damage or corrupt
the other party's data.
Risks Caused by the Performance of Professional Services
In contrast to the risk of data loss arising from eBusiness activities,
there is the risk of data loss arising from the performance of professional
services for others. A classic example of this risk is when a company is
designing, creating, and installing a computer-related network, system, or
other type of operating capability for a third party. There is a risk that,
while installing, monitoring, repairing, or otherwise servicing the system, the
company could damage or corrupt data on its customer's computers. Another type of risk
is when the system installed by the company has flawed security attributes, so
that it permits a hack into the customer's computer network. In either
setting, the customer's data could be lost or corrupted, and the company
could be liable for the loss.
Risks Caused by Media Activities
More and more media companies are broadcasting content into, or allowing
delivery of content into, devices that have data, such as television set-top
boxes, cell phones, and computers. These broadcasts/downloads expose the
company to the risk of damaging or corrupting the data on the device receiving
the content. Indeed, some of the companies that permit such
broadcasts/downloads require as a condition to permitting the transmission into
the devices used by their customers that the media company indemnify and hold
them harmless from all third-party claims arising out of damage to or
corruption of such data, and require that the media company carry liability
insurance that expressly covers such data claims.
Grey Areas Abound
Is it as clear-cut as the foregoing discussion suggests? No. Especially for
media companies, the line can be blurred between what is eBusiness activity
versus media activity versus professional services. Nevertheless, insurance
professionals should understand that the insurance industry views these risks
differently when thinking about them in terms of eBusiness activities,
professional services and media activities, so that care must be taken when
structuring an insurance program to make sure that the different ways a company
is exposed to the risk of causing data loss to a third party are covered.
Insurance Strategies for Third-Party Data Risk
Although older general liability policies arguably covered most, if not all,
of the third-party data risks discussed, that is not necessarily the case with
newer general liability policies. That is because newer general liability
policies have modified versions of the definition of "property
damage" which expressly state that for purposes of the definition,
"data" is not "tangible property."
This change in wording is significant because "property damage" in
general liability policies typically is defined as (a) physical injury to
"tangible property" including the loss of use of such "tangible
property" resulting from such physical injury, or (b) loss of use of
"tangible property" where there has not been any physical injury to
"tangible property." By excepting "data" from the term
"tangible property," newer commercial general liability (CGL)
policies severely limit coverage for third-party liability claims involving
lost or corrupted data.
Given the foregoing, what should companies consider doing when it comes to
insuring these three different types of third-party data risks? Clearly,
companies should continue to buy general liability insurance (e.g., commercial
general liability, foreign general liability, and umbrella liability). One of
the grey areas in adjusting data loss claims is what happens when the insured
damages computer hardware so that the data thereon is lost or corrupted. An
argument can be made that the data loss in such a scenario can be covered by
general liability insurance because it falls within the insuring grant that
promises coverage for "damages because of … property damage." In such
a loss scenario, it can be argued that the damage to the computer hardware is
the "property damage" and the resulting data loss is encompassed
within the phrase "damages because of" that "property
damage."
But companies should also consider doing the following. First, they should
buy insurance that expressly covers the risk of causing a third party to suffer
a data loss. That insurance could be called Internet liability, cyber
liability, or network security liability insurance. The label is not important;
rather the coverage provided by the policy is what needs to be reviewed.
Second, if the company performs any professional services to others or is a
media company, it should also be buying some type of errors and omissions
insurance. That insurance typically has some form of "property
damage" exclusion. What the insured wants to do is make sure that the
exclusion (a) is limited to "claims for property damage" (as opposed
to "claims based upon or arising from, directly or indirectly, property
damage"), and (b) expressly excepts "data." That can be done
in either of two ways: the definition of "property damage" in the
form could expressly except data, or the exclusion could expressly except
data.
Although some technology E&O insurers were excepting "data"
from the "property damage" definition/exclusion in their forms almost
a decade ago, several other E&O insurers, both tech E&O and media
liability, used to refuse to address this issue, ironically pointing to general
liability insurance as the source of protection for third-party claims alleging
lost or corrupted data. (I say "ironic" because in the past several
years the general liability insurance industry has taken the position that
older general liability forms were never intended to cover data loss claims.)
That argument no longer can be made, because newer general liability policies
expressly except "data" from the definition of "property
damage." Accordingly, more and more E&O insurers (tech E&O, media
liability, miscellaneous professional liability, etc.) are amending their
"property damage" definitions/exclusions to expressly except data
claims, and more and more E&O insurers are willing to address the issue by
endorsement on their forms that have not yet been updated. In this way, if a
data loss arises out of the performance of professional services or media
activities, the E&O policy can cover the claim.
Finally, depending on the industry the company is in, and how its insurance
program is structured, both of these issues might be able to be addressed in
one and the same insurance product. The point is that the insured needs
coverage for damaging or corrupting a third party's data regardless of the
cause of the data loss, i.e., whether in the course of eBusiness activities,
media activities, performance of professional services, etc. And exactly how
the issue is addressed in any particular company's insurance program will
vary.
Contractual Risk Transfer Strategies for Third-Party Data Risk
In addition to a company buying its own insurance to address third-party
data loss risk, another important risk transfer/financing strategy for such
risk is to address the risk in indemnity and insurance provisions in contracts.
It is becoming more and more customary today to expressly address data risk in
a variety of different types of contracts, especially when the parties are
communicating with each other over the Internet or either or both of the
contracting parties is giving the other party access to a computer system.
In addition to the obvious example of a professional services contract to
design and install a network or other computer-related operation, contracts for
logistics and warehousing services, payroll processing services, and IT
infrastructure outsourcing services are examples of other types of contracts
where this risk is present.
A company that is giving another party access to its computer system, or is
otherwise connected to the other party via the Internet, will want that other
party to defend, indemnify, and hold the company harmless from claims arising
from lost or corrupted data. But such an indemnification and hold harmless
provision is only as good as the financial wherewithal of the party to the
contract giving the indemnity. What happens if that party does not have the
financial means to fulfill its indemnity and hold harmless obligations? To
protect against that risk, the company requiring the indemnity should also
require that the other party to the contract maintain certain types of
insurance.
And here is where the discussion of insurance set forth above is
important—it is not sufficient in such a contract to simply require
that the other party maintain general liability insurance, or even standard CGL
insurance and standard E&O insurance. To more fully protect itself, the
company seeking to transfer risk under the contract must require that
the other party maintain some type of insurance that expressly covers the risk
of third-party claims seeking damages because of damaged or corrupted data.
Concluding Remarks
Given society's increasing use of and reliance on computers and other
devices that use data to operate, as well as the increasing use of the
Internet, companies face third-party liability risks arising out of lost or
corrupted data like never before. These new risks call out for insurance and
risk transfer strategies that go beyond traditional methods. Hopefully, this
article provides some guidance on what methods should be used today.